fix tests

rebase fix
OnceLock
2026-02-01 22:47:52 +00:00 · 2025-11-04 16:41:31 -08:00 · 2025-11-03 22:08:52 -08:00 · 2025-11-03 21:04:18 -08:00 · 2025-11-03 21:04:17 -08:00 · 2025-11-03 20:56:27 -08:00
66 changed files with 2229 additions and 606 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -46,7 +46,7 @@ jobs:
          echo "pack_output=$PACK_OUTPUT" >> "$GITHUB_OUTPUT"

      - name: Upload staged npm package artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
        with:
          name: codex-npm-staging
          path: ${{ steps.stage_npm_package.outputs.pack_output }}
--- a/.github/workflows/issue-deduplicator.yml
+++ b/.github/workflows/issue-deduplicator.yml
@@ -16,7 +16,7 @@ jobs:
    outputs:
      codex_output: ${{ steps.codex.outputs.final-message }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5

      - name: Prepare Codex inputs
        env:
@@ -87,7 +87,7 @@ jobs:
      issues: write
    steps:
      - name: Comment on issue
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
        env:
          CODEX_OUTPUT: ${{ needs.gather-duplicates.outputs.codex_output }}
        with:
--- a/.github/workflows/issue-labeler.yml
+++ b/.github/workflows/issue-labeler.yml
@@ -16,7 +16,7 @@ jobs:
    outputs:
      codex_output: ${{ steps.codex.outputs.final-message }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5

      - id: codex
        uses: openai/codex-action@main
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -350,7 +350,7 @@ jobs:
            fi
          fi

-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
        with:
          name: ${{ matrix.target }}
          # Upload the per-binary .zst files as well as the new .tar.gz
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ Then simply run `codex` to get started:
 codex
 ```

-If you're running into upgrade issues with Homebrew, see the [FAQ entry on brew upgrade codex](./docs/faq.md#brew-update-codex-isnt-upgrading-me).
+If you're running into upgrade issues with Homebrew, see the [FAQ entry on brew upgrade codex](./docs/faq.md#brew-upgrade-codex-isnt-upgrading-me).

 <details>
 <summary>You can also go to the <a href="https://github.com/openai/codex/releases/latest">latest GitHub Release</a> and download the appropriate binary for your platform.</summary>
@@ -75,11 +75,12 @@ Codex CLI supports a rich set of configuration options, with preferences stored

 - [**Getting started**](./docs/getting-started.md)
  - [CLI usage](./docs/getting-started.md#cli-usage)
+  - [Slash Commands](./docs/slash_commands.md)
  - [Running with a prompt as input](./docs/getting-started.md#running-with-a-prompt-as-input)
  - [Example prompts](./docs/getting-started.md#example-prompts)
  - [Custom prompts](./docs/prompts.md)
  - [Memory with AGENTS.md](./docs/getting-started.md#memory-with-agentsmd)
-  - [Configuration](./docs/config.md)
+- [**Configuration**](./docs/config.md)
 - [**Sandbox & approvals**](./docs/sandbox.md)
 - [**Authentication**](./docs/authentication.md)
  - [Auth methods](./docs/authentication.md#forcing-a-specific-auth-method-advanced)
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -172,9 +172,9 @@ dependencies = [

 [[package]]
 name = "anyhow"
-version = "1.0.99"
+version = "1.0.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b0674a1ddeecb70197781e945de4b3b8ffb61fa939a5597bcf48503737663100"
+checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"

 [[package]]
 name = "app_test_support"
@@ -891,7 +891,7 @@ dependencies = [
 "pretty_assertions",
 "similar",
 "tempfile",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tree-sitter",
 "tree-sitter-bash",
 ]
@@ -1032,7 +1032,7 @@ dependencies = [
 "diffy",
 "serde",
 "serde_json",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 ]

 [[package]]
@@ -1084,7 +1084,7 @@ dependencies = [
 "futures",
 "http",
 "image",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "keyring",
 "landlock",
 "libc",
@@ -1108,7 +1108,7 @@ dependencies = [
 "strum_macros 0.27.2",
 "tempfile",
 "test-log",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "time",
 "tokio",
 "tokio-test",
@@ -1214,7 +1214,7 @@ dependencies = [
 "schemars 0.8.22",
 "serde",
 "tempfile",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "ts-rs",
 "walkdir",
 ]
@@ -1506,7 +1506,7 @@ dependencies = [
 "codex-utils-cache",
 "image",
 "tempfile",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tokio",
 ]

@@ -1534,7 +1534,7 @@ version = "0.0.0"
 dependencies = [
 "assert_matches",
 "async-trait",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "time",
 "tokio",
 ]
@@ -1549,7 +1549,7 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "pretty_assertions",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tiktoken-rs",
 ]

@@ -1750,8 +1750,7 @@ checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28"
 [[package]]
 name = "crossterm"
 version = "0.28.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "829d955a0bb380ef178a640b91779e3987da38c9aea133b20614cfed8cdea9c6"
+source = "git+https://github.com/nornagon/crossterm?branch=nornagon%2Fcolor-query#87db8bfa6dc99427fd3b071681b07fc31c6ce995"
 dependencies = [
 "bitflags 2.10.0",
 "crossterm_winapi",
@@ -2722,7 +2721,7 @@ dependencies = [
 "futures-core",
 "futures-sink",
 "http",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "slab",
 "tokio",
 "tokio-util",
@@ -2766,6 +2765,12 @@ dependencies = [
 "foldhash",
 ]

+[[package]]
+name = "hashbrown"
+version = "0.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5419bdc4f6a9207fbeba6d11b604d481addf78ecd10c11ad51e76c2f6482748d"
+
 [[package]]
 name = "heck"
 version = "0.5.0"
@@ -3201,13 +3206,14 @@ dependencies = [

 [[package]]
 name = "indexmap"
-version = "2.10.0"
+version = "2.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fe4cd85333e22411419a0bcae1297d25e58c9443848b11dc6a86fefe8c78a661"
+checksum = "6717a8d2a5a929a1a2eb43a12812498ed141a0bcfb7e8f7844fbdbe4303bba9f"
 dependencies = [
 "equivalent",
- "hashbrown 0.15.4",
+ "hashbrown 0.16.0",
 "serde",
+ "serde_core",
 ]

 [[package]]
@@ -3495,7 +3501,7 @@ checksum = "b3d2ef408b88e913bfc6594f5e693d57676f6463ded7d8bf994175364320c706"
 dependencies = [
 "enumflags2",
 "libc",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 ]

 [[package]]
@@ -4175,7 +4181,7 @@ dependencies = [
 "futures-sink",
 "js-sys",
 "pin-project-lite",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tracing",
 ]

@@ -4218,7 +4224,7 @@ dependencies = [
 "prost",
 "reqwest",
 "serde_json",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tokio",
 "tonic",
 "tracing",
@@ -4258,7 +4264,7 @@ dependencies = [
 "percent-encoding",
 "rand 0.9.2",
 "serde_json",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tokio",
 "tokio-stream",
 ]
@@ -4369,7 +4375,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db"
 dependencies = [
 "fixedbitset",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 ]

 [[package]]
@@ -4437,7 +4443,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3af6b589e163c5a788fab00ce0c0366f6efbb9959c2f9874b224936af7fce7e1"
 dependencies = [
 "base64",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "quick-xml",
 "serde",
 "time",
@@ -4603,7 +4609,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a3ef4f2f0422f23a82ec9f628ea2acd12871c81a9362b02c43c1aa86acfc3ba1"
 dependencies = [
 "futures",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "nix 0.30.1",
 "tokio",
 "tracing",
@@ -4690,7 +4696,7 @@ dependencies = [
 "rustc-hash 2.1.1",
 "rustls",
 "socket2 0.6.0",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tokio",
 "tracing",
 "web-time",
@@ -4711,7 +4717,7 @@ dependencies = [
 "rustls",
 "rustls-pki-types",
 "slab",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tinyvec",
 "tracing",
 "web-time",
@@ -4872,7 +4878,7 @@ checksum = "dd6f9d3d47bdd2ad6945c5015a226ec6155d0bcdfd8f7cd29f86b71f8de99d2b"
 dependencies = [
 "getrandom 0.2.16",
 "libredox",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 ]

 [[package]]
@@ -5023,7 +5029,7 @@ dependencies = [
 "serde",
 "serde_json",
 "sse-stream",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tokio",
 "tokio-stream",
 "tokio-util",
@@ -5548,7 +5554,7 @@ version = "1.0.145"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "402a6f66d8c709116cf22f558eab210f5a50187f702eb4d7e5ef38d9a7f1c79c"
 dependencies = [
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "itoa",
 "memchr",
 "ryu",
@@ -5609,7 +5615,7 @@ dependencies = [
 "chrono",
 "hex",
 "indexmap 1.9.3",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "schemars 0.9.0",
 "schemars 1.0.4",
 "serde",
@@ -5678,6 +5684,12 @@ dependencies = [
 "digest",
 ]

+[[package]]
+name = "sha1_smol"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbfa15b3dddfee50a0fff136974b3e1bde555604ba463834a7eb7deb6417705d"
+
 [[package]]
 name = "sha2"
 version = "0.10.9"
@@ -6186,11 +6198,11 @@ dependencies = [

 [[package]]
 name = "thiserror"
-version = "2.0.16"
+version = "2.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3467d614147380f2e4e374161426ff399c91084acd2363eaf549172b3d5e60c0"
+checksum = "f63587ca0f12b72a0600bcba1d40081f830876000bb46dd2337a3051618f4fc8"
 dependencies = [
- "thiserror-impl 2.0.16",
+ "thiserror-impl 2.0.17",
 ]

 [[package]]
@@ -6206,9 +6218,9 @@ dependencies = [

 [[package]]
 name = "thiserror-impl"
-version = "2.0.16"
+version = "2.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6c5e1be1c48b9172ee610da68fd9cd2770e7a4056cb3fc98710ee6906f0c7960"
+checksum = "3ff15c8ecd7de3849db632e14d18d2571fa09dfc5ed93479bc4485c7a517c913"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -6427,7 +6439,7 @@ version = "0.9.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "75129e1dc5000bfbaa9fee9d1b21f974f9fbad9daec557a521ee6e080825f6e8"
 dependencies = [
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "serde",
 "serde_spanned",
 "toml_datetime",
@@ -6451,7 +6463,7 @@ version = "0.23.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7211ff1b8f0d3adae1663b7da9ffe396eabe1ca25f0b0bee42b0da29a9ddce93"
 dependencies = [
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "toml_datetime",
 "toml_parser",
 "toml_writer",
@@ -6510,7 +6522,7 @@ checksum = "d039ad9159c98b70ecfd540b2573b97f7f52c3e8d9f8ad57a24b916a536975f9"
 dependencies = [
 "futures-core",
 "futures-util",
- "indexmap 2.10.0",
+ "indexmap 2.12.0",
 "pin-project-lite",
 "slab",
 "sync_wrapper",
@@ -6688,7 +6700,7 @@ checksum = "adc5f880ad8d8f94e88cb81c3557024cf1a8b75e3b504c50481ed4f5a6006ff3"
 dependencies = [
 "regex",
 "streaming-iterator",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "tree-sitter",
 ]

@@ -6711,7 +6723,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6ef1b7a6d914a34127ed8e1fa927eb7088903787bcded4fa3eef8f85ee1568be"
 dependencies = [
 "serde_json",
- "thiserror 2.0.16",
+ "thiserror 2.0.17",
 "ts-rs-macros",
 "uuid",
 ]
@@ -6865,6 +6877,7 @@ dependencies = [
 "getrandom 0.3.3",
 "js-sys",
 "serde",
+ "sha1_smol",
 "wasm-bindgen",
 ]

--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -128,7 +128,7 @@ icu_provider = { version = "2.1", features = ["sync"] }
 icu_locale_core = "2.1"
 ignore = "0.4.23"
 image = { version = "^0.25.8", default-features = false }
-indexmap = "2.6.0"
+indexmap = "2.12.0"
 insta = "1.43.2"
 itertools = "0.14.0"
 keyring = "3.6"
@@ -182,7 +182,7 @@ sys-locale = "0.3.2"
 tempfile = "3.23.0"
 test-log = "0.2.18"
 textwrap = "0.16.2"
-thiserror = "2.0.16"
+thiserror = "2.0.17"
 time = "0.3"
 tiny_http = "0.12"
 tokio = "1"
@@ -276,6 +276,7 @@ opt-level = 0
 # Uncomment to debug local changes.
 # ratatui = { path = "../../ratatui" }
 ratatui = { git = "https://github.com/nornagon/ratatui", branch = "nornagon-v0.29.0-patch" }
+crossterm = { git = "https://github.com/nornagon/crossterm", branch = "nornagon/color-query" }

 # Uncomment to debug local changes.
 # rmcp = { path = "../../rust-sdk/crates/rmcp" }
--- a/codex-rs/app-server/src/codex_message_processor.rs
+++ b/codex-rs/app-server/src/codex_message_processor.rs
@@ -1172,9 +1172,23 @@ impl CodexMessageProcessor {
        // Verify that the rollout path is in the sessions directory or else
        // a malicious client could specify an arbitrary path.
        let rollout_folder = self.config.codex_home.join(codex_core::SESSIONS_SUBDIR);
+        let canonical_sessions_dir = match tokio::fs::canonicalize(&rollout_folder).await {
+            Ok(path) => path,
+            Err(err) => {
+                let error = JSONRPCErrorError {
+                    code: INTERNAL_ERROR_CODE,
+                    message: format!(
+                        "failed to archive conversation: unable to resolve sessions directory: {err}"
+                    ),
+                    data: None,
+                };
+                self.outgoing.send_error(request_id, error).await;
+                return;
+            }
+        };
        let canonical_rollout_path = tokio::fs::canonicalize(&rollout_path).await;
        let canonical_rollout_path = if let Ok(path) = canonical_rollout_path
-            && path.starts_with(&rollout_folder)
+            && path.starts_with(&canonical_sessions_dir)
        {
            path
        } else {
--- a/codex-rs/app-server/src/message_processor.rs
+++ b/codex-rs/app-server/src/message_processor.rs
@@ -64,64 +64,79 @@ impl MessageProcessor {

    pub(crate) async fn process_request(&mut self, request: JSONRPCRequest) {
        let request_id = request.id.clone();
-        if let Ok(request_json) = serde_json::to_value(request)
-            && let Ok(codex_request) = serde_json::from_value::<ClientRequest>(request_json)
-        {
-            match codex_request {
-                // Handle Initialize internally so CodexMessageProcessor does not have to concern
-                // itself with the `initialized` bool.
-                ClientRequest::Initialize { request_id, params } => {
-                    if self.initialized {
-                        let error = JSONRPCErrorError {
-                            code: INVALID_REQUEST_ERROR_CODE,
-                            message: "Already initialized".to_string(),
-                            data: None,
-                        };
-                        self.outgoing.send_error(request_id, error).await;
-                        return;
-                    } else {
-                        let ClientInfo {
-                            name,
-                            title: _title,
-                            version,
-                        } = params.client_info;
-                        let user_agent_suffix = format!("{name}; {version}");
-                        if let Ok(mut suffix) = USER_AGENT_SUFFIX.lock() {
-                            *suffix = Some(user_agent_suffix);
-                        }
+        let request_json = match serde_json::to_value(&request) {
+            Ok(request_json) => request_json,
+            Err(err) => {
+                let error = JSONRPCErrorError {
+                    code: INVALID_REQUEST_ERROR_CODE,
+                    message: format!("Invalid request: {err}"),
+                    data: None,
+                };
+                self.outgoing.send_error(request_id, error).await;
+                return;
+            }
+        };

-                        let user_agent = get_codex_user_agent();
-                        let response = InitializeResponse { user_agent };
-                        self.outgoing.send_response(request_id, response).await;
+        let codex_request = match serde_json::from_value::<ClientRequest>(request_json) {
+            Ok(codex_request) => codex_request,
+            Err(err) => {
+                let error = JSONRPCErrorError {
+                    code: INVALID_REQUEST_ERROR_CODE,
+                    message: format!("Invalid request: {err}"),
+                    data: None,
+                };
+                self.outgoing.send_error(request_id, error).await;
+                return;
+            }
+        };

-                        self.initialized = true;
-                        return;
-                    }
-                }
-                _ => {
-                    if !self.initialized {
-                        let error = JSONRPCErrorError {
-                            code: INVALID_REQUEST_ERROR_CODE,
-                            message: "Not initialized".to_string(),
-                            data: None,
-                        };
-                        self.outgoing.send_error(request_id, error).await;
-                        return;
+        match codex_request {
+            // Handle Initialize internally so CodexMessageProcessor does not have to concern
+            // itself with the `initialized` bool.
+            ClientRequest::Initialize { request_id, params } => {
+                if self.initialized {
+                    let error = JSONRPCErrorError {
+                        code: INVALID_REQUEST_ERROR_CODE,
+                        message: "Already initialized".to_string(),
+                        data: None,
+                    };
+                    self.outgoing.send_error(request_id, error).await;
+                    return;
+                } else {
+                    let ClientInfo {
+                        name,
+                        title: _title,
+                        version,
+                    } = params.client_info;
+                    let user_agent_suffix = format!("{name}; {version}");
+                    if let Ok(mut suffix) = USER_AGENT_SUFFIX.lock() {
+                        *suffix = Some(user_agent_suffix);
                    }
+
+                    let user_agent = get_codex_user_agent();
+                    let response = InitializeResponse { user_agent };
+                    self.outgoing.send_response(request_id, response).await;
+
+                    self.initialized = true;
+                    return;
+                }
+            }
+            _ => {
+                if !self.initialized {
+                    let error = JSONRPCErrorError {
+                        code: INVALID_REQUEST_ERROR_CODE,
+                        message: "Not initialized".to_string(),
+                        data: None,
+                    };
+                    self.outgoing.send_error(request_id, error).await;
+                    return;
                }
            }
-
-            self.codex_message_processor
-                .process_request(codex_request)
-                .await;
-        } else {
-            let error = JSONRPCErrorError {
-                code: INVALID_REQUEST_ERROR_CODE,
-                message: "Invalid request".to_string(),
-                data: None,
-            };
-            self.outgoing.send_error(request_id, error).await;
        }
+
+        self.codex_message_processor
+            .process_request(codex_request)
+            .await;
    }

    pub(crate) async fn process_notification(&self, notification: JSONRPCNotification) {
--- a/codex-rs/app-server/tests/suite/send_message.rs
+++ b/codex-rs/app-server/tests/suite/send_message.rs
@@ -313,10 +313,11 @@ fn assert_instructions_message(item: &ResponseItem) {
        ResponseItem::Message { role, content, .. } => {
            assert_eq!(role, "user");
            let texts = content_texts(content);
+            let is_instructions = texts
+                .iter()
+                .any(|text| text.starts_with("# AGENTS.md instructions for "));
            assert!(
-                texts
-                    .iter()
-                    .any(|text| text.contains("<user_instructions>")),
+                is_instructions,
                "expected instructions message, got {texts:?}"
            );
        }
--- a/codex-rs/cli/src/mcp_cmd.rs
+++ b/codex-rs/cli/src/mcp_cmd.rs
@@ -353,7 +353,7 @@ async fn run_login(config_overrides: &CliConfigOverrides, login_args: LoginArgs)
        .context("failed to load configuration")?;

    if !config.features.enabled(Feature::RmcpClient) {
-        bail!("OAuth login is only supported when [feature].rmcp_client is true in config.toml.");
+        bail!("OAuth login is only supported when [features].rmcp_client is true in config.toml.");
    }

    let LoginArgs { name, scopes } = login_args;
--- a/codex-rs/cloud-tasks-client/Cargo.toml
+++ b/codex-rs/cloud-tasks-client/Cargo.toml
@@ -22,6 +22,6 @@ chrono = { version = "0.4", features = ["serde"] }
 diffy = "0.4.2"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
-thiserror = "2.0.12"
+thiserror = "2.0.17"
 codex-backend-client = { path = "../backend-client", optional = true }
 codex-git = { workspace = true }
--- a/codex-rs/core/Cargo.toml
+++ b/codex-rs/core/Cargo.toml
@@ -80,7 +80,7 @@ toml_edit = { workspace = true }
 tracing = { workspace = true, features = ["log"] }
 tree-sitter = { workspace = true }
 tree-sitter-bash = { workspace = true }
-uuid = { workspace = true, features = ["serde", "v4"] }
+uuid = { workspace = true, features = ["serde", "v4", "v5"] }
 which = { workspace = true }
 wildmatch = { workspace = true }
 codex_windows_sandbox = { package = "codex-windows-sandbox", path = "../windows-sandbox-rs" }
--- a/codex-rs/core/src/client.rs
+++ b/codex-rs/core/src/client.rs
@@ -931,8 +931,10 @@ async fn stream_from_fixture(
 fn rate_limit_regex() -> &'static Regex {
    static RE: OnceLock<Regex> = OnceLock::new();

+    // Match both OpenAI-style messages like "Please try again in 1.898s"
+    // and Azure OpenAI-style messages like "Try again in 35 seconds".
