feat: stream agent message deltas

MCP server: route structured tool-call requests and expose mcp_protocol [Stack 2/3] (#1751 )
- Expose mcp_protocol from mcp-server for reuse in tests and callers. - In MessageProcessor, detect structured ToolCallRequestParams in tools/call and forward to a new handler. - Add handle_new_tool_calls scaffold (returns error for now). - Test helper: add send_send_user_message_tool_call to McpProcess to send ConversationSendMessage requests; This is the second PR in a stack. Stack: Final: #1686 Intermediate: #1751 First: #1750
2026-05-12 15:22:39 +00:00 · 2025-07-31 21:13:10 -07:00 · 2025-08-01 02:46:04 +00:00 · 2025-08-01 02:30:03 +00:00 · 2025-08-01 00:30:44 +00:00 · 2025-07-31 17:15:26 -07:00
119 changed files with 5725 additions and 4495 deletions
--- a/.github/codex/labels/codex-rust-review.md
+++ b/.github/codex/labels/codex-rust-review.md
@@ -0,0 +1,23 @@
+Review this PR and respond with a very concise final message, formatted in Markdown.
+
+There should be a summary of the changes (1-2 sentences) and a few bullet points if necessary.
+
+Then provide the **review** (1-2 sentences plus bullet points, friendly tone).
+
+Things to look out for when doing the review:
+
+- **Make sure the pull request body explains the motivation behind the change.** If the author has failed to do this, call it out, and if you think you can deduce the motivation behind the change, propose copy.
+- Ideally, the PR body also contains a small summary of the change. For small changes, the PR title may be sufficient.
+- Each PR should ideally do one conceptual thing. For example, if a PR does a refactoring as well as introducing a new feature, push back and suggest the refactoring be done in a separate PR. This makes things easier for the reviewer, as refactoring changes can often be far-reaching, yet quick to review.
+- If the nature of the change seems to have a visual component (which is often the case for changes to `codex-rs/tui`), recommend including a screenshot or video to demonstrate the change, if appropriate.
+- Rust files should generally be organized such that the public parts of the API appear near the top of the file and helper functions go below. This is analagous to the "inverted pyramid" structure that is favored in journalism.
+- Encourage the use of small enums or the newtype pattern in Rust if it helps readability without adding significant cognitive load or lines of code.
+- Be wary of large files and offer suggestions for how to break things into more reasonably-sized files.
+- When modifying a `Cargo.toml` file, make sure that dependency lists stay alphabetically sorted. Also consider whether a new dependency is added to the appropriate place (e.g., `[dependencies]` versus `[dev-dependencies]`)
+- If you see opportunities for the changes in a diff to use more idiomatic Rust, please make specific recommendations. For example, favor the use of expressions over `return`.
+- When introducing new code, be on the lookout for code that duplicates existing code. When found, propose a way to refactor the existing code such that it should be reused.
+- Each create in the Cargo workspace in `codex-rs` has a specific purpose: make a note if you believe new code is not introduced in the correct crate.
+- When possible, try to keep the `core` crate as small as possible. Non-core but shared logic is often a good candidate for `codex-rs/common`.
+- References to existing GitHub issues and PRs are encouraged, where appropriate, though you likely do not have network access, so may not be able to help here.
+
+{CODEX_ACTION_GITHUB_EVENT_PATH} contains the JSON that triggered this GitHub workflow. It contains the `base` and `head` refs that define this PR. Both refs are available locally.
--- a/.github/workflows/codex.yml
+++ b/.github/workflows/codex.yml
@@ -20,7 +20,7 @@ jobs:
      (github.event_name == 'issues' && (
        (github.event.action == 'labeled' && (github.event.label.name == 'codex-attempt' || github.event.label.name == 'codex-triage'))
      )) ||
-      (github.event_name == 'pull_request' && github.event.action == 'labeled' && github.event.label.name == 'codex-review')
+      (github.event_name == 'pull_request' && github.event.action == 'labeled' && (github.event.label.name == 'codex-review' || github.event.label.name == 'codex-rust-review'))
    runs-on: ubuntu-latest
    permissions:
      contents: write # can push or create branches
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -0,0 +1,5 @@
+{
+    "recommendations": [
+        "tamasfe.even-better-toml",
+    ]
+}
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -6,5 +6,11 @@
    "[rust]": {
        "editor.defaultFormatter": "rust-lang.rust-analyzer",
        "editor.formatOnSave": true,
-    }
+    },
+    "[toml]": {
+        "editor.defaultFormatter": "tamasfe.even-better-toml",
+        "editor.formatOnSave": true,
+    },
+    "evenBetterToml.formatter.reorderArrays": true,
+    "evenBetterToml.formatter.reorderKeys": true,
 }
--- a/4
+++ b/4
@@ -1,2 +1,6 @@
 OpenAI Codex
 Copyright 2025 OpenAI
+
+This project includes code derived from [Ratatui](https://github.com/ratatui/ratatui), licensed under the MIT license.
+Copyright (c) 2016-2022 Florian Dehau
+Copyright (c) 2023-2025 The Ratatui Developers
--- a/README.md
+++ b/README.md
@@ -95,6 +95,12 @@ codex login

 If you complete the process successfully, you should have a `~/.codex/auth.json` file that contains the credentials that Codex will use.

+To verify whether you are currently logged in, run:
+
+```
+codex login status
+```
+
 If you encounter problems with the login flow, please comment on <https://github.com/openai/codex/issues/1243>.

 <details>
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -463,18 +463,18 @@ checksum = "df8670b8c7b9dae1793364eafadf7239c40d669904660c5960d74cfd80b46a53"

 [[package]]
 name = "castaway"
-version = "0.2.3"
+version = "0.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0abae9be0aaf9ea96a3b1b8b1b55c602ca751eba1b1500220cea4ecbafe7c0d5"
+checksum = "dec551ab6e7578819132c713a93c022a05d60159dc86e7a7050223577484c55a"
 dependencies = [
 "rustversion",
 ]

 [[package]]
 name = "cc"
-version = "1.2.29"
+version = "1.2.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c1599538de2394445747c8cf7935946e3cc27e9625f889d979bfb2aaf569362"
+checksum = "deec109607ca693028562ed836a5f1c4b8bd77755c4e132fc5ce11b0b6211ae7"
 dependencies = [
 "jobserver",
 "libc",
@@ -570,9 +570,9 @@ checksum = "b94f61472cee1439c0b966b47e3aca9ae07e45d070759512cd390ea2bebc6675"

 [[package]]
 name = "clipboard-win"
-version = "5.4.0"
+version = "5.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "15efe7a882b08f34e38556b14f2fb3daa98769d06c7f0c1b076dfd0d983bc892"
+checksum = "bde03770d3df201d4fb868f2c9c59e66a3e4e2bd06692a0fe701e7103c7e84d4"
 dependencies = [
 "error-code",
 ]
@@ -605,6 +605,18 @@ dependencies = [
 "tree-sitter-bash",
 ]

+[[package]]
+name = "codex-arg0"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "codex-apply-patch",
+ "codex-core",
+ "codex-linux-sandbox",
+ "dotenvy",
+ "tokio",
+]
+
 [[package]]
 name = "codex-chatgpt"
 version = "0.0.0"
@@ -626,27 +638,20 @@ name = "codex-cli"
 version = "0.0.0"
 dependencies = [
 "anyhow",
- "assert_cmd",
- "chrono",
 "clap",
 "clap_complete",
+ "codex-arg0",
 "codex-chatgpt",
 "codex-common",
 "codex-core",
 "codex-exec",
- "codex-linux-sandbox",
 "codex-login",
- "codex-mcp-client",
 "codex-mcp-server",
 "codex-tui",
- "mcp-types",
- "serde",
 "serde_json",
- "tempfile",
 "tokio",
 "tracing",
 "tracing-subscriber",
- "uuid",
 ]

 [[package]]
@@ -668,7 +673,9 @@ dependencies = [
 "async-channel",
 "base64 0.22.1",
 "bytes",
+ "chrono",
 "codex-apply-patch",
+ "codex-login",
 "codex-mcp-client",
 "core_test_support",
 "dirs",
@@ -714,14 +721,17 @@ name = "codex-exec"
 version = "0.0.0"
 dependencies = [
 "anyhow",
+ "assert_cmd",
 "chrono",
 "clap",
+ "codex-arg0",
 "codex-common",
 "codex-core",
- "codex-linux-sandbox",
 "owo-colors",
+ "predicates",
 "serde_json",
 "shlex",
+ "tempfile",
 "tokio",
 "tracing",
 "tracing-subscriber",
@@ -768,7 +778,6 @@ dependencies = [
 "clap",
 "codex-common",
 "codex-core",
- "dotenvy",
 "landlock",
 "libc",
 "seccompiler",
@@ -784,6 +793,7 @@ dependencies = [
 "reqwest",
 "serde",
 "serde_json",
+ "tempfile",
 "tokio",
 ]

@@ -806,8 +816,8 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "assert_cmd",
+ "codex-arg0",
 "codex-core",
- "codex-linux-sandbox",
 "mcp-types",
 "mcp_test_support",
 "pretty_assertions",
@@ -815,6 +825,7 @@ dependencies = [
 "serde",
 "serde_json",
 "shlex",
+ "strum_macros 0.27.2",
 "tempfile",
 "tokio",
 "tokio-test",
@@ -833,10 +844,10 @@ dependencies = [
 "base64 0.22.1",
 "clap",
 "codex-ansi-escape",
+ "codex-arg0",
 "codex-common",
 "codex-core",
 "codex-file-search",
- "codex-linux-sandbox",
 "codex-login",
 "color-eyre",
 "crossterm",
@@ -985,9 +996,9 @@ dependencies = [

 [[package]]
 name = "crc32fast"
-version = "1.4.2"
+version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a97769d94ddab943e4510d138150169a2758b5ef3eb191a9ee688de3e23ef7b3"
+checksum = "9481c1c90cbf2ac953f07c8d4a58aa3945c425b7185c9154d67a65e4230da511"
 dependencies = [
 "cfg-if",
 ]
@@ -1534,7 +1545,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0ce92ff622d6dadf7349484f42c93271a0d49b7cc4d466a936405bacbe10aa78"
 dependencies = [
 "cfg-if",
- "rustix 1.0.7",
+ "rustix 1.0.8",
 "windows-sys 0.59.0",
 ]

@@ -1983,9 +1994,9 @@ dependencies = [

 [[package]]
 name = "hyper-util"
-version = "0.1.15"
+version = "0.1.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7f66d5bd4c6f02bf0542fad85d626775bab9258cf795a4256dcaf3161114d1df"
+checksum = "8d9b05277c7e8da2c93a568989bb6207bef0112e8d17df7a6eda4a3cf143bc5e"
 dependencies = [
 "base64 0.22.1",
 "bytes",
@@ -1999,7 +2010,7 @@ dependencies = [
 "libc",
 "percent-encoding",
 "pin-project-lite",
- "socket2",
+ "socket2 0.6.0",
 "system-configuration",
 "tokio",
 "tower-service",
@@ -2252,9 +2263,9 @@ dependencies = [

 [[package]]
 name = "instability"
-version = "0.3.7"
+version = "0.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0bf9fed6d91cfb734e7476a06bde8300a1b94e217e1b523b6f0cd1a01998c71d"
+checksum = "435d80800b936787d62688c927b6490e887c7ef5ff9ce922c6c6050fca75eb9a"
 dependencies = [
 "darling",
 "indoc",
@@ -2285,9 +2296,9 @@ dependencies = [

 [[package]]
 name = "io-uring"
-version = "0.7.8"
+version = "0.7.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b86e202f00093dcba4275d4636b93ef9dd75d025ae560d2521b45ea28ab49013"
+checksum = "d93587f37623a1a17d94ef2bc9ada592f5465fe7732084ab7beefabe5c77c0c4"
 dependencies = [
 "bitflags 2.9.1",
 "cfg-if",
@@ -2491,9 +2502,9 @@ dependencies = [

 [[package]]
 name = "libredox"
-version = "0.1.4"
+version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1580801010e535496706ba011c15f8532df6b42297d2e471fec38ceadd8c0638"
+checksum = "4488594b9328dee448adb906d8b126d9b7deb7cf5c22161ee591610bb1be83c0"
 dependencies = [
 "bitflags 2.9.1",
 "libc",
@@ -2632,6 +2643,7 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "assert_cmd",
+ "codex-core",
 "codex-mcp-server",
 "mcp-types",
 "pretty_assertions",
@@ -2639,6 +2651,7 @@ dependencies = [
 "shlex",
 "tempfile",
 "tokio",
+ "uuid",
 "wiremock",
 ]

@@ -3366,8 +3379,7 @@ dependencies = [
 [[package]]
 name = "ratatui"
 version = "0.29.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eabd94c2f37801c20583fc49dd5cd6b0ba68c716787c2dd6ed18571e1e63117b"
+source = "git+https://github.com/nornagon/ratatui?branch=nornagon-v0.29.0-patch#bca287ddc5d38fe088c79e2eda22422b96226f2e"
 dependencies = [
 "bitflags 2.9.1",
 "cassowary",
@@ -3472,9 +3484,9 @@ dependencies = [

 [[package]]
 name = "redox_syscall"
-version = "0.5.13"
+version = "0.5.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0d04b7d0ee6b4a0207a0a7adb104d23ecb0b47d6beae7152d0fa34b692b29fd6"
+checksum = "7e8af0dde094006011e6a740d4879319439489813bd0bcdc7d821beaeeff48ec"
 dependencies = [
 "bitflags 2.9.1",
 ]
@@ -3622,9 +3634,9 @@ dependencies = [

 [[package]]
 name = "rgb"
-version = "0.8.51"
+version = "0.8.52"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a457e416a0f90d246a4c3288bd7a25b2304ca727f253f95be383dd17af56be8f"
+checksum = "0c6a884d2998352bb4daf0183589aec883f16a6da1f4dde84d8e2e9a5409a1ce"

 [[package]]
 name = "ring"
@@ -3700,22 +3712,22 @@ dependencies = [

 [[package]]
 name = "rustix"
-version = "1.0.7"
+version = "1.0.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c71e83d6afe7ff64890ec6b71d6a69bb8a610ab78ce364b3352876bb4c801266"
+checksum = "11181fbabf243db407ef8df94a6ce0b2f9a733bd8be4ad02b4eda9602296cac8"
 dependencies = [
 "bitflags 2.9.1",
 "errno",
 "libc",
 "linux-raw-sys 0.9.4",
- "windows-sys 0.59.0",
+ "windows-sys 0.60.2",
 ]

 [[package]]
 name = "rustls"
-version = "0.23.28"
+version = "0.23.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7160e3e10bf4535308537f3c4e1641468cd0e485175d6163087c0393c7d46643"
+checksum = "2491382039b29b9b11ff08b76ff6c97cf287671dbb74f0be44bda389fffe9bd1"
 dependencies = [
 "once_cell",
 "rustls-pki-types",
@@ -3735,9 +3747,9 @@ dependencies = [

 [[package]]
 name = "rustls-webpki"
-version = "0.103.3"
+version = "0.103.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e4a72fe2bcf7a6ac6fd7d0b9e5cb68aeb7d4c0a0271730218b3e92d43b4eb435"
+checksum = "0a17884ae0c1b773f1ccd2bd4a8c72f16da897310a98b0e84bf349ad5ead92fc"
 dependencies = [
 "ring",
 "rustls-pki-types",
@@ -3963,9 +3975,9 @@ dependencies = [

 [[package]]
 name = "serde_json"
-version = "1.0.140"
+version = "1.0.141"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "20068b6e96dc6c9bd23e01df8827e6c7e1f2fddd43c21810382803c136b99373"
+checksum = "30b9eff21ebe718216c6ec64e1d9ac57087aad11efc64e32002bce4a0d4c03d3"
 dependencies = [
 "indexmap 2.10.0",
 "itoa",
@@ -4158,6 +4170,16 @@ dependencies = [
 "windows-sys 0.52.0",
 ]

+[[package]]
+name = "socket2"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "233504af464074f9d066d7b5416c5f9b894a5862a6506e306f7b816cdd6f1807"
+dependencies = [
+ "libc",
+ "windows-sys 0.59.0",
+]
+
 [[package]]
 name = "stable_deref_trait"
 version = "1.2.0"
@@ -4449,7 +4471,7 @@ dependencies = [
 "fastrand",
 "getrandom 0.3.3",
 "once_cell",
- "rustix 1.0.7",
+ "rustix 1.0.8",
 "windows-sys 0.59.0",
 ]

@@ -4470,7 +4492,7 @@ version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "45c6481c4829e4cc63825e62c49186a34538b7b2750b73b266581ffb612fb5ed"
 dependencies = [
- "rustix 1.0.7",
+ "rustix 1.0.8",
 "windows-sys 0.59.0",
 ]

@@ -4616,7 +4638,7 @@ dependencies = [
 "pin-project-lite",
 "signal-hook-registry",
 "slab",
- "socket2",
+ "socket2 0.5.10",
 "tokio-macros",
 "windows-sys 0.52.0",
 ]
@@ -4758,9 +4780,9 @@ dependencies = [

 [[package]]
 name = "toml_writer"
-version = "1.0.0"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b679217f2848de74cabd3e8fc5e6d66f40b7da40f8e1954d92054d9010690fd5"
+checksum = "fcc842091f2def52017664b53082ecbbeb5c7731092bad69d2c63050401dfd64"

 [[package]]
 name = "tower"
@@ -5582,9 +5604,9 @@ checksum = "271414315aff87387382ec3d271b52d7ae78726f5d44ac98b4f4030c91880486"

 [[package]]
 name = "winnow"
-version = "0.7.11"
+version = "0.7.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "74c7b26e3480b707944fc872477815d29a8e429d2f93a1ce000f5fa84a15cbcd"
+checksum = "f3edebf492c8125044983378ecb5766203ad3b4c2f7a922bd7dd207f6d443e95"
 dependencies = [
 "memchr",
 ]
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -1,8 +1,8 @@
 [workspace]
-resolver = "2"
 members = [
    "ansi-escape",
    "apply-patch",
+    "arg0",
    "cli",
    "common",
    "core",
@@ -16,6 +16,7 @@ members = [
    "mcp-types",
    "tui",
 ]
+resolver = "2"

 [workspace.package]
 version = "0.0.0"
@@ -40,3 +41,7 @@ strip = "symbols"

 # See https://github.com/openai/codex/issues/1411 for details.
 codegen-units = 1
+
+[patch.crates-io]
+# ratatui = { path = "../../ratatui" }
+ratatui = { git = "https://github.com/nornagon/ratatui", branch = "nornagon-v0.29.0-patch" }
--- a/codex-rs/ansi-escape/Cargo.toml
+++ b/codex-rs/ansi-escape/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-ansi-escape"
 version = { workspace = true }
-edition = "2024"

 [lib]
 name = "codex_ansi_escape"
@@ -10,7 +10,7 @@ path = "src/lib.rs"
 [dependencies]
 ansi-to-tui = "7.0.0"
 ratatui = { version = "0.29.0", features = [
-    "unstable-widget-ref",
    "unstable-rendered-line-info",
+    "unstable-widget-ref",
 ] }
 tracing = { version = "0.1.41", features = ["log"] }
--- a/codex-rs/apply-patch/Cargo.toml
+++ b/codex-rs/apply-patch/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-apply-patch"
 version = { workspace = true }
-edition = "2024"

 [lib]
 name = "codex_apply_patch"
--- a/codex-rs/apply-patch/src/lib.rs
+++ b/codex-rs/apply-patch/src/lib.rs
@@ -58,16 +58,24 @@ impl PartialEq for IoError {

 #[derive(Debug, PartialEq)]
 pub enum MaybeApplyPatch {
-    Body(Vec<Hunk>),
+    Body(ApplyPatchArgs),
    ShellParseError(ExtractHeredocError),
    PatchParseError(ParseError),
    NotApplyPatch,
 }

+/// Both the raw PATCH argument to `apply_patch` as well as the PATCH argument
+/// parsed into hunks.
+#[derive(Debug, PartialEq)]
+pub struct ApplyPatchArgs {
+    pub patch: String,
+    pub hunks: Vec<Hunk>,
+}
+
 pub fn maybe_parse_apply_patch(argv: &[String]) -> MaybeApplyPatch {
    match argv {
        [cmd, body] if cmd == "apply_patch" => match parse_patch(body) {
-            Ok(hunks) => MaybeApplyPatch::Body(hunks),
+            Ok(source) => MaybeApplyPatch::Body(source),
            Err(e) => MaybeApplyPatch::PatchParseError(e),
        },
        [bash, flag, script]
@@ -77,7 +85,7 @@ pub fn maybe_parse_apply_patch(argv: &[String]) -> MaybeApplyPatch {
        {
            match extract_heredoc_body_from_apply_patch_command(script) {
                Ok(body) => match parse_patch(&body) {
-                    Ok(hunks) => MaybeApplyPatch::Body(hunks),
+                    Ok(source) => MaybeApplyPatch::Body(source),
                    Err(e) => MaybeApplyPatch::PatchParseError(e),
                },
                Err(e) => MaybeApplyPatch::ShellParseError(e),
@@ -116,11 +124,19 @@ pub enum MaybeApplyPatchVerified {
    NotApplyPatch,
 }

-#[derive(Debug, PartialEq)]
 /// ApplyPatchAction is the result of parsing an `apply_patch` command. By
 /// construction, all paths should be absolute paths.
+#[derive(Debug, PartialEq)]
 pub struct ApplyPatchAction {
    changes: HashMap<PathBuf, ApplyPatchFileChange>,
+
+    /// The raw patch argument that can be used with `apply_patch` as an exec
+    /// call. i.e., if the original arg was parsed in "lenient" mode with a
+    /// heredoc, this should be the value without the heredoc wrapper.
+    pub patch: String,
+
+    /// The working directory that was used to resolve relative paths in the patch.
+    pub cwd: PathBuf,
 }

 impl ApplyPatchAction {
@@ -140,8 +156,28 @@ impl ApplyPatchAction {
            panic!("path must be absolute");
        }

+        #[allow(clippy::expect_used)]
+        let filename = path
+            .file_name()
+            .expect("path should not be empty")
+            .to_string_lossy();
+        let patch = format!(
+            r#"*** Begin Patch
+*** Update File: {filename}
+@@
+ {content}
+*** End Patch"#,
+        );
        let changes = HashMap::from([(path.to_path_buf(), ApplyPatchFileChange::Add { content })]);
-        Self { changes }
+        #[allow(clippy::expect_used)]
+        Self {
+            changes,
+            cwd: path
+                .parent()
+                .expect("path should have parent")
+                .to_path_buf(),
+            patch,
+        }
    }
 }

@@ -149,7 +185,7 @@ impl ApplyPatchAction {
 /// patch.
 pub fn maybe_parse_apply_patch_verified(argv: &[String], cwd: &Path) -> MaybeApplyPatchVerified {
    match maybe_parse_apply_patch(argv) {
-        MaybeApplyPatch::Body(hunks) => {
+        MaybeApplyPatch::Body(ApplyPatchArgs { patch, hunks }) => {
            let mut changes = HashMap::new();
            for hunk in hunks {
                let path = hunk.resolve_path(cwd);
@@ -183,7 +219,11 @@ pub fn maybe_parse_apply_patch_verified(argv: &[String], cwd: &Path) -> MaybeApp
                    }
                }
            }
-            MaybeApplyPatchVerified::Body(ApplyPatchAction { changes })
+            MaybeApplyPatchVerified::Body(ApplyPatchAction {
+                changes,
+                patch,
+                cwd: cwd.to_path_buf(),
+            })
        }
        MaybeApplyPatch::ShellParseError(e) => MaybeApplyPatchVerified::ShellParseError(e),
        MaybeApplyPatch::PatchParseError(e) => MaybeApplyPatchVerified::CorrectnessError(e.into()),
@@ -264,7 +304,7 @@ pub fn apply_patch(
    stderr: &mut impl std::io::Write,
 ) -> Result<(), ApplyPatchError> {
    let hunks = match parse_patch(patch) {
-        Ok(hunks) => hunks,
+        Ok(source) => source.hunks,
        Err(e) => {
            match &e {
                InvalidPatchError(message) => {
@@ -652,7 +692,7 @@ mod tests {
        ]);

        match maybe_parse_apply_patch(&args) {
-            MaybeApplyPatch::Body(hunks) => {
+            MaybeApplyPatch::Body(ApplyPatchArgs { hunks, patch: _ }) => {
                assert_eq!(
                    hunks,
                    vec![Hunk::AddFile {
@@ -679,7 +719,7 @@ PATCH"#,
        ]);

        match maybe_parse_apply_patch(&args) {
-            MaybeApplyPatch::Body(hunks) => {
+            MaybeApplyPatch::Body(ApplyPatchArgs { hunks, patch: _ }) => {
                assert_eq!(
                    hunks,
                    vec![Hunk::AddFile {
@@ -954,7 +994,7 @@ PATCH"#,
        ));
        let patch = parse_patch(&patch).unwrap();

-        let update_file_chunks = match patch.as_slice() {
+        let update_file_chunks = match patch.hunks.as_slice() {
            [Hunk::UpdateFile { chunks, .. }] => chunks,
            _ => panic!("Expected a single UpdateFile hunk"),
        };
@@ -992,7 +1032,7 @@ PATCH"#,
        ));

        let patch = parse_patch(&patch).unwrap();
-        let chunks = match patch.as_slice() {
+        let chunks = match patch.hunks.as_slice() {
            [Hunk::UpdateFile { chunks, .. }] => chunks,
            _ => panic!("Expected a single UpdateFile hunk"),
        };
@@ -1029,7 +1069,7 @@ PATCH"#,
        ));

        let patch = parse_patch(&patch).unwrap();
-        let chunks = match patch.as_slice() {
+        let chunks = match patch.hunks.as_slice() {
            [Hunk::UpdateFile { chunks, .. }] => chunks,
            _ => panic!("Expected a single UpdateFile hunk"),
        };
@@ -1064,7 +1104,7 @@ PATCH"#,
        ));

        let patch = parse_patch(&patch).unwrap();
-        let chunks = match patch.as_slice() {
+        let chunks = match patch.hunks.as_slice() {
            [Hunk::UpdateFile { chunks, .. }] => chunks,
            _ => panic!("Expected a single UpdateFile hunk"),
        };
@@ -1110,7 +1150,7 @@ PATCH"#,

        // Extract chunks then build the unified diff.
        let parsed = parse_patch(&patch).unwrap();
-        let chunks = match parsed.as_slice() {
+        let chunks = match parsed.hunks.as_slice() {
            [Hunk::UpdateFile { chunks, .. }] => chunks,
            _ => panic!("Expected a single UpdateFile hunk"),
        };
@@ -1193,6 +1233,8 @@ g
                        new_content: "updated session directory content\n".to_string(),
                    },
                )]),
+                patch: argv[1].clone(),
+                cwd: session_dir.path().to_path_buf(),
            })
        );
    }
--- a/codex-rs/apply-patch/src/parser.rs
+++ b/codex-rs/apply-patch/src/parser.rs
@@ -22,6 +22,7 @@
 //!
 //! The parser below is a little more lenient than the explicit spec and allows for
 //! leading/trailing whitespace around patch markers.
+use crate::ApplyPatchArgs;
 use std::path::Path;
 use std::path::PathBuf;

@@ -102,7 +103,7 @@ pub struct UpdateFileChunk {
    pub is_end_of_file: bool,
 }

-pub fn parse_patch(patch: &str) -> Result<Vec<Hunk>, ParseError> {
+pub fn parse_patch(patch: &str) -> Result<ApplyPatchArgs, ParseError> {
    let mode = if PARSE_IN_STRICT_MODE {
        ParseMode::Strict
    } else {
@@ -150,7 +151,7 @@ enum ParseMode {
    Lenient,
 }

-fn parse_patch_text(patch: &str, mode: ParseMode) -> Result<Vec<Hunk>, ParseError> {
+fn parse_patch_text(patch: &str, mode: ParseMode) -> Result<ApplyPatchArgs, ParseError> {
    let lines: Vec<&str> = patch.trim().lines().collect();
    let lines: &[&str] = match check_patch_boundaries_strict(&lines) {
        Ok(()) => &lines,
@@ -173,7 +174,8 @@ fn parse_patch_text(patch: &str, mode: ParseMode) -> Result<Vec<Hunk>, ParseErro
        line_number += hunk_lines;
        remaining_lines = &remaining_lines[hunk_lines..]
    }
-    Ok(hunks)
+    let patch = lines.join("\n");
+    Ok(ApplyPatchArgs { hunks, patch })
 }

 /// Checks the start and end lines of the patch text for `apply_patch`,
@@ -425,6 +427,7 @@ fn parse_update_file_chunk(
 }

 #[test]
+#[allow(clippy::unwrap_used)]
 fn test_parse_patch() {
    assert_eq!(
        parse_patch_text("bad", ParseMode::Strict),
@@ -455,8 +458,10 @@ fn test_parse_patch() {
            "*** Begin Patch\n\
             *** End Patch",
            ParseMode::Strict
-        ),
-        Ok(Vec::new())
+        )
+        .unwrap()
+        .hunks,
+        Vec::new()
    );
    assert_eq!(
        parse_patch_text(
@@ -472,8 +477,10 @@ fn test_parse_patch() {
             +    return 123\n\
             *** End Patch",
            ParseMode::Strict
-        ),
-        Ok(vec![
+        )
+        .unwrap()
+        .hunks,
+        vec![
            AddFile {
                path: PathBuf::from("path/add.py"),
                contents: "abc\ndef\n".to_string()
@@ -491,7 +498,7 @@ fn test_parse_patch() {
                    is_end_of_file: false
                }]
            }
-        ])
+        ]
    );
    // Update hunk followed by another hunk (Add File).
    assert_eq!(
@@ -504,8 +511,10 @@ fn test_parse_patch() {
             +content\n\
             *** End Patch",
            ParseMode::Strict
-        ),
-        Ok(vec![
+        )
+        .unwrap()
+        .hunks,
+        vec![
            UpdateFile {
                path: PathBuf::from("file.py"),
                move_path: None,
@@ -520,7 +529,7 @@ fn test_parse_patch() {
                path: PathBuf::from("other.py"),
                contents: "content\n".to_string()
            }
-        ])
+        ]
    );

    // Update hunk without an explicit @@ header for the first chunk should parse.
@@ -533,8 +542,10 @@ fn test_parse_patch() {
 +bar
 *** End Patch"#,
            ParseMode::Strict
-        ),
-        Ok(vec![UpdateFile {
+        )
+        .unwrap()
+        .hunks,
+        vec![UpdateFile {
            path: PathBuf::from("file2.py"),
            move_path: None,
            chunks: vec![UpdateFileChunk {
@@ -543,7 +554,7 @@ fn test_parse_patch() {
                new_lines: vec!["import foo".to_string(), "bar".to_string()],
                is_end_of_file: false,
            }],
-        }])
+        }]
    );
 }

@@ -574,7 +585,10 @@ fn test_parse_patch_lenient() {
    );
    assert_eq!(
        parse_patch_text(&patch_text_in_heredoc, ParseMode::Lenient),
-        Ok(expected_patch.clone())
+        Ok(ApplyPatchArgs {
+            hunks: expected_patch.clone(),
+            patch: patch_text.to_string()
+        })
    );

    let patch_text_in_single_quoted_heredoc = format!("<<'EOF'\n{patch_text}\nEOF\n");
@@ -584,7 +598,10 @@ fn test_parse_patch_lenient() {
    );
    assert_eq!(
        parse_patch_text(&patch_text_in_single_quoted_heredoc, ParseMode::Lenient),
-        Ok(expected_patch.clone())
+        Ok(ApplyPatchArgs {
+            hunks: expected_patch.clone(),
+            patch: patch_text.to_string()
+        })
    );

    let patch_text_in_double_quoted_heredoc = format!("<<\"EOF\"\n{patch_text}\nEOF\n");
@@ -594,7 +611,10 @@ fn test_parse_patch_lenient() {
    );
    assert_eq!(
        parse_patch_text(&patch_text_in_double_quoted_heredoc, ParseMode::Lenient),
-        Ok(expected_patch.clone())
+        Ok(ApplyPatchArgs {
+            hunks: expected_patch.clone(),
+            patch: patch_text.to_string()
+        })
    );

    let patch_text_in_mismatched_quotes_heredoc = format!("<<\"EOF'\n{patch_text}\nEOF\n");
--- a/codex-rs/arg0/Cargo.toml
+++ b/codex-rs/arg0/Cargo.toml
@@ -0,0 +1,19 @@
+[package]
+edition = "2024"
+name = "codex-arg0"
+version = { workspace = true }
+
+[lib]
+name = "codex_arg0"
+path = "src/lib.rs"
+
+[lints]
+workspace = true
+
+[dependencies]
+anyhow = "1"
+codex-apply-patch = { path = "../apply-patch" }
+codex-core = { path = "../core" }
+codex-linux-sandbox = { path = "../linux-sandbox" }
+dotenvy = "0.15.7"
+tokio = { version = "1", features = ["rt-multi-thread"] }
--- a/codex-rs/arg0/src/lib.rs
+++ b/codex-rs/arg0/src/lib.rs
@@ -0,0 +1,91 @@
+use std::future::Future;
+use std::path::Path;
+use std::path::PathBuf;
+
+use codex_core::CODEX_APPLY_PATCH_ARG1;
+
+/// While we want to deploy the Codex CLI as a single executable for simplicity,
+/// we also want to expose some of its functionality as distinct CLIs, so we use
+/// the "arg0 trick" to determine which CLI to dispatch. This effectively allows
+/// us to simulate deploying multiple executables as a single binary on Mac and
+/// Linux (but not Windows).
+///
+/// When the current executable is invoked through the hard-link or alias named
+/// `codex-linux-sandbox` we *directly* execute
+/// [`codex_linux_sandbox::run_main`] (which never returns). Otherwise we:
+///
+/// 1.  Use [`dotenvy::from_path`] and [`dotenvy::dotenv`] to modify the
+///     environment before creating any threads.
+/// 2.  Construct a Tokio multi-thread runtime.
+/// 3.  Derive the path to the current executable (so children can re-invoke the
+///     sandbox) when running on Linux.
+/// 4.  Execute the provided async `main_fn` inside that runtime, forwarding any
+///     error. Note that `main_fn` receives `codex_linux_sandbox_exe:
+///     Option<PathBuf>`, as an argument, which is generally needed as part of
+///     constructing [`codex_core::config::Config`].
+///
+/// This function should be used to wrap any `main()` function in binary crates
+/// in this workspace that depends on these helper CLIs.
+pub fn arg0_dispatch_or_else<F, Fut>(main_fn: F) -> anyhow::Result<()>
+where
+    F: FnOnce(Option<PathBuf>) -> Fut,
+    Fut: Future<Output = anyhow::Result<()>>,
+{
+    // Determine if we were invoked via the special alias.
+    let mut args = std::env::args_os();
+    let argv0 = args.next().unwrap_or_default();
+    let exe_name = Path::new(&argv0)
+        .file_name()
+        .and_then(|s| s.to_str())
+        .unwrap_or("");
+
+    if exe_name == "codex-linux-sandbox" {
+        // Safety: [`run_main`] never returns.
+        codex_linux_sandbox::run_main();
+    }
+
+    let argv1 = args.next().unwrap_or_default();
+    if argv1 == CODEX_APPLY_PATCH_ARG1 {
+        let patch_arg = args.next().and_then(|s| s.to_str().map(|s| s.to_owned()));
+        let exit_code = match patch_arg {
+            Some(patch_arg) => {
+                let mut stdout = std::io::stdout();
+                let mut stderr = std::io::stderr();
+                match codex_apply_patch::apply_patch(&patch_arg, &mut stdout, &mut stderr) {
+                    Ok(()) => 0,
+                    Err(_) => 1,
+                }
+            }
+            None => {
+                eprintln!("Error: {CODEX_APPLY_PATCH_ARG1} requires a UTF-8 PATCH argument.");
+                1
+            }
+        };
+        std::process::exit(exit_code);
+    }
+
+    // This modifies the environment, which is not thread-safe, so do this
+    // before creating any threads/the Tokio runtime.
+    load_dotenv();
+
+    // Regular invocation – create a Tokio runtime and execute the provided
+    // async entry-point.
+    let runtime = tokio::runtime::Runtime::new()?;
+    runtime.block_on(async move {
+        let codex_linux_sandbox_exe: Option<PathBuf> = if cfg!(target_os = "linux") {
+            std::env::current_exe().ok()
+        } else {
+            None
+        };
+
+        main_fn(codex_linux_sandbox_exe).await
+    })
+}
+
+/// Load env vars from ~/.codex/.env and `$(pwd)/.env`.
+fn load_dotenv() {
+    if let Ok(codex_home) = codex_core::config::find_codex_home() {
+        dotenvy::from_path(codex_home.join(".env")).ok();
+    }
+    dotenvy::dotenv().ok();
+}
--- a/codex-rs/chatgpt/Cargo.toml
+++ b/codex-rs/chatgpt/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-chatgpt"
 version = { workspace = true }
-edition = "2024"

 [lints]
 workspace = true
@@ -9,12 +9,12 @@ workspace = true
 [dependencies]
 anyhow = "1"
 clap = { version = "4", features = ["derive"] }
-serde = { version = "1", features = ["derive"] }
-serde_json = "1"
 codex-common = { path = "../common", features = ["cli"] }
 codex-core = { path = "../core" }
 codex-login = { path = "../login" }
 reqwest = { version = "0.12", features = ["json", "stream"] }
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
 tokio = { version = "1", features = ["full"] }

 [dev-dependencies]
--- a/codex-rs/chatgpt/src/chatgpt_client.rs
+++ b/codex-rs/chatgpt/src/chatgpt_client.rs
@@ -21,10 +21,14 @@ pub(crate) async fn chatgpt_get_request<T: DeserializeOwned>(
    let token =
        get_chatgpt_token_data().ok_or_else(|| anyhow::anyhow!("ChatGPT token not available"))?;

+    let account_id = token.account_id.ok_or_else(|| {
+        anyhow::anyhow!("ChatGPT account ID not available, please re-run `codex login`")
+    });
+
    let response = client
        .get(&url)
        .bearer_auth(&token.access_token)
-        .header("chatgpt-account-id", &token.account_id)
+        .header("chatgpt-account-id", account_id?)
        .header("Content-Type", "application/json")
        .header("User-Agent", "codex-cli")
        .send()
--- a/codex-rs/chatgpt/src/chatgpt_token.rs
+++ b/codex-rs/chatgpt/src/chatgpt_token.rs
@@ -18,7 +18,10 @@ pub fn set_chatgpt_token_data(value: TokenData) {

 /// Initialize the ChatGPT token from auth.json file
 pub async fn init_chatgpt_token_from_auth(codex_home: &Path) -> std::io::Result<()> {
-    let auth_json = codex_login::try_read_auth_json(codex_home).await?;
-    set_chatgpt_token_data(auth_json.tokens.clone());
+    let auth = codex_login::load_auth(codex_home, true)?;
+    if let Some(auth) = auth {
+        let token_data = auth.get_token_data().await?;
+        set_chatgpt_token_data(token_data);
+    }
    Ok(())
 }
--- a/codex-rs/chatgpt/tests/apply_command_e2e.rs
+++ b/codex-rs/chatgpt/tests/apply_command_e2e.rs
@@ -10,8 +10,13 @@ use tokio::process::Command;
 async fn create_temp_git_repo() -> anyhow::Result<TempDir> {
    let temp_dir = TempDir::new()?;
    let repo_path = temp_dir.path();
+    let envs = vec![
+        ("GIT_CONFIG_GLOBAL", "/dev/null"),
+        ("GIT_CONFIG_NOSYSTEM", "1"),
+    ];

    let output = Command::new("git")
+        .envs(envs.clone())
        .args(["init"])
        .current_dir(repo_path)
        .output()
@@ -25,12 +30,14 @@ async fn create_temp_git_repo() -> anyhow::Result<TempDir> {
    }

    Command::new("git")
+        .envs(envs.clone())
        .args(["config", "user.email", "test@example.com"])
        .current_dir(repo_path)
        .output()
        .await?;

    Command::new("git")
+        .envs(envs.clone())
        .args(["config", "user.name", "Test User"])
        .current_dir(repo_path)
        .output()
@@ -39,12 +46,14 @@ async fn create_temp_git_repo() -> anyhow::Result<TempDir> {
    std::fs::write(repo_path.join("README.md"), "# Test Repo\n")?;

    Command::new("git")
+        .envs(envs.clone())
        .args(["add", "README.md"])
        .current_dir(repo_path)
        .output()
        .await?;

    let output = Command::new("git")
+        .envs(envs.clone())
        .args(["commit", "-m", "Initial commit"])
        .current_dir(repo_path)
        .output()
--- a/codex-rs/cli/Cargo.toml
+++ b/codex-rs/cli/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-cli"
 version = { workspace = true }
-edition = "2024"

