Shard Windows arm64 nextest runs

Add a dynamic rust-ci-full test matrix so workflow_dispatch or shard-specific full-ci branch names can split the Windows arm64 nextest lane across 2 or 4 hosts while leaving the default push behavior unchanged. Co-authored-by: Codex <noreply@openai.com>
Keep sccache stats alive through CI jobs
2026-05-09 05:42:32 +00:00 · 2026-05-07 17:11:16 -07:00 · 2026-05-07 15:59:45 -07:00 · 2026-05-07 15:20:40 -07:00 · 2026-05-07 15:20:40 -07:00 · 2026-05-07 15:20:39 -07:00
540 changed files with 8568 additions and 14286 deletions
--- a/.github/ISSUE_TEMPLATE/3-cli.yml
+++ b/.github/ISSUE_TEMPLATE/3-cli.yml
@@ -2,6 +2,7 @@ name: 💻 CLI Bug
 description: Report an issue in the Codex CLI
 labels:
  - bug
+  - needs triage
 body:
  - type: markdown
    attributes:
@@ -40,9 +41,9 @@ body:
    id: terminal
    attributes:
      label: What terminal emulator and version are you using (if applicable)?
+      description: Also note any multiplexer in use (screen / tmux / zellij)
      description: |
-        Also note any multiplexer in use (screen / tmux / zellij).
-        E.g., VS Code, Terminal.app, iTerm2, Ghostty, Windows Terminal (WSL / PowerShell)
+        E.g, VSCode, Terminal.app, iTerm2, Ghostty, Windows Terminal (WSL / PowerShell)
  - type: textarea
    id: actual
    attributes:
--- a/.github/ISSUE_TEMPLATE/5-feature-request.yml
+++ b/.github/ISSUE_TEMPLATE/5-feature-request.yml
@@ -10,7 +10,7 @@ body:

        Before you submit a feature:
        1. Search existing issues for similar features. If you find one, 👍 it rather than opening a new one.
-        2. The Codex team will try to balance the varying needs of the community when prioritizing or rejecting new features. Not all features will be accepted. See [Contributing](https://github.com/openai/codex/blob/main/docs/contributing.md) for more details.
+        2. The Codex team will try to balance the varying needs of the community when prioritizing or rejecting new features. Not all features will be accepted. See [Contributing](https://github.com/openai/codex#contributing) for more details.

  - type: input
    id: variant
--- a/.github/ISSUE_TEMPLATE/6-docs-issue.yml
+++ b/.github/ISSUE_TEMPLATE/6-docs-issue.yml
@@ -1,6 +1,6 @@
 name: 📗 Documentation Issue
 description: Tell us if there is missing or incorrect documentation
-labels: [documentation]
+labels: [docs]
 body:
  - type: markdown
    attributes:
@@ -24,4 +24,4 @@ body:
  - type: textarea
    attributes:
      label: Where did you find it?
-      description: If possible, please provide the URL(s) where you found this issue.
+      description: If possible, please provide the URL(s) where you found this issue.
--- a/.github/actions/setup-bazel-ci/action.yml
+++ b/.github/actions/setup-bazel-ci/action.yml
@@ -35,6 +35,11 @@ runs:
    - name: Set up Bazel
      uses: bazel-contrib/setup-bazel@c5acdfb288317d0b5c0bbd7a396a3dc868bb0f86 # 0.19.0

+    - name: Configure Dev Drive (Windows)
+      if: runner.os == 'Windows'
+      shell: pwsh
+      run: ./.github/scripts/setup-dev-drive.ps1
+
    - name: Configure Bazel repository cache
      id: configure_bazel_repository_cache
      shell: pwsh
@@ -42,7 +47,12 @@ runs:
        # Keep the repository cache under HOME on all runners. Windows `D:\a`
        # cache paths match `.bazelrc`, but `actions/cache/restore` currently
        # returns HTTP 400 for that path in the Windows clippy job.
-        $repositoryCachePath = Join-Path $HOME '.cache/bazel-repo-cache'
+        $cacheRoot = if ($env:RUNNER_OS -eq 'Windows' -and $env:DEV_DRIVE) {
+          $env:DEV_DRIVE
+        } else {
+          $HOME
+        }
+        $repositoryCachePath = Join-Path $cacheRoot '.cache/bazel-repo-cache'
        "repository-cache-path=$repositoryCachePath" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
        "BAZEL_REPOSITORY_CACHE=$repositoryCachePath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append

@@ -50,11 +60,10 @@ runs:
      if: runner.os == 'Windows'
      shell: pwsh
      run: |
-        # Use the shortest available drive to reduce argv/path length issues,
-        # but avoid the drive root because some Windows test launchers mis-handle
-        # MANIFEST paths there.
-        $hasDDrive = Test-Path 'D:\'
-        $bazelOutputUserRoot = if ($hasDDrive) { 'D:\b' } else { 'C:\b' }
+        # Keep Bazel on the fast Windows work drive, but avoid the drive root
+        # because some Windows test launchers mis-handle MANIFEST paths there.
+        $driveRoot = if ($env:DEV_DRIVE) { $env:DEV_DRIVE } elseif (Test-Path 'D:\') { 'D:' } else { 'C:' }
+        $bazelOutputUserRoot = Join-Path $driveRoot 'b'
        $repoContentsCache = Join-Path $env:RUNNER_TEMP "bazel-repo-contents-cache-$env:GITHUB_RUN_ID-$env:GITHUB_JOB"
        "BAZEL_OUTPUT_USER_ROOT=$bazelOutputUserRoot" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
        "BAZEL_REPO_CONTENTS_CACHE=$repoContentsCache" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -6,37 +6,25 @@ updates:
    directory: .github/actions/codex
    schedule:
      interval: weekly
-    cooldown:
-      default-days: 7
  - package-ecosystem: cargo
    directories:
      - codex-rs
      - codex-rs/*
    schedule:
      interval: weekly
-    cooldown:
-      default-days: 7
  - package-ecosystem: devcontainers
    directory: /
    schedule:
      interval: weekly
-    cooldown:
-      default-days: 7
  - package-ecosystem: docker
    directory: codex-cli
    schedule:
      interval: weekly
-    cooldown:
-      default-days: 7
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
-    cooldown:
-      default-days: 7
  - package-ecosystem: rust-toolchain
    directory: codex-rs
    schedule:
      interval: weekly
-    cooldown:
-      default-days: 7
--- a/.github/scripts/setup-dev-drive.ps1
+++ b/.github/scripts/setup-dev-drive.ps1
@@ -0,0 +1,62 @@
+# Configure a fast drive for Windows CI jobs.
+#
+# GitHub-hosted Windows runners do not always expose a secondary D: volume. When
+# they do not, try to create a Dev Drive VHD and fall back to C: if the runner
+# image does not allow that provisioning path.
+
+function Use-FallbackDrive {
+    param([string]$Reason)
+
+    Write-Warning "$Reason Falling back to C:"
+    return "C:"
+}
+
+function Invoke-BestEffort {
+    param([scriptblock]$Script, [string]$Description)
+
+    try {
+        & $Script
+    } catch {
+        Write-Warning "$Description failed: $($_.Exception.Message)"
+    }
+}
+
+if (Test-Path "D:\") {
+    Write-Output "Using existing drive at D:"
+    $Drive = "D:"
+} else {
+    try {
+        $VhdPath = Join-Path $env:RUNNER_TEMP "codex-dev-drive.vhdx"
+        $SizeBytes = 64GB
+
+        if (Test-Path $VhdPath) {
+            Remove-Item -Path $VhdPath -Force
+        }
+
+        New-VHD -Path $VhdPath -SizeBytes $SizeBytes -Dynamic -ErrorAction Stop | Out-Null
+        $Mounted = Mount-VHD -Path $VhdPath -Passthru -ErrorAction Stop
+        $Disk = $Mounted | Get-Disk -ErrorAction Stop
+        $Disk | Initialize-Disk -PartitionStyle GPT -ErrorAction Stop
+        $Partition = $Disk | New-Partition -AssignDriveLetter -UseMaximumSize -ErrorAction Stop
+        $Volume = $Partition | Format-Volume -FileSystem ReFS -NewFileSystemLabel "CodexDevDrive" -DevDrive -Confirm:$false -Force -ErrorAction Stop
+
+        $Drive = "$($Volume.DriveLetter):"
+
+        Invoke-BestEffort { fsutil devdrv trust $Drive } "Trusting Dev Drive $Drive"
+        Invoke-BestEffort { fsutil devdrv enable /disallowAv } "Disabling AV filter attachment for Dev Drives"
+        Invoke-BestEffort { fsutil devdrv query $Drive } "Querying Dev Drive $Drive"
+
+        Write-Output "Using Dev Drive at $Drive"
+    } catch {
+        $Drive = Use-FallbackDrive "Failed to create Dev Drive: $($_.Exception.Message)"
+    }
+}
+
+$Tmp = "$Drive\codex-tmp"
+New-Item -Path $Tmp -ItemType Directory -Force | Out-Null
+
+@(
+    "DEV_DRIVE=$Drive"
+    "TMP=$Tmp"
+    "TEMP=$Tmp"
+) | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
--- a/.github/workflows/bazel.yml
+++ b/.github/workflows/bazel.yml
@@ -57,9 +57,6 @@ jobs:

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false

      - name: Check rusty_v8 MODULE.bazel checksums
        if: matrix.os == 'ubuntu-24.04' && matrix.target == 'x86_64-unknown-linux-gnu'
@@ -152,9 +149,6 @@ jobs:

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false

      - name: Prepare Bazel CI
        id: prepare_bazel
@@ -238,9 +232,6 @@ jobs:

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false

      - name: Prepare Bazel CI
        id: prepare_bazel
@@ -328,9 +319,6 @@ jobs:

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false

      - name: Prepare Bazel CI
        id: prepare_bazel
--- a/.github/workflows/blob-size-policy.yml
+++ b/.github/workflows/blob-size-policy.yml
@@ -10,17 +10,15 @@ jobs:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
          fetch-depth: 0
-          persist-credentials: false

      - name: Determine PR comparison range
        id: range
        shell: bash
        run: |
          set -euo pipefail
-          echo "base=${{ github.event.pull_request.base.sha }}" >> "$GITHUB_OUTPUT"
-          echo "head=${{ github.event.pull_request.head.sha }}" >> "$GITHUB_OUTPUT"
+          echo "base=$(git rev-parse HEAD^1)" >> "$GITHUB_OUTPUT"
+          echo "head=$(git rev-parse HEAD^2)" >> "$GITHUB_OUTPUT"

      - name: Check changed blob sizes
        env:
--- a/.github/workflows/cargo-deny.yml
+++ b/.github/workflows/cargo-deny.yml
@@ -15,9 +15,6 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,9 +13,6 @@ jobs:
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false

      - name: Verify codex-rs Cargo manifests inherit workspace settings
        run: python3 .github/scripts/verify_cargo_workspace_manifests.py
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -19,9 +19,6 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
      - name: Annotate locations with typos
        uses: codespell-project/codespell-problem-matcher@b80729f885d32f78a716c2f107b4db1025001c42 # v1.1.0
      - name: Codespell
--- a/.github/workflows/issue-deduplicator.yml
+++ b/.github/workflows/issue-deduplicator.yml
@@ -20,8 +20,6 @@ jobs:
      has_matches: ${{ steps.normalize-all.outputs.has_matches }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false

      - name: Prepare Codex inputs
        env:
@@ -158,8 +156,6 @@ jobs:
      has_matches: ${{ steps.normalize-open.outputs.has_matches }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false

      - name: Prepare Codex inputs
        env:
--- a/.github/workflows/issue-labeler.yml
+++ b/.github/workflows/issue-labeler.yml
@@ -18,8 +18,6 @@ jobs:
      codex_output: ${{ steps.codex.outputs.final-message }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false

      - id: codex
        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02 # v1.7
--- a/.github/workflows/rust-ci-full.yml
+++ b/.github/workflows/rust-ci-full.yml
@@ -1,17 +1,34 @@
 name: rust-ci-full
+run-name: >-
+  rust-ci-full${{
+    github.event_name == 'workflow_dispatch' &&
+    format(' windows-nextest-{0} arm64-shards-{1}', inputs.windows_nextest_threads || 'default', inputs.windows_arm64_partitions || '1') ||
+    contains(github.ref_name, 'arm64-shards-4') && ' arm64-shards-4' ||
+    contains(github.ref_name, 'arm64-shards-2') && ' arm64-shards-2' ||
+    ''
+  }}
 on:
  push:
    branches:
      - main
      - "**full-ci**"
  workflow_dispatch:
+    inputs:
+      windows_nextest_threads:
+        description: "Optional nextest --test-threads override for Windows test jobs"
+        required: false
+        type: string
+      windows_arm64_partitions:
+        description: "Number of Windows arm64 nextest partitions"
+        required: false
+        default: "1"
+        type: choice
+        options:
+          - "1"
+          - "2"
+          - "4"

 # CI builds in debug (dev) for faster signal.
-env:
-  # Cargo's libgit2 transport has been flaky on macOS when fetching git
-  # dependencies with nested submodules. Use the system git CLI, which has
-  # better network/proxy behavior and matches Cargo's own suggested fallback.
-  CARGO_NET_GIT_FETCH_WITH_CLI: "true"

 jobs:
  # --- CI that doesn't need specific targets ---------------------------------
@@ -23,8 +40,6 @@ jobs:
        working-directory: codex-rs
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
        with:
          components: rustfmt
@@ -39,14 +54,13 @@ jobs:
        working-directory: codex-rs
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2.62.49
        with:
-          tool: cargo-shear@1.11.2
+          tool: cargo-shear
+          version: 1.11.2
      - name: cargo shear
-        run: cargo shear --deny-warnings
+        run: cargo shear

  argument_comment_lint_package:
    name: Argument comment lint package
@@ -56,8 +70,6 @@ jobs:
      DYLINT_LINK_VERSION: 5.0.0
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
        with:
          toolchain: nightly-2025-09-18
@@ -108,8 +120,6 @@ jobs:
              labels: codex-windows-x64
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
      - uses: ./.github/actions/setup-bazel-ci
        with:
          target: ${{ runner.os }}
@@ -159,9 +169,10 @@ jobs:
      # Speed up repeated builds across CI runs by caching compiled objects, except on
      # arm64 macOS runners cross-targeting x86_64 where ring/cc-rs can produce
      # mixed-architecture archives under sccache.
-      USE_SCCACHE: ${{ (startsWith(matrix.runner, 'windows') || (matrix.runner == 'macos-15-xlarge' && matrix.target == 'x86_64-apple-darwin')) && 'false' || 'true' }}
+      USE_SCCACHE: ${{ (matrix.runner == 'macos-15-xlarge' && matrix.target == 'x86_64-apple-darwin') && 'false' || 'true' }}
      CARGO_INCREMENTAL: "0"
      SCCACHE_CACHE_SIZE: 10G
+      SCCACHE_IDLE_TIMEOUT: "0"
      # In rust-ci, representative release-profile checks use thin LTO for faster feedback.
      CARGO_PROFILE_RELEASE_LTO: ${{ matrix.profile == 'release' && 'thin' || 'fat' }}

@@ -246,8 +257,10 @@ jobs:

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+      - name: Configure Dev Drive (Windows)
+        if: ${{ runner.os == 'Windows' }}
+        shell: pwsh
+        run: ../.github/scripts/setup-dev-drive.ps1
      - name: Install Linux build dependencies
        if: ${{ runner.os == 'Linux' }}
        shell: bash
@@ -308,10 +321,10 @@ jobs:
      # Install and restore sccache cache
      - name: Install sccache
        if: ${{ env.USE_SCCACHE == 'true' }}
-        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2.62.49
+        uses: taiki-e/install-action@cca35edeb1d01366c2843b68fc3ca441446d73d3 # v2.77.1
        with:
-          tool: sccache
-          version: 0.7.5
+          tool: sccache@0.14.0
+          fallback: none

      - name: Configure sccache backend
        if: ${{ env.USE_SCCACHE == 'true' }}
@@ -323,32 +336,52 @@ jobs:
            echo "Using sccache GitHub backend"
          else
            echo "SCCACHE_GHA_ENABLED=false" >> "$GITHUB_ENV"
-            echo "SCCACHE_DIR=${{ github.workspace }}/.sccache" >> "$GITHUB_ENV"
+            if [[ -n "${DEV_DRIVE:-}" ]]; then
+              echo "SCCACHE_DIR=${DEV_DRIVE}\\.sccache" >> "$GITHUB_ENV"
+            else
+              echo "SCCACHE_DIR=${{ github.workspace }}/.sccache" >> "$GITHUB_ENV"
+            fi
            echo "Using sccache local disk + actions/cache fallback"
          fi

      - name: Enable sccache wrapper
        if: ${{ env.USE_SCCACHE == 'true' }}
        shell: bash
-        run: echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV"
+        run: |
+          set -euo pipefail
+          wrapper="$(command -v sccache)"
+          if [[ "${RUNNER_OS}" == "Windows" ]] && command -v cygpath >/dev/null 2>&1; then
+            wrapper="$(cygpath -w "${wrapper}")"
+          fi
+          echo "RUSTC_WRAPPER=${wrapper}" >> "$GITHUB_ENV"
+          echo "CARGO_BUILD_RUSTC_WRAPPER=${wrapper}" >> "$GITHUB_ENV"

      - name: Restore sccache cache (fallback)
        if: ${{ env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true' }}
        id: cache_sccache_restore
        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
-          path: ${{ github.workspace }}/.sccache/
+          path: ${{ env.SCCACHE_DIR }}
          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
          restore-keys: |
            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-
            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-

+      - name: Start sccache server (Windows)
+        if: ${{ env.USE_SCCACHE == 'true' && runner.os == 'Windows' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          sccache --start-server
+          sccache --show-stats
+
      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
        name: Disable sccache wrapper (musl)
        shell: bash
        run: |
          set -euo pipefail
          echo "RUSTC_WRAPPER=" >> "$GITHUB_ENV"
+          echo "CARGO_BUILD_RUSTC_WRAPPER=" >> "$GITHUB_ENV"
          echo "RUSTC_WORKSPACE_WRAPPER=" >> "$GITHUB_ENV"

      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
@@ -492,7 +525,7 @@ jobs:
        continue-on-error: true
        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
-          path: ${{ github.workspace }}/.sccache/
+          path: ${{ env.SCCACHE_DIR }}
          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}

      - name: sccache stats
@@ -521,13 +554,119 @@ jobs:
            /var/cache/apt
          key: apt-${{ matrix.runner }}-${{ matrix.target }}-v1

+  test_matrix:
+    name: Select test matrix
+    runs-on: ubuntu-24.04
+    outputs:
+      matrix: ${{ steps.matrix.outputs.matrix }}
+    env:
+      WINDOWS_ARM64_PARTITIONS: >-
+        ${{
+          github.event_name == 'workflow_dispatch' && inputs.windows_arm64_partitions ||
+          contains(github.ref_name, 'arm64-shards-4') && '4' ||
+          contains(github.ref_name, 'arm64-shards-2') && '2' ||
+          '1'
+        }}
+    steps:
+      - name: Build test matrix
+        id: matrix
+        shell: bash
+        run: |
+          set -euo pipefail
+          case "${WINDOWS_ARM64_PARTITIONS}" in
+            1|2|4) ;;
+            *)
+              echo "Unsupported WINDOWS_ARM64_PARTITIONS=${WINDOWS_ARM64_PARTITIONS}" >&2
+              exit 1
+              ;;
+          esac
+
+          python3 - <<'PY' >> "$GITHUB_OUTPUT"
+          import json
+          import os
+
+          windows_arm64_partitions = int(os.environ["WINDOWS_ARM64_PARTITIONS"])
+
+          def row(runner, target, profile, *, timeout_minutes=None, remote_env=None, runs_on=None, partition_index=None):
+              partition_suffix = ""
+              partition_name = ""
+              nextest_partition = ""
+              if partition_index is not None and windows_arm64_partitions > 1:
+                  partition_suffix = f"-part-{partition_index}-of-{windows_arm64_partitions}"
+                  partition_name = f" (part {partition_index}/{windows_arm64_partitions})"
+                  nextest_partition = f"hash:{partition_index}/{windows_arm64_partitions}"
+
+              entry = {
+                  "runner": runner,
+                  "target": target,
+                  "profile": profile,
+                  "partition_suffix": partition_suffix,
+                  "partition_name": partition_name,
+                  "nextest_partition": nextest_partition,
+              }
+              if timeout_minutes is not None:
+                  entry["timeout_minutes"] = timeout_minutes
+              if remote_env is not None:
+                  entry["remote_env"] = remote_env
+              if runs_on is not None:
+                  entry["runs_on"] = runs_on
+              return entry
+
+          codex_runners = {
+              "linux-x64": {"group": "codex-runners", "labels": "codex-linux-x64"},
+              "linux-arm64": {"group": "codex-runners", "labels": "codex-linux-arm64"},
+              "windows-x64": {"group": "codex-runners", "labels": "codex-windows-x64"},
+              "windows-arm64": {"group": "codex-runners", "labels": "codex-windows-arm64"},
+          }
+
+          include = [
+              row("macos-15-xlarge", "aarch64-apple-darwin", "dev"),
+              row(
+                  "ubuntu-24.04",
+                  "x86_64-unknown-linux-gnu",
+                  "dev",
+                  remote_env="true",
+                  runs_on=codex_runners["linux-x64"],
+              ),
+              row(
+                  "ubuntu-24.04-arm",
+                  "aarch64-unknown-linux-gnu",
+                  "dev",
+                  runs_on=codex_runners["linux-arm64"],
+              ),
+              row(
+                  "windows-x64",
+                  "x86_64-pc-windows-msvc",
+                  "dev",
+                  runs_on=codex_runners["windows-x64"],
+              ),
+          ]
+
+          for partition_index in range(1, windows_arm64_partitions + 1):
+              include.append(
+                  row(
+                      "windows-arm64",
+                      "aarch64-pc-windows-msvc",
+                      "dev",
+                      timeout_minutes=75,
+                      runs_on=codex_runners["windows-arm64"],
+                      partition_index=partition_index,
+                  )
+              )
+
+          print("matrix<<JSON")
+          print(json.dumps({"include": include}, separators=(",", ":")))
+          print("JSON")
+          PY
+
  tests:
-    name: Tests — ${{ matrix.runner }} - ${{ matrix.target }}${{ matrix.remote_env == 'true' && ' (remote)' || '' }}
+    name: Tests — ${{ matrix.runner }} - ${{ matrix.target }}${{ matrix.remote_env == 'true' && ' (remote)' || '' }}${{ matrix.partition_name }}
+    needs: test_matrix
    runs-on: ${{ matrix.runs_on || matrix.runner }}
-    # Perhaps we can bring this back down to 30m once we finish the cutover
-    # from tui_app_server/ to tui/. Incidentally, windows-arm64 was the main
-    # offender for exceeding the timeout.
-    timeout-minutes: 45
+    # Perhaps we can bring this back down once we finish the cutover from
+    # tui_app_server/ to tui/. Incidentally, windows-arm64 was the main offender
+    # for exceeding the timeout.
+    timeout-minutes: ${{ matrix.timeout_minutes || 45 }}
    defaults:
      run:
        working-directory: codex-rs
@@ -535,47 +674,22 @@ jobs:
      # Speed up repeated builds across CI runs by caching compiled objects, except on
      # arm64 macOS runners cross-targeting x86_64 where ring/cc-rs can produce
      # mixed-architecture archives under sccache.
-      USE_SCCACHE: ${{ (startsWith(matrix.runner, 'windows') || (matrix.runner == 'macos-15-xlarge' && matrix.target == 'x86_64-apple-darwin')) && 'false' || 'true' }}
+      USE_SCCACHE: ${{ (matrix.runner == 'macos-15-xlarge' && matrix.target == 'x86_64-apple-darwin') && 'false' || 'true' }}
      CARGO_INCREMENTAL: "0"
      SCCACHE_CACHE_SIZE: 10G
+      SCCACHE_IDLE_TIMEOUT: "0"
+      WINDOWS_NEXTEST_THREADS: ${{ github.event_name == 'workflow_dispatch' && inputs.windows_nextest_threads || '' }}

    strategy:
      fail-fast: false
-      matrix:
-        include:
-          - runner: macos-15-xlarge
-            target: aarch64-apple-darwin
-            profile: dev
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-gnu
-            profile: dev
-            remote_env: "true"
-            runs_on:
-              group: codex-runners
-              labels: codex-linux-x64
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-gnu
-            profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-linux-arm64
-          - runner: windows-x64
-            target: x86_64-pc-windows-msvc
-            profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-x64
-          - runner: windows-arm64
-            target: aarch64-pc-windows-msvc
-            profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-arm64
+      matrix: ${{ fromJSON(needs.test_matrix.outputs.matrix) }}

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+      - name: Configure Dev Drive (Windows)
+        if: ${{ runner.os == 'Windows' }}
+        shell: pwsh
+        run: ../.github/scripts/setup-dev-drive.ps1
      - name: Install Linux build dependencies
        if: ${{ runner.os == 'Linux' }}
        shell: bash
@@ -583,7 +697,7 @@ jobs:
          set -euo pipefail
          if command -v apt-get >/dev/null 2>&1; then
            sudo apt-get update -y
-            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev bubblewrap
+            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev
          fi

      # Some integration tests rely on DotSlash being installed.
@@ -619,10 +733,10 @@ jobs:

      - name: Install sccache
        if: ${{ env.USE_SCCACHE == 'true' }}
-        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2.62.49
+        uses: taiki-e/install-action@cca35edeb1d01366c2843b68fc3ca441446d73d3 # v2.77.1
        with:
-          tool: sccache
-          version: 0.7.5
+          tool: sccache@0.14.0
+          fallback: none

      - name: Configure sccache backend
        if: ${{ env.USE_SCCACHE == 'true' }}
@@ -634,30 +748,49 @@ jobs:
            echo "Using sccache GitHub backend"
          else
            echo "SCCACHE_GHA_ENABLED=false" >> "$GITHUB_ENV"
-            echo "SCCACHE_DIR=${{ github.workspace }}/.sccache" >> "$GITHUB_ENV"
+            if [[ -n "${DEV_DRIVE:-}" ]]; then
+              echo "SCCACHE_DIR=${DEV_DRIVE}\\.sccache" >> "$GITHUB_ENV"
+            else
+              echo "SCCACHE_DIR=${{ github.workspace }}/.sccache" >> "$GITHUB_ENV"
+            fi
            echo "Using sccache local disk + actions/cache fallback"
          fi

      - name: Enable sccache wrapper
        if: ${{ env.USE_SCCACHE == 'true' }}
        shell: bash
-        run: echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV"
+        run: |
+          set -euo pipefail
+          wrapper="$(command -v sccache)"
+          if [[ "${RUNNER_OS}" == "Windows" ]] && command -v cygpath >/dev/null 2>&1; then
+            wrapper="$(cygpath -w "${wrapper}")"
+          fi
+          echo "RUSTC_WRAPPER=${wrapper}" >> "$GITHUB_ENV"
+          echo "CARGO_BUILD_RUSTC_WRAPPER=${wrapper}" >> "$GITHUB_ENV"

      - name: Restore sccache cache (fallback)
        if: ${{ env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true' }}
        id: cache_sccache_restore
        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
-          path: ${{ github.workspace }}/.sccache/
-          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
+          path: ${{ env.SCCACHE_DIR }}
+          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}${{ matrix.partition_suffix }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
          restore-keys: |
+            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}${{ matrix.partition_suffix }}-${{ steps.lockhash.outputs.hash }}-
            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-
            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-

+      - name: Start sccache server (Windows)
+        if: ${{ env.USE_SCCACHE == 'true' && runner.os == 'Windows' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          sccache --start-server
+          sccache --show-stats
+
      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2.62.49
        with:
-          tool: nextest
-          version: 0.9.103
+          tool: nextest@0.9.103

      - name: Enable unprivileged user namespaces (Linux)
        if: runner.os == 'Linux'
@@ -682,17 +815,33 @@ jobs:

      - name: tests
        id: test
-        run: cargo nextest run --no-fail-fast --target ${{ matrix.target }} --cargo-profile ci-test --timings
+        shell: bash
+        run: |
+          set -euo pipefail
+          nextest_args=(
+            --no-fail-fast
+            --target "${{ matrix.target }}"
+            --cargo-profile ci-test
+            --timings
+          )
+          if [[ "${{ runner.os }}" == "Windows" && -n "${WINDOWS_NEXTEST_THREADS}" ]]; then
+            nextest_args+=(--test-threads "${WINDOWS_NEXTEST_THREADS}")
+          fi
+          if [[ -n "${NEXTEST_PARTITION}" ]]; then
+            nextest_args+=(--partition "${NEXTEST_PARTITION}")
+          fi
+          cargo nextest run "${nextest_args[@]}"
        env:
          RUST_BACKTRACE: 1
          RUST_MIN_STACK: "8388608" # 8 MiB
          NEXTEST_STATUS_LEVEL: leak
+          NEXTEST_PARTITION: ${{ matrix.nextest_partition }}

      - name: Upload Cargo timings (nextest)
        if: always()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
-          name: cargo-timings-rust-ci-nextest-${{ matrix.target }}-${{ matrix.profile }}
+          name: cargo-timings-rust-ci-nextest-${{ matrix.target }}-${{ matrix.profile }}${{ matrix.partition_suffix }}
          path: codex-rs/target/**/cargo-timings/cargo-timing.html
          if-no-files-found: warn

@@ -713,8 +862,8 @@ jobs:
        continue-on-error: true
        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
-          path: ${{ github.workspace }}/.sccache/
-          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
+          path: ${{ env.SCCACHE_DIR }}
+          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}${{ matrix.partition_suffix }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}

      - name: sccache stats
        if: always() && env.USE_SCCACHE == 'true'
@@ -738,12 +887,10 @@ jobs:
        shell: bash
        run: |
          set +e
-          if [[ "${STEPS_TEST_OUTCOME}" != "success" ]]; then
+          if [[ "${{ steps.test.outcome }}" != "success" ]]; then
            docker logs codex-remote-test-env || true
          fi
          docker rm -f codex-remote-test-env >/dev/null 2>&1 || true
-        env:
-          STEPS_TEST_OUTCOME: ${{ steps.test.outcome }}