    #[expect(clippy::unwrap_used)]
-    RE.get_or_init(|| Regex::new(r"Please try again in (\d+(?:\.\d+)?)(s|ms)").unwrap())
+    RE.get_or_init(|| Regex::new(r"(?i)try again in\s*(\d+(?:\.\d+)?)\s*(s|ms|seconds?)").unwrap())
 }

 fn try_parse_retry_after(err: &Error) -> Option<Duration> {
@@ -940,7 +942,8 @@ fn try_parse_retry_after(err: &Error) -> Option<Duration> {
        return None;
    }

-    // parse the Please try again in 1.898s format using regex
+    // parse retry hints like "try again in 1.898s" or
+    // "Try again in 35 seconds" using regex
    let re = rate_limit_regex();
    if let Some(message) = &err.message
        && let Some(captures) = re.captures(message)
@@ -950,9 +953,9 @@ fn try_parse_retry_after(err: &Error) -> Option<Duration> {

        if let (Some(value), Some(unit)) = (seconds, unit) {
            let value = value.as_str().parse::<f64>().ok()?;
-            let unit = unit.as_str();
+            let unit = unit.as_str().to_ascii_lowercase();

-            if unit == "s" {
+            if unit == "s" || unit.starts_with("second") {
                return Some(Duration::from_secs_f64(value));
            } else if unit == "ms" {
                return Some(Duration::from_millis(value as u64));
@@ -1427,6 +1430,19 @@ mod tests {
        assert_eq!(delay, Some(Duration::from_secs_f64(1.898)));
    }

+    #[test]
+    fn test_try_parse_retry_after_azure() {
+        let err = Error {
+            r#type: None,
+            message: Some("Rate limit exceeded. Try again in 35 seconds.".to_string()),
+            code: Some("rate_limit_exceeded".to_string()),
+            plan_type: None,
+            resets_at: None,
+        };
+        let delay = try_parse_retry_after(&err);
+        assert_eq!(delay, Some(Duration::from_secs(35)));
+    }
+
    #[test]
    fn error_response_deserializes_schema_known_plan_type_and_serializes_back() {
        use crate::token_data::KnownPlan;
--- a/codex-rs/core/src/codex.rs
+++ b/codex-rs/core/src/codex.rs
@@ -1003,7 +1003,13 @@ impl Session {
            items.push(DeveloperInstructions::new(developer_instructions.to_string()).into());
        }
        if let Some(user_instructions) = turn_context.user_instructions.as_deref() {
-            items.push(UserInstructions::new(user_instructions.to_string()).into());
+            items.push(
+                UserInstructions {
+                    text: user_instructions.to_string(),
+                    directory: turn_context.cwd.to_string_lossy().into_owned(),
+                }
+                .into(),
+            );
        }
        items.push(ResponseItem::from(EnvironmentContext::new(
            Some(turn_context.cwd.clone()),
--- a/codex-rs/core/src/codex/compact.rs
+++ b/codex-rs/core/src/codex/compact.rs
@@ -13,9 +13,9 @@ use crate::protocol::ErrorEvent;
 use crate::protocol::EventMsg;
 use crate::protocol::TaskStartedEvent;
 use crate::protocol::TurnContextItem;
+use crate::protocol::WarningEvent;
 use crate::truncate::truncate_middle;
 use crate::util::backoff;
-use askama::Template;
 use codex_protocol::items::TurnItem;
 use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseInputItem;
@@ -28,13 +28,6 @@ use tracing::error;
 pub const SUMMARIZATION_PROMPT: &str = include_str!("../../templates/compact/prompt.md");
 const COMPACT_USER_MESSAGE_MAX_TOKENS: usize = 20_000;

-#[derive(Template)]
-#[template(path = "compact/history_bridge.md", escape = "none")]
-struct HistoryBridgeTemplate<'a> {
-    user_messages_text: &'a str,
-    summary_text: &'a str,
-}
-
 pub(crate) async fn run_inline_auto_compact_task(
    sess: Arc<Session>,
    turn_context: Arc<TurnContext>,
@@ -149,6 +142,7 @@ async fn run_compact_task_inner(
    let history_snapshot = sess.clone_history().await.get_history();
    let summary_text = get_last_assistant_message_from_turn(&history_snapshot).unwrap_or_default();
    let user_messages = collect_user_messages(&history_snapshot);
+
    let initial_context = sess.build_initial_context(turn_context.as_ref());
    let mut new_history = build_compacted_history(initial_context, &user_messages, &summary_text);
    let ghost_snapshots: Vec<ResponseItem> = history_snapshot
@@ -168,6 +162,11 @@ async fn run_compact_task_inner(
        message: "Compact task completed".to_string(),
    });
    sess.send_event(&turn_context, event).await;
+
+    let warning = EventMsg::Warning(WarningEvent {
+        message: "Heads up: Long conversations and multiple compactions can cause the model to be less accurate. Start new a new conversation when possible to keep conversations small and targeted.".to_string(),
+    });
+    sess.send_event(&turn_context, warning).await;
 }

 pub fn content_items_to_text(content: &[ContentItem]) -> Option<String> {
@@ -218,33 +217,47 @@ fn build_compacted_history_with_limit(
    summary_text: &str,
    max_bytes: usize,
 ) -> Vec<ResponseItem> {
-    let mut user_messages_text = if user_messages.is_empty() {
-        "(none)".to_string()
-    } else {
-        user_messages.join("\n\n")
-    };
-    // Truncate the concatenated prior user messages so the bridge message
-    // stays well under the context window (approx. 4 bytes/token).
-    if user_messages_text.len() > max_bytes {
-        user_messages_text = truncate_middle(&user_messages_text, max_bytes).0;
+    let mut selected_messages: Vec<String> = Vec::new();
+    if max_bytes > 0 {
+        let mut remaining = max_bytes;
+        for message in user_messages.iter().rev() {
+            if remaining == 0 {
+                break;
+            }
+            if message.len() <= remaining {
+                selected_messages.push(message.clone());
+                remaining = remaining.saturating_sub(message.len());
+            } else {
+                let (truncated, _) = truncate_middle(message, remaining);
+                selected_messages.push(truncated);
+                break;
+            }
+        }
+        selected_messages.reverse();
    }
+
+    for message in &selected_messages {
+        history.push(ResponseItem::Message {
+            id: None,
+            role: "user".to_string(),
+            content: vec![ContentItem::InputText {
+                text: message.clone(),
+            }],
+        });
+    }
+
    let summary_text = if summary_text.is_empty() {
        "(no summary available)".to_string()
    } else {
        summary_text.to_string()
    };
-    let Ok(bridge) = HistoryBridgeTemplate {
-        user_messages_text: &user_messages_text,
-        summary_text: &summary_text,
-    }
-    .render() else {
-        return vec![];
-    };
+
    history.push(ResponseItem::Message {
        id: None,
        role: "user".to_string(),
-        content: vec![ContentItem::InputText { text: bridge }],
+        content: vec![ContentItem::InputText { text: summary_text }],
    });
+
    history
 }

@@ -347,7 +360,8 @@ mod tests {
                id: None,
                role: "user".to_string(),
                content: vec![ContentItem::InputText {
-                    text: "<user_instructions>do things</user_instructions>".to_string(),
+                    text: "# AGENTS.md instructions for project\n\n<INSTRUCTIONS>\ndo things\n</INSTRUCTIONS>"
+                        .to_string(),
                }],
            },
            ResponseItem::Message {
@@ -383,30 +397,55 @@ mod tests {
            "SUMMARY",
            max_bytes,
        );
+        assert_eq!(history.len(), 2);

-        // Expect exactly one bridge message added to history (plus any initial context we provided, which is none).
-        assert_eq!(history.len(), 1);
+        let truncated_message = &history[0];
+        let summary_message = &history[1];

-        // Extract the text content of the bridge message.
-        let bridge_text = match &history[0] {
+        let truncated_text = match truncated_message {
            ResponseItem::Message { role, content, .. } if role == "user" => {
                content_items_to_text(content).unwrap_or_default()
            }
            other => panic!("unexpected item in history: {other:?}"),
        };

-        // The bridge should contain the truncation marker and not the full original payload.
        assert!(
-            bridge_text.contains("tokens truncated"),
-            "expected truncation marker in bridge message"
+            truncated_text.contains("tokens truncated"),
+            "expected truncation marker in truncated user message"
        );
        assert!(
-            !bridge_text.contains(&big),
-            "bridge should not include the full oversized user text"
+            !truncated_text.contains(&big),
+            "truncated user message should not include the full oversized user text"
        );
+
+        let summary_text = match summary_message {
+            ResponseItem::Message { role, content, .. } if role == "user" => {
+                content_items_to_text(content).unwrap_or_default()
+            }
+            other => panic!("unexpected item in history: {other:?}"),
+        };
+        assert_eq!(summary_text, "SUMMARY");
+    }
+
+    #[test]
+    fn build_compacted_history_appends_summary_message() {
+        let initial_context: Vec<ResponseItem> = Vec::new();
+        let user_messages = vec!["first user message".to_string()];
+        let summary_text = "summary text";
+
+        let history = build_compacted_history(initial_context, &user_messages, summary_text);
        assert!(
-            bridge_text.contains("SUMMARY"),
-            "bridge should include the provided summary text"
+            !history.is_empty(),
+            "expected compacted history to include summary"
        );
+
+        let last = history.last().expect("history should have a summary entry");
+        let summary = match last {
+            ResponseItem::Message { role, content, .. } if role == "user" => {
+                content_items_to_text(content).unwrap_or_default()
+            }
+            other => panic!("expected summary message, found {other:?}"),
+        };
+        assert_eq!(summary, summary_text);
    }
 }
--- a/codex-rs/core/src/conversation_history.rs
+++ b/codex-rs/core/src/conversation_history.rs
@@ -366,23 +366,10 @@ impl ConversationHistory {
        match item {
            ResponseItem::FunctionCallOutput { call_id, output } => {
                let truncated = format_output_for_model_body(output.content.as_str());
-                let truncated_items = output.content_items.as_ref().map(|items| {
-                    items
-                        .iter()
-                        .map(|it| match it {
-                            FunctionCallOutputContentItem::InputText { text } => {
-                                FunctionCallOutputContentItem::InputText {
-                                    text: format_output_for_model_body(text),
-                                }
-                            }
-                            FunctionCallOutputContentItem::InputImage { image_url } => {
-                                FunctionCallOutputContentItem::InputImage {
-                                    image_url: image_url.clone(),
-                                }
-                            }
-                        })
-                        .collect()
-                });
+                let truncated_items = output
+                    .content_items
+                    .as_ref()
+                    .map(|items| globally_truncate_function_output_items(items));
                ResponseItem::FunctionCallOutput {
                    call_id: call_id.clone(),
                    output: FunctionCallOutputPayload {
@@ -411,6 +398,53 @@ impl ConversationHistory {
    }
 }

+fn globally_truncate_function_output_items(
+    items: &[FunctionCallOutputContentItem],
+) -> Vec<FunctionCallOutputContentItem> {
+    let mut out: Vec<FunctionCallOutputContentItem> = Vec::with_capacity(items.len());
+    let mut remaining = MODEL_FORMAT_MAX_BYTES;
+    let mut omitted_text_items = 0usize;
+
+    for it in items {
+        match it {
+            FunctionCallOutputContentItem::InputText { text } => {
+                if remaining == 0 {
+                    omitted_text_items += 1;
+                    continue;
+                }
+
+                let len = text.len();
+                if len <= remaining {
+                    out.push(FunctionCallOutputContentItem::InputText { text: text.clone() });
+                    remaining -= len;
+                } else {
+                    let slice = take_bytes_at_char_boundary(text, remaining);
+                    if !slice.is_empty() {
+                        out.push(FunctionCallOutputContentItem::InputText {
+                            text: slice.to_string(),
+                        });
+                    }
+                    remaining = 0;
+                }
+            }
+            // todo(aibrahim): handle input images; resize
+            FunctionCallOutputContentItem::InputImage { image_url } => {
+                out.push(FunctionCallOutputContentItem::InputImage {
+                    image_url: image_url.clone(),
+                });
+            }
+        }
+    }
+
+    if omitted_text_items > 0 {
+        out.push(FunctionCallOutputContentItem::InputText {
+            text: format!("[omitted {omitted_text_items} text items ...]"),
+        });
+    }
+
+    out
+}
+
 pub(crate) fn format_output_for_model_body(content: &str) -> String {
    // Head+tail truncation for the model: show the beginning and end with an elision.
    // Clients still receive full streams; only this formatted summary is capped.
@@ -856,6 +890,81 @@ mod tests {
        );
    }

+    #[test]
+    fn truncates_across_multiple_under_limit_texts_and_reports_omitted() {
+        // Arrange: several text items, none exceeding per-item limit, but total exceeds budget.
+        let budget = MODEL_FORMAT_MAX_BYTES;
+        let t1_len = (budget / 2).saturating_sub(10);
+        let t2_len = (budget / 2).saturating_sub(10);
+        let remaining_after_t1_t2 = budget.saturating_sub(t1_len + t2_len);
+        let t3_len = 50; // gets truncated to remaining_after_t1_t2
+        let t4_len = 5; // omitted
+        let t5_len = 7; // omitted
+
+        let t1 = "a".repeat(t1_len);
+        let t2 = "b".repeat(t2_len);
+        let t3 = "c".repeat(t3_len);
+        let t4 = "d".repeat(t4_len);
+        let t5 = "e".repeat(t5_len);
+
+        let item = ResponseItem::FunctionCallOutput {
+            call_id: "call-omit".to_string(),
+            output: FunctionCallOutputPayload {
+                content: "irrelevant".to_string(),
+                content_items: Some(vec![
+                    FunctionCallOutputContentItem::InputText { text: t1 },
+                    FunctionCallOutputContentItem::InputText { text: t2 },
+                    FunctionCallOutputContentItem::InputImage {
+                        image_url: "img:mid".to_string(),
+                    },
+                    FunctionCallOutputContentItem::InputText { text: t3 },
+                    FunctionCallOutputContentItem::InputText { text: t4 },
+                    FunctionCallOutputContentItem::InputText { text: t5 },
+                ]),
+                success: Some(true),
+            },
+        };
+
+        let mut history = ConversationHistory::new();
+        history.record_items([&item]);
+        assert_eq!(history.items.len(), 1);
+        let json = serde_json::to_value(&history.items[0]).expect("serialize to json");
+
+        let output = json
+            .get("output")
+            .expect("output field")
+            .as_array()
+            .expect("array output");
+
+        // Expect: t1 (full), t2 (full), image, t3 (truncated), summary mentioning 2 omitted.
+        assert_eq!(output.len(), 5);
+
+        let first = output[0].as_object().expect("first obj");
+        assert_eq!(first.get("type").unwrap(), "input_text");
+        let first_text = first.get("text").unwrap().as_str().unwrap();
+        assert_eq!(first_text.len(), t1_len);
+
+        let second = output[1].as_object().expect("second obj");
+        assert_eq!(second.get("type").unwrap(), "input_text");
+        let second_text = second.get("text").unwrap().as_str().unwrap();
+        assert_eq!(second_text.len(), t2_len);
+
+        assert_eq!(
+            output[2],
+            serde_json::json!({"type": "input_image", "image_url": "img:mid"})
+        );
+
+        let fourth = output[3].as_object().expect("fourth obj");
+        assert_eq!(fourth.get("type").unwrap(), "input_text");
+        let fourth_text = fourth.get("text").unwrap().as_str().unwrap();
+        assert_eq!(fourth_text.len(), remaining_after_t1_t2);
+
+        let summary = output[4].as_object().expect("summary obj");
+        assert_eq!(summary.get("type").unwrap(), "input_text");
+        let summary_text = summary.get("text").unwrap().as_str().unwrap();
+        assert!(summary_text.contains("omitted 2 text items"));
+    }
+
    //TODO(aibrahim): run CI in release mode.
    #[cfg(not(debug_assertions))]
    #[test]
--- a/codex-rs/core/src/environment_context.rs
+++ b/codex-rs/core/src/environment_context.rs
@@ -20,6 +20,14 @@ pub enum NetworkAccess {
    Restricted,
    Enabled,
 }
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+pub struct OperatingSystemInfo {
+    pub name: String,
+    pub version: String,
+    pub is_likely_windows_subsystem_for_linux: Option<bool>,
+}
+
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 #[serde(rename = "environment_context", rename_all = "snake_case")]
 pub(crate) struct EnvironmentContext {
@@ -29,6 +37,7 @@ pub(crate) struct EnvironmentContext {
    pub network_access: Option<NetworkAccess>,
    pub writable_roots: Option<Vec<PathBuf>>,
    pub shell: Option<Shell>,
+    pub operating_system: Option<OperatingSystemInfo>,
 }

 impl EnvironmentContext {
@@ -70,6 +79,7 @@ impl EnvironmentContext {
                _ => None,
            },
            shell,
+            operating_system: Self::operating_system_info(),
        }
    }

@@ -83,6 +93,7 @@ impl EnvironmentContext {
            sandbox_mode,
            network_access,
            writable_roots,
+            operating_system,
            // should compare all fields except shell
            shell: _,
        } = other;
@@ -92,6 +103,7 @@ impl EnvironmentContext {
            && self.sandbox_mode == *sandbox_mode
            && self.network_access == *network_access
            && self.writable_roots == *writable_roots
+            && self.operating_system == *operating_system
    }

    pub fn diff(before: &TurnContext, after: &TurnContext) -> Self {
@@ -110,7 +122,12 @@ impl EnvironmentContext {
        } else {
            None
        };
-        EnvironmentContext::new(cwd, approval_policy, sandbox_policy, None)
+        // Diff messages should only include fields that changed between turns.
+        // Operating system is a static property of the host and should not be
+        // emitted as part of a per-turn diff.
+        let mut ec = EnvironmentContext::new(cwd, approval_policy, sandbox_policy, None);
+        ec.operating_system = None;
+        ec
    }
 }

@@ -141,10 +158,11 @@ impl EnvironmentContext {
    ///   <shell>...</shell>
    /// </environment_context>
    /// ```
-    pub fn serialize_to_xml(self) -> String {
+    pub fn serialize_to_xml(&self) -> String {
        let mut lines = vec![ENVIRONMENT_CONTEXT_OPEN_TAG.to_string()];
-        if let Some(cwd) = self.cwd {
-            lines.push(format!("  <cwd>{}</cwd>", cwd.to_string_lossy()));
+        if let Some(cwd) = self.cwd.as_ref() {
+            let cwd = cwd.to_string_lossy();
+            lines.push(format!("  <cwd>{cwd}</cwd>"));
        }
        if let Some(approval_policy) = self.approval_policy {
            lines.push(format!(
@@ -154,29 +172,44 @@ impl EnvironmentContext {
        if let Some(sandbox_mode) = self.sandbox_mode {
            lines.push(format!("  <sandbox_mode>{sandbox_mode}</sandbox_mode>"));
        }
-        if let Some(network_access) = self.network_access {
+        if let Some(network_access) = self.network_access.as_ref() {
            lines.push(format!(
                "  <network_access>{network_access}</network_access>"
            ));
        }
-        if let Some(writable_roots) = self.writable_roots {
+        if let Some(writable_roots) = self.writable_roots.as_ref() {
            lines.push("  <writable_roots>".to_string());
            for writable_root in writable_roots {
-                lines.push(format!(
-                    "    <root>{}</root>",
-                    writable_root.to_string_lossy()
-                ));
+                let writable_root = writable_root.to_string_lossy();
+                lines.push(format!("    <root>{writable_root}</root>"));
            }
            lines.push("  </writable_roots>".to_string());
        }
-        if let Some(shell) = self.shell
+        if let Some(shell) = self.shell.as_ref()
            && let Some(shell_name) = shell.name()
        {
            lines.push(format!("  <shell>{shell_name}</shell>"));
        }
+        if let Some(operating_system) = self.operating_system.as_ref() {
+            lines.push("  <operating_system>".to_string());
+            let name = operating_system.name.as_str();
+            lines.push(format!("    <name>{name}</name>"));
+            let version = operating_system.version.as_str();
+            lines.push(format!("    <version>{version}</version>"));
+            if let Some(is_wsl) = operating_system.is_likely_windows_subsystem_for_linux {
+                lines.push(format!(
+                    "    <is_likely_windows_subsystem_for_linux>{is_wsl}</is_likely_windows_subsystem_for_linux>"
+                ));
+            }
+            lines.push("  </operating_system>".to_string());
+        }
        lines.push(ENVIRONMENT_CONTEXT_CLOSE_TAG.to_string());
        lines.join("\n")
    }
+
+    fn operating_system_info() -> Option<OperatingSystemInfo> {
+        operating_system_info_impl()
+    }
 }

 impl From<EnvironmentContext> for ResponseItem {
@@ -191,6 +224,47 @@ impl From<EnvironmentContext> for ResponseItem {
    }
 }

+// Restrict Operating System Info to Windows and Linux inside WSL for now
+#[cfg(target_os = "windows")]
+fn operating_system_info_impl() -> Option<OperatingSystemInfo> {
+    let info = os_info::get();
+    Some(OperatingSystemInfo {
+        name: info.os_type().to_string(),
+        version: info.version().to_string(),
+        is_likely_windows_subsystem_for_linux: Some(has_wsl_env_markers()),
+    })
+}
+
+#[cfg(all(unix, not(target_os = "macos")))]
+fn operating_system_info_impl() -> Option<OperatingSystemInfo> {
+    let info = os_info::get();
+    match has_wsl_env_markers() {
+        true => Some(OperatingSystemInfo {
+            name: info.os_type().to_string(),
+            version: info.version().to_string(),
+            is_likely_windows_subsystem_for_linux: Some(true),
+        }),
+        false => None,
+    }
+}
+
+#[cfg(target_os = "macos")]
+fn operating_system_info_impl() -> Option<OperatingSystemInfo> {
+    None
+}
+
+#[cfg(not(target_os = "macos"))]
+fn has_wsl_env_markers() -> bool {
+    // Cache detection result since env vars are stable across process lifetime
+    // and this function may be called multiple times.
+    static CACHE: std::sync::OnceLock<bool> = std::sync::OnceLock::new();
+    *CACHE.get_or_init(|| {
+        std::env::var_os("WSL_INTEROP").is_some()
+            || std::env::var_os("WSLENV").is_some()
+            || std::env::var_os("WSL_DISTRO_NAME").is_some()
+    })
+}
+
 #[cfg(test)]
 mod tests {
    use crate::shell::BashShell;
@@ -198,6 +272,58 @@ mod tests {

    use super::*;
    use pretty_assertions::assert_eq;
+    fn expected_environment_context(mut body_lines: Vec<String>) -> String {
+        let mut lines = vec!["<environment_context>".to_string()];
+        lines.append(&mut body_lines);
+        if let Some(os) = EnvironmentContext::operating_system_info() {
+            lines.push("  <operating_system>".to_string());
+            lines.push(format!("    <name>{}</name>", os.name));
+            lines.push(format!("    <version>{}</version>", os.version));
+            if let Some(is_wsl) = os.is_likely_windows_subsystem_for_linux {
+                lines.push(format!(
+                    "    <is_likely_windows_subsystem_for_linux>{is_wsl}</is_likely_windows_subsystem_for_linux>"
+                ));
+            }
+            lines.push("  </operating_system>".to_string());
+        }
+        lines.push("</environment_context>".to_string());
+        lines.join("\n")
+    }
+
+    #[cfg(target_os = "windows")]
+    #[test]
+    fn operating_system_info_on_windows_includes_os_details() {
+        let info = operating_system_info_impl().expect("expected Windows operating system info");
+        let os_details = os_info::get();
+
+        assert_eq!(info.name, os_details.os_type().to_string());
+        assert_eq!(info.version, os_details.version().to_string());
+        assert_eq!(
+            info.is_likely_windows_subsystem_for_linux,
+            Some(has_wsl_env_markers())
+        );
+    }
+
+    #[cfg(all(unix, not(target_os = "macos")))]
+    #[test]
+    fn operating_system_info_matches_wsl_detection_on_unix() {
+        let info = operating_system_info_impl();
+        let os_details = os_info::get();
+        if has_wsl_env_markers() {
+            let info = info.expect("expected WSL operating system info");
+            assert_eq!(info.name, os_details.os_type().to_string());
+            assert_eq!(info.version, os_details.version().to_string());
+            assert_eq!(info.is_likely_windows_subsystem_for_linux, Some(true));
+        } else {
+            assert_eq!(info, None);
+        }
+    }
+
+    #[cfg(target_os = "macos")]
+    #[test]
+    fn operating_system_info_is_none_on_macos() {
+        assert_eq!(operating_system_info_impl(), None);
+    }

    fn workspace_write_policy(writable_roots: Vec<&str>, network_access: bool) -> SandboxPolicy {
        SandboxPolicy::WorkspaceWrite {
@@ -217,16 +343,16 @@ mod tests {
            None,
        );

-        let expected = r#"<environment_context>
-  <cwd>/repo</cwd>
-  <approval_policy>on-request</approval_policy>
-  <sandbox_mode>workspace-write</sandbox_mode>
-  <network_access>restricted</network_access>
-  <writable_roots>
-    <root>/repo</root>
-    <root>/tmp</root>
-  </writable_roots>
-</environment_context>"#;
+        let expected = expected_environment_context(vec![
+            "  <cwd>/repo</cwd>".to_string(),
+            "  <approval_policy>on-request</approval_policy>".to_string(),
+            "  <sandbox_mode>workspace-write</sandbox_mode>".to_string(),
+            "  <network_access>restricted</network_access>".to_string(),
+            "  <writable_roots>".to_string(),
+            "    <root>/repo</root>".to_string(),
+            "    <root>/tmp</root>".to_string(),
+            "  </writable_roots>".to_string(),
+        ]);

        assert_eq!(context.serialize_to_xml(), expected);
    }
@@ -240,11 +366,11 @@ mod tests {
            None,
        );

-        let expected = r#"<environment_context>
-  <approval_policy>never</approval_policy>
-  <sandbox_mode>read-only</sandbox_mode>
-  <network_access>restricted</network_access>
-</environment_context>"#;
+        let expected = expected_environment_context(vec![
+            "  <approval_policy>never</approval_policy>".to_string(),
+            "  <sandbox_mode>read-only</sandbox_mode>".to_string(),
+            "  <network_access>restricted</network_access>".to_string(),
+        ]);

        assert_eq!(context.serialize_to_xml(), expected);
    }
@@ -258,11 +384,11 @@ mod tests {
            None,
        );

-        let expected = r#"<environment_context>
-  <approval_policy>on-failure</approval_policy>
-  <sandbox_mode>danger-full-access</sandbox_mode>
-  <network_access>enabled</network_access>
-</environment_context>"#;
+        let expected = expected_environment_context(vec![
+            "  <approval_policy>on-failure</approval_policy>".to_string(),
+            "  <sandbox_mode>danger-full-access</sandbox_mode>".to_string(),
+            "  <network_access>enabled</network_access>".to_string(),
+        ]);

        assert_eq!(context.serialize_to_xml(), expected);
    }
--- a/codex-rs/core/src/error.rs
+++ b/codex-rs/core/src/error.rs
@@ -255,7 +255,7 @@ impl std::fmt::Display for UsageLimitReachedError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        let message = match self.plan_type.as_ref() {
            Some(PlanType::Known(KnownPlan::Plus)) => format!(
-                "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing), visit chatgpt.com/codex/settings/usage to purchase more credits{}",
+                "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing), visit https://chatgpt.com/codex/settings/usage to purchase more credits{}",
                retry_suffix_after_or(self.resets_at.as_ref())
            ),
            Some(PlanType::Known(KnownPlan::Team)) | Some(PlanType::Known(KnownPlan::Business)) => {
@@ -269,7 +269,7 @@ impl std::fmt::Display for UsageLimitReachedError {
                    .to_string()
            }
            Some(PlanType::Known(KnownPlan::Pro)) => format!(
-                "You've hit your usage limit. Visit chatgpt.com/codex/settings/usage to purchase more credits{}",
+                "You've hit your usage limit. Visit https://chatgpt.com/codex/settings/usage to purchase more credits{}",
                retry_suffix_after_or(self.resets_at.as_ref())
            ),
            Some(PlanType::Known(KnownPlan::Enterprise))
@@ -460,7 +460,7 @@ mod tests {
        };
        assert_eq!(
            err.to_string(),
-            "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing), visit chatgpt.com/codex/settings/usage to purchase more credits or try again later."
