Update install.md

docs: refresh install guidance
chore: rework tools execution workflow (#5278 )
2026-02-02 15:03:38 +00:00 · 2025-10-20 16:25:16 -07:00 · 2025-10-20 14:52:06 -07:00 · 2025-10-20 20:57:37 +01:00 · 2025-10-20 12:26:46 -07:00 · 2025-10-20 12:08:06 -07:00
222 changed files with 13313 additions and 5349 deletions
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -206,6 +206,69 @@ jobs:
            codesign --force --options runtime --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
          done

+      - if: ${{ matrix.runner == 'macos-14' }}
+        name: Notarize macOS binaries
+        shell: bash
+        env:
+          APPLE_NOTARIZATION_KEY_P8: ${{ secrets.APPLE_NOTARIZATION_KEY_P8 }}
+          APPLE_NOTARIZATION_KEY_ID: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }}
+          APPLE_NOTARIZATION_ISSUER_ID: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}
+        run: |
+          set -euo pipefail
+
+          for var in APPLE_NOTARIZATION_KEY_P8 APPLE_NOTARIZATION_KEY_ID APPLE_NOTARIZATION_ISSUER_ID; do
+            if [[ -z "${!var:-}" ]]; then
+              echo "$var is required for notarization"
+              exit 1
+            fi
+          done
+
+          notary_key_path="${RUNNER_TEMP}/notarytool.key.p8"
+          echo "$APPLE_NOTARIZATION_KEY_P8" | base64 -d > "$notary_key_path"
+          cleanup_notary() {
+            rm -f "$notary_key_path"
+          }
+          trap cleanup_notary EXIT
+
+          notarize_binary() {
+            local binary="$1"
+            local source_path="target/${{ matrix.target }}/release/${binary}"
+            local archive_path="${RUNNER_TEMP}/${binary}.zip"
+
+            if [[ ! -f "$source_path" ]]; then
+              echo "Binary $source_path not found"
+              exit 1
+            fi
+
+            rm -f "$archive_path"
+            ditto -c -k --keepParent "$source_path" "$archive_path"
+
+            submission_json=$(xcrun notarytool submit "$archive_path" \
+              --key "$notary_key_path" \
+              --key-id "$APPLE_NOTARIZATION_KEY_ID" \
+              --issuer "$APPLE_NOTARIZATION_ISSUER_ID" \
+              --output-format json \
+              --wait)
+
+            status=$(printf '%s\n' "$submission_json" | jq -r '.status // "Unknown"')
+            submission_id=$(printf '%s\n' "$submission_json" | jq -r '.id // ""')
+
+            if [[ -z "$submission_id" ]]; then
+              echo "Failed to retrieve submission ID for $binary"
+              exit 1
+            fi
+
+            echo "::notice title=Notarization::$binary submission ${submission_id} completed with status ${status}"
+
+            if [[ "$status" != "Accepted" ]]; then
+              echo "Notarization failed for ${binary} (submission ${submission_id}, status ${status})"
+              exit 1
+            fi
+          }
+
+          notarize_binary "codex"
+          notarize_binary "codex-responses-api-proxy"
+
      - name: Stage artifacts
        shell: bash
        run: |
--- a/.gitignore
+++ b/.gitignore
@@ -30,6 +30,7 @@ result
 # cli tools
 CLAUDE.md
 .claude/
+AGENTS.override.md

 # caches
 .cache/
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -3,6 +3,7 @@
    "rust-analyzer.check.command": "clippy",
    "rust-analyzer.check.extraArgs": ["--all-features", "--tests"],
    "rust-analyzer.rustfmt.extraArgs": ["--config", "imports_granularity=Item"],
+    "rust-analyzer.cargo.targetDir": "${workspaceFolder}/codex-rs/target/rust-analyzer",
    "[rust]": {
        "editor.defaultFormatter": "rust-lang.rust-analyzer",
        "editor.formatOnSave": true,
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -11,7 +11,9 @@ In the codex-rs folder where the rust code lives:
 - Always collapse if statements per https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_if
 - Always inline format! args when possible per https://rust-lang.github.io/rust-clippy/master/index.html#uninlined_format_args
 - Use method references over closures when possible per https://rust-lang.github.io/rust-clippy/master/index.html#redundant_closure_for_method_calls
+- Do not use unsigned integer even if the number cannot be negative.
 - When writing tests, prefer comparing the equality of entire objects over fields one by one.
+- When making a change that adds or changes an API, ensure that the documentation in the `docs/` folder is up to date if applicable.

 Run `just fmt` (in `codex-rs` directory) automatically after making Rust code changes; do not ask for approval to run it. Before finalizing a change to `codex-rs`, run `just fix -p <project>` (in `codex-rs` directory) to fix any linter issues in the code. Prefer scoping with `-p` to avoid slow workspace‑wide Clippy builds; only run `just fix` without `-p` if you changed shared crates. Additionally, run the tests:

--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-<p align="center"><code>npm i -g @openai/codex</code><br />or <code>brew install codex</code></p>
+<p align="center"><code>npm i -g @openai/codex</code><br />or <code>brew install --cask codex</code></p>

 <p align="center"><strong>Codex CLI</strong> is a coding agent from OpenAI that runs locally on your computer.
 </br>
@@ -24,7 +24,7 @@ npm install -g @openai/codex
 Alternatively, if you use Homebrew:

 ```shell
-brew install codex
+brew install --cask codex
 ```

 Then simply run `codex` to get started:
@@ -75,6 +75,7 @@ Codex CLI supports a rich set of configuration options, with preferences stored
  - [CLI usage](./docs/getting-started.md#cli-usage)
  - [Running with a prompt as input](./docs/getting-started.md#running-with-a-prompt-as-input)
  - [Example prompts](./docs/getting-started.md#example-prompts)
+  - [Custom prompts](./docs/prompts.md)
  - [Memory with AGENTS.md](./docs/getting-started.md#memory-with-agentsmd)
  - [Configuration](./docs/config.md)
 - [**Sandbox & approvals**](./docs/sandbox.md)
--- a/cliff.toml
+++ b/cliff.toml
@@ -4,7 +4,7 @@
 header = """
 # Changelog

-You can install any of these versions: `npm install -g codex@version`
+You can install any of these versions: `npm install -g @openai/codex@<version>`
 """

 body = """
--- a/codex-rs/.gitignore
+++ b/codex-rs/.gitignore
@@ -1,4 +1,5 @@
 /target/
+/target-*/

 # Recommended value of CARGO_TARGET_DIR when using Docker as explained in .devcontainer/README.md.
 /target-amd64/
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -861,9 +861,11 @@ name = "codex-app-server-protocol"
 version = "0.0.0"
 dependencies = [
 "anyhow",
+ "clap",
 "codex-protocol",
 "paste",
 "pretty_assertions",
+ "schemars 0.8.22",
 "serde",
 "serde_json",
 "strum_macros 0.27.2",
@@ -899,6 +901,16 @@ dependencies = [
 "tokio",
 ]

+[[package]]
+name = "codex-async-utils"
+version = "0.0.0"
+dependencies = [
+ "async-trait",
+ "pretty_assertions",
+ "tokio",
+ "tokio-util",
+]
+
 [[package]]
 name = "codex-backend-client"
 version = "0.0.0"
@@ -958,6 +970,7 @@ dependencies = [
 "codex-protocol-ts",
 "codex-responses-api-proxy",
 "codex-rmcp-client",
+ "codex-stdio-to-uds",
 "codex-tui",
 "ctor 0.5.0",
 "owo-colors",
@@ -1037,11 +1050,13 @@ dependencies = [
 "chrono",
 "codex-app-server-protocol",
 "codex-apply-patch",
+ "codex-async-utils",
 "codex-file-search",
 "codex-mcp-client",
 "codex-otel",
 "codex-protocol",
 "codex-rmcp-client",
+ "codex-utils-pty",
 "codex-utils-string",
 "core-foundation 0.9.4",
 "core_test_support",
@@ -1058,7 +1073,6 @@ dependencies = [
 "mcp-types",
 "openssl-sys",
 "os_info",
- "portable-pty",
 "predicates",
 "pretty_assertions",
 "rand 0.9.2",
@@ -1073,6 +1087,7 @@ dependencies = [
 "similar",
 "strum_macros 0.27.2",
 "tempfile",
+ "test-log",
 "thiserror 2.0.16",
 "time",
 "tokio",
@@ -1144,6 +1159,17 @@ dependencies = [
 "tempfile",
 ]

+[[package]]
+name = "codex-feedback"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "codex-protocol",
+ "pretty_assertions",
+ "sentry",
+ "tracing-subscriber",
+]
+
 [[package]]
 name = "codex-file-search"
 version = "0.0.0"
@@ -1308,6 +1334,7 @@ dependencies = [
 "icu_locale_core",
 "mcp-types",
 "mime_guess",
+ "schemars 0.8.22",
 "serde",
 "serde_json",
 "serde_with",
@@ -1354,6 +1381,7 @@ dependencies = [
 "axum",
 "codex-protocol",
 "dirs",
+ "escargot",
 "futures",
 "keyring",
 "mcp-types",
@@ -1363,6 +1391,7 @@ dependencies = [
 "rmcp",
 "serde",
 "serde_json",
+ "serial_test",
 "sha2",
 "tempfile",
 "tiny_http",
@@ -1372,6 +1401,17 @@ dependencies = [
 "webbrowser",
 ]

+[[package]]
+name = "codex-stdio-to-uds"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "assert_cmd",
+ "pretty_assertions",
+ "tempfile",
+ "uds_windows",
+]
+
 [[package]]
 name = "codex-tui"
 version = "0.0.0"
@@ -1388,6 +1428,7 @@ dependencies = [
 "codex-arg0",
 "codex-common",
 "codex-core",
+ "codex-feedback",
 "codex-file-search",
 "codex-git-tooling",
 "codex-login",
@@ -1422,6 +1463,7 @@ dependencies = [
 "textwrap 0.16.2",
 "tokio",
 "tokio-stream",
+ "toml",
 "tracing",
 "tracing-appender",
 "tracing-subscriber",
@@ -1442,6 +1484,15 @@ dependencies = [
 "toml",
 ]

+[[package]]
+name = "codex-utils-pty"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "portable-pty",
+ "tokio",
+]
+
 [[package]]
 name = "codex-utils-readiness"
 version = "0.0.0"
@@ -1823,6 +1874,16 @@ version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "092966b41edc516079bdf31ec78a2e0588d1d0c08f78b91d8307215928642b2b"

+[[package]]
+name = "debugid"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bef552e6f588e446098f6ba40d89ac146c8c7b64aade83c051ee00bb5d2bc18d"
+dependencies = [
+ "serde",
+ "uuid",
+]
+
 [[package]]
 name = "debugserver-types"
 version = "0.5.0"
@@ -2301,6 +2362,18 @@ dependencies = [
 "winapi",
 ]

+[[package]]
+name = "findshlibs"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "40b9e59cd0f7e0806cca4be089683ecb6434e602038df21fe6bf6711b2f07f64"
+dependencies = [
+ "cc",
+ "lazy_static",
+ "libc",
+ "winapi",
+]
+
 [[package]]
 name = "fixed_decimal"
 version = "0.7.0"
@@ -2669,6 +2742,17 @@ dependencies = [
 "windows-sys 0.59.0",
 ]

+[[package]]
+name = "hostname"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a56f203cd1c76362b69e3863fd987520ac36cf70a8c92627449b2f64a8cf7d65"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "windows-link 0.1.3",
+]
+
 [[package]]
 name = "http"
 version = "1.3.1"
@@ -3507,6 +3591,7 @@ checksum = "47e1ffaa40ddd1f3ed91f717a33c8c0ee23fff369e3aa8772b9605cc1d22f4c3"
 name = "mcp-types"
 version = "0.0.0"
 dependencies = [
+ "schemars 0.8.22",
 "serde",
 "serde_json",
 "ts-rs",
@@ -4905,6 +4990,15 @@ version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d"

+[[package]]
+name = "rustc_version"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cfcb3a22ef46e85b45de6ee7e79d063319ebb6594faafcf1c225ea92ab6e9b92"
+dependencies = [
+ "semver",
+]
+
 [[package]]
 name = "rustix"
 version = "0.38.44"
@@ -5219,6 +5313,120 @@ dependencies = [
 "libc",
 ]

+[[package]]
+name = "semver"
+version = "1.0.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"
+
+[[package]]
+name = "sentry"
+version = "0.34.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5484316556650182f03b43d4c746ce0e3e48074a21e2f51244b648b6542e1066"
+dependencies = [
+ "httpdate",
+ "native-tls",
+ "reqwest",
+ "sentry-backtrace",
+ "sentry-contexts",
+ "sentry-core",
+ "sentry-debug-images",
+ "sentry-panic",
+ "sentry-tracing",
+ "tokio",
+ "ureq",
+]
+
+[[package]]
+name = "sentry-backtrace"
+version = "0.34.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "40aa225bb41e2ec9d7c90886834367f560efc1af028f1c5478a6cce6a59c463a"
+dependencies = [
+ "backtrace",
+ "once_cell",
+ "regex",
+ "sentry-core",
+]
+
+[[package]]
+name = "sentry-contexts"
+version = "0.34.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a8dd746da3d16cb8c39751619cefd4fcdbd6df9610f3310fd646b55f6e39910"
+dependencies = [
+ "hostname",
+ "libc",
+ "os_info",
+ "rustc_version",
+ "sentry-core",
+ "uname",
+]
+
+[[package]]
+name = "sentry-core"
+version = "0.34.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "161283cfe8e99c8f6f236a402b9ccf726b201f365988b5bb637ebca0abbd4a30"
+dependencies = [
+ "once_cell",
+ "rand 0.8.5",
+ "sentry-types",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "sentry-debug-images"
+version = "0.34.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8fc6b25e945fcaa5e97c43faee0267eebda9f18d4b09a251775d8fef1086238a"
+dependencies = [
+ "findshlibs",
+ "once_cell",
+ "sentry-core",
+]
+
+[[package]]
+name = "sentry-panic"
+version = "0.34.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bc74f229c7186dd971a9491ffcbe7883544aa064d1589bd30b83fb856cd22d63"
+dependencies = [
+ "sentry-backtrace",
+ "sentry-core",
+]
+
+[[package]]
+name = "sentry-tracing"
+version = "0.34.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cd3c5faf2103cd01eeda779ea439b68c4ee15adcdb16600836e97feafab362ec"
+dependencies = [
+ "sentry-backtrace",
+ "sentry-core",
+ "tracing-core",
+ "tracing-subscriber",
+]
+
+[[package]]
+name = "sentry-types"
+version = "0.34.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d68cdf6bc41b8ff3ae2a9c4671e97426dcdd154cc1d4b6b72813f285d6b163f"
+dependencies = [
+ "debugid",
+ "hex",
+ "rand 0.8.5",
+ "serde",
+ "serde_json",
+ "thiserror 1.0.69",
+ "time",
+ "url",
+ "uuid",
+]
+
 [[package]]
 name = "serde"
 version = "1.0.226"
@@ -5851,6 +6059,28 @@ version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8f50febec83f5ee1df3015341d8bd429f2d1cc62bcba7ea2076759d315084683"

+[[package]]
+name = "test-log"
+version = "0.2.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e33b98a582ea0be1168eba097538ee8dd4bbe0f2b01b22ac92ea30054e5be7b"
+dependencies = [
+ "env_logger",
+ "test-log-macros",
+ "tracing-subscriber",
+]
+
+[[package]]
+name = "test-log-macros"
+version = "0.2.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "451b374529930d7601b1eef8d32bc79ae870b6079b069401709c2a8bf9e75f36"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
 [[package]]
 name = "textwrap"
 version = "0.11.0"
@@ -6426,6 +6656,15 @@ dependencies = [
 "winapi",
 ]

+[[package]]
+name = "uname"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b72f89f0ca32e4db1c04e2a72f5345d59796d4866a1ee0609084569f73683dc8"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "unicase"
 version = "2.8.1"
@@ -6485,6 +6724,19 @@ version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"