      - name: verify tests passed
        if: steps.test.outcome == 'failure'
@@ -761,6 +908,7 @@ jobs:
        argument_comment_lint_package,
        argument_comment_lint_prebuilt,
        lint_build,
+        test_matrix,
        tests,
      ]
    if: always()
@@ -774,12 +922,14 @@ jobs:
          echo "general: ${{ needs.general.result }}"
          echo "shear  : ${{ needs.cargo_shear.result }}"
          echo "lint   : ${{ needs.lint_build.result }}"
+          echo "matrix : ${{ needs.test_matrix.result }}"
          echo "tests  : ${{ needs.tests.result }}"
          [[ '${{ needs.argument_comment_lint_package.result }}' == 'success' ]] || { echo 'argument_comment_lint_package failed'; exit 1; }
          [[ '${{ needs.argument_comment_lint_prebuilt.result }}' == 'success' ]] || { echo 'argument_comment_lint_prebuilt failed'; exit 1; }
          [[ '${{ needs.general.result }}' == 'success' ]] || { echo 'general failed'; exit 1; }
          [[ '${{ needs.cargo_shear.result }}' == 'success' ]] || { echo 'cargo_shear failed'; exit 1; }
          [[ '${{ needs.lint_build.result }}' == 'success' ]] || { echo 'lint_build failed'; exit 1; }
+          [[ '${{ needs.test_matrix.result }}' == 'success' ]] || { echo 'test_matrix failed'; exit 1; }
          [[ '${{ needs.tests.result }}' == 'success' ]] || { echo 'tests failed'; exit 1; }

      - name: sccache summary note
--- a/.github/workflows/rust-ci.yml
+++ b/.github/workflows/rust-ci.yml
@@ -16,9 +16,7 @@ jobs:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
          fetch-depth: 0
-          persist-credentials: false
      - name: Detect changed paths (no external action)
        id: detect
        shell: bash
@@ -64,9 +62,6 @@ jobs:
        working-directory: codex-rs
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
        with:
          components: rustfmt
@@ -83,15 +78,13 @@ jobs:
        working-directory: codex-rs
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2.62.49
        with:
-          tool: cargo-shear@1.11.2
+          tool: cargo-shear
+          version: 1.11.2
      - name: cargo shear
-        run: cargo shear --deny-warnings
+        run: cargo shear

  argument_comment_lint_package:
    name: Argument comment lint package
@@ -103,9 +96,6 @@ jobs:
      DYLINT_LINK_VERSION: 5.0.0
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
      - name: Install nightly argument-comment-lint toolchain
        shell: bash
@@ -182,9 +172,6 @@ jobs:
          echo "run=false" >> "$GITHUB_OUTPUT"
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        if: ${{ steps.argument_comment_lint_gate.outputs.run == 'true' }}
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false
      - name: Run argument comment lint on codex-rs via Bazel
        if: ${{ steps.argument_comment_lint_gate.outputs.run == 'true' }}
        uses: ./.github/actions/run-argument-comment-lint
@@ -216,25 +203,20 @@ jobs:

          # If nothing relevant changed (PR touching only root README, etc.),
          # declare success regardless of other jobs.
-          if [[ "${NEEDS_CHANGED_OUTPUTS_ARGUMENT_COMMENT_LINT}" != 'true' && "${NEEDS_CHANGED_OUTPUTS_CODEX}" != 'true' && "${NEEDS_CHANGED_OUTPUTS_WORKFLOWS}" != 'true' ]]; then
+          if [[ '${{ needs.changed.outputs.argument_comment_lint }}' != 'true' && '${{ needs.changed.outputs.codex }}' != 'true' && '${{ needs.changed.outputs.workflows }}' != 'true' ]]; then
            echo 'No relevant changes -> CI not required.'
            exit 0
          fi

-          if [[ "${NEEDS_CHANGED_OUTPUTS_ARGUMENT_COMMENT_LINT_PACKAGE}" == 'true' ]]; then
+          if [[ '${{ needs.changed.outputs.argument_comment_lint_package }}' == 'true' ]]; then
            [[ '${{ needs.argument_comment_lint_package.result }}' == 'success' ]] || { echo 'argument_comment_lint_package failed'; exit 1; }
          fi

-          if [[ "${NEEDS_CHANGED_OUTPUTS_ARGUMENT_COMMENT_LINT}" == 'true' || "${NEEDS_CHANGED_OUTPUTS_WORKFLOWS}" == 'true' ]]; then
+          if [[ '${{ needs.changed.outputs.argument_comment_lint }}' == 'true' || '${{ needs.changed.outputs.workflows }}' == 'true' ]]; then
            [[ '${{ needs.argument_comment_lint_prebuilt.result }}' == 'success' ]] || { echo 'argument_comment_lint_prebuilt failed'; exit 1; }
          fi

-          if [[ "${NEEDS_CHANGED_OUTPUTS_CODEX}" == 'true' || "${NEEDS_CHANGED_OUTPUTS_WORKFLOWS}" == 'true' ]]; then
+          if [[ '${{ needs.changed.outputs.codex }}' == 'true' || '${{ needs.changed.outputs.workflows }}' == 'true' ]]; then
            [[ '${{ needs.general.result }}' == 'success' ]] || { echo 'general failed'; exit 1; }
            [[ '${{ needs.cargo_shear.result }}' == 'success' ]] || { echo 'cargo_shear failed'; exit 1; }
          fi
-        env:
-          NEEDS_CHANGED_OUTPUTS_ARGUMENT_COMMENT_LINT: ${{ needs.changed.outputs.argument_comment_lint }}
-          NEEDS_CHANGED_OUTPUTS_CODEX: ${{ needs.changed.outputs.codex }}
-          NEEDS_CHANGED_OUTPUTS_WORKFLOWS: ${{ needs.changed.outputs.workflows }}
-          NEEDS_CHANGED_OUTPUTS_ARGUMENT_COMMENT_LINT_PACKAGE: ${{ needs.changed.outputs.argument_comment_lint_package }}
--- a/.github/workflows/rust-release-argument-comment-lint.yml
+++ b/.github/workflows/rust-release-argument-comment-lint.yml
@@ -57,8 +57,6 @@ jobs:

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false

      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
        with:
--- a/.github/workflows/rust-release-prepare.yml
+++ b/.github/workflows/rust-release-prepare.yml
@@ -22,7 +22,6 @@ jobs:
        with:
          ref: main
          fetch-depth: 0
-          persist-credentials: false

      - name: Update models.json
        env:
--- a/.github/workflows/rust-release-windows.yml
+++ b/.github/workflows/rust-release-windows.yml
@@ -84,8 +84,6 @@ jobs:

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
      - name: Print runner specs (Windows)
        shell: powershell
        run: |
@@ -168,8 +166,6 @@ jobs:

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false

      - name: Download prebuilt Windows primary binaries
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
--- a/.github/workflows/rust-release-zsh.yml
+++ b/.github/workflows/rust-release-zsh.yml
@@ -46,8 +46,6 @@ jobs:
            libncursesw5-dev

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false

      - name: Build, smoke-test, and stage zsh artifact
        shell: bash
@@ -84,8 +82,6 @@ jobs:
          fi

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false

      - name: Build, smoke-test, and stage zsh artifact
        shell: bash
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -20,8 +20,6 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
      - name: Validate tag matches Cargo.toml version
        shell: bash
@@ -121,8 +119,6 @@ jobs:

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
      - name: Print runner specs (Linux)
        if: ${{ runner.os == 'Linux' }}
        shell: bash
@@ -188,7 +184,6 @@ jobs:
        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2.2.1
        with:
          version: 0.14.0
-          use-cache: false

      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
        name: Install musl build tools
@@ -482,8 +477,6 @@ jobs:
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false

      - name: Generate release notes from tag commit message
        id: release_notes
--- a/.github/workflows/rusty-v8-release.yml
+++ b/.github/workflows/rusty-v8-release.yml
@@ -18,8 +18,6 @@ jobs:

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -72,8 +70,6 @@ jobs:

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false

      - name: Set up Bazel
        uses: ./.github/actions/setup-bazel-ci
--- a/.github/workflows/sdk.yml
+++ b/.github/workflows/sdk.yml
@@ -14,9 +14,6 @@ jobs:
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false

      - name: Install Linux bwrap build dependencies
        shell: bash
--- a/.github/workflows/v8-canary.yml
+++ b/.github/workflows/v8-canary.yml
@@ -41,9 +41,6 @@ jobs:

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -78,9 +75,6 @@ jobs:

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
-          persist-credentials: false

      - name: Set up Bazel
        uses: ./.github/actions/setup-bazel-ci
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -26,7 +26,7 @@ In the codex-rs folder where the rust code lives:
  - Implementations may still use `async fn foo(&self, ...) -> T` when they satisfy that contract.
  - Do not use `#[allow(async_fn_in_trait)]` as a shortcut around spelling the future contract explicitly.
 - When writing tests, prefer comparing the equality of entire objects over fields one by one.
- Do not add general product or user-facing documentation to the `docs/` folder. The official Codex documentation lives elsewhere. The exception is app-server API documentation, which is covered by the app-server guidance below.
+- When making a change that adds or changes an API, ensure that the documentation in the `docs/` folder is up to date if applicable.
 - Prefer private modules and explicitly exported public crate API.
 - If you change `ConfigToml` or nested config types, run `just write-config-schema` to update `codex-rs/core/config.schema.json`.
 - When working with MCP tool calls, prefer using `codex-rs/codex-mcp/src/mcp_connection_manager.rs` to handle mutation of tools and tool calls. Aim to minimize the footprint of changes and leverage existing abstractions rather than plumbing code through multiple levels of function calls.
@@ -130,7 +130,7 @@ When UI or text output changes intentionally, update the snapshots as follows:

 If you don’t have the tool:

- `cargo install --locked cargo-insta`
+- `cargo install cargo-insta`

 ### Test assertions

@@ -210,7 +210,7 @@ These guidelines apply to app-server protocol work in `codex-rs`, especially:

 ### Development Workflow

- Update app-server docs/examples when API behavior changes (at minimum `app-server/README.md`).
+- Update docs/examples when API behavior changes (at minimum `app-server/README.md`).
 - Regenerate schema fixtures when API shapes change:
  `just write-app-server-schema`
  (and `just write-app-server-schema --experimental` when experimental API fixtures are affected).
--- a/MODULE.bazel.lock
+++ b/MODULE.bazel.lock
@@ -665,7 +665,6 @@
      "aws-lc-rs_1.16.2": "{\"dependencies\":[{\"name\":\"aws-lc-fips-sys\",\"optional\":true,\"req\":\"^0.13.1\"},{\"default_features\":false,\"name\":\"aws-lc-sys\",\"optional\":true,\"req\":\"^0.39.0\"},{\"features\":[\"derive\"],\"kind\":\"dev\",\"name\":\"clap\",\"req\":\"^4.4\"},{\"kind\":\"dev\",\"name\":\"hex\",\"req\":\"^0.4.3\"},{\"kind\":\"dev\",\"name\":\"lazy_static\",\"req\":\"^1.5.0\"},{\"kind\":\"dev\",\"name\":\"paste\",\"req\":\"^1.0.15\"},{\"kind\":\"dev\",\"name\":\"regex\",\"req\":\"^1.11.1\"},{\"name\":\"untrusted\",\"optional\":true,\"req\":\"^0.7.1\"},{\"name\":\"zeroize\",\"req\":\"^1.8.1\"}],\"features\":{\"alloc\":[],\"asan\":[\"aws-lc-sys?/asan\",\"aws-lc-fips-sys?/asan\"],\"bindgen\":[\"aws-lc-sys?/bindgen\",\"aws-lc-fips-sys?/bindgen\"],\"default\":[\"aws-lc-sys\",\"alloc\",\"ring-io\",\"ring-sig-verify\"],\"dev-tests-only\":[],\"fips\":[\"dep:aws-lc-fips-sys\"],\"non-fips\":[\"aws-lc-sys\"],\"prebuilt-nasm\":[\"aws-lc-sys?/prebuilt-nasm\"],\"ring-io\":[\"dep:untrusted\"],\"ring-sig-verify\":[\"dep:untrusted\"],\"test_logging\":[],\"unstable\":[]}}",
      "aws-lc-sys_0.39.0": "{\"dependencies\":[{\"kind\":\"build\",\"name\":\"bindgen\",\"optional\":true,\"req\":\"^0.72.0\"},{\"features\":[\"parallel\"],\"kind\":\"build\",\"name\":\"cc\",\"req\":\"^1.2.26\"},{\"kind\":\"build\",\"name\":\"cmake\",\"req\":\"^0.1.54\"},{\"kind\":\"build\",\"name\":\"dunce\",\"req\":\"^1.0.5\"},{\"kind\":\"build\",\"name\":\"fs_extra\",\"req\":\"^1.3.0\"}],\"features\":{\"all-bindings\":[],\"asan\":[],\"bindgen\":[\"dep:bindgen\"],\"default\":[\"all-bindings\"],\"disable-prebuilt-nasm\":[],\"fips\":[\"dep:bindgen\"],\"prebuilt-nasm\":[],\"ssl\":[\"bindgen\",\"all-bindings\"]}}",
      "aws-runtime_1.5.17": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"arbitrary\",\"req\":\"^1.3\"},{\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"features\":[\"http0-compat\"],\"name\":\"aws-sigv4\",\"req\":\"^1.3.7\"},{\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"name\":\"aws-smithy-eventstream\",\"optional\":true,\"req\":\"^0.60.14\"},{\"name\":\"aws-smithy-http\",\"req\":\"^0.62.6\"},{\"kind\":\"dev\",\"name\":\"aws-smithy-protocol-test\",\"req\":\"^0.63.7\"},{\"features\":[\"client\"],\"name\":\"aws-smithy-runtime\",\"req\":\"^1.9.5\"},{\"features\":[\"client\"],\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"name\":\"aws-types\",\"req\":\"^1.3.11\"},{\"name\":\"bytes\",\"req\":\"^1.10.0\"},{\"kind\":\"dev\",\"name\":\"bytes-utils\",\"req\":\"^0.1.2\"},{\"kind\":\"dev\",\"name\":\"convert_case\",\"req\":\"^0.6.0\"},{\"name\":\"fastrand\",\"req\":\"^2.3.0\"},{\"default_features\":false,\"kind\":\"dev\",\"name\":\"futures-util\",\"req\":\"^0.3.29\"},{\"name\":\"http-02x\",\"package\":\"http\",\"req\":\"^0.2.9\"},{\"name\":\"http-1x\",\"optional\":true,\"package\":\"http\",\"req\":\"^1.1.0\"},{\"name\":\"http-body-04x\",\"package\":\"http-body\",\"req\":\"^0.4.5\"},{\"name\":\"http-body-1x\",\"optional\":true,\"package\":\"http-body\",\"req\":\"^1.0.0\"},{\"name\":\"percent-encoding\",\"req\":\"^2.3.1\"},{\"name\":\"pin-project-lite\",\"req\":\"^0.2.14\"},{\"kind\":\"dev\",\"name\":\"proptest\",\"req\":\"^1.2\"},{\"name\":\"regex-lite\",\"optional\":true,\"req\":\"^0.1.5\"},{\"features\":[\"derive\"],\"kind\":\"dev\",\"name\":\"serde\",\"req\":\"^1\"},{\"kind\":\"dev\",\"name\":\"serde_json\",\"req\":\"^1\"},{\"features\":[\"macros\",\"rt\",\"time\"],\"kind\":\"dev\",\"name\":\"tokio\",\"req\":\"^1.23.1\"},{\"name\":\"tracing\",\"req\":\"^0.1.40\"},{\"features\":[\"env-filter\"],\"kind\":\"dev\",\"name\":\"tracing-subscriber\",\"req\":\"^0.3.17\"},{\"kind\":\"dev\",\"name\":\"tracing-test\",\"req\":\"^0.2.4\"},{\"name\":\"uuid\",\"req\":\"^1\"}],\"features\":{\"event-stream\":[\"dep:aws-smithy-eventstream\",\"aws-sigv4/sign-eventstream\"],\"http-02x\":[],\"http-1x\":[\"dep:http-1x\",\"dep:http-body-1x\"],\"sigv4a\":[\"aws-sigv4/sigv4a\"],\"test-util\":[\"dep:regex-lite\"]}}",
-      "aws-sdk-signin_1.2.0": "{\"dependencies\":[{\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"name\":\"aws-runtime\",\"req\":\"^1.5.17\"},{\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"name\":\"aws-smithy-http\",\"req\":\"^0.62.6\"},{\"name\":\"aws-smithy-json\",\"req\":\"^0.61.8\"},{\"features\":[\"client\"],\"name\":\"aws-smithy-runtime\",\"req\":\"^1.9.5\"},{\"features\":[\"client\",\"http-02x\"],\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"name\":\"aws-types\",\"req\":\"^1.3.11\"},{\"name\":\"bytes\",\"req\":\"^1.4.0\"},{\"name\":\"fastrand\",\"req\":\"^2.0.0\"},{\"name\":\"http\",\"req\":\"^0.2.9\"},{\"kind\":\"dev\",\"name\":\"proptest\",\"req\":\"^1\"},{\"name\":\"regex-lite\",\"req\":\"^0.1.5\"},{\"features\":[\"macros\",\"test-util\",\"rt-multi-thread\"],\"kind\":\"dev\",\"name\":\"tokio\",\"req\":\"^1.23.1\"},{\"name\":\"tracing\",\"req\":\"^0.1\"}],\"features\":{\"behavior-version-latest\":[],\"default\":[\"rustls\",\"default-https-client\",\"rt-tokio\"],\"default-https-client\":[\"aws-smithy-runtime/default-https-client\"],\"gated-tests\":[],\"rt-tokio\":[\"aws-smithy-async/rt-tokio\",\"aws-smithy-types/rt-tokio\"],\"rustls\":[\"aws-smithy-runtime/tls-rustls\"],\"test-util\":[\"aws-credential-types/test-util\",\"aws-smithy-runtime/test-util\"]}}",
      "aws-sdk-sso_1.91.0": "{\"dependencies\":[{\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"name\":\"aws-runtime\",\"req\":\"^1.5.17\"},{\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"name\":\"aws-smithy-http\",\"req\":\"^0.62.6\"},{\"name\":\"aws-smithy-json\",\"req\":\"^0.61.8\"},{\"features\":[\"client\"],\"name\":\"aws-smithy-runtime\",\"req\":\"^1.9.5\"},{\"features\":[\"client\",\"http-02x\"],\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"name\":\"aws-types\",\"req\":\"^1.3.11\"},{\"name\":\"bytes\",\"req\":\"^1.4.0\"},{\"name\":\"fastrand\",\"req\":\"^2.0.0\"},{\"name\":\"http\",\"req\":\"^0.2.9\"},{\"kind\":\"dev\",\"name\":\"proptest\",\"req\":\"^1\"},{\"name\":\"regex-lite\",\"req\":\"^0.1.5\"},{\"features\":[\"macros\",\"test-util\",\"rt-multi-thread\"],\"kind\":\"dev\",\"name\":\"tokio\",\"req\":\"^1.23.1\"},{\"name\":\"tracing\",\"req\":\"^0.1\"}],\"features\":{\"behavior-version-latest\":[],\"default\":[\"rustls\",\"default-https-client\",\"rt-tokio\"],\"default-https-client\":[\"aws-smithy-runtime/default-https-client\"],\"gated-tests\":[],\"rt-tokio\":[\"aws-smithy-async/rt-tokio\",\"aws-smithy-types/rt-tokio\"],\"rustls\":[\"aws-smithy-runtime/tls-rustls\"],\"test-util\":[\"aws-credential-types/test-util\",\"aws-smithy-runtime/test-util\"]}}",
      "aws-sdk-ssooidc_1.93.0": "{\"dependencies\":[{\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"name\":\"aws-runtime\",\"req\":\"^1.5.17\"},{\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"name\":\"aws-smithy-http\",\"req\":\"^0.62.6\"},{\"name\":\"aws-smithy-json\",\"req\":\"^0.61.8\"},{\"features\":[\"client\"],\"name\":\"aws-smithy-runtime\",\"req\":\"^1.9.5\"},{\"features\":[\"client\",\"http-02x\"],\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"name\":\"aws-types\",\"req\":\"^1.3.11\"},{\"name\":\"bytes\",\"req\":\"^1.4.0\"},{\"name\":\"fastrand\",\"req\":\"^2.0.0\"},{\"name\":\"http\",\"req\":\"^0.2.9\"},{\"kind\":\"dev\",\"name\":\"proptest\",\"req\":\"^1\"},{\"name\":\"regex-lite\",\"req\":\"^0.1.5\"},{\"features\":[\"macros\",\"test-util\",\"rt-multi-thread\"],\"kind\":\"dev\",\"name\":\"tokio\",\"req\":\"^1.23.1\"},{\"name\":\"tracing\",\"req\":\"^0.1\"}],\"features\":{\"behavior-version-latest\":[],\"default\":[\"rustls\",\"default-https-client\",\"rt-tokio\"],\"default-https-client\":[\"aws-smithy-runtime/default-https-client\"],\"gated-tests\":[],\"rt-tokio\":[\"aws-smithy-async/rt-tokio\",\"aws-smithy-types/rt-tokio\"],\"rustls\":[\"aws-smithy-runtime/tls-rustls\"],\"test-util\":[\"aws-credential-types/test-util\",\"aws-smithy-runtime/test-util\"]}}",
      "aws-sdk-sts_1.95.0": "{\"dependencies\":[{\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"name\":\"aws-runtime\",\"req\":\"^1.5.17\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-runtime\",\"req\":\"^1.5.17\"},{\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"name\":\"aws-smithy-http\",\"req\":\"^0.62.6\"},{\"features\":[\"test-util\",\"wire-mock\"],\"kind\":\"dev\",\"name\":\"aws-smithy-http-client\",\"req\":\"^1.1.5\"},{\"name\":\"aws-smithy-json\",\"req\":\"^0.61.8\"},{\"kind\":\"dev\",\"name\":\"aws-smithy-protocol-test\",\"req\":\"^0.63.7\"},{\"name\":\"aws-smithy-query\",\"req\":\"^0.60.9\"},{\"features\":[\"client\"],\"name\":\"aws-smithy-runtime\",\"req\":\"^1.9.5\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-runtime\",\"req\":\"^1.9.5\"},{\"features\":[\"client\",\"http-02x\"],\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"name\":\"aws-smithy-xml\",\"req\":\"^0.60.13\"},{\"name\":\"aws-types\",\"req\":\"^1.3.11\"},{\"name\":\"fastrand\",\"req\":\"^2.0.0\"},{\"default_features\":false,\"features\":[\"alloc\"],\"kind\":\"dev\",\"name\":\"futures-util\",\"req\":\"^0.3.25\"},{\"name\":\"http\",\"req\":\"^0.2.9\"},{\"kind\":\"dev\",\"name\":\"http-1x\",\"package\":\"http\",\"req\":\"^1\"},{\"kind\":\"dev\",\"name\":\"proptest\",\"req\":\"^1\"},{\"name\":\"regex-lite\",\"req\":\"^0.1.5\"},{\"kind\":\"dev\",\"name\":\"serde_json\",\"req\":\"^1.0.0\"},{\"features\":[\"macros\",\"test-util\",\"rt-multi-thread\"],\"kind\":\"dev\",\"name\":\"tokio\",\"req\":\"^1.23.1\"},{\"name\":\"tracing\",\"req\":\"^0.1\"},{\"features\":[\"env-filter\",\"json\"],\"kind\":\"dev\",\"name\":\"tracing-subscriber\",\"req\":\"^0.3.16\"}],\"features\":{\"behavior-version-latest\":[],\"default\":[\"rustls\",\"default-https-client\",\"rt-tokio\"],\"default-https-client\":[\"aws-smithy-runtime/default-https-client\"],\"gated-tests\":[],\"rt-tokio\":[\"aws-smithy-async/rt-tokio\",\"aws-smithy-types/rt-tokio\"],\"rustls\":[\"aws-smithy-runtime/tls-rustls\"],\"test-util\":[\"aws-credential-types/test-util\",\"aws-smithy-runtime/test-util\"]}}",
--- a/codex-rs/.config/nextest.toml
+++ b/codex-rs/.config/nextest.toml
@@ -14,6 +14,9 @@ max-threads = 1
 [test-groups.windows_sandbox_legacy_sessions]
 max-threads = 1

+[test-groups.windows_process_heavy]
+max-threads = 1
+
 [[profile.default.overrides]]
 # Do not add new tests here
 filter = 'test(rmcp_client) | test(humanlike_typing_1000_chars_appears_live_no_placeholder)'
@@ -27,6 +30,41 @@ slow-timeout = { period = "30s", terminate-after = 2 }
 filter = 'package(codex-app-server-protocol) & (test(typescript_schema_fixtures_match_generated) | test(json_schema_fixtures_match_generated) | test(generate_ts_with_experimental_api_retains_experimental_entries) | test(generated_ts_optional_nullable_fields_only_in_params) | test(generate_json_filters_experimental_fields_and_methods))'
 test-group = 'app_server_protocol_codegen'

+[[profile.default.overrides]]
+# These Windows CI tests launch full Codex/app-server process trees. They have
+# repeatedly timed out when nextest schedules them alongside similar tests.
+platform = 'cfg(windows)'
+filter = 'package(codex-core) & kind(test) & (test(cli_stream) | test(realtime_conversation))'
+test-group = 'windows_process_heavy'
+threads-required = "num-test-threads"
+slow-timeout = { period = "1m", terminate-after = 4 }
+
+[[profile.default.overrides]]
+# The exec resume tests spawn the CLI and touch shared session state on disk.
+platform = 'cfg(windows)'
+filter = 'package(codex-exec) & kind(test) & test(exec_resume)'
+test-group = 'windows_process_heavy'
+threads-required = "num-test-threads"
+slow-timeout = { period = "1m", terminate-after = 4 }
+
+[[profile.default.overrides]]
+# Keep the specific app-server subprocess-heavy cases isolated on Windows. This
+# must stay before the broader codex-app-server override below.
+platform = 'cfg(windows)'
+filter = 'package(codex-app-server) & kind(test) & (test(thread_fork_can_exclude_turns_and_skip_restored_token_usage) | test(turn_start_resolves_sticky_thread_environments_and_turn_overrides) | test(message_processor_tracing_tests))'
+test-group = 'windows_process_heavy'
+threads-required = "num-test-threads"
+slow-timeout = { period = "1m", terminate-after = 4 }
+
+[[profile.default.overrides]]
+# These tests create restricted-token Windows child processes and private
+# desktops. Running them alone avoids contention with other subprocess tests.
+platform = 'cfg(windows)'
+filter = 'package(codex-windows-sandbox) & kind(test) & test(legacy_)'
+test-group = 'windows_process_heavy'
+threads-required = "num-test-threads"
+slow-timeout = { period = "1m", terminate-after = 4 }
+
 [[profile.default.overrides]]
 # These integration tests spawn a fresh app-server subprocess per case.
 # Keep the library unit tests parallel.
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -757,7 +757,6 @@ checksum = "96571e6996817bf3d58f6b569e4b9fd2e9d2fcf9f7424eed07b2ce9bb87535e5"
 dependencies = [
 "aws-credential-types",
 "aws-runtime",
- "aws-sdk-signin",
 "aws-sdk-sso",
 "aws-sdk-ssooidc",
 "aws-sdk-sts",
@@ -768,20 +767,15 @@ dependencies = [
 "aws-smithy-runtime-api",
 "aws-smithy-types",
 "aws-types",
- "base64-simd",
 "bytes",
 "fastrand",
 "hex",
 "http 1.4.0",
- "p256",
- "rand 0.8.5",
 "ring",
- "sha2",
 "time",
 "tokio",
 "tracing",
 "url",
- "uuid",
 "zeroize",
 ]

@@ -844,28 +838,6 @@ dependencies = [
 "uuid",
 ]

-[[package]]
-name = "aws-sdk-signin"
-version = "1.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c084bd63941916e1348cb8d9e05ac2e49bdd40a380e9167702683184c6c6be53"
-dependencies = [
- "aws-credential-types",
- "aws-runtime",
- "aws-smithy-async",
- "aws-smithy-http",
- "aws-smithy-json",
- "aws-smithy-runtime",
- "aws-smithy-runtime-api",
- "aws-smithy-types",
- "aws-types",
- "bytes",
- "fastrand",
- "http 0.2.12",
- "regex-lite",
- "tracing",
-]
-
 [[package]]
 name = "aws-sdk-sso"
 version = "1.91.0"
@@ -1900,7 +1872,6 @@ dependencies = [
 "codex-features",
 "codex-feedback",
 "codex-file-search",
- "codex-file-watcher",
 "codex-git-utils",
 "codex-hooks",
 "codex-login",
@@ -1980,26 +1951,6 @@ dependencies = [
 "url",
 ]

-[[package]]
-name = "codex-app-server-daemon"
-version = "0.0.0"
-dependencies = [
- "anyhow",
- "codex-app-server-protocol",
- "codex-app-server-transport",
- "codex-core",
- "codex-uds",
- "futures",
- "libc",
- "pretty_assertions",
- "reqwest",
- "serde",
- "serde_json",
- "tempfile",
- "tokio",
- "tokio-tungstenite",
-]
-
 [[package]]
 name = "codex-app-server-protocol"
 version = "0.0.0"
@@ -2227,7 +2178,6 @@ dependencies = [
 "clap",
 "clap_complete",
 "codex-app-server",
- "codex-app-server-daemon",
 "codex-app-server-protocol",
 "codex-app-server-test-client",
 "codex-arg0",
@@ -2463,11 +2413,7 @@ dependencies = [
 "codex-app-server-protocol",
 "pretty_assertions",
 "serde",
- "serde_json",
- "sha1",
- "tempfile",
 "tokio",
- "tracing",
 "urlencoding",
 ]

@@ -2552,6 +2498,7 @@ dependencies = [
 "insta",
 "libc",
 "maplit",
+ "notify",
 "once_cell",
 "openssl-sys",
 "opentelemetry",
@@ -2758,13 +2705,13 @@ dependencies = [
 "serde",
 "serde_json",
 "serial_test",
+ "sha2",
 "tempfile",
 "test-case",
 "thiserror 2.0.18",
 "tokio",
 "tokio-tungstenite",
 "tokio-util",
- "toml 0.9.11+spec-1.1.0",
 "tracing",
 "uuid",
 "wiremock",
@@ -2894,17 +2841,6 @@ dependencies = [
 "serde",
 ]