 [[bin]]
 name = "codex"
@@ -18,21 +18,15 @@ workspace = true
 anyhow = "1"
 clap = { version = "4", features = ["derive"] }
 clap_complete = "4"
+codex-arg0 = { path = "../arg0" }
 codex-chatgpt = { path = "../chatgpt" }
-codex-core = { path = "../core" }
 codex-common = { path = "../common", features = ["cli"] }
+codex-core = { path = "../core" }
 codex-exec = { path = "../exec" }
 codex-login = { path = "../login" }
-codex-linux-sandbox = { path = "../linux-sandbox" }
 codex-mcp-server = { path = "../mcp-server" }
-# Added for `codex pap` subcommand to act as an MCP client to the `codex mcp` server.
-codex-mcp-client = { path = "../mcp-client" }
-# Direct dependency for types used in pap subcommand
-mcp-types = { path = "../mcp-types" }
 codex-tui = { path = "../tui" }
 serde_json = "1"
-serde = { version = "1", features = ["derive"] }
-chrono = { version = "0.4", default-features = false, features = ["clock"] }
 tokio = { version = "1", features = [
    "io-std",
    "macros",
@@ -42,10 +36,3 @@ tokio = { version = "1", features = [
 ] }
 tracing = "0.1.41"
 tracing-subscriber = "0.3.19"
-uuid = { version = "1", features = ["v4"] }
-
-[dev-dependencies]
-assert_cmd = "2"
-serde = { version = "1", features = ["derive"] }
-serde_json = "1"
-tempfile = "3"
--- a/codex-rs/cli/src/concurrent/mod.rs
+++ b/codex-rs/cli/src/concurrent/mod.rs
@@ -1,368 +0,0 @@
-use std::fs::File;
-use std::path::PathBuf;
-use std::process::{Command, Stdio};
-use std::io::Write; // added for write_all / flush
-
-use anyhow::Context;
-use codex_common::ApprovalModeCliArg;
-use codex_tui::Cli as TuiCli;
-
-/// Attempt to handle a concurrent background run. Returns Ok(true) if a background exec
-/// process was spawned (in which case the caller should NOT start the TUI), or Ok(false)
-/// to proceed with normal interactive execution.
-pub fn maybe_spawn_concurrent(
-    tui_cli: &mut TuiCli,
-    root_raw_overrides: &[String],
-    concurrent: bool,
-    concurrent_automerge: Option<bool>,
-    concurrent_branch_name: &Option<String>,
-) -> anyhow::Result<bool> {
-    if !concurrent { return Ok(false); }
-
-    // Enforce autonomous execution conditions when running interactive mode.
-    // Validate git repository presence (required for --concurrent) only if we're in interactive path.
-    {
-        let dir_to_check = tui_cli
-            .cwd
-            .clone()
-            .unwrap_or_else(|| std::env::current_dir().unwrap_or_else(|_| PathBuf::from(".")));
-        let status = Command::new("git")
-            .arg("-C")
-            .arg(&dir_to_check)
-            .arg("rev-parse")
-            .arg("--git-dir")
-            .stdout(Stdio::null())
-            .stderr(Stdio::null())
-            .status();
-        if status.as_ref().map(|s| !s.success()).unwrap_or(true) {
-            eprintln!(
-                "Error: --concurrent requires a git repository (directory {:?} is not managed by git).",
-                dir_to_check
-            );
-            std::process::exit(2);
-        }
-    }
-
-    let ap = tui_cli.approval_policy;
-    let approval_on_failure = matches!(ap, Some(ApprovalModeCliArg::OnFailure));
-    // (removed unused `autonomous` variable – full_auto logic applied directly below where needed)
-
-    // Build exec args from interactive CLI for autonomous run without TUI (background).
-    // todo: pap dynamically get those
-    let mut worker_args: Vec<String> = Vec::new();
-    // Map model/profile directly.
-    if let Some(model) = &tui_cli.model { worker_args.push("--model".into()); worker_args.push(model.clone()); }
-    if let Some(profile) = &tui_cli.config_profile { worker_args.push("--profile".into()); worker_args.push(profile.clone()); }
-    // Derive approval-policy & sandbox (respect explicit flags first, then full-auto / dangerous shortcuts).
-    let mut approval_policy: Option<String> = tui_cli.approval_policy.map(|a| format!("{a:?}").to_lowercase().replace('_', "-"));
-    let mut sandbox: Option<String> = tui_cli.sandbox_mode.map(|s| format!("{s:?}").to_lowercase().replace('_', "-"));
-    if approval_policy.is_none() && tui_cli.full_auto { approval_policy = Some("on-failure".into()); }
-    if sandbox.is_none() && tui_cli.full_auto { sandbox = Some("workspace-write".into()); }
-    if tui_cli.dangerously_bypass_approvals_and_sandbox { approval_policy = Some("never".into()); sandbox = Some("danger-full-access".into()); }
-    if let Some(ap) = approval_policy { worker_args.push("--approval-policy".into()); worker_args.push(ap); }
-    if let Some(sb) = sandbox { worker_args.push("--sandbox".into()); worker_args.push(sb); }
-    // Config overrides (-c) from root and interactive CLI.
-    for raw in root_raw_overrides { worker_args.push("--worker-config".into()); worker_args.push(raw.clone()); }
-    for raw in &tui_cli.config_overrides.raw_overrides { worker_args.push("--worker-config".into()); worker_args.push(raw.clone()); }
-
-    // Derive a single slug (shared by worktree branch & log filename) from the prompt.
-    let raw_prompt = tui_cli.prompt.as_deref().unwrap_or("");
-    let snippet = raw_prompt.chars().take(32).collect::<String>();
-    let mut slug: String = snippet
-        .chars()
-        .map(|c| if c.is_ascii_alphanumeric() { c.to_ascii_lowercase() } else { '-' })
-        .collect();
-    while slug.contains("--") { slug = slug.replace("--", "-"); }
-    slug = slug.trim_matches('-').to_string();
-    if slug.is_empty() { slug = "prompt".into(); }
-
-    // Determine concurrent defaults from env (no config file), then apply CLI precedence.
-    let env_automerge = parse_env_bool("CONCURRENT_AUTOMERGE");
-    let env_branch_name = std::env::var("CONCURRENT_BRANCH_NAME").ok();
-    let effective_automerge = concurrent_automerge.or(env_automerge).unwrap_or(true);
-    let user_branch_name_opt = concurrent_branch_name.clone().or(env_branch_name);
-    let branch_name_effective = if let Some(bn_raw) = user_branch_name_opt.as_ref() {
-        let bn_trim = bn_raw.trim();
-        if bn_trim.is_empty() { format!("codex/{slug}") } else { bn_trim.to_string() }
-    } else {
-        format!("codex/{slug}")
-    };
-
-    // Unique job id for this concurrent run (used for log file naming instead of slug).
-    let task_id = uuid::Uuid::new_v4().to_string();
-
-    // Prepare log file path early so we can write pre-spawn logs (e.g. worktree creation output) into it.
-    let log_dir = match codex_base_dir() {
-        Ok(base) => {
-            let d = base.join("log");
-            let _ = std::fs::create_dir_all(&d);
-            d
-        }
-        Err(_) => PathBuf::from("/tmp"),
-    };
-    let log_path = log_dir.join(format!("codex-logs-{}.log", task_id));
-
-    // If user did NOT specify an explicit cwd, create an isolated git worktree.
-    let mut created_worktree: Option<(PathBuf, String)> = None; // (path, branch)
-    let mut original_branch: Option<String> = None;
-    let mut original_commit: Option<String> = None;
-    let mut pre_spawn_logs = String::new();
-    if tui_cli.cwd.is_none() {
-        original_branch = git_capture(["rev-parse", "--abbrev-ref", "HEAD"]).ok();
-        original_commit = git_capture(["rev-parse", "HEAD"]).ok();
-        match create_concurrent_worktree(&branch_name_effective) {
-            Ok(Some(info)) => {
-                // Record worktree path to pass as --cwd to worker
-                worker_args.push("--cwd".into());
-                worker_args.push(info.worktree_path.display().to_string());
-                created_worktree = Some((info.worktree_path, info.branch_name.clone()));
-                // Keep the original git output plus a concise created line (for log file only).
-                pre_spawn_logs.push_str(&info.logs);
-                pre_spawn_logs.push_str(&format!(
-                    "Created git worktree at {} (branch {}) for concurrent run\n",
-                    created_worktree.as_ref().unwrap().0.display(), info.branch_name
-                ));
-            }
-            Ok(None) => {
-                // Silence console noise: do not warn here to keep stdout clean; we still proceed.
-            }
-            Err(e) => {
-                eprintln!("Error: failed to create git worktree for --concurrent: {e}");
-                eprintln!("Hint: remove or rename existing branch '{branch_name_effective}', or pass --concurrent-branch-name to choose a unique name.");
-                std::process::exit(3);
-            }
-        }
-    } else if let Some(explicit) = &tui_cli.cwd {
-        worker_args.push("--cwd".into());
-        worker_args.push(explicit.display().to_string());
-    }
-
-    // Prompt (safe to unwrap due to earlier validation in autonomous case). For non-autonomous
-    // (interactive later) runs we intentionally do NOT pass the prompt to the subprocess so it
-    // will wait for a Submission over stdin.
-    if let Some(prompt) = tui_cli.prompt.clone() { worker_args.push("--prompt".into()); worker_args.push(prompt); } else { eprintln!("Error: --concurrent requires a prompt."); return Ok(false); }
-
-    // Create (or truncate) the log file and write any pre-spawn logs we captured.
-    let file = match File::create(&log_path) {
-        Ok(mut f) => {
-            if !pre_spawn_logs.is_empty() {
-                let _ = f.write_all(pre_spawn_logs.as_bytes());
-                let _ = f.flush();
-            }
-            f
-        }
-        Err(e) => {
-            eprintln!("Failed to create log file {}: {e}. Falling back to interactive mode.", log_path.display());
-            return Ok(false);
-        }
-    };
-    let file_err = file.try_clone().ok();
-    let mut cmd = Command::new(
-        std::env::current_exe().unwrap_or_else(|_| PathBuf::from("codex"))
-    );
-    cmd.arg("worker");
-    for a in &worker_args { cmd.arg(a); }
-    if let Some((wt_path, branch)) = &created_worktree {
-        if effective_automerge { cmd.env("CODEX_CONCURRENT_AUTOMERGE", "1"); }
-        cmd.env("CODEX_CONCURRENT_BRANCH", branch);
-        cmd.env("CODEX_CONCURRENT_WORKTREE", wt_path);
-        if let Some(ob) = &original_branch { cmd.env("CODEX_ORIGINAL_BRANCH", ob); }
-        if let Some(oc) = &original_commit { cmd.env("CODEX_ORIGINAL_COMMIT", oc); }
-        if let Ok(orig_root) = std::env::current_dir() { cmd.env("CODEX_ORIGINAL_ROOT", orig_root); }
-    }
-    cmd.env("CODEX_TASK_ID", &task_id);
-    cmd.stdout(Stdio::from(file));
-    if let Some(f2) = file_err { cmd.stderr(Stdio::from(f2)); }
-    match cmd.spawn() {
-        Ok(mut child) => {
-            let branch_val = created_worktree.as_ref().map(|(_, b)| b.as_str()).unwrap_or("(none)");
-            let worktree_val = created_worktree
-                .as_ref()
-                .map(|(p, _)| p.display().to_string())
-                .unwrap_or_else(|| "(original cwd)".to_string());
-            println!("\x1b[1mTask ID:\x1b[0m {}", task_id);
-            println!("\x1b[1mPID:\x1b[0m {}", child.id());
-            println!("\x1b[1mBranch:\x1b[0m {}", branch_val);
-            println!("\x1b[1mWorktree:\x1b[0m {}", worktree_val);
-            let initial_state = "started";
-            println!("\x1b[1mState:\x1b[0m {}", initial_state);
-            println!("\nStreaming logs (press Ctrl+C to abort view; task will continue)...\n");
-            let record_time = std::time::SystemTime::now()
-                .duration_since(std::time::UNIX_EPOCH)
-                .map(|d| d.as_secs())
-                .unwrap_or(0);
-            if let Ok(base) = codex_base_dir() {
-                let tasks_path = base.join("tasks.jsonl");
-                let record = serde_json::json!({
-                    "task_id": task_id,
-                    "pid": child.id(),
-                    "worktree": created_worktree.as_ref().map(|(p, _)| p.display().to_string()),
-                    "branch": created_worktree.as_ref().map(|(_, b)| b.clone()),
-                    "original_branch": original_branch,
-                    "original_commit": original_commit,
-                    "log_path": log_path.display().to_string(),
-                    "prompt": raw_prompt,
-                    "model": tui_cli.model.clone(),
-                    "start_time": record_time,
-                    "automerge": effective_automerge,
-                    "explicit_branch_name": user_branch_name_opt,
-                    "token_count": serde_json::Value::Null,
-                    "state": initial_state,
-                });
-                if let Ok(mut f) = std::fs::OpenOptions::new().create(true).append(true).open(&tasks_path) {
-                    use std::io::Write;
-                    let _ = writeln!(f, "{}", record.to_string());
-                }
-            }
-            if let Err(e) = stream_log_until_exit(&log_path, &mut child) {
-                eprintln!("Error streaming logs: {e}");
-            }
-            return Ok(true);
-        }
-        Err(e) => {
-            eprintln!("Failed to start background exec: {e}. Falling back to interactive mode.");
-        }
-    }
-
-    Ok(false)
-}
-
-/// Return the base Codex directory under the user's home (~/.codex), creating it if necessary.
-fn codex_base_dir() -> anyhow::Result<PathBuf> {
-    if let Ok(val) = std::env::var("CODEX_HOME") {
-        if !val.is_empty() {
-            return Ok(PathBuf::from(val).canonicalize()?);
-        }
-    }
-    let home = std::env::var_os("HOME").ok_or_else(|| anyhow::anyhow!("Could not find home directory"))?;
-    let base = PathBuf::from(home).join(".codex");
-    std::fs::create_dir_all(&base)?;
-    Ok(base)
-}
-
-/// Attempt to create a git worktree for an isolated concurrent run capturing git output.
-struct WorktreeInfo { worktree_path: PathBuf, branch_name: String, logs: String }
-fn create_concurrent_worktree(branch_name: &str) -> anyhow::Result<Option<WorktreeInfo>> {
-    // Determine repository root.
-    let output = Command::new("git").arg("rev-parse").arg("--show-toplevel").output();
-    let repo_root = match output {
-        Ok(out) if out.status.success() => {
-            let s = String::from_utf8_lossy(&out.stdout).trim().to_string();
-            if s.is_empty() { return Ok(None); }
-            PathBuf::from(s)
-        }
-        _ => return Ok(None),
-    };
-
-    // Derive repo name from root directory.
-    let repo_name = repo_root
-        .file_name()
-        .and_then(|s| s.to_str())
-        .unwrap_or("repo");
-
-    // Fast-fail if branch already exists.
-    if Command::new("git")
-        .current_dir(&repo_root)
-        .arg("rev-parse")
-        .arg("--verify")
-        .arg(branch_name)
-        .stdout(Stdio::null())
-        .stderr(Stdio::null())
-        .status()
-        .map(|s| s.success())
-        .unwrap_or(false) {
-        anyhow::bail!("branch '{branch_name}' already exists");
-    }
-
-    // Construct worktree directory under ~/.codex/worktrees/<repo_name>/.
-    let base_dir = codex_base_dir()?.join("worktrees").join(repo_name);
-    std::fs::create_dir_all(&base_dir)?;
-    let mut worktree_path = base_dir.join(branch_name.replace('/', "-"));
-
-    if worktree_path.exists() {
-        for i in 1..1000 {
-            let candidate = base_dir.join(format!("{}-{}", branch_name.replace('/', "-"), i));
-            if !candidate.exists() { worktree_path = candidate; break; }
-        }
-    }
-
-    // Run git worktree add capturing output (stdout+stderr).
-    let add_out = Command::new("git")
-        .current_dir(&repo_root)
-        .arg("worktree")
-        .arg("add")
-        .arg("-b")
-        .arg(&branch_name)
-        .arg(&worktree_path)
-        .arg("HEAD")
-        .output()?;
-    if !add_out.status.success() {
-        anyhow::bail!("git worktree add failed with status {}", add_out.status);
-    }
-    let mut logs = String::new();
-    if !add_out.stdout.is_empty() { logs.push_str(&String::from_utf8_lossy(&add_out.stdout)); }
-    if !add_out.stderr.is_empty() { logs.push_str(&String::from_utf8_lossy(&add_out.stderr)); }
-
-    Ok(Some(WorktreeInfo { worktree_path, branch_name: branch_name.to_string(), logs }))
-}
-
-/// Helper: capture trimmed stdout of a git command.
-fn git_capture<I, S>(args: I) -> anyhow::Result<String>
-where
-    I: IntoIterator<Item = S>,
-    S: AsRef<str>,
-{
-    let mut cmd = Command::new("git");
-    for a in args { cmd.arg(a.as_ref()); }
-    let out = cmd.output().context("running git command")?;
-    if !out.status.success() { anyhow::bail!("git command failed"); }
-    Ok(String::from_utf8_lossy(&out.stdout).trim().to_string())
-}
-
-/// Parse common boolean environment variable representations.
-fn parse_env_bool(name: &str) -> Option<bool> {
-    let raw = std::env::var(name).ok()?;
-    let lower = raw.to_ascii_lowercase();
-    match lower.as_str() {
-        "1" | "true" | "yes" | "on" => Some(true),
-        "0" | "false" | "no" | "off" => Some(false),
-        _ => None,
-    }
-}
-
-// Attach helper: follow the log file while the child runs.
-// todo: remove this once we have a tui
-fn stream_log_until_exit(log_path: &std::path::Path, child: &mut std::process::Child) -> anyhow::Result<()> {
-    use std::io::{Read, Seek, SeekFrom};
-    use std::time::Duration;
-    let mut f = std::fs::OpenOptions::new().read(true).open(log_path)?;
-    // Print any existing content first.
-    let mut existing = String::new();
-    f.read_to_string(&mut existing)?;
-    print!("{}", existing);
-    let mut pos: u64 = existing.len() as u64;
-    loop {
-        // Check if process has exited.
-        if let Some(status) = child.try_wait()? {
-            // Drain any remaining bytes.
-            let mut tail = String::new();
-            f.seek(SeekFrom::Start(pos))?;
-            f.read_to_string(&mut tail)?;
-            if !tail.is_empty() { print!("{}", tail); }
-            println!("\n\x1b[1mTask exited with status: {}\x1b[0m", status);
-            break;
-        }
-        // Read new bytes if any.
-        let meta = f.metadata()?;
-        let len = meta.len();
-        if len > pos {
-            f.seek(SeekFrom::Start(pos))?;
-            let mut buf = String::new();
-            f.read_to_string(&mut buf)?;
-            if !buf.is_empty() { print!("{}", buf); }
-            pos = len;
-        }
-        std::thread::sleep(Duration::from_millis(500));
-    }
-    Ok(())
-} 
--- a/codex-rs/cli/src/debug_sandbox.rs
+++ b/codex-rs/cli/src/debug_sandbox.rs
@@ -4,10 +4,10 @@ use codex_common::CliConfigOverrides;
 use codex_core::config::Config;
 use codex_core::config::ConfigOverrides;
 use codex_core::config_types::SandboxMode;
-use codex_core::exec::StdioPolicy;
 use codex_core::exec::spawn_command_under_linux_sandbox;
-use codex_core::exec::spawn_command_under_seatbelt;
 use codex_core::exec_env::create_env;
+use codex_core::seatbelt::spawn_command_under_seatbelt;
+use codex_core::spawn::StdioPolicy;

 use crate::LandlockCommand;
 use crate::SeatbeltCommand;
--- a/codex-rs/cli/src/inspect.rs
+++ b/codex-rs/cli/src/inspect.rs
@@ -1,185 +0,0 @@
-use clap::Parser;
-use serde::Deserialize;
-use std::fs::File;
-use std::io::{BufRead, BufReader};
-use std::path::PathBuf;
-use std::fs;
-
-#[derive(Debug, Parser)]
-pub struct InspectCli {
-    /// Task identifier (full/short task id or exact branch name)
-    pub id: String,
-    /// Output JSON instead of human table
-    #[arg(long)]
-    pub json: bool,
-}
-
-#[derive(Debug, Deserialize)]
-struct RawRecord {
-    task_id: Option<String>,
-    pid: Option<u64>,
-    worktree: Option<String>,
-    branch: Option<String>,
-    original_branch: Option<String>,
-    original_commit: Option<String>,
-    log_path: Option<String>,
-    prompt: Option<String>,
-    model: Option<String>,
-    start_time: Option<u64>,
-    update_time: Option<u64>,
-    token_count: Option<serde_json::Value>,
-    state: Option<String>,
-    completion_time: Option<u64>,
-    end_time: Option<u64>,
-    automerge: Option<bool>,
-    explicit_branch_name: Option<String>,
-}
-
-#[derive(Debug, serde::Serialize, Default, Clone)]
-struct TaskFull {
-    task_id: String,
-    pid: Option<u64>,
-    branch: Option<String>,
-    worktree: Option<String>,
-    original_branch: Option<String>,
-    original_commit: Option<String>,
-    log_path: Option<String>,
-    prompt: Option<String>,
-    model: Option<String>,
-    start_time: Option<u64>,
-    end_time: Option<u64>,
-    state: Option<String>,
-    total_tokens: Option<u64>,
-    input_tokens: Option<u64>,
-    output_tokens: Option<u64>,
-    reasoning_output_tokens: Option<u64>,
-    automerge: Option<bool>,
-    explicit_branch_name: Option<String>,
-    last_update_time: Option<u64>,
-    duration_secs: Option<u64>,
-}
-
-pub fn run_inspect(cli: InspectCli) -> anyhow::Result<()> {
-    let id = cli.id.to_lowercase();
-    let tasks = load_task_records()?;
-    let matches: Vec<TaskFull> = tasks
-        .into_iter()
-        .filter(|t| t.task_id.starts_with(&id) || t.branch.as_deref().map(|b| b == id).unwrap_or(false))
-        .collect();
-    if matches.is_empty() {
-        eprintln!("No task matches identifier '{}'.", id);
-        return Ok(());
-    }
-    if matches.len() > 1 {
-        eprintln!("Identifier '{}' is ambiguous; matches: {}", id, matches.iter().map(|m| &m.task_id[..8]).collect::<Vec<_>>().join(", "));
-        return Ok(());
-    }
-    let task = &matches[0];
-    if cli.json {
-        println!("{}", serde_json::to_string_pretty(task)?);
-        return Ok(());
-    }
-    print_human(task);
-    Ok(())
-}
-
-fn base_dir() -> Option<PathBuf> {
-    if let Ok(val) = std::env::var("CODEX_HOME") { if !val.is_empty() { return std::fs::canonicalize(val).ok(); } }
-    let home = std::env::var_os("HOME")?;
-    Some(PathBuf::from(home).join(".codex"))
-}
-
-fn load_task_records() -> anyhow::Result<Vec<TaskFull>> {
-    let mut map: std::collections::HashMap<String, TaskFull> = std::collections::HashMap::new();
-    let Some(base) = base_dir() else { return Ok(vec![]); };
-    let tasks = base.join("tasks.jsonl");
-    if !tasks.exists() { return Ok(vec![]); }
-    let f = File::open(tasks)?;
-    let reader = BufReader::new(f);
-    for line in reader.lines() {
-        let Ok(line) = line else { continue };
-        if line.trim().is_empty() { continue; }
-        let Ok(val) = serde_json::from_str::<serde_json::Value>(&line) else { continue };
-        let Ok(rec) = serde_json::from_value::<RawRecord>(val) else { continue };
-        let Some(task_id) = rec.task_id.clone() else { continue };
-        let entry = map.entry(task_id.clone()).or_insert_with(|| TaskFull { task_id: task_id.clone(), ..Default::default() });
-        // Initial metadata fields
-        if rec.start_time.is_some() {
-            entry.pid = rec.pid.or(entry.pid);
-            entry.branch = rec.branch.or(entry.branch.clone());
-            entry.worktree = rec.worktree.or(entry.worktree.clone());
-            entry.original_branch = rec.original_branch.or(entry.original_branch.clone());
-            entry.original_commit = rec.original_commit.or(entry.original_commit.clone());
-            entry.log_path = rec.log_path.or(entry.log_path.clone());
-            entry.prompt = rec.prompt.or(entry.prompt.clone());
-            entry.model = rec.model.or(entry.model.clone());
-            entry.start_time = rec.start_time.or(entry.start_time);
-            entry.automerge = rec.automerge.or(entry.automerge);
-            entry.explicit_branch_name = rec.explicit_branch_name.or(entry.explicit_branch_name.clone());
-        }
-        if let Some(state) = rec.state { entry.state = Some(state); }
-        if rec.update_time.is_some() { entry.last_update_time = rec.update_time; }
-        if rec.end_time.is_some() || rec.completion_time.is_some() {
-            entry.end_time = rec.end_time.or(rec.completion_time).or(entry.end_time);
-        }
-        if let Some(tc) = rec.token_count.as_ref() {
-            if let Some(total) = tc.get("total_tokens").and_then(|v| v.as_u64()) { entry.total_tokens = Some(total); }
-            if let Some(inp) = tc.get("input_tokens").and_then(|v| v.as_u64()) { entry.input_tokens = Some(inp); }
-            if let Some(out) = tc.get("output_tokens").and_then(|v| v.as_u64()) { entry.output_tokens = Some(out); }
-            if let Some(rout) = tc.get("reasoning_output_tokens").and_then(|v| v.as_u64()) { entry.reasoning_output_tokens = Some(rout); }
-        }
-    }
-    // Compute duration
-    for t in map.values_mut() {
-        if let (Some(s), Some(e)) = (t.start_time, t.end_time) { t.duration_secs = Some(e.saturating_sub(s)); }
-    }
-    Ok(map.into_values().collect())
-}
-
-fn print_human(task: &TaskFull) {
-    println!("Task {}", task.task_id);
-    println!("State: {}", task.state.as_deref().unwrap_or("?"));
-    if let Some(model) = &task.model { println!("Model: {}", model); } else { println!("Model: {}", resolve_default_model()); }
-    if let Some(branch) = &task.branch { println!("Branch: {}", branch); }
-    if let Some(wt) = &task.worktree { println!("Worktree: {}", wt); }
-    if let Some(ob) = &task.original_branch { println!("Original branch: {}", ob); }
-    if let Some(oc) = &task.original_commit { println!("Original commit: {}", oc); }
-    if let Some(start) = task.start_time { println!("Start: {}", format_epoch(start)); }
-    if let Some(end) = task.end_time { println!("End: {}", format_epoch(end)); }
-    if let Some(d) = task.duration_secs { println!("Duration: {}s", d); }
-    if let Some(pid) = task.pid { println!("PID: {}", pid); }
-    if let Some(log) = &task.log_path { println!("Log: {}", log); }
-    if let Some(am) = task.automerge { println!("Automerge: {}", am); }
-    if let Some(exp) = &task.explicit_branch_name { println!("Explicit branch name: {}", exp); }
-    if let Some(total) = task.total_tokens { println!("Total tokens: {}", total); }
-    if task.input_tokens.is_some() || task.output_tokens.is_some() {
-        println!("  Input: {:?} Output: {:?} Reasoning: {:?}", task.input_tokens, task.output_tokens, task.reasoning_output_tokens);
-    }
-    if let Some(p) = &task.prompt { println!("Prompt:\n{}", p); }
-}
-
-fn format_epoch(secs: u64) -> String {
-    use chrono::{TimeZone, Utc};
-    if let Some(dt) = Utc.timestamp_opt(secs as i64, 0).single() { dt.to_rfc3339() } else { secs.to_string() }
-}
-
-fn resolve_default_model() -> String {
-    if let Some(base) = base_dir() {
-        let candidates = ["config.json", "config.yaml", "config.yml"];
-        for name in candidates {
-            let p = base.join(name);
-            if p.exists() {
-                if let Ok(raw) = fs::read_to_string(&p) {
-                    if name.ends_with(".json") {
-                        if let Ok(v) = serde_json::from_str::<serde_json::Value>(&raw) {
-                            if let Some(m) = v.get("model").and_then(|x| x.as_str()) { if !m.trim().is_empty() { return m.to_string(); } }
-                        }
-                    } else {
-                        for line in raw.lines() { if let Some(rest) = line.trim().strip_prefix("model:") { let val = rest.trim().trim_matches('"'); if !val.is_empty() { return val.to_string(); } } }
-                    }
-                }
-            }
-        }
-    }
-    "codex-mini-latest".to_string()
-} 
--- a/codex-rs/cli/src/lib.rs
+++ b/codex-rs/cli/src/lib.rs
@@ -1,11 +1,7 @@
-pub mod concurrent;
 pub mod debug_sandbox;
 mod exit_status;
 pub mod login;
 pub mod proto;
-pub mod tasks;
-pub mod logs;
-pub mod inspect;

 use clap::Parser;
 use codex_common::CliConfigOverrides;
--- a/codex-rs/cli/src/login.rs
+++ b/codex-rs/cli/src/login.rs
@@ -1,25 +1,16 @@
+use std::env;
+
 use codex_common::CliConfigOverrides;
 use codex_core::config::Config;
 use codex_core::config::ConfigOverrides;
+use codex_login::AuthMode;
+use codex_login::OPENAI_API_KEY_ENV_VAR;
+use codex_login::load_auth;
+use codex_login::login_with_api_key;
 use codex_login::login_with_chatgpt;

 pub async fn run_login_with_chatgpt(cli_config_overrides: CliConfigOverrides) -> ! {
-    let cli_overrides = match cli_config_overrides.parse_overrides() {
-        Ok(v) => v,
-        Err(e) => {
-            eprintln!("Error parsing -c overrides: {e}");
-            std::process::exit(1);
-        }
-    };
-
-    let config_overrides = ConfigOverrides::default();
-    let config = match Config::load_with_cli_overrides(cli_overrides, config_overrides) {
-        Ok(config) => config,
-        Err(e) => {
-            eprintln!("Error loading configuration: {e}");
-            std::process::exit(1);
-        }
-    };
+    let config = load_config_or_exit(cli_config_overrides);

    let capture_output = false;
    match login_with_chatgpt(&config.codex_home, capture_output).await {
@@ -33,3 +24,103 @@ pub async fn run_login_with_chatgpt(cli_config_overrides: CliConfigOverrides) ->
        }
    }
 }
+
+pub async fn run_login_with_api_key(
+    cli_config_overrides: CliConfigOverrides,
+    api_key: String,
+) -> ! {
+    let config = load_config_or_exit(cli_config_overrides);
+
+    match login_with_api_key(&config.codex_home, &api_key) {
+        Ok(_) => {
+            eprintln!("Successfully logged in");
+            std::process::exit(0);
+        }
+        Err(e) => {
+            eprintln!("Error logging in: {e}");
+            std::process::exit(1);
+        }
+    }
+}
+
+pub async fn run_login_status(cli_config_overrides: CliConfigOverrides) -> ! {
+    let config = load_config_or_exit(cli_config_overrides);
+
+    match load_auth(&config.codex_home, true) {
+        Ok(Some(auth)) => match auth.mode {
+            AuthMode::ApiKey => {
+                if let Some(api_key) = auth.api_key.as_deref() {
+                    eprintln!("Logged in using an API key - {}", safe_format_key(api_key));
+
+                    if let Ok(env_api_key) = env::var(OPENAI_API_KEY_ENV_VAR) {
+                        if env_api_key == api_key {
+                            eprintln!(
+                                "   API loaded from OPENAI_API_KEY environment variable or .env file"
+                            );
+                        }
+                    }
+                } else {
+                    eprintln!("Logged in using an API key");
+                }
+                std::process::exit(0);
+            }
+            AuthMode::ChatGPT => {
+                eprintln!("Logged in using ChatGPT");
+                std::process::exit(0);
+            }
+        },
+        Ok(None) => {
+            eprintln!("Not logged in");
+            std::process::exit(1);
+        }
+        Err(e) => {
+            eprintln!("Error checking login status: {e}");
+            std::process::exit(1);
+        }
+    }
+}
+
+fn load_config_or_exit(cli_config_overrides: CliConfigOverrides) -> Config {
+    let cli_overrides = match cli_config_overrides.parse_overrides() {
+        Ok(v) => v,
+        Err(e) => {
+            eprintln!("Error parsing -c overrides: {e}");
+            std::process::exit(1);
+        }
+    };
+
+    let config_overrides = ConfigOverrides::default();
+    match Config::load_with_cli_overrides(cli_overrides, config_overrides) {
+        Ok(config) => config,
+        Err(e) => {
+            eprintln!("Error loading configuration: {e}");
+            std::process::exit(1);
+        }
+    }
+}
+
+fn safe_format_key(key: &str) -> String {
+    if key.len() <= 13 {
+        return "***".to_string();
+    }
+    let prefix = &key[..8];
+    let suffix = &key[key.len() - 5..];
+    format!("{prefix}***{suffix}")
+}
+
+#[cfg(test)]
+mod tests {
+    use super::safe_format_key;
+
+    #[test]
+    fn formats_long_key() {
+        let key = "sk-proj-1234567890ABCDE";
+        assert_eq!(safe_format_key(key), "sk-proj-***ABCDE");
+    }
+
+    #[test]
+    fn short_key_returns_stars() {
+        let key = "sk-proj-12345";
+        assert_eq!(safe_format_key(key), "***");
+    }
+}
--- a/codex-rs/cli/src/logs.rs
+++ b/codex-rs/cli/src/logs.rs
@@ -1,145 +0,0 @@
-use clap::Parser;
-use serde::Deserialize;
-use std::collections::HashMap;
-use std::fs::File;
-use std::io::{BufRead, BufReader, Read, Seek, SeekFrom};
-use std::path::PathBuf;
-use std::thread;
-use std::time::Duration;
-
-#[derive(Debug, Parser)]
-pub struct LogsCli {
-    /// Task identifier: full/short task UUID or branch name
-    pub id: String,
-    /// Follow log output (stream new lines)
-    #[arg(short = 'f', long = "follow")]
-    pub follow: bool,
-    /// Show only the last N lines (like tail -n). If omitted, show full file.
-    #[arg(short = 'n', long = "lines")]
-    pub lines: Option<usize>,
-}
-
-#[derive(Debug, Deserialize)]
-struct RawRecord {
-    task_id: Option<String>,
-    branch: Option<String>,
-    log_path: Option<String>,
-    start_time: Option<u64>,
-}
-
-#[derive(Debug, Clone)]
-struct TaskMeta {
-    task_id: String,
-    branch: Option<String>,
-    log_path: String,
-    start_time: Option<u64>,
-}
-
-pub fn run_logs(cli: LogsCli) -> anyhow::Result<()> {
-    let id = cli.id.to_lowercase();
-    let tasks = load_tasks_index()?;
-    if tasks.is_empty() {
-        eprintln!("No tasks found in tasks.jsonl");
-        return Ok(());
-    }
-    let matches: Vec<&TaskMeta> = tasks
-        .values()
-        .filter(|meta| {
-            meta.task_id.starts_with(&id) || meta.branch.as_deref().map(|b| b == id).unwrap_or(false)
-        })
-        .collect();
-    if matches.is_empty() {
-        eprintln!("No task matches identifier '{}'.", id);
-        return Ok(());
-    }
-    if matches.len() > 1 {
-        eprintln!("Identifier '{}' is ambiguous; matches: {}", id, matches.iter().map(|m| &m.task_id[..8]).collect::<Vec<_>>().join(", "));
-        return Ok(());
-    }
-    let task = matches[0];
-    let path = PathBuf::from(&task.log_path);
-    if !path.exists() {
-        eprintln!("Log file not found at {}", path.display());
-        return Ok(());
-    }
-
-    if cli.follow {
-        tail_file(&path, cli.lines)?;
-    } else {
-        print_file(&path, cli.lines)?;
-    }
-    Ok(())
-}
-
-fn base_dir() -> Option<PathBuf> {
-    if let Ok(val) = std::env::var("CODEX_HOME") { if !val.is_empty() { return std::fs::canonicalize(val).ok(); } }
-    let home = std::env::var_os("HOME")?;
-    Some(PathBuf::from(home).join(".codex"))
-}
-
-fn load_tasks_index() -> anyhow::Result<HashMap<String, TaskMeta>> {
-    let mut map: HashMap<String, TaskMeta> = HashMap::new();
-    let Some(base) = base_dir() else { return Ok(map); };
-    let tasks = base.join("tasks.jsonl");
-    if !tasks.exists() { return Ok(map); }
-    let f = File::open(tasks)?;
-    let reader = BufReader::new(f);
-    for line in reader.lines() {
-        let Ok(line) = line else { continue };
-        if line.trim().is_empty() { continue; }
-        let Ok(val) = serde_json::from_str::<serde_json::Value>(&line) else { continue };
-        let Ok(rec) = serde_json::from_value::<RawRecord>(val) else { continue };
-        let (Some(task_id), Some(log_path)) = (rec.task_id.clone(), rec.log_path.clone()) else { continue };
-        // Insert or update only if not already present (we just need initial metadata)
-        map.entry(task_id.clone()).or_insert(TaskMeta {
-            task_id,
-            branch: rec.branch,
-            log_path,
-            start_time: rec.start_time,
-        });
-    }
-    Ok(map)
-}
-
-fn print_file(path: &PathBuf, last_lines: Option<usize>) -> anyhow::Result<()> {
-    if let Some(n) = last_lines {
-        let f = File::open(path)?;
-        let reader = BufReader::new(f);
-        let mut buf: std::collections::VecDeque<String> = std::collections::VecDeque::with_capacity(n);
-        for line in reader.lines() {
-            if let Ok(l) = line { if buf.len() == n { buf.pop_front(); } buf.push_back(l); }
-        }
-        for l in buf { println!("{}", l); }
-        return Ok(());
-    }
-    // Full file
-    let mut f = File::open(path)?;
-    let mut contents = String::new();
-    f.read_to_string(&mut contents)?;
-    print!("{}", contents);
-    Ok(())
-}
-
-fn tail_file(path: &PathBuf, last_lines: Option<usize>) -> anyhow::Result<()> {
-    use std::io::{self};
-    // Initial output
-    if let Some(n) = last_lines { print_file(path, Some(n))?; } else { print_file(path, None)?; }
-    let mut f = File::open(path)?;
-    let mut pos = f.metadata()?.len();
-    loop {
-        thread::sleep(Duration::from_millis(500));
-        let meta = match f.metadata() { Ok(m) => m, Err(_) => break };
-        let len = meta.len();
-        if len < pos { // truncated
-            pos = 0;
-        }
-        if len > pos {
-            f.seek(SeekFrom::Start(pos))?;
-            let mut buf = String::new();
-            f.read_to_string(&mut buf)?;
-            if !buf.is_empty() { print!("{}", buf); io::Write::flush(&mut std::io::stdout())?; }
-            pos = len;
-        }
-    }
-    Ok(())
-} 
--- a/codex-rs/cli/src/main.rs
+++ b/codex-rs/cli/src/main.rs
@@ -2,11 +2,13 @@ use clap::CommandFactory;
 use clap::Parser;
 use clap_complete::Shell;
 use clap_complete::generate;
+use codex_arg0::arg0_dispatch_or_else;
 use codex_chatgpt::apply_command::ApplyCommand;
 use codex_chatgpt::apply_command::run_apply_command;
-use codex_cli::concurrent::maybe_spawn_concurrent;
 use codex_cli::LandlockCommand;
 use codex_cli::SeatbeltCommand;
+use codex_cli::login::run_login_status;
+use codex_cli::login::run_login_with_api_key;
 use codex_cli::login::run_login_with_chatgpt;
 use codex_cli::proto;
 use codex_common::CliConfigOverrides;
@@ -15,11 +17,6 @@ use codex_tui::Cli as TuiCli;
 use std::path::PathBuf;

 use crate::proto::ProtoCli;
-use codex_mcp_client::McpClient;
-use mcp_types::{ClientCapabilities, Implementation};
-use serde_json::json;
-use std::time::Duration;
-use tracing::{debug, info};

 /// Codex CLI
 ///
@@ -38,25 +35,6 @@ struct MultitoolCli {
    #[clap(flatten)]
    interactive: TuiCli,

-    /// Autonomous mode: run the command in the background & concurrently using a git worktree.
-    /// Requires the current directory (or --cd provided path) to be a git repository.
-    #[clap(long)]
-    concurrent: bool,
-
-    /// Control whether the concurrent run auto-merges the worktree branch back into the original branch.
-    /// Defaults to true (may also be set via CONCURRENT_AUTOMERGE env var).
-    #[clap(long = "concurrent-automerge", value_name = "BOOL")]
-    concurrent_automerge: Option<bool>,
-
-    /// Explicit branch name to use for the concurrent worktree instead of the default `codex/<slug>`.
-    /// May also be set via CONCURRENT_BRANCH_NAME env var.
-    #[clap(long = "concurrent-branch-name", value_name = "BRANCH")]
-    concurrent_branch_name: Option<String>,
-
-    /// Best-of-n: run n concurrent worktrees (1-4) and let user pick the best result. Implies --concurrent and disables automerge.
-    #[clap(long = "best-of-n", short = 'n', value_name = "N", default_value_t = 1)]
-    pub best_of_n: u8,
-
    #[clap(subcommand)]
    subcommand: Option<Subcommand>,
 }
@@ -67,7 +45,7 @@ enum Subcommand {
    #[clap(visible_alias = "e")]
    Exec(ExecCli),

-    /// Login with ChatGPT.
+    /// Manage login.
    Login(LoginCommand),

    /// Experimental: run Codex as an MCP server.
@@ -86,19 +64,6 @@ enum Subcommand {
    /// Apply the latest diff produced by Codex agent as a `git apply` to your local working tree.
    #[clap(visible_alias = "a")]
    Apply(ApplyCommand),
-
-    /// Manage / inspect concurrent background tasks.
-    Tasks(codex_cli::tasks::TasksCli),
-
-    /// Show or follow logs for a specific task.
-    Logs(codex_cli::logs::LogsCli),
-
-    /// Inspect full metadata for a task.
-    Inspect(codex_cli::inspect::InspectCli),
-
-    /// Hidden: internal worker used for --concurrent MCP-based runs.
-    #[clap(hide = true)]
-    Worker(ConcurrentWorkerCli),
 }

 #[derive(Debug, Parser)]
@@ -127,31 +92,22 @@ enum DebugCommand {
 struct LoginCommand {
    #[clap(skip)]
    config_overrides: CliConfigOverrides,
+
+    #[arg(long = "api-key", value_name = "API_KEY")]
+    api_key: Option<String>,
+
+    #[command(subcommand)]
+    action: Option<LoginSubcommand>,
 }

-#[derive(Debug, Parser)]
-struct ConcurrentWorkerCli {
-    #[clap(long)]
-    prompt: String,
-    #[clap(long)]
-    model: Option<String>,
-    #[clap(long)]
-    profile: Option<String>,
-    #[clap(long, value_name = "POLICY")] // untrusted | on-failure | never
-    approval_policy: Option<String>,
-    #[clap(long, value_name = "MODE")] // read-only | workspace-write | danger-full-access
-    sandbox: Option<String>,
-    #[clap(long)]
-    cwd: Option<String>,
-    #[clap(flatten)]
-    config_overrides: CliConfigOverrides,
-    /// Optional base instructions override
-    #[clap(long = "base-instructions")]
-    base_instructions: Option<String>,
+#[derive(Debug, clap::Subcommand)]
+enum LoginSubcommand {
+    /// Show login status.
+    Status,
 }

 fn main() -> anyhow::Result<()> {
-    codex_linux_sandbox::run_with_sandbox(|codex_linux_sandbox_exe| async move {
+    arg0_dispatch_or_else(|codex_linux_sandbox_exe| async move {
        cli_main(codex_linux_sandbox_exe).await?;
        Ok(())
    })
@@ -163,25 +119,9 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
    match cli.subcommand {
        None => {
            let mut tui_cli = cli.interactive;
-            let root_raw_overrides = cli.config_overrides.raw_overrides.clone();
            prepend_config_flags(&mut tui_cli.config_overrides, cli.config_overrides);
-            // Attempt concurrent background spawn; if it returns true we skip launching the TUI.
-            if let Ok(spawned) = maybe_spawn_concurrent(
-                &mut tui_cli,
-                &root_raw_overrides,
-                cli.concurrent,
-                cli.concurrent_automerge,
-                &cli.concurrent_branch_name,
-            ) {
-                if !spawned {
-                    let usage = codex_tui::run_main(tui_cli, codex_linux_sandbox_exe)?;
-                    println!("{}", codex_core::protocol::FinalOutput::from(usage));
-                }
-            } else {
-                // On error fallback to interactive.
-                let usage = codex_tui::run_main(tui_cli, codex_linux_sandbox_exe)?;
-                println!("{}", codex_core::protocol::FinalOutput::from(usage));
-            }
+            let usage = codex_tui::run_main(tui_cli, codex_linux_sandbox_exe).await?;
+            println!("{}", codex_core::protocol::FinalOutput::from(usage));
        }
        Some(Subcommand::Exec(mut exec_cli)) => {
            prepend_config_flags(&mut exec_cli.config_overrides, cli.config_overrides);
@@ -190,139 +130,20 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
        Some(Subcommand::Mcp) => {
            codex_mcp_server::run_main(codex_linux_sandbox_exe).await?;
        }
-        Some(Subcommand::Worker(worker_cli)) => {
-            // Internal worker invoked by maybe_spawn_concurrent. Runs a single Codex MCP tool-call.
-            debug!(?worker_cli.prompt, "starting concurrent worker");
-            // Build MCP client by spawning current binary with `mcp` subcommand.
-            let exe = std::env::current_exe()?;
-            let exe_str = exe.to_string_lossy().to_string();
-            // Pass through OPENAI_API_KEY (and related) so MCP server can access the model provider.
-            let mut extra_env: std::collections::HashMap<String, String> = std::collections::HashMap::new();
-            // TODO: pap check if this is needed + check if we can use the same env vars as the main process (overall)
-            if let Ok(v) = std::env::var("OPENAI_API_KEY") { extra_env.insert("OPENAI_API_KEY".into(), v); }
-            if let Ok(v) = std::env::var("OPENAI_BASE_URL") { extra_env.insert("OPENAI_BASE_URL".into(), v); }
-            let client = McpClient::new_stdio_client(exe_str, vec!["mcp".to_string()], Some(extra_env)).await?;
-            // Initialize MCP session.
-            let init_params = mcp_types::InitializeRequestParams {
-                capabilities: ClientCapabilities { experimental: None, roots: None, sampling: None, elicitation: Some(json!({})) },
-                client_info: Implementation { name: "codex-concurrent-worker".into(), version: env!("CARGO_PKG_VERSION").into(), title: Some("Codex Concurrent Worker".into()) },
-                protocol_version: mcp_types::MCP_SCHEMA_VERSION.to_string(),
-            };
-            let _init_res = client.initialize(init_params, None, Some(Duration::from_secs(15))).await?;
-            debug!("initialized MCP session for worker");
-            // Build arguments for codex tool call using kebab-case keys expected by MCP server.
-            let mut arg_obj = serde_json::Map::new();
-            // todo: how to pass all variables dynamically?
-            arg_obj.insert("prompt".to_string(), worker_cli.prompt.clone().into());
-            if let Some(m) = worker_cli.model.clone() { arg_obj.insert("model".into(), m.into()); }
-            if let Some(p) = worker_cli.profile.clone() { arg_obj.insert("profile".into(), p.into()); }
-            if let Some(ap) = worker_cli.approval_policy.clone() { arg_obj.insert("approval-policy".into(), ap.into()); }
-            if let Some(sb) = worker_cli.sandbox.clone() { arg_obj.insert("sandbox".into(), sb.into()); }
-            if let Some(cwd) = worker_cli.cwd.clone() { arg_obj.insert("cwd".into(), cwd.into()); }
-            if let Some(bi) = worker_cli.base_instructions.clone() { arg_obj.insert("base-instructions".into(), bi.into()); }
-            let config_json = serde_json::to_value(&worker_cli.config_overrides)?;
-            arg_obj.insert("config".into(), config_json);
-            let args_json = serde_json::Value::Object(arg_obj);
-            debug!(?args_json, "calling codex tool via MCP");
-            let mut session_id: Option<String> = None;
-            // Grab notifications receiver to watch for SessionConfigured (to extract sessionId) while first tool call runs.
-            let mut notif_rx = client.take_notification_receiver().await;
-            // Spawn a task to extract sessionId and print filtered events.
-            if let Some(mut rx) = notif_rx.take() {
-                tokio::spawn(async move {
-                    use serde_json::Value;
-                    while let Some(n) = rx.recv().await {
-                        if let Some(p) = &n.params {
-                            if let Some(root) = p.as_object() {
-                                if let Some(val) = root.get("sessionId").or_else(|| root.get("session_id")) {
-                                    // todo: reuse session id as task id
-                                    if let Some(s) = val.as_str() { if !s.is_empty() { println!("SESSION ID: {}", s); } }
-                                }
-                                if let Some(Value::Object(msg)) = root.get("msg") {
-                                    if let Some(Value::String(typ)) = msg.get("type") {
-                                        if typ.ends_with("_delta") { continue; }
-                                        // todo: use the tui once it manages multi processes
-                                        match typ.as_str() {
-                                            "agent_reasoning" => {
-                                                if let Some(Value::String(text)) = msg.get("text") { println!("\x1b[36mreasoning:\x1b[0m {}", text); }
-                                            }
-                                            "exec_approval_request" => {
-                                                let cmd = msg.get("command").and_then(|v| v.as_array()).map(|arr| arr.iter().filter_map(|x| x.as_str()).collect::<Vec<_>>().join(" ")).unwrap_or_default();
-                                                let cwd = msg.get("cwd").and_then(|v| v.as_str()).unwrap_or("");
-                                                println!("\x1b[33mexec approval requested:\x1b[0m {cmd} (cwd: {cwd})");
-                                            }
-                                            "apply_patch_approval_request" => {
-                                                let reason = msg.get("reason").and_then(|v| v.as_str()).unwrap_or("");
-                                                println!("\x1b[35mpatch approval requested:\x1b[0m {reason}");
-                                            }
-                                            "task_complete" => {
-                                                println!("\x1b[32mtask complete\x1b[0m");
-                                            }
-                                            _ => { /* suppress other event types */ }
-                                        }
-                                    }
-                                }
-                            }
-                        }
-                    }
-                });
-            }
-            let first_result = client.call_tool("codex".to_string(), Some(args_json), None).await;
-            // todo: to test we have not implemented the tool call yet
-            match &first_result {
-                Ok(r) => debug!(blocks = r.content.len(), "codex initial tool call completed"),
-                Err(e) => debug!(error = %e, "codex tool call failed"),
-            }
-            let first_result = first_result?;
-            // Print any text content to stdout.
-            let mut printed_any = false;
-            for block in &first_result.content {
-                if let mcp_types::ContentBlock::TextContent(t) = block { println!("{}", t.text); printed_any = true; }
-            }
-            if !printed_any { info!("no text content blocks returned from initial codex tool call"); }
-            // Attempt to parse session id from printed notifications (fallback approach): scan stdout not feasible here; so rely on user-visible marker.
-            // Interactive loop for follow-up prompts.
-            use std::io::{stdin, stdout, Write};
-            loop {
-                print!("codex> "); let _ = stdout().flush();
-                let mut line = String::new();
-                if stdin().read_line(&mut line).is_err() { break; }
-                let trimmed = line.trim();
-                if trimmed.is_empty() || trimmed == "/exit" || trimmed == ":q" { break; }
-                // If session id still unknown, ask user to paste it.
-                if session_id.is_none() {
-                    if trimmed.starts_with("session ") { session_id = Some(trimmed[8..].trim().to_string()); println!("Stored session id."); continue; }
-                }
-                if session_id.is_none() { println!("(Need session id; when you see 'SESSION ID: <uuid>' above, copy it or type 'session <uuid>')"); continue; }
-                let args = serde_json::json!({ "sessionId": session_id.clone().unwrap(), "prompt": trimmed });
-                let reply = client.call_tool("codex-reply".to_string(), Some(args), None).await;
-                match reply {
-                    Ok(r) => {
-                        for block in r.content {
-                            if let mcp_types::ContentBlock::TextContent(t) = block { println!("{}", t.text); }
-                        }
-                    }
-                    Err(e) => println!("Error: {e}"),
-                }
-            }
-            // Append completion record to tasks.jsonl now that interactive loop ends.
-            if let Ok(task_id) = std::env::var("CODEX_TASK_ID") {
-                if let Some(base) = codex_base_dir_for_worker() {
-                    let tasks_path = base.join("tasks.jsonl");
-                    let ts = std::time::SystemTime::now().duration_since(std::time::UNIX_EPOCH).map(|d| d.as_secs()).unwrap_or(0);
-                    let obj = serde_json::json!({
-                        "task_id": task_id,
-                        "completion_time": ts,
-                        "end_time": ts,
-                        "state": "done",
-                    });
-                    let _ = append_json_line(&tasks_path, &obj);
-                }
-            }
-        }
        Some(Subcommand::Login(mut login_cli)) => {
            prepend_config_flags(&mut login_cli.config_overrides, cli.config_overrides);
-            run_login_with_chatgpt(login_cli.config_overrides).await;
+            match login_cli.action {
+                Some(LoginSubcommand::Status) => {
+                    run_login_status(login_cli.config_overrides).await;
+                }
+                None => {
+                    if let Some(api_key) = login_cli.api_key {
+                        run_login_with_api_key(login_cli.config_overrides, api_key).await;
+                    } else {
+                        run_login_with_chatgpt(login_cli.config_overrides).await;
+                    }
+                }
+            }
        }
        Some(Subcommand::Proto(mut proto_cli)) => {
            prepend_config_flags(&mut proto_cli.config_overrides, cli.config_overrides);
@@ -353,15 +174,6 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
            prepend_config_flags(&mut apply_cli.config_overrides, cli.config_overrides);
            run_apply_command(apply_cli, None).await?;
        }
-        Some(Subcommand::Tasks(tasks_cli)) => {
-            codex_cli::tasks::run_tasks(tasks_cli)?;
-        }
-        Some(Subcommand::Logs(logs_cli)) => {
-            codex_cli::logs::run_logs(logs_cli)?;
-        }
-        Some(Subcommand::Inspect(inspect_cli)) => {
-            codex_cli::inspect::run_inspect(inspect_cli)?;
-        }
    }