+            "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing), visit https://chatgpt.com/codex/settings/usage to purchase more credits or try again later."
        );
    }

@@ -613,7 +613,7 @@ mod tests {
                rate_limits: Some(rate_limit_snapshot()),
            };
            let expected = format!(
-                "You've hit your usage limit. Visit chatgpt.com/codex/settings/usage to purchase more credits or try again at {expected_time}."
+                "You've hit your usage limit. Visit https://chatgpt.com/codex/settings/usage to purchase more credits or try again at {expected_time}."
            );
            assert_eq!(err.to_string(), expected);
        });
@@ -647,7 +647,7 @@ mod tests {
                rate_limits: Some(rate_limit_snapshot()),
            };
            let expected = format!(
-                "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing), visit chatgpt.com/codex/settings/usage to purchase more credits or try again at {expected_time}."
+                "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing), visit https://chatgpt.com/codex/settings/usage to purchase more credits or try again at {expected_time}."
            );
            assert_eq!(err.to_string(), expected);
        });
--- a/codex-rs/core/src/event_mapping.rs
+++ b/codex-rs/core/src/event_mapping.rs
@@ -13,13 +13,19 @@ use codex_protocol::user_input::UserInput;
 use tracing::warn;
 use uuid::Uuid;

+use crate::user_instructions::UserInstructions;
+
 fn is_session_prefix(text: &str) -> bool {
    let trimmed = text.trim_start();
    let lowered = trimmed.to_ascii_lowercase();
-    lowered.starts_with("<environment_context>") || lowered.starts_with("<user_instructions>")
+    lowered.starts_with("<environment_context>")
 }

 fn parse_user_message(message: &[ContentItem]) -> Option<UserMessageItem> {
+    if UserInstructions::is_user_instructions(message) {
+        return None;
+    }
+
    let mut content: Vec<UserInput> = Vec::new();

    for content_item in message.iter() {
@@ -167,6 +173,38 @@ mod tests {
        }
    }

+    #[test]
+    fn skips_user_instructions_and_env() {
+        let items = vec![
+            ResponseItem::Message {
+                id: None,
+                role: "user".to_string(),
+                content: vec![ContentItem::InputText {
+                    text: "<user_instructions>test_text</user_instructions>".to_string(),
+                }],
+            },
+            ResponseItem::Message {
+                id: None,
+                role: "user".to_string(),
+                content: vec![ContentItem::InputText {
+                    text: "<environment_context>test_text</environment_context>".to_string(),
+                }],
+            },
+            ResponseItem::Message {
+                id: None,
+                role: "user".to_string(),
+                content: vec![ContentItem::InputText {
+                    text: "# AGENTS.md instructions for test_directory\n\n<INSTRUCTIONS>\ntest_text\n</INSTRUCTIONS>".to_string(),
+                }],
+            },
+        ];
+
+        for item in items {
+            let turn_item = parse_turn_item(&item);
+            assert!(turn_item.is_none(), "expected none, got {turn_item:?}");
+        }
+    }
+
    #[test]
    fn parses_agent_message() {
        let item = ResponseItem::Message {
--- a/codex-rs/core/src/features/legacy.rs
+++ b/codex-rs/core/src/features/legacy.rs
@@ -123,7 +123,7 @@ fn set_if_some(
    if let Some(enabled) = maybe_value {
        set_feature(features, feature, enabled);
        log_alias(alias_key, feature);
-        features.record_legacy_usage_force(alias_key, feature);
+        features.record_legacy_usage(alias_key, feature);
    }
 }

--- a/codex-rs/core/src/rollout/policy.rs
+++ b/codex-rs/core/src/rollout/policy.rs
@@ -46,6 +46,7 @@ pub(crate) fn should_persist_event_msg(ev: &EventMsg) -> bool {
        | EventMsg::UndoCompleted(_)
        | EventMsg::TurnAborted(_) => true,
        EventMsg::Error(_)
+        | EventMsg::Warning(_)
        | EventMsg::TaskStarted(_)
        | EventMsg::TaskComplete(_)
        | EventMsg::AgentMessageDelta(_)
--- a/codex-rs/core/src/sandboxing/assessment.rs
+++ b/codex-rs/core/src/sandboxing/assessment.rs
@@ -25,16 +25,6 @@ use tracing::warn;

 const SANDBOX_ASSESSMENT_TIMEOUT: Duration = Duration::from_secs(5);

-const SANDBOX_RISK_CATEGORY_VALUES: &[&str] = &[
-    "data_deletion",
-    "data_exfiltration",
-    "privilege_escalation",
-    "system_modification",
-    "network_access",
-    "resource_exhaustion",
-    "compliance",
-];
-
 #[derive(Template)]
 #[template(path = "sandboxing/assessment_prompt.md", escape = "none")]
 struct SandboxAssessmentPromptTemplate<'a> {
@@ -176,27 +166,26 @@ pub(crate) async fn assess_command(
                    call_id,
                    "success",
                    Some(assessment.risk_level),
-                    &assessment.risk_categories,
                    duration,
                );
                return Some(assessment);
            }
            Err(err) => {
                warn!("failed to parse sandbox assessment JSON: {err}");
-                parent_otel.sandbox_assessment(call_id, "parse_error", None, &[], duration);
+                parent_otel.sandbox_assessment(call_id, "parse_error", None, duration);
            }
        },
        Ok(Ok(None)) => {
            warn!("sandbox assessment response did not include any message");
-            parent_otel.sandbox_assessment(call_id, "no_output", None, &[], duration);
+            parent_otel.sandbox_assessment(call_id, "no_output", None, duration);
        }
        Ok(Err(err)) => {
            warn!("sandbox assessment failed: {err}");
-            parent_otel.sandbox_assessment(call_id, "model_error", None, &[], duration);
+            parent_otel.sandbox_assessment(call_id, "model_error", None, duration);
        }
        Err(_) => {
            warn!("sandbox assessment timed out");
-            parent_otel.sandbox_assessment(call_id, "timeout", None, &[], duration);
+            parent_otel.sandbox_assessment(call_id, "timeout", None, duration);
        }
    }

@@ -229,7 +218,7 @@ fn sandbox_roots_for_prompt(policy: &SandboxPolicy, cwd: &Path) -> Vec<PathBuf>
 fn sandbox_assessment_schema() -> serde_json::Value {
    json!({
        "type": "object",
-        "required": ["description", "risk_level", "risk_categories"],
+        "required": ["description", "risk_level"],
        "properties": {
            "description": {
                "type": "string",
@@ -240,13 +229,6 @@ fn sandbox_assessment_schema() -> serde_json::Value {
                "type": "string",
                "enum": ["low", "medium", "high"]
            },
-            "risk_categories": {
-                "type": "array",
-                "items": {
-                    "type": "string",
-                    "enum": SANDBOX_RISK_CATEGORY_VALUES
-                }
-            }
        },
        "additionalProperties": false
    })
--- a/codex-rs/core/src/tools/orchestrator.rs
+++ b/codex-rs/core/src/tools/orchestrator.rs
@@ -54,12 +54,21 @@ impl ToolOrchestrator {
        let mut already_approved = false;

        if needs_initial_approval {
+            let mut risk = None;
+
+            if let Some(metadata) = req.sandbox_retry_data() {
+                risk = tool_ctx
+                    .session
+                    .assess_sandbox_command(turn_ctx, &tool_ctx.call_id, &metadata.command, None)
+                    .await;
+            }
+
            let approval_ctx = ApprovalCtx {
                session: tool_ctx.session,
                turn: turn_ctx,
                call_id: &tool_ctx.call_id,
                retry_reason: None,
-                risk: None,
+                risk,
            };
            let decision = tool.start_approval_async(req, approval_ctx).await;

--- a/codex-rs/core/src/user_instructions.rs
+++ b/codex-rs/core/src/user_instructions.rs
@@ -3,29 +3,25 @@ use serde::Serialize;

 use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseItem;
-use codex_protocol::protocol::USER_INSTRUCTIONS_CLOSE_TAG;
-use codex_protocol::protocol::USER_INSTRUCTIONS_OPEN_TAG;

-/// Wraps user instructions in a tag so the model can classify them easily.
+pub const USER_INSTRUCTIONS_OPEN_TAG_LEGACY: &str = "<user_instructions>";
+pub const USER_INSTRUCTIONS_PREFIX: &str = "# AGENTS.md instructions for ";

 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 #[serde(rename = "user_instructions", rename_all = "snake_case")]
 pub(crate) struct UserInstructions {
-    text: String,
+    pub directory: String,
+    pub text: String,
 }

 impl UserInstructions {
-    pub fn new<T: Into<String>>(text: T) -> Self {
-        Self { text: text.into() }
-    }
-
-    /// Serializes the user instructions to an XML-like tagged block that starts
-    /// with <user_instructions> so clients can classify it.
-    pub fn serialize_to_xml(self) -> String {
-        format!(
-            "{USER_INSTRUCTIONS_OPEN_TAG}\n\n{}\n\n{USER_INSTRUCTIONS_CLOSE_TAG}",
-            self.text
-        )
+    pub fn is_user_instructions(message: &[ContentItem]) -> bool {
+        if let [ContentItem::InputText { text }] = message {
+            text.starts_with(USER_INSTRUCTIONS_PREFIX)
+                || text.starts_with(USER_INSTRUCTIONS_OPEN_TAG_LEGACY)
+        } else {
+            false
+        }
    }
 }

@@ -35,7 +31,11 @@ impl From<UserInstructions> for ResponseItem {
            id: None,
            role: "user".to_string(),
            content: vec![ContentItem::InputText {
-                text: ui.serialize_to_xml(),
+                text: format!(
+                    "{USER_INSTRUCTIONS_PREFIX}{directory}\n\n<INSTRUCTIONS>\n{contents}\n</INSTRUCTIONS>",
+                    directory = ui.directory,
+                    contents = ui.text
+                ),
            }],
        }
    }
@@ -68,3 +68,51 @@ impl From<DeveloperInstructions> for ResponseItem {
        }
    }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_user_instructions() {
+        let user_instructions = UserInstructions {
+            directory: "test_directory".to_string(),
+            text: "test_text".to_string(),
+        };
+        let response_item: ResponseItem = user_instructions.into();
+
+        let ResponseItem::Message { role, content, .. } = response_item else {
+            panic!("expected ResponseItem::Message");
+        };
+
+        assert_eq!(role, "user");
+
+        let [ContentItem::InputText { text }] = content.as_slice() else {
+            panic!("expected one InputText content item");
+        };
+
+        assert_eq!(
+            text,
+            "# AGENTS.md instructions for test_directory\n\n<INSTRUCTIONS>\ntest_text\n</INSTRUCTIONS>",
+        );
+    }
+
+    #[test]
+    fn test_is_user_instructions() {
+        assert!(UserInstructions::is_user_instructions(
+            &[ContentItem::InputText {
+                text: "# AGENTS.md instructions for test_directory\n\n<INSTRUCTIONS>\ntest_text\n</INSTRUCTIONS>".to_string(),
+            }]
+        ));
+        assert!(UserInstructions::is_user_instructions(&[
+            ContentItem::InputText {
+                text: "<user_instructions>test_text</user_instructions>".to_string(),
+            }
+        ]));
+        assert!(!UserInstructions::is_user_instructions(&[
+            ContentItem::InputText {
+                text: "test_text".to_string(),
+            }
+        ]));
+    }
+}
--- a/codex-rs/core/templates/compact/history_bridge.md
+++ b/codex-rs/core/templates/compact/history_bridge.md
@@ -1,7 +0,0 @@
-You were originally given instructions from a user over one or more turns. Here were the user messages:
-
-{{ user_messages_text }}
-
-Another language model started to solve this problem and produced a summary of its thinking process. You also have access to the state of the tools that were used by that language model. Use this to build on the work that has already been done and avoid duplicating work. Here is the summary produced by the other language model, use the information in this summary to assist with your own analysis:
-
-{{ summary_text }}
--- a/codex-rs/core/templates/compact/prompt.md
+++ b/codex-rs/core/templates/compact/prompt.md
@@ -1,5 +1,9 @@
-You have exceeded the maximum number of tokens, please stop coding and instead write a short memento message for the next agent. Your note should:
- Summarize what you finished and what still needs work. If there was a recent update_plan call, repeat its steps verbatim.
- List outstanding TODOs with file paths / line numbers so they're easy to find.
- Flag code that needs more tests (edge cases, performance, integration, etc.).
- Record any open bugs, quirks, or setup steps that will make it easier for the next agent to pick up where you left off.
+You are performing a CONTEXT CHECKPOINT COMPACTION. Create a handoff summary for another LLM that will resume the task.
+
+Include:
+- Current progress and key decisions made
+- Important context, constraints, or user preferences
+- What remains to be done (clear next steps)
+- Any critical data, examples, or references needed to continue
+
+Be concise, structured, and focused on helping the next LLM seamlessly continue the work.
--- a/codex-rs/core/templates/sandboxing/assessment_prompt.md
+++ b/codex-rs/core/templates/sandboxing/assessment_prompt.md
@@ -1,13 +1,10 @@
-You are a security analyst evaluating shell commands that were blocked by a sandbox. Given the provided metadata, summarize the command's likely intent and assess the risk. Return strictly valid JSON with the keys:
- description (concise summary, at most two sentences)
+You are a security analyst evaluating shell commands that were blocked by a sandbox. Given the provided metadata, summarize the command's likely intent and assess the risk to help the user decide whether to approve command execution. Return strictly valid JSON with the keys:
+- description (concise summary of command intent and potential effects, no more than one sentence, use present tense)
 - risk_level ("low", "medium", or "high")
- risk_categories (optional array of zero or more category strings)
 Risk level examples:
- low: read-only inspections, listing files, printing configuration
- medium: modifying project files, installing dependencies, fetching artifacts from trusted sources
+- low: read-only inspections, listing files, printing configuration, fetching artifacts from trusted sources
+- medium: modifying project files, installing dependencies
 - high: deleting or overwriting data, exfiltrating secrets, escalating privileges, or disabling security controls
-Recognized risk_categories: data_deletion, data_exfiltration, privilege_escalation, system_modification, network_access, resource_exhaustion, compliance.
-Use multiple categories when appropriate.
 If information is insufficient, choose the most cautious risk level supported by the evidence.
 Respond with JSON only, without markdown code fences or extra commentary.

--- a/codex-rs/core/tests/common/responses.rs
+++ b/codex-rs/core/tests/common/responses.rs
@@ -479,6 +479,7 @@ pub async fn mount_sse_sequence(server: &MockServer, bodies: Vec<String>) -> Res

    let (mock, response_mock) = base_mock();
    mock.respond_with(responder)
+        .up_to_n_times(num_calls as u64)
        .expect(num_calls as u64)
        .mount(server)
        .await;
--- a/codex-rs/core/tests/suite/client.rs
+++ b/codex-rs/core/tests/suite/client.rs
@@ -613,8 +613,13 @@ async fn includes_user_instructions_message_in_request() {
            .contains("be nice")
    );
    assert_message_role(&request_body["input"][0], "user");
-    assert_message_starts_with(&request_body["input"][0], "<user_instructions>");
-    assert_message_ends_with(&request_body["input"][0], "</user_instructions>");
+    assert_message_starts_with(&request_body["input"][0], "# AGENTS.md instructions for ");
+    assert_message_ends_with(&request_body["input"][0], "</INSTRUCTIONS>");
+    let ui_text = request_body["input"][0]["content"][0]["text"]
+        .as_str()
+        .expect("invalid message content");
+    assert!(ui_text.contains("<INSTRUCTIONS>"));
+    assert!(ui_text.contains("be nice"));
    assert_message_role(&request_body["input"][1], "user");
    assert_message_starts_with(&request_body["input"][1], "<environment_context>");
    assert_message_ends_with(&request_body["input"][1], "</environment_context>");
@@ -671,8 +676,13 @@ async fn includes_developer_instructions_message_in_request() {
    assert_message_role(&request_body["input"][0], "developer");
    assert_message_equals(&request_body["input"][0], "be useful");
    assert_message_role(&request_body["input"][1], "user");
-    assert_message_starts_with(&request_body["input"][1], "<user_instructions>");
-    assert_message_ends_with(&request_body["input"][1], "</user_instructions>");
+    assert_message_starts_with(&request_body["input"][1], "# AGENTS.md instructions for ");
+    assert_message_ends_with(&request_body["input"][1], "</INSTRUCTIONS>");
+    let ui_text = request_body["input"][1]["content"][0]["text"]
+        .as_str()
+        .expect("invalid message content");
+    assert!(ui_text.contains("<INSTRUCTIONS>"));
+    assert!(ui_text.contains("be nice"));
    assert_message_role(&request_body["input"][2], "user");
    assert_message_starts_with(&request_body["input"][2], "<environment_context>");
    assert_message_ends_with(&request_body["input"][2], "</environment_context>");
--- a/codex-rs/core/tests/suite/compact.rs
+++ b/codex-rs/core/tests/suite/compact.rs
@@ -3,18 +3,20 @@ use codex_core::ConversationManager;
 use codex_core::ModelProviderInfo;
 use codex_core::NewConversation;
 use codex_core::built_in_model_providers;
+use codex_core::config::Config;
 use codex_core::protocol::ErrorEvent;
 use codex_core::protocol::EventMsg;
 use codex_core::protocol::Op;
 use codex_core::protocol::RolloutItem;
 use codex_core::protocol::RolloutLine;
+use codex_core::protocol::WarningEvent;
 use codex_protocol::user_input::UserInput;
 use core_test_support::load_default_config_for_test;
 use core_test_support::skip_if_no_network;
 use core_test_support::wait_for_event;
+use std::collections::VecDeque;
 use tempfile::TempDir;

-use codex_core::codex::compact::SUMMARIZATION_PROMPT;
 use core_test_support::responses::ev_assistant_message;
 use core_test_support::responses::ev_completed;
 use core_test_support::responses::ev_completed_with_tokens;
@@ -26,6 +28,7 @@ use core_test_support::responses::sse;
 use core_test_support::responses::sse_failed;
 use core_test_support::responses::start_mock_server;
 use pretty_assertions::assert_eq;
+use serde_json::json;
 // --- Test helpers -----------------------------------------------------------

 pub(super) const FIRST_REPLY: &str = "FIRST_REPLY";
@@ -45,6 +48,38 @@ const CONTEXT_LIMIT_MESSAGE: &str =
 const DUMMY_FUNCTION_NAME: &str = "unsupported_tool";
 const DUMMY_CALL_ID: &str = "call-multi-auto";
 const FUNCTION_CALL_LIMIT_MSG: &str = "function call limit push";
+const POST_AUTO_USER_MSG: &str = "post auto follow-up";
+const COMPACT_PROMPT_MARKER: &str =
+    "You are performing a CONTEXT CHECKPOINT COMPACTION for a tool.";
+pub(super) const TEST_COMPACT_PROMPT: &str =
+    "You are performing a CONTEXT CHECKPOINT COMPACTION for a tool.\nTest-only compact prompt.";
+
+pub(super) const COMPACT_WARNING_MESSAGE: &str = "Heads up: Long conversations and multiple compactions can cause the model to be less accurate. Start new a new conversation when possible to keep conversations small and targeted.";
+
+fn auto_summary(summary: &str) -> String {
+    summary.to_string()
+}
+
+fn drop_call_id(value: &mut serde_json::Value) {
+    match value {
+        serde_json::Value::Object(obj) => {
+            obj.retain(|k, _| k != "call_id");
+            for v in obj.values_mut() {
+                drop_call_id(v);
+            }
+        }
+        serde_json::Value::Array(arr) => {
+            for v in arr {
+                drop_call_id(v);
+            }
+        }
+        _ => {}
+    }
+}
+
+fn set_test_compact_prompt(config: &mut Config) {
+    config.compact_prompt = Some(TEST_COMPACT_PROMPT.to_string());
+}

 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn summarize_context_three_requests_and_instructions() {
@@ -71,14 +106,13 @@ async fn summarize_context_three_requests_and_instructions() {
    // Mount three expectations, one per request, matched by body content.
    let first_matcher = |req: &wiremock::Request| {
        let body = std::str::from_utf8(&req.body).unwrap_or("");
-        body.contains("\"text\":\"hello world\"")
-            && !body.contains("You have exceeded the maximum number of tokens")
+        body.contains("\"text\":\"hello world\"") && !body.contains(COMPACT_PROMPT_MARKER)
    };
    mount_sse_once_match(&server, first_matcher, sse1).await;

    let second_matcher = |req: &wiremock::Request| {
        let body = std::str::from_utf8(&req.body).unwrap_or("");
-        body.contains("You have exceeded the maximum number of tokens")
+        body.contains(COMPACT_PROMPT_MARKER)
    };
    mount_sse_once_match(&server, second_matcher, sse2).await;

@@ -96,6 +130,7 @@ async fn summarize_context_three_requests_and_instructions() {
    let home = TempDir::new().unwrap();
    let mut config = load_default_config_for_test(&home);
    config.model_provider = model_provider;
+    set_test_compact_prompt(&mut config);
    config.model_auto_compact_token_limit = Some(200_000);
    let conversation_manager = ConversationManager::with_auth(CodexAuth::from_api_key("dummy"));
    let NewConversation {
@@ -118,6 +153,11 @@ async fn summarize_context_three_requests_and_instructions() {

    // 2) Summarize – second hit should include the summarization prompt.
    codex.submit(Op::Compact).await.unwrap();
+    let warning_event = wait_for_event(&codex, |ev| matches!(ev, EventMsg::Warning(_))).await;
+    let EventMsg::Warning(WarningEvent { message }) = warning_event else {
+        panic!("expected warning event after compact");
+    };
+    assert_eq!(message, COMPACT_WARNING_MESSAGE);
    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;

    // 3) Next user input – third hit; history should include only the summary.