-[[package]]
-name = "codex-file-watcher"
-version = "0.0.0"
-dependencies = [
- "notify",
- "pretty_assertions",
- "tempfile",
- "tokio",
- "tracing",
-]
-
 [[package]]
 name = "codex-git-utils"
 version = "0.0.0"
@@ -3366,6 +3302,7 @@ dependencies = [
 "codex-utils-absolute-path",
 "codex-utils-image",
 "codex-utils-string",
+ "codex-utils-template",
 "encoding_rs",
 "globset",
 "http 1.4.0",
@@ -3672,11 +3609,16 @@ dependencies = [
 "codex-rollout",
 "codex-state",
 "pretty_assertions",
+ "prost 0.14.3",
 "serde",
 "serde_json",
 "tempfile",
 "thiserror 2.0.18",
 "tokio",
+ "tokio-stream",
+ "tonic",
+ "tonic-prost",
+ "tonic-prost-build",
 "tracing",
 "uuid",
 ]
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -11,7 +11,6 @@ members = [
    "async-utils",
    "app-server",
    "app-server-transport",
-    "app-server-daemon",
    "app-server-client",
    "app-server-protocol",
    "app-server-test-client",
@@ -49,7 +48,6 @@ members = [
    "external-agent-sessions",
    "keyring-store",
    "file-search",
-    "file-watcher",
    "linux-sandbox",
    "lmstudio",
    "login",
@@ -133,7 +131,6 @@ codex-api = { path = "codex-api" }
 codex-aws-auth = { path = "aws-auth" }
 codex-app-server = { path = "app-server" }
 codex-app-server-transport = { path = "app-server-transport" }
-codex-app-server-daemon = { path = "app-server-daemon" }
 codex-app-server-client = { path = "app-server-client" }
 codex-app-server-protocol = { path = "app-server-protocol" }
 codex-app-server-test-client = { path = "app-server-test-client" }
@@ -167,7 +164,6 @@ codex-features = { path = "features" }
 codex-feedback = { path = "feedback" }
 codex-install-context = { path = "install-context" }
 codex-file-search = { path = "file-search" }
-codex-file-watcher = { path = "file-watcher" }
 codex-git-utils = { path = "git-utils" }
 codex-hooks = { path = "hooks" }
 codex-keyring-store = { path = "keyring-store" }
@@ -468,8 +464,11 @@ unwrap_used = "deny"
 [workspace.metadata.cargo-shear]
 ignored = [
    "codex-agent-graph-store",
+    "codex-memories-mcp",
    "icu_provider",
    "openssl-sys",
+    "codex-utils-readiness",
+    "codex-utils-template",
    "codex-v8-poc",
 ]

--- a/codex-rs/agent-graph-store/Cargo.toml
+++ b/codex-rs/agent-graph-store/Cargo.toml
@@ -7,7 +7,6 @@ version.workspace = true
 [lib]
 name = "codex_agent_graph_store"
 path = "src/lib.rs"
-doctest = false

 [lints]
 workspace = true
--- a/codex-rs/analytics/src/accepted_lines.rs
+++ b/codex-rs/analytics/src/accepted_lines.rs
@@ -1,298 +0,0 @@
-use crate::events::CodexAcceptedLineFingerprintsEventParams;
-use crate::events::CodexAcceptedLineFingerprintsEventRequest;
-use crate::events::TrackEventRequest;
-use crate::facts::AcceptedLineFingerprint;
-use codex_git_utils::canonicalize_git_remote_url;
-use codex_git_utils::get_git_remote_urls_assume_git_repo;
-use sha1::Digest;
-use std::path::Path;
-
-const ACCEPTED_LINE_FINGERPRINT_EVENT_TARGET_BYTES: usize = 2 * 1024 * 1024;
-const ACCEPTED_LINE_FINGERPRINT_EVENT_FIXED_BYTES: usize = 1024;
-
-#[derive(Clone, Debug, PartialEq, Eq)]
-pub struct AcceptedLineFingerprintSummary {
-    pub accepted_added_lines: u64,
-    pub accepted_deleted_lines: u64,
-    pub line_fingerprints: Vec<AcceptedLineFingerprint>,
-}
-
-pub(crate) struct AcceptedLineFingerprintEventInput {
-    pub(crate) event_type: &'static str,
-    pub(crate) turn_id: String,
-    pub(crate) thread_id: String,
-    pub(crate) product_surface: Option<String>,
-    pub(crate) model_slug: Option<String>,
-    pub(crate) completed_at: u64,
-    pub(crate) repo_hash: Option<String>,
-    pub(crate) accepted_added_lines: u64,
-    pub(crate) accepted_deleted_lines: u64,
-    pub(crate) line_fingerprints: Vec<AcceptedLineFingerprint>,
-}
-
-pub fn accepted_line_fingerprints_from_unified_diff(
-    unified_diff: &str,
-) -> AcceptedLineFingerprintSummary {
-    let mut current_path: Option<String> = None;
-    let mut in_hunk = false;
-    let mut accepted_added_lines = 0;
-    let mut accepted_deleted_lines = 0;
-    let mut line_fingerprints = Vec::new();
-
-    for line in unified_diff.lines() {
-        if line.starts_with("diff --git ") {
-            current_path = None;
-            in_hunk = false;
-            continue;
-        }
-
-        if line.starts_with("@@ ") {
-            in_hunk = true;
-            continue;
-        }
-
-        if !in_hunk && let Some(path) = line.strip_prefix("+++ ") {
-            current_path = normalize_diff_path(path);
-            continue;
-        }
-
-        if !in_hunk && line.starts_with("--- ") {
-            continue;
-        }
-
-        if let Some(added_line) = line.strip_prefix('+') {
-            accepted_added_lines += 1;
-            if let Some(path) = current_path.as_deref()
-                && let Some(normalized_line) = normalize_effective_line(added_line)
-            {
-                line_fingerprints.push(AcceptedLineFingerprint {
-                    path_hash: fingerprint_hash("path", path),
-                    line_hash: fingerprint_hash("line", &normalized_line),
-                });
-            }
-            continue;
-        }
-
-        if line.starts_with('-') {
-            accepted_deleted_lines += 1;
-        }
-    }
-
-    AcceptedLineFingerprintSummary {
-        accepted_added_lines,
-        accepted_deleted_lines,
-        line_fingerprints,
-    }
-}
-
-pub fn fingerprint_hash(domain: &str, value: &str) -> String {
-    let mut hasher = sha1::Sha1::new();
-    hasher.update(b"file-line-v1\0");
-    hasher.update(domain.as_bytes());
-    hasher.update(b"\0");
-    hasher.update(value.as_bytes());
-    format!("{:x}", hasher.finalize())
-}
-
-pub(crate) fn accepted_line_fingerprint_event_requests(
-    input: AcceptedLineFingerprintEventInput,
-) -> Vec<TrackEventRequest> {
-    let chunks = accepted_line_fingerprint_chunks(input.line_fingerprints);
-    chunks
-        .into_iter()
-        .enumerate()
-        .map(|(index, line_fingerprints)| {
-            let is_first_chunk = index == 0;
-            TrackEventRequest::AcceptedLineFingerprints(Box::new(
-                CodexAcceptedLineFingerprintsEventRequest {
-                    event_type: "codex_accepted_line_fingerprints",
-                    event_params: CodexAcceptedLineFingerprintsEventParams {
-                        event_type: input.event_type,
-                        turn_id: input.turn_id.clone(),
-                        thread_id: input.thread_id.clone(),
-                        product_surface: input.product_surface.clone(),
-                        model_slug: input.model_slug.clone(),
-                        completed_at: input.completed_at,
-                        repo_hash: input.repo_hash.clone(),
-                        accepted_added_lines: if is_first_chunk {
-                            input.accepted_added_lines
-                        } else {
-                            0
-                        },
-                        accepted_deleted_lines: if is_first_chunk {
-                            input.accepted_deleted_lines
-                        } else {
-                            0
-                        },
-                        line_fingerprints,
-                    },
-                },
-            ))
-        })
-        .collect()
-}
-
-pub async fn accepted_line_repo_hash_for_cwd(cwd: &Path) -> Option<String> {
-    let remotes = get_git_remote_urls_assume_git_repo(cwd).await?;
-    remotes
-        .get("origin")
-        .or_else(|| remotes.values().next())
-        .map(|remote_url| {
-            let canonical_remote_url =
-                canonicalize_git_remote_url(remote_url).unwrap_or_else(|| remote_url.to_string());
-            fingerprint_hash("repo", &canonical_remote_url)
-        })
-}
-
-fn normalize_diff_path(path: &str) -> Option<String> {
-    let path = path.trim();
-    if path == "/dev/null" {
-        return None;
-    }
-
-    Some(
-        path.strip_prefix("b/")
-            .or_else(|| path.strip_prefix("a/"))
-            .unwrap_or(path)
-            .to_string(),
-    )
-}
-
-fn normalize_effective_line(line: &str) -> Option<String> {
-    let normalized = line.split_whitespace().collect::<Vec<_>>().join(" ");
-    if normalized.len() <= 3 {
-        return None;
-    }
-    if !normalized
-        .chars()
-        .any(|ch| ch.is_alphanumeric() || ch == '_')
-    {
-        return None;
-    }
-    Some(normalized)
-}
-
-fn accepted_line_fingerprint_chunks(
-    line_fingerprints: Vec<AcceptedLineFingerprint>,
-) -> Vec<Vec<AcceptedLineFingerprint>> {
-    if line_fingerprints.is_empty() {
-        return vec![Vec::new()];
-    }
-
-    let mut chunks = Vec::new();
-    let mut current = Vec::new();
-    let mut current_bytes = ACCEPTED_LINE_FINGERPRINT_EVENT_FIXED_BYTES;
-
-    for fingerprint in line_fingerprints {
-        let item_bytes = accepted_line_fingerprint_json_bytes(&fingerprint);
-        let separator_bytes = usize::from(!current.is_empty());
-        if !current.is_empty()
-            && current_bytes + separator_bytes + item_bytes
-                > ACCEPTED_LINE_FINGERPRINT_EVENT_TARGET_BYTES
-        {
-            chunks.push(current);
-            current = Vec::new();
-            current_bytes = ACCEPTED_LINE_FINGERPRINT_EVENT_FIXED_BYTES;
-        }
-        current_bytes += usize::from(!current.is_empty()) + item_bytes;
-        current.push(fingerprint);
-    }
-
-    if !current.is_empty() {
-        chunks.push(current);
-    }
-    chunks
-}
-
-fn accepted_line_fingerprint_json_bytes(fingerprint: &AcceptedLineFingerprint) -> usize {
-    // {"path_hash":"...","line_hash":"..."} plus one byte of array comma
-    // accounted for by the caller when needed.
-    32 + fingerprint.path_hash.len() + fingerprint.line_hash.len()
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn parses_counts_and_effective_added_fingerprints() {
-        let diff = "\
-diff --git a/src/lib.rs b/src/lib.rs
-index 1111111..2222222
--- a/src/lib.rs
-+++ b/src/lib.rs
-@@ -1,3 +1,5 @@
-old line
-+fn useful() {
-+}
-+    return user.id;
- context
-";
-
-        let summary = accepted_line_fingerprints_from_unified_diff(diff);
-
-        assert_eq!(
-            summary,
-            AcceptedLineFingerprintSummary {
-                accepted_added_lines: 3,
-                accepted_deleted_lines: 1,
-                line_fingerprints: vec![
-                    AcceptedLineFingerprint {
-                        path_hash: fingerprint_hash("path", "src/lib.rs"),
-                        line_hash: fingerprint_hash("line", "fn useful() {"),
-                    },
-                    AcceptedLineFingerprint {
-                        path_hash: fingerprint_hash("path", "src/lib.rs"),
-                        line_hash: fingerprint_hash("line", "return user.id;"),
-                    },
-                ],
-            }
-        );
-    }
-
-    #[test]
-    fn skips_added_file_metadata_headers() {
-        let diff = "\
-diff --git a/new.py b/new.py
-new file mode 100644
-index 0000000..1111111
--- /dev/null
-+++ b/new.py
-@@ -0,0 +1 @@
-+print('hello')
-";
-
-        let summary = accepted_line_fingerprints_from_unified_diff(diff);
-
-        assert_eq!(summary.accepted_added_lines, 1);
-        assert_eq!(summary.accepted_deleted_lines, 0);
-        assert_eq!(summary.line_fingerprints.len(), 1);
-    }
-
-    #[test]
-    fn parses_hunk_lines_that_look_like_file_headers() {
-        let diff = "\
-diff --git a/src/lib.rs b/src/lib.rs
-index 1111111..2222222
--- a/src/lib.rs
-+++ b/src/lib.rs
-@@ -1,2 +1,2 @@
--- old value
-+++ new value
-";
-
-        let summary = accepted_line_fingerprints_from_unified_diff(diff);
-
-        assert_eq!(
-            summary,
-            AcceptedLineFingerprintSummary {
-                accepted_added_lines: 1,
-                accepted_deleted_lines: 1,
-                line_fingerprints: vec![AcceptedLineFingerprint {
-                    path_hash: fingerprint_hash("path", "src/lib.rs"),
-                    line_hash: fingerprint_hash("line", "++ new value"),
-                }],
-            }
-        );
-    }
-}
--- a/codex-rs/analytics/src/analytics_client_tests.rs
+++ b/codex-rs/analytics/src/analytics_client_tests.rs
@@ -1,7 +1,5 @@
 use crate::client::AnalyticsEventsQueue;
 use crate::events::AppServerRpcTransport;
-use crate::events::CodexAcceptedLineFingerprintsEventParams;
-use crate::events::CodexAcceptedLineFingerprintsEventRequest;
 use crate::events::CodexAppMentionedEventRequest;
 use crate::events::CodexAppServerClientMetadata;
 use crate::events::CodexAppUsedEventRequest;
@@ -30,7 +28,6 @@ use crate::events::codex_hook_run_metadata;
 use crate::events::codex_plugin_metadata;
 use crate::events::codex_plugin_used_metadata;
 use crate::events::subagent_thread_started_event_request;
-use crate::facts::AcceptedLineFingerprint;
 use crate::facts::AnalyticsFact;
 use crate::facts::AnalyticsJsonRpcError;
 use crate::facts::AppInvocation;
@@ -92,7 +89,6 @@ use codex_app_server_protocol::ThreadStartResponse;
 use codex_app_server_protocol::ThreadStatus as AppServerThreadStatus;
 use codex_app_server_protocol::Turn;
 use codex_app_server_protocol::TurnCompletedNotification;
-use codex_app_server_protocol::TurnDiffUpdatedNotification;
 use codex_app_server_protocol::TurnError as AppServerTurnError;
 use codex_app_server_protocol::TurnStartParams;
 use codex_app_server_protocol::TurnStartedNotification;
@@ -640,7 +636,6 @@ fn sample_initialize_fact(connection_id: u64) -> AnalyticsFact {
            },
            capabilities: Some(InitializeCapabilities {
                experimental_api: false,
-                request_attestation: false,
                opt_out_notification_methods: None,
            }),
        },
@@ -832,206 +827,6 @@ fn app_used_event_serializes_expected_shape() {
    );
 }

-#[test]
-fn accepted_line_fingerprints_event_serializes_expected_shape() {
-    let event = TrackEventRequest::AcceptedLineFingerprints(Box::new(
-        CodexAcceptedLineFingerprintsEventRequest {
-            event_type: "codex_accepted_line_fingerprints",
-            event_params: CodexAcceptedLineFingerprintsEventParams {
-                event_type: "codex.accepted_line_fingerprints",
-                turn_id: "turn-1".to_string(),
-                thread_id: "thread-1".to_string(),
-                product_surface: Some("codex".to_string()),
-                model_slug: Some("gpt-5.1-codex".to_string()),
-                completed_at: 1710000000,
-                repo_hash: Some("repo-hash-1".to_string()),
-                accepted_added_lines: 42,
-                accepted_deleted_lines: 40,
-                line_fingerprints: vec![AcceptedLineFingerprint {
-                    path_hash: "path-hash-1".to_string(),
-                    line_hash: "line-hash-1".to_string(),
-                }],
-            },
-        },
-    ));
-
-    let payload = serde_json::to_value(&event).expect("serialize accepted line fingerprints event");
-
-    assert_eq!(
-        payload,
-        json!({
-            "event_type": "codex_accepted_line_fingerprints",
-            "event_params": {
-                "event_type": "codex.accepted_line_fingerprints",
-                "turn_id": "turn-1",
-                "thread_id": "thread-1",
-                "product_surface": "codex",
-                "model_slug": "gpt-5.1-codex",
-                "completed_at": 1710000000,
-                "repo_hash": "repo-hash-1",
-                "accepted_added_lines": 42,
-                "accepted_deleted_lines": 40,
-                "line_fingerprints": [
-                    {
-                        "path_hash": "path-hash-1",
-                        "line_hash": "line-hash-1"
-                    }
-                ]
-            }
-        })
-    );
-}
-
-#[tokio::test]
-async fn reducer_chunks_large_accepted_line_fingerprint_events_without_repeating_counts() {
-    let mut reducer = AnalyticsReducer::default();
-    let mut events = Vec::new();
-
-    ingest_turn_prerequisites(
-        &mut reducer,
-        &mut events,
-        /*include_initialize*/ true,
-        /*include_resolved_config*/ true,
-        /*include_started*/ true,
-        /*include_token_usage*/ true,
-    )
-    .await;
-    events.clear();
-
-    let mut diff = "\
-diff --git a/src/lib.rs b/src/lib.rs
-index 1111111..2222222
--- a/src/lib.rs
-+++ b/src/lib.rs
-@@ -0,0 +1,20000 @@
-"
-    .to_string();
-    for index in 0..20_000 {
-        diff.push_str(&format!("+let value_{index} = {index};\n"));
-    }
-
-    reducer
-        .ingest(
-            AnalyticsFact::Notification(Box::new(ServerNotification::TurnDiffUpdated(
-                TurnDiffUpdatedNotification {
-                    thread_id: "thread-2".to_string(),
-                    turn_id: "turn-2".to_string(),
-                    diff,
-                },
-            ))),
-            &mut events,
-        )
-        .await;
-    assert!(events.is_empty());
-
-    reducer
-        .ingest(
-            AnalyticsFact::Notification(Box::new(sample_turn_completed_notification(
-                "thread-2",
-                "turn-2",
-                AppServerTurnStatus::Completed,
-                /*codex_error_info*/ None,
-            ))),
-            &mut events,
-        )
-        .await;
-
-    let accepted_line_events = events
-        .iter()
-        .filter_map(|event| match event {
-            TrackEventRequest::AcceptedLineFingerprints(event) => Some(event),
-            _ => None,
-        })
-        .collect::<Vec<_>>();
-    assert!(accepted_line_events.len() > 1);
-    let mut total_fingerprints = 0;
-    for (index, event) in accepted_line_events.iter().enumerate() {
-        assert_eq!(event.event_params.turn_id, "turn-2");
-        assert_eq!(event.event_params.thread_id, "thread-2");
-        total_fingerprints += event.event_params.line_fingerprints.len();
-        if index == 0 {
-            assert_eq!(event.event_params.accepted_added_lines, 20_000);
-            assert_eq!(event.event_params.accepted_deleted_lines, 0);
-        } else {
-            assert_eq!(event.event_params.accepted_added_lines, 0);
-            assert_eq!(event.event_params.accepted_deleted_lines, 0);
-        }
-        assert!(serde_json::to_vec(event).expect("serialize chunk").len() < 2_100_000);
-    }
-    assert_eq!(total_fingerprints, 20_000);
-}
-
-#[tokio::test]
-async fn reducer_emits_accepted_line_fingerprints_once_from_latest_turn_diff_on_completion() {
-    let mut reducer = AnalyticsReducer::default();
-    let mut events = Vec::new();
-
-    ingest_turn_prerequisites(
-        &mut reducer,
-        &mut events,
-        /*include_initialize*/ true,
-        /*include_resolved_config*/ true,
-        /*include_started*/ true,
-        /*include_token_usage*/ true,
-    )
-    .await;
-    events.clear();
-
-    for line in ["let old_value = 1;", "let latest_value = 2;"] {
-        let diff = format!(
-            "\
-diff --git a/src/lib.rs b/src/lib.rs
-index 1111111..2222222
--- a/src/lib.rs
-+++ b/src/lib.rs
-@@ -0,0 +1 @@
-+{line}
-"
-        );
-        reducer
-            .ingest(
-                AnalyticsFact::Notification(Box::new(ServerNotification::TurnDiffUpdated(
-                    TurnDiffUpdatedNotification {
-                        thread_id: "thread-2".to_string(),
-                        turn_id: "turn-2".to_string(),
-                        diff,
-                    },
-                ))),
-                &mut events,
-            )
-            .await;
-    }
-    assert!(events.is_empty());
-
-    reducer
-        .ingest(
-            AnalyticsFact::Notification(Box::new(sample_turn_completed_notification(
-                "thread-2",
-                "turn-2",
-                AppServerTurnStatus::Completed,
-                /*codex_error_info*/ None,
-            ))),
-            &mut events,
-        )
-        .await;
-
-    let accepted_line_events = events
-        .iter()
-        .filter_map(|event| match event {
-            TrackEventRequest::AcceptedLineFingerprints(event) => Some(event),
-            _ => None,
-        })
-        .collect::<Vec<_>>();
-    assert_eq!(accepted_line_events.len(), 1);
-    let event = accepted_line_events[0];
-    assert_eq!(event.event_params.accepted_added_lines, 1);
-    assert_eq!(event.event_params.line_fingerprints.len(), 1);
-    assert_eq!(
-        event.event_params.line_fingerprints[0].line_hash,
-        crate::fingerprint_hash("line", "let latest_value = 2;")
-    );
-}
-
 #[test]
 fn compaction_event_serializes_expected_shape() {
    let event = TrackEventRequest::Compaction(Box::new(CodexCompactionEventRequest {
@@ -1327,7 +1122,6 @@ async fn initialize_caches_client_and_thread_lifecycle_publishes_once_initialize
                    },
                    capabilities: Some(InitializeCapabilities {
                        experimental_api: false,
-                        request_attestation: false,
                        opt_out_notification_methods: None,
                    }),
                },
@@ -1475,7 +1269,6 @@ async fn compaction_event_ingests_custom_fact() {
                    },
                    capabilities: Some(InitializeCapabilities {
                        experimental_api: false,
-                        request_attestation: false,
                        opt_out_notification_methods: None,
                    }),
                },
@@ -1589,7 +1382,6 @@ async fn guardian_review_event_ingests_custom_fact_with_optional_target_item() {
                    },
                    capabilities: Some(InitializeCapabilities {
                        experimental_api: false,
-                        request_attestation: false,
                        opt_out_notification_methods: None,
                    }),
                },
--- a/codex-rs/analytics/src/client.rs
+++ b/codex-rs/analytics/src/client.rs
@@ -30,7 +30,6 @@ use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::ServerRequest;
 use codex_app_server_protocol::ServerResponse;
 use codex_login::AuthManager;
-use codex_login::CodexAuth;
 use codex_login::default_client::create_client;
 use codex_plugin::PluginTelemetryMetadata;
 use std::collections::HashSet;
@@ -341,9 +340,8 @@ impl AnalyticsEventsClient {
        });
    }

-    pub fn track_server_response(&self, completed_at_ms: u64, response: ServerResponse) {
+    pub fn track_server_response(&self, response: ServerResponse) {
        self.record_fact(AnalyticsFact::ServerResponse {
-            completed_at_ms,
            response: Box::new(response),
        });
    }
@@ -353,7 +351,6 @@ impl AnalyticsEventsClient {
            notification,
            ServerNotification::TurnStarted(_)
                | ServerNotification::TurnCompleted(_)
-                | ServerNotification::TurnDiffUpdated(_)
                | ServerNotification::ItemStarted(_)
                | ServerNotification::ItemCompleted(_)
                | ServerNotification::ItemGuardianApprovalReviewStarted(_)
@@ -373,7 +370,6 @@ async fn send_track_events(
    if events.is_empty() {
        return;
    }
-
    let Some(auth) = auth_manager.auth().await else {
        return;
    };
@@ -383,45 +379,12 @@ async fn send_track_events(

    let base_url = base_url.trim_end_matches('/');
    let url = format!("{base_url}/codex/analytics-events/events");
-    for events in track_event_request_batches(events) {
-        send_track_events_request(&auth, &url, events).await;
-    }
-}
-
-fn track_event_request_batches(events: Vec<TrackEventRequest>) -> Vec<Vec<TrackEventRequest>> {
-    let mut batches = Vec::new();
-    let mut current_batch = Vec::new();
-
-    for event in events {
-        if event.should_send_in_isolated_request() {
-            if !current_batch.is_empty() {
-                batches.push(current_batch);
-                current_batch = Vec::new();
-            }
-            batches.push(vec![event]);
-        } else {
-            current_batch.push(event);
-        }
-    }
-
-    if !current_batch.is_empty() {
-        batches.push(current_batch);
-    }
-
-    batches
-}
-
-async fn send_track_events_request(auth: &CodexAuth, url: &str, events: Vec<TrackEventRequest>) {
-    if events.is_empty() {
-        return;
-    }
-
    let payload = TrackEventsRequest { events };

    let response = create_client()
-        .post(url)
+        .post(&url)
        .timeout(ANALYTICS_EVENTS_TIMEOUT)
-        .headers(codex_model_provider::auth_provider_from_auth(auth).to_auth_headers())
+        .headers(codex_model_provider::auth_provider_from_auth(&auth).to_auth_headers())
        .header("Content-Type", "application/json")
        .json(&payload)
        .send()
--- a/codex-rs/analytics/src/client_tests.rs
+++ b/codex-rs/analytics/src/client_tests.rs
@@ -1,14 +1,6 @@
 use super::AnalyticsEventsClient;
 use super::AnalyticsEventsQueue;
-use super::track_event_request_batches;
-use crate::events::CodexAcceptedLineFingerprintsEventParams;
-use crate::events::CodexAcceptedLineFingerprintsEventRequest;
-use crate::events::SkillInvocationEventParams;
-use crate::events::SkillInvocationEventRequest;
-use crate::events::TrackEventRequest;
-use crate::facts::AcceptedLineFingerprint;
 use crate::facts::AnalyticsFact;
-use crate::facts::InvocationType;
 use codex_app_server_protocol::ApprovalsReviewer as AppServerApprovalsReviewer;
 use codex_app_server_protocol::AskForApproval as AppServerAskForApproval;
 use codex_app_server_protocol::ClientRequest;
@@ -39,47 +31,6 @@ use std::sync::Mutex;
 use tokio::sync::mpsc;
 use tokio::sync::mpsc::error::TryRecvError;

-fn sample_accepted_line_fingerprint_event(thread_id: &str) -> TrackEventRequest {
-    TrackEventRequest::AcceptedLineFingerprints(Box::new(
-        CodexAcceptedLineFingerprintsEventRequest {
-            event_type: "codex_accepted_line_fingerprints",
-            event_params: CodexAcceptedLineFingerprintsEventParams {
-                event_type: "codex.accepted_line_fingerprints",
-                turn_id: "turn-1".to_string(),
-                thread_id: thread_id.to_string(),
-                product_surface: Some("codex".to_string()),
-                model_slug: Some("gpt-5.1-codex".to_string()),
-                completed_at: 1,
-                repo_hash: None,
-                accepted_added_lines: 1,
-                accepted_deleted_lines: 0,
-                line_fingerprints: vec![AcceptedLineFingerprint {
-                    path_hash: "path-hash".to_string(),
-                    line_hash: "line-hash".to_string(),
-                }],
-            },
-        },
-    ))
-}
-
-fn sample_regular_track_event(thread_id: &str) -> TrackEventRequest {
-    TrackEventRequest::SkillInvocation(SkillInvocationEventRequest {
-        event_type: "skill_invocation",
-        skill_id: format!("skill-{thread_id}"),
-        skill_name: "doc".to_string(),
-        event_params: SkillInvocationEventParams {
-            product_client_id: None,
-            skill_scope: None,
-            plugin_id: None,
-            repo_url: None,
-            thread_id: Some(thread_id.to_string()),
-            turn_id: Some("turn-1".to_string()),
-            invoke_type: Some(InvocationType::Explicit),
-            model_slug: Some("gpt-5.1-codex".to_string()),
-        },
-    })
-}
-
 fn client_with_receiver() -> (AnalyticsEventsClient, mpsc::Receiver<AnalyticsFact>) {
    let (sender, receiver) = mpsc::channel(8);
    let queue = AnalyticsEventsQueue {
@@ -271,23 +222,3 @@ fn track_response_only_enqueues_analytics_relevant_responses() {
    );
    assert!(matches!(receiver.try_recv(), Err(TryRecvError::Empty)));
 }
-
-#[test]
-fn track_event_request_batches_only_isolates_accepted_line_fingerprint_events() {
-    let batches = track_event_request_batches(vec![
-        sample_regular_track_event("thread-1"),
-        sample_regular_track_event("thread-2"),
-        sample_accepted_line_fingerprint_event("thread-3"),
-        sample_accepted_line_fingerprint_event("thread-4"),
-        sample_regular_track_event("thread-5"),
-        sample_regular_track_event("thread-6"),
-    ]);
-
-    assert_eq!(batches.len(), 4);
-    assert_eq!(batches[0].len(), 2);
-    assert_eq!(batches[1].len(), 1);
-    assert_eq!(batches[2].len(), 1);
-    assert_eq!(batches[3].len(), 2);
-    assert!(batches[1][0].should_send_in_isolated_request());
-    assert!(batches[2][0].should_send_in_isolated_request());
-}
--- a/codex-rs/analytics/src/events.rs
+++ b/codex-rs/analytics/src/events.rs
@@ -1,6 +1,5 @@
 use std::time::Instant;

