async

2026-02-08 18:03:37 +00:00 · 2025-12-04 13:16:21 -08:00
1162 changed files with 7747 additions and 89800 deletions
--- a/.codespellignore
+++ b/.codespellignore
@@ -1,2 +1 @@
 iTerm
-psuedo
--- a/.github/actions/linux-code-sign/action.yml
+++ b/.github/actions/linux-code-sign/action.yml
@@ -1,44 +0,0 @@
-name: linux-code-sign
-description: Sign Linux artifacts with cosign.
-inputs:
-  target:
-    description: Target triple for the artifacts to sign.
-    required: true
-  artifacts-dir:
-    description: Absolute path to the directory containing built binaries to sign.
-    required: true
-
-runs:
-  using: composite
-  steps:
-    - name: Install cosign
-      uses: sigstore/cosign-installer@v3.7.0
-
-    - name: Cosign Linux artifacts
-      shell: bash
-      env:
-        COSIGN_EXPERIMENTAL: "1"
-        COSIGN_YES: "true"
-        COSIGN_OIDC_CLIENT_ID: "sigstore"
-        COSIGN_OIDC_ISSUER: "https://oauth2.sigstore.dev/auth"
-      run: |
-        set -euo pipefail
-
-        dest="${{ inputs.artifacts-dir }}"
-        if [[ ! -d "$dest" ]]; then
-          echo "Destination $dest does not exist"
-          exit 1
-        fi
-
-        for binary in codex codex-responses-api-proxy; do
-          artifact="${dest}/${binary}"
-          if [[ ! -f "$artifact" ]]; then
-            echo "Binary $artifact not found"
-            exit 1
-          fi
-
-          cosign sign-blob \
-            --yes \
-            --bundle "${artifact}.sigstore" \
-            "$artifact"
-        done
--- a/.github/actions/macos-code-sign/action.yml
+++ b/.github/actions/macos-code-sign/action.yml
@@ -1,212 +0,0 @@
-name: macos-code-sign
-description: Configure, sign, notarize, and clean up macOS code signing artifacts.
-inputs:
-  target:
-    description: Rust compilation target triple (e.g. aarch64-apple-darwin).
-    required: true
-  apple-certificate:
-    description: Base64-encoded Apple signing certificate (P12).
-    required: true
-  apple-certificate-password:
-    description: Password for the signing certificate.
-    required: true
-  apple-notarization-key-p8:
-    description: Base64-encoded Apple notarization key (P8).
-    required: true
-  apple-notarization-key-id:
-    description: Apple notarization key ID.
-    required: true
-  apple-notarization-issuer-id:
-    description: Apple notarization issuer ID.
-    required: true
-runs:
-  using: composite
-  steps:
-    - name: Configure Apple code signing
-      shell: bash
-      env:
-        KEYCHAIN_PASSWORD: actions
-        APPLE_CERTIFICATE: ${{ inputs.apple-certificate }}
-        APPLE_CERTIFICATE_PASSWORD: ${{ inputs.apple-certificate-password }}
-      run: |
-        set -euo pipefail
-
-        if [[ -z "${APPLE_CERTIFICATE:-}" ]]; then
-          echo "APPLE_CERTIFICATE is required for macOS signing"
-          exit 1
-        fi
-
-        if [[ -z "${APPLE_CERTIFICATE_PASSWORD:-}" ]]; then
-          echo "APPLE_CERTIFICATE_PASSWORD is required for macOS signing"
-          exit 1
-        fi
-
-        cert_path="${RUNNER_TEMP}/apple_signing_certificate.p12"
-        echo "$APPLE_CERTIFICATE" | base64 -d > "$cert_path"
-
-        keychain_path="${RUNNER_TEMP}/codex-signing.keychain-db"
-        security create-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
-        security set-keychain-settings -lut 21600 "$keychain_path"
-        security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
-
-        keychain_args=()
-        cleanup_keychain() {
-          if ((${#keychain_args[@]} > 0)); then
-            security list-keychains -s "${keychain_args[@]}" || true
-            security default-keychain -s "${keychain_args[0]}" || true
-          else
-            security list-keychains -s || true
-          fi
-          if [[ -f "$keychain_path" ]]; then
-            security delete-keychain "$keychain_path" || true
-          fi
-        }
-
-        while IFS= read -r keychain; do
-          [[ -n "$keychain" ]] && keychain_args+=("$keychain")
-        done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g')
-
-        if ((${#keychain_args[@]} > 0)); then
-          security list-keychains -s "$keychain_path" "${keychain_args[@]}"
-        else
-          security list-keychains -s "$keychain_path"
-        fi
-
-        security default-keychain -s "$keychain_path"
-        security import "$cert_path" -k "$keychain_path" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
-        security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$keychain_path" > /dev/null
-
-        codesign_hashes=()
-        while IFS= read -r hash; do
-          [[ -n "$hash" ]] && codesign_hashes+=("$hash")
-        done < <(security find-identity -v -p codesigning "$keychain_path" \
-          | sed -n 's/.*\([0-9A-F]\{40\}\).*/\1/p' \
-          | sort -u)
-
-        if ((${#codesign_hashes[@]} == 0)); then
-          echo "No signing identities found in $keychain_path"
-          cleanup_keychain
-          rm -f "$cert_path"
-          exit 1
-        fi
-
-        if ((${#codesign_hashes[@]} > 1)); then
-          echo "Multiple signing identities found in $keychain_path:"
-          printf '  %s\n' "${codesign_hashes[@]}"
-          cleanup_keychain
-          rm -f "$cert_path"
-          exit 1
-        fi
-
-        APPLE_CODESIGN_IDENTITY="${codesign_hashes[0]}"
-
-        rm -f "$cert_path"
-
-        echo "APPLE_CODESIGN_IDENTITY=$APPLE_CODESIGN_IDENTITY" >> "$GITHUB_ENV"
-        echo "APPLE_CODESIGN_KEYCHAIN=$keychain_path" >> "$GITHUB_ENV"
-        echo "::add-mask::$APPLE_CODESIGN_IDENTITY"
-
-    - name: Sign macOS binaries
-      shell: bash
-      run: |
-        set -euo pipefail
-
-        if [[ -z "${APPLE_CODESIGN_IDENTITY:-}" ]]; then
-          echo "APPLE_CODESIGN_IDENTITY is required for macOS signing"
-          exit 1
-        fi
-
-        keychain_args=()
-        if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" && -f "${APPLE_CODESIGN_KEYCHAIN}" ]]; then
-          keychain_args+=(--keychain "${APPLE_CODESIGN_KEYCHAIN}")
-        fi
-
-        for binary in codex codex-responses-api-proxy; do
-          path="codex-rs/target/${{ inputs.target }}/release/${binary}"
-          codesign --force --options runtime --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
-        done
-
-    - name: Notarize macOS binaries
-      shell: bash
-      env:
-        APPLE_NOTARIZATION_KEY_P8: ${{ inputs.apple-notarization-key-p8 }}
-        APPLE_NOTARIZATION_KEY_ID: ${{ inputs.apple-notarization-key-id }}
-        APPLE_NOTARIZATION_ISSUER_ID: ${{ inputs.apple-notarization-issuer-id }}
-      run: |
-        set -euo pipefail
-
-        for var in APPLE_NOTARIZATION_KEY_P8 APPLE_NOTARIZATION_KEY_ID APPLE_NOTARIZATION_ISSUER_ID; do
-          if [[ -z "${!var:-}" ]]; then
-            echo "$var is required for notarization"
-            exit 1
-          fi
-        done
-
-        notary_key_path="${RUNNER_TEMP}/notarytool.key.p8"
-        echo "$APPLE_NOTARIZATION_KEY_P8" | base64 -d > "$notary_key_path"
-        cleanup_notary() {
-          rm -f "$notary_key_path"
-        }
-        trap cleanup_notary EXIT
-
-        notarize_binary() {
-          local binary="$1"
-          local source_path="codex-rs/target/${{ inputs.target }}/release/${binary}"
-          local archive_path="${RUNNER_TEMP}/${binary}.zip"
-
-          if [[ ! -f "$source_path" ]]; then
-            echo "Binary $source_path not found"
-            exit 1
-          fi
-
-          rm -f "$archive_path"
-          ditto -c -k --keepParent "$source_path" "$archive_path"
-
-          submission_json=$(xcrun notarytool submit "$archive_path" \
-            --key "$notary_key_path" \
-            --key-id "$APPLE_NOTARIZATION_KEY_ID" \
-            --issuer "$APPLE_NOTARIZATION_ISSUER_ID" \
-            --output-format json \
-            --wait)
-
-          status=$(printf '%s\n' "$submission_json" | jq -r '.status // "Unknown"')
-          submission_id=$(printf '%s\n' "$submission_json" | jq -r '.id // ""')
-
-          if [[ -z "$submission_id" ]]; then
-            echo "Failed to retrieve submission ID for $binary"
-            exit 1
-          fi
-
-          echo "::notice title=Notarization::$binary submission ${submission_id} completed with status ${status}"
-
-          if [[ "$status" != "Accepted" ]]; then
-            echo "Notarization failed for ${binary} (submission ${submission_id}, status ${status})"
-            exit 1
-          fi
-        }
-
-        notarize_binary "codex"
-        notarize_binary "codex-responses-api-proxy"
-
-    - name: Remove signing keychain
-      if: ${{ always() }}
-      shell: bash
-      env:
-        APPLE_CODESIGN_KEYCHAIN: ${{ env.APPLE_CODESIGN_KEYCHAIN }}
-      run: |
-        set -euo pipefail
-        if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" ]]; then
-          keychain_args=()
-          while IFS= read -r keychain; do
-            [[ "$keychain" == "$APPLE_CODESIGN_KEYCHAIN" ]] && continue
-            [[ -n "$keychain" ]] && keychain_args+=("$keychain")
-          done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g')
-          if ((${#keychain_args[@]} > 0)); then
-            security list-keychains -s "${keychain_args[@]}"
-            security default-keychain -s "${keychain_args[0]}"
-          fi
-
-          if [[ -f "$APPLE_CODESIGN_KEYCHAIN" ]]; then
-            security delete-keychain "$APPLE_CODESIGN_KEYCHAIN"
-          fi
-        fi
--- a/.github/actions/windows-code-sign/action.yml
+++ b/.github/actions/windows-code-sign/action.yml
@@ -1,57 +0,0 @@
-name: windows-code-sign
-description: Sign Windows binaries with Azure Trusted Signing.
-inputs:
-  target:
-    description: Target triple for the artifacts to sign.
-    required: true
-  client-id:
-    description: Azure Trusted Signing client ID.
-    required: true
-  tenant-id:
-    description: Azure tenant ID for Trusted Signing.
-    required: true
-  subscription-id:
-    description: Azure subscription ID for Trusted Signing.
-    required: true
-  endpoint:
-    description: Azure Trusted Signing endpoint.
-    required: true
-  account-name:
-    description: Azure Trusted Signing account name.
-    required: true
-  certificate-profile-name:
-    description: Certificate profile name for signing.
-    required: true
-
-runs:
-  using: composite
-  steps:
-    - name: Azure login for Trusted Signing (OIDC)
-      uses: azure/login@v2
-      with:
-        client-id: ${{ inputs.client-id }}
-        tenant-id: ${{ inputs.tenant-id }}
-        subscription-id: ${{ inputs.subscription-id }}
-
-    - name: Sign Windows binaries with Azure Trusted Signing
-      uses: azure/trusted-signing-action@v0
-      with:
-        endpoint: ${{ inputs.endpoint }}
-        trusted-signing-account-name: ${{ inputs.account-name }}
-        certificate-profile-name: ${{ inputs.certificate-profile-name }}
-        exclude-environment-credential: true
-        exclude-workload-identity-credential: true
-        exclude-managed-identity-credential: true
-        exclude-shared-token-cache-credential: true
-        exclude-visual-studio-credential: true
-        exclude-visual-studio-code-credential: true
-        exclude-azure-cli-credential: false
-        exclude-azure-powershell-credential: true
-        exclude-azure-developer-cli-credential: true
-        exclude-interactive-browser-credential: true
-        cache-dependencies: false
-        files: |
-          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex.exe
-          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-responses-api-proxy.exe
-          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-windows-sandbox-setup.exe
-          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-command-runner.exe
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -20,7 +20,7 @@ jobs:
          run_install: false

      - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 22

@@ -46,7 +46,7 @@ jobs:
          echo "pack_output=$PACK_OUTPUT" >> "$GITHUB_OUTPUT"

      - name: Upload staged npm package artifact
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v5
        with:
          name: codex-npm-staging
          path: ${{ steps.stage_npm_package.outputs.pack_output }}
--- a/.github/workflows/rust-ci.yml
+++ b/.github/workflows/rust-ci.yml
@@ -166,7 +166,7 @@ jobs:
      # avoid caching the large target dir on the gnu-dev job.
      - name: Restore cargo home cache
        id: cache_cargo_home_restore
-        uses: actions/cache/restore@v5
+        uses: actions/cache/restore@v4
        with:
          path: |
            ~/.cargo/bin/
@@ -207,7 +207,7 @@ jobs:
      - name: Restore sccache cache (fallback)
        if: ${{ env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true' }}
        id: cache_sccache_restore
-        uses: actions/cache/restore@v5
+        uses: actions/cache/restore@v4
        with:
          path: ${{ github.workspace }}/.sccache/
          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
@@ -226,7 +226,7 @@ jobs:
      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
        name: Restore APT cache (musl)
        id: cache_apt_restore
-        uses: actions/cache/restore@v5
+        uses: actions/cache/restore@v4
        with:
          path: |
            /var/cache/apt
@@ -280,7 +280,7 @@ jobs:
      - name: Save cargo home cache
        if: always() && !cancelled() && steps.cache_cargo_home_restore.outputs.cache-hit != 'true'
        continue-on-error: true
-        uses: actions/cache/save@v5
+        uses: actions/cache/save@v4
        with:
          path: |
            ~/.cargo/bin/
@@ -292,7 +292,7 @@ jobs:
      - name: Save sccache cache (fallback)
        if: always() && !cancelled() && env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true'
        continue-on-error: true
-        uses: actions/cache/save@v5
+        uses: actions/cache/save@v4
        with:
          path: ${{ github.workspace }}/.sccache/
          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
@@ -317,7 +317,7 @@ jobs:
      - name: Save APT cache (musl)
        if: always() && !cancelled() && (matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl') && steps.cache_apt_restore.outputs.cache-hit != 'true'
        continue-on-error: true
-        uses: actions/cache/save@v5
+        uses: actions/cache/save@v4
        with:
          path: |
            /var/cache/apt
@@ -369,27 +369,6 @@ jobs:

    steps:
      - uses: actions/checkout@v6
-
-      # We have been running out of space when running this job on Linux for
-      # x86_64-unknown-linux-gnu, so remove some unnecessary dependencies.
-      - name: Remove unnecessary dependencies to save space
-        if: ${{ startsWith(matrix.runner, 'ubuntu') }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          sudo rm -rf \
-            /usr/local/lib/android \
-            /usr/share/dotnet \
-            /usr/local/share/boost \
-            /usr/local/lib/node_modules \
-            /opt/ghc
-          sudo apt-get remove -y docker.io docker-compose podman buildah
-
-      # Some integration tests rely on DotSlash being installed.
-      # See https://github.com/openai/codex/pull/7617.
-      - name: Install DotSlash
-        uses: facebook/install-dotslash@v2
-
      - uses: dtolnay/rust-toolchain@1.90
        with:
          targets: ${{ matrix.target }}
@@ -405,7 +384,7 @@ jobs:

      - name: Restore cargo home cache
        id: cache_cargo_home_restore
-        uses: actions/cache/restore@v5
+        uses: actions/cache/restore@v4
        with:
          path: |
            ~/.cargo/bin/
@@ -445,7 +424,7 @@ jobs:
      - name: Restore sccache cache (fallback)
        if: ${{ env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true' }}
        id: cache_sccache_restore
-        uses: actions/cache/restore@v5
+        uses: actions/cache/restore@v4
        with:
          path: ${{ github.workspace }}/.sccache/
          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
@@ -468,7 +447,7 @@ jobs:
      - name: Save cargo home cache
        if: always() && !cancelled() && steps.cache_cargo_home_restore.outputs.cache-hit != 'true'
        continue-on-error: true
-        uses: actions/cache/save@v5
+        uses: actions/cache/save@v4
        with:
          path: |
            ~/.cargo/bin/
@@ -480,7 +459,7 @@ jobs:
      - name: Save sccache cache (fallback)
        if: always() && !cancelled() && env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true'
        continue-on-error: true
-        uses: actions/cache/save@v5
+        uses: actions/cache/save@v4
        with:
          path: ${{ github.workspace }}/.sccache/
          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -50,9 +50,6 @@ jobs:
    name: Build - ${{ matrix.runner }} - ${{ matrix.target }}
    runs-on: ${{ matrix.runner }}
    timeout-minutes: 30
-    permissions:
-      contents: read
-      id-token: write
    defaults:
      run:
        working-directory: codex-rs
@@ -84,7 +81,7 @@ jobs:
        with:
          targets: ${{ matrix.target }}

-      - uses: actions/cache@v5
+      - uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/
@@ -101,43 +98,176 @@ jobs:
          sudo apt-get install -y musl-tools pkg-config

      - name: Cargo build
-        shell: bash
-        run: |
-          if [[ "${{ contains(matrix.target, 'windows') }}" == 'true' ]]; then
-            cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy --bin codex-windows-sandbox-setup --bin codex-command-runner
-          else
-            cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy
-          fi
-
-      - if: ${{ contains(matrix.target, 'linux') }}
-        name: Cosign Linux artifacts
-        uses: ./.github/actions/linux-code-sign
-        with:
-          target: ${{ matrix.target }}
-          artifacts-dir: ${{ github.workspace }}/codex-rs/target/${{ matrix.target }}/release
-
-      - if: ${{ contains(matrix.target, 'windows') }}
-        name: Sign Windows binaries with Azure Trusted Signing
-        uses: ./.github/actions/windows-code-sign
-        with:
-          target: ${{ matrix.target }}
-          client-id: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_ID }}
-          tenant-id: ${{ secrets.AZURE_TRUSTED_SIGNING_TENANT_ID }}
-          subscription-id: ${{ secrets.AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID }}
-          endpoint: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
-          account-name: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
-          certificate-profile-name: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME }}
+        run: cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy

      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
-        name: MacOS code signing
-        uses: ./.github/actions/macos-code-sign
-        with:
-          target: ${{ matrix.target }}
-          apple-certificate: ${{ secrets.APPLE_CERTIFICATE_P12 }}
-          apple-certificate-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
-          apple-notarization-key-p8: ${{ secrets.APPLE_NOTARIZATION_KEY_P8 }}
-          apple-notarization-key-id: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }}
-          apple-notarization-issuer-id: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}
+        name: Configure Apple code signing
+        shell: bash
+        env:
+          KEYCHAIN_PASSWORD: actions
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE_P12 }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+        run: |
+          set -euo pipefail
+
+          if [[ -z "${APPLE_CERTIFICATE:-}" ]]; then
+            echo "APPLE_CERTIFICATE is required for macOS signing"
+            exit 1
+          fi
+
+          if [[ -z "${APPLE_CERTIFICATE_PASSWORD:-}" ]]; then
+            echo "APPLE_CERTIFICATE_PASSWORD is required for macOS signing"
+            exit 1
+          fi
+
+          cert_path="${RUNNER_TEMP}/apple_signing_certificate.p12"
+          echo "$APPLE_CERTIFICATE" | base64 -d > "$cert_path"
+
+          keychain_path="${RUNNER_TEMP}/codex-signing.keychain-db"
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
+          security set-keychain-settings -lut 21600 "$keychain_path"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
+
+          keychain_args=()
+          cleanup_keychain() {
+            if ((${#keychain_args[@]} > 0)); then
+              security list-keychains -s "${keychain_args[@]}" || true
+              security default-keychain -s "${keychain_args[0]}" || true
+            else
+              security list-keychains -s || true
+            fi
+            if [[ -f "$keychain_path" ]]; then
+              security delete-keychain "$keychain_path" || true
+            fi
+          }
+
+          while IFS= read -r keychain; do
+            [[ -n "$keychain" ]] && keychain_args+=("$keychain")
+          done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g')
+
+          if ((${#keychain_args[@]} > 0)); then
+            security list-keychains -s "$keychain_path" "${keychain_args[@]}"
+          else
+            security list-keychains -s "$keychain_path"
+          fi
+
+          security default-keychain -s "$keychain_path"
+          security import "$cert_path" -k "$keychain_path" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
+          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$keychain_path" > /dev/null
+
+          codesign_hashes=()
+          while IFS= read -r hash; do
+            [[ -n "$hash" ]] && codesign_hashes+=("$hash")
+          done < <(security find-identity -v -p codesigning "$keychain_path" \
+            | sed -n 's/.*\([0-9A-F]\{40\}\).*/\1/p' \
+            | sort -u)
+
+          if ((${#codesign_hashes[@]} == 0)); then
+            echo "No signing identities found in $keychain_path"
+            cleanup_keychain
+            rm -f "$cert_path"
+            exit 1
+          fi
+
+          if ((${#codesign_hashes[@]} > 1)); then
+            echo "Multiple signing identities found in $keychain_path:"
+            printf '  %s\n' "${codesign_hashes[@]}"
+            cleanup_keychain
+            rm -f "$cert_path"
+            exit 1
+          fi
+
+          APPLE_CODESIGN_IDENTITY="${codesign_hashes[0]}"
+
+          rm -f "$cert_path"
+
+          echo "APPLE_CODESIGN_IDENTITY=$APPLE_CODESIGN_IDENTITY" >> "$GITHUB_ENV"
+          echo "APPLE_CODESIGN_KEYCHAIN=$keychain_path" >> "$GITHUB_ENV"
+          echo "::add-mask::$APPLE_CODESIGN_IDENTITY"
+
+      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
+        name: Sign macOS binaries
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          if [[ -z "${APPLE_CODESIGN_IDENTITY:-}" ]]; then
+            echo "APPLE_CODESIGN_IDENTITY is required for macOS signing"
+            exit 1
+          fi
+
+          keychain_args=()
+          if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" && -f "${APPLE_CODESIGN_KEYCHAIN}" ]]; then
+            keychain_args+=(--keychain "${APPLE_CODESIGN_KEYCHAIN}")
+          fi
+
+          for binary in codex codex-responses-api-proxy; do
+            path="target/${{ matrix.target }}/release/${binary}"
+            codesign --force --options runtime --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
+          done
+
+      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
+        name: Notarize macOS binaries
+        shell: bash
+        env:
+          APPLE_NOTARIZATION_KEY_P8: ${{ secrets.APPLE_NOTARIZATION_KEY_P8 }}
+          APPLE_NOTARIZATION_KEY_ID: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }}
+          APPLE_NOTARIZATION_ISSUER_ID: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}
+        run: |
+          set -euo pipefail
+
+          for var in APPLE_NOTARIZATION_KEY_P8 APPLE_NOTARIZATION_KEY_ID APPLE_NOTARIZATION_ISSUER_ID; do
+            if [[ -z "${!var:-}" ]]; then
+              echo "$var is required for notarization"
+              exit 1
+            fi
+          done
+
+          notary_key_path="${RUNNER_TEMP}/notarytool.key.p8"
+          echo "$APPLE_NOTARIZATION_KEY_P8" | base64 -d > "$notary_key_path"
+          cleanup_notary() {
+            rm -f "$notary_key_path"
+          }
+          trap cleanup_notary EXIT
+
+          notarize_binary() {
+            local binary="$1"
+            local source_path="target/${{ matrix.target }}/release/${binary}"
+            local archive_path="${RUNNER_TEMP}/${binary}.zip"
+
+            if [[ ! -f "$source_path" ]]; then
+              echo "Binary $source_path not found"
+              exit 1
+            fi
+
+            rm -f "$archive_path"
+            ditto -c -k --keepParent "$source_path" "$archive_path"
+
+            submission_json=$(xcrun notarytool submit "$archive_path" \
+              --key "$notary_key_path" \
+              --key-id "$APPLE_NOTARIZATION_KEY_ID" \
+              --issuer "$APPLE_NOTARIZATION_ISSUER_ID" \
+              --output-format json \
+              --wait)
+
+            status=$(printf '%s\n' "$submission_json" | jq -r '.status // "Unknown"')
+            submission_id=$(printf '%s\n' "$submission_json" | jq -r '.id // ""')
+
+            if [[ -z "$submission_id" ]]; then
+              echo "Failed to retrieve submission ID for $binary"
+              exit 1
+            fi
+
+            echo "::notice title=Notarization::$binary submission ${submission_id} completed with status ${status}"
+
+            if [[ "$status" != "Accepted" ]]; then
+              echo "Notarization failed for ${binary} (submission ${submission_id}, status ${status})"
+              exit 1
+            fi
+          }
+
+          notarize_binary "codex"
+          notarize_binary "codex-responses-api-proxy"

      - name: Stage artifacts
        shell: bash
@@ -148,18 +278,11 @@ jobs:
          if [[ "${{ matrix.runner }}" == windows* ]]; then
            cp target/${{ matrix.target }}/release/codex.exe "$dest/codex-${{ matrix.target }}.exe"
            cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$dest/codex-responses-api-proxy-${{ matrix.target }}.exe"
-            cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
-            cp target/${{ matrix.target }}/release/codex-command-runner.exe "$dest/codex-command-runner-${{ matrix.target }}.exe"
          else
            cp target/${{ matrix.target }}/release/codex "$dest/codex-${{ matrix.target }}"
            cp target/${{ matrix.target }}/release/codex-responses-api-proxy "$dest/codex-responses-api-proxy-${{ matrix.target }}"
          fi