@@ -159,11 +199,11 @@ async fn summarize_context_three_requests_and_instructions() {
    assert_eq!(last2.get("role").unwrap().as_str().unwrap(), "user");
    let text2 = last2["content"][0]["text"].as_str().unwrap();
    assert_eq!(
-        text2, SUMMARIZATION_PROMPT,
+        text2, TEST_COMPACT_PROMPT,
        "expected summarize trigger, got `{text2}`"
    );

-    // Third request must contain the refreshed instructions, bridge summary message and new user msg.
+    // Third request must contain the refreshed instructions, compacted user history, and new user message.
    let input3 = body3.get("input").and_then(|v| v.as_array()).unwrap();

    assert!(
@@ -171,13 +211,21 @@ async fn summarize_context_three_requests_and_instructions() {
        "expected refreshed context and new user message in third request"
    );

-    // Collect all (role, text) message tuples.
    let mut messages: Vec<(String, String)> = Vec::new();
+
    for item in input3 {
-        if item["type"].as_str() == Some("message") {
-            let role = item["role"].as_str().unwrap_or_default().to_string();
-            let text = item["content"][0]["text"]
-                .as_str()
+        if let Some("message") = item.get("type").and_then(|v| v.as_str()) {
+            let role = item
+                .get("role")
+                .and_then(|v| v.as_str())
+                .unwrap_or_default()
+                .to_string();
+            let text = item
+                .get("content")
+                .and_then(|v| v.as_array())
+                .and_then(|arr| arr.first())
+                .and_then(|entry| entry.get("text"))
+                .and_then(|v| v.as_str())
                .unwrap_or_default()
                .to_string();
            messages.push((role, text));
@@ -193,26 +241,22 @@ async fn summarize_context_three_requests_and_instructions() {
            .any(|(r, t)| r == "user" && t == THIRD_USER_MSG),
        "third request should include the new user message"
    );
-    let Some((_, bridge_text)) = messages.iter().find(|(role, text)| {
-        role == "user"
-            && (text.contains("Here were the user messages")
-                || text.contains("Here are all the user messages"))
-            && text.contains(SUMMARY_TEXT)
-    }) else {
-        panic!("expected a bridge message containing the summary");
-    };
    assert!(
-        bridge_text.contains("hello world"),
-        "bridge should capture earlier user messages"
+        messages
+            .iter()
+            .any(|(r, t)| r == "user" && t == "hello world"),
+        "third request should include the original user message"
    );
    assert!(
-        !bridge_text.contains(SUMMARIZATION_PROMPT),
-        "bridge text should not echo the summarize trigger"
+        messages
+            .iter()
+            .any(|(r, t)| r == "user" && t == SUMMARY_TEXT),
+        "third request should include the summary message"
    );
    assert!(
        !messages
            .iter()
-            .any(|(_, text)| text.contains(SUMMARIZATION_PROMPT)),
+            .any(|(_, text)| text.contains(TEST_COMPACT_PROMPT)),
        "third request should not include the summarize trigger"
    );

@@ -288,6 +332,11 @@ async fn manual_compact_uses_custom_prompt() {
        .conversation;

    codex.submit(Op::Compact).await.expect("trigger compact");
+    let warning_event = wait_for_event(&codex, |ev| matches!(ev, EventMsg::Warning(_))).await;
+    let EventMsg::Warning(WarningEvent { message }) = warning_event else {
+        panic!("expected warning event after compact");
+    };
+    assert_eq!(message, COMPACT_WARNING_MESSAGE);
    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;

    let requests = server.received_requests().await.expect("collect requests");
@@ -311,7 +360,7 @@ async fn manual_compact_uses_custom_prompt() {
        if text == custom_prompt {
            found_custom_prompt = true;
        }
-        if text == SUMMARIZATION_PROMPT {
+        if text == TEST_COMPACT_PROMPT {
            found_default_prompt = true;
        }
    }
@@ -342,12 +391,17 @@ async fn auto_compact_runs_after_token_limit_hit() {
        ev_assistant_message("m3", AUTO_SUMMARY_TEXT),
        ev_completed_with_tokens("r3", 200),
    ]);
+    let sse_resume = sse(vec![ev_completed("r3-resume")]);
+    let sse4 = sse(vec![
+        ev_assistant_message("m4", FINAL_REPLY),
+        ev_completed_with_tokens("r4", 120),
+    ]);

    let first_matcher = |req: &wiremock::Request| {
        let body = std::str::from_utf8(&req.body).unwrap_or("");
        body.contains(FIRST_AUTO_MSG)
            && !body.contains(SECOND_AUTO_MSG)
-            && !body.contains("You have exceeded the maximum number of tokens")
+            && !body.contains(COMPACT_PROMPT_MARKER)
    };
    mount_sse_once_match(&server, first_matcher, sse1).await;

@@ -355,16 +409,30 @@ async fn auto_compact_runs_after_token_limit_hit() {
        let body = std::str::from_utf8(&req.body).unwrap_or("");
        body.contains(SECOND_AUTO_MSG)
            && body.contains(FIRST_AUTO_MSG)
-            && !body.contains("You have exceeded the maximum number of tokens")
+            && !body.contains(COMPACT_PROMPT_MARKER)
    };
    mount_sse_once_match(&server, second_matcher, sse2).await;

    let third_matcher = |req: &wiremock::Request| {
        let body = std::str::from_utf8(&req.body).unwrap_or("");
-        body.contains("You have exceeded the maximum number of tokens")
+        body.contains(COMPACT_PROMPT_MARKER)
    };
    mount_sse_once_match(&server, third_matcher, sse3).await;

+    let resume_matcher = |req: &wiremock::Request| {
+        let body = std::str::from_utf8(&req.body).unwrap_or("");
+        body.contains(AUTO_SUMMARY_TEXT)
+            && !body.contains(COMPACT_PROMPT_MARKER)
+            && !body.contains(POST_AUTO_USER_MSG)
+    };
+    mount_sse_once_match(&server, resume_matcher, sse_resume).await;
+
+    let fourth_matcher = |req: &wiremock::Request| {
+        let body = std::str::from_utf8(&req.body).unwrap_or("");
+        body.contains(POST_AUTO_USER_MSG) && !body.contains(COMPACT_PROMPT_MARKER)
+    };
+    mount_sse_once_match(&server, fourth_matcher, sse4).await;
+
    let model_provider = ModelProviderInfo {
        base_url: Some(format!("{}/v1", server.uri())),
        ..built_in_model_providers()["openai"].clone()
@@ -373,6 +441,7 @@ async fn auto_compact_runs_after_token_limit_hit() {
    let home = TempDir::new().unwrap();
    let mut config = load_default_config_for_test(&home);
    config.model_provider = model_provider;
+    set_test_compact_prompt(&mut config);
    config.model_auto_compact_token_limit = Some(200_000);
    let conversation_manager = ConversationManager::with_auth(CodexAuth::from_api_key("dummy"));
    let codex = conversation_manager
@@ -402,18 +471,29 @@ async fn auto_compact_runs_after_token_limit_hit() {
        .unwrap();

    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
-    // wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
+
+    codex
+        .submit(Op::UserInput {
+            items: vec![UserInput::Text {
+                text: POST_AUTO_USER_MSG.into(),
+            }],
+        })
+        .await
+        .unwrap();
+
+    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;

    let requests = server.received_requests().await.unwrap();
-    assert!(
-        requests.len() >= 3,
-        "auto compact should add at least a third request, got {}",
+    assert_eq!(
+        requests.len(),
+        5,
+        "expected user turns, a compaction request, a resumed turn, and the follow-up turn; got {}",
        requests.len()
    );
    let is_auto_compact = |req: &wiremock::Request| {
        std::str::from_utf8(&req.body)
            .unwrap_or("")
-            .contains("You have exceeded the maximum number of tokens")
+            .contains(COMPACT_PROMPT_MARKER)
    };
    let auto_compact_count = requests.iter().filter(|req| is_auto_compact(req)).count();
    assert_eq!(
@@ -430,11 +510,41 @@ async fn auto_compact_runs_after_token_limit_hit() {
        "auto compact should add a third request"
    );

+    let resume_index = requests
+        .iter()
+        .enumerate()
+        .find_map(|(idx, req)| {
+            let body = std::str::from_utf8(&req.body).unwrap_or("");
+            (body.contains(AUTO_SUMMARY_TEXT)
+                && !body.contains(COMPACT_PROMPT_MARKER)
+                && !body.contains(POST_AUTO_USER_MSG))
+            .then_some(idx)
+        })
+        .expect("resume request missing after compaction");
+
+    let follow_up_index = requests
+        .iter()
+        .enumerate()
+        .rev()
+        .find_map(|(idx, req)| {
+            let body = std::str::from_utf8(&req.body).unwrap_or("");
+            (body.contains(POST_AUTO_USER_MSG) && !body.contains(COMPACT_PROMPT_MARKER))
+                .then_some(idx)
+        })
+        .expect("follow-up request missing");
+    assert_eq!(follow_up_index, 4, "follow-up request should be last");
+
    let body_first = requests[0].body_json::<serde_json::Value>().unwrap();
-    let body3 = requests[auto_compact_index]
+    let body_auto = requests[auto_compact_index]
        .body_json::<serde_json::Value>()
        .unwrap();
-    let instructions = body3
+    let body_resume = requests[resume_index]
+        .body_json::<serde_json::Value>()
+        .unwrap();
+    let body_follow_up = requests[follow_up_index]
+        .body_json::<serde_json::Value>()
+        .unwrap();
+    let instructions = body_auto
        .get("instructions")
        .and_then(|v| v.as_str())
        .unwrap_or_default();
@@ -448,13 +558,16 @@ async fn auto_compact_runs_after_token_limit_hit() {
        "auto compact should keep the standard developer instructions",
    );

-    let input3 = body3.get("input").and_then(|v| v.as_array()).unwrap();
-    let last3 = input3
+    let input_auto = body_auto.get("input").and_then(|v| v.as_array()).unwrap();
+    let last_auto = input_auto
        .last()
        .expect("auto compact request should append a user message");
-    assert_eq!(last3.get("type").and_then(|v| v.as_str()), Some("message"));
-    assert_eq!(last3.get("role").and_then(|v| v.as_str()), Some("user"));
-    let last_text = last3
+    assert_eq!(
+        last_auto.get("type").and_then(|v| v.as_str()),
+        Some("message")
+    );
+    assert_eq!(last_auto.get("role").and_then(|v| v.as_str()), Some("user"));
+    let last_text = last_auto
        .get("content")
        .and_then(|v| v.as_array())
        .and_then(|items| items.first())
@@ -462,9 +575,59 @@ async fn auto_compact_runs_after_token_limit_hit() {
        .and_then(|text| text.as_str())
        .unwrap_or_default();
    assert_eq!(
-        last_text, SUMMARIZATION_PROMPT,
+        last_text, TEST_COMPACT_PROMPT,
        "auto compact should send the summarization prompt as a user message",
    );
+
+    let input_resume = body_resume.get("input").and_then(|v| v.as_array()).unwrap();
+    assert!(
+        input_resume.iter().any(|item| {
+            item.get("type").and_then(|v| v.as_str()) == Some("message")
+                && item.get("role").and_then(|v| v.as_str()) == Some("user")
+                && item
+                    .get("content")
+                    .and_then(|v| v.as_array())
+                    .and_then(|arr| arr.first())
+                    .and_then(|entry| entry.get("text"))
+                    .and_then(|v| v.as_str())
+                    == Some(AUTO_SUMMARY_TEXT)
+        }),
+        "resume request should include compacted history"
+    );
+
+    let input_follow_up = body_follow_up
+        .get("input")
+        .and_then(|v| v.as_array())
+        .unwrap();
+    let user_texts: Vec<String> = input_follow_up
+        .iter()
+        .filter(|item| item.get("type").and_then(|v| v.as_str()) == Some("message"))
+        .filter(|item| item.get("role").and_then(|v| v.as_str()) == Some("user"))
+        .filter_map(|item| {
+            item.get("content")
+                .and_then(|v| v.as_array())
+                .and_then(|arr| arr.first())
+                .and_then(|entry| entry.get("text"))
+                .and_then(|v| v.as_str())
+                .map(std::string::ToString::to_string)
+        })
+        .collect();
+    assert!(
+        user_texts.iter().any(|text| text == FIRST_AUTO_MSG),
+        "auto compact follow-up request should include the first user message"
+    );
+    assert!(
+        user_texts.iter().any(|text| text == SECOND_AUTO_MSG),
+        "auto compact follow-up request should include the second user message"
+    );
+    assert!(
+        user_texts.iter().any(|text| text == POST_AUTO_USER_MSG),
+        "auto compact follow-up request should include the new user message"
+    );
+    assert!(
+        user_texts.iter().any(|text| text == AUTO_SUMMARY_TEXT),
+        "auto compact follow-up request should include the summary message"
+    );
 }

 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
@@ -483,8 +646,9 @@ async fn auto_compact_persists_rollout_entries() {
        ev_completed_with_tokens("r2", 330_000),
    ]);

+    let auto_summary_payload = auto_summary(AUTO_SUMMARY_TEXT);
    let sse3 = sse(vec![
-        ev_assistant_message("m3", AUTO_SUMMARY_TEXT),
+        ev_assistant_message("m3", &auto_summary_payload),
        ev_completed_with_tokens("r3", 200),
    ]);

@@ -492,7 +656,7 @@ async fn auto_compact_persists_rollout_entries() {
        let body = std::str::from_utf8(&req.body).unwrap_or("");
        body.contains(FIRST_AUTO_MSG)
            && !body.contains(SECOND_AUTO_MSG)
-            && !body.contains("You have exceeded the maximum number of tokens")
+            && !body.contains(COMPACT_PROMPT_MARKER)
    };
    mount_sse_once_match(&server, first_matcher, sse1).await;

@@ -500,13 +664,13 @@ async fn auto_compact_persists_rollout_entries() {
        let body = std::str::from_utf8(&req.body).unwrap_or("");
        body.contains(SECOND_AUTO_MSG)
            && body.contains(FIRST_AUTO_MSG)
-            && !body.contains("You have exceeded the maximum number of tokens")
+            && !body.contains(COMPACT_PROMPT_MARKER)
    };
    mount_sse_once_match(&server, second_matcher, sse2).await;

    let third_matcher = |req: &wiremock::Request| {
        let body = std::str::from_utf8(&req.body).unwrap_or("");
-        body.contains("You have exceeded the maximum number of tokens")
+        body.contains(COMPACT_PROMPT_MARKER)
    };
    mount_sse_once_match(&server, third_matcher, sse3).await;

@@ -518,6 +682,7 @@ async fn auto_compact_persists_rollout_entries() {
    let home = TempDir::new().unwrap();
    let mut config = load_default_config_for_test(&home);
    config.model_provider = model_provider;
+    set_test_compact_prompt(&mut config);
    let conversation_manager = ConversationManager::with_auth(CodexAuth::from_api_key("dummy"));
    let NewConversation {
        conversation: codex,
@@ -591,8 +756,9 @@ async fn auto_compact_stops_after_failed_attempt() {
        ev_completed_with_tokens("r1", 500),
    ]);

+    let summary_payload = auto_summary(SUMMARY_TEXT);
    let sse2 = sse(vec![
-        ev_assistant_message("m2", SUMMARY_TEXT),
+        ev_assistant_message("m2", &summary_payload),
        ev_completed_with_tokens("r2", 50),
    ]);

@@ -603,21 +769,19 @@ async fn auto_compact_stops_after_failed_attempt() {

    let first_matcher = |req: &wiremock::Request| {
        let body = std::str::from_utf8(&req.body).unwrap_or("");
-        body.contains(FIRST_AUTO_MSG)
-            && !body.contains("You have exceeded the maximum number of tokens")
+        body.contains(FIRST_AUTO_MSG) && !body.contains(COMPACT_PROMPT_MARKER)
    };
    mount_sse_once_match(&server, first_matcher, sse1.clone()).await;

    let second_matcher = |req: &wiremock::Request| {
        let body = std::str::from_utf8(&req.body).unwrap_or("");
-        body.contains("You have exceeded the maximum number of tokens")
+        body.contains(COMPACT_PROMPT_MARKER)
    };
    mount_sse_once_match(&server, second_matcher, sse2.clone()).await;

    let third_matcher = |req: &wiremock::Request| {
        let body = std::str::from_utf8(&req.body).unwrap_or("");
-        !body.contains("You have exceeded the maximum number of tokens")
-            && body.contains(SUMMARY_TEXT)
+        !body.contains(COMPACT_PROMPT_MARKER) && body.contains(SUMMARY_TEXT)
    };
    mount_sse_once_match(&server, third_matcher, sse3.clone()).await;

@@ -629,6 +793,7 @@ async fn auto_compact_stops_after_failed_attempt() {
    let home = TempDir::new().unwrap();
    let mut config = load_default_config_for_test(&home);
    config.model_provider = model_provider;
+    set_test_compact_prompt(&mut config);
    config.model_auto_compact_token_limit = Some(200);
    let conversation_manager = ConversationManager::with_auth(CodexAuth::from_api_key("dummy"));
    let codex = conversation_manager
@@ -677,7 +842,7 @@ async fn auto_compact_stops_after_failed_attempt() {
                .and_then(|items| items.first())
                .and_then(|entry| entry.get("text"))
                .and_then(|text| text.as_str())
-                .map(|text| text == SUMMARIZATION_PROMPT)
+                .map(|text| text == TEST_COMPACT_PROMPT)
                .unwrap_or(false)
    });
    assert!(
@@ -724,6 +889,7 @@ async fn manual_compact_retries_after_context_window_error() {
    let home = TempDir::new().unwrap();
    let mut config = load_default_config_for_test(&home);
    config.model_provider = model_provider;
+    set_test_compact_prompt(&mut config);
    config.model_auto_compact_token_limit = Some(200_000);
    let codex = ConversationManager::with_auth(CodexAuth::from_api_key("dummy"))
        .new_conversation(config)
@@ -742,7 +908,6 @@ async fn manual_compact_retries_after_context_window_error() {
    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;

    codex.submit(Op::Compact).await.unwrap();
-
    let EventMsg::BackgroundEvent(event) =
        wait_for_event(&codex, |ev| matches!(ev, EventMsg::BackgroundEvent(_))).await
    else {
@@ -753,6 +918,11 @@ async fn manual_compact_retries_after_context_window_error() {
        "background event should mention trimmed item count: {}",
        event.message
    );
+    let warning_event = wait_for_event(&codex, |ev| matches!(ev, EventMsg::Warning(_))).await;
+    let EventMsg::Warning(WarningEvent { message }) = warning_event else {
+        panic!("expected warning event after compact retry");
+    };
+    assert_eq!(message, COMPACT_WARNING_MESSAGE);
    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;

    let requests = request_log.requests();
@@ -779,7 +949,7 @@ async fn manual_compact_retries_after_context_window_error() {
            .and_then(|items| items.first())
            .and_then(|entry| entry.get("text"))
            .and_then(|text| text.as_str()),
-        Some(SUMMARIZATION_PROMPT),
+        Some(TEST_COMPACT_PROMPT),
        "compact attempt should include summarization prompt"
    );
    assert_eq!(
@@ -790,7 +960,7 @@ async fn manual_compact_retries_after_context_window_error() {
            .and_then(|items| items.first())
            .and_then(|entry| entry.get("text"))
            .and_then(|text| text.as_str()),
-        Some(SUMMARIZATION_PROMPT),
+        Some(TEST_COMPACT_PROMPT),
        "retry attempt should include summarization prompt"
    );
    assert_eq!(
@@ -810,6 +980,228 @@ async fn manual_compact_retries_after_context_window_error() {
    }
 }

+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn manual_compact_twice_preserves_latest_user_messages() {
+    skip_if_no_network!();
+
+    let first_user_message = "first manual turn";
+    let second_user_message = "second manual turn";
+    let final_user_message = "post compact follow-up";
+    let first_summary = "FIRST_MANUAL_SUMMARY";
+    let second_summary = "SECOND_MANUAL_SUMMARY";
+
+    let server = start_mock_server().await;
+
+    let first_turn = sse(vec![
+        ev_assistant_message("m1", FIRST_REPLY),
+        ev_completed("r1"),
+    ]);
+    let first_compact_summary = auto_summary(first_summary);
+    let first_compact = sse(vec![
+        ev_assistant_message("m2", &first_compact_summary),
+        ev_completed("r2"),
+    ]);
+    let second_turn = sse(vec![
+        ev_assistant_message("m3", SECOND_LARGE_REPLY),
+        ev_completed("r3"),
+    ]);
+    let second_compact_summary = auto_summary(second_summary);
+    let second_compact = sse(vec![
+        ev_assistant_message("m4", &second_compact_summary),
+        ev_completed("r4"),
+    ]);
+    let final_turn = sse(vec![
+        ev_assistant_message("m5", FINAL_REPLY),
+        ev_completed("r5"),
+    ]);
+
+    let responses_mock = mount_sse_sequence(
+        &server,
+        vec![
+            first_turn,
+            first_compact,
+            second_turn,
+            second_compact,
+            final_turn,
+        ],
+    )
+    .await;
+
+    let model_provider = ModelProviderInfo {
+        base_url: Some(format!("{}/v1", server.uri())),
+        ..built_in_model_providers()["openai"].clone()
+    };
+
+    let home = TempDir::new().unwrap();
+    let mut config = load_default_config_for_test(&home);
+    config.model_provider = model_provider;
+    set_test_compact_prompt(&mut config);
+    let codex = ConversationManager::with_auth(CodexAuth::from_api_key("dummy"))
+        .new_conversation(config)
+        .await
+        .unwrap()
+        .conversation;
+
+    codex
+        .submit(Op::UserInput {
+            items: vec![UserInput::Text {
+                text: first_user_message.into(),
+            }],
+        })
+        .await
+        .unwrap();
+    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
+
+    codex.submit(Op::Compact).await.unwrap();
+    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
+
+    codex
+        .submit(Op::UserInput {
+            items: vec![UserInput::Text {
+                text: second_user_message.into(),
+            }],
+        })
+        .await
+        .unwrap();
+    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
+
+    codex.submit(Op::Compact).await.unwrap();
+    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
+
+    codex
+        .submit(Op::UserInput {
+            items: vec![UserInput::Text {
+                text: final_user_message.into(),
+            }],
+        })
+        .await
+        .unwrap();
+    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
+
+    let requests = responses_mock.requests();
+    assert_eq!(
+        requests.len(),
+        5,
+        "expected exactly 5 requests (user turn, compact, user turn, compact, final turn)"
+    );
+    let contains_user_text = |input: &[serde_json::Value], expected: &str| -> bool {
+        input.iter().any(|item| {
+            item.get("type").and_then(|v| v.as_str()) == Some("message")
+                && item.get("role").and_then(|v| v.as_str()) == Some("user")
+                && item
+                    .get("content")
+                    .and_then(|v| v.as_array())
+                    .map(|arr| {
+                        arr.iter().any(|entry| {
+                            entry.get("text").and_then(|v| v.as_str()) == Some(expected)
+                        })
+                    })
+                    .unwrap_or(false)
+        })
+    };
+
+    let first_turn_input = requests[0].input();
+    assert!(
+        contains_user_text(&first_turn_input, first_user_message),
+        "first turn request missing first user message"
+    );
+    assert!(
+        !contains_user_text(&first_turn_input, TEST_COMPACT_PROMPT),
+        "first turn request should not include summarization prompt"
+    );
+
+    let first_compact_input = requests[1].input();
+    assert!(
+        contains_user_text(&first_compact_input, TEST_COMPACT_PROMPT),
+        "first compact request should include summarization prompt"
+    );
+    assert!(
+        contains_user_text(&first_compact_input, first_user_message),
+        "first compact request should include history before compaction"
+    );
+
+    let second_turn_input = requests[2].input();
+    assert!(
+        contains_user_text(&second_turn_input, second_user_message),
+        "second turn request missing second user message"
+    );
+    assert!(
+        contains_user_text(&second_turn_input, first_user_message),
+        "second turn request should include the compacted user history"
+    );
+
+    let second_compact_input = requests[3].input();
+    assert!(
+        contains_user_text(&second_compact_input, TEST_COMPACT_PROMPT),
+        "second compact request should include summarization prompt"
+    );
+    assert!(
+        contains_user_text(&second_compact_input, second_user_message),
+        "second compact request should include latest history"
+    );
+
+    let mut final_output = requests
+        .last()
+        .unwrap_or_else(|| panic!("final turn request missing for {final_user_message}"))
+        .input()
+        .into_iter()
+        .collect::<VecDeque<_>>();
+
+    // System prompt
+    final_output.pop_front();
+    // Developer instructions
+    final_output.pop_front();
+
+    let _ = final_output
+        .iter_mut()
+        .map(drop_call_id)
+        .collect::<Vec<_>>();
+
+    let expected = vec![
+        json!({
+            "content": vec![json!({
+                "text": first_user_message,
+                "type": "input_text",
+            })],
+            "role": "user",
+            "type": "message",
+        }),
+        json!({
+            "content": vec![json!({
+                "text": first_summary,
+                "type": "input_text",
+            })],
+            "role": "user",
+            "type": "message",
+        }),
+        json!({
+            "content": vec![json!({
+                "text": second_user_message,
+                "type": "input_text",
+            })],
+            "role": "user",
+            "type": "message",
+        }),
+        json!({