    Ok(())
@@ -383,18 +195,3 @@ fn print_completion(cmd: CompletionCommand) {
    let name = "codex";
    generate(cmd.shell, &mut app, name, &mut std::io::stdout());
 }
-
-// Helper functions for worker
-fn codex_base_dir_for_worker() -> Option<std::path::PathBuf> {
-    if let Ok(val) = std::env::var("CODEX_HOME") { if !val.is_empty() { return std::fs::canonicalize(val).ok(); } }
-    let home = std::env::var_os("HOME")?;
-    let base = std::path::PathBuf::from(home).join(".codex");
-    let _ = std::fs::create_dir_all(&base);
-    Some(base)
-}
-
-fn append_json_line(path: &std::path::PathBuf, val: &serde_json::Value) -> std::io::Result<()> {
-    use std::io::Write;
-    let mut f = std::fs::OpenOptions::new().create(true).append(true).open(path)?;
-    writeln!(f, "{}", val.to_string())
-}
--- a/codex-rs/cli/src/proto.rs
+++ b/codex-rs/cli/src/proto.rs
@@ -4,10 +4,12 @@ use std::sync::Arc;
 use clap::Parser;
 use codex_common::CliConfigOverrides;
 use codex_core::Codex;
+use codex_core::CodexSpawnOk;
 use codex_core::config::Config;
 use codex_core::config::ConfigOverrides;
 use codex_core::protocol::Submission;
 use codex_core::util::notify_on_sigint;
+use codex_login::load_auth;
 use tokio::io::AsyncBufReadExt;
 use tokio::io::BufReader;
 use tracing::error;
@@ -34,8 +36,9 @@ pub async fn run_main(opts: ProtoCli) -> anyhow::Result<()> {
        .map_err(anyhow::Error::msg)?;

    let config = Config::load_with_cli_overrides(overrides_vec, ConfigOverrides::default())?;
+    let auth = load_auth(&config.codex_home, true)?;
    let ctrl_c = notify_on_sigint();
-    let (codex, _init_id, _session_id) = Codex::spawn(config, ctrl_c.clone()).await?;
+    let CodexSpawnOk { codex, .. } = Codex::spawn(config, auth, ctrl_c.clone()).await?;
    let codex = Arc::new(codex);

    // Task that reads JSON lines from stdin and forwards to Submission Queue
--- a/codex-rs/cli/src/tasks.rs
+++ b/codex-rs/cli/src/tasks.rs
@@ -1,212 +0,0 @@
-use clap::{Parser, Subcommand};
-use serde::{Deserialize, Serialize};
-use std::collections::HashMap;
-use std::fs::File;
-use std::io::{BufRead, BufReader};
-use std::fs;
-use chrono::Local;
-use codex_common::elapsed::format_duration;
-
-#[derive(Debug, Parser)]
-pub struct TasksCli {
-    #[command(subcommand)]
-    pub cmd: TasksCommand,
-}
-
-#[derive(Debug, Subcommand)]
-pub enum TasksCommand {
-    /// List background concurrent tasks (from ~/.codex/tasks.jsonl)
-    Ls(TasksListArgs),
-}
-
-#[derive(Debug, Parser)]
-pub struct TasksListArgs {
-    /// Output raw JSON instead of table
-    #[arg(long)]
-    pub json: bool,
-    /// Limit number of tasks displayed (most recent first)
-    #[arg(long)]
-    pub limit: Option<usize>,
-    /// Show completed tasks as well (by default only running tasks)
-    #[arg(short = 'a', long = "all")]
-    pub all: bool,
-    /// Show all columns including prompt text
-    #[arg(long = "all-columns")]
-    pub all_columns: bool,
-}
-
-#[derive(Debug, Deserialize)]
-struct RawRecord {
-    task_id: Option<String>,
-    pid: Option<u64>,
-    worktree: Option<String>,
-    branch: Option<String>,
-    original_branch: Option<String>,
-    original_commit: Option<String>,
-    log_path: Option<String>,
-    prompt: Option<String>,
-    model: Option<String>,
-    start_time: Option<u64>,
-    update_time: Option<u64>,
-    token_count: Option<serde_json::Value>,
-    state: Option<String>,
-    completion_time: Option<u64>,
-    end_time: Option<u64>,
-}
-
-#[derive(Debug, Serialize, Default, Clone)]
-struct TaskAggregate {
-    task_id: String,
-    pid: Option<u64>,
-    branch: Option<String>,
-    worktree: Option<String>,
-    prompt: Option<String>,
-    model: Option<String>,
-    start_time: Option<u64>,
-    last_update_time: Option<u64>,
-    total_tokens: Option<u64>,
-    state: Option<String>,
-    end_time: Option<u64>,
-}
-
-pub fn run_tasks(cmd: TasksCli) -> anyhow::Result<()> {
-    match cmd.cmd {
-        TasksCommand::Ls(args) => list_tasks(args),
-    }
-}
-
-fn base_dir() -> Option<std::path::PathBuf> {
-    if let Ok(val) = std::env::var("CODEX_HOME") { if !val.is_empty() { return std::fs::canonicalize(val).ok(); } }
-    let home = std::env::var_os("HOME")?;
-    let base = std::path::PathBuf::from(home).join(".codex");
-    Some(base)
-}
-
-fn list_tasks(args: TasksListArgs) -> anyhow::Result<()> {
-    let Some(base) = base_dir() else {
-        println!("No home directory found; cannot locate tasks.jsonl");
-        return Ok(());
-    };
-    let path = base.join("tasks.jsonl");
-    if !path.exists() {
-        println!("No tasks.jsonl found (no concurrent tasks recorded yet)");
-        return Ok(());
-    }
-
-    let f = File::open(&path)?;
-    let reader = BufReader::new(f);
-
-    let mut agg: HashMap<String, TaskAggregate> = HashMap::new();
-    for line_res in reader.lines() {
-        let line = match line_res { Ok(l) => l, Err(_) => continue };
-        if line.trim().is_empty() { continue; }
-        let raw: serde_json::Value = match serde_json::from_str(&line) { Ok(v) => v, Err(_) => continue };
-        let rec: RawRecord = match serde_json::from_value(raw) { Ok(r) => r, Err(_) => continue };
-        let Some(task_id) = rec.task_id.clone() else { continue }; // must have task_id
-        let entry = agg.entry(task_id.clone()).or_insert_with(|| TaskAggregate { task_id: task_id.clone(), ..Default::default() });
-        if rec.start_time.is_some() { // initial metadata line
-            entry.pid = rec.pid.or(entry.pid);
-            entry.branch = rec.branch.or(entry.branch.clone());
-            entry.worktree = rec.worktree.or(entry.worktree.clone());
-            entry.prompt = rec.prompt.or(entry.prompt.clone());
-            entry.model = rec.model.or(entry.model.clone());
-            entry.start_time = rec.start_time.or(entry.start_time);
-        }
-        if let Some(tc_val) = rec.token_count.as_ref() { if tc_val.is_object() { if let Some(total) = tc_val.get("total_tokens").and_then(|v| v.as_u64()) { entry.total_tokens = Some(total); } } }
-        if rec.update_time.is_some() { entry.last_update_time = rec.update_time; }
-        if let Some(state) = rec.state { entry.state = Some(state); }
-        if rec.completion_time.is_some() || rec.end_time.is_some() {
-            entry.end_time = rec.end_time.or(rec.completion_time).or(entry.end_time);
-        }
-    }
-
-    // Collect and sort by start_time desc
-    let mut tasks: Vec<TaskAggregate> = agg.into_values().collect();
-    tasks.sort_by_key(|j| std::cmp::Reverse(j.start_time.unwrap_or(0)));
-
-    if !args.all { tasks.retain(|j| j.state.as_deref() != Some("done")); }
-    if let Some(limit) = args.limit { tasks.truncate(limit); }
-
-    if args.json {
-        println!("{}", serde_json::to_string_pretty(&tasks)?);
-        return Ok(());
-    }
-
-    if tasks.is_empty() {
-        println!("No tasks found");
-        return Ok(());
-    }
-
-    // Table header
-    if args.all_columns {
-        println!("\x1b[1m{:<8} {:>6} {:<22} {:<12} {:<8} {:>8} {:<12} {}\x1b[0m", "TASK_ID", "PID", "BRANCH", "START", "STATE", "TOKENS", "MODEL", "PROMPT");
-    } else {
-        // Widened branch column to 22 chars for better readability.
-        println!("\x1b[1m{:<8} {:>6} {:<22} {:<12} {:<8} {:>8} {:<12}\x1b[0m", "TASK_ID", "PID", "BRANCH", "START", "STATE", "TOKENS", "MODEL");
-    }
-    for t in tasks {
-        let task_short = if t.task_id.len() > 8 { &t.task_id[..8] } else { &t.task_id };
-        let pid_str = t.pid.map(|p| p.to_string()).unwrap_or_default();
-        let mut branch = t.branch.clone().unwrap_or_default();
-        let branch_limit = if args.all_columns { 22 } else { 22 }; // unified width
-        if branch.len() > branch_limit { branch.truncate(branch_limit); }
-        let start = t.start_time.map(|start_secs| {
-            let now = Local::now().timestamp() as u64;
-            if now > start_secs {
-                let elapsed = std::time::Duration::from_secs(now - start_secs);
-                format!("{} ago", format_duration(elapsed))
-            } else {
-                "just now".to_string()
-            }
-        }).unwrap_or_default();
-        let tokens = t.total_tokens.map(|t| t.to_string()).unwrap_or_default();
-        let state = t.state.clone().unwrap_or_else(|| "?".into());
-        let mut model = t.model.clone().unwrap_or_default();
-        if model.trim().is_empty() { model = resolve_default_model(); }
-        if model.is_empty() { model.push('-'); }
-        if model.len() > 12 { model.truncate(12); }
-        if args.all_columns {
-            let mut prompt = t.prompt.clone().unwrap_or_default().replace('\n', " ");
-            if prompt.len() > 60 { prompt.truncate(60); }
-            println!("{:<8} {:>6} {:<22} {:<12} {:<8} {:>8} {:<12} {}", task_short, pid_str, branch, start, state, tokens, model, prompt);
-        } else {
-            println!("{:<8} {:>6} {:<22} {:<12} {:<8} {:>8} {:<12}", task_short, pid_str, branch, start, state, tokens, model);
-        }
-    }
-
-    Ok(())
-}
-
-fn resolve_default_model() -> String {
-    // Attempt to read config json/yaml for model, otherwise fallback to hardcoded default.
-    if let Some(base) = base_dir() {
-        let candidates = ["config.json", "config.yaml", "config.yml"];
-        for name in candidates {
-            let p = base.join(name);
-            if p.exists() {
-                if let Ok(raw) = fs::read_to_string(&p) {
-                    // Try JSON first.
-                    if name.ends_with(".json") {
-                        if let Ok(v) = serde_json::from_str::<serde_json::Value>(&raw) {
-                            if let Some(m) = v.get("model").and_then(|x| x.as_str()) {
-                                if !m.trim().is_empty() { return m.to_string(); }
-                            }
-                        }
-                    } else {
-                        // Very lightweight YAML parse: look for line starting with model:
-                        for line in raw.lines() {
-                            if let Some(rest) = line.trim().strip_prefix("model:") {
-                                let val = rest.trim().trim_matches('"');
-                                if !val.is_empty() {
-                                    return val.to_string();
-                                }
-                            }
-                        }
-                    }
-                }
-            }
-        }
-    }
-    // Fallback default agentic model used elsewhere.
-    "codex-mini-latest".to_string()
-} 
--- a/codex-rs/cli/tests/concurrent_background.rs
+++ b/codex-rs/cli/tests/concurrent_background.rs
@@ -1,101 +0,0 @@
-// Minimal integration test for --concurrent background spawning.
-// Verifies that invoking the top-level CLI with --concurrent records a task entry
-// in CODEX_HOME/tasks.jsonl and that multiple invocations append distinct task_ids.
-
-use std::fs;
-use std::io::Write;
-use std::process::Command;
-use std::time::{Duration, Instant};
-
-use tempfile::TempDir;
-
-// Skip helper when sandbox network disabled (mirrors existing tests' behavior).
-fn network_disabled() -> bool {
-    std::env::var(codex_core::exec::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR).is_ok()
-}
-
-#[test]
-fn concurrent_creates_task_records() {
-    if network_disabled() {
-        eprintln!("Skipping concurrent_creates_task_records due to sandbox network-disabled env");
-        return;
-    }
-
-    // Temp home (CODEX_HOME) and separate temp git repo.
-    let home = TempDir::new().expect("temp home");
-    let repo = TempDir::new().expect("temp repo");
-
-    // Initialize a minimal git repository (needed for --concurrent worktree logic).
-    assert!(Command::new("git").arg("init").current_dir(repo.path()).status().unwrap().success());
-    fs::write(repo.path().join("README.md"), "# temp\n").unwrap();
-    assert!(Command::new("git").arg("add").arg(".").current_dir(repo.path()).status().unwrap().success());
-    assert!(Command::new("git")
-        .args(["commit", "-m", "init"]) // may warn about user/email; allow non-zero if commit already exists
-        .current_dir(repo.path())
-        .status()
-        .map(|s| s.success())
-        .unwrap_or(true));
-
-    // SSE fixture so the spawned background exec does not perform a real network call.
-    let fixture = home.path().join("fixture.sse");
-    let mut f = fs::File::create(&fixture).unwrap();
-    writeln!(f, "data: {{\"choices\":[{{\"delta\":{{\"content\":\"ok\"}}}}]}}\n").unwrap();
-    writeln!(f, "data: {{\"choices\":[{{\"delta\":{{}}}}]}}\n").unwrap();
-    writeln!(f, "data: [DONE]\n").unwrap();
-
-    // Helper to run one concurrent invocation with a given prompt.
-    let run_once = |prompt: &str| {
-        let mut cmd = Command::new("cargo");
-        cmd.arg("run")
-            .arg("-p")
-            .arg("codex-cli")
-            .arg("--quiet")
-            .arg("--")
-            .arg("--concurrent")
-            .arg("--full-auto")
-            .arg("-C")
-            .arg(repo.path())
-            .arg(prompt);
-        cmd.env("CODEX_HOME", home.path())
-            .env("OPENAI_API_KEY", "dummy")
-            .env("CODEX_RS_SSE_FIXTURE", &fixture)
-            .env("OPENAI_BASE_URL", "http://unused.local");
-        let output = cmd.output().expect("spawn codex");
-        assert!(output.status.success(), "concurrent codex run failed: stderr={}", String::from_utf8_lossy(&output.stderr));
-    };
-
-    run_once("Add a cat in ASCII");
-    run_once("Add hello world comment");
-
-    // Wait for tasks.jsonl to contain at least two lines with task records.
-    let tasks_path = home.path().join("tasks.jsonl");
-    let deadline = Instant::now() + Duration::from_secs(10);
-    let mut lines: Vec<String> = Vec::new();
-    while Instant::now() < deadline {
-        if tasks_path.exists() {
-            let content = fs::read_to_string(&tasks_path).unwrap_or_default();
-            lines = content.lines().filter(|l| !l.trim().is_empty()).map(|s| s.to_string()).collect();
-            if lines.len() >= 2 { break; }
-        }
-        std::thread::sleep(Duration::from_millis(100));
-    }
-    assert!(lines.len() >= 2, "Expected at least 2 task records, got {}", lines.len());
-
-    // Parse JSON and ensure distinct task_ids and prompts present.
-    let mut task_ids = std::collections::HashSet::new();
-    let mut saw_cat = false;
-    let mut saw_hello = false;
-    for line in &lines {
-        if let Ok(val) = serde_json::from_str::<serde_json::Value>(line) {
-            if let Some(tid) = val.get("task_id").and_then(|v| v.as_str()) { task_ids.insert(tid.to_string()); }
-            if let Some(p) = val.get("prompt").and_then(|v| v.as_str()) {
-                if p.contains("cat") { saw_cat = true; }
-                if p.contains("hello") { saw_hello = true; }
-            }
-            assert_eq!(val.get("state").and_then(|v| v.as_str()), Some("started"), "task record missing started state");
-        }
-    }
-    assert!(task_ids.len() >= 2, "Expected distinct task_ids, got {:?}", task_ids);
-    assert!(saw_cat, "Did not find cat prompt in tasks.jsonl");
-    assert!(saw_hello, "Did not find hello prompt in tasks.jsonl");
-} 
--- a/codex-rs/common/Cargo.toml
+++ b/codex-rs/common/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-common"
 version = { workspace = true }
-edition = "2024"

 [lints]
 workspace = true
@@ -9,11 +9,11 @@ workspace = true
 [dependencies]
 clap = { version = "4", features = ["derive", "wrap_help"], optional = true }
 codex-core = { path = "../core" }
+serde = { version = "1", optional = true }
 toml = { version = "0.9", optional = true }
-serde = { version = "1", features = ["derive"], optional = true }

 [features]
 # Separate feature so that `clap` is not a mandatory dependency.
-cli = ["clap", "toml", "serde"]
+cli = ["clap", "serde", "toml"]
 elapsed = []
 sandbox_summary = []
--- a/codex-rs/common/src/config_override.rs
+++ b/codex-rs/common/src/config_override.rs
@@ -15,7 +15,7 @@ use toml::Value;
 /// CLI option that captures arbitrary configuration overrides specified as
 /// `-c key=value`. It intentionally keeps both halves **unparsed** so that the
 /// calling code can decide how to interpret the right-hand side.
-#[derive(Parser, Debug, Default, Clone, serde::Serialize)]
+#[derive(Parser, Debug, Default, Clone)]
 pub struct CliConfigOverrides {
    /// Override a configuration value that would otherwise be loaded from
    /// `~/.codex/config.toml`. Use a dotted path (`foo.bar.baz`) to override
--- a/codex-rs/common/src/elapsed.rs
+++ b/codex-rs/common/src/elapsed.rs
@@ -22,8 +22,7 @@ fn format_elapsed_millis(millis: i64) -> String {
    if millis < 1000 {
        format!("{millis}ms")
    } else if millis < 60_000 {
-        let secs = millis / 1000;
-        format!("{secs}s")
+        format!("{:.2}s", millis as f64 / 1000.0)
    } else {
        let minutes = millis / 60_000;
        let seconds = (millis % 60_000) / 1000;
@@ -49,12 +48,13 @@ mod tests {
    #[test]
    fn test_format_duration_seconds() {
        // Durations between 1s (inclusive) and 60s (exclusive) should be
-        // printed as whole seconds.
+        // printed with 2-decimal-place seconds.
        let dur = Duration::from_millis(1_500); // 1.5s
-        assert_eq!(format_duration(dur), "1s");
+        assert_eq!(format_duration(dur), "1.50s");

+        // 59.999s rounds to 60.00s
        let dur2 = Duration::from_millis(59_999);
-        assert_eq!(format_duration(dur2), "59s");
+        assert_eq!(format_duration(dur2), "60.00s");
    }

