fix(tui): allow clearing hidden github pr title item

Treat an empty `/title` confirmation as an intentional clear when `github-pr` is hidden because `gh` is unavailable. Preserve hidden title items only when visible selections remain.
fix(tui): allow clearing hidden github pr status item
2026-04-12 00:34:47 +00:00 · 2026-04-11 18:37:09 -03:00 · 2026-04-11 18:16:29 -03:00 · 2026-04-11 17:16:37 -03:00 · 2026-04-11 16:56:00 -03:00 · 2026-04-11 14:23:52 -03:00
486 changed files with 24435 additions and 4428 deletions
--- a/.devcontainer/Dockerfile.secure
+++ b/.devcontainer/Dockerfile.secure
@@ -0,0 +1,71 @@
+FROM mcr.microsoft.com/devcontainers/base:ubuntu-24.04
+
+ARG TZ
+ARG DEBIAN_FRONTEND=noninteractive
+ARG NODE_MAJOR=22
+ARG RUST_TOOLCHAIN=1.92.0
+ARG CODEX_NPM_VERSION=latest
+
+ENV TZ="$TZ"
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+        build-essential \
+        curl \
+        git \
+        ca-certificates \
+        pkg-config \
+        clang \
+        musl-tools \
+        libssl-dev \
+        libsqlite3-dev \
+        just \
+        python3 \
+        python3-pip \
+        jq \
+        less \
+        man-db \
+        unzip \
+        ripgrep \
+        fzf \
+        fd-find \
+        zsh \
+        dnsutils \
+        iproute2 \
+        ipset \
+        iptables \
+        aggregate \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN curl -fsSL "https://deb.nodesource.com/setup_${NODE_MAJOR}.x" | bash - \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends nodejs \
+    && npm install -g corepack@latest "@openai/codex@${CODEX_NPM_VERSION}" \
+    && corepack enable \
+    && corepack prepare pnpm@10.28.2 --activate \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY .devcontainer/init-firewall.sh /usr/local/bin/init-firewall.sh
+COPY .devcontainer/post_install.py /opt/post_install.py
+COPY .devcontainer/post-start.sh /opt/post_start.sh
+
+RUN chmod 500 /usr/local/bin/init-firewall.sh \
+    && chmod 755 /opt/post_start.sh \
+    && chmod 644 /opt/post_install.py \
+    && chown vscode:vscode /opt/post_install.py
+
+RUN install -d -m 0775 -o vscode -g vscode /commandhistory /workspace \
+    && touch /commandhistory/.bash_history /commandhistory/.zsh_history \
+    && chown vscode:vscode /commandhistory/.bash_history /commandhistory/.zsh_history
+
+USER vscode
+ENV PATH="/home/vscode/.cargo/bin:${PATH}"
+WORKDIR /workspace
+
+RUN curl -sSf https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain "${RUST_TOOLCHAIN}" \
+    && rustup component add clippy rustfmt rust-src \
+    && rustup target add x86_64-unknown-linux-musl aarch64-unknown-linux-musl
--- a/.devcontainer/README.md
+++ b/.devcontainer/README.md
@@ -1,10 +1,36 @@
 # Containerized Development

-We provide the following options to facilitate Codex development in a container. This is particularly useful for verifying the Linux build when working on a macOS host.
+We provide two container paths:
+
+- `devcontainer.json` keeps the existing Codex contributor setup for working on this repository.
+- `devcontainer.secure.json` adds a customer-oriented profile with stricter outbound network controls.
+
+## Codex contributor profile
+
+Use `devcontainer.json` when you are developing Codex itself. This is the same lightweight arm64 container that already exists in the repo.
+
+## Secure customer profile
+
+Use `devcontainer.secure.json` when you want a stricter runtime profile for running Codex inside a project container:
+
+- installs the Codex CLI plus common build tools
+- enables firewall startup with an allowlist-driven outbound policy
+- blocks IPv6 by default so the allowlist cannot be bypassed over AAAA routes
+- requires `NET_ADMIN` and `NET_RAW` so the firewall can be installed at startup
+
+This profile keeps the stricter networking isolated to the customer path instead of changing the default Codex contributor container.
+
+Start it from the CLI with:
+
+```bash
+devcontainer up --workspace-folder . --config .devcontainer/devcontainer.secure.json
+```
+
+In VS Code, choose **Dev Containers: Open Folder in Container...** and select `.devcontainer/devcontainer.secure.json`.

 ## Docker

-To build the Docker image locally for x64 and then run it with the repo mounted under `/workspace`:
+To build the contributor image locally for x64 and then run it with the repo mounted under `/workspace`:

 ```shell
 CODEX_DOCKER_IMAGE_NAME=codex-linux-dev
@@ -14,17 +40,6 @@ docker run --platform=linux/amd64 --rm -it -e CARGO_TARGET_DIR=/workspace/codex-

 Note that `/workspace/target` will contain the binaries built for your host platform, so we include `-e CARGO_TARGET_DIR=/workspace/codex-rs/target-amd64` in the `docker run` command so that the binaries built inside your container are written to a separate directory.

-For arm64, specify `--platform=linux/amd64` instead for both `docker build` and `docker run`.
+For arm64, specify `--platform=linux/arm64` instead for both `docker build` and `docker run`.

-Currently, the `Dockerfile` works for both x64 and arm64 Linux, though you need to run `rustup target add x86_64-unknown-linux-musl` yourself to install the musl toolchain for x64.
-
-## VS Code
-
-VS Code recognizes the `devcontainer.json` file and gives you the option to develop Codex in a container. Currently, `devcontainer.json` builds and runs the `arm64` flavor of the container.
-
-From the integrated terminal in VS Code, you can build either flavor of the `arm64` build (GNU or musl):
-
-```shell
-cargo build --target aarch64-unknown-linux-musl
-cargo build --target aarch64-unknown-linux-gnu
-```
+Currently, the contributor `Dockerfile` works for both x64 and arm64 Linux, though you need to run `rustup target add x86_64-unknown-linux-musl` yourself to install the musl toolchain for x64.
--- a/.devcontainer/devcontainer.secure.json
+++ b/.devcontainer/devcontainer.secure.json
@@ -0,0 +1,76 @@
+{
+  "$schema": "https://raw.githubusercontent.com/devcontainers/spec/main/schemas/devContainer.schema.json",
+  "name": "Codex (Secure)",
+  "build": {
+    "dockerfile": "Dockerfile.secure",
+    "context": "..",
+    "args": {
+      "TZ": "${localEnv:TZ:UTC}",
+      "NODE_MAJOR": "22",
+      "RUST_TOOLCHAIN": "1.92.0",
+      "CODEX_NPM_VERSION": "latest"
+    }
+  },
+  "runArgs": [
+    "--cap-add=NET_ADMIN",
+    "--cap-add=NET_RAW"
+  ],
+  "init": true,
+  "updateRemoteUserUID": true,
+  "remoteUser": "vscode",
+  "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=delegated",
+  "workspaceFolder": "/workspace",
+  "mounts": [
+    "source=codex-commandhistory-${devcontainerId},target=/commandhistory,type=volume",
+    "source=codex-home-${devcontainerId},target=/home/vscode/.codex,type=volume",
+    "source=codex-gh-${devcontainerId},target=/home/vscode/.config/gh,type=volume",
+    "source=codex-cargo-registry-${devcontainerId},target=/home/vscode/.cargo/registry,type=volume",
+    "source=codex-cargo-git-${devcontainerId},target=/home/vscode/.cargo/git,type=volume",
+    "source=codex-rustup-${devcontainerId},target=/home/vscode/.rustup,type=volume",
+    "source=${localEnv:HOME}/.gitconfig,target=/home/vscode/.gitconfig,type=bind,readonly"
+  ],
+  "containerEnv": {
+    "RUST_BACKTRACE": "1",
+    "CODEX_UNSAFE_ALLOW_NO_SANDBOX": "1",
+    "CODEX_ENABLE_FIREWALL": "1",
+    "CODEX_INCLUDE_GITHUB_META_RANGES": "1",
+    "OPENAI_ALLOWED_DOMAINS": "api.openai.com auth.openai.com github.com api.github.com codeload.github.com raw.githubusercontent.com objects.githubusercontent.com crates.io index.crates.io static.crates.io static.rust-lang.org registry.npmjs.org pypi.org files.pythonhosted.org",
+    "CARGO_TARGET_DIR": "/workspace/.cache/cargo-target",
+    "GIT_CONFIG_GLOBAL": "/home/vscode/.gitconfig.local",
+    "COREPACK_ENABLE_DOWNLOAD_PROMPT": "0",
+    "PYTHONDONTWRITEBYTECODE": "1",
+    "PIP_DISABLE_PIP_VERSION_CHECK": "1"
+  },
+  "remoteEnv": {
+    "OPENAI_API_KEY": "${localEnv:OPENAI_API_KEY}"
+  },
+  "postCreateCommand": "python3 /opt/post_install.py",
+  "postStartCommand": "bash /opt/post_start.sh",
+  "waitFor": "postStartCommand",
+  "customizations": {
+    "vscode": {
+      "settings": {
+        "terminal.integrated.defaultProfile.linux": "zsh",
+        "terminal.integrated.profiles.linux": {
+          "bash": {
+            "path": "bash",
+            "icon": "terminal-bash"
+          },
+          "zsh": {
+            "path": "zsh"
+          }
+        },
+        "files.trimTrailingWhitespace": true,
+        "files.insertFinalNewline": true,
+        "files.trimFinalNewlines": true
+      },
+      "extensions": [
+        "openai.chatgpt",
+        "rust-lang.rust-analyzer",
+        "tamasfe.even-better-toml",
+        "vadimcn.vscode-lldb",
+        "ms-azuretools.vscode-docker"
+      ]
+    }
+  }
+}
--- a/.devcontainer/init-firewall.sh
+++ b/.devcontainer/init-firewall.sh
@@ -0,0 +1,170 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+
+allowed_domains_file="/etc/codex/allowed_domains.txt"
+include_github_meta_ranges="${CODEX_INCLUDE_GITHUB_META_RANGES:-1}"
+
+if [ -f "$allowed_domains_file" ]; then
+  mapfile -t allowed_domains < <(sed '/^\s*#/d;/^\s*$/d' "$allowed_domains_file")
+else
+  allowed_domains=("api.openai.com")
+fi
+
+if [ "${#allowed_domains[@]}" -eq 0 ]; then
+  echo "ERROR: No allowed domains configured"
+  exit 1
+fi
+
+add_ipv4_cidr_to_allowlist() {
+  local source="$1"
+  local cidr="$2"
+
+  if [[ ! "$cidr" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$ ]]; then
+    echo "ERROR: Invalid ${source} CIDR range: $cidr"
+    exit 1
+  fi
+
+  ipset add allowed-domains "$cidr" -exist
+}
+
+configure_ipv6_default_deny() {
+  if ! command -v ip6tables >/dev/null 2>&1; then
+    echo "ERROR: ip6tables is required to enforce IPv6 default-deny policy"
+    exit 1
+  fi
+
+  ip6tables -F
+  ip6tables -X
+  ip6tables -t mangle -F
+  ip6tables -t mangle -X
+  ip6tables -t nat -F 2>/dev/null || true
+  ip6tables -t nat -X 2>/dev/null || true
+
+  ip6tables -A INPUT -i lo -j ACCEPT
+  ip6tables -A OUTPUT -o lo -j ACCEPT
+  ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+  ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+  ip6tables -P INPUT DROP
+  ip6tables -P FORWARD DROP
+  ip6tables -P OUTPUT DROP
+
+  echo "IPv6 firewall policy configured (default-deny)"
+}
+
+# Preserve docker-managed DNS NAT rules before clearing tables.
+docker_dns_rules="$(iptables-save -t nat | grep "127\\.0\\.0\\.11" || true)"
+
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+ipset destroy allowed-domains 2>/dev/null || true
+
+if [ -n "$docker_dns_rules" ]; then
+  echo "Restoring Docker DNS NAT rules"
+  iptables -t nat -N DOCKER_OUTPUT 2>/dev/null || true
+  iptables -t nat -N DOCKER_POSTROUTING 2>/dev/null || true
+  while IFS= read -r rule; do
+    [ -z "$rule" ] && continue
+    iptables -t nat $rule
+  done <<< "$docker_dns_rules"
+fi
+
+# Allow DNS resolution and localhost communication.
+iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
+iptables -A INPUT -p udp --sport 53 -j ACCEPT
+iptables -A INPUT -p tcp --sport 53 -j ACCEPT
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+
+ipset create allowed-domains hash:net
+
+for domain in "${allowed_domains[@]}"; do
+  echo "Resolving $domain"
+  ips="$(dig +short A "$domain" | sed '/^\s*$/d')"
+  if [ -z "$ips" ]; then
+    echo "ERROR: Failed to resolve $domain"
+    exit 1
+  fi
+
+  while IFS= read -r ip; do
+    if [[ ! "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
+      echo "ERROR: Invalid IPv4 address from DNS for $domain: $ip"
+      exit 1
+    fi
+    ipset add allowed-domains "$ip" -exist
+  done <<< "$ips"
+done
+
+if [ "$include_github_meta_ranges" = "1" ]; then
+  echo "Fetching GitHub meta ranges"
+  github_meta="$(curl -fsSL --connect-timeout 10 https://api.github.com/meta)"
+
+  if ! echo "$github_meta" | jq -e '.web and .api and .git' >/dev/null; then
+    echo "ERROR: GitHub meta response missing expected fields"
+    exit 1
+  fi
+
+  while IFS= read -r cidr; do
+    [ -z "$cidr" ] && continue
+    if [[ "$cidr" == *:* ]]; then
+      # Current policy enforces IPv4-only ipset entries.
+      continue
+    fi
+    add_ipv4_cidr_to_allowlist "GitHub" "$cidr"
+  done < <(echo "$github_meta" | jq -r '((.web // []) + (.api // []) + (.git // []))[]' | sort -u)
+fi
+
+host_ip="$(ip route | awk '/default/ {print $3; exit}')"
+if [ -z "$host_ip" ]; then
+  echo "ERROR: Failed to detect host IP"
+  exit 1
+fi
+
+host_network="$(echo "$host_ip" | sed 's/\.[0-9]*$/.0\/24/')"
+iptables -A INPUT -s "$host_network" -j ACCEPT
+iptables -A OUTPUT -d "$host_network" -j ACCEPT
+
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
+
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -m set --match-set allowed-domains dst -j ACCEPT
+
+# Reject rather than silently drop to make policy failures obvious.
+iptables -A INPUT -j REJECT --reject-with icmp-admin-prohibited
+iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
+iptables -A FORWARD -j REJECT --reject-with icmp-admin-prohibited
+
+configure_ipv6_default_deny
+
+echo "Firewall configuration complete"
+
+if curl --connect-timeout 5 https://example.com >/dev/null 2>&1; then
+  echo "ERROR: Firewall verification failed - was able to reach https://example.com"
+  exit 1
+fi
+
+if ! curl --connect-timeout 5 https://api.openai.com >/dev/null 2>&1; then
+  echo "ERROR: Firewall verification failed - unable to reach https://api.openai.com"
+  exit 1
+fi
+
+if [ "$include_github_meta_ranges" = "1" ] && ! curl --connect-timeout 5 https://api.github.com/zen >/dev/null 2>&1; then
+  echo "ERROR: Firewall verification failed - unable to reach https://api.github.com"
+  exit 1
+fi
+
+if curl --connect-timeout 5 -6 https://example.com >/dev/null 2>&1; then
+  echo "ERROR: Firewall verification failed - was able to reach https://example.com over IPv6"
+  exit 1
+fi
+
+echo "Firewall verification passed"
--- a/.devcontainer/post-start.sh
+++ b/.devcontainer/post-start.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ "${CODEX_ENABLE_FIREWALL:-1}" != "1" ]; then
+  echo "[devcontainer] Firewall mode: permissive (CODEX_ENABLE_FIREWALL=${CODEX_ENABLE_FIREWALL:-unset})."
+  exit 0
+fi
+
+echo "[devcontainer] Firewall mode: strict"
+
+domains_raw="${OPENAI_ALLOWED_DOMAINS:-api.openai.com}"
+mapfile -t domains < <(printf '%s\n' "$domains_raw" | tr ', ' '\n\n' | sed '/^$/d' | sort -u)
+
+if [ "${#domains[@]}" -eq 0 ]; then
+  echo "[devcontainer] No allowed domains configured."
+  exit 1
+fi
+
+tmp_file="$(mktemp)"
+for domain in "${domains[@]}"; do
+  if [[ ! "$domain" =~ ^[a-zA-Z0-9][a-zA-Z0-9.-]*\.[a-zA-Z]{2,}$ ]]; then
+    echo "[devcontainer] Invalid domain in OPENAI_ALLOWED_DOMAINS: $domain"
+    rm -f "$tmp_file"
+    exit 1
+  fi
+  printf '%s\n' "$domain" >> "$tmp_file"
+done
+
+sudo install -d -m 0755 /etc/codex
+sudo cp "$tmp_file" /etc/codex/allowed_domains.txt
+sudo chown root:root /etc/codex/allowed_domains.txt
+sudo chmod 0444 /etc/codex/allowed_domains.txt
+rm -f "$tmp_file"
+
+echo "[devcontainer] Applying firewall policy for domains: ${domains[*]}"
+sudo --preserve-env=CODEX_INCLUDE_GITHUB_META_RANGES /usr/local/bin/init-firewall.sh
--- a/.devcontainer/post_install.py
+++ b/.devcontainer/post_install.py
@@ -0,0 +1,113 @@
+#!/usr/bin/env python3
+"""Post-install configuration for the Codex devcontainer."""