-          if [[ "${{ matrix.target }}" == *linux* ]]; then
-            cp target/${{ matrix.target }}/release/codex.sigstore "$dest/codex-${{ matrix.target }}.sigstore"
-            cp target/${{ matrix.target }}/release/codex-responses-api-proxy.sigstore "$dest/codex-responses-api-proxy-${{ matrix.target }}.sigstore"
-          fi
-
      - if: ${{ matrix.runner == 'windows-11-arm' }}
        name: Install zstd
        shell: powershell
@@ -198,11 +321,6 @@ jobs:
              continue
            fi

-            # Don't try to compress signature bundles.
-            if [[ "$base" == *.sigstore ]]; then
-              continue
-            fi
-
            # Create per-binary tar.gz
            tar -C "$dest" -czf "$dest/${base}.tar.gz" "$base"

@@ -222,7 +340,30 @@ jobs:
            zstd "${zstd_args[@]}" "$dest/$base"
          done

-      - uses: actions/upload-artifact@v6
+      - name: Remove signing keychain
+        if: ${{ always() && matrix.runner == 'macos-15-xlarge' }}
+        shell: bash
+        env:
+          APPLE_CODESIGN_KEYCHAIN: ${{ env.APPLE_CODESIGN_KEYCHAIN }}
+        run: |
+          set -euo pipefail
+          if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" ]]; then
+            keychain_args=()
+            while IFS= read -r keychain; do
+              [[ "$keychain" == "$APPLE_CODESIGN_KEYCHAIN" ]] && continue
+              [[ -n "$keychain" ]] && keychain_args+=("$keychain")
+            done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g')
+            if ((${#keychain_args[@]} > 0)); then
+              security list-keychains -s "${keychain_args[@]}"
+              security default-keychain -s "${keychain_args[0]}"
+            fi
+
+            if [[ -f "$APPLE_CODESIGN_KEYCHAIN" ]]; then
+              security delete-keychain "$APPLE_CODESIGN_KEYCHAIN"
+            fi
+          fi
+
+      - uses: actions/upload-artifact@v5
        with:
          name: ${{ matrix.target }}
          # Upload the per-binary .zst files as well as the new .tar.gz
@@ -258,7 +399,7 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@v6

-      - uses: actions/download-artifact@v7
+      - uses: actions/download-artifact@v4
        with:
          path: dist

@@ -306,7 +447,7 @@ jobs:
          run_install: false

      - name: Setup Node.js for npm packaging
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 22

@@ -357,7 +498,7 @@ jobs:

    steps:
      - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 22
          registry-url: "https://registry.npmjs.org"
--- a/.github/workflows/sdk.yml
+++ b/.github/workflows/sdk.yml
@@ -19,7 +19,7 @@ jobs:
          run_install: false

      - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: 22
          cache: pnpm
--- a/.github/workflows/shell-tool-mcp-ci.yml
+++ b/.github/workflows/shell-tool-mcp-ci.yml
@@ -30,7 +30,7 @@ jobs:
          run_install: false

      - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: "pnpm"
--- a/.github/workflows/shell-tool-mcp.yml
+++ b/.github/workflows/shell-tool-mcp.yml
@@ -113,7 +113,7 @@ jobs:
          cp "target/${{ matrix.target }}/release/codex-exec-mcp-server" "$dest/"
          cp "target/${{ matrix.target }}/release/codex-execve-wrapper" "$dest/"

-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@v5
        with:
          name: shell-tool-mcp-rust-${{ matrix.target }}
          path: artifacts/**
@@ -211,7 +211,7 @@ jobs:
          mkdir -p "$dest"
          cp bash "$dest/bash"

-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@v5
        with:
          name: shell-tool-mcp-bash-${{ matrix.target }}-${{ matrix.variant }}
          path: artifacts/**
@@ -253,7 +253,7 @@ jobs:
          mkdir -p "$dest"
          cp bash "$dest/bash"

-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@v5
        with:
          name: shell-tool-mcp-bash-${{ matrix.target }}-${{ matrix.variant }}
          path: artifacts/**
@@ -280,7 +280,7 @@ jobs:
          run_install: false

      - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: ${{ env.NODE_VERSION }}

@@ -291,7 +291,7 @@ jobs:
        run: pnpm --filter @openai/codex-shell-tool-mcp run build

      - name: Download build artifacts
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v4
        with:
          path: artifacts

@@ -352,7 +352,7 @@ jobs:
          filename=$(PACK_INFO="$pack_info" node -e 'const data = JSON.parse(process.env.PACK_INFO); console.log(data[0].filename);')
          mv "dist/npm/${filename}" "dist/npm/codex-shell-tool-mcp-npm-${PACKAGE_VERSION}.tgz"

-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@v5
        with:
          name: codex-shell-tool-mcp-npm
          path: dist/npm/codex-shell-tool-mcp-npm-${{ env.PACKAGE_VERSION }}.tgz
@@ -376,7 +376,7 @@ jobs:
          run_install: false

      - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
        with:
          node-version: ${{ env.NODE_VERSION }}
          registry-url: https://registry.npmjs.org
@@ -386,7 +386,7 @@ jobs:
        run: npm install -g npm@latest

      - name: Download npm tarball
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v4
        with:
          name: codex-shell-tool-mcp-npm
          path: dist/npm
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -11,8 +11,10 @@ In the codex-rs folder where the rust code lives:
 - Always collapse if statements per https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_if
 - Always inline format! args when possible per https://rust-lang.github.io/rust-clippy/master/index.html#uninlined_format_args
 - Use method references over closures when possible per https://rust-lang.github.io/rust-clippy/master/index.html#redundant_closure_for_method_calls
+- Do not use unsigned integer even if the number cannot be negative.
 - When writing tests, prefer comparing the equality of entire objects over fields one by one.
 - When making a change that adds or changes an API, ensure that the documentation in the `docs/` folder is up to date if applicable.
+- Always prefer async functions when possible.

 Run `just fmt` (in `codex-rs` directory) automatically after making Rust code changes; do not ask for approval to run it. Before finalizing a change to `codex-rs`, run `just fix -p <project>` (in `codex-rs` directory) to fix any linter issues in the code. Prefer scoping with `-p` to avoid slow workspace‑wide Clippy builds; only run `just fix` without `-p` if you changed shared crates. Additionally, run the tests:

@@ -74,7 +76,6 @@ If you don’t have the tool:
 ### Test assertions

 - Tests should use pretty_assertions::assert_eq for clearer diffs. Import this at the top of the test module if it isn't already.
- Prefer deep equals comparisons whenever possible. Perform `assert_eq!()` on entire objects, rather than individual fields.

 ### Integration tests (core)

--- a/codex-cli/bin/codex.js
+++ b/codex-cli/bin/codex.js
@@ -95,14 +95,6 @@ function detectPackageManager() {
    return "bun";
  }

-
-  if (
-    __dirname.includes(".bun/install/global") ||
-    __dirname.includes(".bun\\install\\global")
-  ) {
-    return "bun";
-  }
-
  return userAgent ? "npm" : null;
 }

--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -34,8 +34,6 @@ members = [
    "stdio-to-uds",
    "otel",
    "tui",
-    "tui2",
-    "utils/absolute-path",
    "utils/git",
    "utils/cache",
    "utils/image",
@@ -90,8 +88,6 @@ codex-responses-api-proxy = { path = "responses-api-proxy" }
 codex-rmcp-client = { path = "rmcp-client" }
 codex-stdio-to-uds = { path = "stdio-to-uds" }
 codex-tui = { path = "tui" }
-codex-tui2 = { path = "tui2" }
-codex-utils-absolute-path = { path = "utils/absolute-path" }
 codex-utils-cache = { path = "utils/cache" }
 codex-utils-image = { path = "utils/image" }
 codex-utils-json-to-toml = { path = "utils/json-to-toml" }
@@ -100,7 +96,6 @@ codex-utils-readiness = { path = "utils/readiness" }
 codex-utils-string = { path = "utils/string" }
 codex-windows-sandbox = { path = "windows-sandbox-rs" }
 core_test_support = { path = "core/tests/common" }
-exec_server_test_support = { path = "exec-server/tests/common" }
 mcp-types = { path = "mcp-types" }
 mcp_test_support = { path = "mcp-server/tests/common" }

@@ -109,6 +104,7 @@ allocative = "0.3.3"
 ansi-to-tui = "7.0.0"
 anyhow = "1"
 arboard = { version = "3", features = ["wayland-data-control"] }
+askama = "0.14"
 assert_cmd = "2"
 assert_matches = "1.5.0"
 async-channel = "2.3.1"
@@ -142,14 +138,14 @@ icu_provider = { version = "2.1", features = ["sync"] }
 ignore = "0.4.23"
 image = { version = "^0.25.9", default-features = false }
 indexmap = "2.12.0"
-insta = "1.44.3"
+insta = "1.43.2"
 itertools = "0.14.0"
 keyring = { version = "3.6", default-features = false }
 landlock = "0.4.1"
 lazy_static = "1"
 libc = "0.2.177"
 log = "0.4"
-lru = "0.16.2"
+lru = "0.12.5"
 maplit = "1.0.2"
 mime_guess = "2.0.5"
 multimap = "0.10.0"
@@ -162,7 +158,6 @@ opentelemetry-appender-tracing = "0.30.0"
 opentelemetry-otlp = "0.30.0"
 opentelemetry-semantic-conventions = "0.30.0"
 opentelemetry_sdk = "0.30.0"
-tracing-opentelemetry = "0.31.0"
 os_info = "3.12.0"
 owo-colors = "4.2.0"
 path-absolutize = "3.1.1"
@@ -180,17 +175,17 @@ reqwest = "0.12"
 rmcp = { version = "0.10.0", default-features = false }
 schemars = "0.8.22"
 seccompiler = "0.5.0"
-sentry = "0.46.0"
+sentry = "0.34.0"
 serde = "1"
 serde_json = "1"
-serde_with = "3.16"
 serde_yaml = "0.9"
+serde_with = "3.16"
 serial_test = "3.2.0"
 sha1 = "0.10.6"
 sha2 = "0.10"
 shlex = "1.3.0"
 similar = "2.7.0"
-socket2 = "0.6.1"
+socket2 = "0.6.0"
 starlark = "0.13.0"
 strum = "0.27.2"
 strum_macros = "0.27.2"
@@ -227,7 +222,7 @@ vt100 = "0.16.2"
 walkdir = "2.5.0"
 webbrowser = "1.0"
 which = "6"
-wildmatch = "2.6.1"
+wildmatch = "2.5.0"

 wiremock = "0.6"
 zeroize = "1.8.2"
--- a/codex-rs/README.md
+++ b/codex-rs/README.md
@@ -46,7 +46,7 @@ Use `codex mcp` to add/list/get/remove MCP server launchers defined in `config.t

 ### Notifications

-You can enable notifications by configuring a script that is run whenever the agent finishes a turn. The [notify documentation](../docs/config.md#notify) includes a detailed example that explains how to get desktop notifications via [terminal-notifier](https://github.com/julienXX/terminal-notifier) on macOS. When Codex detects that it is running under WSL 2 inside Windows Terminal (`WT_SESSION` is set), the TUI automatically falls back to native Windows toast notifications so approval prompts and completed turns surface even though Windows Terminal does not implement OSC 9.
+You can enable notifications by configuring a script that is run whenever the agent finishes a turn. The [notify documentation](../docs/config.md#notify) includes a detailed example that explains how to get desktop notifications via [terminal-notifier](https://github.com/julienXX/terminal-notifier) on macOS.

 ### `codex exec` to run Codex programmatically/non-interactively

--- a/codex-rs/app-server-protocol/Cargo.toml
+++ b/codex-rs/app-server-protocol/Cargo.toml
@@ -15,7 +15,6 @@ workspace = true
 anyhow = { workspace = true }
 clap = { workspace = true, features = ["derive"] }
 codex-protocol = { workspace = true }
-codex-utils-absolute-path = { workspace = true }
 mcp-types = { workspace = true }
 schemars = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
--- a/codex-rs/app-server-protocol/src/export.rs
+++ b/codex-rs/app-server-protocol/src/export.rs
@@ -31,7 +31,6 @@ use std::process::Command;
 use ts_rs::TS;

 const HEADER: &str = "// GENERATED CODE! DO NOT MODIFY BY HAND!\n\n";
-const IGNORED_DEFINITIONS: &[&str] = &["Option<()>"];

 #[derive(Clone)]
 pub struct GeneratedSchema {
@@ -185,6 +184,7 @@ fn build_schema_bundle(schemas: Vec<GeneratedSchema>) -> Result<Value> {
        "ServerNotification",
        "ServerRequest",
    ];
+    const IGNORED_DEFINITIONS: &[&str] = &["Option<()>"];

    let namespaced_types = collect_namespaced_types(&schemas);
    let mut definitions = Map::new();
@@ -304,11 +304,8 @@ where
        out_dir.join(format!("{file_stem}.json"))
    };

-    if !IGNORED_DEFINITIONS.contains(&logical_name) {
-        write_pretty_json(out_path, &schema_value)
-            .with_context(|| format!("Failed to write JSON schema for {file_stem}"))?;
-    }
-
+    write_pretty_json(out_path, &schema_value)
+        .with_context(|| format!("Failed to write JSON schema for {file_stem}"))?;
    let namespace = match raw_namespace {
        Some("v1") | None => None,
        Some(ns) => Some(ns.to_string()),
--- a/codex-rs/app-server-protocol/src/protocol/common.rs
+++ b/codex-rs/app-server-protocol/src/protocol/common.rs
@@ -117,9 +117,9 @@ client_request_definitions! {
        params: v2::ThreadListParams,
        response: v2::ThreadListResponse,
    },
-    SkillsList => "skills/list" {
-        params: v2::SkillsListParams,
-        response: v2::SkillsListResponse,
+    ThreadCompact => "thread/compact" {
+        params: v2::ThreadCompactParams,
+        response: v2::ThreadCompactResponse,
    },
    TurnStart => "turn/start" {
        params: v2::TurnStartParams,
@@ -139,11 +139,6 @@ client_request_definitions! {
        response: v2::ModelListResponse,
    },

-    McpServerOauthLogin => "mcpServer/oauth/login" {
-        params: v2::McpServerOauthLoginParams,
-        response: v2::McpServerOauthLoginResponse,
-    },
-
    McpServersList => "mcpServers/list" {
        params: v2::ListMcpServersParams,
        response: v2::ListMcpServersResponse,
@@ -527,12 +522,9 @@ server_notification_definitions! {
    ItemCompleted => "item/completed" (v2::ItemCompletedNotification),
    AgentMessageDelta => "item/agentMessage/delta" (v2::AgentMessageDeltaNotification),
    CommandExecutionOutputDelta => "item/commandExecution/outputDelta" (v2::CommandExecutionOutputDeltaNotification),
-    TerminalInteraction => "item/commandExecution/terminalInteraction" (v2::TerminalInteractionNotification),
    FileChangeOutputDelta => "item/fileChange/outputDelta" (v2::FileChangeOutputDeltaNotification),
    McpToolCallProgress => "item/mcpToolCall/progress" (v2::McpToolCallProgressNotification),
-    McpServerOauthLoginCompleted => "mcpServer/oauthLogin/completed" (v2::McpServerOauthLoginCompletedNotification),
    AccountUpdated => "account/updated" (v2::AccountUpdatedNotification),
-    ModelPresetsUpdated => "model/presets/updated" (v2::ModelPresetsUpdatedNotification),
    AccountRateLimitsUpdated => "account/rateLimits/updated" (v2::AccountRateLimitsUpdatedNotification),
    ReasoningSummaryTextDelta => "item/reasoning/summaryTextDelta" (v2::ReasoningSummaryTextDeltaNotification),
    ReasoningSummaryPartAdded => "item/reasoning/summaryPartAdded" (v2::ReasoningSummaryPartAddedNotification),
@@ -655,6 +647,7 @@ mod tests {
            command: vec!["echo".to_string(), "hello".to_string()],
            cwd: PathBuf::from("/tmp"),
            reason: Some("because tests".to_string()),
+            risk: None,
            parsed_cmd: vec![ParsedCommand::Unknown {
                cmd: "echo hello".to_string(),
            }],
@@ -674,6 +667,7 @@ mod tests {
                    "command": ["echo", "hello"],
                    "cwd": "/tmp",
                    "reason": "because tests",
+                    "risk": null,
                    "parsedCmd": [
                        {
                            "type": "unknown",
--- a/codex-rs/app-server-protocol/src/protocol/v1.rs
+++ b/codex-rs/app-server-protocol/src/protocol/v1.rs
@@ -13,10 +13,10 @@ use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::FileChange;
 use codex_protocol::protocol::ReviewDecision;
+use codex_protocol::protocol::SandboxCommandAssessment;
 use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::SessionSource;
 use codex_protocol::protocol::TurnAbortReason;
-use codex_utils_absolute_path::AbsolutePathBuf;
 use schemars::JsonSchema;
 use serde::Deserialize;
 use serde::Serialize;
@@ -226,6 +226,7 @@ pub struct ExecCommandApprovalParams {
    pub command: Vec<String>,
    pub cwd: PathBuf,
    pub reason: Option<String>,
+    pub risk: Option<SandboxCommandAssessment>,
    pub parsed_cmd: Vec<ParsedCommand>,
 }

@@ -360,7 +361,7 @@ pub struct Tools {
 #[serde(rename_all = "camelCase")]
 pub struct SandboxSettings {
    #[serde(default)]
-    pub writable_roots: Vec<AbsolutePathBuf>,
+    pub writable_roots: Vec<PathBuf>,
    pub network_access: Option<bool>,
    pub exclude_tmpdir_env_var: Option<bool>,
    pub exclude_slash_tmp: Option<bool>,
--- a/codex-rs/app-server-protocol/src/protocol/v2.rs
+++ b/codex-rs/app-server-protocol/src/protocol/v2.rs
@@ -3,11 +3,8 @@ use std::path::PathBuf;

 use crate::protocol::common::AuthMode;
 use codex_protocol::account::PlanType;
-use codex_protocol::approvals::ExecPolicyAmendment as CoreExecPolicyAmendment;
-use codex_protocol::config_types::ForcedLoginMethod;
+use codex_protocol::approvals::SandboxCommandAssessment as CoreSandboxCommandAssessment;
 use codex_protocol::config_types::ReasoningSummary;
-use codex_protocol::config_types::SandboxMode as CoreSandboxMode;
-use codex_protocol::config_types::Verbosity;
 use codex_protocol::items::AgentMessageContent as CoreAgentMessageContent;
 use codex_protocol::items::TurnItem as CoreTurnItem;
 use codex_protocol::models::ResponseItem;
@@ -15,19 +12,14 @@ use codex_protocol::openai_models::ReasoningEffort;
 use codex_protocol::parse_command::ParsedCommand as CoreParsedCommand;
 use codex_protocol::plan_tool::PlanItemArg as CorePlanItemArg;
 use codex_protocol::plan_tool::StepStatus as CorePlanStepStatus;
-use codex_protocol::protocol::AskForApproval as CoreAskForApproval;
 use codex_protocol::protocol::CodexErrorInfo as CoreCodexErrorInfo;
 use codex_protocol::protocol::CreditsSnapshot as CoreCreditsSnapshot;
 use codex_protocol::protocol::RateLimitSnapshot as CoreRateLimitSnapshot;
 use codex_protocol::protocol::RateLimitWindow as CoreRateLimitWindow;
 use codex_protocol::protocol::SessionSource as CoreSessionSource;
-use codex_protocol::protocol::SkillErrorInfo as CoreSkillErrorInfo;
-use codex_protocol::protocol::SkillMetadata as CoreSkillMetadata;
-use codex_protocol::protocol::SkillScope as CoreSkillScope;
 use codex_protocol::protocol::TokenUsage as CoreTokenUsage;
 use codex_protocol::protocol::TokenUsageInfo as CoreTokenUsageInfo;
 use codex_protocol::user_input::UserInput as CoreUserInput;
-use codex_utils_absolute_path::AbsolutePathBuf;
 use mcp_types::ContentBlock as McpContentBlock;
 use mcp_types::Resource as McpResource;
 use mcp_types::ResourceTemplate as McpResourceTemplate;
@@ -130,68 +122,17 @@ impl From<CoreCodexErrorInfo> for CodexErrorInfo {
    }
 }

-#[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, JsonSchema, TS)]
-#[serde(rename_all = "kebab-case")]
-#[ts(rename_all = "kebab-case", export_to = "v2/")]
-pub enum AskForApproval {
-    #[serde(rename = "untrusted")]
-    #[ts(rename = "untrusted")]
-    UnlessTrusted,
-    OnFailure,
-    OnRequest,
-    Never,
-}
-
-impl AskForApproval {
-    pub fn to_core(self) -> CoreAskForApproval {
-        match self {
-            AskForApproval::UnlessTrusted => CoreAskForApproval::UnlessTrusted,
-            AskForApproval::OnFailure => CoreAskForApproval::OnFailure,
-            AskForApproval::OnRequest => CoreAskForApproval::OnRequest,
-            AskForApproval::Never => CoreAskForApproval::Never,
-        }
+v2_enum_from_core!(
+    pub enum AskForApproval from codex_protocol::protocol::AskForApproval {
+        UnlessTrusted, OnFailure, OnRequest, Never
    }
-}
+);

-impl From<CoreAskForApproval> for AskForApproval {
-    fn from(value: CoreAskForApproval) -> Self {
-        match value {
-            CoreAskForApproval::UnlessTrusted => AskForApproval::UnlessTrusted,
-            CoreAskForApproval::OnFailure => AskForApproval::OnFailure,
-            CoreAskForApproval::OnRequest => AskForApproval::OnRequest,
-            CoreAskForApproval::Never => AskForApproval::Never,
-        }
+v2_enum_from_core!(
+    pub enum SandboxMode from codex_protocol::config_types::SandboxMode {
+        ReadOnly, WorkspaceWrite, DangerFullAccess
    }
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, JsonSchema, TS)]
-#[serde(rename_all = "kebab-case")]
-#[ts(rename_all = "kebab-case", export_to = "v2/")]
-pub enum SandboxMode {
-    ReadOnly,
-    WorkspaceWrite,
-    DangerFullAccess,
-}
-
-impl SandboxMode {
-    pub fn to_core(self) -> CoreSandboxMode {
-        match self {
-            SandboxMode::ReadOnly => CoreSandboxMode::ReadOnly,
-            SandboxMode::WorkspaceWrite => CoreSandboxMode::WorkspaceWrite,
-            SandboxMode::DangerFullAccess => CoreSandboxMode::DangerFullAccess,
-        }
-    }
-}
-
-impl From<CoreSandboxMode> for SandboxMode {
-    fn from(value: CoreSandboxMode) -> Self {
-        match value {
-            CoreSandboxMode::ReadOnly => SandboxMode::ReadOnly,
-            CoreSandboxMode::WorkspaceWrite => SandboxMode::WorkspaceWrite,
-            CoreSandboxMode::DangerFullAccess => SandboxMode::DangerFullAccess,
-        }
-    }
-}
+);

 v2_enum_from_core!(
    pub enum ReviewDelivery from codex_protocol::protocol::ReviewDelivery {
@@ -218,72 +159,6 @@ pub enum ConfigLayerName {
    User,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
-#[serde(rename_all = "snake_case")]
-#[ts(export_to = "v2/")]
-pub struct SandboxWorkspaceWrite {
-    #[serde(default)]
-    pub writable_roots: Vec<PathBuf>,
-    #[serde(default)]
-    pub network_access: bool,
-    #[serde(default)]
-    pub exclude_tmpdir_env_var: bool,
-    #[serde(default)]
-    pub exclude_slash_tmp: bool,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "snake_case")]
-#[ts(export_to = "v2/")]
-pub struct ToolsV2 {
-    #[serde(alias = "web_search_request")]
-    pub web_search: Option<bool>,
-    pub view_image: Option<bool>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "snake_case")]
-#[ts(export_to = "v2/")]
-pub struct ProfileV2 {
-    pub model: Option<String>,
-    pub model_provider: Option<String>,
-    pub approval_policy: Option<AskForApproval>,
-    pub model_reasoning_effort: Option<ReasoningEffort>,
-    pub model_reasoning_summary: Option<ReasoningSummary>,
-    pub model_verbosity: Option<Verbosity>,
-    pub chatgpt_base_url: Option<String>,
-    #[serde(default, flatten)]
-    pub additional: HashMap<String, JsonValue>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "snake_case")]
-#[ts(export_to = "v2/")]
-pub struct Config {
-    pub model: Option<String>,
-    pub review_model: Option<String>,
-    pub model_context_window: Option<i64>,
-    pub model_auto_compact_token_limit: Option<i64>,
-    pub model_provider: Option<String>,
-    pub approval_policy: Option<AskForApproval>,
-    pub sandbox_mode: Option<SandboxMode>,
-    pub sandbox_workspace_write: Option<SandboxWorkspaceWrite>,
-    pub forced_chatgpt_workspace_id: Option<String>,
-    pub forced_login_method: Option<ForcedLoginMethod>,
-    pub tools: Option<ToolsV2>,
-    pub profile: Option<String>,
-    #[serde(default)]
-    pub profiles: HashMap<String, ProfileV2>,
-    pub instructions: Option<String>,
-    pub developer_instructions: Option<String>,
-    pub compact_prompt: Option<String>,
-    pub model_reasoning_effort: Option<ReasoningEffort>,
-    pub model_reasoning_summary: Option<ReasoningSummary>,
-    pub model_verbosity: Option<Verbosity>,
-    #[serde(default, flatten)]
-    pub additional: HashMap<String, JsonValue>,
-}
-
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -362,7 +237,7 @@ pub struct ConfigReadParams {
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
 pub struct ConfigReadResponse {
-    pub config: Config,
+    pub config: JsonValue,
    pub origins: HashMap<String, ConfigLayerMetadata>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub layers: Option<Vec<ConfigLayer>>,
@@ -399,16 +274,19 @@ pub struct ConfigEdit {
    pub merge_strategy: MergeStrategy,
 }