    #[test]
--- a/codex-rs/config.md
+++ b/codex-rs/config.md
@@ -110,12 +110,15 @@ stream_idle_timeout_ms = 300000    # 5m idle timeout
 ```

 #### request_max_retries
+
 How many times Codex will retry a failed HTTP request to the model provider. Defaults to `4`.

 #### stream_max_retries
+
 Number of times Codex will attempt to reconnect when a streaming response is interrupted. Defaults to `10`.

 #### stream_idle_timeout_ms
+
 How long Codex will wait for activity on a streaming response before treating the connection as lost. Defaults to `300_000` (5 minutes).

 ## model_provider
--- a/codex-rs/core/Cargo.toml
+++ b/codex-rs/core/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-core"
 version = { workspace = true }
-edition = "2024"

 [lib]
 name = "codex_core"
@@ -15,7 +15,9 @@ anyhow = "1"
 async-channel = "2.3.1"
 base64 = "0.22"
 bytes = "1.10.1"
+chrono = { version = "0.4", features = ["serde"] }
 codex-apply-patch = { path = "../apply-patch" }
+codex-login = { path = "../login" }
 codex-mcp-client = { path = "../mcp-client" }
 dirs = "6"
 env-flags = "0.1.1"
@@ -47,8 +49,8 @@ tracing = { version = "0.1.41", features = ["log"] }
 tree-sitter = "0.25.8"
 tree-sitter-bash = "0.25.0"
 uuid = { version = "1", features = ["serde", "v4"] }
-wildmatch = "2.4.0"
 whoami = "1.6.0"
+wildmatch = "2.4.0"


 [target.'cfg(target_os = "linux")'.dependencies]
--- a/codex-rs/core/README.md
+++ b/codex-rs/core/README.md
@@ -2,9 +2,18 @@

 This crate implements the business logic for Codex. It is designed to be used by the various Codex UIs written in Rust.

-Though for non-Rust UIs, we are also working to define a _protocol_ for talking to Codex. See:
+## Dependencies

- [Specification](../docs/protocol_v1.md)
- [Rust types](./src/protocol.rs)
+Note that `codex-core` makes some assumptions about certain helper utilities being available in the environment. Currently, this

-You can use the `proto` subcommand using the executable in the [`cli` crate](../cli) to speak the protocol using newline-delimited-JSON over stdin/stdout.
+### macOS
+
+Expects `/usr/bin/sandbox-exec` to be present.
+
+### Linux
+
+Expects the binary containing `codex-core` to run the equivalent of `codex debug landlock` when `arg0` is `codex-linux-sandbox`. See the `codex-arg0` crate for details.
+
+### All Platforms
+
+Expects the binary containing `codex-core` to simulate the virtual `apply_patch` CLI when `arg1` is `--codex-run-as-apply-patch`. See the `codex-arg0` crate for details.
--- a/codex-rs/core/prompt.md
+++ b/codex-rs/core/prompt.md
@@ -96,3 +96,12 @@ You can invoke apply_patch like:
 ```
 shell {"command":["apply_patch","*** Begin Patch\n*** Add File: hello.txt\n+Hello, world!\n*** End Patch\n"]}
 ```
+
+Plan updates
+
+A tool named `update_plan` is available. Use it to keep an up‑to‑date, step‑by‑step plan for the task so you can follow your progress. When making your plans, keep in mind that you are a deployed coding agent - `update_plan` calls should not involve doing anything that you aren't capable of doing. For example, `update_plan` calls should NEVER contain tasks to merge your own pull requests. Only stop to ask the user if you genuinely need their feedback on a change.
+
+- At the start of the task, call `update_plan` with an initial plan: a short list of 1‑sentence steps with a `status` for each step (`pending`, `in_progress`, or `completed`). There should always be exactly one `in_progress` step until everything is done.
+- Whenever you finish a step, call `update_plan` again, marking the finished step as `completed` and the next step as `in_progress`.
+- If your plan needs to change, call `update_plan` with the revised steps and include an `explanation` describing the change.
+- When all steps are complete, make a final `update_plan` call with all steps marked `completed`.
--- a/codex-rs/core/src/apply_patch.rs
+++ b/codex-rs/core/src/apply_patch.rs
@@ -0,0 +1,157 @@
+use crate::codex::Session;
+use crate::models::FunctionCallOutputPayload;
+use crate::models::ResponseInputItem;
+use crate::protocol::FileChange;
+use crate::protocol::ReviewDecision;
+use crate::safety::SafetyCheck;
+use crate::safety::assess_patch_safety;
+use codex_apply_patch::ApplyPatchAction;
+use codex_apply_patch::ApplyPatchFileChange;
+use std::collections::HashMap;
+use std::path::Path;
+use std::path::PathBuf;
+
+pub const CODEX_APPLY_PATCH_ARG1: &str = "--codex-run-as-apply-patch";
+
+pub(crate) enum InternalApplyPatchInvocation {
+    /// The `apply_patch` call was handled programmatically, without any sort
+    /// of sandbox, because the user explicitly approved it. This is the
+    /// result to use with the `shell` function call that contained `apply_patch`.
+    Output(ResponseInputItem),
+
+    /// The `apply_patch` call was approved, either automatically because it
+    /// appears that it should be allowed based on the user's sandbox policy
+    /// *or* because the user explicitly approved it. In either case, we use
+    /// exec with [`CODEX_APPLY_PATCH_ARG1`] to realize the `apply_patch` call,
+    /// but [`ApplyPatchExec::auto_approved`] is used to determine the sandbox
+    /// used with the `exec()`.
+    DelegateToExec(ApplyPatchExec),
+}
+
+pub(crate) struct ApplyPatchExec {
+    pub(crate) action: ApplyPatchAction,
+    pub(crate) user_explicitly_approved_this_action: bool,
+}
+
+impl From<ResponseInputItem> for InternalApplyPatchInvocation {
+    fn from(item: ResponseInputItem) -> Self {
+        InternalApplyPatchInvocation::Output(item)
+    }
+}
+
+pub(crate) async fn apply_patch(
+    sess: &Session,
+    sub_id: &str,
+    call_id: &str,
+    action: ApplyPatchAction,
+) -> InternalApplyPatchInvocation {
+    let writable_roots_snapshot = {
+        #[allow(clippy::unwrap_used)]
+        let guard = sess.writable_roots.lock().unwrap();
+        guard.clone()
+    };
+
+    match assess_patch_safety(
+        &action,
+        sess.approval_policy,
+        &writable_roots_snapshot,
+        &sess.cwd,
+    ) {
+        SafetyCheck::AutoApprove { .. } => {
+            InternalApplyPatchInvocation::DelegateToExec(ApplyPatchExec {
+                action,
+                user_explicitly_approved_this_action: false,
+            })
+        }
+        SafetyCheck::AskUser => {
+            // Compute a readable summary of path changes to include in the
+            // approval request so the user can make an informed decision.
+            //
+            // Note that it might be worth expanding this approval request to
+            // give the user the option to expand the set of writable roots so
+            // that similar patches can be auto-approved in the future during
+            // this session.
+            let rx_approve = sess
+                .request_patch_approval(sub_id.to_owned(), call_id.to_owned(), &action, None, None)
+                .await;
+            match rx_approve.await.unwrap_or_default() {
+                ReviewDecision::Approved | ReviewDecision::ApprovedForSession => {
+                    InternalApplyPatchInvocation::DelegateToExec(ApplyPatchExec {
+                        action,
+                        user_explicitly_approved_this_action: true,
+                    })
+                }
+                ReviewDecision::Denied | ReviewDecision::Abort => {
+                    ResponseInputItem::FunctionCallOutput {
+                        call_id: call_id.to_owned(),
+                        output: FunctionCallOutputPayload {
+                            content: "patch rejected by user".to_string(),
+                            success: Some(false),
+                        },
+                    }
+                    .into()
+                }
+            }
+        }
+        SafetyCheck::Reject { reason } => ResponseInputItem::FunctionCallOutput {
+            call_id: call_id.to_owned(),
+            output: FunctionCallOutputPayload {
+                content: format!("patch rejected: {reason}"),
+                success: Some(false),
+            },
+        }
+        .into(),
+    }
+}
+
+pub(crate) fn convert_apply_patch_to_protocol(
+    action: &ApplyPatchAction,
+) -> HashMap<PathBuf, FileChange> {
+    let changes = action.changes();
+    let mut result = HashMap::with_capacity(changes.len());
+    for (path, change) in changes {
+        let protocol_change = match change {
+            ApplyPatchFileChange::Add { content } => FileChange::Add {
+                content: content.clone(),
+            },
+            ApplyPatchFileChange::Delete => FileChange::Delete,
+            ApplyPatchFileChange::Update {
+                unified_diff,
+                move_path,
+                new_content: _new_content,
+            } => FileChange::Update {
+                unified_diff: unified_diff.clone(),
+                move_path: move_path.clone(),
+            },
+        };
+        result.insert(path.clone(), protocol_change);
+    }
+    result
+}
+
+pub(crate) fn get_writable_roots(cwd: &Path) -> Vec<PathBuf> {
+    let mut writable_roots = Vec::new();
+    if cfg!(target_os = "macos") {
+        // On macOS, $TMPDIR is private to the user.
+        writable_roots.push(std::env::temp_dir());
+
+        // Allow pyenv to update its shims directory. Without this, any tool
+        // that happens to be managed by `pyenv` will fail with an error like:
+        //
+        //   pyenv: cannot rehash: $HOME/.pyenv/shims isn't writable
+        //
+        // which is emitted every time `pyenv` tries to run `rehash` (for
+        // example, after installing a new Python package that drops an entry
+        // point). Although the sandbox is intentionally read‑only by default,
+        // writing to the user's local `pyenv` directory is safe because it
+        // is already user‑writable and scoped to the current user account.
+        if let Ok(home_dir) = std::env::var("HOME") {
+            let pyenv_dir = PathBuf::from(home_dir).join(".pyenv");
+            writable_roots.push(pyenv_dir);
+        }
+    }
+
+    writable_roots.push(cwd.to_path_buf());
+
+    writable_roots
+}
--- a/codex-rs/core/src/chat_completions.rs
+++ b/codex-rs/core/src/chat_completions.rs
@@ -30,6 +30,7 @@ use crate::util::backoff;
 pub(crate) async fn stream_chat_completions(
    prompt: &Prompt,
    model: &str,
+    include_plan_tool: bool,
    client: &reqwest::Client,
    provider: &ModelProviderInfo,
 ) -> Result<ResponseStream> {
@@ -39,6 +40,10 @@ pub(crate) async fn stream_chat_completions(
    let full_instructions = prompt.get_full_instructions(model);
    messages.push(json!({"role": "system", "content": full_instructions}));

+    if let Some(instr) = &prompt.user_instructions {
+        messages.push(json!({"role": "user", "content": instr}));
+    }
+
    for item in &prompt.input {
        match item {
            ResponseItem::Message { role, content, .. } => {
@@ -105,7 +110,7 @@ pub(crate) async fn stream_chat_completions(
        }
    }

-    let tools_json = create_tools_json_for_chat_completions_api(prompt, model)?;
+    let tools_json = create_tools_json_for_chat_completions_api(prompt, model, include_plan_tool)?;
    let payload = json!({
        "model": model,
        "messages": messages,
--- a/codex-rs/core/src/client.rs
+++ b/codex-rs/core/src/client.rs
@@ -3,6 +3,8 @@ use std::path::Path;
 use std::time::Duration;

 use bytes::Bytes;
+use codex_login::AuthMode;
+use codex_login::CodexAuth;
 use eventsource_stream::Eventsource;
 use futures::prelude::*;
 use reqwest::StatusCode;
@@ -28,10 +30,12 @@ use crate::config::Config;
 use crate::config_types::ReasoningEffort as ReasoningEffortConfig;
 use crate::config_types::ReasoningSummary as ReasoningSummaryConfig;
 use crate::error::CodexErr;
+use crate::error::EnvVarError;
 use crate::error::Result;
 use crate::flags::CODEX_RS_SSE_FIXTURE;
 use crate::model_provider_info::ModelProviderInfo;
 use crate::model_provider_info::WireApi;
+use crate::models::ContentItem;
 use crate::models::ResponseItem;
 use crate::openai_tools::create_tools_json_for_responses_api;
 use crate::protocol::TokenUsage;
@@ -41,6 +45,7 @@ use std::sync::Arc;
 #[derive(Clone)]
 pub struct ModelClient {
    config: Arc<Config>,
+    auth: Option<CodexAuth>,
    client: reqwest::Client,
    provider: ModelProviderInfo,
    session_id: Uuid,
@@ -51,6 +56,7 @@ pub struct ModelClient {
 impl ModelClient {
    pub fn new(
        config: Arc<Config>,
+        auth: Option<CodexAuth>,
        provider: ModelProviderInfo,
        effort: ReasoningEffortConfig,
        summary: ReasoningSummaryConfig,
@@ -58,6 +64,7 @@ impl ModelClient {
    ) -> Self {
        Self {
            config,
+            auth,
            client: reqwest::Client::new(),
            provider,
            session_id,
@@ -77,6 +84,7 @@ impl ModelClient {
                let response_stream = stream_chat_completions(
                    prompt,
                    &self.config.model,
+                    self.config.include_plan_tool,
                    &self.client,
                    &self.provider,
                )
@@ -114,28 +122,60 @@ impl ModelClient {
            return stream_from_fixture(path, self.provider.clone()).await;
        }

+        let auth = self.auth.as_ref().ok_or_else(|| {
+            CodexErr::EnvVar(EnvVarError {
+                var: "OPENAI_API_KEY".to_string(),
+                instructions: Some("Create an API key (https://platform.openai.com) and export it as an environment variable.".to_string()),
+            })
+        })?;
+
+        let store = prompt.store && auth.mode != AuthMode::ChatGPT;
+
+        let base_url = match self.provider.base_url.clone() {
+            Some(url) => url,
+            None => match auth.mode {
+                AuthMode::ChatGPT => "https://chatgpt.com/backend-api/codex".to_string(),
+                AuthMode::ApiKey => "https://api.openai.com/v1".to_string(),
+            },
+        };
+
+        let token = auth.get_token().await?;
+
        let full_instructions = prompt.get_full_instructions(&self.config.model);
-        let tools_json = create_tools_json_for_responses_api(prompt, &self.config.model)?;
+        let tools_json = create_tools_json_for_responses_api(
+            prompt,
+            &self.config.model,
+            self.config.include_plan_tool,
+        )?;
        let reasoning = create_reasoning_param_for_request(&self.config, self.effort, self.summary);

        // Request encrypted COT if we are not storing responses,
        // otherwise reasoning items will be referenced by ID
-        let include = if !prompt.store && reasoning.is_some() {
+        let include: Vec<String> = if !store && reasoning.is_some() {
            vec!["reasoning.encrypted_content".to_string()]
        } else {
            vec![]
        };

+        let mut input_with_instructions = Vec::with_capacity(prompt.input.len() + 1);
+        if let Some(ui) = &prompt.user_instructions {
+            input_with_instructions.push(ResponseItem::Message {
+                id: None,
+                role: "user".to_string(),
+                content: vec![ContentItem::InputText { text: ui.clone() }],
+            });
+        }
+        input_with_instructions.extend(prompt.input.clone());
+
        let payload = ResponsesApiRequest {
            model: &self.config.model,
            instructions: &full_instructions,
-            input: &prompt.input,
+            input: &input_with_instructions,
            tools: &tools_json,
            tool_choice: "auto",
            parallel_tool_calls: false,
            reasoning,
-            store: prompt.store,
-            // TODO: make this configurable
+            store,
            stream: true,
            include,
        };
@@ -148,17 +188,27 @@ impl ModelClient {

        let mut attempt = 0;
        let max_retries = self.provider.request_max_retries();
+
        loop {
            attempt += 1;

-            let req_builder = self
-                .provider
-                .create_request_builder(&self.client)?
+            let mut req_builder = self
+                .client
+                .post(format!("{base_url}/responses"))
                .header("OpenAI-Beta", "responses=experimental")
                .header("session_id", self.session_id.to_string())
+                .bearer_auth(&token)
                .header(reqwest::header::ACCEPT, "text/event-stream")
                .json(&payload);

+            if auth.mode == AuthMode::ChatGPT {
+                if let Some(account_id) = auth.get_account_id().await {
+                    req_builder = req_builder.header("chatgpt-account-id", account_id);
+                }
+            }
+
+            let req_builder = self.provider.apply_http_headers(req_builder);
+
            let res = req_builder.send().await;
            if let Ok(resp) = &res {
                trace!(
@@ -567,7 +617,7 @@ mod tests {

        let provider = ModelProviderInfo {
            name: "test".to_string(),
-            base_url: "https://test.com".to_string(),
+            base_url: Some("https://test.com".to_string()),
            env_key: Some("TEST_API_KEY".to_string()),
            env_key_instructions: None,
            wire_api: WireApi::Responses,
@@ -577,6 +627,7 @@ mod tests {
            request_max_retries: Some(0),
            stream_max_retries: Some(0),
            stream_idle_timeout_ms: Some(1000),
+            requires_auth: false,
        };

        let events = collect_events(
@@ -626,7 +677,7 @@ mod tests {
        let sse1 = format!("event: response.output_item.done\ndata: {item1}\n\n");
        let provider = ModelProviderInfo {
            name: "test".to_string(),
-            base_url: "https://test.com".to_string(),
+            base_url: Some("https://test.com".to_string()),
            env_key: Some("TEST_API_KEY".to_string()),
            env_key_instructions: None,
            wire_api: WireApi::Responses,
@@ -636,6 +687,7 @@ mod tests {
            request_max_retries: Some(0),
            stream_max_retries: Some(0),
            stream_idle_timeout_ms: Some(1000),
+            requires_auth: false,
        };

        let events = collect_events(&[sse1.as_bytes()], provider).await;
@@ -728,7 +780,7 @@ mod tests {

            let provider = ModelProviderInfo {
                name: "test".to_string(),
-                base_url: "https://test.com".to_string(),
+                base_url: Some("https://test.com".to_string()),
                env_key: Some("TEST_API_KEY".to_string()),
                env_key_instructions: None,
                wire_api: WireApi::Responses,
@@ -738,6 +790,7 @@ mod tests {
                request_max_retries: Some(0),
                stream_max_retries: Some(0),
                stream_idle_timeout_ms: Some(1000),
+                requires_auth: false,
            };

            let out = run_sse(evs, provider).await;
--- a/codex-rs/core/src/client_common.rs
+++ b/codex-rs/core/src/client_common.rs
@@ -44,9 +44,6 @@ impl Prompt {
            .as_deref()
            .unwrap_or(BASE_INSTRUCTIONS);
        let mut sections: Vec<&str> = vec![base];
-        if let Some(ref user) = self.user_instructions {
-            sections.push(user);
-        }
        if model.starts_with("gpt-4.1") {
            sections.push(APPLY_PATCH_TOOL_INSTRUCTIONS);
        }
@@ -188,3 +185,19 @@ impl Stream for ResponseStream {
        self.rx_event.poll_recv(cx)
    }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn get_full_instructions_no_user_content() {
+        let prompt = Prompt {
+            user_instructions: Some("custom instruction".to_string()),
+            ..Default::default()
+        };
+        let expected = format!("{BASE_INSTRUCTIONS}\n{APPLY_PATCH_TOOL_INSTRUCTIONS}");
+        let full = prompt.get_full_instructions("gpt-4.1");
+        assert_eq!(full, expected);
+    }
+}
--- a/codex-rs/core/src/codex.rs
+++ b/codex-rs/core/src/codex.rs
@@ -4,22 +4,18 @@
 use std::borrow::Cow;
 use std::collections::HashMap;
 use std::collections::HashSet;
-use std::path::Path;
 use std::path::PathBuf;
 use std::sync::Arc;
 use std::sync::Mutex;
 use std::sync::atomic::AtomicU64;
 use std::time::Duration;

-use anyhow::Context;
 use async_channel::Receiver;
 use async_channel::Sender;
-use codex_apply_patch::AffectedPaths;
 use codex_apply_patch::ApplyPatchAction;
-use codex_apply_patch::ApplyPatchFileChange;
 use codex_apply_patch::MaybeApplyPatchVerified;
 use codex_apply_patch::maybe_parse_apply_patch_verified;
-use codex_apply_patch::print_summary;
+use codex_login::CodexAuth;
 use futures::prelude::*;
 use mcp_types::CallToolResult;
 use serde::Serialize;
@@ -34,6 +30,12 @@ use tracing::trace;
 use tracing::warn;
 use uuid::Uuid;

+use crate::apply_patch::ApplyPatchExec;
+use crate::apply_patch::CODEX_APPLY_PATCH_ARG1;
+use crate::apply_patch::InternalApplyPatchInvocation;
+use crate::apply_patch::convert_apply_patch_to_protocol;
+use crate::apply_patch::get_writable_roots;
+use crate::apply_patch::{self};
 use crate::client::ModelClient;
 use crate::client_common::Prompt;
 use crate::client_common::ResponseEvent;
@@ -57,6 +59,7 @@ use crate::models::ReasoningItemReasoningSummary;
 use crate::models::ResponseInputItem;
 use crate::models::ResponseItem;
 use crate::models::ShellToolCallParams;
+use crate::plan_tool::handle_update_plan;
 use crate::project_doc::get_user_instructions;
 use crate::protocol::AgentMessageDeltaEvent;
 use crate::protocol::AgentMessageEvent;
@@ -84,7 +87,7 @@ use crate::protocol::TaskCompleteEvent;
 use crate::rollout::RolloutRecorder;
 use crate::safety::SafetyCheck;
 use crate::safety::assess_command_safety;
-use crate::safety::assess_patch_safety;
+use crate::safety::assess_safety_for_untrusted_command;
 use crate::shell;
 use crate::user_notification::UserNotification;
 use crate::util::backoff;
@@ -97,11 +100,22 @@ pub struct Codex {
    rx_event: Receiver<Event>,
 }

+/// Wrapper returned by [`Codex::spawn`] containing the spawned [`Codex`],
+/// the submission id for the initial `ConfigureSession` request and the
+/// unique session id.
+pub struct CodexSpawnOk {
+    pub codex: Codex,
+    pub init_id: String,
+    pub session_id: Uuid,
+}
+
 impl Codex {
-    /// Spawn a new [`Codex`] and initialize the session. Returns the instance
-    /// of `Codex` and the ID of the `SessionInitialized` event that was
-    /// submitted to start the session.
-    pub async fn spawn(config: Config, ctrl_c: Arc<Notify>) -> CodexResult<(Codex, String, Uuid)> {
+    /// Spawn a new [`Codex`] and initialize the session.
+    pub async fn spawn(
+        config: Config,
+        auth: Option<CodexAuth>,
+        ctrl_c: Arc<Notify>,
+    ) -> CodexResult<CodexSpawnOk> {
        // experimental resume path (undocumented)
        let resume_path = config.experimental_resume.clone();
        info!("resume_path: {resume_path:?}");
@@ -130,7 +144,7 @@ impl Codex {
        // Generate a unique ID for the lifetime of this Codex session.
        let session_id = Uuid::new_v4();
        tokio::spawn(submission_loop(
-            session_id, config, rx_sub, tx_event, ctrl_c,
+            session_id, config, auth, rx_sub, tx_event, ctrl_c,
        ));
        let codex = Codex {
            next_id: AtomicU64::new(0),
@@ -139,7 +153,11 @@ impl Codex {
        };
        let init_id = codex.submit(configure_session).await?;

-        Ok((codex, init_id, session_id))
+        Ok(CodexSpawnOk {
+            codex,
+            init_id,
+            session_id,
+        })
    }

    /// Submit the `op` wrapped in a `Submission` with a unique ID.
@@ -178,19 +196,19 @@ impl Codex {
 /// A session has at most 1 running task at a time, and can be interrupted by user input.
 pub(crate) struct Session {
    client: ModelClient,
-    tx_event: Sender<Event>,
+    pub(crate) tx_event: Sender<Event>,
    ctrl_c: Arc<Notify>,

    /// The session's current working directory. All relative paths provided by
    /// the model as well as sandbox policies are resolved against this path
    /// instead of `std::env::current_dir()`.
-    cwd: PathBuf,
+    pub(crate) cwd: PathBuf,
    base_instructions: Option<String>,
    user_instructions: Option<String>,
-    approval_policy: AskForApproval,
+    pub(crate) approval_policy: AskForApproval,
    sandbox_policy: SandboxPolicy,
    shell_environment_policy: ShellEnvironmentPolicy,
-    writable_roots: Mutex<Vec<PathBuf>>,
+    pub(crate) writable_roots: Mutex<Vec<PathBuf>>,
    disable_response_storage: bool,

    /// Manager for external MCP servers/tools.
@@ -343,14 +361,32 @@ impl Session {
        }
    }

-    async fn notify_exec_command_begin(&self, sub_id: &str, call_id: &str, params: &ExecParams) {
+    async fn notify_exec_command_begin(&self, exec_command_context: ExecCommandContext) {
+        let ExecCommandContext {
+            sub_id,
+            call_id,
+            command_for_display,
+            cwd,
+            apply_patch,
+        } = exec_command_context;
+        let msg = match apply_patch {
+            Some(ApplyPatchCommandContext {
+                user_explicitly_approved_this_action,
+                changes,
+            }) => EventMsg::PatchApplyBegin(PatchApplyBeginEvent {
+                call_id,
+                auto_approved: !user_explicitly_approved_this_action,
+                changes,
+            }),
+            None => EventMsg::ExecCommandBegin(ExecCommandBeginEvent {
+                call_id,
+                command: command_for_display.clone(),
+                cwd,
+            }),
+        };
        let event = Event {
            id: sub_id.to_string(),
-            msg: EventMsg::ExecCommandBegin(ExecCommandBeginEvent {
-                call_id: call_id.to_string(),
-                command: params.command.clone(),
-                cwd: params.cwd.clone(),
-            }),
+            msg,
        };
        let _ = self.tx_event.send(event).await;
    }
@@ -362,18 +398,33 @@ impl Session {
        stdout: &str,
        stderr: &str,
        exit_code: i32,
+        is_apply_patch: bool,
    ) {
+        // Because stdout and stderr could each be up to 100 KiB, we send
+        // truncated versions.
        const MAX_STREAM_OUTPUT: usize = 5 * 1024; // 5KiB
+        let stdout = stdout.chars().take(MAX_STREAM_OUTPUT).collect();
+        let stderr = stderr.chars().take(MAX_STREAM_OUTPUT).collect();
+
+        let msg = if is_apply_patch {
+            EventMsg::PatchApplyEnd(PatchApplyEndEvent {
+                call_id: call_id.to_string(),
+                stdout,
+                stderr,
+                success: exit_code == 0,
+            })
+        } else {
+            EventMsg::ExecCommandEnd(ExecCommandEndEvent {
+                call_id: call_id.to_string(),
+                stdout,
+                stderr,
+                exit_code,
+            })
+        };
+
        let event = Event {
            id: sub_id.to_string(),
-            // Because stdout and stderr could each be up to 100 KiB, we send
-            // truncated versions.
-            msg: EventMsg::ExecCommandEnd(ExecCommandEndEvent {
-                call_id: call_id.to_string(),
-                stdout: stdout.chars().take(MAX_STREAM_OUTPUT).collect(),
-                stderr: stderr.chars().take(MAX_STREAM_OUTPUT).collect(),
-                exit_code,
-            }),
+            msg,
        };
        let _ = self.tx_event.send(event).await;
    }
@@ -481,6 +532,21 @@ impl State {
    }
 }

+#[derive(Clone, Debug)]
+pub(crate) struct ExecCommandContext {
+    pub(crate) sub_id: String,
+    pub(crate) call_id: String,
+    pub(crate) command_for_display: Vec<String>,
+    pub(crate) cwd: PathBuf,
+    pub(crate) apply_patch: Option<ApplyPatchCommandContext>,
+}
+
+#[derive(Clone, Debug)]
+pub(crate) struct ApplyPatchCommandContext {
+    pub(crate) user_explicitly_approved_this_action: bool,
+    pub(crate) changes: HashMap<PathBuf, FileChange>,
+}
+
 /// A series of Turns in response to user input.
 pub(crate) struct AgentTask {
    sess: Arc<Session>,
@@ -519,6 +585,7 @@ impl AgentTask {
 async fn submission_loop(
    mut session_id: Uuid,
    config: Arc<Config>,
+    auth: Option<CodexAuth>,
    rx_sub: Receiver<Submission>,
    tx_event: Sender<Event>,
    ctrl_c: Arc<Notify>,
@@ -630,6 +697,7 @@ async fn submission_loop(

                let client = ModelClient::new(
                    config.clone(),
+                    auth.clone(),
                    provider.clone(),
                    model_reasoning_effort,
                    model_reasoning_summary,
@@ -1331,6 +1399,7 @@ async fn handle_function_call(
            };
            handle_container_exec_with_params(params, sess, sub_id, call_id).await
        }
+        "update_plan" => handle_update_plan(sess, arguments, sub_id, call_id).await,
        _ => {
            match sess.mcp_connection_manager.parse_tool_name(&name) {
                Some((server, tool_name)) => {
@@ -1406,9 +1475,14 @@ async fn handle_container_exec_with_params(
    call_id: String,
 ) -> ResponseInputItem {
    // check if this was a patch, and apply it if so
-    match maybe_parse_apply_patch_verified(&params.command, &params.cwd) {
+    let apply_patch_exec = match maybe_parse_apply_patch_verified(&params.command, &params.cwd) {
        MaybeApplyPatchVerified::Body(changes) => {
-            return apply_patch(sess, sub_id, call_id, changes).await;
+            match apply_patch::apply_patch(sess, &sub_id, &call_id, changes).await {
+                InternalApplyPatchInvocation::Output(item) => return item,
+                InternalApplyPatchInvocation::DelegateToExec(apply_patch_exec) => {
+                    Some(apply_patch_exec)
+                }
+            }
        }
        MaybeApplyPatchVerified::CorrectnessError(parse_error) => {
            // It looks like an invocation of `apply_patch`, but we
@@ -1424,20 +1498,67 @@ async fn handle_container_exec_with_params(
        }
        MaybeApplyPatchVerified::ShellParseError(error) => {
            trace!("Failed to parse shell command, {error:?}");
+            None
        }
-        MaybeApplyPatchVerified::NotApplyPatch => (),
-    }
-
-    // safety checks
-    let safety = {
-        let state = sess.state.lock().unwrap();
-        assess_command_safety(
-            &params.command,
-            sess.approval_policy,
-            &sess.sandbox_policy,
-            &state.approved_commands,
-        )
+        MaybeApplyPatchVerified::NotApplyPatch => None,
    };
+
+    let (params, safety, command_for_display) = match &apply_patch_exec {
+        Some(ApplyPatchExec {
+            action: ApplyPatchAction { patch, cwd, .. },
+            user_explicitly_approved_this_action,
+        }) => {
+            let path_to_codex = std::env::current_exe()
+                .ok()
+                .map(|p| p.to_string_lossy().to_string());
+            let Some(path_to_codex) = path_to_codex else {
+                return ResponseInputItem::FunctionCallOutput {
+                    call_id,
+                    output: FunctionCallOutputPayload {
+                        content: "failed to determine path to codex executable".to_string(),
+                        success: None,
+                    },
+                };
+            };
+
+            let params = ExecParams {
+                command: vec![
+                    path_to_codex,
+                    CODEX_APPLY_PATCH_ARG1.to_string(),
+                    patch.clone(),
+                ],
+                cwd: cwd.clone(),
+                timeout_ms: params.timeout_ms,
+                env: HashMap::new(),
+            };
+            let safety = if *user_explicitly_approved_this_action {
+                SafetyCheck::AutoApprove {
+                    sandbox_type: SandboxType::None,
+                }
+            } else {
+                assess_safety_for_untrusted_command(sess.approval_policy, &sess.sandbox_policy)
+            };
+            (
+                params,
+                safety,
+                vec!["apply_patch".to_string(), patch.clone()],
+            )
+        }
+        None => {
+            let safety = {
+                let state = sess.state.lock().unwrap();
+                assess_command_safety(
+                    &params.command,
+                    sess.approval_policy,
+                    &sess.sandbox_policy,
+                    &state.approved_commands,
+                )
+            };
+            let command_for_display = params.command.clone();
+            (params, safety, command_for_display)
+        }
+    };
+
    let sandbox_type = match safety {
        SafetyCheck::AutoApprove { sandbox_type } => sandbox_type,
        SafetyCheck::AskUser => {
@@ -1482,7 +1603,22 @@ async fn handle_container_exec_with_params(
        }
    };

-    sess.notify_exec_command_begin(&sub_id, &call_id, &params)
+    let exec_command_context = ExecCommandContext {
+        sub_id: sub_id.clone(),
+        call_id: call_id.clone(),
+        command_for_display: command_for_display.clone(),
+        cwd: params.cwd.clone(),
+        apply_patch: apply_patch_exec.map(
+            |ApplyPatchExec {
+                 action,
+                 user_explicitly_approved_this_action,
+             }| ApplyPatchCommandContext {
+                user_explicitly_approved_this_action,
+                changes: convert_apply_patch_to_protocol(&action),
+            },
+        ),
+    };
+    sess.notify_exec_command_begin(exec_command_context.clone())
        .await;

    let params = maybe_run_with_user_profile(params, sess);
@@ -1504,8 +1640,15 @@ async fn handle_container_exec_with_params(
                duration,
            } = output;

-            sess.notify_exec_command_end(&sub_id, &call_id, &stdout, &stderr, exit_code)
-                .await;
+            sess.notify_exec_command_end(
+                &sub_id,
+                &call_id,
+                &stdout,
+                &stderr,
+                exit_code,
+                exec_command_context.apply_patch.is_some(),
+            )
+            .await;

            let is_success = exit_code == 0;
            let content = format_exec_output(
@@ -1523,7 +1666,7 @@ async fn handle_container_exec_with_params(
            }
        }
        Err(CodexErr::Sandbox(error)) => {
-            handle_sandbox_error(error, sandbox_type, params, sess, sub_id, call_id).await
+            handle_sandbox_error(params, exec_command_context, error, sandbox_type, sess).await
        }
        Err(e) => {
            // Handle non-sandbox errors
@@ -1539,13 +1682,17 @@ async fn handle_container_exec_with_params(
 }

 async fn handle_sandbox_error(
+    params: ExecParams,
+    exec_command_context: ExecCommandContext,
    error: SandboxErr,
    sandbox_type: SandboxType,
-    params: ExecParams,
    sess: &Session,
-    sub_id: String,
-    call_id: String,
 ) -> ResponseInputItem {
+    let call_id = exec_command_context.call_id.clone();
+    let sub_id = exec_command_context.sub_id.clone();
+    let cwd = exec_command_context.cwd.clone();
+    let is_apply_patch = exec_command_context.apply_patch.is_some();
+
    // Early out if the user never wants to be asked for approval; just return to the model immediately
    if sess.approval_policy == AskForApproval::Never {
        return ResponseInputItem::FunctionCallOutput {
@@ -1575,7 +1722,7 @@ async fn handle_sandbox_error(
            sub_id.clone(),
            call_id.clone(),
            params.command.clone(),
-            params.cwd.clone(),
+            cwd.clone(),
            Some("command failed; retry without sandbox?".to_string()),
        )
        .await;
@@ -1591,8 +1738,7 @@ async fn handle_sandbox_error(
            sess.notify_background_event(&sub_id, "retrying command without sandbox")
                .await;

-            sess.notify_exec_command_begin(&sub_id, &call_id, &params)
-                .await;
+            sess.notify_exec_command_begin(exec_command_context).await;

            // This is an escalated retry; the policy will not be
            // examined and the sandbox has been set to `None`.
@@ -1614,8 +1760,15 @@ async fn handle_sandbox_error(
                        duration,
                    } = retry_output;

-                    sess.notify_exec_command_end(&sub_id, &call_id, &stdout, &stderr, exit_code)
-                        .await;
+                    sess.notify_exec_command_end(
+                        &sub_id,
+                        &call_id,
+                        &stdout,
+                        &stderr,
+                        exit_code,
+                        is_apply_patch,
+                    )
+                    .await;

                    let is_success = exit_code == 0;
                    let content = format_exec_output(
@@ -1657,384 +1810,6 @@ async fn handle_sandbox_error(
    }
 }

-async fn apply_patch(
-    sess: &Session,
-    sub_id: String,
-    call_id: String,
-    action: ApplyPatchAction,
-) -> ResponseInputItem {
-    let writable_roots_snapshot = {
-        let guard = sess.writable_roots.lock().unwrap();
-        guard.clone()
-    };
-
-    let auto_approved = match assess_patch_safety(
-        &action,
-        sess.approval_policy,
-        &writable_roots_snapshot,
-        &sess.cwd,
-    ) {
-        SafetyCheck::AutoApprove { .. } => true,
-        SafetyCheck::AskUser => {
-            // Compute a readable summary of path changes to include in the
-            // approval request so the user can make an informed decision.
-            let rx_approve = sess
-                .request_patch_approval(sub_id.clone(), call_id.clone(), &action, None, None)
-                .await;
-            match rx_approve.await.unwrap_or_default() {
-                ReviewDecision::Approved | ReviewDecision::ApprovedForSession => false,
-                ReviewDecision::Denied | ReviewDecision::Abort => {
-                    return ResponseInputItem::FunctionCallOutput {
-                        call_id,
-                        output: FunctionCallOutputPayload {
-                            content: "patch rejected by user".to_string(),
-                            success: Some(false),
-                        },
-                    };
-                }
-            }
-        }
-        SafetyCheck::Reject { reason } => {
-            return ResponseInputItem::FunctionCallOutput {
-                call_id,
-                output: FunctionCallOutputPayload {
-                    content: format!("patch rejected: {reason}"),
-                    success: Some(false),
-                },
-            };
-        }
-    };
-
-    // Verify write permissions before touching the filesystem.
-    let writable_snapshot = { sess.writable_roots.lock().unwrap().clone() };
-
-    if let Some(offending) = first_offending_path(&action, &writable_snapshot, &sess.cwd) {
-        let root = offending.parent().unwrap_or(&offending).to_path_buf();
-
-        let reason = Some(format!(
-            "grant write access to {} for this session",
-            root.display()
-        ));
-
-        let rx = sess
-            .request_patch_approval(
-                sub_id.clone(),
-                call_id.clone(),
-                &action,
-                reason.clone(),
-                Some(root.clone()),
-            )
-            .await;
-
-        if !matches!(
-            rx.await.unwrap_or_default(),
-            ReviewDecision::Approved | ReviewDecision::ApprovedForSession
-        ) {
-            return ResponseInputItem::FunctionCallOutput {
-                call_id,
-                output: FunctionCallOutputPayload {
-                    content: "patch rejected by user".to_string(),
-                    success: Some(false),
-                },
-            };
-        }
-
-        // user approved, extend writable roots for this session
-        sess.writable_roots.lock().unwrap().push(root);
-    }
-
-    let _ = sess
-        .tx_event
-        .send(Event {
-            id: sub_id.clone(),
-            msg: EventMsg::PatchApplyBegin(PatchApplyBeginEvent {
-                call_id: call_id.clone(),
-                auto_approved,
-                changes: convert_apply_patch_to_protocol(&action),
-            }),
-        })
-        .await;
-
-    let mut stdout = Vec::new();
-    let mut stderr = Vec::new();
-    // Enforce writable roots. If a write is blocked, collect offending root
-    // and prompt the user to extend permissions.
-    let mut result = apply_changes_from_apply_patch_and_report(&action, &mut stdout, &mut stderr);
-
-    if let Err(err) = &result {
-        if err.kind() == std::io::ErrorKind::PermissionDenied {
-            // Determine first offending path.
-            let offending_opt = action
-                .changes()
-                .iter()
-                .flat_map(|(path, change)| match change {
-                    ApplyPatchFileChange::Add { .. } => vec![path.as_ref()],
-                    ApplyPatchFileChange::Delete => vec![path.as_ref()],
-                    ApplyPatchFileChange::Update {
-                        move_path: Some(move_path),
-                        ..
-                    } => {
-                        vec![path.as_ref(), move_path.as_ref()]
-                    }
-                    ApplyPatchFileChange::Update {
-                        move_path: None, ..
-                    } => vec![path.as_ref()],
-                })
-                .find_map(|path: &Path| {
-                    // ApplyPatchAction promises to guarantee absolute paths.
-                    if !path.is_absolute() {
-                        panic!("apply_patch invariant failed: path is not absolute: {path:?}");
-                    }
-
-                    let writable = {
-                        let roots = sess.writable_roots.lock().unwrap();
-                        roots.iter().any(|root| path.starts_with(root))
-                    };
-                    if writable {
-                        None
-                    } else {
-                        Some(path.to_path_buf())
-                    }
-                });
-
-            if let Some(offending) = offending_opt {
-                let root = offending.parent().unwrap_or(&offending).to_path_buf();
-
-                let reason = Some(format!(
-                    "grant write access to {} for this session",
-                    root.display()
-                ));
-                let rx = sess
-                    .request_patch_approval(
-                        sub_id.clone(),
-                        call_id.clone(),
-                        &action,
-                        reason.clone(),
-                        Some(root.clone()),
-                    )
-                    .await;
-                if matches!(
-                    rx.await.unwrap_or_default(),
-                    ReviewDecision::Approved | ReviewDecision::ApprovedForSession
-                ) {
-                    // Extend writable roots.
-                    sess.writable_roots.lock().unwrap().push(root);
-                    stdout.clear();
-                    stderr.clear();
-                    result = apply_changes_from_apply_patch_and_report(
-                        &action,
-                        &mut stdout,
-                        &mut stderr,
-                    );
-                }
-            }
-        }
-    }
-
-    // Emit PatchApplyEnd event.
-    let success_flag = result.is_ok();
-    let _ = sess
-        .tx_event
-        .send(Event {
-            id: sub_id.clone(),
-            msg: EventMsg::PatchApplyEnd(PatchApplyEndEvent {
-                call_id: call_id.clone(),
-                stdout: String::from_utf8_lossy(&stdout).to_string(),
-                stderr: String::from_utf8_lossy(&stderr).to_string(),
-                success: success_flag,
-            }),
-        })
-        .await;
-
-    match result {
-        Ok(_) => ResponseInputItem::FunctionCallOutput {
-            call_id,
-            output: FunctionCallOutputPayload {
-                content: String::from_utf8_lossy(&stdout).to_string(),
-                success: None,
-            },
-        },
-        Err(e) => ResponseInputItem::FunctionCallOutput {
-            call_id,
-            output: FunctionCallOutputPayload {
-                content: format!("error: {e:#}, stderr: {}", String::from_utf8_lossy(&stderr)),
-                success: Some(false),
-            },
-        },
-    }
-}
-
-/// Return the first path in `hunks` that is NOT under any of the
-/// `writable_roots` (after normalising). If all paths are acceptable,
-/// returns None.
-fn first_offending_path(
-    action: &ApplyPatchAction,
-    writable_roots: &[PathBuf],
-    cwd: &Path,
-) -> Option<PathBuf> {
-    let changes = action.changes();
-    for (path, change) in changes {
-        let candidate = match change {
-            ApplyPatchFileChange::Add { .. } => path,
-            ApplyPatchFileChange::Delete => path,
-            ApplyPatchFileChange::Update { move_path, .. } => move_path.as_ref().unwrap_or(path),
-        };
-
-        let abs = if candidate.is_absolute() {
-            candidate.clone()
-        } else {
-            cwd.join(candidate)
-        };
-
-        let mut allowed = false;
-        for root in writable_roots {
-            let root_abs = if root.is_absolute() {
-                root.clone()
-            } else {
-                cwd.join(root)
-            };
-            if abs.starts_with(&root_abs) {
-                allowed = true;
-                break;
-            }
-        }
-
-        if !allowed {
-            return Some(candidate.clone());
-        }
-    }
-    None
-}
-
-fn convert_apply_patch_to_protocol(action: &ApplyPatchAction) -> HashMap<PathBuf, FileChange> {
-    let changes = action.changes();
-    let mut result = HashMap::with_capacity(changes.len());
-    for (path, change) in changes {
-        let protocol_change = match change {
-            ApplyPatchFileChange::Add { content } => FileChange::Add {
-                content: content.clone(),
-            },
-            ApplyPatchFileChange::Delete => FileChange::Delete,
-            ApplyPatchFileChange::Update {
-                unified_diff,
-                move_path,
-                new_content: _new_content,
-            } => FileChange::Update {
-                unified_diff: unified_diff.clone(),
-                move_path: move_path.clone(),
-            },
-        };
-        result.insert(path.clone(), protocol_change);
-    }
-    result
-}
-
-fn apply_changes_from_apply_patch_and_report(
-    action: &ApplyPatchAction,
-    stdout: &mut impl std::io::Write,
-    stderr: &mut impl std::io::Write,
-) -> std::io::Result<()> {
-    match apply_changes_from_apply_patch(action) {
-        Ok(affected_paths) => {
-            print_summary(&affected_paths, stdout)?;
-        }
-        Err(err) => {
-            writeln!(stderr, "{err:?}")?;
-        }
-    }
-
-    Ok(())
-}
-
-fn apply_changes_from_apply_patch(action: &ApplyPatchAction) -> anyhow::Result<AffectedPaths> {
-    let mut added: Vec<PathBuf> = Vec::new();
-    let mut modified: Vec<PathBuf> = Vec::new();
-    let mut deleted: Vec<PathBuf> = Vec::new();
-
-    let changes = action.changes();
-    for (path, change) in changes {
-        match change {
-            ApplyPatchFileChange::Add { content } => {
-                if let Some(parent) = path.parent() {
-                    if !parent.as_os_str().is_empty() {
-                        std::fs::create_dir_all(parent).with_context(|| {
-                            format!("Failed to create parent directories for {}", path.display())
-                        })?;
-                    }
-                }
-                std::fs::write(path, content)
-                    .with_context(|| format!("Failed to write file {}", path.display()))?;
-                added.push(path.clone());
-            }
-            ApplyPatchFileChange::Delete => {
-                std::fs::remove_file(path)
-                    .with_context(|| format!("Failed to delete file {}", path.display()))?;
-                deleted.push(path.clone());
-            }
-            ApplyPatchFileChange::Update {
-                unified_diff: _unified_diff,
-                move_path,
-                new_content,
-            } => {
-                if let Some(move_path) = move_path {
-                    if let Some(parent) = move_path.parent() {
-                        if !parent.as_os_str().is_empty() {
-                            std::fs::create_dir_all(parent).with_context(|| {
-                                format!(
-                                    "Failed to create parent directories for {}",
-                                    move_path.display()
-                                )
-                            })?;
-                        }
-                    }
-
-                    std::fs::rename(path, move_path)
-                        .with_context(|| format!("Failed to rename file {}", path.display()))?;
-                    std::fs::write(move_path, new_content)?;
-                    modified.push(move_path.clone());
-                    deleted.push(path.clone());
-                } else {
-                    std::fs::write(path, new_content)?;
-                    modified.push(path.clone());
-                }
-            }
-        }
-    }
-
-    Ok(AffectedPaths {
-        added,
-        modified,
-        deleted,
-    })
-}
-
-fn get_writable_roots(cwd: &Path) -> Vec<PathBuf> {
-    let mut writable_roots = Vec::new();
-    if cfg!(target_os = "macos") {
-        // On macOS, $TMPDIR is private to the user.
-        writable_roots.push(std::env::temp_dir());
-
-        // Allow pyenv to update its shims directory. Without this, any tool
-        // that happens to be managed by `pyenv` will fail with an error like:
-        //
-        //   pyenv: cannot rehash: $HOME/.pyenv/shims isn't writable
-        //
-        // which is emitted every time `pyenv` tries to run `rehash` (for
-        // example, after installing a new Python package that drops an entry
-        // point). Although the sandbox is intentionally read‑only by default,
-        // writing to the user's local `pyenv` directory is safe because it
-        // is already user‑writable and scoped to the current user account.
-        if let Ok(home_dir) = std::env::var("HOME") {
-            let pyenv_dir = PathBuf::from(home_dir).join(".pyenv");
-            writable_roots.push(pyenv_dir);
-        }
-    }
-
-    writable_roots.push(cwd.to_path_buf());
-
-    writable_roots
-}
-
 /// Exec output is a pre-serialized JSON payload
 fn format_exec_output(output: &str, exit_code: i32, duration: Duration) -> String {
    #[derive(Serialize)]
--- a/codex-rs/core/src/codex_wrapper.rs
+++ b/codex-rs/core/src/codex_wrapper.rs
@@ -1,21 +1,37 @@
 use std::sync::Arc;

 use crate::Codex;
+use crate::CodexSpawnOk;
 use crate::config::Config;
 use crate::protocol::Event;
 use crate::protocol::EventMsg;
 use crate::util::notify_on_sigint;
+use codex_login::load_auth;
 use tokio::sync::Notify;
 use uuid::Uuid;

+/// Represents an active Codex conversation, including the first event
+/// (which is [`EventMsg::SessionConfigured`]).
+pub struct CodexConversation {
+    pub codex: Codex,
+    pub session_id: Uuid,
+    pub session_configured: Event,
+    pub ctrl_c: Arc<Notify>,
+}
+
 /// Spawn a new [`Codex`] and initialize the session.
 ///
 /// Returns the wrapped [`Codex`] **and** the `SessionInitialized` event that
 /// is received as a response to the initial `ConfigureSession` submission so
 /// that callers can surface the information to the UI.
-pub async fn init_codex(config: Config) -> anyhow::Result<(Codex, Event, Arc<Notify>, Uuid)> {
+pub async fn init_codex(config: Config) -> anyhow::Result<CodexConversation> {
    let ctrl_c = notify_on_sigint();
-    let (codex, init_id, session_id) = Codex::spawn(config, ctrl_c.clone()).await?;