+
+from __future__ import annotations
+
+import os
+import subprocess
+import sys
+from pathlib import Path
+
+
+def ensure_history_files() -> None:
+    command_history_dir = Path("/commandhistory")
+    command_history_dir.mkdir(parents=True, exist_ok=True)
+
+    for filename in (".bash_history", ".zsh_history"):
+        (command_history_dir / filename).touch(exist_ok=True)
+
+
+def fix_directory_ownership() -> None:
+    uid = os.getuid()
+    gid = os.getgid()
+
+    paths = [
+        Path.home() / ".codex",
+        Path.home() / ".config" / "gh",
+        Path.home() / ".cargo",
+        Path.home() / ".rustup",
+        Path("/commandhistory"),
+    ]
+
+    for path in paths:
+        if not path.exists():
+            continue
+
+        stat_info = path.stat()
+        if stat_info.st_uid == uid and stat_info.st_gid == gid:
+            continue
+
+        try:
+            subprocess.run(
+                ["sudo", "chown", "-R", f"{uid}:{gid}", str(path)],
+                check=True,
+                capture_output=True,
+                text=True,
+            )
+            print(f"[post_install] fixed ownership: {path}", file=sys.stderr)
+        except subprocess.CalledProcessError as err:
+            print(
+                f"[post_install] warning: could not fix ownership of {path}: {err.stderr.strip()}",
+                file=sys.stderr,
+            )
+
+
+def setup_git_config() -> None:
+    home = Path.home()
+    host_gitconfig = home / ".gitconfig"
+    local_gitconfig = home / ".gitconfig.local"
+    gitignore_global = home / ".gitignore_global"
+
+    gitignore_global.write_text(
+        """# Codex
+.codex/
+
+# Rust
+/target/
+
+# Node
+node_modules/
+
+# Python
+__pycache__/
+*.pyc
+
+# Editors
+.vscode/
+.idea/
+
+# macOS
+.DS_Store
+""",
+        encoding="utf-8",
+    )
+
+    include_line = (
+        f"[include]\n    path = {host_gitconfig}\n\n" if host_gitconfig.exists() else ""
+    )
+
+    local_gitconfig.write_text(
+        f"""# Container-local git configuration
+{include_line}[core]
+    excludesfile = {gitignore_global}
+
+[merge]
+    conflictstyle = diff3
+
+[diff]
+    colorMoved = default
+""",
+        encoding="utf-8",
+    )
+
+
+def main() -> None:
+    print("[post_install] configuring devcontainer...", file=sys.stderr)
+    ensure_history_files()
+    fix_directory_ownership()
+    setup_git_config()
+    print("[post_install] complete", file=sys.stderr)
+
+
+if __name__ == "__main__":
+    main()
--- a/.github/scripts/verify_tui_core_boundary.py
+++ b/.github/scripts/verify_tui_core_boundary.py
@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+
+"""Verify codex-tui does not depend on or import codex-core directly."""
+
+from __future__ import annotations
+
+import re
+import sys
+import tomllib
+from pathlib import Path
+
+
+ROOT = Path(__file__).resolve().parents[2]
+TUI_ROOT = ROOT / "codex-rs" / "tui"
+TUI_MANIFEST = TUI_ROOT / "Cargo.toml"
+FORBIDDEN_PACKAGE = "codex-core"
+FORBIDDEN_SOURCE_PATTERNS = (
+    re.compile(r"\bcodex_core::"),
+    re.compile(r"\buse\s+codex_core\b"),
+    re.compile(r"\bextern\s+crate\s+codex_core\b"),
+)
+
+
+def main() -> int:
+    failures = []
+    failures.extend(manifest_failures())
+    failures.extend(source_failures())
+
+    if not failures:
+        return 0
+
+    print("codex-tui must not depend on or import codex-core directly.")
+    print(
+        "Use the app-server protocol/client boundary instead; temporary embedded "
+        "startup gaps belong behind codex_app_server_client::legacy_core."
+    )
+    print()
+    for failure in failures:
+        print(f"- {failure}")
+
+    return 1
+
+
+def manifest_failures() -> list[str]:
+    manifest = tomllib.loads(TUI_MANIFEST.read_text())
+    failures = []
+    for section_name, dependencies in dependency_sections(manifest):
+        if FORBIDDEN_PACKAGE in dependencies:
+            failures.append(
+                f"{relative_path(TUI_MANIFEST)} declares `{FORBIDDEN_PACKAGE}` "
+                f"in `[{section_name}]`"
+            )
+    return failures
+
+
+def dependency_sections(manifest: dict) -> list[tuple[str, dict]]:
+    sections: list[tuple[str, dict]] = []
+    for section_name in ("dependencies", "dev-dependencies", "build-dependencies"):
+        dependencies = manifest.get(section_name)
+        if isinstance(dependencies, dict):
+            sections.append((section_name, dependencies))
+
+    for target_name, target in manifest.get("target", {}).items():
+        if not isinstance(target, dict):
+            continue
+        for section_name in ("dependencies", "dev-dependencies", "build-dependencies"):
+            dependencies = target.get(section_name)
+            if isinstance(dependencies, dict):
+                sections.append((f'target.{target_name}.{section_name}', dependencies))
+
+    return sections
+
+
+def source_failures() -> list[str]:
+    failures = []
+    for path in sorted(TUI_ROOT.glob("**/*.rs")):
+        text = path.read_text()
+        for line_number, line in enumerate(text.splitlines(), start=1):
+            if any(pattern.search(line) for pattern in FORBIDDEN_SOURCE_PATTERNS):
+                failures.append(f"{relative_path(path)}:{line_number} imports `codex_core`")
+    return failures
+
+
+def relative_path(path: Path) -> str:
+    return str(path.relative_to(ROOT))
+
+
+if __name__ == "__main__":
+    sys.exit(main())
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,6 +17,9 @@ jobs:
      - name: Verify codex-rs Cargo manifests inherit workspace settings
        run: python3 .github/scripts/verify_cargo_workspace_manifests.py

+      - name: Verify codex-tui does not import codex-core directly
+        run: python3 .github/scripts/verify_tui_core_boundary.py
+
      - name: Verify Bazel clippy flags match Cargo workspace lints
        run: python3 .github/scripts/verify_bazel_clippy_lints.py

--- a/AGENTS.md
+++ b/AGENTS.md
@@ -23,6 +23,7 @@ In the codex-rs folder where the rust code lives:
 - When making a change that adds or changes an API, ensure that the documentation in the `docs/` folder is up to date if applicable.
 - Prefer private modules and explicitly exported public crate API.
 - If you change `ConfigToml` or nested config types, run `just write-config-schema` to update `codex-rs/core/config.schema.json`.
+- When working with MCP tool calls, prefer using `codex-rs/codex-mcp/src/mcp_connection_manager.rs` to handle mutation of tools and tool calls. Aim to minimize the footprint of changes and leverage existing abstractions rather than plumbing code through multiple levels of function calls.
 - If you change Rust dependencies (`Cargo.toml` or `Cargo.lock`), run `just bazel-lock-update` from the
  repo root to refresh `MODULE.bazel.lock`, and include that lockfile update in the same change.
 - After dependency changes, run `just bazel-lock-check` from the repo root so lockfile drift is caught
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -40,9 +40,17 @@ osx.frameworks(names = [
    "ColorSync",
    "CoreFoundation",
    "CoreGraphics",
+    "CoreImage",
+    "CoreMedia",
+    "CoreMIDI",
    "CoreServices",
    "CoreText",
+    "CoreVideo",
+    "DiskArbitration",
    "AudioToolbox",
+    "AVFoundation",
+    "AVFAudio",
+    "AVRouting",
    "CFNetwork",
    "FontServices",
    "AudioUnit",
@@ -50,11 +58,19 @@ osx.frameworks(names = [
    "CoreAudioTypes",
    "Foundation",
    "ImageIO",
+    "IOSurface",
    "IOKit",
    "Kernel",
+    "Metal",
+    "MetalKit",
+    "OpenGL",
    "OSLog",
+    "QuartzCore",
+    "ScreenCaptureKit",
    "Security",
    "SystemConfiguration",
+    "UniformTypeIdentifiers",
+    "VideoToolbox",
 ])
 use_repo(osx, "macos_sdk")

@@ -345,6 +361,23 @@ crate.annotation(

 inject_repo(crate, "llvm", "llvm-project", "macos_sdk")

+crate.annotation(
+    # Provide the hermetic SDK path so the build script doesn't try to invoke an unavailable `xcrun --show-sdk-path`.
+    build_script_data = [
+        "@macos_sdk//sysroot",
+    ],
+    build_script_env = {
+        "WEBRTC_SYS_DARWIN_SDK_PATH": "$(location @macos_sdk//sysroot)",
+        "WEBRTC_SYS_LINK_OUT_DIR": "1",
+    },
+    crate = "webrtc-sys",
+    gen_build_script = "on",
+    patch_args = ["-p1"],
+    patches = [
+        "//patches:webrtc-sys_hermetic_darwin_sysroot.patch",
+    ],
+)
+
 # Fix readme inclusions
 crate.annotation(
    crate = "windows-link",
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -1414,6 +1414,7 @@ dependencies = [
 "reqwest",
 "serde",
 "serde_json",
+ "tempfile",
 "thiserror 2.0.18",
 "tokio",
 "tokio-test",
@@ -1508,6 +1509,7 @@ dependencies = [
 "codex-exec-server",
 "codex-feedback",
 "codex-protocol",
+ "codex-utils-rustls-provider",
 "futures",
 "pretty_assertions",
 "serde",
@@ -1676,6 +1678,7 @@ dependencies = [
 "codex-config",
 "codex-core",
 "codex-exec",
+ "codex-exec-server",
 "codex-execpolicy",
 "codex-features",
 "codex-login",
@@ -1994,6 +1997,7 @@ dependencies = [
 "uuid",
 "walkdir",
 "which 8.0.0",
+ "whoami",
 "windows-sys 0.52.0",
 "wiremock",
 "zip 2.4.2",
@@ -2109,6 +2113,7 @@ dependencies = [
 "tokio",
 "tokio-tungstenite",
 "tracing",
+ "uuid",
 ]

 [[package]]
@@ -2840,7 +2845,6 @@ dependencies = [
 "codex-cli",
 "codex-cloud-requirements",
 "codex-config",
- "codex-core",
 "codex-exec-server",
 "codex-features",
 "codex-feedback",
@@ -2926,6 +2930,7 @@ name = "codex-utils-absolute-path"
 version = "0.0.0"
 dependencies = [
 "dirs",
+ "dunce",
 "pretty_assertions",
 "schemars 0.8.22",
 "serde",
@@ -11762,6 +11767,7 @@ checksum = "5d4a4db5077702ca3015d3d02d74974948aba2ad9e12ab7df718ee64ccd7e97d"
 dependencies = [
 "libredox",
 "wasite",
+ "web-sys",
 ]

 [[package]]
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -352,6 +352,7 @@ vt100 = "0.16.2"
 walkdir = "2.5.0"
 webbrowser = "1.0"
 which = "8"
+whoami = "1.6.1"
 wildmatch = "2.6.1"
 zip = "2.4.2"
 zstd = "0.13"
--- a/codex-rs/analytics/Cargo.toml
+++ b/codex-rs/analytics/Cargo.toml
@@ -20,6 +20,7 @@ codex-plugin = { workspace = true }
 codex-protocol = { workspace = true }
 os_info = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
+serde_json = { workspace = true }
 sha1 = { workspace = true }
 tokio = { workspace = true, features = [
    "macros",
@@ -29,4 +30,3 @@ tracing = { workspace = true, features = ["log"] }

 [dev-dependencies]
 pretty_assertions = { workspace = true }
-serde_json = { workspace = true }
--- a/codex-rs/analytics/src/analytics_client_tests.rs
+++ b/codex-rs/analytics/src/analytics_client_tests.rs
@@ -3,6 +3,7 @@ use crate::events::AppServerRpcTransport;
 use crate::events::CodexAppMentionedEventRequest;
 use crate::events::CodexAppServerClientMetadata;
 use crate::events::CodexAppUsedEventRequest;
+use crate::events::CodexCompactionEventRequest;
 use crate::events::CodexPluginEventRequest;
 use crate::events::CodexPluginUsedEventRequest;
 use crate::events::CodexRuntimeMetadata;
@@ -18,6 +19,13 @@ use crate::facts::AnalyticsFact;
 use crate::facts::AppInvocation;
 use crate::facts::AppMentionedInput;
 use crate::facts::AppUsedInput;
+use crate::facts::CodexCompactionEvent;
+use crate::facts::CompactionImplementation;
+use crate::facts::CompactionPhase;
+use crate::facts::CompactionReason;
+use crate::facts::CompactionStatus;
+use crate::facts::CompactionStrategy;
+use crate::facts::CompactionTrigger;
 use crate::facts::CustomAnalyticsFact;
 use crate::facts::InvocationType;
 use crate::facts::PluginState;
@@ -59,6 +67,14 @@ use std::sync::Mutex;
 use tokio::sync::mpsc;

 fn sample_thread(thread_id: &str, ephemeral: bool) -> Thread {
+    sample_thread_with_source(thread_id, ephemeral, AppServerSessionSource::Exec)
+}
+
+fn sample_thread_with_source(
+    thread_id: &str,
+    ephemeral: bool,
+    source: AppServerSessionSource,
+) -> Thread {
    Thread {
        id: thread_id.to_string(),
        forked_from_id: None,
@@ -71,7 +87,7 @@ fn sample_thread(thread_id: &str, ephemeral: bool) -> Thread {
        path: None,
        cwd: PathBuf::from("/tmp"),
        cli_version: "0.0.0".to_string(),
-        source: AppServerSessionSource::Exec,
+        source,
        agent_nickname: None,
        agent_role: None,
        git_info: None,
@@ -97,11 +113,44 @@ fn sample_thread_start_response(thread_id: &str, ephemeral: bool, model: &str) -
    }
 }

+fn sample_app_server_client_metadata() -> CodexAppServerClientMetadata {
+    CodexAppServerClientMetadata {
+        product_client_id: DEFAULT_ORIGINATOR.to_string(),
+        client_name: Some("codex-tui".to_string()),
+        client_version: Some("1.0.0".to_string()),
+        rpc_transport: AppServerRpcTransport::Stdio,
+        experimental_api_enabled: Some(true),
+    }
+}
+
+fn sample_runtime_metadata() -> CodexRuntimeMetadata {
+    CodexRuntimeMetadata {
+        codex_rs_version: "0.1.0".to_string(),
+        runtime_os: "macos".to_string(),
+        runtime_os_version: "15.3.1".to_string(),
+        runtime_arch: "aarch64".to_string(),
+    }
+}
+
 fn sample_thread_resume_response(thread_id: &str, ephemeral: bool, model: &str) -> ClientResponse {
+    sample_thread_resume_response_with_source(
+        thread_id,
+        ephemeral,
+        model,
+        AppServerSessionSource::Exec,
+    )
+}
+
+fn sample_thread_resume_response_with_source(
+    thread_id: &str,
+    ephemeral: bool,
+    model: &str,
+    source: AppServerSessionSource,
+) -> ClientResponse {
    ClientResponse::ThreadResume {
        request_id: RequestId::Integer(2),
        response: ThreadResumeResponse {
-            thread: sample_thread(thread_id, ephemeral),
+            thread: sample_thread_with_source(thread_id, ephemeral, source),
            model: model.to_string(),
            model_provider: "openai".to_string(),
            service_tier: None,
@@ -254,6 +303,77 @@ fn app_used_event_serializes_expected_shape() {
    );
 }

+#[test]
+fn compaction_event_serializes_expected_shape() {
+    let event = TrackEventRequest::Compaction(Box::new(CodexCompactionEventRequest {
+        event_type: "codex_compaction_event",
+        event_params: crate::events::codex_compaction_event_params(
+            CodexCompactionEvent {
+                thread_id: "thread-1".to_string(),
+                turn_id: "turn-1".to_string(),
+                trigger: CompactionTrigger::Auto,
+                reason: CompactionReason::ContextLimit,
+                implementation: CompactionImplementation::ResponsesCompact,
+                phase: CompactionPhase::MidTurn,
+                strategy: CompactionStrategy::Memento,
+                status: CompactionStatus::Completed,
+                error: None,
+                active_context_tokens_before: 120_000,
+                active_context_tokens_after: 18_000,
+                started_at: 100,
+                completed_at: 106,
+                duration_ms: Some(6543),
+            },
+            sample_app_server_client_metadata(),
+            sample_runtime_metadata(),
+            Some("user"),
+            /*subagent_source*/ None,
+            /*parent_thread_id*/ None,
+        ),
+    }));
+
+    let payload = serde_json::to_value(&event).expect("serialize compaction event");
+
+    assert_eq!(
+        payload,
+        json!({
+            "event_type": "codex_compaction_event",
+            "event_params": {
+                "thread_id": "thread-1",
+                "turn_id": "turn-1",
+                "app_server_client": {
+                    "product_client_id": DEFAULT_ORIGINATOR,
+                    "client_name": "codex-tui",
+                    "client_version": "1.0.0",
+                    "rpc_transport": "stdio",
+                    "experimental_api_enabled": true
+                },
+                "runtime": {
+                    "codex_rs_version": "0.1.0",
+                    "runtime_os": "macos",
+                    "runtime_os_version": "15.3.1",
+                    "runtime_arch": "aarch64"
+                },
+                "thread_source": "user",
+                "subagent_source": null,
+                "parent_thread_id": null,
+                "trigger": "auto",
+                "reason": "context_limit",
+                "implementation": "responses_compact",
+                "phase": "mid_turn",
+                "strategy": "memento",
+                "status": "completed",
+                "error": null,
+                "active_context_tokens_before": 120000,
+                "active_context_tokens_after": 18000,
+                "started_at": 100,
+                "completed_at": 106,
+                "duration_ms": 6543
+            }
+        })
+    );
+}
+
 #[test]
 fn app_used_dedupe_is_keyed_by_turn_and_connector() {
    let (sender, _receiver) = mpsc::channel(1);
@@ -449,11 +569,126 @@ async fn initialize_caches_client_and_thread_lifecycle_publishes_once_initialize
    assert_eq!(payload[0]["event_params"]["parent_thread_id"], json!(null));
 }

+#[tokio::test]
+async fn compaction_event_ingests_custom_fact() {
+    let mut reducer = AnalyticsReducer::default();
+    let mut events = Vec::new();
+    let parent_thread_id =
+        codex_protocol::ThreadId::from_string("22222222-2222-2222-2222-222222222222")
+            .expect("valid parent thread id");
+
+    reducer
+        .ingest(
+            AnalyticsFact::Initialize {
+                connection_id: 7,
+                params: InitializeParams {
+                    client_info: ClientInfo {
+                        name: "codex-tui".to_string(),
+                        title: None,
+                        version: "1.0.0".to_string(),
+                    },
+                    capabilities: Some(InitializeCapabilities {
+                        experimental_api: false,
+                        opt_out_notification_methods: None,
+                    }),
+                },
+                product_client_id: DEFAULT_ORIGINATOR.to_string(),
+                runtime: sample_runtime_metadata(),
+                rpc_transport: AppServerRpcTransport::Websocket,
+            },
+            &mut events,
+        )
+        .await;
+    reducer
+        .ingest(
+            AnalyticsFact::Response {
+                connection_id: 7,
+                response: Box::new(sample_thread_resume_response_with_source(