+            "content": vec![json!({
+                "text": second_summary,
+                "type": "input_text",
+            })],
+            "role": "user",
+            "type": "message",
+        }),
+        json!({
+            "content": vec![json!({
+                "text": final_user_message,
+                "type": "input_text",
+            })],
+            "role": "user",
+            "type": "message",
+        }),
+    ];
+    assert_eq!(final_output, expected);
+}
+
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn auto_compact_allows_multiple_attempts_when_interleaved_with_other_turn_events() {
    skip_if_no_network!();
@@ -820,8 +1212,9 @@ async fn auto_compact_allows_multiple_attempts_when_interleaved_with_other_turn_
        ev_assistant_message("m1", FIRST_REPLY),
        ev_completed_with_tokens("r1", 500),
    ]);
+    let first_summary_payload = auto_summary(FIRST_AUTO_SUMMARY);
    let sse2 = sse(vec![
-        ev_assistant_message("m2", FIRST_AUTO_SUMMARY),
+        ev_assistant_message("m2", &first_summary_payload),
        ev_completed_with_tokens("r2", 50),
    ]);
    let sse3 = sse(vec![
@@ -832,8 +1225,9 @@ async fn auto_compact_allows_multiple_attempts_when_interleaved_with_other_turn_
        ev_assistant_message("m4", SECOND_LARGE_REPLY),
        ev_completed_with_tokens("r4", 450),
    ]);
+    let second_summary_payload = auto_summary(SECOND_AUTO_SUMMARY);
    let sse5 = sse(vec![
-        ev_assistant_message("m5", SECOND_AUTO_SUMMARY),
+        ev_assistant_message("m5", &second_summary_payload),
        ev_completed_with_tokens("r5", 60),
    ]);
    let sse6 = sse(vec![
@@ -851,6 +1245,7 @@ async fn auto_compact_allows_multiple_attempts_when_interleaved_with_other_turn_
    let home = TempDir::new().unwrap();
    let mut config = load_default_config_for_test(&home);
    config.model_provider = model_provider;
+    set_test_compact_prompt(&mut config);
    config.model_auto_compact_token_limit = Some(200);
    let conversation_manager = ConversationManager::with_auth(CodexAuth::from_api_key("dummy"));
    let codex = conversation_manager
@@ -909,7 +1304,7 @@ async fn auto_compact_allows_multiple_attempts_when_interleaved_with_other_turn_
        "first request should contain the user input"
    );
    assert!(
-        request_bodies[1].contains("You have exceeded the maximum number of tokens"),
+        request_bodies[1].contains(COMPACT_PROMPT_MARKER),
        "first auto compact request should include the summarization prompt"
    );
    assert!(
@@ -917,7 +1312,7 @@ async fn auto_compact_allows_multiple_attempts_when_interleaved_with_other_turn_
        "function call output should be sent before the second auto compact"
    );
    assert!(
-        request_bodies[4].contains("You have exceeded the maximum number of tokens"),
+        request_bodies[4].contains(COMPACT_PROMPT_MARKER),
        "second auto compact request should include the summarization prompt"
    );
 }
@@ -940,8 +1335,9 @@ async fn auto_compact_triggers_after_function_call_over_95_percent_usage() {
        ev_assistant_message("m2", FINAL_REPLY),
        ev_completed_with_tokens("r2", over_limit_tokens),
    ]);
+    let auto_summary_payload = auto_summary(AUTO_SUMMARY_TEXT);
    let auto_compact_turn = sse(vec![
-        ev_assistant_message("m3", AUTO_SUMMARY_TEXT),
+        ev_assistant_message("m3", &auto_summary_payload),
        ev_completed_with_tokens("r3", 10),
    ]);
    let post_auto_compact_turn = sse(vec![ev_completed_with_tokens("r4", 10)]);
@@ -961,6 +1357,7 @@ async fn auto_compact_triggers_after_function_call_over_95_percent_usage() {
    let home = TempDir::new().unwrap();
    let mut config = load_default_config_for_test(&home);
    config.model_provider = model_provider;
+    set_test_compact_prompt(&mut config);
    config.model_context_window = Some(context_window);
    config.model_auto_compact_token_limit = Some(limit);

@@ -1011,7 +1408,7 @@ async fn auto_compact_triggers_after_function_call_over_95_percent_usage() {

    let auto_compact_body = auto_compact_mock.single_request().body_json().to_string();
    assert!(
-        auto_compact_body.contains("You have exceeded the maximum number of tokens"),
+        auto_compact_body.contains(COMPACT_PROMPT_MARKER),
        "auto compact request should include the summarization prompt after exceeding 95% (limit {limit})"
    );
 }
--- a/codex-rs/core/tests/suite/compact_resume_fork.rs
+++ b/codex-rs/core/tests/suite/compact_resume_fork.rs
@@ -7,19 +7,21 @@
 //! request payload that Codex would send to the model and assert that the
 //! model-visible history matches the expected sequence of messages.

+use super::compact::COMPACT_WARNING_MESSAGE;
 use super::compact::FIRST_REPLY;
 use super::compact::SUMMARY_TEXT;
+use super::compact::TEST_COMPACT_PROMPT;
 use codex_core::CodexAuth;
 use codex_core::CodexConversation;
 use codex_core::ConversationManager;
 use codex_core::ModelProviderInfo;
 use codex_core::NewConversation;
 use codex_core::built_in_model_providers;
-use codex_core::codex::compact::SUMMARIZATION_PROMPT;
 use codex_core::config::Config;
 use codex_core::config::OPENAI_DEFAULT_MODEL;
 use codex_core::protocol::EventMsg;
 use codex_core::protocol::Op;
+use codex_core::protocol::WarningEvent;
 use codex_core::spawn::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;
 use codex_protocol::user_input::UserInput;
 use core_test_support::load_default_config_for_test;
@@ -36,6 +38,8 @@ use tempfile::TempDir;
 use wiremock::MockServer;

 const AFTER_SECOND_RESUME: &str = "AFTER_SECOND_RESUME";
+const COMPACT_PROMPT_MARKER: &str =
+    "You are performing a CONTEXT CHECKPOINT COMPACTION for a tool.";

 fn network_disabled() -> bool {
    std::env::var(CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR).is_ok()
@@ -64,6 +68,27 @@ fn is_ghost_snapshot_message(item: &Value) -> bool {
        .is_some_and(|text| text.trim_start().starts_with("<ghost_snapshot>"))
 }

+fn extract_summary_message(request: &Value, summary_text: &str) -> Value {
+    request
+        .get("input")
+        .and_then(Value::as_array)
+        .and_then(|items| {
+            items.iter().find(|item| {
+                item.get("type").and_then(Value::as_str) == Some("message")
+                    && item.get("role").and_then(Value::as_str) == Some("user")
+                    && item
+                        .get("content")
+                        .and_then(Value::as_array)
+                        .and_then(|arr| arr.first())
+                        .and_then(|entry| entry.get("text"))
+                        .and_then(Value::as_str)
+                        == Some(summary_text)
+            })
+        })
+        .cloned()
+        .unwrap_or_else(|| panic!("expected summary message {summary_text}"))
+}
+
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 /// Scenario: compact an initial conversation, resume it, fork one turn back, and
 /// ensure the model-visible history matches expectations at each request.
@@ -155,6 +180,9 @@ async fn compact_resume_and_fork_preserve_model_history_view() {
        .unwrap_or_default()
        .to_string();
    let expected_model = OPENAI_DEFAULT_MODEL;
+    let summary_after_compact = extract_summary_message(&requests[2], SUMMARY_TEXT);
+    let summary_after_resume = extract_summary_message(&requests[3], SUMMARY_TEXT);
+    let summary_after_fork = extract_summary_message(&requests[4], SUMMARY_TEXT);
    let user_turn_1 = json!(
    {
      "model": expected_model,
@@ -255,7 +283,7 @@ async fn compact_resume_and_fork_preserve_model_history_view() {
          "content": [
            {
              "type": "input_text",
-              "text": SUMMARIZATION_PROMPT
+              "text": TEST_COMPACT_PROMPT
            }
          ]
        }
@@ -304,16 +332,11 @@ async fn compact_resume_and_fork_preserve_model_history_view() {
          "content": [
            {
              "type": "input_text",
-              "text": "You were originally given instructions from a user over one or more turns. Here were the user messages:
-
-hello world
-
-Another language model started to solve this problem and produced a summary of its thinking process. You also have access to the state of the tools that were used by that language model. Use this to build on the work that has already been done and avoid duplicating work. Here is the summary produced by the other language model, use the information in this summary to assist with your own analysis:
-
-SUMMARY_ONLY_CONTEXT"
+              "text": "hello world"
            }
          ]
        },
+        summary_after_compact,
        {
          "type": "message",
          "role": "user",
@@ -369,16 +392,11 @@ SUMMARY_ONLY_CONTEXT"
          "content": [
            {
              "type": "input_text",
-              "text": "You were originally given instructions from a user over one or more turns. Here were the user messages:
-
-hello world
-
-Another language model started to solve this problem and produced a summary of its thinking process. You also have access to the state of the tools that were used by that language model. Use this to build on the work that has already been done and avoid duplicating work. Here is the summary produced by the other language model, use the information in this summary to assist with your own analysis:
-
-SUMMARY_ONLY_CONTEXT"
+              "text": "hello world"
            }
          ]
        },
+        summary_after_resume,
        {
          "type": "message",
          "role": "user",
@@ -454,16 +472,11 @@ SUMMARY_ONLY_CONTEXT"
          "content": [
            {
              "type": "input_text",
-              "text": "You were originally given instructions from a user over one or more turns. Here were the user messages:
-
-hello world
-
-Another language model started to solve this problem and produced a summary of its thinking process. You also have access to the state of the tools that were used by that language model. Use this to build on the work that has already been done and avoid duplicating work. Here is the summary produced by the other language model, use the information in this summary to assist with your own analysis:
-
-SUMMARY_ONLY_CONTEXT"
+              "text": "hello world"
            }
          ]
        },
+        summary_after_fork,
        {
          "type": "message",
          "role": "user",
@@ -603,6 +616,11 @@ async fn compact_resume_after_second_compaction_preserves_history() {
        .unwrap_or_default()
        .to_string();

+    // Build expected final request input: initial context + forked user message +
+    // compacted summary + post-compact user message + resumed user message.
+    let summary_after_second_compact =
+        extract_summary_message(&requests[requests.len() - 3], SUMMARY_TEXT);
+
    let mut expected = json!([
      {
        "instructions": prompt,
@@ -633,10 +651,11 @@ async fn compact_resume_after_second_compaction_preserves_history() {
            "content": [
              {
                "type": "input_text",
-                "text": "You were originally given instructions from a user over one or more turns. Here were the user messages:\n\nAFTER_FORK\n\nAnother language model started to solve this problem and produced a summary of its thinking process. You also have access to the state of the tools that were used by that language model. Use this to build on the work that has already been done and avoid duplicating work. Here is the summary produced by the other language model, use the information in this summary to assist with your own analysis:\n\nSUMMARY_ONLY_CONTEXT"
+                "text": "AFTER_FORK"
              }
            ]
          },
+          summary_after_second_compact,
          {
            "type": "message",
            "role": "user",
@@ -722,7 +741,7 @@ async fn mount_initial_flow(server: &MockServer) {
    let match_first = |req: &wiremock::Request| {
        let body = std::str::from_utf8(&req.body).unwrap_or("");
        body.contains("\"text\":\"hello world\"")
-            && !body.contains("You have exceeded the maximum number of tokens")
+            && !body.contains(COMPACT_PROMPT_MARKER)
            && !body.contains(&format!("\"text\":\"{SUMMARY_TEXT}\""))
            && !body.contains("\"text\":\"AFTER_COMPACT\"")
            && !body.contains("\"text\":\"AFTER_RESUME\"")
@@ -732,7 +751,7 @@ async fn mount_initial_flow(server: &MockServer) {

    let match_compact = |req: &wiremock::Request| {
        let body = std::str::from_utf8(&req.body).unwrap_or("");
-        body.contains("You have exceeded the maximum number of tokens")
+        body.contains(COMPACT_PROMPT_MARKER)
    };
    mount_sse_once_match(server, match_compact, sse2).await;

@@ -766,8 +785,7 @@ async fn mount_second_compact_flow(server: &MockServer) {

    let match_second_compact = |req: &wiremock::Request| {
        let body = std::str::from_utf8(&req.body).unwrap_or("");
-        body.contains("You have exceeded the maximum number of tokens")
-            && body.contains("AFTER_FORK")
+        body.contains(COMPACT_PROMPT_MARKER) && body.contains("AFTER_FORK")
    };
    mount_sse_once_match(server, match_second_compact, sse6).await;

@@ -788,6 +806,7 @@ async fn start_test_conversation(
    let home = TempDir::new().expect("create temp dir");
    let mut config = load_default_config_for_test(&home);
    config.model_provider = model_provider;
+    config.compact_prompt = Some(TEST_COMPACT_PROMPT.to_string());

    let manager = ConversationManager::with_auth(CodexAuth::from_api_key("dummy"));
    let NewConversation { conversation, .. } = manager
@@ -813,6 +832,11 @@ async fn compact_conversation(conversation: &Arc<CodexConversation>) {
        .submit(Op::Compact)
        .await
        .expect("compact conversation");
+    let warning_event = wait_for_event(conversation, |ev| matches!(ev, EventMsg::Warning(_))).await;
+    let EventMsg::Warning(WarningEvent { message }) = warning_event else {
+        panic!("expected warning event after compact");
+    };
+    assert_eq!(message, COMPACT_WARNING_MESSAGE);
    wait_for_event(conversation, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
 }

--- a/codex-rs/core/tests/suite/mod.rs
+++ b/codex-rs/core/tests/suite/mod.rs
@@ -38,6 +38,7 @@ mod tool_harness;
 mod tool_parallelism;
 mod tools;
 mod truncation;
+mod undo;
 mod unified_exec;
 mod user_notification;
 mod user_shell_cmd;
--- a/codex-rs/core/tests/suite/prompt_caching.rs
+++ b/codex-rs/core/tests/suite/prompt_caching.rs
@@ -36,19 +36,53 @@ fn text_user_input(text: String) -> serde_json::Value {
    })
 }

+#[allow(dead_code)]
+fn has_wsl_env_markers() -> bool {
+    std::env::var_os("WSL_INTEROP").is_some()
+        || std::env::var_os("WSLENV").is_some()
+        || std::env::var_os("WSL_DISTRO_NAME").is_some()
+}
+
+fn operating_system_context_block() -> String {
+    #[cfg(target_os = "windows")]
+    {
+        let info = os_info::get();
+        let name = info.os_type().to_string();
+        let version = info.version().to_string();
+        let is_wsl = has_wsl_env_markers();
+        format!(
+            "  <operating_system>\n    <name>{name}</name>\n    <version>{version}</version>\n    <is_likely_windows_subsystem_for_linux>{is_wsl}</is_likely_windows_subsystem_for_linux>\n  </operating_system>\n"
+        )
+    }
+
+    #[cfg(all(unix, not(target_os = "macos")))]
+    {
+        if has_wsl_env_markers() {
+            "  <operating_system>\n    <name>{name}</name>\n    <version></version>\n    <is_likely_windows_subsystem_for_linux>true</is_likely_windows_subsystem_for_linux>\n  </operating_system>\n".to_string()
+        } else {
+            String::new()
+        }
+    }
+
+    #[cfg(target_os = "macos")]
+    {
+        String::new()
+    }
+}
+
 fn default_env_context_str(cwd: &str, shell: &Shell) -> String {
+    let shell_line = match shell.name() {
+        Some(name) => format!("  <shell>{name}</shell>\n"),
+        None => String::new(),
+    };
+    let os_block = operating_system_context_block();
    format!(
        r#"<environment_context>
-  <cwd>{}</cwd>
+  <cwd>{cwd}</cwd>
  <approval_policy>on-request</approval_policy>
  <sandbox_mode>read-only</sandbox_mode>
  <network_access>restricted</network_access>
-{}</environment_context>"#,
-        cwd,
-        match shell.name() {
-            Some(name) => format!("  <shell>{name}</shell>\n"),
-            None => String::new(),
-        }
+{shell_line}{os_block}</environment_context>"#
    )
 }

@@ -341,21 +375,11 @@ async fn prefixes_context_and_instructions_once_and_consistently_across_requests

    let shell = default_user_shell().await;

-    let expected_env_text = format!(
-        r#"<environment_context>
-  <cwd>{}</cwd>
-  <approval_policy>on-request</approval_policy>
-  <sandbox_mode>read-only</sandbox_mode>
-  <network_access>restricted</network_access>
-{}</environment_context>"#,
-        cwd.path().to_string_lossy(),
-        match shell.name() {
-            Some(name) => format!("  <shell>{name}</shell>\n"),
-            None => String::new(),
-        }
+    let cwd_str = cwd.path().to_string_lossy().into_owned();
+    let expected_env_text = default_env_context_str(&cwd_str, &shell);
+    let expected_ui_text = format!(
+        "# AGENTS.md instructions for {cwd_str}\n\n<INSTRUCTIONS>\nbe consistent and helpful\n</INSTRUCTIONS>"
    );
-    let expected_ui_text =
-        "<user_instructions>\n\nbe consistent and helpful\n\n</user_instructions>";

    let expected_env_msg = serde_json::json!({
        "type": "message",
@@ -734,9 +758,11 @@ async fn send_user_turn_with_no_changes_does_not_send_environment_context() {
    let body2 = requests[1].body_json::<serde_json::Value>().unwrap();

    let shell = default_user_shell().await;
-    let expected_ui_text =
-        "<user_instructions>\n\nbe consistent and helpful\n\n</user_instructions>";
-    let expected_ui_msg = text_user_input(expected_ui_text.to_string());
+    let expected_ui_text = format!(
+        "# AGENTS.md instructions for {}\n\n<INSTRUCTIONS>\nbe consistent and helpful\n</INSTRUCTIONS>",
+        default_cwd.to_string_lossy()
+    );
+    let expected_ui_msg = text_user_input(expected_ui_text);

    let expected_env_msg_1 = text_user_input(default_env_context_str(
        &cwd.path().to_string_lossy(),
@@ -848,8 +874,10 @@ async fn send_user_turn_with_changes_sends_environment_context() {
    let body2 = requests[1].body_json::<serde_json::Value>().unwrap();

    let shell = default_user_shell().await;
-    let expected_ui_text =
-        "<user_instructions>\n\nbe consistent and helpful\n\n</user_instructions>";
+    let expected_ui_text = format!(
+        "# AGENTS.md instructions for {}\n\n<INSTRUCTIONS>\nbe consistent and helpful\n</INSTRUCTIONS>",
+        default_cwd.to_string_lossy()
+    );
    let expected_ui_msg = serde_json::json!({
        "type": "message",
        "role": "user",
--- a/codex-rs/core/tests/suite/shell_serialization.rs
+++ b/codex-rs/core/tests/suite/shell_serialization.rs
@@ -30,6 +30,18 @@ use serde_json::Value;
 use serde_json::json;
 use std::fs;

+const FIXTURE_JSON: &str = r#"{
+    "description": "This is an example JSON file.",
+    "foo": "bar",
+    "isTest": true,
+    "testNumber": 123,
+    "testArray": [1, 2, 3],
+    "testObject": {
+        "foo": "bar"
+    }
+}
+"#;
+
 async fn submit_turn(test: &TestCodex, prompt: &str, sandbox_policy: SandboxPolicy) -> Result<()> {
    let session_model = test.session_configured.model.clone();

@@ -225,6 +237,154 @@ freeform shell
    Ok(())
 }

+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn shell_output_preserves_fixture_json_without_serialization() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let server = start_mock_server().await;
+    let mut builder = test_codex().with_config(|config| {
+        config.features.disable(Feature::ApplyPatchFreeform);
+        config.model = "gpt-5".to_string();
+        config.model_family = find_family_for_model("gpt-5").expect("gpt-5 is a model family");
+    });
+    let test = builder.build(&server).await?;
+
+    let fixture_path = test.cwd.path().join("fixture.json");
+    fs::write(&fixture_path, FIXTURE_JSON)?;
+    let fixture_path_str = fixture_path.to_string_lossy().to_string();
+
+    let call_id = "shell-json-fixture";
+    let args = json!({
+        "command": ["/usr/bin/sed", "-n", "p", fixture_path_str],
+        "timeout_ms": 1_000,
+    });
+    let responses = vec![
+        sse(vec![
+            ev_response_created("resp-1"),
+            ev_function_call(call_id, "shell", &serde_json::to_string(&args)?),
+            ev_completed("resp-1"),
+        ]),
+        sse(vec![
+            ev_assistant_message("msg-1", "done"),
+            ev_completed("resp-2"),
+        ]),
+    ];
+    mount_sse_sequence(&server, responses).await;
+
+    submit_turn(
+        &test,
+        "read the fixture JSON with sed",
+        SandboxPolicy::DangerFullAccess,
+    )
+    .await?;
+
+    let requests = server
+        .received_requests()
+        .await
+        .expect("recorded requests present");
+    let bodies = request_bodies(&requests)?;
+    let output_item = find_function_call_output(&bodies, call_id).expect("shell output present");
+    let output = output_item
+        .get("output")
+        .and_then(Value::as_str)
+        .expect("shell output string");
+
+    let mut parsed: Value = serde_json::from_str(output)?;
+    if let Some(metadata) = parsed.get_mut("metadata").and_then(Value::as_object_mut) {
+        let _ = metadata.remove("duration_seconds");
+    }
+
+    assert_eq!(
+        parsed
+            .get("metadata")
+            .and_then(|metadata| metadata.get("exit_code"))
+            .and_then(Value::as_i64),
+        Some(0),
+        "expected zero exit code when serialization is disabled",
+    );
+    let stdout = parsed
+        .get("output")
+        .and_then(Value::as_str)
+        .unwrap_or_default()
+        .to_string();
+    assert_eq!(
+        stdout, FIXTURE_JSON,
+        "expected shell output to match the fixture contents"
+    );
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn shell_output_structures_fixture_with_serialization() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let server = start_mock_server().await;
+    let mut builder = test_codex().with_config(|config| {
+        config.features.enable(Feature::ApplyPatchFreeform);
+    });
+    let test = builder.build(&server).await?;
+
+    let fixture_path = test.cwd.path().join("fixture.json");
+    fs::write(&fixture_path, FIXTURE_JSON)?;
+    let fixture_path_str = fixture_path.to_string_lossy().to_string();
+
+    let call_id = "shell-structured-fixture";
+    let args = json!({
+        "command": ["/usr/bin/sed", "-n", "p", fixture_path_str],
+        "timeout_ms": 1_000,
+    });
+    let responses = vec![
+        sse(vec![
+            ev_response_created("resp-1"),
+            ev_function_call(call_id, "shell", &serde_json::to_string(&args)?),
+            ev_completed("resp-1"),
+        ]),
+        sse(vec![
+            ev_assistant_message("msg-1", "done"),
+            ev_completed("resp-2"),
+        ]),
+    ];
+    mount_sse_sequence(&server, responses).await;
+
+    submit_turn(
+        &test,
+        "read the fixture JSON with structured output",
+        SandboxPolicy::DangerFullAccess,
+    )
+    .await?;
+
+    let requests = server
+        .received_requests()
+        .await
+        .expect("recorded requests present");
+    let bodies = request_bodies(&requests)?;
+    let output_item =
+        find_function_call_output(&bodies, call_id).expect("structured output present");
+    let output = output_item
+        .get("output")
+        .and_then(Value::as_str)
+        .expect("structured output string");
+
+    assert!(
+        serde_json::from_str::<Value>(output).is_err(),
+        "expected structured output to be plain text"
+    );
+    let (header, body) = output
+        .split_once("Output:\n")
+        .expect("structured output contains an Output section");
+    assert_regex_match(
+        r"(?s)^Exit code: 0\nWall time: [0-9]+(?:\.[0-9]+)? seconds$",
+        header.trim_end(),
+    );
+    assert_eq!(
+        body, FIXTURE_JSON,
+        "expected Output section to include the fixture contents"
+    );
+
+    Ok(())
+}
+
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn shell_output_for_freeform_tool_records_duration() -> Result<()> {
    skip_if_no_network!(Ok(()));
--- a/codex-rs/core/tests/suite/truncation.rs
+++ b/codex-rs/core/tests/suite/truncation.rs
@@ -3,9 +3,16 @@

 use anyhow::Context;
 use anyhow::Result;
+use codex_core::config::types::McpServerConfig;
+use codex_core::config::types::McpServerTransportConfig;
 use codex_core::features::Feature;
 use codex_core::model_family::find_family_for_model;
+use codex_core::protocol::AskForApproval;
+use codex_core::protocol::EventMsg;
+use codex_core::protocol::Op;
 use codex_core::protocol::SandboxPolicy;
+use codex_protocol::config_types::ReasoningSummary;
+use codex_protocol::user_input::UserInput;
 use core_test_support::assert_regex_match;
 use core_test_support::responses;
 use core_test_support::responses::ev_assistant_message;
@@ -18,10 +25,13 @@ use core_test_support::responses::sse;
 use core_test_support::responses::start_mock_server;
 use core_test_support::skip_if_no_network;
 use core_test_support::test_codex::test_codex;
+use core_test_support::wait_for_event;
 use escargot::CargoBuild;
 use regex_lite::Regex;
 use serde_json::Value;
 use serde_json::json;
+use std::collections::HashMap;
+use std::time::Duration;
 use wiremock::matchers::any;

 // Verifies byte-truncation formatting for function error output (RespondToModel errors)
@@ -268,3 +278,105 @@ async fn mcp_tool_call_output_exceeds_limit_truncated_for_model() -> Result<()>

    Ok(())
 }
+
+// Verifies that an MCP image tool output is serialized as content_items array with
+// the image preserved and no truncation summary appended (since there are no text items).