+[[package]]
+name = "ureq"
+version = "2.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "02d1a66277ed75f640d608235660df48c8e3c19f3b4edb6a263315626cc3c01d"
+dependencies = [
+ "base64",
+ "log",
+ "native-tls",
+ "once_cell",
+ "url",
+]
+
 [[package]]
 name = "url"
 version = "2.5.4"
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -2,10 +2,12 @@
 members = [
    "backend-client",
    "ansi-escape",
+    "async-utils",
    "app-server",
    "app-server-protocol",
    "apply-patch",
    "arg0",
+    "feedback",
    "codex-backend-openapi-models",
    "cloud-tasks",
    "cloud-tasks-client",
@@ -27,11 +29,13 @@ members = [
    "protocol-ts",
    "rmcp-client",
    "responses-api-proxy",
+    "stdio-to-uds",
    "otel",
    "tui",
    "git-apply",
    "utils/json-to-toml",
    "utils/readiness",
+    "utils/pty",
    "utils/string",
 ]
 resolver = "2"
@@ -52,10 +56,12 @@ codex-app-server = { path = "app-server" }
 codex-app-server-protocol = { path = "app-server-protocol" }
 codex-apply-patch = { path = "apply-patch" }
 codex-arg0 = { path = "arg0" }
+codex-async-utils = { path = "async-utils" }
 codex-chatgpt = { path = "chatgpt" }
 codex-common = { path = "common" }
 codex-core = { path = "core" }
 codex-exec = { path = "exec" }
+codex-feedback = { path = "feedback" }
 codex-file-search = { path = "file-search" }
 codex-git-tooling = { path = "git-tooling" }
 codex-linux-sandbox = { path = "linux-sandbox" }
@@ -69,9 +75,11 @@ codex-protocol = { path = "protocol" }
 codex-protocol-ts = { path = "protocol-ts" }
 codex-responses-api-proxy = { path = "responses-api-proxy" }
 codex-rmcp-client = { path = "rmcp-client" }
+codex-stdio-to-uds = { path = "stdio-to-uds" }
 codex-tui = { path = "tui" }
 codex-utils-json-to-toml = { path = "utils/json-to-toml" }
 codex-utils-readiness = { path = "utils/readiness" }
+codex-utils-pty = { path = "utils/pty" }
 codex-utils-string = { path = "utils/string" }
 core_test_support = { path = "core/tests/common" }
 mcp-types = { path = "mcp-types" }
@@ -83,8 +91,8 @@ ansi-to-tui = "7.0.0"
 anyhow = "1"
 arboard = "3"
 askama = "0.12"
-assert_matches = "1.5.0"
 assert_cmd = "2"
+assert_matches = "1.5.0"
 async-channel = "2.3.1"
 async-stream = "0.3.6"
 async-trait = "0.1.89"
@@ -147,6 +155,7 @@ reqwest = "0.12"
 rmcp = { version = "0.8.0", default-features = false }
 schemars = "0.8.22"
 seccompiler = "0.5.0"
+sentry = "0.34.0"
 serde = "1"
 serde_json = "1"
 serde_with = "3.14"
@@ -161,6 +170,7 @@ strum_macros = "0.27.2"
 supports-color = "3.0.2"
 sys-locale = "0.3.2"
 tempfile = "3.23.0"
+test-log = "0.2.18"
 textwrap = "0.16.2"
 thiserror = "2.0.16"
 time = "0.3"
@@ -180,6 +190,7 @@ tree-sitter = "0.25.10"
 tree-sitter-bash = "0.25"
 tree-sitter-highlight = "0.25.10"
 ts-rs = "11"
+uds_windows = "1.1.0"
 unicode-segmentation = "1.12.0"
 unicode-width = "0.2"
 url = "2"
--- a/codex-rs/README.md
+++ b/codex-rs/README.md
@@ -11,7 +11,12 @@ npm i -g @openai/codex
 codex
 ```

-You can also install via Homebrew (`brew install codex`) or download a platform-specific release directly from our [GitHub Releases](https://github.com/openai/codex/releases).
+You can also install via Homebrew (`brew install --cask codex`) or download a platform-specific release directly from our [GitHub Releases](https://github.com/openai/codex/releases).
+
+## Documentation quickstart
+
+- First run with Codex? Follow the walkthrough in [`docs/getting-started.md`](../docs/getting-started.md) for prompts, keyboard shortcuts, and session management.
+- Already shipping with Codex and want deeper control? Jump to [`docs/advanced.md`](../docs/advanced.md) and the configuration reference at [`docs/config.md`](../docs/config.md).

 ## What's new in the Rust CLI

@@ -47,30 +52,6 @@ You can enable notifications by configuring a script that is run whenever the ag

 To run Codex non-interactively, run `codex exec PROMPT` (you can also pass the prompt via `stdin`) and Codex will work on your task until it decides that it is done and exits. Output is printed to the terminal directly. You can set the `RUST_LOG` environment variable to see more about what's going on.

-### Use `@` for file search
-
-Typing `@` triggers a fuzzy-filename search over the workspace root. Use up/down to select among the results and Tab or Enter to replace the `@` with the selected path. You can use Esc to cancel the search.
-
-### Esc–Esc to edit a previous message
-
-When the chat composer is empty, press Esc to prime “backtrack” mode. Press Esc again to open a transcript preview highlighting the last user message; press Esc repeatedly to step to older user messages. Press Enter to confirm and Codex will fork the conversation from that point, trim the visible transcript accordingly, and pre‑fill the composer with the selected user message so you can edit and resubmit it.
-
-In the transcript preview, the footer shows an `Esc edit prev` hint while editing is active.
-
-### `--cd`/`-C` flag
-
-Sometimes it is not convenient to `cd` to the directory you want Codex to use as the "working root" before running Codex. Fortunately, `codex` supports a `--cd` option so you can specify whatever folder you want. You can confirm that Codex is honoring `--cd` by double-checking the **workdir** it reports in the TUI at the start of a new session.
-
-### Shell completions
-
-Generate shell completion scripts via:
-
-```shell
-codex completion bash
-codex completion zsh
-codex completion fish
-```
-
 ### Experimenting with the Codex Sandbox

 To test to see what happens when a command is run under the sandbox provided by Codex, we provide the following subcommands in Codex CLI:
--- a/codex-rs/app-server-protocol/Cargo.toml
+++ b/codex-rs/app-server-protocol/Cargo.toml
@@ -11,8 +11,11 @@ path = "src/lib.rs"
 workspace = true

 [dependencies]
+anyhow = { workspace = true }
+clap = { workspace = true, features = ["derive"] }
 codex-protocol = { workspace = true }
 paste = { workspace = true }
+schemars = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
 strum_macros = { workspace = true }
--- a/codex-rs/app-server-protocol/src/bin/export.rs
+++ b/codex-rs/app-server-protocol/src/bin/export.rs
@@ -0,0 +1,22 @@
+use anyhow::Result;
+use clap::Parser;
+use std::path::PathBuf;
+
+#[derive(Parser, Debug)]
+#[command(
+    about = "Generate TypeScript bindings and JSON Schemas for the Codex app-server protocol"
+)]
+struct Args {
+    /// Output directory where generated files will be written
+    #[arg(short = 'o', long = "out", value_name = "DIR")]
+    out_dir: PathBuf,
+
+    /// Optional Prettier executable path to format generated TypeScript files
+    #[arg(short = 'p', long = "prettier", value_name = "PRETTIER_BIN")]
+    prettier: Option<PathBuf>,
+}
+
+fn main() -> Result<()> {
+    let args = Args::parse();
+    codex_app_server_protocol::generate_types(&args.out_dir, args.prettier.as_deref())
+}
--- a/codex-rs/app-server-protocol/src/export.rs
+++ b/codex-rs/app-server-protocol/src/export.rs
@@ -0,0 +1,404 @@
+use crate::ClientNotification;
+use crate::ClientRequest;
+use crate::ServerNotification;
+use crate::ServerRequest;
+use crate::export_client_response_schemas;
+use crate::export_client_responses;
+use crate::export_server_response_schemas;
+use crate::export_server_responses;
+use anyhow::Context;
+use anyhow::Result;
+use anyhow::anyhow;
+use schemars::JsonSchema;
+use schemars::schema::RootSchema;
+use schemars::schema_for;
+use serde::Serialize;
+use serde_json::Map;
+use serde_json::Value;
+use std::collections::BTreeMap;
+use std::ffi::OsStr;
+use std::fs;
+use std::io::Read;
+use std::io::Write;
+use std::path::Path;
+use std::path::PathBuf;
+use std::process::Command;
+use ts_rs::TS;
+
+const HEADER: &str = "// GENERATED CODE! DO NOT MODIFY BY HAND!\n\n";
+
+macro_rules! for_each_schema_type {
+    ($macro:ident) => {
+        $macro!(crate::RequestId);
+        $macro!(crate::JSONRPCMessage);
+        $macro!(crate::JSONRPCRequest);
+        $macro!(crate::JSONRPCNotification);
+        $macro!(crate::JSONRPCResponse);
+        $macro!(crate::JSONRPCError);
+        $macro!(crate::JSONRPCErrorError);
+        $macro!(crate::AddConversationListenerParams);
+        $macro!(crate::AddConversationSubscriptionResponse);
+        $macro!(crate::ApplyPatchApprovalParams);
+        $macro!(crate::ApplyPatchApprovalResponse);
+        $macro!(crate::ArchiveConversationParams);
+        $macro!(crate::ArchiveConversationResponse);
+        $macro!(crate::AuthMode);
+        $macro!(crate::AuthStatusChangeNotification);
+        $macro!(crate::CancelLoginChatGptParams);
+        $macro!(crate::CancelLoginChatGptResponse);
+        $macro!(crate::ClientInfo);
+        $macro!(crate::ClientNotification);
+        $macro!(crate::ClientRequest);
+        $macro!(crate::ConversationSummary);
+        $macro!(crate::ExecCommandApprovalParams);
+        $macro!(crate::ExecCommandApprovalResponse);
+        $macro!(crate::ExecOneOffCommandParams);
+        $macro!(crate::ExecOneOffCommandResponse);
+        $macro!(crate::FuzzyFileSearchParams);
+        $macro!(crate::FuzzyFileSearchResponse);
+        $macro!(crate::FuzzyFileSearchResult);
+        $macro!(crate::GetAuthStatusParams);
+        $macro!(crate::GetAuthStatusResponse);
+        $macro!(crate::GetUserAgentResponse);
+        $macro!(crate::GetUserSavedConfigResponse);
+        $macro!(crate::GitDiffToRemoteParams);
+        $macro!(crate::GitDiffToRemoteResponse);
+        $macro!(crate::GitSha);
+        $macro!(crate::InitializeParams);
+        $macro!(crate::InitializeResponse);
+        $macro!(crate::InputItem);
+        $macro!(crate::InterruptConversationParams);
+        $macro!(crate::InterruptConversationResponse);
+        $macro!(crate::ListConversationsParams);
+        $macro!(crate::ListConversationsResponse);
+        $macro!(crate::LoginApiKeyParams);
+        $macro!(crate::LoginApiKeyResponse);
+        $macro!(crate::LoginChatGptCompleteNotification);
+        $macro!(crate::LoginChatGptResponse);
+        $macro!(crate::LogoutChatGptParams);
+        $macro!(crate::LogoutChatGptResponse);
+        $macro!(crate::NewConversationParams);
+        $macro!(crate::NewConversationResponse);
+        $macro!(crate::Profile);
+        $macro!(crate::RemoveConversationListenerParams);
+        $macro!(crate::RemoveConversationSubscriptionResponse);
+        $macro!(crate::ResumeConversationParams);
+        $macro!(crate::ResumeConversationResponse);
+        $macro!(crate::SandboxSettings);
+        $macro!(crate::SendUserMessageParams);
+        $macro!(crate::SendUserMessageResponse);
+        $macro!(crate::SendUserTurnParams);
+        $macro!(crate::SendUserTurnResponse);
+        $macro!(crate::ServerNotification);
+        $macro!(crate::ServerRequest);
+        $macro!(crate::SessionConfiguredNotification);
+        $macro!(crate::SetDefaultModelParams);
+        $macro!(crate::SetDefaultModelResponse);
+        $macro!(crate::Tools);
+        $macro!(crate::UserInfoResponse);
+        $macro!(crate::UserSavedConfig);
+        $macro!(codex_protocol::protocol::EventMsg);
+        $macro!(codex_protocol::protocol::FileChange);
+        $macro!(codex_protocol::parse_command::ParsedCommand);
+        $macro!(codex_protocol::protocol::SandboxPolicy);
+    };
+}
+
+pub fn generate_types(out_dir: &Path, prettier: Option<&Path>) -> Result<()> {
+    generate_ts(out_dir, prettier)?;
+    generate_json(out_dir)?;
+    Ok(())
+}
+
+pub fn generate_ts(out_dir: &Path, prettier: Option<&Path>) -> Result<()> {
+    ensure_dir(out_dir)?;
+
+    ClientRequest::export_all_to(out_dir)?;
+    export_client_responses(out_dir)?;
+    ClientNotification::export_all_to(out_dir)?;
+
+    ServerRequest::export_all_to(out_dir)?;
+    export_server_responses(out_dir)?;
+    ServerNotification::export_all_to(out_dir)?;
+
+    generate_index_ts(out_dir)?;
+
+    let ts_files = ts_files_in(out_dir)?;
+    for file in &ts_files {
+        prepend_header_if_missing(file)?;
+    }
+
+    if let Some(prettier_bin) = prettier
+        && !ts_files.is_empty()
+    {
+        let status = Command::new(prettier_bin)
+            .arg("--write")
+            .args(ts_files.iter().map(|p| p.as_os_str()))
+            .status()
+            .with_context(|| format!("Failed to invoke Prettier at {}", prettier_bin.display()))?;
+        if !status.success() {
+            return Err(anyhow!("Prettier failed with status {status}"));
+        }
+    }
+
+    Ok(())
+}
+
+pub fn generate_json(out_dir: &Path) -> Result<()> {
+    ensure_dir(out_dir)?;
+    let mut bundle: BTreeMap<String, RootSchema> = BTreeMap::new();
+
+    macro_rules! add_schema {
+        ($ty:path) => {{
+            let name = type_basename(stringify!($ty));
+            let schema = write_json_schema_with_return::<$ty>(out_dir, &name)?;
+            bundle.insert(name, schema);
+        }};
+    }
+
+    for_each_schema_type!(add_schema);
+
+    export_client_response_schemas(out_dir)?;
+    export_server_response_schemas(out_dir)?;
+
+    let mut definitions = Map::new();
+
+    const SPECIAL_DEFINITIONS: &[&str] = &[
+        "ClientNotification",
+        "ClientRequest",
+        "EventMsg",
+        "FileChange",
+        "InputItem",
+        "ParsedCommand",
+        "SandboxPolicy",
+        "ServerNotification",
+        "ServerRequest",
+    ];
+
+    for (name, schema) in bundle {
+        let mut schema_value = serde_json::to_value(schema)?;
+        if let Value::Object(ref mut obj) = schema_value {
+            if let Some(defs) = obj.remove("definitions")
+                && let Value::Object(defs_obj) = defs
+            {
+                for (def_name, def_schema) in defs_obj {
+                    if !SPECIAL_DEFINITIONS.contains(&def_name.as_str()) {
+                        definitions.insert(def_name, def_schema);
+                    }
+                }
+            }
+
+            if let Some(Value::Array(one_of)) = obj.get_mut("oneOf") {
+                for variant in one_of.iter_mut() {
+                    if let Some(variant_name) = variant_definition_name(&name, variant)
+                        && let Value::Object(variant_obj) = variant
+                    {
+                        variant_obj.insert("title".into(), Value::String(variant_name));
+                    }
+                }
+            }
+        }
+        definitions.insert(name, schema_value);
+    }
+
+    let mut root = Map::new();
+    root.insert(
+        "$schema".to_string(),
+        Value::String("http://json-schema.org/draft-07/schema#".into()),
+    );
+    root.insert(
+        "title".to_string(),
+        Value::String("CodexAppServerProtocol".into()),
+    );
+    root.insert("type".to_string(), Value::String("object".into()));
+    root.insert("definitions".to_string(), Value::Object(definitions));
+
+    write_pretty_json(
+        out_dir.join("codex_app_server_protocol.schemas.json"),
+        &Value::Object(root),
+    )?;
+
+    Ok(())
+}
+
+fn write_json_schema_with_return<T>(out_dir: &Path, name: &str) -> Result<RootSchema>
+where
+    T: JsonSchema,
+{
+    let file_stem = name.trim();
+    let schema = schema_for!(T);
+    write_pretty_json(out_dir.join(format!("{file_stem}.json")), &schema)
+        .with_context(|| format!("Failed to write JSON schema for {file_stem}"))?;
+    Ok(schema)
+}
+
+pub(crate) fn write_json_schema<T>(out_dir: &Path, name: &str) -> Result<()>
+where
+    T: JsonSchema,
+{
+    write_json_schema_with_return::<T>(out_dir, name).map(|_| ())
+}
+
+fn write_pretty_json(path: PathBuf, value: &impl Serialize) -> Result<()> {
+    let json = serde_json::to_vec_pretty(value)
+        .with_context(|| format!("Failed to serialize JSON schema to {}", path.display()))?;
+    fs::write(&path, json).with_context(|| format!("Failed to write {}", path.display()))?;
+    Ok(())
+}
+fn type_basename(type_path: &str) -> String {
+    type_path
+        .rsplit_once("::")
+        .map(|(_, name)| name)
+        .unwrap_or(type_path)
+        .trim()
+        .to_string()
+}
+
+fn variant_definition_name(base: &str, variant: &Value) -> Option<String> {
+    if let Some(props) = variant.get("properties").and_then(Value::as_object) {
+        if let Some(method_literal) = literal_from_property(props, "method") {
+            let pascal = to_pascal_case(method_literal);
+            return Some(match base {
+                "ClientRequest" | "ServerRequest" => format!("{pascal}Request"),
+                "ClientNotification" | "ServerNotification" => format!("{pascal}Notification"),
+                _ => format!("{pascal}{base}"),
+            });
+        }
+
+        if let Some(type_literal) = literal_from_property(props, "type") {
+            let pascal = to_pascal_case(type_literal);
+            return Some(match base {
+                "EventMsg" => format!("{pascal}EventMsg"),
+                _ => format!("{pascal}{base}"),
+            });
+        }
+
+        if let Some(mode_literal) = literal_from_property(props, "mode") {
+            let pascal = to_pascal_case(mode_literal);
+            return Some(match base {
+                "SandboxPolicy" => format!("{pascal}SandboxPolicy"),
+                _ => format!("{pascal}{base}"),
+            });
+        }
+
+        if props.len() == 1
+            && let Some(key) = props.keys().next()
+        {
+            let pascal = to_pascal_case(key);
+            return Some(format!("{pascal}{base}"));
+        }
+    }
+
+    if let Some(required) = variant.get("required").and_then(Value::as_array)
+        && required.len() == 1
+        && let Some(key) = required[0].as_str()
+    {
+        let pascal = to_pascal_case(key);
+        return Some(format!("{pascal}{base}"));
+    }
+
+    None
+}
+
+fn literal_from_property<'a>(props: &'a Map<String, Value>, key: &str) -> Option<&'a str> {
+    props
+        .get(key)
+        .and_then(|value| value.get("enum"))
+        .and_then(Value::as_array)
+        .and_then(|arr| arr.first())
+        .and_then(Value::as_str)
+}
+
+fn to_pascal_case(input: &str) -> String {
+    let mut result = String::new();
+    let mut capitalize_next = true;
+
+    for c in input.chars() {
+        if c == '_' || c == '-' {
+            capitalize_next = true;
+            continue;
+        }
+
+        if capitalize_next {
+            result.extend(c.to_uppercase());
+            capitalize_next = false;
+        } else {
+            result.push(c);
+        }
+    }
+
+    result
+}
+
+fn ensure_dir(dir: &Path) -> Result<()> {
+    fs::create_dir_all(dir)
+        .with_context(|| format!("Failed to create output directory {}", dir.display()))
+}
+
+fn prepend_header_if_missing(path: &Path) -> Result<()> {
+    let mut content = String::new();
+    {
+        let mut f = fs::File::open(path)
+            .with_context(|| format!("Failed to open {} for reading", path.display()))?;
+        f.read_to_string(&mut content)
+            .with_context(|| format!("Failed to read {}", path.display()))?;
+    }
+
+    if content.starts_with(HEADER) {
+        return Ok(());
+    }
+
+    let mut f = fs::File::create(path)
+        .with_context(|| format!("Failed to open {} for writing", path.display()))?;
+    f.write_all(HEADER.as_bytes())
+        .with_context(|| format!("Failed to write header to {}", path.display()))?;
+    f.write_all(content.as_bytes())
+        .with_context(|| format!("Failed to write content to {}", path.display()))?;
+    Ok(())
+}
+
+fn ts_files_in(dir: &Path) -> Result<Vec<PathBuf>> {
+    let mut files = Vec::new();
+    for entry in
+        fs::read_dir(dir).with_context(|| format!("Failed to read dir {}", dir.display()))?
+    {
+        let entry = entry?;
+        let path = entry.path();
+        if path.is_file() && path.extension() == Some(OsStr::new("ts")) {
+            files.push(path);
+        }
+    }
+    files.sort();
+    Ok(files)
+}
+
+fn generate_index_ts(out_dir: &Path) -> Result<PathBuf> {
+    let mut entries: Vec<String> = Vec::new();
+    let mut stems: Vec<String> = ts_files_in(out_dir)?
+        .into_iter()
+        .filter_map(|p| {
+            let stem = p.file_stem()?.to_string_lossy().into_owned();
+            if stem == "index" { None } else { Some(stem) }
+        })
+        .collect();
+    stems.sort();
+    stems.dedup();
+
+    for name in stems {
+        entries.push(format!("export type {{ {name} }} from \"./{name}\";\n"));
+    }
+
+    let mut content =
+        String::with_capacity(HEADER.len() + entries.iter().map(String::len).sum::<usize>());
+    content.push_str(HEADER);
+    for line in &entries {
+        content.push_str(line);
+    }
+
+    let index_path = out_dir.join("index.ts");
+    let mut f = fs::File::create(&index_path)
+        .with_context(|| format!("Failed to create {}", index_path.display()))?;
+    f.write_all(content.as_bytes())
+        .with_context(|| format!("Failed to write {}", index_path.display()))?;
+    Ok(index_path)
+}
--- a/codex-rs/app-server-protocol/src/jsonrpc_lite.rs
+++ b/codex-rs/app-server-protocol/src/jsonrpc_lite.rs
@@ -1,13 +1,14 @@
 //! We do not do true JSON-RPC 2.0, as we neither send nor expect the
 //! "jsonrpc": "2.0" field.

+use schemars::JsonSchema;
 use serde::Deserialize;
 use serde::Serialize;
 use ts_rs::TS;

 pub const JSONRPC_VERSION: &str = "2.0";

-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, Hash, Eq, TS)]
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, Hash, Eq, JsonSchema, TS)]
 #[serde(untagged)]
 pub enum RequestId {
    String(String),
@@ -18,7 +19,7 @@ pub enum RequestId {
 pub type Result = serde_json::Value;

 /// Refers to any valid JSON-RPC object that can be decoded off the wire, or encoded to be sent.
-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, TS)]
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema, TS)]
 #[serde(untagged)]
 pub enum JSONRPCMessage {
    Request(JSONRPCRequest),
@@ -28,7 +29,7 @@ pub enum JSONRPCMessage {
 }

 /// A request that expects a response.
-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, TS)]
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema, TS)]
 pub struct JSONRPCRequest {
    pub id: RequestId,
    pub method: String,
@@ -37,7 +38,7 @@ pub struct JSONRPCRequest {
 }

 /// A notification which does not expect a response.
-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, TS)]
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema, TS)]
 pub struct JSONRPCNotification {
    pub method: String,
    #[serde(default, skip_serializing_if = "Option::is_none")]
@@ -45,20 +46,20 @@ pub struct JSONRPCNotification {
 }

 /// A successful (non-error) response to a request.
-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, TS)]
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema, TS)]
 pub struct JSONRPCResponse {
    pub id: RequestId,
    pub result: Result,
 }

 /// A response to a request that indicates an error occurred.
-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, TS)]
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema, TS)]
 pub struct JSONRPCError {
    pub error: JSONRPCErrorError,
    pub id: RequestId,
 }

-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, TS)]
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema, TS)]
 pub struct JSONRPCErrorError {
    pub code: i64,
    #[serde(default, skip_serializing_if = "Option::is_none")]
--- a/codex-rs/app-server-protocol/src/lib.rs
+++ b/codex-rs/app-server-protocol/src/lib.rs
@@ -1,5 +1,9 @@
+mod export;
 mod jsonrpc_lite;
 mod protocol;

+pub use export::generate_json;
+pub use export::generate_ts;
+pub use export::generate_types;
 pub use jsonrpc_lite::*;
 pub use protocol::*;
--- a/codex-rs/app-server-protocol/src/protocol.rs
+++ b/codex-rs/app-server-protocol/src/protocol.rs
@@ -5,10 +5,12 @@ use crate::JSONRPCNotification;
 use crate::JSONRPCRequest;
 use crate::RequestId;
 use codex_protocol::ConversationId;
+use codex_protocol::config_types::ForcedLoginMethod;
 use codex_protocol::config_types::ReasoningEffort;
 use codex_protocol::config_types::ReasoningSummary;
 use codex_protocol::config_types::SandboxMode;
 use codex_protocol::config_types::Verbosity;
+use codex_protocol::parse_command::ParsedCommand;
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::FileChange;
@@ -16,13 +18,14 @@ use codex_protocol::protocol::ReviewDecision;
 use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::TurnAbortReason;
 use paste::paste;
+use schemars::JsonSchema;
 use serde::Deserialize;
 use serde::Serialize;
 use strum_macros::Display;
 use ts_rs::TS;
 use uuid::Uuid;

-#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema, TS)]
 #[ts(type = "string")]
 pub struct GitSha(pub String);

@@ -32,7 +35,7 @@ impl GitSha {
    }
 }

-#[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, Display, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, Display, JsonSchema, TS)]
 #[serde(rename_all = "lowercase")]
 pub enum AuthMode {
    ApiKey,
@@ -54,7 +57,7 @@ macro_rules! client_request_definitions {
        ),* $(,)?
    ) => {
        /// Request from the client to the server.
-        #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+        #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
        #[serde(tag = "method", rename_all = "camelCase")]
        pub enum ClientRequest {
            $(
@@ -76,6 +79,15 @@ macro_rules! client_request_definitions {
            )*
            Ok(())
        }
+
+        pub fn export_client_response_schemas(
+            out_dir: &::std::path::Path,
+        ) -> ::anyhow::Result<()> {
+            $(
+                crate::export::write_json_schema::<$response>(out_dir, stringify!($response))?;
+            )*
+            Ok(())
+        }
    };
 }

@@ -173,13 +185,13 @@ client_request_definitions! {
    },
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct InitializeParams {
    pub client_info: ClientInfo,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ClientInfo {
    pub name: String,
@@ -188,13 +200,13 @@ pub struct ClientInfo {
    pub version: String,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct InitializeResponse {
    pub user_agent: String,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct NewConversationParams {
    /// Optional override for the model name (e.g. "o3", "o4-mini").
@@ -237,7 +249,7 @@ pub struct NewConversationParams {
    pub include_apply_patch_tool: Option<bool>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct NewConversationResponse {
    pub conversation_id: ConversationId,
@@ -248,7 +260,7 @@ pub struct NewConversationResponse {
    pub rollout_path: PathBuf,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ResumeConversationResponse {
    pub conversation_id: ConversationId,
@@ -257,7 +269,7 @@ pub struct ResumeConversationResponse {
    pub initial_messages: Option<Vec<EventMsg>>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ListConversationsParams {
    /// Optional page size; defaults to a reasonable server-side value.
@@ -268,7 +280,7 @@ pub struct ListConversationsParams {
    pub cursor: Option<String>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ConversationSummary {
    pub conversation_id: ConversationId,
@@ -279,7 +291,7 @@ pub struct ConversationSummary {
    pub timestamp: Option<String>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ListConversationsResponse {
    pub items: Vec<ConversationSummary>,
@@ -289,7 +301,7 @@ pub struct ListConversationsResponse {
    pub next_cursor: Option<String>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ResumeConversationParams {
    /// Absolute path to the rollout JSONL file.
@@ -299,78 +311,81 @@ pub struct ResumeConversationParams {
    pub overrides: Option<NewConversationParams>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct AddConversationSubscriptionResponse {
+    #[schemars(with = "String")]
    pub subscription_id: Uuid,
 }

 /// The [`ConversationId`] must match the `rollout_path`.
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ArchiveConversationParams {
    pub conversation_id: ConversationId,
    pub rollout_path: PathBuf,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ArchiveConversationResponse {}

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct RemoveConversationSubscriptionResponse {}

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct LoginApiKeyParams {
    pub api_key: String,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct LoginApiKeyResponse {}

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct LoginChatGptResponse {
+    #[schemars(with = "String")]
    pub login_id: Uuid,
    /// URL the client should open in a browser to initiate the OAuth flow.
    pub auth_url: String,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct GitDiffToRemoteResponse {
    pub sha: GitSha,
    pub diff: String,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct CancelLoginChatGptParams {
+    #[schemars(with = "String")]
    pub login_id: Uuid,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct GitDiffToRemoteParams {
    pub cwd: PathBuf,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct CancelLoginChatGptResponse {}

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct LogoutChatGptParams {}

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct LogoutChatGptResponse {}

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct GetAuthStatusParams {
    /// If true, include the current auth token (if available) in the response.
@@ -381,7 +396,7 @@ pub struct GetAuthStatusParams {
    pub refresh_token: Option<bool>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ExecOneOffCommandParams {
    /// Command argv to execute.
@@ -397,7 +412,7 @@ pub struct ExecOneOffCommandParams {
    pub sandbox_policy: Option<SandboxPolicy>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ExecOneOffCommandResponse {
    pub exit_code: i32,
@@ -405,7 +420,7 @@ pub struct ExecOneOffCommandResponse {
    pub stderr: String,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct GetAuthStatusResponse {
    #[serde(skip_serializing_if = "Option::is_none")]
@@ -420,13 +435,13 @@ pub struct GetAuthStatusResponse {
    pub requires_openai_auth: Option<bool>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct GetUserAgentResponse {
    pub user_agent: String,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct UserInfoResponse {
    /// Note: `alleged_user_email` is not currently verified. We read it from
@@ -436,13 +451,13 @@ pub struct UserInfoResponse {
    pub alleged_user_email: Option<String>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct GetUserSavedConfigResponse {
    pub config: UserSavedConfig,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct SetDefaultModelParams {
    /// If set to None, this means `model` should be cleared in config.toml.
@@ -454,14 +469,14 @@ pub struct SetDefaultModelParams {
    pub reasoning_effort: Option<ReasoningEffort>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct SetDefaultModelResponse {}

 /// UserSavedConfig contains a subset of the config. It is meant to expose mcp
 /// client-configurable settings that can be specified in the NewConversation
 /// and SendUserTurn requests.
-#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, TS)]
+#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct UserSavedConfig {
    /// Approvals
@@ -472,6 +487,11 @@ pub struct UserSavedConfig {
    #[serde(skip_serializing_if = "Option::is_none")]
    pub sandbox_settings: Option<SandboxSettings>,

+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub forced_chatgpt_workspace_id: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub forced_login_method: Option<ForcedLoginMethod>,
+
    /// Model-specific configuration
    #[serde(skip_serializing_if = "Option::is_none")]
    pub model: Option<String>,
@@ -494,7 +514,7 @@ pub struct UserSavedConfig {
 }

 /// MCP representation of a [`codex_core::config_profile::ConfigProfile`].
-#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, TS)]
+#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct Profile {
    pub model: Option<String>,
@@ -508,7 +528,7 @@ pub struct Profile {
    pub chatgpt_base_url: Option<String>,
 }
 /// MCP representation of a [`codex_core::config::ToolsToml`].
-#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, TS)]
+#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct Tools {
    #[serde(skip_serializing_if = "Option::is_none")]
@@ -518,7 +538,7 @@ pub struct Tools {
 }

 /// MCP representation of a [`codex_core::config_types::SandboxWorkspaceWrite`].
-#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, TS)]
+#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct SandboxSettings {
    #[serde(default)]
@@ -531,14 +551,14 @@ pub struct SandboxSettings {
    pub exclude_slash_tmp: Option<bool>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct SendUserMessageParams {
    pub conversation_id: ConversationId,
    pub items: Vec<InputItem>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct SendUserTurnParams {
    pub conversation_id: ConversationId,
@@ -552,39 +572,40 @@ pub struct SendUserTurnParams {
    pub summary: ReasoningSummary,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct SendUserTurnResponse {}

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct InterruptConversationParams {
    pub conversation_id: ConversationId,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct InterruptConversationResponse {
    pub abort_reason: TurnAbortReason,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct SendUserMessageResponse {}

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct AddConversationListenerParams {
    pub conversation_id: ConversationId,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct RemoveConversationListenerParams {
+    #[schemars(with = "String")]
    pub subscription_id: Uuid,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[serde(tag = "type", content = "data")]
 pub enum InputItem {
@@ -616,7 +637,7 @@ macro_rules! server_request_definitions {
    ) => {
        paste! {
            /// Request initiated from the server and sent to the client.
-            #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+            #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
            #[serde(tag = "method", rename_all = "camelCase")]
            pub enum ServerRequest {
                $(
@@ -629,7 +650,7 @@ macro_rules! server_request_definitions {
                )*
            }

-            #[derive(Debug, Clone, PartialEq)]
+            #[derive(Debug, Clone, PartialEq, JsonSchema)]
            pub enum ServerRequestPayload {
                $( $variant([<$variant Params>]), )*
            }
@@ -651,6 +672,15 @@ macro_rules! server_request_definitions {
            }
            Ok(())
        }
+
+        pub fn export_server_response_schemas(
+            out_dir: &::std::path::Path,
+        ) -> ::anyhow::Result<()> {
+            paste! {
+                $(crate::export::write_json_schema::<[<$variant Response>]>(out_dir, stringify!([<$variant Response>]))?;)*
+            }
+            Ok(())
+        }
    };
 }

@@ -669,7 +699,7 @@ server_request_definitions! {
    ExecCommandApproval,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ApplyPatchApprovalParams {
    pub conversation_id: ConversationId,
@@ -686,7 +716,7 @@ pub struct ApplyPatchApprovalParams {
    pub grant_root: Option<PathBuf>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ExecCommandApprovalParams {
    pub conversation_id: ConversationId,
@@ -697,19 +727,20 @@ pub struct ExecCommandApprovalParams {
    pub cwd: PathBuf,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reason: Option<String>,
+    pub parsed_cmd: Vec<ParsedCommand>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 pub struct ExecCommandApprovalResponse {
    pub decision: ReviewDecision,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 pub struct ApplyPatchApprovalResponse {
    pub decision: ReviewDecision,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(rename_all = "camelCase")]
 pub struct FuzzyFileSearchParams {
@@ -721,7 +752,7 @@ pub struct FuzzyFileSearchParams {
 }

 /// Superset of [`codex_file_search::FileMatch`]
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 pub struct FuzzyFileSearchResult {
    pub root: String,
    pub path: String,
@@ -731,21 +762,22 @@ pub struct FuzzyFileSearchResult {
    pub indices: Option<Vec<u32>>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 pub struct FuzzyFileSearchResponse {
    pub files: Vec<FuzzyFileSearchResult>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct LoginChatGptCompleteNotification {
+    #[schemars(with = "String")]
    pub login_id: Uuid,
    pub success: bool,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub error: Option<String>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct SessionConfiguredNotification {
    /// Name left as session_id instead of conversation_id for backwards compatibility.
@@ -773,7 +805,7 @@ pub struct SessionConfiguredNotification {
    pub rollout_path: PathBuf,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct AuthStatusChangeNotification {
    /// Current authentication method; omitted if signed out.
@@ -782,7 +814,7 @@ pub struct AuthStatusChangeNotification {
 }

 /// Notification sent from the server to the client.
-#[derive(Serialize, Deserialize, Debug, Clone, TS, Display)]
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS, Display)]
 #[serde(tag = "method", content = "params", rename_all = "camelCase")]
 #[strum(serialize_all = "camelCase")]
 pub enum ServerNotification {
@@ -815,7 +847,7 @@ impl TryFrom<JSONRPCNotification> for ServerNotification {
 }

 /// Notification sent from the client to the server.
-#[derive(Serialize, Deserialize, Debug, Clone, TS, Display)]
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS, Display)]
 #[serde(tag = "method", content = "params", rename_all = "camelCase")]
 #[strum(serialize_all = "camelCase")]
 pub enum ClientNotification {
@@ -904,6 +936,9 @@ mod tests {
            command: vec!["echo".to_string(), "hello".to_string()],
            cwd: PathBuf::from("/tmp"),
            reason: Some("because tests".to_string()),
+            parsed_cmd: vec![ParsedCommand::Unknown {
+                cmd: "echo hello".to_string(),
+            }],
        };
        let request = ServerRequest::ExecCommandApproval {
            request_id: RequestId::Integer(7),
@@ -920,6 +955,12 @@ mod tests {
                    "command": ["echo", "hello"],
                    "cwd": "/tmp",
                    "reason": "because tests",
+                    "parsedCmd": [
+                        {
+                            "type": "unknown",
+                            "cmd": "echo hello"
+                        }
+                    ]
                }
            }),
            serde_json::to_value(&request)?,
--- a/codex-rs/app-server/src/codex_message_processor.rs
+++ b/codex-rs/app-server/src/codex_message_processor.rs
@@ -84,6 +84,7 @@ use codex_login::ServerOptions as LoginServerOptions;
 use codex_login::ShutdownHandle;
 use codex_login::run_login_server;
 use codex_protocol::ConversationId;
+use codex_protocol::config_types::ForcedLoginMethod;
 use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::protocol::InputMessageKind;
@@ -243,6 +244,19 @@ impl CodexMessageProcessor {
    }

    async fn login_api_key(&mut self, request_id: RequestId, params: LoginApiKeyParams) {
+        if matches!(
+            self.config.forced_login_method,
+            Some(ForcedLoginMethod::Chatgpt)
+        ) {
+            let error = JSONRPCErrorError {
+                code: INVALID_REQUEST_ERROR_CODE,
+                message: "API key login is disabled. Use ChatGPT login instead.".to_string(),
+                data: None,
+            };
+            self.outgoing.send_error(request_id, error).await;
+            return;
+        }
+
        {
            let mut guard = self.active_login.lock().await;
            if let Some(active) = guard.take() {
@@ -278,9 +292,23 @@ impl CodexMessageProcessor {
    async fn login_chatgpt(&mut self, request_id: RequestId) {
        let config = self.config.as_ref();

+        if matches!(config.forced_login_method, Some(ForcedLoginMethod::Api)) {
+            let error = JSONRPCErrorError {
+                code: INVALID_REQUEST_ERROR_CODE,
+                message: "ChatGPT login is disabled. Use API key login instead.".to_string(),
+                data: None,
+            };
+            self.outgoing.send_error(request_id, error).await;
+            return;
+        }
+
        let opts = LoginServerOptions {
            open_browser: false,
-            ..LoginServerOptions::new(config.codex_home.clone(), CLIENT_ID.to_string())
+            ..LoginServerOptions::new(
+                config.codex_home.clone(),
+                CLIENT_ID.to_string(),
+                config.forced_chatgpt_workspace_id.clone(),
+            )
        };

        enum LoginChatGptReply {
@@ -603,6 +631,7 @@ impl CodexMessageProcessor {
            env,
            with_escalated_permissions: None,
            justification: None,
+            arg0: None,
        };

        let effective_policy = params
@@ -1284,6 +1313,7 @@ async fn apply_bespoke_event_handling(
            command,
            cwd,
            reason,
+            parsed_cmd,
        }) => {
            let params = ExecCommandApprovalParams {
                conversation_id,
@@ -1291,6 +1321,7 @@ async fn apply_bespoke_event_handling(
                command,
                cwd,
                reason,
+                parsed_cmd,
            };
            let rx = outgoing
                .send_request(ServerRequestPayload::ExecCommandApproval(params))
@@ -1351,6 +1382,7 @@ async fn derive_config_from_params(
        include_view_image_tool: None,
        show_raw_agent_reasoning: None,
        tools_web_search_request: None,
+        additional_writable_roots: Vec::new(),
    };

    let cli_overrides = cli_overrides
--- a/codex-rs/app-server/tests/suite/auth.rs
+++ b/codex-rs/app-server/tests/suite/auth.rs
@@ -5,6 +5,7 @@ use app_test_support::to_response;
 use codex_app_server_protocol::AuthMode;
 use codex_app_server_protocol::GetAuthStatusParams;
 use codex_app_server_protocol::GetAuthStatusResponse;
+use codex_app_server_protocol::JSONRPCError;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::LoginApiKeyParams;
 use codex_app_server_protocol::LoginApiKeyResponse;
@@ -57,6 +58,19 @@ sandbox_mode = "danger-full-access"
    )
 }

+fn create_config_toml_forced_login(codex_home: &Path, forced_method: &str) -> std::io::Result<()> {
+    let config_toml = codex_home.join("config.toml");
+    let contents = format!(
+        r#"
+model = "mock-model"
+approval_policy = "never"
+sandbox_mode = "danger-full-access"
+forced_login_method = "{forced_method}"
+"#
+    );
+    std::fs::write(config_toml, contents)
+}
+
 async fn login_with_api_key_via_request(mcp: &mut McpProcess, api_key: &str) {
    let request_id = mcp
        .send_login_api_key_request(LoginApiKeyParams {
@@ -221,3 +235,38 @@ async fn get_auth_status_with_api_key_no_include_token() {
    assert_eq!(status.auth_method, Some(AuthMode::ApiKey));
    assert!(status.auth_token.is_none(), "token must be omitted");
 }
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn login_api_key_rejected_when_forced_chatgpt() {
+    let codex_home = TempDir::new().unwrap_or_else(|e| panic!("create tempdir: {e}"));
+    create_config_toml_forced_login(codex_home.path(), "chatgpt")
+        .unwrap_or_else(|err| panic!("write config.toml: {err}"));
+
+    let mut mcp = McpProcess::new(codex_home.path())
+        .await
+        .expect("spawn mcp process");
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
+        .await
+        .expect("init timeout")
+        .expect("init failed");
+
+    let request_id = mcp
+        .send_login_api_key_request(LoginApiKeyParams {
+            api_key: "sk-test-key".to_string(),
+        })
+        .await
+        .expect("send loginApiKey");
+
+    let err: JSONRPCError = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_error_message(RequestId::Integer(request_id)),
+    )
+    .await
+    .expect("loginApiKey error timeout")
+    .expect("loginApiKey error");
+
+    assert_eq!(
+        err.error.message,
+        "API key login is disabled. Use ChatGPT login instead."
+    );
+}
--- a/codex-rs/app-server/tests/suite/codex_message_processor_flow.rs
+++ b/codex-rs/app-server/tests/suite/codex_message_processor_flow.rs
@@ -27,6 +27,7 @@ use codex_core::protocol_config_types::ReasoningEffort;
 use codex_core::protocol_config_types::ReasoningSummary;
 use codex_core::spawn::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;
 use codex_protocol::config_types::SandboxMode;
+use codex_protocol::parse_command::ParsedCommand;
 use codex_protocol::protocol::Event;
 use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::InputMessageKind;
@@ -311,6 +312,9 @@ async fn test_send_user_turn_changes_approval_policy_behavior() {
            ],
            cwd: working_directory.clone(),
            reason: None,
+            parsed_cmd: vec![ParsedCommand::Unknown {
+                cmd: "python3 -c 'print(42)'".to_string()
+            }],
        },
        params
    );
--- a/codex-rs/app-server/tests/suite/config.rs
+++ b/codex-rs/app-server/tests/suite/config.rs
@@ -11,6 +11,7 @@ use codex_app_server_protocol::SandboxSettings;
 use codex_app_server_protocol::Tools;
 use codex_app_server_protocol::UserSavedConfig;
 use codex_core::protocol::AskForApproval;
+use codex_protocol::config_types::ForcedLoginMethod;
 use codex_protocol::config_types::ReasoningEffort;
 use codex_protocol::config_types::ReasoningSummary;
 use codex_protocol::config_types::SandboxMode;
@@ -33,6 +34,8 @@ model_reasoning_summary = "detailed"
 model_reasoning_effort = "high"
 model_verbosity = "medium"
 profile = "test"
+forced_chatgpt_workspace_id = "12345678-0000-0000-0000-000000000000"
+forced_login_method = "chatgpt"

 [sandbox_workspace_write]
 writable_roots = ["/tmp"]
@@ -92,6 +95,8 @@ async fn get_config_toml_parses_all_fields() {
                exclude_tmpdir_env_var: Some(true),
                exclude_slash_tmp: Some(true),
            }),
+            forced_chatgpt_workspace_id: Some("12345678-0000-0000-0000-000000000000".into()),
+            forced_login_method: Some(ForcedLoginMethod::Chatgpt),
            model: Some("gpt-5-codex".into()),
            model_reasoning_effort: Some(ReasoningEffort::High),
            model_reasoning_summary: Some(ReasoningSummary::Detailed),
@@ -149,6 +154,8 @@ async fn get_config_toml_empty() {
            approval_policy: None,
            sandbox_mode: None,
            sandbox_settings: None,
+            forced_chatgpt_workspace_id: None,
+            forced_login_method: None,
            model: None,
            model_reasoning_effort: None,
            model_reasoning_summary: None,
--- a/codex-rs/app-server/tests/suite/login.rs
+++ b/codex-rs/app-server/tests/suite/login.rs
@@ -7,6 +7,7 @@ use codex_app_server_protocol::CancelLoginChatGptParams;
 use codex_app_server_protocol::CancelLoginChatGptResponse;
 use codex_app_server_protocol::GetAuthStatusParams;
 use codex_app_server_protocol::GetAuthStatusResponse;
+use codex_app_server_protocol::JSONRPCError;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::LoginChatGptResponse;
 use codex_app_server_protocol::LogoutChatGptResponse;
@@ -144,3 +145,97 @@ async fn login_and_cancel_chatgpt() {
        eprintln!("warning: did not observe login_chat_gpt_complete notification after cancel");
    }
 }
+
+fn create_config_toml_forced_login(codex_home: &Path, forced_method: &str) -> std::io::Result<()> {
+    let config_toml = codex_home.join("config.toml");
+    let contents = format!(
+        r#"
+model = "mock-model"
+approval_policy = "never"
+sandbox_mode = "danger-full-access"
+forced_login_method = "{forced_method}"
+"#
+    );
+    std::fs::write(config_toml, contents)
+}
+
+fn create_config_toml_forced_workspace(
+    codex_home: &Path,
+    workspace_id: &str,
+) -> std::io::Result<()> {
+    let config_toml = codex_home.join("config.toml");
+    let contents = format!(
+        r#"
+model = "mock-model"
+approval_policy = "never"
+sandbox_mode = "danger-full-access"
+forced_chatgpt_workspace_id = "{workspace_id}"
+"#
+    );
+    std::fs::write(config_toml, contents)
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn login_chatgpt_rejected_when_forced_api() {
+    let codex_home = TempDir::new().unwrap_or_else(|e| panic!("create tempdir: {e}"));
+    create_config_toml_forced_login(codex_home.path(), "api")
+        .unwrap_or_else(|err| panic!("write config.toml: {err}"));
+
+    let mut mcp = McpProcess::new(codex_home.path())
+        .await
+        .expect("spawn mcp process");
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
+        .await
+        .expect("init timeout")
+        .expect("init failed");
+
+    let request_id = mcp
+        .send_login_chat_gpt_request()
+        .await
+        .expect("send loginChatGpt");
+    let err: JSONRPCError = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_error_message(RequestId::Integer(request_id)),
+    )
+    .await
+    .expect("loginChatGpt error timeout")
+    .expect("loginChatGpt error");
+
+    assert_eq!(
+        err.error.message,
+        "ChatGPT login is disabled. Use API key login instead."
+    );
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn login_chatgpt_includes_forced_workspace_query_param() {
+    let codex_home = TempDir::new().unwrap_or_else(|e| panic!("create tempdir: {e}"));
+    create_config_toml_forced_workspace(codex_home.path(), "ws-forced")
+        .unwrap_or_else(|err| panic!("write config.toml: {err}"));
+
+    let mut mcp = McpProcess::new(codex_home.path())
+        .await
+        .expect("spawn mcp process");
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
+        .await
+        .expect("init timeout")
+        .expect("init failed");
+
+    let request_id = mcp
+        .send_login_chat_gpt_request()
+        .await
+        .expect("send loginChatGpt");
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
+    )
+    .await
+    .expect("loginChatGpt timeout")
+    .expect("loginChatGpt response");
+
+    let login: LoginChatGptResponse = to_response(resp).expect("deserialize login resp");
+    assert!(
+        login.auth_url.contains("allowed_workspace_id=ws-forced"),
+        "auth URL should include forced workspace"
+    );
+}
--- a/codex-rs/async-utils/Cargo.toml
+++ b/codex-rs/async-utils/Cargo.toml
@@ -0,0 +1,15 @@
+[package]
+edition.workspace = true
+name = "codex-async-utils"
+version.workspace = true
+
+[lints]
+workspace = true
+
+[dependencies]
+async-trait.workspace = true
+tokio = { workspace = true, features = ["macros", "rt", "rt-multi-thread", "time"] }
+tokio-util.workspace = true
+
+[dev-dependencies]
+pretty_assertions.workspace = true
--- a/codex-rs/async-utils/src/lib.rs
+++ b/codex-rs/async-utils/src/lib.rs
@@ -0,0 +1,86 @@
+use async_trait::async_trait;
+use std::future::Future;
+use tokio_util::sync::CancellationToken;
+
+#[derive(Debug, PartialEq, Eq)]
+pub enum CancelErr {
+    Cancelled,
+}
+
+#[async_trait]
+pub trait OrCancelExt: Sized {
+    type Output;
+
+    async fn or_cancel(self, token: &CancellationToken) -> Result<Self::Output, CancelErr>;
+}
+
+#[async_trait]
+impl<F> OrCancelExt for F
+where
+    F: Future + Send,
+    F::Output: Send,
+{
+    type Output = F::Output;
+
+    async fn or_cancel(self, token: &CancellationToken) -> Result<Self::Output, CancelErr> {
+        tokio::select! {
+            _ = token.cancelled() => Err(CancelErr::Cancelled),
+            res = self => Ok(res),
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use pretty_assertions::assert_eq;
+    use std::time::Duration;
+    use tokio::task;
+    use tokio::time::sleep;
+
+    #[tokio::test]
+    async fn returns_ok_when_future_completes_first() {
+        let token = CancellationToken::new();
+        let value = async { 42 };
+
+        let result = value.or_cancel(&token).await;
+
+        assert_eq!(Ok(42), result);
+    }
+
+    #[tokio::test]
+    async fn returns_err_when_token_cancelled_first() {
+        let token = CancellationToken::new();
+        let token_clone = token.clone();
+
+        let cancel_handle = task::spawn(async move {
+            sleep(Duration::from_millis(10)).await;
+            token_clone.cancel();
+        });
+
+        let result = async {
+            sleep(Duration::from_millis(100)).await;
+            7
+        }
+        .or_cancel(&token)
+        .await;
+
+        cancel_handle.await.expect("cancel task panicked");
+        assert_eq!(Err(CancelErr::Cancelled), result);
+    }
+
+    #[tokio::test]
+    async fn returns_err_when_token_already_cancelled() {
+        let token = CancellationToken::new();
+        token.cancel();
+
+        let result = async {
+            sleep(Duration::from_millis(50)).await;
+            5
+        }
+        .or_cancel(&token)
+        .await;
+
+        assert_eq!(Err(CancelErr::Cancelled), result);
+    }
+}
--- a/codex-rs/cli/Cargo.toml
+++ b/codex-rs/cli/Cargo.toml
@@ -19,8 +19,10 @@ anyhow = { workspace = true }
 clap = { workspace = true, features = ["derive"] }
 clap_complete = { workspace = true }
 codex-app-server = { workspace = true }
+codex-app-server-protocol = { workspace = true }
 codex-arg0 = { workspace = true }
 codex-chatgpt = { workspace = true }
+codex-cloud-tasks = { path = "../cloud-tasks" }
 codex-common = { workspace = true, features = ["cli"] }
 codex-core = { workspace = true }
 codex-exec = { workspace = true }
@@ -28,12 +30,11 @@ codex-login = { workspace = true }
 codex-mcp-server = { workspace = true }
 codex-process-hardening = { workspace = true }
 codex-protocol = { workspace = true }
-codex-app-server-protocol = { workspace = true }
 codex-protocol-ts = { workspace = true }
 codex-responses-api-proxy = { workspace = true }
-codex-tui = { workspace = true }
 codex-rmcp-client = { workspace = true }
-codex-cloud-tasks = { path = "../cloud-tasks" }
+codex-stdio-to-uds = { workspace = true }
+codex-tui = { workspace = true }
 ctor = { workspace = true }
 owo-colors = { workspace = true }
 serde_json = { workspace = true }
@@ -47,8 +48,8 @@ tokio = { workspace = true, features = [
 ] }

 [dev-dependencies]
-assert_matches = { workspace = true }
 assert_cmd = { workspace = true }
+assert_matches = { workspace = true }
 predicates = { workspace = true }
 pretty_assertions = { workspace = true }
 tempfile = { workspace = true }
--- a/codex-rs/cli/src/login.rs
+++ b/codex-rs/cli/src/login.rs
@@ -9,12 +9,20 @@ use codex_core::config::ConfigOverrides;
 use codex_login::ServerOptions;
 use codex_login::run_device_code_login;
 use codex_login::run_login_server;
+use codex_protocol::config_types::ForcedLoginMethod;
 use std::io::IsTerminal;
 use std::io::Read;
 use std::path::PathBuf;

-pub async fn login_with_chatgpt(codex_home: PathBuf) -> std::io::Result<()> {
-    let opts = ServerOptions::new(codex_home, CLIENT_ID.to_string());
+pub async fn login_with_chatgpt(
+    codex_home: PathBuf,
+    forced_chatgpt_workspace_id: Option<String>,
+) -> std::io::Result<()> {
+    let opts = ServerOptions::new(
+        codex_home,
+        CLIENT_ID.to_string(),
+        forced_chatgpt_workspace_id,
+    );
    let server = run_login_server(opts)?;

    eprintln!(
@@ -28,7 +36,14 @@ pub async fn login_with_chatgpt(codex_home: PathBuf) -> std::io::Result<()> {
 pub async fn run_login_with_chatgpt(cli_config_overrides: CliConfigOverrides) -> ! {
    let config = load_config_or_exit(cli_config_overrides).await;

-    match login_with_chatgpt(config.codex_home).await {
+    if matches!(config.forced_login_method, Some(ForcedLoginMethod::Api)) {
+        eprintln!("ChatGPT login is disabled. Use API key login instead.");
+        std::process::exit(1);
+    }
+
+    let forced_chatgpt_workspace_id = config.forced_chatgpt_workspace_id.clone();
+
+    match login_with_chatgpt(config.codex_home, forced_chatgpt_workspace_id).await {
        Ok(_) => {
            eprintln!("Successfully logged in");
            std::process::exit(0);
@@ -46,6 +61,11 @@ pub async fn run_login_with_api_key(
 ) -> ! {