+    let auth = load_auth(&config.codex_home, true)?;
+    let CodexSpawnOk {
+        codex,
+        init_id,
+        session_id,
+    } = Codex::spawn(config, auth, ctrl_c.clone()).await?;

    // The first event must be `SessionInitialized`. Validate and forward it to
    // the caller so that they can display it in the conversation history.
@@ -34,5 +50,10 @@ pub async fn init_codex(config: Config) -> anyhow::Result<(Codex, Event, Arc<Not
        ));
    }

-    Ok((codex, event, ctrl_c, session_id))
+    Ok(CodexConversation {
+        codex,
+        session_id,
+        session_configured: event,
+        ctrl_c,
+    })
 }
--- a/codex-rs/core/src/config.rs
+++ b/codex-rs/core/src/config.rs
@@ -143,6 +143,9 @@ pub struct Config {

    /// Experimental rollout resume path (absolute path to .jsonl; undocumented).
    pub experimental_resume: Option<PathBuf>,
+
+    /// Include an experimental plan tool that the model can use to update its current plan and status of each step.
+    pub include_plan_tool: bool,
 }

 impl Config {
@@ -366,6 +369,7 @@ pub struct ConfigOverrides {
    pub config_profile: Option<String>,
    pub codex_linux_sandbox_exe: Option<PathBuf>,
    pub base_instructions: Option<String>,
+    pub include_plan_tool: Option<bool>,
 }

 impl Config {
@@ -388,6 +392,7 @@ impl Config {
            config_profile: config_profile_key,
            codex_linux_sandbox_exe,
            base_instructions,
+            include_plan_tool,
        } = overrides;

        let config_profile = match config_profile_key.as_ref().or(cfg.profile.as_ref()) {
@@ -465,9 +470,14 @@ impl Config {

        let experimental_resume = cfg.experimental_resume;

-        let base_instructions = base_instructions.or(Self::get_base_instructions(
+        // Load base instructions override from a file if specified. If the
+        // path is relative, resolve it against the effective cwd so the
+        // behaviour matches other path-like config values.
+        let file_base_instructions = Self::get_base_instructions(
            cfg.experimental_instructions_file.as_ref(),
-        ));
+            &resolved_cwd,
+        )?;
+        let base_instructions = base_instructions.or(file_base_instructions);

        let config = Self {
            model,
@@ -518,6 +528,7 @@ impl Config {
                .unwrap_or("https://chatgpt.com/backend-api/".to_string()),

            experimental_resume,
+            include_plan_tool: include_plan_tool.unwrap_or(false),
        };
        Ok(config)
    }
@@ -539,13 +550,46 @@ impl Config {
        })
    }

-    fn get_base_instructions(path: Option<&PathBuf>) -> Option<String> {
-        let path = path.as_ref()?;
+    fn get_base_instructions(
+        path: Option<&PathBuf>,
+        cwd: &Path,
+    ) -> std::io::Result<Option<String>> {
+        let p = match path.as_ref() {
+            None => return Ok(None),
+            Some(p) => p,
+        };

-        std::fs::read_to_string(path)
-            .ok()
-            .map(|s| s.trim().to_string())
-            .filter(|s| !s.is_empty())
+        // Resolve relative paths against the provided cwd to make CLI
+        // overrides consistent regardless of where the process was launched
+        // from.
+        let full_path = if p.is_relative() {
+            cwd.join(p)
+        } else {
+            p.to_path_buf()
+        };
+
+        let contents = std::fs::read_to_string(&full_path).map_err(|e| {
+            std::io::Error::new(
+                e.kind(),
+                format!(
+                    "failed to read experimental instructions file {}: {e}",
+                    full_path.display()
+                ),
+            )
+        })?;
+
+        let s = contents.trim().to_string();
+        if s.is_empty() {
+            Err(std::io::Error::new(
+                std::io::ErrorKind::InvalidData,
+                format!(
+                    "experimental instructions file is empty: {}",
+                    full_path.display()
+                ),
+            ))
+        } else {
+            Ok(Some(s))
+        }
    }
 }

@@ -751,7 +795,7 @@ disable_response_storage = true

        let openai_chat_completions_provider = ModelProviderInfo {
            name: "OpenAI using Chat Completions".to_string(),
-            base_url: "https://api.openai.com/v1".to_string(),
+            base_url: Some("https://api.openai.com/v1".to_string()),
            env_key: Some("OPENAI_API_KEY".to_string()),
            wire_api: crate::WireApi::Chat,
            env_key_instructions: None,
@@ -761,6 +805,7 @@ disable_response_storage = true
            request_max_retries: Some(4),
            stream_max_retries: Some(10),
            stream_idle_timeout_ms: Some(300_000),
+            requires_auth: false,
        };
        let model_provider_map = {
            let mut model_provider_map = built_in_model_providers();
@@ -791,7 +836,7 @@ disable_response_storage = true
    ///
    /// 1. custom command-line argument, e.g. `--model o3`
    /// 2. as part of a profile, where the `--profile` is specified via a CLI
-    ///    (or in the config file itelf)
+    ///    (or in the config file itself)
    /// 3. as an entry in `config.toml`, e.g. `model = "o3"`
    /// 4. the default value for a required field defined in code, e.g.,
    ///    `crate::flags::OPENAI_DEFAULT_MODEL`
@@ -841,6 +886,7 @@ disable_response_storage = true
                chatgpt_base_url: "https://chatgpt.com/backend-api/".to_string(),
                experimental_resume: None,
                base_instructions: None,
+                include_plan_tool: false,
            },
            o3_profile_config
        );
@@ -889,6 +935,7 @@ disable_response_storage = true
            chatgpt_base_url: "https://chatgpt.com/backend-api/".to_string(),
            experimental_resume: None,
            base_instructions: None,
+            include_plan_tool: false,
        };

        assert_eq!(expected_gpt3_profile_config, gpt3_profile_config);
@@ -952,6 +999,7 @@ disable_response_storage = true
            chatgpt_base_url: "https://chatgpt.com/backend-api/".to_string(),
            experimental_resume: None,
            base_instructions: None,
+            include_plan_tool: false,
        };

        assert_eq!(expected_zdr_profile_config, zdr_profile_config);
--- a/codex-rs/core/src/config_types.rs
+++ b/codex-rs/core/src/config_types.rs
@@ -78,7 +78,7 @@ pub enum HistoryPersistence {
 #[derive(Deserialize, Debug, Clone, PartialEq, Default)]
 pub struct Tui {}

-#[derive(Deserialize, Debug, Clone, Copy, PartialEq, Default)]
+#[derive(Deserialize, Debug, Clone, Copy, PartialEq, Default, Serialize)]
 #[serde(rename_all = "kebab-case")]
 pub enum SandboxMode {
    #[serde(rename = "read-only")]
--- a/codex-rs/core/src/exec.rs
+++ b/codex-rs/core/src/exec.rs
@@ -6,7 +6,6 @@ use std::io;
 use std::path::Path;
 use std::path::PathBuf;
 use std::process::ExitStatus;
-use std::process::Stdio;
 use std::sync::Arc;
 use std::time::Duration;
 use std::time::Instant;
@@ -15,14 +14,15 @@ use tokio::io::AsyncRead;
 use tokio::io::AsyncReadExt;
 use tokio::io::BufReader;
 use tokio::process::Child;
-use tokio::process::Command;
 use tokio::sync::Notify;
-use tracing::trace;

 use crate::error::CodexErr;
 use crate::error::Result;
 use crate::error::SandboxErr;
 use crate::protocol::SandboxPolicy;
+use crate::seatbelt::spawn_command_under_seatbelt;
+use crate::spawn::StdioPolicy;
+use crate::spawn::spawn_child_async;

 // Maximum we send for each stream, which is either:
 // - 10KiB OR
@@ -37,24 +37,6 @@ const DEFAULT_TIMEOUT_MS: u64 = 10_000;
 const SIGKILL_CODE: i32 = 9;
 const TIMEOUT_CODE: i32 = 64;

-const MACOS_SEATBELT_BASE_POLICY: &str = include_str!("seatbelt_base_policy.sbpl");
-
-/// When working with `sandbox-exec`, only consider `sandbox-exec` in `/usr/bin`
-/// to defend against an attacker trying to inject a malicious version on the
-/// PATH. If /usr/bin/sandbox-exec has been tampered with, then the attacker
-/// already has root access.
-const MACOS_PATH_TO_SEATBELT_EXECUTABLE: &str = "/usr/bin/sandbox-exec";
-
-/// Experimental environment variable that will be set to some non-empty value
-/// if both of the following are true:
-///
-/// 1. The process was spawned by Codex as part of a shell tool call.
-/// 2. SandboxPolicy.has_full_network_access() was false for the tool call.
-///
-/// We may try to have just one environment variable for all sandboxing
-/// attributes, so this may change in the future.
-pub const CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR: &str = "CODEX_SANDBOX_NETWORK_DISABLED";
-
 #[derive(Debug, Clone)]
 pub struct ExecParams {
    pub command: Vec<String>,
@@ -168,27 +150,6 @@ pub async fn process_exec_tool_call(
    }
 }

-pub async fn spawn_command_under_seatbelt(
-    command: Vec<String>,
-    sandbox_policy: &SandboxPolicy,
-    cwd: PathBuf,
-    stdio_policy: StdioPolicy,
-    env: HashMap<String, String>,
-) -> std::io::Result<Child> {
-    let args = create_seatbelt_command_args(command, sandbox_policy, &cwd);
-    let arg0 = None;
-    spawn_child_async(
-        PathBuf::from(MACOS_PATH_TO_SEATBELT_EXECUTABLE),
-        args,
-        arg0,
-        cwd,
-        sandbox_policy,
-        stdio_policy,
-        env,
-    )
-    .await
-}
-
 /// Spawn a shell tool command under the Linux Landlock+seccomp sandbox helper
 /// (codex-linux-sandbox).
 ///
@@ -248,65 +209,6 @@ fn create_linux_sandbox_command_args(
    linux_cmd
 }

-fn create_seatbelt_command_args(
-    command: Vec<String>,
-    sandbox_policy: &SandboxPolicy,
-    cwd: &Path,
-) -> Vec<String> {
-    let (file_write_policy, extra_cli_args) = {
-        if sandbox_policy.has_full_disk_write_access() {
-            // Allegedly, this is more permissive than `(allow file-write*)`.
-            (
-                r#"(allow file-write* (regex #"^/"))"#.to_string(),
-                Vec::<String>::new(),
-            )
-        } else {
-            let writable_roots = sandbox_policy.get_writable_roots_with_cwd(cwd);
-            let (writable_folder_policies, cli_args): (Vec<String>, Vec<String>) = writable_roots
-                .iter()
-                .enumerate()
-                .map(|(index, root)| {
-                    let param_name = format!("WRITABLE_ROOT_{index}");
-                    let policy: String = format!("(subpath (param \"{param_name}\"))");
-                    let cli_arg = format!("-D{param_name}={}", root.to_string_lossy());
-                    (policy, cli_arg)
-                })
-                .unzip();
-            if writable_folder_policies.is_empty() {
-                ("".to_string(), Vec::<String>::new())
-            } else {
-                let file_write_policy = format!(
-                    "(allow file-write*\n{}\n)",
-                    writable_folder_policies.join(" ")
-                );
-                (file_write_policy, cli_args)
-            }
-        }
-    };
-
-    let file_read_policy = if sandbox_policy.has_full_disk_read_access() {
-        "; allow read-only file operations\n(allow file-read*)"
-    } else {
-        ""
-    };
-
-    // TODO(mbolin): apply_patch calls must also honor the SandboxPolicy.
-    let network_policy = if sandbox_policy.has_full_network_access() {
-        "(allow network-outbound)\n(allow network-inbound)\n(allow system-socket)"
-    } else {
-        ""
-    };
-
-    let full_policy = format!(
-        "{MACOS_SEATBELT_BASE_POLICY}\n{file_read_policy}\n{file_write_policy}\n{network_policy}"
-    );
-    let mut seatbelt_args: Vec<String> = vec!["-p".to_string(), full_policy];
-    seatbelt_args.extend(extra_cli_args);
-    seatbelt_args.push("--".to_string());
-    seatbelt_args.extend(command);
-    seatbelt_args
-}
-
 #[derive(Debug)]
 pub struct RawExecToolCallOutput {
    pub exit_status: ExitStatus,
@@ -352,90 +254,6 @@ async fn exec(
    consume_truncated_output(child, ctrl_c, timeout_ms).await
 }

-#[derive(Debug, Clone, Copy)]
-pub enum StdioPolicy {
-    RedirectForShellTool,
-    Inherit,
-}
-
-/// Spawns the appropriate child process for the ExecParams and SandboxPolicy,
-/// ensuring the args and environment variables used to create the `Command`
-/// (and `Child`) honor the configuration.
-///
-/// For now, we take `SandboxPolicy` as a parameter to spawn_child() because
-/// we need to determine whether to set the
-/// `CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR` environment variable.
-async fn spawn_child_async(
-    program: PathBuf,
-    args: Vec<String>,
-    #[cfg_attr(not(unix), allow(unused_variables))] arg0: Option<&str>,
-    cwd: PathBuf,
-    sandbox_policy: &SandboxPolicy,
-    stdio_policy: StdioPolicy,
-    env: HashMap<String, String>,
-) -> std::io::Result<Child> {
-    trace!(
-        "spawn_child_async: {program:?} {args:?} {arg0:?} {cwd:?} {sandbox_policy:?} {stdio_policy:?} {env:?}"
-    );
-
-    let mut cmd = Command::new(&program);
-    #[cfg(unix)]
-    cmd.arg0(arg0.map_or_else(|| program.to_string_lossy().to_string(), String::from));
-    cmd.args(args);
-    cmd.current_dir(cwd);
-    cmd.env_clear();
-    cmd.envs(env);
-
-    if !sandbox_policy.has_full_network_access() {
-        cmd.env(CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR, "1");
-    }
-
-    // If this Codex process dies (including being killed via SIGKILL), we want
-    // any child processes that were spawned as part of a `"shell"` tool call
-    // to also be terminated.
-
-    // This relies on prctl(2), so it only works on Linux.
-    #[cfg(target_os = "linux")]
-    unsafe {
-        cmd.pre_exec(|| {
-            // This prctl call effectively requests, "deliver SIGTERM when my
-            // current parent dies."
-            if libc::prctl(libc::PR_SET_PDEATHSIG, libc::SIGTERM) == -1 {
-                return Err(io::Error::last_os_error());
-            }
-
-            // Though if there was a race condition and this pre_exec() block is
-            // run _after_ the parent (i.e., the Codex process) has already
-            // exited, then the parent is the _init_ process (which will never
-            // die), so we should just terminate the child process now.
-            if libc::getppid() == 1 {
-                libc::raise(libc::SIGTERM);
-            }
-            Ok(())
-        });
-    }
-
-    match stdio_policy {
-        StdioPolicy::RedirectForShellTool => {
-            // Do not create a file descriptor for stdin because otherwise some
-            // commands may hang forever waiting for input. For example, ripgrep has
-            // a heuristic where it may try to read from stdin as explained here:
-            // https://github.com/BurntSushi/ripgrep/blob/e2362d4d5185d02fa857bf381e7bd52e66fafc73/crates/core/flags/hiargs.rs#L1101-L1103
-            cmd.stdin(Stdio::null());
-
-            cmd.stdout(Stdio::piped()).stderr(Stdio::piped());
-        }
-        StdioPolicy::Inherit => {
-            // Inherit stdin, stdout, and stderr from the parent process.
-            cmd.stdin(Stdio::inherit())
-                .stdout(Stdio::inherit())
-                .stderr(Stdio::inherit());
-        }
-    }
-
-    cmd.kill_on_drop(true).spawn()
-}
-
 /// Consumes the output of a child process, truncating it so it is suitable for
 /// use as the output of a `shell` tool call. Also enforces specified timeout.
 pub(crate) async fn consume_truncated_output(
--- a/codex-rs/core/src/git_info.rs
+++ b/codex-rs/core/src/git_info.rs
@@ -111,9 +111,14 @@ mod tests {
    // Helper function to create a test git repository
    async fn create_test_git_repo(temp_dir: &TempDir) -> PathBuf {
        let repo_path = temp_dir.path().to_path_buf();
+        let envs = vec![
+            ("GIT_CONFIG_GLOBAL", "/dev/null"),
+            ("GIT_CONFIG_NOSYSTEM", "1"),
+        ];

        // Initialize git repo
        Command::new("git")
+            .envs(envs.clone())
            .args(["init"])
            .current_dir(&repo_path)
            .output()
@@ -122,6 +127,7 @@ mod tests {

        // Configure git user (required for commits)
        Command::new("git")
+            .envs(envs.clone())
            .args(["config", "user.name", "Test User"])
            .current_dir(&repo_path)
            .output()
@@ -129,6 +135,7 @@ mod tests {
            .expect("Failed to set git user name");

        Command::new("git")
+            .envs(envs.clone())
            .args(["config", "user.email", "test@example.com"])
            .current_dir(&repo_path)
            .output()
@@ -140,6 +147,7 @@ mod tests {
        fs::write(&test_file, "test content").expect("Failed to write test file");

        Command::new("git")
+            .envs(envs.clone())
            .args(["add", "."])
            .current_dir(&repo_path)
            .output()
@@ -147,6 +155,7 @@ mod tests {
            .expect("Failed to add files");

        Command::new("git")
+            .envs(envs.clone())
            .args(["commit", "-m", "Initial commit"])
            .current_dir(&repo_path)
            .output()
--- a/codex-rs/core/src/lib.rs
+++ b/codex-rs/core/src/lib.rs
@@ -5,12 +5,14 @@
 // the TUI or the tracing stack).
 #![deny(clippy::print_stdout, clippy::print_stderr)]

+mod apply_patch;
 mod bash;
 mod chat_completions;
 mod client;
 mod client_common;
 pub mod codex;
 pub use codex::Codex;
+pub use codex::CodexSpawnOk;
 pub mod codex_wrapper;
 pub mod config;
 pub mod config_profile;
@@ -28,16 +30,20 @@ mod message_history;
 mod model_provider_info;
 pub use model_provider_info::ModelProviderInfo;
 pub use model_provider_info::WireApi;
+pub use model_provider_info::built_in_model_providers;
 mod models;
-pub mod openai_api_key;
 mod openai_model_info;
 mod openai_tools;
+pub mod plan_tool;
 mod project_doc;
 pub mod protocol;
 mod rollout;
 mod safety;
+pub mod seatbelt;
 pub mod shell;
+pub mod spawn;
 mod user_notification;
 pub mod util;

+pub use apply_patch::CODEX_APPLY_PATCH_ARG1;
 pub use client_common::model_supports_reasoning_summaries;
--- a/codex-rs/core/src/mcp_connection_manager.rs
+++ b/codex-rs/core/src/mcp_connection_manager.rs
@@ -8,6 +8,7 @@

 use std::collections::HashMap;
 use std::collections::HashSet;
+use std::ffi::OsString;
 use std::time::Duration;

 use anyhow::Context;
@@ -127,7 +128,12 @@ impl McpConnectionManager {

            join_set.spawn(async move {
                let McpServerConfig { command, args, env } = cfg;
-                let client_res = McpClient::new_stdio_client(command, args, env).await;
+                let client_res = McpClient::new_stdio_client(
+                    command.into(),
+                    args.into_iter().map(OsString::from).collect(),
+                    env,
+                )
+                .await;
                match client_res {
                    Ok(client) => {
                        // Initialize the client.
--- a/codex-rs/core/src/mcp_tool_call.rs
+++ b/codex-rs/core/src/mcp_tool_call.rs
@@ -1,4 +1,5 @@
 use std::time::Duration;
+use std::time::Instant;

 use tracing::error;

@@ -7,6 +8,7 @@ use crate::models::FunctionCallOutputPayload;
 use crate::models::ResponseInputItem;
 use crate::protocol::Event;
 use crate::protocol::EventMsg;
+use crate::protocol::McpInvocation;
 use crate::protocol::McpToolCallBeginEvent;
 use crate::protocol::McpToolCallEndEvent;

@@ -41,21 +43,28 @@ pub(crate) async fn handle_mcp_tool_call(
        }
    };

-    let tool_call_begin_event = EventMsg::McpToolCallBegin(McpToolCallBeginEvent {
-        call_id: call_id.clone(),
+    let invocation = McpInvocation {
        server: server.clone(),
        tool: tool_name.clone(),
        arguments: arguments_value.clone(),
+    };
+
+    let tool_call_begin_event = EventMsg::McpToolCallBegin(McpToolCallBeginEvent {
+        call_id: call_id.clone(),
+        invocation: invocation.clone(),
    });
    notify_mcp_tool_call_event(sess, sub_id, tool_call_begin_event).await;

+    let start = Instant::now();
    // Perform the tool call.
    let result = sess
-        .call_tool(&server, &tool_name, arguments_value, timeout)
+        .call_tool(&server, &tool_name, arguments_value.clone(), timeout)
        .await
        .map_err(|e| format!("tool call error: {e}"));
    let tool_call_end_event = EventMsg::McpToolCallEnd(McpToolCallEndEvent {
        call_id: call_id.clone(),
+        invocation,
+        duration: start.elapsed(),
        result: result.clone(),
    });

--- a/codex-rs/core/src/model_provider_info.rs
+++ b/codex-rs/core/src/model_provider_info.rs
@@ -12,7 +12,6 @@ use std::env::VarError;
 use std::time::Duration;

 use crate::error::EnvVarError;
-use crate::openai_api_key::get_openai_api_key;

 /// Value for the `OpenAI-Originator` header that is sent with requests to
 /// OpenAI.
@@ -30,7 +29,7 @@ const DEFAULT_REQUEST_MAX_RETRIES: u64 = 4;
 #[derive(Debug, Clone, Copy, Default, PartialEq, Eq, Serialize, Deserialize)]
 #[serde(rename_all = "lowercase")]
 pub enum WireApi {
-    /// The experimental "Responses" API exposed by OpenAI at `/v1/responses`.
+    /// The Responses API exposed by OpenAI at `/v1/responses`.
    Responses,

    /// Regular Chat Completions compatible with `/v1/chat/completions`.
@@ -44,7 +43,7 @@ pub struct ModelProviderInfo {
    /// Friendly display name.
    pub name: String,
    /// Base URL for the provider's OpenAI-compatible API.
-    pub base_url: String,
+    pub base_url: Option<String>,
    /// Environment variable that stores the user's API key for this provider.
    pub env_key: Option<String>,

@@ -78,6 +77,10 @@ pub struct ModelProviderInfo {
    /// Idle timeout (in milliseconds) to wait for activity on a streaming response before treating
    /// the connection as lost.
    pub stream_idle_timeout_ms: Option<u64>,
+
+    /// Whether this provider requires some form of standard authentication (API key, ChatGPT token).
+    #[serde(default)]
+    pub requires_auth: bool,
 }

 impl ModelProviderInfo {
@@ -93,11 +96,11 @@ impl ModelProviderInfo {
        &'a self,
        client: &'a reqwest::Client,
    ) -> crate::error::Result<reqwest::RequestBuilder> {
-        let api_key = self.api_key()?;
-
        let url = self.get_full_url();

        let mut builder = client.post(url);
+
+        let api_key = self.api_key()?;
        if let Some(key) = api_key {
            builder = builder.bearer_auth(key);
        }
@@ -117,9 +120,15 @@ impl ModelProviderInfo {
                    .join("&");
                format!("?{full_params}")
            });
-        let base_url = &self.base_url;
+        let base_url = self
+            .base_url
+            .clone()
+            .unwrap_or("https://api.openai.com/v1".to_string());
+
        match self.wire_api {
-            WireApi::Responses => format!("{base_url}/responses{query_string}"),
+            WireApi::Responses => {
+                format!("{base_url}/responses{query_string}")
+            }
            WireApi::Chat => format!("{base_url}/chat/completions{query_string}"),
        }
    }
@@ -127,7 +136,10 @@ impl ModelProviderInfo {
    /// Apply provider-specific HTTP headers (both static and environment-based)
    /// onto an existing `reqwest::RequestBuilder` and return the updated
    /// builder.
-    fn apply_http_headers(&self, mut builder: reqwest::RequestBuilder) -> reqwest::RequestBuilder {
+    pub fn apply_http_headers(
+        &self,
+        mut builder: reqwest::RequestBuilder,
+    ) -> reqwest::RequestBuilder {
        if let Some(extra) = &self.http_headers {
            for (k, v) in extra {
                builder = builder.header(k, v);
@@ -152,11 +164,7 @@ impl ModelProviderInfo {
    fn api_key(&self) -> crate::error::Result<Option<String>> {
        match &self.env_key {
            Some(env_key) => {
-                let env_value = if env_key == crate::openai_api_key::OPENAI_API_KEY_ENV_VAR {
-                    get_openai_api_key().map_or_else(|| Err(VarError::NotPresent), Ok)
-                } else {
-                    std::env::var(env_key)
-                };
+                let env_value = std::env::var(env_key);
                env_value
                    .and_then(|v| {
                        if v.trim().is_empty() {
@@ -204,47 +212,51 @@ pub fn built_in_model_providers() -> HashMap<String, ModelProviderInfo> {
    // providers are bundled with Codex CLI, so we only include the OpenAI
    // provider by default. Users are encouraged to add to `model_providers`
    // in config.toml to add their own providers.
-    [
-        (
-            "openai",
-            P {
-                name: "OpenAI".into(),
-                // Allow users to override the default OpenAI endpoint by
-                // exporting `OPENAI_BASE_URL`. This is useful when pointing
-                // Codex at a proxy, mock server, or Azure-style deployment
-                // without requiring a full TOML override for the built-in
-                // OpenAI provider.
-                base_url: std::env::var("OPENAI_BASE_URL")
-                    .ok()
-                    .filter(|v| !v.trim().is_empty())
-                    .unwrap_or_else(|| "https://api.openai.com/v1".to_string()),
-                env_key: Some("OPENAI_API_KEY".into()),
-                env_key_instructions: Some("Create an API key (https://platform.openai.com) and export it as an environment variable.".into()),
-                wire_api: WireApi::Responses,
-                query_params: None,
-                http_headers: Some(
-                    [
-                        ("originator".to_string(), OPENAI_ORIGINATOR_HEADER.to_string()),
-                        ("version".to_string(), env!("CARGO_PKG_VERSION").to_string()),
-                    ]
-                        .into_iter()
-                        .collect(),
-                ),
-                env_http_headers: Some(
-                    [
-                        ("OpenAI-Organization".to_string(), "OPENAI_ORGANIZATION".to_string()),
-                        ("OpenAI-Project".to_string(), "OPENAI_PROJECT".to_string()),
-                    ]
-                        .into_iter()
-                        .collect(),
-                ),
-                // Use global defaults for retry/timeout unless overridden in config.toml.
-                request_max_retries: None,
-                stream_max_retries: None,
-                stream_idle_timeout_ms: None,
-            },
-        ),
-    ]
+    [(
+        "openai",
+        P {
+            name: "OpenAI".into(),
+            // Allow users to override the default OpenAI endpoint by
+            // exporting `OPENAI_BASE_URL`. This is useful when pointing
+            // Codex at a proxy, mock server, or Azure-style deployment
+            // without requiring a full TOML override for the built-in
+            // OpenAI provider.
+            base_url: std::env::var("OPENAI_BASE_URL")
+                .ok()
+                .filter(|v| !v.trim().is_empty()),
+            env_key: None,
+            env_key_instructions: None,
+            wire_api: WireApi::Responses,
+            query_params: None,
+            http_headers: Some(
+                [
+                    (
+                        "originator".to_string(),
+                        OPENAI_ORIGINATOR_HEADER.to_string(),
+                    ),
+                    ("version".to_string(), env!("CARGO_PKG_VERSION").to_string()),
+                ]
+                .into_iter()
+                .collect(),
+            ),
+            env_http_headers: Some(
+                [
+                    (
+                        "OpenAI-Organization".to_string(),
+                        "OPENAI_ORGANIZATION".to_string(),
+                    ),
+                    ("OpenAI-Project".to_string(), "OPENAI_PROJECT".to_string()),
+                ]
+                .into_iter()
+                .collect(),
+            ),
+            // Use global defaults for retry/timeout unless overridden in config.toml.
+            request_max_retries: None,
+            stream_max_retries: None,
+            stream_idle_timeout_ms: None,
+            requires_auth: true,
+        },
+    )]
    .into_iter()
    .map(|(k, v)| (k.to_string(), v))
    .collect()
@@ -264,7 +276,7 @@ base_url = "http://localhost:11434/v1"
        "#;
        let expected_provider = ModelProviderInfo {
            name: "Ollama".into(),
-            base_url: "http://localhost:11434/v1".into(),
+            base_url: Some("http://localhost:11434/v1".into()),
            env_key: None,
            env_key_instructions: None,
            wire_api: WireApi::Chat,
@@ -274,6 +286,7 @@ base_url = "http://localhost:11434/v1"
            request_max_retries: None,
            stream_max_retries: None,
            stream_idle_timeout_ms: None,
+            requires_auth: false,
        };

        let provider: ModelProviderInfo = toml::from_str(azure_provider_toml).unwrap();
@@ -290,7 +303,7 @@ query_params = { api-version = "2025-04-01-preview" }
        "#;
        let expected_provider = ModelProviderInfo {
            name: "Azure".into(),
-            base_url: "https://xxxxx.openai.azure.com/openai".into(),
+            base_url: Some("https://xxxxx.openai.azure.com/openai".into()),
            env_key: Some("AZURE_OPENAI_API_KEY".into()),
            env_key_instructions: None,
            wire_api: WireApi::Chat,
@@ -302,6 +315,7 @@ query_params = { api-version = "2025-04-01-preview" }
            request_max_retries: None,
            stream_max_retries: None,
            stream_idle_timeout_ms: None,
+            requires_auth: false,
        };

        let provider: ModelProviderInfo = toml::from_str(azure_provider_toml).unwrap();
@@ -319,7 +333,7 @@ env_http_headers = { "X-Example-Env-Header" = "EXAMPLE_ENV_VAR" }
        "#;
        let expected_provider = ModelProviderInfo {
            name: "Example".into(),
-            base_url: "https://example.com".into(),
+            base_url: Some("https://example.com".into()),
            env_key: Some("API_KEY".into()),
            env_key_instructions: None,
            wire_api: WireApi::Chat,
@@ -333,6 +347,7 @@ env_http_headers = { "X-Example-Env-Header" = "EXAMPLE_ENV_VAR" }
            request_max_retries: None,
            stream_max_retries: None,
            stream_idle_timeout_ms: None,
+            requires_auth: false,
        };

        let provider: ModelProviderInfo = toml::from_str(azure_provider_toml).unwrap();
--- a/codex-rs/core/src/openai_api_key.rs
+++ b/codex-rs/core/src/openai_api_key.rs
@@ -1,24 +0,0 @@
-use std::env;
-use std::sync::LazyLock;
-use std::sync::RwLock;
-
-pub const OPENAI_API_KEY_ENV_VAR: &str = "OPENAI_API_KEY";
-
-static OPENAI_API_KEY: LazyLock<RwLock<Option<String>>> = LazyLock::new(|| {
-    let val = env::var(OPENAI_API_KEY_ENV_VAR)
-        .ok()
-        .and_then(|s| if s.is_empty() { None } else { Some(s) });
-    RwLock::new(val)
-});
-
-pub fn get_openai_api_key() -> Option<String> {
-    #![allow(clippy::unwrap_used)]
-    OPENAI_API_KEY.read().unwrap().clone()
-}
-
-pub fn set_openai_api_key(value: String) {
-    #![allow(clippy::unwrap_used)]
-    if !value.is_empty() {
-        *OPENAI_API_KEY.write().unwrap() = Some(value);
-    }
-}
--- a/codex-rs/core/src/openai_tools.rs
+++ b/codex-rs/core/src/openai_tools.rs
@@ -4,13 +4,14 @@ use std::collections::BTreeMap;
 use std::sync::LazyLock;

 use crate::client_common::Prompt;
+use crate::plan_tool::PLAN_TOOL;

 #[derive(Debug, Clone, Serialize)]
 pub(crate) struct ResponsesApiTool {
-    name: &'static str,
-    description: &'static str,
-    strict: bool,
-    parameters: JsonSchema,
+    pub(crate) name: &'static str,
+    pub(crate) description: &'static str,
+    pub(crate) strict: bool,
+    pub(crate) parameters: JsonSchema,
 }

 /// When serialized as JSON, this produces a valid "Tool" in the OpenAI
@@ -74,6 +75,7 @@ static DEFAULT_CODEX_MODEL_TOOLS: LazyLock<Vec<OpenAiTool>> =
 pub(crate) fn create_tools_json_for_responses_api(
    prompt: &Prompt,
    model: &str,
+    include_plan_tool: bool,
 ) -> crate::error::Result<Vec<serde_json::Value>> {
    // Assemble tool list: built-in tools + any extra tools from the prompt.
    let default_tools = if model.starts_with("codex") {
@@ -93,6 +95,10 @@ pub(crate) fn create_tools_json_for_responses_api(
            .map(|(name, tool)| mcp_tool_to_openai_tool(name, tool)),
    );

+    if include_plan_tool {
+        tools_json.push(serde_json::to_value(PLAN_TOOL.clone())?);
+    }
+
    Ok(tools_json)
 }

@@ -102,10 +108,12 @@ pub(crate) fn create_tools_json_for_responses_api(
 pub(crate) fn create_tools_json_for_chat_completions_api(
    prompt: &Prompt,
    model: &str,
+    include_plan_tool: bool,
 ) -> crate::error::Result<Vec<serde_json::Value>> {
    // We start with the JSON for the Responses API and than rewrite it to match
    // the chat completions tool call format.
-    let responses_api_tools_json = create_tools_json_for_responses_api(prompt, model)?;
+    let responses_api_tools_json =
+        create_tools_json_for_responses_api(prompt, model, include_plan_tool)?;
    let tools_json = responses_api_tools_json
        .into_iter()
        .filter_map(|mut tool| {
--- a/codex-rs/core/src/plan_tool.rs
+++ b/codex-rs/core/src/plan_tool.rs
@@ -0,0 +1,126 @@
+use std::collections::BTreeMap;
+use std::sync::LazyLock;
+
+use serde::Deserialize;
+use serde::Serialize;
+
+use crate::codex::Session;
+use crate::models::FunctionCallOutputPayload;
+use crate::models::ResponseInputItem;
+use crate::openai_tools::JsonSchema;
+use crate::openai_tools::OpenAiTool;
+use crate::openai_tools::ResponsesApiTool;
+use crate::protocol::Event;
+use crate::protocol::EventMsg;
+
+// Types for the TODO tool arguments matching codex-vscode/todo-mcp/src/main.rs
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(rename_all = "snake_case")]
+pub enum StepStatus {
+    Pending,
+    InProgress,
+    Completed,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub struct PlanItemArg {
+    pub step: String,
+    pub status: StepStatus,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub struct UpdatePlanArgs {
+    #[serde(default)]
+    pub explanation: Option<String>,
+    pub plan: Vec<PlanItemArg>,
+}
+
+pub(crate) static PLAN_TOOL: LazyLock<OpenAiTool> = LazyLock::new(|| {
+    let mut plan_item_props = BTreeMap::new();
+    plan_item_props.insert("step".to_string(), JsonSchema::String);
+    plan_item_props.insert("status".to_string(), JsonSchema::String);
+
+    let plan_items_schema = JsonSchema::Array {
+        items: Box::new(JsonSchema::Object {
+            properties: plan_item_props,
+            required: &["step", "status"],
+            additional_properties: false,
+        }),
+    };
+
+    let mut properties = BTreeMap::new();
+    properties.insert("explanation".to_string(), JsonSchema::String);
+    properties.insert("plan".to_string(), plan_items_schema);
+
+    OpenAiTool::Function(ResponsesApiTool {
+        name: "update_plan",
+        description: r#"Use the update_plan tool to keep the user updated on the current plan for the task.
+After understanding the user's task, call the update_plan tool with an initial plan. An example of a plan:
+1. Explore the codebase to find relevant files (status: in_progress)
+2. Implement the feature in the XYZ component (status: pending)
+3. Commit changes and make a pull request (status: pending)
+Each step should be a short, 1-sentence description.
+Until all the steps are finished, there should always be exactly one in_progress step in the plan.
+Call the update_plan tool whenever you finish a step, marking the completed step as `completed` and marking the next step as `in_progress`.
+Before running a command, consider whether or not you have completed the previous step, and make sure to mark it as completed before moving on to the next step.
+Sometimes, you may need to change plans in the middle of a task: call `update_plan` with the updated plan and make sure to provide an `explanation` of the rationale when doing so.
+When all steps are completed, call update_plan one last time with all steps marked as `completed`."#,
+        strict: false,
+        parameters: JsonSchema::Object {
+            properties,
+            required: &["plan"],
+            additional_properties: false,
+        },
+    })
+});
+
+/// This function doesn't do anything useful. However, it gives the model a structured way to record its plan that clients can read and render.
+/// So it's the _inputs_ to this function that are useful to clients, not the outputs and neither are actually useful for the model other
+/// than forcing it to come up and document a plan (TBD how that affects performance).
+pub(crate) async fn handle_update_plan(
+    session: &Session,
+    arguments: String,
+    sub_id: String,
+    call_id: String,
+) -> ResponseInputItem {
+    match parse_update_plan_arguments(arguments, &call_id) {
+        Ok(args) => {
+            let output = ResponseInputItem::FunctionCallOutput {
+                call_id,
+                output: FunctionCallOutputPayload {
+                    content: "Plan updated".to_string(),
+                    success: Some(true),
+                },
+            };
+            session
+                .send_event(Event {
+                    id: sub_id.to_string(),
+                    msg: EventMsg::PlanUpdate(args),
+                })
+                .await;
+            output
+        }
+        Err(output) => *output,
+    }
+}
+
+fn parse_update_plan_arguments(
+    arguments: String,
+    call_id: &str,
+) -> Result<UpdatePlanArgs, Box<ResponseInputItem>> {
+    match serde_json::from_str::<UpdatePlanArgs>(&arguments) {
+        Ok(args) => Ok(args),
+        Err(e) => {
+            let output = ResponseInputItem::FunctionCallOutput {
+                call_id: call_id.to_string(),
+                output: FunctionCallOutputPayload {
+                    content: format!("failed to parse function arguments: {e}"),
+                    success: None,
+                },
+            };
+            Err(Box::new(output))
+        }
+    }
+}
--- a/codex-rs/core/src/protocol.rs
+++ b/codex-rs/core/src/protocol.rs
@@ -7,7 +7,8 @@ use std::collections::HashMap;
 use std::fmt;
 use std::path::Path;
 use std::path::PathBuf;
-use std::str::FromStr; // Added for FinalOutput Display implementation
+use std::str::FromStr;
+use std::time::Duration;

 use mcp_types::CallToolResult;
 use serde::Deserialize;
@@ -19,6 +20,7 @@ use crate::config_types::ReasoningEffort as ReasoningEffortConfig;
 use crate::config_types::ReasoningSummary as ReasoningSummaryConfig;
 use crate::message_history::HistoryEntry;
 use crate::model_provider_info::ModelProviderInfo;
+use crate::plan_tool::UpdatePlanArgs;

 /// Submission Queue Entry - requests from user
 #[derive(Debug, Clone, Deserialize, Serialize)]
@@ -278,8 +280,9 @@ pub struct Event {
 }

 /// Response event from the agent
-#[derive(Debug, Clone, Deserialize, Serialize)]
+#[derive(Debug, Clone, Deserialize, Serialize, Display)]
 #[serde(tag = "type", rename_all = "snake_case")]
+#[strum(serialize_all = "snake_case")]
 pub enum EventMsg {
    /// Error while executing a submission
    Error(ErrorEvent),
@@ -334,6 +337,8 @@ pub enum EventMsg {
    /// Response to GetHistoryEntryRequest.
    GetHistoryEntryResponse(GetHistoryEntryResponseEvent),

+    PlanUpdate(UpdatePlanArgs),
+
    /// Notification that the agent is shutting down.
    ShutdownComplete,
 }
@@ -410,9 +415,7 @@ pub struct AgentReasoningDeltaEvent {
 }

 #[derive(Debug, Clone, Deserialize, Serialize)]
-pub struct McpToolCallBeginEvent {
-    /// Identifier so this can be paired with the McpToolCallEnd event.
-    pub call_id: String,
+pub struct McpInvocation {
    /// Name of the MCP server as defined in the config.
    pub server: String,
    /// Name of the tool as given by the MCP server.
@@ -421,10 +424,19 @@ pub struct McpToolCallBeginEvent {
    pub arguments: Option<serde_json::Value>,
 }

+#[derive(Debug, Clone, Deserialize, Serialize)]
+pub struct McpToolCallBeginEvent {
+    /// Identifier so this can be paired with the McpToolCallEnd event.
+    pub call_id: String,
+    pub invocation: McpInvocation,
+}
+
 #[derive(Debug, Clone, Deserialize, Serialize)]
 pub struct McpToolCallEndEvent {
    /// Identifier for the corresponding McpToolCallBegin that finished.
    pub call_id: String,
+    pub invocation: McpInvocation,
+    pub duration: Duration,
    /// Result of the tool call. Note this could be an error.
    pub result: Result<CallToolResult, String>,
 }
--- a/codex-rs/core/src/safety.rs
+++ b/codex-rs/core/src/safety.rs
@@ -41,11 +41,13 @@ pub fn assess_patch_safety(
        }
    }

-    if is_write_patch_constrained_to_writable_paths(action, writable_roots, cwd) {
-        SafetyCheck::AutoApprove {
-            sandbox_type: SandboxType::None,
-        }
-    } else if policy == AskForApproval::OnFailure {
+    // Even though the patch *appears* to be constrained to writable paths, it
+    // is possible that paths in the patch are hard links to files outside the
+    // writable roots, so we should still run `apply_patch` in a sandbox in that
+    // case.
+    if is_write_patch_constrained_to_writable_paths(action, writable_roots, cwd)
+        || policy == AskForApproval::OnFailure
+    {
        // Only auto‑approve when we can actually enforce a sandbox. Otherwise
        // fall back to asking the user because the patch may touch arbitrary
        // paths outside the project.
@@ -75,9 +77,6 @@ pub fn assess_command_safety(
    sandbox_policy: &SandboxPolicy,
    approved: &HashSet<Vec<String>>,
 ) -> SafetyCheck {
-    use AskForApproval::*;
-    use SandboxPolicy::*;
-
    // A command is "trusted" because either:
    // - it belongs to a set of commands we consider "safe" by default, or
    // - the user has explicitly approved the command for this session
@@ -97,6 +96,16 @@ pub fn assess_command_safety(
        };
    }

+    assess_safety_for_untrusted_command(approval_policy, sandbox_policy)
+}
+
+pub(crate) fn assess_safety_for_untrusted_command(
+    approval_policy: AskForApproval,
+    sandbox_policy: &SandboxPolicy,
+) -> SafetyCheck {
+    use AskForApproval::*;
+    use SandboxPolicy::*;
+
    match (approval_policy, sandbox_policy) {
        (UnlessTrusted, _) => {
            // Even though the user may have opted into DangerFullAccess,
--- a/codex-rs/core/src/seatbelt.rs
+++ b/codex-rs/core/src/seatbelt.rs
@@ -0,0 +1,96 @@
+use std::collections::HashMap;
+use std::path::Path;
+use std::path::PathBuf;
+use tokio::process::Child;
+
+use crate::protocol::SandboxPolicy;
+use crate::spawn::StdioPolicy;
+use crate::spawn::spawn_child_async;
+
+const MACOS_SEATBELT_BASE_POLICY: &str = include_str!("seatbelt_base_policy.sbpl");
+
+/// When working with `sandbox-exec`, only consider `sandbox-exec` in `/usr/bin`
+/// to defend against an attacker trying to inject a malicious version on the
+/// PATH. If /usr/bin/sandbox-exec has been tampered with, then the attacker
+/// already has root access.
+const MACOS_PATH_TO_SEATBELT_EXECUTABLE: &str = "/usr/bin/sandbox-exec";
+
+pub async fn spawn_command_under_seatbelt(
+    command: Vec<String>,
+    sandbox_policy: &SandboxPolicy,
+    cwd: PathBuf,
+    stdio_policy: StdioPolicy,
+    env: HashMap<String, String>,
+) -> std::io::Result<Child> {
+    let args = create_seatbelt_command_args(command, sandbox_policy, &cwd);
+    let arg0 = None;
+    spawn_child_async(
+        PathBuf::from(MACOS_PATH_TO_SEATBELT_EXECUTABLE),
+        args,
+        arg0,
+        cwd,
+        sandbox_policy,
+        stdio_policy,
+        env,
+    )
+    .await
+}
+
+fn create_seatbelt_command_args(
+    command: Vec<String>,
+    sandbox_policy: &SandboxPolicy,
+    cwd: &Path,
+) -> Vec<String> {
+    let (file_write_policy, extra_cli_args) = {
+        if sandbox_policy.has_full_disk_write_access() {
+            // Allegedly, this is more permissive than `(allow file-write*)`.
+            (
+                r#"(allow file-write* (regex #"^/"))"#.to_string(),
+                Vec::<String>::new(),
+            )
+        } else {
+            let writable_roots = sandbox_policy.get_writable_roots_with_cwd(cwd);
+            let (writable_folder_policies, cli_args): (Vec<String>, Vec<String>) = writable_roots
+                .iter()
+                .enumerate()
+                .map(|(index, root)| {
+                    let param_name = format!("WRITABLE_ROOT_{index}");
+                    let policy: String = format!("(subpath (param \"{param_name}\"))");
+                    let cli_arg = format!("-D{param_name}={}", root.to_string_lossy());
+                    (policy, cli_arg)
+                })
+                .unzip();
+            if writable_folder_policies.is_empty() {
+                ("".to_string(), Vec::<String>::new())
+            } else {
+                let file_write_policy = format!(
+                    "(allow file-write*\n{}\n)",
+                    writable_folder_policies.join(" ")
+                );
+                (file_write_policy, cli_args)
+            }
+        }
+    };
+
+    let file_read_policy = if sandbox_policy.has_full_disk_read_access() {
+        "; allow read-only file operations\n(allow file-read*)"
+    } else {
+        ""
+    };
+
+    // TODO(mbolin): apply_patch calls must also honor the SandboxPolicy.
+    let network_policy = if sandbox_policy.has_full_network_access() {
+        "(allow network-outbound)\n(allow network-inbound)\n(allow system-socket)"
+    } else {
+        ""
+    };
+
+    let full_policy = format!(
+        "{MACOS_SEATBELT_BASE_POLICY}\n{file_read_policy}\n{file_write_policy}\n{network_policy}"
+    );
+    let mut seatbelt_args: Vec<String> = vec!["-p".to_string(), full_policy];
+    seatbelt_args.extend(extra_cli_args);
+    seatbelt_args.push("--".to_string());
+    seatbelt_args.extend(command);
+    seatbelt_args
+}
--- a/codex-rs/core/src/shell.rs
+++ b/codex-rs/core/src/shell.rs
@@ -20,8 +20,13 @@ impl Shell {
                    return None;
                }

-                let mut result = vec![zsh.shell_path.clone(), "-c".to_string()];
-                if let Ok(joined) = shlex::try_join(command.iter().map(|s| s.as_str())) {
+                let mut result = vec![zsh.shell_path.clone()];
+                result.push("-lc".to_string());
+
+                let joined = strip_bash_lc(&command)
+                    .or_else(|| shlex::try_join(command.iter().map(|s| s.as_str())).ok());
+
+                if let Some(joined) = joined {
                    result.push(format!("source {} && ({joined})", zsh.zshrc_path));
                } else {
                    return None;
@@ -33,6 +38,19 @@ impl Shell {
    }
 }

+fn strip_bash_lc(command: &Vec<String>) -> Option<String> {
+    match command.as_slice() {
+        // exactly three items
+        [first, second, third]
+            // first two must be "bash", "-lc"
+            if first == "bash" && second == "-lc" =>
+        {
+            Some(third.clone())
+        }
+        _ => None,
+    }
+}
+
 #[cfg(target_os = "macos")]
 pub async fn default_user_shell() -> Shell {
    use tokio::process::Command;
@@ -119,15 +137,29 @@ mod tests {
        let cases = vec![
            (
                vec!["myecho"],
-                vec![shell_path, "-c", "source ZSHRC_PATH && (myecho)"],
+                vec![shell_path, "-lc", "source ZSHRC_PATH && (myecho)"],
                Some("It works!\n"),
            ),
+            (
+                vec!["myecho"],
+                vec![shell_path, "-lc", "source ZSHRC_PATH && (myecho)"],
+                Some("It works!\n"),
+            ),
+            (
+                vec!["bash", "-c", "echo 'single' \"double\""],
+                vec![
+                    shell_path,
+                    "-lc",
+                    "source ZSHRC_PATH && (bash -c \"echo 'single' \\\"double\\\"\")",
+                ],
+                Some("single double\n"),
+            ),
            (
                vec!["bash", "-lc", "echo 'single' \"double\""],
                vec![
                    shell_path,
-                    "-c",
-                    "source ZSHRC_PATH && (bash -lc \"echo 'single' \\\"double\\\"\")",
+                    "-lc",
+                    "source ZSHRC_PATH && (echo 'single' \"double\")",
                ],
                Some("single double\n"),
            ),
--- a/codex-rs/core/src/spawn.rs
+++ b/codex-rs/core/src/spawn.rs
@@ -0,0 +1,102 @@
+use std::collections::HashMap;
+use std::path::PathBuf;
+use std::process::Stdio;
+use tokio::process::Child;
+use tokio::process::Command;
+use tracing::trace;
+
+use crate::protocol::SandboxPolicy;
+
+/// Experimental environment variable that will be set to some non-empty value
+/// if both of the following are true:
+///
+/// 1. The process was spawned by Codex as part of a shell tool call.
+/// 2. SandboxPolicy.has_full_network_access() was false for the tool call.
+///
+/// We may try to have just one environment variable for all sandboxing
+/// attributes, so this may change in the future.
+pub const CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR: &str = "CODEX_SANDBOX_NETWORK_DISABLED";
+
+#[derive(Debug, Clone, Copy)]
+pub enum StdioPolicy {
+    RedirectForShellTool,
+    Inherit,
+}
+
+/// Spawns the appropriate child process for the ExecParams and SandboxPolicy,
+/// ensuring the args and environment variables used to create the `Command`
+/// (and `Child`) honor the configuration.
+///
+/// For now, we take `SandboxPolicy` as a parameter to spawn_child() because
+/// we need to determine whether to set the
+/// `CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR` environment variable.
+pub(crate) async fn spawn_child_async(
+    program: PathBuf,
+    args: Vec<String>,
+    #[cfg_attr(not(unix), allow(unused_variables))] arg0: Option<&str>,
+    cwd: PathBuf,
+    sandbox_policy: &SandboxPolicy,
+    stdio_policy: StdioPolicy,
+    env: HashMap<String, String>,
+) -> std::io::Result<Child> {
+    trace!(
+        "spawn_child_async: {program:?} {args:?} {arg0:?} {cwd:?} {sandbox_policy:?} {stdio_policy:?} {env:?}"
+    );
+
+    let mut cmd = Command::new(&program);
+    #[cfg(unix)]
+    cmd.arg0(arg0.map_or_else(|| program.to_string_lossy().to_string(), String::from));
+    cmd.args(args);
+    cmd.current_dir(cwd);
+    cmd.env_clear();
+    cmd.envs(env);
+
+    if !sandbox_policy.has_full_network_access() {
+        cmd.env(CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR, "1");
+    }
+
+    // If this Codex process dies (including being killed via SIGKILL), we want
+    // any child processes that were spawned as part of a `"shell"` tool call
+    // to also be terminated.
+
+    // This relies on prctl(2), so it only works on Linux.
+    #[cfg(target_os = "linux")]
+    unsafe {
+        cmd.pre_exec(|| {
+            // This prctl call effectively requests, "deliver SIGTERM when my
+            // current parent dies."
+            if libc::prctl(libc::PR_SET_PDEATHSIG, libc::SIGTERM) == -1 {
+                return Err(std::io::Error::last_os_error());
+            }
+
+            // Though if there was a race condition and this pre_exec() block is
+            // run _after_ the parent (i.e., the Codex process) has already
+            // exited, then the parent is the _init_ process (which will never
+            // die), so we should just terminate the child process now.
+            if libc::getppid() == 1 {
+                libc::raise(libc::SIGTERM);
+            }
+            Ok(())
+        });
+    }
+
+    match stdio_policy {
+        StdioPolicy::RedirectForShellTool => {
+            // Do not create a file descriptor for stdin because otherwise some
+            // commands may hang forever waiting for input. For example, ripgrep has
+            // a heuristic where it may try to read from stdin as explained here:
+            // https://github.com/BurntSushi/ripgrep/blob/e2362d4d5185d02fa857bf381e7bd52e66fafc73/crates/core/flags/hiargs.rs#L1101-L1103
+            cmd.stdin(Stdio::null());
+
+            cmd.stdout(Stdio::piped()).stderr(Stdio::piped());
+        }
+        StdioPolicy::Inherit => {
+            // Inherit stdin, stdout, and stderr from the parent process.
+            cmd.stdin(Stdio::inherit())
+                .stdout(Stdio::inherit())
+                .stderr(Stdio::inherit());
+        }
+    }
+
+    cmd.kill_on_drop(true).spawn()
+}
--- a/codex-rs/core/tests/cli_stream.rs
+++ b/codex-rs/core/tests/cli_stream.rs
@@ -1,7 +1,7 @@
 #![expect(clippy::unwrap_used)]

 use assert_cmd::Command as AssertCommand;
-use codex_core::exec::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;
+use codex_core::spawn::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;
 use std::time::Duration;
 use std::time::Instant;
 use tempfile::TempDir;
@@ -81,6 +81,96 @@ async fn chat_mode_stream_cli() {
    server.verify().await;
 }

+/// Verify that passing `-c experimental_instructions_file=...` to the CLI
+/// overrides the built-in base instructions by inspecting the request body
+/// received by a mock OpenAI Responses endpoint.
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn exec_cli_applies_experimental_instructions_file() {
+    if std::env::var(CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR).is_ok() {
+        println!(
+            "Skipping test because it cannot execute when network is disabled in a Codex sandbox."
+        );
+        return;
+    }
+
+    // Start mock server which will capture the request and return a minimal
+    // SSE stream for a single turn.
+    let server = MockServer::start().await;
+    let sse = concat!(
+        "data: {\"type\":\"response.created\",\"response\":{}}\n\n",
+        "data: {\"type\":\"response.completed\",\"response\":{\"id\":\"r1\"}}\n\n"
+    );
+    Mock::given(method("POST"))
+        .and(path("/v1/responses"))
+        .respond_with(
+            ResponseTemplate::new(200)
+                .insert_header("content-type", "text/event-stream")
+                .set_body_raw(sse, "text/event-stream"),
+        )
+        .expect(1)
+        .mount(&server)
+        .await;
+
+    // Create a temporary instructions file with a unique marker we can assert
+    // appears in the outbound request payload.
+    let custom = TempDir::new().unwrap();
+    let marker = "cli-experimental-instructions-marker";
+    let custom_path = custom.path().join("instr.md");
+    std::fs::write(&custom_path, marker).unwrap();
+    let custom_path_str = custom_path.to_string_lossy().replace('\\', "/");
+
+    // Build a provider override that points at the mock server and instructs
+    // Codex to use the Responses API with the dummy env var.
+    let provider_override = format!(
+        "model_providers.mock={{ name = \"mock\", base_url = \"{}/v1\", env_key = \"PATH\", wire_api = \"responses\" }}",
+        server.uri()
+    );
+
+    let home = TempDir::new().unwrap();
+    let mut cmd = AssertCommand::new("cargo");
+    cmd.arg("run")
+        .arg("-p")
+        .arg("codex-cli")
+        .arg("--quiet")
+        .arg("--")
+        .arg("exec")
+        .arg("--skip-git-repo-check")
+        .arg("-c")
+        .arg(&provider_override)
+        .arg("-c")
+        .arg("model_provider=\"mock\"")
+        .arg("-c")
+        .arg(format!(
+            "experimental_instructions_file=\"{custom_path_str}\""
+        ))
+        .arg("-C")
+        .arg(env!("CARGO_MANIFEST_DIR"))
+        .arg("hello?\n");
+    cmd.env("CODEX_HOME", home.path())
+        .env("OPENAI_API_KEY", "dummy")
+        .env("OPENAI_BASE_URL", format!("{}/v1", server.uri()));
+
+    let output = cmd.output().unwrap();
+    println!("Status: {}", output.status);
+    println!("Stdout:\n{}", String::from_utf8_lossy(&output.stdout));
+    println!("Stderr:\n{}", String::from_utf8_lossy(&output.stderr));
+    assert!(output.status.success());
+
+    // Inspect the captured request and verify our custom base instructions were
+    // included in the `instructions` field.
+    let request = &server.received_requests().await.unwrap()[0];
+    let body = request.body_json::<serde_json::Value>().unwrap();
+    let instructions = body
+        .get("instructions")
+        .and_then(|v| v.as_str())
+        .unwrap_or_default()
+        .to_string();
+    assert!(
+        instructions.contains(marker),
+        "instructions did not contain custom marker; got: {instructions}"
+    );
+}
+
 /// Tests streaming responses through the CLI using a local SSE fixture file.
 /// This test:
 /// 1. Uses a pre-recorded SSE response fixture instead of a live server
@@ -370,9 +460,14 @@ async fn integration_git_info_unit_test() {
    // 1. Create temp directory for git repo
    let temp_dir = TempDir::new().unwrap();
    let git_repo = temp_dir.path().to_path_buf();
+    let envs = vec![
+        ("GIT_CONFIG_GLOBAL", "/dev/null"),
+        ("GIT_CONFIG_NOSYSTEM", "1"),
+    ];

    // 2. Initialize a git repository with some content
    let init_output = std::process::Command::new("git")
+        .envs(envs.clone())
        .args(["init"])
        .current_dir(&git_repo)
        .output()
@@ -381,12 +476,14 @@ async fn integration_git_info_unit_test() {

    // Configure git user (required for commits)
    std::process::Command::new("git")
+        .envs(envs.clone())
        .args(["config", "user.name", "Integration Test"])
        .current_dir(&git_repo)
        .output()
        .unwrap();

    std::process::Command::new("git")
+        .envs(envs.clone())
        .args(["config", "user.email", "test@example.com"])
        .current_dir(&git_repo)
        .output()
@@ -397,12 +494,14 @@ async fn integration_git_info_unit_test() {
    std::fs::write(&test_file, "integration test content").unwrap();

    std::process::Command::new("git")
+        .envs(envs.clone())
        .args(["add", "."])
        .current_dir(&git_repo)
        .output()
        .unwrap();

    let commit_output = std::process::Command::new("git")
+        .envs(envs.clone())
        .args(["commit", "-m", "Integration test commit"])
        .current_dir(&git_repo)
        .output()
@@ -411,6 +510,7 @@ async fn integration_git_info_unit_test() {

    // Create a branch to test branch detection
    std::process::Command::new("git")
+        .envs(envs.clone())
        .args(["checkout", "-b", "integration-test-branch"])
        .current_dir(&git_repo)
        .output()
@@ -418,6 +518,7 @@ async fn integration_git_info_unit_test() {

    // Add a remote to test repository URL detection
    std::process::Command::new("git")
+        .envs(envs.clone())
        .args([
            "remote",
            "add",
--- a/codex-rs/core/tests/client.rs
+++ b/codex-rs/core/tests/client.rs
@@ -1,10 +1,19 @@
+use std::path::PathBuf;
+
+use chrono::Utc;
 use codex_core::Codex;
+use codex_core::CodexSpawnOk;
 use codex_core::ModelProviderInfo;
-use codex_core::exec::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;
+use codex_core::built_in_model_providers;
 use codex_core::protocol::EventMsg;
 use codex_core::protocol::InputItem;
 use codex_core::protocol::Op;
 use codex_core::protocol::SessionConfiguredEvent;
+use codex_core::spawn::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;
+use codex_login::AuthDotJson;
+use codex_login::AuthMode;
+use codex_login::CodexAuth;
+use codex_login::TokenData;
 use core_test_support::load_default_config_for_test;
 use core_test_support::load_sse_fixture_with_id;
 use core_test_support::wait_for_event;
@@ -47,32 +56,23 @@ async fn includes_session_id_and_model_headers_in_request() {
        .await;

    let model_provider = ModelProviderInfo {
-        name: "openai".into(),
-        base_url: format!("{}/v1", server.uri()),
-        // Environment variable that should exist in the test environment.
-        // ModelClient will return an error if the environment variable for the
-        // provider is not set.
-        env_key: Some("PATH".into()),
-        env_key_instructions: None,
-        wire_api: codex_core::WireApi::Responses,
-        query_params: None,
-        http_headers: Some(
-            [("originator".to_string(), "codex_cli_rs".to_string())]
-                .into_iter()
-                .collect(),
-        ),
-        env_http_headers: None,
-        request_max_retries: Some(0),
-        stream_max_retries: Some(0),
-        stream_idle_timeout_ms: None,
+        base_url: Some(format!("{}/v1", server.uri())),
+        ..built_in_model_providers()["openai"].clone()
    };

    // Init session
    let codex_home = TempDir::new().unwrap();
    let mut config = load_default_config_for_test(&codex_home);
    config.model_provider = model_provider;
+
    let ctrl_c = std::sync::Arc::new(tokio::sync::Notify::new());
-    let (codex, _init_id, _session_id) = Codex::spawn(config, ctrl_c.clone()).await.unwrap();
+    let CodexSpawnOk { codex, .. } = Codex::spawn(
+        config,
+        Some(CodexAuth::from_api_key("Test API Key".to_string())),
+        ctrl_c.clone(),
+    )
+    .await
+    .unwrap();

    codex
        .submit(Op::UserInput {
@@ -94,15 +94,20 @@ async fn includes_session_id_and_model_headers_in_request() {

    // get request from the server
    let request = &server.received_requests().await.unwrap()[0];
-    let request_body = request.headers.get("session_id").unwrap();
-    let originator = request.headers.get("originator").unwrap();
+    let request_session_id = request.headers.get("session_id").unwrap();
+    let request_originator = request.headers.get("originator").unwrap();
+    let request_authorization = request.headers.get("authorization").unwrap();

    assert!(current_session_id.is_some());
    assert_eq!(
-        request_body.to_str().unwrap(),
+        request_session_id.to_str().unwrap(),
        current_session_id.as_ref().unwrap()
    );
-    assert_eq!(originator.to_str().unwrap(), "codex_cli_rs");
+    assert_eq!(request_originator.to_str().unwrap(), "codex_cli_rs");
+    assert_eq!(
+        request_authorization.to_str().unwrap(),
+        "Bearer Test API Key"
+    );
 }

 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
@@ -125,22 +130,9 @@ async fn includes_base_instructions_override_in_request() {
        .await;

    let model_provider = ModelProviderInfo {
-        name: "openai".into(),
-        base_url: format!("{}/v1", server.uri()),
-        // Environment variable that should exist in the test environment.
-        // ModelClient will return an error if the environment variable for the
-        // provider is not set.
-        env_key: Some("PATH".into()),
-        env_key_instructions: None,
-        wire_api: codex_core::WireApi::Responses,
-        query_params: None,
-        http_headers: None,
-        env_http_headers: None,
-        request_max_retries: Some(0),
-        stream_max_retries: Some(0),
-        stream_idle_timeout_ms: None,
+        base_url: Some(format!("{}/v1", server.uri())),
+        ..built_in_model_providers()["openai"].clone()
    };
-
    let codex_home = TempDir::new().unwrap();
    let mut config = load_default_config_for_test(&codex_home);

@@ -148,7 +140,13 @@ async fn includes_base_instructions_override_in_request() {
    config.model_provider = model_provider;

    let ctrl_c = std::sync::Arc::new(tokio::sync::Notify::new());
-    let (codex, ..) = Codex::spawn(config, ctrl_c.clone()).await.unwrap();
+    let CodexSpawnOk { codex, .. } = Codex::spawn(
+        config,
+        Some(CodexAuth::from_api_key("Test API Key".to_string())),
+        ctrl_c.clone(),
+    )
+    .await
+    .unwrap();

    codex
        .submit(Op::UserInput {
@@ -171,3 +169,174 @@ async fn includes_base_instructions_override_in_request() {
            .contains("test instructions")
    );
 }
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn chatgpt_auth_sends_correct_request() {
+    #![allow(clippy::unwrap_used)]
+
+    if std::env::var(CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR).is_ok() {
+        println!(
+            "Skipping test because it cannot execute when network is disabled in a Codex sandbox."
+        );
+        return;
+    }
+
+    // Mock server
+    let server = MockServer::start().await;
+
+    // First request – must NOT include `previous_response_id`.
+    let first = ResponseTemplate::new(200)
+        .insert_header("content-type", "text/event-stream")
+        .set_body_raw(sse_completed("resp1"), "text/event-stream");
+
+    Mock::given(method("POST"))
+        .and(path("/api/codex/responses"))
+        .respond_with(first)
+        .expect(1)
+        .mount(&server)
+        .await;
+
+    let model_provider = ModelProviderInfo {
+        base_url: Some(format!("{}/api/codex", server.uri())),
+        ..built_in_model_providers()["openai"].clone()
+    };
+
+    // Init session
+    let codex_home = TempDir::new().unwrap();
+    let mut config = load_default_config_for_test(&codex_home);
+    config.model_provider = model_provider;
+    let ctrl_c = std::sync::Arc::new(tokio::sync::Notify::new());
+    let CodexSpawnOk { codex, .. } = Codex::spawn(
+        config,
+        Some(auth_from_token("Access Token".to_string())),
+        ctrl_c.clone(),
+    )
+    .await
+    .unwrap();
+
+    codex
+        .submit(Op::UserInput {
+            items: vec![InputItem::Text {
+                text: "hello".into(),
+            }],
+        })
+        .await
+        .unwrap();
+
+    let EventMsg::SessionConfigured(SessionConfiguredEvent { session_id, .. }) =
+        wait_for_event(&codex, |ev| matches!(ev, EventMsg::SessionConfigured(_))).await
+    else {
+        unreachable!()
+    };
+
+    let current_session_id = Some(session_id.to_string());
+    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
+
+    // get request from the server
+    let request = &server.received_requests().await.unwrap()[0];
+    let request_session_id = request.headers.get("session_id").unwrap();
+    let request_originator = request.headers.get("originator").unwrap();
+    let request_authorization = request.headers.get("authorization").unwrap();
+    let request_chatgpt_account_id = request.headers.get("chatgpt-account-id").unwrap();
+    let request_body = request.body_json::<serde_json::Value>().unwrap();
+
+    assert!(current_session_id.is_some());
+    assert_eq!(
+        request_session_id.to_str().unwrap(),
+        current_session_id.as_ref().unwrap()
+    );
+    assert_eq!(request_originator.to_str().unwrap(), "codex_cli_rs");
+    assert_eq!(
+        request_authorization.to_str().unwrap(),
+        "Bearer Access Token"
+    );
+    assert_eq!(request_chatgpt_account_id.to_str().unwrap(), "account_id");
+    assert!(!request_body["store"].as_bool().unwrap());
+    assert!(request_body["stream"].as_bool().unwrap());
+    assert_eq!(
+        request_body["include"][0].as_str().unwrap(),
+        "reasoning.encrypted_content"
+    );
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn includes_user_instructions_message_in_request() {
+    #![allow(clippy::unwrap_used)]
+
+    let server = MockServer::start().await;
+
+    let first = ResponseTemplate::new(200)
+        .insert_header("content-type", "text/event-stream")
+        .set_body_raw(sse_completed("resp1"), "text/event-stream");
+
+    Mock::given(method("POST"))
+        .and(path("/v1/responses"))
+        .respond_with(first)
+        .expect(1)
+        .mount(&server)
+        .await;
+
+    let model_provider = ModelProviderInfo {
+        base_url: Some(format!("{}/v1", server.uri())),
+        ..built_in_model_providers()["openai"].clone()
+    };
+
+    let codex_home = TempDir::new().unwrap();
+    let mut config = load_default_config_for_test(&codex_home);
+    config.model_provider = model_provider;
+    config.user_instructions = Some("be nice".to_string());
+
+    let ctrl_c = std::sync::Arc::new(tokio::sync::Notify::new());
+    let CodexSpawnOk { codex, .. } = Codex::spawn(
+        config,
+        Some(CodexAuth::from_api_key("Test API Key".to_string())),
+        ctrl_c.clone(),
+    )
+    .await
+    .unwrap();
+
+    codex
+        .submit(Op::UserInput {
+            items: vec![InputItem::Text {
+                text: "hello".into(),
+            }],
+        })
+        .await
+        .unwrap();
+
+    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
+
+    let request = &server.received_requests().await.unwrap()[0];
+    let request_body = request.body_json::<serde_json::Value>().unwrap();
+
+    assert!(
+        !request_body["instructions"]
+            .as_str()
+            .unwrap()
+            .contains("be nice")
+    );
+    assert_eq!(request_body["input"][0]["role"], "user");
+    assert!(
+        request_body["input"][0]["content"][0]["text"]
+            .as_str()
+            .unwrap()
+            .starts_with("be nice")
+    );
+}
+fn auth_from_token(id_token: String) -> CodexAuth {
+    CodexAuth::new(
+        None,
+        AuthMode::ChatGPT,
+        PathBuf::new(),
+        Some(AuthDotJson {
+            openai_api_key: None,
+            tokens: Some(TokenData {
+                id_token,
+                access_token: "Access Token".to_string(),
+                refresh_token: "test".to_string(),
+                account_id: Some("account_id".to_string()),
+            }),
+            last_refresh: Some(Utc::now()),
+        }),
+    )
+}
--- a/codex-rs/core/tests/live_agent.rs
+++ b/codex-rs/core/tests/live_agent.rs
@@ -20,6 +20,7 @@
 use std::time::Duration;

 use codex_core::Codex;
+use codex_core::CodexSpawnOk;
 use codex_core::error::CodexErr;
 use codex_core::protocol::AgentMessageEvent;
 use codex_core::protocol::ErrorEvent;
@@ -48,8 +49,8 @@ async fn spawn_codex() -> Result<Codex, CodexErr> {
    let mut config = load_default_config_for_test(&codex_home);
    config.model_provider.request_max_retries = Some(2);
    config.model_provider.stream_max_retries = Some(2);
-    let (agent, _init_id, _session_id) =
-        Codex::spawn(config, std::sync::Arc::new(Notify::new())).await?;
+    let CodexSpawnOk { codex: agent, .. } =
+        Codex::spawn(config, None, std::sync::Arc::new(Notify::new())).await?;

    Ok(agent)
 }
--- a/codex-rs/core/tests/stream_no_completed.rs
+++ b/codex-rs/core/tests/stream_no_completed.rs
@@ -4,11 +4,13 @@
 use std::time::Duration;

 use codex_core::Codex;
+use codex_core::CodexSpawnOk;
 use codex_core::ModelProviderInfo;
-use codex_core::exec::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;
 use codex_core::protocol::EventMsg;
 use codex_core::protocol::InputItem;
 use codex_core::protocol::Op;
+use codex_core::spawn::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;
+use codex_login::CodexAuth;
 use core_test_support::load_default_config_for_test;
 use core_test_support::load_sse_fixture;
 use core_test_support::load_sse_fixture_with_id;
@@ -74,7 +76,7 @@ async fn retries_on_early_close() {

    let model_provider = ModelProviderInfo {
        name: "openai".into(),
-        base_url: format!("{}/v1", server.uri()),
+        base_url: Some(format!("{}/v1", server.uri())),
        // Environment variable that should exist in the test environment.
        // ModelClient will return an error if the environment variable for the
        // provider is not set.
@@ -88,13 +90,20 @@ async fn retries_on_early_close() {
        request_max_retries: Some(0),
        stream_max_retries: Some(1),
        stream_idle_timeout_ms: Some(2000),
+        requires_auth: false,
    };

    let ctrl_c = std::sync::Arc::new(tokio::sync::Notify::new());
    let codex_home = TempDir::new().unwrap();
    let mut config = load_default_config_for_test(&codex_home);
    config.model_provider = model_provider;
-    let (codex, _init_id, _session_id) = Codex::spawn(config, ctrl_c).await.unwrap();
+    let CodexSpawnOk { codex, .. } = Codex::spawn(
+        config,
+        Some(CodexAuth::from_api_key("Test API Key".to_string())),
+        ctrl_c,
+    )
+    .await
+    .unwrap();

    codex
        .submit(Op::UserInput {
--- a/codex-rs/exec/Cargo.toml
+++ b/codex-rs/exec/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-exec"
 version = { workspace = true }
-edition = "2024"

 [[bin]]
 name = "codex-exec"
@@ -18,13 +18,13 @@ workspace = true
 anyhow = "1"
 chrono = "0.4.40"
 clap = { version = "4", features = ["derive"] }
-codex-core = { path = "../core" }
+codex-arg0 = { path = "../arg0" }
 codex-common = { path = "../common", features = [
    "cli",
    "elapsed",
    "sandbox_summary",
 ] }
-codex-linux-sandbox = { path = "../linux-sandbox" }
+codex-core = { path = "../core" }
 owo-colors = "4.2.0"
 serde_json = "1"
 shlex = "1.3.0"
@@ -37,3 +37,8 @@ tokio = { version = "1", features = [
 ] }
 tracing = { version = "0.1.41", features = ["log"] }
 tracing-subscriber = { version = "0.3.19", features = ["env-filter"] }
+
+[dev-dependencies]
+assert_cmd = "2"
+predicates = "3"
+tempfile = "3.13.0"
--- a/codex-rs/exec/src/event_processor_with_human_output.rs
+++ b/codex-rs/exec/src/event_processor_with_human_output.rs
@@ -1,5 +1,7 @@
+use codex_common::elapsed::format_duration;
 use codex_common::elapsed::format_elapsed;
 use codex_core::config::Config;
+use codex_core::plan_tool::UpdatePlanArgs;
 use codex_core::protocol::AgentMessageDeltaEvent;
 use codex_core::protocol::AgentMessageEvent;
 use codex_core::protocol::AgentReasoningDeltaEvent;
@@ -10,6 +12,7 @@ use codex_core::protocol::EventMsg;
 use codex_core::protocol::ExecCommandBeginEvent;
 use codex_core::protocol::ExecCommandEndEvent;
 use codex_core::protocol::FileChange;
+use codex_core::protocol::McpInvocation;
 use codex_core::protocol::McpToolCallBeginEvent;
 use codex_core::protocol::McpToolCallEndEvent;
 use codex_core::protocol::PatchApplyBeginEvent;
@@ -24,28 +27,12 @@ use std::collections::HashMap;
 use std::io::Write;
 use std::path::PathBuf;
 use std::time::Instant;
-use std::path::Path;

 use crate::event_processor::CodexStatus;
 use crate::event_processor::EventProcessor;
 use crate::event_processor::create_config_summary_entries;
 use crate::event_processor::handle_last_message;

-// Helper: determine base ~/.codex directory similar to concurrent module.
-fn codex_base_dir_for_logging() -> Option<std::path::PathBuf> {
-    if let Ok(val) = std::env::var("CODEX_HOME") { if !val.is_empty() { return std::fs::canonicalize(val).ok(); } }
-    let home = std::env::var_os("HOME")?;
-    let base = std::path::PathBuf::from(home).join(".codex");
-    let _ = std::fs::create_dir_all(&base);
-    Some(base)
-}
-
-fn append_json_line(path: &Path, value: &serde_json::Value) -> std::io::Result<()> {
-    use std::io::Write as _;
-    let mut f = std::fs::OpenOptions::new().create(true).append(true).open(path)?;
-    writeln!(f, "{}", value.to_string())
-}
-
 /// This should be configurable. When used in CI, users may not want to impose
 /// a limit so they can see the full transcript.
 const MAX_OUTPUT_LINES_FOR_EXEC_TOOL_CALL: usize = 20;
@@ -53,11 +40,6 @@ pub(crate) struct EventProcessorWithHumanOutput {
    call_id_to_command: HashMap<String, ExecCommandBegin>,
    call_id_to_patch: HashMap<String, PatchApplyBegin>,

-    /// Tracks in-flight MCP tool calls so we can calculate duration and print
-    /// a concise summary when the corresponding `McpToolCallEnd` event is
-    /// received.
-    call_id_to_tool_call: HashMap<String, McpToolCallBegin>,
-
    // To ensure that --color=never is respected, ANSI escapes _must_ be added
    // using .style() with one of these fields. If you need a new style, add a
    // new field here.
@@ -75,7 +57,6 @@ pub(crate) struct EventProcessorWithHumanOutput {
    answer_started: bool,
    reasoning_started: bool,
    last_message_path: Option<PathBuf>,
-    last_token_usage: Option<TokenUsage>,
 }

 impl EventProcessorWithHumanOutput {
@@ -86,7 +67,6 @@ impl EventProcessorWithHumanOutput {
    ) -> Self {
        let call_id_to_command = HashMap::new();
        let call_id_to_patch = HashMap::new();
-        let call_id_to_tool_call = HashMap::new();

        if with_ansi {
            Self {
@@ -99,12 +79,10 @@ impl EventProcessorWithHumanOutput {
                red: Style::new().red(),
                green: Style::new().green(),
                cyan: Style::new().cyan(),
-                call_id_to_tool_call,
                show_agent_reasoning: !config.hide_agent_reasoning,
                answer_started: false,
                reasoning_started: false,
                last_message_path,
-                last_token_usage: None,
            }
        } else {
            Self {
@@ -117,12 +95,10 @@ impl EventProcessorWithHumanOutput {
                red: Style::new(),
                green: Style::new(),
                cyan: Style::new(),
-                call_id_to_tool_call,
                show_agent_reasoning: !config.hide_agent_reasoning,
                answer_started: false,
                reasoning_started: false,
                last_message_path,
-                last_token_usage: None,
            }
        }
    }
@@ -133,14 +109,6 @@ struct ExecCommandBegin {
    start_time: Instant,
 }

-/// Metadata captured when an `McpToolCallBegin` event is received.
-struct McpToolCallBegin {
-    /// Formatted invocation string, e.g. `server.tool({"city":"sf"})`.
-    invocation: String,
-    /// Timestamp when the call started so we can compute duration later.
-    start_time: Instant,
-}
-
 struct PatchApplyBegin {
    start_time: Instant,
    auto_approved: bool,
@@ -199,74 +167,17 @@ impl EventProcessor for EventProcessorWithHumanOutput {
                ts_println!(self, "{}", message.style(self.dimmed));
            }
            EventMsg::TaskStarted => {
-                if let Ok(task_id) = std::env::var("CODEX_TASK_ID") {
-                    if let Some(base) = codex_base_dir_for_logging() {
-                        let tasks_path = base.join("tasks.jsonl");
-                        let ts = std::time::SystemTime::now()
-                            .duration_since(std::time::UNIX_EPOCH)
-                            .map(|d| d.as_secs())
-                            .unwrap_or(0);
-                        let obj = serde_json::json!({
-                            "task_id": task_id,
-                            "update_time": ts,
-                            "state": "started",
-                        });
-                        let _ = append_json_line(&tasks_path, &obj);
-                    }
-                }
+                // Ignore.
            }
            EventMsg::TaskComplete(TaskCompleteEvent { last_agent_message }) => {
-                
                handle_last_message(
                    last_agent_message.as_deref(),
                    self.last_message_path.as_deref(),
                );
-                // On completion, append a final state entry with last token count snapshot.
-                if let Ok(task_id) = std::env::var("CODEX_TASK_ID") {
-                    if let Some(base) = codex_base_dir_for_logging() {
-                        let tasks_path = base.join("tasks.jsonl");
-                        let ts = std::time::SystemTime::now()
-                            .duration_since(std::time::UNIX_EPOCH)
-                            .map(|d| d.as_secs())
-                            .unwrap_or(0);
-                        let token_json = self.last_token_usage.as_ref().map(|u| serde_json::json!({
-                            "input_tokens": u.input_tokens,
-                            "cached_input_tokens": u.cached_input_tokens,
-                            "output_tokens": u.output_tokens,
-                            "reasoning_output_tokens": u.reasoning_output_tokens,
-                            "total_tokens": u.total_tokens,
-                        }));
-                        let mut obj = serde_json::json!({
-                            "task_id": task_id,
-                            "completion_time": ts,
-                            "end_time": ts,
-                            "state": "done",
-                        });
-                        if let Some(tj) = token_json { if let serde_json::Value::Object(ref mut map) = obj { map.insert("token_count".to_string(), tj); } }
-                        let _ = append_json_line(&tasks_path, &obj);
-                    }
-                }
                return CodexStatus::InitiateShutdown;
            }
            EventMsg::TokenCount(TokenUsage { total_tokens, .. }) => {
                ts_println!(self, "tokens used: {total_tokens}");
-                if let Ok(task_id) = std::env::var("CODEX_TASK_ID") {
-                    if let Some(base) = codex_base_dir_for_logging() {
-                        let tasks_path = base.join("tasks.jsonl");
-                        let ts = std::time::SystemTime::now()
-                            .duration_since(std::time::UNIX_EPOCH)
-                            .map(|d| d.as_secs())
-                            .unwrap_or(0);
-                        let full = serde_json::json!({
-                            "task_id": task_id,
-                            "update_time": ts,
-                            "token_count": {
-                                "total_tokens": total_tokens,
-                            }
-                        });
-                        let _ = append_json_line(&tasks_path, &full);
-                    }
-                }
            }
            EventMsg::AgentMessageDelta(AgentMessageDeltaEvent { delta }) => {
                if !self.answer_started {
@@ -367,63 +278,33 @@ impl EventProcessor for EventProcessorWithHumanOutput {
                println!("{}", truncated_output.style(self.dimmed));
            }
            EventMsg::McpToolCallBegin(McpToolCallBeginEvent {
-                call_id,
-                server,
-                tool,
-                arguments,
+                call_id: _,
+                invocation,
            }) => {
-                // Build fully-qualified tool name: server.tool
-                let fq_tool_name = format!("{server}.{tool}");
-
-                // Format arguments as compact JSON so they fit on one line.
-                let args_str = arguments
-                    .as_ref()
-                    .map(|v: &serde_json::Value| {
-                        serde_json::to_string(v).unwrap_or_else(|_| v.to_string())
-                    })
-                    .unwrap_or_default();
-
-                let invocation = if args_str.is_empty() {
-                    format!("{fq_tool_name}()")
-                } else {
-                    format!("{fq_tool_name}({args_str})")
-                };
-
-                self.call_id_to_tool_call.insert(
-                    call_id.clone(),
-                    McpToolCallBegin {
-                        invocation: invocation.clone(),
-                        start_time: Instant::now(),
-                    },
-                );
-
                ts_println!(
                    self,
                    "{} {}",
                    "tool".style(self.magenta),
-                    invocation.style(self.bold),
+                    format_mcp_invocation(&invocation).style(self.bold),
                );
            }
            EventMsg::McpToolCallEnd(tool_call_end_event) => {
                let is_success = tool_call_end_event.is_success();
-                let McpToolCallEndEvent { call_id, result } = tool_call_end_event;
-                // Retrieve start time and invocation for duration calculation and labeling.
-                let info = self.call_id_to_tool_call.remove(&call_id);
-
-                let (duration, invocation) = if let Some(McpToolCallBegin {
+                let McpToolCallEndEvent {
+                    call_id: _,
+                    result,
                    invocation,
-                    start_time,
-                    ..
-                }) = info
-                {
-                    (format!(" in {}", format_elapsed(start_time)), invocation)
-                } else {
-                    (String::new(), format!("tool('{call_id}')"))
-                };
+                    duration,
+                } = tool_call_end_event;
+
+                let duration = format!(" in {}", format_duration(duration));

                let status_str = if is_success { "success" } else { "failed" };
                let title_style = if is_success { self.green } else { self.red };
-                let title = format!("{invocation} {status_str}{duration}:");
+                let title = format!(
+                    "{} {status_str}{duration}:",
+                    format_mcp_invocation(&invocation)
+                );

                ts_println!(self, "{}", title.style(title_style));

@@ -551,41 +432,10 @@ impl EventProcessor for EventProcessorWithHumanOutput {
                }
            }
            EventMsg::ExecApprovalRequest(_) => {
-                // When a background task requests execution approval, persist a state transition
-                // so `codex tasks ls` can reflect that it is waiting on user input.
-                if let Ok(task_id) = std::env::var("CODEX_TASK_ID") {
-                    if let Some(base) = codex_base_dir_for_logging() {
-                        let tasks_path = base.join("tasks.jsonl");
-                        let ts = std::time::SystemTime::now()
-                            .duration_since(std::time::UNIX_EPOCH)
-                            .map(|d| d.as_secs())
-                            .unwrap_or(0);
-                        let obj = serde_json::json!({
-                            "task_id": task_id,
-                            "update_time": ts,
-                            "state": "waiting_exec_approval",
-                        });
-                        let _ = append_json_line(&tasks_path, &obj);
-                    }
-                }
+                // Should we exit?
            }
            EventMsg::ApplyPatchApprovalRequest(_) => {
-                // todo: test/verify and verify if useful to keep now
-                if let Ok(task_id) = std::env::var("CODEX_TASK_ID") {
-                    if let Some(base) = codex_base_dir_for_logging() {
-                        let tasks_path = base.join("tasks.jsonl");
-                        let ts = std::time::SystemTime::now()
-                            .duration_since(std::time::UNIX_EPOCH)
-                            .map(|d| d.as_secs())
-                            .unwrap_or(0);
-                        let obj = serde_json::json!({
-                            "task_id": task_id,
-                            "update_time": ts,
-                            "state": "waiting_patch_approval",
-                        });
-                        let _ = append_json_line(&tasks_path, &obj);
-                    }
-                }
+                // Should we exit?
            }
            EventMsg::AgentReasoning(agent_reasoning_event) => {
                if self.show_agent_reasoning {
@@ -620,6 +470,11 @@ impl EventProcessor for EventProcessorWithHumanOutput {
                ts_println!(self, "model: {}", model);
                println!();
            }
+            EventMsg::PlanUpdate(plan_update_event) => {
+                let UpdatePlanArgs { explanation, plan } = plan_update_event;
+                ts_println!(self, "explanation: {explanation:?}");
+                ts_println!(self, "plan: {plan:?}");
+            }
            EventMsg::GetHistoryEntryResponse(_) => {
                // Currently ignored in exec output.
            }
@@ -645,3 +500,21 @@ fn format_file_change(change: &FileChange) -> &'static str {
        } => "M",
    }
 }
+
+fn format_mcp_invocation(invocation: &McpInvocation) -> String {
+    // Build fully-qualified tool name: server.tool
+    let fq_tool_name = format!("{}.{}", invocation.server, invocation.tool);
+
+    // Format arguments as compact JSON so they fit on one line.
+    let args_str = invocation
+        .arguments
+        .as_ref()
+        .map(|v: &serde_json::Value| serde_json::to_string(v).unwrap_or_else(|_| v.to_string()))
+        .unwrap_or_default();
+
+    if args_str.is_empty() {
+        format!("{fq_tool_name}()")
+    } else {
+        format!("{fq_tool_name}({args_str})")
+    }
+}
--- a/codex-rs/exec/src/lib.rs
+++ b/codex-rs/exec/src/lib.rs
@@ -7,10 +7,10 @@ use std::io::IsTerminal;
 use std::io::Read;
 use std::path::PathBuf;
 use std::sync::Arc;
-use std::path::Path;

 pub use cli::Cli;
-use codex_core::codex_wrapper;
+use codex_core::codex_wrapper::CodexConversation;
+use codex_core::codex_wrapper::{self};
 use codex_core::config::Config;
 use codex_core::config::ConfigOverrides;
 use codex_core::config_types::SandboxMode;
@@ -92,6 +92,20 @@ pub async fn run_main(cli: Cli, codex_linux_sandbox_exe: Option<PathBuf>) -> any
        ),
    };

+    // TODO(mbolin): Take a more thoughtful approach to logging.
+    let default_level = "error";
+    let _ = tracing_subscriber::fmt()
+        // Fallback to the `default_level` log filter if the environment
+        // variable is not set _or_ contains an invalid value
+        .with_env_filter(
+            EnvFilter::try_from_default_env()
+                .or_else(|_| EnvFilter::try_new(default_level))
+                .unwrap_or_else(|_| EnvFilter::new(default_level)),
+        )
+        .with_ansi(stderr_with_ansi)
+        .with_writer(std::io::stderr)
+        .try_init();
+
    let sandbox_mode = if full_auto {
        Some(SandboxMode::WorkspaceWrite)
    } else if dangerously_bypass_approvals_and_sandbox {
@@ -112,6 +126,7 @@ pub async fn run_main(cli: Cli, codex_linux_sandbox_exe: Option<PathBuf>) -> any
        model_provider: None,
        codex_linux_sandbox_exe,
        base_instructions: None,
+        include_plan_tool: None,
    };
    // Parse `-c` overrides.
    let cli_kv_overrides = match config_overrides.parse_overrides() {
@@ -142,23 +157,14 @@ pub async fn run_main(cli: Cli, codex_linux_sandbox_exe: Option<PathBuf>) -> any
        std::process::exit(1);
    }

-    // TODO(mbolin): Take a more thoughtful approach to logging.
-    let default_level = "error";
-    let _ = tracing_subscriber::fmt()
-        // Fallback to the `default_level` log filter if the environment
-        // variable is not set _or_ contains an invalid value
-        .with_env_filter(
-            EnvFilter::try_from_default_env()
-                .or_else(|_| EnvFilter::try_new(default_level))
-                .unwrap_or_else(|_| EnvFilter::new(default_level)),
-        )
-        .with_ansi(stderr_with_ansi)
-        .with_writer(std::io::stderr)
-        .try_init();
-
-    let (codex_wrapper, event, ctrl_c, _session_id) = codex_wrapper::init_codex(config).await?;
+    let CodexConversation {
+        codex: codex_wrapper,
+        session_configured,
+        ctrl_c,
+        ..
+    } = codex_wrapper::init_codex(config).await?;
    let codex = Arc::new(codex_wrapper);
-    info!("Codex initialized with event: {event:?}");
+    info!("Codex initialized with event: {session_configured:?}");

    let (tx, mut rx) = tokio::sync::mpsc::unbounded_channel::<Event>();
    {
@@ -238,119 +244,5 @@ pub async fn run_main(cli: Cli, codex_linux_sandbox_exe: Option<PathBuf>) -> any
        }
    }

-    // If running in concurrent auto-merge mode, attempt to commit and merge original branch.
-    if std::env::var("CODEX_CONCURRENT_AUTOMERGE").ok().as_deref() == Some("1") {
-        if let Err(e) = auto_commit_and_fast_forward_original_branch() {
-            eprintln!("[codex-concurrent] Auto-merge skipped: {e}");
-        }
-    }
-
-    Ok(())
-}
-
-fn handle_last_message(
-    last_agent_message: Option<String>,
-    last_message_file: Option<&Path>,
-) -> std::io::Result<()> {
-    match (last_agent_message, last_message_file) {
-        (Some(last_agent_message), Some(last_message_file)) => {
-            // Last message and a file to write to.
-            std::fs::write(last_message_file, last_agent_message)?;
-        }
-        (None, Some(last_message_file)) => {
-            eprintln!(
-                "Warning: No last message to write to file: {}",
-                last_message_file.to_string_lossy()
-            );
-        }
-        (_, None) => {
-            // No last message and no file to write to.
-        }
-    }
-    Ok(())
-}
-
-/// Auto-commit changes in the concurrent worktree branch and integrate them back into the original branch.
-/// Strategy:
-/// 1. Commit any pending changes on the concurrent branch.
-/// 2. Checkout the original branch in the original root and perform a --no-ff merge.
-/// Safety: Only performs merge operations if repository state allows; on conflicts it aborts and reports.
-fn auto_commit_and_fast_forward_original_branch() -> anyhow::Result<()> {
-    use std::process::Command;
-    let concurrent_branch = std::env::var("CODEX_CONCURRENT_BRANCH").ok().ok_or_else(|| anyhow::anyhow!("missing concurrent branch env"))?;
-    let original_branch = std::env::var("CODEX_ORIGINAL_BRANCH").ok().ok_or_else(|| anyhow::anyhow!("missing original branch env"))?;
-    let original_commit = std::env::var("CODEX_ORIGINAL_COMMIT").ok().ok_or_else(|| anyhow::anyhow!("missing original commit env"))?;
-    let worktree_dir_env = std::env::var("CODEX_CONCURRENT_WORKTREE").ok();
-    let original_root_env = std::env::var("CODEX_ORIGINAL_ROOT").ok();
-
-    // Determine directory to run git commit for concurrent branch (worktree if provided, else repo root from rev-parse).
-    let worktree_dir = if let Some(wt) = worktree_dir_env.clone() {
-        std::path::PathBuf::from(wt)
-    } else {
-        let repo_root = Command::new("git").args(["rev-parse", "--show-toplevel"]).output()?;
-        if !repo_root.status.success() { anyhow::bail!("not a git repo"); }
-        std::path::PathBuf::from(String::from_utf8_lossy(&repo_root.stdout).trim().to_string())
-    };
-
-    // Commit pending changes (git add ., git commit -m ...).
-    let status_out = Command::new("git")
-        .current_dir(&worktree_dir)
-        .args(["status", "--porcelain"]).output()?;
-    if !status_out.status.success() { anyhow::bail!("git status failed"); }
-    if !status_out.stdout.is_empty() {
-        let add_status = Command::new("git")
-            .current_dir(&worktree_dir)
-            .args(["add", "."]).status()?;
-        if !add_status.success() { anyhow::bail!("git add failed"); }
-        let commit_msg = format!("Codex concurrent run auto-commit on branch {concurrent_branch}");
-        let commit_status = Command::new("git")
-            .current_dir(&worktree_dir)
-            .args(["commit", "-m", &commit_msg]).status()?;
-        if !commit_status.success() { anyhow::bail!("git commit failed"); }
-        eprintln!("[codex-concurrent] Created commit in {concurrent_branch}.");
-    } else {
-        eprintln!("[codex-concurrent] No changes to commit in {concurrent_branch}.");
-    }
-
-    // Capture head of concurrent branch (for potential future use / diagnostics).
-    let concurrent_head_out = Command::new("git")
-        .current_dir(&worktree_dir)
-        .args(["rev-parse", &concurrent_branch]).output()?;
-    if !concurrent_head_out.status.success() { anyhow::bail!("failed to rev-parse concurrent branch"); }
-
-    // Determine where to integrate (original root if known, else worktree).
-    let integration_dir = if let Some(root) = original_root_env.clone() { std::path::PathBuf::from(root) } else { worktree_dir.clone() };
-
-    // Checkout original branch.
-    let co_status = Command::new("git")
-        .current_dir(&integration_dir)
-        .args(["checkout", &original_branch])
-        .status()?;
-    if !co_status.success() { anyhow::bail!("git checkout {original_branch} failed in original root"); }
-
-    // Check if concurrent branch already merged (ancestor test).
-    let ancestor_status = Command::new("git")
-        .current_dir(&integration_dir)
-        .args(["merge-base", "--is-ancestor", &concurrent_branch, &original_branch])
-        .status();
-    if let Ok(code) = ancestor_status {
-        if code.success() {
-            eprintln!("[codex-concurrent] {concurrent_branch} already merged into {original_branch}; skipping.");
-            return Ok(());
-        }
-    }
-
-    // Perform a --no-ff merge.
-    let merge_msg = format!("Merge concurrent Codex branch {concurrent_branch} (base {original_commit})");
-    let merge_status = Command::new("git")
-        .current_dir(&integration_dir)
-        .args(["merge", "--no-ff", &concurrent_branch, "-m", &merge_msg])
-        .status()?;
-    if !merge_status.success() {
-        let _ = Command::new("git").current_dir(&integration_dir).args(["merge", "--abort"]).status();
-        anyhow::bail!("git merge --no-ff failed (conflicts?)");
-    }
-    eprintln!("[codex-concurrent] Merged {concurrent_branch} into {original_branch} in original root: {}", integration_dir.display());
-
    Ok(())
 }
--- a/codex-rs/exec/src/main.rs
+++ b/codex-rs/exec/src/main.rs
@@ -10,6 +10,7 @@
 //! This allows us to ship a completely separate set of functionality as part
 //! of the `codex-exec` binary.
 use clap::Parser;
+use codex_arg0::arg0_dispatch_or_else;
 use codex_common::CliConfigOverrides;
 use codex_exec::Cli;
 use codex_exec::run_main;
@@ -24,7 +25,7 @@ struct TopCli {
 }

 fn main() -> anyhow::Result<()> {
-    codex_linux_sandbox::run_with_sandbox(|codex_linux_sandbox_exe| async move {
+    arg0_dispatch_or_else(|codex_linux_sandbox_exe| async move {
        let top_cli = TopCli::parse();
        // Merge root-level overrides into inner CLI struct so downstream logic remains unchanged.
        let mut inner = top_cli.inner;
--- a/codex-rs/exec/tests/apply_patch.rs
+++ b/codex-rs/exec/tests/apply_patch.rs
@@ -0,0 +1,39 @@
+use anyhow::Context;
+use assert_cmd::prelude::*;
+use codex_core::CODEX_APPLY_PATCH_ARG1;
+use std::fs;
+use std::process::Command;
+use tempfile::tempdir;
+
+/// While we may add an `apply-patch` subcommand to the `codex` CLI multitool
+/// at some point, we must ensure that the smaller `codex-exec` CLI can still
+/// emulate the `apply_patch` CLI.
+#[test]
+fn test_standalone_exec_cli_can_use_apply_patch() -> anyhow::Result<()> {
+    let tmp = tempdir()?;
+    let relative_path = "source.txt";
+    let absolute_path = tmp.path().join(relative_path);
+    fs::write(&absolute_path, "original content\n")?;
+
+    Command::cargo_bin("codex-exec")
+        .context("should find binary for codex-exec")?
+        .arg(CODEX_APPLY_PATCH_ARG1)
+        .arg(
+            r#"*** Begin Patch
+*** Update File: source.txt
+@@
+-original content
+modified by apply_patch
+*** End Patch"#,
+        )
+        .current_dir(tmp.path())
+        .assert()
+        .success()
+        .stdout("Success. Updated the following files:\nM source.txt\n")
+        .stderr(predicates::str::is_empty());
+    assert_eq!(
+        fs::read_to_string(absolute_path)?,
+        "modified by apply_patch\n"
+    );
+    Ok(())
+}
--- a/codex-rs/file-search/Cargo.toml
+++ b/codex-rs/file-search/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-file-search"
 version = { workspace = true }
-edition = "2024"

 [[bin]]
 name = "codex-file-search"
--- a/codex-rs/linux-sandbox/Cargo.toml
+++ b/codex-rs/linux-sandbox/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-linux-sandbox"
 version = { workspace = true }
-edition = "2024"

 [[bin]]
 name = "codex-linux-sandbox"
@@ -14,15 +14,16 @@ path = "src/lib.rs"
 [lints]
 workspace = true

-[dependencies]
+[target.'cfg(target_os = "linux")'.dependencies]
 anyhow = "1"
 clap = { version = "4", features = ["derive"] }
 codex-common = { path = "../common", features = ["cli"] }
 codex-core = { path = "../core" }
-dotenvy = "0.15.7"
-tokio = { version = "1", features = ["rt-multi-thread"] }
+landlock = "0.4.1"
+libc = "0.2.172"
+seccompiler = "0.5.0"

-[dev-dependencies]
+[target.'cfg(target_os = "linux")'.dev-dependencies]
 tempfile = "3"
 tokio = { version = "1", features = [
    "io-std",
@@ -31,8 +32,3 @@ tokio = { version = "1", features = [
    "rt-multi-thread",
    "signal",
 ] }
-
-[target.'cfg(target_os = "linux")'.dependencies]
-libc = "0.2.172"
-landlock = "0.4.1"
-seccompiler = "0.5.0"
--- a/codex-rs/linux-sandbox/src/lib.rs
+++ b/codex-rs/linux-sandbox/src/lib.rs
@@ -4,72 +4,11 @@ mod landlock;
 mod linux_run_main;

 #[cfg(target_os = "linux")]
-pub use linux_run_main::run_main;
-
-use std::future::Future;
-use std::path::PathBuf;
-
-/// Helper that consolidates the common boilerplate found in several Codex
-/// binaries (`codex`, `codex-exec`, `codex-tui`) around dispatching to the
-/// `codex-linux-sandbox` sub-command.
-///
-/// When the current executable is invoked through the hard-link or alias
-/// named `codex-linux-sandbox` we *directly* execute [`run_main`](crate::run_main)
-/// (which never returns). Otherwise we:
-/// 1.  Construct a Tokio multi-thread runtime.
-/// 2.  Derive the path to the current executable (so children can re-invoke
-///     the sandbox) when running on Linux.
-/// 3.  Execute the provided async `main_fn` inside that runtime, forwarding
-///     any error.
-///
-/// This function eliminates duplicated code across the various `main.rs`
-/// entry-points.
-pub fn run_with_sandbox<F, Fut>(main_fn: F) -> anyhow::Result<()>
-where
-    F: FnOnce(Option<PathBuf>) -> Fut,
-    Fut: Future<Output = anyhow::Result<()>>,
-{
-    use std::path::Path;
-
-    // Determine if we were invoked via the special alias.
-    let argv0 = std::env::args().next().unwrap_or_default();
-    let exe_name = Path::new(&argv0)
-        .file_name()
-        .and_then(|s| s.to_str())
-        .unwrap_or("");
-
-    if exe_name == "codex-linux-sandbox" {
-        // Safety: [`run_main`] never returns.
-        crate::run_main();
-    }
-
-    // This modifies the environment, which is not thread-safe, so do this
-    // before creating any threads/the Tokio runtime.
-    load_dotenv();
-
-    // Regular invocation – create a Tokio runtime and execute the provided
-    // async entry-point.
-    let runtime = tokio::runtime::Runtime::new()?;
-    runtime.block_on(async move {
-        let codex_linux_sandbox_exe: Option<PathBuf> = if cfg!(target_os = "linux") {
-            std::env::current_exe().ok()
-        } else {
-            None
-        };
-
-        main_fn(codex_linux_sandbox_exe).await
-    })
+pub fn run_main() -> ! {
+    linux_run_main::run_main();
 }

 #[cfg(not(target_os = "linux"))]
 pub fn run_main() -> ! {
    panic!("codex-linux-sandbox is only supported on Linux");
 }
-
-/// Load env vars from ~/.codex/.env and `$(pwd)/.env`.
-fn load_dotenv() {
-    if let Ok(codex_home) = codex_core::config::find_codex_home() {
-        dotenvy::from_path(codex_home.join(".env")).ok();
-    }
-    dotenvy::dotenv().ok();
-}
--- a/codex-rs/login/Cargo.toml
+++ b/codex-rs/login/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-login"
 version = { workspace = true }
-edition = "2024"

 [lints]
 workspace = true
@@ -18,3 +18,6 @@ tokio = { version = "1", features = [
    "rt-multi-thread",
    "signal",
 ] }
+
+[dev-dependencies]
+tempfile = "3"
--- a/codex-rs/login/src/lib.rs
+++ b/codex-rs/login/src/lib.rs
@@ -1,19 +1,187 @@
 use chrono::DateTime;
+
 use chrono::Utc;
 use serde::Deserialize;
 use serde::Serialize;
+use std::env;
 use std::fs::OpenOptions;
 use std::io::Read;
 use std::io::Write;
 #[cfg(unix)]
 use std::os::unix::fs::OpenOptionsExt;
 use std::path::Path;
+use std::path::PathBuf;
 use std::process::Stdio;
+use std::sync::Arc;
+use std::sync::Mutex;
+use std::time::Duration;
 use tokio::process::Command;

 const SOURCE_FOR_PYTHON_SERVER: &str = include_str!("./login_with_chatgpt.py");

 const CLIENT_ID: &str = "app_EMoamEEZ73f0CkXaXp7hrann";
+pub const OPENAI_API_KEY_ENV_VAR: &str = "OPENAI_API_KEY";
+
+#[derive(Clone, Debug, PartialEq)]
+pub enum AuthMode {