+#[tokio::test(flavor = "multi_thread", worker_threads = 1)]
+async fn mcp_image_output_preserves_image_and_no_text_summary() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let server = start_mock_server().await;
+
+    let call_id = "rmcp-image-no-trunc";
+    let server_name = "rmcp";
+    let tool_name = format!("mcp__{server_name}__image");
+
+    mount_sse_once_match(
+        &server,
+        any(),
+        sse(vec![
+            ev_response_created("resp-1"),
+            ev_function_call(call_id, &tool_name, "{}"),
+            ev_completed("resp-1"),
+        ]),
+    )
+    .await;
+    let final_mock = mount_sse_once_match(
+        &server,
+        any(),
+        sse(vec![
+            ev_assistant_message("msg-1", "done"),
+            ev_completed("resp-2"),
+        ]),
+    )
+    .await;
+
+    // Build the stdio rmcp server and pass a tiny PNG via data URL so it can construct ImageContent.
+    let rmcp_test_server_bin = CargoBuild::new()
+        .package("codex-rmcp-client")
+        .bin("test_stdio_server")
+        .run()?
+        .path()
+        .to_string_lossy()
+        .into_owned();
+
+    // 1x1 PNG data URL
+    let openai_png = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8/x8AAwMB/ee9bQAAAABJRU5ErkJggg==";
+
+    let mut builder = test_codex().with_config(move |config| {
+        config.features.enable(Feature::RmcpClient);
+        config.mcp_servers.insert(
+            server_name.to_string(),
+            McpServerConfig {
+                transport: McpServerTransportConfig::Stdio {
+                    command: rmcp_test_server_bin,
+                    args: Vec::new(),
+                    env: Some(HashMap::from([(
+                        "MCP_TEST_IMAGE_DATA_URL".to_string(),
+                        openai_png.to_string(),
+                    )])),
+                    env_vars: Vec::new(),
+                    cwd: None,
+                },
+                enabled: true,
+                startup_timeout_sec: Some(Duration::from_secs(10)),
+                tool_timeout_sec: None,
+                enabled_tools: None,
+                disabled_tools: None,
+            },
+        );
+    });
+    let fixture = builder.build(&server).await?;
+    let session_model = fixture.session_configured.model.clone();
+
+    fixture
+        .codex
+        .submit(Op::UserTurn {
+            items: vec![UserInput::Text {
+                text: "call the rmcp image tool".into(),
+            }],
+            final_output_json_schema: None,
+            cwd: fixture.cwd.path().to_path_buf(),
+            approval_policy: AskForApproval::Never,
+            sandbox_policy: SandboxPolicy::ReadOnly,
+            model: session_model,
+            effort: None,
+            summary: ReasoningSummary::Auto,
+        })
+        .await?;
+
+    // Wait for completion to ensure the outbound request is captured.
+    wait_for_event(&fixture.codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
+    let output_item = final_mock.single_request().function_call_output(call_id);
+    // Expect exactly one array element: the image item; and no trailing summary text.
+    let output = output_item.get("output").expect("output");
+    assert!(output.is_array(), "expected array output");
+    let arr = output.as_array().unwrap();
+    assert_eq!(arr.len(), 1, "no truncation summary should be appended");
+    assert_eq!(
+        arr[0],
+        json!({"type": "input_image", "image_url": openai_png})
+    );
+
+    Ok(())
+}
--- a/codex-rs/core/tests/suite/undo.rs
+++ b/codex-rs/core/tests/suite/undo.rs
@@ -0,0 +1,491 @@
+#![cfg(not(target_os = "windows"))]
+
+use std::fs;
+use std::path::Path;
+use std::process::Command;
+use std::sync::Arc;
+
+use anyhow::Context;
+use anyhow::Result;
+use anyhow::bail;
+use codex_core::CodexConversation;
+use codex_core::config::Config;
+use codex_core::features::Feature;
+use codex_core::model_family::find_family_for_model;
+use codex_core::protocol::EventMsg;
+use codex_core::protocol::Op;
+use codex_core::protocol::UndoCompletedEvent;
+use core_test_support::responses::ev_apply_patch_function_call;
+use core_test_support::responses::ev_assistant_message;
+use core_test_support::responses::ev_completed;
+use core_test_support::responses::ev_response_created;
+use core_test_support::responses::mount_sse_sequence;
+use core_test_support::responses::sse;
+use core_test_support::skip_if_no_network;
+use core_test_support::test_codex::TestCodexHarness;
+use core_test_support::wait_for_event_match;
+use pretty_assertions::assert_eq;
+
+#[allow(clippy::expect_used)]
+async fn undo_harness() -> Result<TestCodexHarness> {
+    TestCodexHarness::with_config(|config: &mut Config| {
+        config.include_apply_patch_tool = true;
+        config.model = "gpt-5".to_string();
+        config.model_family = find_family_for_model("gpt-5").expect("gpt-5 is valid");
+        config.features.enable(Feature::GhostCommit);
+    })
+    .await
+}
+
+fn git(path: &Path, args: &[&str]) -> Result<()> {
+    let status = Command::new("git")
+        .args(args)
+        .current_dir(path)
+        .status()
+        .with_context(|| format!("failed to run git {args:?}"))?;
+    if status.success() {
+        return Ok(());
+    }
+    let exit_status = status;
+    bail!("git {args:?} exited with {exit_status}");
+}
+
+fn git_output(path: &Path, args: &[&str]) -> Result<String> {
+    let output = Command::new("git")
+        .args(args)
+        .current_dir(path)
+        .output()
+        .with_context(|| format!("failed to run git {args:?}"))?;
+    if !output.status.success() {
+        let exit_status = output.status;
+        bail!("git {args:?} exited with {exit_status}");
+    }
+    String::from_utf8(output.stdout).context("stdout was not valid utf8")
+}
+
+fn init_git_repo(path: &Path) -> Result<()> {
+    // Use a consistent initial branch and config across environments to avoid
+    // CI variance (default-branch hints, line ending differences, etc.).
+    git(path, &["init", "--initial-branch=main"])?;
+    git(path, &["config", "core.autocrlf", "false"])?;
+    git(path, &["config", "user.name", "Codex Tests"])?;
+    git(path, &["config", "user.email", "codex-tests@example.com"])?;
+
+    // Create README.txt
+    let readme_path = path.join("README.txt");
+    fs::write(&readme_path, "Test repository initialized by Codex.\n")?;
+
+    // Stage and commit
+    git(path, &["add", "README.txt"])?;
+    git(path, &["commit", "-m", "Add README.txt"])?;
+
+    Ok(())
+}
+
+fn apply_patch_responses(call_id: &str, patch: &str, assistant_msg: &str) -> Vec<String> {
+    vec![
+        sse(vec![
+            ev_response_created("resp-1"),
+            ev_apply_patch_function_call(call_id, patch),
+            ev_completed("resp-1"),
+        ]),
+        sse(vec![
+            ev_assistant_message("msg-1", assistant_msg),
+            ev_completed("resp-2"),
+        ]),
+    ]
+}
+
+async fn run_apply_patch_turn(
+    harness: &TestCodexHarness,
+    prompt: &str,
+    call_id: &str,
+    patch: &str,
+    assistant_msg: &str,
+) -> Result<()> {
+    mount_sse_sequence(
+        harness.server(),
+        apply_patch_responses(call_id, patch, assistant_msg),
+    )
+    .await;
+    harness.submit(prompt).await
+}
+
+async fn invoke_undo(codex: &Arc<CodexConversation>) -> Result<UndoCompletedEvent> {
+    codex.submit(Op::Undo).await?;
+    let event = wait_for_event_match(codex, |msg| match msg {
+        EventMsg::UndoCompleted(done) => Some(done.clone()),
+        _ => None,
+    })
+    .await;
+    Ok(event)
+}
+
+async fn expect_successful_undo(codex: &Arc<CodexConversation>) -> Result<UndoCompletedEvent> {
+    let event = invoke_undo(codex).await?;
+    assert!(
+        event.success,
+        "expected undo to succeed but failed with message {:?}",
+        event.message
+    );
+    Ok(event)
+}
+
+async fn expect_failed_undo(codex: &Arc<CodexConversation>) -> Result<UndoCompletedEvent> {
+    let event = invoke_undo(codex).await?;
+    assert!(
+        !event.success,
+        "expected undo to fail but succeeded with message {:?}",
+        event.message
+    );
+    assert_eq!(
+        event.message.as_deref(),
+        Some("No ghost snapshot available to undo.")
+    );
+    Ok(event)
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn undo_removes_new_file_created_during_turn() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let harness = undo_harness().await?;
+    init_git_repo(harness.cwd())?;
+
+    let call_id = "undo-create-file";
+    let patch = "*** Begin Patch\n*** Add File: new_file.txt\n+from turn\n*** End Patch";
+    run_apply_patch_turn(&harness, "create file", call_id, patch, "ok").await?;
+
+    let new_path = harness.path("new_file.txt");
+    assert_eq!(fs::read_to_string(&new_path)?, "from turn\n");
+
+    let codex = Arc::clone(&harness.test().codex);
+    let completed = expect_successful_undo(&codex).await?;
+    assert!(completed.success, "undo failed: {:?}", completed.message);
+
+    assert!(!new_path.exists());
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn undo_restores_tracked_file_edit() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let harness = undo_harness().await?;
+    init_git_repo(harness.cwd())?;
+
+    let tracked = harness.path("tracked.txt");
+    fs::write(&tracked, "before\n")?;
+    git(harness.cwd(), &["add", "tracked.txt"])?;
+    git(harness.cwd(), &["commit", "-m", "track file"])?;
+
+    let patch = "*** Begin Patch\n*** Update File: tracked.txt\n@@\n-before\n+after\n*** End Patch";
+    run_apply_patch_turn(
+        &harness,
+        "update tracked file",
+        "undo-tracked-edit",
+        patch,
+        "done",
+    )
+    .await?;
+    println!(
+        "apply_patch output: {}",
+        harness.function_call_stdout("undo-tracked-edit").await
+    );
+
+    assert_eq!(fs::read_to_string(&tracked)?, "after\n");
+
+    let codex = Arc::clone(&harness.test().codex);
+    let completed = expect_successful_undo(&codex).await?;
+    assert!(completed.success, "undo failed: {:?}", completed.message);
+
+    assert_eq!(fs::read_to_string(&tracked)?, "before\n");
+    let status = git_output(harness.cwd(), &["status", "--short"])?;
+    assert_eq!(status, "");
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn undo_restores_untracked_file_edit() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let harness = undo_harness().await?;
+    init_git_repo(harness.cwd())?;
+    git(harness.cwd(), &["commit", "--allow-empty", "-m", "init"])?;
+
+    let notes = harness.path("notes.txt");
+    fs::write(&notes, "original\n")?;
+    let status_before = git_output(harness.cwd(), &["status", "--short", "--ignored"])?;
+    assert!(status_before.contains("?? notes.txt"));
+
+    let patch =
+        "*** Begin Patch\n*** Update File: notes.txt\n@@\n-original\n+modified\n*** End Patch";
+    run_apply_patch_turn(
+        &harness,
+        "edit untracked",
+        "undo-untracked-edit",
+        patch,
+        "done",
+    )
+    .await?;
+
+    assert_eq!(fs::read_to_string(&notes)?, "modified\n");
+
+    let codex = Arc::clone(&harness.test().codex);
+    let completed = expect_successful_undo(&codex).await?;
+    assert!(completed.success, "undo failed: {:?}", completed.message);
+
+    assert_eq!(fs::read_to_string(&notes)?, "original\n");
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn undo_reverts_only_latest_turn() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let harness = undo_harness().await?;
+    init_git_repo(harness.cwd())?;
+
+    let call_id_one = "undo-turn-one";
+    let add_patch = "*** Begin Patch\n*** Add File: story.txt\n+first version\n*** End Patch";
+    run_apply_patch_turn(&harness, "create story", call_id_one, add_patch, "done").await?;
+    let story = harness.path("story.txt");
+    assert_eq!(fs::read_to_string(&story)?, "first version\n");
+
+    let call_id_two = "undo-turn-two";
+    let update_patch = "*** Begin Patch\n*** Update File: story.txt\n@@\n-first version\n+second version\n*** End Patch";
+    run_apply_patch_turn(&harness, "revise story", call_id_two, update_patch, "done").await?;
+    assert_eq!(fs::read_to_string(&story)?, "second version\n");
+
+    let codex = Arc::clone(&harness.test().codex);
+    let completed = expect_successful_undo(&codex).await?;
+    assert!(completed.success, "undo failed: {:?}", completed.message);
+
+    assert_eq!(fs::read_to_string(&story)?, "first version\n");
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn undo_does_not_touch_unrelated_files() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let harness = undo_harness().await?;
+    init_git_repo(harness.cwd())?;
+
+    let tracked_constant = harness.path("stable.txt");
+    fs::write(&tracked_constant, "stable\n")?;
+    let target = harness.path("target.txt");
+    fs::write(&target, "start\n")?;
+    let gitignore = harness.path(".gitignore");
+    fs::write(&gitignore, "ignored-stable.log\n")?;
+    git(
+        harness.cwd(),
+        &["add", "stable.txt", "target.txt", ".gitignore"],
+    )?;
+    git(harness.cwd(), &["commit", "-m", "seed tracked"])?;
+
+    let preexisting_untracked = harness.path("scratch.txt");
+    fs::write(&preexisting_untracked, "scratch before\n")?;
+    let ignored = harness.path("ignored-stable.log");
+    fs::write(&ignored, "ignored before\n")?;
+
+    let full_patch = "*** Begin Patch\n*** Update File: target.txt\n@@\n-start\n+edited\n*** Add File: temp.txt\n+ephemeral\n*** End Patch";
+    run_apply_patch_turn(
+        &harness,
+        "modify target",
+        "undo-unrelated",
+        full_patch,
+        "done",
+    )
+    .await?;
+    let temp = harness.path("temp.txt");
+    assert_eq!(fs::read_to_string(&target)?, "edited\n");
+    assert_eq!(fs::read_to_string(&temp)?, "ephemeral\n");
+
+    let codex = Arc::clone(&harness.test().codex);
+    let completed = expect_successful_undo(&codex).await?;
+    assert!(completed.success, "undo failed: {:?}", completed.message);
+
+    assert_eq!(fs::read_to_string(&tracked_constant)?, "stable\n");
+    assert_eq!(fs::read_to_string(&target)?, "start\n");
+    assert_eq!(
+        fs::read_to_string(&preexisting_untracked)?,
+        "scratch before\n"
+    );
+    assert_eq!(fs::read_to_string(&ignored)?, "ignored before\n");
+    assert!(!temp.exists());
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn undo_sequential_turns_consumes_snapshots() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let harness = undo_harness().await?;
+    init_git_repo(harness.cwd())?;
+
+    let story = harness.path("story.txt");
+    fs::write(&story, "initial\n")?;
+    git(harness.cwd(), &["add", "story.txt"])?;
+    git(harness.cwd(), &["commit", "-m", "seed story"])?;
+
+    run_apply_patch_turn(
+        &harness,
+        "first change",
+        "seq-turn-1",
+        "*** Begin Patch\n*** Update File: story.txt\n@@\n-initial\n+turn one\n*** End Patch",
+        "ok",
+    )
+    .await?;
+    assert_eq!(fs::read_to_string(&story)?, "turn one\n");
+
+    run_apply_patch_turn(
+        &harness,
+        "second change",
+        "seq-turn-2",
+        "*** Begin Patch\n*** Update File: story.txt\n@@\n-turn one\n+turn two\n*** End Patch",
+        "ok",
+    )
+    .await?;
+    assert_eq!(fs::read_to_string(&story)?, "turn two\n");
+
+    run_apply_patch_turn(
+        &harness,
+        "third change",
+        "seq-turn-3",
+        "*** Begin Patch\n*** Update File: story.txt\n@@\n-turn two\n+turn three\n*** End Patch",
+        "ok",
+    )
+    .await?;
+    assert_eq!(fs::read_to_string(&story)?, "turn three\n");
+
+    let codex = Arc::clone(&harness.test().codex);
+    expect_successful_undo(&codex).await?;
+    assert_eq!(fs::read_to_string(&story)?, "turn two\n");
+
+    expect_successful_undo(&codex).await?;
+    assert_eq!(fs::read_to_string(&story)?, "turn one\n");
+
+    expect_successful_undo(&codex).await?;
+    assert_eq!(fs::read_to_string(&story)?, "initial\n");
+
+    expect_failed_undo(&codex).await?;
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn undo_without_snapshot_reports_failure() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let harness = undo_harness().await?;
+    let codex = Arc::clone(&harness.test().codex);
+
+    expect_failed_undo(&codex).await?;
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn undo_restores_moves_and_renames() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let harness = undo_harness().await?;
+    init_git_repo(harness.cwd())?;
+
+    let source = harness.path("rename_me.txt");
+    fs::write(&source, "original\n")?;
+    git(harness.cwd(), &["add", "rename_me.txt"])?;
+    git(harness.cwd(), &["commit", "-m", "add rename target"])?;
+
+    let patch = "*** Begin Patch\n*** Update File: rename_me.txt\n*** Move to: relocated/renamed.txt\n@@\n-original\n+renamed content\n*** End Patch";
+    run_apply_patch_turn(&harness, "rename file", "undo-rename", patch, "done").await?;
+
+    let destination = harness.path("relocated/renamed.txt");
+    assert!(!source.exists());
+    assert_eq!(fs::read_to_string(&destination)?, "renamed content\n");
+
+    let codex = Arc::clone(&harness.test().codex);
+    expect_successful_undo(&codex).await?;
+
+    assert_eq!(fs::read_to_string(&source)?, "original\n");
+    assert!(!destination.exists());
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn undo_does_not_touch_ignored_directory_contents() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let harness = undo_harness().await?;
+    init_git_repo(harness.cwd())?;
+
+    let gitignore = harness.path(".gitignore");
+    fs::write(&gitignore, "logs/\n")?;
+    git(harness.cwd(), &["add", ".gitignore"])?;
+    git(harness.cwd(), &["commit", "-m", "ignore logs directory"])?;
+
+    let logs_dir = harness.path("logs");
+    fs::create_dir_all(&logs_dir)?;
+    let preserved = logs_dir.join("persistent.log");
+    fs::write(&preserved, "keep me\n")?;
+
+    run_apply_patch_turn(
+        &harness,
+        "write log",
+        "undo-log",
+        "*** Begin Patch\n*** Add File: logs/session.log\n+ephemeral log\n*** End Patch",
+        "ok",
+    )
+    .await?;
+
+    let new_log = logs_dir.join("session.log");
+    assert_eq!(fs::read_to_string(&new_log)?, "ephemeral log\n");
+
+    let codex = Arc::clone(&harness.test().codex);
+    expect_successful_undo(&codex).await?;
+
+    assert!(new_log.exists());
+    assert_eq!(fs::read_to_string(&preserved)?, "keep me\n");
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn undo_overwrites_manual_edits_after_turn() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let harness = undo_harness().await?;
+    init_git_repo(harness.cwd())?;
+
+    let tracked = harness.path("tracked.txt");
+    fs::write(&tracked, "baseline\n")?;
+    git(harness.cwd(), &["add", "tracked.txt"])?;
+    git(harness.cwd(), &["commit", "-m", "baseline tracked"])?;
+
+    run_apply_patch_turn(
+        &harness,
+        "modify tracked",
+        "undo-manual-overwrite",
+        "*** Begin Patch\n*** Update File: tracked.txt\n@@\n-baseline\n+turn change\n*** End Patch",
+        "ok",
+    )
+    .await?;
+    assert_eq!(fs::read_to_string(&tracked)?, "turn change\n");
+
+    fs::write(&tracked, "manual edit\n")?;
+    assert_eq!(fs::read_to_string(&tracked)?, "manual edit\n");
+
+    let codex = Arc::clone(&harness.test().codex);
+    expect_successful_undo(&codex).await?;
+
+    assert_eq!(fs::read_to_string(&tracked)?, "baseline\n");
+
+    Ok(())
+}
--- a/codex-rs/docs/protocol_v1.md
+++ b/codex-rs/docs/protocol_v1.md
@@ -73,6 +73,7 @@ For complete documentation of the `Op` and `EventMsg` variants, refer to [protoc
  - `EventMsg::ExecApprovalRequest` – Request approval from user to execute a command
  - `EventMsg::TaskComplete` – A task completed successfully
  - `EventMsg::Error` – A task stopped with an error
+  - `EventMsg::Warning` – A non-fatal warning that the client should surface to the user
  - `EventMsg::TurnComplete` – Contains a `response_id` bookmark for last `response_id` executed by the task. This can be used to continue the task at a later point in time, perhaps with additional user input.