    let config = load_config_or_exit(cli_config_overrides).await;

+    if matches!(config.forced_login_method, Some(ForcedLoginMethod::Chatgpt)) {
+        eprintln!("API key login is disabled. Use ChatGPT login instead.");
+        std::process::exit(1);
+    }
+
    match login_with_api_key(&config.codex_home, &api_key) {
        Ok(_) => {
            eprintln!("Successfully logged in");
@@ -92,9 +112,15 @@ pub async fn run_login_with_device_code(
    client_id: Option<String>,
 ) -> ! {
    let config = load_config_or_exit(cli_config_overrides).await;
+    if matches!(config.forced_login_method, Some(ForcedLoginMethod::Api)) {
+        eprintln!("ChatGPT login is disabled. Use API key login instead.");
+        std::process::exit(1);
+    }
+    let forced_chatgpt_workspace_id = config.forced_chatgpt_workspace_id.clone();
    let mut opts = ServerOptions::new(
        config.codex_home,
        client_id.unwrap_or(CLIENT_ID.to_string()),
+        forced_chatgpt_workspace_id,
    );
    if let Some(iss) = issuer_base_url {
        opts.issuer = iss;
--- a/codex-rs/cli/src/main.rs
+++ b/codex-rs/cli/src/main.rs
@@ -19,6 +19,7 @@ use codex_exec::Cli as ExecCli;
 use codex_responses_api_proxy::Args as ResponsesApiProxyArgs;
 use codex_tui::AppExitInfo;
 use codex_tui::Cli as TuiCli;
+use codex_tui::UpdateAction;
 use owo_colors::OwoColorize;
 use std::path::PathBuf;
 use supports_color::Stream;
@@ -41,7 +42,8 @@ use codex_core::config::ConfigOverrides;
    // The executable is sometimes invoked via a platform‑specific name like
    // `codex-x86_64-unknown-linux-musl`, but the help output should always use
    // the generic `codex` command name that users run.
-    bin_name = "codex"
+    bin_name = "codex",
+    override_usage = "codex [OPTIONS] [PROMPT]\n       codex [OPTIONS] <COMMAND> [ARGS]"
 )]
 struct MultitoolCli {
    #[clap(flatten)]
@@ -103,6 +105,10 @@ enum Subcommand {
    #[clap(hide = true)]
    ResponsesApiProxy(ResponsesApiProxyArgs),

+    /// Internal: relay stdio to a Unix domain socket.
+    #[clap(hide = true, name = "stdio-to-uds")]
+    StdioToUds(StdioToUdsCommand),
+
    /// Inspect feature flags.
    Features(FeaturesCli),
 }
@@ -204,10 +210,18 @@ struct GenerateTsCommand {
    prettier: Option<PathBuf>,
 }

+#[derive(Debug, Parser)]
+struct StdioToUdsCommand {
+    /// Path to the Unix domain socket to connect to.
+    #[arg(value_name = "SOCKET_PATH")]
+    socket_path: PathBuf,
+}
+
 fn format_exit_messages(exit_info: AppExitInfo, color_enabled: bool) -> Vec<String> {
    let AppExitInfo {
        token_usage,
        conversation_id,
+        ..
    } = exit_info;

    if token_usage.is_zero() {
@@ -232,11 +246,32 @@ fn format_exit_messages(exit_info: AppExitInfo, color_enabled: bool) -> Vec<Stri
    lines
 }

-fn print_exit_messages(exit_info: AppExitInfo) {
+/// Handle the app exit and print the results. Optionally run the update action.
+fn handle_app_exit(exit_info: AppExitInfo) -> anyhow::Result<()> {
+    let update_action = exit_info.update_action;
    let color_enabled = supports_color::on(Stream::Stdout).is_some();
    for line in format_exit_messages(exit_info, color_enabled) {
        println!("{line}");
    }
+    if let Some(action) = update_action {
+        run_update_action(action)?;
+    }
+    Ok(())
+}
+
+/// Run the update action and print the result.
+fn run_update_action(action: UpdateAction) -> anyhow::Result<()> {
+    println!();
+    let (cmd, args) = action.command_args();
+    let cmd_str = action.command_str();
+    println!("Updating Codex via `{cmd_str}`...");
+    let status = std::process::Command::new(cmd).args(args).status()?;
+    if !status.success() {
+        anyhow::bail!("`{cmd_str}` failed with status {status}");
+    }
+    println!();
+    println!("🎉 Update ran successfully! Please restart Codex.");
+    Ok(())
 }

 #[derive(Debug, Default, Parser, Clone)]
@@ -321,7 +356,7 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
                root_config_overrides.clone(),
            );
            let exit_info = codex_tui::run_main(interactive, codex_linux_sandbox_exe).await?;
-            print_exit_messages(exit_info);
+            handle_app_exit(exit_info)?;
        }
        Some(Subcommand::Exec(mut exec_cli)) => {
            prepend_config_flags(
@@ -354,7 +389,7 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
                config_overrides,
            );
            let exit_info = codex_tui::run_main(interactive, codex_linux_sandbox_exe).await?;
-            print_exit_messages(exit_info);
+            handle_app_exit(exit_info)?;
        }
        Some(Subcommand::Login(mut login_cli)) => {
            prepend_config_flags(
@@ -439,6 +474,11 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
            tokio::task::spawn_blocking(move || codex_responses_api_proxy::run_main(args))
                .await??;
        }
+        Some(Subcommand::StdioToUds(cmd)) => {
+            let socket_path = cmd.socket_path;
+            tokio::task::spawn_blocking(move || codex_stdio_to_uds::run(socket_path.as_path()))
+                .await??;
+        }
        Some(Subcommand::GenerateTs(gen_cli)) => {
            codex_protocol_ts::generate_ts(&gen_cli.out_dir, gen_cli.prettier.as_deref())?;
        }
@@ -540,6 +580,9 @@ fn merge_resume_cli_flags(interactive: &mut TuiCli, resume_cli: TuiCli) {
    if !resume_cli.images.is_empty() {
        interactive.images = resume_cli.images;
    }
+    if !resume_cli.add_dir.is_empty() {
+        interactive.add_dir.extend(resume_cli.add_dir);
+    }
    if let Some(prompt) = resume_cli.prompt {
        interactive.prompt = Some(prompt);
    }
@@ -595,6 +638,7 @@ mod tests {
            conversation_id: conversation
                .map(ConversationId::from_string)
                .map(Result::unwrap),
+            update_action: None,
        }
    }

@@ -603,6 +647,7 @@ mod tests {
        let exit_info = AppExitInfo {
            token_usage: TokenUsage::default(),
            conversation_id: None,
+            update_action: None,
        };
        let lines = format_exit_messages(exit_info, false);
        assert!(lines.is_empty());
--- a/codex-rs/cli/src/mcp_cmd.rs
+++ b/codex-rs/cli/src/mcp_cmd.rs
@@ -6,6 +6,7 @@ use anyhow::anyhow;
 use anyhow::bail;
 use clap::ArgGroup;
 use codex_common::CliConfigOverrides;
+use codex_common::format_env_display::format_env_display;
 use codex_core::config::Config;
 use codex_core::config::ConfigOverrides;
 use codex_core::config::find_codex_home;
@@ -227,6 +228,8 @@ async fn run_add(config_overrides: &CliConfigOverrides, add_args: AddArgs) -> Re
                command: command_bin,
                args: command_args,
                env: env_map,
+                env_vars: Vec::new(),
+                cwd: None,
            }
        }
        AddMcpTransportArgs {
@@ -239,6 +242,8 @@ async fn run_add(config_overrides: &CliConfigOverrides, add_args: AddArgs) -> Re
        } => McpServerTransportConfig::StreamableHttp {
            url,
            bearer_token_env_var,
+            http_headers: None,
+            env_http_headers: None,
        },
        AddMcpTransportArgs { .. } => bail!("exactly one of --command or --url must be provided"),
    };
@@ -260,11 +265,20 @@ async fn run_add(config_overrides: &CliConfigOverrides, add_args: AddArgs) -> Re
    if let McpServerTransportConfig::StreamableHttp {
        url,
        bearer_token_env_var: None,
+        http_headers,
+        env_http_headers,
    } = transport
        && matches!(supports_oauth_login(&url).await, Ok(true))
    {
        println!("Detected OAuth support. Starting OAuth flow…");
-        perform_oauth_login(&name, &url, config.mcp_oauth_credentials_store_mode).await?;
+        perform_oauth_login(
+            &name,
+            &url,
+            config.mcp_oauth_credentials_store_mode,
+            http_headers.clone(),
+            env_http_headers.clone(),
+        )
+        .await?;
        println!("Successfully logged in.");
    }

@@ -317,12 +331,24 @@ async fn run_login(config_overrides: &CliConfigOverrides, login_args: LoginArgs)
        bail!("No MCP server named '{name}' found.");
    };

-    let url = match &server.transport {
-        McpServerTransportConfig::StreamableHttp { url, .. } => url.clone(),
+    let (url, http_headers, env_http_headers) = match &server.transport {
+        McpServerTransportConfig::StreamableHttp {
+            url,
+            http_headers,
+            env_http_headers,
+            ..
+        } => (url.clone(), http_headers.clone(), env_http_headers.clone()),
        _ => bail!("OAuth login is only supported for streamable HTTP servers."),
    };

-    perform_oauth_login(&name, &url, config.mcp_oauth_credentials_store_mode).await?;
+    perform_oauth_login(
+        &name,
+        &url,
+        config.mcp_oauth_credentials_store_mode,
+        http_headers,
+        env_http_headers,
+    )
+    .await?;
    println!("Successfully logged in to MCP server '{name}'.");
    Ok(())
 }
@@ -377,20 +403,32 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->
                    .copied()
                    .unwrap_or(McpAuthStatus::Unsupported);
                let transport = match &cfg.transport {
-                    McpServerTransportConfig::Stdio { command, args, env } => serde_json::json!({
+                    McpServerTransportConfig::Stdio {
+                        command,
+                        args,
+                        env,
+                        env_vars,
+                        cwd,
+                    } => serde_json::json!({
                        "type": "stdio",
                        "command": command,
                        "args": args,
                        "env": env,
+                        "env_vars": env_vars,
+                        "cwd": cwd,
                    }),
                    McpServerTransportConfig::StreamableHttp {
                        url,
                        bearer_token_env_var,
+                        http_headers,
+                        env_http_headers,
                    } => {
                        serde_json::json!({
                            "type": "streamable_http",
                            "url": url,
                            "bearer_token_env_var": bearer_token_env_var,
+                            "http_headers": http_headers,
+                            "env_http_headers": env_http_headers,
                        })
                    }
                };
@@ -419,30 +457,29 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->
        return Ok(());
    }

-    let mut stdio_rows: Vec<[String; 6]> = Vec::new();
+    let mut stdio_rows: Vec<[String; 7]> = Vec::new();
    let mut http_rows: Vec<[String; 5]> = Vec::new();

    for (name, cfg) in entries {
        match &cfg.transport {
-            McpServerTransportConfig::Stdio { command, args, env } => {
+            McpServerTransportConfig::Stdio {
+                command,
+                args,
+                env,
+                env_vars,
+                cwd,
+            } => {
                let args_display = if args.is_empty() {
                    "-".to_string()
                } else {
                    args.join(" ")
                };
-                let env_display = match env.as_ref() {
-                    None => "-".to_string(),
-                    Some(map) if map.is_empty() => "-".to_string(),
-                    Some(map) => {
-                        let mut pairs: Vec<_> = map.iter().collect();
-                        pairs.sort_by(|(a, _), (b, _)| a.cmp(b));
-                        pairs
-                            .into_iter()
-                            .map(|(k, v)| format!("{k}={v}"))
-                            .collect::<Vec<_>>()
-                            .join(", ")
-                    }
-                };
+                let env_display = format_env_display(env.as_ref(), env_vars);
+                let cwd_display = cwd
+                    .as_ref()
+                    .map(|path| path.display().to_string())
+                    .filter(|value| !value.is_empty())
+                    .unwrap_or_else(|| "-".to_string());
                let status = if cfg.enabled {
                    "enabled".to_string()
                } else {
@@ -458,6 +495,7 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->
                    command.clone(),
                    args_display,
                    env_display,
+                    cwd_display,
                    status,
                    auth_status,
                ]);
@@ -465,6 +503,7 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->
            McpServerTransportConfig::StreamableHttp {
                url,
                bearer_token_env_var,
+                ..
            } => {
                let status = if cfg.enabled {
                    "enabled".to_string()
@@ -493,6 +532,7 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->
            "Command".len(),
            "Args".len(),
            "Env".len(),
+            "Cwd".len(),
            "Status".len(),
            "Auth".len(),
        ];
@@ -503,36 +543,40 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->
        }

        println!(
-            "{name:<name_w$}  {command:<cmd_w$}  {args:<args_w$}  {env:<env_w$}  {status:<status_w$}  {auth:<auth_w$}",
+            "{name:<name_w$}  {command:<cmd_w$}  {args:<args_w$}  {env:<env_w$}  {cwd:<cwd_w$}  {status:<status_w$}  {auth:<auth_w$}",
            name = "Name",
            command = "Command",
            args = "Args",
            env = "Env",
+            cwd = "Cwd",
            status = "Status",
            auth = "Auth",
            name_w = widths[0],
            cmd_w = widths[1],
            args_w = widths[2],
            env_w = widths[3],
-            status_w = widths[4],
-            auth_w = widths[5],
+            cwd_w = widths[4],
+            status_w = widths[5],
+            auth_w = widths[6],
        );

        for row in &stdio_rows {
            println!(
-                "{name:<name_w$}  {command:<cmd_w$}  {args:<args_w$}  {env:<env_w$}  {status:<status_w$}  {auth:<auth_w$}",
+                "{name:<name_w$}  {command:<cmd_w$}  {args:<args_w$}  {env:<env_w$}  {cwd:<cwd_w$}  {status:<status_w$}  {auth:<auth_w$}",
                name = row[0].as_str(),
                command = row[1].as_str(),
                args = row[2].as_str(),
                env = row[3].as_str(),
-                status = row[4].as_str(),
-                auth = row[5].as_str(),
+                cwd = row[4].as_str(),
+                status = row[5].as_str(),
+                auth = row[6].as_str(),
                name_w = widths[0],
                cmd_w = widths[1],
                args_w = widths[2],
                env_w = widths[3],
-                status_w = widths[4],
-                auth_w = widths[5],
+                cwd_w = widths[4],
+                status_w = widths[5],
+                auth_w = widths[6],
            );
        }
    }
@@ -601,19 +645,31 @@ async fn run_get(config_overrides: &CliConfigOverrides, get_args: GetArgs) -> Re

    if get_args.json {
        let transport = match &server.transport {
-            McpServerTransportConfig::Stdio { command, args, env } => serde_json::json!({
+            McpServerTransportConfig::Stdio {
+                command,
+                args,
+                env,
+                env_vars,
+                cwd,
+            } => serde_json::json!({
                "type": "stdio",
                "command": command,
                "args": args,
                "env": env,
+                "env_vars": env_vars,
+                "cwd": cwd,
            }),
            McpServerTransportConfig::StreamableHttp {
                url,
                bearer_token_env_var,
+                http_headers,
+                env_http_headers,
            } => serde_json::json!({
                "type": "streamable_http",
                "url": url,
                "bearer_token_env_var": bearer_token_env_var,
+                "http_headers": http_headers,
+                "env_http_headers": env_http_headers,
            }),
        };
        let output = serde_json::to_string_pretty(&serde_json::json!({
@@ -634,7 +690,13 @@ async fn run_get(config_overrides: &CliConfigOverrides, get_args: GetArgs) -> Re
    println!("{}", get_args.name);
    println!("  enabled: {}", server.enabled);
    match &server.transport {
-        McpServerTransportConfig::Stdio { command, args, env } => {
+        McpServerTransportConfig::Stdio {
+            command,
+            args,
+            env,
+            env_vars,
+            cwd,
+        } => {
            println!("  transport: stdio");
            println!("  command: {command}");
            let args_display = if args.is_empty() {
@@ -643,10 +705,27 @@ async fn run_get(config_overrides: &CliConfigOverrides, get_args: GetArgs) -> Re
                args.join(" ")
            };
            println!("  args: {args_display}");
-            let env_display = match env.as_ref() {
-                None => "-".to_string(),
-                Some(map) if map.is_empty() => "-".to_string(),
-                Some(map) => {
+            let cwd_display = cwd
+                .as_ref()
+                .map(|path| path.display().to_string())
+                .filter(|value| !value.is_empty())
+                .unwrap_or_else(|| "-".to_string());
+            println!("  cwd: {cwd_display}");
+            let env_display = format_env_display(env.as_ref(), env_vars);
+            println!("  env: {env_display}");
+        }
+        McpServerTransportConfig::StreamableHttp {
+            url,
+            bearer_token_env_var,
+            http_headers,
+            env_http_headers,
+        } => {
+            println!("  transport: streamable_http");
+            println!("  url: {url}");
+            let env_var = bearer_token_env_var.as_deref().unwrap_or("-");
+            println!("  bearer_token_env_var: {env_var}");
+            let headers_display = match http_headers {
+                Some(map) if !map.is_empty() => {
                    let mut pairs: Vec<_> = map.iter().collect();
                    pairs.sort_by(|(a, _), (b, _)| a.cmp(b));
                    pairs
@@ -655,17 +734,22 @@ async fn run_get(config_overrides: &CliConfigOverrides, get_args: GetArgs) -> Re
                        .collect::<Vec<_>>()
                        .join(", ")
                }
+                _ => "-".to_string(),
            };
-            println!("  env: {env_display}");
-        }
-        McpServerTransportConfig::StreamableHttp {
-            url,
-            bearer_token_env_var,
-        } => {
-            println!("  transport: streamable_http");
-            println!("  url: {url}");
-            let env_var = bearer_token_env_var.as_deref().unwrap_or("-");
-            println!("  bearer_token_env_var: {env_var}");
+            println!("  http_headers: {headers_display}");
+            let env_headers_display = match env_http_headers {
+                Some(map) if !map.is_empty() => {
+                    let mut pairs: Vec<_> = map.iter().collect();
+                    pairs.sort_by(|(a, _), (b, _)| a.cmp(b));
+                    pairs
+                        .into_iter()
+                        .map(|(k, v)| format!("{k}={v}"))
+                        .collect::<Vec<_>>()
+                        .join(", ")
+                }
+                _ => "-".to_string(),
+            };
+            println!("  env_http_headers: {env_headers_display}");
        }
    }
    if let Some(timeout) = server.startup_timeout_sec {
--- a/codex-rs/cli/tests/mcp_add_remove.rs
+++ b/codex-rs/cli/tests/mcp_add_remove.rs
@@ -28,10 +28,18 @@ async fn add_and_remove_server_updates_global_config() -> Result<()> {
    assert_eq!(servers.len(), 1);
    let docs = servers.get("docs").expect("server should exist");
    match &docs.transport {
-        McpServerTransportConfig::Stdio { command, args, env } => {
+        McpServerTransportConfig::Stdio {
+            command,
+            args,
+            env,
+            env_vars,
+            cwd,
+        } => {
            assert_eq!(command, "echo");
            assert_eq!(args, &vec!["hello".to_string()]);
            assert!(env.is_none());
+            assert!(env_vars.is_empty());
+            assert!(cwd.is_none());
        }
        other => panic!("unexpected transport: {other:?}"),
    }
@@ -112,9 +120,13 @@ async fn add_streamable_http_without_manual_token() -> Result<()> {
        McpServerTransportConfig::StreamableHttp {
            url,
            bearer_token_env_var,
+            http_headers,
+            env_http_headers,
        } => {
            assert_eq!(url, "https://example.com/mcp");
            assert!(bearer_token_env_var.is_none());
+            assert!(http_headers.is_none());
+            assert!(env_http_headers.is_none());
        }
        other => panic!("unexpected transport: {other:?}"),
    }
@@ -150,9 +162,13 @@ async fn add_streamable_http_with_custom_env_var() -> Result<()> {
        McpServerTransportConfig::StreamableHttp {
            url,
            bearer_token_env_var,
+            http_headers,
+            env_http_headers,
        } => {
            assert_eq!(url, "https://example.com/issues");
            assert_eq!(bearer_token_env_var.as_deref(), Some("GITHUB_TOKEN"));
+            assert!(http_headers.is_none());
+            assert!(env_http_headers.is_none());
        }
        other => panic!("unexpected transport: {other:?}"),
    }
--- a/codex-rs/cli/tests/mcp_list.rs
+++ b/codex-rs/cli/tests/mcp_list.rs
@@ -1,6 +1,9 @@
 use std::path::Path;

 use anyhow::Result;
+use codex_core::config::load_global_mcp_servers;
+use codex_core::config::write_global_mcp_servers;
+use codex_core::config_types::McpServerTransportConfig;
 use predicates::prelude::PredicateBooleanExt;
 use predicates::str::contains;
 use pretty_assertions::assert_eq;
@@ -27,8 +30,8 @@ fn list_shows_empty_state() -> Result<()> {
    Ok(())
 }

-#[test]
-fn list_and_get_render_expected_output() -> Result<()> {
+#[tokio::test]
+async fn list_and_get_render_expected_output() -> Result<()> {
    let codex_home = TempDir::new()?;

    let mut add = codex_command(codex_home.path())?;
@@ -46,6 +49,18 @@ fn list_and_get_render_expected_output() -> Result<()> {
    .assert()
    .success();

+    let mut servers = load_global_mcp_servers(codex_home.path()).await?;
+    let docs_entry = servers
+        .get_mut("docs")
+        .expect("docs server should exist after add");
+    match &mut docs_entry.transport {
+        McpServerTransportConfig::Stdio { env_vars, .. } => {
+            *env_vars = vec!["APP_TOKEN".to_string(), "WORKSPACE_ID".to_string()];
+        }
+        other => panic!("unexpected transport: {other:?}"),
+    }
+    write_global_mcp_servers(codex_home.path(), &servers)?;
+
    let mut list_cmd = codex_command(codex_home.path())?;
    let list_output = list_cmd.args(["mcp", "list"]).output()?;
    assert!(list_output.status.success());
@@ -54,6 +69,8 @@ fn list_and_get_render_expected_output() -> Result<()> {
    assert!(stdout.contains("docs"));
    assert!(stdout.contains("docs-server"));
    assert!(stdout.contains("TOKEN=secret"));
+    assert!(stdout.contains("APP_TOKEN=$APP_TOKEN"));
+    assert!(stdout.contains("WORKSPACE_ID=$WORKSPACE_ID"));
    assert!(stdout.contains("Status"));
    assert!(stdout.contains("Auth"));
    assert!(stdout.contains("enabled"));
@@ -79,7 +96,12 @@ fn list_and_get_render_expected_output() -> Result<()> {
              ],
              "env": {
                "TOKEN": "secret"
-              }
+              },
+              "env_vars": [
+                "APP_TOKEN",
+                "WORKSPACE_ID"
+              ],
+              "cwd": null
            },
            "startup_timeout_sec": null,
            "tool_timeout_sec": null,
@@ -98,6 +120,8 @@ fn list_and_get_render_expected_output() -> Result<()> {
    assert!(stdout.contains("command: docs-server"));
    assert!(stdout.contains("args: --port 4000"));
    assert!(stdout.contains("env: TOKEN=secret"));
+    assert!(stdout.contains("APP_TOKEN=$APP_TOKEN"));
+    assert!(stdout.contains("WORKSPACE_ID=$WORKSPACE_ID"));
    assert!(stdout.contains("enabled: true"));
    assert!(stdout.contains("remove: codex mcp remove docs"));

--- a/codex-rs/clippy.toml
+++ b/codex-rs/clippy.toml
@@ -7,3 +7,7 @@ disallowed-methods = [
    { path = "ratatui::style::Stylize::black", reason = "Avoid hardcoding black; prefer default fg or dim/bold. Exception: Disable this rule if rendering over a hardcoded ANSI background." },
    { path = "ratatui::style::Stylize::yellow", reason = "Avoid yellow; prefer other colors in `tui/styles.md`." },
 ]
+
+# Increase the size threshold for result_large_err to accommodate
+# richer error variants.
+large-error-threshold = 256
--- a/codex-rs/common/src/format_env_display.rs
+++ b/codex-rs/common/src/format_env_display.rs
@@ -0,0 +1,66 @@
+use std::collections::HashMap;
+
+pub fn format_env_display(env: Option<&HashMap<String, String>>, env_vars: &[String]) -> String {
+    let mut parts: Vec<String> = Vec::new();
+
+    if let Some(map) = env {
+        let mut pairs: Vec<_> = map.iter().collect();
+        pairs.sort_by(|(a, _), (b, _)| a.cmp(b));
+        parts.extend(
+            pairs
+                .into_iter()
+                .map(|(key, value)| format!("{key}={value}")),
+        );
+    }
+
+    if !env_vars.is_empty() {
+        parts.extend(env_vars.iter().map(|var| format!("{var}=${var}")));
+    }
+
+    if parts.is_empty() {
+        "-".to_string()
+    } else {
+        parts.join(", ")
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn returns_dash_when_empty() {
+        assert_eq!(format_env_display(None, &[]), "-");
+
+        let empty_map = HashMap::new();
+        assert_eq!(format_env_display(Some(&empty_map), &[]), "-");
+    }
+
+    #[test]
+    fn formats_sorted_env_pairs() {
+        let mut env = HashMap::new();
+        env.insert("B".to_string(), "two".to_string());
+        env.insert("A".to_string(), "one".to_string());
+
+        assert_eq!(format_env_display(Some(&env), &[]), "A=one, B=two");
+    }
+
+    #[test]
+    fn formats_env_vars_with_dollar_prefix() {
+        let vars = vec!["TOKEN".to_string(), "PATH".to_string()];
+
+        assert_eq!(format_env_display(None, &vars), "TOKEN=$TOKEN, PATH=$PATH");
+    }
+
+    #[test]
+    fn combines_env_pairs_and_vars() {
+        let mut env = HashMap::new();
+        env.insert("HOME".to_string(), "/tmp".to_string());
+        let vars = vec!["TOKEN".to_string()];
+
+        assert_eq!(
+            format_env_display(Some(&env), &vars),
+            "HOME=/tmp, TOKEN=$TOKEN"
+        );
+    }
+}
--- a/codex-rs/common/src/lib.rs
+++ b/codex-rs/common/src/lib.rs
@@ -13,6 +13,9 @@ mod sandbox_mode_cli_arg;
 #[cfg(feature = "cli")]
 pub use sandbox_mode_cli_arg::SandboxModeCliArg;

+#[cfg(feature = "cli")]
+pub mod format_env_display;
+
 #[cfg(any(feature = "cli", test))]
 mod config_override;

--- a/codex-rs/config.md
+++ b/codex-rs/config.md
@@ -3,4 +3,4 @@
 This file has moved. Please see the latest configuration documentation here:

 - Full config docs: [docs/config.md](../docs/config.md)
- MCP servers section: [docs/config.md#mcp_servers](../docs/config.md#mcp_servers) 
+- MCP servers section: [docs/config.md#connecting-to-mcp-servers](../docs/config.md#connecting-to-mcp-servers)
--- a/codex-rs/core/Cargo.toml
+++ b/codex-rs/core/Cargo.toml
@@ -26,7 +26,9 @@ codex-mcp-client = { workspace = true }
 codex-otel = { workspace = true, features = ["otel"] }
 codex-protocol = { workspace = true }
 codex-rmcp-client = { workspace = true }
+codex-async-utils = { workspace = true }
 codex-utils-string = { workspace = true }
+codex-utils-pty = { workspace = true }
 dirs = { workspace = true }
 dunce = { workspace = true }
 env-flags = { workspace = true }
@@ -36,7 +38,6 @@ indexmap = { workspace = true }
 libc = { workspace = true }
 mcp-types = { workspace = true }
 os_info = { workspace = true }
-portable-pty = { workspace = true }
 rand = { workspace = true }
 regex-lite = { workspace = true }
 reqwest = { workspace = true, features = ["json", "stream"] }
@@ -47,6 +48,7 @@ shlex = { workspace = true }
 similar = { workspace = true }
 strum_macros = { workspace = true }
 tempfile = { workspace = true }
+test-log = { workspace = true }
 thiserror = { workspace = true }
 time = { workspace = true, features = [
    "formatting",
--- a/codex-rs/core/README.md
+++ b/codex-rs/core/README.md
@@ -4,7 +4,7 @@ This crate implements the business logic for Codex. It is designed to be used by

 ## Dependencies

-Note that `codex-core` makes some assumptions about certain helper utilities being available in the environment. Currently, this
+Note that `codex-core` makes some assumptions about certain helper utilities being available in the environment. Currently, this support matrix is:

 ### macOS

--- a/codex-rs/core/src/auth.rs
+++ b/codex-rs/core/src/auth.rs
@@ -2,6 +2,8 @@ use chrono::DateTime;
 use chrono::Utc;
 use serde::Deserialize;
 use serde::Serialize;
+#[cfg(test)]
+use serial_test::serial;
 use std::env;
 use std::fs::File;
 use std::fs::OpenOptions;
@@ -16,7 +18,9 @@ use std::sync::Mutex;
 use std::time::Duration;

 use codex_app_server_protocol::AuthMode;
+use codex_protocol::config_types::ForcedLoginMethod;

+use crate::config::Config;
 use crate::token_data::PlanType;
 use crate::token_data::TokenData;
 use crate::token_data::parse_id_token;
@@ -135,6 +139,10 @@ impl CodexAuth {
        self.get_current_token_data().and_then(|t| t.account_id)
    }

+    pub fn get_account_email(&self) -> Option<String> {
+        self.get_current_token_data().and_then(|t| t.id_token.email)
+    }
+
    pub(crate) fn get_plan_type(&self) -> Option<PlanType> {
        self.get_current_token_data()
            .and_then(|t| t.id_token.chatgpt_plan_type)
@@ -229,6 +237,74 @@ pub fn login_with_api_key(codex_home: &Path, api_key: &str) -> std::io::Result<(
    write_auth_json(&get_auth_file(codex_home), &auth_dot_json)
 }

+pub async fn enforce_login_restrictions(config: &Config) -> std::io::Result<()> {
+    let Some(auth) = load_auth(&config.codex_home, true)? else {
+        return Ok(());
+    };
+
+    if let Some(required_method) = config.forced_login_method {
+        let method_violation = match (required_method, auth.mode) {
+            (ForcedLoginMethod::Api, AuthMode::ApiKey) => None,
+            (ForcedLoginMethod::Chatgpt, AuthMode::ChatGPT) => None,
+            (ForcedLoginMethod::Api, AuthMode::ChatGPT) => Some(
+                "API key login is required, but ChatGPT is currently being used. Logging out."
+                    .to_string(),
+            ),
+            (ForcedLoginMethod::Chatgpt, AuthMode::ApiKey) => Some(
+                "ChatGPT login is required, but an API key is currently being used. Logging out."
+                    .to_string(),
+            ),
+        };
+
+        if let Some(message) = method_violation {
+            return logout_with_message(&config.codex_home, message);
+        }
+    }
+
+    if let Some(expected_account_id) = config.forced_chatgpt_workspace_id.as_deref() {
+        if auth.mode != AuthMode::ChatGPT {
+            return Ok(());
+        }
+
+        let token_data = match auth.get_token_data().await {
+            Ok(data) => data,
+            Err(err) => {
+                return logout_with_message(
+                    &config.codex_home,
+                    format!(
+                        "Failed to load ChatGPT credentials while enforcing workspace restrictions: {err}. Logging out."
+                    ),
+                );
+            }
+        };
+
+        // workspace is the external identifier for account id.
+        let chatgpt_account_id = token_data.id_token.chatgpt_account_id.as_deref();
+        if chatgpt_account_id != Some(expected_account_id) {
+            let message = match chatgpt_account_id {
+                Some(actual) => format!(
+                    "Login is restricted to workspace {expected_account_id}, but current credentials belong to {actual}. Logging out."
+                ),
+                None => format!(
+                    "Login is restricted to workspace {expected_account_id}, but current credentials lack a workspace identifier. Logging out."
+                ),
+            };
+            return logout_with_message(&config.codex_home, message);
+        }
+    }
+
+    Ok(())
+}
+
+fn logout_with_message(codex_home: &Path, message: String) -> std::io::Result<()> {
+    match logout(codex_home) {
+        Ok(_) => Err(std::io::Error::other(message)),
+        Err(err) => Err(std::io::Error::other(format!(
+            "{message}. Failed to remove auth.json: {err}"
+        ))),
+    }
+}
+
 fn load_auth(
    codex_home: &Path,
    enable_codex_api_key_env: bool,
@@ -245,9 +321,8 @@ fn load_auth(
    let client = crate::default_client::create_client();
    let auth_dot_json = match try_read_auth_json(&auth_file) {
        Ok(auth) => auth,
-        Err(e) => {
-            return Err(e);
-        }
+        Err(err) if err.kind() == std::io::ErrorKind::NotFound => return Ok(None),
+        Err(err) => return Err(err),
    };

    let AuthDotJson {
@@ -399,17 +474,19 @@ struct CachedAuth {
 #[cfg(test)]
 mod tests {
    use super::*;
+    use crate::config::Config;
+    use crate::config::ConfigOverrides;
+    use crate::config::ConfigToml;
    use crate::token_data::IdTokenInfo;
    use crate::token_data::KnownPlan;
    use crate::token_data::PlanType;
    use base64::Engine;
+    use codex_protocol::config_types::ForcedLoginMethod;
    use pretty_assertions::assert_eq;
    use serde::Serialize;
    use serde_json::json;
    use tempfile::tempdir;

-    const LAST_REFRESH: &str = "2025-08-06T20:41:36.232376Z";
-
    #[tokio::test]
    async fn roundtrip_auth_dot_json() {
        let codex_home = tempdir().unwrap();
@@ -417,6 +494,7 @@ mod tests {
            AuthFileParams {
                openai_api_key: None,
                chatgpt_plan_type: "pro".to_string(),
+                chatgpt_account_id: None,
            },
            codex_home.path(),
        )
@@ -456,6 +534,13 @@ mod tests {
        assert!(auth.tokens.is_none(), "tokens should be cleared");
    }

+    #[test]
+    fn missing_auth_json_returns_none() {
+        let dir = tempdir().unwrap();
+        let auth = CodexAuth::from_codex_home(dir.path()).expect("call should succeed");
+        assert_eq!(auth, None);
+    }
+
    #[tokio::test]
    async fn pro_account_with_no_api_key_uses_chatgpt_auth() {
        let codex_home = tempdir().unwrap();
@@ -463,6 +548,7 @@ mod tests {
            AuthFileParams {
                openai_api_key: None,
                chatgpt_plan_type: "pro".to_string(),
+                chatgpt_account_id: None,
            },
            codex_home.path(),
        )
@@ -480,6 +566,10 @@ mod tests {

        let guard = auth_dot_json.lock().unwrap();
        let auth_dot_json = guard.as_ref().expect("AuthDotJson should exist");
+        let last_refresh = auth_dot_json
+            .last_refresh
+            .expect("last_refresh should be recorded");
+
        assert_eq!(
            &AuthDotJson {
                openai_api_key: None,
@@ -487,20 +577,17 @@ mod tests {
                    id_token: IdTokenInfo {
                        email: Some("user@example.com".to_string()),
                        chatgpt_plan_type: Some(PlanType::Known(KnownPlan::Pro)),
+                        chatgpt_account_id: None,
                        raw_jwt: fake_jwt,
                    },
                    access_token: "test-access-token".to_string(),
                    refresh_token: "test-refresh-token".to_string(),
                    account_id: None,
                }),
-                last_refresh: Some(
-                    DateTime::parse_from_rfc3339(LAST_REFRESH)
-                        .unwrap()
-                        .with_timezone(&Utc)
-                ),
+                last_refresh: Some(last_refresh),
            },
            auth_dot_json
-        )
+        );
    }

    #[tokio::test]
@@ -539,6 +626,7 @@ mod tests {
    struct AuthFileParams {
        openai_api_key: Option<String>,
        chatgpt_plan_type: String,
+        chatgpt_account_id: Option<String>,
    }

    fn write_auth_file(params: AuthFileParams, codex_home: &Path) -> std::io::Result<String> {
@@ -553,15 +641,21 @@ mod tests {
            alg: "none",
            typ: "JWT",
        };
+        let mut auth_payload = serde_json::json!({
+            "chatgpt_plan_type": params.chatgpt_plan_type,
+            "chatgpt_user_id": "user-12345",
+            "user_id": "user-12345",
+        });
+
+        if let Some(chatgpt_account_id) = params.chatgpt_account_id {
+            let org_value = serde_json::Value::String(chatgpt_account_id);
+            auth_payload["chatgpt_account_id"] = org_value;
+        }
+
        let payload = serde_json::json!({
            "email": "user@example.com",
            "email_verified": true,
-            "https://api.openai.com/auth": {
-                "chatgpt_account_id": "bc3618e3-489d-4d49-9362-1561dc53ba53",
-                "chatgpt_plan_type": params.chatgpt_plan_type,
-                "chatgpt_user_id": "user-12345",
-                "user_id": "user-12345",
-            }
+            "https://api.openai.com/auth": auth_payload,
        });
        let b64 = |b: &[u8]| base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(b);
        let header_b64 = b64(&serde_json::to_vec(&header)?);
@@ -576,12 +670,159 @@ mod tests {
                "access_token": "test-access-token",
                "refresh_token": "test-refresh-token"
            },
-            "last_refresh": LAST_REFRESH,
+            "last_refresh": Utc::now(),
        });
        let auth_json = serde_json::to_string_pretty(&auth_json_data)?;
        std::fs::write(auth_file, auth_json)?;
        Ok(fake_jwt)
    }
+
+    fn build_config(
+        codex_home: &Path,
+        forced_login_method: Option<ForcedLoginMethod>,
+        forced_chatgpt_workspace_id: Option<String>,
+    ) -> Config {
+        let mut config = Config::load_from_base_config_with_overrides(
+            ConfigToml::default(),
+            ConfigOverrides::default(),
+            codex_home.to_path_buf(),
+        )
+        .expect("config should load");
+        config.forced_login_method = forced_login_method;
+        config.forced_chatgpt_workspace_id = forced_chatgpt_workspace_id;
+        config
+    }
+
+    /// Use sparingly.
+    /// TODO (gpeal): replace this with an injectable env var provider.
+    #[cfg(test)]
+    struct EnvVarGuard {
+        key: &'static str,
+        original: Option<std::ffi::OsString>,
+    }
+
+    #[cfg(test)]
+    impl EnvVarGuard {
+        fn set(key: &'static str, value: &str) -> Self {
+            let original = env::var_os(key);
+            unsafe {
+                env::set_var(key, value);
+            }
+            Self { key, original }
+        }
+    }
+
+    #[cfg(test)]
+    impl Drop for EnvVarGuard {
+        fn drop(&mut self) {
+            unsafe {
+                match &self.original {
+                    Some(value) => env::set_var(self.key, value),
+                    None => env::remove_var(self.key),
+                }
+            }
+        }
+    }
+
+    #[tokio::test]
+    async fn enforce_login_restrictions_logs_out_for_method_mismatch() {
+        let codex_home = tempdir().unwrap();
+        login_with_api_key(codex_home.path(), "sk-test").expect("seed api key");
+
+        let config = build_config(codex_home.path(), Some(ForcedLoginMethod::Chatgpt), None);
+
+        let err = super::enforce_login_restrictions(&config)
+            .await
+            .expect_err("expected method mismatch to error");
+        assert!(err.to_string().contains("ChatGPT login is required"));
+        assert!(
+            !codex_home.path().join("auth.json").exists(),
+            "auth.json should be removed on mismatch"
+        );
+    }
+
+    #[tokio::test]
+    async fn enforce_login_restrictions_logs_out_for_workspace_mismatch() {
+        let codex_home = tempdir().unwrap();
+        let _jwt = write_auth_file(
+            AuthFileParams {
+                openai_api_key: None,
+                chatgpt_plan_type: "pro".to_string(),
+                chatgpt_account_id: Some("org_another_org".to_string()),
+            },
+            codex_home.path(),
+        )
+        .expect("failed to write auth file");
+
+        let config = build_config(codex_home.path(), None, Some("org_mine".to_string()));
+
+        let err = super::enforce_login_restrictions(&config)
+            .await
+            .expect_err("expected workspace mismatch to error");
+        assert!(err.to_string().contains("workspace org_mine"));
+        assert!(
+            !codex_home.path().join("auth.json").exists(),
+            "auth.json should be removed on mismatch"
+        );
+    }
+
+    #[tokio::test]
+    async fn enforce_login_restrictions_allows_matching_workspace() {
+        let codex_home = tempdir().unwrap();
+        let _jwt = write_auth_file(
+            AuthFileParams {
+                openai_api_key: None,
+                chatgpt_plan_type: "pro".to_string(),
+                chatgpt_account_id: Some("org_mine".to_string()),
+            },
+            codex_home.path(),
+        )
+        .expect("failed to write auth file");
+
+        let config = build_config(codex_home.path(), None, Some("org_mine".to_string()));
+
+        super::enforce_login_restrictions(&config)
+            .await
+            .expect("matching workspace should succeed");
+        assert!(
+            codex_home.path().join("auth.json").exists(),
+            "auth.json should remain when restrictions pass"
+        );
+    }
+
+    #[tokio::test]
+    async fn enforce_login_restrictions_allows_api_key_if_login_method_not_set_but_forced_chatgpt_workspace_id_is_set()
+     {
+        let codex_home = tempdir().unwrap();
+        login_with_api_key(codex_home.path(), "sk-test").expect("seed api key");
+
+        let config = build_config(codex_home.path(), None, Some("org_mine".to_string()));
+
+        super::enforce_login_restrictions(&config)
+            .await
+            .expect("matching workspace should succeed");
+        assert!(
+            codex_home.path().join("auth.json").exists(),
+            "auth.json should remain when restrictions pass"
+        );
+    }
+
+    #[tokio::test]
+    #[serial(codex_api_key)]
+    async fn enforce_login_restrictions_blocks_env_api_key_when_chatgpt_required() {
+        let _guard = EnvVarGuard::set(CODEX_API_KEY_ENV_VAR, "sk-env");
+        let codex_home = tempdir().unwrap();
+
+        let config = build_config(codex_home.path(), Some(ForcedLoginMethod::Chatgpt), None);
+
+        let err = super::enforce_login_restrictions(&config)
+            .await
+            .expect_err("environment API key should not satisfy forced ChatGPT login");
+        assert!(
+            err.to_string()
+                .contains("ChatGPT login is required, but an API key is currently being used.")
+        );
+    }
 }

 /// Central manager providing a single source of truth for auth.json derived
--- a/codex-rs/core/src/chat_completions.rs
+++ b/codex-rs/core/src/chat_completions.rs
@@ -5,11 +5,13 @@ use crate::client_common::Prompt;
 use crate::client_common::ResponseEvent;
 use crate::client_common::ResponseStream;
 use crate::error::CodexErr;
+use crate::error::ConnectionFailedError;
+use crate::error::ResponseStreamFailed;
 use crate::error::Result;
 use crate::error::RetryLimitReachedError;
 use crate::error::UnexpectedResponseError;
 use crate::model_family::ModelFamily;
-use crate::openai_tools::create_tools_json_for_chat_completions_api;
+use crate::tools::spec::create_tools_json_for_chat_completions_api;
 use crate::util::backoff;
 use bytes::Bytes;
 use codex_otel::otel_event_manager::OtelEventManager;
@@ -309,7 +311,12 @@ pub(crate) async fn stream_chat_completions(
        match res {
            Ok(resp) if resp.status().is_success() => {
                let (tx_event, rx_event) = mpsc::channel::<Result<ResponseEvent>>(1600);
-                let stream = resp.bytes_stream().map_err(CodexErr::Reqwest);
+                let stream = resp.bytes_stream().map_err(|e| {
+                    CodexErr::ResponseStreamFailed(ResponseStreamFailed {
+                        source: e,
+                        request_id: None,
+                    })
+                });
                tokio::spawn(process_chat_sse(
                    stream,
                    tx_event,
@@ -349,7 +356,9 @@ pub(crate) async fn stream_chat_completions(
            }
            Err(e) => {
                if attempt > max_retries {
-                    return Err(e.into());
+                    return Err(CodexErr::ConnectionFailed(ConnectionFailedError {
+                        source: e,
+                    }));
                }
                let delay = backoff(attempt);
                tokio::time::sleep(delay).await;
--- a/codex-rs/core/src/client.rs
+++ b/codex-rs/core/src/client.rs
@@ -5,6 +5,8 @@ use std::time::Duration;

 use crate::AuthManager;
 use crate::auth::CodexAuth;
+use crate::error::ConnectionFailedError;
+use crate::error::ResponseStreamFailed;
 use crate::error::RetryLimitReachedError;
 use crate::error::UnexpectedResponseError;
 use bytes::Bytes;
@@ -43,13 +45,15 @@ use crate::model_family::ModelFamily;
 use crate::model_provider_info::ModelProviderInfo;
 use crate::model_provider_info::WireApi;
 use crate::openai_model_info::get_model_info;
-use crate::openai_tools::create_tools_json_for_responses_api;
 use crate::protocol::RateLimitSnapshot;
 use crate::protocol::RateLimitWindow;
 use crate::protocol::TokenUsage;
 use crate::state::TaskKind;
 use crate::token_data::PlanType;
+use crate::tools::spec::create_tools_json_for_responses_api;
 use crate::util::backoff;
+use chrono::DateTime;
+use chrono::Utc;
 use codex_otel::otel_event_manager::OtelEventManager;
 use codex_protocol::config_types::ReasoningEffort as ReasoningEffortConfig;
 use codex_protocol::config_types::ReasoningSummary as ReasoningSummaryConfig;
@@ -69,7 +73,7 @@ struct Error {

    // Optional fields available on "usage_limit_reached" and "usage_not_included" errors
    plan_type: Option<PlanType>,
-    resets_in_seconds: Option<u64>,
+    resets_at: Option<i64>,
 }

 #[derive(Debug, Clone)]
@@ -108,10 +112,12 @@ impl ModelClient {
        }
    }

-    pub fn get_model_context_window(&self) -> Option<u64> {
+    pub fn get_model_context_window(&self) -> Option<i64> {
+        let pct = self.config.model_family.effective_context_window_percent;
        self.config
            .model_context_window
            .or_else(|| get_model_info(&self.config.model_family).map(|info| info.context_window))
+            .map(|w| w.saturating_mul(pct) / 100)
    }

    pub fn get_auto_compact_token_limit(&self) -> Option<i64> {
@@ -351,7 +357,12 @@ impl ModelClient {
                }

                // spawn task to process SSE
-                let stream = resp.bytes_stream().map_err(CodexErr::Reqwest);
+                let stream = resp.bytes_stream().map_err(move |e| {
+                    CodexErr::ResponseStreamFailed(ResponseStreamFailed {
+                        source: e,
+                        request_id: request_id.clone(),
+                    })
+                });
                tokio::spawn(process_sse(
                    stream,
                    tx_event,
@@ -412,10 +423,12 @@ impl ModelClient {
                            let plan_type = error
                                .plan_type
                                .or_else(|| auth.as_ref().and_then(CodexAuth::get_plan_type));
-                            let resets_in_seconds = error.resets_in_seconds;
+                            let resets_at = error
+                                .resets_at
+                                .and_then(|seconds| DateTime::<Utc>::from_timestamp(seconds, 0));
                            let codex_err = CodexErr::UsageLimitReached(UsageLimitReachedError {
                                plan_type,
-                                resets_in_seconds,
+                                resets_at,
                                rate_limits: rate_limit_snapshot,
                            });
                            return Err(StreamAttemptError::Fatal(codex_err));
@@ -431,7 +444,9 @@ impl ModelClient {
                    request_id,
                })
            }
-            Err(e) => Err(StreamAttemptError::RetryableTransportError(e.into())),
+            Err(e) => Err(StreamAttemptError::RetryableTransportError(
+                CodexErr::ConnectionFailed(ConnectionFailedError { source: e }),
+            )),
        }
    }

@@ -529,11 +544,11 @@ struct ResponseCompleted {

 #[derive(Debug, Deserialize)]
 struct ResponseCompletedUsage {
-    input_tokens: u64,
+    input_tokens: i64,
    input_tokens_details: Option<ResponseCompletedInputTokensDetails>,
-    output_tokens: u64,
+    output_tokens: i64,
    output_tokens_details: Option<ResponseCompletedOutputTokensDetails>,
-    total_tokens: u64,
+    total_tokens: i64,
 }

 impl From<ResponseCompletedUsage> for TokenUsage {
@@ -556,12 +571,12 @@ impl From<ResponseCompletedUsage> for TokenUsage {

 #[derive(Debug, Deserialize)]
 struct ResponseCompletedInputTokensDetails {
-    cached_tokens: u64,
+    cached_tokens: i64,
 }

 #[derive(Debug, Deserialize)]
 struct ResponseCompletedOutputTokensDetails {
-    reasoning_tokens: u64,
+    reasoning_tokens: i64,
 }

 fn attach_item_ids(payload_json: &mut Value, original_items: &[ResponseItem]) {
@@ -596,14 +611,14 @@ fn parse_rate_limit_snapshot(headers: &HeaderMap) -> Option<RateLimitSnapshot> {
        headers,
        "x-codex-primary-used-percent",
        "x-codex-primary-window-minutes",
-        "x-codex-primary-reset-after-seconds",
+        "x-codex-primary-reset-at",
    );

    let secondary = parse_rate_limit_window(
        headers,
        "x-codex-secondary-used-percent",
        "x-codex-secondary-window-minutes",
-        "x-codex-secondary-reset-after-seconds",
+        "x-codex-secondary-reset-at",
    );

    Some(RateLimitSnapshot { primary, secondary })
@@ -618,17 +633,17 @@ fn parse_rate_limit_window(
    let used_percent: Option<f64> = parse_header_f64(headers, used_percent_header);

    used_percent.and_then(|used_percent| {
-        let window_minutes = parse_header_u64(headers, window_minutes_header);
-        let resets_in_seconds = parse_header_u64(headers, resets_header);
+        let window_minutes = parse_header_i64(headers, window_minutes_header);
+        let resets_at = parse_header_i64(headers, resets_header);

        let has_data = used_percent != 0.0
            || window_minutes.is_some_and(|minutes| minutes != 0)
-            || resets_in_seconds.is_some_and(|seconds| seconds != 0);
+            || resets_at.is_some();

        has_data.then_some(RateLimitWindow {
            used_percent,
            window_minutes,
-            resets_in_seconds,
+            resets_at,
        })
    })
 }
@@ -640,8 +655,8 @@ fn parse_header_f64(headers: &HeaderMap, name: &str) -> Option<f64> {
        .filter(|v| v.is_finite())
 }

-fn parse_header_u64(headers: &HeaderMap, name: &str) -> Option<u64> {
-    parse_header_str(headers, name)?.parse::<u64>().ok()
+fn parse_header_i64(headers: &HeaderMap, name: &str) -> Option<i64> {
+    parse_header_str(headers, name)?.parse::<i64>().ok()
 }

 fn parse_header_str<'a>(headers: &'a HeaderMap, name: &str) -> Option<&'a str> {
@@ -1030,6 +1045,7 @@ mod tests {
            "test",
            "test",
            None,
+            Some("test@test.com".to_string()),
            Some(AuthMode::ChatGPT),
            false,
            "test".to_string(),
@@ -1380,7 +1396,7 @@ mod tests {
            message: Some("Rate limit reached for gpt-5 in organization org- on tokens per min (TPM): Limit 1, Used 1, Requested 19304. Please try again in 28ms. Visit https://platform.openai.com/account/rate-limits to learn more.".to_string()),
            code: Some("rate_limit_exceeded".to_string()),
            plan_type: None,
-            resets_in_seconds: None
+            resets_at: None
        };

        let delay = try_parse_retry_after(&err);
@@ -1394,20 +1410,20 @@ mod tests {
            message: Some("Rate limit reached for gpt-5 in organization <ORG> on tokens per min (TPM): Limit 30000, Used 6899, Requested 24050. Please try again in 1.898s. Visit https://platform.openai.com/account/rate-limits to learn more.".to_string()),
            code: Some("rate_limit_exceeded".to_string()),
            plan_type: None,
-            resets_in_seconds: None
+            resets_at: None
        };
        let delay = try_parse_retry_after(&err);
        assert_eq!(delay, Some(Duration::from_secs_f64(1.898)));
    }

    #[test]
-    fn error_response_deserializes_old_schema_known_plan_type_and_serializes_back() {
+    fn error_response_deserializes_schema_known_plan_type_and_serializes_back() {
        use crate::token_data::KnownPlan;
        use crate::token_data::PlanType;

-        let json = r#"{"error":{"type":"usage_limit_reached","plan_type":"pro","resets_in_seconds":3600}}"#;
-        let resp: ErrorResponse =
-            serde_json::from_str(json).expect("should deserialize old schema");
+        let json =
+            r#"{"error":{"type":"usage_limit_reached","plan_type":"pro","resets_at":1704067200}}"#;
+        let resp: ErrorResponse = serde_json::from_str(json).expect("should deserialize schema");

        assert_matches!(resp.error.plan_type, Some(PlanType::Known(KnownPlan::Pro)));

@@ -1416,13 +1432,12 @@ mod tests {
    }

    #[test]
-    fn error_response_deserializes_old_schema_unknown_plan_type_and_serializes_back() {
+    fn error_response_deserializes_schema_unknown_plan_type_and_serializes_back() {
        use crate::token_data::PlanType;

        let json =
-            r#"{"error":{"type":"usage_limit_reached","plan_type":"vip","resets_in_seconds":60}}"#;
-        let resp: ErrorResponse =
-            serde_json::from_str(json).expect("should deserialize old schema");
+            r#"{"error":{"type":"usage_limit_reached","plan_type":"vip","resets_at":1704067260}}"#;
+        let resp: ErrorResponse = serde_json::from_str(json).expect("should deserialize schema");

        assert_matches!(resp.error.plan_type, Some(PlanType::Unknown(ref s)) if s == "vip");

--- a/codex-rs/core/src/client_common.rs
+++ b/codex-rs/core/src/client_common.rs
@@ -281,7 +281,7 @@ pub(crate) struct ResponsesApiRequest<'a> {
 }

 pub(crate) mod tools {
-    use crate::openai_tools::JsonSchema;
+    use crate::tools::spec::JsonSchema;
    use serde::Deserialize;
    use serde::Serialize;

--- a/codex-rs/core/src/codex.rs
+++ b/codex-rs/core/src/codex.rs
--- a/codex-rs/core/src/command_safety/is_safe_command.rs
+++ b/codex-rs/core/src/command_safety/is_safe_command.rs
@@ -1,15 +1,25 @@
 use crate::bash::parse_bash_lc_plain_commands;

 pub fn is_known_safe_command(command: &[String]) -> bool {
+    let command: Vec<String> = command
+        .iter()
+        .map(|s| {
+            if s == "zsh" {
+                "bash".to_string()
+            } else {
+                s.clone()
+            }
+        })
+        .collect();
    #[cfg(target_os = "windows")]
    {
        use super::windows_safe_commands::is_safe_command_windows;
-        if is_safe_command_windows(command) {
+        if is_safe_command_windows(&command) {
            return true;
        }
    }

-    if is_safe_to_call_with_exec(command) {
+    if is_safe_to_call_with_exec(&command) {
        return true;
    }

@@ -19,7 +29,7 @@ pub fn is_known_safe_command(command: &[String]) -> bool {
    // introduce side effects ( "&&", "||", ";", and "|" ). If every
    // individual command in the script is itself a known‑safe command, then
    // the composite expression is considered safe.
-    if let Some(all_commands) = parse_bash_lc_plain_commands(command)
+    if let Some(all_commands) = parse_bash_lc_plain_commands(&command)