+v2_enum_from_core!(
+    pub enum CommandRiskLevel from codex_protocol::approvals::SandboxRiskLevel {
+        Low,
+        Medium,
+        High
+    }
+);
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
 pub enum ApprovalDecision {
    Accept,
-    /// Approve and remember the approval for the session.
-    AcceptForSession,
-    AcceptWithExecpolicyAmendment {
-        execpolicy_amendment: ExecPolicyAmendment,
-    },
    Decline,
    Cancel,
 }
@@ -424,7 +302,7 @@ pub enum SandboxPolicy {
    #[ts(rename_all = "camelCase")]
    WorkspaceWrite {
        #[serde(default)]
-        writable_roots: Vec<AbsolutePathBuf>,
+        writable_roots: Vec<PathBuf>,
        #[serde(default)]
        network_access: bool,
        #[serde(default)]
@@ -478,23 +356,28 @@ impl From<codex_protocol::protocol::SandboxPolicy> for SandboxPolicy {
    }
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
-#[serde(transparent)]
-#[ts(type = "Array<string>", export_to = "v2/")]
-pub struct ExecPolicyAmendment {
-    pub command: Vec<String>,
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct SandboxCommandAssessment {
+    pub description: String,
+    pub risk_level: CommandRiskLevel,
 }

-impl ExecPolicyAmendment {
-    pub fn into_core(self) -> CoreExecPolicyAmendment {
-        CoreExecPolicyAmendment::new(self.command)
+impl SandboxCommandAssessment {
+    pub fn into_core(self) -> CoreSandboxCommandAssessment {
+        CoreSandboxCommandAssessment {
+            description: self.description,
+            risk_level: self.risk_level.to_core(),
+        }
    }
 }

-impl From<CoreExecPolicyAmendment> for ExecPolicyAmendment {
-    fn from(value: CoreExecPolicyAmendment) -> Self {
+impl From<CoreSandboxCommandAssessment> for SandboxCommandAssessment {
+    fn from(value: CoreSandboxCommandAssessment) -> Self {
        Self {
-            command: value.command().to_vec(),
+            description: value.description,
+            risk_level: CommandRiskLevel::from(value.risk_level),
        }
    }
 }
@@ -672,21 +555,10 @@ pub struct CancelLoginAccountParams {
    pub login_id: String,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub enum CancelLoginAccountStatus {
-    Canceled,
-    NotFound,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
-pub struct CancelLoginAccountResponse {
-    pub status: CancelLoginAccountStatus,
-}
+pub struct CancelLoginAccountResponse {}

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
@@ -751,7 +623,12 @@ pub struct ReasoningEffortOption {
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
-pub struct ModelListResponse {}
+pub struct ModelListResponse {
+    pub data: Vec<Model>,
+    /// Opaque cursor to pass to the next call to continue after the last item.
+    /// If None, there are no more items to return.
+    pub next_cursor: Option<String>,
+}

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
@@ -784,26 +661,6 @@ pub struct ListMcpServersResponse {
    pub next_cursor: Option<String>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct McpServerOauthLoginParams {
-    pub name: String,
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    #[ts(optional)]
-    pub scopes: Option<Vec<String>>,
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    #[ts(optional)]
-    pub timeout_secs: Option<i64>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct McpServerOauthLoginResponse {
-    pub authorization_url: String,
-}
-
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -956,83 +813,14 @@ pub struct ThreadListResponse {
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
-pub struct SkillsListParams {
-    /// When empty, defaults to the current session working directory.
-    #[serde(default, skip_serializing_if = "Vec::is_empty")]
-    pub cwds: Vec<PathBuf>,
+pub struct ThreadCompactParams {
+    pub thread_id: String,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
-pub struct SkillsListResponse {
-    pub data: Vec<SkillsListEntry>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, JsonSchema, TS)]
-#[serde(rename_all = "snake_case")]
-#[ts(rename_all = "snake_case")]
-#[ts(export_to = "v2/")]
-pub enum SkillScope {
-    User,
-    Repo,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct SkillMetadata {
-    pub name: String,
-    pub description: String,
-    pub path: PathBuf,
-    pub scope: SkillScope,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct SkillErrorInfo {
-    pub path: PathBuf,
-    pub message: String,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct SkillsListEntry {
-    pub cwd: PathBuf,
-    pub skills: Vec<SkillMetadata>,
-    pub errors: Vec<SkillErrorInfo>,
-}
-
-impl From<CoreSkillMetadata> for SkillMetadata {
-    fn from(value: CoreSkillMetadata) -> Self {
-        Self {
-            name: value.name,
-            description: value.description,
-            path: value.path,
-            scope: value.scope.into(),
-        }
-    }
-}
-
-impl From<CoreSkillScope> for SkillScope {
-    fn from(value: CoreSkillScope) -> Self {
-        match value {
-            CoreSkillScope::User => Self::User,
-            CoreSkillScope::Repo => Self::Repo,
-        }
-    }
-}
-
-impl From<CoreSkillErrorInfo> for SkillErrorInfo {
-    fn from(value: CoreSkillErrorInfo) -> Self {
-        Self {
-            path: value.path,
-            message: value.message,
-        }
-    }
-}
+pub struct ThreadCompactResponse {}

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
@@ -1069,13 +857,6 @@ pub struct AccountUpdatedNotification {
    pub auth_mode: Option<AuthMode>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct ModelPresetsUpdatedNotification {
-    pub models: Vec<Model>,
-}
-
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -1161,9 +942,6 @@ pub struct TurnError {
 #[ts(export_to = "v2/")]
 pub struct ErrorNotification {
    pub error: TurnError,
-    // Set to true if the error is transient and the app-server process will automatically retry.
-    // If true, this will not interrupt a turn.
-    pub will_retry: bool,
    pub thread_id: String,
    pub turn_id: String,
 }
@@ -1363,9 +1141,6 @@ pub enum ThreadItem {
        arguments: JsonValue,
        result: Option<McpToolCallResult>,
        error: Option<McpToolCallError>,
-        /// The duration of the MCP tool call in milliseconds.
-        #[ts(type = "number | null")]
-        duration_ms: Option<i64>,
    },
    #[serde(rename_all = "camelCase")]
    #[ts(rename_all = "camelCase")]
@@ -1629,17 +1404,6 @@ pub struct ReasoningTextDeltaNotification {
    pub content_index: i64,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct TerminalInteractionNotification {
-    pub thread_id: String,
-    pub turn_id: String,
-    pub item_id: String,
-    pub process_id: String,
-    pub stdin: String,
-}
-
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -1670,17 +1434,6 @@ pub struct McpToolCallProgressNotification {
    pub message: String,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct McpServerOauthLoginCompletedNotification {
-    pub name: String,
-    pub success: bool,
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    #[ts(optional)]
-    pub error: Option<String>,
-}
-
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -1707,8 +1460,17 @@ pub struct CommandExecutionRequestApprovalParams {
    pub item_id: String,
    /// Optional explanatory reason (e.g. request for network access).
    pub reason: Option<String>,
-    /// Optional proposed execpolicy amendment to allow similar commands without prompting.
-    pub proposed_execpolicy_amendment: Option<ExecPolicyAmendment>,
+    /// Optional model-provided risk assessment describing the blocked command.
+    pub risk: Option<SandboxCommandAssessment>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct CommandExecutionRequestAcceptSettings {
+    /// If true, automatically approve this command for the duration of the session.
+    #[serde(default)]
+    pub for_session: bool,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -1716,6 +1478,10 @@ pub struct CommandExecutionRequestApprovalParams {
 #[ts(export_to = "v2/")]
 pub struct CommandExecutionRequestApprovalResponse {
    pub decision: ApprovalDecision,
+    /// Optional approval settings for when the decision is `accept`.
+    /// Ignored if the decision is `decline` or `cancel`.
+    #[serde(default)]
+    pub accept_settings: Option<CommandExecutionRequestAcceptSettings>,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -1752,7 +1518,6 @@ pub struct RateLimitSnapshot {
    pub primary: Option<RateLimitWindow>,
    pub secondary: Option<RateLimitWindow>,
    pub credits: Option<CreditsSnapshot>,
-    pub plan_type: Option<PlanType>,
 }

 impl From<CoreRateLimitSnapshot> for RateLimitSnapshot {
@@ -1761,7 +1526,6 @@ impl From<CoreRateLimitSnapshot> for RateLimitSnapshot {
            primary: value.primary.map(RateLimitWindow::from),
            secondary: value.secondary.map(RateLimitWindow::from),
            credits: value.credits.map(CreditsSnapshot::from),
-            plan_type: value.plan_type,
        }
    }
 }
--- a/codex-rs/app-server-test-client/src/main.rs
+++ b/codex-rs/app-server-test-client/src/main.rs
@@ -21,6 +21,7 @@ use codex_app_server_protocol::ApprovalDecision;
 use codex_app_server_protocol::AskForApproval;
 use codex_app_server_protocol::ClientInfo;
 use codex_app_server_protocol::ClientRequest;
+use codex_app_server_protocol::CommandExecutionRequestAcceptSettings;
 use codex_app_server_protocol::CommandExecutionRequestApprovalParams;
 use codex_app_server_protocol::CommandExecutionRequestApprovalResponse;
 use codex_app_server_protocol::FileChangeRequestApprovalParams;
@@ -553,10 +554,6 @@ impl CodexClient {
                    print!("{}", delta.delta);
                    std::io::stdout().flush().ok();
                }
-                ServerNotification::TerminalInteraction(delta) => {
-                    println!("[stdin sent: {}]", delta.stdin);
-                    std::io::stdout().flush().ok();
-                }
                ServerNotification::ItemStarted(payload) => {
                    println!("\n< item started: {:?}", payload.item);
                }
@@ -756,7 +753,7 @@ impl CodexClient {
            turn_id,
            item_id,
            reason,
-            proposed_execpolicy_amendment,
+            risk,
        } = params;

        println!(
@@ -765,12 +762,13 @@ impl CodexClient {
        if let Some(reason) = reason.as_deref() {
            println!("< reason: {reason}");
        }
-        if let Some(execpolicy_amendment) = proposed_execpolicy_amendment.as_ref() {
-            println!("< proposed execpolicy amendment: {execpolicy_amendment:?}");
+        if let Some(risk) = risk.as_ref() {
+            println!("< risk assessment: {risk:?}");
        }

        let response = CommandExecutionRequestApprovalResponse {
            decision: ApprovalDecision::Accept,
+            accept_settings: Some(CommandExecutionRequestAcceptSettings { for_session: false }),
        };
        self.send_server_request_response(request_id, &response)?;
        println!("< approved commandExecution request for item {item_id}");
--- a/codex-rs/app-server/Cargo.toml
+++ b/codex-rs/app-server/Cargo.toml
@@ -26,11 +26,11 @@ codex-login = { workspace = true }
 codex-protocol = { workspace = true }
 codex-app-server-protocol = { workspace = true }
 codex-feedback = { workspace = true }
-codex-rmcp-client = { workspace = true }
 codex-utils-json-to-toml = { workspace = true }
 chrono = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
+sha2 = { workspace = true }
 mcp-types = { workspace = true }
 tempfile = { workspace = true }
 toml = { workspace = true }
@@ -43,6 +43,7 @@ tokio = { workspace = true, features = [
 ] }
 tracing = { workspace = true, features = ["log"] }
 tracing-subscriber = { workspace = true, features = ["env-filter", "fmt"] }
+opentelemetry-appender-tracing = { workspace = true }
 uuid = { workspace = true, features = ["serde", "v7"] }

 [dev-dependencies]
--- a/codex-rs/app-server/README.md
+++ b/codex-rs/app-server/README.md
@@ -64,10 +64,7 @@ Example (from OpenAI's official VSCode extension):
 - `turn/interrupt` — request cancellation of an in-flight turn by `(thread_id, turn_id)`; success is an empty `{}` response and the turn finishes with `status: "interrupted"`.
 - `review/start` — kick off Codex’s automated reviewer for a thread; responds like `turn/start` and emits `item/started`/`item/completed` notifications with `enteredReviewMode` and `exitedReviewMode` items, plus a final assistant `agentMessage` containing the review.
 - `command/exec` — run a single command under the server sandbox without starting a thread/turn (handy for utilities and validation).
- `model/list` — request the available models; responds with `{}` and asynchronously emits `model/presets/updated` containing the catalog.
- `skills/list` — list skills for one or more `cwd` values.
- `mcpServer/oauth/login` — start an OAuth login for a configured MCP server; returns an `authorization_url` and later emits `mcpServer/oauthLogin/completed` once the browser flow finishes.
- `mcpServers/list` — enumerate configured MCP servers with their tools, resources, resource templates, and auth status; supports cursor+limit pagination.
+- `model/list` — list available models (with reasoning effort options).
 - `feedback/upload` — submit a feedback report (classification + optional reason/logs and conversation_id); returns the tracking thread id.
 - `command/exec` — run a single command under the server sandbox without starting a thread/turn (handy for utilities and validation).
 - `config/read` — fetch the effective config on disk after resolving config layering.
@@ -369,8 +366,6 @@ The JSON-RPC auth/account surface exposes request/response methods plus server-i
 - `account/logout` — sign out; triggers `account/updated`.
 - `account/updated` (notify) — emitted whenever auth mode changes (`authMode`: `apikey`, `chatgpt`, or `null`).
 - `account/rateLimits/read` — fetch ChatGPT rate limits; updates arrive via `account/rateLimits/updated` (notify).
- `account/rateLimits/updated` (notify) — emitted whenever a user's ChatGPT rate limits change.
- `mcpServer/oauthLogin/completed` (notify) — emitted after a `mcpServer/oauth/login` flow finishes for a server; payload includes `{ name, success, error? }`.

 ### 1) Check auth state

--- a/codex-rs/app-server/src/bespoke_event_handling.rs
+++ b/codex-rs/app-server/src/bespoke_event_handling.rs
@@ -18,7 +18,6 @@ use codex_app_server_protocol::ContextCompactedNotification;
 use codex_app_server_protocol::ErrorNotification;
 use codex_app_server_protocol::ExecCommandApprovalParams;
 use codex_app_server_protocol::ExecCommandApprovalResponse;
-use codex_app_server_protocol::ExecPolicyAmendment as V2ExecPolicyAmendment;
 use codex_app_server_protocol::FileChangeOutputDeltaNotification;
 use codex_app_server_protocol::FileChangeRequestApprovalParams;
 use codex_app_server_protocol::FileChangeRequestApprovalResponse;
@@ -34,9 +33,9 @@ use codex_app_server_protocol::PatchChangeKind as V2PatchChangeKind;
 use codex_app_server_protocol::ReasoningSummaryPartAddedNotification;
 use codex_app_server_protocol::ReasoningSummaryTextDeltaNotification;
 use codex_app_server_protocol::ReasoningTextDeltaNotification;
+use codex_app_server_protocol::SandboxCommandAssessment as V2SandboxCommandAssessment;
 use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::ServerRequestPayload;
-use codex_app_server_protocol::TerminalInteractionNotification;
 use codex_app_server_protocol::ThreadItem;
 use codex_app_server_protocol::ThreadTokenUsage;
 use codex_app_server_protocol::ThreadTokenUsageUpdatedNotification;
@@ -179,7 +178,8 @@ pub(crate) async fn apply_bespoke_event_handling(
            command,
            cwd,
            reason,
-            proposed_execpolicy_amendment,
+            risk,
+            proposed_execpolicy_amendment: _,
            parsed_cmd,
        }) => match api_version {
            ApiVersion::V1 => {
@@ -189,6 +189,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                    command,
                    cwd,
                    reason,
+                    risk,
                    parsed_cmd,
                };
                let rx = outgoing
@@ -206,8 +207,6 @@ pub(crate) async fn apply_bespoke_event_handling(
                    .map(V2ParsedCommand::from)
                    .collect::<Vec<_>>();
                let command_string = shlex_join(&command);
-                let proposed_execpolicy_amendment_v2 =
-                    proposed_execpolicy_amendment.map(V2ExecPolicyAmendment::from);

                let params = CommandExecutionRequestApprovalParams {
                    thread_id: conversation_id.to_string(),
@@ -216,7 +215,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                    // and emit the corresponding EventMsg, we repurpose the call_id as the item_id.
                    item_id: item_id.clone(),
                    reason,
-                    proposed_execpolicy_amendment: proposed_execpolicy_amendment_v2,
+                    risk: risk.map(V2SandboxCommandAssessment::from),
                };
                let rx = outgoing
                    .send_request(ServerRequestPayload::CommandExecutionRequestApproval(
@@ -334,7 +333,6 @@ pub(crate) async fn apply_bespoke_event_handling(
            outgoing
                .send_server_notification(ServerNotification::Error(ErrorNotification {
                    error: turn_error,
-                    will_retry: false,
                    thread_id: conversation_id.to_string(),
                    turn_id: event_turn_id.clone(),
                }))
@@ -350,7 +348,6 @@ pub(crate) async fn apply_bespoke_event_handling(
            outgoing
                .send_server_notification(ServerNotification::Error(ErrorNotification {
                    error: turn_error,
-                    will_retry: true,
                    thread_id: conversation_id.to_string(),
                    turn_id: event_turn_id.clone(),
                }))
@@ -570,20 +567,6 @@ pub(crate) async fn apply_bespoke_event_handling(
                    .await;
            }
        }
-        EventMsg::TerminalInteraction(terminal_event) => {
-            let item_id = terminal_event.call_id.clone();
-
-            let notification = TerminalInteractionNotification {
-                thread_id: conversation_id.to_string(),
-                turn_id: event_turn_id.clone(),
-                item_id,
-                process_id: terminal_event.process_id,
-                stdin: terminal_event.stdin,
-            };
-            outgoing
-                .send_server_notification(ServerNotification::TerminalInteraction(notification))
-                .await;
-        }
        EventMsg::ExecCommandEnd(exec_command_end_event) => {
            let ExecCommandEndEvent {
                call_id,
@@ -1062,11 +1045,7 @@ async fn on_file_change_request_approval_response(
                });

            let (decision, completion_status) = match response.decision {
-                ApprovalDecision::Accept
-                | ApprovalDecision::AcceptForSession
-                | ApprovalDecision::AcceptWithExecpolicyAmendment { .. } => {
-                    (ReviewDecision::Approved, None)
-                }
+                ApprovalDecision::Accept => (ReviewDecision::Approved, None),
                ApprovalDecision::Decline => {
                    (ReviewDecision::Denied, Some(PatchApplyStatus::Declined))
                }
@@ -1128,27 +1107,25 @@ async fn on_command_execution_request_approval_response(
                    error!("failed to deserialize CommandExecutionRequestApprovalResponse: {err}");
                    CommandExecutionRequestApprovalResponse {
                        decision: ApprovalDecision::Decline,
+                        accept_settings: None,
                    }
                });

-            let decision = response.decision;
+            let CommandExecutionRequestApprovalResponse {
+                decision,
+                accept_settings,
+            } = response;

-            let (decision, completion_status) = match decision {
-                ApprovalDecision::Accept => (ReviewDecision::Approved, None),
-                ApprovalDecision::AcceptForSession => (ReviewDecision::ApprovedForSession, None),
-                ApprovalDecision::AcceptWithExecpolicyAmendment {
-                    execpolicy_amendment,
-                } => (
-                    ReviewDecision::ApprovedExecpolicyAmendment {
-                        proposed_execpolicy_amendment: execpolicy_amendment.into_core(),
-                    },
-                    None,
-                ),
-                ApprovalDecision::Decline => (
+            let (decision, completion_status) = match (decision, accept_settings) {
+                (ApprovalDecision::Accept, Some(settings)) if settings.for_session => {
+                    (ReviewDecision::ApprovedForSession, None)
+                }
+                (ApprovalDecision::Accept, _) => (ReviewDecision::Approved, None),
+                (ApprovalDecision::Decline, _) => (
                    ReviewDecision::Denied,
                    Some(CommandExecutionStatus::Declined),
                ),
-                ApprovalDecision::Cancel => (
+                (ApprovalDecision::Cancel, _) => (
                    ReviewDecision::Abort,
                    Some(CommandExecutionStatus::Declined),
                ),
@@ -1201,7 +1178,6 @@ async fn construct_mcp_tool_call_notification(
        arguments: begin_event.invocation.arguments.unwrap_or(JsonValue::Null),
        result: None,
        error: None,
-        duration_ms: None,
    };
    ItemStartedNotification {
        thread_id,
@@ -1210,7 +1186,7 @@ async fn construct_mcp_tool_call_notification(
    }
 }

-/// similar to handle_mcp_tool_call_end in exec
+/// simiilar to handle_mcp_tool_call_end in exec
 async fn construct_mcp_tool_call_end_notification(
    end_event: McpToolCallEndEvent,
    thread_id: String,
@@ -1221,7 +1197,6 @@ async fn construct_mcp_tool_call_end_notification(
    } else {
        McpToolCallStatus::Failed
    };
-    let duration_ms = i64::try_from(end_event.duration.as_millis()).ok();

    let (result, error) = match &end_event.result {
        Ok(value) => (
@@ -1247,7 +1222,6 @@ async fn construct_mcp_tool_call_end_notification(
        arguments: end_event.invocation.arguments.unwrap_or(JsonValue::Null),
        result,
        error,
-        duration_ms,
    };
    ItemCompletedNotification {
        thread_id,
@@ -1520,7 +1494,6 @@ mod tests {
                unlimited: false,
                balance: Some("5".to_string()),
            }),
-            plan_type: None,
        };

        handle_token_count_event(
@@ -1625,7 +1598,6 @@ mod tests {
                arguments: serde_json::json!({"server": ""}),
                result: None,
                error: None,
-                duration_ms: None,
            },
        };

@@ -1779,7 +1751,6 @@ mod tests {
                arguments: JsonValue::Null,
                result: None,
                error: None,
-                duration_ms: None,
            },
        };

@@ -1833,7 +1804,6 @@ mod tests {
                    structured_content: None,
                }),
                error: None,
-                duration_ms: Some(0),
            },
        };

@@ -1875,7 +1845,6 @@ mod tests {
                error: Some(McpToolCallError {
                    message: "boom".to_string(),
                }),
-                duration_ms: Some(1),
            },
        };

--- a/codex-rs/app-server/src/codex_message_processor.rs
+++ b/codex-rs/app-server/src/codex_message_processor.rs
@@ -19,7 +19,6 @@ use codex_app_server_protocol::AuthMode;
 use codex_app_server_protocol::AuthStatusChangeNotification;
 use codex_app_server_protocol::CancelLoginAccountParams;
 use codex_app_server_protocol::CancelLoginAccountResponse;
-use codex_app_server_protocol::CancelLoginAccountStatus;
 use codex_app_server_protocol::CancelLoginChatGptResponse;
 use codex_app_server_protocol::ClientRequest;
 use codex_app_server_protocol::CommandExecParams;
@@ -56,12 +55,8 @@ use codex_app_server_protocol::LoginChatGptResponse;
 use codex_app_server_protocol::LogoutAccountResponse;
 use codex_app_server_protocol::LogoutChatGptResponse;
 use codex_app_server_protocol::McpServer;
-use codex_app_server_protocol::McpServerOauthLoginCompletedNotification;
-use codex_app_server_protocol::McpServerOauthLoginParams;
-use codex_app_server_protocol::McpServerOauthLoginResponse;
 use codex_app_server_protocol::ModelListParams;
 use codex_app_server_protocol::ModelListResponse;
-use codex_app_server_protocol::ModelPresetsUpdatedNotification;
 use codex_app_server_protocol::NewConversationParams;
 use codex_app_server_protocol::NewConversationResponse;
 use codex_app_server_protocol::RemoveConversationListenerParams;
@@ -82,8 +77,6 @@ use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::SessionConfiguredNotification;
 use codex_app_server_protocol::SetDefaultModelParams;
 use codex_app_server_protocol::SetDefaultModelResponse;
-use codex_app_server_protocol::SkillsListParams;
-use codex_app_server_protocol::SkillsListResponse;
 use codex_app_server_protocol::Thread;
 use codex_app_server_protocol::ThreadArchiveParams;
 use codex_app_server_protocol::ThreadArchiveResponse;
@@ -120,9 +113,9 @@ use codex_core::auth::CLIENT_ID;
 use codex_core::auth::login_with_api_key;
 use codex_core::config::Config;
 use codex_core::config::ConfigOverrides;
-use codex_core::config::ConfigService;
+use codex_core::config::ConfigToml;
 use codex_core::config::edit::ConfigEditsBuilder;
-use codex_core::config::types::McpServerTransportConfig;
+use codex_core::config_loader::load_config_as_toml;
 use codex_core::default_client::get_codex_user_agent;
 use codex_core::exec::ExecParams;
 use codex_core::exec_env::create_env;
@@ -139,7 +132,6 @@ use codex_core::protocol::ReviewRequest;
 use codex_core::protocol::ReviewTarget as CoreReviewTarget;
 use codex_core::protocol::SessionConfiguredEvent;
 use codex_core::read_head_for_summary;
-use codex_core::sandboxing::SandboxPermissions;
 use codex_feedback::CodexFeedback;
 use codex_login::ServerOptions as LoginServerOptions;
 use codex_login::ShutdownHandle;
@@ -155,7 +147,6 @@ use codex_protocol::protocol::RolloutItem;
 use codex_protocol::protocol::SessionMetaLine;
 use codex_protocol::protocol::USER_MESSAGE_BEGIN;
 use codex_protocol::user_input::UserInput as CoreInputItem;
-use codex_rmcp_client::perform_oauth_login_return_url;
 use codex_utils_json_to_toml::json_to_toml;
 use std::collections::HashMap;
 use std::collections::HashSet;
@@ -170,7 +161,6 @@ use std::time::Duration;
 use tokio::select;
 use tokio::sync::Mutex;
 use tokio::sync::oneshot;
-use toml::Value as TomlValue;
 use tracing::error;
 use tracing::info;
 use tracing::warn;
@@ -188,9 +178,6 @@ pub(crate) struct TurnSummary {

 pub(crate) type TurnSummaryStore = Arc<Mutex<HashMap<ConversationId, TurnSummary>>>;