 The `response_id` returned from each task matches the OpenAI `response_id` stored in the API's `/responses` endpoint. It can be stored and used in future `Sessions` to resume threads of work.
--- a/codex-rs/exec/src/event_processor_with_human_output.rs
+++ b/codex-rs/exec/src/event_processor_with_human_output.rs
@@ -21,6 +21,7 @@ use codex_core::protocol::StreamErrorEvent;
 use codex_core::protocol::TaskCompleteEvent;
 use codex_core::protocol::TurnAbortReason;
 use codex_core::protocol::TurnDiffEvent;
+use codex_core::protocol::WarningEvent;
 use codex_core::protocol::WebSearchEndEvent;
 use codex_protocol::num_format::format_with_separators;
 use owo_colors::OwoColorize;
@@ -54,6 +55,7 @@ pub(crate) struct EventProcessorWithHumanOutput {
    red: Style,
    green: Style,
    cyan: Style,
+    yellow: Style,

    /// Whether to include `AgentReasoning` events in the output.
    show_agent_reasoning: bool,
@@ -81,6 +83,7 @@ impl EventProcessorWithHumanOutput {
                red: Style::new().red(),
                green: Style::new().green(),
                cyan: Style::new().cyan(),
+                yellow: Style::new().yellow(),
                show_agent_reasoning: !config.hide_agent_reasoning,
                show_raw_agent_reasoning: config.show_raw_agent_reasoning,
                last_message_path,
@@ -97,6 +100,7 @@ impl EventProcessorWithHumanOutput {
                red: Style::new(),
                green: Style::new(),
                cyan: Style::new(),
+                yellow: Style::new(),
                show_agent_reasoning: !config.hide_agent_reasoning,
                show_raw_agent_reasoning: config.show_raw_agent_reasoning,
                last_message_path,
@@ -161,6 +165,13 @@ impl EventProcessor for EventProcessorWithHumanOutput {
                let prefix = "ERROR:".style(self.red);
                ts_msg!(self, "{prefix} {message}");
            }
+            EventMsg::Warning(WarningEvent { message }) => {
+                ts_msg!(
+                    self,
+                    "{} {message}",
+                    "warning:".style(self.yellow).style(self.bold)
+                );
+            }
            EventMsg::DeprecationNotice(DeprecationNoticeEvent { summary, details }) => {
                ts_msg!(
                    self,
--- a/codex-rs/exec/src/event_processor_with_jsonl_output.rs
+++ b/codex-rs/exec/src/event_processor_with_jsonl_output.rs
@@ -8,6 +8,7 @@ use crate::event_processor::handle_last_message;
 use crate::exec_events::AgentMessageItem;
 use crate::exec_events::CommandExecutionItem;
 use crate::exec_events::CommandExecutionStatus;
+use crate::exec_events::ErrorItem;
 use crate::exec_events::FileChangeItem;
 use crate::exec_events::FileUpdateChange;
 use crate::exec_events::ItemCompletedEvent;
@@ -129,6 +130,15 @@ impl EventProcessorWithJsonOutput {
                self.last_critical_error = Some(error.clone());
                vec![ThreadEvent::Error(error)]
            }
+            EventMsg::Warning(ev) => {
+                let item = ThreadItem {
+                    id: self.get_next_item_id(),
+                    details: ThreadItemDetails::Error(ErrorItem {
+                        message: ev.message.clone(),
+                    }),
+                };
+                vec![ThreadEvent::ItemCompleted(ItemCompletedEvent { item })]
+            }
            EventMsg::StreamError(ev) => vec![ThreadEvent::Error(ThreadErrorEvent {
                message: ev.message.clone(),
            })],
--- a/codex-rs/exec/tests/event_processor_with_json_output.rs
+++ b/codex-rs/exec/tests/event_processor_with_json_output.rs
@@ -12,11 +12,13 @@ use codex_core::protocol::McpToolCallEndEvent;
 use codex_core::protocol::PatchApplyBeginEvent;
 use codex_core::protocol::PatchApplyEndEvent;
 use codex_core::protocol::SessionConfiguredEvent;
+use codex_core::protocol::WarningEvent;
 use codex_core::protocol::WebSearchEndEvent;
 use codex_exec::event_processor_with_jsonl_output::EventProcessorWithJsonOutput;
 use codex_exec::exec_events::AgentMessageItem;
 use codex_exec::exec_events::CommandExecutionItem;
 use codex_exec::exec_events::CommandExecutionStatus;
+use codex_exec::exec_events::ErrorItem;
 use codex_exec::exec_events::ItemCompletedEvent;
 use codex_exec::exec_events::ItemStartedEvent;
 use codex_exec::exec_events::ItemUpdatedEvent;
@@ -540,6 +542,28 @@ fn error_event_produces_error() {
    );
 }

+#[test]
+fn warning_event_produces_error_item() {
+    let mut ep = EventProcessorWithJsonOutput::new(None);
+    let out = ep.collect_thread_events(&event(
+        "e1",
+        EventMsg::Warning(WarningEvent {
+            message: "Heads up: Long conversations and multiple compactions can cause the model to be less accurate. Start new a new conversation when possible to keep conversations small and targeted.".to_string(),
+        }),
+    ));
+    assert_eq!(
+        out,
+        vec![ThreadEvent::ItemCompleted(ItemCompletedEvent {
+            item: ThreadItem {
+                id: "item_0".to_string(),
+                details: ThreadItemDetails::Error(ErrorItem {
+                    message: "Heads up: Long conversations and multiple compactions can cause the model to be less accurate. Start new a new conversation when possible to keep conversations small and targeted.".to_string(),
+                }),
+            },
+        })]
+    );
+}
+
 #[test]
 fn stream_error_event_produces_error() {
    let mut ep = EventProcessorWithJsonOutput::new(None);
--- a/codex-rs/mcp-server/src/codex_tool_runner.rs
+++ b/codex-rs/mcp-server/src/codex_tool_runner.rs
@@ -204,6 +204,9 @@ async fn run_codex_tool_session_inner(
                        outgoing.send_response(request_id.clone(), result).await;
                        break;
                    }
+                    EventMsg::Warning(_) => {
+                        continue;
+                    }
                    EventMsg::ApplyPatchApprovalRequest(ApplyPatchApprovalRequestEvent {
                        call_id,
                        reason,
--- a/codex-rs/otel/src/otel_event_manager.rs
+++ b/codex-rs/otel/src/otel_event_manager.rs
@@ -8,7 +8,6 @@ use codex_protocol::models::ResponseItem;
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::ReviewDecision;
 use codex_protocol::protocol::SandboxPolicy;
-use codex_protocol::protocol::SandboxRiskCategory;
 use codex_protocol::protocol::SandboxRiskLevel;
 use codex_protocol::user_input::UserInput;
 use eventsource_stream::Event as StreamEvent;
@@ -373,19 +372,9 @@ impl OtelEventManager {
        call_id: &str,
        status: &str,
        risk_level: Option<SandboxRiskLevel>,
-        risk_categories: &[SandboxRiskCategory],
        duration: Duration,
    ) {
        let level = risk_level.map(|level| level.as_str());
-        let categories = if risk_categories.is_empty() {
-            String::new()
-        } else {
-            risk_categories
-                .iter()
-                .map(SandboxRiskCategory::as_str)
-                .collect::<Vec<_>>()
-                .join(", ")
-        };

        tracing::event!(
            tracing::Level::INFO,
@@ -402,7 +391,6 @@ impl OtelEventManager {
            call_id = %call_id,
            status = %status,
            risk_level = level,
-            risk_categories = categories,
            duration_ms = %duration.as_millis(),
        );
    }
--- a/codex-rs/protocol/src/approvals.rs
+++ b/codex-rs/protocol/src/approvals.rs
@@ -16,24 +16,10 @@ pub enum SandboxRiskLevel {
    High,
 }

-#[derive(Debug, Clone, Copy, Deserialize, Serialize, PartialEq, Eq, Hash, JsonSchema, TS)]
-#[serde(rename_all = "snake_case")]
-pub enum SandboxRiskCategory {
-    DataDeletion,
-    DataExfiltration,
-    PrivilegeEscalation,
-    SystemModification,
-    NetworkAccess,
-    ResourceExhaustion,
-    Compliance,
-}
-
 #[derive(Debug, Clone, Deserialize, Serialize, PartialEq, Eq, JsonSchema, TS)]
 pub struct SandboxCommandAssessment {
    pub description: String,
    pub risk_level: SandboxRiskLevel,
-    #[serde(default, skip_serializing_if = "Vec::is_empty")]
-    pub risk_categories: Vec<SandboxRiskCategory>,
 }

 impl SandboxRiskLevel {
@@ -46,20 +32,6 @@ impl SandboxRiskLevel {
    }
 }

-impl SandboxRiskCategory {
-    pub fn as_str(&self) -> &'static str {
-        match self {
-            Self::DataDeletion => "data_deletion",
-            Self::DataExfiltration => "data_exfiltration",
-            Self::PrivilegeEscalation => "privilege_escalation",
-            Self::SystemModification => "system_modification",
-            Self::NetworkAccess => "network_access",
-            Self::ResourceExhaustion => "resource_exhaustion",
-            Self::Compliance => "compliance",
-        }
-    }
-}
-
 #[derive(Debug, Clone, Deserialize, Serialize, JsonSchema, TS)]
 pub struct ExecApprovalRequestEvent {
    /// Identifier for the associated exec call, if available.
--- a/codex-rs/protocol/src/protocol.rs
+++ b/codex-rs/protocol/src/protocol.rs
@@ -37,7 +37,6 @@ use ts_rs::TS;
 pub use crate::approvals::ApplyPatchApprovalRequestEvent;
 pub use crate::approvals::ExecApprovalRequestEvent;
 pub use crate::approvals::SandboxCommandAssessment;
-pub use crate::approvals::SandboxRiskCategory;
 pub use crate::approvals::SandboxRiskLevel;

 /// Open/close tags for special user-input blocks. Used across crates to avoid
@@ -438,6 +437,10 @@ pub enum EventMsg {
    /// Error while executing a submission
    Error(ErrorEvent),

+    /// Warning issued while processing a submission. Unlike `Error`, this
+    /// indicates the task continued but the user should still be notified.
+    Warning(WarningEvent),
+
    /// Agent has started a task
    TaskStarted(TaskStartedEvent),

@@ -672,6 +675,11 @@ pub struct ErrorEvent {
    pub message: String,
 }

+#[derive(Debug, Clone, Deserialize, Serialize, JsonSchema, TS)]
+pub struct WarningEvent {
+    pub message: String,
+}
+
 #[derive(Debug, Clone, Deserialize, Serialize, JsonSchema, TS)]
 pub struct TaskCompleteEvent {
    pub last_agent_message: Option<String>,
@@ -804,12 +812,8 @@ impl TokenUsage {
        (self.non_cached_input() + self.output_tokens.max(0)).max(0)
    }

-    /// For estimating what % of the model's context window is used, we need to account
-    /// for reasoning output tokens from prior turns being dropped from the context window.
-    /// We approximate this here by subtracting reasoning output tokens from the total.
-    /// This will be off for the current turn and pending function calls.
    pub fn tokens_in_context_window(&self) -> i64 {
-        (self.total_tokens - self.reasoning_output_tokens).max(0)
+        self.total_tokens
    }

    /// Estimate the remaining user-controllable percentage of the model's context window.
--- a/codex-rs/responses-api-proxy/README.md
+++ b/codex-rs/responses-api-proxy/README.md
@@ -40,12 +40,23 @@ curl --fail --silent --show-error "${PROXY_BASE_URL}/shutdown"
 ## CLI

 ```
-codex-responses-api-proxy [--port <PORT>] [--server-info <FILE>] [--http-shutdown]
+codex-responses-api-proxy [--port <PORT>] [--server-info <FILE>] [--http-shutdown] [--upstream-url <URL>]
 ```

 - `--port <PORT>`: Port to bind on `127.0.0.1`. If omitted, an ephemeral port is chosen.
 - `--server-info <FILE>`: If set, the proxy writes a single line of JSON with `{ "port": <PORT>, "pid": <PID> }` once listening.
 - `--http-shutdown`: If set, enables `GET /shutdown` to exit the process with code `0`.
+- `--upstream-url <URL>`: Absolute URL to forward requests to. Defaults to `https://api.openai.com/v1/responses`.
+- Authentication is fixed to `Authorization: Bearer <key>` to match the Codex CLI expectations.
+
+For Azure, for example (ensure your deployment accepts `Authorization: Bearer <key>`):
+
+```shell
+printenv AZURE_OPENAI_API_KEY | env -u AZURE_OPENAI_API_KEY codex-responses-api-proxy \
+  --http-shutdown \
+  --server-info /tmp/server-info.json \
+  --upstream-url "https://YOUR_PROJECT_NAME.openai.azure.com/openai/deployments/YOUR_DEPLOYMENT/responses?api-version=2025-04-01-preview"
+```

 ## Notes

@@ -57,7 +68,7 @@ codex-responses-api-proxy [--port <PORT>] [--server-info <FILE>] [--http-shutdow
 Care is taken to restrict access/copying to the value of `OPENAI_API_KEY` retained in memory:

 - We leverage [`codex_process_hardening`](https://github.com/openai/codex/blob/main/codex-rs/process-hardening/README.md) so `codex-responses-api-proxy` is run with standard process-hardening techniques.
- At startup, we allocate a `1024` byte buffer on the stack and write `"Bearer "` as the first `7` bytes.
+- At startup, we allocate a `1024` byte buffer on the stack and copy `"Bearer "` into the start of the buffer.
 - We then read from `stdin`, copying the contents into the buffer after `"Bearer "`.
 - After verifying the key matches `/^[a-zA-Z0-9_-]+$/` (and does not exceed the buffer), we create a `String` from that buffer (so the data is now on the heap).
 - We zero out the stack-allocated buffer using https://crates.io/crates/zeroize so it is not optimized away by the compiler.
--- a/codex-rs/responses-api-proxy/src/lib.rs
+++ b/codex-rs/responses-api-proxy/src/lib.rs
@@ -12,6 +12,7 @@ use anyhow::Context;
 use anyhow::Result;
 use anyhow::anyhow;
 use clap::Parser;
+use reqwest::Url;
 use reqwest::blocking::Client;
 use reqwest::header::AUTHORIZATION;
 use reqwest::header::HOST;
@@ -44,6 +45,10 @@ pub struct Args {
    /// Enable HTTP shutdown endpoint at GET /shutdown
    #[arg(long)]
    pub http_shutdown: bool,
+
+    /// Absolute URL the proxy should forward requests to (defaults to OpenAI).
+    #[arg(long, default_value = "https://api.openai.com/v1/responses")]
+    pub upstream_url: String,
 }

 #[derive(Serialize)]
@@ -52,10 +57,29 @@ struct ServerInfo {
    pid: u32,
 }

+struct ForwardConfig {
+    upstream_url: Url,
+    host_header: HeaderValue,
+}
+
 /// Entry point for the library main, for parity with other crates.
 pub fn run_main(args: Args) -> Result<()> {
    let auth_header = read_auth_header_from_stdin()?;

+    let upstream_url = Url::parse(&args.upstream_url).context("parsing --upstream-url")?;
+    let host = match (upstream_url.host_str(), upstream_url.port()) {
+        (Some(host), Some(port)) => format!("{host}:{port}"),
+        (Some(host), None) => host.to_string(),
+        _ => return Err(anyhow!("upstream URL must include a host")),
+    };
+    let host_header =
+        HeaderValue::from_str(&host).context("constructing Host header from upstream URL")?;
+
+    let forward_config = Arc::new(ForwardConfig {
+        upstream_url,
+        host_header,
+    });
+
    let (listener, bound_addr) = bind_listener(args.port)?;
    if let Some(path) = args.server_info.as_ref() {
        write_server_info(path, bound_addr.port())?;
@@ -75,13 +99,14 @@ pub fn run_main(args: Args) -> Result<()> {
    let http_shutdown = args.http_shutdown;
    for request in server.incoming_requests() {
        let client = client.clone();
+        let forward_config = forward_config.clone();
        std::thread::spawn(move || {
            if http_shutdown && request.method() == &Method::Get && request.url() == "/shutdown" {
                let _ = request.respond(Response::new_empty(StatusCode(200)));
                std::process::exit(0);
            }

-            if let Err(e) = forward_request(&client, auth_header, request) {
+            if let Err(e) = forward_request(&client, auth_header, &forward_config, request) {
                eprintln!("forwarding error: {e}");
            }
        });
@@ -115,7 +140,12 @@ fn write_server_info(path: &Path, port: u16) -> Result<()> {
    Ok(())
 }

-fn forward_request(client: &Client, auth_header: &'static str, mut req: Request) -> Result<()> {
+fn forward_request(
+    client: &Client,
+    auth_header: &'static str,
+    config: &ForwardConfig,
+    mut req: Request,
+) -> Result<()> {
    // Only allow POST /v1/responses exactly, no query string.