        && !all_commands.is_empty()
        && all_commands
            .iter()
@@ -31,9 +41,14 @@ pub fn is_known_safe_command(command: &[String]) -> bool {
 }

 fn is_safe_to_call_with_exec(command: &[String]) -> bool {
-    let cmd0 = command.first().map(String::as_str);
+    let Some(cmd0) = command.first().map(String::as_str) else {
+        return false;
+    };

-    match cmd0 {
+    match std::path::Path::new(&cmd0)
+        .file_name()
+        .and_then(|osstr| osstr.to_str())
+    {
        #[rustfmt::skip]
        Some(
            "cat" |
@@ -103,13 +118,12 @@ fn is_safe_to_call_with_exec(command: &[String]) -> bool {
        // Rust
        Some("cargo") if command.get(1).map(String::as_str) == Some("check") => true,

-        // Special-case `sed -n {N|M,N}p FILE`
+        // Special-case `sed -n {N|M,N}p`
        Some("sed")
            if {
-                command.len() == 4
+                command.len() <= 4
                    && command.get(1).map(String::as_str) == Some("-n")
                    && is_valid_sed_n_arg(command.get(2).map(String::as_str))
-                    && command.get(3).map(String::is_empty) == Some(false)
            } =>
        {
            true
--- a/codex-rs/core/src/config.rs
+++ b/codex-rs/core/src/config.rs
--- a/codex-rs/core/src/config_types.rs
+++ b/codex-rs/core/src/config_types.rs
@@ -44,16 +44,26 @@ impl<'de> Deserialize<'de> for McpServerConfig {
    {
        #[derive(Deserialize)]
        struct RawMcpServerConfig {
+            // stdio
            command: Option<String>,
            #[serde(default)]
            args: Option<Vec<String>>,
            #[serde(default)]
            env: Option<HashMap<String, String>>,
+            #[serde(default)]
+            env_vars: Option<Vec<String>>,
+            #[serde(default)]
+            cwd: Option<PathBuf>,
+            http_headers: Option<HashMap<String, String>>,
+            #[serde(default)]
+            env_http_headers: Option<HashMap<String, String>>,

+            // streamable_http
            url: Option<String>,
            bearer_token: Option<String>,
            bearer_token_env_var: Option<String>,

+            // shared
            #[serde(default)]
            startup_timeout_sec: Option<f64>,
            #[serde(default)]
@@ -92,8 +102,12 @@ impl<'de> Deserialize<'de> for McpServerConfig {
                command: Some(command),
                args,
                env,
+                env_vars,
+                cwd,
                url,
                bearer_token_env_var,
+                http_headers,
+                env_http_headers,
                ..
            } => {
                throw_if_set("stdio", "url", url.as_ref())?;
@@ -102,10 +116,14 @@ impl<'de> Deserialize<'de> for McpServerConfig {
                    "bearer_token_env_var",
                    bearer_token_env_var.as_ref(),
                )?;
+                throw_if_set("stdio", "http_headers", http_headers.as_ref())?;
+                throw_if_set("stdio", "env_http_headers", env_http_headers.as_ref())?;
                McpServerTransportConfig::Stdio {
                    command,
                    args: args.unwrap_or_default(),
                    env,
+                    env_vars: env_vars.unwrap_or_default(),
+                    cwd,
                }
            }
            RawMcpServerConfig {
@@ -115,15 +133,26 @@ impl<'de> Deserialize<'de> for McpServerConfig {
                command,
                args,
                env,
-                ..
+                env_vars,
+                cwd,
+                http_headers,
+                env_http_headers,
+                startup_timeout_sec: _,
+                tool_timeout_sec: _,
+                startup_timeout_ms: _,
+                enabled: _,
            } => {
                throw_if_set("streamable_http", "command", command.as_ref())?;
                throw_if_set("streamable_http", "args", args.as_ref())?;
                throw_if_set("streamable_http", "env", env.as_ref())?;
+                throw_if_set("streamable_http", "env_vars", env_vars.as_ref())?;
+                throw_if_set("streamable_http", "cwd", cwd.as_ref())?;
                throw_if_set("streamable_http", "bearer_token", bearer_token.as_ref())?;
                McpServerTransportConfig::StreamableHttp {
                    url,
                    bearer_token_env_var,
+                    http_headers,
+                    env_http_headers,
                }
            }
            _ => return Err(SerdeError::custom("invalid transport")),
@@ -152,6 +181,10 @@ pub enum McpServerTransportConfig {
        args: Vec<String>,
        #[serde(default, skip_serializing_if = "Option::is_none")]
        env: Option<HashMap<String, String>>,
+        #[serde(default, skip_serializing_if = "Vec::is_empty")]
+        env_vars: Vec<String>,
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        cwd: Option<PathBuf>,
    },
    /// https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#streamable-http
    StreamableHttp {
@@ -161,6 +194,12 @@ pub enum McpServerTransportConfig {
        /// The actual secret value must be provided via the environment.
        #[serde(default, skip_serializing_if = "Option::is_none")]
        bearer_token_env_var: Option<String>,
+        /// Additional HTTP headers to include in requests to this server.
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        http_headers: Option<HashMap<String, String>>,
+        /// HTTP headers where the value is sourced from an environment variable.
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        env_http_headers: Option<HashMap<String, String>>,
    },
 }

@@ -322,6 +361,20 @@ pub struct Tui {
    pub notifications: Notifications,
 }

+/// Settings for notices we display to users via the tui and app-server clients
+/// (primarily the Codex IDE extension). NOTE: these are different from
+/// notifications - notices are warnings, NUX screens, acknowledgements, etc.
+#[derive(Deserialize, Debug, Clone, PartialEq, Default)]
+pub struct Notice {
+    /// Tracks whether the user has acknowledged the full access warning prompt.
+    pub hide_full_access_warning: Option<bool>,
+}
+
+impl Notice {
+    /// used by set_hide_full_access_warning until we refactor config updates
+    pub(crate) const TABLE_KEY: &'static str = "notice";
+}
+
 #[derive(Deserialize, Debug, Clone, PartialEq, Default)]
 pub struct SandboxWorkspaceWrite {
    #[serde(default)]
@@ -468,7 +521,9 @@ mod tests {
            McpServerTransportConfig::Stdio {
                command: "echo".to_string(),
                args: vec![],
-                env: None
+                env: None,
+                env_vars: Vec::new(),
+                cwd: None,
            }
        );
        assert!(cfg.enabled);
@@ -489,7 +544,9 @@ mod tests {
            McpServerTransportConfig::Stdio {
                command: "echo".to_string(),
                args: vec!["hello".to_string(), "world".to_string()],
-                env: None
+                env: None,
+                env_vars: Vec::new(),
+                cwd: None,
            }
        );
        assert!(cfg.enabled);
@@ -511,12 +568,58 @@ mod tests {
            McpServerTransportConfig::Stdio {
                command: "echo".to_string(),
                args: vec!["hello".to_string(), "world".to_string()],
-                env: Some(HashMap::from([("FOO".to_string(), "BAR".to_string())]))
+                env: Some(HashMap::from([("FOO".to_string(), "BAR".to_string())])),
+                env_vars: Vec::new(),
+                cwd: None,
            }
        );
        assert!(cfg.enabled);
    }

+    #[test]
+    fn deserialize_stdio_command_server_config_with_env_vars() {
+        let cfg: McpServerConfig = toml::from_str(
+            r#"
+            command = "echo"
+            env_vars = ["FOO", "BAR"]
+        "#,
+        )
+        .expect("should deserialize command config with env_vars");
+
+        assert_eq!(
+            cfg.transport,
+            McpServerTransportConfig::Stdio {
+                command: "echo".to_string(),
+                args: vec![],
+                env: None,
+                env_vars: vec!["FOO".to_string(), "BAR".to_string()],
+                cwd: None,
+            }
+        );
+    }
+
+    #[test]
+    fn deserialize_stdio_command_server_config_with_cwd() {
+        let cfg: McpServerConfig = toml::from_str(
+            r#"
+            command = "echo"
+            cwd = "/tmp"
+        "#,
+        )
+        .expect("should deserialize command config with cwd");
+
+        assert_eq!(
+            cfg.transport,
+            McpServerTransportConfig::Stdio {
+                command: "echo".to_string(),
+                args: vec![],
+                env: None,
+                env_vars: Vec::new(),
+                cwd: Some(PathBuf::from("/tmp")),
+            }
+        );
+    }
+
    #[test]
    fn deserialize_disabled_server_config() {
        let cfg: McpServerConfig = toml::from_str(
@@ -543,7 +646,9 @@ mod tests {
            cfg.transport,
            McpServerTransportConfig::StreamableHttp {
                url: "https://example.com/mcp".to_string(),
-                bearer_token_env_var: None
+                bearer_token_env_var: None,
+                http_headers: None,
+                env_http_headers: None,
            }
        );
        assert!(cfg.enabled);
@@ -563,12 +668,39 @@ mod tests {
            cfg.transport,
            McpServerTransportConfig::StreamableHttp {
                url: "https://example.com/mcp".to_string(),
-                bearer_token_env_var: Some("GITHUB_TOKEN".to_string())
+                bearer_token_env_var: Some("GITHUB_TOKEN".to_string()),
+                http_headers: None,
+                env_http_headers: None,
            }
        );
        assert!(cfg.enabled);
    }

+    #[test]
+    fn deserialize_streamable_http_server_config_with_headers() {
+        let cfg: McpServerConfig = toml::from_str(
+            r#"
+            url = "https://example.com/mcp"
+            http_headers = { "X-Foo" = "bar" }
+            env_http_headers = { "X-Token" = "TOKEN_ENV" }
+        "#,
+        )
+        .expect("should deserialize http config with headers");
+
+        assert_eq!(
+            cfg.transport,
+            McpServerTransportConfig::StreamableHttp {
+                url: "https://example.com/mcp".to_string(),
+                bearer_token_env_var: None,
+                http_headers: Some(HashMap::from([("X-Foo".to_string(), "bar".to_string())])),
+                env_http_headers: Some(HashMap::from([(
+                    "X-Token".to_string(),
+                    "TOKEN_ENV".to_string()
+                )])),
+            }
+        );
+    }
+
    #[test]
    fn deserialize_rejects_command_and_url() {
        toml::from_str::<McpServerConfig>(
@@ -591,6 +723,25 @@ mod tests {
        .expect_err("should reject env for http transport");
    }

+    #[test]
+    fn deserialize_rejects_headers_for_stdio() {
+        toml::from_str::<McpServerConfig>(
+            r#"
+            command = "echo"
+            http_headers = { "X-Foo" = "bar" }
+        "#,
+        )
+        .expect_err("should reject http_headers for stdio transport");
+
+        toml::from_str::<McpServerConfig>(
+            r#"
+            command = "echo"
+            env_http_headers = { "X-Foo" = "BAR_ENV" }
+        "#,
+        )
+        .expect_err("should reject env_http_headers for stdio transport");
+    }
+
    #[test]
    fn deserialize_rejects_inline_bearer_token_field() {
        let err = toml::from_str::<McpServerConfig>(
--- a/codex-rs/core/src/environment_context.rs
+++ b/codex-rs/core/src/environment_context.rs
@@ -93,6 +93,25 @@ impl EnvironmentContext {
            && self.network_access == *network_access
            && self.writable_roots == *writable_roots
    }
+
+    pub fn diff(before: &TurnContext, after: &TurnContext) -> Self {
+        let cwd = if before.cwd != after.cwd {
+            Some(after.cwd.clone())
+        } else {
+            None
+        };
+        let approval_policy = if before.approval_policy != after.approval_policy {
+            Some(after.approval_policy)
+        } else {
+            None
+        };
+        let sandbox_policy = if before.sandbox_policy != after.sandbox_policy {
+            Some(after.sandbox_policy.clone())
+        } else {
+            None
+        };
+        EnvironmentContext::new(cwd, approval_policy, sandbox_policy, None)
+    }
 }

 impl From<&TurnContext> for EnvironmentContext {
--- a/codex-rs/core/src/error.rs
+++ b/codex-rs/core/src/error.rs
@@ -2,6 +2,9 @@ use crate::exec::ExecToolCallOutput;
 use crate::token_data::KnownPlan;
 use crate::token_data::PlanType;
 use crate::truncate::truncate_middle;
+use chrono::DateTime;
+use chrono::Utc;
+use codex_async_utils::CancelErr;
 use codex_protocol::ConversationId;
 use codex_protocol::protocol::RateLimitSnapshot;
 use reqwest::StatusCode;
@@ -50,6 +53,9 @@ pub enum SandboxErr {

 #[derive(Error, Debug)]
 pub enum CodexErr {
+    #[error("turn aborted")]
+    TurnAborted,
+
    /// Returned by ResponsesClient when the SSE stream disconnects or errors out **after** the HTTP
    /// handshake has succeeded but **before** it finished emitting `response.completed`.
    ///
@@ -91,6 +97,12 @@ pub enum CodexErr {
    #[error("{0}")]
    UsageLimitReached(UsageLimitReachedError),

+    #[error("{0}")]
+    ResponseStreamFailed(ResponseStreamFailed),
+
+    #[error("{0}")]
+    ConnectionFailed(ConnectionFailedError),
+
    #[error(
        "To use Codex with your ChatGPT plan, upgrade to Plus: https://openai.com/chatgpt/pricing."
    )]
@@ -126,9 +138,6 @@ pub enum CodexErr {
    #[error(transparent)]
    Io(#[from] io::Error),

-    #[error(transparent)]
-    Reqwest(#[from] reqwest::Error),
-
    #[error(transparent)]
    Json(#[from] serde_json::Error),

@@ -147,6 +156,43 @@ pub enum CodexErr {
    EnvVar(EnvVarError),
 }

+impl From<CancelErr> for CodexErr {
+    fn from(_: CancelErr) -> Self {
+        CodexErr::TurnAborted
+    }
+}
+
+#[derive(Debug)]
+pub struct ConnectionFailedError {
+    pub source: reqwest::Error,
+}
+
+impl std::fmt::Display for ConnectionFailedError {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "Connection failed: {}", self.source)
+    }
+}
+
+#[derive(Debug)]
+pub struct ResponseStreamFailed {
+    pub source: reqwest::Error,
+    pub request_id: Option<String>,
+}
+
+impl std::fmt::Display for ResponseStreamFailed {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(
+            f,
+            "Error while reading the server response: {}{}",
+            self.source,
+            self.request_id
+                .as_ref()
+                .map(|id| format!(", request id: {id}"))
+                .unwrap_or_default()
+        )
+    }
+}
+
 #[derive(Debug)]
 pub struct UnexpectedResponseError {
    pub status: StatusCode,
@@ -193,7 +239,7 @@ impl std::fmt::Display for RetryLimitReachedError {
 #[derive(Debug)]
 pub struct UsageLimitReachedError {
    pub(crate) plan_type: Option<PlanType>,
-    pub(crate) resets_in_seconds: Option<u64>,
+    pub(crate) resets_at: Option<DateTime<Utc>>,
    pub(crate) rate_limits: Option<RateLimitSnapshot>,
 }

@@ -202,12 +248,12 @@ impl std::fmt::Display for UsageLimitReachedError {
        let message = match self.plan_type.as_ref() {
            Some(PlanType::Known(KnownPlan::Plus)) => format!(
                "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing){}",
-                retry_suffix_after_or(self.resets_in_seconds)
+                retry_suffix_after_or(self.resets_at.as_ref())
            ),
            Some(PlanType::Known(KnownPlan::Team)) | Some(PlanType::Known(KnownPlan::Business)) => {
                format!(
                    "You've hit your usage limit. To get more access now, send a request to your admin{}",
-                    retry_suffix_after_or(self.resets_in_seconds)
+                    retry_suffix_after_or(self.resets_at.as_ref())
                )
            }
            Some(PlanType::Known(KnownPlan::Free)) => {
@@ -218,11 +264,11 @@ impl std::fmt::Display for UsageLimitReachedError {
            | Some(PlanType::Known(KnownPlan::Enterprise))
            | Some(PlanType::Known(KnownPlan::Edu)) => format!(
                "You've hit your usage limit.{}",
-                retry_suffix(self.resets_in_seconds)
+                retry_suffix(self.resets_at.as_ref())
            ),
            Some(PlanType::Unknown(_)) | None => format!(
                "You've hit your usage limit.{}",
-                retry_suffix(self.resets_in_seconds)
+                retry_suffix(self.resets_at.as_ref())
            ),
        };

@@ -230,8 +276,8 @@ impl std::fmt::Display for UsageLimitReachedError {
    }
 }

-fn retry_suffix(resets_in_seconds: Option<u64>) -> String {
-    if let Some(secs) = resets_in_seconds {
+fn retry_suffix(resets_at: Option<&DateTime<Utc>>) -> String {
+    if let Some(secs) = remaining_seconds(resets_at) {
        let reset_duration = format_reset_duration(secs);
        format!(" Try again in {reset_duration}.")
    } else {
@@ -239,8 +285,8 @@ fn retry_suffix(resets_in_seconds: Option<u64>) -> String {
    }
 }

-fn retry_suffix_after_or(resets_in_seconds: Option<u64>) -> String {
-    if let Some(secs) = resets_in_seconds {
+fn retry_suffix_after_or(resets_at: Option<&DateTime<Utc>>) -> String {
+    if let Some(secs) = remaining_seconds(resets_at) {
        let reset_duration = format_reset_duration(secs);
        format!(" or try again in {reset_duration}.")
    } else {
@@ -248,6 +294,29 @@ fn retry_suffix_after_or(resets_in_seconds: Option<u64>) -> String {
    }
 }

+fn remaining_seconds(resets_at: Option<&DateTime<Utc>>) -> Option<u64> {
+    let resets_at = resets_at.cloned()?;
+    let now = now_for_retry();
+    let secs = resets_at.signed_duration_since(now).num_seconds();
+    Some(if secs <= 0 { 0 } else { secs as u64 })
+}
+
+#[cfg(test)]
+thread_local! {
+    static NOW_OVERRIDE: std::cell::RefCell<Option<DateTime<Utc>>> =
+        const { std::cell::RefCell::new(None) };
+}
+
+fn now_for_retry() -> DateTime<Utc> {
+    #[cfg(test)]
+    {
+        if let Some(now) = NOW_OVERRIDE.with(|cell| *cell.borrow()) {
+            return now;
+        }
+    }
+    Utc::now()
+}
+
 fn format_reset_duration(total_secs: u64) -> String {
    let days = total_secs / 86_400;
    let hours = (total_secs % 86_400) / 3_600;
@@ -344,29 +413,50 @@ pub fn get_error_message_ui(e: &CodexErr) -> String {
 mod tests {
    use super::*;
    use crate::exec::StreamOutput;
+    use chrono::DateTime;
+    use chrono::Duration as ChronoDuration;
+    use chrono::TimeZone;
+    use chrono::Utc;
    use codex_protocol::protocol::RateLimitWindow;
    use pretty_assertions::assert_eq;

    fn rate_limit_snapshot() -> RateLimitSnapshot {
+        let primary_reset_at = Utc
+            .with_ymd_and_hms(2024, 1, 1, 1, 0, 0)
+            .unwrap()
+            .timestamp();
+        let secondary_reset_at = Utc
+            .with_ymd_and_hms(2024, 1, 1, 2, 0, 0)
+            .unwrap()
+            .timestamp();
        RateLimitSnapshot {
            primary: Some(RateLimitWindow {
                used_percent: 50.0,
                window_minutes: Some(60),
-                resets_in_seconds: Some(3600),
+                resets_at: Some(primary_reset_at),
            }),
            secondary: Some(RateLimitWindow {
                used_percent: 30.0,
                window_minutes: Some(120),
-                resets_in_seconds: Some(7200),
+                resets_at: Some(secondary_reset_at),
            }),
        }
    }

+    fn with_now_override<T>(now: DateTime<Utc>, f: impl FnOnce() -> T) -> T {
+        NOW_OVERRIDE.with(|cell| {
+            *cell.borrow_mut() = Some(now);
+            let result = f();
+            *cell.borrow_mut() = None;
+            result
+        })
+    }
+
    #[test]
    fn usage_limit_reached_error_formats_plus_plan() {
        let err = UsageLimitReachedError {
            plan_type: Some(PlanType::Known(KnownPlan::Plus)),
-            resets_in_seconds: None,
+            resets_at: None,
            rate_limits: Some(rate_limit_snapshot()),
        };
        assert_eq!(
@@ -446,7 +536,7 @@ mod tests {
    fn usage_limit_reached_error_formats_free_plan() {
        let err = UsageLimitReachedError {
            plan_type: Some(PlanType::Known(KnownPlan::Free)),
-            resets_in_seconds: Some(3600),
+            resets_at: None,
            rate_limits: Some(rate_limit_snapshot()),
        };
        assert_eq!(
@@ -459,7 +549,7 @@ mod tests {
    fn usage_limit_reached_error_formats_default_when_none() {
        let err = UsageLimitReachedError {
            plan_type: None,
-            resets_in_seconds: None,
+            resets_at: None,
            rate_limits: Some(rate_limit_snapshot()),
        };
        assert_eq!(
@@ -470,22 +560,26 @@ mod tests {

    #[test]
    fn usage_limit_reached_error_formats_team_plan() {
-        let err = UsageLimitReachedError {
-            plan_type: Some(PlanType::Known(KnownPlan::Team)),
-            resets_in_seconds: Some(3600),
-            rate_limits: Some(rate_limit_snapshot()),
-        };
-        assert_eq!(
-            err.to_string(),
-            "You've hit your usage limit. To get more access now, send a request to your admin or try again in 1 hour."
-        );
+        let base = Utc.with_ymd_and_hms(2024, 1, 1, 0, 0, 0).unwrap();
+        let resets_at = base + ChronoDuration::hours(1);
+        with_now_override(base, move || {
+            let err = UsageLimitReachedError {
+                plan_type: Some(PlanType::Known(KnownPlan::Team)),
+                resets_at: Some(resets_at),
+                rate_limits: Some(rate_limit_snapshot()),
+            };
+            assert_eq!(
+                err.to_string(),
+                "You've hit your usage limit. To get more access now, send a request to your admin or try again in 1 hour."
+            );
+        });
    }

    #[test]
    fn usage_limit_reached_error_formats_business_plan_without_reset() {
        let err = UsageLimitReachedError {
            plan_type: Some(PlanType::Known(KnownPlan::Business)),
-            resets_in_seconds: None,
+            resets_at: None,
            rate_limits: Some(rate_limit_snapshot()),
        };
        assert_eq!(
@@ -498,7 +592,7 @@ mod tests {
    fn usage_limit_reached_error_formats_default_for_other_plans() {
        let err = UsageLimitReachedError {
            plan_type: Some(PlanType::Known(KnownPlan::Pro)),
-            resets_in_seconds: None,
+            resets_at: None,
            rate_limits: Some(rate_limit_snapshot()),
        };
        assert_eq!(
@@ -509,53 +603,70 @@ mod tests {

    #[test]
    fn usage_limit_reached_includes_minutes_when_available() {
-        let err = UsageLimitReachedError {
-            plan_type: None,
-            resets_in_seconds: Some(5 * 60),
-            rate_limits: Some(rate_limit_snapshot()),
-        };
-        assert_eq!(
-            err.to_string(),
-            "You've hit your usage limit. Try again in 5 minutes."
-        );
+        let base = Utc.with_ymd_and_hms(2024, 1, 1, 0, 0, 0).unwrap();
+        let resets_at = base + ChronoDuration::minutes(5);
+        with_now_override(base, move || {
+            let err = UsageLimitReachedError {
+                plan_type: None,
+                resets_at: Some(resets_at),
+                rate_limits: Some(rate_limit_snapshot()),
+            };
+            assert_eq!(
+                err.to_string(),
+                "You've hit your usage limit. Try again in 5 minutes."
+            );
+        });
    }

    #[test]
    fn usage_limit_reached_includes_hours_and_minutes() {
-        let err = UsageLimitReachedError {
-            plan_type: Some(PlanType::Known(KnownPlan::Plus)),
-            resets_in_seconds: Some(3 * 3600 + 32 * 60),
-            rate_limits: Some(rate_limit_snapshot()),
-        };
-        assert_eq!(
-            err.to_string(),
-            "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing) or try again in 3 hours 32 minutes."
-        );
+        let base = Utc.with_ymd_and_hms(2024, 1, 1, 0, 0, 0).unwrap();
+        let resets_at = base + ChronoDuration::hours(3) + ChronoDuration::minutes(32);
+        with_now_override(base, move || {
+            let err = UsageLimitReachedError {
+                plan_type: Some(PlanType::Known(KnownPlan::Plus)),
+                resets_at: Some(resets_at),
+                rate_limits: Some(rate_limit_snapshot()),
+            };
+            assert_eq!(
+                err.to_string(),
+                "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing) or try again in 3 hours 32 minutes."
+            );
+        });
    }

    #[test]
    fn usage_limit_reached_includes_days_hours_minutes() {
-        let err = UsageLimitReachedError {
-            plan_type: None,
-            resets_in_seconds: Some(2 * 86_400 + 3 * 3600 + 5 * 60),
-            rate_limits: Some(rate_limit_snapshot()),
-        };
-        assert_eq!(
-            err.to_string(),
-            "You've hit your usage limit. Try again in 2 days 3 hours 5 minutes."
-        );
+        let base = Utc.with_ymd_and_hms(2024, 1, 1, 0, 0, 0).unwrap();
+        let resets_at =
+            base + ChronoDuration::days(2) + ChronoDuration::hours(3) + ChronoDuration::minutes(5);
+        with_now_override(base, move || {
+            let err = UsageLimitReachedError {
+                plan_type: None,
+                resets_at: Some(resets_at),
+                rate_limits: Some(rate_limit_snapshot()),
+            };
+            assert_eq!(
+                err.to_string(),
+                "You've hit your usage limit. Try again in 2 days 3 hours 5 minutes."
+            );
+        });
    }

    #[test]
    fn usage_limit_reached_less_than_minute() {
-        let err = UsageLimitReachedError {
-            plan_type: None,
-            resets_in_seconds: Some(30),
-            rate_limits: Some(rate_limit_snapshot()),
-        };
-        assert_eq!(
-            err.to_string(),
-            "You've hit your usage limit. Try again in less than a minute."
-        );
+        let base = Utc.with_ymd_and_hms(2024, 1, 1, 0, 0, 0).unwrap();
+        let resets_at = base + ChronoDuration::seconds(30);
+        with_now_override(base, move || {
+            let err = UsageLimitReachedError {
+                plan_type: None,
+                resets_at: Some(resets_at),
+                rate_limits: Some(rate_limit_snapshot()),
+            };
+            assert_eq!(
+                err.to_string(),
+                "You've hit your usage limit. Try again in less than a minute."
+            );
+        });
    }
 }
--- a/codex-rs/core/src/exec.rs
+++ b/codex-rs/core/src/exec.rs
@@ -18,13 +18,14 @@ use tokio::process::Child;
 use crate::error::CodexErr;
 use crate::error::Result;
 use crate::error::SandboxErr;
-use crate::landlock::spawn_command_under_linux_sandbox;
 use crate::protocol::Event;
 use crate::protocol::EventMsg;
 use crate::protocol::ExecCommandOutputDeltaEvent;
 use crate::protocol::ExecOutputStream;
 use crate::protocol::SandboxPolicy;
-use crate::seatbelt::spawn_command_under_seatbelt;
+use crate::sandboxing::CommandSpec;
+use crate::sandboxing::ExecEnv;
+use crate::sandboxing::SandboxManager;
 use crate::spawn::StdioPolicy;
 use crate::spawn::spawn_child_async;

@@ -53,6 +54,7 @@ pub struct ExecParams {
    pub env: HashMap<String, String>,
    pub with_escalated_permissions: Option<bool>,
    pub justification: Option<String>,
+    pub arg0: Option<String>,
 }

 impl ExecParams {
@@ -87,57 +89,85 @@ pub async fn process_exec_tool_call(
    codex_linux_sandbox_exe: &Option<PathBuf>,
    stdout_stream: Option<StdoutStream>,
 ) -> Result<ExecToolCallOutput> {
-    let start = Instant::now();
+    let ExecParams {
+        command,
+        cwd,
+        timeout_ms,
+        env,
+        with_escalated_permissions,
+        justification,
+        arg0: _,
+    } = params;

-    let timeout_duration = params.timeout_duration();
+    let (program, args) = command.split_first().ok_or_else(|| {
+        CodexErr::Io(io::Error::new(
+            io::ErrorKind::InvalidInput,
+            "command args are empty",
+        ))
+    })?;

-    let raw_output_result: std::result::Result<RawExecToolCallOutput, CodexErr> = match sandbox_type
-    {
-        SandboxType::None => exec(params, sandbox_policy, stdout_stream.clone()).await,
-        SandboxType::MacosSeatbelt => {
-            let ExecParams {
-                command,
-                cwd: command_cwd,
-                env,
-                ..
-            } = params;
-            let child = spawn_command_under_seatbelt(
-                command,
-                command_cwd,
-                sandbox_policy,
-                sandbox_cwd,
-                StdioPolicy::RedirectForShellTool,
-                env,
-            )
-            .await?;
-            consume_truncated_output(child, timeout_duration, stdout_stream.clone()).await
-        }
-        SandboxType::LinuxSeccomp => {
-            let ExecParams {
-                command,
-                cwd: command_cwd,
-                env,
-                ..
-            } = params;
-
-            let codex_linux_sandbox_exe = codex_linux_sandbox_exe
-                .as_ref()
-                .ok_or(CodexErr::LandlockSandboxExecutableNotProvided)?;
-            let child = spawn_command_under_linux_sandbox(
-                codex_linux_sandbox_exe,
-                command,
-                command_cwd,
-                sandbox_policy,
-                sandbox_cwd,
-                StdioPolicy::RedirectForShellTool,
-                env,
-            )
-            .await?;
-
-            consume_truncated_output(child, timeout_duration, stdout_stream).await
-        }
+    let spec = CommandSpec {
+        program: program.clone(),
+        args: args.to_vec(),
+        cwd,
+        env,
+        timeout_ms,
+        with_escalated_permissions,
+        justification,
    };
+
+    let manager = SandboxManager::new();
+    let exec_env = manager
+        .transform(
+            &spec,
+            sandbox_policy,
+            sandbox_type,
+            sandbox_cwd,
+            codex_linux_sandbox_exe.as_ref(),
+        )
+        .map_err(CodexErr::from)?;
+
+    // Route through the sandboxing module for a single, unified execution path.
+    crate::sandboxing::execute_env(&exec_env, sandbox_policy, stdout_stream).await
+}
+
+pub(crate) async fn execute_exec_env(
+    env: ExecEnv,
+    sandbox_policy: &SandboxPolicy,
+    stdout_stream: Option<StdoutStream>,
+) -> Result<ExecToolCallOutput> {
+    let ExecEnv {
+        command,
+        cwd,
+        env,
+        timeout_ms,
+        sandbox,
+        with_escalated_permissions,
+        justification,
+        arg0,
+    } = env;
+
+    let params = ExecParams {
+        command,
+        cwd,
+        timeout_ms,
+        env,
+        with_escalated_permissions,
+        justification,
+        arg0,
+    };
+
+    let start = Instant::now();
+    let raw_output_result = exec(params, sandbox_policy, stdout_stream).await;
    let duration = start.elapsed();
+    finalize_exec_result(raw_output_result, sandbox, duration)
+}
+
+fn finalize_exec_result(
+    raw_output_result: std::result::Result<RawExecToolCallOutput, CodexErr>,
+    sandbox_type: SandboxType,
+    duration: Duration,
+) -> Result<ExecToolCallOutput> {
    match raw_output_result {
        Ok(raw_output) => {
            #[allow(unused_mut)]
@@ -192,12 +222,30 @@ pub async fn process_exec_tool_call(
    }
 }

+pub(crate) mod errors {
+    use super::CodexErr;
+    use crate::sandboxing::SandboxTransformError;
+
+    impl From<SandboxTransformError> for CodexErr {
+        fn from(err: SandboxTransformError) -> Self {
+            match err {
+                SandboxTransformError::MissingLinuxSandboxExecutable => {
+                    CodexErr::LandlockSandboxExecutableNotProvided
+                }
+            }
+        }
+    }
+}
+
 /// We don't have a fully deterministic way to tell if our command failed
 /// because of the sandbox - a command in the user's zshrc file might hit an
 /// error, but the command itself might fail or succeed for other reasons.
 /// For now, we conservatively check for well known command failure exit codes and
 /// also look for common sandbox denial keywords in the command output.
-fn is_likely_sandbox_denied(sandbox_type: SandboxType, exec_output: &ExecToolCallOutput) -> bool {
+pub(crate) fn is_likely_sandbox_denied(
+    sandbox_type: SandboxType,
+    exec_output: &ExecToolCallOutput,
+) -> bool {
    if sandbox_type == SandboxType::None || exec_output.exit_code == 0 {
        return false;
    }
@@ -206,21 +254,17 @@ fn is_likely_sandbox_denied(sandbox_type: SandboxType, exec_output: &ExecToolCal
    // 2: misuse of shell builtins
    // 126: permission denied
    // 127: command not found
-    const QUICK_REJECT_EXIT_CODES: [i32; 3] = [2, 126, 127];
-    if QUICK_REJECT_EXIT_CODES.contains(&exec_output.exit_code) {
-        return false;
-    }
-
-    const SANDBOX_DENIED_KEYWORDS: [&str; 6] = [
+    const SANDBOX_DENIED_KEYWORDS: [&str; 7] = [
        "operation not permitted",
        "permission denied",
        "read-only file system",
        "seccomp",
        "sandbox",
        "landlock",
+        "failed to write file",
    ];

-    if [
+    let has_sandbox_keyword = [
        &exec_output.stderr.text,
        &exec_output.stdout.text,
        &exec_output.aggregated_output.text,
@@ -231,10 +275,17 @@ fn is_likely_sandbox_denied(sandbox_type: SandboxType, exec_output: &ExecToolCal
        SANDBOX_DENIED_KEYWORDS
            .iter()
            .any(|needle| lower.contains(needle))
-    }) {
+    });
+
+    if has_sandbox_keyword {
        return true;
    }

+    const QUICK_REJECT_EXIT_CODES: [i32; 3] = [2, 126, 127];
+    if QUICK_REJECT_EXIT_CODES.contains(&exec_output.exit_code) {
+        return false;
+    }
+
    #[cfg(unix)]
    {
        const SIGSYS_CODE: i32 = libc::SIGSYS;
@@ -248,11 +299,12 @@ fn is_likely_sandbox_denied(sandbox_type: SandboxType, exec_output: &ExecToolCal
    false
 }

-#[derive(Debug)]
-pub struct StreamOutput<T> {
+#[derive(Debug, Clone)]
+pub struct StreamOutput<T: Clone> {
    pub text: T,
    pub truncated_after_lines: Option<u32>,
 }
+
 #[derive(Debug)]
 struct RawExecToolCallOutput {
    pub exit_status: ExitStatus,
@@ -285,7 +337,7 @@ fn append_all(dst: &mut Vec<u8>, src: &[u8]) {
    dst.extend_from_slice(src);
 }

-#[derive(Debug)]
+#[derive(Clone, Debug)]
 pub struct ExecToolCallOutput {
    pub exit_code: i32,
    pub stdout: StreamOutput<String>,
@@ -302,7 +354,11 @@ async fn exec(
 ) -> Result<RawExecToolCallOutput> {
    let timeout = params.timeout_duration();
    let ExecParams {
-        command, cwd, env, ..
+        command,
+        cwd,
+        env,
+        arg0,
+        ..
    } = params;

    let (program, args) = command.split_first().ok_or_else(|| {
@@ -311,11 +367,11 @@ async fn exec(
            "command args are empty",
        ))
    })?;
-    let arg0 = None;
+    let arg0_ref = arg0.as_deref();
    let child = spawn_child_async(
        PathBuf::from(program),
        args.into(),
-        arg0,
+        arg0_ref,
        cwd,
        sandbox_policy,
        StdioPolicy::RedirectForShellTool,
--- a/codex-rs/core/src/exec_command/exec_command_params.rs
+++ b/codex-rs/core/src/exec_command/exec_command_params.rs
@@ -1,57 +0,0 @@
-use serde::Deserialize;
-use serde::Serialize;
-
-use crate::exec_command::session_id::SessionId;
-
-#[derive(Debug, Clone, Deserialize)]
-pub struct ExecCommandParams {
-    pub(crate) cmd: String,
-
-    #[serde(default = "default_yield_time")]
-    pub(crate) yield_time_ms: u64,
-
-    #[serde(default = "max_output_tokens")]
-    pub(crate) max_output_tokens: u64,
-
-    #[serde(default = "default_shell")]
-    pub(crate) shell: String,
-
-    #[serde(default = "default_login")]
-    pub(crate) login: bool,
-}
-
-fn default_yield_time() -> u64 {
-    10_000
-}
-
-fn max_output_tokens() -> u64 {
-    10_000
-}
-
-fn default_login() -> bool {
-    true
-}
-
-fn default_shell() -> String {
-    "/bin/bash".to_string()
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-pub struct WriteStdinParams {
-    pub(crate) session_id: SessionId,
-    pub(crate) chars: String,
-
-    #[serde(default = "write_stdin_default_yield_time_ms")]
-    pub(crate) yield_time_ms: u64,
-
-    #[serde(default = "write_stdin_default_max_output_tokens")]
-    pub(crate) max_output_tokens: u64,
-}
-
-fn write_stdin_default_yield_time_ms() -> u64 {
-    250
-}
-
-fn write_stdin_default_max_output_tokens() -> u64 {
-    10_000
-}
--- a/codex-rs/core/src/exec_command/exec_command_session.rs
+++ b/codex-rs/core/src/exec_command/exec_command_session.rs
@@ -1,96 +0,0 @@
-use std::sync::Mutex as StdMutex;
-
-use tokio::sync::broadcast;
-use tokio::sync::mpsc;
-use tokio::task::JoinHandle;
-
-#[derive(Debug)]
-pub(crate) struct ExecCommandSession {
-    /// Queue for writing bytes to the process stdin (PTY master write side).
-    writer_tx: mpsc::Sender<Vec<u8>>,
-    /// Broadcast stream of output chunks read from the PTY. New subscribers
-    /// receive only chunks emitted after they subscribe.
-    output_tx: broadcast::Sender<Vec<u8>>,
-
-    /// Child killer handle for termination on drop (can signal independently
-    /// of a thread blocked in `.wait()`).
-    killer: StdMutex<Option<Box<dyn portable_pty::ChildKiller + Send + Sync>>>,
-
-    /// JoinHandle for the blocking PTY reader task.
-    reader_handle: StdMutex<Option<JoinHandle<()>>>,
-
-    /// JoinHandle for the stdin writer task.
-    writer_handle: StdMutex<Option<JoinHandle<()>>>,
-
-    /// JoinHandle for the child wait task.
-    wait_handle: StdMutex<Option<JoinHandle<()>>>,
-
-    /// Tracks whether the underlying process has exited.
-    exit_status: std::sync::Arc<std::sync::atomic::AtomicBool>,
-}
-
-impl ExecCommandSession {
-    pub(crate) fn new(
-        writer_tx: mpsc::Sender<Vec<u8>>,
-        output_tx: broadcast::Sender<Vec<u8>>,
-        killer: Box<dyn portable_pty::ChildKiller + Send + Sync>,
-        reader_handle: JoinHandle<()>,
-        writer_handle: JoinHandle<()>,
-        wait_handle: JoinHandle<()>,
-        exit_status: std::sync::Arc<std::sync::atomic::AtomicBool>,
-    ) -> (Self, broadcast::Receiver<Vec<u8>>) {
-        let initial_output_rx = output_tx.subscribe();
-        (
-            Self {
-                writer_tx,
-                output_tx,
-                killer: StdMutex::new(Some(killer)),
-                reader_handle: StdMutex::new(Some(reader_handle)),
-                writer_handle: StdMutex::new(Some(writer_handle)),
-                wait_handle: StdMutex::new(Some(wait_handle)),
-                exit_status,
-            },
-            initial_output_rx,
-        )
-    }
-
-    pub(crate) fn writer_sender(&self) -> mpsc::Sender<Vec<u8>> {
-        self.writer_tx.clone()
-    }
-
-    pub(crate) fn output_receiver(&self) -> broadcast::Receiver<Vec<u8>> {
-        self.output_tx.subscribe()
-    }
-
-    pub(crate) fn has_exited(&self) -> bool {
-        self.exit_status.load(std::sync::atomic::Ordering::SeqCst)
-    }
-}
-
-impl Drop for ExecCommandSession {
-    fn drop(&mut self) {
-        // Best-effort: terminate child first so blocking tasks can complete.
-        if let Ok(mut killer_opt) = self.killer.lock()
-            && let Some(mut killer) = killer_opt.take()
-        {
-            let _ = killer.kill();
-        }
-
-        // Abort background tasks; they may already have exited after kill.
-        if let Ok(mut h) = self.reader_handle.lock()
-            && let Some(handle) = h.take()
-        {
-            handle.abort();
-        }
-        if let Ok(mut h) = self.writer_handle.lock()
-            && let Some(handle) = h.take()
-        {
-            handle.abort();
-        }
-        if let Ok(mut h) = self.wait_handle.lock()
-            && let Some(handle) = h.take()
-        {
-            handle.abort();
-        }
-    }
-}
--- a/codex-rs/core/src/exec_command/mod.rs
+++ b/codex-rs/core/src/exec_command/mod.rs
@@ -1,14 +0,0 @@
-mod exec_command_params;
-mod exec_command_session;
-mod responses_api;
-mod session_id;
-mod session_manager;
-
-pub use exec_command_params::ExecCommandParams;
-pub use exec_command_params::WriteStdinParams;
-pub(crate) use exec_command_session::ExecCommandSession;
-pub use responses_api::EXEC_COMMAND_TOOL_NAME;
-pub use responses_api::WRITE_STDIN_TOOL_NAME;
-pub use responses_api::create_exec_command_tool_for_responses_api;
-pub use responses_api::create_write_stdin_tool_for_responses_api;
-pub use session_manager::SessionManager as ExecSessionManager;
--- a/codex-rs/core/src/exec_command/responses_api.rs
+++ b/codex-rs/core/src/exec_command/responses_api.rs
@@ -1,98 +0,0 @@
-use std::collections::BTreeMap;
-
-use crate::client_common::tools::ResponsesApiTool;
-use crate::openai_tools::JsonSchema;
-
-pub const EXEC_COMMAND_TOOL_NAME: &str = "exec_command";
-pub const WRITE_STDIN_TOOL_NAME: &str = "write_stdin";
-
-pub fn create_exec_command_tool_for_responses_api() -> ResponsesApiTool {
-    let mut properties = BTreeMap::<String, JsonSchema>::new();
-    properties.insert(
-        "cmd".to_string(),
-        JsonSchema::String {
-            description: Some("The shell command to execute.".to_string()),
-        },
-    );
-    properties.insert(
-        "yield_time_ms".to_string(),
-        JsonSchema::Number {
-            description: Some("The maximum time in milliseconds to wait for output.".to_string()),
-        },
-    );
-    properties.insert(
-        "max_output_tokens".to_string(),
-        JsonSchema::Number {
-            description: Some("The maximum number of tokens to output.".to_string()),
-        },
-    );
-    properties.insert(
-        "shell".to_string(),
-        JsonSchema::String {
-            description: Some("The shell to use. Defaults to \"/bin/bash\".".to_string()),
-        },
-    );
-    properties.insert(
-        "login".to_string(),
-        JsonSchema::Boolean {
-            description: Some(
-                "Whether to run the command as a login shell. Defaults to true.".to_string(),
-            ),
-        },
-    );
-
-    ResponsesApiTool {
-        name: EXEC_COMMAND_TOOL_NAME.to_owned(),
-        description: r#"Execute shell commands on the local machine with streaming output."#
-            .to_string(),
-        strict: false,
-        parameters: JsonSchema::Object {
-            properties,
-            required: Some(vec!["cmd".to_string()]),
-            additional_properties: Some(false.into()),
-        },
-    }
-}
-
-pub fn create_write_stdin_tool_for_responses_api() -> ResponsesApiTool {
-    let mut properties = BTreeMap::<String, JsonSchema>::new();
-    properties.insert(
-        "session_id".to_string(),
-        JsonSchema::Number {
-            description: Some("The ID of the exec_command session.".to_string()),
-        },
-    );
-    properties.insert(
-        "chars".to_string(),
-        JsonSchema::String {
-            description: Some("The characters to write to stdin.".to_string()),
-        },
-    );
-    properties.insert(
-        "yield_time_ms".to_string(),
-        JsonSchema::Number {
-            description: Some(
-                "The maximum time in milliseconds to wait for output after writing.".to_string(),
-            ),
-        },
-    );
-    properties.insert(
-        "max_output_tokens".to_string(),
-        JsonSchema::Number {
-            description: Some("The maximum number of tokens to output.".to_string()),
-        },
-    );
-
-    ResponsesApiTool {
-        name: WRITE_STDIN_TOOL_NAME.to_owned(),
-        description: r#"Write characters to an exec session's stdin. Returns all stdout+stderr received within yield_time_ms.
-Can write control characters (\u0003 for Ctrl-C), or an empty string to just poll stdout+stderr."#
-            .to_string(),
-        strict: false,
-        parameters: JsonSchema::Object {
-            properties,
-            required: Some(vec!["session_id".to_string(), "chars".to_string()]),
-            additional_properties: Some(false.into()),
-        },
-    }
-}
--- a/codex-rs/core/src/exec_command/session_id.rs
+++ b/codex-rs/core/src/exec_command/session_id.rs
@@ -1,5 +0,0 @@
-use serde::Deserialize;
-use serde::Serialize;
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
-pub(crate) struct SessionId(pub u32);
--- a/codex-rs/core/src/exec_command/session_manager.rs
+++ b/codex-rs/core/src/exec_command/session_manager.rs
@@ -1,506 +0,0 @@
-use std::collections::HashMap;
-use std::io::ErrorKind;
-use std::io::Read;
-use std::sync::Arc;
-use std::sync::Mutex as StdMutex;
-use std::sync::atomic::AtomicBool;
-use std::sync::atomic::AtomicU32;
-
-use portable_pty::CommandBuilder;
-use portable_pty::PtySize;
-use portable_pty::native_pty_system;
-use tokio::sync::Mutex;
-use tokio::sync::mpsc;
-use tokio::sync::oneshot;
-use tokio::time::Duration;
-use tokio::time::Instant;
-use tokio::time::timeout;
-
-use crate::exec_command::exec_command_params::ExecCommandParams;
-use crate::exec_command::exec_command_params::WriteStdinParams;
-use crate::exec_command::exec_command_session::ExecCommandSession;
-use crate::exec_command::session_id::SessionId;
-use crate::truncate::truncate_middle;
-
-#[derive(Debug, Default)]
-pub struct SessionManager {
-    next_session_id: AtomicU32,
-    sessions: Mutex<HashMap<SessionId, ExecCommandSession>>,
-}
-
-#[derive(Debug)]
-pub struct ExecCommandOutput {
-    wall_time: Duration,
-    exit_status: ExitStatus,
-    original_token_count: Option<u64>,
-    output: String,
-}
-
-impl ExecCommandOutput {
-    pub(crate) fn to_text_output(&self) -> String {
-        let wall_time_secs = self.wall_time.as_secs_f32();
-        let termination_status = match self.exit_status {
-            ExitStatus::Exited(code) => format!("Process exited with code {code}"),
-            ExitStatus::Ongoing(session_id) => {
-                format!("Process running with session ID {}", session_id.0)
-            }
-        };
-        let truncation_status = match self.original_token_count {
-            Some(tokens) => {
-                format!("\nWarning: truncated output (original token count: {tokens})")
-            }
-            None => "".to_string(),
-        };
-        format!(
-            r#"Wall time: {wall_time_secs:.3} seconds
-{termination_status}{truncation_status}
-Output:
-{output}"#,
-            output = self.output
-        )
-    }
-}
-
-#[derive(Debug)]
-pub enum ExitStatus {
-    Exited(i32),
-    Ongoing(SessionId),
-}
-
-impl SessionManager {
-    /// Processes the request and is required to send a response via `outgoing`.
-    pub async fn handle_exec_command_request(
-        &self,
-        params: ExecCommandParams,
-    ) -> Result<ExecCommandOutput, String> {
-        // Allocate a session id.
-        let session_id = SessionId(
-            self.next_session_id
-                .fetch_add(1, std::sync::atomic::Ordering::SeqCst),
-        );
-
-        let (session, mut output_rx, mut exit_rx) = create_exec_command_session(params.clone())
-            .await
-            .map_err(|err| {
-                format!(
-                    "failed to create exec command session for session id {}: {err}",
-                    session_id.0
-                )
-            })?;
-
-        // Insert into session map.
-        self.sessions.lock().await.insert(session_id, session);
-
-        // Collect output until either timeout expires or process exits.
-        // Do not cap during collection; truncate at the end if needed.
-        // Use a modest initial capacity to avoid large preallocation.
-        let cap_bytes_u64 = params.max_output_tokens.saturating_mul(4);
-        let cap_bytes: usize = cap_bytes_u64.min(usize::MAX as u64) as usize;
-        let mut collected: Vec<u8> = Vec::with_capacity(4096);
-
-        let start_time = Instant::now();
-        let deadline = start_time + Duration::from_millis(params.yield_time_ms);
-        let mut exit_code: Option<i32> = None;
-
-        loop {
-            if Instant::now() >= deadline {
-                break;
-            }
-            let remaining = deadline.saturating_duration_since(Instant::now());
-            tokio::select! {
-                biased;
-                exit = &mut exit_rx => {
-                    exit_code = exit.ok();
-                    // Small grace period to pull remaining buffered output
-                    let grace_deadline = Instant::now() + Duration::from_millis(25);
-                    while Instant::now() < grace_deadline {
-                        match timeout(Duration::from_millis(1), output_rx.recv()).await {
-                            Ok(Ok(chunk)) => {
-                                collected.extend_from_slice(&chunk);
-                            }
-                            Ok(Err(tokio::sync::broadcast::error::RecvError::Lagged(_))) => {
-                                // Skip missed messages; keep trying within grace period.
-                                continue;
-                            }
-                            Ok(Err(tokio::sync::broadcast::error::RecvError::Closed)) => break,
-                            Err(_) => break,
-                        }
-                    }
-                    break;
-                }
-                chunk = timeout(remaining, output_rx.recv()) => {
-                    match chunk {
-                        Ok(Ok(chunk)) => {
-                            collected.extend_from_slice(&chunk);
-                        }
-                        Ok(Err(tokio::sync::broadcast::error::RecvError::Lagged(_))) => {
-                            // Skip missed messages; continue collecting fresh output.
-                        }
-                        Ok(Err(tokio::sync::broadcast::error::RecvError::Closed)) => { break; }
-                        Err(_) => { break; }
-                    }
-                }
-            }
-        }
-
-        let output = String::from_utf8_lossy(&collected).to_string();
-
-        let exit_status = if let Some(code) = exit_code {
-            ExitStatus::Exited(code)
-        } else {
-            ExitStatus::Ongoing(session_id)
-        };
-
-        // If output exceeds cap, truncate the middle and record original token estimate.
-        let (output, original_token_count) = truncate_middle(&output, cap_bytes);
-        Ok(ExecCommandOutput {
-            wall_time: Instant::now().duration_since(start_time),
-            exit_status,
-            original_token_count,
-            output,
-        })
-    }
-
-    /// Write characters to a session's stdin and collect combined output for up to `yield_time_ms`.
-    pub async fn handle_write_stdin_request(
-        &self,
-        params: WriteStdinParams,
-    ) -> Result<ExecCommandOutput, String> {
-        let WriteStdinParams {
-            session_id,
-            chars,
-            yield_time_ms,
-            max_output_tokens,
-        } = params;
-
-        // Grab handles without holding the sessions lock across await points.
-        let (writer_tx, mut output_rx) = {
-            let sessions = self.sessions.lock().await;
-            match sessions.get(&session_id) {
-                Some(session) => (session.writer_sender(), session.output_receiver()),
-                None => {
-                    return Err(format!("unknown session id {}", session_id.0));
-                }
-            }
-        };
-
-        // Write stdin if provided.
-        if !chars.is_empty() && writer_tx.send(chars.into_bytes()).await.is_err() {
-            return Err("failed to write to stdin".to_string());
-        }
-
-        // Collect output up to yield_time_ms, truncating to max_output_tokens bytes.
-        let mut collected: Vec<u8> = Vec::with_capacity(4096);
-        let start_time = Instant::now();
-        let deadline = start_time + Duration::from_millis(yield_time_ms);
-        loop {
-            let now = Instant::now();
-            if now >= deadline {
-                break;
-            }
-            let remaining = deadline - now;
-            match timeout(remaining, output_rx.recv()).await {
-                Ok(Ok(chunk)) => {
-                    // Collect all output within the time budget; truncate at the end.
-                    collected.extend_from_slice(&chunk);
-                }
-                Ok(Err(tokio::sync::broadcast::error::RecvError::Lagged(_))) => {
-                    // Skip missed messages; continue collecting fresh output.
-                }
-                Ok(Err(tokio::sync::broadcast::error::RecvError::Closed)) => break,
-                Err(_) => break, // timeout
-            }
-        }
-
-        // Return structured output, truncating middle if over cap.
-        let output = String::from_utf8_lossy(&collected).to_string();
-        let cap_bytes_u64 = max_output_tokens.saturating_mul(4);
-        let cap_bytes: usize = cap_bytes_u64.min(usize::MAX as u64) as usize;
-        let (output, original_token_count) = truncate_middle(&output, cap_bytes);
-        Ok(ExecCommandOutput {
-            wall_time: Instant::now().duration_since(start_time),
-            exit_status: ExitStatus::Ongoing(session_id),
-            original_token_count,
-            output,
-        })
-    }
-}
-
-/// Spawn PTY and child process per spawn_exec_command_session logic.
-async fn create_exec_command_session(
-    params: ExecCommandParams,
-) -> anyhow::Result<(
-    ExecCommandSession,
-    tokio::sync::broadcast::Receiver<Vec<u8>>,
-    oneshot::Receiver<i32>,
-)> {
-    let ExecCommandParams {
-        cmd,
-        yield_time_ms: _,
-        max_output_tokens: _,
-        shell,
-        login,
-    } = params;
-
-    // Use the native pty implementation for the system
-    let pty_system = native_pty_system();
-
-    // Create a new pty
-    let pair = pty_system.openpty(PtySize {
-        rows: 24,
-        cols: 80,
-        pixel_width: 0,
-        pixel_height: 0,
-    })?;
-
-    // Spawn a shell into the pty
-    let mut command_builder = CommandBuilder::new(shell);
-    let shell_mode_opt = if login { "-lc" } else { "-c" };
-    command_builder.arg(shell_mode_opt);
-    command_builder.arg(cmd);
-
-    let mut child = pair.slave.spawn_command(command_builder)?;
-    // Obtain a killer that can signal the process independently of `.wait()`.
-    let killer = child.clone_killer();
-
-    // Channel to forward write requests to the PTY writer.
-    let (writer_tx, mut writer_rx) = mpsc::channel::<Vec<u8>>(128);
-    // Broadcast for streaming PTY output to readers: subscribers receive from subscription time.
-    let (output_tx, _) = tokio::sync::broadcast::channel::<Vec<u8>>(256);
-    // Reader task: drain PTY and forward chunks to output channel.
-    let mut reader = pair.master.try_clone_reader()?;
-    let output_tx_clone = output_tx.clone();
-    let reader_handle = tokio::task::spawn_blocking(move || {
-        let mut buf = [0u8; 8192];
-        loop {
-            match reader.read(&mut buf) {
-                Ok(0) => break, // EOF
-                Ok(n) => {
-                    // Forward to broadcast; best-effort if there are subscribers.
-                    let _ = output_tx_clone.send(buf[..n].to_vec());
-                }
-                Err(ref e) if e.kind() == ErrorKind::Interrupted => {
-                    // Retry on EINTR
-                    continue;
-                }
-                Err(ref e) if e.kind() == ErrorKind::WouldBlock => {
-                    // We're in a blocking thread; back off briefly and retry.
-                    std::thread::sleep(Duration::from_millis(5));
-                    continue;
-                }
-                Err(_) => break,
-            }
-        }
-    });
-
-    // Writer task: apply stdin writes to the PTY writer.
-    let writer = pair.master.take_writer()?;
-    let writer = Arc::new(StdMutex::new(writer));
-    let writer_handle = tokio::spawn({