-const THREAD_LIST_DEFAULT_LIMIT: usize = 25;
-const THREAD_LIST_MAX_LIMIT: usize = 100;
-
 // Duration before a ChatGPT login attempt is abandoned.
 const LOGIN_CHATGPT_TIMEOUT: Duration = Duration::from_secs(10 * 60);
 struct ActiveLogin {
@@ -198,11 +185,6 @@ struct ActiveLogin {
    login_id: Uuid,
 }

-#[derive(Clone, Copy, Debug)]
-enum CancelLoginError {
-    NotFound(Uuid),
-}
-
 impl Drop for ActiveLogin {
    fn drop(&mut self) {
        self.shutdown_handle.shutdown();
@@ -216,7 +198,6 @@ pub(crate) struct CodexMessageProcessor {
    outgoing: Arc<OutgoingMessageSender>,
    codex_linux_sandbox_exe: Option<PathBuf>,
    config: Arc<Config>,
-    cli_overrides: Vec<(String, TomlValue)>,
    conversation_listeners: HashMap<Uuid, oneshot::Sender<()>>,
    active_login: Arc<Mutex<Option<ActiveLogin>>>,
    // Queue of pending interrupt requests per conversation. We reply when TurnAborted arrives.
@@ -232,19 +213,6 @@ pub(crate) enum ApiVersion {
    V2,
 }

-fn spawn_model_presets_notification(
-    outgoing: Arc<OutgoingMessageSender>,
-    conversation_manager: Arc<ConversationManager>,
-    config: Arc<Config>,
-) {
-    tokio::spawn(async move {
-        let models = supported_models(conversation_manager, &config).await;
-        let notification =
-            ServerNotification::ModelPresetsUpdated(ModelPresetsUpdatedNotification { models });
-        outgoing.send_server_notification(notification).await;
-    });
-}
-
 impl CodexMessageProcessor {
    async fn conversation_from_thread_id(
        &self,
@@ -276,7 +244,6 @@ impl CodexMessageProcessor {
        outgoing: Arc<OutgoingMessageSender>,
        codex_linux_sandbox_exe: Option<PathBuf>,
        config: Arc<Config>,
-        cli_overrides: Vec<(String, TomlValue)>,
        feedback: CodexFeedback,
    ) -> Self {
        Self {
@@ -285,7 +252,6 @@ impl CodexMessageProcessor {
            outgoing,
            codex_linux_sandbox_exe,
            config,
-            cli_overrides,
            conversation_listeners: HashMap::new(),
            active_login: Arc::new(Mutex::new(None)),
            pending_interrupts: Arc::new(Mutex::new(HashMap::new())),
@@ -295,24 +261,6 @@ impl CodexMessageProcessor {
        }
    }

-    pub(crate) fn spawn_model_presets_notification(&self) {
-        spawn_model_presets_notification(
-            self.outgoing.clone(),
-            self.conversation_manager.clone(),
-            self.config.clone(),
-        );
-    }
-
-    async fn load_latest_config(&self) -> Result<Config, JSONRPCErrorError> {
-        Config::load_with_cli_overrides(self.cli_overrides.clone(), ConfigOverrides::default())
-            .await
-            .map_err(|err| JSONRPCErrorError {
-                code: INTERNAL_ERROR_CODE,
-                message: format!("failed to reload config: {err}"),
-                data: None,
-            })
-    }
-
    fn review_request_from_target(
        target: ApiReviewTarget,
    ) -> Result<(ReviewRequest, String), JSONRPCErrorError> {
@@ -390,8 +338,12 @@ impl CodexMessageProcessor {
            ClientRequest::ThreadList { request_id, params } => {
                self.thread_list(request_id, params).await;
            }
-            ClientRequest::SkillsList { request_id, params } => {
-                self.skills_list(request_id, params).await;
+            ClientRequest::ThreadCompact {
+                request_id,
+                params: _,
+            } => {
+                self.send_unimplemented_error(request_id, "thread/compact")
+                    .await;
            }
            ClientRequest::TurnStart { request_id, params } => {
                self.turn_start(request_id, params).await;
@@ -417,9 +369,6 @@ impl CodexMessageProcessor {
            ClientRequest::ModelList { request_id, params } => {
                self.list_models(request_id, params).await;
            }
-            ClientRequest::McpServerOauthLogin { request_id, params } => {
-                self.mcp_server_oauth_login(request_id, params).await;
-            }
            ClientRequest::McpServersList { request_id, params } => {
                self.list_mcp_servers(request_id, params).await;
            }
@@ -530,6 +479,15 @@ impl CodexMessageProcessor {
        }
    }

+    async fn send_unimplemented_error(&self, request_id: RequestId, method: &str) {
+        let error = JSONRPCErrorError {
+            code: INTERNAL_ERROR_CODE,
+            message: format!("{method} is not implemented yet"),
+            data: None,
+        };
+        self.outgoing.send_error(request_id, error).await;
+    }
+
    async fn login_v2(&mut self, request_id: RequestId, params: LoginAccountParams) {
        match params {
            LoginAccountParams::ApiKey { api_key } => {
@@ -595,7 +553,6 @@ impl CodexMessageProcessor {
                self.outgoing
                    .send_server_notification(ServerNotification::AuthStatusChange(payload))
                    .await;
-                self.spawn_model_presets_notification();
            }
            Err(error) => {
                self.outgoing.send_error(request_id, error).await;
@@ -626,7 +583,6 @@ impl CodexMessageProcessor {
                self.outgoing
                    .send_server_notification(ServerNotification::AccountUpdated(payload_v2))
                    .await;
-                self.spawn_model_presets_notification();
            }
            Err(error) => {
                self.outgoing.send_error(request_id, error).await;
@@ -683,8 +639,6 @@ impl CodexMessageProcessor {
                    let outgoing_clone = self.outgoing.clone();
                    let active_login = self.active_login.clone();
                    let auth_manager = self.auth_manager.clone();
-                    let conversation_manager = self.conversation_manager.clone();
-                    let config = self.config.clone();
                    let auth_url = server.auth_url.clone();
                    tokio::spawn(async move {
                        let (success, error_msg) = match tokio::time::timeout(
@@ -725,11 +679,6 @@ impl CodexMessageProcessor {
                                    payload,
                                ))
                                .await;
-                            spawn_model_presets_notification(
-                                outgoing_clone,
-                                conversation_manager,
-                                config,
-                            );
                        }

                        // Clear the active login if it matches this attempt. It may have been replaced or cancelled.
@@ -780,8 +729,6 @@ impl CodexMessageProcessor {
                    let outgoing_clone = self.outgoing.clone();
                    let active_login = self.active_login.clone();
                    let auth_manager = self.auth_manager.clone();
-                    let conversation_manager = self.conversation_manager.clone();
-                    let config = self.config.clone();
                    let auth_url = server.auth_url.clone();
                    tokio::spawn(async move {
                        let (success, error_msg) = match tokio::time::timeout(
@@ -822,11 +769,6 @@ impl CodexMessageProcessor {
                                    payload_v2,
                                ))
                                .await;
-                            spawn_model_presets_notification(
-                                outgoing_clone,
-                                conversation_manager,
-                                config,
-                            );
                        }

                        // Clear the active login if it matches this attempt. It may have been replaced or cancelled.
@@ -860,7 +802,7 @@ impl CodexMessageProcessor {
    async fn cancel_login_chatgpt_common(
        &mut self,
        login_id: Uuid,
-    ) -> std::result::Result<(), CancelLoginError> {
+    ) -> std::result::Result<(), JSONRPCErrorError> {
        let mut guard = self.active_login.lock().await;
        if guard.as_ref().map(|l| l.login_id) == Some(login_id) {
            if let Some(active) = guard.take() {
@@ -868,7 +810,11 @@ impl CodexMessageProcessor {
            }
            Ok(())
        } else {
-            Err(CancelLoginError::NotFound(login_id))
+            Err(JSONRPCErrorError {
+                code: INVALID_REQUEST_ERROR_CODE,
+                message: format!("login id not found: {login_id}"),
+                data: None,
+            })
        }
    }

@@ -879,12 +825,7 @@ impl CodexMessageProcessor {
                    .send_response(request_id, CancelLoginChatGptResponse {})
                    .await;
            }
-            Err(CancelLoginError::NotFound(missing_login_id)) => {
-                let error = JSONRPCErrorError {
-                    code: INVALID_REQUEST_ERROR_CODE,
-                    message: format!("login id not found: {missing_login_id}"),
-                    data: None,
-                };
+            Err(error) => {
                self.outgoing.send_error(request_id, error).await;
            }
        }
@@ -893,14 +834,16 @@ impl CodexMessageProcessor {
    async fn cancel_login_v2(&mut self, request_id: RequestId, params: CancelLoginAccountParams) {
        let login_id = params.login_id;
        match Uuid::parse_str(&login_id) {
-            Ok(uuid) => {
-                let status = match self.cancel_login_chatgpt_common(uuid).await {
-                    Ok(()) => CancelLoginAccountStatus::Canceled,
-                    Err(CancelLoginError::NotFound(_)) => CancelLoginAccountStatus::NotFound,
-                };
-                let response = CancelLoginAccountResponse { status };
-                self.outgoing.send_response(request_id, response).await;
-            }
+            Ok(uuid) => match self.cancel_login_chatgpt_common(uuid).await {
+                Ok(()) => {
+                    self.outgoing
+                        .send_response(request_id, CancelLoginAccountResponse {})
+                        .await;
+                }
+                Err(error) => {
+                    self.outgoing.send_error(request_id, error).await;
+                }
+            },
            Err(_) => {
                let error = JSONRPCErrorError {
                    code: INVALID_REQUEST_ERROR_CODE,
@@ -946,7 +889,6 @@ impl CodexMessageProcessor {
                self.outgoing
                    .send_server_notification(ServerNotification::AuthStatusChange(payload))
                    .await;
-                self.spawn_model_presets_notification();
            }
            Err(error) => {
                self.outgoing.send_error(request_id, error).await;
@@ -967,7 +909,6 @@ impl CodexMessageProcessor {
                self.outgoing
                    .send_server_notification(ServerNotification::AccountUpdated(payload_v2))
                    .await;
-                self.spawn_model_presets_notification();
            }
            Err(error) => {
                self.outgoing.send_error(request_id, error).await;
@@ -1136,13 +1077,12 @@ impl CodexMessageProcessor {
    }

    async fn get_user_saved_config(&self, request_id: RequestId) {
-        let service = ConfigService::new(self.config.codex_home.clone(), Vec::new());
-        let user_saved_config: UserSavedConfig = match service.load_user_saved_config().await {
-            Ok(config) => config,
+        let toml_value = match load_config_as_toml(&self.config.codex_home).await {
+            Ok(val) => val,
            Err(err) => {
                let error = JSONRPCErrorError {
                    code: INTERNAL_ERROR_CODE,
-                    message: err.to_string(),
+                    message: format!("failed to load config.toml: {err}"),
                    data: None,
                };
                self.outgoing.send_error(request_id, error).await;
@@ -1150,6 +1090,21 @@ impl CodexMessageProcessor {
            }
        };

+        let cfg: ConfigToml = match toml_value.try_into() {
+            Ok(cfg) => cfg,
+            Err(err) => {
+                let error = JSONRPCErrorError {
+                    code: INTERNAL_ERROR_CODE,
+                    message: format!("failed to parse config.toml: {err}"),
+                    data: None,
+                };
+                self.outgoing.send_error(request_id, error).await;
+                return;
+            }
+        };
+
+        let user_saved_config: UserSavedConfig = cfg.into();
+
        let response = GetUserSavedConfigResponse {
            config: user_saved_config,
        };
@@ -1214,7 +1169,7 @@ impl CodexMessageProcessor {
            cwd,
            expiration: timeout_ms.into(),
            env,
-            sandbox_permissions: SandboxPermissions::UseDefault,
+            with_escalated_permissions: None,
            justification: None,
            arg0: None,
        };
@@ -1294,7 +1249,7 @@ impl CodexMessageProcessor {
        let mut cli_overrides = cli_overrides.unwrap_or_default();
        if cfg!(windows) && self.config.features.enabled(Feature::WindowsSandbox) {
            cli_overrides.insert(
-                "features.experimental_windows_sandbox".to_string(),
+                "features.enable_experimental_windows_sandbox".to_string(),
                serde_json::json!(true),
            );
        }
@@ -1530,12 +1485,10 @@ impl CodexMessageProcessor {
            model_providers,
        } = params;

-        let requested_page_size = limit
-            .map(|value| value as usize)
-            .unwrap_or(THREAD_LIST_DEFAULT_LIMIT)
-            .clamp(1, THREAD_LIST_MAX_LIMIT);
+        let page_size = limit.unwrap_or(25).max(1) as usize;
+
        let (summaries, next_cursor) = match self
-            .list_conversations_common(requested_page_size, cursor, model_providers)
+            .list_conversations_common(page_size, cursor, model_providers)
            .await
        {
            Ok(r) => r,
@@ -1546,6 +1499,7 @@ impl CodexMessageProcessor {
        };

        let data = summaries.into_iter().map(summary_to_thread).collect();
+
        let response = ThreadListResponse { data, next_cursor };
        self.outgoing.send_response(request_id, response).await;
    }
@@ -1823,12 +1777,10 @@ impl CodexMessageProcessor {
            cursor,
            model_providers,
        } = params;
-        let requested_page_size = page_size
-            .unwrap_or(THREAD_LIST_DEFAULT_LIMIT)
-            .clamp(1, THREAD_LIST_MAX_LIMIT);
+        let page_size = page_size.unwrap_or(25).max(1);

        match self
-            .list_conversations_common(requested_page_size, cursor, model_providers)
+            .list_conversations_common(page_size, cursor, model_providers)
            .await
        {
            Ok((items, next_cursor)) => {
@@ -1843,15 +1795,12 @@ impl CodexMessageProcessor {

    async fn list_conversations_common(
        &self,
-        requested_page_size: usize,
+        page_size: usize,
        cursor: Option<String>,
        model_providers: Option<Vec<String>>,
    ) -> Result<(Vec<ConversationSummary>, Option<String>), JSONRPCErrorError> {
-        let mut cursor_obj: Option<RolloutCursor> = cursor.as_ref().and_then(|s| parse_cursor(s));
-        let mut last_cursor = cursor_obj.clone();
-        let mut remaining = requested_page_size;
-        let mut items = Vec::with_capacity(requested_page_size);
-        let mut next_cursor: Option<String> = None;
+        let cursor_obj: Option<RolloutCursor> = cursor.as_ref().and_then(|s| parse_cursor(s));
+        let cursor_ref = cursor_obj.as_ref();

        let model_provider_filter = match model_providers {
            Some(providers) => {
@@ -1865,199 +1814,115 @@ impl CodexMessageProcessor {
        };
        let fallback_provider = self.config.model_provider_id.clone();

-        while remaining > 0 {
-            let page_size = remaining.min(THREAD_LIST_MAX_LIMIT);
-            let page = RolloutRecorder::list_conversations(
-                &self.config.codex_home,
-                page_size,
-                cursor_obj.as_ref(),
-                INTERACTIVE_SESSION_SOURCES,
-                model_provider_filter.as_deref(),
-                fallback_provider.as_str(),
-            )
-            .await
-            .map_err(|err| JSONRPCErrorError {
-                code: INTERNAL_ERROR_CODE,
-                message: format!("failed to list conversations: {err}"),
-                data: None,
-            })?;
-
-            let mut filtered = page
-                .items
-                .into_iter()
-                .filter_map(|it| {
-                    let session_meta_line = it.head.first().and_then(|first| {
-                        serde_json::from_value::<SessionMetaLine>(first.clone()).ok()
-                    })?;
-                    extract_conversation_summary(
-                        it.path,
-                        &it.head,
-                        &session_meta_line.meta,
-                        session_meta_line.git.as_ref(),
-                        fallback_provider.as_str(),
-                    )
-                })
-                .collect::<Vec<_>>();
-            if filtered.len() > remaining {
-                filtered.truncate(remaining);
+        let page = match RolloutRecorder::list_conversations(
+            &self.config.codex_home,
+            page_size,
+            cursor_ref,
+            INTERACTIVE_SESSION_SOURCES,
+            model_provider_filter.as_deref(),
+            fallback_provider.as_str(),
+        )
+        .await
+        {
+            Ok(p) => p,
+            Err(err) => {
+                return Err(JSONRPCErrorError {
+                    code: INTERNAL_ERROR_CODE,
+                    message: format!("failed to list conversations: {err}"),
+                    data: None,
+                });
            }
-            items.extend(filtered);
-            remaining = requested_page_size.saturating_sub(items.len());
+        };

-            // Encode RolloutCursor into the JSON-RPC string form returned to clients.
-            let next_cursor_value = page.next_cursor.clone();
-            next_cursor = next_cursor_value
-                .as_ref()
-                .and_then(|cursor| serde_json::to_value(cursor).ok())
-                .and_then(|value| value.as_str().map(str::to_owned));
-            if remaining == 0 {
-                break;
-            }
+        let items = page
+            .items
+            .into_iter()
+            .filter_map(|it| {
+                let session_meta_line = it.head.first().and_then(|first| {
+                    serde_json::from_value::<SessionMetaLine>(first.clone()).ok()
+                })?;
+                extract_conversation_summary(
+                    it.path,
+                    &it.head,
+                    &session_meta_line.meta,
+                    session_meta_line.git.as_ref(),
+                    fallback_provider.as_str(),
+                )
+            })
+            .collect::<Vec<_>>();

-            match next_cursor_value {
-                Some(cursor_val) if remaining > 0 => {
-                    // Break if our pagination would reuse the same cursor again; this avoids
-                    // an infinite loop when filtering drops everything on the page.
-                    if last_cursor.as_ref() == Some(&cursor_val) {
-                        next_cursor = None;
-                        break;
-                    }
-                    last_cursor = Some(cursor_val.clone());
-                    cursor_obj = Some(cursor_val);
-                }
-                _ => break,
-            }
-        }
+        // Encode next_cursor as a plain string
+        let next_cursor = page
+            .next_cursor
+            .and_then(|cursor| serde_json::to_value(&cursor).ok())
+            .and_then(|value| value.as_str().map(str::to_owned));

        Ok((items, next_cursor))
    }

    async fn list_models(&self, request_id: RequestId, params: ModelListParams) {
-        let _ = params;
-        let response = ModelListResponse {};
-        self.outgoing.send_response(request_id, response).await;
+        let ModelListParams { limit, cursor } = params;
+        let models = supported_models(self.conversation_manager.clone()).await;
+        let total = models.len();

-        self.spawn_model_presets_notification();
-    }
-
-    async fn mcp_server_oauth_login(
-        &self,
-        request_id: RequestId,
-        params: McpServerOauthLoginParams,
-    ) {
-        let config = match self.load_latest_config().await {
-            Ok(config) => config,
-            Err(error) => {
-                self.outgoing.send_error(request_id, error).await;
-                return;
-            }
-        };
-
-        if !config.features.enabled(Feature::RmcpClient) {
-            let error = JSONRPCErrorError {
-                code: INVALID_REQUEST_ERROR_CODE,
-                message: "OAuth login is only supported when [features].rmcp_client is true in config.toml".to_string(),
-                data: None,
+        if total == 0 {
+            let response = ModelListResponse {
+                data: Vec::new(),
+                next_cursor: None,
            };
-            self.outgoing.send_error(request_id, error).await;
+            self.outgoing.send_response(request_id, response).await;
            return;
        }

-        let McpServerOauthLoginParams {
-            name,
-            scopes,
-            timeout_secs,
-        } = params;
-
-        let Some(server) = config.mcp_servers.get(&name) else {
-            let error = JSONRPCErrorError {
-                code: INVALID_REQUEST_ERROR_CODE,
-                message: format!("No MCP server named '{name}' found."),
-                data: None,
-            };
-            self.outgoing.send_error(request_id, error).await;
-            return;
-        };
-
-        let (url, http_headers, env_http_headers) = match &server.transport {
-            McpServerTransportConfig::StreamableHttp {
-                url,
-                http_headers,
-                env_http_headers,
-                ..
-            } => (url.clone(), http_headers.clone(), env_http_headers.clone()),
-            _ => {
-                let error = JSONRPCErrorError {
-                    code: INVALID_REQUEST_ERROR_CODE,
-                    message: "OAuth login is only supported for streamable HTTP servers."
-                        .to_string(),
-                    data: None,
-                };
-                self.outgoing.send_error(request_id, error).await;
-                return;
-            }
-        };
-
-        match perform_oauth_login_return_url(
-            &name,
-            &url,
-            config.mcp_oauth_credentials_store_mode,
-            http_headers,
-            env_http_headers,
-            scopes.as_deref().unwrap_or_default(),
-            timeout_secs,
-        )
-        .await
-        {
-            Ok(handle) => {
-                let authorization_url = handle.authorization_url().to_string();
-                let notification_name = name.clone();
-                let outgoing = Arc::clone(&self.outgoing);
-
-                tokio::spawn(async move {
-                    let (success, error) = match handle.wait().await {
-                        Ok(()) => (true, None),
-                        Err(err) => (false, Some(err.to_string())),
+        let effective_limit = limit.unwrap_or(total as u32).max(1) as usize;
+        let effective_limit = effective_limit.min(total);
+        let start = match cursor {
+            Some(cursor) => match cursor.parse::<usize>() {
+                Ok(idx) => idx,
+                Err(_) => {
+                    let error = JSONRPCErrorError {
+                        code: INVALID_REQUEST_ERROR_CODE,
+                        message: format!("invalid cursor: {cursor}"),
+                        data: None,
                    };
+                    self.outgoing.send_error(request_id, error).await;
+                    return;
+                }
+            },
+            None => 0,
+        };

-                    let notification = ServerNotification::McpServerOauthLoginCompleted(
-                        McpServerOauthLoginCompletedNotification {
-                            name: notification_name,
-                            success,
-                            error,
-                        },
-                    );
-                    outgoing.send_server_notification(notification).await;
-                });
-
-                let response = McpServerOauthLoginResponse { authorization_url };
-                self.outgoing.send_response(request_id, response).await;
-            }
-            Err(err) => {
-                let error = JSONRPCErrorError {
-                    code: INTERNAL_ERROR_CODE,
-                    message: format!("failed to login to MCP server '{name}': {err}"),
-                    data: None,
-                };
-                self.outgoing.send_error(request_id, error).await;
-            }
+        if start > total {
+            let error = JSONRPCErrorError {
+                code: INVALID_REQUEST_ERROR_CODE,
+                message: format!("cursor {start} exceeds total models {total}"),
+                data: None,
+            };
+            self.outgoing.send_error(request_id, error).await;
+            return;
        }
+
+        let end = start.saturating_add(effective_limit).min(total);
+        let items = models[start..end].to_vec();
+        let next_cursor = if end < total {
+            Some(end.to_string())
+        } else {
+            None
+        };
+        let response = ModelListResponse {
+            data: items,
+            next_cursor,
+        };
+        self.outgoing.send_response(request_id, response).await;
    }

    async fn list_mcp_servers(&self, request_id: RequestId, params: ListMcpServersParams) {
-        let config = match self.load_latest_config().await {
-            Ok(config) => config,
-            Err(error) => {
-                self.outgoing.send_error(request_id, error).await;
-                return;
-            }
-        };
-
-        let snapshot = collect_mcp_snapshot(&config).await;
+        let snapshot = collect_mcp_snapshot(self.config.as_ref()).await;

        let tools_by_server = group_tools_by_server(&snapshot.tools);

-        let mut server_names: Vec<String> = config
+        let mut server_names: Vec<String> = self
+            .config
            .mcp_servers
            .keys()
            .cloned()
@@ -2163,7 +2028,7 @@ impl CodexMessageProcessor {
                let mut cli_overrides = cli_overrides.unwrap_or_default();
                if cfg!(windows) && self.config.features.enabled(Feature::WindowsSandbox) {
                    cli_overrides.insert(
-                        "features.experimental_windows_sandbox".to_string(),
+                        "features.enable_experimental_windows_sandbox".to_string(),
                        serde_json::json!(true),
                    );
                }
@@ -2596,42 +2461,6 @@ impl CodexMessageProcessor {
            .await;
    }