+                    "thread-1",
+                    /*ephemeral*/ false,
+                    "gpt-5",
+                    AppServerSessionSource::SubAgent(SubAgentSource::ThreadSpawn {
+                        parent_thread_id,
+                        depth: 1,
+                        agent_path: None,
+                        agent_nickname: None,
+                        agent_role: None,
+                    }),
+                )),
+            },
+            &mut events,
+        )
+        .await;
+    events.clear();
+
+    reducer
+        .ingest(
+            AnalyticsFact::Custom(CustomAnalyticsFact::Compaction(Box::new(
+                CodexCompactionEvent {
+                    thread_id: "thread-1".to_string(),
+                    turn_id: "turn-compact".to_string(),
+                    trigger: CompactionTrigger::Manual,
+                    reason: CompactionReason::UserRequested,
+                    implementation: CompactionImplementation::Responses,
+                    phase: CompactionPhase::StandaloneTurn,
+                    strategy: CompactionStrategy::Memento,
+                    status: CompactionStatus::Failed,
+                    error: Some("context limit exceeded".to_string()),
+                    active_context_tokens_before: 131_000,
+                    active_context_tokens_after: 131_000,
+                    started_at: 100,
+                    completed_at: 101,
+                    duration_ms: Some(1200),
+                },
+            ))),
+            &mut events,
+        )
+        .await;
+
+    let payload = serde_json::to_value(&events).expect("serialize events");
+    assert_eq!(payload.as_array().expect("events array").len(), 1);
+    assert_eq!(payload[0]["event_type"], "codex_compaction_event");
+    assert_eq!(payload[0]["event_params"]["thread_id"], "thread-1");
+    assert_eq!(payload[0]["event_params"]["turn_id"], "turn-compact");
+    assert_eq!(
+        payload[0]["event_params"]["app_server_client"]["product_client_id"],
+        DEFAULT_ORIGINATOR
+    );
+    assert_eq!(
+        payload[0]["event_params"]["app_server_client"]["client_name"],
+        "codex-tui"
+    );
+    assert_eq!(
+        payload[0]["event_params"]["app_server_client"]["rpc_transport"],
+        "websocket"
+    );
+    assert_eq!(
+        payload[0]["event_params"]["runtime"]["codex_rs_version"],
+        "0.1.0"
+    );
+    assert_eq!(payload[0]["event_params"]["thread_source"], "subagent");
+    assert_eq!(
+        payload[0]["event_params"]["subagent_source"],
+        "thread_spawn"
+    );
+    assert_eq!(
+        payload[0]["event_params"]["parent_thread_id"],
+        "22222222-2222-2222-2222-222222222222"
+    );
+    assert_eq!(payload[0]["event_params"]["trigger"], "manual");
+    assert_eq!(payload[0]["event_params"]["reason"], "user_requested");
+    assert_eq!(payload[0]["event_params"]["implementation"], "responses");
+    assert_eq!(payload[0]["event_params"]["phase"], "standalone_turn");
+    assert_eq!(payload[0]["event_params"]["strategy"], "memento");
+    assert_eq!(payload[0]["event_params"]["status"], "failed");
+}
+
 #[test]
 fn subagent_thread_started_review_serializes_expected_shape() {
    let event = TrackEventRequest::ThreadInitialized(subagent_thread_started_event_request(
        SubAgentThreadStartedInput {
            thread_id: "thread-review".to_string(),
+            parent_thread_id: None,
            product_client_id: "codex-tui".to_string(),
            client_name: "codex-tui".to_string(),
            client_version: "1.0.0".to_string(),
@@ -496,6 +731,7 @@ fn subagent_thread_started_thread_spawn_serializes_parent_thread_id() {
    let event = TrackEventRequest::ThreadInitialized(subagent_thread_started_event_request(
        SubAgentThreadStartedInput {
            thread_id: "thread-spawn".to_string(),
+            parent_thread_id: None,
            product_client_id: "codex-tui".to_string(),
            client_name: "codex-tui".to_string(),
            client_version: "1.0.0".to_string(),
@@ -526,6 +762,7 @@ fn subagent_thread_started_memory_consolidation_serializes_expected_shape() {
    let event = TrackEventRequest::ThreadInitialized(subagent_thread_started_event_request(
        SubAgentThreadStartedInput {
            thread_id: "thread-memory".to_string(),
+            parent_thread_id: None,
            product_client_id: "codex-tui".to_string(),
            client_name: "codex-tui".to_string(),
            client_version: "1.0.0".to_string(),
@@ -550,6 +787,7 @@ fn subagent_thread_started_other_serializes_expected_shape() {
    let event = TrackEventRequest::ThreadInitialized(subagent_thread_started_event_request(
        SubAgentThreadStartedInput {
            thread_id: "thread-guardian".to_string(),
+            parent_thread_id: None,
            product_client_id: "codex-tui".to_string(),
            client_name: "codex-tui".to_string(),
            client_version: "1.0.0".to_string(),
@@ -562,6 +800,31 @@ fn subagent_thread_started_other_serializes_expected_shape() {

    let payload = serde_json::to_value(&event).expect("serialize other subagent event");
    assert_eq!(payload["event_params"]["subagent_source"], "guardian");
+    assert_eq!(payload["event_params"]["parent_thread_id"], json!(null));
+}
+
+#[test]
+fn subagent_thread_started_other_serializes_explicit_parent_thread_id() {
+    let event = TrackEventRequest::ThreadInitialized(subagent_thread_started_event_request(
+        SubAgentThreadStartedInput {
+            thread_id: "thread-guardian".to_string(),
+            parent_thread_id: Some("parent-thread-guardian".to_string()),
+            product_client_id: "codex-tui".to_string(),
+            client_name: "codex-tui".to_string(),
+            client_version: "1.0.0".to_string(),
+            model: "gpt-5".to_string(),
+            ephemeral: false,
+            subagent_source: SubAgentSource::Other("guardian".to_string()),
+            created_at: 126,
+        },
+    ));
+
+    let payload = serde_json::to_value(&event).expect("serialize guardian subagent event");
+    assert_eq!(payload["event_params"]["subagent_source"], "guardian");
+    assert_eq!(
+        payload["event_params"]["parent_thread_id"],
+        "parent-thread-guardian"
+    );
 }

 #[tokio::test]
@@ -574,6 +837,7 @@ async fn subagent_thread_started_publishes_without_initialize() {
            AnalyticsFact::Custom(CustomAnalyticsFact::SubAgentThreadStarted(
                SubAgentThreadStartedInput {
                    thread_id: "thread-review".to_string(),
+                    parent_thread_id: None,
                    product_client_id: "codex-tui".to_string(),
                    client_name: "codex-tui".to_string(),
                    client_version: "1.0.0".to_string(),
--- a/codex-rs/analytics/src/client.rs
+++ b/codex-rs/analytics/src/client.rs
@@ -1,4 +1,5 @@
 use crate::events::AppServerRpcTransport;
+use crate::events::GuardianReviewEventParams;
 use crate::events::TrackEventRequest;
 use crate::events::TrackEventsRequest;
 use crate::events::current_runtime_metadata;
@@ -151,6 +152,12 @@ impl AnalyticsEventsClient {
        ));
    }

+    pub fn track_guardian_review(&self, input: GuardianReviewEventParams) {
+        self.record_fact(AnalyticsFact::Custom(CustomAnalyticsFact::GuardianReview(
+            Box::new(input),
+        )));
+    }
+
    pub fn track_app_mentioned(&self, tracking: TrackEventsContext, mentions: Vec<AppInvocation>) {
        if mentions.is_empty() {
            return;
@@ -178,6 +185,12 @@ impl AnalyticsEventsClient {
        )));
    }

+    pub fn track_compaction(&self, event: crate::facts::CodexCompactionEvent) {
+        self.record_fact(AnalyticsFact::Custom(CustomAnalyticsFact::Compaction(
+            Box::new(event),
+        )));
+    }
+
    pub fn track_plugin_installed(&self, plugin: PluginTelemetryMetadata) {
        self.record_fact(AnalyticsFact::Custom(
            CustomAnalyticsFact::PluginStateChanged(PluginStateChangedInput {
--- a/codex-rs/analytics/src/events.rs
+++ b/codex-rs/analytics/src/events.rs
@@ -1,10 +1,14 @@
 use crate::facts::AppInvocation;
+use crate::facts::CodexCompactionEvent;
 use crate::facts::InvocationType;
 use crate::facts::PluginState;
 use crate::facts::SubAgentThreadStartedInput;
 use crate::facts::TrackEventsContext;
 use codex_login::default_client::originator;
 use codex_plugin::PluginTelemetryMetadata;
+use codex_protocol::approvals::NetworkApprovalProtocol;
+use codex_protocol::models::PermissionProfile;
+use codex_protocol::models::SandboxPermissions;
 use codex_protocol::protocol::SessionSource;
 use codex_protocol::protocol::SubAgentSource;
 use serde::Serialize;
@@ -35,8 +39,10 @@ pub(crate) struct TrackEventsRequest {
 pub(crate) enum TrackEventRequest {
    SkillInvocation(SkillInvocationEventRequest),
    ThreadInitialized(ThreadInitializedEvent),
+    GuardianReview(Box<GuardianReviewEventRequest>),
    AppMentioned(CodexAppMentionedEventRequest),
    AppUsed(CodexAppUsedEventRequest),
+    Compaction(Box<CodexCompactionEventRequest>),
    PluginUsed(CodexPluginUsedEventRequest),
    PluginInstalled(CodexPluginEventRequest),
    PluginUninstalled(CodexPluginEventRequest),
@@ -99,6 +105,179 @@ pub(crate) struct ThreadInitializedEvent {
    pub(crate) event_params: ThreadInitializedEventParams,
 }

+#[derive(Serialize)]
+pub(crate) struct GuardianReviewEventRequest {
+    pub(crate) event_type: &'static str,
+    pub(crate) event_params: GuardianReviewEventPayload,
+}
+
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "snake_case")]
+pub enum GuardianReviewDecision {
+    Approved,
+    Denied,
+    Aborted,
+}
+
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "snake_case")]
+pub enum GuardianReviewTerminalStatus {
+    Approved,
+    Denied,
+    Aborted,
+    TimedOut,
+    FailedClosed,
+}
+
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "snake_case")]
+pub enum GuardianReviewFailureReason {
+    Timeout,
+    Cancelled,
+    PromptBuildError,
+    SessionError,
+    ParseError,
+}
+
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "snake_case")]
+pub enum GuardianReviewSessionKind {
+    TrunkNew,
+    TrunkReused,
+    EphemeralForked,
+}
+
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "lowercase")]
+pub enum GuardianReviewRiskLevel {
+    Low,
+    Medium,
+    High,
+    Critical,
+}
+
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "lowercase")]
+pub enum GuardianReviewUserAuthorization {
+    Unknown,
+    Low,
+    Medium,
+    High,
+}
+
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "lowercase")]
+pub enum GuardianReviewOutcome {
+    Allow,
+    Deny,
+}
+
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "snake_case")]
+pub enum GuardianApprovalRequestSource {
+    /// Approval requested directly by the main Codex turn.
+    MainTurn,
+    /// Approval requested by a delegated subagent and routed through the parent
+    /// session for guardian review.
+    DelegatedSubagent,
+}
+
+#[derive(Clone, Debug, Serialize)]
+#[serde(tag = "type", rename_all = "snake_case")]
+pub enum GuardianReviewedAction {
+    Shell {
+        command: Vec<String>,
+        command_display: String,
+        cwd: String,
+        sandbox_permissions: SandboxPermissions,
+        additional_permissions: Option<PermissionProfile>,
+        justification: Option<String>,
+    },
+    UnifiedExec {
+        command: Vec<String>,
+        command_display: String,
+        cwd: String,
+        sandbox_permissions: SandboxPermissions,
+        additional_permissions: Option<PermissionProfile>,
+        justification: Option<String>,
+        tty: bool,
+    },
+    Execve {
+        source: GuardianCommandSource,
+        program: String,
+        argv: Vec<String>,
+        cwd: String,
+        additional_permissions: Option<PermissionProfile>,
+    },
+    ApplyPatch {
+        cwd: String,
+        files: Vec<String>,
+    },
+    NetworkAccess {
+        target: String,
+        host: String,
+        protocol: NetworkApprovalProtocol,
+        port: u16,
+    },
+    McpToolCall {
+        server: String,
+        tool_name: String,
+        connector_id: Option<String>,
+        connector_name: Option<String>,
+        tool_title: Option<String>,
+    },
+}
+
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "snake_case")]
+pub enum GuardianCommandSource {
+    Shell,
+    UnifiedExec,
+}
+
+#[derive(Clone, Serialize)]
+pub struct GuardianReviewEventParams {
+    pub thread_id: String,
+    pub turn_id: String,
+    pub review_id: String,
+    pub target_item_id: String,
+    pub retry_reason: Option<String>,
+    pub approval_request_source: GuardianApprovalRequestSource,
+    pub reviewed_action: GuardianReviewedAction,
+    pub reviewed_action_truncated: bool,
+    pub decision: GuardianReviewDecision,
+    pub terminal_status: GuardianReviewTerminalStatus,
+    pub failure_reason: Option<GuardianReviewFailureReason>,
+    pub risk_level: Option<GuardianReviewRiskLevel>,
+    pub user_authorization: Option<GuardianReviewUserAuthorization>,
+    pub outcome: Option<GuardianReviewOutcome>,
+    pub rationale: Option<String>,
+    pub guardian_thread_id: Option<String>,
+    pub guardian_session_kind: Option<GuardianReviewSessionKind>,
+    pub guardian_model: Option<String>,
+    pub guardian_reasoning_effort: Option<String>,
+    pub had_prior_review_context: Option<bool>,
+    pub review_timeout_ms: u64,
+    pub tool_call_count: u64,
+    pub time_to_first_token_ms: Option<u64>,
+    pub completion_latency_ms: Option<u64>,
+    pub started_at: u64,
+    pub completed_at: Option<u64>,
+    pub input_tokens: Option<i64>,
+    pub cached_input_tokens: Option<i64>,
+    pub output_tokens: Option<i64>,
+    pub reasoning_output_tokens: Option<i64>,
+    pub total_tokens: Option<i64>,
+}
+
+#[derive(Serialize)]
+pub(crate) struct GuardianReviewEventPayload {
+    pub(crate) app_server_client: CodexAppServerClientMetadata,
+    pub(crate) runtime: CodexRuntimeMetadata,
+    #[serde(flatten)]
+    pub(crate) guardian_review: GuardianReviewEventParams,
+}
+
 #[derive(Serialize)]
 pub(crate) struct CodexAppMetadata {
    pub(crate) connector_id: Option<String>,
@@ -122,6 +301,35 @@ pub(crate) struct CodexAppUsedEventRequest {
    pub(crate) event_params: CodexAppMetadata,
 }

+#[derive(Serialize)]
+pub(crate) struct CodexCompactionEventParams {
+    pub(crate) thread_id: String,
+    pub(crate) turn_id: String,
+    pub(crate) app_server_client: CodexAppServerClientMetadata,
+    pub(crate) runtime: CodexRuntimeMetadata,
+    pub(crate) thread_source: Option<&'static str>,
+    pub(crate) subagent_source: Option<String>,
+    pub(crate) parent_thread_id: Option<String>,
+    pub(crate) trigger: crate::facts::CompactionTrigger,
+    pub(crate) reason: crate::facts::CompactionReason,
+    pub(crate) implementation: crate::facts::CompactionImplementation,
+    pub(crate) phase: crate::facts::CompactionPhase,
+    pub(crate) strategy: crate::facts::CompactionStrategy,
+    pub(crate) status: crate::facts::CompactionStatus,
+    pub(crate) error: Option<String>,
+    pub(crate) active_context_tokens_before: i64,
+    pub(crate) active_context_tokens_after: i64,
+    pub(crate) started_at: u64,
+    pub(crate) completed_at: u64,
+    pub(crate) duration_ms: Option<u64>,
+}
+
+#[derive(Serialize)]
+pub(crate) struct CodexCompactionEventRequest {
+    pub(crate) event_type: &'static str,
+    pub(crate) event_params: CodexCompactionEventParams,
+}
+
 #[derive(Serialize)]
 pub(crate) struct CodexPluginMetadata {
    pub(crate) plugin_id: Option<String>,
@@ -201,6 +409,37 @@ pub(crate) fn codex_plugin_metadata(plugin: PluginTelemetryMetadata) -> CodexPlu
    }
 }

+pub(crate) fn codex_compaction_event_params(
+    input: CodexCompactionEvent,
+    app_server_client: CodexAppServerClientMetadata,
+    runtime: CodexRuntimeMetadata,
+    thread_source: Option<&'static str>,
+    subagent_source: Option<String>,
+    parent_thread_id: Option<String>,
+) -> CodexCompactionEventParams {
+    CodexCompactionEventParams {
+        thread_id: input.thread_id,
+        turn_id: input.turn_id,
+        app_server_client,
+        runtime,
+        thread_source,
+        subagent_source,
+        parent_thread_id,
+        trigger: input.trigger,
+        reason: input.reason,
+        implementation: input.implementation,
+        phase: input.phase,
+        strategy: input.strategy,
+        status: input.status,
+        error: input.error,
+        active_context_tokens_before: input.active_context_tokens_before,
+        active_context_tokens_after: input.active_context_tokens_after,
+        started_at: input.started_at,
+        completed_at: input.completed_at,
+        duration_ms: input.duration_ms,
+    }
+}
+
 pub(crate) fn codex_plugin_used_metadata(
    tracking: &TrackEventsContext,
    plugin: PluginTelemetryMetadata,
@@ -249,7 +488,9 @@ pub(crate) fn subagent_thread_started_event_request(
        thread_source: Some("subagent"),
        initialization_mode: ThreadInitializationMode::New,
        subagent_source: Some(subagent_source_name(&input.subagent_source)),
-        parent_thread_id: subagent_parent_thread_id(&input.subagent_source),
+        parent_thread_id: input
+            .parent_thread_id
+            .or_else(|| subagent_parent_thread_id(&input.subagent_source)),
        created_at: input.created_at,
    };
    ThreadInitializedEvent {
@@ -258,7 +499,7 @@ pub(crate) fn subagent_thread_started_event_request(
    }
 }

-fn subagent_source_name(subagent_source: &SubAgentSource) -> String {
+pub(crate) fn subagent_source_name(subagent_source: &SubAgentSource) -> String {
    match subagent_source {
        SubAgentSource::Review => "review".to_string(),
        SubAgentSource::Compact => "compact".to_string(),
@@ -268,7 +509,7 @@ fn subagent_source_name(subagent_source: &SubAgentSource) -> String {
    }
 }

-fn subagent_parent_thread_id(subagent_source: &SubAgentSource) -> Option<String> {
+pub(crate) fn subagent_parent_thread_id(subagent_source: &SubAgentSource) -> Option<String> {
    match subagent_source {
        SubAgentSource::ThreadSpawn {
            parent_thread_id, ..