-        let writer = writer.clone();
-        async move {
-            while let Some(bytes) = writer_rx.recv().await {
-                let writer = writer.clone();
-                // Perform blocking write on a blocking thread.
-                let _ = tokio::task::spawn_blocking(move || {
-                    if let Ok(mut guard) = writer.lock() {
-                        use std::io::Write;
-                        let _ = guard.write_all(&bytes);
-                        let _ = guard.flush();
-                    }
-                })
-                .await;
-            }
-        }
-    });
-
-    // Keep the child alive until it exits, then signal exit code.
-    let (exit_tx, exit_rx) = oneshot::channel::<i32>();
-    let exit_status = Arc::new(AtomicBool::new(false));
-    let wait_exit_status = exit_status.clone();
-    let wait_handle = tokio::task::spawn_blocking(move || {
-        let code = match child.wait() {
-            Ok(status) => status.exit_code() as i32,
-            Err(_) => -1,
-        };
-        wait_exit_status.store(true, std::sync::atomic::Ordering::SeqCst);
-        let _ = exit_tx.send(code);
-    });
-
-    // Create and store the session with channels.
-    let (session, initial_output_rx) = ExecCommandSession::new(
-        writer_tx,
-        output_tx,
-        killer,
-        reader_handle,
-        writer_handle,
-        wait_handle,
-        exit_status,
-    );
-    Ok((session, initial_output_rx, exit_rx))
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::exec_command::session_id::SessionId;
-
-    /// Test that verifies that [`SessionManager::handle_exec_command_request()`]
-    /// and [`SessionManager::handle_write_stdin_request()`] work as expected
-    /// in the presence of a process that never terminates (but produces
-    /// output continuously).
-    #[cfg(unix)]
-    #[allow(clippy::print_stderr)]
-    #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
-    async fn session_manager_streams_and_truncates_from_now() {
-        use crate::exec_command::exec_command_params::ExecCommandParams;
-        use crate::exec_command::exec_command_params::WriteStdinParams;
-        use tokio::time::sleep;
-
-        let session_manager = SessionManager::default();
-        // Long-running loop that prints an increasing counter every ~100ms.
-        // Use Python for a portable, reliable sleep across shells/PTYs.
-        let cmd = r#"python3 - <<'PY'
-import sys, time
-count = 0
-while True:
-    print(count)
-    sys.stdout.flush()
-    count += 100
-    time.sleep(0.1)
-PY"#
-        .to_string();
-
-        // Start the session and collect ~3s of output.
-        let params = ExecCommandParams {
-            cmd,
-            yield_time_ms: 3_000,
-            max_output_tokens: 1_000, // large enough to avoid truncation here
-            shell: "/bin/bash".to_string(),
-            login: false,
-        };
-        let initial_output = match session_manager
-            .handle_exec_command_request(params.clone())
-            .await
-        {
-            Ok(v) => v,
-            Err(e) => {
-                // PTY may be restricted in some sandboxes; skip in that case.
-                if e.contains("openpty") || e.contains("Operation not permitted") {
-                    eprintln!("skipping test due to restricted PTY: {e}");
-                    return;
-                }
-                panic!("exec request failed unexpectedly: {e}");
-            }
-        };
-        eprintln!("initial output: {initial_output:?}");
-
-        // Should be ongoing (we launched a never-ending loop).
-        let session_id = match initial_output.exit_status {
-            ExitStatus::Ongoing(id) => id,
-            _ => panic!("expected ongoing session"),
-        };
-
-        // Parse the numeric lines and get the max observed value in the first window.
-        let first_nums = extract_monotonic_numbers(&initial_output.output);
-        assert!(
-            !first_nums.is_empty(),
-            "expected some output from first window"
-        );
-        let first_max = *first_nums.iter().max().unwrap();
-
-        // Wait ~4s so counters progress while we're not reading.
-        sleep(Duration::from_millis(4_000)).await;
-
-        // Now read ~3s of output "from now" only.
-        // Use a small token cap so truncation occurs and we test middle truncation.
-        let write_params = WriteStdinParams {
-            session_id,
-            chars: String::new(),
-            yield_time_ms: 3_000,
-            max_output_tokens: 16, // 16 tokens ~= 64 bytes -> likely truncation
-        };
-        let second = session_manager
-            .handle_write_stdin_request(write_params)
-            .await
-            .expect("write stdin should succeed");
-
-        // Verify truncation metadata and size bound (cap is tokens*4 bytes).
-        assert!(second.original_token_count.is_some());
-        let cap_bytes = (16u64 * 4) as usize;
-        assert!(second.output.len() <= cap_bytes);
-        // New middle marker should be present.
-        assert!(
-            second.output.contains("tokens truncated") && second.output.contains('…'),
-            "expected truncation marker in output, got: {}",
-            second.output
-        );
-
-        // Minimal freshness check: the earliest number we see in the second window
-        // should be significantly larger than the last from the first window.
-        let second_nums = extract_monotonic_numbers(&second.output);
-        assert!(
-            !second_nums.is_empty(),
-            "expected some numeric output from second window"
-        );
-        let second_min = *second_nums.iter().min().unwrap();
-
-        // We slept 4 seconds (~40 ticks at 100ms/tick, each +100), so expect
-        // an increase of roughly 4000 or more. Allow a generous margin.
-        assert!(
-            second_min >= first_max + 2000,
-            "second_min={second_min} first_max={first_max}",
-        );
-    }
-
-    #[cfg(unix)]
-    fn extract_monotonic_numbers(s: &str) -> Vec<i64> {
-        s.lines()
-            .filter_map(|line| {
-                if !line.is_empty()
-                    && line.chars().all(|c| c.is_ascii_digit())
-                    && let Ok(n) = line.parse::<i64>()
-                {
-                    // Our generator increments by 100; ignore spurious fragments.
-                    if n % 100 == 0 {
-                        return Some(n);
-                    }
-                }
-                None
-            })
-            .collect()
-    }
-
-    #[test]
-    fn to_text_output_exited_no_truncation() {
-        let out = ExecCommandOutput {
-            wall_time: Duration::from_millis(1234),
-            exit_status: ExitStatus::Exited(0),
-            original_token_count: None,
-            output: "hello".to_string(),
-        };
-        let text = out.to_text_output();
-        let expected = r#"Wall time: 1.234 seconds
-Process exited with code 0
-Output:
-hello"#;
-        assert_eq!(expected, text);
-    }
-
-    #[test]
-    fn to_text_output_ongoing_with_truncation() {
-        let out = ExecCommandOutput {
-            wall_time: Duration::from_millis(500),
-            exit_status: ExitStatus::Ongoing(SessionId(42)),
-            original_token_count: Some(1000),
-            output: "abc".to_string(),
-        };
-        let text = out.to_text_output();
-        let expected = r#"Wall time: 0.500 seconds
-Process running with session ID 42
-Warning: truncated output (original token count: 1000)
-Output:
-abc"#;
-        assert_eq!(expected, text);
-    }
-}
--- a/codex-rs/core/src/executor/backends.rs
+++ b/codex-rs/core/src/executor/backends.rs
@@ -1,109 +0,0 @@
-use std::collections::HashMap;
-use std::env;
-
-use async_trait::async_trait;
-
-use crate::CODEX_APPLY_PATCH_ARG1;
-use crate::apply_patch::ApplyPatchExec;
-use crate::exec::ExecParams;
-use crate::executor::ExecutorConfig;
-use crate::function_tool::FunctionCallError;
-
-pub(crate) enum ExecutionMode {
-    Shell,
-    ApplyPatch(ApplyPatchExec),
-}
-
-#[async_trait]
-/// Backend-specific hooks that prepare and post-process execution requests for a
-/// given [`ExecutionMode`].
-pub(crate) trait ExecutionBackend: Send + Sync {
-    fn prepare(
-        &self,
-        params: ExecParams,
-        // Required for downcasting the apply_patch.
-        mode: &ExecutionMode,
-        config: &ExecutorConfig,
-    ) -> Result<ExecParams, FunctionCallError>;
-
-    fn stream_stdout(&self, _mode: &ExecutionMode) -> bool {
-        true
-    }
-}
-
-static SHELL_BACKEND: ShellBackend = ShellBackend;
-static APPLY_PATCH_BACKEND: ApplyPatchBackend = ApplyPatchBackend;
-
-pub(crate) fn backend_for_mode(mode: &ExecutionMode) -> &'static dyn ExecutionBackend {
-    match mode {
-        ExecutionMode::Shell => &SHELL_BACKEND,
-        ExecutionMode::ApplyPatch(_) => &APPLY_PATCH_BACKEND,
-    }
-}
-
-struct ShellBackend;
-
-#[async_trait]
-impl ExecutionBackend for ShellBackend {
-    fn prepare(
-        &self,
-        params: ExecParams,
-        mode: &ExecutionMode,
-        _config: &ExecutorConfig,
-    ) -> Result<ExecParams, FunctionCallError> {
-        match mode {
-            ExecutionMode::Shell => Ok(params),
-            _ => Err(FunctionCallError::RespondToModel(
-                "shell backend invoked with non-shell mode".to_string(),
-            )),
-        }
-    }
-}
-
-struct ApplyPatchBackend;
-
-#[async_trait]
-impl ExecutionBackend for ApplyPatchBackend {
-    fn prepare(
-        &self,
-        params: ExecParams,
-        mode: &ExecutionMode,
-        config: &ExecutorConfig,
-    ) -> Result<ExecParams, FunctionCallError> {
-        match mode {
-            ExecutionMode::ApplyPatch(exec) => {
-                let path_to_codex = if let Some(exe_path) = &config.codex_exe {
-                    exe_path.to_string_lossy().to_string()
-                } else {
-                    env::current_exe()
-                        .ok()
-                        .map(|p| p.to_string_lossy().to_string())
-                        .ok_or_else(|| {
-                            FunctionCallError::RespondToModel(
-                                "failed to determine path to codex executable".to_string(),
-                            )
-                        })?
-                };
-
-                let patch = exec.action.patch.clone();
-                Ok(ExecParams {
-                    command: vec![path_to_codex, CODEX_APPLY_PATCH_ARG1.to_string(), patch],
-                    cwd: exec.action.cwd.clone(),
-                    timeout_ms: params.timeout_ms,
-                    // Run apply_patch with a minimal environment for determinism and to
-                    // avoid leaking host environment variables into the patch process.
-                    env: HashMap::new(),
-                    with_escalated_permissions: params.with_escalated_permissions,
-                    justification: params.justification,
-                })
-            }
-            ExecutionMode::Shell => Err(FunctionCallError::RespondToModel(
-                "apply_patch backend invoked without patch context".to_string(),
-            )),
-        }
-    }
-
-    fn stream_stdout(&self, _mode: &ExecutionMode) -> bool {
-        false
-    }
-}
--- a/codex-rs/core/src/executor/cache.rs
+++ b/codex-rs/core/src/executor/cache.rs
@@ -1,51 +0,0 @@
-use std::collections::HashSet;
-use std::sync::Arc;
-use std::sync::Mutex;
-
-#[derive(Clone, Debug, Default)]
-/// Thread-safe store of user approvals so repeated commands can reuse
-/// previously granted trust.
-pub(crate) struct ApprovalCache {
-    inner: Arc<Mutex<HashSet<Vec<String>>>>,
-}
-
-impl ApprovalCache {
-    pub(crate) fn insert(&self, command: Vec<String>) {
-        if command.is_empty() {
-            return;
-        }
-        if let Ok(mut guard) = self.inner.lock() {
-            guard.insert(command);
-        }
-    }
-
-    pub(crate) fn snapshot(&self) -> HashSet<Vec<String>> {
-        self.inner.lock().map(|g| g.clone()).unwrap_or_default()
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use pretty_assertions::assert_eq;
-
-    #[test]
-    fn insert_ignores_empty_and_dedupes() {
-        let cache = ApprovalCache::default();
-
-        // Empty should be ignored
-        cache.insert(vec![]);
-        assert!(cache.snapshot().is_empty());
-
-        // Insert a command and verify snapshot contains it
-        let cmd = vec!["foo".to_string(), "bar".to_string()];
-        cache.insert(cmd.clone());
-        let snap1 = cache.snapshot();
-        assert!(snap1.contains(&cmd));
-
-        // Reinserting should not create duplicates
-        cache.insert(cmd);
-        let snap2 = cache.snapshot();
-        assert_eq!(snap1, snap2);
-    }
-}
--- a/codex-rs/core/src/executor/mod.rs
+++ b/codex-rs/core/src/executor/mod.rs
@@ -1,64 +0,0 @@
-mod backends;
-mod cache;
-mod runner;
-mod sandbox;
-
-pub(crate) use backends::ExecutionMode;
-pub(crate) use runner::ExecutionRequest;
-pub(crate) use runner::Executor;
-pub(crate) use runner::ExecutorConfig;
-pub(crate) use runner::normalize_exec_result;
-
-pub(crate) mod linkers {
-    use crate::exec::ExecParams;
-    use crate::exec::StdoutStream;
-    use crate::executor::backends::ExecutionMode;
-    use crate::executor::runner::ExecutionRequest;
-    use crate::tools::context::ExecCommandContext;
-
-    pub struct PreparedExec {
-        pub(crate) context: ExecCommandContext,
-        pub(crate) request: ExecutionRequest,
-    }
-
-    impl PreparedExec {
-        pub fn new(
-            context: ExecCommandContext,
-            params: ExecParams,
-            approval_command: Vec<String>,
-            mode: ExecutionMode,
-            stdout_stream: Option<StdoutStream>,
-            use_shell_profile: bool,
-        ) -> Self {
-            let request = ExecutionRequest {
-                params,
-                approval_command,
-                mode,
-                stdout_stream,
-                use_shell_profile,
-            };
-
-            Self { context, request }
-        }
-    }
-}
-
-pub mod errors {
-    use crate::error::CodexErr;
-    use crate::function_tool::FunctionCallError;
-    use thiserror::Error;
-
-    #[derive(Debug, Error)]
-    pub enum ExecError {
-        #[error(transparent)]
-        Function(#[from] FunctionCallError),
-        #[error(transparent)]
-        Codex(#[from] CodexErr),
-    }
-
-    impl ExecError {
-        pub(crate) fn rejection(msg: impl Into<String>) -> Self {
-            FunctionCallError::RespondToModel(msg.into()).into()
-        }
-    }
-}
--- a/codex-rs/core/src/executor/runner.rs
+++ b/codex-rs/core/src/executor/runner.rs
@@ -1,426 +0,0 @@
-use std::path::PathBuf;
-use std::sync::Arc;
-use std::sync::RwLock;
-use std::time::Duration;
-
-use super::backends::ExecutionMode;
-use super::backends::backend_for_mode;
-use super::cache::ApprovalCache;
-use crate::codex::Session;
-use crate::error::CodexErr;
-use crate::error::SandboxErr;
-use crate::error::get_error_message_ui;
-use crate::exec::ExecParams;
-use crate::exec::ExecToolCallOutput;
-use crate::exec::SandboxType;
-use crate::exec::StdoutStream;
-use crate::exec::StreamOutput;
-use crate::exec::process_exec_tool_call;
-use crate::executor::errors::ExecError;
-use crate::executor::sandbox::select_sandbox;
-use crate::function_tool::FunctionCallError;
-use crate::protocol::AskForApproval;
-use crate::protocol::ReviewDecision;
-use crate::protocol::SandboxPolicy;
-use crate::shell;
-use crate::tools::context::ExecCommandContext;
-use codex_otel::otel_event_manager::ToolDecisionSource;
-
-#[derive(Clone, Debug)]
-pub(crate) struct ExecutorConfig {
-    pub(crate) sandbox_policy: SandboxPolicy,
-    pub(crate) sandbox_cwd: PathBuf,
-    pub(crate) codex_exe: Option<PathBuf>,
-}
-
-impl ExecutorConfig {
-    pub(crate) fn new(
-        sandbox_policy: SandboxPolicy,
-        sandbox_cwd: PathBuf,
-        codex_exe: Option<PathBuf>,
-    ) -> Self {
-        Self {
-            sandbox_policy,
-            sandbox_cwd,
-            codex_exe,
-        }
-    }
-}
-
-/// Coordinates sandbox selection, backend-specific preparation, and command
-/// execution for tool calls requested by the model.
-pub(crate) struct Executor {
-    approval_cache: ApprovalCache,
-    config: Arc<RwLock<ExecutorConfig>>,
-}
-
-impl Executor {
-    pub(crate) fn new(config: ExecutorConfig) -> Self {
-        Self {
-            approval_cache: ApprovalCache::default(),
-            config: Arc::new(RwLock::new(config)),
-        }
-    }
-
-    /// Updates the sandbox policy and working directory used for future
-    /// executions without recreating the executor.
-    pub(crate) fn update_environment(&self, sandbox_policy: SandboxPolicy, sandbox_cwd: PathBuf) {
-        if let Ok(mut cfg) = self.config.write() {
-            cfg.sandbox_policy = sandbox_policy;
-            cfg.sandbox_cwd = sandbox_cwd;
-        }
-    }
-
-    /// Runs a prepared execution request end-to-end: prepares parameters, decides on
-    /// sandbox placement (prompting the user when necessary), launches the command,
-    /// and lets the backend post-process the final output.
-    pub(crate) async fn run(
-        &self,
-        mut request: ExecutionRequest,
-        session: &Session,
-        approval_policy: AskForApproval,
-        context: &ExecCommandContext,
-    ) -> Result<ExecToolCallOutput, ExecError> {
-        if matches!(request.mode, ExecutionMode::Shell) {
-            request.params =
-                maybe_translate_shell_command(request.params, session, request.use_shell_profile);
-        }
-
-        // Step 1: Snapshot sandbox configuration so it stays stable for this run.
-        let config = self
-            .config
-            .read()
-            .map_err(|_| ExecError::rejection("executor config poisoned"))?
-            .clone();
-
-        // Step 2: Normalise parameters via the selected backend.
-        let backend = backend_for_mode(&request.mode);
-        let stdout_stream = if backend.stream_stdout(&request.mode) {
-            request.stdout_stream.clone()
-        } else {
-            None
-        };
-        request.params = backend
-            .prepare(request.params, &request.mode, &config)
-            .map_err(ExecError::from)?;
-
-        // Step 3: Decide sandbox placement, prompting for approval when needed.
-        let sandbox_decision = select_sandbox(
-            &request,
-            approval_policy,
-            self.approval_cache.snapshot(),
-            &config,
-            session,
-            &context.sub_id,
-            &context.call_id,
-            &context.otel_event_manager,
-        )
-        .await?;
-        if sandbox_decision.record_session_approval {
-            self.approval_cache.insert(request.approval_command.clone());
-        }
-
-        // Step 4: Launch the command within the chosen sandbox.
-        let first_attempt = self
-            .spawn(
-                request.params.clone(),
-                sandbox_decision.initial_sandbox,
-                &config,
-                stdout_stream.clone(),
-            )
-            .await;
-
-        // Step 5: Handle sandbox outcomes, optionally escalating to an unsandboxed retry.
-        match first_attempt {
-            Ok(output) => Ok(output),
-            Err(CodexErr::Sandbox(SandboxErr::Timeout { output })) => {
-                Err(CodexErr::Sandbox(SandboxErr::Timeout { output }).into())
-            }
-            Err(CodexErr::Sandbox(error)) => {
-                if sandbox_decision.escalate_on_failure {
-                    self.retry_without_sandbox(
-                        &request,
-                        &config,
-                        session,
-                        context,
-                        stdout_stream,
-                        error,
-                    )
-                    .await
-                } else {
-                    let message = sandbox_failure_message(error);
-                    Err(ExecError::rejection(message))
-                }
-            }
-            Err(err) => Err(err.into()),
-        }
-    }
-
-    /// Fallback path invoked when a sandboxed run is denied so the user can
-    /// approve rerunning without isolation.
-    async fn retry_without_sandbox(
-        &self,
-        request: &ExecutionRequest,
-        config: &ExecutorConfig,
-        session: &Session,
-        context: &ExecCommandContext,
-        stdout_stream: Option<StdoutStream>,
-        sandbox_error: SandboxErr,
-    ) -> Result<ExecToolCallOutput, ExecError> {
-        session
-            .notify_background_event(
-                &context.sub_id,
-                format!("Execution failed: {sandbox_error}"),
-            )
-            .await;
-        let decision = session
-            .request_command_approval(
-                context.sub_id.to_string(),
-                context.call_id.to_string(),
-                request.approval_command.clone(),
-                request.params.cwd.clone(),
-                Some("command failed; retry without sandbox?".to_string()),
-            )
-            .await;
-
-        context.otel_event_manager.tool_decision(
-            &context.tool_name,
-            &context.call_id,
-            decision,
-            ToolDecisionSource::User,
-        );
-        match decision {
-            ReviewDecision::Approved | ReviewDecision::ApprovedForSession => {
-                if matches!(decision, ReviewDecision::ApprovedForSession) {
-                    self.approval_cache.insert(request.approval_command.clone());
-                }
-                session
-                    .notify_background_event(&context.sub_id, "retrying command without sandbox")
-                    .await;
-
-                let retry_output = self
-                    .spawn(
-                        request.params.clone(),
-                        SandboxType::None,
-                        config,
-                        stdout_stream,
-                    )
-                    .await?;
-
-                Ok(retry_output)
-            }
-            ReviewDecision::Denied | ReviewDecision::Abort => {
-                Err(ExecError::rejection("exec command rejected by user"))
-            }
-        }
-    }
-
-    async fn spawn(
-        &self,
-        params: ExecParams,
-        sandbox: SandboxType,
-        config: &ExecutorConfig,
-        stdout_stream: Option<StdoutStream>,
-    ) -> Result<ExecToolCallOutput, CodexErr> {
-        process_exec_tool_call(
-            params,
-            sandbox,
-            &config.sandbox_policy,
-            &config.sandbox_cwd,
-            &config.codex_exe,
-            stdout_stream,
-        )
-        .await
-    }
-}
-
-fn maybe_translate_shell_command(
-    params: ExecParams,
-    session: &Session,
-    use_shell_profile: bool,
-) -> ExecParams {
-    let should_translate =
-        matches!(session.user_shell(), shell::Shell::PowerShell(_)) || use_shell_profile;
-
-    if should_translate
-        && let Some(command) = session
-            .user_shell()
-            .format_default_shell_invocation(params.command.clone())
-    {
-        return ExecParams { command, ..params };
-    }
-
-    params
-}
-
-fn sandbox_failure_message(error: SandboxErr) -> String {
-    let codex_error = CodexErr::Sandbox(error);
-    let friendly = get_error_message_ui(&codex_error);
-    format!("failed in sandbox: {friendly}")
-}
-
-pub(crate) struct ExecutionRequest {
-    pub params: ExecParams,
-    pub approval_command: Vec<String>,
-    pub mode: ExecutionMode,
-    pub stdout_stream: Option<StdoutStream>,
-    pub use_shell_profile: bool,
-}
-
-pub(crate) struct NormalizedExecOutput<'a> {
-    borrowed: Option<&'a ExecToolCallOutput>,
-    synthetic: Option<ExecToolCallOutput>,
-}
-
-impl<'a> NormalizedExecOutput<'a> {
-    pub(crate) fn event_output(&'a self) -> &'a ExecToolCallOutput {
-        match (self.borrowed, self.synthetic.as_ref()) {
-            (Some(output), _) => output,
-            (None, Some(output)) => output,
-            (None, None) => unreachable!("normalized exec output missing data"),
-        }
-    }
-}
-
-/// Converts a raw execution result into a uniform view that always exposes an
-/// [`ExecToolCallOutput`], synthesizing error output when the command fails
-/// before producing a response.
-pub(crate) fn normalize_exec_result(
-    result: &Result<ExecToolCallOutput, ExecError>,
-) -> NormalizedExecOutput<'_> {
-    match result {
-        Ok(output) => NormalizedExecOutput {
-            borrowed: Some(output),
-            synthetic: None,
-        },
-        Err(ExecError::Codex(CodexErr::Sandbox(SandboxErr::Timeout { output }))) => {
-            NormalizedExecOutput {
-                borrowed: Some(output.as_ref()),
-                synthetic: None,
-            }
-        }
-        Err(err) => {
-            let message = match err {
-                ExecError::Function(FunctionCallError::RespondToModel(msg)) => msg.clone(),
-                ExecError::Codex(e) => get_error_message_ui(e),
-                err => err.to_string(),
-            };
-            let synthetic = ExecToolCallOutput {
-                exit_code: -1,
-                stdout: StreamOutput::new(String::new()),
-                stderr: StreamOutput::new(message.clone()),
-                aggregated_output: StreamOutput::new(message),
-                duration: Duration::default(),
-                timed_out: false,
-            };
-            NormalizedExecOutput {
-                borrowed: None,
-                synthetic: Some(synthetic),
-            }
-        }
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::error::CodexErr;
-    use crate::error::EnvVarError;
-    use crate::error::SandboxErr;
-    use crate::exec::StreamOutput;
-    use pretty_assertions::assert_eq;
-
-    fn make_output(text: &str) -> ExecToolCallOutput {
-        ExecToolCallOutput {
-            exit_code: 1,
-            stdout: StreamOutput::new(String::new()),
-            stderr: StreamOutput::new(String::new()),
-            aggregated_output: StreamOutput::new(text.to_string()),
-            duration: Duration::from_millis(123),
-            timed_out: false,
-        }
-    }
-
-    #[test]
-    fn normalize_success_borrows() {
-        let out = make_output("ok");
-        let result: Result<ExecToolCallOutput, ExecError> = Ok(out);
-        let normalized = normalize_exec_result(&result);
-        assert_eq!(normalized.event_output().aggregated_output.text, "ok");
-    }
-
-    #[test]
-    fn normalize_timeout_borrows_embedded_output() {
-        let out = make_output("timed out payload");
-        let err = CodexErr::Sandbox(SandboxErr::Timeout {
-            output: Box::new(out),
-        });
-        let result: Result<ExecToolCallOutput, ExecError> = Err(ExecError::Codex(err));
-        let normalized = normalize_exec_result(&result);
-        assert_eq!(
-            normalized.event_output().aggregated_output.text,
-            "timed out payload"
-        );
-    }
-
-    #[test]
-    fn sandbox_failure_message_uses_denied_stderr() {
-        let output = ExecToolCallOutput {
-            exit_code: 101,
-            stdout: StreamOutput::new(String::new()),
-            stderr: StreamOutput::new("sandbox stderr".to_string()),
-            aggregated_output: StreamOutput::new(String::new()),
-            duration: Duration::from_millis(10),
-            timed_out: false,
-        };
-        let err = SandboxErr::Denied {
-            output: Box::new(output),
-        };
-        let message = sandbox_failure_message(err);
-        assert_eq!(message, "failed in sandbox: sandbox stderr");
-    }
-
-    #[test]
-    fn sandbox_failure_message_falls_back_to_aggregated_output() {
-        let output = ExecToolCallOutput {
-            exit_code: 101,
-            stdout: StreamOutput::new(String::new()),
-            stderr: StreamOutput::new(String::new()),
-            aggregated_output: StreamOutput::new("aggregate text".to_string()),
-            duration: Duration::from_millis(10),
-            timed_out: false,
-        };
-        let err = SandboxErr::Denied {
-            output: Box::new(output),
-        };
-        let message = sandbox_failure_message(err);
-        assert_eq!(message, "failed in sandbox: aggregate text");
-    }
-
-    #[test]
-    fn normalize_function_error_synthesizes_payload() {
-        let err = FunctionCallError::RespondToModel("boom".to_string());
-        let result: Result<ExecToolCallOutput, ExecError> = Err(ExecError::Function(err));
-        let normalized = normalize_exec_result(&result);
-        assert_eq!(normalized.event_output().aggregated_output.text, "boom");
-    }
-
-    #[test]
-    fn normalize_codex_error_synthesizes_user_message() {
-        // Use a simple EnvVar error which formats to a clear message
-        let e = CodexErr::EnvVar(EnvVarError {
-            var: "FOO".to_string(),
-            instructions: Some("set it".to_string()),
-        });
-        let result: Result<ExecToolCallOutput, ExecError> = Err(ExecError::Codex(e));
-        let normalized = normalize_exec_result(&result);
-        assert!(
-            normalized
-                .event_output()
-                .aggregated_output
-                .text
-                .contains("Missing environment variable: `FOO`"),
-            "expected synthesized user-friendly message"
-        );
-    }
-}
--- a/codex-rs/core/src/executor/sandbox.rs
+++ b/codex-rs/core/src/executor/sandbox.rs
@@ -1,405 +0,0 @@
-use crate::apply_patch::ApplyPatchExec;
-use crate::codex::Session;
-use crate::exec::SandboxType;
-use crate::executor::ExecutionMode;
-use crate::executor::ExecutionRequest;
-use crate::executor::ExecutorConfig;
-use crate::executor::errors::ExecError;
-use crate::safety::SafetyCheck;
-use crate::safety::assess_command_safety;
-use crate::safety::assess_patch_safety;
-use codex_otel::otel_event_manager::OtelEventManager;
-use codex_otel::otel_event_manager::ToolDecisionSource;
-use codex_protocol::protocol::AskForApproval;
-use codex_protocol::protocol::ReviewDecision;
-use std::collections::HashSet;
-
-/// Sandbox placement options selected for an execution run, including whether
-/// to escalate after failures and whether approvals should persist.
-pub(crate) struct SandboxDecision {
-    pub(crate) initial_sandbox: SandboxType,
-    pub(crate) escalate_on_failure: bool,
-    pub(crate) record_session_approval: bool,
-}
-
-impl SandboxDecision {
-    fn auto(sandbox: SandboxType, escalate_on_failure: bool) -> Self {
-        Self {
-            initial_sandbox: sandbox,
-            escalate_on_failure,
-            record_session_approval: false,
-        }
-    }
-
-    fn user_override(record_session_approval: bool) -> Self {
-        Self {
-            initial_sandbox: SandboxType::None,
-            escalate_on_failure: false,
-            record_session_approval,
-        }
-    }
-}
-
-fn should_escalate_on_failure(approval: AskForApproval, sandbox: SandboxType) -> bool {
-    matches!(
-        (approval, sandbox),
-        (
-            AskForApproval::UnlessTrusted | AskForApproval::OnFailure,
-            SandboxType::MacosSeatbelt | SandboxType::LinuxSeccomp
-        )
-    )
-}
-
-/// Determines how a command should be sandboxed, prompting the user when
-/// policy requires explicit approval.
-#[allow(clippy::too_many_arguments)]
-pub async fn select_sandbox(
-    request: &ExecutionRequest,
-    approval_policy: AskForApproval,
-    approval_cache: HashSet<Vec<String>>,
-    config: &ExecutorConfig,
-    session: &Session,
-    sub_id: &str,
-    call_id: &str,
-    otel_event_manager: &OtelEventManager,
-) -> Result<SandboxDecision, ExecError> {
-    match &request.mode {
-        ExecutionMode::Shell => {
-            select_shell_sandbox(
-                request,
-                approval_policy,
-                approval_cache,
-                config,
-                session,
-                sub_id,
-                call_id,
-                otel_event_manager,
-            )
-            .await
-        }
-        ExecutionMode::ApplyPatch(exec) => {
-            select_apply_patch_sandbox(exec, approval_policy, config)
-        }
-    }
-}
-
-#[allow(clippy::too_many_arguments)]
-async fn select_shell_sandbox(
-    request: &ExecutionRequest,
-    approval_policy: AskForApproval,
-    approved_snapshot: HashSet<Vec<String>>,
-    config: &ExecutorConfig,
-    session: &Session,
-    sub_id: &str,
-    call_id: &str,
-    otel_event_manager: &OtelEventManager,
-) -> Result<SandboxDecision, ExecError> {
-    let command_for_safety = if request.approval_command.is_empty() {
-        request.params.command.clone()
-    } else {
-        request.approval_command.clone()
-    };
-
-    let safety = assess_command_safety(
-        &command_for_safety,
-        approval_policy,
-        &config.sandbox_policy,
-        &approved_snapshot,
-        request.params.with_escalated_permissions.unwrap_or(false),
-    );
-
-    match safety {
-        SafetyCheck::AutoApprove {
-            sandbox_type,
-            user_explicitly_approved,
-        } => {
-            let mut decision = SandboxDecision::auto(
-                sandbox_type,
-                should_escalate_on_failure(approval_policy, sandbox_type),
-            );
-            if user_explicitly_approved {
-                decision.record_session_approval = true;
-            }
-            let (decision_for_event, source) = if user_explicitly_approved {
-                (ReviewDecision::ApprovedForSession, ToolDecisionSource::User)
-            } else {
-                (ReviewDecision::Approved, ToolDecisionSource::Config)
-            };
-            otel_event_manager.tool_decision("local_shell", call_id, decision_for_event, source);
-            Ok(decision)
-        }
-        SafetyCheck::AskUser => {
-            let decision = session
-                .request_command_approval(
-                    sub_id.to_string(),
-                    call_id.to_string(),
-                    request.approval_command.clone(),
-                    request.params.cwd.clone(),
-                    request.params.justification.clone(),
-                )
-                .await;
-
-            otel_event_manager.tool_decision(
-                "local_shell",
-                call_id,
-                decision,
-                ToolDecisionSource::User,
-            );
-            match decision {
-                ReviewDecision::Approved => Ok(SandboxDecision::user_override(false)),
-                ReviewDecision::ApprovedForSession => Ok(SandboxDecision::user_override(true)),
-                ReviewDecision::Denied | ReviewDecision::Abort => {
-                    Err(ExecError::rejection("exec command rejected by user"))
-                }
-            }
-        }
-        SafetyCheck::Reject { reason } => Err(ExecError::rejection(format!(
-            "exec command rejected: {reason}"
-        ))),
-    }
-}
-
-fn select_apply_patch_sandbox(
-    exec: &ApplyPatchExec,
-    approval_policy: AskForApproval,
-    config: &ExecutorConfig,
-) -> Result<SandboxDecision, ExecError> {
-    if exec.user_explicitly_approved_this_action {
-        return Ok(SandboxDecision::user_override(false));
-    }
-
-    match assess_patch_safety(
-        &exec.action,
-        approval_policy,
-        &config.sandbox_policy,
-        &config.sandbox_cwd,
-    ) {
-        SafetyCheck::AutoApprove { sandbox_type, .. } => Ok(SandboxDecision::auto(
-            sandbox_type,
-            should_escalate_on_failure(approval_policy, sandbox_type),
-        )),
-        SafetyCheck::AskUser => Err(ExecError::rejection(
-            "patch requires approval but none was recorded",
-        )),
-        SafetyCheck::Reject { reason } => {
-            Err(ExecError::rejection(format!("patch rejected: {reason}")))
-        }
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::codex::make_session_and_context;
-    use crate::exec::ExecParams;
-    use crate::function_tool::FunctionCallError;
-    use crate::protocol::SandboxPolicy;
-    use codex_apply_patch::ApplyPatchAction;
-    use pretty_assertions::assert_eq;
-
-    #[tokio::test]
-    async fn select_apply_patch_user_override_when_explicit() {
-        let (session, ctx) = make_session_and_context();
-        let tmp = tempfile::tempdir().expect("tmp");
-        let p = tmp.path().join("a.txt");
-        let action = ApplyPatchAction::new_add_for_test(&p, "hello".to_string());
-        let exec = ApplyPatchExec {
-            action,
-            user_explicitly_approved_this_action: true,
-        };
-        let cfg = ExecutorConfig::new(SandboxPolicy::ReadOnly, std::env::temp_dir(), None);
-        let request = ExecutionRequest {
-            params: ExecParams {
-                command: vec!["apply_patch".into()],
-                cwd: std::env::temp_dir(),
-                timeout_ms: None,
-                env: std::collections::HashMap::new(),
-                with_escalated_permissions: None,
-                justification: None,
-            },
-            approval_command: vec!["apply_patch".into()],
-            mode: ExecutionMode::ApplyPatch(exec),
-            stdout_stream: None,
-            use_shell_profile: false,
-        };
-        let otel_event_manager = ctx.client.get_otel_event_manager();
-        let decision = select_sandbox(
-            &request,
-            AskForApproval::OnRequest,
-            Default::default(),
-            &cfg,
-            &session,
-            "sub",
-            "call",
-            &otel_event_manager,
-        )
-        .await
-        .expect("ok");
-        // Explicit user override runs without sandbox
-        assert_eq!(decision.initial_sandbox, SandboxType::None);
-        assert_eq!(decision.escalate_on_failure, false);
-    }
-
-    #[tokio::test]
-    async fn select_apply_patch_autoapprove_in_danger() {
-        let (session, ctx) = make_session_and_context();
-        let tmp = tempfile::tempdir().expect("tmp");
-        let p = tmp.path().join("a.txt");
-        let action = ApplyPatchAction::new_add_for_test(&p, "hello".to_string());
-        let exec = ApplyPatchExec {
-            action,
-            user_explicitly_approved_this_action: false,
-        };
-        let cfg = ExecutorConfig::new(SandboxPolicy::DangerFullAccess, std::env::temp_dir(), None);
-        let request = ExecutionRequest {
-            params: ExecParams {
-                command: vec!["apply_patch".into()],
-                cwd: std::env::temp_dir(),
-                timeout_ms: None,
-                env: std::collections::HashMap::new(),
-                with_escalated_permissions: None,
-                justification: None,
-            },
-            approval_command: vec!["apply_patch".into()],
-            mode: ExecutionMode::ApplyPatch(exec),
-            stdout_stream: None,
-            use_shell_profile: false,
-        };
-        let otel_event_manager = ctx.client.get_otel_event_manager();
-        let decision = select_sandbox(
-            &request,
-            AskForApproval::OnRequest,
-            Default::default(),
-            &cfg,
-            &session,
-            "sub",
-            "call",
-            &otel_event_manager,
-        )
-        .await
-        .expect("ok");
-        // On platforms with a sandbox, DangerFullAccess still prefers it
-        let expected = crate::safety::get_platform_sandbox().unwrap_or(SandboxType::None);
-        assert_eq!(decision.initial_sandbox, expected);
-        assert_eq!(decision.escalate_on_failure, false);
-    }
-
-    #[tokio::test]
-    async fn select_apply_patch_requires_approval_on_unless_trusted() {
-        let (session, ctx) = make_session_and_context();
-        let tempdir = tempfile::tempdir().expect("tmpdir");
-        let p = tempdir.path().join("a.txt");
-        let action = ApplyPatchAction::new_add_for_test(&p, "hello".to_string());
-        let exec = ApplyPatchExec {
-            action,
-            user_explicitly_approved_this_action: false,
-        };
-        let cfg = ExecutorConfig::new(SandboxPolicy::ReadOnly, std::env::temp_dir(), None);
-        let request = ExecutionRequest {
-            params: ExecParams {
-                command: vec!["apply_patch".into()],
-                cwd: std::env::temp_dir(),
-                timeout_ms: None,
-                env: std::collections::HashMap::new(),
-                with_escalated_permissions: None,
-                justification: None,
-            },
-            approval_command: vec!["apply_patch".into()],
-            mode: ExecutionMode::ApplyPatch(exec),
-            stdout_stream: None,
-            use_shell_profile: false,
-        };
-        let otel_event_manager = ctx.client.get_otel_event_manager();
-        let result = select_sandbox(
-            &request,
-            AskForApproval::UnlessTrusted,
-            Default::default(),
-            &cfg,
-            &session,
-            "sub",
-            "call",
-            &otel_event_manager,
-        )
-        .await;
-        match result {
-            Ok(_) => panic!("expected error"),
-            Err(ExecError::Function(FunctionCallError::RespondToModel(msg))) => {
-                assert!(msg.contains("requires approval"))
-            }
-            Err(other) => panic!("unexpected error: {other:?}"),
-        }
-    }
-
-    #[tokio::test]
-    async fn select_shell_autoapprove_in_danger_mode() {
-        let (session, ctx) = make_session_and_context();
-        let cfg = ExecutorConfig::new(SandboxPolicy::DangerFullAccess, std::env::temp_dir(), None);
-        let request = ExecutionRequest {
-            params: ExecParams {
-                command: vec!["some-unknown".into()],
-                cwd: std::env::temp_dir(),
-                timeout_ms: None,
-                env: std::collections::HashMap::new(),
-                with_escalated_permissions: None,
-                justification: None,
-            },
-            approval_command: vec!["some-unknown".into()],
-            mode: ExecutionMode::Shell,
-            stdout_stream: None,
-            use_shell_profile: false,
-        };
-        let otel_event_manager = ctx.client.get_otel_event_manager();
-        let decision = select_sandbox(
-            &request,
-            AskForApproval::OnRequest,
-            Default::default(),
-            &cfg,
-            &session,
-            "sub",
-            "call",
-            &otel_event_manager,
-        )
-        .await
-        .expect("ok");
-        assert_eq!(decision.initial_sandbox, SandboxType::None);
-        assert_eq!(decision.escalate_on_failure, false);
-    }
-
-    #[cfg(any(target_os = "macos", target_os = "linux"))]
-    #[tokio::test]
-    async fn select_shell_escalates_on_failure_with_platform_sandbox() {
-        let (session, ctx) = make_session_and_context();
-        let cfg = ExecutorConfig::new(SandboxPolicy::ReadOnly, std::env::temp_dir(), None);
-        let request = ExecutionRequest {
-            params: ExecParams {
-                // Unknown command => untrusted but not flagged dangerous
-                command: vec!["some-unknown".into()],
-                cwd: std::env::temp_dir(),
-                timeout_ms: None,
-                env: std::collections::HashMap::new(),
-                with_escalated_permissions: None,
-                justification: None,
-            },
-            approval_command: vec!["some-unknown".into()],
-            mode: ExecutionMode::Shell,
-            stdout_stream: None,
-            use_shell_profile: false,
-        };
-        let otel_event_manager = ctx.client.get_otel_event_manager();
-        let decision = select_sandbox(
-            &request,
-            AskForApproval::OnFailure,
-            Default::default(),
-            &cfg,
-            &session,
-            "sub",
-            "call",
-            &otel_event_manager,
-        )
-        .await
-        .expect("ok");
-        // On macOS/Linux we should have a platform sandbox and escalate on failure
-        assert_ne!(decision.initial_sandbox, SandboxType::None);
-        assert_eq!(decision.escalate_on_failure, true);
-    }
-}
--- a/codex-rs/core/src/features.rs
+++ b/codex-rs/core/src/features.rs
@@ -41,6 +41,8 @@ pub enum Feature {
    ViewImageTool,
    /// Allow the model to request web searches.
    WebSearchRequest,
+    /// Automatically approve all approval requests from the harness.
+    ApproveAll,
 }

 impl Feature {
@@ -247,4 +249,10 @@ pub const FEATURES: &[FeatureSpec] = &[
        stage: Stage::Stable,
        default_enabled: false,
    },
+    FeatureSpec {
+        id: Feature::ApproveAll,
+        key: "approve_all",
+        stage: Stage::Experimental,
+        default_enabled: false,
+    },
 ];
--- a/codex-rs/core/src/function_tool.rs
+++ b/codex-rs/core/src/function_tool.rs
@@ -4,6 +4,9 @@ use thiserror::Error;
 pub enum FunctionCallError {
    #[error("{0}")]
    RespondToModel(String),
+    #[error("{0}")]
+    #[allow(dead_code)] // TODO(jif) fix in a follow-up PR
+    Denied(String),
    #[error("LocalShellCall without call_id or id")]
    MissingLocalShellCallId,
    #[error("Fatal error: {0}")]
--- a/codex-rs/core/src/landlock.rs
+++ b/codex-rs/core/src/landlock.rs
@@ -40,7 +40,7 @@ where
 }

 /// Converts the sandbox policy into the CLI invocation for `codex-linux-sandbox`.
-fn create_linux_sandbox_command_args(
+pub(crate) fn create_linux_sandbox_command_args(
    command: Vec<String>,
    sandbox_policy: &SandboxPolicy,
    sandbox_policy_cwd: &Path,
@@ -56,7 +56,9 @@ fn create_linux_sandbox_command_args(
        serde_json::to_string(sandbox_policy).expect("Failed to serialize SandboxPolicy to JSON");

    let mut linux_cmd: Vec<String> = vec![
+        "--sandbox-policy-cwd".to_string(),
        sandbox_policy_cwd,
+        "--sandbox-policy".to_string(),
        sandbox_policy_json,
        // Separator so that command arguments starting with `-` are not parsed as
        // options of the helper itself.
--- a/codex-rs/core/src/lib.rs
+++ b/codex-rs/core/src/lib.rs
@@ -13,7 +13,6 @@ mod client;
 mod client_common;
 pub mod codex;
 mod codex_conversation;
-pub mod token_data;
 pub use codex_conversation::CodexConversation;
 mod command_safety;
 pub mod config;
@@ -26,9 +25,7 @@ pub mod custom_prompts;
 mod environment_context;
 pub mod error;
 pub mod exec;
-mod exec_command;
 pub mod exec_env;
-pub mod executor;
 pub mod features;
 mod flags;
 pub mod git_info;
@@ -39,6 +36,8 @@ mod mcp_tool_call;
 mod message_history;
 mod model_provider_info;
 pub mod parse_command;
+pub mod sandboxing;
+pub mod token_data;
 mod truncate;
 mod unified_exec;
 mod user_instructions;
@@ -59,7 +58,6 @@ pub use auth::CodexAuth;
 pub mod default_client;
 pub mod model_family;
 mod openai_model_info;
-mod openai_tools;
 pub mod project_doc;
 mod rollout;
 pub(crate) mod safety;
@@ -107,5 +105,4 @@ pub use codex_protocol::models::LocalShellExecAction;
 pub use codex_protocol::models::LocalShellStatus;
 pub use codex_protocol::models::ReasoningItemContent;
 pub use codex_protocol::models::ResponseItem;
-
 pub mod otel_init;
--- a/codex-rs/core/src/mcp/auth.rs
+++ b/codex-rs/core/src/mcp/auth.rs
@@ -45,11 +45,15 @@ async fn compute_auth_status(
        McpServerTransportConfig::StreamableHttp {
            url,
            bearer_token_env_var,
+            http_headers,
+            env_http_headers,
        } => {
            determine_streamable_http_auth_status(
                server_name,
                url,
                bearer_token_env_var.as_deref(),
+                http_headers.clone(),
+                env_http_headers.clone(),
                store_mode,
            )
            .await
--- a/codex-rs/core/src/mcp_connection_manager.rs
+++ b/codex-rs/core/src/mcp_connection_manager.rs
@@ -10,6 +10,7 @@ use std::collections::HashMap;
 use std::collections::HashSet;
 use std::env;
 use std::ffi::OsString;
+use std::path::PathBuf;
 use std::sync::Arc;
 use std::time::Duration;

@@ -21,6 +22,14 @@ use codex_rmcp_client::OAuthCredentialsStoreMode;
 use codex_rmcp_client::RmcpClient;
 use mcp_types::ClientCapabilities;
 use mcp_types::Implementation;
+use mcp_types::ListResourceTemplatesRequestParams;
+use mcp_types::ListResourceTemplatesResult;
+use mcp_types::ListResourcesRequestParams;
+use mcp_types::ListResourcesResult;
+use mcp_types::ReadResourceRequestParams;
+use mcp_types::ReadResourceResult;
+use mcp_types::Resource;
+use mcp_types::ResourceTemplate;
 use mcp_types::Tool;

 use serde_json::json;
@@ -56,8 +65,8 @@ fn qualify_tools(tools: Vec<ToolInfo>) -> HashMap<String, ToolInfo> {
    let mut qualified_tools = HashMap::new();
    for tool in tools {
        let mut qualified_name = format!(
-            "{}{}{}",
-            tool.server_name, MCP_TOOL_NAME_DELIMITER, tool.tool_name
+            "mcp{}{}{}{}",
+            MCP_TOOL_NAME_DELIMITER, tool.server_name, MCP_TOOL_NAME_DELIMITER, tool.tool_name
        );
        if qualified_name.len() > MAX_TOOL_NAME_LENGTH {
            let mut hasher = Sha1::new();
@@ -102,36 +111,51 @@ enum McpClientAdapter {
 }

 impl McpClientAdapter {
+    #[allow(clippy::too_many_arguments)]
    async fn new_stdio_client(
        use_rmcp_client: bool,
        program: OsString,
        args: Vec<OsString>,
        env: Option<HashMap<String, String>>,
+        env_vars: Vec<String>,
+        cwd: Option<PathBuf>,
        params: mcp_types::InitializeRequestParams,
        startup_timeout: Duration,
    ) -> Result<Self> {
        if use_rmcp_client {
-            let client = Arc::new(RmcpClient::new_stdio_client(program, args, env).await?);
+            let client =
+                Arc::new(RmcpClient::new_stdio_client(program, args, env, &env_vars, cwd).await?);
            client.initialize(params, Some(startup_timeout)).await?;
            Ok(McpClientAdapter::Rmcp(client))
        } else {
-            let client = Arc::new(McpClient::new_stdio_client(program, args, env).await?);
+            let client =
+                Arc::new(McpClient::new_stdio_client(program, args, env, &env_vars, cwd).await?);
            client.initialize(params, Some(startup_timeout)).await?;
            Ok(McpClientAdapter::Legacy(client))
        }
    }

+    #[allow(clippy::too_many_arguments)]
    async fn new_streamable_http_client(
        server_name: String,
        url: String,
        bearer_token: Option<String>,
+        http_headers: Option<HashMap<String, String>>,
+        env_http_headers: Option<HashMap<String, String>>,
        params: mcp_types::InitializeRequestParams,
        startup_timeout: Duration,
        store_mode: OAuthCredentialsStoreMode,
    ) -> Result<Self> {
        let client = Arc::new(
-            RmcpClient::new_streamable_http_client(&server_name, &url, bearer_token, store_mode)
-                .await?,
+            RmcpClient::new_streamable_http_client(
+                &server_name,
+                &url,
+                bearer_token,
+                http_headers,
+                env_http_headers,
+                store_mode,
+            )
+            .await?,
        );
        client.initialize(params, Some(startup_timeout)).await?;
        Ok(McpClientAdapter::Rmcp(client))
@@ -148,6 +172,47 @@ impl McpClientAdapter {
        }
    }

+    async fn list_resources(
+        &self,
+        params: Option<mcp_types::ListResourcesRequestParams>,
+        timeout: Option<Duration>,
+    ) -> Result<mcp_types::ListResourcesResult> {
+        match self {
+            McpClientAdapter::Legacy(_) => Ok(ListResourcesResult {
+                next_cursor: None,
+                resources: Vec::new(),
+            }),
+            McpClientAdapter::Rmcp(client) => client.list_resources(params, timeout).await,
+        }
+    }
+
+    async fn read_resource(
+        &self,
+        params: mcp_types::ReadResourceRequestParams,
+        timeout: Option<Duration>,
+    ) -> Result<mcp_types::ReadResourceResult> {
+        match self {
+            McpClientAdapter::Legacy(_) => Err(anyhow!(
+                "resources/read is not supported by legacy MCP clients"
+            )),
+            McpClientAdapter::Rmcp(client) => client.read_resource(params, timeout).await,
+        }
+    }
+
+    async fn list_resource_templates(
+        &self,
+        params: Option<mcp_types::ListResourceTemplatesRequestParams>,
+        timeout: Option<Duration>,
+    ) -> Result<mcp_types::ListResourceTemplatesResult> {
+        match self {
+            McpClientAdapter::Legacy(_) => Ok(ListResourceTemplatesResult {
+                next_cursor: None,
+                resource_templates: Vec::new(),
+            }),
+            McpClientAdapter::Rmcp(client) => client.list_resource_templates(params, timeout).await,
+        }
+    }
+
    async fn call_tool(
        &self,
        name: String,
@@ -246,7 +311,13 @@ impl McpConnectionManager {
                };

                let client = match transport {
-                    McpServerTransportConfig::Stdio { command, args, env } => {
+                    McpServerTransportConfig::Stdio {
+                        command,
+                        args,
+                        env,
+                        env_vars,
+                        cwd,
+                    } => {
                        let command_os: OsString = command.into();
                        let args_os: Vec<OsString> = args.into_iter().map(Into::into).collect();
                        McpClientAdapter::new_stdio_client(
@@ -254,16 +325,25 @@ impl McpConnectionManager {
                            command_os,
                            args_os,
                            env,
+                            env_vars,
+                            cwd,
                            params,
                            startup_timeout,
                        )
                        .await
                    }
-                    McpServerTransportConfig::StreamableHttp { url, .. } => {
+                    McpServerTransportConfig::StreamableHttp {
+                        url,
+                        http_headers,
+                        env_http_headers,
+                        ..
+                    } => {
                        McpClientAdapter::new_streamable_http_client(
                            server_name.clone(),
                            url,
                            resolved_bearer_token.unwrap_or_default(),
+                            http_headers,
+                            env_http_headers,
                            params,
                            startup_timeout,
                            store_mode,
@@ -318,7 +398,7 @@ impl McpConnectionManager {
        Ok((Self { clients, tools }, errors))
    }

-    /// Returns a single map that contains **all** tools. Each key is the
+    /// Returns a single map that contains all tools. Each key is the
    /// fully-qualified name for the tool.
    pub fn list_all_tools(&self) -> HashMap<String, Tool> {
        self.tools
@@ -327,6 +407,133 @@ impl McpConnectionManager {
            .collect()
    }

+    /// Returns a single map that contains all resources. Each key is the
+    /// server name and the value is a vector of resources.
+    pub async fn list_all_resources(&self) -> HashMap<String, Vec<Resource>> {
+        let mut join_set = JoinSet::new();
+
+        for (server_name, managed_client) in &self.clients {
+            let server_name_cloned = server_name.clone();
+            let client_clone = managed_client.client.clone();
+            let timeout = managed_client.tool_timeout;
+
+            join_set.spawn(async move {
+                let mut collected: Vec<Resource> = Vec::new();
+                let mut cursor: Option<String> = None;
+
+                loop {
+                    let params = cursor.as_ref().map(|next| ListResourcesRequestParams {
+                        cursor: Some(next.clone()),
+                    });
+                    let response = match client_clone.list_resources(params, timeout).await {
+                        Ok(result) => result,
+                        Err(err) => return (server_name_cloned, Err(err)),
+                    };
+