-    async fn skills_list(&self, request_id: RequestId, params: SkillsListParams) {
-        let SkillsListParams { cwds } = params;
-        let cwds = if cwds.is_empty() {
-            vec![self.config.cwd.clone()]
-        } else {
-            cwds
-        };
-
-        let data = if self.config.features.enabled(Feature::Skills) {
-            let skills_manager = self.conversation_manager.skills_manager();
-            cwds.into_iter()
-                .map(|cwd| {
-                    let outcome = skills_manager.skills_for_cwd(&cwd);
-                    let errors = errors_to_info(&outcome.errors);
-                    let skills = skills_to_info(&outcome.skills);
-                    codex_app_server_protocol::SkillsListEntry {
-                        cwd,
-                        skills,
-                        errors,
-                    }
-                })
-                .collect()
-        } else {
-            cwds.into_iter()
-                .map(|cwd| codex_app_server_protocol::SkillsListEntry {
-                    cwd,
-                    skills: Vec::new(),
-                    errors: Vec::new(),
-                })
-                .collect()
-        };
-        self.outgoing
-            .send_response(request_id, SkillsListResponse { data })
-            .await;
-    }
-
    async fn interrupt_conversation(
        &mut self,
        request_id: RequestId,
@@ -2840,7 +2669,7 @@ impl CodexMessageProcessor {
        })?;

        let mut config = self.config.as_ref().clone();
-        config.model = Some(self.config.review_model.clone());
+        config.model = self.config.review_model.clone();

        let NewConversation {
            conversation_id,
@@ -3277,32 +3106,6 @@ impl CodexMessageProcessor {
    }
 }

-fn skills_to_info(
-    skills: &[codex_core::skills::SkillMetadata],
-) -> Vec<codex_app_server_protocol::SkillMetadata> {
-    skills
-        .iter()
-        .map(|skill| codex_app_server_protocol::SkillMetadata {
-            name: skill.name.clone(),
-            description: skill.description.clone(),
-            path: skill.path.clone(),
-            scope: skill.scope.into(),
-        })
-        .collect()
-}
-
-fn errors_to_info(
-    errors: &[codex_core::skills::SkillError],
-) -> Vec<codex_app_server_protocol::SkillErrorInfo> {
-    errors
-        .iter()
-        .map(|err| codex_app_server_protocol::SkillErrorInfo {
-            path: err.path.clone(),
-            message: err.message.clone(),
-        })
-        .collect()
-}
-
 async fn derive_config_from_params(
    overrides: ConfigOverrides,
    cli_overrides: Option<std::collections::HashMap<String, serde_json::Value>>,
--- a/codex-rs/app-server/src/config_api.rs
+++ b/codex-rs/app-server/src/config_api.rs
--- a/codex-rs/app-server/src/lib.rs
+++ b/codex-rs/app-server/src/lib.rs
@@ -3,6 +3,7 @@
 use codex_common::CliConfigOverrides;
 use codex_core::config::Config;
 use codex_core::config::ConfigOverrides;
+use opentelemetry_appender_tracing::layer::OpenTelemetryTracingBridge;
 use std::io::ErrorKind;
 use std::io::Result as IoResult;
 use std::path::PathBuf;
@@ -102,7 +103,6 @@ pub async fn run_main(
    // control the log level with `RUST_LOG`.
    let stderr_fmt = tracing_subscriber::fmt::layer()
        .with_writer(std::io::stderr)
-        .with_span_events(tracing_subscriber::fmt::format::FmtSpan::FULL)
        .with_filter(EnvFilter::from_default_env());

    let feedback_layer = tracing_subscriber::fmt::layer()
@@ -111,15 +111,14 @@ pub async fn run_main(
        .with_target(false)
        .with_filter(Targets::new().with_default(Level::TRACE));

-    let otel_logger_layer = otel.as_ref().and_then(|o| o.logger_layer());
-
-    let otel_tracing_layer = otel.as_ref().and_then(|o| o.tracing_layer());
-
    let _ = tracing_subscriber::registry()
        .with(stderr_fmt)
        .with(feedback_layer)
-        .with(otel_logger_layer)
-        .with(otel_tracing_layer)
+        .with(otel.as_ref().map(|provider| {
+            OpenTelemetryTracingBridge::new(&provider.logger).with_filter(
+                tracing_subscriber::filter::filter_fn(codex_core::otel_init::codex_export_filter),
+            )
+        }))
        .try_init();

    // Task: process incoming messages.
--- a/codex-rs/app-server/src/message_processor.rs
+++ b/codex-rs/app-server/src/message_processor.rs
@@ -59,7 +59,6 @@ impl MessageProcessor {
            outgoing.clone(),
            codex_linux_sandbox_exe,
            Arc::clone(&config),
-            cli_overrides.clone(),
            feedback,
        );
        let config_api = ConfigApi::new(config.codex_home.clone(), cli_overrides);
@@ -128,8 +127,6 @@ impl MessageProcessor {
                    self.outgoing.send_response(request_id, response).await;

                    self.initialized = true;
-                    self.codex_message_processor
-                        .spawn_model_presets_notification();

                    return;
                }
--- a/codex-rs/app-server/src/models.rs
+++ b/codex-rs/app-server/src/models.rs
@@ -3,16 +3,12 @@ use std::sync::Arc;
 use codex_app_server_protocol::Model;
 use codex_app_server_protocol::ReasoningEffortOption;
 use codex_core::ConversationManager;
-use codex_core::config::Config;
 use codex_protocol::openai_models::ModelPreset;
 use codex_protocol::openai_models::ReasoningEffortPreset;

-pub async fn supported_models(
-    conversation_manager: Arc<ConversationManager>,
-    config: &Config,
-) -> Vec<Model> {
+pub async fn supported_models(conversation_manager: Arc<ConversationManager>) -> Vec<Model> {
    conversation_manager
-        .list_models(config)
+        .list_models()
        .await
        .into_iter()
        .map(model_from_preset)
--- a/codex-rs/app-server/src/outgoing_message.rs
+++ b/codex-rs/app-server/src/outgoing_message.rs
@@ -16,9 +16,6 @@ use tracing::warn;

 use crate::error_code::INTERNAL_ERROR_CODE;

-#[cfg(test)]
-use codex_protocol::account::PlanType;
-
 /// Sends messages to the client and manages request callbacks.
 pub(crate) struct OutgoingMessageSender {
    next_request_id: AtomicI64,
@@ -233,7 +230,6 @@ mod tests {
                    }),
                    secondary: None,
                    credits: None,
-                    plan_type: Some(PlanType::Plus),
                },
            });

@@ -249,8 +245,7 @@ mod tests {
                            "resetsAt": 123
                        },
                        "secondary": null,
-                        "credits": null,
-                        "planType": "plus"
+                        "credits": null
                    }
                },
            }),
--- a/codex-rs/app-server/tests/common/Cargo.toml
+++ b/codex-rs/app-server/tests/common/Cargo.toml
@@ -13,7 +13,7 @@ assert_cmd = { workspace = true }
 base64 = { workspace = true }
 chrono = { workspace = true }
 codex-app-server-protocol = { workspace = true }
-codex-core = { workspace = true, features = ["test-support"] }
+codex-core = { workspace = true }
 codex-protocol = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
--- a/codex-rs/app-server/tests/common/lib.rs
+++ b/codex-rs/app-server/tests/common/lib.rs
@@ -1,7 +1,6 @@
 mod auth_fixtures;
 mod mcp_process;
 mod mock_model_server;
-mod models_cache;
 mod responses;
 mod rollout;

@@ -12,16 +11,9 @@ pub use auth_fixtures::write_chatgpt_auth;
 use codex_app_server_protocol::JSONRPCResponse;
 pub use core_test_support::format_with_current_shell;
 pub use core_test_support::format_with_current_shell_display;
-pub use core_test_support::format_with_current_shell_display_non_login;
-pub use core_test_support::format_with_current_shell_non_login;
-pub use core_test_support::test_path_buf_with_windows;
-pub use core_test_support::test_tmp_path;
-pub use core_test_support::test_tmp_path_buf;
 pub use mcp_process::McpProcess;
 pub use mock_model_server::create_mock_chat_completions_server;
 pub use mock_model_server::create_mock_chat_completions_server_unchecked;
-pub use models_cache::write_models_cache;
-pub use models_cache::write_models_cache_with_models;
 pub use responses::create_apply_patch_sse_response;
 pub use responses::create_exec_command_sse_response;
 pub use responses::create_final_assistant_message_sse_response;
--- a/codex-rs/app-server/tests/common/models_cache.rs
+++ b/codex-rs/app-server/tests/common/models_cache.rs
@@ -1,85 +0,0 @@
-use chrono::DateTime;
-use chrono::Utc;
-use codex_core::openai_models::model_presets::all_model_presets;
-use codex_protocol::openai_models::ClientVersion;
-use codex_protocol::openai_models::ConfigShellToolType;
-use codex_protocol::openai_models::ModelInfo;
-use codex_protocol::openai_models::ModelPreset;
-use codex_protocol::openai_models::ModelVisibility;
-use codex_protocol::openai_models::ReasoningSummaryFormat;
-use codex_protocol::openai_models::TruncationPolicyConfig;
-use serde_json::json;
-use std::path::Path;
-
-/// Convert a ModelPreset to ModelInfo for cache storage.
-fn preset_to_info(preset: &ModelPreset, priority: i32) -> ModelInfo {
-    ModelInfo {
-        slug: preset.id.clone(),
-        display_name: preset.display_name.clone(),
-        description: Some(preset.description.clone()),
-        default_reasoning_level: preset.default_reasoning_effort,
-        supported_reasoning_levels: preset.supported_reasoning_efforts.clone(),
-        shell_type: ConfigShellToolType::ShellCommand,
-        visibility: if preset.show_in_picker {
-            ModelVisibility::List
-        } else {
-            ModelVisibility::Hide
-        },
-        minimal_client_version: ClientVersion(0, 1, 0),
-        supported_in_api: true,
-        priority,
-        upgrade: preset.upgrade.as_ref().map(|u| u.id.clone()),
-        base_instructions: None,
-        supports_reasoning_summaries: false,
-        support_verbosity: false,
-        default_verbosity: None,
-        apply_patch_tool_type: None,
-        truncation_policy: TruncationPolicyConfig::bytes(10_000),
-        supports_parallel_tool_calls: false,
-        context_window: None,
-        reasoning_summary_format: ReasoningSummaryFormat::None,
-        experimental_supported_tools: Vec::new(),
-    }
-}
-
-/// Write a models_cache.json file to the codex home directory.
-/// This prevents ModelsManager from making network requests to refresh models.
-/// The cache will be treated as fresh (within TTL) and used instead of fetching from the network.
-/// Uses the built-in model presets from ModelsManager, converted to ModelInfo format.
-pub fn write_models_cache(codex_home: &Path) -> std::io::Result<()> {
-    // Get all presets and filter for show_in_picker (same as builtin_model_presets does)
-    let presets: Vec<&ModelPreset> = all_model_presets()
-        .iter()
-        .filter(|preset| preset.show_in_picker)
-        .collect();
-    // Convert presets to ModelInfo, assigning priorities (higher = earlier in list)
-    // Priority is used for sorting, so first model gets highest priority
-    let models: Vec<ModelInfo> = presets
-        .iter()
-        .enumerate()
-        .map(|(idx, preset)| {
-            // Higher priority = earlier in list, so reverse the index
-            let priority = (presets.len() - idx) as i32;
-            preset_to_info(preset, priority)
-        })
-        .collect();
-
-    write_models_cache_with_models(codex_home, models)
-}
-
-/// Write a models_cache.json file with specific models.
-/// Useful when tests need specific models to be available.
-pub fn write_models_cache_with_models(
-    codex_home: &Path,
-    models: Vec<ModelInfo>,
-) -> std::io::Result<()> {
-    let cache_path = codex_home.join("models_cache.json");
-    // DateTime<Utc> serializes to RFC3339 format by default with serde
-    let fetched_at: DateTime<Utc> = Utc::now();
-    let cache = json!({
-        "fetched_at": fetched_at,
-        "etag": null,
-        "models": models
-    });
-    std::fs::write(cache_path, serde_json::to_string_pretty(&cache)?)
-}
--- a/codex-rs/app-server/tests/suite/codex_message_processor_flow.rs
+++ b/codex-rs/app-server/tests/suite/codex_message_processor_flow.rs
@@ -271,6 +271,7 @@ async fn test_send_user_turn_changes_approval_policy_behavior() -> Result<()> {
            command: format_with_current_shell("python3 -c 'print(42)'"),
            cwd: working_directory.clone(),
            reason: None,
+            risk: None,
            parsed_cmd: vec![ParsedCommand::Unknown {
                cmd: "python3 -c 'print(42)'".to_string()
            }],
@@ -410,7 +411,7 @@ async fn test_send_user_turn_updates_sandbox_and_cwd_between_turns() -> Result<(
            cwd: first_cwd.clone(),
            approval_policy: AskForApproval::Never,
            sandbox_policy: SandboxPolicy::WorkspaceWrite {
-                writable_roots: vec![first_cwd.try_into()?],
+                writable_roots: vec![first_cwd.clone()],
                network_access: false,
                exclude_tmpdir_env_var: false,
                exclude_slash_tmp: false,
--- a/codex-rs/app-server/tests/suite/config.rs
+++ b/codex-rs/app-server/tests/suite/config.rs
@@ -1,6 +1,5 @@
 use anyhow::Result;
 use app_test_support::McpProcess;
-use app_test_support::test_tmp_path;
 use app_test_support::to_response;
 use codex_app_server_protocol::GetUserSavedConfigResponse;
 use codex_app_server_protocol::JSONRPCResponse;
@@ -24,12 +23,10 @@ use tokio::time::timeout;
 const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);

 fn create_config_toml(codex_home: &Path) -> std::io::Result<()> {
-    let writable_root = test_tmp_path();
    let config_toml = codex_home.join("config.toml");
    std::fs::write(
        config_toml,
-        format!(
-            r#"
+        r#"
 model = "gpt-5.1-codex-max"
 approval_policy = "on-request"
 sandbox_mode = "workspace-write"
@@ -41,7 +38,7 @@ forced_chatgpt_workspace_id = "12345678-0000-0000-0000-000000000000"
 forced_login_method = "chatgpt"

 [sandbox_workspace_write]
-writable_roots = [{}]
+writable_roots = ["/tmp"]
 network_access = true
 exclude_tmpdir_env_var = true
 exclude_slash_tmp = true
@@ -59,8 +56,6 @@ model_verbosity = "medium"
 model_provider = "openai"
 chatgpt_base_url = "https://api.chatgpt.com"
 "#,
-            serde_json::json!(writable_root)
-        ),
    )
 }

@@ -80,13 +75,12 @@ async fn get_config_toml_parses_all_fields() -> Result<()> {
    .await??;

    let config: GetUserSavedConfigResponse = to_response(resp)?;
-    let writable_root = test_tmp_path();
    let expected = GetUserSavedConfigResponse {
        config: UserSavedConfig {
            approval_policy: Some(AskForApproval::OnRequest),
            sandbox_mode: Some(SandboxMode::WorkspaceWrite),
            sandbox_settings: Some(SandboxSettings {
-                writable_roots: vec![writable_root],
+                writable_roots: vec!["/tmp".into()],
                network_access: Some(true),
                exclude_tmpdir_env_var: Some(true),
                exclude_slash_tmp: Some(true),
--- a/codex-rs/app-server/tests/suite/list_resume.rs
+++ b/codex-rs/app-server/tests/suite/list_resume.rs
@@ -358,81 +358,3 @@ async fn test_list_and_resume_conversations() -> Result<()> {

    Ok(())
 }
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn list_conversations_fetches_through_filtered_pages() -> Result<()> {
-    let codex_home = TempDir::new()?;
-
-    // Only the last 3 conversations match the provider filter; request 3 and
-    // ensure pagination keeps fetching past non-matching pages.
-    let cases = [
-        (
-            "2025-03-04T12-00-00",
-            "2025-03-04T12:00:00Z",
-            "skip_provider",
-        ),
-        (
-            "2025-03-03T12-00-00",
-            "2025-03-03T12:00:00Z",
-            "skip_provider",
-        ),
-        (
-            "2025-03-02T12-00-00",
-            "2025-03-02T12:00:00Z",
-            "target_provider",
-        ),
-        (
-            "2025-03-01T12-00-00",
-            "2025-03-01T12:00:00Z",
-            "target_provider",
-        ),
-        (
-            "2025-02-28T12-00-00",
-            "2025-02-28T12:00:00Z",
-            "target_provider",
-        ),
-    ];
-
-    for (ts_file, ts_rfc, provider) in cases {
-        create_fake_rollout(
-            codex_home.path(),
-            ts_file,
-            ts_rfc,
-            "Hello",
-            Some(provider),
-            None,
-        )?;
-    }
-
-    let mut mcp = McpProcess::new(codex_home.path()).await?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
-
-    let req_id = mcp
-        .send_list_conversations_request(ListConversationsParams {
-            page_size: Some(3),
-            cursor: None,
-            model_providers: Some(vec!["target_provider".to_string()]),
-        })
-        .await?;
-    let resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(req_id)),
-    )
-    .await??;
-    let ListConversationsResponse { items, next_cursor } =
-        to_response::<ListConversationsResponse>(resp)?;
-
-    assert_eq!(
-        items.len(),
-        3,
-        "should fetch across pages to satisfy the limit"
-    );
-    assert!(
-        items
-            .iter()
-            .all(|item| item.model_provider == "target_provider")
-    );
-    assert_eq!(next_cursor, None);
-
-    Ok(())
-}
--- a/codex-rs/app-server/tests/suite/login.rs
+++ b/codex-rs/app-server/tests/suite/login.rs
@@ -1,6 +1,8 @@
 use anyhow::Result;
 use app_test_support::McpProcess;
 use app_test_support::to_response;
+use codex_app_server_protocol::CancelLoginChatGptParams;
+use codex_app_server_protocol::CancelLoginChatGptResponse;
 use codex_app_server_protocol::GetAuthStatusParams;
 use codex_app_server_protocol::GetAuthStatusResponse;
 use codex_app_server_protocol::JSONRPCError;
@@ -12,6 +14,7 @@ use codex_core::auth::AuthCredentialsStoreMode;
 use codex_login::login_with_api_key;
 use serial_test::serial;
 use std::path::Path;
+use std::time::Duration;
 use tempfile::TempDir;
 use tokio::time::timeout;

@@ -84,6 +87,48 @@ async fn logout_chatgpt_removes_auth() -> Result<()> {
    Ok(())
 }

+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+// Serialize tests that launch the login server since it binds to a fixed port.
+#[serial(login_port)]
+async fn login_and_cancel_chatgpt() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_config_toml(codex_home.path())?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let login_id = mcp.send_login_chat_gpt_request().await?;
+    let login_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(login_id)),
+    )
+    .await??;
+    let login: LoginChatGptResponse = to_response(login_resp)?;
+
+    let cancel_id = mcp
+        .send_cancel_login_chat_gpt_request(CancelLoginChatGptParams {
+            login_id: login.login_id,
+        })
+        .await?;
+    let cancel_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(cancel_id)),
+    )
+    .await??;
+    let _ok: CancelLoginChatGptResponse = to_response(cancel_resp)?;
+
+    // Optionally observe the completion notification; do not fail if it races.
+    let maybe_note = timeout(
+        Duration::from_secs(2),
+        mcp.read_stream_until_notification_message("codex/event/login_chat_gpt_complete"),
+    )
+    .await;
+    if maybe_note.is_err() {
+        eprintln!("warning: did not observe login_chat_gpt_complete notification after cancel");
+    }
+    Ok(())
+}
+
 fn create_config_toml_forced_login(codex_home: &Path, forced_method: &str) -> std::io::Result<()> {
    let config_toml = codex_home.join("config.toml");
    let contents = format!(
--- a/codex-rs/app-server/tests/suite/v2/account.rs
+++ b/codex-rs/app-server/tests/suite/v2/account.rs
@@ -241,7 +241,7 @@ async fn login_account_chatgpt_rejected_when_forced_api() -> Result<()> {
 #[tokio::test]
 // Serialize tests that launch the login server since it binds to a fixed port.
 #[serial(login_port)]
-async fn login_account_chatgpt_start_can_be_cancelled() -> Result<()> {
+async fn login_account_chatgpt_start() -> Result<()> {
    let codex_home = TempDir::new()?;
    create_config_toml(codex_home.path(), CreateConfigTomlParams::default())?;

--- a/codex-rs/app-server/tests/suite/v2/config_rpc.rs
+++ b/codex-rs/app-server/tests/suite/v2/config_rpc.rs
@@ -1,9 +1,6 @@
 use anyhow::Result;
 use app_test_support::McpProcess;
-use app_test_support::test_path_buf_with_windows;
-use app_test_support::test_tmp_path_buf;
 use app_test_support::to_response;
-use codex_app_server_protocol::AskForApproval;
 use codex_app_server_protocol::ConfigBatchWriteParams;
 use codex_app_server_protocol::ConfigEdit;
 use codex_app_server_protocol::ConfigLayerName;
@@ -15,8 +12,6 @@ use codex_app_server_protocol::JSONRPCError;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::MergeStrategy;
 use codex_app_server_protocol::RequestId;
-use codex_app_server_protocol::SandboxMode;
-use codex_app_server_protocol::ToolsV2;
 use codex_app_server_protocol::WriteStatus;
 use pretty_assertions::assert_eq;
 use serde_json::json;
@@ -62,7 +57,7 @@ sandbox_mode = "workspace-write"
        layers,
    } = to_response(resp)?;

-    assert_eq!(config.model.as_deref(), Some("gpt-user"));
+    assert_eq!(config.get("model"), Some(&json!("gpt-user")));
    assert_eq!(
        origins.get("model").expect("origin").name,
        ConfigLayerName::User
@@ -76,97 +71,31 @@ sandbox_mode = "workspace-write"
 }

 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn config_read_includes_tools() -> Result<()> {
+async fn config_read_includes_system_layer_and_overrides() -> Result<()> {
    let codex_home = TempDir::new()?;
    write_config(
        &codex_home,
        r#"
 model = "gpt-user"
-
-[tools]
-web_search = true
-view_image = false
-"#,
-    )?;
-
-    let mut mcp = McpProcess::new(codex_home.path()).await?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
-
-    let request_id = mcp
-        .send_config_read_request(ConfigReadParams {
-            include_layers: true,
-        })
-        .await?;
-    let resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
-    )
-    .await??;
-    let ConfigReadResponse {
-        config,
-        origins,
-        layers,
-    } = to_response(resp)?;
-
-    let tools = config.tools.expect("tools present");
-    assert_eq!(
-        tools,
-        ToolsV2 {
-            web_search: Some(true),
-            view_image: Some(false),
-        }
-    );
-    assert_eq!(
-        origins.get("tools.web_search").expect("origin").name,
-        ConfigLayerName::User
-    );
-    assert_eq!(
-        origins.get("tools.view_image").expect("origin").name,
-        ConfigLayerName::User
-    );
-
-    let layers = layers.expect("layers present");
-    assert_eq!(layers.len(), 2);
-    assert_eq!(layers[0].name, ConfigLayerName::SessionFlags);
-    assert_eq!(layers[1].name, ConfigLayerName::User);
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn config_read_includes_system_layer_and_overrides() -> Result<()> {
-    let codex_home = TempDir::new()?;
-    let user_dir = test_path_buf_with_windows("/user", Some(r"C:\Users\user"));
-    let system_dir = test_path_buf_with_windows("/system", Some(r"C:\System"));
-    write_config(
-        &codex_home,
-        &format!(
-            r#"
-model = "gpt-user"
 approval_policy = "on-request"
 sandbox_mode = "workspace-write"

 [sandbox_workspace_write]
-writable_roots = [{}]
+writable_roots = ["/user"]
 network_access = true
 "#,
-            serde_json::json!(user_dir)
-        ),
    )?;

    let managed_path = codex_home.path().join("managed_config.toml");
    std::fs::write(
        &managed_path,
-        format!(
-            r#"
+        r#"
 model = "gpt-system"
 approval_policy = "never"

 [sandbox_workspace_write]
-writable_roots = [{}]
+writable_roots = ["/system"]
 "#,
-            serde_json::json!(system_dir.clone())
-        ),
    )?;

    let managed_path_str = managed_path.display().to_string();
@@ -194,29 +123,30 @@ writable_roots = [{}]
        layers,
    } = to_response(resp)?;

-    assert_eq!(config.model.as_deref(), Some("gpt-system"));
+    assert_eq!(config.get("model"), Some(&json!("gpt-system")));
    assert_eq!(
        origins.get("model").expect("origin").name,
        ConfigLayerName::System
    );

-    assert_eq!(config.approval_policy, Some(AskForApproval::Never));
+    assert_eq!(config.get("approval_policy"), Some(&json!("never")));
    assert_eq!(
        origins.get("approval_policy").expect("origin").name,
        ConfigLayerName::System
    );

-    assert_eq!(config.sandbox_mode, Some(SandboxMode::WorkspaceWrite));
+    assert_eq!(config.get("sandbox_mode"), Some(&json!("workspace-write")));
    assert_eq!(
        origins.get("sandbox_mode").expect("origin").name,
        ConfigLayerName::User
    );