-use crate::facts::AcceptedLineFingerprint;
 use crate::facts::AppInvocation;
 use crate::facts::CodexCompactionEvent;
 use crate::facts::CompactionImplementation;
@@ -19,7 +18,6 @@ use crate::facts::TurnStatus;
 use crate::facts::TurnSteerRejectionReason;
 use crate::facts::TurnSteerResult;
 use crate::facts::TurnSubmissionType;
-use crate::now_unix_millis;
 use crate::now_unix_seconds;
 use codex_app_server_protocol::CodexErrorInfo;
 use codex_app_server_protocol::CommandExecutionSource;
@@ -72,7 +70,6 @@ pub(crate) enum TrackEventRequest {
    CollabAgentToolCall(CodexCollabAgentToolCallEventRequest),
    WebSearch(CodexWebSearchEventRequest),
    ImageGeneration(CodexImageGenerationEventRequest),
-    AcceptedLineFingerprints(Box<CodexAcceptedLineFingerprintsEventRequest>),
    #[allow(dead_code)]
    ReviewEvent(CodexReviewEventRequest),
    PluginUsed(CodexPluginUsedEventRequest),
@@ -82,32 +79,6 @@ pub(crate) enum TrackEventRequest {
    PluginDisabled(CodexPluginEventRequest),
 }

-impl TrackEventRequest {
-    pub(crate) fn should_send_in_isolated_request(&self) -> bool {
-        matches!(self, Self::AcceptedLineFingerprints(_))
-    }
-}
-
-#[derive(Serialize)]
-pub(crate) struct CodexAcceptedLineFingerprintsEventParams {
-    pub(crate) event_type: &'static str,
-    pub(crate) turn_id: String,
-    pub(crate) thread_id: String,
-    pub(crate) product_surface: Option<String>,
-    pub(crate) model_slug: Option<String>,
-    pub(crate) completed_at: u64,
-    pub(crate) repo_hash: Option<String>,
-    pub(crate) accepted_added_lines: u64,
-    pub(crate) accepted_deleted_lines: u64,
-    pub(crate) line_fingerprints: Vec<AcceptedLineFingerprint>,
-}
-
-#[derive(Serialize)]
-pub(crate) struct CodexAcceptedLineFingerprintsEventRequest {
-    pub(crate) event_type: &'static str,
-    pub(crate) event_params: CodexAcceptedLineFingerprintsEventParams,
-}
-
 #[derive(Serialize)]
 pub(crate) struct SkillInvocationEventRequest {
    pub(crate) event_type: &'static str,
@@ -290,7 +261,7 @@ pub struct GuardianReviewTrackContext {
    approval_request_source: GuardianApprovalRequestSource,
    reviewed_action: GuardianReviewedAction,
    review_timeout_ms: u64,
-    pub started_at_ms: u64,
+    started_at: u64,
    started_instant: Instant,
 }

@@ -312,7 +283,7 @@ impl GuardianReviewTrackContext {
            approval_request_source,
            reviewed_action,
            review_timeout_ms,
-            started_at_ms: now_unix_millis(),
+            started_at: now_unix_seconds(),
            started_instant: Instant::now(),
        }
    }
@@ -345,7 +316,7 @@ impl GuardianReviewTrackContext {
            tool_call_count: None,
            time_to_first_token_ms: result.time_to_first_token_ms,
            completion_latency_ms: Some(self.started_instant.elapsed().as_millis() as u64),
-            started_at: self.started_at_ms / 1_000,
+            started_at: self.started_at,
            completed_at: Some(now_unix_seconds()),
            input_tokens: result.token_usage.as_ref().map(|usage| usage.input_tokens),
            cached_input_tokens: result
--- a/codex-rs/analytics/src/facts.rs
+++ b/codex-rs/analytics/src/facts.rs
@@ -28,12 +28,6 @@ use codex_protocol::protocol::TokenUsage;
 use serde::Serialize;
 use std::path::PathBuf;

-#[derive(Clone, Debug, PartialEq, Eq, Serialize)]
-pub struct AcceptedLineFingerprint {
-    pub path_hash: String,
-    pub line_hash: String,
-}
-
 #[derive(Clone)]
 pub struct TrackEventsContext {
    pub model_slug: String,
@@ -302,7 +296,6 @@ pub(crate) enum AnalyticsFact {
        request: Box<ServerRequest>,
    },
    ServerResponse {
-        completed_at_ms: u64,
        response: Box<ServerResponse>,
    },
    Notification(Box<ServerNotification>),
--- a/codex-rs/analytics/src/lib.rs
+++ b/codex-rs/analytics/src/lib.rs
@@ -1,4 +1,3 @@
-mod accepted_lines;
 mod client;
 mod events;
 mod facts;
@@ -7,8 +6,6 @@ mod reducer;
 use std::time::SystemTime;
 use std::time::UNIX_EPOCH;

-pub use accepted_lines::accepted_line_fingerprints_from_unified_diff;
-pub use accepted_lines::fingerprint_hash;
 pub use client::AnalyticsEventsClient;
 pub use events::AppServerRpcTransport;
 pub use events::GuardianApprovalRequestSource;
@@ -20,7 +17,6 @@ pub use events::GuardianReviewSessionKind;
 pub use events::GuardianReviewTerminalStatus;
 pub use events::GuardianReviewTrackContext;
 pub use events::GuardianReviewedAction;
-pub use facts::AcceptedLineFingerprint;
 pub use facts::AnalyticsJsonRpcError;
 pub use facts::AppInvocation;
 pub use facts::CodexCompactionEvent;
--- a/codex-rs/analytics/src/reducer.rs
+++ b/codex-rs/analytics/src/reducer.rs
@@ -1,7 +1,3 @@
-use crate::accepted_lines::AcceptedLineFingerprintEventInput;
-use crate::accepted_lines::accepted_line_fingerprint_event_requests;
-use crate::accepted_lines::accepted_line_fingerprints_from_unified_diff;
-use crate::accepted_lines::accepted_line_repo_hash_for_cwd;
 use crate::events::AppServerRpcTransport;
 use crate::events::CodexAppMentionedEventRequest;
 use crate::events::CodexAppServerClientMetadata;
@@ -108,7 +104,6 @@ use codex_protocol::protocol::TokenUsage;
 use sha1::Digest;
 use std::collections::HashMap;
 use std::path::Path;
-use std::path::PathBuf;

 #[derive(Default)]
 pub(crate) struct AnalyticsReducer {
@@ -269,7 +264,6 @@ struct TurnState {
    started_at: Option<u64>,
    token_usage: Option<TokenUsage>,
    completed: Option<CompletedTurnState>,
-    latest_diff: Option<String>,
    steer_count: usize,
 }

@@ -311,7 +305,7 @@ impl AnalyticsReducer {
                response,
            } => {
                if let Some(response) = response.into_client_response(request_id) {
-                    self.ingest_response(connection_id, response, out).await;
+                    self.ingest_response(connection_id, response, out);
                }
            }
            AnalyticsFact::ErrorResponse {
@@ -323,7 +317,7 @@ impl AnalyticsReducer {
                self.ingest_error_response(connection_id, request_id, error_type, out);
            }
            AnalyticsFact::Notification(notification) => {
-                self.ingest_notification(*notification, out).await;
+                self.ingest_notification(*notification, out);
            }
            AnalyticsFact::ServerRequest {
                connection_id: _connection_id,
@@ -331,7 +325,6 @@ impl AnalyticsReducer {
            } => {}
            AnalyticsFact::ServerResponse {
                response: _response,
-                ..
            } => {}
            AnalyticsFact::Custom(input) => match input {
                CustomAnalyticsFact::SubAgentThreadStarted(input) => {
@@ -344,10 +337,10 @@ impl AnalyticsReducer {
                    self.ingest_guardian_review(*input, out);
                }
                CustomAnalyticsFact::TurnResolvedConfig(input) => {
-                    self.ingest_turn_resolved_config(*input, out).await;
+                    self.ingest_turn_resolved_config(*input, out);
                }
                CustomAnalyticsFact::TurnTokenUsage(input) => {
-                    self.ingest_turn_token_usage(*input, out).await;
+                    self.ingest_turn_token_usage(*input, out);
                }
                CustomAnalyticsFact::SkillInvoked(input) => {
                    self.ingest_skill_invoked(input, out).await;
@@ -479,7 +472,7 @@ impl AnalyticsReducer {
        }
    }

-    async fn ingest_turn_resolved_config(
+    fn ingest_turn_resolved_config(
        &mut self,
        input: TurnResolvedConfigFact,
        out: &mut Vec<TrackEventRequest>,
@@ -495,16 +488,15 @@ impl AnalyticsReducer {
            started_at: None,
            token_usage: None,
            completed: None,
-            latest_diff: None,
            steer_count: 0,
        });
        turn_state.thread_id = Some(thread_id);
        turn_state.num_input_images = Some(num_input_images);
        turn_state.resolved_config = Some(input);
-        self.maybe_emit_turn_event(&turn_id, out).await;
+        self.maybe_emit_turn_event(&turn_id, out);
    }

-    async fn ingest_turn_token_usage(
+    fn ingest_turn_token_usage(
        &mut self,
        input: TurnTokenUsageFact,
        out: &mut Vec<TrackEventRequest>,
@@ -518,12 +510,11 @@ impl AnalyticsReducer {
            started_at: None,
            token_usage: None,
            completed: None,
-            latest_diff: None,
            steer_count: 0,
        });
        turn_state.thread_id = Some(input.thread_id);
        turn_state.token_usage = Some(input.token_usage);
-        self.maybe_emit_turn_event(&turn_id, out).await;
+        self.maybe_emit_turn_event(&turn_id, out);
    }

    async fn ingest_skill_invoked(
@@ -630,7 +621,7 @@ impl AnalyticsReducer {
        });
    }

-    async fn ingest_response(
+    fn ingest_response(
        &mut self,
        connection_id: u64,
        response: ClientResponse,
@@ -682,13 +673,12 @@ impl AnalyticsReducer {
                    started_at: None,
                    token_usage: None,
                    completed: None,
-                    latest_diff: None,
                    steer_count: 0,
                });
                turn_state.connection_id = Some(connection_id);
                turn_state.thread_id = Some(pending_request.thread_id);
                turn_state.num_input_images = Some(pending_request.num_input_images);
-                self.maybe_emit_turn_event(&turn_id, out).await;
+                self.maybe_emit_turn_event(&turn_id, out);
            }
            ClientResponse::TurnSteer {
                request_id,
@@ -750,7 +740,7 @@ impl AnalyticsReducer {
        );
    }

-    async fn ingest_notification(
+    fn ingest_notification(
        &mut self,
        notification: ServerNotification,
        out: &mut Vec<TrackEventRequest>,
@@ -821,7 +811,6 @@ impl AnalyticsReducer {
                    started_at: None,
                    token_usage: None,
                    completed: None,
-                    latest_diff: None,
                    steer_count: 0,
                });
                turn_state.started_at = notification
@@ -829,24 +818,6 @@ impl AnalyticsReducer {
                    .started_at
                    .and_then(|started_at| u64::try_from(started_at).ok());
            }
-            ServerNotification::TurnDiffUpdated(notification) => {
-                let turn_state =
-                    self.turns
-                        .entry(notification.turn_id.clone())
-                        .or_insert(TurnState {
-                            connection_id: None,
-                            thread_id: None,
-                            num_input_images: None,
-                            resolved_config: None,
-                            started_at: None,
-                            token_usage: None,
-                            completed: None,
-                            latest_diff: None,
-                            steer_count: 0,
-                        });
-                turn_state.thread_id = Some(notification.thread_id);
-                turn_state.latest_diff = Some(notification.diff);
-            }
            ServerNotification::TurnCompleted(notification) => {
                let turn_state =
                    self.turns
@@ -859,7 +830,6 @@ impl AnalyticsReducer {
                            started_at: None,
                            token_usage: None,
                            completed: None,
-                            latest_diff: None,
                            steer_count: 0,
                        });
                turn_state.completed = Some(CompletedTurnState {
@@ -879,7 +849,7 @@ impl AnalyticsReducer {
                        .and_then(|duration_ms| u64::try_from(duration_ms).ok()),
                });
                let turn_id = notification.turn.id;
-                self.maybe_emit_turn_event(&turn_id, out).await;
+                self.maybe_emit_turn_event(&turn_id, out);
            }
            _ => {}
        }
@@ -1015,7 +985,7 @@ impl AnalyticsReducer {
        }));
    }

-    async fn maybe_emit_turn_event(&mut self, turn_id: &str, out: &mut Vec<TrackEventRequest>) {
+    fn maybe_emit_turn_event(&mut self, turn_id: &str, out: &mut Vec<TrackEventRequest>) {
        let Some(turn_state) = self.turns.get(turn_id) else {
            return;
        };
@@ -1048,23 +1018,18 @@ impl AnalyticsReducer {
            warn_missing_analytics_context(&drop_site, MissingAnalyticsContext::ThreadMetadata);
            return;
        };
-        let turn_event = TrackEventRequest::TurnEvent(Box::new(CodexTurnEventRequest {
-            event_type: "codex_turn_event",
-            event_params: codex_turn_event_params(
-                connection_state.app_server_client.clone(),
-                connection_state.runtime.clone(),
-                turn_id.to_string(),
-                turn_state,
-                thread_metadata,
-            ),
-        }));
-        let accepted_line_event = accepted_line_event_input(turn_id, turn_state);
-
-        out.push(turn_event);
-        if let Some((mut input, cwd)) = accepted_line_event {
-            input.repo_hash = accepted_line_repo_hash_for_cwd(cwd.as_path()).await;
-            out.extend(accepted_line_fingerprint_event_requests(input));
-        }
+        out.push(TrackEventRequest::TurnEvent(Box::new(
+            CodexTurnEventRequest {
+                event_type: "codex_turn_event",
+                event_params: codex_turn_event_params(
+                    connection_state.app_server_client.clone(),
+                    connection_state.runtime.clone(),
+                    turn_id.to_string(),
+                    turn_state,
+                    thread_metadata,
+                ),
+            },
+        )));
        self.turns.remove(turn_id);
    }

@@ -1676,36 +1641,6 @@ fn web_search_query_count(query: &str, action: Option<&WebSearchAction>) -> Opti
    }
 }

-fn accepted_line_event_input(
-    turn_id: &str,
-    turn_state: &TurnState,
-) -> Option<(AcceptedLineFingerprintEventInput, PathBuf)> {
-    let latest_diff = turn_state.latest_diff.as_deref()?;
-    let summary = accepted_line_fingerprints_from_unified_diff(latest_diff);
-    if summary.accepted_added_lines == 0 && summary.accepted_deleted_lines == 0 {
-        return None;
-    }
-
-    let thread_id = turn_state.thread_id.clone()?;
-    let resolved_config = turn_state.resolved_config.clone()?;
-
-    Some((
-        AcceptedLineFingerprintEventInput {
-            event_type: "codex.accepted_line_fingerprints",
-            turn_id: turn_id.to_string(),
-            thread_id,
-            product_surface: Some("codex".to_string()),
-            model_slug: Some(resolved_config.model.clone()),
-            completed_at: now_unix_seconds(),
-            repo_hash: None,
-            accepted_added_lines: summary.accepted_added_lines,
-            accepted_deleted_lines: summary.accepted_deleted_lines,
-            line_fingerprints: summary.line_fingerprints,
-        },
-        resolved_config.permission_profile_cwd,
-    ))
-}
-
 fn codex_turn_event_params(
    app_server_client: CodexAppServerClientMetadata,
    runtime: CodexRuntimeMetadata,
--- a/codex-rs/ansi-escape/Cargo.toml
+++ b/codex-rs/ansi-escape/Cargo.toml
@@ -7,8 +7,6 @@ license.workspace = true
 [lib]
 name = "codex_ansi_escape"
 path = "src/lib.rs"
-test = false
-doctest = false

 [lints]
 workspace = true
--- a/codex-rs/app-server-client/Cargo.toml
+++ b/codex-rs/app-server-client/Cargo.toml
@@ -7,7 +7,6 @@ license.workspace = true
 [lib]
 name = "codex_app_server_client"
 path = "src/lib.rs"
-doctest = false