--- a/codex-rs/analytics/src/facts.rs
+++ b/codex-rs/analytics/src/facts.rs
@@ -1,5 +1,6 @@
 use crate::events::AppServerRpcTransport;
 use crate::events::CodexRuntimeMetadata;
+use crate::events::GuardianReviewEventParams;
 use codex_app_server_protocol::ClientRequest;
 use codex_app_server_protocol::ClientResponse;
 use codex_app_server_protocol::InitializeParams;
@@ -54,6 +55,7 @@ pub struct AppInvocation {
 #[derive(Clone)]
 pub struct SubAgentThreadStartedInput {
    pub thread_id: String,
+    pub parent_thread_id: Option<String>,
    pub product_client_id: String,
    pub client_name: String,
    pub client_version: String,
@@ -63,6 +65,69 @@ pub struct SubAgentThreadStartedInput {
    pub created_at: u64,
 }

+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "snake_case")]
+pub enum CompactionTrigger {
+    Manual,
+    Auto,
+}
+
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "snake_case")]
+pub enum CompactionReason {
+    UserRequested,
+    ContextLimit,
+    ModelDownshift,
+}
+
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "snake_case")]
+pub enum CompactionImplementation {
+    Responses,
+    ResponsesCompact,
+}
+
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "snake_case")]
+pub enum CompactionPhase {
+    StandaloneTurn,
+    PreTurn,
+    MidTurn,
+}
+
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "snake_case")]
+pub enum CompactionStrategy {
+    Memento,
+    PrefixCompaction,
+}
+
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "snake_case")]
+pub enum CompactionStatus {
+    Completed,
+    Failed,
+    Interrupted,
+}
+
+#[derive(Clone)]
+pub struct CodexCompactionEvent {
+    pub thread_id: String,
+    pub turn_id: String,
+    pub trigger: CompactionTrigger,
+    pub reason: CompactionReason,
+    pub implementation: CompactionImplementation,
+    pub phase: CompactionPhase,
+    pub strategy: CompactionStrategy,
+    pub status: CompactionStatus,
+    pub error: Option<String>,
+    pub active_context_tokens_before: i64,
+    pub active_context_tokens_after: i64,
+    pub started_at: u64,
+    pub completed_at: u64,
+    pub duration_ms: Option<u64>,
+}
+
 #[allow(dead_code)]
 pub(crate) enum AnalyticsFact {
    Initialize {
@@ -89,6 +154,8 @@ pub(crate) enum AnalyticsFact {

 pub(crate) enum CustomAnalyticsFact {
    SubAgentThreadStarted(SubAgentThreadStartedInput),
+    Compaction(Box<CodexCompactionEvent>),
+    GuardianReview(Box<GuardianReviewEventParams>),
    SkillInvoked(SkillInvokedInput),
    AppMentioned(AppMentionedInput),
    AppUsed(AppUsedInput),
--- a/codex-rs/analytics/src/lib.rs
+++ b/codex-rs/analytics/src/lib.rs
@@ -5,7 +5,25 @@ mod reducer;

 pub use client::AnalyticsEventsClient;
 pub use events::AppServerRpcTransport;
+pub use events::GuardianApprovalRequestSource;
+pub use events::GuardianCommandSource;
+pub use events::GuardianReviewDecision;
+pub use events::GuardianReviewEventParams;
+pub use events::GuardianReviewFailureReason;
+pub use events::GuardianReviewOutcome;
+pub use events::GuardianReviewRiskLevel;
+pub use events::GuardianReviewSessionKind;
+pub use events::GuardianReviewTerminalStatus;
+pub use events::GuardianReviewUserAuthorization;
+pub use events::GuardianReviewedAction;
 pub use facts::AppInvocation;
+pub use facts::CodexCompactionEvent;
+pub use facts::CompactionImplementation;
+pub use facts::CompactionPhase;
+pub use facts::CompactionReason;
+pub use facts::CompactionStatus;
+pub use facts::CompactionStrategy;
+pub use facts::CompactionTrigger;
 pub use facts::InvocationType;
 pub use facts::SkillInvocation;
 pub use facts::SubAgentThreadStartedInput;
--- a/codex-rs/analytics/src/reducer.rs
+++ b/codex-rs/analytics/src/reducer.rs
@@ -2,9 +2,13 @@ use crate::events::AppServerRpcTransport;
 use crate::events::CodexAppMentionedEventRequest;
 use crate::events::CodexAppServerClientMetadata;
 use crate::events::CodexAppUsedEventRequest;
+use crate::events::CodexCompactionEventRequest;
 use crate::events::CodexPluginEventRequest;
 use crate::events::CodexPluginUsedEventRequest;
 use crate::events::CodexRuntimeMetadata;
+use crate::events::GuardianReviewEventParams;
+use crate::events::GuardianReviewEventPayload;
+use crate::events::GuardianReviewEventRequest;
 use crate::events::SkillInvocationEventParams;
 use crate::events::SkillInvocationEventRequest;
 use crate::events::ThreadInitializationMode;
@@ -12,14 +16,18 @@ use crate::events::ThreadInitializedEvent;
 use crate::events::ThreadInitializedEventParams;
 use crate::events::TrackEventRequest;
 use crate::events::codex_app_metadata;
+use crate::events::codex_compaction_event_params;
 use crate::events::codex_plugin_metadata;
 use crate::events::codex_plugin_used_metadata;
 use crate::events::plugin_state_event_type;
+use crate::events::subagent_parent_thread_id;
+use crate::events::subagent_source_name;
 use crate::events::subagent_thread_started_event_request;
 use crate::events::thread_source_name;
 use crate::facts::AnalyticsFact;
 use crate::facts::AppMentionedInput;
 use crate::facts::AppUsedInput;
+use crate::facts::CodexCompactionEvent;
 use crate::facts::CustomAnalyticsFact;
 use crate::facts::PluginState;
 use crate::facts::PluginStateChangedInput;
@@ -40,6 +48,8 @@ use std::path::Path;
 #[derive(Default)]
 pub(crate) struct AnalyticsReducer {
    connections: HashMap<u64, ConnectionState>,
+    thread_connections: HashMap<String, u64>,
+    thread_metadata: HashMap<String, ThreadMetadataState>,
 }

 struct ConnectionState {
@@ -47,6 +57,35 @@ struct ConnectionState {
    runtime: CodexRuntimeMetadata,
 }

+#[derive(Clone)]
+struct ThreadMetadataState {
+    thread_source: Option<&'static str>,
+    subagent_source: Option<String>,
+    parent_thread_id: Option<String>,
+}
+
+impl ThreadMetadataState {
+    fn from_session_source(session_source: &SessionSource) -> Self {
+        let (subagent_source, parent_thread_id) = match session_source {
+            SessionSource::SubAgent(subagent_source) => (
+                Some(subagent_source_name(subagent_source)),
+                subagent_parent_thread_id(subagent_source),
+            ),
+            SessionSource::Cli
+            | SessionSource::VSCode
+            | SessionSource::Exec
+            | SessionSource::Mcp
+            | SessionSource::Custom(_)
+            | SessionSource::Unknown => (None, None),
+        };
+        Self {
+            thread_source: thread_source_name(session_source),
+            subagent_source,
+            parent_thread_id,
+        }
+    }
+}
+
 impl AnalyticsReducer {
    pub(crate) async fn ingest(&mut self, input: AnalyticsFact, out: &mut Vec<TrackEventRequest>) {
        match input {
@@ -81,6 +120,12 @@ impl AnalyticsReducer {
                CustomAnalyticsFact::SubAgentThreadStarted(input) => {
                    self.ingest_subagent_thread_started(input, out);
                }
+                CustomAnalyticsFact::Compaction(input) => {
+                    self.ingest_compaction(*input, out);
+                }
+                CustomAnalyticsFact::GuardianReview(input) => {
+                    self.ingest_guardian_review(*input, out);
+                }
                CustomAnalyticsFact::SkillInvoked(input) => {
                    self.ingest_skill_invoked(input, out).await;
                }
@@ -135,6 +180,42 @@ impl AnalyticsReducer {
        ));
    }

+    fn ingest_guardian_review(
+        &mut self,
+        input: GuardianReviewEventParams,
+        out: &mut Vec<TrackEventRequest>,
+    ) {
+        let Some(connection_id) = self.thread_connections.get(&input.thread_id) else {
+            tracing::warn!(
+                thread_id = %input.thread_id,
+                turn_id = %input.turn_id,
+                review_id = %input.review_id,
+                "dropping guardian analytics event: missing thread connection metadata"
+            );
+            return;
+        };
+        let Some(connection_state) = self.connections.get(connection_id) else {
+            tracing::warn!(
+                thread_id = %input.thread_id,
+                turn_id = %input.turn_id,
+                review_id = %input.review_id,
+                connection_id,
+                "dropping guardian analytics event: missing connection metadata"
+            );
+            return;
+        };
+        out.push(TrackEventRequest::GuardianReview(Box::new(
+            GuardianReviewEventRequest {
+                event_type: "codex_guardian_review",
+                event_params: GuardianReviewEventPayload {
+                    app_server_client: connection_state.app_server_client.clone(),
+                    runtime: connection_state.runtime.clone(),
+                    guardian_review: input,
+                },
+            },
+        )));
+    }
+
    async fn ingest_skill_invoked(
        &mut self,
        input: SkillInvokedInput,
@@ -254,27 +335,74 @@ impl AnalyticsReducer {
            _ => return,
        };
        let thread_source: SessionSource = thread.source.into();
+        let thread_id = thread.id;
        let Some(connection_state) = self.connections.get(&connection_id) else {
            return;
        };
+        let thread_metadata = ThreadMetadataState::from_session_source(&thread_source);
+        self.thread_connections
+            .insert(thread_id.clone(), connection_id);
+        self.thread_metadata
+            .insert(thread_id.clone(), thread_metadata.clone());
        out.push(TrackEventRequest::ThreadInitialized(
            ThreadInitializedEvent {
                event_type: "codex_thread_initialized",
                event_params: ThreadInitializedEventParams {
-                    thread_id: thread.id,
+                    thread_id,
                    app_server_client: connection_state.app_server_client.clone(),
                    runtime: connection_state.runtime.clone(),
                    model,
                    ephemeral: thread.ephemeral,
-                    thread_source: thread_source_name(&thread_source),
+                    thread_source: thread_metadata.thread_source,
                    initialization_mode,
-                    subagent_source: None,
-                    parent_thread_id: None,
+                    subagent_source: thread_metadata.subagent_source,
+                    parent_thread_id: thread_metadata.parent_thread_id,
                    created_at: u64::try_from(thread.created_at).unwrap_or_default(),
                },
            },
        ));
    }
+
+    fn ingest_compaction(&mut self, input: CodexCompactionEvent, out: &mut Vec<TrackEventRequest>) {
+        let Some(connection_id) = self.thread_connections.get(&input.thread_id) else {
+            tracing::warn!(
+                thread_id = %input.thread_id,
+                turn_id = %input.turn_id,
+                "dropping compaction analytics event: missing thread connection metadata"
+            );
+            return;
+        };
+        let Some(connection_state) = self.connections.get(connection_id) else {
+            tracing::warn!(
+                thread_id = %input.thread_id,
+                turn_id = %input.turn_id,
+                connection_id,
+                "dropping compaction analytics event: missing connection metadata"
+            );
+            return;
+        };
+        let Some(thread_metadata) = self.thread_metadata.get(&input.thread_id) else {
+            tracing::warn!(
+                thread_id = %input.thread_id,
+                turn_id = %input.turn_id,
+                "dropping compaction analytics event: missing thread lifecycle metadata"
+            );
+            return;
+        };
+        out.push(TrackEventRequest::Compaction(Box::new(
+            CodexCompactionEventRequest {
+                event_type: "codex_compaction_event",
+                event_params: codex_compaction_event_params(
+                    input,
+                    connection_state.app_server_client.clone(),
+                    connection_state.runtime.clone(),
+                    thread_metadata.thread_source,
+                    thread_metadata.subagent_source.clone(),
+                    thread_metadata.parent_thread_id.clone(),
+                ),
+            },
+        )));
+    }
 }

 pub(crate) fn skill_id_for_local_skill(
--- a/codex-rs/app-server-client/Cargo.toml
+++ b/codex-rs/app-server-client/Cargo.toml
@@ -19,6 +19,7 @@ codex-core = { workspace = true }
 codex-exec-server = { workspace = true }
 codex-feedback = { workspace = true }
 codex-protocol = { workspace = true }
+codex-utils-rustls-provider = { workspace = true }
 futures = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
--- a/codex-rs/app-server-client/src/lib.rs
+++ b/codex-rs/app-server-client/src/lib.rs
@@ -56,6 +56,90 @@ use tracing::warn;
 pub use crate::remote::RemoteAppServerClient;
 pub use crate::remote::RemoteAppServerConnectArgs;

+/// Transitional access to core-only embedded app-server types.
+///
+/// New TUI behavior should prefer the app-server protocol methods. This
+/// module exists so clients can remove a direct `codex-core` dependency
+/// while legacy startup/config paths are migrated to RPCs.
+pub mod legacy_core {
+    pub use codex_core::Cursor;
+    pub use codex_core::DEFAULT_PROJECT_DOC_FILENAME;
+    pub use codex_core::INTERACTIVE_SESSION_SOURCES;
+    pub use codex_core::LOCAL_PROJECT_DOC_FILENAME;
+    pub use codex_core::McpManager;
+    pub use codex_core::PLUGIN_TEXT_MENTION_SIGIL;
+    pub use codex_core::RolloutRecorder;
+    pub use codex_core::TOOL_MENTION_SIGIL;
+    pub use codex_core::ThreadItem;
+    pub use codex_core::ThreadSortKey;
+    pub use codex_core::ThreadsPage;
+    pub use codex_core::append_message_history_entry;
+    pub use codex_core::check_execpolicy_for_warnings;
+    pub use codex_core::discover_project_doc_paths;
+    pub use codex_core::find_thread_meta_by_name_str;
+    pub use codex_core::find_thread_name_by_id;
+    pub use codex_core::find_thread_names_by_ids;
+    pub use codex_core::format_exec_policy_error_with_source;
+    pub use codex_core::grant_read_root_non_elevated;
+    pub use codex_core::lookup_message_history_entry;
+    pub use codex_core::message_history_metadata;
+    pub use codex_core::path_utils;
+    pub use codex_core::read_session_meta_line;
+    pub use codex_core::web_search_detail;
+
+    pub mod config {
+        pub use codex_core::config::*;
+
+        pub mod edit {
+            pub use codex_core::config::edit::*;
+        }
+    }
+
+    pub mod config_loader {
+        pub use codex_core::config_loader::*;
+    }
+
+    pub mod connectors {
+        pub use codex_core::connectors::*;
+    }
+
+    pub mod otel_init {
+        pub use codex_core::otel_init::*;
+    }
+
+    pub mod personality_migration {
+        pub use codex_core::personality_migration::*;
+    }
+
+    pub mod plugins {
+        pub use codex_core::plugins::*;
+    }
+
+    pub mod review_format {
+        pub use codex_core::review_format::*;
+    }
+
+    pub mod review_prompts {
+        pub use codex_core::review_prompts::*;
+    }
+
+    pub mod skills {
+        pub use codex_core::skills::*;
+    }
+
+    pub mod test_support {
+        pub use codex_core::test_support::*;
+    }
+
+    pub mod util {
+        pub use codex_core::util::*;
+    }
+
+    pub mod windows_sandbox {
+        pub use codex_core::windows_sandbox::*;
+    }
+}
+
 const SHUTDOWN_TIMEOUT: Duration = Duration::from_secs(5);

 /// Raw app-server request result for typed in-process requests.