-    let sandbox = config
-        .sandbox_workspace_write
-        .as_ref()
-        .expect("sandbox workspace write");
-    assert_eq!(sandbox.writable_roots, vec![system_dir]);
+    assert_eq!(
+        config
+            .get("sandbox_workspace_write")
+            .and_then(|v| v.get("writable_roots")),
+        Some(&json!(["/system"]))
+    );
    assert_eq!(
        origins
            .get("sandbox_workspace_write.writable_roots.0")
@@ -225,7 +155,12 @@ writable_roots = [{}]
        ConfigLayerName::System
    );

-    assert!(sandbox.network_access);
+    assert_eq!(
+        config
+            .get("sandbox_workspace_write")
+            .and_then(|v| v.get("network_access")),
+        Some(&json!(true))
+    );
    assert_eq!(
        origins
            .get("sandbox_workspace_write.network_access")
@@ -307,7 +242,7 @@ model = "gpt-old"
    )
    .await??;
    let verify: ConfigReadResponse = to_response(verify_resp)?;
-    assert_eq!(verify.config.model.as_deref(), Some("gpt-new"));
+    assert_eq!(verify.config.get("model"), Some(&json!("gpt-new")));

    Ok(())
 }
@@ -359,7 +294,6 @@ async fn config_batch_write_applies_multiple_edits() -> Result<()> {
    let mut mcp = McpProcess::new(codex_home.path()).await?;
    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;

-    let writable_root = test_tmp_path_buf();
    let batch_id = mcp
        .send_config_batch_write_request(ConfigBatchWriteParams {
            file_path: Some(codex_home.path().join("config.toml").display().to_string()),
@@ -372,7 +306,7 @@ async fn config_batch_write_applies_multiple_edits() -> Result<()> {
                ConfigEdit {
                    key_path: "sandbox_workspace_write".to_string(),
                    value: json!({
-                        "writable_roots": [writable_root.clone()],
+                        "writable_roots": ["/tmp"],
                        "network_access": false
                    }),
                    merge_strategy: MergeStrategy::Replace,
@@ -408,14 +342,22 @@ async fn config_batch_write_applies_multiple_edits() -> Result<()> {
    )
    .await??;
    let read: ConfigReadResponse = to_response(read_resp)?;
-    assert_eq!(read.config.sandbox_mode, Some(SandboxMode::WorkspaceWrite));
-    let sandbox = read
-        .config
-        .sandbox_workspace_write
-        .as_ref()
-        .expect("sandbox workspace write");
-    assert_eq!(sandbox.writable_roots, vec![writable_root]);
-    assert!(!sandbox.network_access);
+    assert_eq!(
+        read.config.get("sandbox_mode"),
+        Some(&json!("workspace-write"))
+    );
+    assert_eq!(
+        read.config
+            .get("sandbox_workspace_write")
+            .and_then(|v| v.get("writable_roots")),
+        Some(&json!(["/tmp"]))
+    );
+    assert_eq!(
+        read.config
+            .get("sandbox_workspace_write")
+            .and_then(|v| v.get("network_access")),
+        Some(&json!(false))
+    );

    Ok(())
 }
--- a/codex-rs/app-server/tests/suite/v2/model_list.rs
+++ b/codex-rs/app-server/tests/suite/v2/model_list.rs
@@ -1,36 +1,35 @@
 use std::time::Duration;

 use anyhow::Result;
+use anyhow::anyhow;
 use app_test_support::McpProcess;
 use app_test_support::to_response;
-use app_test_support::write_models_cache;
-use codex_app_server_protocol::JSONRPCNotification;
+use codex_app_server_protocol::JSONRPCError;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::Model;
 use codex_app_server_protocol::ModelListParams;
 use codex_app_server_protocol::ModelListResponse;
 use codex_app_server_protocol::ReasoningEffortOption;
 use codex_app_server_protocol::RequestId;
-use codex_app_server_protocol::ServerNotification;
 use codex_protocol::openai_models::ReasoningEffort;
 use pretty_assertions::assert_eq;
 use tempfile::TempDir;
 use tokio::time::timeout;

 const DEFAULT_TIMEOUT: Duration = Duration::from_secs(10);
+const INVALID_REQUEST_ERROR_CODE: i64 = -32600;

 #[tokio::test]
-async fn list_models_returns_empty_response_and_notification() -> Result<()> {
+async fn list_models_returns_all_models_with_large_limit() -> Result<()> {
    let codex_home = TempDir::new()?;
-    write_models_cache(codex_home.path())?;
    let mut mcp = McpProcess::new(codex_home.path()).await?;

    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;

    let request_id = mcp
        .send_list_models_request(ModelListParams {
-            limit: Some(1),
-            cursor: Some("ignored".to_string()),
+            limit: Some(100),
+            cursor: None,
        })
        .await?;

@@ -40,24 +39,12 @@ async fn list_models_returns_empty_response_and_notification() -> Result<()> {
    )
    .await??;

-    let ModelListResponse {} = to_response::<ModelListResponse>(response)?;
+    let ModelListResponse {
+        data: items,
+        next_cursor,
+    } = to_response::<ModelListResponse>(response)?;

-    let notification: JSONRPCNotification = timeout(
-        DEFAULT_TIMEOUT,
-        mcp.read_stream_until_notification_message("model/presets/updated"),
-    )
-    .await??;
-    let server_notification: ServerNotification = notification.try_into()?;
-    let ServerNotification::ModelPresetsUpdated(payload) = server_notification else {
-        unreachable!("expected model/presets/updated notification");
-    };
-
-    assert_eq!(payload.models, expected_models());
-    Ok(())
-}
-
-fn expected_models() -> Vec<Model> {
-    vec![
+    let expected_models = vec![
        Model {
            id: "gpt-5.1-codex-max".to_string(),
            model: "gpt-5.1-codex-max".to_string(),
@@ -75,7 +62,7 @@ fn expected_models() -> Vec<Model> {
                },
                ReasoningEffortOption {
                    reasoning_effort: ReasoningEffort::High,
-                    description: "Greater reasoning depth for complex problems".to_string(),
+                    description: "Maximizes reasoning depth for complex problems".to_string(),
                },
                ReasoningEffortOption {
                    reasoning_effort: ReasoningEffort::XHigh,
@@ -127,39 +114,6 @@ fn expected_models() -> Vec<Model> {
            default_reasoning_effort: ReasoningEffort::Medium,
            is_default: false,
        },
-        Model {
-            id: "gpt-5.2".to_string(),
-            model: "gpt-5.2".to_string(),
-            display_name: "gpt-5.2".to_string(),
-            description:
-                "Latest frontier model with improvements across knowledge, reasoning and coding"
-                    .to_string(),
-            supported_reasoning_efforts: vec![
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::Low,
-                    description: "Balances speed with some reasoning; useful for straightforward \
-                                   queries and short explanations"
-                        .to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::Medium,
-                    description: "Provides a solid balance of reasoning depth and latency for \
-                         general-purpose tasks"
-                        .to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::High,
-                    description: "Greater reasoning depth for complex or ambiguous problems"
-                        .to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::XHigh,
-                    description: "Extra high reasoning for complex problems".to_string(),
-                },
-            ],
-            default_reasoning_effort: ReasoningEffort::Medium,
-            is_default: false,
-        },
        Model {
            id: "gpt-5.1".to_string(),
            model: "gpt-5.1".to_string(),
@@ -187,5 +141,132 @@ fn expected_models() -> Vec<Model> {
            default_reasoning_effort: ReasoningEffort::Medium,
            is_default: false,
        },
-    ]
+    ];
+
+    assert_eq!(items, expected_models);
+    assert!(next_cursor.is_none());
+    Ok(())
+}
+
+#[tokio::test]
+async fn list_models_pagination_works() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+
+    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;
+
+    let first_request = mcp
+        .send_list_models_request(ModelListParams {
+            limit: Some(1),
+            cursor: None,
+        })
+        .await?;
+
+    let first_response: JSONRPCResponse = timeout(
+        DEFAULT_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(first_request)),
+    )
+    .await??;
+
+    let ModelListResponse {
+        data: first_items,
+        next_cursor: first_cursor,
+    } = to_response::<ModelListResponse>(first_response)?;
+
+    assert_eq!(first_items.len(), 1);
+    assert_eq!(first_items[0].id, "gpt-5.1-codex-max");
+    let next_cursor = first_cursor.ok_or_else(|| anyhow!("cursor for second page"))?;
+
+    let second_request = mcp
+        .send_list_models_request(ModelListParams {
+            limit: Some(1),
+            cursor: Some(next_cursor.clone()),
+        })
+        .await?;
+
+    let second_response: JSONRPCResponse = timeout(
+        DEFAULT_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(second_request)),
+    )
+    .await??;
+
+    let ModelListResponse {
+        data: second_items,
+        next_cursor: second_cursor,
+    } = to_response::<ModelListResponse>(second_response)?;
+
+    assert_eq!(second_items.len(), 1);
+    assert_eq!(second_items[0].id, "gpt-5.1-codex");
+    let third_cursor = second_cursor.ok_or_else(|| anyhow!("cursor for third page"))?;
+
+    let third_request = mcp
+        .send_list_models_request(ModelListParams {
+            limit: Some(1),
+            cursor: Some(third_cursor.clone()),
+        })
+        .await?;
+
+    let third_response: JSONRPCResponse = timeout(
+        DEFAULT_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(third_request)),
+    )
+    .await??;
+
+    let ModelListResponse {
+        data: third_items,
+        next_cursor: third_cursor,
+    } = to_response::<ModelListResponse>(third_response)?;
+
+    assert_eq!(third_items.len(), 1);
+    assert_eq!(third_items[0].id, "gpt-5.1-codex-mini");
+    let fourth_cursor = third_cursor.ok_or_else(|| anyhow!("cursor for fourth page"))?;
+
+    let fourth_request = mcp
+        .send_list_models_request(ModelListParams {
+            limit: Some(1),
+            cursor: Some(fourth_cursor.clone()),
+        })
+        .await?;
+
+    let fourth_response: JSONRPCResponse = timeout(
+        DEFAULT_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(fourth_request)),
+    )
+    .await??;
+
+    let ModelListResponse {
+        data: fourth_items,
+        next_cursor: fourth_cursor,
+    } = to_response::<ModelListResponse>(fourth_response)?;
+
+    assert_eq!(fourth_items.len(), 1);
+    assert_eq!(fourth_items[0].id, "gpt-5.1");
+    assert!(fourth_cursor.is_none());
+    Ok(())
+}
+
+#[tokio::test]
+async fn list_models_rejects_invalid_cursor() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+
+    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;
+
+    let request_id = mcp
+        .send_list_models_request(ModelListParams {
+            limit: None,
+            cursor: Some("invalid".to_string()),
+        })
+        .await?;
+
+    let error: JSONRPCError = timeout(
+        DEFAULT_TIMEOUT,
+        mcp.read_stream_until_error_message(RequestId::Integer(request_id)),
+    )
+    .await??;
+
+    assert_eq!(error.id, RequestId::Integer(request_id));
+    assert_eq!(error.error.code, INVALID_REQUEST_ERROR_CODE);
+    assert_eq!(error.error.message, "invalid cursor: invalid");
+    Ok(())
 }
--- a/codex-rs/app-server/tests/suite/v2/rate_limits.rs
+++ b/codex-rs/app-server/tests/suite/v2/rate_limits.rs
@@ -11,7 +11,6 @@ use codex_app_server_protocol::RateLimitSnapshot;
 use codex_app_server_protocol::RateLimitWindow;
 use codex_app_server_protocol::RequestId;
 use codex_core::auth::AuthCredentialsStoreMode;
-use codex_protocol::account::PlanType as AccountPlanType;
 use pretty_assertions::assert_eq;
 use serde_json::json;
 use std::path::Path;
@@ -154,7 +153,6 @@ async fn get_account_rate_limits_returns_snapshot() -> Result<()> {
                resets_at: Some(secondary_reset_timestamp),
            }),
            credits: None,
-            plan_type: Some(AccountPlanType::Pro),
        },
    };
    assert_eq!(received, expected);
--- a/codex-rs/app-server/tests/suite/v2/thread_list.rs
+++ b/codex-rs/app-server/tests/suite/v2/thread_list.rs
@@ -6,96 +6,37 @@ use codex_app_server_protocol::GitInfo as ApiGitInfo;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::SessionSource;
+use codex_app_server_protocol::ThreadListParams;
 use codex_app_server_protocol::ThreadListResponse;
 use codex_protocol::protocol::GitInfo as CoreGitInfo;
-use std::path::Path;
 use std::path::PathBuf;
 use tempfile::TempDir;
 use tokio::time::timeout;

 const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);

-async fn init_mcp(codex_home: &Path) -> Result<McpProcess> {
-    let mut mcp = McpProcess::new(codex_home).await?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
-    Ok(mcp)
-}
-
-async fn list_threads(
-    mcp: &mut McpProcess,
-    cursor: Option<String>,
-    limit: Option<u32>,
-    providers: Option<Vec<String>>,
-) -> Result<ThreadListResponse> {
-    let request_id = mcp
-        .send_thread_list_request(codex_app_server_protocol::ThreadListParams {
-            cursor,
-            limit,
-            model_providers: providers,
-        })
-        .await?;
-    let resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
-    )
-    .await??;
-    to_response::<ThreadListResponse>(resp)
-}
-
-fn create_fake_rollouts<F, G>(
-    codex_home: &Path,
-    count: usize,
-    provider_for_index: F,
-    timestamp_for_index: G,
-    preview: &str,
-) -> Result<Vec<String>>
-where
-    F: Fn(usize) -> &'static str,
-    G: Fn(usize) -> (String, String),
-{
-    let mut ids = Vec::with_capacity(count);
-    for i in 0..count {
-        let (ts_file, ts_rfc) = timestamp_for_index(i);
-        ids.push(create_fake_rollout(
-            codex_home,
-            &ts_file,
-            &ts_rfc,
-            preview,
-            Some(provider_for_index(i)),
-            None,
-        )?);
-    }
-    Ok(ids)
-}
-
-fn timestamp_at(
-    year: i32,
-    month: u32,
-    day: u32,
-    hour: u32,
-    minute: u32,
-    second: u32,
-) -> (String, String) {
-    (
-        format!("{year:04}-{month:02}-{day:02}T{hour:02}-{minute:02}-{second:02}"),
-        format!("{year:04}-{month:02}-{day:02}T{hour:02}:{minute:02}:{second:02}Z"),
-    )
-}
-
 #[tokio::test]
 async fn thread_list_basic_empty() -> Result<()> {
    let codex_home = TempDir::new()?;
    create_minimal_config(codex_home.path())?;

-    let mut mcp = init_mcp(codex_home.path()).await?;
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;

-    let ThreadListResponse { data, next_cursor } = list_threads(
-        &mut mcp,
-        None,
-        Some(10),
-        Some(vec!["mock_provider".to_string()]),
+    // List threads in an empty CODEX_HOME; should return an empty page with nextCursor: null.
+    let list_id = mcp
+        .send_thread_list_request(ThreadListParams {
+            cursor: None,
+            limit: Some(10),
+            model_providers: Some(vec!["mock_provider".to_string()]),
+        })
+        .await?;
+    let list_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(list_id)),
    )
-    .await?;
+    .await??;
+    let ThreadListResponse { data, next_cursor } = to_response::<ThreadListResponse>(list_resp)?;
    assert!(data.is_empty());
    assert_eq!(next_cursor, None);

@@ -145,19 +86,26 @@ async fn thread_list_pagination_next_cursor_none_on_last_page() -> Result<()> {
        None,
    )?;

-    let mut mcp = init_mcp(codex_home.path()).await?;
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;

    // Page 1: limit 2 → expect next_cursor Some.
+    let page1_id = mcp
+        .send_thread_list_request(ThreadListParams {
+            cursor: None,
+            limit: Some(2),
+            model_providers: Some(vec!["mock_provider".to_string()]),
+        })
+        .await?;
+    let page1_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(page1_id)),
+    )
+    .await??;
    let ThreadListResponse {
        data: data1,
        next_cursor: cursor1,
-    } = list_threads(
-        &mut mcp,
-        None,
-        Some(2),
-        Some(vec!["mock_provider".to_string()]),
-    )
-    .await?;
+    } = to_response::<ThreadListResponse>(page1_resp)?;
    assert_eq!(data1.len(), 2);
    for thread in &data1 {
        assert_eq!(thread.preview, "Hello");
@@ -171,16 +119,22 @@ async fn thread_list_pagination_next_cursor_none_on_last_page() -> Result<()> {
    let cursor1 = cursor1.expect("expected nextCursor on first page");

    // Page 2: with cursor → expect next_cursor None when no more results.
+    let page2_id = mcp
+        .send_thread_list_request(ThreadListParams {
+            cursor: Some(cursor1),
+            limit: Some(2),
+            model_providers: Some(vec!["mock_provider".to_string()]),
+        })
+        .await?;
+    let page2_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(page2_id)),
+    )
+    .await??;
    let ThreadListResponse {
        data: data2,
        next_cursor: cursor2,
-    } = list_threads(
-        &mut mcp,
-        Some(cursor1),
-        Some(2),
-        Some(vec!["mock_provider".to_string()]),
-    )
-    .await?;
+    } = to_response::<ThreadListResponse>(page2_resp)?;
    assert!(data2.len() <= 2);
    for thread in &data2 {
        assert_eq!(thread.preview, "Hello");
@@ -219,16 +173,23 @@ async fn thread_list_respects_provider_filter() -> Result<()> {
        None,
    )?;

-    let mut mcp = init_mcp(codex_home.path()).await?;
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;

    // Filter to only other_provider; expect 1 item, nextCursor None.
-    let ThreadListResponse { data, next_cursor } = list_threads(
-        &mut mcp,
-        None,
-        Some(10),
-        Some(vec!["other_provider".to_string()]),
+    let list_id = mcp
+        .send_thread_list_request(ThreadListParams {
+            cursor: None,
+            limit: Some(10),
+            model_providers: Some(vec!["other_provider".to_string()]),
+        })
+        .await?;
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(list_id)),
    )
-    .await?;
+    .await??;
+    let ThreadListResponse { data, next_cursor } = to_response::<ThreadListResponse>(resp)?;
    assert_eq!(data.len(), 1);
    assert_eq!(next_cursor, None);
    let thread = &data[0];
@@ -244,146 +205,6 @@ async fn thread_list_respects_provider_filter() -> Result<()> {
    Ok(())
 }

-#[tokio::test]
-async fn thread_list_fetches_until_limit_or_exhausted() -> Result<()> {
-    let codex_home = TempDir::new()?;
-    create_minimal_config(codex_home.path())?;
-
-    // Newest 16 conversations belong to a different provider; the older 8 are the
-    // only ones that match the filter. We request 8 so the server must keep
-    // paging past the first two pages to reach the desired count.
-    create_fake_rollouts(
-        codex_home.path(),
-        24,
-        |i| {
-            if i < 16 {
-                "skip_provider"
-            } else {
-                "target_provider"
-            }
-        },
-        |i| timestamp_at(2025, 3, 30 - i as u32, 12, 0, 0),
-        "Hello",
-    )?;
-
-    let mut mcp = init_mcp(codex_home.path()).await?;
-
-    // Request 8 threads for the target provider; the matches only start on the
-    // third page so we rely on pagination to reach the limit.
-    let ThreadListResponse { data, next_cursor } = list_threads(
-        &mut mcp,
-        None,
-        Some(8),
-        Some(vec!["target_provider".to_string()]),
-    )
-    .await?;
-    assert_eq!(
-        data.len(),
-        8,
-        "should keep paging until the requested count is filled"
-    );
-    assert!(
-        data.iter()
-            .all(|thread| thread.model_provider == "target_provider"),
-        "all returned threads must match the requested provider"
-    );
-    assert_eq!(
-        next_cursor, None,
-        "once the requested count is satisfied on the final page, nextCursor should be None"
-    );
-
-    Ok(())
-}
-
-#[tokio::test]
-async fn thread_list_enforces_max_limit() -> Result<()> {
-    let codex_home = TempDir::new()?;
-    create_minimal_config(codex_home.path())?;
-
-    create_fake_rollouts(
-        codex_home.path(),
-        105,
-        |_| "mock_provider",
-        |i| {
-            let month = 5 + (i / 28);
-            let day = (i % 28) + 1;
-            timestamp_at(2025, month as u32, day as u32, 0, 0, 0)
-        },
-        "Hello",
-    )?;
-
-    let mut mcp = init_mcp(codex_home.path()).await?;
-
-    let ThreadListResponse { data, next_cursor } = list_threads(
-        &mut mcp,
-        None,
-        Some(200),
-        Some(vec!["mock_provider".to_string()]),
-    )
-    .await?;
-    assert_eq!(
-        data.len(),
-        100,
-        "limit should be clamped to the maximum page size"
-    );
-    assert!(
-        next_cursor.is_some(),
-        "when more than the maximum exist, nextCursor should continue pagination"
-    );
-
-    Ok(())
-}
-
-#[tokio::test]
-async fn thread_list_stops_when_not_enough_filtered_results_exist() -> Result<()> {
-    let codex_home = TempDir::new()?;
-    create_minimal_config(codex_home.path())?;
-
-    // Only the last 7 conversations match the provider filter; we ask for 10 to
-    // ensure the server exhausts pagination without looping forever.
-    create_fake_rollouts(
-        codex_home.path(),
-        22,
-        |i| {
-            if i < 15 {
-                "skip_provider"
-            } else {
-                "target_provider"
-            }
-        },
-        |i| timestamp_at(2025, 4, 28 - i as u32, 8, 0, 0),
-        "Hello",
-    )?;
-
-    let mut mcp = init_mcp(codex_home.path()).await?;
-
-    // Request more threads than exist after filtering; expect all matches to be
-    // returned with nextCursor None.
-    let ThreadListResponse { data, next_cursor } = list_threads(
-        &mut mcp,
-        None,
-        Some(10),
-        Some(vec!["target_provider".to_string()]),
-    )
-    .await?;
-    assert_eq!(
-        data.len(),
-        7,
-        "all available filtered threads should be returned"
-    );
-    assert!(
-        data.iter()
-            .all(|thread| thread.model_provider == "target_provider"),
-        "results should still respect the provider filter"
-    );
-    assert_eq!(
-        next_cursor, None,
-        "when results are exhausted before reaching the limit, nextCursor should be None"
-    );
-
-    Ok(())
-}
-
 #[tokio::test]
 async fn thread_list_includes_git_info() -> Result<()> {
    let codex_home = TempDir::new()?;
@@ -403,15 +224,22 @@ async fn thread_list_includes_git_info() -> Result<()> {
        Some(git_info),
    )?;

-    let mut mcp = init_mcp(codex_home.path()).await?;
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;