+                    collected.extend(response.resources);
+
+                    match response.next_cursor {
+                        Some(next) => {
+                            if cursor.as_ref() == Some(&next) {
+                                return (
+                                    server_name_cloned,
+                                    Err(anyhow!("resources/list returned duplicate cursor")),
+                                );
+                            }
+                            cursor = Some(next);
+                        }
+                        None => return (server_name_cloned, Ok(collected)),
+                    }
+                }
+            });
+        }
+
+        let mut aggregated: HashMap<String, Vec<Resource>> = HashMap::new();
+
+        while let Some(join_res) = join_set.join_next().await {
+            match join_res {
+                Ok((server_name, Ok(resources))) => {
+                    aggregated.insert(server_name, resources);
+                }
+                Ok((server_name, Err(err))) => {
+                    warn!("Failed to list resources for MCP server '{server_name}': {err:#}");
+                }
+                Err(err) => {
+                    warn!("Task panic when listing resources for MCP server: {err:#}");
+                }
+            }
+        }
+
+        aggregated
+    }
+
+    /// Returns a single map that contains all resource templates. Each key is the
+    /// server name and the value is a vector of resource templates.
+    pub async fn list_all_resource_templates(&self) -> HashMap<String, Vec<ResourceTemplate>> {
+        let mut join_set = JoinSet::new();
+
+        for (server_name, managed_client) in &self.clients {
+            let server_name_cloned = server_name.clone();
+            let client_clone = managed_client.client.clone();
+            let timeout = managed_client.tool_timeout;
+
+            join_set.spawn(async move {
+                let mut collected: Vec<ResourceTemplate> = Vec::new();
+                let mut cursor: Option<String> = None;
+
+                loop {
+                    let params = cursor
+                        .as_ref()
+                        .map(|next| ListResourceTemplatesRequestParams {
+                            cursor: Some(next.clone()),
+                        });
+                    let response = match client_clone.list_resource_templates(params, timeout).await
+                    {
+                        Ok(result) => result,
+                        Err(err) => return (server_name_cloned, Err(err)),
+                    };
+
+                    collected.extend(response.resource_templates);
+
+                    match response.next_cursor {
+                        Some(next) => {
+                            if cursor.as_ref() == Some(&next) {
+                                return (
+                                    server_name_cloned,
+                                    Err(anyhow!(
+                                        "resources/templates/list returned duplicate cursor"
+                                    )),
+                                );
+                            }
+                            cursor = Some(next);
+                        }
+                        None => return (server_name_cloned, Ok(collected)),
+                    }
+                }
+            });
+        }
+
+        let mut aggregated: HashMap<String, Vec<ResourceTemplate>> = HashMap::new();
+
+        while let Some(join_res) = join_set.join_next().await {
+            match join_res {
+                Ok((server_name, Ok(templates))) => {
+                    aggregated.insert(server_name, templates);
+                }
+                Ok((server_name, Err(err))) => {
+                    warn!(
+                        "Failed to list resource templates for MCP server '{server_name}': {err:#}"
+                    );
+                }
+                Err(err) => {
+                    warn!("Task panic when listing resource templates for MCP server: {err:#}");
+                }
+            }
+        }
+
+        aggregated
+    }
+
    /// Invoke the tool indicated by the (server, tool) pair.
    pub async fn call_tool(
        &self,
@@ -338,7 +545,7 @@ impl McpConnectionManager {
            .clients
            .get(server)
            .ok_or_else(|| anyhow!("unknown MCP server '{server}'"))?;
-        let client = managed.client.clone();
+        let client = &managed.client;
        let timeout = managed.tool_timeout;

        client
@@ -347,6 +554,64 @@ impl McpConnectionManager {
            .with_context(|| format!("tool call failed for `{server}/{tool}`"))
    }

+    /// List resources from the specified server.
+    pub async fn list_resources(
+        &self,
+        server: &str,
+        params: Option<ListResourcesRequestParams>,
+    ) -> Result<ListResourcesResult> {
+        let managed = self
+            .clients
+            .get(server)
+            .ok_or_else(|| anyhow!("unknown MCP server '{server}'"))?;
+        let client = managed.client.clone();
+        let timeout = managed.tool_timeout;
+
+        client
+            .list_resources(params, timeout)
+            .await
+            .with_context(|| format!("resources/list failed for `{server}`"))
+    }
+
+    /// List resource templates from the specified server.
+    pub async fn list_resource_templates(
+        &self,
+        server: &str,
+        params: Option<ListResourceTemplatesRequestParams>,
+    ) -> Result<ListResourceTemplatesResult> {
+        let managed = self
+            .clients
+            .get(server)
+            .ok_or_else(|| anyhow!("unknown MCP server '{server}'"))?;
+        let client = managed.client.clone();
+        let timeout = managed.tool_timeout;
+
+        client
+            .list_resource_templates(params, timeout)
+            .await
+            .with_context(|| format!("resources/templates/list failed for `{server}`"))
+    }
+
+    /// Read a resource from the specified server.
+    pub async fn read_resource(
+        &self,
+        server: &str,
+        params: ReadResourceRequestParams,
+    ) -> Result<ReadResourceResult> {
+        let managed = self
+            .clients
+            .get(server)
+            .ok_or_else(|| anyhow!("unknown MCP server '{server}'"))?;
+        let client = managed.client.clone();
+        let timeout = managed.tool_timeout;
+        let uri = params.uri.clone();
+
+        client
+            .read_resource(params, timeout)
+            .await
+            .with_context(|| format!("resources/read failed for `{server}` ({uri})"))
+    }
+
    pub fn parse_tool_name(&self, tool_name: &str) -> Option<(String, String)> {
        self.tools
            .get(tool_name)
@@ -382,7 +647,7 @@ fn resolve_bearer_token(
 }

 /// Query every server for its available tools and return a single map that
-/// contains **all** tools. Each key is the fully-qualified name for the tool.
+/// contains all tools. Each key is the fully-qualified name for the tool.
 async fn list_all_tools(clients: &HashMap<String, ManagedClient>) -> Result<Vec<ToolInfo>> {
    let mut join_set = JoinSet::new();

@@ -476,8 +741,8 @@ mod tests {
        let qualified_tools = qualify_tools(tools);

        assert_eq!(qualified_tools.len(), 2);
-        assert!(qualified_tools.contains_key("server1__tool1"));
-        assert!(qualified_tools.contains_key("server1__tool2"));
+        assert!(qualified_tools.contains_key("mcp__server1__tool1"));
+        assert!(qualified_tools.contains_key("mcp__server1__tool2"));
    }

    #[test]
@@ -491,7 +756,7 @@ mod tests {

        // Only the first tool should remain, the second is skipped
        assert_eq!(qualified_tools.len(), 1);
-        assert!(qualified_tools.contains_key("server1__duplicate_tool"));
+        assert!(qualified_tools.contains_key("mcp__server1__duplicate_tool"));
    }

    #[test]
@@ -519,13 +784,13 @@ mod tests {
        assert_eq!(keys[0].len(), 64);
        assert_eq!(
            keys[0],
-            "my_server__extremely_lena02e507efc5a9de88637e436690364fd4219e4ef"
+            "mcp__my_server__extremel119a2b97664e41363932dc84de21e2ff1b93b3e9"
        );

        assert_eq!(keys[1].len(), 64);
        assert_eq!(
            keys[1],
-            "my_server__yet_another_e1c3987bd9c50b826cbe1687966f79f0c602d19ca"
+            "mcp__my_server__yet_anot419a82a89325c1b477274a41f8c65ea5f3a7f341"
        );
    }
 }
--- a/codex-rs/core/src/mcp_tool_call.rs
+++ b/codex-rs/core/src/mcp_tool_call.rs
@@ -58,7 +58,10 @@ pub(crate) async fn handle_mcp_tool_call(
    let result = sess
        .call_tool(&server, &tool_name, arguments_value.clone())
        .await
-        .map_err(|e| format!("tool call error: {e}"));
+        .map_err(|e| format!("tool call error: {e:?}"));
+    if let Err(e) = &result {
+        tracing::warn!("MCP tool call error: {e:?}");
+    }
    let tool_call_end_event = EventMsg::McpToolCallEnd(McpToolCallEndEvent {
        call_id: call_id.clone(),
        invocation,
--- a/codex-rs/core/src/model_family.rs
+++ b/codex-rs/core/src/model_family.rs
@@ -48,6 +48,12 @@ pub struct ModelFamily {

    /// Names of beta tools that should be exposed to this model family.
    pub experimental_supported_tools: Vec<String>,
+
+    /// Percentage of the context window considered usable for inputs, after
+    /// reserving headroom for system prompts, tool overhead, and model output.
+    /// This is applied when computing the effective context window seen by
+    /// consumers.
+    pub effective_context_window_percent: i64,
 }

 macro_rules! model_family {
@@ -66,6 +72,7 @@ macro_rules! model_family {
            apply_patch_tool_type: None,
            base_instructions: BASE_INSTRUCTIONS.to_string(),
            experimental_supported_tools: Vec::new(),
+            effective_context_window_percent: 95,
        };
        // apply overrides
        $(
@@ -175,5 +182,6 @@ pub fn derive_default_model_family(model: &str) -> ModelFamily {
        apply_patch_tool_type: None,
        base_instructions: BASE_INSTRUCTIONS.to_string(),
        experimental_supported_tools: Vec::new(),
+        effective_context_window_percent: 95,
    }
 }
--- a/codex-rs/core/src/openai_model_info.rs
+++ b/codex-rs/core/src/openai_model_info.rs
@@ -1,5 +1,9 @@
 use crate::model_family::ModelFamily;

+// Shared constants for commonly used window/token sizes.
+pub(crate) const CONTEXT_WINDOW_272K: i64 = 272_000;
+pub(crate) const MAX_OUTPUT_TOKENS_128K: i64 = 128_000;
+
 /// Metadata about a model, particularly OpenAI models.
 /// We may want to consider including details like the pricing for
 /// input tokens, output tokens, etc., though users will need to be able to
@@ -8,10 +12,10 @@ use crate::model_family::ModelFamily;
 #[derive(Debug)]
 pub(crate) struct ModelInfo {
    /// Size of the context window in tokens. This is the maximum size of the input context.
-    pub(crate) context_window: u64,
+    pub(crate) context_window: i64,

    /// Maximum number of output tokens that can be generated for the model.
-    pub(crate) max_output_tokens: u64,
+    pub(crate) max_output_tokens: i64,

    /// Token threshold where we should automatically compact conversation history. This considers
    /// input tokens + output tokens of this turn.
@@ -19,13 +23,17 @@ pub(crate) struct ModelInfo {
 }

 impl ModelInfo {
-    const fn new(context_window: u64, max_output_tokens: u64) -> Self {
+    const fn new(context_window: i64, max_output_tokens: i64) -> Self {
        Self {
            context_window,
            max_output_tokens,
-            auto_compact_token_limit: None,
+            auto_compact_token_limit: Some(Self::default_auto_compact_limit(context_window)),
        }
    }
+
+    const fn default_auto_compact_limit(context_window: i64) -> i64 {
+        (context_window * 9) / 10
+    }
 }

 pub(crate) fn get_model_info(model_family: &ModelFamily) -> Option<ModelInfo> {
@@ -62,15 +70,17 @@ pub(crate) fn get_model_info(model_family: &ModelFamily) -> Option<ModelInfo> {
        // https://platform.openai.com/docs/models/gpt-3.5-turbo
        "gpt-3.5-turbo" => Some(ModelInfo::new(16_385, 4_096)),

-        _ if slug.starts_with("gpt-5-codex") => Some(ModelInfo {
-            context_window: 272_000,
-            max_output_tokens: 128_000,
-            auto_compact_token_limit: Some(350_000),
-        }),
+        _ if slug.starts_with("gpt-5-codex") => {
+            Some(ModelInfo::new(CONTEXT_WINDOW_272K, MAX_OUTPUT_TOKENS_128K))
+        }

-        _ if slug.starts_with("gpt-5") => Some(ModelInfo::new(272_000, 128_000)),
+        _ if slug.starts_with("gpt-5") => {
+            Some(ModelInfo::new(CONTEXT_WINDOW_272K, MAX_OUTPUT_TOKENS_128K))
+        }

-        _ if slug.starts_with("codex-") => Some(ModelInfo::new(272_000, 128_000)),
+        _ if slug.starts_with("codex-") => {
+            Some(ModelInfo::new(CONTEXT_WINDOW_272K, MAX_OUTPUT_TOKENS_128K))
+        }

        _ => None,
    }
--- a/codex-rs/core/src/openai_tools.rs
+++ b/codex-rs/core/src/openai_tools.rs
@@ -1 +0,0 @@
-pub use crate::tools::spec::*;
--- a/codex-rs/core/src/parse_command.rs
+++ b/codex-rs/core/src/parse_command.rs
@@ -1,43 +1,9 @@
 use crate::bash::try_parse_bash;
 use crate::bash::try_parse_word_only_commands_sequence;
-use serde::Deserialize;
-use serde::Serialize;
+use codex_protocol::parse_command::ParsedCommand;
 use shlex::split as shlex_split;
 use shlex::try_join as shlex_try_join;
-
-#[derive(Debug, Clone, PartialEq, Eq, Deserialize, Serialize)]
-pub enum ParsedCommand {
-    Read {
-        cmd: String,
-        name: String,
-    },
-    ListFiles {
-        cmd: String,
-        path: Option<String>,
-    },
-    Search {
-        cmd: String,
-        query: Option<String>,
-        path: Option<String>,
-    },
-    Unknown {
-        cmd: String,
-    },
-}
-
-// Convert core's parsed command enum into the protocol's simplified type so
-// events can carry the canonical representation across process boundaries.
-impl From<ParsedCommand> for codex_protocol::parse_command::ParsedCommand {
-    fn from(v: ParsedCommand) -> Self {
-        use codex_protocol::parse_command::ParsedCommand as P;
-        match v {
-            ParsedCommand::Read { cmd, name } => P::Read { cmd, name },
-            ParsedCommand::ListFiles { cmd, path } => P::ListFiles { cmd, path },
-            ParsedCommand::Search { cmd, query, path } => P::Search { cmd, query, path },
-            ParsedCommand::Unknown { cmd } => P::Unknown { cmd },
-        }
-    }
-}
+use std::path::PathBuf;

 fn shlex_join(tokens: &[String]) -> String {
    shlex_try_join(tokens.iter().map(String::as_str))
@@ -72,6 +38,7 @@ pub fn parse_command(command: &[String]) -> Vec<ParsedCommand> {
 /// Tests are at the top to encourage using TDD + Codex to fix the implementation.
 mod tests {
    use super::*;
+    use std::path::PathBuf;
    use std::string::ToString;

    fn shlex_split_safe(s: &str) -> Vec<String> {
@@ -221,6 +188,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: inner.to_string(),
                name: "README.md".to_string(),
+                path: PathBuf::from("webview/README.md"),
            }],
        );
    }
@@ -232,6 +200,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: "cat foo.txt".to_string(),
                name: "foo.txt".to_string(),
+                path: PathBuf::from("foo/foo.txt"),
            }],
        );
    }
@@ -254,6 +223,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: "cat foo.txt".to_string(),
                name: "foo.txt".to_string(),
+                path: PathBuf::from("foo/foo.txt"),
            }],
        );
    }
@@ -278,6 +248,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: inner.to_string(),
                name: "Cargo.toml".to_string(),
+                path: PathBuf::from("Cargo.toml"),
            }],
        );
    }
@@ -290,6 +261,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: inner.to_string(),
                name: "Cargo.toml".to_string(),
+                path: PathBuf::from("tui/Cargo.toml"),
            }],
        );
    }
@@ -302,6 +274,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: inner.to_string(),
                name: "README.md".to_string(),
+                path: PathBuf::from("README.md"),
            }],
        );
    }
@@ -315,6 +288,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: inner.to_string(),
                name: "README.md".to_string(),
+                path: PathBuf::from("README.md"),
            }]
        );
    }
@@ -484,6 +458,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: inner.to_string(),
                name: "parse_command.rs".to_string(),
+                path: PathBuf::from("core/src/parse_command.rs"),
            }],
        );
    }
@@ -496,6 +471,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: inner.to_string(),
                name: "history_cell.rs".to_string(),
+                path: PathBuf::from("tui/src/history_cell.rs"),
            }],
        );
    }
@@ -509,6 +485,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: "cat -- ansi-escape/Cargo.toml".to_string(),
                name: "Cargo.toml".to_string(),
+                path: PathBuf::from("ansi-escape/Cargo.toml"),
            }],
        );
    }
@@ -538,6 +515,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: "sed -n '260,640p' exec/src/event_processor_with_human_output.rs".to_string(),
                name: "event_processor_with_human_output.rs".to_string(),
+                path: PathBuf::from("exec/src/event_processor_with_human_output.rs"),
            }],
        );
    }
@@ -697,6 +675,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: r#"cat "pkg\\src\\main.rs""#.to_string(),
                name: "main.rs".to_string(),
+                path: PathBuf::from(r#"pkg\src\main.rs"#),
            }],
        );
    }
@@ -708,6 +687,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: "head -n50 Cargo.toml".to_string(),
                name: "Cargo.toml".to_string(),
+                path: PathBuf::from("Cargo.toml"),
            }],
        );
    }
@@ -738,6 +718,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: "tail -n+10 README.md".to_string(),
                name: "README.md".to_string(),
+                path: PathBuf::from("README.md"),
            }],
        );
    }
@@ -774,6 +755,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: "cat -- ./-strange-file-name".to_string(),
                name: "-strange-file-name".to_string(),
+                path: PathBuf::from("./-strange-file-name"),
            }],
        );

@@ -783,6 +765,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: "sed -n '12,20p' Cargo.toml".to_string(),
                name: "Cargo.toml".to_string(),
+                path: PathBuf::from("Cargo.toml"),
            }],
        );
    }
@@ -875,11 +858,39 @@ pub fn parse_command_impl(command: &[String]) -> Vec<ParsedCommand> {
    // Preserve left-to-right execution order for all commands, including bash -c/-lc
    // so summaries reflect the order they will run.

-    // Map each pipeline segment to its parsed summary.
-    let mut commands: Vec<ParsedCommand> = parts
-        .iter()
-        .map(|tokens| summarize_main_tokens(tokens))
-        .collect();
+    // Map each pipeline segment to its parsed summary, tracking `cd` to compute paths.
+    let mut commands: Vec<ParsedCommand> = Vec::new();
+    let mut cwd: Option<String> = None;
+    for tokens in &parts {
+        if let Some((head, tail)) = tokens.split_first()
+            && head == "cd"
+        {
+            if let Some(dir) = tail.first() {
+                cwd = Some(match &cwd {
+                    Some(base) => join_paths(base, dir),
+                    None => dir.clone(),
+                });
+            }
+            continue;
+        }
+        let parsed = summarize_main_tokens(tokens);
+        let parsed = match parsed {
+            ParsedCommand::Read { cmd, name, path } => {
+                if let Some(base) = &cwd {
+                    let full = join_paths(base, &path.to_string_lossy());
+                    ParsedCommand::Read {
+                        cmd,
+                        name,
+                        path: PathBuf::from(full),
+                    }
+                } else {
+                    ParsedCommand::Read { cmd, name, path }
+                }
+            }
+            other => other,
+        };
+        commands.push(parsed);
+    }

    while let Some(next) = simplify_once(&commands) {
        commands = next;
@@ -1164,10 +1175,39 @@ fn parse_bash_lc_commands(original: &[String]) -> Option<Vec<ParsedCommand>> {
                cmd: script.clone(),
            }]);
        }
-        let mut commands: Vec<ParsedCommand> = filtered_commands
-            .into_iter()
-            .map(|tokens| summarize_main_tokens(&tokens))
-            .collect();
+        // Build parsed commands, tracking `cd` segments to compute effective file paths.
+        let mut commands: Vec<ParsedCommand> = Vec::new();
+        let mut cwd: Option<String> = None;
+        for tokens in filtered_commands.into_iter() {
+            if let Some((head, tail)) = tokens.split_first()
+                && head == "cd"
+            {
+                if let Some(dir) = tail.first() {
+                    cwd = Some(match &cwd {
+                        Some(base) => join_paths(base, dir),
+                        None => dir.clone(),
+                    });
+                }
+                continue;
+            }
+            let parsed = summarize_main_tokens(&tokens);
+            let parsed = match parsed {
+                ParsedCommand::Read { cmd, name, path } => {
+                    if let Some(base) = &cwd {
+                        let full = join_paths(base, &path.to_string_lossy());
+                        ParsedCommand::Read {
+                            cmd,
+                            name,
+                            path: PathBuf::from(full),
+                        }
+                    } else {
+                        ParsedCommand::Read { cmd, name, path }
+                    }
+                }
+                other => other,
+            };
+            commands.push(parsed);
+        }
        if commands.len() > 1 {
            commands.retain(|pc| !matches!(pc, ParsedCommand::Unknown { cmd } if cmd == "true"));
            // Apply the same simplifications used for non-bash parsing, e.g., drop leading `cd`.
@@ -1187,7 +1227,7 @@ fn parse_bash_lc_commands(original: &[String]) -> Option<Vec<ParsedCommand>> {
            commands = commands
                .into_iter()
                .map(|pc| match pc {
-                    ParsedCommand::Read { name, cmd, .. } => {
+                    ParsedCommand::Read { name, cmd, path } => {
                        if had_connectors {
                            let has_pipe = script_tokens.iter().any(|t| t == "|");
                            let has_sed_n = script_tokens.windows(2).any(|w| {
@@ -1198,14 +1238,16 @@ fn parse_bash_lc_commands(original: &[String]) -> Option<Vec<ParsedCommand>> {
                                ParsedCommand::Read {
                                    cmd: script.clone(),
                                    name,
+                                    path,
                                }
                            } else {
-                                ParsedCommand::Read { cmd, name }
+                                ParsedCommand::Read { cmd, name, path }
                            }
                        } else {
                            ParsedCommand::Read {
                                cmd: shlex_join(&script_tokens),
                                name,
+                                path,
                            }
                        }
                    }
@@ -1370,10 +1412,12 @@ fn summarize_main_tokens(main_cmd: &[String]) -> ParsedCommand {
                tail
            };
            if effective_tail.len() == 1 {
-                let name = short_display_path(&effective_tail[0]);
+                let path = effective_tail[0].clone();
+                let name = short_display_path(&path);
                ParsedCommand::Read {
                    cmd: shlex_join(main_cmd),
                    name,
+                    path: PathBuf::from(path),
                }
            } else {
                ParsedCommand::Unknown {
@@ -1408,10 +1452,12 @@ fn summarize_main_tokens(main_cmd: &[String]) -> ParsedCommand {
                    i += 1;
                }
                if let Some(p) = candidates.into_iter().find(|p| !p.starts_with('-')) {
-                    let name = short_display_path(p);
+                    let path = p.clone();
+                    let name = short_display_path(&path);
                    return ParsedCommand::Read {
                        cmd: shlex_join(main_cmd),
                        name,
+                        path: PathBuf::from(path),
                    };
                }
            }
@@ -1450,10 +1496,12 @@ fn summarize_main_tokens(main_cmd: &[String]) -> ParsedCommand {
                    i += 1;
                }
                if let Some(p) = candidates.into_iter().find(|p| !p.starts_with('-')) {
-                    let name = short_display_path(p);
+                    let path = p.clone();
+                    let name = short_display_path(&path);
                    return ParsedCommand::Read {
                        cmd: shlex_join(main_cmd),
                        name,
+                        path: PathBuf::from(path),
                    };
                }
            }
@@ -1465,10 +1513,12 @@ fn summarize_main_tokens(main_cmd: &[String]) -> ParsedCommand {
            // Avoid treating option values as paths (e.g., nl -s "  ").
            let candidates = skip_flag_values(tail, &["-s", "-w", "-v", "-i", "-b"]);
            if let Some(p) = candidates.into_iter().find(|p| !p.starts_with('-')) {
-                let name = short_display_path(p);
+                let path = p.clone();
+                let name = short_display_path(&path);
                ParsedCommand::Read {
                    cmd: shlex_join(main_cmd),
                    name,
+                    path: PathBuf::from(path),
                }
            } else {
                ParsedCommand::Unknown {
@@ -1483,10 +1533,12 @@ fn summarize_main_tokens(main_cmd: &[String]) -> ParsedCommand {
                && is_valid_sed_n_arg(tail.get(1).map(String::as_str)) =>
        {
            if let Some(path) = tail.get(2) {
-                let name = short_display_path(path);
+                let path = path.clone();
+                let name = short_display_path(&path);
                ParsedCommand::Read {
                    cmd: shlex_join(main_cmd),
                    name,
+                    path: PathBuf::from(path),
                }
            } else {
                ParsedCommand::Unknown {
@@ -1500,3 +1552,30 @@ fn summarize_main_tokens(main_cmd: &[String]) -> ParsedCommand {
        },
    }
 }
+
+fn is_abs_like(path: &str) -> bool {
+    if std::path::Path::new(path).is_absolute() {
+        return true;
+    }
+    let mut chars = path.chars();
+    match (chars.next(), chars.next(), chars.next()) {
+        // Windows drive path like C:\
+        (Some(d), Some(':'), Some('\\')) if d.is_ascii_alphabetic() => return true,
+        // UNC path like \\server\share
+        (Some('\\'), Some('\\'), _) => return true,
+        _ => {}
+    }
+    false
+}
+
+fn join_paths(base: &str, rel: &str) -> String {
+    if is_abs_like(rel) {
+        return rel.to_string();
+    }
+    if base.is_empty() {
+        return rel.to_string();
+    }
+    let mut buf = PathBuf::from(base);
+    buf.push(rel);
+    buf.to_string_lossy().to_string()
+}
--- a/codex-rs/core/src/project_doc.rs
+++ b/codex-rs/core/src/project_doc.rs
@@ -21,6 +21,8 @@ use tracing::error;

 /// Default filename scanned for project-level docs.
 pub const DEFAULT_PROJECT_DOC_FILENAME: &str = "AGENTS.md";
+/// Preferred local override for project-level docs.
+pub const LOCAL_PROJECT_DOC_FILENAME: &str = "AGENTS.override.md";

 /// When both `Config::instructions` and the project doc are present, they will
 /// be concatenated with the following separator.
@@ -178,7 +180,8 @@ pub fn discover_project_doc_paths(config: &Config) -> std::io::Result<Vec<PathBu

 fn candidate_filenames<'a>(config: &'a Config) -> Vec<&'a str> {
    let mut names: Vec<&'a str> =
-        Vec::with_capacity(1 + config.project_doc_fallback_filenames.len());
+        Vec::with_capacity(2 + config.project_doc_fallback_filenames.len());
+    names.push(LOCAL_PROJECT_DOC_FILENAME);
    names.push(DEFAULT_PROJECT_DOC_FILENAME);
    for candidate in &config.project_doc_fallback_filenames {
        let candidate = candidate.as_str();
@@ -381,6 +384,29 @@ mod tests {
        assert_eq!(res, "root doc\n\ncrate doc");
    }

+    /// AGENTS.override.md is preferred over AGENTS.md when both are present.
+    #[tokio::test]
+    async fn agents_local_md_preferred() {
+        let tmp = tempfile::tempdir().expect("tempdir");
+        fs::write(tmp.path().join(DEFAULT_PROJECT_DOC_FILENAME), "versioned").unwrap();
+        fs::write(tmp.path().join(LOCAL_PROJECT_DOC_FILENAME), "local").unwrap();
+
+        let cfg = make_config(&tmp, 4096, None);
+
+        let res = get_user_instructions(&cfg)
+            .await
+            .expect("local doc expected");
+
+        assert_eq!(res, "local");
+
+        let discovery = discover_project_doc_paths(&cfg).expect("discover paths");
+        assert_eq!(discovery.len(), 1);
+        assert_eq!(
+            discovery[0].file_name().unwrap().to_string_lossy(),
+            LOCAL_PROJECT_DOC_FILENAME
+        );
+    }
+
    /// When AGENTS.md is absent but a configured fallback exists, the fallback is used.
    #[tokio::test]
    async fn uses_configured_fallback_when_agents_missing() {
--- a/codex-rs/core/src/safety.rs
+++ b/codex-rs/core/src/safety.rs
@@ -1,4 +1,3 @@
-use std::collections::HashSet;
 use std::path::Component;
 use std::path::Path;
 use std::path::PathBuf;
@@ -8,8 +7,6 @@ use codex_apply_patch::ApplyPatchFileChange;

 use crate::exec::SandboxType;

-use crate::command_safety::is_dangerous_command::command_might_be_dangerous;
-use crate::command_safety::is_safe_command::is_known_safe_command;
 use crate::protocol::AskForApproval;
 use crate::protocol::SandboxPolicy;

@@ -48,30 +45,29 @@ pub fn assess_patch_safety(
        }
    }

-    // Even though the patch *appears* to be constrained to writable paths, it
-    // is possible that paths in the patch are hard links to files outside the
-    // writable roots, so we should still run `apply_patch` in a sandbox in that
-    // case.
+    // Even though the patch appears to be constrained to writable paths, it is
+    // possible that paths in the patch are hard links to files outside the
+    // writable roots, so we should still run `apply_patch` in a sandbox in that case.
    if is_write_patch_constrained_to_writable_paths(action, sandbox_policy, cwd)
        || policy == AskForApproval::OnFailure
    {
-        // Only auto‑approve when we can actually enforce a sandbox. Otherwise
-        // fall back to asking the user because the patch may touch arbitrary
-        // paths outside the project.
-        match get_platform_sandbox() {
-            Some(sandbox_type) => SafetyCheck::AutoApprove {
-                sandbox_type,
+        if matches!(sandbox_policy, SandboxPolicy::DangerFullAccess) {
+            // DangerFullAccess is intended to bypass sandboxing entirely.
+            SafetyCheck::AutoApprove {
+                sandbox_type: SandboxType::None,
                user_explicitly_approved: false,
-            },
-            None if sandbox_policy == &SandboxPolicy::DangerFullAccess => {
-                // If the user has explicitly requested DangerFullAccess, then
-                // we can auto-approve even without a sandbox.
-                SafetyCheck::AutoApprove {
-                    sandbox_type: SandboxType::None,
-                    user_explicitly_approved: false,
-                }
            }
-            None => SafetyCheck::AskUser,
+        } else {
+            // Only auto‑approve when we can actually enforce a sandbox. Otherwise
+            // fall back to asking the user because the patch may touch arbitrary
+            // paths outside the project.
+            match get_platform_sandbox() {
+                Some(sandbox_type) => SafetyCheck::AutoApprove {
+                    sandbox_type,
+                    user_explicitly_approved: false,
+                },
+                None => SafetyCheck::AskUser,
+            }
        }
    } else if policy == AskForApproval::Never {
        SafetyCheck::Reject {
@@ -83,124 +79,6 @@ pub fn assess_patch_safety(
    }
 }

-/// For a command to be run _without_ a sandbox, one of the following must be
-/// true:
-///
-/// - the user has explicitly approved the command
-/// - the command is on the "known safe" list
-/// - `DangerFullAccess` was specified and `UnlessTrusted` was not
-pub fn assess_command_safety(
-    command: &[String],
-    approval_policy: AskForApproval,
-    sandbox_policy: &SandboxPolicy,
-    approved: &HashSet<Vec<String>>,
-    with_escalated_permissions: bool,
-) -> SafetyCheck {
-    // Some commands look dangerous. Even if they are run inside a sandbox,
-    // unless the user has explicitly approved them, we should ask,
-    // or reject if the approval_policy tells us not to ask.
-    if command_might_be_dangerous(command) && !approved.contains(command) {
-        if approval_policy == AskForApproval::Never {
-            return SafetyCheck::Reject {
-                reason: "dangerous command detected; rejected by user approval settings"
-                    .to_string(),
-            };
-        }
-
-        return SafetyCheck::AskUser;
-    }
-
-    // A command is "trusted" because either:
-    // - it belongs to a set of commands we consider "safe" by default, or
-    // - the user has explicitly approved the command for this session
-    //
-    // Currently, whether a command is "trusted" is a simple boolean, but we
-    // should include more metadata on this command test to indicate whether it
-    // should be run inside a sandbox or not. (This could be something the user
-    // defines as part of `execpolicy`.)
-    //
-    // For example, when `is_known_safe_command(command)` returns `true`, it
-    // would probably be fine to run the command in a sandbox, but when
-    // `approved.contains(command)` is `true`, the user may have approved it for
-    // the session _because_ they know it needs to run outside a sandbox.
-
-    if is_known_safe_command(command) || approved.contains(command) {
-        let user_explicitly_approved = approved.contains(command);
-        return SafetyCheck::AutoApprove {
-            sandbox_type: SandboxType::None,
-            user_explicitly_approved,
-        };
-    }
-
-    assess_safety_for_untrusted_command(approval_policy, sandbox_policy, with_escalated_permissions)
-}
-
-pub(crate) fn assess_safety_for_untrusted_command(
-    approval_policy: AskForApproval,
-    sandbox_policy: &SandboxPolicy,
-    with_escalated_permissions: bool,
-) -> SafetyCheck {
-    use AskForApproval::*;
-    use SandboxPolicy::*;
-
-    match (approval_policy, sandbox_policy) {
-        (UnlessTrusted, _) => {
-            // Even though the user may have opted into DangerFullAccess,
-            // they also requested that we ask for approval for untrusted
-            // commands.
-            SafetyCheck::AskUser
-        }
-        (OnFailure, DangerFullAccess)
-        | (Never, DangerFullAccess)
-        | (OnRequest, DangerFullAccess) => SafetyCheck::AutoApprove {
-            sandbox_type: SandboxType::None,
-            user_explicitly_approved: false,
-        },
-        (OnRequest, ReadOnly) | (OnRequest, WorkspaceWrite { .. }) => {
-            if with_escalated_permissions {
-                SafetyCheck::AskUser
-            } else {
-                match get_platform_sandbox() {
-                    Some(sandbox_type) => SafetyCheck::AutoApprove {
-                        sandbox_type,
-                        user_explicitly_approved: false,
-                    },
-                    // Fall back to asking since the command is untrusted and
-                    // we do not have a sandbox available
-                    None => SafetyCheck::AskUser,
-                }
-            }
-        }
-        (Never, ReadOnly)
-        | (Never, WorkspaceWrite { .. })
-        | (OnFailure, ReadOnly)
-        | (OnFailure, WorkspaceWrite { .. }) => {
-            match get_platform_sandbox() {
-                Some(sandbox_type) => SafetyCheck::AutoApprove {
-                    sandbox_type,
-                    user_explicitly_approved: false,
-                },
-                None => {
-                    if matches!(approval_policy, OnFailure) {
-                        // Since the command is not trusted, even though the
-                        // user has requested to only ask for approval on
-                        // failure, we will ask the user because no sandbox is
-                        // available.
-                        SafetyCheck::AskUser
-                    } else {
-                        // We are in non-interactive mode and lack approval, so
-                        // all we can do is reject the command.
-                        SafetyCheck::Reject {
-                            reason: "auto-rejected because command is not on trusted list"
-                                .to_string(),
-                        }
-                    }
-                }
-            }
-        }
-    }
-}
-
 pub fn get_platform_sandbox() -> Option<SandboxType> {
    if cfg!(target_os = "macos") {
        Some(SandboxType::MacosSeatbelt)
@@ -339,101 +217,4 @@ mod tests {
            &cwd,
        ));
    }
-
-    #[test]
-    fn test_request_escalated_privileges() {
-        // Should not be a trusted command
-        let command = vec!["git commit".to_string()];
-        let approval_policy = AskForApproval::OnRequest;
-        let sandbox_policy = SandboxPolicy::ReadOnly;
-        let approved: HashSet<Vec<String>> = HashSet::new();
-        let request_escalated_privileges = true;
-
-        let safety_check = assess_command_safety(
-            &command,
-            approval_policy,
-            &sandbox_policy,
-            &approved,
-            request_escalated_privileges,
-        );
-
-        assert_eq!(safety_check, SafetyCheck::AskUser);
-    }
-
-    #[test]
-    fn dangerous_command_allowed_if_explicitly_approved() {
-        let command = vec!["git".to_string(), "reset".to_string(), "--hard".to_string()];
-        let approval_policy = AskForApproval::OnRequest;
-        let sandbox_policy = SandboxPolicy::ReadOnly;
-        let mut approved: HashSet<Vec<String>> = HashSet::new();
-        approved.insert(command.clone());
-        let request_escalated_privileges = false;
-
-        let safety_check = assess_command_safety(
-            &command,
-            approval_policy,
-            &sandbox_policy,
-            &approved,
-            request_escalated_privileges,
-        );
-
-        assert_eq!(
-            safety_check,
-            SafetyCheck::AutoApprove {
-                sandbox_type: SandboxType::None,
-                user_explicitly_approved: true,
-            }
-        );
-    }
-
-    #[test]
-    fn dangerous_command_not_allowed_if_not_explicitly_approved() {
-        let command = vec!["git".to_string(), "reset".to_string(), "--hard".to_string()];
-        let approval_policy = AskForApproval::Never;
-        let sandbox_policy = SandboxPolicy::ReadOnly;
-        let approved: HashSet<Vec<String>> = HashSet::new();
-        let request_escalated_privileges = false;
-
-        let safety_check = assess_command_safety(
-            &command,
-            approval_policy,
-            &sandbox_policy,
-            &approved,
-            request_escalated_privileges,
-        );
-
-        assert_eq!(
-            safety_check,
-            SafetyCheck::Reject {
-                reason: "dangerous command detected; rejected by user approval settings"
-                    .to_string(),
-            }
-        );
-    }
-
-    #[test]
-    fn test_request_escalated_privileges_no_sandbox_fallback() {
-        let command = vec!["git".to_string(), "commit".to_string()];
-        let approval_policy = AskForApproval::OnRequest;
-        let sandbox_policy = SandboxPolicy::ReadOnly;
-        let approved: HashSet<Vec<String>> = HashSet::new();
-        let request_escalated_privileges = false;
-
-        let safety_check = assess_command_safety(
-            &command,
-            approval_policy,
-            &sandbox_policy,
-            &approved,
-            request_escalated_privileges,
-        );
-
-        let expected = match get_platform_sandbox() {
-            Some(sandbox_type) => SafetyCheck::AutoApprove {
-                sandbox_type,
-                user_explicitly_approved: false,
-            },
-            None => SafetyCheck::AskUser,
-        };
-        assert_eq!(safety_check, expected);
-    }
 }
--- a/codex-rs/core/src/sandboxing/mod.rs
+++ b/codex-rs/core/src/sandboxing/mod.rs
@@ -0,0 +1,170 @@
+/*
+Module: sandboxing
+
+Build platform wrappers and produce ExecEnv for execution. Owns low‑level
+sandbox placement and transformation of portable CommandSpec into a
+ready‑to‑spawn environment.
+*/
+use crate::exec::ExecToolCallOutput;
+use crate::exec::SandboxType;
+use crate::exec::StdoutStream;
+use crate::exec::execute_exec_env;
+use crate::landlock::create_linux_sandbox_command_args;
+use crate::protocol::SandboxPolicy;
+use crate::seatbelt::MACOS_PATH_TO_SEATBELT_EXECUTABLE;
+use crate::seatbelt::create_seatbelt_command_args;
+use crate::spawn::CODEX_SANDBOX_ENV_VAR;
+use crate::spawn::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;
+use crate::tools::sandboxing::SandboxablePreference;
+use std::collections::HashMap;
+use std::path::Path;
+use std::path::PathBuf;
+
+#[derive(Clone, Debug)]
+pub struct CommandSpec {
+    pub program: String,
+    pub args: Vec<String>,
+    pub cwd: PathBuf,
+    pub env: HashMap<String, String>,
+    pub timeout_ms: Option<u64>,
+    pub with_escalated_permissions: Option<bool>,
+    pub justification: Option<String>,
+}
+
+#[derive(Clone, Debug)]
+pub struct ExecEnv {
+    pub command: Vec<String>,
+    pub cwd: PathBuf,
+    pub env: HashMap<String, String>,
+    pub timeout_ms: Option<u64>,
+    pub sandbox: SandboxType,
+    pub with_escalated_permissions: Option<bool>,
+    pub justification: Option<String>,
+    pub arg0: Option<String>,
+}
+
+pub enum SandboxPreference {
+    Auto,
+    Require,
+    Forbid,
+}
+
+#[derive(Debug, thiserror::Error)]
+pub(crate) enum SandboxTransformError {
+    #[error("missing codex-linux-sandbox executable path")]
+    MissingLinuxSandboxExecutable,
+}
+
+#[derive(Default)]
+pub struct SandboxManager;
+
+impl SandboxManager {
+    pub fn new() -> Self {
+        Self
+    }
+
+    pub(crate) fn select_initial(
+        &self,
+        policy: &SandboxPolicy,
+        pref: SandboxablePreference,
+    ) -> SandboxType {
+        match pref {
+            SandboxablePreference::Forbid => SandboxType::None,
+            SandboxablePreference::Require => {
+                #[cfg(target_os = "macos")]
+                {
+                    return SandboxType::MacosSeatbelt;
+                }
+                #[cfg(target_os = "linux")]
+                {
+                    return SandboxType::LinuxSeccomp;
+                }
+                #[allow(unreachable_code)]
+                SandboxType::None
+            }
+            SandboxablePreference::Auto => match policy {
+                SandboxPolicy::DangerFullAccess => SandboxType::None,
+                #[cfg(target_os = "macos")]
+                _ => SandboxType::MacosSeatbelt,
+                #[cfg(target_os = "linux")]
+                _ => SandboxType::LinuxSeccomp,
+                #[cfg(not(any(target_os = "macos", target_os = "linux")))]
+                _ => SandboxType::None,
+            },
+        }
+    }
+
+    pub(crate) fn transform(
+        &self,
+        spec: &CommandSpec,
+        policy: &SandboxPolicy,
+        sandbox: SandboxType,
+        sandbox_policy_cwd: &Path,
+        codex_linux_sandbox_exe: Option<&PathBuf>,
+    ) -> Result<ExecEnv, SandboxTransformError> {
+        let mut env = spec.env.clone();
+        if !policy.has_full_network_access() {
+            env.insert(
+                CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR.to_string(),
+                "1".to_string(),
+            );
+        }
+
+        let mut command = Vec::with_capacity(1 + spec.args.len());
+        command.push(spec.program.clone());
+        command.extend(spec.args.iter().cloned());
+
+        let (command, sandbox_env, arg0_override) = match sandbox {
+            SandboxType::None => (command, HashMap::new(), None),
+            SandboxType::MacosSeatbelt => {
+                let mut seatbelt_env = HashMap::new();
+                seatbelt_env.insert(CODEX_SANDBOX_ENV_VAR.to_string(), "seatbelt".to_string());
+                let mut args =
+                    create_seatbelt_command_args(command.clone(), policy, sandbox_policy_cwd);
+                let mut full_command = Vec::with_capacity(1 + args.len());
+                full_command.push(MACOS_PATH_TO_SEATBELT_EXECUTABLE.to_string());
+                full_command.append(&mut args);
+                (full_command, seatbelt_env, None)
+            }
+            SandboxType::LinuxSeccomp => {
+                let exe = codex_linux_sandbox_exe
+                    .ok_or(SandboxTransformError::MissingLinuxSandboxExecutable)?;
+                let mut args =
+                    create_linux_sandbox_command_args(command.clone(), policy, sandbox_policy_cwd);
+                let mut full_command = Vec::with_capacity(1 + args.len());
+                full_command.push(exe.to_string_lossy().to_string());
+                full_command.append(&mut args);
+                (
+                    full_command,
+                    HashMap::new(),
+                    Some("codex-linux-sandbox".to_string()),
+                )
+            }
+        };
+
+        env.extend(sandbox_env);
+
+        Ok(ExecEnv {
+            command,
+            cwd: spec.cwd.clone(),
+            env,
+            timeout_ms: spec.timeout_ms,
+            sandbox,
+            with_escalated_permissions: spec.with_escalated_permissions,
+            justification: spec.justification.clone(),
+            arg0: arg0_override,
+        })
+    }
+
+    pub fn denied(&self, sandbox: SandboxType, out: &ExecToolCallOutput) -> bool {
+        crate::exec::is_likely_sandbox_denied(sandbox, out)
+    }
+}
+
+pub async fn execute_env(
+    env: &ExecEnv,
+    policy: &SandboxPolicy,
+    stdout_stream: Option<StdoutStream>,
+) -> crate::error::Result<ExecToolCallOutput> {
+    execute_exec_env(env.clone(), policy, stdout_stream).await
+}
--- a/codex-rs/core/src/seatbelt.rs
+++ b/codex-rs/core/src/seatbelt.rs
@@ -14,7 +14,7 @@ const MACOS_SEATBELT_BASE_POLICY: &str = include_str!("seatbelt_base_policy.sbpl
 /// to defend against an attacker trying to inject a malicious version on the
 /// PATH. If /usr/bin/sandbox-exec has been tampered with, then the attacker
 /// already has root access.
-const MACOS_PATH_TO_SEATBELT_EXECUTABLE: &str = "/usr/bin/sandbox-exec";
+pub(crate) const MACOS_PATH_TO_SEATBELT_EXECUTABLE: &str = "/usr/bin/sandbox-exec";

 pub async fn spawn_command_under_seatbelt(
    command: Vec<String>,
@@ -39,7 +39,7 @@ pub async fn spawn_command_under_seatbelt(
    .await
 }

-fn create_seatbelt_command_args(
+pub(crate) fn create_seatbelt_command_args(
    command: Vec<String>,
    sandbox_policy: &SandboxPolicy,
    sandbox_policy_cwd: &Path,
--- a/codex-rs/core/src/shell.rs
+++ b/codex-rs/core/src/shell.rs
@@ -347,6 +347,7 @@ mod tests {
                    )]),
                    with_escalated_permissions: None,
                    justification: None,
+                    arg0: None,
                },
                SandboxType::None,
                &SandboxPolicy::DangerFullAccess,
@@ -455,6 +456,7 @@ mod macos_tests {
                    )]),
                    with_escalated_permissions: None,
                    justification: None,
+                    arg0: None,
                },
                SandboxType::None,
                &SandboxPolicy::DangerFullAccess,
--- a/codex-rs/core/src/state/service.rs
+++ b/codex-rs/core/src/state/service.rs
@@ -1,18 +1,22 @@
+use std::sync::Arc;
+
+use crate::AuthManager;
 use crate::RolloutRecorder;
-use crate::exec_command::ExecSessionManager;
-use crate::executor::Executor;
 use crate::mcp_connection_manager::McpConnectionManager;
+use crate::tools::sandboxing::ApprovalStore;
 use crate::unified_exec::UnifiedExecSessionManager;
 use crate::user_notification::UserNotifier;
+use codex_otel::otel_event_manager::OtelEventManager;
 use tokio::sync::Mutex;

 pub(crate) struct SessionServices {
    pub(crate) mcp_connection_manager: McpConnectionManager,
-    pub(crate) session_manager: ExecSessionManager,
    pub(crate) unified_exec_manager: UnifiedExecSessionManager,
    pub(crate) notifier: UserNotifier,
    pub(crate) rollout: Mutex<Option<RolloutRecorder>>,
    pub(crate) user_shell: crate::shell::Shell,
    pub(crate) show_raw_agent_reasoning: bool,
-    pub(crate) executor: Executor,
+    pub(crate) auth_manager: Arc<AuthManager>,
+    pub(crate) otel_event_manager: OtelEventManager,
+    pub(crate) tool_approvals: Mutex<ApprovalStore>,
 }
--- a/codex-rs/core/src/state/session.rs
+++ b/codex-rs/core/src/state/session.rs
@@ -2,14 +2,15 @@

 use codex_protocol::models::ResponseItem;

+use crate::codex::SessionConfiguration;
 use crate::conversation_history::ConversationHistory;
 use crate::protocol::RateLimitSnapshot;
 use crate::protocol::TokenUsage;
 use crate::protocol::TokenUsageInfo;

 /// Persistent, session-scoped state previously stored directly on `Session`.
-#[derive(Default)]
 pub(crate) struct SessionState {
+    pub(crate) session_configuration: SessionConfiguration,
    pub(crate) history: ConversationHistory,
    pub(crate) token_info: Option<TokenUsageInfo>,
    pub(crate) latest_rate_limits: Option<RateLimitSnapshot>,
@@ -17,10 +18,12 @@ pub(crate) struct SessionState {

 impl SessionState {
    /// Create a new session state mirroring previous `State::default()` semantics.
-    pub(crate) fn new() -> Self {
+    pub(crate) fn new(session_configuration: SessionConfiguration) -> Self {
        Self {
+            session_configuration,
            history: ConversationHistory::new(),
-            ..Default::default()
+            token_info: None,
+            latest_rate_limits: None,
        }
    }

@@ -45,7 +48,7 @@ impl SessionState {
    pub(crate) fn update_token_info_from_usage(
        &mut self,
        usage: &TokenUsage,
-        model_context_window: Option<u64>,
+        model_context_window: Option<i64>,
    ) {
        self.token_info = TokenUsageInfo::new_or_append(
            &self.token_info,
@@ -64,7 +67,7 @@ impl SessionState {
        (self.token_info.clone(), self.latest_rate_limits.clone())
    }

-    pub(crate) fn set_token_usage_full(&mut self, context_window: u64) {
+    pub(crate) fn set_token_usage_full(&mut self, context_window: i64) {
        match &mut self.token_info {
            Some(info) => info.fill_to_context_window(context_window),
            None => {
--- a/codex-rs/core/src/state/turn.rs
+++ b/codex-rs/core/src/state/turn.rs
@@ -4,7 +4,9 @@ use indexmap::IndexMap;
 use std::collections::HashMap;
 use std::sync::Arc;
 use tokio::sync::Mutex;
-use tokio::task::AbortHandle;
+use tokio::sync::Notify;
+use tokio_util::sync::CancellationToken;
+use tokio_util::task::AbortOnDropHandle;

 use codex_protocol::models::ResponseInputItem;
 use tokio::sync::oneshot;
@@ -46,9 +48,11 @@ impl TaskKind {

 #[derive(Clone)]
 pub(crate) struct RunningTask {
-    pub(crate) handle: AbortHandle,
+    pub(crate) done: Arc<Notify>,
    pub(crate) kind: TaskKind,
    pub(crate) task: Arc<dyn SessionTask>,
+    pub(crate) cancellation_token: CancellationToken,
+    pub(crate) handle: Arc<AbortOnDropHandle<()>>,
 }

 impl ActiveTurn {
@@ -115,13 +119,6 @@ impl ActiveTurn {
        let mut ts = self.turn_state.lock().await;
        ts.clear_pending();
    }
-
-    /// Best-effort, non-blocking variant for synchronous contexts (Drop/interrupt).
-    pub(crate) fn try_clear_pending_sync(&self) {
-        if let Ok(mut ts) = self.turn_state.try_lock() {
-            ts.clear_pending();
-        }
-    }
 }

 #[cfg(test)]
--- a/codex-rs/core/src/tasks/compact.rs
+++ b/codex-rs/core/src/tasks/compact.rs
@@ -1,6 +1,7 @@
 use std::sync::Arc;

 use async_trait::async_trait;
+use tokio_util::sync::CancellationToken;

 use crate::codex::TurnContext;
 use crate::codex::compact;
@@ -25,6 +26,7 @@ impl SessionTask for CompactTask {
        ctx: Arc<TurnContext>,
        sub_id: String,
        input: Vec<InputItem>,
+        _cancellation_token: CancellationToken,
    ) -> Option<String> {
        compact::run_compact_task(session.clone_session(), ctx, sub_id, input).await
    }
--- a/codex-rs/core/src/tasks/mod.rs
+++ b/codex-rs/core/src/tasks/mod.rs
@@ -3,9 +3,15 @@ mod regular;
 mod review;

 use std::sync::Arc;
+use std::time::Duration;

 use async_trait::async_trait;
+use tokio::select;
+use tokio::sync::Notify;
+use tokio_util::sync::CancellationToken;
+use tokio_util::task::AbortOnDropHandle;
 use tracing::trace;
+use tracing::warn;

 use crate::codex::Session;
 use crate::codex::TurnContext;
@@ -23,6 +29,8 @@ pub(crate) use compact::CompactTask;
 pub(crate) use regular::RegularTask;
 pub(crate) use review::ReviewTask;

+const GRACEFULL_INTERRUPTION_TIMEOUT_MS: u64 = 100;
+
 /// Thin wrapper that exposes the parts of [`Session`] task runners need.
 #[derive(Clone)]
 pub(crate) struct SessionTaskContext {
@@ -49,6 +57,7 @@ pub(crate) trait SessionTask: Send + Sync + 'static {
        ctx: Arc<TurnContext>,
        sub_id: String,
        input: Vec<InputItem>,
+        cancellation_token: CancellationToken,
    ) -> Option<String>;

    async fn abort(&self, session: Arc<SessionTaskContext>, sub_id: &str) {
@@ -69,26 +78,42 @@ impl Session {
        let task: Arc<dyn SessionTask> = Arc::new(task);
        let task_kind = task.kind();

+        let cancellation_token = CancellationToken::new();
+        let done = Arc::new(Notify::new());
+
+        let done_clone = Arc::clone(&done);
        let handle = {
            let session_ctx = Arc::new(SessionTaskContext::new(Arc::clone(self)));
            let ctx = Arc::clone(&turn_context);
            let task_for_run = Arc::clone(&task);
            let sub_clone = sub_id.clone();
+            let task_cancellation_token = cancellation_token.child_token();
            tokio::spawn(async move {
                let last_agent_message = task_for_run
-                    .run(Arc::clone(&session_ctx), ctx, sub_clone.clone(), input)
+                    .run(
+                        Arc::clone(&session_ctx),
+                        ctx,
+                        sub_clone.clone(),
+                        input,
+                        task_cancellation_token.child_token(),
+                    )
                    .await;
-                // Emit completion uniformly from spawn site so all tasks share the same lifecycle.
-                let sess = session_ctx.clone_session();
-                sess.on_task_finished(sub_clone, last_agent_message).await;
+
+                if !task_cancellation_token.is_cancelled() {
+                    // Emit completion uniformly from spawn site so all tasks share the same lifecycle.
+                    let sess = session_ctx.clone_session();
+                    sess.on_task_finished(sub_clone, last_agent_message).await;
+                }
+                done_clone.notify_waiters();
            })
-            .abort_handle()
        };