--- a/codex-rs/app-server-client/src/remote.rs
+++ b/codex-rs/app-server-client/src/remote.rs
@@ -36,6 +36,7 @@ use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::Result as JsonRpcResult;
 use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::ServerRequest;
+use codex_utils_rustls_provider::ensure_rustls_crypto_provider;
 use futures::SinkExt;
 use futures::StreamExt;
 use serde::de::DeserializeOwned;
@@ -169,6 +170,7 @@ impl RemoteAppServerClient {
                })?;
            request.headers_mut().insert(AUTHORIZATION, header_value);
        }
+        ensure_rustls_crypto_provider();
        let stream = timeout(CONNECT_TIMEOUT, connect_async(request))
            .await
            .map_err(|_| {
--- a/codex-rs/app-server-protocol/schema/json/ApplyPatchApprovalResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/ApplyPatchApprovalResponse.json
@@ -94,6 +94,13 @@
          ],
          "type": "string"
        },
+        {
+          "description": "Automatic approval review timed out before reaching a decision.",
+          "enum": [
+            "timed_out"
+          ],
+          "type": "string"
+        },
        {
          "description": "User has denied this command and the agent should not do anything until the user's next command.",
          "enum": [
--- a/codex-rs/app-server-protocol/schema/json/ClientRequest.json
+++ b/codex-rs/app-server-protocol/schema/json/ClientRequest.json
@@ -647,6 +647,15 @@
            "null"
          ]
        },
+        "tags": {
+          "additionalProperties": {
+            "type": "string"
+          },
+          "type": [
+            "object",
+            "null"
+          ]
+        },
        "threadId": {
          "type": [
            "string",
@@ -1277,6 +1286,27 @@
      ],
      "type": "string"
    },
+    "McpServerToolCallParams": {
+      "properties": {
+        "_meta": true,
+        "arguments": true,
+        "server": {
+          "type": "string"
+        },
+        "threadId": {
+          "type": "string"
+        },
+        "tool": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "server",
+        "threadId",
+        "tool"
+      ],
+      "type": "object"
+    },
    "MergeStrategy": {
      "enum": [
        "replace",
@@ -1469,6 +1499,30 @@
        }
      ]
    },
+    "RealtimeVoice": {
+      "enum": [
+        "alloy",
+        "arbor",
+        "ash",
+        "ballad",
+        "breeze",
+        "cedar",
+        "coral",
+        "cove",
+        "echo",
+        "ember",
+        "juniper",
+        "maple",
+        "marin",
+        "sage",
+        "shimmer",
+        "sol",
+        "spruce",
+        "vale",
+        "verse"
+      ],
+      "type": "string"
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -3186,10 +3240,27 @@
              "type": "null"
            }
          ]
+        },
+        "sessionStartSource": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/ThreadStartSource"
+            },
+            {
+              "type": "null"
+            }
+          ]
        }
      },
      "type": "object"
    },
+    "ThreadStartSource": {
+      "enum": [
+        "startup",
+        "clear"
+      ],
+      "type": "string"
+    },
    "ThreadUnarchiveParams": {
      "properties": {
        "threadId": {
@@ -4528,6 +4599,30 @@
      "title": "McpServer/resource/readRequest",
      "type": "object"
    },
+    {
+      "properties": {
+        "id": {
+          "$ref": "#/definitions/RequestId"
+        },
+        "method": {
+          "enum": [
+            "mcpServer/tool/call"
+          ],
+          "title": "McpServer/tool/callRequestMethod",
+          "type": "string"
+        },
+        "params": {
+          "$ref": "#/definitions/McpServerToolCallParams"
+        }
+      },
+      "required": [
+        "id",
+        "method",
+        "params"
+      ],
+      "title": "McpServer/tool/callRequest",
+      "type": "object"
+    },
    {
      "properties": {
        "id": {
--- a/codex-rs/app-server-protocol/schema/json/ExecCommandApprovalResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/ExecCommandApprovalResponse.json
@@ -94,6 +94,13 @@
          ],
          "type": "string"
        },
+        {
+          "description": "Automatic approval review timed out before reaching a decision.",
+          "enum": [
+            "timed_out"
+          ],
+          "type": "string"
+        },
        {
          "description": "User has denied this command and the agent should not do anything until the user's next command.",
          "enum": [
--- a/codex-rs/app-server-protocol/schema/json/ServerNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/ServerNotification.json
@@ -388,6 +388,13 @@
        }
      ]
    },
+    "AutoReviewDecisionSource": {
+      "description": "[UNSTABLE] Source that produced a terminal guardian approval review decision.",
+      "enum": [
+        "agent"
+      ],
+      "type": "string"
+    },
    "ByteRange": {
      "properties": {
        "end": {
@@ -1146,16 +1153,18 @@
            }
          ]
        },
-        "riskScore": {
-          "format": "uint8",
-          "minimum": 0.0,
-          "type": [
-            "integer",
-            "null"
-          ]
-        },
        "status": {
          "$ref": "#/definitions/GuardianApprovalReviewStatus"
+        },
+        "userAuthorization": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/GuardianUserAuthorization"
+            },
+            {
+              "type": "null"
+            }
+          ]
        }
      },
      "required": [
@@ -1339,6 +1348,7 @@
        "inProgress",
        "approved",
        "denied",
+        "timedOut",
        "aborted"
      ],
      "type": "string"
@@ -1353,6 +1363,17 @@
    "GuardianRiskLevel": {
      "description": "[UNSTABLE] Risk level assigned by guardian approval review.",
      "enum": [
+        "low",
+        "medium",
+        "high",
+        "critical"
+      ],
+      "type": "string"
+    },
+    "GuardianUserAuthorization": {
+      "description": "[UNSTABLE] Authorization level assigned by guardian approval review.",
+      "enum": [
+        "unknown",
        "low",
        "medium",
        "high"
@@ -1575,17 +1596,28 @@
      "type": "object"
    },
    "ItemGuardianApprovalReviewCompletedNotification": {
-      "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.\n\nTODO(ccunningham): Attach guardian review state to the reviewed tool item's lifecycle instead of sending separate standalone review notifications so the app-server API can persist and replay review state via `thread/read`.",
+      "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.",
      "properties": {
        "action": {
          "$ref": "#/definitions/GuardianApprovalReviewAction"
        },
+        "decisionSource": {
+          "$ref": "#/definitions/AutoReviewDecisionSource"
+        },
        "review": {
          "$ref": "#/definitions/GuardianApprovalReview"
        },
-        "targetItemId": {
+        "reviewId": {
+          "description": "Stable identifier for this review.",
          "type": "string"
        },
+        "targetItemId": {
+          "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "threadId": {
          "type": "string"
        },
@@ -1595,15 +1627,16 @@
      },
      "required": [
        "action",
+        "decisionSource",
        "review",
-        "targetItemId",
+        "reviewId",
        "threadId",
        "turnId"
      ],
      "type": "object"
    },
    "ItemGuardianApprovalReviewStartedNotification": {
-      "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.\n\nTODO(ccunningham): Attach guardian review state to the reviewed tool item's lifecycle instead of sending separate standalone review notifications so the app-server API can persist and replay review state via `thread/read`.",
+      "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.",
      "properties": {
        "action": {
          "$ref": "#/definitions/GuardianApprovalReviewAction"
@@ -1611,9 +1644,17 @@
        "review": {
          "$ref": "#/definitions/GuardianApprovalReview"
        },
-        "targetItemId": {
+        "reviewId": {
+          "description": "Stable identifier for this review.",
          "type": "string"
        },
+        "targetItemId": {
+          "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "threadId": {
          "type": "string"
        },
@@ -1624,7 +1665,7 @@
      "required": [
        "action",
        "review",
-        "targetItemId",
+        "reviewId",
        "threadId",
        "turnId"
      ],
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
@@ -1225,6 +1225,30 @@
          "title": "McpServer/resource/readRequest",
          "type": "object"
        },
+        {
+          "properties": {
+            "id": {
+              "$ref": "#/definitions/v2/RequestId"
+            },
+            "method": {
+              "enum": [
+                "mcpServer/tool/call"
+              ],
+              "title": "McpServer/tool/callRequestMethod",
+              "type": "string"
+            },
+            "params": {
+              "$ref": "#/definitions/v2/McpServerToolCallParams"
+            }
+          },
+          "required": [
+            "id",
+            "method",
+            "params"
+          ],
+          "title": "McpServer/tool/callRequest",
+          "type": "object"
+        },
        {
          "properties": {
            "id": {
@@ -3398,6 +3422,13 @@
          ],
          "type": "string"
        },
+        {
+          "description": "Automatic approval review timed out before reaching a decision.",
+          "enum": [
+            "timed_out"
+          ],
+          "type": "string"
+        },
        {
          "description": "User has denied this command and the agent should not do anything until the user's next command.",
          "enum": [
@@ -5536,6 +5567,13 @@
          }
        ]
      },
+      "AutoReviewDecisionSource": {
+        "description": "[UNSTABLE] Source that produced a terminal guardian approval review decision.",
+        "enum": [
+          "agent"
+        ],
+        "type": "string"
+      },
      "ByteRange": {
        "properties": {
          "end": {
@@ -7441,6 +7479,15 @@
              "null"
            ]
          },
+          "tags": {
+            "additionalProperties": {
+              "type": "string"
+            },
+            "type": [
+              "object",
+              "null"
+            ]
+          },
          "threadId": {
            "type": [
              "string",
@@ -8095,16 +8142,18 @@
              }
            ]
          },
-          "riskScore": {
-            "format": "uint8",
-            "minimum": 0.0,
-            "type": [
-              "integer",
-              "null"
-            ]
-          },
          "status": {
            "$ref": "#/definitions/v2/GuardianApprovalReviewStatus"
+          },
+          "userAuthorization": {
+            "anyOf": [
+              {
+                "$ref": "#/definitions/v2/GuardianUserAuthorization"
+              },
+              {
+                "type": "null"
+              }
+            ]
          }
        },
        "required": [
@@ -8288,6 +8337,7 @@
          "inProgress",
          "approved",
          "denied",
+          "timedOut",
          "aborted"
        ],
        "type": "string"
@@ -8302,6 +8352,17 @@
      "GuardianRiskLevel": {
        "description": "[UNSTABLE] Risk level assigned by guardian approval review.",
        "enum": [
+          "low",
+          "medium",
+          "high",
+          "critical"
+        ],
+        "type": "string"
+      },
+      "GuardianUserAuthorization": {
+        "description": "[UNSTABLE] Authorization level assigned by guardian approval review.",
+        "enum": [
+          "unknown",
          "low",
          "medium",
          "high"
@@ -8559,17 +8620,28 @@
      },
      "ItemGuardianApprovalReviewCompletedNotification": {
        "$schema": "http://json-schema.org/draft-07/schema#",
-        "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.\n\nTODO(ccunningham): Attach guardian review state to the reviewed tool item's lifecycle instead of sending separate standalone review notifications so the app-server API can persist and replay review state via `thread/read`.",
+        "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.",
        "properties": {
          "action": {
            "$ref": "#/definitions/v2/GuardianApprovalReviewAction"
          },
+          "decisionSource": {
+            "$ref": "#/definitions/v2/AutoReviewDecisionSource"
+          },
          "review": {
            "$ref": "#/definitions/v2/GuardianApprovalReview"
          },
-          "targetItemId": {
+          "reviewId": {
+            "description": "Stable identifier for this review.",
            "type": "string"
          },
+          "targetItemId": {
+            "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
+            "type": [
+              "string",
+              "null"
+            ]
+          },
          "threadId": {
            "type": "string"
          },
@@ -8579,8 +8651,9 @@
        },
        "required": [
          "action",
+          "decisionSource",
          "review",
-          "targetItemId",
+          "reviewId",
          "threadId",
          "turnId"
        ],
@@ -8589,7 +8662,7 @@
      },
      "ItemGuardianApprovalReviewStartedNotification": {
        "$schema": "http://json-schema.org/draft-07/schema#",
-        "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.\n\nTODO(ccunningham): Attach guardian review state to the reviewed tool item's lifecycle instead of sending separate standalone review notifications so the app-server API can persist and replay review state via `thread/read`.",
+        "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.",
        "properties": {
          "action": {
            "$ref": "#/definitions/v2/GuardianApprovalReviewAction"
@@ -8597,9 +8670,17 @@
          "review": {
            "$ref": "#/definitions/v2/GuardianApprovalReview"
          },
-          "targetItemId": {
+          "reviewId": {
+            "description": "Stable identifier for this review.",
            "type": "string"
          },
+          "targetItemId": {
+            "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
+            "type": [
+              "string",
+              "null"
+            ]
+          },
          "threadId": {
            "type": "string"
          },
@@ -8610,7 +8691,7 @@
        "required": [
          "action",
          "review",
-          "targetItemId",
+          "reviewId",
          "threadId",
          "turnId"
        ],
@@ -9166,6 +9247,51 @@
        "title": "McpServerStatusUpdatedNotification",
        "type": "object"
      },
+      "McpServerToolCallParams": {
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "properties": {
+          "_meta": true,
+          "arguments": true,
+          "server": {
+            "type": "string"
+          },
+          "threadId": {
+            "type": "string"
+          },
+          "tool": {
+            "type": "string"
+          }
+        },
+        "required": [
+          "server",
+          "threadId",
+          "tool"
+        ],
+        "title": "McpServerToolCallParams",
+        "type": "object"
+      },
+      "McpServerToolCallResponse": {
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "properties": {
+          "_meta": true,
+          "content": {
+            "items": true,
+            "type": "array"
+          },
+          "isError": {
+            "type": [
+              "boolean",
+              "null"
+            ]
+          },
+          "structuredContent": true
+        },
+        "required": [
+          "content"
+        ],
+        "title": "McpServerToolCallResponse",
+        "type": "object"
+      },
      "McpToolCallError": {
        "properties": {
          "message": {
@@ -10488,6 +10614,59 @@
        ],
        "type": "string"
      },
+      "RealtimeVoice": {
+        "enum": [
+          "alloy",
+          "arbor",
+          "ash",
+          "ballad",
+          "breeze",
+          "cedar",
+          "coral",
+          "cove",
+          "echo",
+          "ember",
+          "juniper",
+          "maple",
+          "marin",
+          "sage",
+          "shimmer",
+          "sol",
+          "spruce",
+          "vale",
+          "verse"
+        ],
+        "type": "string"
+      },
+      "RealtimeVoicesList": {
+        "properties": {
+          "defaultV1": {
+            "$ref": "#/definitions/v2/RealtimeVoice"
+          },
+          "defaultV2": {
+            "$ref": "#/definitions/v2/RealtimeVoice"
+          },
+          "v1": {
+            "items": {
+              "$ref": "#/definitions/v2/RealtimeVoice"
+            },
+            "type": "array"
+          },
+          "v2": {
+            "items": {
+              "$ref": "#/definitions/v2/RealtimeVoice"
+            },
+            "type": "array"
+          }
+        },
+        "required": [
+          "defaultV1",
+          "defaultV2",
+          "v1",
+          "v2"
+        ],
+        "type": "object"
+      },
      "ReasoningEffort": {
        "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
        "enum": [
@@ -14174,6 +14353,16 @@
                "type": "null"
              }
            ]
+          },
+          "sessionStartSource": {
+            "anyOf": [
+              {
+                "$ref": "#/definitions/v2/ThreadStartSource"
+              },
+              {
+                "type": "null"
+              }
+            ]
          }
        },
        "title": "ThreadStartParams",
@@ -14241,6 +14430,13 @@
        "title": "ThreadStartResponse",
        "type": "object"
      },
+      "ThreadStartSource": {
+        "enum": [
+          "startup",
+          "clear"
+        ],
+        "type": "string"
+      },
      "ThreadStartedNotification": {
        "$schema": "http://json-schema.org/draft-07/schema#",
        "properties": {
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json
@@ -715,6 +715,13 @@
        }
      ]
    },
+    "AutoReviewDecisionSource": {
+      "description": "[UNSTABLE] Source that produced a terminal guardian approval review decision.",
+      "enum": [
+        "agent"
+      ],
+      "type": "string"
+    },
    "ByteRange": {
      "properties": {
        "end": {
@@ -1800,6 +1807,30 @@
          "title": "McpServer/resource/readRequest",
          "type": "object"
        },
+        {
+          "properties": {
+            "id": {
+              "$ref": "#/definitions/RequestId"
+            },
+            "method": {
+              "enum": [
+                "mcpServer/tool/call"
+              ],
+              "title": "McpServer/tool/callRequestMethod",
+              "type": "string"
+            },
+            "params": {
+              "$ref": "#/definitions/McpServerToolCallParams"
+            }
+          },
+          "required": [
+            "id",
+            "method",
+            "params"
+          ],
+          "title": "McpServer/tool/callRequest",
+          "type": "object"
+        },
        {