 [lints]
 workspace = true
--- a/codex-rs/app-server-client/src/lib.rs
+++ b/codex-rs/app-server-client/src/lib.rs
@@ -49,6 +49,7 @@ use codex_config::RemoteThreadConfigLoader;
 use codex_config::ThreadConfigLoader;
 use codex_core::config::Config;
 pub use codex_exec_server::EnvironmentManager;
+pub use codex_exec_server::EnvironmentManagerArgs;
 pub use codex_exec_server::ExecServerRuntimePaths;
 use codex_feedback::CodexFeedback;
 use codex_protocol::protocol::SessionSource;
@@ -374,7 +375,6 @@ impl InProcessClientStartArgs {
    pub fn initialize_params(&self) -> InitializeParams {
        let capabilities = InitializeCapabilities {
            experimental_api: self.experimental_api,
-            request_attestation: false,
            opt_out_notification_methods: if self.opt_out_notification_methods.is_empty() {
                None
            } else {
--- a/codex-rs/app-server-client/src/remote.rs
+++ b/codex-rs/app-server-client/src/remote.rs
@@ -73,7 +73,6 @@ impl RemoteAppServerConnectArgs {
    fn initialize_params(&self) -> InitializeParams {
        let capabilities = InitializeCapabilities {
            experimental_api: self.experimental_api,
-            request_attestation: false,
            opt_out_notification_methods: if self.opt_out_notification_methods.is_empty() {
                None
            } else {
--- a/codex-rs/app-server-daemon/BUILD.bazel
+++ b/codex-rs/app-server-daemon/BUILD.bazel
@@ -1,6 +0,0 @@
-load("//:defs.bzl", "codex_rust_crate")
-
-codex_rust_crate(
-    name = "app-server-daemon",
-    crate_name = "codex_app_server_daemon",
-)
--- a/codex-rs/app-server-daemon/Cargo.toml
+++ b/codex-rs/app-server-daemon/Cargo.toml
@@ -1,39 +0,0 @@
-[package]
-name = "codex-app-server-daemon"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
-
-[lib]
-name = "codex_app_server_daemon"
-path = "src/lib.rs"
-doctest = false
-
-[lints]
-workspace = true
-
-[dependencies]
-anyhow = { workspace = true }
-codex-app-server-protocol = { workspace = true }
-codex-app-server-transport = { workspace = true }
-codex-core = { workspace = true }
-codex-uds = { workspace = true }
-futures = { workspace = true }
-libc = { workspace = true }
-reqwest = { workspace = true, features = ["rustls-tls"] }
-serde = { workspace = true, features = ["derive"] }
-serde_json = { workspace = true }
-tokio = { workspace = true, features = [
-    "fs",
-    "io-util",
-    "macros",
-    "process",
-    "rt-multi-thread",
-    "signal",
-    "time",
-] }
-tokio-tungstenite = { workspace = true }
-
-[dev-dependencies]
-pretty_assertions = { workspace = true }
-tempfile = { workspace = true }
--- a/codex-rs/app-server-daemon/README.md
+++ b/codex-rs/app-server-daemon/README.md
@@ -1,104 +0,0 @@
-# codex-app-server-daemon
-
-> `codex-app-server-daemon` is experimental and its lifecycle contract may
-> change while the remote-management flow is still being developed.
-
-`codex-app-server-daemon` backs the machine-readable `codex app-server`
-lifecycle commands used by remote clients such as the desktop and mobile apps.
-It is intended for Codex instances launched over SSH, including fresh developer
-machines that should expose app-server with `remote_control` enabled.
-
-## Platform support
-
-The current daemon implementation is Unix-only. It uses pidfile-backed
-daemonization plus Unix process and file-locking primitives, and does not yet
-support Windows lifecycle management.
-
-## Commands
-
-```sh
-codex app-server daemon start
-codex app-server daemon restart
-codex app-server daemon enable-remote-control
-codex app-server daemon disable-remote-control
-codex app-server daemon stop
-codex app-server daemon version
-codex app-server daemon bootstrap --remote-control
-```
-
-On success, every command writes exactly one JSON object to stdout. Consumers
-should parse that JSON rather than relying on human-readable text. Lifecycle
-responses report the resolved backend, socket path, local CLI version, and
-running app-server version when applicable.
-
-## Bootstrap flow
-
-For a new remote machine:
-
-```sh
-curl -fsSL https://chatgpt.com/codex/install.sh | sh
-$HOME/.codex/packages/standalone/current/codex app-server daemon bootstrap --remote-control
-```
-
-`bootstrap` requires the standalone managed install. It records the daemon
-settings under `CODEX_HOME/app-server-daemon/`, starts app-server as a
-pidfile-backed detached process, and launches a detached updater loop.
-
-## Installation and update cases
-
-The daemon assumes Codex is installed through `install.sh` and always launches
-the standalone managed binary under `CODEX_HOME`.
-
-| Situation | What starts | Does this daemon fetch new binaries? | Does a running app-server eventually move to a newer binary on its own? |
-| --- | --- | --- | --- |
-| `install.sh` has run, but only `start` is used | `start` uses `CODEX_HOME/packages/standalone/current/codex` | No | No. The managed path is used when starting or restarting, but no updater is installed. |
-| `install.sh` has run, then `bootstrap` is used | The pidfile backend uses `CODEX_HOME/packages/standalone/current/codex` | Yes. Bootstrap launches a detached updater loop that runs `install.sh` hourly. | Yes, while that updater process is alive. After a successful fetch, it restarts a currently running app-server only when the managed binary reports a different version. |
-| Some other tool updates the managed binary path | The next fresh start or restart uses the updated file at that path | No | Not automatically. The existing process keeps the old executable image until an explicit `restart`. |
-
-### Standalone installs
-
-For installs created by `install.sh`:
-
- lifecycle commands always use the standalone managed binary path
- `bootstrap` is supported
- `bootstrap` starts a detached pid-backed updater loop that fetches via
-  `install.sh`, then restarts app-server if it is running on a different version
- the updater loop is not reboot-persistent; it must be started again by
-  rerunning `bootstrap` after a reboot
-
-### Out-of-band updates
-
-This daemon does not watch arbitrary executable files for replacement. If some
-other tool updates a binary that the daemon would use on its next launch:
-
- a currently running app-server remains on the old executable image
- `restart` will launch the updated binary
- for bootstrapped daemons, the detached updater loop only reacts to updates it
-  fetched itself; it does not watch arbitrary file replacement
-
-## Lifecycle semantics
-
-`start` is idempotent and returns after app-server is ready to answer the normal
-JSON-RPC initialize handshake on the Unix control socket.
-
-`restart` stops any managed daemon and starts it again.
-
-`enable-remote-control` and `disable-remote-control` persist the launch setting
-for future starts. If a managed app-server is already running, they restart it
-so the new setting takes effect immediately.
-
-`stop` sends a graceful termination request first, then sends a second
-termination signal after the grace window if the process is still alive.
-
-All mutating lifecycle commands are serialized per `CODEX_HOME`, so a concurrent
-`start`, `restart`, `enable-remote-control`, `disable-remote-control`, `stop`,
-or `bootstrap` does not race another in-flight lifecycle operation.
-
-## State
-
-The daemon stores its local state under `CODEX_HOME/app-server-daemon/`:
-
- `settings.json` for persisted launch settings
- `app-server.pid` for the app-server process record
- `app-server-updater.pid` for the pid-backed standalone updater loop
- `daemon.lock` for daemon-wide lifecycle serialization
--- a/codex-rs/app-server-daemon/src/backend/mod.rs
+++ b/codex-rs/app-server-daemon/src/backend/mod.rs
@@ -1,33 +0,0 @@
-mod pid;
-
-use std::path::PathBuf;
-
-use serde::Serialize;
-
-pub(crate) use pid::PidBackend;
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize)]
-#[serde(rename_all = "camelCase")]
-pub enum BackendKind {
-    Pid,
-}
-
-#[derive(Debug, Clone)]
-pub(crate) struct BackendPaths {
-    pub(crate) codex_bin: PathBuf,
-    pub(crate) pid_file: PathBuf,
-    pub(crate) update_pid_file: PathBuf,
-    pub(crate) remote_control_enabled: bool,
-}
-
-pub(crate) fn pid_backend(paths: BackendPaths) -> PidBackend {
-    PidBackend::new(
-        paths.codex_bin,
-        paths.pid_file,
-        paths.remote_control_enabled,
-    )
-}
-
-pub(crate) fn pid_update_loop_backend(paths: BackendPaths) -> PidBackend {
-    PidBackend::new_update_loop(paths.codex_bin, paths.update_pid_file)
-}
--- a/codex-rs/app-server-daemon/src/backend/pid.rs
+++ b/codex-rs/app-server-daemon/src/backend/pid.rs
@@ -1,600 +0,0 @@
-use std::path::Path;
-use std::path::PathBuf;
-#[cfg(unix)]
-use std::process::Stdio;
-use std::time::Duration;
-
-use anyhow::Context;
-use anyhow::Result;
-use anyhow::bail;
-use serde::Deserialize;
-use serde::Serialize;
-use tokio::fs;
-#[cfg(unix)]
-use tokio::process::Command;
-use tokio::time::sleep;
-
-const STOP_POLL_INTERVAL: Duration = Duration::from_millis(50);
-const STOP_GRACE_PERIOD: Duration = Duration::from_secs(60);
-const STOP_TIMEOUT: Duration = Duration::from_secs(70);
-const START_TIMEOUT: Duration = Duration::from_secs(10);
-
-#[derive(Debug)]
-#[cfg_attr(not(unix), allow(dead_code))]
-pub(crate) struct PidBackend {
-    codex_bin: PathBuf,
-    pid_file: PathBuf,
-    lock_file: PathBuf,
-    command_kind: PidCommandKind,
-}
-
-#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
-#[serde(rename_all = "camelCase")]
-struct PidRecord {
-    pid: u32,
-    process_start_time: String,
-}
-
-#[derive(Debug, Clone, PartialEq, Eq)]
-enum PidFileState {
-    Missing,
-    Starting,
-    Running(PidRecord),
-}
-
-#[derive(Debug, Clone, Copy)]
-#[cfg_attr(not(unix), allow(dead_code))]
-enum PidCommandKind {
-    AppServer { remote_control_enabled: bool },
-    UpdateLoop,
-}
-
-impl PidBackend {
-    pub(crate) fn new(codex_bin: PathBuf, pid_file: PathBuf, remote_control_enabled: bool) -> Self {
-        let lock_file = pid_file.with_extension("pid.lock");
-        Self {
-            codex_bin,
-            pid_file,
-            lock_file,
-            command_kind: PidCommandKind::AppServer {
-                remote_control_enabled,
-            },
-        }
-    }
-
-    pub(crate) fn new_update_loop(codex_bin: PathBuf, pid_file: PathBuf) -> Self {
-        let lock_file = pid_file.with_extension("pid.lock");
-        Self {
-            codex_bin,
-            pid_file,
-            lock_file,
-            command_kind: PidCommandKind::UpdateLoop,
-        }
-    }
-
-    pub(crate) async fn is_starting_or_running(&self) -> Result<bool> {
-        loop {
-            match self.read_pid_file_state().await? {
-                PidFileState::Missing => return Ok(false),
-                PidFileState::Starting => return Ok(true),
-                PidFileState::Running(record) => {
-                    if self.record_is_active(&record).await? {
-                        return Ok(true);
-                    }
-                    match self.refresh_after_stale_record(&record).await? {
-                        PidFileState::Missing => return Ok(false),
-                        PidFileState::Starting | PidFileState::Running(_) => continue,
-                    }
-                }
-            }
-        }
-    }
-
-    #[cfg(unix)]
-    pub(crate) async fn start(&self) -> Result<Option<u32>> {
-        if let Some(parent) = self.pid_file.parent() {
-            fs::create_dir_all(parent)
-                .await
-                .with_context(|| format!("failed to create pid directory {}", parent.display()))?;
-        }
-        let reservation_lock = self.acquire_reservation_lock().await?;
-        let _pid_file = loop {
-            match fs::OpenOptions::new()
-                .create_new(true)
-                .write(true)
-                .open(&self.pid_file)
-                .await
-            {
-                Ok(pid_file) => break pid_file,
-                Err(err) if err.kind() == std::io::ErrorKind::AlreadyExists => {
-                    match self.read_pid_file_state_with_lock_held().await? {
-                        PidFileState::Missing => continue,
-                        PidFileState::Running(record) => {
-                            if self.record_is_active(&record).await? {
-                                return Ok(None);
-                            }
-                            let _ = fs::remove_file(&self.pid_file).await;
-                            continue;
-                        }
-                        PidFileState::Starting => {
-                            unreachable!("lock holder cannot observe starting")
-                        }
-                    }
-                }
-                Err(err) => {
-                    return Err(err).with_context(|| {
-                        format!("failed to reserve pid file {}", self.pid_file.display())
-                    });
-                }
-            }
-        };
-        let mut command = Command::new(&self.codex_bin);
-        command
-            .args(self.command_args())
-            .stdin(Stdio::null())
-            .stdout(Stdio::null())
-            .stderr(Stdio::null());
-
-        #[cfg(unix)]
-        {
-            unsafe {
-                command.pre_exec(|| {
-                    if libc::setsid() == -1 {
-                        return Err(std::io::Error::last_os_error());
-                    }
-                    Ok(())
-                });
-            }
-        }
-
-        let child = match command.spawn() {
-            Ok(child) => child,
-            Err(err) => {
-                let _ = fs::remove_file(&self.pid_file).await;
-                return Err(err).with_context(|| {
-                    format!(
-                        "failed to spawn detached app-server process using {}",
-                        self.codex_bin.display()
-                    )
-                });
-            }
-        };
-        let pid = child
-            .id()
-            .context("spawned app-server process has no pid")?;
-        let record = match read_process_start_time(pid).await {
-            Ok(process_start_time) => PidRecord {
-                pid,
-                process_start_time,
-            },
-            Err(err) => {
-                let _ = self.terminate_process(pid);
-                let _ = fs::remove_file(&self.pid_file).await;
-                return Err(err);
-            }
-        };
-        let contents = serde_json::to_vec(&record).context("failed to serialize pid record")?;
-        let temp_pid_file = self.pid_file.with_extension("pid.tmp");
-        if let Err(err) = fs::write(&temp_pid_file, &contents).await {
-            let _ = self.terminate_process(pid);
-            let _ = fs::remove_file(&self.pid_file).await;
-            return Err(err).with_context(|| {
-                format!("failed to write pid temp file {}", temp_pid_file.display())
-            });
-        }
-        if let Err(err) = fs::rename(&temp_pid_file, &self.pid_file).await {
-            let _ = self.terminate_process(pid);
-            let _ = fs::remove_file(&temp_pid_file).await;
-            let _ = fs::remove_file(&self.pid_file).await;
-            return Err(err).with_context(|| {
-                format!("failed to publish pid file {}", self.pid_file.display())
-            });
-        }
-        drop(reservation_lock);
-        Ok(Some(pid))
-    }
-
-    #[cfg(not(unix))]
-    pub(crate) async fn start(&self) -> Result<Option<u32>> {
-        bail!("pid-managed app-server startup is unsupported on this platform")
-    }
-
-    pub(crate) async fn stop(&self) -> Result<()> {
-        loop {
-            let Some(record) = self.wait_for_pid_start().await? else {
-                return Ok(());
-            };
-            if !self.record_is_active(&record).await? {
-                match self.refresh_after_stale_record(&record).await? {
-                    PidFileState::Missing => return Ok(()),
-                    PidFileState::Starting | PidFileState::Running(_) => continue,
-                }
-            }
-
-            let pid = record.pid;
-            self.terminate_process(pid)?;
-            let started_at = tokio::time::Instant::now();
-            let deadline = tokio::time::Instant::now() + STOP_TIMEOUT;
-            let mut forced = false;
-            while tokio::time::Instant::now() < deadline {
-                if !self.record_is_active(&record).await? {
-                    match self.refresh_after_stale_record(&record).await? {
-                        PidFileState::Missing => return Ok(()),
-                        PidFileState::Starting | PidFileState::Running(_) => break,
-                    }
-                }
-                if !forced && started_at.elapsed() >= STOP_GRACE_PERIOD {
-                    self.force_terminate_process(pid)?;
-                    forced = true;
-                }
-                sleep(STOP_POLL_INTERVAL).await;
-            }
-
-            if self.record_is_active(&record).await? {
-                bail!("timed out waiting for pid-managed app server {pid} to stop");
-            }
-        }
-    }
-
-    async fn wait_for_pid_start(&self) -> Result<Option<PidRecord>> {
-        let deadline = tokio::time::Instant::now() + START_TIMEOUT;
-        loop {
-            match self.read_pid_file_state().await? {
-                PidFileState::Missing => return Ok(None),
-                PidFileState::Running(record) => return Ok(Some(record)),
-                PidFileState::Starting if tokio::time::Instant::now() < deadline => {
-                    sleep(STOP_POLL_INTERVAL).await;
-                }
-                PidFileState::Starting => {
-                    bail!(
-                        "timed out waiting for pid reservation in {} to finish initializing",
-                        self.pid_file.display()
-                    );
-                }
-            }
-        }
-    }
-
-    async fn read_pid_file_state(&self) -> Result<PidFileState> {
-        let contents = match fs::read_to_string(&self.pid_file).await {
-            Ok(contents) => contents,
-            Err(err) if err.kind() == std::io::ErrorKind::NotFound => {
-                return if reservation_lock_is_active(&self.lock_file).await? {
-                    Ok(PidFileState::Starting)
-                } else {
-                    Ok(PidFileState::Missing)
-                };
-            }
-            Err(err) => {
-                return Err(err).with_context(|| {
-                    format!("failed to read pid file {}", self.pid_file.display())
-                });
-            }
-        };
-        if contents.trim().is_empty() {
-            match inspect_empty_pid_reservation(&self.pid_file, &self.lock_file).await? {
-                EmptyPidReservation::Active => {
-                    return Ok(PidFileState::Starting);
-                }
-                EmptyPidReservation::Stale => {
-                    return Ok(PidFileState::Missing);
-                }
-                EmptyPidReservation::Record(record) => return Ok(PidFileState::Running(record)),
-            }
-        }
-        let record = serde_json::from_str(&contents)
-            .with_context(|| format!("invalid pid file contents in {}", self.pid_file.display()))?;
-        Ok(PidFileState::Running(record))
-    }
-
-    async fn read_pid_file_state_with_lock_held(&self) -> Result<PidFileState> {
-        let contents = match fs::read_to_string(&self.pid_file).await {
-            Ok(contents) => contents,
-            Err(err) if err.kind() == std::io::ErrorKind::NotFound => {
-                return Ok(PidFileState::Missing);
-            }
-            Err(err) => {
-                return Err(err).with_context(|| {
-                    format!("failed to read pid file {}", self.pid_file.display())
-                });
-            }
-        };
-        if contents.trim().is_empty() {
-            let _ = fs::remove_file(&self.pid_file).await;
-            return Ok(PidFileState::Missing);
-        }
-        let record = serde_json::from_str(&contents)
-            .with_context(|| format!("invalid pid file contents in {}", self.pid_file.display()))?;
-        Ok(PidFileState::Running(record))
-    }
-
-    async fn refresh_after_stale_record(&self, expected: &PidRecord) -> Result<PidFileState> {
-        let reservation_lock = self.acquire_reservation_lock().await?;
-        let state = match self.read_pid_file_state_with_lock_held().await? {
-            PidFileState::Running(record) if record == *expected => {
-                let _ = fs::remove_file(&self.pid_file).await;
-                PidFileState::Missing
-            }
-            state => state,
-        };
-        drop(reservation_lock);
-        Ok(state)
-    }
-
-    async fn acquire_reservation_lock(&self) -> Result<fs::File> {
-        let reservation_lock = fs::OpenOptions::new()
-            .create(true)
-            .truncate(false)
-            .write(true)
-            .open(&self.lock_file)
-            .await
-            .with_context(|| {
-                format!("failed to open pid lock file {}", self.lock_file.display())
-            })?;
-        let lock_deadline = tokio::time::Instant::now() + START_TIMEOUT;
-        while !try_lock_file(&reservation_lock)? {
-            if tokio::time::Instant::now() >= lock_deadline {
-                bail!(
-                    "timed out waiting for pid lock {}",
-                    self.lock_file.display()
-                );
-            }
-            sleep(STOP_POLL_INTERVAL).await;
-        }
-        Ok(reservation_lock)
-    }
-
-    #[cfg(unix)]
-    fn command_args(&self) -> Vec<&'static str> {
-        match self.command_kind {
-            PidCommandKind::AppServer {
-                remote_control_enabled: true,
-            } => vec![
-                "--enable",
-                "remote_control",
-                "app-server",
-                "--listen",
-                "unix://",
-            ],
-            PidCommandKind::AppServer {
-                remote_control_enabled: false,
-            } => vec!["app-server", "--listen", "unix://"],
-            PidCommandKind::UpdateLoop => vec!["app-server", "daemon", "pid-update-loop"],
-        }
-    }
-
-    fn terminate_process(&self, pid: u32) -> Result<()> {
-        match self.command_kind {
-            PidCommandKind::AppServer { .. } => terminate_process(pid),
-            PidCommandKind::UpdateLoop => terminate_process(pid),
-        }
-    }
-
-    fn force_terminate_process(&self, pid: u32) -> Result<()> {
-        match self.command_kind {
-            PidCommandKind::AppServer { .. } => force_terminate_process(pid),
-            PidCommandKind::UpdateLoop => force_terminate_process_group(pid),
-        }
-    }
-
-    async fn record_is_active(&self, record: &PidRecord) -> Result<bool> {
-        process_matches_record(record).await
-    }
-}
-
-#[cfg(unix)]
-fn process_exists(pid: u32) -> bool {
-    let Ok(pid) = libc::pid_t::try_from(pid) else {
-        return false;
-    };
-    let result = unsafe { libc::kill(pid, 0) };
-    result == 0 || std::io::Error::last_os_error().raw_os_error() == Some(libc::EPERM)
-}
-
-#[cfg(unix)]
-fn terminate_process(pid: u32) -> Result<()> {
-    let raw_pid = libc::pid_t::try_from(pid)
-        .with_context(|| format!("pid-managed app server pid {pid} is out of range"))?;
-    let result = unsafe { libc::kill(raw_pid, libc::SIGTERM) };
-    if result == 0 {
-        return Ok(());
-    }
-    let err = std::io::Error::last_os_error();
-    if err.raw_os_error() == Some(libc::ESRCH) {
-        return Ok(());
-    }
-    Err(err).with_context(|| format!("failed to terminate pid-managed app server {pid}"))
-}
-
-#[cfg(unix)]
-fn force_terminate_process(pid: u32) -> Result<()> {
-    let raw_pid = libc::pid_t::try_from(pid)
-        .with_context(|| format!("pid-managed app server pid {pid} is out of range"))?;
-    let result = unsafe { libc::kill(raw_pid, libc::SIGKILL) };
-    if result == 0 {
-        return Ok(());
-    }
-    let err = std::io::Error::last_os_error();
-    if err.raw_os_error() == Some(libc::ESRCH) {
-        return Ok(());
-    }
-    Err(err).with_context(|| format!("failed to force terminate pid-managed app server {pid}"))
-}
-
-#[cfg(unix)]
-fn force_terminate_process_group(pid: u32) -> Result<()> {
-    let raw_pid = libc::pid_t::try_from(pid)
-        .with_context(|| format!("pid-managed updater pid {pid} is out of range"))?;
-    let result = unsafe { libc::kill(-raw_pid, libc::SIGKILL) };
-    if result == 0 {
-        return Ok(());
-    }
-    let err = std::io::Error::last_os_error();
-    if err.raw_os_error() == Some(libc::ESRCH) {
-        return Ok(());
-    }
-    Err(err).with_context(|| format!("failed to force terminate pid-managed updater group {pid}"))
-}
-
-#[cfg(not(unix))]
-fn terminate_process(_pid: u32) -> Result<()> {
-    bail!("pid-managed app-server shutdown is unsupported on this platform")
-}
-
-#[cfg(not(unix))]
-fn force_terminate_process(_pid: u32) -> Result<()> {
-    bail!("pid-managed app-server shutdown is unsupported on this platform")
-}
-
-#[cfg(not(unix))]
-fn force_terminate_process_group(_pid: u32) -> Result<()> {
-    bail!("pid-managed updater shutdown is unsupported on this platform")
-}
-
-#[cfg(unix)]
-async fn process_matches_record(record: &PidRecord) -> Result<bool> {
-    if !process_exists(record.pid) {
-        return Ok(false);
-    }
-
-    match read_process_start_time(record.pid).await {
-        Ok(start_time) => Ok(start_time == record.process_start_time),
-        Err(_err) if !process_exists(record.pid) => Ok(false),
-        Err(err) => Err(err),
-    }
-}
-
-#[cfg(not(unix))]
-async fn process_matches_record(_record: &PidRecord) -> Result<bool> {
-    Ok(false)
-}
-
-#[derive(Debug, Clone, PartialEq, Eq)]
-#[cfg_attr(not(unix), allow(dead_code))]
-enum EmptyPidReservation {
-    Active,
-    Stale,
-    Record(PidRecord),
-}
-
-#[cfg(unix)]
-fn try_lock_file(file: &fs::File) -> Result<bool> {
-    use std::os::fd::AsRawFd;
-
-    let result = unsafe { libc::flock(file.as_raw_fd(), libc::LOCK_EX | libc::LOCK_NB) };
-    if result == 0 {
-        return Ok(true);
-    }
-
-    let err = std::io::Error::last_os_error();
-    if err.raw_os_error() == Some(libc::EWOULDBLOCK) {
-        return Ok(false);
-    }
-    Err(err).context("failed to lock pid reservation")
-}
-
-#[cfg(not(unix))]
-fn try_lock_file(_file: &fs::File) -> Result<bool> {
-    bail!("pid-managed app-server startup is unsupported on this platform")
-}
-
-#[cfg(unix)]
-async fn reservation_lock_is_active(path: &Path) -> Result<bool> {
-    let file = match fs::OpenOptions::new()
-        .write(true)
-        .create(true)
-        .truncate(false)
-        .open(path)
-        .await
-    {
-        Ok(file) => file,
-        Err(err) if err.kind() == std::io::ErrorKind::NotFound => {
-            return Ok(false);
-        }
-        Err(err) => {
-            return Err(err)
-                .with_context(|| format!("failed to inspect pid lock file {}", path.display()));
-        }
-    };
-    Ok(!try_lock_file(&file)?)
-}
-
-#[cfg(not(unix))]
-async fn reservation_lock_is_active(_path: &Path) -> Result<bool> {
-    Ok(false)
-}
-
-#[cfg(unix)]
-async fn inspect_empty_pid_reservation(
-    pid_path: &Path,
-    lock_path: &Path,
-) -> Result<EmptyPidReservation> {
-    let file = match fs::OpenOptions::new()
-        .write(true)
-        .create(true)
-        .truncate(false)
-        .open(lock_path)
-        .await
-    {
-        Ok(file) => file,
-        Err(err) => {
-            return Err(err).with_context(|| {
-                format!("failed to inspect pid lock file {}", lock_path.display())
-            });
-        }
-    };
-    if !try_lock_file(&file)? {
-        return Ok(EmptyPidReservation::Active);
-    }
-
-    let contents = match fs::read_to_string(pid_path).await {
-        Ok(contents) => contents,
-        Err(err) if err.kind() == std::io::ErrorKind::NotFound => {
-            return Ok(EmptyPidReservation::Stale);
-        }
-        Err(err) => {
-            return Err(err)
-                .with_context(|| format!("failed to reread pid file {}", pid_path.display()));
-        }
-    };
-    if contents.trim().is_empty() {
-        let _ = fs::remove_file(pid_path).await;
-        return Ok(EmptyPidReservation::Stale);
-    }
-
-    let record = serde_json::from_str(&contents)
-        .with_context(|| format!("invalid pid file contents in {}", pid_path.display()))?;
-    Ok(EmptyPidReservation::Record(record))
-}
-
-#[cfg(not(unix))]
-async fn inspect_empty_pid_reservation(
-    _pid_path: &Path,
-    _lock_path: &Path,
-) -> Result<EmptyPidReservation> {
-    Ok(EmptyPidReservation::Stale)
-}
-
-#[cfg(unix)]
-async fn read_process_start_time(pid: u32) -> Result<String> {
-    let output = Command::new("ps")
-        .args(["-p", &pid.to_string(), "-o", "lstart="])
-        .output()
-        .await
-        .context("failed to invoke ps for pid-managed app server")?;
-    if !output.status.success() {
-        bail!("failed to read start time for pid-managed app server {pid}");
-    }
-
-    let start_time = String::from_utf8(output.stdout)
-        .context("pid-managed app server start time was not utf-8")?;
-    let start_time = start_time.trim();
-    if start_time.is_empty() {
-        bail!("pid-managed app server {pid} has no recorded start time");
-    }
-    Ok(start_time.to_string())
-}
-
-#[cfg(all(test, unix))]
-#[path = "pid_tests.rs"]
-mod tests;
--- a/codex-rs/app-server-daemon/src/backend/pid_tests.rs
+++ b/codex-rs/app-server-daemon/src/backend/pid_tests.rs
@@ -1,158 +0,0 @@
-use std::time::Duration;
-
-use pretty_assertions::assert_eq;
-use tempfile::TempDir;
-
-use super::PidBackend;
-use super::PidCommandKind;
-use super::PidFileState;
-use super::PidRecord;
-use super::try_lock_file;
-
-#[tokio::test]
-async fn locked_empty_pid_file_is_treated_as_active_reservation() {
-    let temp_dir = TempDir::new().expect("temp dir");
-    let pid_file = temp_dir.path().join("app-server.pid");
-    tokio::fs::write(&pid_file, "")
-        .await
-        .expect("write pid file");
-    let backend = PidBackend::new(
-        temp_dir.path().join("codex"),
-        pid_file.clone(),
-        /*remote_control_enabled*/ false,
-    );
-    let reservation = tokio::fs::OpenOptions::new()
-        .create(true)
-        .truncate(false)
-        .write(true)
-        .open(&backend.lock_file)
-        .await
-        .expect("open pid lock file");
-    assert!(try_lock_file(&reservation).expect("lock reservation"));
-
-    assert_eq!(
-        backend.read_pid_file_state().await.expect("read pid"),
-        PidFileState::Starting
-    );
-    assert!(pid_file.exists());
-}
-
-#[tokio::test]
-async fn unlocked_empty_pid_file_is_treated_as_stale_reservation() {
-    let temp_dir = TempDir::new().expect("temp dir");
-    let pid_file = temp_dir.path().join("app-server.pid");
-    tokio::fs::write(&pid_file, "")
-        .await
-        .expect("write pid file");
-    let backend = PidBackend::new(
-        temp_dir.path().join("codex"),
-        pid_file.clone(),
-        /*remote_control_enabled*/ false,
-    );
-
-    assert_eq!(
-        backend.read_pid_file_state().await.expect("read pid"),
-        PidFileState::Missing
-    );
-    assert!(!pid_file.exists());
-}
-
-#[tokio::test]
-async fn stop_waits_for_live_reservation_to_resolve() {
-    let temp_dir = TempDir::new().expect("temp dir");
-    let pid_file = temp_dir.path().join("app-server.pid");
-    tokio::fs::write(&pid_file, "")
-        .await
-        .expect("write pid file");
-    let backend = PidBackend::new(
-        temp_dir.path().join("codex"),
-        pid_file.clone(),
-        /*remote_control_enabled*/ false,
-    );
-    let reservation = tokio::fs::OpenOptions::new()
-        .create(true)
-        .truncate(false)
-        .write(true)
-        .open(&backend.lock_file)
-        .await
-        .expect("open pid lock file");
-    assert!(try_lock_file(&reservation).expect("lock reservation"));
-    let cleanup = tokio::spawn(async move {
-        tokio::time::sleep(Duration::from_millis(50)).await;
-        drop(reservation);
-        tokio::fs::remove_file(pid_file)
-            .await
-            .expect("remove pid file");
-    });
-
-    backend.stop().await.expect("stop");
-    cleanup.await.expect("cleanup task");
-}
-
-#[tokio::test]
-async fn start_retries_stale_empty_pid_file_under_its_own_lock() {
-    let temp_dir = TempDir::new().expect("temp dir");
-    let pid_file = temp_dir.path().join("app-server.pid");
-    tokio::fs::write(&pid_file, "")
-        .await
-        .expect("write pid file");
-    let backend = PidBackend::new(
-        temp_dir.path().join("missing-codex"),
-        pid_file,
-        /*remote_control_enabled*/ false,
-    );
-
-    let err = backend.start().await.expect_err("start");
-    assert!(
-        err.to_string()
-            .starts_with("failed to spawn detached app-server process using ")
-    );
-}
-
-#[tokio::test]
-async fn stale_record_cleanup_preserves_replacement_record() {
-    let temp_dir = TempDir::new().expect("temp dir");
-    let pid_file = temp_dir.path().join("app-server.pid");
-    let backend = PidBackend::new(
-        temp_dir.path().join("codex"),
-        pid_file.clone(),
-        /*remote_control_enabled*/ false,
-    );
-    let stale = PidRecord {
-        pid: 1,
-        process_start_time: "old".to_string(),
-    };
-    let replacement = PidRecord {
-        pid: 2,
-        process_start_time: "new".to_string(),
-    };
-    tokio::fs::write(
-        &pid_file,
-        serde_json::to_vec(&replacement).expect("serialize replacement"),
-    )
-    .await
-    .expect("write replacement pid file");
-
-    assert_eq!(
-        backend
-            .refresh_after_stale_record(&stale)
-            .await
-            .expect("cleanup"),
-        PidFileState::Running(replacement)
-    );
-}
-
-#[test]
-fn update_loop_uses_hidden_app_server_subcommand() {
-    let backend = PidBackend {
-        codex_bin: "codex".into(),
-        pid_file: "updater.pid".into(),
-        lock_file: "updater.pid.lock".into(),