+    ApiKey,
+    ChatGPT,
+}
+
+#[derive(Debug, Clone)]
+pub struct CodexAuth {
+    pub api_key: Option<String>,
+    pub mode: AuthMode,
+    auth_dot_json: Arc<Mutex<Option<AuthDotJson>>>,
+    auth_file: PathBuf,
+}
+
+impl PartialEq for CodexAuth {
+    fn eq(&self, other: &Self) -> bool {
+        self.mode == other.mode
+    }
+}
+
+impl CodexAuth {
+    pub fn new(
+        api_key: Option<String>,
+        mode: AuthMode,
+        auth_file: PathBuf,
+        auth_dot_json: Option<AuthDotJson>,
+    ) -> Self {
+        let auth_dot_json = Arc::new(Mutex::new(auth_dot_json));
+        Self {
+            api_key,
+            mode,
+            auth_file,
+            auth_dot_json,
+        }
+    }
+
+    pub fn from_api_key(api_key: String) -> Self {
+        Self {
+            api_key: Some(api_key),
+            mode: AuthMode::ApiKey,
+            auth_file: PathBuf::new(),
+            auth_dot_json: Arc::new(Mutex::new(None)),
+        }
+    }
+
+    pub async fn get_token_data(&self) -> Result<TokenData, std::io::Error> {
+        #[expect(clippy::unwrap_used)]
+        let auth_dot_json = self.auth_dot_json.lock().unwrap().clone();
+        match auth_dot_json {
+            Some(AuthDotJson {
+                tokens: Some(mut tokens),
+                last_refresh: Some(last_refresh),
+                ..
+            }) => {
+                if last_refresh < Utc::now() - chrono::Duration::days(28) {
+                    let refresh_response = tokio::time::timeout(
+                        Duration::from_secs(60),
+                        try_refresh_token(tokens.refresh_token.clone()),
+                    )
+                    .await
+                    .map_err(|_| {
+                        std::io::Error::other("timed out while refreshing OpenAI API key")
+                    })?
+                    .map_err(std::io::Error::other)?;
+
+                    let updated_auth_dot_json = update_tokens(
+                        &self.auth_file,
+                        refresh_response.id_token,
+                        refresh_response.access_token,
+                        refresh_response.refresh_token,
+                    )
+                    .await?;
+
+                    tokens = updated_auth_dot_json
+                        .tokens
+                        .clone()
+                        .ok_or(std::io::Error::other(
+                            "Token data is not available after refresh.",
+                        ))?;
+
+                    #[expect(clippy::unwrap_used)]
+                    let mut auth_lock = self.auth_dot_json.lock().unwrap();
+                    *auth_lock = Some(updated_auth_dot_json);
+                }
+
+                Ok(tokens)
+            }
+            _ => Err(std::io::Error::other("Token data is not available.")),
+        }
+    }
+
+    pub async fn get_token(&self) -> Result<String, std::io::Error> {
+        match self.mode {
+            AuthMode::ApiKey => Ok(self.api_key.clone().unwrap_or_default()),
+            AuthMode::ChatGPT => {
+                let id_token = self.get_token_data().await?.access_token;
+
+                Ok(id_token)
+            }
+        }
+    }
+
+    pub async fn get_account_id(&self) -> Option<String> {
+        match self.mode {
+            AuthMode::ApiKey => None,
+            AuthMode::ChatGPT => {
+                let token_data = self.get_token_data().await.ok()?;
+
+                token_data.account_id.clone()
+            }
+        }
+    }
+}
+
+// Loads the available auth information from the auth.json or OPENAI_API_KEY environment variable.
+pub fn load_auth(codex_home: &Path, include_env_var: bool) -> std::io::Result<Option<CodexAuth>> {
+    let auth_file = get_auth_file(codex_home);
+
+    let auth_dot_json = try_read_auth_json(&auth_file).ok();
+
+    let auth_json_api_key = auth_dot_json
+        .as_ref()
+        .and_then(|a| a.openai_api_key.clone())
+        .filter(|s| !s.is_empty());
+
+    let openai_api_key = if include_env_var {
+        env::var(OPENAI_API_KEY_ENV_VAR)
+            .ok()
+            .filter(|s| !s.is_empty())
+            .or(auth_json_api_key)
+    } else {
+        auth_json_api_key
+    };
+
+    let has_tokens = auth_dot_json
+        .as_ref()
+        .and_then(|a| a.tokens.as_ref())
+        .is_some();
+
+    if openai_api_key.is_none() && !has_tokens {
+        return Ok(None);
+    }
+
+    let mode = if openai_api_key.is_some() {
+        AuthMode::ApiKey
+    } else {
+        AuthMode::ChatGPT
+    };
+
+    Ok(Some(CodexAuth {
+        api_key: openai_api_key,
+        mode,
+        auth_file,
+        auth_dot_json: Arc::new(Mutex::new(auth_dot_json)),
+    }))
+}
+
+fn get_auth_file(codex_home: &Path) -> PathBuf {
+    codex_home.join("auth.json")
+}

 /// Run `python3 -c {{SOURCE_FOR_PYTHON_SERVER}}` with the CODEX_HOME
 /// environment variable set to the provided `codex_home` path. If the
@@ -24,14 +192,12 @@ const CLIENT_ID: &str = "app_EMoamEEZ73f0CkXaXp7hrann";
 /// If `capture_output` is true, the subprocess's output will be captured and
 /// recorded in memory. Otherwise, the subprocess's output will be sent to the
 /// current process's stdout/stderr.
-pub async fn login_with_chatgpt(
-    codex_home: &Path,
-    capture_output: bool,
-) -> std::io::Result<String> {
+pub async fn login_with_chatgpt(codex_home: &Path, capture_output: bool) -> std::io::Result<()> {
    let child = Command::new("python3")
        .arg("-c")
        .arg(SOURCE_FOR_PYTHON_SERVER)
        .env("CODEX_HOME", codex_home)
+        .env("CODEX_CLIENT_ID", CLIENT_ID)
        .stdin(Stdio::null())
        .stdout(if capture_output {
            Stdio::piped()
@@ -47,7 +213,7 @@ pub async fn login_with_chatgpt(

    let output = child.wait_with_output().await?;
    if output.status.success() {
-        try_read_openai_api_key(codex_home).await
+        Ok(())
    } else {
        let stderr = String::from_utf8_lossy(&output.stderr);
        Err(std::io::Error::other(format!(
@@ -56,61 +222,66 @@ pub async fn login_with_chatgpt(
    }
 }

-/// Attempt to read the `OPENAI_API_KEY` from the `auth.json` file in the given
-/// `CODEX_HOME` directory, refreshing it, if necessary.
-pub async fn try_read_openai_api_key(codex_home: &Path) -> std::io::Result<String> {
-    let auth_dot_json = try_read_auth_json(codex_home).await?;
-    Ok(auth_dot_json.openai_api_key)
+pub fn login_with_api_key(codex_home: &Path, api_key: &str) -> std::io::Result<()> {
+    let auth_dot_json = AuthDotJson {
+        openai_api_key: Some(api_key.to_string()),
+        tokens: None,
+        last_refresh: None,
+    };
+    write_auth_json(&get_auth_file(codex_home), &auth_dot_json)
 }

 /// Attempt to read and refresh the `auth.json` file in the given `CODEX_HOME` directory.
 /// Returns the full AuthDotJson structure after refreshing if necessary.
-pub async fn try_read_auth_json(codex_home: &Path) -> std::io::Result<AuthDotJson> {
-    let auth_path = codex_home.join("auth.json");
-    let mut file = std::fs::File::open(&auth_path)?;
+pub fn try_read_auth_json(auth_file: &Path) -> std::io::Result<AuthDotJson> {
+    let mut file = std::fs::File::open(auth_file)?;
    let mut contents = String::new();
    file.read_to_string(&mut contents)?;
    let auth_dot_json: AuthDotJson = serde_json::from_str(&contents)?;

-    if is_expired(&auth_dot_json) {
-        let refresh_response = try_refresh_token(&auth_dot_json).await?;
-        let mut auth_dot_json = auth_dot_json;
-        auth_dot_json.tokens.id_token = refresh_response.id_token;
-        if let Some(refresh_token) = refresh_response.refresh_token {
-            auth_dot_json.tokens.refresh_token = refresh_token;
-        }
-        auth_dot_json.last_refresh = Utc::now();
+    Ok(auth_dot_json)
+}

-        let mut options = OpenOptions::new();
-        options.truncate(true).write(true).create(true);
-        #[cfg(unix)]
-        {
-            options.mode(0o600);
-        }
-
-        let json_data = serde_json::to_string(&auth_dot_json)?;
-        {
-            let mut file = options.open(&auth_path)?;
-            file.write_all(json_data.as_bytes())?;
-            file.flush()?;
-        }
-
-        Ok(auth_dot_json)
-    } else {
-        Ok(auth_dot_json)
+fn write_auth_json(auth_file: &Path, auth_dot_json: &AuthDotJson) -> std::io::Result<()> {
+    let json_data = serde_json::to_string_pretty(auth_dot_json)?;
+    let mut options = OpenOptions::new();
+    options.truncate(true).write(true).create(true);
+    #[cfg(unix)]
+    {
+        options.mode(0o600);
    }
+    let mut file = options.open(auth_file)?;
+    file.write_all(json_data.as_bytes())?;
+    file.flush()?;
+    Ok(())
 }

-fn is_expired(auth_dot_json: &AuthDotJson) -> bool {
-    let last_refresh = auth_dot_json.last_refresh;
-    last_refresh < Utc::now() - chrono::Duration::days(28)
+async fn update_tokens(
+    auth_file: &Path,
+    id_token: String,
+    access_token: Option<String>,
+    refresh_token: Option<String>,
+) -> std::io::Result<AuthDotJson> {
+    let mut auth_dot_json = try_read_auth_json(auth_file)?;
+
+    let tokens = auth_dot_json.tokens.get_or_insert_with(TokenData::default);
+    tokens.id_token = id_token.to_string();
+    if let Some(access_token) = access_token {
+        tokens.access_token = access_token.to_string();
+    }
+    if let Some(refresh_token) = refresh_token {
+        tokens.refresh_token = refresh_token.to_string();
+    }
+    auth_dot_json.last_refresh = Some(Utc::now());
+    write_auth_json(auth_file, &auth_dot_json)?;
+    Ok(auth_dot_json)
 }

-async fn try_refresh_token(auth_dot_json: &AuthDotJson) -> std::io::Result<RefreshResponse> {
+async fn try_refresh_token(refresh_token: String) -> std::io::Result<RefreshResponse> {
    let refresh_request = RefreshRequest {
        client_id: CLIENT_ID,
        grant_type: "refresh_token",
-        refresh_token: auth_dot_json.tokens.refresh_token.clone(),
+        refresh_token,
        scope: "openid profile email",
    };

@@ -145,24 +316,27 @@ struct RefreshRequest {
    scope: &'static str,
 }

-#[derive(Deserialize)]
+#[derive(Deserialize, Clone)]
 struct RefreshResponse {
    id_token: String,
+    access_token: Option<String>,
    refresh_token: Option<String>,
 }

 /// Expected structure for $CODEX_HOME/auth.json.
-#[derive(Deserialize, Serialize)]
+#[derive(Deserialize, Serialize, Clone, Debug, PartialEq)]
 pub struct AuthDotJson {
    #[serde(rename = "OPENAI_API_KEY")]
-    pub openai_api_key: String,
+    pub openai_api_key: Option<String>,

-    pub tokens: TokenData,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub tokens: Option<TokenData>,

-    pub last_refresh: DateTime<Utc>,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub last_refresh: Option<DateTime<Utc>>,
 }

-#[derive(Deserialize, Serialize, Clone)]
+#[derive(Deserialize, Serialize, Clone, Debug, PartialEq, Default)]
 pub struct TokenData {
    /// This is a JWT.
    pub id_token: String,
@@ -172,5 +346,97 @@ pub struct TokenData {

    pub refresh_token: String,

-    pub account_id: String,
+    pub account_id: Option<String>,
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use tempfile::tempdir;
+
+    #[test]
+    #[expect(clippy::unwrap_used)]
+    fn writes_api_key_and_loads_auth() {
+        let dir = tempdir().unwrap();
+        login_with_api_key(dir.path(), "sk-test-key").unwrap();
+        let auth = load_auth(dir.path(), false).unwrap().unwrap();
+        assert_eq!(auth.mode, AuthMode::ApiKey);
+        assert_eq!(auth.api_key.as_deref(), Some("sk-test-key"));
+    }
+
+    #[test]
+    #[expect(clippy::unwrap_used)]
+    fn loads_from_env_var_if_env_var_exists() {
+        let dir = tempdir().unwrap();
+
+        let env_var = std::env::var(OPENAI_API_KEY_ENV_VAR);
+
+        if let Ok(env_var) = env_var {
+            let auth = load_auth(dir.path(), true).unwrap().unwrap();
+            assert_eq!(auth.mode, AuthMode::ApiKey);
+            assert_eq!(auth.api_key, Some(env_var));
+        }
+    }
+
+    #[tokio::test]
+    #[expect(clippy::unwrap_used)]
+    async fn loads_token_data_from_auth_json() {
+        let dir = tempdir().unwrap();
+        let auth_file = dir.path().join("auth.json");
+        std::fs::write(
+            auth_file,
+            format!(
+                r#"
+        {{
+            "OPENAI_API_KEY": null,
+            "tokens": {{
+                "id_token": "test-id-token",
+                "access_token": "test-access-token",
+                "refresh_token": "test-refresh-token"
+            }},
+            "last_refresh": "{}"
+        }}
+        "#,
+                Utc::now().to_rfc3339()
+            ),
+        )
+        .unwrap();
+
+        let auth = load_auth(dir.path(), false).unwrap().unwrap();
+        assert_eq!(auth.mode, AuthMode::ChatGPT);
+        assert_eq!(auth.api_key, None);
+        assert_eq!(
+            auth.get_token_data().await.unwrap(),
+            TokenData {
+                id_token: "test-id-token".to_string(),
+                access_token: "test-access-token".to_string(),
+                refresh_token: "test-refresh-token".to_string(),
+                account_id: None,
+            }
+        );
+    }
+
+    #[tokio::test]
+    #[expect(clippy::unwrap_used)]
+    async fn loads_api_key_from_auth_json() {
+        let dir = tempdir().unwrap();
+        let auth_file = dir.path().join("auth.json");
+        std::fs::write(
+            auth_file,
+            r#"
+        {
+            "OPENAI_API_KEY": "sk-test-key",
+            "tokens": null,
+            "last_refresh": null
+        }
+        "#,
+        )
+        .unwrap();
+
+        let auth = load_auth(dir.path(), false).unwrap().unwrap();
+        assert_eq!(auth.mode, AuthMode::ApiKey);
+        assert_eq!(auth.api_key, Some("sk-test-key".to_string()));
+
+        assert!(auth.get_token_data().await.is_err());
+    }
 }
--- a/codex-rs/login/src/login_with_chatgpt.py
+++ b/codex-rs/login/src/login_with_chatgpt.py
@@ -41,7 +41,6 @@ from typing import Any, Dict  # for type hints
 REQUIRED_PORT = 1455
 URL_BASE = f"http://localhost:{REQUIRED_PORT}"
 DEFAULT_ISSUER = "https://auth.openai.com"
-DEFAULT_CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann"

 EXIT_CODE_WHEN_ADDRESS_ALREADY_IN_USE = 13

@@ -58,7 +57,7 @@ class TokenData:
 class AuthBundle:
    """Aggregates authentication data produced after successful OAuth flow."""

-    api_key: str
+    api_key: str | None
    token_data: TokenData
    last_refresh: str

@@ -78,12 +77,18 @@ def main() -> None:
        eprint("ERROR: CODEX_HOME environment variable is not set")
        sys.exit(1)

+    client_id = os.getenv("CODEX_CLIENT_ID")
+    if not client_id:
+        eprint("ERROR: CODEX_CLIENT_ID environment variable is not set")
+        sys.exit(1)
+
    # Spawn server.
    try:
        httpd = _ApiKeyHTTPServer(
            ("127.0.0.1", REQUIRED_PORT),
            _ApiKeyHTTPHandler,
            codex_home=codex_home,
+            client_id=client_id,
            verbose=args.verbose,
        )
    except OSError as e:
@@ -157,7 +162,7 @@ class _ApiKeyHTTPHandler(http.server.BaseHTTPRequestHandler):
                return

            try:
-                auth_bundle, success_url = self._exchange_code_for_api_key(code)
+                auth_bundle, success_url = self._exchange_code(code)
            except Exception as exc:  # noqa: BLE001 – propagate to client
                self.send_error(500, f"Token exchange failed: {exc}")
                return
@@ -211,68 +216,22 @@ class _ApiKeyHTTPHandler(http.server.BaseHTTPRequestHandler):
        if getattr(self.server, "verbose", False):  # type: ignore[attr-defined]
            super().log_message(fmt, *args)

-    def _exchange_code_for_api_key(self, code: str) -> tuple[AuthBundle, str]:
-        """Perform token + token-exchange to obtain an OpenAI API key.
+    def _obtain_api_key(
+        self,
+        token_claims: Dict[str, Any],
+        access_claims: Dict[str, Any],
+        token_data: TokenData,
+    ) -> tuple[str | None, str | None]:
+        """Obtain an API key from the auth service.

-        Returns (AuthBundle, success_url).
+        Returns (api_key, success_url) if successful, None otherwise.
        """

-        token_endpoint = f"{self.server.issuer}/oauth/token"
-
-        # 1. Authorization-code -> (id_token, access_token, refresh_token)
-        data = urllib.parse.urlencode(
-            {
-                "grant_type": "authorization_code",
-                "code": code,
-                "redirect_uri": self.server.redirect_uri,
-                "client_id": self.server.client_id,
-                "code_verifier": self.server.pkce.code_verifier,
-            }
-        ).encode()
-
-        token_data: TokenData
-
-        with urllib.request.urlopen(
-            urllib.request.Request(
-                token_endpoint,
-                data=data,
-                method="POST",
-                headers={"Content-Type": "application/x-www-form-urlencoded"},
-            )
-        ) as resp:
-            payload = json.loads(resp.read().decode())
-            
-            # Extract chatgpt_account_id from id_token
-            id_token_parts = payload["id_token"].split(".")
-            if len(id_token_parts) != 3:
-                raise ValueError("Invalid ID token")
-            id_token_claims = _decode_jwt_segment(id_token_parts[1])
-            auth_claims = id_token_claims.get("https://api.openai.com/auth", {})
-            chatgpt_account_id = auth_claims.get("chatgpt_account_id", "")
-            
-            token_data = TokenData(
-                id_token=payload["id_token"],
-                access_token=payload["access_token"],
-                refresh_token=payload["refresh_token"],
-                account_id=chatgpt_account_id,
-            )
-
-        access_token_parts = token_data.access_token.split(".")
-        if len(access_token_parts) != 3:
-            raise ValueError("Invalid access token")
-
-        access_token_claims = _decode_jwt_segment(access_token_parts[1])
-
-        token_claims = id_token_claims.get("https://api.openai.com/auth", {})
-        access_claims = access_token_claims.get("https://api.openai.com/auth", {})
-
        org_id = token_claims.get("organization_id")
-        if not org_id:
-            raise ValueError("Missing organization in id_token claims")
-
        project_id = token_claims.get("project_id")
-        if not project_id:
-            raise ValueError("Missing project in id_token claims")
+
+        if not org_id or not project_id:
+            return (None, None)

        random_id = secrets.token_hex(6)

@@ -292,7 +251,7 @@ class _ApiKeyHTTPHandler(http.server.BaseHTTPRequestHandler):
        exchanged_access_token: str
        with urllib.request.urlopen(
            urllib.request.Request(
-                token_endpoint,
+                self.server.token_endpoint,
                data=exchange_data,
                method="POST",
                headers={"Content-Type": "application/x-www-form-urlencoded"},
@@ -340,6 +299,65 @@ class _ApiKeyHTTPHandler(http.server.BaseHTTPRequestHandler):
        except Exception as exc:  # pragma: no cover – best-effort only
            eprint(f"Unable to redeem ChatGPT subscriber API credits: {exc}")

+        return (exchanged_access_token, success_url)
+
+    def _exchange_code(self, code: str) -> tuple[AuthBundle, str]:
+        """Perform token + token-exchange to obtain an OpenAI API key.
+
+        Returns (AuthBundle, success_url).
+        """
+
+        # 1. Authorization-code -> (id_token, access_token, refresh_token)
+        data = urllib.parse.urlencode(
+            {
+                "grant_type": "authorization_code",
+                "code": code,
+                "redirect_uri": self.server.redirect_uri,
+                "client_id": self.server.client_id,
+                "code_verifier": self.server.pkce.code_verifier,
+            }
+        ).encode()
+
+        token_data: TokenData
+
+        with urllib.request.urlopen(
+            urllib.request.Request(
+                self.server.token_endpoint,
+                data=data,
+                method="POST",
+                headers={"Content-Type": "application/x-www-form-urlencoded"},
+            )
+        ) as resp:
+            payload = json.loads(resp.read().decode())
+
+            # Extract chatgpt_account_id from id_token
+            id_token_parts = payload["id_token"].split(".")
+            if len(id_token_parts) != 3:
+                raise ValueError("Invalid ID token")
+            id_token_claims = _decode_jwt_segment(id_token_parts[1])
+            auth_claims = id_token_claims.get("https://api.openai.com/auth", {})
+            chatgpt_account_id = auth_claims.get("chatgpt_account_id", "")
+
+            token_data = TokenData(
+                id_token=payload["id_token"],
+                access_token=payload["access_token"],
+                refresh_token=payload["refresh_token"],
+                account_id=chatgpt_account_id,
+            )
+
+        access_token_parts = token_data.access_token.split(".")
+        if len(access_token_parts) != 3:
+            raise ValueError("Invalid access token")
+
+        access_token_claims = _decode_jwt_segment(access_token_parts[1])
+
+        token_claims = id_token_claims.get("https://api.openai.com/auth", {})
+        access_claims = access_token_claims.get("https://api.openai.com/auth", {})
+
+        exchanged_access_token, success_url = self._obtain_api_key(
+            token_claims, access_claims, token_data
+        )
+
        # Persist refresh_token/id_token for future use (redeem credits etc.)
        last_refresh_str = (
            datetime.datetime.now(datetime.timezone.utc)
@@ -353,7 +371,7 @@ class _ApiKeyHTTPHandler(http.server.BaseHTTPRequestHandler):
            last_refresh=last_refresh_str,
        )

-        return (auth_bundle, success_url)
+        return (auth_bundle, success_url or f"{URL_BASE}/success")

    def request_shutdown(self) -> None:
        # shutdown() must be invoked from another thread to avoid
@@ -413,6 +431,7 @@ class _ApiKeyHTTPServer(http.server.HTTPServer):
        request_handler_class: type[http.server.BaseHTTPRequestHandler],
        *,
        codex_home: str,
+        client_id: str,
        verbose: bool = False,
    ) -> None:
        super().__init__(server_address, request_handler_class, bind_and_activate=True)
@@ -422,7 +441,8 @@ class _ApiKeyHTTPServer(http.server.HTTPServer):
        self.verbose: bool = verbose

        self.issuer: str = DEFAULT_ISSUER
-        self.client_id: str = DEFAULT_CLIENT_ID
+        self.token_endpoint: str = f"{self.issuer}/oauth/token"
+        self.client_id: str = client_id
        port = server_address[1]
        self.redirect_uri: str = f"http://localhost:{port}/auth/callback"
        self.pkce: PkceCodes = _generate_pkce()
@@ -581,8 +601,8 @@ def maybe_redeem_credits(
        granted = redeem_data.get("granted_chatgpt_subscriber_api_credits", 0)
        if granted and granted > 0:
            eprint(
-                f"""Thanks for being a ChatGPT {'Plus' if plan_type=='plus' else 'Pro'} subscriber!
-If you haven't already redeemed, you should receive {'$5' if plan_type=='plus' else '$50'} in API credits.
+                f"""Thanks for being a ChatGPT {"Plus" if plan_type == "plus" else "Pro"} subscriber!
+If you haven't already redeemed, you should receive {"$5" if plan_type == "plus" else "$50"} in API credits.

 Credits: https://platform.openai.com/settings/organization/billing/credit-grants
 More info: https://help.openai.com/en/articles/11381614""",
--- a/codex-rs/mcp-client/src/main.rs
+++ b/codex-rs/mcp-client/src/main.rs
@@ -10,6 +10,7 @@
 //! program. The utility connects, issues a `tools/list` request and prints the
 //! server's response as pretty JSON.

+use std::ffi::OsString;
 use std::time::Duration;

 use anyhow::Context;
@@ -37,7 +38,7 @@ async fn main() -> Result<()> {
        .try_init();

    // Collect command-line arguments excluding the program name itself.
-    let mut args: Vec<String> = std::env::args().skip(1).collect();
+    let mut args: Vec<OsString> = std::env::args_os().skip(1).collect();

    if args.is_empty() || args[0] == "--help" || args[0] == "-h" {
        eprintln!("Usage: mcp-client <program> [args..]\n\nExample: mcp-client codex-mcp-server");
--- a/codex-rs/mcp-client/src/mcp_client.rs
+++ b/codex-rs/mcp-client/src/mcp_client.rs
@@ -12,6 +12,7 @@
 //! issue requests and receive strongly-typed results.

 use std::collections::HashMap;
+use std::ffi::OsString;
 use std::sync::Arc;
 use std::sync::atomic::AtomicI64;
 use std::sync::atomic::Ordering;
@@ -75,9 +76,6 @@ pub struct McpClient {

    /// Monotonically increasing counter used to generate request IDs.
    id_counter: AtomicI64,
-
-    /// Channel receiver for notifications (single consumer). Created per client.
-    notifications_rx: Mutex<Option<mpsc::Receiver<JSONRPCNotification>>>,
 }

 impl McpClient {
@@ -85,8 +83,8 @@ impl McpClient {
    /// Caller is responsible for sending the `initialize` request. See
    /// [`initialize`](Self::initialize) for details.
    pub async fn new_stdio_client(
-        program: String,
-        args: Vec<String>,
+        program: OsString,
+        args: Vec<OsString>,
        env: Option<HashMap<String, String>>,
    ) -> std::io::Result<Self> {
        let mut child = Command::new(program)
@@ -113,7 +111,6 @@ impl McpClient {

        let (outgoing_tx, mut outgoing_rx) = mpsc::channel::<JSONRPCMessage>(CHANNEL_CAPACITY);
        let pending: Arc<Mutex<HashMap<i64, PendingSender>>> = Arc::new(Mutex::new(HashMap::new()));
-        let (notif_tx, notif_rx) = mpsc::channel::<JSONRPCNotification>(CHANNEL_CAPACITY);

        // Spawn writer task. It listens on the `outgoing_rx` channel and
        // writes messages to the child's STDIN.
@@ -160,15 +157,8 @@ impl McpClient {
                            Self::dispatch_error(err, &pending).await;
                        }
                        Ok(JSONRPCMessage::Notification(JSONRPCNotification { .. })) => {
-                            // Log and also print notifications so callers (e.g., concurrent worker) can stream progress.
+                            // For now we only log server-initiated notifications.
                            info!("<- notification: {}", line);
-                            // (Filtered printing handled by higher-level caller; suppress raw spam here.)
-                            // Attempt to forward the notification to channel subscribers.
-                            if let Ok(parsed) = serde_json::from_str::<JSONRPCMessage>(&line) {
-                                if let JSONRPCMessage::Notification(n) = parsed {
-                                    let _ = notif_tx.try_send(n);
-                                }
-                            }
                        }
                        Ok(other) => {
                            // Batch responses and requests are currently not
@@ -194,7 +184,6 @@ impl McpClient {
            outgoing_tx,
            pending,
            id_counter: AtomicI64::new(1),
-            notifications_rx: Mutex::new(Some(notif_rx)),
        })
    }

@@ -361,11 +350,6 @@ impl McpClient {
        self.send_request::<CallToolRequest>(params, timeout).await
    }

-    /// Take the notifications receiver (only once). Returns None if already taken.
-    pub async fn take_notification_receiver(&self) -> Option<mpsc::Receiver<JSONRPCNotification>> {
-        self.notifications_rx.lock().await.take()
-    }
-
    /// Internal helper: route a JSON-RPC *response* object to the pending map.
    async fn dispatch_response(
        resp: JSONRPCResponse,
--- a/codex-rs/mcp-server/Cargo.toml
+++ b/codex-rs/mcp-server/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-mcp-server"
 version = { workspace = true }
-edition = "2024"

 [[bin]]
 name = "codex-mcp-server"
@@ -16,16 +16,14 @@ workspace = true

 [dependencies]
 anyhow = "1"
+codex-arg0 = { path = "../arg0" }
 codex-core = { path = "../core" }
-codex-linux-sandbox = { path = "../linux-sandbox" }
 mcp-types = { path = "../mcp-types" }
 schemars = "0.8.22"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 shlex = "1.3.0"
-toml = "0.9"
-tracing = { version = "0.1.41", features = ["log"] }
-tracing-subscriber = { version = "0.3", features = ["fmt", "env-filter"] }
+strum_macros = "0.27.2"
 tokio = { version = "1", features = [
    "io-std",
    "macros",
@@ -33,6 +31,9 @@ tokio = { version = "1", features = [
    "rt-multi-thread",
    "signal",
 ] }
+toml = "0.9"
+tracing = { version = "0.1.41", features = ["log"] }
+tracing-subscriber = { version = "0.3", features = ["env-filter", "fmt"] }
 uuid = { version = "1", features = ["serde", "v4"] }

 [dev-dependencies]
--- a/codex-rs/mcp-server/src/codex_tool_config.rs
+++ b/codex-rs/mcp-server/src/codex_tool_config.rs
@@ -50,6 +50,10 @@ pub struct CodexToolCallParam {
    /// The set of instructions to use instead of the default ones.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub base_instructions: Option<String>,
+
+    /// Whether to include the plan tool in the conversation.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub include_plan_tool: Option<bool>,
 }

 /// Custom enum mirroring [`AskForApproval`], but has an extra dependency on
@@ -140,9 +144,10 @@ impl CodexToolCallParam {
            sandbox,
            config: cli_overrides,
            base_instructions,
+            include_plan_tool,
        } = self;

-        // Build the `ConfigOverrides` recognised by codex-core.
+        // Build the `ConfigOverrides` recognized by codex-core.
        let overrides = codex_core::config::ConfigOverrides {
            model,
            config_profile: profile,
@@ -152,6 +157,7 @@ impl CodexToolCallParam {
            model_provider: None,
            codex_linux_sandbox_exe,
            base_instructions,
+            include_plan_tool,
        };

        let cli_overrides = cli_overrides
@@ -262,6 +268,10 @@ mod tests {
                "description": "Working directory for the session. If relative, it is resolved against the server process's current working directory.",
                "type": "string"
              },
+              "include-plan-tool": {
+                "description": "Whether to include the plan tool in the conversation.",
+                "type": "boolean"
+              },
              "model": {
                "description": "Optional override for the model name (e.g. \"o3\", \"o4-mini\").",
                "type": "string"
--- a/codex-rs/mcp-server/src/codex_tool_runner.rs
+++ b/codex-rs/mcp-server/src/codex_tool_runner.rs
@@ -6,6 +6,7 @@ use std::collections::HashMap;
 use std::sync::Arc;

 use codex_core::Codex;
+use codex_core::codex_wrapper::CodexConversation;
 use codex_core::codex_wrapper::init_codex;
 use codex_core::config::Config as CodexConfig;
 use codex_core::protocol::AgentMessageEvent;
@@ -26,6 +27,7 @@ use uuid::Uuid;

 use crate::exec_approval::handle_exec_approval_request;
 use crate::outgoing_message::OutgoingMessageSender;
+use crate::outgoing_message::OutgoingNotificationMeta;
 use crate::patch_approval::handle_patch_approval_request;

 pub(crate) const INVALID_PARAMS_ERROR_CODE: i64 = -32602;
@@ -42,7 +44,12 @@ pub async fn run_codex_tool_session(
    session_map: Arc<Mutex<HashMap<Uuid, Arc<Codex>>>>,
    running_requests_id_to_codex_uuid: Arc<Mutex<HashMap<RequestId, Uuid>>>,
 ) {
-    let (codex, first_event, _ctrl_c, session_id) = match init_codex(config).await {
+    let CodexConversation {
+        codex,
+        session_configured,
+        session_id,
+        ..
+    } = match init_codex(config).await {
        Ok(res) => res,
        Err(e) => {
            let result = CallToolResult {
@@ -65,8 +72,12 @@ pub async fn run_codex_tool_session(
    session_map.lock().await.insert(session_id, codex.clone());
    drop(session_map);

-    // Send initial SessionConfigured event.
-    outgoing.send_event_as_notification(&first_event).await;
+    outgoing
+        .send_event_as_notification(
+            &session_configured,
+            Some(OutgoingNotificationMeta::new(Some(id.clone()))),
+        )
+        .await;

    // Use the original MCP request ID as the `sub_id` for the Codex submission so that
    // any events emitted for this tool-call can be correlated with the
@@ -150,7 +161,12 @@ async fn run_codex_tool_session_inner(
    loop {
        match codex.next_event().await {
            Ok(event) => {
-                outgoing.send_event_as_notification(&event).await;
+                outgoing
+                    .send_event_as_notification(
+                        &event,
+                        Some(OutgoingNotificationMeta::new(Some(request_id.clone()))),
+                    )
+                    .await;

                match event.msg {
                    EventMsg::ExecApprovalRequest(ExecApprovalRequestEvent {
@@ -247,6 +263,7 @@ async fn run_codex_tool_session_inner(
                    | EventMsg::PatchApplyBegin(_)
                    | EventMsg::PatchApplyEnd(_)
                    | EventMsg::GetHistoryEntryResponse(_)
+                    | EventMsg::PlanUpdate(_)
                    | EventMsg::ShutdownComplete => {
                        // For now, we do not do anything extra for these
                        // events. Note that
--- a/codex-rs/mcp-server/src/lib.rs
+++ b/codex-rs/mcp-server/src/lib.rs
@@ -19,6 +19,7 @@ mod codex_tool_config;
 mod codex_tool_runner;
 mod exec_approval;
 mod json_to_toml;
+pub mod mcp_protocol;
 mod message_processor;
 mod outgoing_message;
 mod patch_approval;
--- a/codex-rs/mcp-server/src/main.rs
+++ b/codex-rs/mcp-server/src/main.rs
@@ -1,7 +1,8 @@
+use codex_arg0::arg0_dispatch_or_else;
 use codex_mcp_server::run_main;

 fn main() -> anyhow::Result<()> {
-    codex_linux_sandbox::run_with_sandbox(|codex_linux_sandbox_exe| async move {
+    arg0_dispatch_or_else(|codex_linux_sandbox_exe| async move {
        run_main(codex_linux_sandbox_exe).await?;
        Ok(())
    })
--- a/codex-rs/mcp-server/src/mcp_protocol.rs
+++ b/codex-rs/mcp-server/src/mcp_protocol.rs
--- a/codex-rs/mcp-server/src/message_processor.rs
+++ b/codex-rs/mcp-server/src/message_processor.rs
@@ -6,6 +6,7 @@ use crate::codex_tool_config::CodexToolCallParam;
 use crate::codex_tool_config::CodexToolCallReplyParam;
 use crate::codex_tool_config::create_tool_for_codex_tool_call_param;
 use crate::codex_tool_config::create_tool_for_codex_tool_call_reply_param;
+use crate::mcp_protocol::ToolCallRequestParams;
 use crate::outgoing_message::OutgoingMessageSender;

 use codex_core::Codex;
@@ -300,6 +301,14 @@ impl MessageProcessor {
        params: <mcp_types::CallToolRequest as mcp_types::ModelContextProtocolRequest>::Params,
    ) {
        tracing::info!("tools/call -> params: {:?}", params);
+        // Serialize params into JSON and try to parse as new type
+        if let Ok(new_params) =
+            serde_json::to_value(&params).and_then(serde_json::from_value::<ToolCallRequestParams>)
+        {
+            // New tool call matched → forward
+            self.handle_new_tool_calls(id, new_params).await;
+            return;
+        }
        let CallToolRequestParams { name, arguments } = params;

        match name.as_str() {
@@ -323,6 +332,20 @@ impl MessageProcessor {
            }
        }
    }
+    async fn handle_new_tool_calls(&self, request_id: RequestId, _params: ToolCallRequestParams) {
+        // TODO: implement the new tool calls
+        let result = CallToolResult {
+            content: vec![ContentBlock::TextContent(TextContent {
+                r#type: "text".to_string(),
+                text: "Unknown tool".to_string(),
+                annotations: None,
+            })],
+            is_error: Some(true),
+            structured_content: None,
+        };
+        self.send_response::<mcp_types::CallToolRequest>(request_id, result)
+            .await;
+    }

    async fn handle_tool_call_codex(&self, id: RequestId, arguments: Option<serde_json::Value>) {
        let (initial_prompt, config): (String, CodexConfig) = match arguments {
--- a/codex-rs/mcp-server/src/outgoing_message.rs
+++ b/codex-rs/mcp-server/src/outgoing_message.rs
@@ -18,6 +18,7 @@ use tokio::sync::mpsc;
 use tokio::sync::oneshot;
 use tracing::warn;

+/// Sends messages to the client and manages request callbacks.
 pub(crate) struct OutgoingMessageSender {
    next_request_id: AtomicI64,
    sender: mpsc::Sender<OutgoingMessage>,
@@ -78,16 +79,47 @@ impl OutgoingMessageSender {
        let _ = self.sender.send(outgoing_message).await;
    }

-    pub(crate) async fn send_event_as_notification(&self, event: &Event) {
-        #[expect(clippy::expect_used)]
-        let params = Some(serde_json::to_value(event).expect("Event must serialize"));
+    pub(crate) async fn send_event_as_notification(
+        &self,
+        event: &Event,
+        meta: Option<OutgoingNotificationMeta>,
+    ) {
+        #[allow(clippy::expect_used)]
+        let event_json = serde_json::to_value(event).expect("Event must serialize");
+
+        let params = if let Ok(params) = serde_json::to_value(OutgoingNotificationParams {
+            meta,
+            event: event_json.clone(),
+        }) {
+            params
+        } else {
+            warn!("Failed to serialize event as OutgoingNotificationParams");
+            event_json
+        };
+
        let outgoing_message = OutgoingMessage::Notification(OutgoingNotification {
            method: "codex/event".to_string(),
+            params: Some(params.clone()),
+        });
+        let _ = self.sender.send(outgoing_message).await;
+
+        self.send_event_as_notification_new_schema(event, Some(params.clone()))
+            .await;
+    }
+
+    // should be backwards compatible.
+    // it will replace send_event_as_notification eventually.
+    async fn send_event_as_notification_new_schema(
+        &self,
+        event: &Event,
+        params: Option<serde_json::Value>,
+    ) {
+        let outgoing_message = OutgoingMessage::Notification(OutgoingNotification {
+            method: event.msg.to_string(),
            params,
        });
        let _ = self.sender.send(outgoing_message).await;
    }
-
    pub(crate) async fn send_error(&self, id: RequestId, error: JSONRPCErrorError) {
        let outgoing_message = OutgoingMessage::Error(OutgoingError { id, error });
        let _ = self.sender.send(outgoing_message).await;
@@ -152,6 +184,30 @@ pub(crate) struct OutgoingNotification {
    pub params: Option<serde_json::Value>,
 }

+#[derive(Debug, Clone, PartialEq, Serialize)]
+pub(crate) struct OutgoingNotificationParams {
+    #[serde(rename = "_meta", default, skip_serializing_if = "Option::is_none")]
+    pub meta: Option<OutgoingNotificationMeta>,
+
+    #[serde(flatten)]
+    pub event: serde_json::Value,
+}
+
+// Additional mcp-specific data to be added to a [`codex_core::protocol::Event`] as notification.params._meta
+// MCP Spec: https://modelcontextprotocol.io/specification/2025-06-18/basic#meta
+// Typescript Schema: https://github.com/modelcontextprotocol/modelcontextprotocol/blob/0695a497eb50a804fc0e88c18a93a21a675d6b3e/schema/2025-06-18/schema.ts
+#[derive(Debug, Clone, PartialEq, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub(crate) struct OutgoingNotificationMeta {
+    pub request_id: Option<RequestId>,
+}
+
+impl OutgoingNotificationMeta {
+    pub(crate) fn new(request_id: Option<RequestId>) -> Self {
+        Self { request_id }
+    }
+}
+
 #[derive(Debug, Clone, PartialEq, Serialize)]
 pub(crate) struct OutgoingResponse {
    pub id: RequestId,
@@ -163,3 +219,113 @@ pub(crate) struct OutgoingError {
    pub error: JSONRPCErrorError,
    pub id: RequestId,
 }
+
+#[cfg(test)]
+mod tests {
+    #![allow(clippy::unwrap_used)]
+
+    use codex_core::protocol::EventMsg;
+    use codex_core::protocol::SessionConfiguredEvent;
+    use pretty_assertions::assert_eq;
+    use serde_json::json;
+    use uuid::Uuid;
+
+    use super::*;
+
+    #[tokio::test]
+    async fn test_send_event_as_notification() {
+        let (outgoing_tx, mut outgoing_rx) = mpsc::channel::<OutgoingMessage>(2);
+        let outgoing_message_sender = OutgoingMessageSender::new(outgoing_tx);
+
+        let event = Event {
+            id: "1".to_string(),
+            msg: EventMsg::SessionConfigured(SessionConfiguredEvent {
+                session_id: Uuid::new_v4(),
+                model: "gpt-4o".to_string(),
+                history_log_id: 1,
+                history_entry_count: 1000,
+            }),
+        };
+
+        outgoing_message_sender
+            .send_event_as_notification(&event, None)
+            .await;
+
+        let result = outgoing_rx.recv().await.unwrap();
+        let OutgoingMessage::Notification(OutgoingNotification { method, params }) = result else {
+            panic!("expected Notification for first message");
+        };
+        assert_eq!(method, "codex/event");
+
+        let Ok(expected_params) = serde_json::to_value(&event) else {
+            panic!("Event must serialize");
+        };
+        assert_eq!(params, Some(expected_params.clone()));
+
+        let result2 = outgoing_rx.recv().await.unwrap();
+        let OutgoingMessage::Notification(OutgoingNotification {
+            method: method2,
+            params: params2,
+        }) = result2
+        else {
+            panic!("expected Notification for second message");
+        };
+        assert_eq!(method2, event.msg.to_string());
+        assert_eq!(params2, Some(expected_params));
+    }
+
+    #[tokio::test]
+    async fn test_send_event_as_notification_with_meta() {
+        let (outgoing_tx, mut outgoing_rx) = mpsc::channel::<OutgoingMessage>(2);
+        let outgoing_message_sender = OutgoingMessageSender::new(outgoing_tx);
+
+        let session_configured_event = SessionConfiguredEvent {
+            session_id: Uuid::new_v4(),
+            model: "gpt-4o".to_string(),
+            history_log_id: 1,
+            history_entry_count: 1000,
+        };
+        let event = Event {
+            id: "1".to_string(),
+            msg: EventMsg::SessionConfigured(session_configured_event.clone()),
+        };
+        let meta = OutgoingNotificationMeta {
+            request_id: Some(RequestId::String("123".to_string())),
+        };
+
+        outgoing_message_sender
+            .send_event_as_notification(&event, Some(meta))
+            .await;
+
+        let result = outgoing_rx.recv().await.unwrap();
+        let OutgoingMessage::Notification(OutgoingNotification { method, params }) = result else {
+            panic!("expected Notification for first message");
+        };
+        assert_eq!(method, "codex/event");
+        let expected_params = json!({
+            "_meta": {
+                "requestId": "123",
+            },
+            "id": "1",
+            "msg": {
+                "session_id": session_configured_event.session_id,
+                "model": session_configured_event.model,
+                "history_log_id": session_configured_event.history_log_id,
+                "history_entry_count": session_configured_event.history_entry_count,
+                "type": "session_configured",
+            }
+        });
+        assert_eq!(params.unwrap(), expected_params);
+
+        let result2 = outgoing_rx.recv().await.unwrap();
+        let OutgoingMessage::Notification(OutgoingNotification {
+            method: method2,
+            params: params2,
+        }) = result2
+        else {
+            panic!("expected Notification for second message");
+        };
+        assert_eq!(method2, event.msg.to_string());
+        assert_eq!(params2.unwrap(), expected_params);
+    }
+}
--- a/codex-rs/mcp-server/tests/codex_tool.rs
+++ b/codex-rs/mcp-server/tests/codex_tool.rs
@@ -3,9 +3,9 @@ use std::env;
 use std::path::Path;
 use std::path::PathBuf;

-use codex_core::exec::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;
 use codex_core::protocol::FileChange;
 use codex_core::protocol::ReviewDecision;
+use codex_core::spawn::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;
 use codex_mcp_server::CodexToolCallParam;
 use codex_mcp_server::ExecApprovalElicitRequestParams;
 use codex_mcp_server::ExecApprovalResponse;
--- a/codex-rs/mcp-server/tests/common/Cargo.toml
+++ b/codex-rs/mcp-server/tests/common/Cargo.toml
@@ -10,6 +10,7 @@ path = "lib.rs"
 anyhow = "1"
 assert_cmd = "2"
 codex-mcp-server = { path = "../.." }
+codex-core = { path = "../../../core" }
 mcp-types = { path = "../../../mcp-types" }
 pretty_assertions = "1.4.1"
 serde_json = "1"
@@ -22,3 +23,4 @@ tokio = { version = "1", features = [
    "rt-multi-thread",
 ] }
 wiremock = "0.6"
+uuid = { version = "1", features = ["serde", "v4"] }
--- a/codex-rs/mcp-server/tests/common/mcp_process.rs
+++ b/codex-rs/mcp-server/tests/common/mcp_process.rs
@@ -11,8 +11,13 @@ use tokio::process::ChildStdout;

 use anyhow::Context;
 use assert_cmd::prelude::*;
+use codex_core::protocol::InputItem;
 use codex_mcp_server::CodexToolCallParam;
 use codex_mcp_server::CodexToolCallReplyParam;
+use codex_mcp_server::mcp_protocol::ConversationId;
+use codex_mcp_server::mcp_protocol::ConversationSendMessageArgs;
+use codex_mcp_server::mcp_protocol::ToolCallRequestParams;
+
 use mcp_types::CallToolRequestParams;
 use mcp_types::ClientCapabilities;
 use mcp_types::Implementation;
@@ -29,6 +34,7 @@ use pretty_assertions::assert_eq;
 use serde_json::json;
 use std::process::Command as StdCommand;
 use tokio::process::Command;
+use uuid::Uuid;

 pub struct McpProcess {
    next_request_id: AtomicI64,
@@ -174,6 +180,26 @@ impl McpProcess {
        .await
    }

+    pub async fn send_user_message_tool_call(
+        &mut self,
+        message: &str,
+        session_id: &str,
+    ) -> anyhow::Result<i64> {
+        let params = ToolCallRequestParams::ConversationSendMessage(ConversationSendMessageArgs {
+            conversation_id: ConversationId(Uuid::parse_str(session_id)?),
+            content: vec![InputItem::Text {
+                text: message.to_string(),
+            }],
+            parent_message_id: None,
+            conversation_overrides: None,
+        });
+        self.send_request(
+            mcp_types::CallToolRequest::METHOD,
+            Some(serde_json::to_value(params)?),
+        )
+        .await
+    }
+
    async fn send_request(
        &mut self,
        method: &str,
@@ -270,27 +296,49 @@ impl McpProcess {
    pub async fn read_stream_until_configured_response_message(
        &mut self,
    ) -> anyhow::Result<String> {
+        let mut sid_old: Option<String> = None;
+        let mut sid_new: Option<String> = None;
        loop {
            let message = self.read_jsonrpc_message().await?;
            eprint!("message: {message:?}");

            match message {
                JSONRPCMessage::Notification(notification) => {
-                    if notification.method == "codex/event" {
-                        if let Some(params) = notification.params {
+                    if let Some(params) = notification.params {
+                        // Back-compat schema: method == "codex/event" and msg.type == "session_configured"
+                        if notification.method == "codex/event" {
                            if let Some(msg) = params.get("msg") {
-                                if let Some(msg_type) = msg.get("type") {
-                                    if msg_type == "session_configured" {
-                                        if let Some(session_id) = msg.get("session_id") {
-                                            return Ok(session_id
-                                                .to_string()
-                                                .trim_matches('"')
-                                                .to_string());
-                                        }
+                                if msg.get("type").and_then(|v| v.as_str())
+                                    == Some("session_configured")
+                                {
+                                    if let Some(session_id) =
+                                        msg.get("session_id").and_then(|v| v.as_str())
+                                    {
+                                        sid_old = Some(session_id.to_string());
                                    }
                                }
                            }
                        }
+                        // New schema: method is the Display of EventMsg::SessionConfigured => "SessionConfigured"
+                        if notification.method == "session_configured" {
+                            if let Some(msg) = params.get("msg") {
+                                if let Some(session_id) =
+                                    msg.get("session_id").and_then(|v| v.as_str())
+                                {
+                                    sid_new = Some(session_id.to_string());
+                                }
+                            }
+                        }
+                    }
+
+                    if sid_old.is_some() && sid_new.is_some() {
+                        // Both seen, they must match
+                        assert_eq!(
+                            sid_old.as_ref().unwrap(),
+                            sid_new.as_ref().unwrap(),
+                            "session_id mismatch between old and new schema"
+                        );
+                        return Ok(sid_old.unwrap());
                    }
                }
                JSONRPCMessage::Request(_) => {
--- a/codex-rs/mcp-server/tests/interrupt.rs
+++ b/codex-rs/mcp-server/tests/interrupt.rs
@@ -3,7 +3,7 @@

 use std::path::Path;

-use codex_core::exec::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;
+use codex_core::spawn::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;
 use codex_mcp_server::CodexToolCallParam;
 use mcp_types::JSONRPCResponse;
 use mcp_types::RequestId;
@@ -81,6 +81,7 @@ async fn shell_command_interruption() -> anyhow::Result<()> {
            sandbox: None,
            config: None,
            base_instructions: None,
+            include_plan_tool: None,
        })
        .await?;

--- a/codex-rs/mcp-types/Cargo.toml
+++ b/codex-rs/mcp-types/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
+edition = "2024"
 name = "mcp-types"
 version = { workspace = true }
-edition = "2024"

 [lints]
 workspace = true
--- a/codex-rs/tui/Cargo.toml
+++ b/codex-rs/tui/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-tui"
 version = { workspace = true }
-edition = "2024"

 [[bin]]
 name = "codex-tui"
@@ -19,14 +19,14 @@ anyhow = "1"
 base64 = "0.22.1"
 clap = { version = "4", features = ["derive"] }
 codex-ansi-escape = { path = "../ansi-escape" }
-codex-core = { path = "../core" }
+codex-arg0 = { path = "../arg0" }
 codex-common = { path = "../common", features = [
    "cli",
    "elapsed",
    "sandbox_summary",
 ] }
+codex-core = { path = "../core" }
 codex-file-search = { path = "../file-search" }
-codex-linux-sandbox = { path = "../linux-sandbox" }
 codex-login = { path = "../login" }
 color-eyre = "0.6.3"
 crossterm = { version = "0.28.1", features = ["bracketed-paste"] }
@@ -35,8 +35,9 @@ lazy_static = "1"
 mcp-types = { path = "../mcp-types" }
 path-clean = "1.0.1"
 ratatui = { version = "0.29.0", features = [
-    "unstable-widget-ref",
+    "scrolling-regions",
    "unstable-rendered-line-info",
+    "unstable-widget-ref",
 ] }
 ratatui-image = "8.0.0"
 regex-lite = "0.1"
@@ -61,6 +62,8 @@ unicode-segmentation = "1.12.0"
 unicode-width = "0.1"
 uuid = "1"

+
+
 [dev-dependencies]
 insta = "1.43.1"
 pretty_assertions = "1"
--- a/codex-rs/tui/src/app.rs
+++ b/codex-rs/tui/src/app.rs
@@ -5,17 +5,20 @@ use crate::file_search::FileSearchManager;
 use crate::get_git_diff::get_git_diff;