          "properties": {
            "id": {
@@ -4089,6 +4120,15 @@
            "null"
          ]
        },
+        "tags": {
+          "additionalProperties": {
+            "type": "string"
+          },
+          "type": [
+            "object",
+            "null"
+          ]
+        },
        "threadId": {
          "type": [
            "string",
@@ -4854,16 +4894,18 @@
            }
          ]
        },
-        "riskScore": {
-          "format": "uint8",
-          "minimum": 0.0,
-          "type": [
-            "integer",
-            "null"
-          ]
-        },
        "status": {
          "$ref": "#/definitions/GuardianApprovalReviewStatus"
+        },
+        "userAuthorization": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/GuardianUserAuthorization"
+            },
+            {
+              "type": "null"
+            }
+          ]
        }
      },
      "required": [
@@ -5047,6 +5089,7 @@
        "inProgress",
        "approved",
        "denied",
+        "timedOut",
        "aborted"
      ],
      "type": "string"
@@ -5061,6 +5104,17 @@
    "GuardianRiskLevel": {
      "description": "[UNSTABLE] Risk level assigned by guardian approval review.",
      "enum": [
+        "low",
+        "medium",
+        "high",
+        "critical"
+      ],
+      "type": "string"
+    },
+    "GuardianUserAuthorization": {
+      "description": "[UNSTABLE] Authorization level assigned by guardian approval review.",
+      "enum": [
+        "unknown",
        "low",
        "medium",
        "high"
@@ -5362,17 +5416,28 @@
    },
    "ItemGuardianApprovalReviewCompletedNotification": {
      "$schema": "http://json-schema.org/draft-07/schema#",
-      "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.\n\nTODO(ccunningham): Attach guardian review state to the reviewed tool item's lifecycle instead of sending separate standalone review notifications so the app-server API can persist and replay review state via `thread/read`.",
+      "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.",
      "properties": {
        "action": {
          "$ref": "#/definitions/GuardianApprovalReviewAction"
        },
+        "decisionSource": {
+          "$ref": "#/definitions/AutoReviewDecisionSource"
+        },
        "review": {
          "$ref": "#/definitions/GuardianApprovalReview"
        },
-        "targetItemId": {
+        "reviewId": {
+          "description": "Stable identifier for this review.",
          "type": "string"
        },
+        "targetItemId": {
+          "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "threadId": {
          "type": "string"
        },
@@ -5382,8 +5447,9 @@
      },
      "required": [
        "action",
+        "decisionSource",
        "review",
-        "targetItemId",
+        "reviewId",
        "threadId",
        "turnId"
      ],
@@ -5392,7 +5458,7 @@
    },
    "ItemGuardianApprovalReviewStartedNotification": {
      "$schema": "http://json-schema.org/draft-07/schema#",
-      "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.\n\nTODO(ccunningham): Attach guardian review state to the reviewed tool item's lifecycle instead of sending separate standalone review notifications so the app-server API can persist and replay review state via `thread/read`.",
+      "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.",
      "properties": {
        "action": {
          "$ref": "#/definitions/GuardianApprovalReviewAction"
@@ -5400,9 +5466,17 @@
        "review": {
          "$ref": "#/definitions/GuardianApprovalReview"
        },
-        "targetItemId": {
+        "reviewId": {
+          "description": "Stable identifier for this review.",
          "type": "string"
        },
+        "targetItemId": {
+          "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "threadId": {
          "type": "string"
        },
@@ -5413,7 +5487,7 @@
      "required": [
        "action",
        "review",
-        "targetItemId",
+        "reviewId",
        "threadId",
        "turnId"
      ],
@@ -5969,6 +6043,51 @@
      "title": "McpServerStatusUpdatedNotification",
      "type": "object"
    },
+    "McpServerToolCallParams": {
+      "$schema": "http://json-schema.org/draft-07/schema#",
+      "properties": {
+        "_meta": true,
+        "arguments": true,
+        "server": {
+          "type": "string"
+        },
+        "threadId": {
+          "type": "string"
+        },
+        "tool": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "server",
+        "threadId",
+        "tool"
+      ],
+      "title": "McpServerToolCallParams",
+      "type": "object"
+    },
+    "McpServerToolCallResponse": {
+      "$schema": "http://json-schema.org/draft-07/schema#",
+      "properties": {
+        "_meta": true,
+        "content": {
+          "items": true,
+          "type": "array"
+        },
+        "isError": {
+          "type": [
+            "boolean",
+            "null"
+          ]
+        },
+        "structuredContent": true
+      },
+      "required": [
+        "content"
+      ],
+      "title": "McpServerToolCallResponse",
+      "type": "object"
+    },
    "McpToolCallError": {
      "properties": {
        "message": {
@@ -7291,6 +7410,59 @@
      ],
      "type": "string"
    },
+    "RealtimeVoice": {
+      "enum": [
+        "alloy",
+        "arbor",
+        "ash",
+        "ballad",
+        "breeze",
+        "cedar",
+        "coral",
+        "cove",
+        "echo",
+        "ember",
+        "juniper",
+        "maple",
+        "marin",
+        "sage",
+        "shimmer",
+        "sol",
+        "spruce",
+        "vale",
+        "verse"
+      ],
+      "type": "string"
+    },
+    "RealtimeVoicesList": {
+      "properties": {
+        "defaultV1": {
+          "$ref": "#/definitions/RealtimeVoice"
+        },
+        "defaultV2": {
+          "$ref": "#/definitions/RealtimeVoice"
+        },
+        "v1": {
+          "items": {
+            "$ref": "#/definitions/RealtimeVoice"
+          },
+          "type": "array"
+        },
+        "v2": {
+          "items": {
+            "$ref": "#/definitions/RealtimeVoice"
+          },
+          "type": "array"
+        }
+      },
+      "required": [
+        "defaultV1",
+        "defaultV2",
+        "v1",
+        "v2"
+      ],
+      "type": "object"
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -12029,6 +12201,16 @@
              "type": "null"
            }
          ]
+        },
+        "sessionStartSource": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/ThreadStartSource"
+            },
+            {
+              "type": "null"
+            }
+          ]
        }
      },
      "title": "ThreadStartParams",
@@ -12096,6 +12278,13 @@
      "title": "ThreadStartResponse",
      "type": "object"
    },
+    "ThreadStartSource": {
+      "enum": [
+        "startup",
+        "clear"
+      ],
+      "type": "string"
+    },
    "ThreadStartedNotification": {
      "$schema": "http://json-schema.org/draft-07/schema#",
      "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/FeedbackUploadParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/FeedbackUploadParams.json
@@ -22,6 +22,15 @@
        "null"
      ]
    },
+    "tags": {
+      "additionalProperties": {
+        "type": "string"
+      },
+      "type": [
+        "object",
+        "null"
+      ]
+    },
    "threadId": {
      "type": [
        "string",
--- a/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewCompletedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewCompletedNotification.json
@@ -1,6 +1,13 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "definitions": {
+    "AutoReviewDecisionSource": {
+      "description": "[UNSTABLE] Source that produced a terminal guardian approval review decision.",
+      "enum": [
+        "agent"
+      ],
+      "type": "string"
+    },
    "GuardianApprovalReview": {
      "description": "[UNSTABLE] Temporary guardian approval review payload used by `item/autoApprovalReview/*` notifications. This shape is expected to change soon.",
      "properties": {
@@ -20,16 +27,18 @@
            }
          ]
        },
-        "riskScore": {
-          "format": "uint8",
-          "minimum": 0.0,
-          "type": [
-            "integer",
-            "null"
-          ]
-        },
        "status": {
          "$ref": "#/definitions/GuardianApprovalReviewStatus"
+        },
+        "userAuthorization": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/GuardianUserAuthorization"
+            },
+            {
+              "type": "null"
+            }
+          ]
        }
      },
      "required": [
@@ -213,6 +222,7 @@
        "inProgress",
        "approved",
        "denied",
+        "timedOut",
        "aborted"
      ],
      "type": "string"
@@ -227,6 +237,17 @@
    "GuardianRiskLevel": {
      "description": "[UNSTABLE] Risk level assigned by guardian approval review.",
      "enum": [
+        "low",
+        "medium",
+        "high",
+        "critical"
+      ],
+      "type": "string"
+    },
+    "GuardianUserAuthorization": {
+      "description": "[UNSTABLE] Authorization level assigned by guardian approval review.",
+      "enum": [
+        "unknown",
        "low",
        "medium",
        "high"
@@ -243,17 +264,28 @@
      "type": "string"
    }
  },
-  "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.\n\nTODO(ccunningham): Attach guardian review state to the reviewed tool item's lifecycle instead of sending separate standalone review notifications so the app-server API can persist and replay review state via `thread/read`.",
+  "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.",
  "properties": {
    "action": {
      "$ref": "#/definitions/GuardianApprovalReviewAction"
    },
+    "decisionSource": {
+      "$ref": "#/definitions/AutoReviewDecisionSource"
+    },
    "review": {
      "$ref": "#/definitions/GuardianApprovalReview"
    },
-    "targetItemId": {
+    "reviewId": {
+      "description": "Stable identifier for this review.",
      "type": "string"
    },
+    "targetItemId": {
+      "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
+      "type": [
+        "string",
+        "null"
+      ]
+    },
    "threadId": {
      "type": "string"
    },
@@ -263,8 +295,9 @@
  },
  "required": [
    "action",
+    "decisionSource",
    "review",
-    "targetItemId",
+    "reviewId",
    "threadId",
    "turnId"
  ],
--- a/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewStartedNotification.json
@@ -20,16 +20,18 @@
            }
          ]
        },
-        "riskScore": {
-          "format": "uint8",
-          "minimum": 0.0,
-          "type": [
-            "integer",
-            "null"
-          ]
-        },
        "status": {
          "$ref": "#/definitions/GuardianApprovalReviewStatus"
+        },
+        "userAuthorization": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/GuardianUserAuthorization"
+            },
+            {
+              "type": "null"
+            }
+          ]
        }
      },
      "required": [
@@ -213,6 +215,7 @@
        "inProgress",
        "approved",
        "denied",
+        "timedOut",
        "aborted"
      ],
      "type": "string"
@@ -227,6 +230,17 @@
    "GuardianRiskLevel": {
      "description": "[UNSTABLE] Risk level assigned by guardian approval review.",
      "enum": [
+        "low",
+        "medium",
+        "high",
+        "critical"
+      ],
+      "type": "string"
+    },
+    "GuardianUserAuthorization": {
+      "description": "[UNSTABLE] Authorization level assigned by guardian approval review.",
+      "enum": [
+        "unknown",
        "low",
        "medium",
        "high"
@@ -243,7 +257,7 @@
      "type": "string"
    }
  },
-  "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.\n\nTODO(ccunningham): Attach guardian review state to the reviewed tool item's lifecycle instead of sending separate standalone review notifications so the app-server API can persist and replay review state via `thread/read`.",
+  "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.",
  "properties": {
    "action": {
      "$ref": "#/definitions/GuardianApprovalReviewAction"
@@ -251,9 +265,17 @@
    "review": {
      "$ref": "#/definitions/GuardianApprovalReview"
    },
-    "targetItemId": {
+    "reviewId": {
+      "description": "Stable identifier for this review.",
      "type": "string"
    },
+    "targetItemId": {
+      "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
+      "type": [
+        "string",
+        "null"
+      ]
+    },
    "threadId": {
      "type": "string"
    },
@@ -264,7 +286,7 @@
  "required": [
    "action",
    "review",
-    "targetItemId",
+    "reviewId",
    "threadId",
    "turnId"
  ],
--- a/codex-rs/app-server-protocol/schema/json/v2/McpServerToolCallParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/McpServerToolCallParams.json
@@ -0,0 +1,23 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "properties": {
+    "_meta": true,
+    "arguments": true,
+    "server": {
+      "type": "string"
+    },
+    "threadId": {
+      "type": "string"
+    },
+    "tool": {
+      "type": "string"
+    }
+  },
+  "required": [
+    "server",
+    "threadId",
+    "tool"
+  ],
+  "title": "McpServerToolCallParams",
+  "type": "object"
+}
--- a/codex-rs/app-server-protocol/schema/json/v2/McpServerToolCallResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/McpServerToolCallResponse.json
@@ -0,0 +1,22 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "properties": {
+    "_meta": true,
+    "content": {
+      "items": true,
+      "type": "array"
+    },
+    "isError": {
+      "type": [
+        "boolean",
+        "null"
+      ]
+    },
+    "structuredContent": true
+  },
+  "required": [
+    "content"
+  ],
+  "title": "McpServerToolCallResponse",
+  "type": "object"
+}
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadStartParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadStartParams.json
@@ -101,6 +101,13 @@
        "flex"
      ],
      "type": "string"
+    },
+    "ThreadStartSource": {
+      "enum": [
+        "startup",
+        "clear"
+      ],
+      "type": "string"
    }
  },
  "properties": {
@@ -210,6 +217,16 @@
          "type": "null"
        }
      ]
+    },
+    "sessionStartSource": {
+      "anyOf": [
+        {
+          "$ref": "#/definitions/ThreadStartSource"
+        },
+        {
+          "type": "null"
+        }
+      ]
    }
  },
  "title": "ThreadStartParams",
--- a/codex-rs/app-server-protocol/schema/typescript/ApplyPatchApprovalParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ApplyPatchApprovalParams.ts
@@ -4,16 +4,16 @@
 import type { FileChange } from "./FileChange";
 import type { ThreadId } from "./ThreadId";

-export type ApplyPatchApprovalParams = { conversationId: ThreadId, 
+export type ApplyPatchApprovalParams = { conversationId: ThreadId,
 /**
 * Use to correlate this with [codex_protocol::protocol::PatchApplyBeginEvent]
 * and [codex_protocol::protocol::PatchApplyEndEvent].
 */
-callId: string, fileChanges: { [key in string]?: FileChange }, 
+callId: string, fileChanges: { [key in string]?: FileChange },
 /**
 * Optional explanatory reason (e.g. request for extra write access).
 */
-reason: string | null, 
+reason: string | null,
 /**
 * When set, the agent is asking the user to allow writes under this root
 * for the remainder of the session (unclear if this is honored today).
--- a/codex-rs/app-server-protocol/schema/typescript/ClientRequest.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ClientRequest.ts
--- a/codex-rs/app-server-protocol/schema/typescript/ExecCommandApprovalParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ExecCommandApprovalParams.ts
@@ -4,12 +4,12 @@
 import type { ParsedCommand } from "./ParsedCommand";
 import type { ThreadId } from "./ThreadId";

-export type ExecCommandApprovalParams = { conversationId: ThreadId, 
+export type ExecCommandApprovalParams = { conversationId: ThreadId,
 /**
 * Use to correlate this with [codex_protocol::protocol::ExecCommandBeginEvent]
 * and [codex_protocol::protocol::ExecCommandEndEvent].
 */
-callId: string, 
+callId: string,
 /**
 * Identifier for this specific approval callback.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/InitializeCapabilities.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/InitializeCapabilities.ts
@@ -5,11 +5,11 @@
 /**
 * Client-declared capabilities negotiated during initialize.
 */
-export type InitializeCapabilities = { 
+export type InitializeCapabilities = {
 /**
 * Opt into receiving experimental API methods and fields.
 */
-experimentalApi: boolean, 
+experimentalApi: boolean,
 /**
 * Exact notification method names that should be suppressed for this
 * connection (for example `thread/started`).
--- a/codex-rs/app-server-protocol/schema/typescript/InitializeResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/InitializeResponse.ts
@@ -3,16 +3,16 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { AbsolutePathBuf } from "./AbsolutePathBuf";

-export type InitializeResponse = { userAgent: string, 
+export type InitializeResponse = { userAgent: string,
 /**
 * Absolute path to the server's $CODEX_HOME directory.
 */
-codexHome: AbsolutePathBuf, 
+codexHome: AbsolutePathBuf,
 /**
 * Platform family for the running app-server target, for example
 * `"unix"` or `"windows"`.
 */
-platformFamily: string, 
+platformFamily: string,
 /**
 * Operating system for the running app-server target, for example
 * `"macos"`, `"linux"`, or `"windows"`.
--- a/codex-rs/app-server-protocol/schema/typescript/ParsedCommand.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ParsedCommand.ts
@@ -2,7 +2,7 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.

-export type ParsedCommand = { "type": "read", cmd: string, name: string, 
+export type ParsedCommand = { "type": "read", cmd: string, name: string,
 /**
 * (Best effort) Path to the file being read by the command. When
 * possible, this is an absolute path, though when relative, it should
--- a/codex-rs/app-server-protocol/schema/typescript/RealtimeVoice.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/RealtimeVoice.ts
@@ -0,0 +1,5 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type RealtimeVoice = "alloy" | "arbor" | "ash" | "ballad" | "breeze" | "cedar" | "coral" | "cove" | "echo" | "ember" | "juniper" | "maple" | "marin" | "sage" | "shimmer" | "sol" | "spruce" | "vale" | "verse";
--- a/codex-rs/app-server-protocol/schema/typescript/RealtimeVoicesList.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/RealtimeVoicesList.ts
@@ -0,0 +1,6 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { RealtimeVoice } from "./RealtimeVoice";
+
+export type RealtimeVoicesList = { v1: Array<RealtimeVoice>, v2: Array<RealtimeVoice>, defaultV1: RealtimeVoice, defaultV2: RealtimeVoice, };
--- a/codex-rs/app-server-protocol/schema/typescript/ResourceContent.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ResourceContent.ts
@@ -6,11 +6,11 @@ import type { JsonValue } from "./serde_json/JsonValue";
 /**
 * Contents returned when reading a resource from an MCP server.
 */
-export type ResourceContent = { 
+export type ResourceContent = {
 /**
 * The URI of this resource.