-        command_kind: PidCommandKind::UpdateLoop,
-    };
-
-    assert_eq!(
-        backend.command_args(),
-        vec!["app-server", "daemon", "pid-update-loop"]
-    );
-}
--- a/codex-rs/app-server-daemon/src/client.rs
+++ b/codex-rs/app-server-daemon/src/client.rs
@@ -1,131 +0,0 @@
-use std::path::Path;
-use std::time::Duration;
-
-use anyhow::Context;
-use anyhow::Result;
-use anyhow::anyhow;
-use codex_app_server_protocol::ClientInfo;
-use codex_app_server_protocol::InitializeParams;
-use codex_app_server_protocol::InitializeResponse;
-use codex_app_server_protocol::JSONRPCMessage;
-use codex_app_server_protocol::JSONRPCNotification;
-use codex_app_server_protocol::JSONRPCRequest;
-use codex_app_server_protocol::RequestId;
-use codex_uds::UnixStream;
-use futures::SinkExt;
-use futures::StreamExt;
-use tokio::time::timeout;
-use tokio_tungstenite::client_async;
-use tokio_tungstenite::tungstenite::Message;
-
-const PROBE_TIMEOUT: Duration = Duration::from_secs(2);
-const CLIENT_NAME: &str = "codex_app_server_daemon";
-
-#[derive(Debug, Clone, PartialEq, Eq)]
-pub(crate) struct ProbeInfo {
-    pub(crate) app_server_version: String,
-}
-
-pub(crate) async fn probe(socket_path: &Path) -> Result<ProbeInfo> {
-    timeout(PROBE_TIMEOUT, probe_inner(socket_path))
-        .await
-        .with_context(|| {
-            format!(
-                "timed out probing app-server control socket {}",
-                socket_path.display()
-            )
-        })?
-}
-
-async fn probe_inner(socket_path: &Path) -> Result<ProbeInfo> {
-    let stream = UnixStream::connect(socket_path)
-        .await
-        .with_context(|| format!("failed to connect to {}", socket_path.display()))?;
-    let (mut websocket, _response) = client_async("ws://localhost/", stream)
-        .await
-        .with_context(|| format!("failed to upgrade {}", socket_path.display()))?;
-
-    let initialize = JSONRPCMessage::Request(JSONRPCRequest {
-        id: RequestId::Integer(1),
-        method: "initialize".to_string(),
-        params: Some(serde_json::to_value(InitializeParams {
-            client_info: ClientInfo {
-                name: CLIENT_NAME.to_string(),
-                title: Some("Codex App Server Daemon".to_string()),
-                version: env!("CARGO_PKG_VERSION").to_string(),
-            },
-            capabilities: None,
-        })?),
-        trace: None,
-    });
-    websocket
-        .send(Message::Text(serde_json::to_string(&initialize)?.into()))
-        .await
-        .context("failed to send initialize request")?;
-
-    let response = loop {
-        let frame = websocket
-            .next()
-            .await
-            .ok_or_else(|| anyhow!("app-server closed before initialize response"))??;
-        let Message::Text(payload) = frame else {
-            continue;
-        };
-        let message = serde_json::from_str::<JSONRPCMessage>(&payload)?;
-        if let JSONRPCMessage::Response(response) = message
-            && response.id == RequestId::Integer(1)
-        {
-            break response;
-        }
-    };
-    let initialize_response = serde_json::from_value::<InitializeResponse>(response.result)?;
-
-    let initialized = JSONRPCMessage::Notification(JSONRPCNotification {
-        method: "initialized".to_string(),
-        params: None,
-    });
-    websocket
-        .send(Message::Text(serde_json::to_string(&initialized)?.into()))
-        .await
-        .context("failed to send initialized notification")?;
-    websocket.close(None).await.ok();
-
-    Ok(ProbeInfo {
-        app_server_version: parse_version_from_user_agent(&initialize_response.user_agent)?,
-    })
-}
-
-fn parse_version_from_user_agent(user_agent: &str) -> Result<String> {
-    let (_originator, rest) = user_agent
-        .split_once('/')
-        .ok_or_else(|| anyhow!("app-server user-agent omitted version separator"))?;
-    let version = rest
-        .split_whitespace()
-        .next()
-        .filter(|version| !version.is_empty())
-        .ok_or_else(|| anyhow!("app-server user-agent omitted version"))?;
-    Ok(version.to_string())
-}
-
-#[cfg(all(test, unix))]
-mod tests {
-    use pretty_assertions::assert_eq;
-
-    use super::parse_version_from_user_agent;
-
-    #[test]
-    fn parses_version_from_codex_user_agent() {
-        assert_eq!(
-            parse_version_from_user_agent(
-                "codex_app_server_daemon/1.2.3 (Linux 6.8.0; x86_64) codex_cli_rs/1.2.3",
-            )
-            .expect("version"),
-            "1.2.3"
-        );
-    }
-
-    #[test]
-    fn rejects_user_agent_without_version() {
-        assert!(parse_version_from_user_agent("codex_app_server_daemon").is_err());
-    }
-}
--- a/codex-rs/app-server-daemon/src/lib.rs
+++ b/codex-rs/app-server-daemon/src/lib.rs
@@ -1,630 +0,0 @@
-mod backend;
-mod client;
-mod managed_install;
-mod settings;
-mod update_loop;
-
-use std::path::PathBuf;
-use std::time::Duration;
-
-use anyhow::Context;
-use anyhow::Result;
-use anyhow::anyhow;
-pub use backend::BackendKind;
-use backend::BackendPaths;
-use codex_app_server_transport::app_server_control_socket_path;
-use codex_core::config::find_codex_home;
-use managed_install::managed_codex_bin;
-#[cfg(unix)]
-use managed_install::managed_codex_version;
-use serde::Serialize;
-use settings::DaemonSettings;
-use tokio::time::sleep;
-
-const START_POLL_INTERVAL: Duration = Duration::from_millis(50);
-const START_TIMEOUT: Duration = Duration::from_secs(10);
-const OPERATION_LOCK_TIMEOUT: Duration = Duration::from_secs(75);
-const PID_FILE_NAME: &str = "app-server.pid";
-const UPDATE_PID_FILE_NAME: &str = "app-server-updater.pid";
-const OPERATION_LOCK_FILE_NAME: &str = "daemon.lock";
-const SETTINGS_FILE_NAME: &str = "settings.json";
-const STATE_DIR_NAME: &str = "app-server-daemon";
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-pub enum LifecycleCommand {
-    Start,
-    Restart,
-    Stop,
-    Version,
-}
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize)]
-#[serde(rename_all = "camelCase")]
-pub enum LifecycleStatus {
-    AlreadyRunning,
-    Started,
-    Restarted,
-    Stopped,
-    NotRunning,
-    Running,
-}
-
-#[derive(Debug, Clone, PartialEq, Eq, Serialize)]
-#[serde(rename_all = "camelCase")]
-pub struct LifecycleOutput {
-    pub status: LifecycleStatus,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub backend: Option<BackendKind>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub pid: Option<u32>,
-    pub socket_path: PathBuf,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub cli_version: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub app_server_version: Option<String>,
-}
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-pub struct BootstrapOptions {
-    pub remote_control_enabled: bool,
-}
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize)]
-#[serde(rename_all = "camelCase")]
-pub enum BootstrapStatus {
-    Bootstrapped,
-}
-
-#[derive(Debug, Clone, PartialEq, Eq, Serialize)]
-#[serde(rename_all = "camelCase")]
-pub struct BootstrapOutput {
-    pub status: BootstrapStatus,
-    pub backend: BackendKind,
-    pub auto_update_enabled: bool,
-    pub remote_control_enabled: bool,
-    pub managed_codex_path: PathBuf,
-    pub socket_path: PathBuf,
-    pub cli_version: String,
-    pub app_server_version: String,
-}
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-pub enum RemoteControlMode {
-    Enabled,
-    Disabled,
-}
-
-impl RemoteControlMode {
-    fn is_enabled(self) -> bool {
-        matches!(self, Self::Enabled)
-    }
-}
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize)]
-#[serde(rename_all = "camelCase")]
-pub enum RemoteControlStatus {
-    Enabled,
-    Disabled,
-    AlreadyEnabled,
-    AlreadyDisabled,
-}
-
-#[derive(Debug, Clone, PartialEq, Eq, Serialize)]
-#[serde(rename_all = "camelCase")]
-pub struct RemoteControlOutput {
-    pub status: RemoteControlStatus,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub backend: Option<BackendKind>,
-    pub remote_control_enabled: bool,
-    pub socket_path: PathBuf,
-    pub cli_version: String,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub app_server_version: Option<String>,
-}
-
-#[cfg(unix)]
-pub(crate) enum RestartIfRunningOutcome {
-    Completed,
-    Busy,
-}
-
-pub async fn run(command: LifecycleCommand) -> Result<LifecycleOutput> {
-    ensure_supported_platform()?;
-    Daemon::from_environment()?.run(command).await
-}
-
-pub async fn bootstrap(options: BootstrapOptions) -> Result<BootstrapOutput> {
-    ensure_supported_platform()?;
-    Daemon::from_environment()?.bootstrap(options).await
-}
-
-pub async fn set_remote_control(mode: RemoteControlMode) -> Result<RemoteControlOutput> {
-    ensure_supported_platform()?;
-    Daemon::from_environment()?.set_remote_control(mode).await
-}
-
-pub async fn run_pid_update_loop() -> Result<()> {
-    ensure_supported_platform()?;
-    update_loop::run().await
-}
-
-#[cfg(unix)]
-fn ensure_supported_platform() -> Result<()> {
-    Ok(())
-}
-
-#[cfg(not(unix))]
-fn ensure_supported_platform() -> Result<()> {
-    Err(anyhow!(
-        "codex app-server daemon lifecycle is only supported on Unix platforms"
-    ))
-}
-
-struct Daemon {
-    socket_path: PathBuf,
-    pid_file: PathBuf,
-    update_pid_file: PathBuf,
-    operation_lock_file: PathBuf,
-    settings_file: PathBuf,
-    managed_codex_bin: PathBuf,
-}
-
-impl Daemon {
-    fn from_environment() -> Result<Self> {
-        let codex_home = find_codex_home().context("failed to resolve CODEX_HOME")?;
-        let socket_path = app_server_control_socket_path(codex_home.as_path())?
-            .as_path()
-            .to_path_buf();
-        let state_dir = codex_home.as_path().join(STATE_DIR_NAME);
-        Ok(Self {
-            socket_path,
-            pid_file: state_dir.join(PID_FILE_NAME),
-            update_pid_file: state_dir.join(UPDATE_PID_FILE_NAME),
-            operation_lock_file: state_dir.join(OPERATION_LOCK_FILE_NAME),
-            settings_file: state_dir.join(SETTINGS_FILE_NAME),
-            managed_codex_bin: managed_codex_bin(codex_home.as_path()),
-        })
-    }
-
-    async fn run(&self, command: LifecycleCommand) -> Result<LifecycleOutput> {
-        match command {
-            LifecycleCommand::Start => {
-                let _operation_lock = self.acquire_operation_lock().await?;
-                self.start().await
-            }
-            LifecycleCommand::Restart => {
-                let _operation_lock = self.acquire_operation_lock().await?;
-                self.restart().await
-            }
-            LifecycleCommand::Stop => {
-                let _operation_lock = self.acquire_operation_lock().await?;
-                self.stop().await
-            }
-            LifecycleCommand::Version => self.version().await,
-        }
-    }
-
-    async fn start(&self) -> Result<LifecycleOutput> {
-        let settings = self.load_settings().await?;
-        if let Ok(info) = client::probe(&self.socket_path).await {
-            return Ok(self.output(
-                LifecycleStatus::AlreadyRunning,
-                self.running_backend(&settings).await?,
-                /*pid*/ None,
-                Some(info.app_server_version),
-            ));
-        }
-
-        if self.running_backend_instance(&settings).await?.is_some() {
-            let info = self.wait_until_ready().await?;
-            return Ok(self.output(
-                LifecycleStatus::AlreadyRunning,
-                Some(BackendKind::Pid),
-                /*pid*/ None,
-                Some(info.app_server_version),
-            ));
-        }
-
-        self.ensure_managed_codex_bin()?;
-        let pid = self.start_managed_backend(&settings).await?;
-        let info = self.wait_until_ready().await?;
-        Ok(self.output(
-            LifecycleStatus::Started,
-            Some(BackendKind::Pid),
-            pid,
-            Some(info.app_server_version),
-        ))
-    }
-
-    async fn restart(&self) -> Result<LifecycleOutput> {
-        let settings = self.load_settings().await?;
-        if client::probe(&self.socket_path).await.is_ok()
-            && self.running_backend(&settings).await?.is_none()
-        {
-            return Err(anyhow!(
-                "app server is running but is not managed by codex app-server daemon"
-            ));
-        }
-
-        self.ensure_managed_codex_bin()?;
-        if let Some(backend) = self.running_backend_instance(&settings).await? {
-            backend.stop().await?;
-        }
-
-        let pid = self.start_managed_backend(&settings).await?;
-        let info = self.wait_until_ready().await?;
-        Ok(self.output(
-            LifecycleStatus::Restarted,
-            Some(BackendKind::Pid),
-            pid,
-            Some(info.app_server_version),
-        ))
-    }
-
-    #[cfg(unix)]
-    pub(crate) async fn try_restart_if_running(&self) -> Result<RestartIfRunningOutcome> {
-        let operation_lock = self.open_operation_lock_file().await?;
-        if !try_lock_file(&operation_lock)? {
-            return Ok(RestartIfRunningOutcome::Busy);
-        }
-        let settings = self.load_settings().await?;
-        if let Some(backend) = self.running_backend_instance(&settings).await? {
-            let Ok(info) = client::probe(&self.socket_path).await else {
-                return Ok(RestartIfRunningOutcome::Completed);
-            };
-            let managed_version = managed_codex_version(&self.managed_codex_bin).await?;
-            if info.app_server_version == managed_version {
-                return Ok(RestartIfRunningOutcome::Completed);
-            }
-            backend.stop().await?;
-            let _ = self.start_managed_backend(&settings).await?;
-            self.wait_until_ready().await?;
-            return Ok(RestartIfRunningOutcome::Completed);
-        }
-
-        if client::probe(&self.socket_path).await.is_ok() {
-            return Err(anyhow!(
-                "app server is running but is not managed by codex app-server daemon"
-            ));
-        }
-
-        Ok(RestartIfRunningOutcome::Completed)
-    }
-
-    async fn stop(&self) -> Result<LifecycleOutput> {
-        let settings = self.load_settings().await?;
-        if let Some(backend) = self.running_backend_instance(&settings).await? {
-            backend.stop().await?;
-            return Ok(self.output(
-                LifecycleStatus::Stopped,
-                Some(BackendKind::Pid),
-                /*pid*/ None,
-                /*app_server_version*/ None,
-            ));
-        }
-
-        if client::probe(&self.socket_path).await.is_ok() {
-            return Err(anyhow!(
-                "app server is running but is not managed by codex app-server daemon"
-            ));
-        }
-
-        Ok(self.output(
-            LifecycleStatus::NotRunning,
-            /*backend*/ None,
-            /*pid*/ None,
-            /*app_server_version*/ None,
-        ))
-    }
-
-    async fn version(&self) -> Result<LifecycleOutput> {
-        let settings = self.load_settings().await?;
-        let info = client::probe(&self.socket_path).await?;
-        Ok(self.output(
-            LifecycleStatus::Running,
-            self.running_backend(&settings).await?,
-            /*pid*/ None,
-            Some(info.app_server_version),
-        ))
-    }
-
-    async fn wait_until_ready(&self) -> Result<client::ProbeInfo> {
-        let deadline = tokio::time::Instant::now() + START_TIMEOUT;
-        loop {
-            match client::probe(&self.socket_path).await {
-                Ok(info) => return Ok(info),
-                Err(err) if tokio::time::Instant::now() < deadline => {
-                    let _ = err;
-                    sleep(START_POLL_INTERVAL).await;
-                }
-                Err(err) => {
-                    return Err(err).with_context(|| {
-                        format!(
-                            "app server did not become ready on {}",
-                            self.socket_path.display()
-                        )
-                    });
-                }
-            }
-        }
-    }
-
-    async fn bootstrap(&self, options: BootstrapOptions) -> Result<BootstrapOutput> {
-        let _operation_lock = self.acquire_operation_lock().await?;
-        self.bootstrap_locked(options).await
-    }
-
-    async fn set_remote_control(&self, mode: RemoteControlMode) -> Result<RemoteControlOutput> {
-        let _operation_lock = self.acquire_operation_lock().await?;
-        let previous_settings = self.load_settings().await?;
-        let mut settings = previous_settings.clone();
-        let remote_control_enabled = mode.is_enabled();
-        let backend = self.running_backend_instance(&previous_settings).await?;
-
-        if backend.is_none() && client::probe(&self.socket_path).await.is_ok() {
-            return Err(anyhow!(
-                "app server is running but is not managed by codex app-server daemon"
-            ));
-        }
-
-        if settings.remote_control_enabled == remote_control_enabled {
-            let info = if backend.is_some() {
-                Some(self.wait_until_ready().await?)
-            } else {
-                None
-            };
-            return Ok(self.remote_control_output(
-                already_remote_control_status(mode),
-                backend.map(|_| BackendKind::Pid),
-                remote_control_enabled,
-                info.map(|info| info.app_server_version),
-            ));
-        }
-
-        settings.remote_control_enabled = remote_control_enabled;
-        settings.save(&self.settings_file).await?;
-
-        let app_server_version = if let Some(backend) = backend {
-            self.ensure_managed_codex_bin()?;
-            backend.stop().await?;
-            let _ = self.start_managed_backend(&settings).await?;
-            Some(self.wait_until_ready().await?.app_server_version)
-        } else {
-            None
-        };
-
-        Ok(self.remote_control_output(
-            remote_control_status(mode),
-            app_server_version.as_ref().map(|_| BackendKind::Pid),
-            remote_control_enabled,
-            app_server_version,
-        ))
-    }
-
-    async fn bootstrap_locked(&self, options: BootstrapOptions) -> Result<BootstrapOutput> {
-        self.ensure_managed_codex_bin()?;
-
-        let settings = DaemonSettings {
-            remote_control_enabled: options.remote_control_enabled,
-        };
-        if client::probe(&self.socket_path).await.is_ok()
-            && self.running_backend(&settings).await?.is_none()
-        {
-            return Err(anyhow!(
-                "app server is running but is not managed by codex app-server daemon"
-            ));
-        }
-        settings.save(&self.settings_file).await?;
-
-        if let Some(backend) = self.running_backend_instance(&settings).await? {
-            backend.stop().await?;
-        }
-
-        let backend = backend::pid_backend(self.backend_paths(&settings));
-        backend.start().await?;
-        let updater = backend::pid_update_loop_backend(self.backend_paths(&settings));
-        if updater.is_starting_or_running().await? {
-            updater.stop().await?;
-        }
-        updater.start().await?;
-
-        let info = self.wait_until_ready().await?;
-        Ok(BootstrapOutput {
-            status: BootstrapStatus::Bootstrapped,
-            backend: BackendKind::Pid,
-            auto_update_enabled: true,
-            remote_control_enabled: settings.remote_control_enabled,
-            managed_codex_path: self.managed_codex_bin.clone(),
-            socket_path: self.socket_path.clone(),
-            cli_version: env!("CARGO_PKG_VERSION").to_string(),
-            app_server_version: info.app_server_version,
-        })
-    }
-
-    async fn running_backend(&self, settings: &DaemonSettings) -> Result<Option<BackendKind>> {
-        Ok(self
-            .running_backend_instance(settings)
-            .await?
-            .map(|_| BackendKind::Pid))
-    }
-
-    async fn running_backend_instance(
-        &self,
-        settings: &DaemonSettings,
-    ) -> Result<Option<backend::PidBackend>> {
-        let backend = backend::pid_backend(self.backend_paths(settings));
-        if backend.is_starting_or_running().await? {
-            return Ok(Some(backend));
-        }
-        Ok(None)
-    }
-
-    async fn start_managed_backend(&self, settings: &DaemonSettings) -> Result<Option<u32>> {
-        let backend = backend::pid_backend(self.backend_paths(settings));
-        backend.start().await
-    }
-
-    fn ensure_managed_codex_bin(&self) -> Result<()> {
-        if self.managed_codex_bin.is_file() {
-            return Ok(());
-        }
-
-        Err(anyhow!(
-            "managed standalone Codex install not found at {}; install Codex first",
-            self.managed_codex_bin.display()
-        ))
-    }
-
-    fn backend_paths(&self, settings: &DaemonSettings) -> BackendPaths {
-        BackendPaths {
-            codex_bin: self.managed_codex_bin.clone(),
-            pid_file: self.pid_file.clone(),
-            update_pid_file: self.update_pid_file.clone(),
-            remote_control_enabled: settings.remote_control_enabled,
-        }
-    }
-
-    async fn load_settings(&self) -> Result<DaemonSettings> {
-        DaemonSettings::load(&self.settings_file).await
-    }
-
-    async fn acquire_operation_lock(&self) -> Result<tokio::fs::File> {
-        let operation_lock = self.open_operation_lock_file().await?;
-        let deadline = tokio::time::Instant::now() + OPERATION_LOCK_TIMEOUT;
-        while !try_lock_file(&operation_lock)? {
-            if tokio::time::Instant::now() >= deadline {
-                return Err(anyhow!(
-                    "timed out waiting for daemon operation lock {}",
-                    self.operation_lock_file.display()
-                ));
-            }
-            sleep(START_POLL_INTERVAL).await;
-        }
-        Ok(operation_lock)
-    }
-
-    async fn open_operation_lock_file(&self) -> Result<tokio::fs::File> {
-        if let Some(parent) = self.operation_lock_file.parent() {
-            tokio::fs::create_dir_all(parent).await.with_context(|| {
-                format!(
-                    "failed to create daemon state directory {}",
-                    parent.display()
-                )
-            })?;
-        }
-        tokio::fs::OpenOptions::new()
-            .create(true)
-            .truncate(false)
-            .write(true)
-            .open(&self.operation_lock_file)
-            .await
-            .with_context(|| {
-                format!(
-                    "failed to open daemon operation lock {}",
-                    self.operation_lock_file.display()
-                )
-            })
-    }
-
-    fn output(
-        &self,
-        status: LifecycleStatus,
-        backend: Option<BackendKind>,
-        pid: Option<u32>,
-        app_server_version: Option<String>,
-    ) -> LifecycleOutput {
-        LifecycleOutput {
-            status,
-            backend,
-            pid,
-            socket_path: self.socket_path.clone(),
-            cli_version: Some(env!("CARGO_PKG_VERSION").to_string()),
-            app_server_version,
-        }
-    }
-
-    fn remote_control_output(
-        &self,
-        status: RemoteControlStatus,
-        backend: Option<BackendKind>,
-        remote_control_enabled: bool,
-        app_server_version: Option<String>,
-    ) -> RemoteControlOutput {
-        RemoteControlOutput {
-            status,
-            backend,
-            remote_control_enabled,
-            socket_path: self.socket_path.clone(),
-            cli_version: env!("CARGO_PKG_VERSION").to_string(),
-            app_server_version,
-        }
-    }
-}
-
-fn remote_control_status(mode: RemoteControlMode) -> RemoteControlStatus {
-    match mode {
-        RemoteControlMode::Enabled => RemoteControlStatus::Enabled,
-        RemoteControlMode::Disabled => RemoteControlStatus::Disabled,
-    }
-}
-
-fn already_remote_control_status(mode: RemoteControlMode) -> RemoteControlStatus {
-    match mode {
-        RemoteControlMode::Enabled => RemoteControlStatus::AlreadyEnabled,
-        RemoteControlMode::Disabled => RemoteControlStatus::AlreadyDisabled,
-    }
-}
-
-#[cfg(unix)]
-fn try_lock_file(file: &tokio::fs::File) -> Result<bool> {
-    use std::os::fd::AsRawFd;
-
-    let result = unsafe { libc::flock(file.as_raw_fd(), libc::LOCK_EX | libc::LOCK_NB) };
-    if result == 0 {
-        return Ok(true);
-    }
-
-    let err = std::io::Error::last_os_error();
-    if err.raw_os_error() == Some(libc::EWOULDBLOCK) {
-        return Ok(false);
-    }
-    Err(err).context("failed to lock daemon operation")
-}
-
-#[cfg(not(unix))]
-fn try_lock_file(_file: &tokio::fs::File) -> Result<bool> {
-    Ok(true)
-}
-
-#[cfg(all(test, unix))]
-mod tests {
-    use pretty_assertions::assert_eq;
-
-    use super::BootstrapStatus;
-    use super::LifecycleStatus;
-    use super::RemoteControlStatus;
-
-    #[test]
-    fn lifecycle_status_uses_camel_case_json() {
-        assert_eq!(
-            serde_json::to_string(&LifecycleStatus::AlreadyRunning).expect("serialize"),
-            "\"alreadyRunning\""
-        );
-    }
-
-    #[test]
-    fn bootstrap_status_uses_camel_case_json() {
-        assert_eq!(
-            serde_json::to_string(&BootstrapStatus::Bootstrapped).expect("serialize"),
-            "\"bootstrapped\""
-        );
-    }
-
-    #[test]
-    fn remote_control_status_uses_camel_case_json() {
-        assert_eq!(
-            serde_json::to_string(&RemoteControlStatus::AlreadyEnabled).expect("serialize"),
-            "\"alreadyEnabled\""
-        );
-    }
-}
--- a/codex-rs/app-server-daemon/src/managed_install.rs
+++ b/codex-rs/app-server-daemon/src/managed_install.rs
@@ -1,66 +0,0 @@
-use std::path::Path;
-use std::path::PathBuf;
-
-#[cfg(unix)]
-use anyhow::Context;
-#[cfg(unix)]
-use anyhow::Result;
-#[cfg(unix)]
-use anyhow::anyhow;
-#[cfg(unix)]
-use tokio::process::Command;
-
-pub(crate) fn managed_codex_bin(codex_home: &Path) -> PathBuf {
-    codex_home
-        .join("packages")
-        .join("standalone")
-        .join("current")
-        .join(managed_codex_file_name())
-}
-
-#[cfg(unix)]
-pub(crate) async fn managed_codex_version(codex_bin: &Path) -> Result<String> {
-    let output = Command::new(codex_bin)
-        .arg("--version")
-        .output()
-        .await
-        .with_context(|| {
-            format!(
-                "failed to invoke managed Codex binary {}",
-                codex_bin.display()
-            )
-        })?;
-    if !output.status.success() {
-        return Err(anyhow!(
-            "managed Codex binary {} exited with status {}",
-            codex_bin.display(),
-            output.status
-        ));
-    }
-
-    let stdout = String::from_utf8(output.stdout).with_context(|| {
-        format!(
-            "managed Codex version was not utf-8: {}",
-            codex_bin.display()
-        )
-    })?;
-    parse_codex_version(&stdout)
-}
-
-fn managed_codex_file_name() -> &'static str {
-    if cfg!(windows) { "codex.exe" } else { "codex" }
-}
-
-#[cfg(unix)]
-fn parse_codex_version(output: &str) -> Result<String> {
-    let version = output
-        .split_whitespace()
-        .nth(1)
-        .filter(|version| !version.is_empty())
-        .ok_or_else(|| anyhow!("managed Codex version output was malformed"))?;
-    Ok(version.to_string())
-}
-
-#[cfg(all(test, unix))]
-#[path = "managed_install_tests.rs"]
-mod tests;
--- a/codex-rs/app-server-daemon/src/managed_install_tests.rs
+++ b/codex-rs/app-server-daemon/src/managed_install_tests.rs
@@ -1,16 +0,0 @@
-use pretty_assertions::assert_eq;
-
-use super::parse_codex_version;
-
-#[test]
-fn parses_codex_cli_version_output() {
-    assert_eq!(
-        parse_codex_version("codex 1.2.3\n").expect("version"),
-        "1.2.3"
-    );
-}
-
-#[test]
-fn rejects_malformed_codex_cli_version_output() {
-    assert!(parse_codex_version("codex\n").is_err());
-}
--- a/codex-rs/app-server-daemon/src/settings.rs
+++ b/codex-rs/app-server-daemon/src/settings.rs
@@ -1,63 +0,0 @@
-use std::path::Path;
-
-use anyhow::Context;
-use anyhow::Result;
-use serde::Deserialize;
-use serde::Serialize;
-use tokio::fs;
-
-#[derive(Debug, Clone, Default, PartialEq, Eq, Serialize, Deserialize)]
-#[serde(rename_all = "camelCase")]
-pub(crate) struct DaemonSettings {
-    pub(crate) remote_control_enabled: bool,
-}
-
-impl DaemonSettings {
-    pub(crate) async fn load(path: &Path) -> Result<Self> {
-        let contents = match fs::read_to_string(path).await {
-            Ok(contents) => contents,
-            Err(err) if err.kind() == std::io::ErrorKind::NotFound => return Ok(Self::default()),
-            Err(err) => {
-                return Err(err)
-                    .with_context(|| format!("failed to read daemon settings {}", path.display()));
-            }
-        };
-
-        serde_json::from_str(&contents)
-            .with_context(|| format!("failed to parse daemon settings {}", path.display()))
-    }
-
-    pub(crate) async fn save(&self, path: &Path) -> Result<()> {
-        if let Some(parent) = path.parent() {
-            fs::create_dir_all(parent).await.with_context(|| {
-                format!(
-                    "failed to create daemon settings directory {}",
-                    parent.display()
-                )
-            })?;
-        }
-
-        let contents = serde_json::to_vec_pretty(self).context("failed to serialize settings")?;
-        fs::write(path, contents)
-            .await
-            .with_context(|| format!("failed to write daemon settings {}", path.display()))
-    }
-}
-
-#[cfg(all(test, unix))]
-mod tests {
-    use pretty_assertions::assert_eq;
-
-    use super::DaemonSettings;
-
-    #[test]
-    fn daemon_settings_use_camel_case_json() {
-        assert_eq!(
-            serde_json::to_string(&DaemonSettings {
-                remote_control_enabled: true,
-            })
-            .expect("serialize"),
-            r#"{"remoteControlEnabled":true}"#
-        );
-    }
-}
--- a/codex-rs/app-server-daemon/src/update_loop.rs
+++ b/codex-rs/app-server-daemon/src/update_loop.rs
@@ -1,132 +0,0 @@
-#[cfg(unix)]
-use std::process::Stdio;
-#[cfg(unix)]
-use std::time::Duration;
-
-#[cfg(unix)]
-use anyhow::Context;
-use anyhow::Result;
-#[cfg(not(unix))]
-use anyhow::bail;
-#[cfg(unix)]
-use futures::FutureExt;
-#[cfg(unix)]
-use tokio::io::AsyncWriteExt;
-#[cfg(unix)]
-use tokio::process::Command;
-#[cfg(unix)]
-use tokio::signal::unix::Signal;
-#[cfg(unix)]
-use tokio::signal::unix::SignalKind;
-#[cfg(unix)]
-use tokio::signal::unix::signal;
-#[cfg(unix)]
-use tokio::time::sleep;
-
-#[cfg(unix)]
-use crate::Daemon;
-#[cfg(unix)]
-use crate::RestartIfRunningOutcome;
-
-#[cfg(unix)]
-const INITIAL_UPDATE_DELAY: Duration = Duration::from_secs(5 * 60);
-#[cfg(unix)]
-const RESTART_RETRY_INTERVAL: Duration = Duration::from_millis(50);
-#[cfg(unix)]
-const UPDATE_INTERVAL: Duration = Duration::from_secs(60 * 60);
-
-#[cfg(unix)]
-pub(crate) async fn run() -> Result<()> {
-    let mut terminate =
-        signal(SignalKind::terminate()).context("failed to install updater shutdown handler")?;
-    if sleep_or_terminate(INITIAL_UPDATE_DELAY, &mut terminate).await {
-        return Ok(());
-    }
-    loop {
-        match update_once(&mut terminate).await {
-            Ok(UpdateLoopControl::Continue) | Err(_) => {}
-            Ok(UpdateLoopControl::Stop) => return Ok(()),
-        }
-        if sleep_or_terminate(UPDATE_INTERVAL, &mut terminate).await {
-            return Ok(());
-        }
-    }
-}
-
-#[cfg(not(unix))]
-pub(crate) async fn run() -> Result<()> {
-    bail!("pid-managed updater loop is unsupported on this platform")
-}
-
-#[cfg(unix)]
-async fn sleep_or_terminate(duration: Duration, terminate: &mut Signal) -> bool {
-    tokio::select! {
-        _ = sleep(duration) => false,
-        _ = terminate.recv() => true,
-    }
-}
-
-#[cfg(unix)]
-enum UpdateLoopControl {
-    Continue,
-    Stop,
-}
-
-#[cfg(unix)]
-async fn update_once(terminate: &mut Signal) -> Result<UpdateLoopControl> {
-    install_latest_standalone().await?;
-
-    let daemon = Daemon::from_environment()?;
-    loop {
-        if terminate.recv().now_or_never().flatten().is_some() {
-            return Ok(UpdateLoopControl::Stop);
-        }
-        match daemon.try_restart_if_running().await? {
-            RestartIfRunningOutcome::Completed => return Ok(UpdateLoopControl::Continue),
-            RestartIfRunningOutcome::Busy => {
-                if sleep_or_terminate(RESTART_RETRY_INTERVAL, terminate).await {
-                    return Ok(UpdateLoopControl::Stop);
-                }
-            }
-        }
-    }
-}
-
-#[cfg(unix)]
-async fn install_latest_standalone() -> Result<()> {
-    let script = reqwest::get("https://chatgpt.com/codex/install.sh")
-        .await
-        .context("failed to fetch standalone Codex updater")?
-        .error_for_status()
-        .context("standalone Codex updater request failed")?
-        .bytes()
-        .await
-        .context("failed to read standalone Codex updater")?;
-
-    let mut child = Command::new("/bin/sh")
-        .arg("-s")
-        .stdin(Stdio::piped())
-        .stdout(Stdio::null())
-        .stderr(Stdio::null())
-        .spawn()
-        .context("failed to invoke standalone Codex updater")?;
-    let mut stdin = child
-        .stdin
-        .take()
-        .context("standalone Codex updater stdin was unavailable")?;
-    stdin
-        .write_all(&script)
-        .await
-        .context("failed to pass standalone Codex updater to shell")?;
-    drop(stdin);
-    let status = child
-        .wait()
-        .await
-        .context("failed to wait for standalone Codex updater")?;
-
-    if status.success() {
-        Ok(())
-    } else {
-        anyhow::bail!("standalone Codex updater exited with status {status}")
-    }
-}
--- a/codex-rs/app-server-protocol/Cargo.toml
+++ b/codex-rs/app-server-protocol/Cargo.toml
@@ -7,7 +7,6 @@ license.workspace = true
 [lib]
 name = "codex_app_server_protocol"
 path = "src/lib.rs"
-doctest = false