        let running_task = RunningTask {
-            handle,
+            done,
+            handle: Arc::new(AbortOnDropHandle::new(handle)),
            kind: task_kind,
            task,
+            cancellation_token,
        };
        self.register_new_active_task(sub_id, running_task).await;
    }
@@ -143,14 +168,24 @@ impl Session {
        task: RunningTask,
        reason: TurnAbortReason,
    ) {
-        if task.handle.is_finished() {
+        if task.cancellation_token.is_cancelled() {
            return;
        }

        trace!(task_kind = ?task.kind, sub_id, "aborting running task");
+        task.cancellation_token.cancel();
        let session_task = task.task;
-        let handle = task.handle;
-        handle.abort();
+
+        select! {
+            _ = task.done.notified() => {
+            },
+            _ = tokio::time::sleep(Duration::from_millis(GRACEFULL_INTERRUPTION_TIMEOUT_MS)) => {
+                warn!("task {sub_id} didn't complete gracefully after {}ms", GRACEFULL_INTERRUPTION_TIMEOUT_MS);
+            }
+        }
+
+        task.handle.abort();
+
        let session_ctx = Arc::new(SessionTaskContext::new(Arc::clone(self)));
        session_task.abort(session_ctx, &sub_id).await;

--- a/codex-rs/core/src/tasks/regular.rs
+++ b/codex-rs/core/src/tasks/regular.rs
@@ -1,6 +1,7 @@
 use std::sync::Arc;

 use async_trait::async_trait;
+use tokio_util::sync::CancellationToken;

 use crate::codex::TurnContext;
 use crate::codex::run_task;
@@ -25,8 +26,17 @@ impl SessionTask for RegularTask {
        ctx: Arc<TurnContext>,
        sub_id: String,
        input: Vec<InputItem>,
+        cancellation_token: CancellationToken,
    ) -> Option<String> {
        let sess = session.clone_session();
-        run_task(sess, ctx, sub_id, input, TaskKind::Regular).await
+        run_task(
+            sess,
+            ctx,
+            sub_id,
+            input,
+            TaskKind::Regular,
+            cancellation_token,
+        )
+        .await
    }
 }
--- a/codex-rs/core/src/tasks/review.rs
+++ b/codex-rs/core/src/tasks/review.rs
@@ -1,6 +1,7 @@
 use std::sync::Arc;

 use async_trait::async_trait;
+use tokio_util::sync::CancellationToken;

 use crate::codex::TurnContext;
 use crate::codex::exit_review_mode;
@@ -26,9 +27,18 @@ impl SessionTask for ReviewTask {
        ctx: Arc<TurnContext>,
        sub_id: String,
        input: Vec<InputItem>,
+        cancellation_token: CancellationToken,
    ) -> Option<String> {
        let sess = session.clone_session();
-        run_task(sess, ctx, sub_id, input, TaskKind::Review).await
+        run_task(
+            sess,
+            ctx,
+            sub_id,
+            input,
+            TaskKind::Review,
+            cancellation_token,
+        )
+        .await
    }

    async fn abort(&self, session: Arc<SessionTaskContext>, sub_id: &str) {
--- a/codex-rs/core/src/token_data.rs
+++ b/codex-rs/core/src/token_data.rs
@@ -28,6 +28,8 @@ pub struct IdTokenInfo {
    /// (e.g., "free", "plus", "pro", "business", "enterprise", "edu").
    /// (Note: values may vary by backend.)
    pub(crate) chatgpt_plan_type: Option<PlanType>,
+    /// Organization/workspace identifier associated with the token, if present.
+    pub chatgpt_account_id: Option<String>,
    pub raw_jwt: String,
 }

@@ -71,6 +73,8 @@ struct IdClaims {
 struct AuthClaims {
    #[serde(default)]
    chatgpt_plan_type: Option<PlanType>,
+    #[serde(default)]
+    chatgpt_account_id: Option<String>,
 }

 #[derive(Debug, Error)]
@@ -94,11 +98,20 @@ pub fn parse_id_token(id_token: &str) -> Result<IdTokenInfo, IdTokenInfoError> {
    let payload_bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(payload_b64)?;
    let claims: IdClaims = serde_json::from_slice(&payload_bytes)?;

-    Ok(IdTokenInfo {
-        email: claims.email,
-        chatgpt_plan_type: claims.auth.and_then(|a| a.chatgpt_plan_type),
-        raw_jwt: id_token.to_string(),
-    })
+    match claims.auth {
+        Some(auth) => Ok(IdTokenInfo {
+            email: claims.email,
+            raw_jwt: id_token.to_string(),
+            chatgpt_plan_type: auth.chatgpt_plan_type,
+            chatgpt_account_id: auth.chatgpt_account_id,
+        }),
+        None => Ok(IdTokenInfo {
+            email: claims.email,
+            raw_jwt: id_token.to_string(),
+            chatgpt_plan_type: None,
+            chatgpt_account_id: None,
+        }),
+    }
 }

 fn deserialize_id_token<'de, D>(deserializer: D) -> Result<IdTokenInfo, D::Error>
--- a/codex-rs/core/src/tools/context.rs
+++ b/codex-rs/core/src/tools/context.rs
@@ -232,6 +232,7 @@ mod tests {
 }

 #[derive(Clone, Debug)]
+#[allow(dead_code)]
 pub(crate) struct ExecCommandContext {
    pub(crate) sub_id: String,
    pub(crate) call_id: String,
@@ -243,6 +244,7 @@ pub(crate) struct ExecCommandContext {
 }

 #[derive(Clone, Debug)]
+#[allow(dead_code)]
 pub(crate) struct ApplyPatchCommandContext {
    pub(crate) user_explicitly_approved_this_action: bool,
    pub(crate) changes: HashMap<PathBuf, FileChange>,
--- a/codex-rs/core/src/tools/events.rs
+++ b/codex-rs/core/src/tools/events.rs
@@ -0,0 +1,235 @@
+use crate::codex::Session;
+use crate::exec::ExecToolCallOutput;
+use crate::parse_command::parse_command;
+use crate::protocol::Event;
+use crate::protocol::EventMsg;
+use crate::protocol::ExecCommandBeginEvent;
+use crate::protocol::ExecCommandEndEvent;
+use crate::protocol::FileChange;
+use crate::protocol::PatchApplyBeginEvent;
+use crate::protocol::PatchApplyEndEvent;
+use crate::protocol::TurnDiffEvent;
+use crate::tools::context::SharedTurnDiffTracker;
+use std::collections::HashMap;
+use std::path::PathBuf;
+use std::time::Duration;
+
+use super::format_exec_output;
+use super::format_exec_output_str;
+
+#[derive(Clone, Copy)]
+pub(crate) struct ToolEventCtx<'a> {
+    pub session: &'a Session,
+    pub sub_id: &'a str,
+    pub call_id: &'a str,
+    pub turn_diff_tracker: Option<&'a SharedTurnDiffTracker>,
+}
+
+impl<'a> ToolEventCtx<'a> {
+    pub fn new(
+        session: &'a Session,
+        sub_id: &'a str,
+        call_id: &'a str,
+        turn_diff_tracker: Option<&'a SharedTurnDiffTracker>,
+    ) -> Self {
+        Self {
+            session,
+            sub_id,
+            call_id,
+            turn_diff_tracker,
+        }
+    }
+}
+
+pub(crate) enum ToolEventStage {
+    Begin,
+    Success(ExecToolCallOutput),
+    Failure(ToolEventFailure),
+}
+
+pub(crate) enum ToolEventFailure {
+    Output(ExecToolCallOutput),
+    Message(String),
+}
+// Concrete, allocation-free emitter: avoid trait objects and boxed futures.
+pub(crate) enum ToolEmitter {
+    Shell {
+        command: Vec<String>,
+        cwd: PathBuf,
+    },
+    ApplyPatch {
+        changes: HashMap<PathBuf, FileChange>,
+        auto_approved: bool,
+    },
+}
+
+impl ToolEmitter {
+    pub fn shell(command: Vec<String>, cwd: PathBuf) -> Self {
+        Self::Shell { command, cwd }
+    }
+
+    pub fn apply_patch(changes: HashMap<PathBuf, FileChange>, auto_approved: bool) -> Self {
+        Self::ApplyPatch {
+            changes,
+            auto_approved,
+        }
+    }
+
+    pub async fn emit(&self, ctx: ToolEventCtx<'_>, stage: ToolEventStage) {
+        match (self, stage) {
+            (Self::Shell { command, cwd }, ToolEventStage::Begin) => {
+                ctx.session
+                    .send_event(Event {
+                        id: ctx.sub_id.to_string(),
+                        msg: EventMsg::ExecCommandBegin(ExecCommandBeginEvent {
+                            call_id: ctx.call_id.to_string(),
+                            command: command.clone(),
+                            cwd: cwd.clone(),
+                            parsed_cmd: parse_command(command),
+                        }),
+                    })
+                    .await;
+            }
+            (Self::Shell { .. }, ToolEventStage::Success(output)) => {
+                emit_exec_end(
+                    ctx,
+                    output.stdout.text.clone(),
+                    output.stderr.text.clone(),
+                    output.aggregated_output.text.clone(),
+                    output.exit_code,
+                    output.duration,
+                    format_exec_output_str(&output),
+                )
+                .await;
+            }
+            (Self::Shell { .. }, ToolEventStage::Failure(ToolEventFailure::Output(output))) => {
+                emit_exec_end(
+                    ctx,
+                    output.stdout.text.clone(),
+                    output.stderr.text.clone(),
+                    output.aggregated_output.text.clone(),
+                    output.exit_code,
+                    output.duration,
+                    format_exec_output_str(&output),
+                )
+                .await;
+            }
+            (Self::Shell { .. }, ToolEventStage::Failure(ToolEventFailure::Message(message))) => {
+                emit_exec_end(
+                    ctx,
+                    String::new(),
+                    (*message).to_string(),
+                    (*message).to_string(),
+                    -1,
+                    Duration::ZERO,
+                    format_exec_output(&message),
+                )
+                .await;
+            }
+
+            (
+                Self::ApplyPatch {
+                    changes,
+                    auto_approved,
+                },
+                ToolEventStage::Begin,
+            ) => {
+                if let Some(tracker) = ctx.turn_diff_tracker {
+                    let mut guard = tracker.lock().await;
+                    guard.on_patch_begin(changes);
+                }
+                ctx.session
+                    .send_event(Event {
+                        id: ctx.sub_id.to_string(),
+                        msg: EventMsg::PatchApplyBegin(PatchApplyBeginEvent {
+                            call_id: ctx.call_id.to_string(),
+                            auto_approved: *auto_approved,
+                            changes: changes.clone(),
+                        }),
+                    })
+                    .await;
+            }
+            (Self::ApplyPatch { .. }, ToolEventStage::Success(output)) => {
+                emit_patch_end(
+                    ctx,
+                    output.stdout.text.clone(),
+                    output.stderr.text.clone(),
+                    output.exit_code == 0,
+                )
+                .await;
+            }
+            (
+                Self::ApplyPatch { .. },
+                ToolEventStage::Failure(ToolEventFailure::Output(output)),
+            ) => {
+                emit_patch_end(
+                    ctx,
+                    output.stdout.text.clone(),
+                    output.stderr.text.clone(),
+                    output.exit_code == 0,
+                )
+                .await;
+            }
+            (
+                Self::ApplyPatch { .. },
+                ToolEventStage::Failure(ToolEventFailure::Message(message)),
+            ) => {
+                emit_patch_end(ctx, String::new(), (*message).to_string(), false).await;
+            }
+        }
+    }
+}
+
+async fn emit_exec_end(
+    ctx: ToolEventCtx<'_>,
+    stdout: String,
+    stderr: String,
+    aggregated_output: String,
+    exit_code: i32,
+    duration: Duration,
+    formatted_output: String,
+) {
+    ctx.session
+        .send_event(Event {
+            id: ctx.sub_id.to_string(),
+            msg: EventMsg::ExecCommandEnd(ExecCommandEndEvent {
+                call_id: ctx.call_id.to_string(),
+                stdout,
+                stderr,
+                aggregated_output,
+                exit_code,
+                duration,
+                formatted_output,
+            }),
+        })
+        .await;
+}
+
+async fn emit_patch_end(ctx: ToolEventCtx<'_>, stdout: String, stderr: String, success: bool) {
+    ctx.session
+        .send_event(Event {
+            id: ctx.sub_id.to_string(),
+            msg: EventMsg::PatchApplyEnd(PatchApplyEndEvent {
+                call_id: ctx.call_id.to_string(),
+                stdout,
+                stderr,
+                success,
+            }),
+        })
+        .await;
+
+    if let Some(tracker) = ctx.turn_diff_tracker {
+        let unified_diff = {
+            let mut guard = tracker.lock().await;
+            guard.get_unified_diff()
+        };
+        if let Ok(Some(unified_diff)) = unified_diff {
+            ctx.session
+                .send_event(Event {
+                    id: ctx.sub_id.to_string(),
+                    msg: EventMsg::TurnDiff(TurnDiffEvent { unified_diff }),
+                })
+                .await;
+        }
+    }
+}
--- a/codex-rs/core/src/tools/handlers/apply_patch.rs
+++ b/codex-rs/core/src/tools/handlers/apply_patch.rs
@@ -8,7 +8,6 @@ use crate::client_common::tools::ResponsesApiTool;
 use crate::client_common::tools::ToolSpec;
 use crate::exec::ExecParams;
 use crate::function_tool::FunctionCallError;
-use crate::openai_tools::JsonSchema;
 use crate::tools::context::ToolInvocation;
 use crate::tools::context::ToolOutput;
 use crate::tools::context::ToolPayload;
@@ -16,6 +15,7 @@ use crate::tools::handle_container_exec_with_params;
 use crate::tools::registry::ToolHandler;
 use crate::tools::registry::ToolKind;
 use crate::tools::spec::ApplyPatchToolArgs;
+use crate::tools::spec::JsonSchema;
 use async_trait::async_trait;
 use serde::Deserialize;
 use serde::Serialize;
@@ -72,6 +72,7 @@ impl ToolHandler for ApplyPatchHandler {
            env: HashMap::new(),
            with_escalated_permissions: None,
            justification: None,
+            arg0: None,
        };

        let content = handle_container_exec_with_params(
--- a/codex-rs/core/src/tools/handlers/exec_stream.rs
+++ b/codex-rs/core/src/tools/handlers/exec_stream.rs
@@ -1,68 +0,0 @@
-use async_trait::async_trait;
-
-use crate::exec_command::EXEC_COMMAND_TOOL_NAME;
-use crate::exec_command::ExecCommandParams;
-use crate::exec_command::WRITE_STDIN_TOOL_NAME;
-use crate::exec_command::WriteStdinParams;
-use crate::function_tool::FunctionCallError;
-use crate::tools::context::ToolInvocation;
-use crate::tools::context::ToolOutput;
-use crate::tools::context::ToolPayload;
-use crate::tools::registry::ToolHandler;
-use crate::tools::registry::ToolKind;
-
-pub struct ExecStreamHandler;
-
-#[async_trait]
-impl ToolHandler for ExecStreamHandler {
-    fn kind(&self) -> ToolKind {
-        ToolKind::Function
-    }
-
-    async fn handle(&self, invocation: ToolInvocation) -> Result<ToolOutput, FunctionCallError> {
-        let ToolInvocation {
-            session,
-            tool_name,
-            payload,
-            ..
-        } = invocation;
-
-        let arguments = match payload {
-            ToolPayload::Function { arguments } => arguments,
-            _ => {
-                return Err(FunctionCallError::RespondToModel(
-                    "exec_stream handler received unsupported payload".to_string(),
-                ));
-            }
-        };
-
-        let content = match tool_name.as_str() {
-            EXEC_COMMAND_TOOL_NAME => {
-                let params: ExecCommandParams = serde_json::from_str(&arguments).map_err(|e| {
-                    FunctionCallError::RespondToModel(format!(
-                        "failed to parse function arguments: {e:?}"
-                    ))
-                })?;
-                session.handle_exec_command_tool(params).await?
-            }
-            WRITE_STDIN_TOOL_NAME => {
-                let params: WriteStdinParams = serde_json::from_str(&arguments).map_err(|e| {
-                    FunctionCallError::RespondToModel(format!(
-                        "failed to parse function arguments: {e:?}"
-                    ))
-                })?;
-                session.handle_write_stdin_tool(params).await?
-            }
-            _ => {
-                return Err(FunctionCallError::RespondToModel(format!(
-                    "exec_stream handler does not support tool {tool_name}"
-                )));
-            }
-        };
-
-        Ok(ToolOutput::Function {
-            content,
-            success: Some(true),
-        })
-    }
-}
--- a/codex-rs/core/src/tools/handlers/mcp_resource.rs
+++ b/codex-rs/core/src/tools/handlers/mcp_resource.rs
@@ -0,0 +1,773 @@
+use std::collections::HashMap;
+use std::sync::Arc;
+use std::time::Duration;
+use std::time::Instant;
+
+use async_trait::async_trait;
+use mcp_types::CallToolResult;
+use mcp_types::ContentBlock;
+use mcp_types::ListResourceTemplatesRequestParams;
+use mcp_types::ListResourceTemplatesResult;
+use mcp_types::ListResourcesRequestParams;
+use mcp_types::ListResourcesResult;
+use mcp_types::ReadResourceRequestParams;
+use mcp_types::ReadResourceResult;
+use mcp_types::Resource;
+use mcp_types::ResourceTemplate;
+use mcp_types::TextContent;
+use serde::Deserialize;
+use serde::Serialize;
+use serde::de::DeserializeOwned;
+use serde_json::Value;
+
+use crate::codex::Session;
+use crate::function_tool::FunctionCallError;
+use crate::protocol::Event;
+use crate::protocol::EventMsg;
+use crate::protocol::McpInvocation;
+use crate::protocol::McpToolCallBeginEvent;
+use crate::protocol::McpToolCallEndEvent;
+use crate::tools::context::ToolInvocation;
+use crate::tools::context::ToolOutput;
+use crate::tools::context::ToolPayload;
+use crate::tools::registry::ToolHandler;
+use crate::tools::registry::ToolKind;
+
+pub struct McpResourceHandler;
+
+#[derive(Debug, Deserialize, Default)]
+struct ListResourcesArgs {
+    /// Lists all resources from all servers if not specified.
+    #[serde(default)]
+    server: Option<String>,
+    #[serde(default)]
+    cursor: Option<String>,
+}
+
+#[derive(Debug, Deserialize, Default)]
+struct ListResourceTemplatesArgs {
+    /// Lists all resource templates from all servers if not specified.
+    #[serde(default)]
+    server: Option<String>,
+    #[serde(default)]
+    cursor: Option<String>,
+}
+
+#[derive(Debug, Deserialize)]
+struct ReadResourceArgs {
+    server: String,
+    uri: String,
+}
+
+#[derive(Debug, Serialize)]
+struct ResourceWithServer {
+    server: String,
+    #[serde(flatten)]
+    resource: Resource,
+}
+
+impl ResourceWithServer {
+    fn new(server: String, resource: Resource) -> Self {
+        Self { server, resource }
+    }
+}
+
+#[derive(Debug, Serialize)]
+struct ResourceTemplateWithServer {
+    server: String,
+    #[serde(flatten)]
+    template: ResourceTemplate,
+}
+
+impl ResourceTemplateWithServer {
+    fn new(server: String, template: ResourceTemplate) -> Self {
+        Self { server, template }
+    }
+}
+
+#[derive(Debug, Serialize)]
+#[serde(rename_all = "camelCase")]
+struct ListResourcesPayload {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    server: Option<String>,
+    resources: Vec<ResourceWithServer>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    next_cursor: Option<String>,
+}
+
+impl ListResourcesPayload {
+    fn from_single_server(server: String, result: ListResourcesResult) -> Self {
+        let resources = result
+            .resources
+            .into_iter()
+            .map(|resource| ResourceWithServer::new(server.clone(), resource))
+            .collect();
+        Self {
+            server: Some(server),
+            resources,
+            next_cursor: result.next_cursor,
+        }
+    }
+
+    fn from_all_servers(resources_by_server: HashMap<String, Vec<Resource>>) -> Self {
+        let mut entries: Vec<(String, Vec<Resource>)> = resources_by_server.into_iter().collect();
+        entries.sort_by(|a, b| a.0.cmp(&b.0));
+
+        let mut resources = Vec::new();
+        for (server, server_resources) in entries {
+            for resource in server_resources {
+                resources.push(ResourceWithServer::new(server.clone(), resource));
+            }
+        }
+
+        Self {
+            server: None,
+            resources,
+            next_cursor: None,
+        }
+    }
+}
+
+#[derive(Debug, Serialize)]
+#[serde(rename_all = "camelCase")]
+struct ListResourceTemplatesPayload {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    server: Option<String>,
+    resource_templates: Vec<ResourceTemplateWithServer>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    next_cursor: Option<String>,
+}
+
+impl ListResourceTemplatesPayload {
+    fn from_single_server(server: String, result: ListResourceTemplatesResult) -> Self {
+        let resource_templates = result
+            .resource_templates
+            .into_iter()
+            .map(|template| ResourceTemplateWithServer::new(server.clone(), template))
+            .collect();
+        Self {
+            server: Some(server),
+            resource_templates,
+            next_cursor: result.next_cursor,
+        }
+    }
+
+    fn from_all_servers(templates_by_server: HashMap<String, Vec<ResourceTemplate>>) -> Self {
+        let mut entries: Vec<(String, Vec<ResourceTemplate>)> =
+            templates_by_server.into_iter().collect();
+        entries.sort_by(|a, b| a.0.cmp(&b.0));
+
+        let mut resource_templates = Vec::new();
+        for (server, server_templates) in entries {
+            for template in server_templates {
+                resource_templates.push(ResourceTemplateWithServer::new(server.clone(), template));
+            }
+        }
+
+        Self {
+            server: None,
+            resource_templates,
+            next_cursor: None,
+        }
+    }
+}
+
+#[derive(Debug, Serialize)]
+struct ReadResourcePayload {
+    server: String,
+    uri: String,
+    #[serde(flatten)]
+    result: ReadResourceResult,
+}
+
+#[async_trait]
+impl ToolHandler for McpResourceHandler {
+    fn kind(&self) -> ToolKind {
+        ToolKind::Function
+    }
+
+    async fn handle(&self, invocation: ToolInvocation) -> Result<ToolOutput, FunctionCallError> {
+        let ToolInvocation {
+            session,
+            sub_id,
+            call_id,
+            tool_name,
+            payload,
+            ..
+        } = invocation;
+
+        let arguments = match payload {
+            ToolPayload::Function { arguments } => arguments,
+            _ => {
+                return Err(FunctionCallError::RespondToModel(
+                    "mcp_resource handler received unsupported payload".to_string(),
+                ));
+            }
+        };
+
+        let arguments_value = parse_arguments(arguments.as_str())?;
+
+        match tool_name.as_str() {
+            "list_mcp_resources" => {
+                handle_list_resources(
+                    Arc::clone(&session),
+                    sub_id.clone(),
+                    call_id.clone(),
+                    arguments_value.clone(),
+                )
+                .await
+            }
+            "list_mcp_resource_templates" => {
+                handle_list_resource_templates(
+                    Arc::clone(&session),
+                    sub_id.clone(),
+                    call_id.clone(),
+                    arguments_value.clone(),
+                )
+                .await
+            }
+            "read_mcp_resource" => {
+                handle_read_resource(Arc::clone(&session), sub_id, call_id, arguments_value).await
+            }
+            other => Err(FunctionCallError::RespondToModel(format!(
+                "unsupported MCP resource tool: {other}"
+            ))),
+        }
+    }
+}
+
+async fn handle_list_resources(
+    session: Arc<Session>,
+    sub_id: String,
+    call_id: String,
+    arguments: Option<Value>,
+) -> Result<ToolOutput, FunctionCallError> {
+    let args: ListResourcesArgs = parse_args_with_default(arguments.clone())?;
+    let ListResourcesArgs { server, cursor } = args;
+    let server = normalize_optional_string(server);
+    let cursor = normalize_optional_string(cursor);
+
+    let invocation = McpInvocation {
+        server: server.clone().unwrap_or_else(|| "codex".to_string()),
+        tool: "list_mcp_resources".to_string(),
+        arguments: arguments.clone(),
+    };
+
+    emit_tool_call_begin(&session, &sub_id, &call_id, invocation.clone()).await;
+    let start = Instant::now();
+
+    let payload_result: Result<ListResourcesPayload, FunctionCallError> = async {
+        if let Some(server_name) = server.clone() {
+            let params = cursor.clone().map(|value| ListResourcesRequestParams {
+                cursor: Some(value),
+            });
+            let result = session
+                .list_resources(&server_name, params)
+                .await
+                .map_err(|err| {
+                    FunctionCallError::RespondToModel(format!("resources/list failed: {err:#}"))
+                })?;
+            Ok(ListResourcesPayload::from_single_server(
+                server_name,
+                result,
+            ))
+        } else {
+            if cursor.is_some() {
+                return Err(FunctionCallError::RespondToModel(
+                    "cursor can only be used when a server is specified".to_string(),
+                ));
+            }
+
+            let resources = session
+                .services
+                .mcp_connection_manager
+                .list_all_resources()
+                .await;
+            Ok(ListResourcesPayload::from_all_servers(resources))
+        }
+    }
+    .await;
+
+    match payload_result {
+        Ok(payload) => match serialize_function_output(payload) {
+            Ok(output) => {
+                let ToolOutput::Function { content, success } = &output else {
+                    unreachable!("MCP resource handler should return function output");
+                };
+                let duration = start.elapsed();
+                emit_tool_call_end(
+                    &session,
+                    &sub_id,
+                    &call_id,
+                    invocation,
+                    duration,
+                    Ok(call_tool_result_from_content(content, *success)),
+                )
+                .await;
+                Ok(output)
+            }
+            Err(err) => {
+                let duration = start.elapsed();
+                let message = err.to_string();
+                emit_tool_call_end(
+                    &session,
+                    &sub_id,
+                    &call_id,
+                    invocation,
+                    duration,
+                    Err(message.clone()),
+                )
+                .await;
+                Err(err)
+            }
+        },
+        Err(err) => {
+            let duration = start.elapsed();
+            let message = err.to_string();
+            emit_tool_call_end(
+                &session,
+                &sub_id,
+                &call_id,
+                invocation,
+                duration,
+                Err(message.clone()),
+            )
+            .await;
+            Err(err)
+        }
+    }
+}
+
+async fn handle_list_resource_templates(
+    session: Arc<Session>,
+    sub_id: String,
+    call_id: String,
+    arguments: Option<Value>,
+) -> Result<ToolOutput, FunctionCallError> {
+    let args: ListResourceTemplatesArgs = parse_args_with_default(arguments.clone())?;
+    let ListResourceTemplatesArgs { server, cursor } = args;
+    let server = normalize_optional_string(server);
+    let cursor = normalize_optional_string(cursor);
+
+    let invocation = McpInvocation {
+        server: server.clone().unwrap_or_else(|| "codex".to_string()),
+        tool: "list_mcp_resource_templates".to_string(),
+        arguments: arguments.clone(),
+    };
+
+    emit_tool_call_begin(&session, &sub_id, &call_id, invocation.clone()).await;
+    let start = Instant::now();
+
+    let payload_result: Result<ListResourceTemplatesPayload, FunctionCallError> = async {
+        if let Some(server_name) = server.clone() {
+            let params = cursor
+                .clone()
+                .map(|value| ListResourceTemplatesRequestParams {
+                    cursor: Some(value),
+                });
+            let result = session
+                .list_resource_templates(&server_name, params)
+                .await
+                .map_err(|err| {
+                    FunctionCallError::RespondToModel(format!(
+                        "resources/templates/list failed: {err:#}"
+                    ))
+                })?;
+            Ok(ListResourceTemplatesPayload::from_single_server(
+                server_name,
+                result,
+            ))
+        } else {
+            if cursor.is_some() {
+                return Err(FunctionCallError::RespondToModel(
+                    "cursor can only be used when a server is specified".to_string(),
+                ));
+            }
+
+            let templates = session
+                .services
+                .mcp_connection_manager
+                .list_all_resource_templates()
+                .await;
+            Ok(ListResourceTemplatesPayload::from_all_servers(templates))
+        }
+    }
+    .await;
+
+    match payload_result {
+        Ok(payload) => match serialize_function_output(payload) {
+            Ok(output) => {
+                let ToolOutput::Function { content, success } = &output else {
+                    unreachable!("MCP resource handler should return function output");
+                };
+                let duration = start.elapsed();
+                emit_tool_call_end(
+                    &session,
+                    &sub_id,
+                    &call_id,
+                    invocation,
+                    duration,
+                    Ok(call_tool_result_from_content(content, *success)),
+                )
+                .await;
+                Ok(output)
+            }
+            Err(err) => {
+                let duration = start.elapsed();
+                let message = err.to_string();
+                emit_tool_call_end(
+                    &session,
+                    &sub_id,
+                    &call_id,
+                    invocation,
+                    duration,
+                    Err(message.clone()),
+                )
+                .await;
+                Err(err)
+            }
+        },
+        Err(err) => {
+            let duration = start.elapsed();
+            let message = err.to_string();
+            emit_tool_call_end(
+                &session,
+                &sub_id,
+                &call_id,
+                invocation,
+                duration,
+                Err(message.clone()),
+            )
+            .await;
+            Err(err)
+        }
+    }
+}
+
+async fn handle_read_resource(
+    session: Arc<Session>,
+    sub_id: String,
+    call_id: String,
+    arguments: Option<Value>,
+) -> Result<ToolOutput, FunctionCallError> {
+    let args: ReadResourceArgs = parse_args(arguments.clone())?;
+    let ReadResourceArgs { server, uri } = args;
+    let server = normalize_required_string("server", server)?;
+    let uri = normalize_required_string("uri", uri)?;
+
+    let invocation = McpInvocation {
+        server: server.clone(),
+        tool: "read_mcp_resource".to_string(),
+        arguments: arguments.clone(),
+    };
+
+    emit_tool_call_begin(&session, &sub_id, &call_id, invocation.clone()).await;
+    let start = Instant::now();
+
+    let payload_result: Result<ReadResourcePayload, FunctionCallError> = async {
+        let result = session
+            .read_resource(&server, ReadResourceRequestParams { uri: uri.clone() })
+            .await
+            .map_err(|err| {
+                FunctionCallError::RespondToModel(format!("resources/read failed: {err:#}"))
+            })?;
+
+        Ok(ReadResourcePayload {
+            server,
+            uri,
+            result,
+        })
+    }
+    .await;
+
+    match payload_result {
+        Ok(payload) => match serialize_function_output(payload) {
+            Ok(output) => {
+                let ToolOutput::Function { content, success } = &output else {
+                    unreachable!("MCP resource handler should return function output");
+                };
+                let duration = start.elapsed();
+                emit_tool_call_end(
+                    &session,
+                    &sub_id,
+                    &call_id,
+                    invocation,
+                    duration,
+                    Ok(call_tool_result_from_content(content, *success)),
+                )
+                .await;
+                Ok(output)
+            }
+            Err(err) => {
+                let duration = start.elapsed();
+                let message = err.to_string();
+                emit_tool_call_end(
+                    &session,
+                    &sub_id,
+                    &call_id,
+                    invocation,
+                    duration,
+                    Err(message.clone()),
+                )
+                .await;
+                Err(err)
+            }
+        },
+        Err(err) => {
+            let duration = start.elapsed();
+            let message = err.to_string();
+            emit_tool_call_end(
+                &session,
+                &sub_id,
+                &call_id,
+                invocation,
+                duration,
+                Err(message.clone()),
+            )
+            .await;
+            Err(err)
+        }
+    }
+}
+
+fn call_tool_result_from_content(content: &str, success: Option<bool>) -> CallToolResult {
+    CallToolResult {
+        content: vec![ContentBlock::TextContent(TextContent {
+            annotations: None,
+            text: content.to_string(),
+            r#type: "text".to_string(),
+        })],
+        is_error: success.map(|value| !value),
+        structured_content: None,
+    }
+}
+
+async fn emit_tool_call_begin(
+    session: &Arc<Session>,
+    sub_id: &str,
+    call_id: &str,
+    invocation: McpInvocation,
+) {
+    session
+        .send_event(Event {
+            id: sub_id.to_string(),
+            msg: EventMsg::McpToolCallBegin(McpToolCallBeginEvent {
+                call_id: call_id.to_string(),
+                invocation,
+            }),
+        })
+        .await;
+}
+
+async fn emit_tool_call_end(
+    session: &Arc<Session>,
+    sub_id: &str,
+    call_id: &str,
+    invocation: McpInvocation,
+    duration: Duration,
+    result: Result<CallToolResult, String>,
+) {
+    session
+        .send_event(Event {
+            id: sub_id.to_string(),
+            msg: EventMsg::McpToolCallEnd(McpToolCallEndEvent {
+                call_id: call_id.to_string(),
+                invocation,
+                duration,
+                result,
+            }),
+        })
+        .await;
+}
+
+fn normalize_optional_string(input: Option<String>) -> Option<String> {
+    input.and_then(|value| {
+        let trimmed = value.trim().to_string();
+        if trimmed.is_empty() {
+            None
+        } else {
+            Some(trimmed)
+        }
+    })
+}
+
+fn normalize_required_string(field: &str, value: String) -> Result<String, FunctionCallError> {
+    match normalize_optional_string(Some(value)) {
+        Some(normalized) => Ok(normalized),
+        None => Err(FunctionCallError::RespondToModel(format!(
+            "{field} must be provided"
+        ))),
+    }
+}
+
+fn serialize_function_output<T>(payload: T) -> Result<ToolOutput, FunctionCallError>
+where
+    T: Serialize,
+{
+    let content = serde_json::to_string(&payload).map_err(|err| {
+        FunctionCallError::RespondToModel(format!(
+            "failed to serialize MCP resource response: {err}"
+        ))
+    })?;
+
+    Ok(ToolOutput::Function {
+        content,
+        success: Some(true),
+    })
+}
+
+fn parse_arguments(raw_args: &str) -> Result<Option<Value>, FunctionCallError> {
+    if raw_args.trim().is_empty() {
+        Ok(None)
+    } else {
+        serde_json::from_str(raw_args).map(Some).map_err(|err| {
+            FunctionCallError::RespondToModel(format!("failed to parse function arguments: {err}"))
+        })
+    }
+}
+
+fn parse_args<T>(arguments: Option<Value>) -> Result<T, FunctionCallError>
+where
+    T: DeserializeOwned,
+{
+    match arguments {
+        Some(value) => serde_json::from_value(value).map_err(|err| {
+            FunctionCallError::RespondToModel(format!("failed to parse function arguments: {err}"))
+        }),
+        None => Err(FunctionCallError::RespondToModel(
+            "failed to parse function arguments: expected value".to_string(),
+        )),
+    }
+}
+
+fn parse_args_with_default<T>(arguments: Option<Value>) -> Result<T, FunctionCallError>
+where
+    T: DeserializeOwned + Default,
+{
+    match arguments {
+        Some(value) => parse_args(Some(value)),
+        None => Ok(T::default()),
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use mcp_types::ListResourcesResult;
+    use mcp_types::ResourceTemplate;
+    use pretty_assertions::assert_eq;
+    use serde_json::json;
+
+    fn resource(uri: &str, name: &str) -> Resource {
+        Resource {
+            annotations: None,
+            description: None,
+            mime_type: None,
+            name: name.to_string(),
+            size: None,
+            title: None,
+            uri: uri.to_string(),
+        }
+    }
+
+    fn template(uri_template: &str, name: &str) -> ResourceTemplate {
+        ResourceTemplate {
+            annotations: None,
+            description: None,
+            mime_type: None,
+            name: name.to_string(),
+            title: None,
+            uri_template: uri_template.to_string(),
+        }
+    }
+
+    #[test]
+    fn resource_with_server_serializes_server_field() {
+        let entry = ResourceWithServer::new("test".to_string(), resource("memo://id", "memo"));
+        let value = serde_json::to_value(&entry).expect("serialize resource");
+
+        assert_eq!(value["server"], json!("test"));
+        assert_eq!(value["uri"], json!("memo://id"));
+        assert_eq!(value["name"], json!("memo"));
+    }
+
+    #[test]
+    fn list_resources_payload_from_single_server_copies_next_cursor() {
+        let result = ListResourcesResult {
+            next_cursor: Some("cursor-1".to_string()),
+            resources: vec![resource("memo://id", "memo")],
+        };
+        let payload = ListResourcesPayload::from_single_server("srv".to_string(), result);
+        let value = serde_json::to_value(&payload).expect("serialize payload");
+
+        assert_eq!(value["server"], json!("srv"));
+        assert_eq!(value["nextCursor"], json!("cursor-1"));
+        let resources = value["resources"].as_array().expect("resources array");
+        assert_eq!(resources.len(), 1);
+        assert_eq!(resources[0]["server"], json!("srv"));
+    }
+
+    #[test]
+    fn list_resources_payload_from_all_servers_is_sorted() {
+        let mut map = HashMap::new();
+        map.insert("beta".to_string(), vec![resource("memo://b-1", "b-1")]);
+        map.insert(
+            "alpha".to_string(),
+            vec![resource("memo://a-1", "a-1"), resource("memo://a-2", "a-2")],
+        );
+
+        let payload = ListResourcesPayload::from_all_servers(map);
+        let value = serde_json::to_value(&payload).expect("serialize payload");
+        let uris: Vec<String> = value["resources"]
+            .as_array()
+            .expect("resources array")
+            .iter()
+            .map(|entry| entry["uri"].as_str().unwrap().to_string())
+            .collect();
+
+        assert_eq!(
+            uris,
+            vec![
+                "memo://a-1".to_string(),
+                "memo://a-2".to_string(),
+                "memo://b-1".to_string()
+            ]
+        );
+    }
+
+    #[test]
+    fn call_tool_result_from_content_marks_success() {
+        let result = call_tool_result_from_content("{}", Some(true));
+        assert_eq!(result.is_error, Some(false));
+        assert_eq!(result.content.len(), 1);
+    }
+
+    #[test]
+    fn parse_arguments_handles_empty_and_json() {
+        assert!(
+            parse_arguments(" \n\t").unwrap().is_none(),
+            "expected None for empty arguments"
+        );
+
+        let value = parse_arguments(r#"{"server":"figma"}"#)
+            .expect("parse json")
+            .expect("value present");
+        assert_eq!(value["server"], json!("figma"));
+    }
+
+    #[test]
+    fn template_with_server_serializes_server_field() {
+        let entry =
+            ResourceTemplateWithServer::new("srv".to_string(), template("memo://{id}", "memo"));
+        let value = serde_json::to_value(&entry).expect("serialize template");
+
+        assert_eq!(
+            value,
+            json!({
+                "server": "srv",
+                "uriTemplate": "memo://{id}",
+                "name": "memo"
+            })
+        );
+    }
+}
--- a/codex-rs/core/src/tools/handlers/mod.rs
+++ b/codex-rs/core/src/tools/handlers/mod.rs
@@ -1,8 +1,8 @@
 pub mod apply_patch;
-mod exec_stream;
 mod grep_files;
 mod list_dir;
 mod mcp;
+mod mcp_resource;
 mod plan;
 mod read_file;
 mod shell;
@@ -13,10 +13,10 @@ mod view_image;
 pub use plan::PLAN_TOOL;

 pub use apply_patch::ApplyPatchHandler;
-pub use exec_stream::ExecStreamHandler;
 pub use grep_files::GrepFilesHandler;
 pub use list_dir::ListDirHandler;
 pub use mcp::McpHandler;
+pub use mcp_resource::McpResourceHandler;
 pub use plan::PlanHandler;
 pub use read_file::ReadFileHandler;
 pub use shell::ShellHandler;
--- a/codex-rs/core/src/tools/handlers/plan.rs
+++ b/codex-rs/core/src/tools/handlers/plan.rs
@@ -2,12 +2,12 @@ use crate::client_common::tools::ResponsesApiTool;
 use crate::client_common::tools::ToolSpec;
 use crate::codex::Session;
 use crate::function_tool::FunctionCallError;
-use crate::openai_tools::JsonSchema;
 use crate::tools::context::ToolInvocation;
 use crate::tools::context::ToolOutput;
 use crate::tools::context::ToolPayload;
 use crate::tools::registry::ToolHandler;
 use crate::tools::registry::ToolKind;
+use crate::tools::spec::JsonSchema;
 use async_trait::async_trait;
 use codex_protocol::plan_tool::UpdatePlanArgs;
 use codex_protocol::protocol::Event;
--- a/codex-rs/core/src/tools/handlers/shell.rs
+++ b/codex-rs/core/src/tools/handlers/shell.rs
@@ -24,6 +24,7 @@ impl ShellHandler {
            env: create_env(&turn_context.shell_environment_policy),
            with_escalated_permissions: params.with_escalated_permissions,
            justification: params.justification,
+            arg0: None,
        }
    }
 }
--- a/codex-rs/core/src/tools/handlers/unified_exec.rs
+++ b/codex-rs/core/src/tools/handlers/unified_exec.rs
@@ -35,7 +35,13 @@ impl ToolHandler for UnifiedExecHandler {

    async fn handle(&self, invocation: ToolInvocation) -> Result<ToolOutput, FunctionCallError> {
        let ToolInvocation {
-            session, payload, ..
+            session,
+            turn,
+            sub_id,
+            call_id,
+            tool_name: _tool_name,
+            payload,
+            ..
        } = invocation;

        let args = match payload {
@@ -73,13 +79,23 @@ impl ToolHandler for UnifiedExecHandler {
        };

        let request = UnifiedExecRequest {
-            session_id: parsed_session_id,
            input_chunks: &input,
            timeout_ms,
        };

        let value = session
-            .run_unified_exec_request(request)
+            .services
+            .unified_exec_manager
+            .handle_request(
+                request,
+                crate::unified_exec::UnifiedExecContext {
+                    session: &session,
+                    turn: turn.as_ref(),
+                    sub_id: &sub_id,
+                    call_id: &call_id,
+                    session_id: parsed_session_id,
+                },
+            )
            .await
            .map_err(|err| {
                FunctionCallError::RespondToModel(format!("unified exec failed: {err:?}"))
--- a/codex-rs/core/src/tools/mod.rs
+++ b/codex-rs/core/src/tools/mod.rs
@@ -1,12 +1,15 @@
 pub mod context;
+pub mod events;
 pub(crate) mod handlers;
+pub mod orchestrator;
 pub mod parallel;
 pub mod registry;
 pub mod router;
+pub mod runtimes;
+pub mod sandboxing;
 pub mod spec;

 use crate::apply_patch;
-use crate::apply_patch::ApplyPatchExec;
 use crate::apply_patch::InternalApplyPatchInvocation;
 use crate::apply_patch::convert_apply_patch_to_protocol;
 use crate::codex::Session;
@@ -15,14 +18,19 @@ use crate::error::CodexErr;
 use crate::error::SandboxErr;
 use crate::exec::ExecParams;
 use crate::exec::ExecToolCallOutput;
-use crate::exec::StdoutStream;
-use crate::executor::ExecutionMode;
-use crate::executor::errors::ExecError;
-use crate::executor::linkers::PreparedExec;
 use crate::function_tool::FunctionCallError;
-use crate::tools::context::ApplyPatchCommandContext;
-use crate::tools::context::ExecCommandContext;
 use crate::tools::context::SharedTurnDiffTracker;
+use crate::tools::events::ToolEmitter;
+use crate::tools::events::ToolEventCtx;
+use crate::tools::events::ToolEventFailure;
+use crate::tools::events::ToolEventStage;
+use crate::tools::orchestrator::ToolOrchestrator;
+use crate::tools::runtimes::apply_patch::ApplyPatchRequest;
+use crate::tools::runtimes::apply_patch::ApplyPatchRuntime;
+use crate::tools::runtimes::shell::ShellRequest;
+use crate::tools::runtimes::shell::ShellRuntime;
+use crate::tools::sandboxing::ToolCtx;
+use crate::tools::sandboxing::ToolError;
 use codex_apply_patch::MaybeApplyPatchVerified;
 use codex_apply_patch::maybe_parse_apply_patch_verified;
 use codex_protocol::protocol::AskForApproval;
@@ -56,7 +64,7 @@ pub(crate) async fn handle_container_exec_with_params(
    sub_id: String,
    call_id: String,
 ) -> Result<String, FunctionCallError> {
-    let otel_event_manager = turn_context.client.get_otel_event_manager();
+    let _otel_event_manager = turn_context.client.get_otel_event_manager();

    if params.with_escalated_permissions.unwrap_or(false)
        && !matches!(turn_context.approval_policy, AskForApproval::OnRequest)
@@ -100,86 +108,142 @@ pub(crate) async fn handle_container_exec_with_params(
        MaybeApplyPatchVerified::NotApplyPatch => None,
    };

-    let command_for_display = if let Some(exec) = apply_patch_exec.as_ref() {
-        vec!["apply_patch".to_string(), exec.action.patch.clone()]
-    } else {
-        params.command.clone()
-    };
-
-    let exec_command_context = ExecCommandContext {
-        sub_id: sub_id.clone(),
-        call_id: call_id.clone(),
-        command_for_display: command_for_display.clone(),
-        cwd: params.cwd.clone(),
-        apply_patch: apply_patch_exec.as_ref().map(
-            |ApplyPatchExec {
-                 action,
-                 user_explicitly_approved_this_action,
-             }| ApplyPatchCommandContext {
-                user_explicitly_approved_this_action: *user_explicitly_approved_this_action,
-                changes: convert_apply_patch_to_protocol(action),
-            },
+    let (event_emitter, diff_opt) = match apply_patch_exec.as_ref() {
+        Some(exec) => (
+            ToolEmitter::apply_patch(
+                convert_apply_patch_to_protocol(&exec.action),
+                !exec.user_explicitly_approved_this_action,
+            ),
+            Some(&turn_diff_tracker),
+        ),
+        None => (
+            ToolEmitter::shell(params.command.clone(), params.cwd.clone()),
+            None,
        ),
-        tool_name: tool_name.to_string(),
-        otel_event_manager,
    };

-    let mode = match apply_patch_exec {
-        Some(exec) => ExecutionMode::ApplyPatch(exec),
-        None => ExecutionMode::Shell,
-    };
+    let event_ctx = ToolEventCtx::new(sess.as_ref(), &sub_id, &call_id, diff_opt);
+    event_emitter.emit(event_ctx, ToolEventStage::Begin).await;

-    sess.services.executor.update_environment(
-        turn_context.sandbox_policy.clone(),
-        turn_context.cwd.clone(),
-    );
+    // Build runtime contexts only when needed (shell/apply_patch below).

-    let prepared_exec = PreparedExec::new(
-        exec_command_context,
-        params,
-        command_for_display,
-        mode,
-        Some(StdoutStream {
+    if let Some(exec) = apply_patch_exec {
+        // Route apply_patch execution through the new orchestrator/runtime.
+        let req = ApplyPatchRequest {
+            patch: exec.action.patch.clone(),
+            cwd: params.cwd.clone(),
+            timeout_ms: params.timeout_ms,
+            user_explicitly_approved: exec.user_explicitly_approved_this_action,
+            codex_exe: turn_context.codex_linux_sandbox_exe.clone(),
+        };
+
+        let mut orchestrator = ToolOrchestrator::new();
+        let mut runtime = ApplyPatchRuntime::new();
+        let tool_ctx = ToolCtx {
+            session: sess.as_ref(),
            sub_id: sub_id.clone(),
            call_id: call_id.clone(),
-            tx_event: sess.get_tx_event(),
-        }),
-        turn_context.shell_environment_policy.use_profile,
-    );
+            tool_name: tool_name.to_string(),
+        };

-    let output_result = sess
-        .run_exec_with_events(
-            turn_diff_tracker.clone(),
-            prepared_exec,
-            turn_context.approval_policy,
-        )
-        .await;
+        let out = orchestrator
+            .run(
+                &mut runtime,
+                &req,
+                &tool_ctx,
+                &turn_context,
+                turn_context.approval_policy,
+            )
+            .await;

-    // always make sure to truncate the output if its length isn't controlled.
-    match output_result {
+        handle_exec_outcome(&event_emitter, event_ctx, out).await
+    } else {
+        // Route shell execution through the new orchestrator/runtime.
+        let req = ShellRequest {
+            command: params.command.clone(),
+            cwd: params.cwd.clone(),
+            timeout_ms: params.timeout_ms,
+            env: params.env.clone(),
+            with_escalated_permissions: params.with_escalated_permissions,
+            justification: params.justification.clone(),
+        };
+
+        let mut orchestrator = ToolOrchestrator::new();
+        let mut runtime = ShellRuntime::new();
+        let tool_ctx = ToolCtx {
+            session: sess.as_ref(),
+            sub_id: sub_id.clone(),
+            call_id: call_id.clone(),
+            tool_name: tool_name.to_string(),
+        };
+
+        let out = orchestrator
+            .run(
+                &mut runtime,
+                &req,
+                &tool_ctx,
+                &turn_context,
+                turn_context.approval_policy,
+            )
+            .await;
+
+        handle_exec_outcome(&event_emitter, event_ctx, out).await
+    }
+}
+
+async fn handle_exec_outcome(
+    event_emitter: &ToolEmitter,
+    event_ctx: ToolEventCtx<'_>,
+    out: Result<ExecToolCallOutput, ToolError>,
+) -> Result<String, FunctionCallError> {
+    let event;
+    let result = match out {
        Ok(output) => {
-            let ExecToolCallOutput { exit_code, .. } = &output;
-            let content = format_exec_output_apply_patch(&output);
-            if *exit_code == 0 {
+            let content = format_exec_output_for_model(&output);
+            let exit_code = output.exit_code;
+            event = ToolEventStage::Success(output);
+            if exit_code == 0 {
                Ok(content)
            } else {
                Err(FunctionCallError::RespondToModel(content))
            }
        }
-        Err(ExecError::Function(err)) => Err(truncate_function_error(err)),
-        Err(ExecError::Codex(CodexErr::Sandbox(SandboxErr::Timeout { output }))) => Err(
-            FunctionCallError::RespondToModel(format_exec_output_apply_patch(&output)),
-        ),
-        Err(ExecError::Codex(err)) => {
+        Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Timeout { output })))
+        | Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Denied { output }))) => {
+            let response = format_exec_output_for_model(&output);
+            event = ToolEventStage::Failure(ToolEventFailure::Output(*output));
+            Err(FunctionCallError::RespondToModel(response))
+        }
+        Err(ToolError::Codex(err)) => {
            let message = format!("execution error: {err:?}");
+            let response = format_exec_output(&message);
+            event = ToolEventStage::Failure(ToolEventFailure::Message(message));
            Err(FunctionCallError::RespondToModel(format_exec_output(
-                &message,
+                &response,
            )))
        }
-    }
+        Err(ToolError::Rejected(msg)) | Err(ToolError::SandboxDenied(msg)) => {
+            // Normalize common rejection messages for exec tools so tests and
+            // users see a clear, consistent phrase.
+            let normalized = if msg == "rejected by user" {
+                "exec command rejected by user".to_string()
+            } else {
+                msg
+            };
+            let response = format_exec_output(&normalized);
+            event = ToolEventStage::Failure(ToolEventFailure::Message(normalized));
+            Err(FunctionCallError::RespondToModel(format_exec_output(
+                &response,
+            )))
+        }
+    };
+    event_emitter.emit(event_ctx, event).await;
+    result
 }

-pub fn format_exec_output_apply_patch(exec_output: &ExecToolCallOutput) -> String {
+/// Format the combined exec output for sending back to the model.
+/// Includes exit code and duration metadata; truncates large bodies safely.
+pub fn format_exec_output_for_model(exec_output: &ExecToolCallOutput) -> String {
    let ExecToolCallOutput {
        exit_code,
        duration,
@@ -233,17 +297,7 @@ pub fn format_exec_output_str(exec_output: &ExecToolCallOutput) -> String {
    format_exec_output(content)
 }

-fn truncate_function_error(err: FunctionCallError) -> FunctionCallError {
-    match err {
-        FunctionCallError::RespondToModel(msg) => {
-            FunctionCallError::RespondToModel(format_exec_output(&msg))
-        }
-        FunctionCallError::Fatal(msg) => FunctionCallError::Fatal(format_exec_output(&msg)),
-        other => other,
-    }
-}
-
-fn format_exec_output(content: &str) -> String {
+pub(super) fn format_exec_output(content: &str) -> String {
    // Head+tail truncation for the model: show the beginning and end with an elision.
    // Clients still receive full streams; only this formatted summary is capped.
    let total_lines = content.lines().count();
@@ -314,6 +368,17 @@ mod tests {
    use super::*;
    use regex_lite::Regex;

+    fn truncate_function_error(err: FunctionCallError) -> FunctionCallError {
+        match err {
+            FunctionCallError::RespondToModel(msg) => {
+                FunctionCallError::RespondToModel(format_exec_output(&msg))
+            }
+            FunctionCallError::Denied(msg) => FunctionCallError::Denied(format_exec_output(&msg)),
+            FunctionCallError::Fatal(msg) => FunctionCallError::Fatal(format_exec_output(&msg)),
+            other => other,
+        }
+    }
+
    fn assert_truncated_message_matches(message: &str, line: &str, total_lines: usize) {
        let pattern = truncated_message_pattern(line, total_lines);
        let regex = Regex::new(&pattern).unwrap_or_else(|err| {
--- a/codex-rs/core/src/tools/orchestrator.rs
+++ b/codex-rs/core/src/tools/orchestrator.rs
@@ -0,0 +1,172 @@
+/*
+Module: orchestrator
+
+Central place for approvals + sandbox selection + retry semantics. Drives a
+simple sequence for any ToolRuntime: approval → select sandbox → attempt →
+retry without sandbox on denial (no re‑approval thanks to caching).
+*/
+use crate::error::CodexErr;
+use crate::error::SandboxErr;
+use crate::exec::ExecToolCallOutput;
+use crate::sandboxing::SandboxManager;
+use crate::tools::sandboxing::ApprovalCtx;
+use crate::tools::sandboxing::SandboxAttempt;
+use crate::tools::sandboxing::ToolCtx;
+use crate::tools::sandboxing::ToolError;
+use crate::tools::sandboxing::ToolRuntime;
+use codex_protocol::protocol::AskForApproval;
+use codex_protocol::protocol::ReviewDecision;
+
+pub(crate) struct ToolOrchestrator {
+    sandbox: SandboxManager,
+}
+
+impl ToolOrchestrator {
+    pub fn new() -> Self {
+        Self {
+            sandbox: SandboxManager::new(),
+        }
+    }
+
+    pub async fn run<Rq, Out, T>(
+        &mut self,