 */
-uri: string, mimeType?: string, text: string, _meta?: JsonValue, } | { 
+uri: string, mimeType?: string, text: string, _meta?: JsonValue, } | {
 /**
 * The URI of this resource.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/ResponseItem.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ResponseItem.ts
@@ -11,7 +11,7 @@ import type { ReasoningItemContent } from "./ReasoningItemContent";
 import type { ReasoningItemReasoningSummary } from "./ReasoningItemReasoningSummary";
 import type { WebSearchAction } from "./WebSearchAction";

-export type ResponseItem = { "type": "message", role: string, content: Array<ContentItem>, end_turn?: boolean, phase?: MessagePhase, } | { "type": "reasoning", summary: Array<ReasoningItemReasoningSummary>, content?: Array<ReasoningItemContent>, encrypted_content: string | null, } | { "type": "local_shell_call", 
+export type ResponseItem = { "type": "message", role: string, content: Array<ContentItem>, end_turn?: boolean, phase?: MessagePhase, } | { "type": "reasoning", summary: Array<ReasoningItemReasoningSummary>, content?: Array<ReasoningItemContent>, encrypted_content: string | null, } | { "type": "local_shell_call",
 /**
 * Set when using the Responses API.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/ReviewDecision.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ReviewDecision.ts
@@ -7,4 +7,4 @@ import type { NetworkPolicyAmendment } from "./NetworkPolicyAmendment";
 /**
 * User's decision in response to an ExecApprovalRequest.
 */
-export type ReviewDecision = "approved" | { "approved_execpolicy_amendment": { proposed_execpolicy_amendment: ExecPolicyAmendment, } } | "approved_for_session" | { "network_policy_amendment": { network_policy_amendment: NetworkPolicyAmendment, } } | "denied" | "abort";
+export type ReviewDecision = "approved" | { "approved_execpolicy_amendment": { proposed_execpolicy_amendment: ExecPolicyAmendment, } } | "approved_for_session" | { "network_policy_amendment": { network_policy_amendment: NetworkPolicyAmendment, } } | "denied" | "timed_out" | "abort";
--- a/codex-rs/app-server-protocol/schema/typescript/index.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/index.ts
@@ -49,6 +49,8 @@ export type { ParsedCommand } from "./ParsedCommand";
 export type { Personality } from "./Personality";
 export type { PlanType } from "./PlanType";
 export type { RealtimeConversationVersion } from "./RealtimeConversationVersion";
+export type { RealtimeVoice } from "./RealtimeVoice";
+export type { RealtimeVoicesList } from "./RealtimeVoicesList";
 export type { ReasoningEffort } from "./ReasoningEffort";
 export type { ReasoningItemContent } from "./ReasoningItemContent";
 export type { ReasoningItemReasoningSummary } from "./ReasoningItemReasoningSummary";
--- a/codex-rs/app-server-protocol/schema/typescript/v2/AppInfo.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/AppInfo.ts
@@ -7,7 +7,7 @@ import type { AppMetadata } from "./AppMetadata";
 /**
 * EXPERIMENTAL - app metadata returned by app-list APIs.
 */
-export type AppInfo = { id: string, name: string, description: string | null, logoUrl: string | null, logoUrlDark: string | null, distributionChannel: string | null, branding: AppBranding | null, appMetadata: AppMetadata | null, labels: { [key in string]?: string } | null, installUrl: string | null, isAccessible: boolean, 
+export type AppInfo = { id: string, name: string, description: string | null, logoUrl: string | null, logoUrlDark: string | null, distributionChannel: string | null, branding: AppBranding | null, appMetadata: AppMetadata | null, labels: { [key in string]?: string } | null, installUrl: string | null, isAccessible: boolean,
 /**
 * Whether this app is enabled in config.toml.
 * Example:
--- a/codex-rs/app-server-protocol/schema/typescript/v2/AppsListParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/AppsListParams.ts
@@ -5,19 +5,19 @@
 /**
 * EXPERIMENTAL - list available apps/connectors.
 */
-export type AppsListParams = { 
+export type AppsListParams = {
 /**
 * Opaque pagination cursor returned by a previous call.
 */
-cursor?: string | null, 
+cursor?: string | null,
 /**
 * Optional page size; defaults to a reasonable server-side value.
 */
-limit?: number | null, 
+limit?: number | null,
 /**
 * Optional thread id used to evaluate app feature gating from that thread's config.
 */
-threadId?: string | null, 
+threadId?: string | null,
 /**
 * When true, bypass app caches and fetch the latest data from sources.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/AppsListResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/AppsListResponse.ts
@@ -6,7 +6,7 @@ import type { AppInfo } from "./AppInfo";
 /**
 * EXPERIMENTAL - app list response.
 */
-export type AppsListResponse = { data: Array<AppInfo>, 
+export type AppsListResponse = { data: Array<AppInfo>,
 /**
 * Opaque cursor to pass to the next call to continue after the last item.
 * If None, there are no more items to return.
--- a/codex-rs/app-server-protocol/schema/typescript/v2/AutoReviewDecisionSource.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/AutoReviewDecisionSource.ts
@@ -0,0 +1,8 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+/**
+ * [UNSTABLE] Source that produced a terminal guardian approval review decision.
+ */
+export type AutoReviewDecisionSource = "agent";
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ChatgptAuthTokensRefreshParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ChatgptAuthTokensRefreshParams.ts
@@ -3,7 +3,7 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { ChatgptAuthTokensRefreshReason } from "./ChatgptAuthTokensRefreshReason";

-export type ChatgptAuthTokensRefreshParams = { reason: ChatgptAuthTokensRefreshReason, 
+export type ChatgptAuthTokensRefreshParams = { reason: ChatgptAuthTokensRefreshReason,
 /**
 * Workspace/account identifier that Codex was previously using.
 *
--- a/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecOutputDeltaNotification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecOutputDeltaNotification.ts
@@ -9,20 +9,20 @@ import type { CommandExecOutputStream } from "./CommandExecOutputStream";
 * These notifications are connection-scoped. If the originating connection
 * closes, the server terminates the process.
 */
-export type CommandExecOutputDeltaNotification = { 
+export type CommandExecOutputDeltaNotification = {
 /**
 * Client-supplied, connection-scoped `processId` from the original
 * `command/exec` request.
 */
-processId: string, 
+processId: string,
 /**
 * Output stream for this chunk.
 */
-stream: CommandExecOutputStream, 
+stream: CommandExecOutputStream,
 /**
 * Base64-encoded output bytes.
 */
-deltaBase64: string, 
+deltaBase64: string,
 /**
 * `true` on the final streamed chunk for a stream when `outputBytesCap`
 * truncated later output on that stream.
--- a/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecParams.ts
@@ -12,11 +12,11 @@ import type { SandboxPolicy } from "./SandboxPolicy";
 * sent only after all `command/exec/outputDelta` notifications for that
 * connection have been emitted.
 */
-export type CommandExecParams = { 
+export type CommandExecParams = {
 /**
 * Command argv vector. Empty arrays are rejected.
 */
-command: Array<string>, 
+command: Array<string>,
 /**
 * Optional client-supplied, connection-scoped process id.
 *
@@ -25,56 +25,56 @@ command: Array<string>,
 * `command/exec/terminate` calls. When omitted, buffered execution gets an
 * internal id that is not exposed to the client.
 */
-processId?: string | null, 
+processId?: string | null,
 /**
 * Enable PTY mode.
 *
 * This implies `streamStdin` and `streamStdoutStderr`.
 */
-tty?: boolean, 
+tty?: boolean,
 /**
 * Allow follow-up `command/exec/write` requests to write stdin bytes.
 *
 * Requires a client-supplied `processId`.
 */
-streamStdin?: boolean, 
+streamStdin?: boolean,
 /**
 * Stream stdout/stderr via `command/exec/outputDelta` notifications.
 *
 * Streamed bytes are not duplicated into the final response and require a
 * client-supplied `processId`.
 */
-streamStdoutStderr?: boolean, 
+streamStdoutStderr?: boolean,
 /**
 * Optional per-stream stdout/stderr capture cap in bytes.
 *
 * When omitted, the server default applies. Cannot be combined with
 * `disableOutputCap`.
 */
-outputBytesCap?: number | null, 
+outputBytesCap?: number | null,
 /**
 * Disable stdout/stderr capture truncation for this request.
 *
 * Cannot be combined with `outputBytesCap`.
 */
-disableOutputCap?: boolean, 
+disableOutputCap?: boolean,
 /**
 * Disable the timeout entirely for this request.
 *
 * Cannot be combined with `timeoutMs`.
 */
-disableTimeout?: boolean, 
+disableTimeout?: boolean,
 /**
 * Optional timeout in milliseconds.
 *
 * When omitted, the server default applies. Cannot be combined with
 * `disableTimeout`.
 */
-timeoutMs?: number | null, 
+timeoutMs?: number | null,
 /**
 * Optional working directory. Defaults to the server cwd.
 */
-cwd?: string | null, 
+cwd?: string | null,
 /**
 * Optional environment overrides merged into the server-computed
 * environment.
@@ -82,12 +82,12 @@ cwd?: string | null,
 * Matching names override inherited values. Set a key to `null` to unset
 * an inherited variable.
 */
-env?: { [key in string]?: string | null } | null, 
+env?: { [key in string]?: string | null } | null,
 /**
 * Optional initial PTY size in character cells. Only valid when `tty` is
 * true.
 */
-size?: CommandExecTerminalSize | null, 
+size?: CommandExecTerminalSize | null,
 /**
 * Optional sandbox policy for this command.
 *
--- a/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecResizeParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecResizeParams.ts
@@ -6,12 +6,12 @@ import type { CommandExecTerminalSize } from "./CommandExecTerminalSize";
 /**
 * Resize a running PTY-backed `command/exec` session.
 */
-export type CommandExecResizeParams = { 
+export type CommandExecResizeParams = {
 /**
 * Client-supplied, connection-scoped `processId` from the original
 * `command/exec` request.
 */
-processId: string, 
+processId: string,
 /**
 * New PTY size in character cells.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecResponse.ts
@@ -5,17 +5,17 @@
 /**
 * Final buffered result for `command/exec`.
 */
-export type CommandExecResponse = { 
+export type CommandExecResponse = {
 /**
 * Process exit code.
 */
-exitCode: number, 
+exitCode: number,
 /**
 * Buffered stdout capture.
 *
 * Empty when stdout was streamed via `command/exec/outputDelta`.
 */
-stdout: string, 
+stdout: string,
 /**
 * Buffered stderr capture.
 *
--- a/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecTerminalSize.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecTerminalSize.ts
@@ -5,11 +5,11 @@
 /**
 * PTY size in character cells for `command/exec` PTY sessions.
 */
-export type CommandExecTerminalSize = { 
+export type CommandExecTerminalSize = {
 /**
 * Terminal height in character cells.
 */
-rows: number, 
+rows: number,
 /**
 * Terminal width in character cells.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecTerminateParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecTerminateParams.ts
@@ -5,7 +5,7 @@
 /**
 * Terminate a running `command/exec` session.
 */
-export type CommandExecTerminateParams = { 
+export type CommandExecTerminateParams = {
 /**
 * Client-supplied, connection-scoped `processId` from the original
 * `command/exec` request.
--- a/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecWriteParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecWriteParams.ts
@@ -6,16 +6,16 @@
 * Write stdin bytes to a running `command/exec` session, close stdin, or
 * both.
 */
-export type CommandExecWriteParams = { 
+export type CommandExecWriteParams = {
 /**
 * Client-supplied, connection-scoped `processId` from the original
 * `command/exec` request.
 */
-processId: string, 
+processId: string,
 /**
 * Optional base64-encoded stdin bytes to write.
 */
-deltaBase64?: string | null, 
+deltaBase64?: string | null,
 /**
 * Close stdin after writing `deltaBase64`, if present.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecutionRequestApprovalParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecutionRequestApprovalParams.ts
@@ -8,7 +8,7 @@ import type { ExecPolicyAmendment } from "./ExecPolicyAmendment";
 import type { NetworkApprovalContext } from "./NetworkApprovalContext";
 import type { NetworkPolicyAmendment } from "./NetworkPolicyAmendment";

-export type CommandExecutionRequestApprovalParams = { threadId: string, turnId: string, itemId: string, 
+export type CommandExecutionRequestApprovalParams = { threadId: string, turnId: string, itemId: string,
 /**
 * Unique identifier for this specific approval callback.
 *
@@ -18,39 +18,39 @@ export type CommandExecutionRequestApprovalParams = { threadId: string, turnId:
 * one parent `itemId`, so `approvalId` is a distinct opaque callback id
 * (a UUID) used to disambiguate routing.
 */
-approvalId?: string | null, 
+approvalId?: string | null,
 /**
 * Optional explanatory reason (e.g. request for network access).
 */
-reason?: string | null, 
+reason?: string | null,
 /**
 * Optional context for a managed-network approval prompt.
 */
-networkApprovalContext?: NetworkApprovalContext | null, 
+networkApprovalContext?: NetworkApprovalContext | null,
 /**
 * The command to be executed.
 */
-command?: string | null, 
+command?: string | null,
 /**
 * The command's working directory.
 */
-cwd?: string | null, 
+cwd?: string | null,
 /**
 * Best-effort parsed command actions for friendly display.
 */
-commandActions?: Array<CommandAction> | null, 
+commandActions?: Array<CommandAction> | null,
 /**
 * Optional additional permissions requested for this command.
 */
-additionalPermissions?: AdditionalPermissionProfile | null, 
+additionalPermissions?: AdditionalPermissionProfile | null,
 /**
 * Optional proposed execpolicy amendment to allow similar commands without prompting.
 */
-proposedExecpolicyAmendment?: ExecPolicyAmendment | null, 
+proposedExecpolicyAmendment?: ExecPolicyAmendment | null,
 /**
 * Optional proposed network policy amendments (allow/deny host) for future requests.
 */
-proposedNetworkPolicyAmendments?: Array<NetworkPolicyAmendment> | null, 
+proposedNetworkPolicyAmendments?: Array<NetworkPolicyAmendment> | null,
 /**
 * Ordered list of decisions the client may present for this prompt.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ConfigBatchWriteParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ConfigBatchWriteParams.ts
@@ -3,11 +3,11 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { ConfigEdit } from "./ConfigEdit";

-export type ConfigBatchWriteParams = { edits: Array<ConfigEdit>, 
+export type ConfigBatchWriteParams = { edits: Array<ConfigEdit>,
 /**
 * Path to the config file to write; defaults to the user's `config.toml` when omitted.
 */
-filePath?: string | null, expectedVersion?: string | null, 
+filePath?: string | null, expectedVersion?: string | null,
 /**
 * When true, hot-reload the updated user config into all loaded threads after writing.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ConfigLayerSource.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ConfigLayerSource.ts
@@ -3,12 +3,12 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { AbsolutePathBuf } from "../AbsolutePathBuf";

-export type ConfigLayerSource = { "type": "mdm", domain: string, key: string, } | { "type": "system", 
+export type ConfigLayerSource = { "type": "mdm", domain: string, key: string, } | { "type": "system",
 /**
 * This is the path to the system config.toml file, though it is not
 * guaranteed to exist.
 */
-file: AbsolutePathBuf, } | { "type": "user", 
+file: AbsolutePathBuf, } | { "type": "user",
 /**
 * This is the path to the user's config.toml file, though it is not
 * guaranteed to exist.
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ConfigReadParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ConfigReadParams.ts
@@ -2,7 +2,7 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.

-export type ConfigReadParams = { includeLayers: boolean, 
+export type ConfigReadParams = { includeLayers: boolean,
 /**
 * Optional working directory to resolve project config layers. If specified,
 * return the effective config as seen from that directory (i.e., including any
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ConfigRequirementsReadResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ConfigRequirementsReadResponse.ts
@@ -3,7 +3,7 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { ConfigRequirements } from "./ConfigRequirements";

-export type ConfigRequirementsReadResponse = { 
+export type ConfigRequirementsReadResponse = {
 /**
 * Null if no requirements are configured (e.g. no requirements.toml/MDM entries).
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ConfigValueWriteParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ConfigValueWriteParams.ts
@@ -4,7 +4,7 @@
 import type { JsonValue } from "../serde_json/JsonValue";
 import type { MergeStrategy } from "./MergeStrategy";

-export type ConfigValueWriteParams = { keyPath: string, value: JsonValue, mergeStrategy: MergeStrategy, 
+export type ConfigValueWriteParams = { keyPath: string, value: JsonValue, mergeStrategy: MergeStrategy,
 /**
 * Path to the config file to write; defaults to the user's `config.toml` when omitted.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ConfigWarningNotification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ConfigWarningNotification.ts
@@ -3,19 +3,19 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { TextRange } from "./TextRange";

-export type ConfigWarningNotification = { 
+export type ConfigWarningNotification = {
 /**
 * Concise summary of the warning.
 */
-summary: string, 
+summary: string,
 /**
 * Optional extra guidance or error details.
 */
-details: string | null, 
+details: string | null,
 /**
 * Optional path to the config file that triggered the warning.
 */
-path?: string, 
+path?: string,
 /**
 * Optional range for the error location inside the config file.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ConfigWriteResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ConfigWriteResponse.ts
@@ -5,7 +5,7 @@ import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 import type { OverriddenMetadata } from "./OverriddenMetadata";
 import type { WriteStatus } from "./WriteStatus";

-export type ConfigWriteResponse = { status: WriteStatus, version: string, 
+export type ConfigWriteResponse = { status: WriteStatus, version: string,
 /**
 * Canonical path to the config file that was written.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/DeprecationNoticeNotification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/DeprecationNoticeNotification.ts
@@ -2,11 +2,11 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.

-export type DeprecationNoticeNotification = { 
+export type DeprecationNoticeNotification = {
 /**
 * Concise summary of what is deprecated.
 */
-summary: string, 
+summary: string,
 /**
 * Optional extra guidance, such as migration steps or rationale.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ExperimentalFeature.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ExperimentalFeature.ts
@@ -3,34 +3,34 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { ExperimentalFeatureStage } from "./ExperimentalFeatureStage";

-export type ExperimentalFeature = { 
+export type ExperimentalFeature = {
 /**
 * Stable key used in config.toml and CLI flag toggles.