 [lints]
 workspace = true
--- a/codex-rs/app-server-protocol/schema/json/AttestationGenerateParams.json
+++ b/codex-rs/app-server-protocol/schema/json/AttestationGenerateParams.json
@@ -1,5 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "title": "AttestationGenerateParams",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/AttestationGenerateResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/AttestationGenerateResponse.json
@@ -1,14 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "token": {
-      "description": "Opaque client attestation token.",
-      "type": "string"
-    }
-  },
-  "required": [
-    "token"
-  ],
-  "title": "AttestationGenerateResponse",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/ClientRequest.json
+++ b/codex-rs/app-server-protocol/schema/json/ClientRequest.json
@@ -1259,11 +1259,6 @@
            "array",
            "null"
          ]
-        },
-        "requestAttestation": {
-          "default": false,
-          "description": "Opt into `attestation/generate` requests for upstream `x-oai-attestation`.",
-          "type": "boolean"
        }
      },
      "type": "object"
@@ -2088,37 +2083,16 @@
        },
        "principalType": {
          "$ref": "#/definitions/PluginSharePrincipalType"
-        },
-        "role": {
-          "$ref": "#/definitions/PluginShareTargetRole"
        }
      },
      "required": [
        "principalId",
-        "principalType",
-        "role"
+        "principalType"
      ],
      "type": "object"
    },
-    "PluginShareTargetRole": {
-      "enum": [
-        "reader",
-        "editor"
-      ],
-      "type": "string"
-    },
-    "PluginShareUpdateDiscoverability": {
-      "enum": [
-        "UNLISTED",
-        "PRIVATE"
-      ],
-      "type": "string"
-    },
    "PluginShareUpdateTargetsParams": {
      "properties": {
-        "discoverability": {
-          "$ref": "#/definitions/PluginShareUpdateDiscoverability"
-        },
        "remotePluginId": {
          "type": "string"
        },
@@ -2130,7 +2104,6 @@
        }
      },
      "required": [
-        "discoverability",
        "remotePluginId",
        "shareTargets"
      ],
@@ -3239,6 +3212,24 @@
      ],
      "type": "object"
    },
+    "SkillsListExtraRootsForCwd": {
+      "properties": {
+        "cwd": {
+          "type": "string"
+        },
+        "extraUserRoots": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
+        }
+      },
+      "required": [
+        "cwd",
+        "extraUserRoots"
+      ],
+      "type": "object"
+    },
    "SkillsListParams": {
      "properties": {
        "cwds": {
@@ -3251,6 +3242,17 @@
        "forceReload": {
          "description": "When true, bypass the skills cache and re-scan skills from disk.",
          "type": "boolean"
+        },
+        "perCwdExtraUserRoots": {
+          "default": null,
+          "description": "Optional per-cwd extra roots to scan as user-scoped skills.",
+          "items": {
+            "$ref": "#/definitions/SkillsListExtraRootsForCwd"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
        }
      },
      "type": "object"
@@ -4094,31 +4096,6 @@
      ],
      "type": "object"
    },
-    "TurnItemsView": {
-      "oneOf": [
-        {
-          "description": "`items` was not loaded for this turn. The field is intentionally empty.",
-          "enum": [
-            "notLoaded"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "`items` contains only a display summary for this turn.",
-          "enum": [
-            "summary"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "`items` contains every ThreadItem available from persisted app-server history for this turn.",
-          "enum": [
-            "full"
-          ],
-          "type": "string"
-        }
-      ]
-    },
    "TurnStartParams": {
      "properties": {
        "approvalPolicy": {
@@ -6204,4 +6181,4 @@
    }
  ],
  "title": "ClientRequest"
-}
+}
--- a/codex-rs/app-server-protocol/schema/json/CommandExecutionRequestApprovalParams.json
+++ b/codex-rs/app-server-protocol/schema/json/CommandExecutionRequestApprovalParams.json
@@ -593,11 +593,6 @@
        "null"
      ]
    },
-    "startedAtMs": {
-      "description": "Unix timestamp (in milliseconds) when this approval request started.",
-      "format": "int64",
-      "type": "integer"
-    },
    "threadId": {
      "type": "string"
    },
@@ -607,7 +602,6 @@
  },
  "required": [
    "itemId",
-    "startedAtMs",
    "threadId",
    "turnId"
  ],
--- a/codex-rs/app-server-protocol/schema/json/FileChangeRequestApprovalParams.json
+++ b/codex-rs/app-server-protocol/schema/json/FileChangeRequestApprovalParams.json
@@ -18,11 +18,6 @@
        "null"
      ]
    },
-    "startedAtMs": {
-      "description": "Unix timestamp (in milliseconds) when this approval request started.",
-      "format": "int64",
-      "type": "integer"
-    },
    "threadId": {
      "type": "string"
    },
@@ -32,7 +27,6 @@
  },
  "required": [
    "itemId",
-    "startedAtMs",
    "threadId",
    "turnId"
  ],
--- a/codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalParams.json
+++ b/codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalParams.json
@@ -297,11 +297,6 @@
        "null"
      ]
    },
-    "startedAtMs": {
-      "description": "Unix timestamp (in milliseconds) when this approval request started.",
-      "format": "int64",
-      "type": "integer"
-    },
    "threadId": {
      "type": "string"
    },
@@ -313,7 +308,6 @@
    "cwd",
    "itemId",
    "permissions",
-    "startedAtMs",
    "threadId",
    "turnId"
  ],
--- a/codex-rs/app-server-protocol/schema/json/ServerNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/ServerNotification.json
@@ -1963,11 +1963,6 @@
        "action": {
          "$ref": "#/definitions/GuardianApprovalReviewAction"
        },
-        "completedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this review completed.",
-          "format": "int64",
-          "type": "integer"
-        },
        "decisionSource": {
          "$ref": "#/definitions/AutoReviewDecisionSource"
        },
@@ -1978,11 +1973,6 @@
          "description": "Stable identifier for this review.",
          "type": "string"
        },
-        "startedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this review started.",
-          "format": "int64",
-          "type": "integer"
-        },
        "targetItemId": {
          "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
          "type": [
@@ -1999,11 +1989,9 @@
      },
      "required": [
        "action",
-        "completedAtMs",
        "decisionSource",
        "review",
        "reviewId",
-        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -2022,11 +2010,6 @@
          "description": "Stable identifier for this review.",
          "type": "string"
        },
-        "startedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this review started.",
-          "format": "int64",
-          "type": "integer"
-        },
        "targetItemId": {
          "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
          "type": [
@@ -2045,7 +2028,6 @@
        "action",
        "review",
        "reviewId",
-        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -2737,7 +2719,7 @@
      "type": "string"
    },
    "RemoteControlStatusChangedNotification": {
-      "description": "Current remote-control connection status and remote identity exposed to clients.",
+      "description": "Current remote-control connection status and environment id exposed to clients.",
      "properties": {
        "environmentId": {
          "type": [
@@ -2745,15 +2727,11 @@
            "null"
          ]
        },
-        "installationId": {
-          "type": "string"
-        },
        "status": {
          "$ref": "#/definitions/RemoteControlConnectionStatus"
        }
      },
      "required": [
-        "installationId",
        "status"
      ],
      "type": "object"
--- a/codex-rs/app-server-protocol/schema/json/ServerRequest.json
+++ b/codex-rs/app-server-protocol/schema/json/ServerRequest.json
@@ -121,9 +121,6 @@
      ],
      "type": "object"
    },
-    "AttestationGenerateParams": {
-      "type": "object"
-    },
    "ChatgptAuthTokensRefreshParams": {
      "properties": {
        "previousAccountId": {
@@ -420,11 +417,6 @@
            "null"
          ]
        },
-        "startedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this approval request started.",
-          "format": "int64",
-          "type": "integer"
-        },
        "threadId": {
          "type": "string"
        },
@@ -434,7 +426,6 @@
      },
      "required": [
        "itemId",
-        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -607,11 +598,6 @@
            "null"
          ]
        },
-        "startedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this approval request started.",
-          "format": "int64",
-          "type": "integer"
-        },
        "threadId": {
          "type": "string"
        },
@@ -621,7 +607,6 @@
      },
      "required": [
        "itemId",
-        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -1602,11 +1587,6 @@
            "null"
          ]
        },
-        "startedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this approval request started.",
-          "format": "int64",
-          "type": "integer"
-        },
        "threadId": {
          "type": "string"
        },
@@ -1618,7 +1598,6 @@
        "cwd",
        "itemId",
        "permissions",
-        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -1921,31 +1900,6 @@
      "title": "Account/chatgptAuthTokens/refreshRequest",
      "type": "object"
    },
-    {
-      "description": "Generate a fresh upstream attestation result on demand.",
-      "properties": {
-        "id": {
-          "$ref": "#/definitions/RequestId"
-        },
-        "method": {
-          "enum": [
-            "attestation/generate"
-          ],
-          "title": "Attestation/generateRequestMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/AttestationGenerateParams"
-        }
-      },
-      "required": [
-        "id",
-        "method",
-        "params"
-      ],
-      "title": "Attestation/generateRequest",
-      "type": "object"
-    },
    {
      "description": "DEPRECATED APIs below Request to approve a patch. This request is used for Turns started via the legacy APIs (i.e. SendUserTurn, SendUserMessage).",
      "properties": {
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
@@ -83,25 +83,6 @@
      "title": "ApplyPatchApprovalResponse",
      "type": "object"
    },
-    "AttestationGenerateParams": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "title": "AttestationGenerateParams",
-      "type": "object"
-    },
-    "AttestationGenerateResponse": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "properties": {
-        "token": {
-          "description": "Opaque client attestation token.",
-          "type": "string"
-        }
-      },
-      "required": [
-        "token"
-      ],
-      "title": "AttestationGenerateResponse",
-      "type": "object"
-    },
    "ChatgptAuthTokensRefreshParams": {
      "$schema": "http://json-schema.org/draft-07/schema#",
      "properties": {
@@ -2165,11 +2146,6 @@
            "null"
          ]
        },
-        "startedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this approval request started.",
-          "format": "int64",
-          "type": "integer"
-        },
        "threadId": {
          "type": "string"
        },
@@ -2179,7 +2155,6 @@
      },
      "required": [
        "itemId",
-        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -2436,11 +2411,6 @@
            "null"
          ]
        },
-        "startedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this approval request started.",
-          "format": "int64",
-          "type": "integer"
-        },
        "threadId": {
          "type": "string"
        },
@@ -2450,7 +2420,6 @@
      },
      "required": [
        "itemId",
-        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -2639,11 +2608,6 @@
            "array",
            "null"
          ]
-        },
-        "requestAttestation": {
-          "default": false,
-          "description": "Opt into `attestation/generate` requests for upstream `x-oai-attestation`.",
-          "type": "boolean"
        }
      },
      "type": "object"
@@ -3627,11 +3591,6 @@
            "null"
          ]
        },
-        "startedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this approval request started.",
-          "format": "int64",
-          "type": "integer"
-        },
        "threadId": {
          "type": "string"
        },
@@ -3643,7 +3602,6 @@
        "cwd",
        "itemId",
        "permissions",
-        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -5231,31 +5189,6 @@
          "title": "Account/chatgptAuthTokens/refreshRequest",
          "type": "object"
        },
-        {
-          "description": "Generate a fresh upstream attestation result on demand.",
-          "properties": {
-            "id": {
-              "$ref": "#/definitions/v2/RequestId"
-            },
-            "method": {
-              "enum": [
-                "attestation/generate"
-              ],
-              "title": "Attestation/generateRequestMethod",
-              "type": "string"
-            },
-            "params": {
-              "$ref": "#/definitions/AttestationGenerateParams"
-            }
-          },
-          "required": [
-            "id",
-            "method",
-            "params"
-          ],
-          "title": "Attestation/generateRequest",
-          "type": "object"
-        },
        {
          "description": "DEPRECATED APIs below Request to approve a patch. This request is used for Turns started via the legacy APIs (i.e. SendUserTurn, SendUserMessage).",
          "properties": {
@@ -9945,11 +9878,6 @@
          "action": {
            "$ref": "#/definitions/v2/GuardianApprovalReviewAction"
          },
-          "completedAtMs": {
-            "description": "Unix timestamp (in milliseconds) when this review completed.",
-            "format": "int64",
-            "type": "integer"
-          },
          "decisionSource": {
            "$ref": "#/definitions/v2/AutoReviewDecisionSource"
          },
@@ -9960,11 +9888,6 @@
            "description": "Stable identifier for this review.",
            "type": "string"
          },
-          "startedAtMs": {
-            "description": "Unix timestamp (in milliseconds) when this review started.",
-            "format": "int64",
-            "type": "integer"
-          },
          "targetItemId": {
            "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
            "type": [
@@ -9981,11 +9904,9 @@
        },
        "required": [
          "action",
-          "completedAtMs",
          "decisionSource",
          "review",
          "reviewId",
-          "startedAtMs",
          "threadId",
          "turnId"
        ],
@@ -10006,11 +9927,6 @@
            "description": "Stable identifier for this review.",
            "type": "string"
          },
-          "startedAtMs": {
-            "description": "Unix timestamp (in milliseconds) when this review started.",
-            "format": "int64",
-            "type": "integer"
-          },
          "targetItemId": {
            "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
            "type": [
@@ -10029,7 +9945,6 @@
          "action",
          "review",
          "reviewId",
-          "startedAtMs",
          "threadId",
          "turnId"
        ],
@@ -12270,20 +12185,10 @@
              "null"
            ]
          },
-          "discoverability": {
-            "anyOf": [
-              {
-                "$ref": "#/definitions/v2/PluginShareDiscoverability"
-              },
-              {
-                "type": "null"
-              }
-            ]
-          },
          "remotePluginId": {
            "type": "string"
          },
-          "sharePrincipals": {
+          "shareTargets": {
            "items": {
              "$ref": "#/definitions/v2/PluginSharePrincipal"
            },
@@ -12344,10 +12249,14 @@
          },
          "plugin": {
            "$ref": "#/definitions/v2/PluginSummary"
+          },
+          "shareUrl": {
+            "type": "string"
          }
        },
        "required": [
-          "plugin"
+          "plugin",
+          "shareUrl"
        ],
        "type": "object"
      },
@@ -12382,27 +12291,15 @@
          },
          "principalType": {
            "$ref": "#/definitions/v2/PluginSharePrincipalType"
-          },
-          "role": {
-            "$ref": "#/definitions/v2/PluginSharePrincipalRole"
          }
        },
        "required": [
          "name",
          "principalId",
-          "principalType",
-          "role"
+          "principalType"
        ],
        "type": "object"
      },
-      "PluginSharePrincipalRole": {
-        "enum": [
-          "reader",
-          "editor",
-          "owner"
-        ],
-        "type": "string"
-      },
      "PluginSharePrincipalType": {
        "enum": [
          "user",
@@ -12473,38 +12370,17 @@
          },
          "principalType": {
            "$ref": "#/definitions/v2/PluginSharePrincipalType"
-          },
-          "role": {
-            "$ref": "#/definitions/v2/PluginShareTargetRole"
          }
        },
        "required": [
          "principalId",
-          "principalType",
-          "role"
+          "principalType"
        ],
        "type": "object"
      },
-      "PluginShareTargetRole": {
-        "enum": [
-          "reader",
-          "editor"
-        ],
-        "type": "string"
-      },
-      "PluginShareUpdateDiscoverability": {
-        "enum": [
-          "UNLISTED",
-          "PRIVATE"
-        ],
-        "type": "string"
-      },
      "PluginShareUpdateTargetsParams": {
        "$schema": "http://json-schema.org/draft-07/schema#",
        "properties": {
-          "discoverability": {
-            "$ref": "#/definitions/v2/PluginShareUpdateDiscoverability"
-          },
          "remotePluginId": {
            "type": "string"
          },
@@ -12516,7 +12392,6 @@
          }
        },
        "required": [
-          "discoverability",
          "remotePluginId",
          "shareTargets"
        ],
@@ -12526,9 +12401,6 @@
      "PluginShareUpdateTargetsResponse": {
        "$schema": "http://json-schema.org/draft-07/schema#",
        "properties": {
-          "discoverability": {
-            "$ref": "#/definitions/v2/PluginShareDiscoverability"
-          },
          "principals": {
            "items": {
              "$ref": "#/definitions/v2/PluginSharePrincipal"
@@ -12537,7 +12409,6 @@
          }
        },
        "required": [
-          "discoverability",
          "principals"
        ],
        "title": "PluginShareUpdateTargetsResponse",
@@ -13384,7 +13255,7 @@
      },
      "RemoteControlStatusChangedNotification": {
        "$schema": "http://json-schema.org/draft-07/schema#",
-        "description": "Current remote-control connection status and remote identity exposed to clients.",
+        "description": "Current remote-control connection status and environment id exposed to clients.",
        "properties": {
          "environmentId": {
            "type": [
@@ -13392,15 +13263,11 @@
              "null"
            ]
          },
-          "installationId": {
-            "type": "string"
-          },
          "status": {
            "$ref": "#/definitions/v2/RemoteControlConnectionStatus"
          }
        },
        "required": [
-          "installationId",
          "status"
        ],
        "title": "RemoteControlStatusChangedNotification",
@@ -14863,6 +14730,24 @@
        ],
        "type": "object"
      },
+      "SkillsListExtraRootsForCwd": {
+        "properties": {
+          "cwd": {
+            "type": "string"
+          },
+          "extraUserRoots": {
+            "items": {
+              "type": "string"
+            },
+            "type": "array"
+          }
+        },
+        "required": [
+          "cwd",
+          "extraUserRoots"
+        ],
+        "type": "object"
+      },
      "SkillsListParams": {
        "$schema": "http://json-schema.org/draft-07/schema#",
        "properties": {
@@ -14876,6 +14761,17 @@
          "forceReload": {
            "description": "When true, bypass the skills cache and re-scan skills from disk.",
            "type": "boolean"
+          },
+          "perCwdExtraUserRoots": {
+            "default": null,
+            "description": "Optional per-cwd extra roots to scan as user-scoped skills.",
+            "items": {
+              "$ref": "#/definitions/v2/SkillsListExtraRootsForCwd"
+            },
+            "type": [
+              "array",
+              "null"
+            ]
          }
        },
        "title": "SkillsListParams",
@@ -18493,4 +18389,4 @@
  },
  "title": "CodexAppServerProtocol",
  "type": "object"
-}
+}
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json
@@ -6409,11 +6409,6 @@
            "array",
            "null"
          ]
-        },
-        "requestAttestation": {
-          "default": false,
-          "description": "Opt into `attestation/generate` requests for upstream `x-oai-attestation`.",
-          "type": "boolean"
        }
      },
      "type": "object"
@@ -6494,11 +6489,6 @@
        "action": {
          "$ref": "#/definitions/GuardianApprovalReviewAction"
        },
-        "completedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this review completed.",
-          "format": "int64",
-          "type": "integer"
-        },
        "decisionSource": {
          "$ref": "#/definitions/AutoReviewDecisionSource"
        },
@@ -6509,11 +6499,6 @@
          "description": "Stable identifier for this review.",
          "type": "string"
        },
-        "startedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this review started.",
-          "format": "int64",
-          "type": "integer"
-        },
        "targetItemId": {
          "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
          "type": [
@@ -6530,11 +6515,9 @@
      },
      "required": [
        "action",
-        "completedAtMs",
        "decisionSource",
        "review",
        "reviewId",
-        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -6555,11 +6538,6 @@
          "description": "Stable identifier for this review.",
          "type": "string"
        },
-        "startedAtMs": {
-          "description": "Unix timestamp (in milliseconds) when this review started.",
-          "format": "int64",
-          "type": "integer"
-        },
        "targetItemId": {
          "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
          "type": [
@@ -6578,7 +6556,6 @@
        "action",
        "review",
        "reviewId",
-        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -8819,20 +8796,10 @@
            "null"
          ]
        },
-        "discoverability": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PluginShareDiscoverability"
-            },
-            {
-              "type": "null"
-            }
-          ]
-        },
        "remotePluginId": {
          "type": "string"
        },
-        "sharePrincipals": {
+        "shareTargets": {
          "items": {
            "$ref": "#/definitions/PluginSharePrincipal"
          },
@@ -8893,10 +8860,14 @@
        },
        "plugin": {
          "$ref": "#/definitions/PluginSummary"
+        },
+        "shareUrl": {
+          "type": "string"
        }
      },
      "required": [
-        "plugin"
+        "plugin",
+        "shareUrl"
      ],
      "type": "object"
    },
@@ -8931,27 +8902,15 @@
        },
        "principalType": {
          "$ref": "#/definitions/PluginSharePrincipalType"
-        },
-        "role": {
-          "$ref": "#/definitions/PluginSharePrincipalRole"
        }
      },
      "required": [
        "name",
        "principalId",
-        "principalType",
-        "role"
+        "principalType"
      ],
      "type": "object"
    },
-    "PluginSharePrincipalRole": {
-      "enum": [
-        "reader",
-        "editor",
-        "owner"
-      ],
-      "type": "string"
-    },
    "PluginSharePrincipalType": {
      "enum": [
        "user",
@@ -9022,38 +8981,17 @@
        },
        "principalType": {
          "$ref": "#/definitions/PluginSharePrincipalType"
-        },
-        "role": {
-          "$ref": "#/definitions/PluginShareTargetRole"
        }
      },
      "required": [
        "principalId",
-        "principalType",
-        "role"
+        "principalType"
      ],
      "type": "object"
    },
-    "PluginShareTargetRole": {
-      "enum": [
-        "reader",
-        "editor"
-      ],
-      "type": "string"
-    },
-    "PluginShareUpdateDiscoverability": {
-      "enum": [
-        "UNLISTED",
-        "PRIVATE"
-      ],
-      "type": "string"
-    },
    "PluginShareUpdateTargetsParams": {
      "$schema": "http://json-schema.org/draft-07/schema#",
      "properties": {
-        "discoverability": {
-          "$ref": "#/definitions/PluginShareUpdateDiscoverability"
-        },
        "remotePluginId": {
          "type": "string"
        },
@@ -9065,7 +9003,6 @@
        }
      },
      "required": [
-        "discoverability",
        "remotePluginId",
        "shareTargets"
      ],
@@ -9075,9 +9012,6 @@
    "PluginShareUpdateTargetsResponse": {
      "$schema": "http://json-schema.org/draft-07/schema#",
      "properties": {
-        "discoverability": {
-          "$ref": "#/definitions/PluginShareDiscoverability"
-        },
        "principals": {
          "items": {
            "$ref": "#/definitions/PluginSharePrincipal"
@@ -9086,7 +9020,6 @@
        }
      },
      "required": [
-        "discoverability",
        "principals"
      ],
      "title": "PluginShareUpdateTargetsResponse",
@@ -9933,7 +9866,7 @@
    },
    "RemoteControlStatusChangedNotification": {
      "$schema": "http://json-schema.org/draft-07/schema#",
-      "description": "Current remote-control connection status and remote identity exposed to clients.",
+      "description": "Current remote-control connection status and environment id exposed to clients.",
      "properties": {
        "environmentId": {
          "type": [
@@ -9941,15 +9874,11 @@
            "null"
          ]
        },
-        "installationId": {
-          "type": "string"
-        },
        "status": {
          "$ref": "#/definitions/RemoteControlConnectionStatus"
        }
      },
      "required": [
-        "installationId",
        "status"
      ],
      "title": "RemoteControlStatusChangedNotification",
@@ -12687,6 +12616,24 @@
      ],
      "type": "object"
    },
+    "SkillsListExtraRootsForCwd": {
+      "properties": {
+        "cwd": {
+          "type": "string"
+        },
+        "extraUserRoots": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
+        }
+      },
+      "required": [
+        "cwd",
+        "extraUserRoots"
+      ],
+      "type": "object"
+    },
    "SkillsListParams": {
      "$schema": "http://json-schema.org/draft-07/schema#",
      "properties": {
@@ -12700,6 +12647,17 @@
        "forceReload": {
          "description": "When true, bypass the skills cache and re-scan skills from disk.",
          "type": "boolean"
+        },
+        "perCwdExtraUserRoots": {
+          "default": null,
+          "description": "Optional per-cwd extra roots to scan as user-scoped skills.",
+          "items": {
+            "$ref": "#/definitions/SkillsListExtraRootsForCwd"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
        }
      },
      "title": "SkillsListParams",
@@ -16316,4 +16274,4 @@
  },
  "title": "CodexAppServerProtocolV2",
  "type": "object"
-}
+}
--- a/codex-rs/app-server-protocol/schema/json/v1/InitializeParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/InitializeParams.json
@@ -39,11 +39,6 @@
            "array",
            "null"
          ]
-        },
-        "requestAttestation": {
-          "default": false,
-          "description": "Opt into `attestation/generate` requests for upstream `x-oai-attestation`.",
-          "type": "boolean"
        }
      },
      "type": "object"
--- a/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewCompletedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewCompletedNotification.json
@@ -574,11 +574,6 @@
    "action": {
      "$ref": "#/definitions/GuardianApprovalReviewAction"
    },
-    "completedAtMs": {
-      "description": "Unix timestamp (in milliseconds) when this review completed.",
-      "format": "int64",
-      "type": "integer"
-    },
    "decisionSource": {
      "$ref": "#/definitions/AutoReviewDecisionSource"
    },
@@ -589,11 +584,6 @@
      "description": "Stable identifier for this review.",
      "type": "string"
    },
-    "startedAtMs": {
-      "description": "Unix timestamp (in milliseconds) when this review started.",
-      "format": "int64",
-      "type": "integer"
-    },
    "targetItemId": {
      "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
      "type": [
@@ -610,11 +600,9 @@
  },
  "required": [
    "action",
-    "completedAtMs",
    "decisionSource",
    "review",
    "reviewId",
-    "startedAtMs",
    "threadId",
    "turnId"
  ],
--- a/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewStartedNotification.json
@@ -574,11 +574,6 @@
      "description": "Stable identifier for this review.",
      "type": "string"
    },
-    "startedAtMs": {
-      "description": "Unix timestamp (in milliseconds) when this review started.",
-      "format": "int64",
-      "type": "integer"
-    },
    "targetItemId": {
      "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
      "type": [
@@ -597,7 +592,6 @@
    "action",
    "review",
    "reviewId",
-    "startedAtMs",
    "threadId",
    "turnId"
  ],
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginListResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginListResponse.json
@@ -246,20 +246,10 @@
            "null"
          ]
        },
-        "discoverability": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PluginShareDiscoverability"
-            },
-            {
-              "type": "null"
-            }
-          ]
-        },
        "remotePluginId": {
          "type": "string"
        },
-        "sharePrincipals": {
+        "shareTargets": {
          "items": {
            "$ref": "#/definitions/PluginSharePrincipal"
          },
@@ -280,14 +270,6 @@
      ],
      "type": "object"
    },
-    "PluginShareDiscoverability": {
-      "enum": [
-        "LISTED",
-        "UNLISTED",
-        "PRIVATE"
-      ],
-      "type": "string"
-    },
    "PluginSharePrincipal": {
      "properties": {
        "name": {
@@ -298,27 +280,15 @@
        },
        "principalType": {
          "$ref": "#/definitions/PluginSharePrincipalType"
-        },
-        "role": {
-          "$ref": "#/definitions/PluginSharePrincipalRole"
        }
      },
      "required": [
        "name",
        "principalId",
-        "principalType",
-        "role"
+        "principalType"
      ],
      "type": "object"
    },
-    "PluginSharePrincipalRole": {
-      "enum": [
-        "reader",
-        "editor",
-        "owner"
-      ],
-      "type": "string"
-    },
    "PluginSharePrincipalType": {
      "enum": [
        "user",
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginReadResponse.json
@@ -300,20 +300,10 @@
            "null"
          ]
        },
-        "discoverability": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PluginShareDiscoverability"
-            },
-            {
-              "type": "null"
-            }
-          ]
-        },
        "remotePluginId": {
          "type": "string"
        },
-        "sharePrincipals": {
+        "shareTargets": {
          "items": {
            "$ref": "#/definitions/PluginSharePrincipal"
          },
@@ -334,14 +324,6 @@
      ],
      "type": "object"
    },
-    "PluginShareDiscoverability": {
-      "enum": [
-        "LISTED",
-        "UNLISTED",
-        "PRIVATE"
-      ],
-      "type": "string"
-    },
    "PluginSharePrincipal": {
      "properties": {
        "name": {
@@ -352,27 +334,15 @@
        },
        "principalType": {
          "$ref": "#/definitions/PluginSharePrincipalType"
-        },
-        "role": {
-          "$ref": "#/definitions/PluginSharePrincipalRole"
        }
      },
      "required": [
        "name",
        "principalId",
-        "principalType",
-        "role"
+        "principalType"
      ],
      "type": "object"
    },
-    "PluginSharePrincipalRole": {
-      "enum": [
-        "reader",
-        "editor",
-        "owner"
-      ],
-      "type": "string"
-    },
    "PluginSharePrincipalType": {
      "enum": [
        "user",
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginShareListResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginShareListResponse.json
@@ -181,20 +181,10 @@
            "null"
          ]
        },
-        "discoverability": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PluginShareDiscoverability"
-            },
-            {
-              "type": "null"
-            }
-          ]
-        },
        "remotePluginId": {
          "type": "string"
        },
-        "sharePrincipals": {
+        "shareTargets": {
          "items": {
            "$ref": "#/definitions/PluginSharePrincipal"
          },
@@ -215,14 +205,6 @@
      ],
      "type": "object"
    },
-    "PluginShareDiscoverability": {
-      "enum": [
-        "LISTED",
-        "UNLISTED",
-        "PRIVATE"
-      ],
-      "type": "string"
-    },
    "PluginShareListItem": {
      "properties": {
        "localPluginPath": {
@@ -237,10 +219,14 @@
        },
        "plugin": {
          "$ref": "#/definitions/PluginSummary"
+        },
+        "shareUrl": {
+          "type": "string"
        }
      },
      "required": [
-        "plugin"
+        "plugin",
+        "shareUrl"
      ],
      "type": "object"
    },
@@ -254,27 +240,15 @@
        },
        "principalType": {
          "$ref": "#/definitions/PluginSharePrincipalType"
-        },
-        "role": {
-          "$ref": "#/definitions/PluginSharePrincipalRole"
        }
      },
      "required": [
        "name",
        "principalId",
-        "principalType",
-        "role"
+        "principalType"
      ],
      "type": "object"
    },
-    "PluginSharePrincipalRole": {
-      "enum": [
-        "reader",
-        "editor",
-        "owner"
-      ],
-      "type": "string"
-    },
    "PluginSharePrincipalType": {
      "enum": [
        "user",
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginShareSaveParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginShareSaveParams.json
@@ -28,24 +28,13 @@
        },
        "principalType": {
          "$ref": "#/definitions/PluginSharePrincipalType"
-        },
-        "role": {
-          "$ref": "#/definitions/PluginShareTargetRole"
        }
      },
      "required": [
        "principalId",
-        "principalType",
-        "role"
+        "principalType"
      ],
      "type": "object"
-    },
-    "PluginShareTargetRole": {
-      "enum": [
-        "reader",
-        "editor"
-      ],
-      "type": "string"
    }
  },
  "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginShareUpdateTargetsParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginShareUpdateTargetsParams.json
@@ -16,37 +16,16 @@
        },
        "principalType": {
          "$ref": "#/definitions/PluginSharePrincipalType"
-        },
-        "role": {
-          "$ref": "#/definitions/PluginShareTargetRole"
        }
      },
      "required": [
        "principalId",
-        "principalType",
-        "role"
+        "principalType"
      ],
      "type": "object"
-    },
-    "PluginShareTargetRole": {
-      "enum": [
-        "reader",
-        "editor"
-      ],
-      "type": "string"
-    },
-    "PluginShareUpdateDiscoverability": {
-      "enum": [
-        "UNLISTED",
-        "PRIVATE"
-      ],
-      "type": "string"
    }
  },
  "properties": {
-    "discoverability": {
-      "$ref": "#/definitions/PluginShareUpdateDiscoverability"
-    },
    "remotePluginId": {
      "type": "string"
    },
@@ -58,7 +37,6 @@
    }
  },
  "required": [
-    "discoverability",
    "remotePluginId",
    "shareTargets"
  ],
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginShareUpdateTargetsResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginShareUpdateTargetsResponse.json
@@ -1,14 +1,6 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "definitions": {
-    "PluginShareDiscoverability": {
-      "enum": [
-        "LISTED",
-        "UNLISTED",
-        "PRIVATE"
-      ],
-      "type": "string"
-    },
    "PluginSharePrincipal": {
      "properties": {
        "name": {
@@ -19,27 +11,15 @@
        },
        "principalType": {
          "$ref": "#/definitions/PluginSharePrincipalType"
-        },
-        "role": {
-          "$ref": "#/definitions/PluginSharePrincipalRole"
        }
      },
      "required": [
        "name",
        "principalId",
-        "principalType",
-        "role"
+        "principalType"
      ],
      "type": "object"
    },
-    "PluginSharePrincipalRole": {
-      "enum": [
-        "reader",
-        "editor",
-        "owner"
-      ],
-      "type": "string"
-    },
    "PluginSharePrincipalType": {
      "enum": [
        "user",
@@ -50,9 +30,6 @@
    }
  },
  "properties": {
-    "discoverability": {
-      "$ref": "#/definitions/PluginShareDiscoverability"
-    },
    "principals": {
      "items": {
        "$ref": "#/definitions/PluginSharePrincipal"
@@ -61,7 +38,6 @@
    }
  },
  "required": [
-    "discoverability",
    "principals"
  ],
  "title": "PluginShareUpdateTargetsResponse",
--- a/codex-rs/app-server-protocol/schema/json/v2/RemoteControlStatusChangedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/RemoteControlStatusChangedNotification.json
@@ -11,7 +11,7 @@
      "type": "string"
    }
  },
-  "description": "Current remote-control connection status and remote identity exposed to clients.",
+  "description": "Current remote-control connection status and environment id exposed to clients.",
  "properties": {
    "environmentId": {
      "type": [
@@ -19,15 +19,11 @@
        "null"
      ]
    },
-    "installationId": {
-      "type": "string"
-    },
    "status": {
      "$ref": "#/definitions/RemoteControlConnectionStatus"
    }
  },
  "required": [
-    "installationId",
    "status"
  ],
  "title": "RemoteControlStatusChangedNotification",
--- a/codex-rs/app-server-protocol/schema/json/v2/SkillsListParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/SkillsListParams.json
@@ -1,5 +1,25 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
+  "definitions": {
+    "SkillsListExtraRootsForCwd": {
+      "properties": {
+        "cwd": {
+          "type": "string"
+        },
+        "extraUserRoots": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
+        }
+      },
+      "required": [
+        "cwd",
+        "extraUserRoots"
+      ],
+      "type": "object"
+    }
+  },
  "properties": {
    "cwds": {
      "description": "When empty, defaults to the current session working directory.",
@@ -11,6 +31,17 @@
    "forceReload": {
      "description": "When true, bypass the skills cache and re-scan skills from disk.",
      "type": "boolean"
+    },
+    "perCwdExtraUserRoots": {
+      "default": null,
+      "description": "Optional per-cwd extra roots to scan as user-scoped skills.",
+      "items": {
+        "$ref": "#/definitions/SkillsListExtraRootsForCwd"
+      },
+      "type": [
+        "array",
+        "null"
+      ]
    }
  },
  "title": "SkillsListParams",
--- a/codex-rs/app-server-protocol/schema/typescript/InitializeCapabilities.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/InitializeCapabilities.ts
@@ -10,10 +10,6 @@ export type InitializeCapabilities = {
 * Opt into receiving experimental API methods and fields.
 */
 experimentalApi: boolean,
-/**
- * Opt into `attestation/generate` requests for upstream `x-oai-attestation`.
- */
-requestAttestation: boolean,
 /**
 * Exact notification method names that should be suppressed for this
 * connection (for example `thread/started`).
--- a/codex-rs/app-server-protocol/schema/typescript/ServerRequest.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ServerRequest.ts
@@ -4,7 +4,6 @@
 import type { ApplyPatchApprovalParams } from "./ApplyPatchApprovalParams";
 import type { ExecCommandApprovalParams } from "./ExecCommandApprovalParams";
 import type { RequestId } from "./RequestId";
-import type { AttestationGenerateParams } from "./v2/AttestationGenerateParams";
 import type { ChatgptAuthTokensRefreshParams } from "./v2/ChatgptAuthTokensRefreshParams";
 import type { CommandExecutionRequestApprovalParams } from "./v2/CommandExecutionRequestApprovalParams";
 import type { DynamicToolCallParams } from "./v2/DynamicToolCallParams";
@@ -16,4 +15,4 @@ import type { ToolRequestUserInputParams } from "./v2/ToolRequestUserInputParams
 /**
 * Request initiated from the server and sent to the client.
 */
-export type ServerRequest = { "method": "item/commandExecution/requestApproval", id: RequestId, params: CommandExecutionRequestApprovalParams, } | { "method": "item/fileChange/requestApproval", id: RequestId, params: FileChangeRequestApprovalParams, } | { "method": "item/tool/requestUserInput", id: RequestId, params: ToolRequestUserInputParams, } | { "method": "mcpServer/elicitation/request", id: RequestId, params: McpServerElicitationRequestParams, } | { "method": "item/permissions/requestApproval", id: RequestId, params: PermissionsRequestApprovalParams, } | { "method": "item/tool/call", id: RequestId, params: DynamicToolCallParams, } | { "method": "account/chatgptAuthTokens/refresh", id: RequestId, params: ChatgptAuthTokensRefreshParams, } | { "method": "attestation/generate", id: RequestId, params: AttestationGenerateParams, } | { "method": "applyPatchApproval", id: RequestId, params: ApplyPatchApprovalParams, } | { "method": "execCommandApproval", id: RequestId, params: ExecCommandApprovalParams, };
+export type ServerRequest = { "method": "item/commandExecution/requestApproval", id: RequestId, params: CommandExecutionRequestApprovalParams, } | { "method": "item/fileChange/requestApproval", id: RequestId, params: FileChangeRequestApprovalParams, } | { "method": "item/tool/requestUserInput", id: RequestId, params: ToolRequestUserInputParams, } | { "method": "mcpServer/elicitation/request", id: RequestId, params: McpServerElicitationRequestParams, } | { "method": "item/permissions/requestApproval", id: RequestId, params: PermissionsRequestApprovalParams, } | { "method": "item/tool/call", id: RequestId, params: DynamicToolCallParams, } | { "method": "account/chatgptAuthTokens/refresh", id: RequestId, params: ChatgptAuthTokensRefreshParams, } | { "method": "applyPatchApproval", id: RequestId, params: ApplyPatchApprovalParams, } | { "method": "execCommandApproval", id: RequestId, params: ExecCommandApprovalParams, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/AttestationGenerateParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/AttestationGenerateParams.ts
@@ -1,5 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-
-export type AttestationGenerateParams = Record<string, never>;
--- a/codex-rs/app-server-protocol/schema/typescript/v2/AttestationGenerateResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/AttestationGenerateResponse.ts
@@ -1,9 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-
-export type AttestationGenerateResponse = {
-/**
- * Opaque client attestation token.
- */
-token: string, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecutionRequestApprovalParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecutionRequestApprovalParams.ts
@@ -8,9 +8,6 @@ import type { NetworkApprovalContext } from "./NetworkApprovalContext";
 import type { NetworkPolicyAmendment } from "./NetworkPolicyAmendment";