-    let ThreadListResponse { data, .. } = list_threads(
-        &mut mcp,
-        None,
-        Some(10),
-        Some(vec!["mock_provider".to_string()]),
+    let list_id = mcp
+        .send_thread_list_request(ThreadListParams {
+            cursor: None,
+            limit: Some(10),
+            model_providers: Some(vec!["mock_provider".to_string()]),
+        })
+        .await?;
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(list_id)),
    )
-    .await?;
+    .await??;
+    let ThreadListResponse { data, .. } = to_response::<ThreadListResponse>(resp)?;
    let thread = data
        .iter()
        .find(|t| t.id == conversation_id)
--- a/codex-rs/app-server/tests/suite/v2/turn_start.rs
+++ b/codex-rs/app-server/tests/suite/v2/turn_start.rs
@@ -427,6 +427,7 @@ async fn turn_start_exec_approval_decline_v2() -> Result<()> {
        request_id,
        serde_json::to_value(CommandExecutionRequestApprovalResponse {
            decision: ApprovalDecision::Decline,
+            accept_settings: None,
        })?,
    )
    .await?;
@@ -532,7 +533,7 @@ async fn turn_start_updates_sandbox_and_cwd_between_turns_v2() -> Result<()> {
            cwd: Some(first_cwd.clone()),
            approval_policy: Some(codex_app_server_protocol::AskForApproval::Never),
            sandbox_policy: Some(codex_app_server_protocol::SandboxPolicy::WorkspaceWrite {
-                writable_roots: vec![first_cwd.try_into()?],
+                writable_roots: vec![first_cwd.clone()],
                network_access: false,
                exclude_tmpdir_env_var: false,
                exclude_slash_tmp: false,
--- a/codex-rs/apply-patch/src/invocation.rs
+++ b/codex-rs/apply-patch/src/invocation.rs
@@ -1,369 +0,0 @@
-use std::collections::HashMap;
-use std::path::Path;
-use std::sync::LazyLock;
-
-use tree_sitter::Parser;
-use tree_sitter::Query;
-use tree_sitter::QueryCursor;
-use tree_sitter::StreamingIterator;
-use tree_sitter_bash::LANGUAGE as BASH;
-
-use crate::ApplyPatchAction;
-use crate::ApplyPatchArgs;
-use crate::ApplyPatchError;
-use crate::ApplyPatchFileChange;
-use crate::ApplyPatchFileUpdate;
-use crate::IoError;
-use crate::MaybeApplyPatchVerified;
-use crate::parser::Hunk;
-use crate::parser::ParseError;
-use crate::parser::parse_patch;
-use crate::unified_diff_from_chunks;
-use std::str::Utf8Error;
-use tree_sitter::LanguageError;
-
-const APPLY_PATCH_COMMANDS: [&str; 2] = ["apply_patch", "applypatch"];
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-enum ApplyPatchShell {
-    Unix,
-    PowerShell,
-    Cmd,
-}
-
-#[derive(Debug, PartialEq)]
-pub enum MaybeApplyPatch {
-    Body(ApplyPatchArgs),
-    ShellParseError(ExtractHeredocError),
-    PatchParseError(ParseError),
-    NotApplyPatch,
-}
-
-#[derive(Debug, PartialEq)]
-pub enum ExtractHeredocError {
-    CommandDidNotStartWithApplyPatch,
-    FailedToLoadBashGrammar(LanguageError),
-    HeredocNotUtf8(Utf8Error),
-    FailedToParsePatchIntoAst,
-    FailedToFindHeredocBody,
-}
-
-fn classify_shell_name(shell: &str) -> Option<String> {
-    std::path::Path::new(shell)
-        .file_stem()
-        .and_then(|name| name.to_str())
-        .map(str::to_ascii_lowercase)
-}
-
-fn classify_shell(shell: &str, flag: &str) -> Option<ApplyPatchShell> {
-    classify_shell_name(shell).and_then(|name| match name.as_str() {
-        "bash" | "zsh" | "sh" if matches!(flag, "-lc" | "-c") => Some(ApplyPatchShell::Unix),
-        "pwsh" | "powershell" if flag.eq_ignore_ascii_case("-command") => {
-            Some(ApplyPatchShell::PowerShell)
-        }
-        "cmd" if flag.eq_ignore_ascii_case("/c") => Some(ApplyPatchShell::Cmd),
-        _ => None,
-    })
-}
-
-fn can_skip_flag(shell: &str, flag: &str) -> bool {
-    classify_shell_name(shell).is_some_and(|name| {
-        matches!(name.as_str(), "pwsh" | "powershell") && flag.eq_ignore_ascii_case("-noprofile")
-    })
-}
-
-fn parse_shell_script(argv: &[String]) -> Option<(ApplyPatchShell, &str)> {
-    match argv {
-        [shell, flag, script] => classify_shell(shell, flag).map(|shell_type| {
-            let script = script.as_str();
-            (shell_type, script)
-        }),
-        [shell, skip_flag, flag, script] if can_skip_flag(shell, skip_flag) => {
-            classify_shell(shell, flag).map(|shell_type| {
-                let script = script.as_str();
-                (shell_type, script)
-            })
-        }
-        _ => None,
-    }
-}
-
-fn extract_apply_patch_from_shell(
-    shell: ApplyPatchShell,
-    script: &str,
-) -> std::result::Result<(String, Option<String>), ExtractHeredocError> {
-    match shell {
-        ApplyPatchShell::Unix | ApplyPatchShell::PowerShell | ApplyPatchShell::Cmd => {
-            extract_apply_patch_from_bash(script)
-        }
-    }
-}
-
-// TODO: make private once we remove tests in lib.rs
-pub fn maybe_parse_apply_patch(argv: &[String]) -> MaybeApplyPatch {
-    match argv {
-        // Direct invocation: apply_patch <patch>
-        [cmd, body] if APPLY_PATCH_COMMANDS.contains(&cmd.as_str()) => match parse_patch(body) {
-            Ok(source) => MaybeApplyPatch::Body(source),
-            Err(e) => MaybeApplyPatch::PatchParseError(e),
-        },
-        // Shell heredoc form: (optional `cd <path> &&`) apply_patch <<'EOF' ...
-        _ => match parse_shell_script(argv) {
-            Some((shell, script)) => match extract_apply_patch_from_shell(shell, script) {
-                Ok((body, workdir)) => match parse_patch(&body) {
-                    Ok(mut source) => {
-                        source.workdir = workdir;
-                        MaybeApplyPatch::Body(source)
-                    }
-                    Err(e) => MaybeApplyPatch::PatchParseError(e),
-                },
-                Err(ExtractHeredocError::CommandDidNotStartWithApplyPatch) => {
-                    MaybeApplyPatch::NotApplyPatch
-                }
-                Err(e) => MaybeApplyPatch::ShellParseError(e),
-            },
-            None => MaybeApplyPatch::NotApplyPatch,
-        },
-    }
-}
-
-/// cwd must be an absolute path so that we can resolve relative paths in the
-/// patch.
-pub fn maybe_parse_apply_patch_verified(argv: &[String], cwd: &Path) -> MaybeApplyPatchVerified {
-    // Detect a raw patch body passed directly as the command or as the body of a shell
-    // script. In these cases, report an explicit error rather than applying the patch.
-    if let [body] = argv
-        && parse_patch(body).is_ok()
-    {
-        return MaybeApplyPatchVerified::CorrectnessError(ApplyPatchError::ImplicitInvocation);
-    }
-    if let Some((_, script)) = parse_shell_script(argv)
-        && parse_patch(script).is_ok()
-    {
-        return MaybeApplyPatchVerified::CorrectnessError(ApplyPatchError::ImplicitInvocation);
-    }
-
-    match maybe_parse_apply_patch(argv) {
-        MaybeApplyPatch::Body(ApplyPatchArgs {
-            patch,
-            hunks,
-            workdir,
-        }) => {
-            let effective_cwd = workdir
-                .as_ref()
-                .map(|dir| {
-                    let path = Path::new(dir);
-                    if path.is_absolute() {
-                        path.to_path_buf()
-                    } else {
-                        cwd.join(path)
-                    }
-                })
-                .unwrap_or_else(|| cwd.to_path_buf());
-            let mut changes = HashMap::new();
-            for hunk in hunks {
-                let path = hunk.resolve_path(&effective_cwd);
-                match hunk {
-                    Hunk::AddFile { contents, .. } => {
-                        changes.insert(path, ApplyPatchFileChange::Add { content: contents });
-                    }
-                    Hunk::DeleteFile { .. } => {
-                        let content = match std::fs::read_to_string(&path) {
-                            Ok(content) => content,
-                            Err(e) => {
-                                return MaybeApplyPatchVerified::CorrectnessError(
-                                    ApplyPatchError::IoError(IoError {
-                                        context: format!("Failed to read {}", path.display()),
-                                        source: e,
-                                    }),
-                                );
-                            }
-                        };
-                        changes.insert(path, ApplyPatchFileChange::Delete { content });
-                    }
-                    Hunk::UpdateFile {
-                        move_path, chunks, ..
-                    } => {
-                        let ApplyPatchFileUpdate {
-                            unified_diff,
-                            content: contents,
-                        } = match unified_diff_from_chunks(&path, &chunks) {
-                            Ok(diff) => diff,
-                            Err(e) => {
-                                return MaybeApplyPatchVerified::CorrectnessError(e);
-                            }
-                        };
-                        changes.insert(
-                            path,
-                            ApplyPatchFileChange::Update {
-                                unified_diff,
-                                move_path: move_path.map(|p| effective_cwd.join(p)),
-                                new_content: contents,
-                            },
-                        );
-                    }
-                }
-            }
-            MaybeApplyPatchVerified::Body(ApplyPatchAction {
-                changes,
-                patch,
-                cwd: effective_cwd,
-            })
-        }
-        MaybeApplyPatch::ShellParseError(e) => MaybeApplyPatchVerified::ShellParseError(e),
-        MaybeApplyPatch::PatchParseError(e) => MaybeApplyPatchVerified::CorrectnessError(e.into()),
-        MaybeApplyPatch::NotApplyPatch => MaybeApplyPatchVerified::NotApplyPatch,
-    }
-}
-
-/// Extract the heredoc body (and optional `cd` workdir) from a `bash -lc` script
-/// that invokes the apply_patch tool using a heredoc.
-///
-/// Supported top‑level forms (must be the only top‑level statement):
-/// - `apply_patch <<'EOF'\n...\nEOF`
-/// - `cd <path> && apply_patch <<'EOF'\n...\nEOF`
-///
-/// Notes about matching:
-/// - Parsed with Tree‑sitter Bash and a strict query that uses anchors so the
-///   heredoc‑redirected statement is the only top‑level statement.
-/// - The connector between `cd` and `apply_patch` must be `&&` (not `|` or `||`).
-/// - Exactly one positional `word` argument is allowed for `cd` (no flags, no quoted
-///   strings, no second argument).
-/// - The apply command is validated in‑query via `#any-of?` to allow `apply_patch`
-///   or `applypatch`.
-/// - Preceding or trailing commands (e.g., `echo ...;` or `... && echo done`) do not match.
-///
-/// Returns `(heredoc_body, Some(path))` when the `cd` variant matches, or
-/// `(heredoc_body, None)` for the direct form. Errors are returned if the script
-/// cannot be parsed or does not match the allowed patterns.
-fn extract_apply_patch_from_bash(
-    src: &str,
-) -> std::result::Result<(String, Option<String>), ExtractHeredocError> {
-    // This function uses a Tree-sitter query to recognize one of two
-    // whole-script forms, each expressed as a single top-level statement:
-    //
-    // 1. apply_patch <<'EOF'\n...\nEOF
-    // 2. cd <path> && apply_patch <<'EOF'\n...\nEOF
-    //
-    // Key ideas when reading the query:
-    // - dots (`.`) between named nodes enforces adjacency among named children and
-    //   anchor to the start/end of the expression.
-    // - we match a single redirected_statement directly under program with leading
-    //   and trailing anchors (`.`). This ensures it is the only top-level statement
-    //   (so prefixes like `echo ...;` or suffixes like `... && echo done` do not match).
-    //
-    // Overall, we want to be conservative and only match the intended forms, as other
-    // forms are likely to be model errors, or incorrectly interpreted by later code.
-    //
-    // If you're editing this query, it's helpful to start by creating a debugging binary
-    // which will let you see the AST of an arbitrary bash script passed in, and optionally
-    // also run an arbitrary query against the AST. This is useful for understanding
-    // how tree-sitter parses the script and whether the query syntax is correct. Be sure
-    // to test both positive and negative cases.
-    static APPLY_PATCH_QUERY: LazyLock<Query> = LazyLock::new(|| {
-        let language = BASH.into();
-        #[expect(clippy::expect_used)]
-        Query::new(
-            &language,
-            r#"
-            (
-              program
-                . (redirected_statement
-                    body: (command
-                            name: (command_name (word) @apply_name) .)
-                    (#any-of? @apply_name "apply_patch" "applypatch")
-                    redirect: (heredoc_redirect
-                                . (heredoc_start)
-                                . (heredoc_body) @heredoc
-                                . (heredoc_end)
-                                .))
-                .)
-
-            (
-              program
-                . (redirected_statement
-                    body: (list
-                            . (command
-                                name: (command_name (word) @cd_name) .
-                                argument: [
-                                  (word) @cd_path
-                                  (string (string_content) @cd_path)
-                                  (raw_string) @cd_raw_string
-                                ] .)
-                            "&&"
-                            . (command
-                                name: (command_name (word) @apply_name))
-                            .)
-                    (#eq? @cd_name "cd")
-                    (#any-of? @apply_name "apply_patch" "applypatch")
-                    redirect: (heredoc_redirect
-                                . (heredoc_start)
-                                . (heredoc_body) @heredoc
-                                . (heredoc_end)
-                                .))
-                .)
-            "#,
-        )
-        .expect("valid bash query")
-    });
-
-    let lang = BASH.into();
-    let mut parser = Parser::new();
-    parser
-        .set_language(&lang)
-        .map_err(ExtractHeredocError::FailedToLoadBashGrammar)?;
-    let tree = parser
-        .parse(src, None)
-        .ok_or(ExtractHeredocError::FailedToParsePatchIntoAst)?;
-
-    let bytes = src.as_bytes();
-    let root = tree.root_node();
-
-    let mut cursor = QueryCursor::new();
-    let mut matches = cursor.matches(&APPLY_PATCH_QUERY, root, bytes);
-    while let Some(m) = matches.next() {
-        let mut heredoc_text: Option<String> = None;
-        let mut cd_path: Option<String> = None;
-
-        for capture in m.captures.iter() {
-            let name = APPLY_PATCH_QUERY.capture_names()[capture.index as usize];
-            match name {
-                "heredoc" => {
-                    let text = capture
-                        .node
-                        .utf8_text(bytes)
-                        .map_err(ExtractHeredocError::HeredocNotUtf8)?
-                        .trim_end_matches('\n')
-                        .to_string();
-                    heredoc_text = Some(text);
-                }
-                "cd_path" => {
-                    let text = capture
-                        .node
-                        .utf8_text(bytes)
-                        .map_err(ExtractHeredocError::HeredocNotUtf8)?
-                        .to_string();
-                    cd_path = Some(text);
-                }
-                "cd_raw_string" => {
-                    let raw = capture
-                        .node
-                        .utf8_text(bytes)
-                        .map_err(ExtractHeredocError::HeredocNotUtf8)?;
-                    let trimmed = raw
-                        .strip_prefix('\'')
-                        .and_then(|s| s.strip_suffix('\''))
-                        .unwrap_or(raw);
-                    cd_path = Some(trimmed.to_string());
-                }
-                _ => {}
-            }
-        }
-
-        if let Some(heredoc) = heredoc_text {
-            return Ok((heredoc, cd_path));
-        }
-    }
-
-    Err(ExtractHeredocError::CommandDidNotStartWithApplyPatch)
-}
--- a/codex-rs/apply-patch/src/lib.rs
+++ b/codex-rs/apply-patch/src/lib.rs
@@ -1,4 +1,3 @@
-mod invocation;
 mod parser;
 mod seek_sequence;
 mod standalone_executable;
@@ -6,6 +5,8 @@ mod standalone_executable;
 use std::collections::HashMap;
 use std::path::Path;
 use std::path::PathBuf;
+use std::str::Utf8Error;
+use std::sync::LazyLock;

 use anyhow::Context;
 use anyhow::Result;
@@ -16,15 +17,27 @@ use parser::UpdateFileChunk;
 pub use parser::parse_patch;
 use similar::TextDiff;
 use thiserror::Error;
+use tree_sitter::LanguageError;
+use tree_sitter::Parser;
+use tree_sitter::Query;
+use tree_sitter::QueryCursor;
+use tree_sitter::StreamingIterator;
+use tree_sitter_bash::LANGUAGE as BASH;

-pub use invocation::maybe_parse_apply_patch_verified;
 pub use standalone_executable::main;

-use crate::invocation::ExtractHeredocError;
-
 /// Detailed instructions for gpt-4.1 on how to use the `apply_patch` tool.
 pub const APPLY_PATCH_TOOL_INSTRUCTIONS: &str = include_str!("../apply_patch_tool_instructions.md");

+const APPLY_PATCH_COMMANDS: [&str; 2] = ["apply_patch", "applypatch"];
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+enum ApplyPatchShell {
+    Unix,
+    PowerShell,
+    Cmd,
+}
+
 #[derive(Debug, Error, PartialEq)]
 pub enum ApplyPatchError {
    #[error(transparent)]
@@ -73,6 +86,14 @@ impl PartialEq for IoError {
    }
 }

+#[derive(Debug, PartialEq)]
+pub enum MaybeApplyPatch {
+    Body(ApplyPatchArgs),
+    ShellParseError(ExtractHeredocError),
+    PatchParseError(ParseError),
+    NotApplyPatch,
+}
+
 /// Both the raw PATCH argument to `apply_patch` as well as the PATCH argument
 /// parsed into hunks.
 #[derive(Debug, PartialEq)]
@@ -82,6 +103,84 @@ pub struct ApplyPatchArgs {
    pub workdir: Option<String>,
 }

+fn classify_shell_name(shell: &str) -> Option<String> {
+    std::path::Path::new(shell)
+        .file_stem()
+        .and_then(|name| name.to_str())
+        .map(str::to_ascii_lowercase)
+}
+
+fn classify_shell(shell: &str, flag: &str) -> Option<ApplyPatchShell> {
+    classify_shell_name(shell).and_then(|name| match name.as_str() {
+        "bash" | "zsh" | "sh" if flag == "-lc" => Some(ApplyPatchShell::Unix),
+        "pwsh" | "powershell" if flag.eq_ignore_ascii_case("-command") => {
+            Some(ApplyPatchShell::PowerShell)
+        }
+        "cmd" if flag.eq_ignore_ascii_case("/c") => Some(ApplyPatchShell::Cmd),
+        _ => None,
+    })
+}
+
+fn can_skip_flag(shell: &str, flag: &str) -> bool {
+    classify_shell_name(shell).is_some_and(|name| {
+        matches!(name.as_str(), "pwsh" | "powershell") && flag.eq_ignore_ascii_case("-noprofile")
+    })
+}
+
+fn parse_shell_script(argv: &[String]) -> Option<(ApplyPatchShell, &str)> {
+    match argv {
+        [shell, flag, script] => classify_shell(shell, flag).map(|shell_type| {
+            let script = script.as_str();
+            (shell_type, script)
+        }),
+        [shell, skip_flag, flag, script] if can_skip_flag(shell, skip_flag) => {
+            classify_shell(shell, flag).map(|shell_type| {
+                let script = script.as_str();
+                (shell_type, script)
+            })
+        }
+        _ => None,
+    }
+}
+
+fn extract_apply_patch_from_shell(
+    shell: ApplyPatchShell,
+    script: &str,
+) -> std::result::Result<(String, Option<String>), ExtractHeredocError> {
+    match shell {
+        ApplyPatchShell::Unix | ApplyPatchShell::PowerShell | ApplyPatchShell::Cmd => {
+            extract_apply_patch_from_bash(script)
+        }
+    }
+}
+
+pub fn maybe_parse_apply_patch(argv: &[String]) -> MaybeApplyPatch {
+    match argv {
+        // Direct invocation: apply_patch <patch>
+        [cmd, body] if APPLY_PATCH_COMMANDS.contains(&cmd.as_str()) => match parse_patch(body) {
+            Ok(source) => MaybeApplyPatch::Body(source),
+            Err(e) => MaybeApplyPatch::PatchParseError(e),
+        },
+        // Shell heredoc form: (optional `cd <path> &&`) apply_patch <<'EOF' ...
+        _ => match parse_shell_script(argv) {
+            Some((shell, script)) => match extract_apply_patch_from_shell(shell, script) {
+                Ok((body, workdir)) => match parse_patch(&body) {
+                    Ok(mut source) => {
+                        source.workdir = workdir;
+                        MaybeApplyPatch::Body(source)
+                    }
+                    Err(e) => MaybeApplyPatch::PatchParseError(e),
+                },
+                Err(ExtractHeredocError::CommandDidNotStartWithApplyPatch) => {
+                    MaybeApplyPatch::NotApplyPatch
+                }
+                Err(e) => MaybeApplyPatch::ShellParseError(e),
+            },
+            None => MaybeApplyPatch::NotApplyPatch,
+        },
+    }
+}
+
 #[derive(Debug, PartialEq)]
 pub enum ApplyPatchFileChange {
    Add {
@@ -170,6 +269,256 @@ impl ApplyPatchAction {
    }
 }

+/// cwd must be an absolute path so that we can resolve relative paths in the
+/// patch.
+pub fn maybe_parse_apply_patch_verified(argv: &[String], cwd: &Path) -> MaybeApplyPatchVerified {
+    // Detect a raw patch body passed directly as the command or as the body of a shell
+    // script. In these cases, report an explicit error rather than applying the patch.
+    if let [body] = argv
+        && parse_patch(body).is_ok()
+    {
+        return MaybeApplyPatchVerified::CorrectnessError(ApplyPatchError::ImplicitInvocation);
+    }
+    if let Some((_, script)) = parse_shell_script(argv)
+        && parse_patch(script).is_ok()
+    {
+        return MaybeApplyPatchVerified::CorrectnessError(ApplyPatchError::ImplicitInvocation);
+    }
+
+    match maybe_parse_apply_patch(argv) {
+        MaybeApplyPatch::Body(ApplyPatchArgs {
+            patch,
+            hunks,
+            workdir,
+        }) => {
+            let effective_cwd = workdir
+                .as_ref()
+                .map(|dir| {
+                    let path = Path::new(dir);
+                    if path.is_absolute() {
+                        path.to_path_buf()
+                    } else {
+                        cwd.join(path)
+                    }
+                })
+                .unwrap_or_else(|| cwd.to_path_buf());
+            let mut changes = HashMap::new();
+            for hunk in hunks {
+                let path = hunk.resolve_path(&effective_cwd);
+                match hunk {
+                    Hunk::AddFile { contents, .. } => {
+                        changes.insert(path, ApplyPatchFileChange::Add { content: contents });
+                    }
+                    Hunk::DeleteFile { .. } => {
+                        let content = match std::fs::read_to_string(&path) {
+                            Ok(content) => content,
+                            Err(e) => {
+                                return MaybeApplyPatchVerified::CorrectnessError(
+                                    ApplyPatchError::IoError(IoError {
+                                        context: format!("Failed to read {}", path.display()),
+                                        source: e,
+                                    }),
+                                );
+                            }
+                        };
+                        changes.insert(path, ApplyPatchFileChange::Delete { content });
+                    }
+                    Hunk::UpdateFile {
+                        move_path, chunks, ..
+                    } => {
+                        let ApplyPatchFileUpdate {
+                            unified_diff,
+                            content: contents,
+                        } = match unified_diff_from_chunks(&path, &chunks) {
+                            Ok(diff) => diff,
+                            Err(e) => {
+                                return MaybeApplyPatchVerified::CorrectnessError(e);
+                            }
+                        };
+                        changes.insert(
+                            path,
+                            ApplyPatchFileChange::Update {
+                                unified_diff,
+                                move_path: move_path.map(|p| effective_cwd.join(p)),
+                                new_content: contents,
+                            },
+                        );
+                    }
+                }
+            }
+            MaybeApplyPatchVerified::Body(ApplyPatchAction {
+                changes,
+                patch,
+                cwd: effective_cwd,
+            })
+        }
+        MaybeApplyPatch::ShellParseError(e) => MaybeApplyPatchVerified::ShellParseError(e),
+        MaybeApplyPatch::PatchParseError(e) => MaybeApplyPatchVerified::CorrectnessError(e.into()),
+        MaybeApplyPatch::NotApplyPatch => MaybeApplyPatchVerified::NotApplyPatch,
+    }
+}
+
+/// Extract the heredoc body (and optional `cd` workdir) from a `bash -lc` script
+/// that invokes the apply_patch tool using a heredoc.
+///
+/// Supported top‑level forms (must be the only top‑level statement):
+/// - `apply_patch <<'EOF'\n...\nEOF`
+/// - `cd <path> && apply_patch <<'EOF'\n...\nEOF`
+///
+/// Notes about matching:
+/// - Parsed with Tree‑sitter Bash and a strict query that uses anchors so the
+///   heredoc‑redirected statement is the only top‑level statement.
+/// - The connector between `cd` and `apply_patch` must be `&&` (not `|` or `||`).
+/// - Exactly one positional `word` argument is allowed for `cd` (no flags, no quoted
+///   strings, no second argument).
+/// - The apply command is validated in‑query via `#any-of?` to allow `apply_patch`
+///   or `applypatch`.
+/// - Preceding or trailing commands (e.g., `echo ...;` or `... && echo done`) do not match.
+///
+/// Returns `(heredoc_body, Some(path))` when the `cd` variant matches, or
+/// `(heredoc_body, None)` for the direct form. Errors are returned if the script
+/// cannot be parsed or does not match the allowed patterns.
+fn extract_apply_patch_from_bash(
+    src: &str,
+) -> std::result::Result<(String, Option<String>), ExtractHeredocError> {
+    // This function uses a Tree-sitter query to recognize one of two
+    // whole-script forms, each expressed as a single top-level statement:
+    //
+    // 1. apply_patch <<'EOF'\n...\nEOF
+    // 2. cd <path> && apply_patch <<'EOF'\n...\nEOF
+    //
+    // Key ideas when reading the query:
+    // - dots (`.`) between named nodes enforces adjacency among named children and
+    //   anchor to the start/end of the expression.
+    // - we match a single redirected_statement directly under program with leading
+    //   and trailing anchors (`.`). This ensures it is the only top-level statement
+    //   (so prefixes like `echo ...;` or suffixes like `... && echo done` do not match).
+    //
+    // Overall, we want to be conservative and only match the intended forms, as other
+    // forms are likely to be model errors, or incorrectly interpreted by later code.
+    //
+    // If you're editing this query, it's helpful to start by creating a debugging binary
+    // which will let you see the AST of an arbitrary bash script passed in, and optionally
+    // also run an arbitrary query against the AST. This is useful for understanding
+    // how tree-sitter parses the script and whether the query syntax is correct. Be sure
+    // to test both positive and negative cases.
+    static APPLY_PATCH_QUERY: LazyLock<Query> = LazyLock::new(|| {
+        let language = BASH.into();
+        #[expect(clippy::expect_used)]
+        Query::new(
+            &language,
+            r#"
+            (
+              program
+                . (redirected_statement
+                    body: (command
+                            name: (command_name (word) @apply_name) .)
+                    (#any-of? @apply_name "apply_patch" "applypatch")
+                    redirect: (heredoc_redirect
+                                . (heredoc_start)
+                                . (heredoc_body) @heredoc
+                                . (heredoc_end)
+                                .))
+                .)
+
+            (
+              program
+                . (redirected_statement
+                    body: (list
+                            . (command
+                                name: (command_name (word) @cd_name) .
+                                argument: [
+                                  (word) @cd_path
+                                  (string (string_content) @cd_path)
+                                  (raw_string) @cd_raw_string
+                                ] .)
+                            "&&"
+                            . (command
+                                name: (command_name (word) @apply_name))
+                            .)
+                    (#eq? @cd_name "cd")
+                    (#any-of? @apply_name "apply_patch" "applypatch")
+                    redirect: (heredoc_redirect
+                                . (heredoc_start)
+                                . (heredoc_body) @heredoc
+                                . (heredoc_end)
+                                .))
+                .)
+            "#,
+        )
+        .expect("valid bash query")
+    });
+
+    let lang = BASH.into();
+    let mut parser = Parser::new();
+    parser
+        .set_language(&lang)
+        .map_err(ExtractHeredocError::FailedToLoadBashGrammar)?;
+    let tree = parser
+        .parse(src, None)
+        .ok_or(ExtractHeredocError::FailedToParsePatchIntoAst)?;
+
+    let bytes = src.as_bytes();
+    let root = tree.root_node();
+
+    let mut cursor = QueryCursor::new();
+    let mut matches = cursor.matches(&APPLY_PATCH_QUERY, root, bytes);
+    while let Some(m) = matches.next() {
+        let mut heredoc_text: Option<String> = None;
+        let mut cd_path: Option<String> = None;
+
+        for capture in m.captures.iter() {
+            let name = APPLY_PATCH_QUERY.capture_names()[capture.index as usize];
+            match name {
+                "heredoc" => {
+                    let text = capture
+                        .node
+                        .utf8_text(bytes)
+                        .map_err(ExtractHeredocError::HeredocNotUtf8)?
+                        .trim_end_matches('\n')
+                        .to_string();
+                    heredoc_text = Some(text);
+                }
+                "cd_path" => {
+                    let text = capture
+                        .node
+                        .utf8_text(bytes)
+                        .map_err(ExtractHeredocError::HeredocNotUtf8)?
+                        .to_string();
+                    cd_path = Some(text);
+                }
+                "cd_raw_string" => {
+                    let raw = capture
+                        .node
+                        .utf8_text(bytes)
+                        .map_err(ExtractHeredocError::HeredocNotUtf8)?;
+                    let trimmed = raw
+                        .strip_prefix('\'')
+                        .and_then(|s| s.strip_suffix('\''))
+                        .unwrap_or(raw);
+                    cd_path = Some(trimmed.to_string());
+                }
+                _ => {}
+            }
+        }
+
+        if let Some(heredoc) = heredoc_text {
+            return Ok((heredoc, cd_path));
+        }
+    }
+
+    Err(ExtractHeredocError::CommandDidNotStartWithApplyPatch)
+}
+
+#[derive(Debug, PartialEq)]
+pub enum ExtractHeredocError {
+    CommandDidNotStartWithApplyPatch,
+    FailedToLoadBashGrammar(LanguageError),
+    HeredocNotUtf8(Utf8Error),
+    FailedToParsePatchIntoAst,
+    FailedToFindHeredocBody,
+}
+
 /// Applies the patch and prints the result to stdout/stderr.
 pub fn apply_patch(
    patch: &str,
@@ -544,9 +893,6 @@ pub fn print_summary(