 */
-name: string, 
+name: string,
 /**
 * Lifecycle stage of this feature flag.
 */
-stage: ExperimentalFeatureStage, 
+stage: ExperimentalFeatureStage,
 /**
 * User-facing display name shown in the experimental features UI.
 * Null when this feature is not in beta.
 */
-displayName: string | null, 
+displayName: string | null,
 /**
 * Short summary describing what the feature does.
 * Null when this feature is not in beta.
 */
-description: string | null, 
+description: string | null,
 /**
 * Announcement copy shown to users when the feature is introduced.
 * Null when this feature is not in beta.
 */
-announcement: string | null, 
+announcement: string | null,
 /**
 * Whether this feature is currently enabled in the loaded config.
 */
-enabled: boolean, 
+enabled: boolean,
 /**
 * Whether this feature is enabled by default.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ExperimentalFeatureEnablementSetParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ExperimentalFeatureEnablementSetParams.ts
@@ -2,7 +2,7 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.

-export type ExperimentalFeatureEnablementSetParams = { 
+export type ExperimentalFeatureEnablementSetParams = {
 /**
 * Process-wide runtime feature enablement keyed by canonical feature name.
 *
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ExperimentalFeatureEnablementSetResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ExperimentalFeatureEnablementSetResponse.ts
@@ -2,7 +2,7 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.

-export type ExperimentalFeatureEnablementSetResponse = { 
+export type ExperimentalFeatureEnablementSetResponse = {
 /**
 * Feature enablement entries updated by this request.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ExperimentalFeatureListParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ExperimentalFeatureListParams.ts
@@ -2,11 +2,11 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.

-export type ExperimentalFeatureListParams = { 
+export type ExperimentalFeatureListParams = {
 /**
 * Opaque pagination cursor returned by a previous call.
 */
-cursor?: string | null, 
+cursor?: string | null,
 /**
 * Optional page size; defaults to a reasonable server-side value.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ExperimentalFeatureListResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ExperimentalFeatureListResponse.ts
@@ -3,7 +3,7 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { ExperimentalFeature } from "./ExperimentalFeature";

-export type ExperimentalFeatureListResponse = { data: Array<ExperimentalFeature>, 
+export type ExperimentalFeatureListResponse = { data: Array<ExperimentalFeature>,
 /**
 * Opaque cursor to pass to the next call to continue after the last item.
 * If None, there are no more items to return.
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ExternalAgentConfigDetectParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ExternalAgentConfigDetectParams.ts
@@ -2,11 +2,11 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.

-export type ExternalAgentConfigDetectParams = { 
+export type ExternalAgentConfigDetectParams = {
 /**
 * If true, include detection under the user's home (~/.claude, ~/.codex, etc.).
 */
-includeHome?: boolean, 
+includeHome?: boolean,
 /**
 * Zero or more working directories to include for repo-scoped detection.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ExternalAgentConfigMigrationItem.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ExternalAgentConfigMigrationItem.ts
@@ -3,7 +3,7 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { ExternalAgentConfigMigrationItemType } from "./ExternalAgentConfigMigrationItemType";

-export type ExternalAgentConfigMigrationItem = { itemType: ExternalAgentConfigMigrationItemType, description: string, 
+export type ExternalAgentConfigMigrationItem = { itemType: ExternalAgentConfigMigrationItemType, description: string,
 /**
 * Null or empty means home-scoped migration; non-empty means repo-scoped migration.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/FeedbackUploadParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/FeedbackUploadParams.ts
@@ -2,4 +2,4 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.

-export type FeedbackUploadParams = { classification: string, reason?: string | null, threadId?: string | null, includeLogs: boolean, extraLogFiles?: Array<string> | null, };
+export type FeedbackUploadParams = { classification: string, reason?: string | null, threadId?: string | null, includeLogs: boolean, extraLogFiles?: Array<string> | null, tags?: { [key in string]?: string } | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/FileChangeRequestApprovalParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/FileChangeRequestApprovalParams.ts
@@ -2,11 +2,11 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.

-export type FileChangeRequestApprovalParams = { threadId: string, turnId: string, itemId: string, 
+export type FileChangeRequestApprovalParams = { threadId: string, turnId: string, itemId: string,
 /**
 * Optional explanatory reason (e.g. request for extra write access).
 */
-reason?: string | null, 
+reason?: string | null,
 /**
 * [UNSTABLE] When set, the agent is asking the user to allow writes under this root
 * for the remainder of the session (unclear if this is honored today).
--- a/codex-rs/app-server-protocol/schema/typescript/v2/FsChangedNotification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/FsChangedNotification.ts
@@ -6,11 +6,11 @@ import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 /**
 * Filesystem watch notification emitted for `fs/watch` subscribers.
 */
-export type FsChangedNotification = { 
+export type FsChangedNotification = {
 /**
 * Watch identifier previously provided to `fs/watch`.
 */
-watchId: string, 
+watchId: string,
 /**
 * File or directory paths associated with this event.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/FsCopyParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/FsCopyParams.ts
@@ -6,15 +6,15 @@ import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 /**
 * Copy a file or directory tree on the host filesystem.
 */
-export type FsCopyParams = { 
+export type FsCopyParams = {
 /**
 * Absolute source path.
 */
-sourcePath: AbsolutePathBuf, 
+sourcePath: AbsolutePathBuf,
 /**
 * Absolute destination path.
 */
-destinationPath: AbsolutePathBuf, 
+destinationPath: AbsolutePathBuf,
 /**
 * Required for directory copies; ignored for file copies.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/FsCreateDirectoryParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/FsCreateDirectoryParams.ts
@@ -6,11 +6,11 @@ import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 /**
 * Create a directory on the host filesystem.
 */
-export type FsCreateDirectoryParams = { 
+export type FsCreateDirectoryParams = {
 /**
 * Absolute directory path to create.
 */
-path: AbsolutePathBuf, 
+path: AbsolutePathBuf,
 /**
 * Whether parent directories should also be created. Defaults to `true`.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/FsGetMetadataParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/FsGetMetadataParams.ts
@@ -6,7 +6,7 @@ import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 /**
 * Request metadata for an absolute path.
 */
-export type FsGetMetadataParams = { 
+export type FsGetMetadataParams = {
 /**
 * Absolute path to inspect.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/FsGetMetadataResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/FsGetMetadataResponse.ts
@@ -5,19 +5,19 @@
 /**
 * Metadata returned by `fs/getMetadata`.
 */
-export type FsGetMetadataResponse = { 
+export type FsGetMetadataResponse = {
 /**
 * Whether the path currently resolves to a directory.
 */
-isDirectory: boolean, 
+isDirectory: boolean,
 /**
 * Whether the path currently resolves to a regular file.
 */
-isFile: boolean, 
+isFile: boolean,
 /**
 * File creation time in Unix milliseconds when available, otherwise `0`.
 */
-createdAtMs: number, 
+createdAtMs: number,
 /**
 * File modification time in Unix milliseconds when available, otherwise `0`.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/FsReadDirectoryEntry.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/FsReadDirectoryEntry.ts
@@ -5,15 +5,15 @@
 /**
 * A directory entry returned by `fs/readDirectory`.
 */
-export type FsReadDirectoryEntry = { 
+export type FsReadDirectoryEntry = {
 /**
 * Direct child entry name only, not an absolute or relative path.
 */
-fileName: string, 
+fileName: string,
 /**
 * Whether this entry resolves to a directory.
 */
-isDirectory: boolean, 
+isDirectory: boolean,
 /**
 * Whether this entry resolves to a regular file.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/FsReadDirectoryParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/FsReadDirectoryParams.ts
@@ -6,7 +6,7 @@ import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 /**
 * List direct child names for a directory.
 */
-export type FsReadDirectoryParams = { 
+export type FsReadDirectoryParams = {
 /**
 * Absolute directory path to read.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/FsReadDirectoryResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/FsReadDirectoryResponse.ts
@@ -6,7 +6,7 @@ import type { FsReadDirectoryEntry } from "./FsReadDirectoryEntry";
 /**
 * Directory entries returned by `fs/readDirectory`.
 */
-export type FsReadDirectoryResponse = { 
+export type FsReadDirectoryResponse = {
 /**
 * Direct child entries in the requested directory.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/FsReadFileParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/FsReadFileParams.ts
@@ -6,7 +6,7 @@ import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 /**
 * Read a file from the host filesystem.
 */
-export type FsReadFileParams = { 
+export type FsReadFileParams = {
 /**
 * Absolute path to read.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/FsReadFileResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/FsReadFileResponse.ts
@@ -5,7 +5,7 @@
 /**
 * Base64-encoded file contents returned by `fs/readFile`.
 */
-export type FsReadFileResponse = { 
+export type FsReadFileResponse = {
 /**
 * File contents encoded as base64.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/FsRemoveParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/FsRemoveParams.ts
@@ -6,15 +6,15 @@ import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 /**
 * Remove a file or directory tree from the host filesystem.
 */
-export type FsRemoveParams = { 
+export type FsRemoveParams = {
 /**
 * Absolute path to remove.
 */
-path: AbsolutePathBuf, 
+path: AbsolutePathBuf,
 /**
 * Whether directory removal should recurse. Defaults to `true`.
 */
-recursive?: boolean | null, 
+recursive?: boolean | null,
 /**
 * Whether missing paths should be ignored. Defaults to `true`.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/FsUnwatchParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/FsUnwatchParams.ts
@@ -5,7 +5,7 @@
 /**
 * Stop filesystem watch notifications for a prior `fs/watch`.
 */
-export type FsUnwatchParams = { 
+export type FsUnwatchParams = {
 /**
 * Watch identifier previously provided to `fs/watch`.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/FsWatchParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/FsWatchParams.ts
@@ -6,11 +6,11 @@ import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 /**
 * Start filesystem watch notifications for an absolute path.
 */
-export type FsWatchParams = { 
+export type FsWatchParams = {
 /**
 * Connection-scoped watch identifier used for `fs/unwatch` and `fs/changed`.
 */
-watchId: string, 
+watchId: string,
 /**
 * Absolute file or directory path to watch.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/FsWatchResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/FsWatchResponse.ts
@@ -6,7 +6,7 @@ import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 /**
 * Successful response for `fs/watch`.
 */
-export type FsWatchResponse = { 
+export type FsWatchResponse = {
 /**
 * Canonicalized path associated with the watch.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/FsWriteFileParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/FsWriteFileParams.ts
@@ -6,11 +6,11 @@ import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 /**
 * Write a file on the host filesystem.
 */
-export type FsWriteFileParams = { 
+export type FsWriteFileParams = {
 /**
 * Absolute path to write.
 */
-path: AbsolutePathBuf, 
+path: AbsolutePathBuf,
 /**
 * File contents encoded as base64.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/GetAccountParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/GetAccountParams.ts
@@ -2,7 +2,7 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.

-export type GetAccountParams = { 
+export type GetAccountParams = {
 /**
 * When `true`, requests a proactive token refresh before returning.
 *
--- a/codex-rs/app-server-protocol/schema/typescript/v2/GetAccountRateLimitsResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/GetAccountRateLimitsResponse.ts
@@ -3,11 +3,11 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { RateLimitSnapshot } from "./RateLimitSnapshot";

-export type GetAccountRateLimitsResponse = { 
+export type GetAccountRateLimitsResponse = {
 /**
 * Backward-compatible single-bucket view; mirrors the historical payload.
 */
-rateLimits: RateLimitSnapshot, 
+rateLimits: RateLimitSnapshot,
 /**
 * Multi-bucket view keyed by metered `limit_id` (for example, `codex`).
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/GuardianApprovalReview.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/GuardianApprovalReview.ts
@@ -3,10 +3,11 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { GuardianApprovalReviewStatus } from "./GuardianApprovalReviewStatus";
 import type { GuardianRiskLevel } from "./GuardianRiskLevel";
+import type { GuardianUserAuthorization } from "./GuardianUserAuthorization";

 /**
 * [UNSTABLE] Temporary guardian approval review payload used by
 * `item/autoApprovalReview/*` notifications. This shape is expected to change
 * soon.
 */
-export type GuardianApprovalReview = { status: GuardianApprovalReviewStatus, riskScore: number | null, riskLevel: GuardianRiskLevel | null, rationale: string | null, };
+export type GuardianApprovalReview = { status: GuardianApprovalReviewStatus, riskLevel: GuardianRiskLevel | null, userAuthorization: GuardianUserAuthorization | null, rationale: string | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/GuardianApprovalReviewStatus.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/GuardianApprovalReviewStatus.ts
@@ -5,4 +5,4 @@
 /**
 * [UNSTABLE] Lifecycle state for a guardian approval review.
 */
-export type GuardianApprovalReviewStatus = "inProgress" | "approved" | "denied" | "aborted";
+export type GuardianApprovalReviewStatus = "inProgress" | "approved" | "denied" | "timedOut" | "aborted";
--- a/codex-rs/app-server-protocol/schema/typescript/v2/GuardianRiskLevel.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/GuardianRiskLevel.ts
@@ -5,4 +5,4 @@
 /**
 * [UNSTABLE] Risk level assigned by guardian approval review.
 */
-export type GuardianRiskLevel = "low" | "medium" | "high";
+export type GuardianRiskLevel = "low" | "medium" | "high" | "critical";
--- a/codex-rs/app-server-protocol/schema/typescript/v2/GuardianUserAuthorization.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/GuardianUserAuthorization.ts
@@ -0,0 +1,8 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+/**
+ * [UNSTABLE] Authorization level assigned by guardian approval review.
+ */
+export type GuardianUserAuthorization = "unknown" | "low" | "medium" | "high";
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ItemGuardianApprovalReviewCompletedNotification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ItemGuardianApprovalReviewCompletedNotification.ts
@@ -1,15 +1,30 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { AutoReviewDecisionSource } from "./AutoReviewDecisionSource";
 import type { GuardianApprovalReview } from "./GuardianApprovalReview";
 import type { GuardianApprovalReviewAction } from "./GuardianApprovalReviewAction";

 /**
 * [UNSTABLE] Temporary notification payload for guardian automatic approval
 * review. This shape is expected to change soon.
- *
- * TODO(ccunningham): Attach guardian review state to the reviewed tool item's
- * lifecycle instead of sending separate standalone review notifications so the
- * app-server API can persist and replay review state via `thread/read`.
 */
-export type ItemGuardianApprovalReviewCompletedNotification = { threadId: string, turnId: string, targetItemId: string, review: GuardianApprovalReview, action: GuardianApprovalReviewAction, };
+export type ItemGuardianApprovalReviewCompletedNotification = { threadId: string, turnId: string,
+/**
+ * Stable identifier for this review.
+ */
+reviewId: string,
+/**
+ * Identifier for the reviewed item or tool call when one exists.
+ *
+ * In most cases, one review maps to one target item. The exceptions are
+ * - execve reviews, where a single command may contain multiple execve
+ *   calls to review (only possible when using the shell_zsh_fork feature)
+ * - network policy reviews, where there is no target item
+ *
+ * A network call is triggered by a CommandExecution item, so having a
+ * target_item_id set to the CommandExecution item would be misleading
+ * because the review is about the network call, not the command execution.
+ * Therefore, target_item_id is set to None for network policy reviews.
+ */
+targetItemId: string | null, decisionSource: AutoReviewDecisionSource, review: GuardianApprovalReview, action: GuardianApprovalReviewAction, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ItemGuardianApprovalReviewStartedNotification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ItemGuardianApprovalReviewStartedNotification.ts
@@ -7,9 +7,23 @@ import type { GuardianApprovalReviewAction } from "./GuardianApprovalReviewActio
 /**
 * [UNSTABLE] Temporary notification payload for guardian automatic approval
 * review. This shape is expected to change soon.
- *
- * TODO(ccunningham): Attach guardian review state to the reviewed tool item's
- * lifecycle instead of sending separate standalone review notifications so the
- * app-server API can persist and replay review state via `thread/read`.
 */
-export type ItemGuardianApprovalReviewStartedNotification = { threadId: string, turnId: string, targetItemId: string, review: GuardianApprovalReview, action: GuardianApprovalReviewAction, };
+export type ItemGuardianApprovalReviewStartedNotification = { threadId: string, turnId: string,
+/**
+ * Stable identifier for this review.
+ */
+reviewId: string,
+/**
+ * Identifier for the reviewed item or tool call when one exists.
+ *
+ * In most cases, one review maps to one target item. The exceptions are
+ * - execve reviews, where a single command may contain multiple execve
+ *   calls to review (only possible when using the shell_zsh_fork feature)
+ * - network policy reviews, where there is no target item
+ *
+ * A network call is triggered by a CommandExecution item, so having a
+ * target_item_id set to the CommandExecution item would be misleading
+ * because the review is about the network call, not the command execution.
+ * Therefore, target_item_id is set to None for network policy reviews.
+ */
+targetItemId: string | null, review: GuardianApprovalReview, action: GuardianApprovalReviewAction, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ListMcpServerStatusParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ListMcpServerStatusParams.ts
@@ -3,15 +3,15 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { McpServerStatusDetail } from "./McpServerStatusDetail";

-export type ListMcpServerStatusParams = { 
+export type ListMcpServerStatusParams = {
 /**
 * Opaque pagination cursor returned by a previous call.
 */
-cursor?: string | null, 
+cursor?: string | null,
 /**
 * Optional page size; defaults to a server-defined value.
 */
-limit?: number | null, 
+limit?: number | null,
 /**
 * Controls how much MCP inventory data to fetch for each server.
 * Defaults to `Full` when omitted.
--- a/Show More
+++ b/Show More