 export type CommandExecutionRequestApprovalParams = {threadId: string, turnId: string, itemId: string, /**
- * Unix timestamp (in milliseconds) when this approval request started.
- */
-startedAtMs: number, /**
 * Unique identifier for this specific approval callback.
 *
 * For regular shell/unified_exec approvals, this is null.
--- a/codex-rs/app-server-protocol/schema/typescript/v2/FileChangeRequestApprovalParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/FileChangeRequestApprovalParams.ts
@@ -3,10 +3,6 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.

 export type FileChangeRequestApprovalParams = { threadId: string, turnId: string, itemId: string,
-/**
- * Unix timestamp (in milliseconds) when this approval request started.
- */
-startedAtMs: number,
 /**
 * Optional explanatory reason (e.g. request for extra write access).
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ItemGuardianApprovalReviewCompletedNotification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ItemGuardianApprovalReviewCompletedNotification.ts
@@ -10,14 +10,6 @@ import type { GuardianApprovalReviewAction } from "./GuardianApprovalReviewActio
 * shape is expected to change soon.
 */
 export type ItemGuardianApprovalReviewCompletedNotification = { threadId: string, turnId: string,
-/**
- * Unix timestamp (in milliseconds) when this review started.
- */
-startedAtMs: number,
-/**
- * Unix timestamp (in milliseconds) when this review completed.
- */
-completedAtMs: number,
 /**
 * Stable identifier for this review.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ItemGuardianApprovalReviewStartedNotification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ItemGuardianApprovalReviewStartedNotification.ts
@@ -9,10 +9,6 @@ import type { GuardianApprovalReviewAction } from "./GuardianApprovalReviewActio
 * shape is expected to change soon.
 */
 export type ItemGuardianApprovalReviewStartedNotification = { threadId: string, turnId: string,
-/**
- * Unix timestamp (in milliseconds) when this review started.
- */
-startedAtMs: number,
 /**
 * Stable identifier for this review.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/PermissionsRequestApprovalParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/PermissionsRequestApprovalParams.ts
@@ -4,8 +4,4 @@
 import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 import type { RequestPermissionProfile } from "./RequestPermissionProfile";

-export type PermissionsRequestApprovalParams = { threadId: string, turnId: string, itemId: string,
-/**
- * Unix timestamp (in milliseconds) when this approval request started.
- */
-startedAtMs: number, cwd: AbsolutePathBuf, reason: string | null, permissions: RequestPermissionProfile, };
+export type PermissionsRequestApprovalParams = { threadId: string, turnId: string, itemId: string, cwd: AbsolutePathBuf, reason: string | null, permissions: RequestPermissionProfile, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/PluginShareContext.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/PluginShareContext.ts
@@ -1,7 +1,6 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { PluginShareDiscoverability } from "./PluginShareDiscoverability";
 import type { PluginSharePrincipal } from "./PluginSharePrincipal";

-export type PluginShareContext = { remotePluginId: string, discoverability: PluginShareDiscoverability | null, shareUrl: string | null, creatorAccountUserId: string | null, creatorName: string | null, sharePrincipals: Array<PluginSharePrincipal> | null, };
+export type PluginShareContext = { remotePluginId: string, shareUrl: string | null, creatorAccountUserId: string | null, creatorName: string | null, shareTargets: Array<PluginSharePrincipal> | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/PluginShareListItem.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/PluginShareListItem.ts
@@ -4,4 +4,4 @@
 import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 import type { PluginSummary } from "./PluginSummary";

-export type PluginShareListItem = { plugin: PluginSummary, localPluginPath: AbsolutePathBuf | null, };
+export type PluginShareListItem = { plugin: PluginSummary, shareUrl: string, localPluginPath: AbsolutePathBuf | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/PluginSharePrincipal.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/PluginSharePrincipal.ts
@@ -1,7 +1,6 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { PluginSharePrincipalRole } from "./PluginSharePrincipalRole";
 import type { PluginSharePrincipalType } from "./PluginSharePrincipalType";

-export type PluginSharePrincipal = { principalType: PluginSharePrincipalType, principalId: string, role: PluginSharePrincipalRole, name: string, };
+export type PluginSharePrincipal = { principalType: PluginSharePrincipalType, principalId: string, name: string, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/PluginSharePrincipalRole.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/PluginSharePrincipalRole.ts
@@ -1,5 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-
-export type PluginSharePrincipalRole = "reader" | "editor" | "owner";
--- a/codex-rs/app-server-protocol/schema/typescript/v2/PluginShareTarget.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/PluginShareTarget.ts
@@ -2,6 +2,5 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { PluginSharePrincipalType } from "./PluginSharePrincipalType";
-import type { PluginShareTargetRole } from "./PluginShareTargetRole";

-export type PluginShareTarget = { principalType: PluginSharePrincipalType, principalId: string, role: PluginShareTargetRole, };
+export type PluginShareTarget = { principalType: PluginSharePrincipalType, principalId: string, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/PluginShareUpdateDiscoverability.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/PluginShareUpdateDiscoverability.ts
@@ -1,5 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-
-export type PluginShareUpdateDiscoverability = "UNLISTED" | "PRIVATE";
--- a/codex-rs/app-server-protocol/schema/typescript/v2/PluginShareUpdateTargetsParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/PluginShareUpdateTargetsParams.ts
@@ -2,6 +2,5 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { PluginShareTarget } from "./PluginShareTarget";
-import type { PluginShareUpdateDiscoverability } from "./PluginShareUpdateDiscoverability";

-export type PluginShareUpdateTargetsParams = { remotePluginId: string, discoverability: PluginShareUpdateDiscoverability, shareTargets: Array<PluginShareTarget>, };
+export type PluginShareUpdateTargetsParams = { remotePluginId: string, shareTargets: Array<PluginShareTarget>, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/PluginShareUpdateTargetsResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/PluginShareUpdateTargetsResponse.ts
@@ -1,7 +1,6 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { PluginShareDiscoverability } from "./PluginShareDiscoverability";
 import type { PluginSharePrincipal } from "./PluginSharePrincipal";

-export type PluginShareUpdateTargetsResponse = { principals: Array<PluginSharePrincipal>, discoverability: PluginShareDiscoverability, };
+export type PluginShareUpdateTargetsResponse = { principals: Array<PluginSharePrincipal>, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/RemoteControlStatusChangedNotification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/RemoteControlStatusChangedNotification.ts
@@ -4,6 +4,6 @@
 import type { RemoteControlConnectionStatus } from "./RemoteControlConnectionStatus";

 /**
- * Current remote-control connection status and remote identity exposed to clients.
+ * Current remote-control connection status and environment id exposed to clients.
 */
-export type RemoteControlStatusChangedNotification = { status: RemoteControlConnectionStatus, installationId: string, environmentId: string | null, };
+export type RemoteControlStatusChangedNotification = { status: RemoteControlConnectionStatus, environmentId: string | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/SkillsListExtraRootsForCwd.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/SkillsListExtraRootsForCwd.ts
@@ -2,4 +2,4 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.

-export type PluginShareTargetRole = "reader" | "editor";
+export type SkillsListExtraRootsForCwd = { cwd: string, extraUserRoots: Array<string>, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/SkillsListParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/SkillsListParams.ts
@@ -1,6 +1,7 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { SkillsListExtraRootsForCwd } from "./SkillsListExtraRootsForCwd";

 export type SkillsListParams = {
 /**
@@ -10,4 +11,8 @@ cwds?: Array<string>,
 /**
 * When true, bypass the skills cache and re-scan skills from disk.
 */
-forceReload?: boolean, };
+forceReload?: boolean,
+/**
+ * Optional per-cwd extra roots to scan as user-scoped skills.
+ */
+perCwdExtraUserRoots?: Array<SkillsListExtraRootsForCwd> | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/index.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/index.ts
@@ -28,8 +28,6 @@ export type { AppsDefaultConfig } from "./AppsDefaultConfig";
 export type { AppsListParams } from "./AppsListParams";
 export type { AppsListResponse } from "./AppsListResponse";
 export type { AskForApproval } from "./AskForApproval";
-export type { AttestationGenerateParams } from "./AttestationGenerateParams";
-export type { AttestationGenerateResponse } from "./AttestationGenerateResponse";
 export type { AutoReviewDecisionSource } from "./AutoReviewDecisionSource";
 export type { ByteRange } from "./ByteRange";
 export type { CancelLoginAccountParams } from "./CancelLoginAccountParams";
@@ -285,13 +283,10 @@ export type { PluginShareListItem } from "./PluginShareListItem";
 export type { PluginShareListParams } from "./PluginShareListParams";
 export type { PluginShareListResponse } from "./PluginShareListResponse";
 export type { PluginSharePrincipal } from "./PluginSharePrincipal";
-export type { PluginSharePrincipalRole } from "./PluginSharePrincipalRole";
 export type { PluginSharePrincipalType } from "./PluginSharePrincipalType";
 export type { PluginShareSaveParams } from "./PluginShareSaveParams";
 export type { PluginShareSaveResponse } from "./PluginShareSaveResponse";
 export type { PluginShareTarget } from "./PluginShareTarget";
-export type { PluginShareTargetRole } from "./PluginShareTargetRole";
-export type { PluginShareUpdateDiscoverability } from "./PluginShareUpdateDiscoverability";
 export type { PluginShareUpdateTargetsParams } from "./PluginShareUpdateTargetsParams";
 export type { PluginShareUpdateTargetsResponse } from "./PluginShareUpdateTargetsResponse";
 export type { PluginSkillReadParams } from "./PluginSkillReadParams";
@@ -341,6 +336,7 @@ export type { SkillsChangedNotification } from "./SkillsChangedNotification";
 export type { SkillsConfigWriteParams } from "./SkillsConfigWriteParams";
 export type { SkillsConfigWriteResponse } from "./SkillsConfigWriteResponse";
 export type { SkillsListEntry } from "./SkillsListEntry";
+export type { SkillsListExtraRootsForCwd } from "./SkillsListExtraRootsForCwd";
 export type { SkillsListParams } from "./SkillsListParams";
 export type { SkillsListResponse } from "./SkillsListResponse";
 export type { SortDirection } from "./SortDirection";
--- a/codex-rs/app-server-protocol/src/protocol/common.rs
+++ b/codex-rs/app-server-protocol/src/protocol/common.rs
@@ -581,13 +581,6 @@ client_request_definitions! {
        serialization: None,
        response: v2::ThreadTurnsListResponse,
    },
-    #[experimental("thread/turns/items/list")]
-    ThreadTurnsItemsList => "thread/turns/items/list" {
-        params: v2::ThreadTurnsItemsListParams,
-        // Explicitly concurrent: this primarily reads append-only rollout storage.
-        serialization: None,
-        response: v2::ThreadTurnsItemsListResponse,
-    },
    /// Append raw Responses API items to the thread history without starting a user turn.
    ThreadInjectItems => "thread/inject_items" {
        params: v2::ThreadInjectItemsParams,
@@ -808,13 +801,6 @@ client_request_definitions! {
        serialization: None,
        response: v2::MockExperimentalMethodResponse,
    },
-    #[experimental("environment/add")]
-    /// Adds or replaces a remote environment by id for later selection.
-    EnvironmentAdd => "environment/add" {
-        params: v2::EnvironmentAddParams,
-        serialization: global("environment"),
-        response: v2::EnvironmentAddResponse,
-    },

    McpServerOauthLogin => "mcpServer/oauth/login" {
        params: v2::McpServerOauthLoginParams,
@@ -1319,12 +1305,6 @@ server_request_definitions! {
        response: v2::ChatgptAuthTokensRefreshResponse,
    },

-    /// Generate a fresh upstream attestation result on demand.
-    AttestationGenerate => "attestation/generate" {
-        params: v2::AttestationGenerateParams,
-        response: v2::AttestationGenerateResponse,
-    },
-
    /// DEPRECATED APIs below
    /// Request to approve a patch.
    /// This request is used for Turns started via the legacy APIs (i.e. SendUserTurn, SendUserMessage).
@@ -1669,6 +1649,7 @@ mod tests {
            params: v2::SkillsListParams {
                cwds: Vec::new(),
                force_reload: false,
+                per_cwd_extra_user_roots: None,
            },
        };
        assert_eq!(
@@ -1803,18 +1784,6 @@ mod tests {
            add_credits_nudge.serialization_scope(),
            Some(ClientRequestSerializationScope::Global("account-auth"))
        );
-
-        let environment_add = ClientRequest::EnvironmentAdd {
-            request_id: request_id(),
-            params: v2::EnvironmentAddParams {
-                environment_id: "remote-a".to_string(),
-                exec_server_url: "ws://127.0.0.1:8765".to_string(),
-            },
-        };
-        assert_eq!(
-            environment_add.serialization_scope(),
-            Some(ClientRequestSerializationScope::Global("environment"))
-        );
    }

    #[test]
@@ -1874,23 +1843,10 @@ mod tests {
                cursor: None,
                limit: None,
                sort_direction: None,
-                items_view: None,
            },
        };
        assert_eq!(thread_turns_list.serialization_scope(), None);

-        let thread_turns_items_list = ClientRequest::ThreadTurnsItemsList {
-            request_id: request_id(),
-            params: v2::ThreadTurnsItemsListParams {
-                thread_id: "thread-1".to_string(),
-                turn_id: "turn-1".to_string(),
-                cursor: None,
-                limit: None,
-                sort_direction: None,
-            },
-        };
-        assert_eq!(thread_turns_items_list.serialization_scope(), None);
-
        let mcp_resource_read = ClientRequest::McpResourceRead {
            request_id: request_id(),
            params: v2::McpResourceReadParams {
@@ -1935,7 +1891,6 @@ mod tests {
                },
                capabilities: Some(v1::InitializeCapabilities {
                    experimental_api: true,
-                    request_attestation: true,
                    opt_out_notification_methods: Some(vec![
                        "thread/started".to_string(),
                        "item/agentMessage/delta".to_string(),
@@ -1956,7 +1911,6 @@ mod tests {
                    },
                    "capabilities": {
                        "experimentalApi": true,
-                        "requestAttestation": true,
                        "optOutNotificationMethods": [
                            "thread/started",
                            "item/agentMessage/delta"
@@ -1982,7 +1936,6 @@ mod tests {
                },
                "capabilities": {
                    "experimentalApi": true,
-                    "requestAttestation": true,
                    "optOutNotificationMethods": [
                        "thread/started",
                        "item/agentMessage/delta"
@@ -2003,7 +1956,6 @@ mod tests {
                    },
                    capabilities: Some(v1::InitializeCapabilities {
                        experimental_api: true,
-                        request_attestation: true,
                        opt_out_notification_methods: Some(vec![
                            "thread/started".to_string(),
                            "item/agentMessage/delta".to_string(),
@@ -2120,28 +2072,6 @@ mod tests {
        Ok(())
    }

-    #[test]
-    fn serialize_attestation_generate_request() -> Result<()> {
-        let params = v2::AttestationGenerateParams {};
-        let request = ServerRequest::AttestationGenerate {
-            request_id: RequestId::Integer(9),
-            params: params.clone(),
-        };
-        assert_eq!(
-            json!({
-                "method": "attestation/generate",
-                "id": 9,
-                "params": {}
-            }),
-            serde_json::to_value(&request)?,
-        );
-
-        let payload = ServerRequestPayload::AttestationGenerate(params);
-        assert_eq!(request.id(), &RequestId::Integer(9));
-        assert_eq!(payload.request_with_id(RequestId::Integer(9)), request);
-        Ok(())
-    }
-
    #[test]
    fn serialize_server_response() -> Result<()> {
        let response = ServerResponse::CommandExecutionRequestApproval {
@@ -2597,33 +2527,10 @@ mod tests {
        Ok(())
    }

-    #[test]
-    fn serialize_environment_add() -> Result<()> {
-        let request = ClientRequest::EnvironmentAdd {
-            request_id: RequestId::Integer(9),
-            params: v2::EnvironmentAddParams {
-                environment_id: "remote-a".to_string(),
-                exec_server_url: "ws://127.0.0.1:8765".to_string(),
-            },
-        };
-        assert_eq!(
-            json!({
-                "method": "environment/add",
-                "id": 9,
-                "params": {
-                    "environmentId": "remote-a",
-                    "execServerUrl": "ws://127.0.0.1:8765"
-                }
-            }),
-            serde_json::to_value(&request)?,
-        );
-        Ok(())
-    }
-
    #[test]
    fn serialize_fs_get_metadata() -> Result<()> {
        let request = ClientRequest::FsGetMetadata {
-            request_id: RequestId::Integer(10),
+            request_id: RequestId::Integer(9),
            params: v2::FsGetMetadataParams {
                path: absolute_path("tmp/example"),
            },
@@ -2631,7 +2538,7 @@ mod tests {
        assert_eq!(
            json!({
                "method": "fs/getMetadata",
-                "id": 10,
+                "id": 9,
                "params": {
                    "path": absolute_path_string("tmp/example")
                }
@@ -2892,19 +2799,6 @@ mod tests {
        assert_eq!(reason, Some("mock/experimentalMethod"));
    }

-    #[test]
-    fn environment_add_is_marked_experimental() {
-        let request = ClientRequest::EnvironmentAdd {
-            request_id: RequestId::Integer(1),
-            params: v2::EnvironmentAddParams {
-                environment_id: "remote-a".to_string(),
-                exec_server_url: "ws://127.0.0.1:8765".to_string(),
-            },
-        };
-        let reason = crate::experimental_api::ExperimentalApi::experimental_reason(&request);
-        assert_eq!(reason, Some("environment/add"));
-    }
-
    #[test]
    fn command_exec_permission_profile_is_marked_experimental() {
        let request = ClientRequest::OneOffCommandExec {
@@ -3053,7 +2947,6 @@ mod tests {
            thread_id: "thr_123".to_string(),
            turn_id: "turn_123".to_string(),
            item_id: "call_123".to_string(),
-            started_at_ms: 0,
            approval_id: None,
            reason: None,
            network_approval_context: None,
--- a/codex-rs/app-server-protocol/src/protocol/item_builders.rs
+++ b/codex-rs/app-server-protocol/src/protocol/item_builders.rs
@@ -243,7 +243,6 @@ pub fn guardian_auto_approval_review_notification(
                    thread_id: conversation_id.to_string(),
                    turn_id,
                    review_id: assessment.id.clone(),
-                    started_at_ms: assessment.started_at_ms,
                    target_item_id: assessment.target_item_id.clone(),
                    review,
                    action,
@@ -259,10 +258,6 @@ pub fn guardian_auto_approval_review_notification(
                    thread_id: conversation_id.to_string(),
                    turn_id,
                    review_id: assessment.id.clone(),
-                    started_at_ms: assessment.started_at_ms,
-                    completed_at_ms: assessment
-                        .completed_at_ms
-                        .unwrap_or(assessment.started_at_ms),
                    target_item_id: assessment.target_item_id.clone(),
                    decision_source: assessment
                        .decision_source
--- a/codex-rs/app-server-protocol/src/protocol/thread_history.rs
+++ b/codex-rs/app-server-protocol/src/protocol/thread_history.rs
@@ -2143,8 +2143,6 @@ mod tests {
                id: "review-guardian-exec".into(),
                target_item_id: Some("guardian-exec".into()),
                turn_id: "turn-1".into(),
-                started_at_ms: 1_000,
-                completed_at_ms: None,
                status: GuardianAssessmentStatus::InProgress,
                risk_level: None,
                user_authorization: None,
@@ -2162,8 +2160,6 @@ mod tests {
                id: "review-guardian-exec".into(),
                target_item_id: Some("guardian-exec".into()),
                turn_id: "turn-1".into(),
-                started_at_ms: 1_000,
-                completed_at_ms: Some(1_042),
                status: GuardianAssessmentStatus::Denied,
                risk_level: Some(codex_protocol::protocol::GuardianRiskLevel::High),
                user_authorization: Some(codex_protocol::protocol::GuardianUserAuthorization::Low),
@@ -2226,8 +2222,6 @@ mod tests {
                id: "review-guardian-execve".into(),
                target_item_id: Some("guardian-execve".into()),
                turn_id: "turn-1".into(),
-                started_at_ms: 2_000,
-                completed_at_ms: None,
                status: GuardianAssessmentStatus::InProgress,
                risk_level: None,
                user_authorization: None,
@@ -2531,7 +2525,6 @@ mod tests {
            EventMsg::ApplyPatchApprovalRequest(ApplyPatchApprovalRequestEvent {
                call_id: "patch-call".into(),
                turn_id: turn_id.to_string(),
-                started_at_ms: 0,
                changes: [(
                    PathBuf::from("README.md"),
                    codex_protocol::protocol::FileChange::Add {
--- a/codex-rs/app-server-protocol/src/protocol/v1.rs
+++ b/codex-rs/app-server-protocol/src/protocol/v1.rs
@@ -46,9 +46,6 @@ pub struct InitializeCapabilities {
    /// Opt into receiving experimental API methods and fields.
    #[serde(default)]
    pub experimental_api: bool,
-    /// Opt into `attestation/generate` requests for upstream `x-oai-attestation`.
-    #[serde(default)]
-    pub request_attestation: bool,
    /// Exact notification method names that should be suppressed for this
    /// connection (for example `thread/started`).
    #[ts(optional = nullable)]
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
starr-openai	755d128add	Shard Windows arm64 nextest runs Add a dynamic rust-ci-full test matrix so workflow_dispatch or shard-specific full-ci branch names can split the Windows arm64 nextest lane across 2 or 4 hosts while leaving the default push behavior unchanged. Co-authored-by: Codex <noreply@openai.com>	2026-05-07 17:11:16 -07:00
starr-openai	cd8ea2f36b	Keep sccache stats alive through CI jobs Disable the sccache daemon idle timeout in rust-ci-full so long test phases can still report the compile-cache stats collected during the build phase. Co-authored-by: Codex <noreply@openai.com>	2026-05-07 15:59:45 -07:00
starr-openai	fcb1fb8ec6	Re-enable Windows sccache in Rust CI Let Windows rust-ci-full jobs use sccache again, store the fallback cache on the configured work drive, and set Cargo's rustc wrapper to an absolute sccache path so Windows subprocesses resolve it consistently. Co-authored-by: Codex <noreply@openai.com>	2026-05-07 15:20:40 -07:00
starr-openai	077a3970d7	Use Dev Drive for Windows CI Configure Windows Rust CI jobs and the shared Bazel CI setup to put temp, repository-cache, and output-root paths on the runner's fast work drive when available. Fall back to C: if no secondary drive or Dev Drive provisioning path is available. Co-authored-by: Codex <noreply@openai.com>	2026-05-07 15:20:40 -07:00
starr-openai	5815dd6a4b	Give Windows arm64 tests enough CI time Let the Windows arm64 test matrix use a longer timeout after CI showed the lane spending most of the default 45 minutes compiling before nextest could finish. Also pin nextest through taiki-e/install-action's supported tool version syntax so the requested version is not ignored. Co-authored-by: Codex <noreply@openai.com>	2026-05-07 15:20:39 -07:00
starr-openai	296fa6df0c	Serialize Windows process-heavy nextest cases Windows rust-ci-full repeatedly times out in subprocess-heavy tests even when the global nextest thread count is capped. Isolate the recurring Windows-only families with nextest overrides so the rest of the suite can keep normal parallelism. Co-authored-by: Codex <noreply@openai.com>	2026-05-07 15:20:39 -07:00
starr-openai	64c684bd57	Add Windows nextest thread override for rust-ci-full Co-authored-by: Codex <noreply@openai.com>	2026-05-07 15:20:39 -07:00
starr-openai	ce5d84e43a	Make pending sideband close test deterministic Replace the realtime websocket accept-delay race with an explicit test-server gate so close is issued while the sideband connection is pending, then prove the closed conversation does not emit stale events or send sideband websocket requests. Co-authored-by: Codex <noreply@openai.com>	2026-05-07 15:20:35 -07:00
starr-openai	926b8d77cd	Tolerate transient Windows metadata denial in memory startup test Keep polling when Windows temporarily denies metadata reads while the phase 2 memory workspace is being cleaned up, so the test still verifies the file is removed and the baseline becomes clean. Co-authored-by: Codex <noreply@openai.com>	2026-05-07 14:48:09 -07:00
starr-openai	7cd5127421	Wait for agent shutdown before resume tests reopen IDs Subscribe before test shutdown and close operations, then wait for the Shutdown status before resuming the same thread IDs. This removes the Windows live-writer race exposed by the full nextest run. Co-authored-by: Codex <noreply@openai.com>	2026-05-07 14:48:09 -07:00
starr-openai	6a2ce743f1	Make Windows realtime shell test use successful cmd echo Use a Windows command form that exits successfully in constrained CI shells and trim the expected newline in the delegated realtime shell-tool assertion. Co-authored-by: Codex <noreply@openai.com>	2026-05-07 14:48:08 -07:00
starr-openai	32deb67fc6	Harden Windows realtime and agent resume tests Avoid PowerShell command forms that depend on method invocation for the delegated realtime shell-tool test, and wait for a shutdown status before resuming the same subagent thread in the nickname/role restore test. Co-authored-by: Codex <noreply@openai.com>	2026-05-07 14:48:08 -07:00
starr-openai	59d9e96d66	Use PowerShell literal output in sandbox tests The legacy sandbox runs PowerShell in constrained language mode, so method calls fail and module-backed cmdlets may not autoload. Use literal string expressions for the PowerShell I/O smoke tests so they exercise process output without depending on cmdlets or method invocation. Co-authored-by: Codex <noreply@openai.com>	2026-05-07 14:48:08 -07:00
starr-openai	097e3ef949	Avoid PowerShell module autoload in sandbox tests Windows arm64 can launch pwsh in the legacy sandbox while still failing Write-Output because Microsoft.PowerShell.Utility cannot autoload. Use Console output in the legacy PowerShell smoke tests so they continue to verify sandbox process I/O without depending on module autoload. Co-authored-by: Codex <noreply@openai.com>	2026-05-07 14:48:07 -07:00
starr-openai	f3afa1132d	Fix rollout cwd fixture import Import the Windows-aware test_path_buf helper from core_test_support where it is defined. Co-authored-by: Codex <noreply@openai.com>	2026-05-07 14:48:07 -07:00
starr-openai	a666109389	Make rollout cwd fixtures drive-stable on Windows Dev Drive setup can put temporary Codex homes on D:, which exposed test fixtures that wrote root-relative '/' rollout cwd values while assertions expected the Windows-aware C:\ root helper. Use the same test_path_buf helper when creating and expecting fake rollout cwd values so the tests remain independent of the process temp drive. Co-authored-by: Codex <noreply@openai.com>	2026-05-07 14:48:07 -07:00
starr-openai	16648c8d1c	Make realtime sideband failure test deterministic Use the existing mock server as the sideband failure endpoint instead of relying on an OS-level connection refusal from 127.0.0.1:1. Disable retries in this failure-path test so Windows CI does not spend the default retry budget before emitting the expected error/close events. Co-authored-by: Codex <noreply@openai.com>	2026-05-07 14:48:06 -07:00
starr-openai	7d2c8dbec4	Fix agent job worker assignment race Claim job items before spawning workers and allow reports to complete unassigned running items, so fast workers cannot lose stop=true reports before the parent records their thread id. Co-authored-by: Codex <noreply@openai.com>	2026-05-07 14:48:06 -07:00
starr-openai	bfe33e5a7a	Make agent job stop cancellation atomic A worker stop request used to record the item result and job cancellation in separate updates, so the job runner could observe the item completion first and continue spawning pending work. Commit both state updates together and prevent completion from overwriting a final cancellation. Co-authored-by: Codex <noreply@openai.com>	2026-05-07 14:48:05 -07:00