    let method = req.method().clone();
    let url_path = req.url().to_string();
@@ -157,11 +187,10 @@ fn forward_request(client: &Client, auth_header: &'static str, mut req: Request)
    auth_header_value.set_sensitive(true);
    headers.insert(AUTHORIZATION, auth_header_value);

-    headers.insert(HOST, HeaderValue::from_static("api.openai.com"));
+    headers.insert(HOST, config.host_header.clone());

-    let upstream = "https://api.openai.com/v1/responses";
    let upstream_resp = client
-        .post(upstream)
+        .post(config.upstream_url.clone())
        .headers(headers)
        .body(body)
        .send()
--- a/codex-rs/responses-api-proxy/src/read_api_key.rs
+++ b/codex-rs/responses-api-proxy/src/read_api_key.rs
@@ -121,7 +121,7 @@ where
    if total_read == capacity && !saw_newline && !saw_eof {
        buf.zeroize();
        return Err(anyhow!(
-            "OPENAI_API_KEY is too large to fit in the 512-byte buffer"
+            "API key is too large to fit in the {BUFFER_SIZE}-byte buffer"
        ));
    }

@@ -133,7 +133,7 @@ where
    if total == AUTH_HEADER_PREFIX.len() {
        buf.zeroize();
        return Err(anyhow!(
-            "OPENAI_API_KEY must be provided via stdin (e.g. printenv OPENAI_API_KEY | codex responses-api-proxy)"
+            "API key must be provided via stdin (e.g. printenv OPENAI_API_KEY | codex responses-api-proxy)"
        ));
    }

@@ -214,7 +214,7 @@ fn validate_auth_header_bytes(key_bytes: &[u8]) -> Result<()> {
    }

    Err(anyhow!(
-        "OPENAI_API_KEY may only contain ASCII letters, numbers, '-' or '_'"
+        "API key may only contain ASCII letters, numbers, '-' or '_'"
    ))
 }

@@ -290,7 +290,9 @@ mod tests {
        })
        .unwrap_err();
        let message = format!("{err:#}");
-        assert!(message.contains("OPENAI_API_KEY is too large to fit in the 512-byte buffer"));
+        let expected_error =
+            format!("API key is too large to fit in the {BUFFER_SIZE}-byte buffer");
+        assert!(message.contains(&expected_error));
    }

    #[test]
@@ -317,9 +319,7 @@ mod tests {
        .unwrap_err();

        let message = format!("{err:#}");
-        assert!(
-            message.contains("OPENAI_API_KEY may only contain ASCII letters, numbers, '-' or '_'")
-        );
+        assert!(message.contains("API key may only contain ASCII letters, numbers, '-' or '_'"));
    }

    #[test]
@@ -337,8 +337,6 @@ mod tests {
        .unwrap_err();

        let message = format!("{err:#}");
-        assert!(
-            message.contains("OPENAI_API_KEY may only contain ASCII letters, numbers, '-' or '_'")
-        );
+        assert!(message.contains("API key may only contain ASCII letters, numbers, '-' or '_'"));
    }
 }
--- a/codex-rs/tui/Cargo.toml
+++ b/codex-rs/tui/Cargo.toml
@@ -41,7 +41,10 @@ codex-protocol = { workspace = true }
 codex-app-server-protocol = { workspace = true }
 codex-feedback = { workspace = true }
 color-eyre = { workspace = true }
-crossterm = { workspace = true, features = ["bracketed-paste", "event-stream"] }
+crossterm = { workspace = true, features = [
+    "bracketed-paste",
+    "event-stream",
+] }
 diffy = { workspace = true }
 dirs = { workspace = true }
 dunce = { workspace = true }
--- a/codex-rs/tui/src/bottom_pane/approval_overlay.rs
+++ b/codex-rs/tui/src/bottom_pane/approval_overlay.rs
@@ -20,7 +20,6 @@ use codex_core::protocol::FileChange;
 use codex_core::protocol::Op;
 use codex_core::protocol::ReviewDecision;
 use codex_core::protocol::SandboxCommandAssessment;
-use codex_core::protocol::SandboxRiskCategory;
 use codex_core::protocol::SandboxRiskLevel;
 use crossterm::event::KeyCode;
 use crossterm::event::KeyEvent;
@@ -356,35 +355,11 @@ fn render_risk_lines(risk: &SandboxCommandAssessment) -> Vec<Line<'static>> {
        ]));
    }

-    let mut spans: Vec<Span<'static>> = vec!["Risk: ".into(), level_span];
-    if !risk.risk_categories.is_empty() {
-        spans.push(" (".into());
-        for (idx, category) in risk.risk_categories.iter().enumerate() {
-            if idx > 0 {
-                spans.push(", ".into());
-            }
-            spans.push(risk_category_label(*category).into());
-        }
-        spans.push(")".into());
-    }
-
-    lines.push(Line::from(spans));
+    lines.push(vec!["Risk: ".into(), level_span].into());
    lines.push(Line::from(""));
    lines
 }

-fn risk_category_label(category: SandboxRiskCategory) -> &'static str {
-    match category {
-        SandboxRiskCategory::DataDeletion => "data deletion",
-        SandboxRiskCategory::DataExfiltration => "data exfiltration",
-        SandboxRiskCategory::PrivilegeEscalation => "privilege escalation",
-        SandboxRiskCategory::SystemModification => "system modification",
-        SandboxRiskCategory::NetworkAccess => "network access",
-        SandboxRiskCategory::ResourceExhaustion => "resource exhaustion",
-        SandboxRiskCategory::Compliance => "compliance",
-    }
-}
-
 #[derive(Clone)]
 enum ApprovalVariant {
    Exec { id: String, command: Vec<String> },
--- a/codex-rs/tui/src/chatwidget.rs
+++ b/codex-rs/tui/src/chatwidget.rs
@@ -42,6 +42,7 @@ use codex_core::protocol::UndoCompletedEvent;
 use codex_core::protocol::UndoStartedEvent;
 use codex_core::protocol::UserMessageEvent;
 use codex_core::protocol::ViewImageToolCallEvent;
+use codex_core::protocol::WarningEvent;
 use codex_core::protocol::WebSearchBeginEvent;
 use codex_core::protocol::WebSearchEndEvent;
 use codex_protocol::ConversationId;
@@ -519,6 +520,11 @@ impl ChatWidget {
        self.maybe_send_next_queued_input();
    }

+    fn on_warning(&mut self, message: String) {
+        self.add_to_history(history_cell::new_warning_event(message));
+        self.request_redraw();
+    }
+
    /// Handle a turn aborted due to user interrupt (Esc).
    /// When there are queued user messages, restore them into the composer
    /// separated by newlines rather than auto‑submitting the next one.
@@ -1477,6 +1483,7 @@ impl ChatWidget {
                self.set_token_info(ev.info);
                self.on_rate_limit_snapshot(ev.rate_limits);
            }
+            EventMsg::Warning(WarningEvent { message }) => self.on_warning(message),
            EventMsg::Error(ErrorEvent { message }) => self.on_error(message),
            EventMsg::TurnAborted(ev) => match ev.reason {
                TurnAbortReason::Interrupted => {
--- a/codex-rs/tui/src/chatwidget/tests.rs
+++ b/codex-rs/tui/src/chatwidget/tests.rs
@@ -37,6 +37,7 @@ use codex_core::protocol::TaskStartedEvent;
 use codex_core::protocol::UndoCompletedEvent;
 use codex_core::protocol::UndoStartedEvent;
 use codex_core::protocol::ViewImageToolCallEvent;
+use codex_core::protocol::WarningEvent;
 use codex_protocol::ConversationId;
 use codex_protocol::parse_command::ParsedCommand;
 use codex_protocol::plan_tool::PlanItemArg;
@@ -56,6 +57,8 @@ use tempfile::tempdir;
 use tokio::sync::mpsc::error::TryRecvError;
 use tokio::sync::mpsc::unbounded_channel;

+const TEST_WARNING_MESSAGE: &str = "Heads up: Long conversations and multiple compactions can cause the model to be less accurate. Start new a new conversation when possible to keep conversations small and targeted.";
+
 fn test_config() -> Config {
    // Use base defaults to avoid depending on host state.
    Config::load_from_base_config_with_overrides(
@@ -2445,6 +2448,25 @@ fn stream_error_updates_status_indicator() {
    assert_eq!(status.header(), msg);
 }

+#[test]
+fn warning_event_adds_warning_history_cell() {
+    let (mut chat, mut rx, _op_rx) = make_chatwidget_manual();
+    chat.handle_codex_event(Event {
+        id: "sub-1".into(),
+        msg: EventMsg::Warning(WarningEvent {
+            message: TEST_WARNING_MESSAGE.to_string(),
+        }),
+    });
+
+    let cells = drain_insert_history(&mut rx);
+    assert_eq!(cells.len(), 1, "expected one warning history cell");
+    let rendered = lines_to_single_string(&cells[0]);
+    assert!(
+        rendered.contains(TEST_WARNING_MESSAGE),
+        "warning cell missing content: {rendered}"
+    );
+}
+
 #[test]
 fn multiple_agent_messages_in_single_turn_emit_multiple_headers() {
    let (mut chat, mut rx, _op_rx) = make_chatwidget_manual();
--- a/codex-rs/tui/src/onboarding/auth.rs
+++ b/codex-rs/tui/src/onboarding/auth.rs
@@ -10,6 +10,7 @@ use codex_login::ShutdownHandle;
 use codex_login::run_login_server;
 use crossterm::event::KeyCode;
 use crossterm::event::KeyEvent;
+use crossterm::event::KeyEventKind;
 use crossterm::event::KeyModifiers;
 use ratatui::buffer::Buffer;
 use ratatui::layout::Constraint;
@@ -428,7 +429,9 @@ impl AuthModeWidget {
                        should_request_frame = true;
                    }
                    KeyCode::Char(c)
-                        if !key_event.modifiers.contains(KeyModifiers::CONTROL)
+                        if key_event.kind == KeyEventKind::Press
+                            && !key_event.modifiers.contains(KeyModifiers::SUPER)
+                            && !key_event.modifiers.contains(KeyModifiers::CONTROL)
                            && !key_event.modifiers.contains(KeyModifiers::ALT) =>
                    {
                        if state.prepopulated_from_env {
--- a/codex-rs/tui/src/resume_picker.rs
+++ b/codex-rs/tui/src/resume_picker.rs
@@ -989,7 +989,7 @@ mod tests {
                "type": "message",
                "role": "user",
                "content": [
-                    { "type": "input_text", "text": "<user_instructions>hi</user_instructions>" },
+                    { "type": "input_text", "text": "# AGENTS.md instructions for project\n\n<INSTRUCTIONS>\nhi\n</INSTRUCTIONS>" },
                ]
            }),
            json!({
--- a/codex-rs/tui/src/status/card.rs
+++ b/codex-rs/tui/src/status/card.rs
@@ -313,7 +313,9 @@ impl HistoryCell for StatusHistoryCell {

        let note_first_line = Line::from(vec![
            Span::from("Visit ").cyan(),
-            "chatgpt.com/codex/settings/usage".cyan().underlined(),
+            "https://chatgpt.com/codex/settings/usage"
+                .cyan()
+                .underlined(),
            Span::from(" for up-to-date").cyan(),
        ]);
        let note_second_line = Line::from(vec![
--- a/codex-rs/tui/src/status/snapshots/codex_tuistatustests__status_snapshot_includes_monthly_limit.snap
+++ b/codex-rs/tui/src/status/snapshots/codex_tuistatustests__status_snapshot_includes_monthly_limit.snap
@@ -7,7 +7,7 @@ expression: sanitized
 ╭────────────────────────────────────────────────────────────────────────────╮
 │  >_ OpenAI Codex (v0.0.0)                                                  │
 │                                                                            │
-│ Visit chatgpt.com/codex/settings/usage for up-to-date                      │
+│ Visit https://chatgpt.com/codex/settings/usage for up-to-date              │
 │ information on rate limits and credits                                     │
 │                                                                            │
 │  Model:            gpt-5-codex (reasoning none, summaries auto)            │
--- a/codex-rs/tui/src/status/snapshots/codex_tuistatustests__status_snapshot_includes_reasoning_details.snap
+++ b/codex-rs/tui/src/status/snapshots/codex_tuistatustests__status_snapshot_includes_reasoning_details.snap
@@ -7,7 +7,7 @@ expression: sanitized
 ╭─────────────────────────────────────────────────────────────────────╮
 │  >_ OpenAI Codex (v0.0.0)                                           │
 │                                                                     │
-│ Visit chatgpt.com/codex/settings/usage for up-to-date               │
+│ Visit https://chatgpt.com/codex/settings/usage for up-to-date       │
 │ information on rate limits and credits                              │
 │                                                                     │
 │  Model:            gpt-5-codex (reasoning high, summaries detailed) │
@@ -17,7 +17,7 @@ expression: sanitized
 │  Agents.md:        <none>                                           │
 │                                                                     │
 │  Token usage:      1.9K total  (1K input + 900 output)              │
-│  Context window:   100% left (2.1K used / 272K)                     │
+│  Context window:   100% left (2.25K used / 272K)                    │
 │  5h limit:         [███████████████░░░░░] 72% used (resets 03:14)   │
 │  Weekly limit:     [█████████░░░░░░░░░░░] 45% used (resets 03:24)   │
 ╰─────────────────────────────────────────────────────────────────────╯
--- a/codex-rs/tui/src/status/snapshots/codex_tuistatustests__status_snapshot_shows_empty_limits_message.snap
+++ b/codex-rs/tui/src/status/snapshots/codex_tuistatustests__status_snapshot_shows_empty_limits_message.snap
@@ -7,7 +7,7 @@ expression: sanitized
 ╭─────────────────────────────────────────────────────────────────╮
 │  >_ OpenAI Codex (v0.0.0)                                       │
 │                                                                 │
-│ Visit chatgpt.com/codex/settings/usage for up-to-date           │
+│ Visit https://chatgpt.com/codex/settings/usage for up-to-date   │
 │ information on rate limits and credits                          │
 │                                                                 │
 │  Model:            gpt-5-codex (reasoning none, summaries auto) │
--- a/codex-rs/tui/src/status/snapshots/codex_tuistatustests__status_snapshot_shows_missing_limits_message.snap
+++ b/codex-rs/tui/src/status/snapshots/codex_tuistatustests__status_snapshot_shows_missing_limits_message.snap
@@ -7,7 +7,7 @@ expression: sanitized
 ╭─────────────────────────────────────────────────────────────────╮
 │  >_ OpenAI Codex (v0.0.0)                                       │
 │                                                                 │
-│ Visit chatgpt.com/codex/settings/usage for up-to-date           │
+│ Visit https://chatgpt.com/codex/settings/usage for up-to-date   │
 │ information on rate limits and credits                          │
 │                                                                 │
 │  Model:            gpt-5-codex (reasoning none, summaries auto) │
--- a/codex-rs/tui/src/status/snapshots/codex_tuistatustests__status_snapshot_shows_stale_limits_message.snap
+++ b/codex-rs/tui/src/status/snapshots/codex_tuistatustests__status_snapshot_shows_stale_limits_message.snap
@@ -7,7 +7,7 @@ expression: sanitized
 ╭─────────────────────────────────────────────────────────────────────╮
 │  >_ OpenAI Codex (v0.0.0)                                           │
 │                                                                     │
-│ Visit chatgpt.com/codex/settings/usage for up-to-date               │
+│ Visit https://chatgpt.com/codex/settings/usage for up-to-date       │
 │ information on rate limits and credits                              │
 │                                                                     │
 │  Model:            gpt-5-codex (reasoning none, summaries auto)     │
@@ -17,7 +17,7 @@ expression: sanitized
 │  Agents.md:        <none>                                           │
 │                                                                     │
 │  Token usage:      1.9K total  (1K input + 900 output)              │
-│  Context window:   100% left (2.1K used / 272K)                     │
+│  Context window:   100% left (2.25K used / 272K)                    │
 │  5h limit:         [███████████████░░░░░] 72% used (resets 03:14)   │
 │  Weekly limit:     [████████░░░░░░░░░░░░] 40% used (resets 03:34)   │
 │  Warning:          limits may be stale - start new turn to refresh. │
--- a/codex-rs/tui/src/status/snapshots/codex_tuistatustests__status_snapshot_truncates_in_narrow_terminal.snap
+++ b/codex-rs/tui/src/status/snapshots/codex_tuistatustests__status_snapshot_truncates_in_narrow_terminal.snap
@@ -1,5 +1,6 @@
 ---
 source: tui/src/status/tests.rs
+assertion_line: 257
 expression: sanitized
 ---
 /status
@@ -7,8 +8,8 @@ expression: sanitized
 ╭────────────────────────────────────────────╮
 │  >_ OpenAI Codex (v0.0.0)                  │
 │                                            │
-│ Visit chatgpt.com/codex/settings/usage for │
-│ up-to-date                                 │
+│ Visit https://chatgpt.com/codex/settings/  │
+│ usage for up-to-date                       │
 │ information on rate limits and credits     │
 │                                            │
 │  Model:            gpt-5-codex (reasoning  │
@@ -18,7 +19,7 @@ expression: sanitized
 │  Agents.md:        <none>                  │
 │                                            │
 │  Token usage:      1.9K total  (1K input + │
-│  Context window:   100% left (2.1K used /  │
+│  Context window:   100% left (2.25K used / │
 │  5h limit:         [███████████████░░░░░]  │
 │                    (resets 03:14)          │
 ╰────────────────────────────────────────────╯
--- a/codex-rs/tui/src/terminal_palette.rs
+++ b/codex-rs/tui/src/terminal_palette.rs
@@ -50,6 +50,9 @@ pub fn default_bg() -> Option<(u8, u8, u8)> {
 #[cfg(all(unix, not(test)))]
 mod imp {
    use super::DefaultColors;
+    use crossterm::style::Color as CrosstermColor;
+    use crossterm::style::query_background_color;
+    use crossterm::style::query_foreground_color;
    use std::sync::Mutex;
    use std::sync::OnceLock;

@@ -105,128 +108,16 @@ mod imp {
    }

    fn query_default_colors() -> std::io::Result<Option<DefaultColors>> {
-        use std::fs::OpenOptions;
-        use std::io::ErrorKind;
-        use std::io::IsTerminal;
-        use std::io::Read;
-        use std::io::Write;
-        use std::os::fd::AsRawFd;
-        use std::time::Duration;
-        use std::time::Instant;
-
-        let mut stdout_handle = std::io::stdout();
-        if !stdout_handle.is_terminal() {
-            return Ok(None);
-        }
-
-        let mut tty = match OpenOptions::new().read(true).open("/dev/tty") {
-            Ok(file) => file,
-            Err(_) => return Ok(None),
-        };
-
-        let fd = tty.as_raw_fd();
-        unsafe {
-            let flags = libc::fcntl(fd, libc::F_GETFL);
-            if flags >= 0 {
-                libc::fcntl(fd, libc::F_SETFL, flags | libc::O_NONBLOCK);
-            }
-        }
-
-        stdout_handle.write_all(b"\x1b]10;?\x07\x1b]11;?\x07")?;
-        stdout_handle.flush()?;
-
-        let mut deadline = Instant::now() + Duration::from_millis(200);
-        let mut buffer = Vec::new();
-        let mut fg = None;
-        let mut bg = None;
-
-        while Instant::now() < deadline {
-            let mut chunk = [0u8; 128];
-            match tty.read(&mut chunk) {
-                Ok(0) => break,
-                Ok(n) => {
-                    deadline = Instant::now() + Duration::from_millis(200);
-                    buffer.extend_from_slice(&chunk[..n]);
-                    if fg.is_none() {
-                        fg = parse_osc_color(&buffer, 10);
-                    }
-                    if bg.is_none() {
-                        bg = parse_osc_color(&buffer, 11);
-                    }
-                    if let (Some(fg), Some(bg)) = (fg, bg) {
-                        return Ok(Some(DefaultColors { fg, bg }));
-                    }
-                }
-                Err(err) if err.kind() == ErrorKind::WouldBlock => {
-                    std::thread::sleep(Duration::from_millis(5));
-                }
-                Err(err) if err.kind() == ErrorKind::Interrupted => continue,
-                Err(_) => break,
-            }
-        }
-
-        if fg.is_none() {
-            fg = parse_osc_color(&buffer, 10);
-        }
-        if bg.is_none() {
-            bg = parse_osc_color(&buffer, 11);
-        }
-
+        let fg = query_foreground_color()?.and_then(color_to_tuple);
+        let bg = query_background_color()?.and_then(color_to_tuple);
        Ok(fg.zip(bg).map(|(fg, bg)| DefaultColors { fg, bg }))
    }

-    fn parse_component(component: &str) -> Option<u8> {
-        let trimmed = component.trim();
-        if trimmed.is_empty() {
-            return None;
+    fn color_to_tuple(color: CrosstermColor) -> Option<(u8, u8, u8)> {
+        match color {
+            CrosstermColor::Rgb { r, g, b } => Some((r, g, b)),
+            _ => None,
        }
-        let bits = trimmed.len().checked_mul(4)?;
-        if bits == 0 || bits > 64 {
-            return None;
-        }
-        let max = if bits == 64 {
-            u64::MAX
-        } else {
-            (1u64 << bits) - 1
-        };
-        let value = u64::from_str_radix(trimmed, 16).ok()?;
-        Some(((value * 255 + max / 2) / max) as u8)
-    }
-
-    fn parse_osc_color(buffer: &[u8], code: u8) -> Option<(u8, u8, u8)> {
-        let text = std::str::from_utf8(buffer).ok()?;
-        let prefix = match code {
-            10 => "\u{1b}]10;",
-            11 => "\u{1b}]11;",
-            _ => return None,
-        };
-        let start = text.rfind(prefix)?;
-        let after_prefix = &text[start + prefix.len()..];
-        let end_bel = after_prefix.find('\u{7}');
-        let end_st = after_prefix.find("\u{1b}\\");
-        let end_idx = match (end_bel, end_st) {
-            (Some(bel), Some(st)) => bel.min(st),
-            (Some(bel), None) => bel,
-            (None, Some(st)) => st,
-            (None, None) => return None,
-        };
-        let payload = after_prefix[..end_idx].trim();
-        parse_color_payload(payload)
-    }
-
-    fn parse_color_payload(payload: &str) -> Option<(u8, u8, u8)> {
-        if payload.is_empty() || payload == "?" {
-            return None;
-        }
-        let (model, values) = payload.split_once(':')?;
-        if model != "rgb" && model != "rgba" {
-            return None;
-        }
-        let mut parts = values.split('/');
-        let r = parse_component(parts.next()?)?;
-        let g = parse_component(parts.next()?)?;
-        let b = parse_component(parts.next()?)?;
-        Some((r, g, b))
    }
 }

--- a/docs/advanced.md
+++ b/docs/advanced.md
@@ -1,6 +1,6 @@
 ## Advanced

-If you already lean on Codex every day and just need a little more control, this page collects the knobs you are most likely to reach for: tweak defaults in [Config](./config.md), add extra tools through [Model Context Protocol support](./advanced.md#model-context-protocol), and script full runs with [`codex exec`](./exec.md). Jump to the section you need and keep building.
+If you already lean on Codex every day and just need a little more control, this page collects the knobs you are most likely to reach for: tweak defaults in [Config](./config.md), add extra tools through [Model Context Protocol support](#model-context-protocol), and script full runs with [`codex exec`](./exec.md). Jump to the section you need and keep building.

 ## Config quickstart {#config-quickstart}

--- a/docs/config.md
+++ b/docs/config.md
@@ -415,7 +415,7 @@ cwd = "/Users/<user>/code/my-server"

 ```toml
 [mcp_servers.figma]
-url = "https://mcp.linear.app/mcp"
+url = "https://mcp.figma.com/mcp"
 # Optional environment variable containing a bearer token to use for auth
 bearer_token_env_var = "ENV_VAR"
 # Optional map of headers with hard-coded values.
--- a/docs/contributing.md
+++ b/docs/contributing.md
@@ -12,7 +12,7 @@ If you want to add a new feature or change the behavior of an existing one, plea

 - Create a _topic branch_ from `main` - e.g. `feat/interactive-prompt`.
 - Keep your changes focused. Multiple unrelated fixes should be opened as separate PRs.
- Following the [development setup](#development-workflow) instructions above, ensure your change is free of lint warnings and test failures.
+- Ensure your change is free of lint warnings and test failures.

 ### Writing high-impact code changes

--- a/docs/slash_commands.md
+++ b/docs/slash_commands.md
@@ -0,0 +1,31 @@
+## Slash Commands
+
+### What are slash commands?
+
+Slash commands are special commands you can type that start with `/`.
+
+---
+
+### Built-in slash commands
+
+Control Codex’s behavior during an interactive session with slash commands.
+
+| Command      | Purpose                                                     |
+| ------------ | ----------------------------------------------------------- |
+| `/model`     | choose what model and reasoning effort to use               |
+| `/approvals` | choose what Codex can do without approval                   |
+| `/review`    | review my current changes and find issues                   |
+| `/new`       | start a new chat during a conversation                      |
+| `/init`      | create an AGENTS.md file with instructions for Codex        |
+| `/compact`   | summarize conversation to prevent hitting the context limit |
+| `/undo`      | ask Codex to undo a turn                                    |
+| `/diff`      | show git diff (including untracked files)                   |
+| `/mention`   | mention a file                                              |
+| `/status`    | show current session configuration and token usage          |
+| `/mcp`       | list configured MCP tools                                   |
+| `/logout`    | log out of Codex                                            |
+| `/quit`      | exit Codex                                                  |
+| `/exit`      | exit Codex                                                  |
+| `/feedback`  | send logs to maintainers                                    |
+
+---