 use crate::git_warning_screen::GitWarningOutcome;
 use crate::git_warning_screen::GitWarningScreen;
-use crate::login_screen::LoginScreen;
-use crate::scroll_event_helper::ScrollEventHelper;
 use crate::slash_command::SlashCommand;
 use crate::tui;
 use codex_core::config::Config;
 use codex_core::protocol::Event;
+use codex_core::protocol::EventMsg;
 use color_eyre::eyre::Result;
+use crossterm::SynchronizedUpdate;
 use crossterm::event::KeyCode;
 use crossterm::event::KeyEvent;
-use crossterm::event::MouseEvent;
-use crossterm::event::MouseEventKind;
+use crossterm::event::KeyEventKind;
+use crossterm::terminal::supports_keyboard_enhancement;
+use ratatui::layout::Offset;
+use ratatui::prelude::Backend;
+use ratatui::text::Line;
 use std::path::PathBuf;
 use std::sync::Arc;
 use std::sync::atomic::AtomicBool;
@@ -25,6 +28,11 @@ use std::sync::mpsc::channel;
 use std::thread;
 use std::time::Duration;

+enum PendingHistoryOp {
+    Insert(Vec<Line<'static>>),
+    Overwrite(Line<'static>),
+}
+
 /// Time window for debouncing redraw requests.
 const REDRAW_DEBOUNCE: Duration = Duration::from_millis(10);

@@ -37,8 +45,6 @@ enum AppState<'a> {
        /// `AppState`.
        widget: Box<ChatWidget<'a>>,
    },
-    /// The login screen for the OpenAI provider.
-    Login { screen: LoginScreen },
    /// The start-up warning that recommends running codex inside a Git repo.
    GitWarning { screen: GitWarningScreen },
 }
@@ -56,9 +62,13 @@ pub(crate) struct App<'a> {
    /// True when a redraw has been scheduled but not yet executed.
    pending_redraw: Arc<AtomicBool>,

+    pending_history_ops: Vec<PendingHistoryOp>,
+
    /// Stored parameters needed to instantiate the ChatWidget later, e.g.,
    /// after dismissing the Git-repo warning.
    chat_args: Option<ChatWidgetArgs>,
+
+    enhanced_keys_supported: bool,
 }

 /// Aggregate parameters needed to create a `ChatWidget`, as creation may be
@@ -68,20 +78,21 @@ struct ChatWidgetArgs {
    config: Config,
    initial_prompt: Option<String>,
    initial_images: Vec<PathBuf>,
+    enhanced_keys_supported: bool,
 }

 impl App<'_> {
    pub(crate) fn new(
        config: Config,
        initial_prompt: Option<String>,
-        show_login_screen: bool,
        show_git_warning: bool,
        initial_images: Vec<std::path::PathBuf>,
    ) -> Self {
        let (app_event_tx, app_event_rx) = channel();
        let app_event_tx = AppEventSender::new(app_event_tx);
        let pending_redraw = Arc::new(AtomicBool::new(false));
-        let scroll_event_helper = ScrollEventHelper::new(app_event_tx.clone());
+
+        let enhanced_keys_supported = supports_keyboard_enhancement().unwrap_or(false);

        // Spawn a dedicated thread for reading the crossterm event loop and
        // re-publishing the events as AppEvents, as appropriate.
@@ -104,18 +115,6 @@ impl App<'_> {
                                crossterm::event::Event::Resize(_, _) => {
                                    app_event_tx.send(AppEvent::RequestRedraw);
                                }
-                                crossterm::event::Event::Mouse(MouseEvent {
-                                    kind: MouseEventKind::ScrollUp,
-                                    ..
-                                }) => {
-                                    scroll_event_helper.scroll_up();
-                                }
-                                crossterm::event::Event::Mouse(MouseEvent {
-                                    kind: MouseEventKind::ScrollDown,
-                                    ..
-                                }) => {
-                                    scroll_event_helper.scroll_down();
-                                }
                                crossterm::event::Event::Paste(pasted) => {
                                    // Many terminals convert newlines to \r when
                                    // pasting, e.g. [iTerm2][]. But [tui-textarea
@@ -138,18 +137,7 @@ impl App<'_> {
            });
        }

-        let (app_state, chat_args) = if show_login_screen {
-            (
-                AppState::Login {
-                    screen: LoginScreen::new(app_event_tx.clone(), config.codex_home.clone()),
-                },
-                Some(ChatWidgetArgs {
-                    config: config.clone(),
-                    initial_prompt,
-                    initial_images,
-                }),
-            )
-        } else if show_git_warning {
+        let (app_state, chat_args) = if show_git_warning {
            (
                AppState::GitWarning {
                    screen: GitWarningScreen::new(),
@@ -158,6 +146,7 @@ impl App<'_> {
                    config: config.clone(),
                    initial_prompt,
                    initial_images,
+                    enhanced_keys_supported,
                }),
            )
        } else {
@@ -166,6 +155,7 @@ impl App<'_> {
                app_event_tx.clone(),
                initial_prompt,
                initial_images,
+                enhanced_keys_supported,
            );
            (
                AppState::Chat {
@@ -178,12 +168,14 @@ impl App<'_> {
        let file_search = FileSearchManager::new(config.cwd.clone(), app_event_tx.clone());
        Self {
            app_event_tx,
+            pending_history_ops: Vec::new(),
            app_event_rx,
            app_state,
            config,
            file_search,
            pending_redraw,
            chat_args,
+            enhanced_keys_supported,
        }
    }

@@ -223,27 +215,34 @@ impl App<'_> {
        while let Ok(event) = self.app_event_rx.recv() {
            match event {
                AppEvent::InsertHistory(lines) => {
-                    crate::insert_history::insert_history_lines(terminal, lines);
+                    self.pending_history_ops
+                        .push(PendingHistoryOp::Insert(lines));
+                    self.app_event_tx.send(AppEvent::RequestRedraw);
+                }
+                AppEvent::OverwriteHistoryLine(line) => {
+                    self.pending_history_ops
+                        .push(PendingHistoryOp::Overwrite(line));
                    self.app_event_tx.send(AppEvent::RequestRedraw);
                }
                AppEvent::RequestRedraw => {
                    self.schedule_redraw();
                }
                AppEvent::Redraw => {
-                    self.draw_next_frame(terminal)?;
+                    std::io::stdout().sync_update(|_| self.draw_next_frame(terminal))??;
                }
                AppEvent::KeyEvent(key_event) => {
                    match key_event {
                        KeyEvent {
                            code: KeyCode::Char('c'),
                            modifiers: crossterm::event::KeyModifiers::CONTROL,
+                            kind: KeyEventKind::Press,
                            ..
                        } => {
                            match &mut self.app_state {
                                AppState::Chat { widget } => {
                                    widget.on_ctrl_c();
                                }
-                                AppState::Login { .. } | AppState::GitWarning { .. } => {
+                                AppState::GitWarning { .. } => {
                                    // No-op.
                                }
                            }
@@ -251,6 +250,7 @@ impl App<'_> {
                        KeyEvent {
                            code: KeyCode::Char('d'),
                            modifiers: crossterm::event::KeyModifiers::CONTROL,
+                            kind: KeyEventKind::Press,
                            ..
                        } => {
                            match &mut self.app_state {
@@ -264,19 +264,22 @@ impl App<'_> {
                                        self.dispatch_key_event(key_event);
                                    }
                                }
-                                AppState::Login { .. } | AppState::GitWarning { .. } => {
+                                AppState::GitWarning { .. } => {
                                    self.app_event_tx.send(AppEvent::ExitRequest);
                                }
                            }
                        }
-                        _ => {
+                        KeyEvent {
+                            kind: KeyEventKind::Press | KeyEventKind::Repeat,
+                            ..
+                        } => {
                            self.dispatch_key_event(key_event);
                        }
+                        _ => {
+                            // Ignore Release key events for now.
+                        }
                    };
                }
-                AppEvent::Scroll(scroll_delta) => {
-                    self.dispatch_scroll_event(scroll_delta);
-                }
                AppEvent::Paste(text) => {
                    self.dispatch_paste_event(text);
                }
@@ -288,11 +291,11 @@ impl App<'_> {
                }
                AppEvent::CodexOp(op) => match &mut self.app_state {
                    AppState::Chat { widget } => widget.submit_op(op),
-                    AppState::Login { .. } | AppState::GitWarning { .. } => {}
+                    AppState::GitWarning { .. } => {}
                },
                AppEvent::LatestLog(line) => match &mut self.app_state {
                    AppState::Chat { widget } => widget.update_latest_log(line),
-                    AppState::Login { .. } | AppState::GitWarning { .. } => {}
+                    AppState::GitWarning { .. } => {}
                },
                AppEvent::DispatchCommand(command) => match command {
                    SlashCommand::New => {
@@ -301,6 +304,7 @@ impl App<'_> {
                            self.app_event_tx.clone(),
                            None,
                            Vec::new(),
+                            self.enhanced_keys_supported,
                        ));
                        self.app_state = AppState::Chat { widget: new_widget };
                        self.app_event_tx.send(AppEvent::RequestRedraw);
@@ -329,6 +333,45 @@ impl App<'_> {
                            widget.add_diff_output(text);
                        }
                    }
+                    #[cfg(debug_assertions)]
+                    SlashCommand::TestApproval => {
+                        use std::collections::HashMap;
+
+                        use codex_core::protocol::ApplyPatchApprovalRequestEvent;
+                        use codex_core::protocol::FileChange;
+
+                        self.app_event_tx.send(AppEvent::CodexEvent(Event {
+                            id: "1".to_string(),
+                            // msg: EventMsg::ExecApprovalRequest(ExecApprovalRequestEvent {
+                            //     call_id: "1".to_string(),
+                            //     command: vec!["git".into(), "apply".into()],
+                            //     cwd: self.config.cwd.clone(),
+                            //     reason: Some("test".to_string()),
+                            // }),
+                            msg: EventMsg::ApplyPatchApprovalRequest(
+                                ApplyPatchApprovalRequestEvent {
+                                    call_id: "1".to_string(),
+                                    changes: HashMap::from([
+                                        (
+                                            PathBuf::from("/tmp/test.txt"),
+                                            FileChange::Add {
+                                                content: "test".to_string(),
+                                            },
+                                        ),
+                                        (
+                                            PathBuf::from("/tmp/test2.txt"),
+                                            FileChange::Update {
+                                                unified_diff: "+test\n-test2".to_string(),
+                                                move_path: None,
+                                            },
+                                        ),
+                                    ]),
+                                    reason: None,
+                                    grant_root: Some(PathBuf::from("/tmp")),
+                                },
+                            ),
+                        }));
+                    }
                },
                AppEvent::StartFileSearch(query) => {
                    self.file_search.on_user_query(query);
@@ -348,22 +391,66 @@ impl App<'_> {
    pub(crate) fn token_usage(&self) -> codex_core::protocol::TokenUsage {
        match &self.app_state {
            AppState::Chat { widget } => widget.token_usage().clone(),
-            AppState::Login { .. } | AppState::GitWarning { .. } => {
-                codex_core::protocol::TokenUsage::default()
-            }
+            AppState::GitWarning { .. } => codex_core::protocol::TokenUsage::default(),
        }
    }

    fn draw_next_frame(&mut self, terminal: &mut tui::Tui) -> Result<()> {
-        // TODO: add a throttle to avoid redrawing too often
+        let screen_size = terminal.size()?;
+        let last_known_screen_size = terminal.last_known_screen_size;
+        if screen_size != last_known_screen_size {
+            let cursor_pos = terminal.get_cursor_position()?;
+            let last_known_cursor_pos = terminal.last_known_cursor_pos;
+            if cursor_pos.y != last_known_cursor_pos.y {
+                // The terminal was resized. The only point of reference we have for where our viewport
+                // was moved is the cursor position.
+                // NB this assumes that the cursor was not wrapped as part of the resize.
+                let cursor_delta = cursor_pos.y as i32 - last_known_cursor_pos.y as i32;

+                let new_viewport_area = terminal.viewport_area.offset(Offset {
+                    x: 0,
+                    y: cursor_delta,
+                });
+                terminal.set_viewport_area(new_viewport_area);
+                terminal.clear()?;
+            }
+        }
+
+        let size = terminal.size()?;
+        let desired_height = match &self.app_state {
+            AppState::Chat { widget } => widget.desired_height(size.width),
+            AppState::GitWarning { .. } => 10,
+        };
+
+        let mut area = terminal.viewport_area;
+        area.height = desired_height.min(size.height);
+        area.width = size.width;
+        if area.bottom() > size.height {
+            terminal
+                .backend_mut()
+                .scroll_region_up(0..area.top(), area.bottom() - size.height)?;
+            area.y = size.height - area.height;
+        }
+        if area != terminal.viewport_area {
+            terminal.clear()?;
+            terminal.set_viewport_area(area);
+        }
+        if !self.pending_history_ops.is_empty() {
+            for op in self.pending_history_ops.drain(..) {
+                match op {
+                    PendingHistoryOp::Insert(lines) => {
+                        crate::insert_history::insert_history_lines(terminal, lines);
+                    }
+                    PendingHistoryOp::Overwrite(line) => {
+                        crate::insert_history::overwrite_last_history_line(line);
+                    }
+                }
+            }
+        }
        match &mut self.app_state {
            AppState::Chat { widget } => {
                terminal.draw(|frame| frame.render_widget_ref(&**widget, frame.area()))?;
            }
-            AppState::Login { screen } => {
-                terminal.draw(|frame| frame.render_widget_ref(&*screen, frame.area()))?;
-            }
            AppState::GitWarning { screen } => {
                terminal.draw(|frame| frame.render_widget_ref(&*screen, frame.area()))?;
            }
@@ -378,7 +465,6 @@ impl App<'_> {
            AppState::Chat { widget } => {
                widget.handle_key_event(key_event);
            }
-            AppState::Login { screen } => screen.handle_key_event(key_event),
            AppState::GitWarning { screen } => match screen.handle_key_event(key_event) {
                GitWarningOutcome::Continue => {
                    // User accepted – switch to chat view.
@@ -392,6 +478,7 @@ impl App<'_> {
                        self.app_event_tx.clone(),
                        args.initial_prompt,
                        args.initial_images,
+                        args.enhanced_keys_supported,
                    ));
                    self.app_state = AppState::Chat { widget };
                    self.app_event_tx.send(AppEvent::RequestRedraw);
@@ -409,21 +496,14 @@ impl App<'_> {
    fn dispatch_paste_event(&mut self, pasted: String) {
        match &mut self.app_state {
            AppState::Chat { widget } => widget.handle_paste(pasted),
-            AppState::Login { .. } | AppState::GitWarning { .. } => {}
-        }
-    }
-
-    fn dispatch_scroll_event(&mut self, scroll_delta: i32) {
-        match &mut self.app_state {
-            AppState::Chat { widget } => widget.handle_scroll_delta(scroll_delta),
-            AppState::Login { .. } | AppState::GitWarning { .. } => {}
+            AppState::GitWarning { .. } => {}
        }
    }

    fn dispatch_codex_event(&mut self, event: Event) {
        match &mut self.app_state {
            AppState::Chat { widget } => widget.handle_codex_event(event),
-            AppState::Login { .. } | AppState::GitWarning { .. } => {}
+            AppState::GitWarning { .. } => {}
        }
    }
 }
--- a/codex-rs/tui/src/app_event.rs
+++ b/codex-rs/tui/src/app_event.rs
@@ -20,10 +20,6 @@ pub(crate) enum AppEvent {
    /// Text pasted from the terminal clipboard.
    Paste(String),

-    /// Scroll event with a value representing the "scroll delta" as the net
-    /// scroll up/down events within a short time window.
-    Scroll(i32),
-
    /// Request to exit the application gracefully.
    ExitRequest,

@@ -52,4 +48,6 @@ pub(crate) enum AppEvent {
    },

    InsertHistory(Vec<Line<'static>>),
+    /// Overwrite the last line in the scrollback with the provided content.
+    OverwriteHistoryLine(Line<'static>),
 }
--- a/codex-rs/tui/src/bottom_pane/approval_modal_view.rs
+++ b/codex-rs/tui/src/bottom_pane/approval_modal_view.rs
@@ -9,6 +9,7 @@ use crate::user_approval_widget::UserApprovalWidget;

 use super::BottomPane;
 use super::BottomPaneView;
+use super::CancellationEvent;

 /// Modal overlay asking the user to approve/deny a sequence of requests.
 pub(crate) struct ApprovalModalView<'a> {
@@ -46,10 +47,20 @@ impl<'a> BottomPaneView<'a> for ApprovalModalView<'a> {
        self.maybe_advance();
    }

+    fn on_ctrl_c(&mut self, _pane: &mut BottomPane<'a>) -> CancellationEvent {
+        self.current.on_ctrl_c();
+        self.queue.clear();
+        CancellationEvent::Handled
+    }
+
    fn is_complete(&self) -> bool {
        self.current.is_complete() && self.queue.is_empty()
    }

+    fn desired_height(&self, width: u16) -> u16 {
+        self.current.desired_height(width)
+    }
+
    fn render(&self, area: Rect, buf: &mut Buffer) {
        (&self.current).render_ref(area, buf);
    }
@@ -59,3 +70,40 @@ impl<'a> BottomPaneView<'a> for ApprovalModalView<'a> {
        None
    }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::app_event::AppEvent;
+    use std::path::PathBuf;
+    use std::sync::mpsc::channel;
+
+    fn make_exec_request() -> ApprovalRequest {
+        ApprovalRequest::Exec {
+            id: "test".to_string(),
+            command: vec!["echo".to_string(), "hi".to_string()],
+            cwd: PathBuf::from("/tmp"),
+            reason: None,
+        }
+    }
+
+    #[test]
+    fn ctrl_c_aborts_and_clears_queue() {
+        let (tx_raw, _rx) = channel::<AppEvent>();
+        let tx = AppEventSender::new(tx_raw);
+        let first = make_exec_request();
+        let mut view = ApprovalModalView::new(first, tx);
+        view.enqueue_request(make_exec_request());
+
+        let (tx_raw2, _rx2) = channel::<AppEvent>();
+        let mut pane = BottomPane::new(super::super::BottomPaneParams {
+            app_event_tx: AppEventSender::new(tx_raw2),
+            has_input_focus: true,
+            enhanced_keys_supported: false,
+        });
+        assert_eq!(CancellationEvent::Handled, view.on_ctrl_c(&mut pane));
+        assert!(view.queue.is_empty());
+        assert!(view.current.is_complete());
+        assert!(view.is_complete());
+    }
+}
--- a/codex-rs/tui/src/bottom_pane/bottom_pane_view.rs
+++ b/codex-rs/tui/src/bottom_pane/bottom_pane_view.rs
@@ -4,6 +4,7 @@ use ratatui::buffer::Buffer;
 use ratatui::layout::Rect;

 use super::BottomPane;
+use super::CancellationEvent;

 /// Type to use for a method that may require a redraw of the UI.
 pub(crate) enum ConditionalUpdate {
@@ -22,6 +23,14 @@ pub(crate) trait BottomPaneView<'a> {
        false
    }

+    /// Handle Ctrl-C while this view is active.
+    fn on_ctrl_c(&mut self, _pane: &mut BottomPane<'a>) -> CancellationEvent {
+        CancellationEvent::Ignored
+    }
+
+    /// Return the desired height of the view.
+    fn desired_height(&self, width: u16) -> u16;
+
    /// Render the view: this will be displayed in place of the composer.
    fn render(&self, area: Rect, buf: &mut Buffer);

--- a/codex-rs/tui/src/bottom_pane/chat_composer.rs
+++ b/codex-rs/tui/src/bottom_pane/chat_composer.rs
@@ -1,11 +1,13 @@
 use codex_core::protocol::TokenUsage;
 use crossterm::event::KeyEvent;
 use ratatui::buffer::Buffer;
-use ratatui::layout::Alignment;
 use ratatui::layout::Rect;
+use ratatui::style::Color;
 use ratatui::style::Style;
+use ratatui::style::Styled;
 use ratatui::style::Stylize;
 use ratatui::text::Line;
+use ratatui::text::Span;
 use ratatui::widgets::BorderType;
 use ratatui::widgets::Borders;
 use ratatui::widgets::Widget;
@@ -22,7 +24,7 @@ use crate::app_event::AppEvent;
 use crate::app_event_sender::AppEventSender;
 use codex_file_search::FileMatch;

-const BASE_PLACEHOLDER_TEXT: &str = "send a message";
+const BASE_PLACEHOLDER_TEXT: &str = "...";
 /// If the pasted content exceeds this number of characters, replace it with a
 /// placeholder in the UI.
 const LARGE_PASTE_CHAR_THRESHOLD: usize = 1000;
@@ -39,6 +41,7 @@ pub(crate) struct ChatComposer<'a> {
    app_event_tx: AppEventSender,
    history: ChatComposerHistory,
    ctrl_c_quit_hint: bool,
+    use_shift_enter_hint: bool,
    dismissed_file_popup_token: Option<String>,
    current_file_query: Option<String>,
    pending_pastes: Vec<(String, String)>,
@@ -52,17 +55,24 @@ enum ActivePopup {
 }

 impl ChatComposer<'_> {
-    pub fn new(has_input_focus: bool, app_event_tx: AppEventSender) -> Self {
+    pub fn new(
+        has_input_focus: bool,
+        app_event_tx: AppEventSender,
+        enhanced_keys_supported: bool,
+    ) -> Self {
        let mut textarea = TextArea::default();
        textarea.set_placeholder_text(BASE_PLACEHOLDER_TEXT);
        textarea.set_cursor_line_style(ratatui::style::Style::default());

+        let use_shift_enter_hint = enhanced_keys_supported;
+
        let mut this = Self {
            textarea,
            active_popup: ActivePopup::None,
            app_event_tx,
            history: ChatComposerHistory::new(),
            ctrl_c_quit_hint: false,
+            use_shift_enter_hint,
            dismissed_file_popup_token: None,
            current_file_query: None,
            pending_pastes: Vec::new(),
@@ -71,6 +81,15 @@ impl ChatComposer<'_> {
        this
    }

+    pub fn desired_height(&self) -> u16 {
+        self.textarea.lines().len().max(1) as u16
+            + match &self.active_popup {
+                ActivePopup::None => 1u16,
+                ActivePopup::Command(c) => c.calculate_required_height(),
+                ActivePopup::File(c) => c.calculate_required_height(),
+            }
+    }
+
    /// Returns true if the composer currently contains no user input.
    pub(crate) fn is_empty(&self) -> bool {
        self.textarea.is_empty()
@@ -127,10 +146,6 @@ impl ChatComposer<'_> {
            .on_entry_response(log_id, offset, entry, &mut self.textarea)
    }

-    pub fn set_input_focus(&mut self, has_focus: bool) {
-        self.update_border(has_focus);
-    }
-
    pub fn handle_paste(&mut self, pasted: String) -> bool {
        let char_count = pasted.chars().count();
        if char_count > LARGE_PASTE_CHAR_THRESHOLD {
@@ -464,6 +479,20 @@ impl ChatComposer<'_> {
                self.textarea.insert_newline();
                (InputResult::None, true)
            }
+            Input {
+                key: Key::Char('d'),
+                ctrl: true,
+                alt: false,
+                shift: false,
+            } => {
+                self.textarea.input(Input {
+                    key: Key::Delete,
+                    ctrl: false,
+                    alt: false,
+                    shift: false,
+                });
+                (InputResult::None, true)
+            }
            input => self.handle_input_basic(input),
        }
    }
@@ -481,6 +510,17 @@ impl ChatComposer<'_> {
            }
        }

+        if let Input {
+            key: Key::Char('u'),
+            ctrl: true,
+            alt: false,
+            ..
+        } = input
+        {
+            self.textarea.delete_line_by_head();
+            return (InputResult::None, true);
+        }
+
        // Normal input handling
        self.textarea.input(input);
        let text_after = self.textarea.lines().join("\n");
@@ -605,95 +645,99 @@ impl ChatComposer<'_> {
    }

    fn update_border(&mut self, has_focus: bool) {
-        struct BlockState {
-            right_title: Line<'static>,
-            border_style: Style,
-        }
-
-        let bs = if has_focus {
-            if self.ctrl_c_quit_hint {
-                BlockState {
-                    right_title: Line::from("Ctrl+C to quit").alignment(Alignment::Right),
-                    border_style: Style::default(),
-                }
-            } else {
-                BlockState {
-                    right_title: Line::from("Enter to send | Ctrl+D to quit | Ctrl+J for newline")
-                        .alignment(Alignment::Right),
-                    border_style: Style::default(),
-                }
-            }
+        let border_style = if has_focus {
+            Style::default().fg(Color::Cyan)
        } else {
-            BlockState {
-                right_title: Line::from(""),
-                border_style: Style::default().dim(),
-            }
+            Style::default().dim()
        };

        self.textarea.set_block(
            ratatui::widgets::Block::default()
-                .title_bottom(bs.right_title)
-                .borders(Borders::ALL)
-                .border_type(BorderType::Rounded)
-                .border_style(bs.border_style),
+                .borders(Borders::LEFT)
+                .border_type(BorderType::QuadrantOutside)
+                .border_style(border_style),
        );
    }
-
-    pub(crate) fn is_popup_visible(&self) -> bool {
-        match self.active_popup {
-            ActivePopup::Command(_) | ActivePopup::File(_) => true,
-            ActivePopup::None => false,
-        }
-    }
 }

 impl WidgetRef for &ChatComposer<'_> {
    fn render_ref(&self, area: Rect, buf: &mut Buffer) {
        match &self.active_popup {
            ActivePopup::Command(popup) => {
-                let popup_height = popup.calculate_required_height(&area);
+                let popup_height = popup.calculate_required_height();

                // Split the provided rect so that the popup is rendered at the
-                // *top* and the textarea occupies the remaining space below.
-                let popup_rect = Rect {
+                // **bottom** and the textarea occupies the remaining space above.
+                let popup_height = popup_height.min(area.height);
+                let textarea_rect = Rect {
                    x: area.x,
                    y: area.y,
                    width: area.width,
-                    height: popup_height.min(area.height),
+                    height: area.height.saturating_sub(popup_height),
                };
-
-                let textarea_rect = Rect {
+                let popup_rect = Rect {
                    x: area.x,
-                    y: area.y + popup_rect.height,
+                    y: area.y + textarea_rect.height,
                    width: area.width,
-                    height: area.height.saturating_sub(popup_rect.height),
+                    height: popup_height,
                };

                popup.render(popup_rect, buf);
                self.textarea.render(textarea_rect, buf);
            }
            ActivePopup::File(popup) => {
-                let popup_height = popup.calculate_required_height(&area);
+                let popup_height = popup.calculate_required_height();

-                let popup_rect = Rect {
+                let popup_height = popup_height.min(area.height);
+                let textarea_rect = Rect {
                    x: area.x,
                    y: area.y,
                    width: area.width,
-                    height: popup_height.min(area.height),
-                };
-
-                let textarea_rect = Rect {
-                    x: area.x,
-                    y: area.y + popup_rect.height,
-                    width: area.width,
                    height: area.height.saturating_sub(popup_height),
                };
+                let popup_rect = Rect {
+                    x: area.x,
+                    y: area.y + textarea_rect.height,
+                    width: area.width,
+                    height: popup_height,
+                };

                popup.render(popup_rect, buf);
                self.textarea.render(textarea_rect, buf);
            }
            ActivePopup::None => {
-                self.textarea.render(area, buf);
+                let mut textarea_rect = area;
+                textarea_rect.height = textarea_rect.height.saturating_sub(1);
+                self.textarea.render(textarea_rect, buf);
+                let mut bottom_line_rect = area;
+                bottom_line_rect.y += textarea_rect.height;
+                bottom_line_rect.height = 1;
+                let key_hint_style = Style::default().fg(Color::Cyan);
+                let hint = if self.ctrl_c_quit_hint {
+                    vec![
+                        Span::from(" "),
+                        "Ctrl+C again".set_style(key_hint_style),
+                        Span::from(" to quit"),
+                    ]
+                } else {
+                    let newline_hint_key = if self.use_shift_enter_hint {
+                        "Shift+⏎"
+                    } else {
+                        "Ctrl+J"
+                    };
+                    vec![
+                        Span::from(" "),
+                        "⏎".set_style(key_hint_style),
+                        Span::from(" send   "),
+                        newline_hint_key.set_style(key_hint_style),
+                        Span::from(" newline   "),
+                        "Ctrl+C".set_style(key_hint_style),
+                        Span::from(" quit"),
+                    ]
+                };
+                Line::from(hint)
+                    .style(Style::default().dim())
+                    .render_ref(bottom_line_rect, buf);
            }
        }
    }
@@ -859,7 +903,7 @@ mod tests {

        let (tx, _rx) = std::sync::mpsc::channel();
        let sender = AppEventSender::new(tx);
-        let mut composer = ChatComposer::new(true, sender);
+        let mut composer = ChatComposer::new(true, sender, false);

        let needs_redraw = composer.handle_paste("hello".to_string());
        assert!(needs_redraw);
@@ -882,7 +926,7 @@ mod tests {

        let (tx, _rx) = std::sync::mpsc::channel();
        let sender = AppEventSender::new(tx);
-        let mut composer = ChatComposer::new(true, sender);
+        let mut composer = ChatComposer::new(true, sender, false);

        let large = "x".repeat(LARGE_PASTE_CHAR_THRESHOLD + 10);
        let needs_redraw = composer.handle_paste(large.clone());
@@ -911,7 +955,7 @@ mod tests {
        let large = "y".repeat(LARGE_PASTE_CHAR_THRESHOLD + 1);
        let (tx, _rx) = std::sync::mpsc::channel();
        let sender = AppEventSender::new(tx);
-        let mut composer = ChatComposer::new(true, sender);
+        let mut composer = ChatComposer::new(true, sender, false);

        composer.handle_paste(large);
        assert_eq!(composer.pending_pastes.len(), 1);
@@ -947,7 +991,7 @@ mod tests {

        for (name, input) in test_cases {
            // Create a fresh composer for each test case
-            let mut composer = ChatComposer::new(true, sender.clone());
+            let mut composer = ChatComposer::new(true, sender.clone(), false);

            if let Some(text) = input {
                composer.handle_paste(text);
@@ -984,7 +1028,7 @@ mod tests {

        let (tx, _rx) = std::sync::mpsc::channel();
        let sender = AppEventSender::new(tx);
-        let mut composer = ChatComposer::new(true, sender);
+        let mut composer = ChatComposer::new(true, sender, false);

        // Define test cases: (paste content, is_large)
        let test_cases = [
@@ -1057,7 +1101,7 @@ mod tests {

        let (tx, _rx) = std::sync::mpsc::channel();
        let sender = AppEventSender::new(tx);
-        let mut composer = ChatComposer::new(true, sender);
+        let mut composer = ChatComposer::new(true, sender, false);

        // Define test cases: (content, is_large)
        let test_cases = [
@@ -1130,7 +1174,7 @@ mod tests {

        let (tx, _rx) = std::sync::mpsc::channel();
        let sender = AppEventSender::new(tx);
-        let mut composer = ChatComposer::new(true, sender);
+        let mut composer = ChatComposer::new(true, sender, false);

        // Define test cases: (cursor_position_from_end, expected_pending_count)
        let test_cases = [
--- a/codex-rs/tui/src/bottom_pane/command_popup.rs
+++ b/codex-rs/tui/src/bottom_pane/command_popup.rs
@@ -3,9 +3,9 @@ use ratatui::layout::Rect;
 use ratatui::style::Color;
 use ratatui::style::Style;
 use ratatui::style::Stylize;
-use ratatui::widgets::Block;
-use ratatui::widgets::BorderType;
-use ratatui::widgets::Borders;
+use ratatui::symbols::border::QUADRANT_LEFT_HALF;
+use ratatui::text::Line;
+use ratatui::text::Span;
 use ratatui::widgets::Cell;
 use ratatui::widgets::Row;
 use ratatui::widgets::Table;
@@ -71,12 +71,8 @@ impl CommandPopup {
    /// Determine the preferred height of the popup. This is the number of
    /// rows required to show **at most** `MAX_POPUP_ROWS` commands plus the
    /// table/border overhead (one line at the top and one at the bottom).
-    pub(crate) fn calculate_required_height(&self, _area: &Rect) -> u16 {
-        let matches = self.filtered_commands();
-        let row_count = matches.len().clamp(1, MAX_POPUP_ROWS) as u16;
-        // Account for the border added by the Block that wraps the table.
-        // 2 = one line at the top, one at the bottom.
-        row_count + 2
+    pub(crate) fn calculate_required_height(&self) -> u16 {
+        self.filtered_commands().len().clamp(1, MAX_POPUP_ROWS) as u16
    }

    /// Return the list of commands that match the current filter. Matching is
@@ -158,18 +154,19 @@ impl WidgetRef for CommandPopup {
            let default_style = Style::default();
            let command_style = Style::default().fg(Color::LightBlue);
            for (idx, cmd) in visible_matches.iter().enumerate() {
-                let (cmd_style, desc_style) = if Some(idx) == self.selected_idx {
-                    (
-                        command_style.bg(Color::DarkGray),
-                        default_style.bg(Color::DarkGray),
-                    )
-                } else {
-                    (command_style, default_style)
-                };
-
                rows.push(Row::new(vec![
-                    Cell::from(format!("/{}", cmd.command())).style(cmd_style),
-                    Cell::from(cmd.description().to_string()).style(desc_style),
+                    Cell::from(Line::from(vec![
+                        if Some(idx) == self.selected_idx {
+                            Span::styled(
+                                "›",
+                                Style::default().bg(Color::DarkGray).fg(Color::LightCyan),
+                            )
+                        } else {
+                            Span::styled(QUADRANT_LEFT_HALF, Style::default().fg(Color::DarkGray))
+                        },
+                        Span::styled(format!("/{}", cmd.command()), command_style),
+                    ])),
+                    Cell::from(cmd.description().to_string()).style(default_style),
                ]));
            }
        }
@@ -180,12 +177,13 @@ impl WidgetRef for CommandPopup {
            rows,
            [Constraint::Length(FIRST_COLUMN_WIDTH), Constraint::Min(10)],
        )
-        .column_spacing(0)
-        .block(
-            Block::default()
-                .borders(Borders::ALL)
-                .border_type(BorderType::Rounded),
-        );
+        .column_spacing(0);
+        // .block(
+        //     Block::default()
+        //         .borders(Borders::LEFT)
+        //         .border_type(BorderType::QuadrantOutside)
+        //         .border_style(Style::default().fg(Color::DarkGray)),
+        // );

        table.render(area, buf);
    }
--- a/codex-rs/tui/src/bottom_pane/file_search_popup.rs
+++ b/codex-rs/tui/src/bottom_pane/file_search_popup.rs
@@ -109,18 +109,14 @@ impl FileSearchPopup {
    }

    /// Preferred height (rows) including border.
-    pub(crate) fn calculate_required_height(&self, _area: &Rect) -> u16 {
+    pub(crate) fn calculate_required_height(&self) -> u16 {
        // Row count depends on whether we already have matches. If no matches
        // yet (e.g. initial search or query with no results) reserve a single
        // row so the popup is still visible. When matches are present we show
        // up to MAX_RESULTS regardless of the waiting flag so the list
        // remains stable while a newer search is in-flight.
-        let rows = if self.matches.is_empty() {
-            1
-        } else {
-            self.matches.len().clamp(1, MAX_RESULTS)
-        } as u16;
-        rows + 2 // border
+
+        self.matches.len().clamp(1, MAX_RESULTS) as u16
    }
 }

@@ -128,7 +124,14 @@ impl WidgetRef for &FileSearchPopup {
    fn render_ref(&self, area: Rect, buf: &mut Buffer) {
        // Prepare rows.
        let rows: Vec<Row> = if self.matches.is_empty() {
-            vec![Row::new(vec![Cell::from(" no matches ")])]
+            vec![Row::new(vec![
+                Cell::from(if self.waiting {
+                    "(searching …)"
+                } else {
+                    "no matches"
+                })
+                .style(Style::new().add_modifier(Modifier::ITALIC | Modifier::DIM)),
+            ])]
        } else {
            self.matches
                .iter()
@@ -169,17 +172,12 @@ impl WidgetRef for &FileSearchPopup {
                .collect()
        };

-        let mut title = format!(" @{} ", self.pending_query);
-        if self.waiting {
-            title.push_str(" (searching …)");
-        }
-
        let table = Table::new(rows, vec![Constraint::Percentage(100)])
            .block(
                Block::default()
-                    .borders(Borders::ALL)
-                    .border_type(BorderType::Rounded)
-                    .title(title),
+                    .borders(Borders::LEFT)
+                    .border_type(BorderType::QuadrantOutside)
+                    .border_style(Style::default().fg(Color::DarkGray)),
            )
            .widths([Constraint::Percentage(100)]);

--- a/codex-rs/tui/src/bottom_pane/mod.rs
+++ b/codex-rs/tui/src/bottom_pane/mod.rs
@@ -20,6 +20,12 @@ mod command_popup;
 mod file_search_popup;
 mod status_indicator_view;

+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub(crate) enum CancellationEvent {
+    Ignored,
+    Handled,
+}
+
 pub(crate) use chat_composer::ChatComposer;
 pub(crate) use chat_composer::InputResult;

@@ -44,12 +50,18 @@ pub(crate) struct BottomPane<'a> {
 pub(crate) struct BottomPaneParams {
    pub(crate) app_event_tx: AppEventSender,
    pub(crate) has_input_focus: bool,
+    pub(crate) enhanced_keys_supported: bool,
 }

 impl BottomPane<'_> {
    pub fn new(params: BottomPaneParams) -> Self {
+        let enhanced_keys_supported = params.enhanced_keys_supported;
        Self {
-            composer: ChatComposer::new(params.has_input_focus, params.app_event_tx.clone()),
+            composer: ChatComposer::new(
+                params.has_input_focus,
+                params.app_event_tx.clone(),
+                enhanced_keys_supported,
+            ),
            active_view: None,
            app_event_tx: params.app_event_tx,
            has_input_focus: params.has_input_focus,
@@ -58,6 +70,13 @@ impl BottomPane<'_> {
        }
    }

+    pub fn desired_height(&self, width: u16) -> u16 {
+        self.active_view
+            .as_ref()
+            .map(|v| v.desired_height(width))
+            .unwrap_or(self.composer.desired_height())
+    }
+
    /// Forward a key event to the active view or the composer.
    pub fn handle_key_event(&mut self, key_event: KeyEvent) -> InputResult {
        if let Some(mut view) = self.active_view.take() {
@@ -80,6 +99,33 @@ impl BottomPane<'_> {
        }
    }

+    /// Handle Ctrl-C in the bottom pane. If a modal view is active it gets a
+    /// chance to consume the event (e.g. to dismiss itself).
+    pub(crate) fn on_ctrl_c(&mut self) -> CancellationEvent {
+        let mut view = match self.active_view.take() {
+            Some(view) => view,
+            None => return CancellationEvent::Ignored,
+        };
+
+        let event = view.on_ctrl_c(self);
+        match event {
+            CancellationEvent::Handled => {
+                if !view.is_complete() {
+                    self.active_view = Some(view);
+                } else if self.is_task_running {
+                    self.active_view = Some(Box::new(StatusIndicatorView::new(
+                        self.app_event_tx.clone(),
+                    )));
+                }
+                self.show_ctrl_c_quit_hint();
+            }
+            CancellationEvent::Ignored => {
+                self.active_view = Some(view);
+            }
+        }
+        event
+    }
+
    pub fn handle_paste(&mut self, pasted: String) {
        if self.active_view.is_none() {
            let needs_redraw = self.composer.handle_paste(pasted);
@@ -104,12 +150,6 @@ impl BottomPane<'_> {
        }
    }

-    /// Update the UI to reflect whether this `BottomPane` has input focus.
-    pub(crate) fn set_input_focus(&mut self, has_focus: bool) {
-        self.has_input_focus = has_focus;
-        self.composer.set_input_focus(has_focus);
-    }
-
    pub(crate) fn show_ctrl_c_quit_hint(&mut self) {
        self.ctrl_c_quit_hint = true;
        self.composer
@@ -203,11 +243,6 @@ impl BottomPane<'_> {
        self.app_event_tx.send(AppEvent::RequestRedraw)
    }

-    /// Returns true when a popup inside the composer is visible.
-    pub(crate) fn is_popup_visible(&self) -> bool {
-        self.active_view.is_none() && self.composer.is_popup_visible()
-    }
-
    // --- History helpers ---

    pub(crate) fn set_history_metadata(&mut self, log_id: u64, entry_count: usize) {
@@ -245,3 +280,35 @@ impl WidgetRef for &BottomPane<'_> {
        }
    }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::app_event::AppEvent;
+    use std::path::PathBuf;
+    use std::sync::mpsc::channel;
+
+    fn exec_request() -> ApprovalRequest {
+        ApprovalRequest::Exec {
+            id: "1".to_string(),
+            command: vec!["echo".into(), "ok".into()],
+            cwd: PathBuf::from("."),
+            reason: None,
+        }
+    }
+
+    #[test]
+    fn ctrl_c_on_modal_consumes_and_shows_quit_hint() {
+        let (tx_raw, _rx) = channel::<AppEvent>();
+        let tx = AppEventSender::new(tx_raw);
+        let mut pane = BottomPane::new(BottomPaneParams {
+            app_event_tx: tx,
+            has_input_focus: true,
+            enhanced_keys_supported: false,
+        });
+        pane.push_approval_request(exec_request());
+        assert_eq!(CancellationEvent::Handled, pane.on_ctrl_c());
+        assert!(pane.ctrl_c_quit_hint_visible());
+        assert_eq!(CancellationEvent::Ignored, pane.on_ctrl_c());
+    }
+}
--- a/codex-rs/tui/src/bottom_pane/snapshots/codex_tui__bottom_pane__chat_composertestsbackspace_after_pastes.snap
+++ b/codex-rs/tui/src/bottom_pane/snapshots/codex_tui__bottom_pane__chat_composertestsbackspace_after_pastes.snap
@@ -2,13 +2,13 @@
 source: tui/src/bottom_pane/chat_composer.rs
 expression: terminal.backend()
 ---
-"╭──────────────────────────────────────────────────────────────────────────────────────────────────╮"
-"│[Pasted Content 1002 chars][Pasted Content 1004 chars]                                            │"
-"│                                                                                                  │"
-"│                                                                                                  │"
-"│                                                                                                  │"
-"│                                                                                                  │"
-"│                                                                                                  │"
-"│                                                                                                  │"
-"│                                                                                                  │"
-"╰───────────────────────────────────────────────Enter to send | Ctrl+D to quit | Ctrl+J for newline╯"
+"▌[Pasted Content 1002 chars][Pasted Content 1004 chars]                                             "
+"▌                                                                                                   "
+"▌                                                                                                   "
+"▌                                                                                                   "
+"▌                                                                                                   "
+"▌                                                                                                   "
+"▌                                                                                                   "
+"▌                                                                                                   "
+"▌                                                                                                   "
+" ⏎ send   Ctrl+J newline   Ctrl+C quit                                                              "
--- a/codex-rs/tui/src/bottom_pane/snapshots/codex_tui__bottom_pane__chat_composertestsempty.snap
+++ b/codex-rs/tui/src/bottom_pane/snapshots/codex_tui__bottom_pane__chat_composertestsempty.snap
@@ -2,13 +2,13 @@
 source: tui/src/bottom_pane/chat_composer.rs
 expression: terminal.backend()
 ---
-"╭──────────────────────────────────────────────────────────────────────────────────────────────────╮"
-"│ send a message                                                                                   │"
-"│                                                                                                  │"
-"│                                                                                                  │"
-"│                                                                                                  │"
-"│                                                                                                  │"
-"│                                                                                                  │"
-"│                                                                                                  │"
-"│                                                                                                  │"
-"╰───────────────────────────────────────────────Enter to send | Ctrl+D to quit | Ctrl+J for newline╯"
+"▌ ...                                                                                               "
+"▌                                                                                                   "
+"▌                                                                                                   "
+"▌                                                                                                   "
+"▌                                                                                                   "
+"▌                                                                                                   "
+"▌                                                                                                   "
+"▌                                                                                                   "
+"▌                                                                                                   "
+" ⏎ send   Ctrl+J newline   Ctrl+C quit                                                              "
--- a/codex-rs/tui/src/bottom_pane/snapshots/codex_tui__bottom_pane__chat_composertestslarge.snap
+++ b/codex-rs/tui/src/bottom_pane/snapshots/codex_tui__bottom_pane__chat_composertestslarge.snap
@@ -2,13 +2,13 @@
 source: tui/src/bottom_pane/chat_composer.rs
 expression: terminal.backend()
 ---
-"╭──────────────────────────────────────────────────────────────────────────────────────────────────╮"
-"│[Pasted Content 1005 chars]                                                                       │"
-"│                                                                                                  │"
-"│                                                                                                  │"
-"│                                                                                                  │"
-"│                                                                                                  │"
-"│                                                                                                  │"
-"│                                                                                                  │"
-"│                                                                                                  │"
-"╰───────────────────────────────────────────────Enter to send | Ctrl+D to quit | Ctrl+J for newline╯"
+"▌[Pasted Content 1005 chars]                                                                        "
+"▌                                                                                                   "
+"▌                                                                                                   "
+"▌                                                                                                   "
+"▌                                                                                                   "
+"▌                                                                                                   "
+"▌                                                                                                   "
+"▌                                                                                                   "
+"▌                                                                                                   "
+" ⏎ send   Ctrl+J newline   Ctrl+C quit                                                              "
--- a/Show More
+++ b/Show More