 #[cfg(test)]
 mod tests {
-    use crate::invocation::MaybeApplyPatch;
-    use crate::invocation::maybe_parse_apply_patch;
-
    use super::*;
    use assert_matches::assert_matches;
    use pretty_assertions::assert_eq;
@@ -703,13 +1049,6 @@ mod tests {
        assert_match(&heredoc_script(""), None);
    }

-    #[test]
-    fn test_heredoc_non_login_shell() {
-        let script = heredoc_script("");
-        let args = strs_to_strings(&["bash", "-c", &script]);
-        assert_match_args(args, None);
-    }
-
    #[test]
    fn test_heredoc_applypatch() {
        let args = strs_to_strings(&[
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/.gitattributes
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/.gitattributes
@@ -1 +0,0 @@
-** text eol=lf
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/001_add_file/expected/bar.md
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/001_add_file/expected/bar.md
@@ -1 +0,0 @@
-This is a new file
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/001_add_file/patch.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/001_add_file/patch.txt
@@ -1,4 +0,0 @@
-*** Begin Patch
-*** Add File: bar.md
-+This is a new file
-*** End Patch
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/002_multiple_operations/expected/modify.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/002_multiple_operations/expected/modify.txt
@@ -1,2 +0,0 @@
-line1
-changed
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/002_multiple_operations/expected/nested/new.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/002_multiple_operations/expected/nested/new.txt
@@ -1 +0,0 @@
-created
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/002_multiple_operations/input/delete.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/002_multiple_operations/input/delete.txt
@@ -1 +0,0 @@
-obsolete
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/002_multiple_operations/input/modify.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/002_multiple_operations/input/modify.txt
@@ -1,2 +0,0 @@
-line1
-line2
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/002_multiple_operations/patch.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/002_multiple_operations/patch.txt
@@ -1,9 +0,0 @@
-*** Begin Patch
-*** Add File: nested/new.txt
-+created
-*** Delete File: delete.txt
-*** Update File: modify.txt
-@@
-line2
-+changed
-*** End Patch
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/003_multiple_chunks/expected/multi.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/003_multiple_chunks/expected/multi.txt
@@ -1,4 +0,0 @@
-line1
-changed2
-line3
-changed4
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/003_multiple_chunks/input/multi.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/003_multiple_chunks/input/multi.txt
@@ -1,4 +0,0 @@
-line1
-line2
-line3
-line4
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/003_multiple_chunks/patch.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/003_multiple_chunks/patch.txt
@@ -1,9 +0,0 @@
-*** Begin Patch
-*** Update File: multi.txt
-@@
-line2
-+changed2
-@@
-line4
-+changed4
-*** End Patch
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/004_move_to_new_directory/expected/old/other.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/004_move_to_new_directory/expected/old/other.txt
@@ -1 +0,0 @@
-unrelated file
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/004_move_to_new_directory/expected/renamed/dir/name.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/004_move_to_new_directory/expected/renamed/dir/name.txt
@@ -1 +0,0 @@
-new content
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/004_move_to_new_directory/input/old/name.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/004_move_to_new_directory/input/old/name.txt
@@ -1 +0,0 @@
-old content
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/004_move_to_new_directory/input/old/other.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/004_move_to_new_directory/input/old/other.txt
@@ -1 +0,0 @@
-unrelated file
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/004_move_to_new_directory/patch.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/004_move_to_new_directory/patch.txt
@@ -1,7 +0,0 @@
-*** Begin Patch
-*** Update File: old/name.txt
-*** Move to: renamed/dir/name.txt
-@@
-old content
-+new content
-*** End Patch
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/005_rejects_empty_patch/patch.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/005_rejects_empty_patch/patch.txt
@@ -1,2 +0,0 @@
-*** Begin Patch
-*** End Patch
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/006_rejects_missing_context/expected/modify.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/006_rejects_missing_context/expected/modify.txt
@@ -1,2 +0,0 @@
-line1
-line2
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/006_rejects_missing_context/input/modify.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/006_rejects_missing_context/input/modify.txt
@@ -1,2 +0,0 @@
-line1
-line2
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/006_rejects_missing_context/patch.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/006_rejects_missing_context/patch.txt
@@ -1,6 +0,0 @@
-*** Begin Patch
-*** Update File: modify.txt
-@@
-missing
-+changed
-*** End Patch
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/007_rejects_missing_file_delete/patch.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/007_rejects_missing_file_delete/patch.txt
@@ -1,3 +0,0 @@
-*** Begin Patch
-*** Delete File: missing.txt
-*** End Patch
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/008_rejects_empty_update_hunk/patch.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/008_rejects_empty_update_hunk/patch.txt
@@ -1,3 +0,0 @@
-*** Begin Patch
-*** Update File: foo.txt
-*** End Patch
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/009_requires_existing_file_for_update/patch.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/009_requires_existing_file_for_update/patch.txt
@@ -1,6 +0,0 @@
-*** Begin Patch
-*** Update File: missing.txt
-@@
-old
-+new
-*** End Patch
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/010_move_overwrites_existing_destination/expected/old/other.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/010_move_overwrites_existing_destination/expected/old/other.txt
@@ -1 +0,0 @@
-unrelated file
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/010_move_overwrites_existing_destination/expected/renamed/dir/name.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/010_move_overwrites_existing_destination/expected/renamed/dir/name.txt
@@ -1 +0,0 @@
-new
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/010_move_overwrites_existing_destination/input/old/name.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/010_move_overwrites_existing_destination/input/old/name.txt
@@ -1 +0,0 @@
-from
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/010_move_overwrites_existing_destination/input/old/other.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/010_move_overwrites_existing_destination/input/old/other.txt
@@ -1 +0,0 @@
-unrelated file
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/010_move_overwrites_existing_destination/input/renamed/dir/name.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/010_move_overwrites_existing_destination/input/renamed/dir/name.txt
@@ -1 +0,0 @@
-existing
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/010_move_overwrites_existing_destination/patch.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/010_move_overwrites_existing_destination/patch.txt
@@ -1,7 +0,0 @@
-*** Begin Patch
-*** Update File: old/name.txt
-*** Move to: renamed/dir/name.txt
-@@
-from
-+new
-*** End Patch
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/011_add_overwrites_existing_file/expected/duplicate.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/011_add_overwrites_existing_file/expected/duplicate.txt
@@ -1 +0,0 @@
-new content
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/011_add_overwrites_existing_file/input/duplicate.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/011_add_overwrites_existing_file/input/duplicate.txt
@@ -1 +0,0 @@
-old content
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/011_add_overwrites_existing_file/patch.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/011_add_overwrites_existing_file/patch.txt
@@ -1,4 +0,0 @@
-*** Begin Patch
-*** Add File: duplicate.txt
-+new content
-*** End Patch
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/012_delete_directory_fails/patch.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/012_delete_directory_fails/patch.txt
@@ -1,3 +0,0 @@
-*** Begin Patch
-*** Delete File: dir
-*** End Patch
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/013_rejects_invalid_hunk_header/patch.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/013_rejects_invalid_hunk_header/patch.txt
@@ -1,3 +0,0 @@
-*** Begin Patch
-*** Frobnicate File: foo
-*** End Patch
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/014_update_file_appends_trailing_newline/expected/no_newline.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/014_update_file_appends_trailing_newline/expected/no_newline.txt
@@ -1,2 +0,0 @@
-first line
-second line
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/014_update_file_appends_trailing_newline/input/no_newline.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/014_update_file_appends_trailing_newline/input/no_newline.txt
@@ -1 +0,0 @@
-no newline at end
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/014_update_file_appends_trailing_newline/patch.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/014_update_file_appends_trailing_newline/patch.txt
@@ -1,7 +0,0 @@
-*** Begin Patch
-*** Update File: no_newline.txt
-@@
-no newline at end
-+first line
-+second line
-*** End Patch
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/015_failure_after_partial_success_leaves_changes/expected/created.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/015_failure_after_partial_success_leaves_changes/expected/created.txt
@@ -1 +0,0 @@
-hello
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/015_failure_after_partial_success_leaves_changes/patch.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/015_failure_after_partial_success_leaves_changes/patch.txt
@@ -1,8 +0,0 @@
-*** Begin Patch
-*** Add File: created.txt
-+hello
-*** Update File: missing.txt
-@@
-old
-+new
-*** End Patch
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/016_pure_addition_update_chunk/expected/input.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/016_pure_addition_update_chunk/expected/input.txt
@@ -1,4 +0,0 @@
-line1
-line2
-added line 1
-added line 2
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/016_pure_addition_update_chunk/input/input.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/016_pure_addition_update_chunk/input/input.txt
@@ -1,2 +0,0 @@
-line1
-line2
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/016_pure_addition_update_chunk/patch.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/016_pure_addition_update_chunk/patch.txt
@@ -1,6 +0,0 @@
-*** Begin Patch
-*** Update File: input.txt
-@@
-+added line 1
-+added line 2
-*** End Patch
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/017_whitespace_padded_hunk_header/expected/foo.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/017_whitespace_padded_hunk_header/expected/foo.txt
@@ -1 +0,0 @@
-new
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/017_whitespace_padded_hunk_header/input/foo.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/017_whitespace_padded_hunk_header/input/foo.txt
@@ -1 +0,0 @@
-old
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/017_whitespace_padded_hunk_header/patch.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/017_whitespace_padded_hunk_header/patch.txt
@@ -1,6 +0,0 @@
-*** Begin Patch
-  *** Update File: foo.txt
-@@
-old
-+new
-*** End Patch
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/018_whitespace_padded_patch_markers/expected/file.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/018_whitespace_padded_patch_markers/expected/file.txt
@@ -1 +0,0 @@
-two
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/018_whitespace_padded_patch_markers/input/file.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/018_whitespace_padded_patch_markers/input/file.txt
@@ -1 +0,0 @@
-one
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/018_whitespace_padded_patch_markers/patch.txt
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/018_whitespace_padded_patch_markers/patch.txt
@@ -1,6 +0,0 @@
- *** Begin Patch
-*** Update File: file.txt
-@@
-one
-+two
-*** End Patch 
--- a/codex-rs/apply-patch/tests/fixtures/scenarios/README.md
+++ b/codex-rs/apply-patch/tests/fixtures/scenarios/README.md
@@ -1,18 +0,0 @@
-# Overview
-This directory is a collection of end to end tests for the apply-patch specification, meant to be easily portable to other languages or platforms.
-
-
-# Specification
-Each test case is one directory, composed of input state (input/), the patch operation (patch.txt), and the expected final state (expected/). This structure is designed to keep tests simple (i.e. test exactly one patch at a time) while still providing enough flexibility to test any given operation across files.
-
-Here's what this would look like for a simple test apply-patch test case to create a new file:
-
-```
-001_add/
-  input/
-    foo.md
-  expected/
-    foo.md
-    bar.md
-  patch.txt
-```
--- a/codex-rs/apply-patch/tests/suite/mod.rs
+++ b/codex-rs/apply-patch/tests/suite/mod.rs
@@ -1,4 +1,3 @@
 mod cli;
-mod scenarios;
 #[cfg(not(target_os = "windows"))]
 mod tool;
--- a/codex-rs/apply-patch/tests/suite/scenarios.rs
+++ b/codex-rs/apply-patch/tests/suite/scenarios.rs
@@ -1,114 +0,0 @@
-use assert_cmd::prelude::*;
-use pretty_assertions::assert_eq;
-use std::collections::BTreeMap;
-use std::fs;
-use std::path::Path;
-use std::path::PathBuf;
-use std::process::Command;
-use tempfile::tempdir;
-
-#[test]
-fn test_apply_patch_scenarios() -> anyhow::Result<()> {
-    for scenario in fs::read_dir("tests/fixtures/scenarios")? {
-        let scenario = scenario?;
-        let path = scenario.path();
-        if path.is_dir() {
-            run_apply_patch_scenario(&path)?;
-        }
-    }
-    Ok(())
-}
-
-/// Reads a scenario directory, copies the input files to a temporary directory, runs apply-patch,
-/// and asserts that the final state matches the expected state exactly.
-fn run_apply_patch_scenario(dir: &Path) -> anyhow::Result<()> {
-    let tmp = tempdir()?;
-
-    // Copy the input files to the temporary directory
-    let input_dir = dir.join("input");
-    if input_dir.is_dir() {
-        copy_dir_recursive(&input_dir, tmp.path())?;
-    }
-
-    // Read the patch.txt file
-    let patch = fs::read_to_string(dir.join("patch.txt"))?;
-
-    // Run apply_patch in the temporary directory. We intentionally do not assert
-    // on the exit status here; the scenarios are specified purely in terms of
-    // final filesystem state, which we compare below.
-    Command::cargo_bin("apply_patch")?
-        .arg(patch)
-        .current_dir(tmp.path())
-        .output()?;
-
-    // Assert that the final state matches the expected state exactly
-    let expected_dir = dir.join("expected");
-    let expected_snapshot = snapshot_dir(&expected_dir)?;
-    let actual_snapshot = snapshot_dir(tmp.path())?;
-
-    assert_eq!(
-        actual_snapshot,
-        expected_snapshot,
-        "Scenario {} did not match expected final state",
-        dir.display()
-    );
-
-    Ok(())
-}
-
-#[derive(Debug, Clone, PartialEq, Eq)]
-enum Entry {
-    File(Vec<u8>),
-    Dir,
-}
-
-fn snapshot_dir(root: &Path) -> anyhow::Result<BTreeMap<PathBuf, Entry>> {
-    let mut entries = BTreeMap::new();
-    if root.is_dir() {
-        snapshot_dir_recursive(root, root, &mut entries)?;
-    }
-    Ok(entries)
-}
-
-fn snapshot_dir_recursive(
-    base: &Path,
-    dir: &Path,
-    entries: &mut BTreeMap<PathBuf, Entry>,
-) -> anyhow::Result<()> {
-    for entry in fs::read_dir(dir)? {
-        let entry = entry?;
-        let path = entry.path();
-        let Some(stripped) = path.strip_prefix(base).ok() else {
-            continue;
-        };
-        let rel = stripped.to_path_buf();
-        let file_type = entry.file_type()?;
-        if file_type.is_dir() {
-            entries.insert(rel.clone(), Entry::Dir);
-            snapshot_dir_recursive(base, &path, entries)?;
-        } else if file_type.is_file() {
-            let contents = fs::read(&path)?;
-            entries.insert(rel, Entry::File(contents));
-        }
-    }
-    Ok(())
-}
-
-fn copy_dir_recursive(src: &Path, dst: &Path) -> anyhow::Result<()> {
-    for entry in fs::read_dir(src)? {
-        let entry = entry?;
-        let path = entry.path();
-        let file_type = entry.file_type()?;
-        let dest_path = dst.join(entry.file_name());
-        if file_type.is_dir() {
-            fs::create_dir_all(&dest_path)?;
-            copy_dir_recursive(&path, &dest_path)?;
-        } else if file_type.is_file() {
-            if let Some(parent) = dest_path.parent() {
-                fs::create_dir_all(parent)?;
-            }
-            fs::copy(&path, &dest_path)?;
-        }
-    }
-    Ok(())
-}
--- a/codex-rs/backend-client/src/client.rs
+++ b/codex-rs/backend-client/src/client.rs
@@ -7,7 +7,6 @@ use crate::types::TurnAttemptsSiblingTurnsResponse;
 use anyhow::Result;
 use codex_core::auth::CodexAuth;
 use codex_core::default_client::get_codex_user_agent;
-use codex_protocol::account::PlanType as AccountPlanType;
 use codex_protocol::protocol::CreditsSnapshot;
 use codex_protocol::protocol::RateLimitSnapshot;
 use codex_protocol::protocol::RateLimitWindow;
@@ -292,7 +291,6 @@ impl Client {
            primary,
            secondary,
            credits: Self::map_credits(payload.credits),
-            plan_type: Some(Self::map_plan_type(payload.plan_type)),
        }
    }

@@ -327,23 +325,6 @@ impl Client {
        })
    }

-    fn map_plan_type(plan_type: crate::types::PlanType) -> AccountPlanType {
-        match plan_type {
-            crate::types::PlanType::Free => AccountPlanType::Free,
-            crate::types::PlanType::Plus => AccountPlanType::Plus,
-            crate::types::PlanType::Pro => AccountPlanType::Pro,
-            crate::types::PlanType::Team => AccountPlanType::Team,
-            crate::types::PlanType::Business => AccountPlanType::Business,
-            crate::types::PlanType::Enterprise => AccountPlanType::Enterprise,
-            crate::types::PlanType::Edu | crate::types::PlanType::Education => AccountPlanType::Edu,
-            crate::types::PlanType::Guest
-            | crate::types::PlanType::Go
-            | crate::types::PlanType::FreeWorkspace
-            | crate::types::PlanType::Quorum
-            | crate::types::PlanType::K12 => AccountPlanType::Unknown,
-        }
-    }
-
    fn window_minutes_from_seconds(seconds: i32) -> Option<i64> {
        if seconds <= 0 {
            return None;
--- a/codex-rs/cli/Cargo.toml
+++ b/codex-rs/cli/Cargo.toml
@@ -36,7 +36,6 @@ codex-responses-api-proxy = { workspace = true }
 codex-rmcp-client = { workspace = true }
 codex-stdio-to-uds = { workspace = true }
 codex-tui = { workspace = true }
-codex-tui2 = { workspace = true }
 ctor = { workspace = true }
 libc = { workspace = true }
 owo-colors = { workspace = true }
--- a/codex-rs/cli/src/debug_sandbox.rs
+++ b/codex-rs/cli/src/debug_sandbox.rs
@@ -136,9 +136,7 @@ async fn run_command_under_sandbox(
    if let SandboxType::Windows = sandbox_type {
        #[cfg(target_os = "windows")]
        {
-            use codex_core::features::Feature;
            use codex_windows_sandbox::run_windows_sandbox_capture;
-            use codex_windows_sandbox::run_windows_sandbox_capture_elevated;

            let policy_str = serde_json::to_string(&config.sandbox_policy)?;

@@ -147,32 +145,18 @@ async fn run_command_under_sandbox(
            let env_map = env.clone();
            let command_vec = command.clone();
            let base_dir = config.codex_home.clone();
-            let use_elevated = config.features.enabled(Feature::WindowsSandbox)
-                && config.features.enabled(Feature::WindowsSandboxElevated);

            // Preflight audit is invoked elsewhere at the appropriate times.
            let res = tokio::task::spawn_blocking(move || {
-                if use_elevated {
-                    run_windows_sandbox_capture_elevated(
-                        policy_str.as_str(),
-                        &sandbox_cwd,
-                        base_dir.as_path(),
-                        command_vec,
-                        &cwd_clone,
-                        env_map,
-                        None,
-                    )
-                } else {
-                    run_windows_sandbox_capture(
-                        policy_str.as_str(),
-                        &sandbox_cwd,
-                        base_dir.as_path(),
-                        command_vec,
-                        &cwd_clone,
-                        env_map,
-                        None,
-                    )
-                }
+                run_windows_sandbox_capture(
+                    policy_str.as_str(),
+                    &sandbox_cwd,
+                    base_dir.as_path(),
+                    command_vec,
+                    &cwd_clone,
+                    env_map,
+                    None,
+                )
            })
            .await;

--- a/codex-rs/cli/src/main.rs
+++ b/codex-rs/cli/src/main.rs
@@ -25,7 +25,6 @@ use codex_responses_api_proxy::Args as ResponsesApiProxyArgs;
 use codex_tui::AppExitInfo;
 use codex_tui::Cli as TuiCli;
 use codex_tui::update_action::UpdateAction;
-use codex_tui2 as tui2;
 use owo_colors::OwoColorize;
 use std::path::PathBuf;
 use supports_color::Stream;
@@ -38,11 +37,6 @@ use crate::mcp_cmd::McpCli;

 use codex_core::config::Config;
 use codex_core::config::ConfigOverrides;
-use codex_core::config::find_codex_home;
-use codex_core::config::load_config_as_toml_with_cli_overrides;
-use codex_core::features::Feature;
-use codex_core::features::FeatureOverrides;
-use codex_core::features::Features;
 use codex_core::features::is_known_feature_key;

 /// Codex CLI
@@ -450,7 +444,7 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
                &mut interactive.config_overrides,
                root_config_overrides.clone(),
            );
-            let exit_info = run_interactive_tui(interactive, codex_linux_sandbox_exe).await?;
+            let exit_info = codex_tui::run_main(interactive, codex_linux_sandbox_exe).await?;
            handle_app_exit(exit_info)?;
        }
        Some(Subcommand::Exec(mut exec_cli)) => {
@@ -505,7 +499,7 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
                all,
                config_overrides,
            );
-            let exit_info = run_interactive_tui(interactive, codex_linux_sandbox_exe).await?;
+            let exit_info = codex_tui::run_main(interactive, codex_linux_sandbox_exe).await?;
            handle_app_exit(exit_info)?;
        }
        Some(Subcommand::Login(mut login_cli)) => {
@@ -656,40 +650,6 @@ fn prepend_config_flags(
        .splice(0..0, cli_config_overrides.raw_overrides);
 }

-/// Run the interactive Codex TUI, dispatching to either the legacy implementation or the
-/// experimental TUI v2 shim based on feature flags resolved from config.
-async fn run_interactive_tui(
-    interactive: TuiCli,
-    codex_linux_sandbox_exe: Option<PathBuf>,
-) -> std::io::Result<AppExitInfo> {
-    if is_tui2_enabled(&interactive).await? {
-        let result = tui2::run_main(interactive.into(), codex_linux_sandbox_exe).await?;
-        Ok(result.into())
-    } else {
-        codex_tui::run_main(interactive, codex_linux_sandbox_exe).await
-    }
-}
-
-/// Returns `Ok(true)` when the resolved configuration enables the `tui2` feature flag.
-///
-/// This performs a lightweight config load (honoring the same precedence as the lower-level TUI
-/// bootstrap: `$CODEX_HOME`, config.toml, profile, and CLI `-c` overrides) solely to decide which
-/// TUI frontend to launch. The full configuration is still loaded later by the interactive TUI.
-async fn is_tui2_enabled(cli: &TuiCli) -> std::io::Result<bool> {
-    let raw_overrides = cli.config_overrides.raw_overrides.clone();
-    let overrides_cli = codex_common::CliConfigOverrides { raw_overrides };
-    let cli_kv_overrides = overrides_cli
-        .parse_overrides()
-        .map_err(|e| std::io::Error::new(std::io::ErrorKind::InvalidInput, e))?;
-
-    let codex_home = find_codex_home()?;
-    let config_toml = load_config_as_toml_with_cli_overrides(&codex_home, cli_kv_overrides).await?;
-    let config_profile = config_toml.get_config_profile(cli.config_profile.clone())?;
-    let overrides = FeatureOverrides::default();
-    let features = Features::from_config(&config_toml, &config_profile, overrides);
-    Ok(features.enabled(Feature::Tui2))
-}
-
 /// Build the final `TuiCli` for a `codex resume` invocation.
 fn finalize_resume_interactive(
    mut interactive: TuiCli,
--- a/Show More
+++ b/Show More