+        tool: &mut T,
+        req: &Rq,
+        tool_ctx: &ToolCtx<'_>,
+        turn_ctx: &crate::codex::TurnContext,
+        approval_policy: AskForApproval,
+    ) -> Result<Out, ToolError>
+    where
+        T: ToolRuntime<Rq, Out>,
+    {
+        let otel = turn_ctx.client.get_otel_event_manager();
+        let otel_tn = &tool_ctx.tool_name;
+        let otel_ci = &tool_ctx.call_id;
+        let otel_user = codex_otel::otel_event_manager::ToolDecisionSource::User;
+        let otel_cfg = codex_otel::otel_event_manager::ToolDecisionSource::Config;
+
+        // 1) Approval
+        let needs_initial_approval =
+            tool.wants_initial_approval(req, approval_policy, &turn_ctx.sandbox_policy);
+        let mut already_approved = false;
+
+        if needs_initial_approval {
+            let approval_ctx = ApprovalCtx {
+                session: tool_ctx.session,
+                sub_id: &tool_ctx.sub_id,
+                call_id: &tool_ctx.call_id,
+                retry_reason: None,
+            };
+            let decision = tool.start_approval_async(req, approval_ctx).await;
+
+            otel.tool_decision(otel_tn, otel_ci, decision, otel_user.clone());
+
+            match decision {
+                ReviewDecision::Denied | ReviewDecision::Abort => {
+                    return Err(ToolError::Rejected("rejected by user".to_string()));
+                }
+                ReviewDecision::Approved | ReviewDecision::ApprovedForSession => {}
+            }
+            already_approved = true;
+        } else {
+            otel.tool_decision(otel_tn, otel_ci, ReviewDecision::Approved, otel_cfg);
+        }
+
+        // 2) First attempt under the selected sandbox.
+        let mut initial_sandbox = self
+            .sandbox
+            .select_initial(&turn_ctx.sandbox_policy, tool.sandbox_preference());
+        if tool.wants_escalated_first_attempt(req) {
+            initial_sandbox = crate::exec::SandboxType::None;
+        }
+        let initial_attempt = SandboxAttempt {
+            sandbox: initial_sandbox,
+            policy: &turn_ctx.sandbox_policy,
+            manager: &self.sandbox,
+            sandbox_cwd: &turn_ctx.cwd,
+            codex_linux_sandbox_exe: turn_ctx.codex_linux_sandbox_exe.as_ref(),
+        };
+
+        match tool.run(req, &initial_attempt, tool_ctx).await {
+            Ok(out) => {
+                // We have a successful initial result
+                Ok(out)
+            }
+            Err(ToolError::Codex(CodexErr::Sandbox(SandboxErr::Denied { output }))) => {
+                if !tool.escalate_on_failure() {
+                    return Err(ToolError::SandboxDenied(
+                        "sandbox denied and no retry".to_string(),
+                    ));
+                }
+                // Under `Never`, do not retry without sandbox; surface a concise message
+                // derived from the actual output (platform-agnostic).
+                if matches!(approval_policy, AskForApproval::Never) {
+                    let msg = build_never_denied_message_from_output(output.as_ref());
+                    return Err(ToolError::SandboxDenied(msg));
+                }
+
+                // Ask for approval before retrying without sandbox.
+                if !tool.should_bypass_approval(approval_policy, already_approved) {
+                    let reason_msg = build_denial_reason_from_output(output.as_ref());
+                    let approval_ctx = ApprovalCtx {
+                        session: tool_ctx.session,
+                        sub_id: &tool_ctx.sub_id,
+                        call_id: &tool_ctx.call_id,
+                        retry_reason: Some(reason_msg),
+                    };
+
+                    let decision = tool.start_approval_async(req, approval_ctx).await;
+                    otel.tool_decision(otel_tn, otel_ci, decision, otel_user);
+
+                    match decision {
+                        ReviewDecision::Denied | ReviewDecision::Abort => {
+                            return Err(ToolError::Rejected("rejected by user".to_string()));
+                        }
+                        ReviewDecision::Approved | ReviewDecision::ApprovedForSession => {}
+                    }
+                }
+
+                let escalated_attempt = SandboxAttempt {
+                    sandbox: crate::exec::SandboxType::None,
+                    policy: &turn_ctx.sandbox_policy,
+                    manager: &self.sandbox,
+                    sandbox_cwd: &turn_ctx.cwd,
+                    codex_linux_sandbox_exe: None,
+                };
+
+                // Second attempt.
+                (*tool).run(req, &escalated_attempt, tool_ctx).await
+            }
+            other => other,
+        }
+    }
+}
+
+fn build_never_denied_message_from_output(output: &ExecToolCallOutput) -> String {
+    let body = format!(
+        "{}\n{}\n{}",
+        output.stderr.text, output.stdout.text, output.aggregated_output.text
+    )
+    .to_lowercase();
+
+    let detail = if body.contains("permission denied") {
+        Some("Permission denied")
+    } else if body.contains("operation not permitted") {
+        Some("Operation not permitted")
+    } else if body.contains("read-only file system") {
+        Some("Read-only file system")
+    } else {
+        None
+    };
+
+    match detail {
+        Some(tag) => format!("failed in sandbox: {tag}"),
+        None => "failed in sandbox".to_string(),
+    }
+}
+
+fn build_denial_reason_from_output(_output: &ExecToolCallOutput) -> String {
+    // Keep approval reason terse and stable for UX/tests, but accept the
+    // output so we can evolve heuristics later without touching call sites.
+    "command failed; retry without sandbox?".to_string()
+}
--- a/codex-rs/core/src/tools/runtimes/apply_patch.rs
+++ b/codex-rs/core/src/tools/runtimes/apply_patch.rs
@@ -0,0 +1,148 @@
+//! Apply Patch runtime: executes verified patches under the orchestrator.
+//!
+//! Assumes `apply_patch` verification/approval happened upstream. Reuses that
+//! decision to avoid re-prompting, builds the self-invocation command for
+//! `codex --codex-run-as-apply-patch`, and runs under the current
+//! `SandboxAttempt` with a minimal environment.
+use crate::CODEX_APPLY_PATCH_ARG1;
+use crate::exec::ExecToolCallOutput;
+use crate::sandboxing::CommandSpec;
+use crate::sandboxing::execute_env;
+use crate::tools::sandboxing::Approvable;
+use crate::tools::sandboxing::ApprovalCtx;
+use crate::tools::sandboxing::SandboxAttempt;
+use crate::tools::sandboxing::Sandboxable;
+use crate::tools::sandboxing::SandboxablePreference;
+use crate::tools::sandboxing::ToolCtx;
+use crate::tools::sandboxing::ToolError;
+use crate::tools::sandboxing::ToolRuntime;
+use crate::tools::sandboxing::with_cached_approval;
+use codex_protocol::protocol::ReviewDecision;
+use futures::future::BoxFuture;
+use std::collections::HashMap;
+use std::path::PathBuf;
+
+#[derive(Clone, Debug)]
+pub struct ApplyPatchRequest {
+    pub patch: String,
+    pub cwd: PathBuf,
+    pub timeout_ms: Option<u64>,
+    pub user_explicitly_approved: bool,
+    pub codex_exe: Option<PathBuf>,
+}
+
+#[derive(Default)]
+pub struct ApplyPatchRuntime;
+
+#[derive(serde::Serialize, Clone, Debug, Eq, PartialEq, Hash)]
+pub(crate) struct ApprovalKey {
+    patch: String,
+    cwd: PathBuf,
+}
+
+impl ApplyPatchRuntime {
+    pub fn new() -> Self {
+        Self
+    }
+
+    fn build_command_spec(req: &ApplyPatchRequest) -> Result<CommandSpec, ToolError> {
+        use std::env;
+        let exe = if let Some(path) = &req.codex_exe {
+            path.clone()
+        } else {
+            env::current_exe()
+                .map_err(|e| ToolError::Rejected(format!("failed to determine codex exe: {e}")))?
+        };
+        let program = exe.to_string_lossy().to_string();
+        Ok(CommandSpec {
+            program,
+            args: vec![CODEX_APPLY_PATCH_ARG1.to_string(), req.patch.clone()],
+            cwd: req.cwd.clone(),
+            timeout_ms: req.timeout_ms,
+            // Run apply_patch with a minimal environment for determinism and to avoid leaks.
+            env: HashMap::new(),
+            with_escalated_permissions: None,
+            justification: None,
+        })
+    }
+
+    fn stdout_stream(ctx: &ToolCtx<'_>) -> Option<crate::exec::StdoutStream> {
+        Some(crate::exec::StdoutStream {
+            sub_id: ctx.sub_id.clone(),
+            call_id: ctx.call_id.clone(),
+            tx_event: ctx.session.get_tx_event(),
+        })
+    }
+}
+
+impl Sandboxable for ApplyPatchRuntime {
+    fn sandbox_preference(&self) -> SandboxablePreference {
+        SandboxablePreference::Auto
+    }
+    fn escalate_on_failure(&self) -> bool {
+        true
+    }
+}
+
+impl Approvable<ApplyPatchRequest> for ApplyPatchRuntime {
+    type ApprovalKey = ApprovalKey;
+
+    fn approval_key(&self, req: &ApplyPatchRequest) -> Self::ApprovalKey {
+        ApprovalKey {
+            patch: req.patch.clone(),
+            cwd: req.cwd.clone(),
+        }
+    }
+
+    fn start_approval_async<'a>(
+        &'a mut self,
+        req: &'a ApplyPatchRequest,
+        ctx: ApprovalCtx<'a>,
+    ) -> BoxFuture<'a, ReviewDecision> {
+        let key = self.approval_key(req);
+        let session = ctx.session;
+        let sub_id = ctx.sub_id.to_string();
+        let call_id = ctx.call_id.to_string();
+        let cwd = req.cwd.clone();
+        let retry_reason = ctx.retry_reason.clone();
+        let user_explicitly_approved = req.user_explicitly_approved;
+        Box::pin(async move {
+            with_cached_approval(&session.services, key, || async move {
+                if let Some(reason) = retry_reason {
+                    session
+                        .request_command_approval(
+                            sub_id,
+                            call_id,
+                            vec!["apply_patch".to_string()],
+                            cwd,
+                            Some(reason),
+                        )
+                        .await
+                } else if user_explicitly_approved {
+                    ReviewDecision::ApprovedForSession
+                } else {
+                    ReviewDecision::Approved
+                }
+            })
+            .await
+        })
+    }
+}
+
+impl ToolRuntime<ApplyPatchRequest, ExecToolCallOutput> for ApplyPatchRuntime {
+    async fn run(
+        &mut self,
+        req: &ApplyPatchRequest,
+        attempt: &SandboxAttempt<'_>,
+        ctx: &ToolCtx<'_>,
+    ) -> Result<ExecToolCallOutput, ToolError> {
+        let spec = Self::build_command_spec(req)?;
+        let env = attempt
+            .env_for(&spec)
+            .map_err(|err| ToolError::Codex(err.into()))?;
+        let out = execute_env(&env, attempt.policy, Self::stdout_stream(ctx))
+            .await
+            .map_err(ToolError::Codex)?;
+        Ok(out)
+    }
+}
--- a/codex-rs/core/src/tools/runtimes/mod.rs
+++ b/codex-rs/core/src/tools/runtimes/mod.rs
@@ -0,0 +1,38 @@
+/*
+Module: runtimes
+
+Concrete ToolRuntime implementations for specific tools. Each runtime stays
+small and focused and reuses the orchestrator for approvals + sandbox + retry.
+*/
+use crate::sandboxing::CommandSpec;
+use crate::tools::sandboxing::ToolError;
+use std::collections::HashMap;
+use std::path::Path;
+
+pub mod apply_patch;
+pub mod shell;
+pub mod unified_exec;
+
+/// Shared helper to construct a CommandSpec from a tokenized command line.
+/// Validates that at least a program is present.
+pub(crate) fn build_command_spec(
+    command: &[String],
+    cwd: &Path,
+    env: &HashMap<String, String>,
+    timeout_ms: Option<u64>,
+    with_escalated_permissions: Option<bool>,
+    justification: Option<String>,
+) -> Result<CommandSpec, ToolError> {
+    let (program, args) = command
+        .split_first()
+        .ok_or_else(|| ToolError::Rejected("command args are empty".to_string()))?;
+    Ok(CommandSpec {
+        program: program.clone(),
+        args: args.to_vec(),
+        cwd: cwd.to_path_buf(),
+        env: env.clone(),
+        timeout_ms,
+        with_escalated_permissions,
+        justification,
+    })
+}
--- a/codex-rs/core/src/tools/runtimes/shell.rs
+++ b/codex-rs/core/src/tools/runtimes/shell.rs
@@ -0,0 +1,164 @@
+/*
+Runtime: shell
+
+Executes shell requests under the orchestrator: asks for approval when needed,
+builds a CommandSpec, and runs it under the current SandboxAttempt.
+*/
+use crate::command_safety::is_dangerous_command::command_might_be_dangerous;
+use crate::command_safety::is_safe_command::is_known_safe_command;
+use crate::exec::ExecToolCallOutput;
+use crate::protocol::SandboxPolicy;
+use crate::sandboxing::execute_env;
+use crate::tools::runtimes::build_command_spec;
+use crate::tools::sandboxing::Approvable;
+use crate::tools::sandboxing::ApprovalCtx;
+use crate::tools::sandboxing::SandboxAttempt;
+use crate::tools::sandboxing::Sandboxable;
+use crate::tools::sandboxing::SandboxablePreference;
+use crate::tools::sandboxing::ToolCtx;
+use crate::tools::sandboxing::ToolError;
+use crate::tools::sandboxing::ToolRuntime;
+use crate::tools::sandboxing::with_cached_approval;
+use codex_protocol::protocol::AskForApproval;
+use codex_protocol::protocol::ReviewDecision;
+use futures::future::BoxFuture;
+use std::path::PathBuf;
+
+#[derive(Clone, Debug)]
+pub struct ShellRequest {
+    pub command: Vec<String>,
+    pub cwd: PathBuf,
+    pub timeout_ms: Option<u64>,
+    pub env: std::collections::HashMap<String, String>,
+    pub with_escalated_permissions: Option<bool>,
+    pub justification: Option<String>,
+}
+
+#[derive(Default)]
+pub struct ShellRuntime;
+
+#[derive(serde::Serialize, Clone, Debug, Eq, PartialEq, Hash)]
+pub(crate) struct ApprovalKey {
+    command: Vec<String>,
+    cwd: PathBuf,
+    escalated: bool,
+}
+
+impl ShellRuntime {
+    pub fn new() -> Self {
+        Self
+    }
+
+    fn stdout_stream(ctx: &ToolCtx<'_>) -> Option<crate::exec::StdoutStream> {
+        Some(crate::exec::StdoutStream {
+            sub_id: ctx.sub_id.clone(),
+            call_id: ctx.call_id.clone(),
+            tx_event: ctx.session.get_tx_event(),
+        })
+    }
+}
+
+impl Sandboxable for ShellRuntime {
+    fn sandbox_preference(&self) -> SandboxablePreference {
+        SandboxablePreference::Auto
+    }
+    fn escalate_on_failure(&self) -> bool {
+        true
+    }
+}
+
+impl Approvable<ShellRequest> for ShellRuntime {
+    type ApprovalKey = ApprovalKey;
+
+    fn approval_key(&self, req: &ShellRequest) -> Self::ApprovalKey {
+        ApprovalKey {
+            command: req.command.clone(),
+            cwd: req.cwd.clone(),
+            escalated: req.with_escalated_permissions.unwrap_or(false),
+        }
+    }
+
+    fn start_approval_async<'a>(
+        &'a mut self,
+        req: &'a ShellRequest,
+        ctx: ApprovalCtx<'a>,
+    ) -> BoxFuture<'a, ReviewDecision> {
+        let key = self.approval_key(req);
+        let command = req.command.clone();
+        let cwd = req.cwd.clone();
+        let reason = ctx
+            .retry_reason
+            .clone()
+            .or_else(|| req.justification.clone());
+        let session = ctx.session;
+        let sub_id = ctx.sub_id.to_string();
+        let call_id = ctx.call_id.to_string();
+        Box::pin(async move {
+            with_cached_approval(&session.services, key, || async move {
+                session
+                    .request_command_approval(sub_id, call_id, command, cwd, reason)
+                    .await
+            })
+            .await
+        })
+    }
+
+    fn wants_initial_approval(
+        &self,
+        req: &ShellRequest,
+        policy: AskForApproval,
+        sandbox_policy: &SandboxPolicy,
+    ) -> bool {
+        if is_known_safe_command(&req.command) {
+            return false;
+        }
+        match policy {
+            AskForApproval::Never | AskForApproval::OnFailure => false,
+            AskForApproval::OnRequest => {
+                // In DangerFullAccess, only prompt if the command looks dangerous.
+                if matches!(sandbox_policy, SandboxPolicy::DangerFullAccess) {
+                    return command_might_be_dangerous(&req.command);
+                }
+
+                // In restricted sandboxes (ReadOnly/WorkspaceWrite), do not prompt for
+                // non‑escalated, non‑dangerous commands — let the sandbox enforce
+                // restrictions (e.g., block network/write) without a user prompt.
+                let wants_escalation = req.with_escalated_permissions.unwrap_or(false);
+                if wants_escalation {
+                    return true;
+                }
+                command_might_be_dangerous(&req.command)
+            }
+            AskForApproval::UnlessTrusted => !is_known_safe_command(&req.command),
+        }
+    }
+
+    fn wants_escalated_first_attempt(&self, req: &ShellRequest) -> bool {
+        req.with_escalated_permissions.unwrap_or(false)
+    }
+}
+
+impl ToolRuntime<ShellRequest, ExecToolCallOutput> for ShellRuntime {
+    async fn run(
+        &mut self,
+        req: &ShellRequest,
+        attempt: &SandboxAttempt<'_>,
+        ctx: &ToolCtx<'_>,
+    ) -> Result<ExecToolCallOutput, ToolError> {
+        let spec = build_command_spec(
+            &req.command,
+            &req.cwd,
+            &req.env,
+            req.timeout_ms,
+            req.with_escalated_permissions,
+            req.justification.clone(),
+        )?;
+        let env = attempt
+            .env_for(&spec)
+            .map_err(|err| ToolError::Codex(err.into()))?;
+        let out = execute_env(&env, attempt.policy, Self::stdout_stream(ctx))
+            .await
+            .map_err(ToolError::Codex)?;
+        Ok(out)
+    }
+}
--- a/codex-rs/core/src/tools/runtimes/unified_exec.rs
+++ b/codex-rs/core/src/tools/runtimes/unified_exec.rs
@@ -0,0 +1,123 @@
+/*
+Runtime: unified exec
+
+Handles approval + sandbox orchestration for unified exec requests, delegating to
+the session manager to spawn PTYs once an ExecEnv is prepared.
+*/
+use crate::error::CodexErr;
+use crate::error::SandboxErr;
+use crate::tools::runtimes::build_command_spec;
+use crate::tools::sandboxing::Approvable;
+use crate::tools::sandboxing::ApprovalCtx;
+use crate::tools::sandboxing::SandboxAttempt;
+use crate::tools::sandboxing::Sandboxable;
+use crate::tools::sandboxing::SandboxablePreference;
+use crate::tools::sandboxing::ToolCtx;
+use crate::tools::sandboxing::ToolError;
+use crate::tools::sandboxing::ToolRuntime;
+use crate::tools::sandboxing::with_cached_approval;
+use crate::unified_exec::UnifiedExecError;
+use crate::unified_exec::UnifiedExecSession;
+use crate::unified_exec::UnifiedExecSessionManager;
+use codex_protocol::protocol::ReviewDecision;
+use futures::future::BoxFuture;
+use std::collections::HashMap;
+use std::path::PathBuf;
+
+#[derive(Clone, Debug)]
+pub struct UnifiedExecRequest {
+    pub command: Vec<String>,
+    pub cwd: PathBuf,
+    pub env: HashMap<String, String>,
+}
+
+#[derive(serde::Serialize, Clone, Debug, Eq, PartialEq, Hash)]
+pub struct UnifiedExecApprovalKey {
+    pub command: Vec<String>,
+    pub cwd: PathBuf,
+}
+
+pub struct UnifiedExecRuntime<'a> {
+    manager: &'a UnifiedExecSessionManager,
+}
+
+impl UnifiedExecRequest {
+    pub fn new(command: Vec<String>, cwd: PathBuf, env: HashMap<String, String>) -> Self {
+        Self { command, cwd, env }
+    }
+}
+
+impl<'a> UnifiedExecRuntime<'a> {
+    pub fn new(manager: &'a UnifiedExecSessionManager) -> Self {
+        Self { manager }
+    }
+}
+
+impl Sandboxable for UnifiedExecRuntime<'_> {
+    fn sandbox_preference(&self) -> SandboxablePreference {
+        SandboxablePreference::Auto
+    }
+
+    fn escalate_on_failure(&self) -> bool {
+        true
+    }
+}
+
+impl Approvable<UnifiedExecRequest> for UnifiedExecRuntime<'_> {
+    type ApprovalKey = UnifiedExecApprovalKey;
+
+    fn approval_key(&self, req: &UnifiedExecRequest) -> Self::ApprovalKey {
+        UnifiedExecApprovalKey {
+            command: req.command.clone(),
+            cwd: req.cwd.clone(),
+        }
+    }
+
+    fn start_approval_async<'b>(
+        &'b mut self,
+        req: &'b UnifiedExecRequest,
+        ctx: ApprovalCtx<'b>,
+    ) -> BoxFuture<'b, ReviewDecision> {
+        let key = self.approval_key(req);
+        let session = ctx.session;
+        let sub_id = ctx.sub_id.to_string();
+        let call_id = ctx.call_id.to_string();
+        let command = req.command.clone();
+        let cwd = req.cwd.clone();
+        let reason = ctx.retry_reason.clone();
+        Box::pin(async move {
+            with_cached_approval(&session.services, key, || async move {
+                session
+                    .request_command_approval(sub_id, call_id, command, cwd, reason)
+                    .await
+            })
+            .await
+        })
+    }
+}
+
+impl<'a> ToolRuntime<UnifiedExecRequest, UnifiedExecSession> for UnifiedExecRuntime<'a> {
+    async fn run(
+        &mut self,
+        req: &UnifiedExecRequest,
+        attempt: &SandboxAttempt<'_>,
+        _ctx: &ToolCtx<'_>,
+    ) -> Result<UnifiedExecSession, ToolError> {
+        let spec = build_command_spec(&req.command, &req.cwd, &req.env, None, None, None)
+            .map_err(|_| ToolError::Rejected("missing command line for PTY".to_string()))?;
+        let exec_env = attempt
+            .env_for(&spec)
+            .map_err(|err| ToolError::Codex(err.into()))?;
+        self.manager
+            .open_session_with_exec_env(&exec_env)
+            .await
+            .map_err(|err| match err {
+                UnifiedExecError::SandboxDenied { output, .. } => {
+                    ToolError::Codex(CodexErr::Sandbox(SandboxErr::Denied {
+                        output: Box::new(output),
+                    }))
+                }
+                other => ToolError::Rejected(other.to_string()),
+            })
+    }
+}
--- a/codex-rs/core/src/tools/sandboxing.rs
+++ b/codex-rs/core/src/tools/sandboxing.rs
@@ -0,0 +1,190 @@
+//! Shared approvals and sandboxing traits used by tool runtimes.
+//!
+//! Consolidates the approval flow primitives (`ApprovalDecision`, `ApprovalStore`,
+//! `ApprovalCtx`, `Approvable`) together with the sandbox orchestration traits
+//! and helpers (`Sandboxable`, `ToolRuntime`, `SandboxAttempt`, etc.).
+
+use crate::codex::Session;
+use crate::error::CodexErr;
+use crate::protocol::SandboxPolicy;
+use crate::sandboxing::CommandSpec;
+use crate::sandboxing::SandboxManager;
+use crate::sandboxing::SandboxTransformError;
+use crate::state::SessionServices;
+use codex_protocol::protocol::AskForApproval;
+use codex_protocol::protocol::ReviewDecision;
+use std::collections::HashMap;
+use std::fmt::Debug;
+use std::hash::Hash;
+use std::path::Path;
+
+use futures::Future;
+use futures::future::BoxFuture;
+use serde::Serialize;
+
+#[derive(Clone, Default, Debug)]
+pub(crate) struct ApprovalStore {
+    // Store serialized keys for generic caching across requests.
+    map: HashMap<String, ReviewDecision>,
+}
+
+impl ApprovalStore {
+    pub fn get<K>(&self, key: &K) -> Option<ReviewDecision>
+    where
+        K: Serialize,
+    {
+        let s = serde_json::to_string(key).ok()?;
+        self.map.get(&s).cloned()
+    }
+
+    pub fn put<K>(&mut self, key: K, value: ReviewDecision)
+    where
+        K: Serialize,
+    {
+        if let Ok(s) = serde_json::to_string(&key) {
+            self.map.insert(s, value);
+        }
+    }
+}
+
+pub(crate) async fn with_cached_approval<K, F, Fut>(
+    services: &SessionServices,
+    key: K,
+    fetch: F,
+) -> ReviewDecision
+where
+    K: Serialize + Clone,
+    F: FnOnce() -> Fut,
+    Fut: Future<Output = ReviewDecision>,
+{
+    {
+        let store = services.tool_approvals.lock().await;
+        if let Some(decision) = store.get(&key) {
+            return decision;
+        }
+    }
+
+    let decision = fetch().await;
+
+    if matches!(decision, ReviewDecision::ApprovedForSession) {
+        let mut store = services.tool_approvals.lock().await;
+        store.put(key, ReviewDecision::ApprovedForSession);
+    }
+
+    decision
+}
+
+#[derive(Clone)]
+pub(crate) struct ApprovalCtx<'a> {
+    pub session: &'a Session,
+    pub sub_id: &'a str,
+    pub call_id: &'a str,
+    pub retry_reason: Option<String>,
+}
+
+pub(crate) trait Approvable<Req> {
+    type ApprovalKey: Hash + Eq + Clone + Debug + Serialize;
+
+    fn approval_key(&self, req: &Req) -> Self::ApprovalKey;
+
+    /// Some tools may request to skip the sandbox on the first attempt
+    /// (e.g., when the request explicitly asks for escalated permissions).
+    /// Defaults to `false`.
+    fn wants_escalated_first_attempt(&self, _req: &Req) -> bool {
+        false
+    }
+
+    fn should_bypass_approval(&self, policy: AskForApproval, already_approved: bool) -> bool {
+        if already_approved {
+            // We do not ask one more time
+            return true;
+        }
+        matches!(policy, AskForApproval::Never)
+    }
+
+    /// Decide whether an initial user approval should be requested before the
+    /// first attempt. Defaults to the orchestrator's behavior (pre‑refactor):
+    /// - Never, OnFailure: do not ask
+    /// - OnRequest: ask unless sandbox policy is DangerFullAccess
+    /// - UnlessTrusted: always ask
+    fn wants_initial_approval(
+        &self,
+        _req: &Req,
+        policy: AskForApproval,
+        sandbox_policy: &SandboxPolicy,
+    ) -> bool {
+        match policy {
+            AskForApproval::Never | AskForApproval::OnFailure => false,
+            AskForApproval::OnRequest => !matches!(sandbox_policy, SandboxPolicy::DangerFullAccess),
+            AskForApproval::UnlessTrusted => true,
+        }
+    }
+
+    fn start_approval_async<'a>(
+        &'a mut self,
+        req: &'a Req,
+        ctx: ApprovalCtx<'a>,
+    ) -> BoxFuture<'a, ReviewDecision>;
+}
+
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+pub(crate) enum SandboxablePreference {
+    Auto,
+    #[allow(dead_code)] // Will be used by later tools.
+    Require,
+    #[allow(dead_code)] // Will be used by later tools.
+    Forbid,
+}
+
+pub(crate) trait Sandboxable {
+    fn sandbox_preference(&self) -> SandboxablePreference;
+    fn escalate_on_failure(&self) -> bool {
+        true
+    }
+}
+
+pub(crate) struct ToolCtx<'a> {
+    pub session: &'a Session,
+    pub sub_id: String,
+    pub call_id: String,
+    pub tool_name: String,
+}
+
+#[derive(Debug)]
+pub(crate) enum ToolError {
+    Rejected(String),
+    SandboxDenied(String),
+    Codex(CodexErr),
+}
+
+pub(crate) trait ToolRuntime<Req, Out>: Approvable<Req> + Sandboxable {
+    async fn run(
+        &mut self,
+        req: &Req,
+        attempt: &SandboxAttempt<'_>,
+        ctx: &ToolCtx,
+    ) -> Result<Out, ToolError>;
+}
+
+pub(crate) struct SandboxAttempt<'a> {
+    pub sandbox: crate::exec::SandboxType,
+    pub policy: &'a crate::protocol::SandboxPolicy,
+    pub(crate) manager: &'a SandboxManager,
+    pub(crate) sandbox_cwd: &'a Path,
+    pub codex_linux_sandbox_exe: Option<&'a std::path::PathBuf>,
+}
+
+impl<'a> SandboxAttempt<'a> {
+    pub fn env_for(
+        &self,
+        spec: &CommandSpec,
+    ) -> Result<crate::sandboxing::ExecEnv, SandboxTransformError> {
+        self.manager.transform(
+            spec,
+            self.policy,
+            self.sandbox,
+            self.sandbox_cwd,
+            self.codex_linux_sandbox_exe,
+        )
+    }
+}
--- a/codex-rs/core/src/tools/spec.rs
+++ b/codex-rs/core/src/tools/spec.rs
@@ -511,6 +511,107 @@ fn create_list_dir_tool() -> ToolSpec {
        },
    })
 }
+
+fn create_list_mcp_resources_tool() -> ToolSpec {
+    let mut properties = BTreeMap::new();
+    properties.insert(
+        "server".to_string(),
+        JsonSchema::String {
+            description: Some(
+                "Optional MCP server name. When omitted, lists resources from every configured server."
+                    .to_string(),
+            ),
+        },
+    );
+    properties.insert(
+        "cursor".to_string(),
+        JsonSchema::String {
+            description: Some(
+                "Opaque cursor returned by a previous list_mcp_resources call for the same server."
+                    .to_string(),
+            ),
+        },
+    );
+
+    ToolSpec::Function(ResponsesApiTool {
+        name: "list_mcp_resources".to_string(),
+        description: "Lists resources provided by MCP servers. Resources allow servers to share data that provides context to language models, such as files, database schemas, or application-specific information. Prefer resources over web search when possible.".to_string(),
+        strict: false,
+        parameters: JsonSchema::Object {
+            properties,
+            required: None,
+            additional_properties: Some(false.into()),
+        },
+    })
+}
+
+fn create_list_mcp_resource_templates_tool() -> ToolSpec {
+    let mut properties = BTreeMap::new();
+    properties.insert(
+        "server".to_string(),
+        JsonSchema::String {
+            description: Some(
+                "Optional MCP server name. When omitted, lists resource templates from all configured servers."
+                    .to_string(),
+            ),
+        },
+    );
+    properties.insert(
+        "cursor".to_string(),
+        JsonSchema::String {
+            description: Some(
+                "Opaque cursor returned by a previous list_mcp_resource_templates call for the same server."
+                    .to_string(),
+            ),
+        },
+    );
+
+    ToolSpec::Function(ResponsesApiTool {
+        name: "list_mcp_resource_templates".to_string(),
+        description: "Lists resource templates provided by MCP servers. Parameterized resource templates allow servers to share data that takes parameters and provides context to language models, such as files, database schemas, or application-specific information. Prefer resource templates over web search when possible.".to_string(),
+        strict: false,
+        parameters: JsonSchema::Object {
+            properties,
+            required: None,
+            additional_properties: Some(false.into()),
+        },
+    })
+}
+
+fn create_read_mcp_resource_tool() -> ToolSpec {
+    let mut properties = BTreeMap::new();
+    properties.insert(
+        "server".to_string(),
+        JsonSchema::String {
+            description: Some(
+                "MCP server name exactly as configured. Must match the 'server' field returned by list_mcp_resources."
+                    .to_string(),
+            ),
+        },
+    );
+    properties.insert(
+        "uri".to_string(),
+        JsonSchema::String {
+            description: Some(
+                "Resource URI to read. Must be one of the URIs returned by list_mcp_resources."
+                    .to_string(),
+            ),
+        },
+    );
+
+    ToolSpec::Function(ResponsesApiTool {
+        name: "read_mcp_resource".to_string(),
+        description:
+            "Read a specific resource from an MCP server given the server name and resource URI."
+                .to_string(),
+        strict: false,
+        parameters: JsonSchema::Object {
+            properties,
+            required: Some(vec!["server".to_string(), "uri".to_string()]),
+            additional_properties: Some(false.into()),
+        },
+    })
+}
 /// TODO(dylan): deprecate once we get rid of json tool
 #[derive(Serialize, Deserialize)]
 pub(crate) struct ApplyPatchToolArgs {
@@ -714,15 +815,11 @@ pub(crate) fn build_specs(
    config: &ToolsConfig,
    mcp_tools: Option<HashMap<String, mcp_types::Tool>>,
 ) -> ToolRegistryBuilder {
-    use crate::exec_command::EXEC_COMMAND_TOOL_NAME;
-    use crate::exec_command::WRITE_STDIN_TOOL_NAME;
-    use crate::exec_command::create_exec_command_tool_for_responses_api;
-    use crate::exec_command::create_write_stdin_tool_for_responses_api;
    use crate::tools::handlers::ApplyPatchHandler;
-    use crate::tools::handlers::ExecStreamHandler;
    use crate::tools::handlers::GrepFilesHandler;
    use crate::tools::handlers::ListDirHandler;
    use crate::tools::handlers::McpHandler;
+    use crate::tools::handlers::McpResourceHandler;
    use crate::tools::handlers::PlanHandler;
    use crate::tools::handlers::ReadFileHandler;
    use crate::tools::handlers::ShellHandler;
@@ -734,14 +831,17 @@ pub(crate) fn build_specs(
    let mut builder = ToolRegistryBuilder::new();

    let shell_handler = Arc::new(ShellHandler);
-    let exec_stream_handler = Arc::new(ExecStreamHandler);
    let unified_exec_handler = Arc::new(UnifiedExecHandler);
    let plan_handler = Arc::new(PlanHandler);
    let apply_patch_handler = Arc::new(ApplyPatchHandler);
    let view_image_handler = Arc::new(ViewImageHandler);
    let mcp_handler = Arc::new(McpHandler);
+    let mcp_resource_handler = Arc::new(McpResourceHandler);

-    if config.experimental_unified_exec_tool {
+    let use_unified_exec = config.experimental_unified_exec_tool
+        || matches!(config.shell_type, ConfigShellToolType::Streamable);
+
+    if use_unified_exec {
        builder.push_spec(create_unified_exec_tool());
        builder.register_handler("unified_exec", unified_exec_handler);
    } else {
@@ -753,14 +853,7 @@ pub(crate) fn build_specs(
                builder.push_spec(ToolSpec::LocalShell {});
            }
            ConfigShellToolType::Streamable => {
-                builder.push_spec(ToolSpec::Function(
-                    create_exec_command_tool_for_responses_api(),
-                ));
-                builder.push_spec(ToolSpec::Function(
-                    create_write_stdin_tool_for_responses_api(),
-                ));
-                builder.register_handler(EXEC_COMMAND_TOOL_NAME, exec_stream_handler.clone());
-                builder.register_handler(WRITE_STDIN_TOOL_NAME, exec_stream_handler);
+                // Already handled by use_unified_exec.
            }
        }
    }
@@ -770,6 +863,13 @@ pub(crate) fn build_specs(
    builder.register_handler("container.exec", shell_handler.clone());
    builder.register_handler("local_shell", shell_handler);

+    builder.push_spec_with_parallel_support(create_list_mcp_resources_tool(), true);
+    builder.push_spec_with_parallel_support(create_list_mcp_resource_templates_tool(), true);
+    builder.push_spec_with_parallel_support(create_read_mcp_resource_tool(), true);
+    builder.register_handler("list_mcp_resources", mcp_resource_handler.clone());
+    builder.register_handler("list_mcp_resource_templates", mcp_resource_handler.clone());
+    builder.register_handler("read_mcp_resource", mcp_resource_handler);
+
    if config.plan_tool {
        builder.push_spec(PLAN_TOOL.clone());
        builder.register_handler("update_plan", plan_handler);
@@ -917,7 +1017,15 @@ mod tests {

        assert_eq_tool_names(
            &tools,
-            &["unified_exec", "update_plan", "web_search", "view_image"],
+            &[
+                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "update_plan",
+                "web_search",
+                "view_image",
+            ],
        );
    }

@@ -936,7 +1044,15 @@ mod tests {

        assert_eq_tool_names(
            &tools,
-            &["unified_exec", "update_plan", "web_search", "view_image"],
+            &[
+                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
+                "update_plan",
+                "web_search",
+                "view_image",
+            ],
        );
    }

@@ -1043,15 +1159,19 @@ mod tests {
            &tools,
            &[
                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
                "web_search",
                "view_image",
                "test_server/do_something_cool",
            ],
        );

+        let tool = find_tool(&tools, "test_server/do_something_cool");
        assert_eq!(
-            tools[3].spec,
-            ToolSpec::Function(ResponsesApiTool {
+            &tool.spec,
+            &ToolSpec::Function(ResponsesApiTool {
                name: "test_server/do_something_cool".to_string(),
                parameters: JsonSchema::Object {
                    properties: BTreeMap::from([
@@ -1158,6 +1278,9 @@ mod tests {
            &tools,
            &[
                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
                "view_image",
                "test_server/cool",
                "test_server/do",
@@ -1206,6 +1329,9 @@ mod tests {
            &tools,
            &[
                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
                "apply_patch",
                "web_search",
                "view_image",
@@ -1214,7 +1340,7 @@ mod tests {
        );

        assert_eq!(
-            tools[4].spec,
+            tools[7].spec,
            ToolSpec::Function(ResponsesApiTool {
                name: "dash/search".to_string(),
                parameters: JsonSchema::Object {
@@ -1271,6 +1397,9 @@ mod tests {
            &tools,
            &[
                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
                "apply_patch",
                "web_search",
                "view_image",
@@ -1278,7 +1407,7 @@ mod tests {
            ],
        );
        assert_eq!(
-            tools[4].spec,
+            tools[7].spec,
            ToolSpec::Function(ResponsesApiTool {
                name: "dash/paginate".to_string(),
                parameters: JsonSchema::Object {
@@ -1334,6 +1463,9 @@ mod tests {
            &tools,
            &[
                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
                "apply_patch",
                "web_search",
                "view_image",
@@ -1341,7 +1473,7 @@ mod tests {
            ],
        );
        assert_eq!(
-            tools[4].spec,
+            tools[7].spec,
            ToolSpec::Function(ResponsesApiTool {
                name: "dash/tags".to_string(),
                parameters: JsonSchema::Object {
@@ -1399,6 +1531,9 @@ mod tests {
            &tools,
            &[
                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
                "apply_patch",
                "web_search",
                "view_image",
@@ -1406,7 +1541,7 @@ mod tests {
            ],
        );
        assert_eq!(
-            tools[4].spec,
+            tools[7].spec,
            ToolSpec::Function(ResponsesApiTool {
                name: "dash/value".to_string(),
                parameters: JsonSchema::Object {
@@ -1501,6 +1636,9 @@ mod tests {
            &tools,
            &[
                "unified_exec",
+                "list_mcp_resources",
+                "list_mcp_resource_templates",
+                "read_mcp_resource",
                "apply_patch",
                "web_search",
                "view_image",
@@ -1509,7 +1647,7 @@ mod tests {
        );

        assert_eq!(
-            tools[4].spec,
+            tools[7].spec,
            ToolSpec::Function(ResponsesApiTool {
                name: "test_server/do_something_cool".to_string(),
                parameters: JsonSchema::Object {
--- a/codex-rs/core/src/unified_exec/errors.rs
+++ b/codex-rs/core/src/unified_exec/errors.rs
@@ -1,22 +1,29 @@
+use crate::exec::ExecToolCallOutput;
 use thiserror::Error;

 #[derive(Debug, Error)]
 pub(crate) enum UnifiedExecError {
-    #[error("Failed to create unified exec session: {pty_error}")]
-    CreateSession {
-        #[source]
-        pty_error: anyhow::Error,
-    },
+    #[error("Failed to create unified exec session: {message}")]
+    CreateSession { message: String },
    #[error("Unknown session id {session_id}")]
    UnknownSessionId { session_id: i32 },
    #[error("failed to write to stdin")]
    WriteToStdin,
    #[error("missing command line for unified exec request")]
    MissingCommandLine,
+    #[error("Command denied by sandbox: {message}")]
+    SandboxDenied {
+        message: String,
+        output: ExecToolCallOutput,
+    },
 }

 impl UnifiedExecError {
-    pub(crate) fn create_session(error: anyhow::Error) -> Self {
-        Self::CreateSession { pty_error: error }
+    pub(crate) fn create_session(message: String) -> Self {
+        Self::CreateSession { message }
+    }
+
+    pub(crate) fn sandbox_denied(message: String, output: ExecToolCallOutput) -> Self {
+        Self::SandboxDenied { message, output }
    }
 }
--- a/codex-rs/core/src/unified_exec/mod.rs
+++ b/codex-rs/core/src/unified_exec/mod.rs
@@ -1,36 +1,55 @@
-use portable_pty::CommandBuilder;
-use portable_pty::PtySize;
-use portable_pty::native_pty_system;
-use std::collections::HashMap;
-use std::collections::VecDeque;
-use std::io::ErrorKind;
-use std::io::Read;
-use std::sync::Arc;
-use std::sync::Mutex as StdMutex;
-use std::sync::atomic::AtomicBool;
-use std::sync::atomic::AtomicI32;
-use std::sync::atomic::Ordering;
-use tokio::sync::Mutex;
-use tokio::sync::Notify;
-use tokio::sync::mpsc;
-use tokio::task::JoinHandle;
-use tokio::time::Duration;
-use tokio::time::Instant;
+//! Unified Exec: interactive PTY execution orchestrated with approvals + sandboxing.
+//!
+//! Responsibilities
+//! - Manages interactive PTY sessions (create, reuse, buffer output with caps).
+//! - Uses the shared ToolOrchestrator to handle approval, sandbox selection, and
+//!   retry semantics in a single, descriptive flow.
+//! - Spawns the PTY from a sandbox‑transformed `ExecEnv`; on sandbox denial,
+//!   retries without sandbox when policy allows (no re‑prompt thanks to caching).
+//! - Uses the shared `is_likely_sandbox_denied` heuristic to keep denial messages
+//!   consistent with other exec paths.
+//!
+//! Flow at a glance (open session)
+//! 1) Build a small request `{ command, cwd }`.
+//! 2) Orchestrator: approval (bypass/cache/prompt) → select sandbox → run.
+//! 3) Runtime: transform `CommandSpec` → `ExecEnv` → spawn PTY.
+//! 4) If denial, orchestrator retries with `SandboxType::None`.
+//! 5) Session is returned with streaming output + metadata.
+//!
+//! This keeps policy logic and user interaction centralized while the PTY/session
+//! concerns remain isolated here. The implementation is split between:
+//! - `session.rs`: PTY session lifecycle + output buffering.
+//! - `session_manager.rs`: orchestration (approvals, sandboxing, reuse) and request handling.

-use crate::exec_command::ExecCommandSession;
-use crate::truncate::truncate_middle;
+use std::collections::HashMap;
+use std::sync::atomic::AtomicI32;
+
+use tokio::sync::Mutex;
+
+use crate::codex::Session;
+use crate::codex::TurnContext;

 mod errors;
+mod session;
+mod session_manager;

 pub(crate) use errors::UnifiedExecError;
+pub(crate) use session::UnifiedExecSession;

 const DEFAULT_TIMEOUT_MS: u64 = 1_000;
 const MAX_TIMEOUT_MS: u64 = 60_000;
 const UNIFIED_EXEC_OUTPUT_MAX_BYTES: usize = 128 * 1024; // 128 KiB

+pub(crate) struct UnifiedExecContext<'a> {
+    pub session: &'a Session,
+    pub turn: &'a TurnContext,
+    pub sub_id: &'a str,
+    pub call_id: &'a str,
+    pub session_id: Option<i32>,
+}
+
 #[derive(Debug)]
 pub(crate) struct UnifiedExecRequest<'a> {
-    pub session_id: Option<i32>,
    pub input_chunks: &'a [String],
    pub timeout_ms: Option<u64>,
 }
@@ -44,379 +63,60 @@ pub(crate) struct UnifiedExecResult {
 #[derive(Debug, Default)]
 pub(crate) struct UnifiedExecSessionManager {
    next_session_id: AtomicI32,
-    sessions: Mutex<HashMap<i32, ManagedUnifiedExecSession>>,
-}
-
-#[derive(Debug)]
-struct ManagedUnifiedExecSession {
-    session: ExecCommandSession,
-    output_buffer: OutputBuffer,
-    /// Notifies waiters whenever new output has been appended to
-    /// `output_buffer`, allowing clients to poll for fresh data.
-    output_notify: Arc<Notify>,
-    output_task: JoinHandle<()>,
-}
-
-#[derive(Debug, Default)]
-struct OutputBufferState {
-    chunks: VecDeque<Vec<u8>>,
-    total_bytes: usize,
-}
-
-impl OutputBufferState {
-    fn push_chunk(&mut self, chunk: Vec<u8>) {
-        self.total_bytes = self.total_bytes.saturating_add(chunk.len());
-        self.chunks.push_back(chunk);
-
-        let mut excess = self
-            .total_bytes
-            .saturating_sub(UNIFIED_EXEC_OUTPUT_MAX_BYTES);
-
-        while excess > 0 {
-            match self.chunks.front_mut() {
-                Some(front) if excess >= front.len() => {
-                    excess -= front.len();
-                    self.total_bytes = self.total_bytes.saturating_sub(front.len());
-                    self.chunks.pop_front();
-                }
-                Some(front) => {
-                    front.drain(..excess);
-                    self.total_bytes = self.total_bytes.saturating_sub(excess);
-                    break;
-                }
-                None => break,
-            }
-        }
-    }
-
-    fn drain(&mut self) -> Vec<Vec<u8>> {
-        let drained: Vec<Vec<u8>> = self.chunks.drain(..).collect();
-        self.total_bytes = 0;
-        drained
-    }
-}
-
-type OutputBuffer = Arc<Mutex<OutputBufferState>>;
-type OutputHandles = (OutputBuffer, Arc<Notify>);
-
-impl ManagedUnifiedExecSession {
-    fn new(
-        session: ExecCommandSession,
-        initial_output_rx: tokio::sync::broadcast::Receiver<Vec<u8>>,
-    ) -> Self {
-        let output_buffer = Arc::new(Mutex::new(OutputBufferState::default()));
-        let output_notify = Arc::new(Notify::new());
-        let mut receiver = initial_output_rx;
-        let buffer_clone = Arc::clone(&output_buffer);
-        let notify_clone = Arc::clone(&output_notify);
-        let output_task = tokio::spawn(async move {
-            loop {
-                match receiver.recv().await {
-                    Ok(chunk) => {
-                        let mut guard = buffer_clone.lock().await;
-                        guard.push_chunk(chunk);
-                        drop(guard);
-                        notify_clone.notify_waiters();
-                    }
-                    // If we lag behind the broadcast buffer, skip missed
-                    // messages but keep the task alive to continue streaming.
-                    Err(tokio::sync::broadcast::error::RecvError::Lagged(_)) => {
-                        continue;
-                    }
-                    // When the sender closes, exit the task.
-                    Err(tokio::sync::broadcast::error::RecvError::Closed) => break,
-                }
-            }
-        });
-
-        Self {
-            session,
-            output_buffer,
-            output_notify,
-            output_task,
-        }
-    }
-
-    fn writer_sender(&self) -> mpsc::Sender<Vec<u8>> {
-        self.session.writer_sender()
-    }
-
-    fn output_handles(&self) -> OutputHandles {
-        (
-            Arc::clone(&self.output_buffer),
-            Arc::clone(&self.output_notify),
-        )
-    }
-
-    fn has_exited(&self) -> bool {
-        self.session.has_exited()
-    }
-}
-
-impl Drop for ManagedUnifiedExecSession {
-    fn drop(&mut self) {
-        self.output_task.abort();
-    }
-}
-
-impl UnifiedExecSessionManager {
-    pub async fn handle_request(
-        &self,
-        request: UnifiedExecRequest<'_>,
-    ) -> Result<UnifiedExecResult, UnifiedExecError> {
-        let (timeout_ms, timeout_warning) = match request.timeout_ms {
-            Some(requested) if requested > MAX_TIMEOUT_MS => (
-                MAX_TIMEOUT_MS,
-                Some(format!(
-                    "Warning: requested timeout {requested}ms exceeds maximum of {MAX_TIMEOUT_MS}ms; clamping to {MAX_TIMEOUT_MS}ms.\n"
-                )),
-            ),
-            Some(requested) => (requested, None),
-            None => (DEFAULT_TIMEOUT_MS, None),
-        };
-
-        let mut new_session: Option<ManagedUnifiedExecSession> = None;
-        let session_id;
-        let writer_tx;
-        let output_buffer;
-        let output_notify;
-
-        if let Some(existing_id) = request.session_id {
-            let mut sessions = self.sessions.lock().await;
-            match sessions.get(&existing_id) {
-                Some(session) => {
-                    if session.has_exited() {
-                        sessions.remove(&existing_id);
-                        return Err(UnifiedExecError::UnknownSessionId {
-                            session_id: existing_id,
-                        });
-                    }
-                    let (buffer, notify) = session.output_handles();
-                    session_id = existing_id;
-                    writer_tx = session.writer_sender();
-                    output_buffer = buffer;
-                    output_notify = notify;
-                }
-                None => {
-                    return Err(UnifiedExecError::UnknownSessionId {
-                        session_id: existing_id,
-                    });
-                }
-            }
-            drop(sessions);
-        } else {
-            let command = request.input_chunks.to_vec();
-            let new_id = self.next_session_id.fetch_add(1, Ordering::SeqCst);
-            let (session, initial_output_rx) = create_unified_exec_session(&command).await?;
-            let managed_session = ManagedUnifiedExecSession::new(session, initial_output_rx);
-            let (buffer, notify) = managed_session.output_handles();
-            writer_tx = managed_session.writer_sender();
-            output_buffer = buffer;
-            output_notify = notify;
-            session_id = new_id;
-            new_session = Some(managed_session);
-        };
-
-        if request.session_id.is_some() {
-            let joined_input = request.input_chunks.join(" ");
-            if !joined_input.is_empty() && writer_tx.send(joined_input.into_bytes()).await.is_err()
-            {
-                return Err(UnifiedExecError::WriteToStdin);
-            }
-        }
-
-        let mut collected: Vec<u8> = Vec::with_capacity(4096);
-        let start = Instant::now();
-        let deadline = start + Duration::from_millis(timeout_ms);
-
-        loop {
-            let drained_chunks;
-            let mut wait_for_output = None;
-            {
-                let mut guard = output_buffer.lock().await;
-                drained_chunks = guard.drain();
-                if drained_chunks.is_empty() {
-                    wait_for_output = Some(output_notify.notified());
-                }
-            }
-
-            if drained_chunks.is_empty() {
-                let remaining = deadline.saturating_duration_since(Instant::now());
-                if remaining == Duration::ZERO {
-                    break;
-                }
-
-                let notified = wait_for_output.unwrap_or_else(|| output_notify.notified());
-                tokio::pin!(notified);
-                tokio::select! {
-                    _ = &mut notified => {}
-                    _ = tokio::time::sleep(remaining) => break,
-                }
-                continue;
-            }
-
-            for chunk in drained_chunks {
-                collected.extend_from_slice(&chunk);
-            }
-
-            if Instant::now() >= deadline {
-                break;
-            }
-        }
-
-        let (output, _maybe_tokens) = truncate_middle(
-            &String::from_utf8_lossy(&collected),
-            UNIFIED_EXEC_OUTPUT_MAX_BYTES,
-        );
-        let output = if let Some(warning) = timeout_warning {
-            format!("{warning}{output}")
-        } else {
-            output
-        };
-
-        let should_store_session = if let Some(session) = new_session.as_ref() {
-            !session.has_exited()
-        } else if request.session_id.is_some() {
-            let mut sessions = self.sessions.lock().await;
-            if let Some(existing) = sessions.get(&session_id) {
-                if existing.has_exited() {
-                    sessions.remove(&session_id);
-                    false
-                } else {
-                    true
-                }
-            } else {
-                false
-            }
-        } else {
-            true
-        };
-
-        if should_store_session {
-            if let Some(session) = new_session {
-                self.sessions.lock().await.insert(session_id, session);
-            }
-            Ok(UnifiedExecResult {
-                session_id: Some(session_id),
-                output,
-            })
-        } else {
-            Ok(UnifiedExecResult {
-                session_id: None,
-                output,
-            })
-        }
-    }
-}
-
-async fn create_unified_exec_session(
-    command: &[String],
-) -> Result<
-    (
-        ExecCommandSession,
-        tokio::sync::broadcast::Receiver<Vec<u8>>,
-    ),
-    UnifiedExecError,
-> {
-    if command.is_empty() {
-        return Err(UnifiedExecError::MissingCommandLine);
-    }
-
-    let pty_system = native_pty_system();
-
-    let pair = pty_system
-        .openpty(PtySize {
-            rows: 24,
-            cols: 80,
-            pixel_width: 0,
-            pixel_height: 0,
-        })
-        .map_err(UnifiedExecError::create_session)?;
-
-    // Safe thanks to the check at the top of the function.
-    let mut command_builder = CommandBuilder::new(command[0].clone());
-    for arg in &command[1..] {
-        command_builder.arg(arg);
-    }
-
-    let mut child = pair
-        .slave
-        .spawn_command(command_builder)
-        .map_err(UnifiedExecError::create_session)?;
-    let killer = child.clone_killer();
-
-    let (writer_tx, mut writer_rx) = mpsc::channel::<Vec<u8>>(128);
-    let (output_tx, _) = tokio::sync::broadcast::channel::<Vec<u8>>(256);
-
-    let mut reader = pair
-        .master
-        .try_clone_reader()
-        .map_err(UnifiedExecError::create_session)?;
-    let output_tx_clone = output_tx.clone();
-    let reader_handle = tokio::task::spawn_blocking(move || {
-        let mut buf = [0u8; 8192];
-        loop {
-            match reader.read(&mut buf) {
-                Ok(0) => break,
-                Ok(n) => {
-                    let _ = output_tx_clone.send(buf[..n].to_vec());
-                }
-                Err(ref e) if e.kind() == ErrorKind::Interrupted => continue,
-                Err(ref e) if e.kind() == ErrorKind::WouldBlock => {
-                    std::thread::sleep(Duration::from_millis(5));
-                    continue;
-                }
-                Err(_) => break,
-            }
-        }
-    });
-
-    let writer = pair
-        .master
-        .take_writer()
-        .map_err(UnifiedExecError::create_session)?;
-    let writer = Arc::new(StdMutex::new(writer));
-    let writer_handle = tokio::spawn({
-        let writer = writer.clone();
-        async move {
-            while let Some(bytes) = writer_rx.recv().await {
-                let writer = writer.clone();
-                let _ = tokio::task::spawn_blocking(move || {
-                    if let Ok(mut guard) = writer.lock() {
-                        use std::io::Write;
-                        let _ = guard.write_all(&bytes);
-                        let _ = guard.flush();
-                    }
-                })
-                .await;
-            }
-        }
-    });
-
-    let exit_status = Arc::new(AtomicBool::new(false));
-    let wait_exit_status = Arc::clone(&exit_status);
-    let wait_handle = tokio::task::spawn_blocking(move || {
-        let _ = child.wait();
-        wait_exit_status.store(true, Ordering::SeqCst);
-    });
-
-    let (session, initial_output_rx) = ExecCommandSession::new(
-        writer_tx,
-        output_tx,
-        killer,
-        reader_handle,
-        writer_handle,
-        wait_handle,
-        exit_status,
-    );
-    Ok((session, initial_output_rx))
+    sessions: Mutex<HashMap<i32, session::UnifiedExecSession>>,
 }

 #[cfg(test)]
+#[cfg(unix)]
 mod tests {
    use super::*;
-    #[cfg(unix)]
+
+    use crate::codex::Session;
+    use crate::codex::TurnContext;
+    use crate::codex::make_session_and_context;
+    use crate::protocol::AskForApproval;
+    use crate::protocol::SandboxPolicy;
    use core_test_support::skip_if_sandbox;
+    use std::sync::Arc;
+    use tokio::time::Duration;
+
+    use super::session::OutputBufferState;
+
+    fn test_session_and_turn() -> (Arc<Session>, Arc<TurnContext>) {
+        let (session, mut turn) = make_session_and_context();
+        turn.approval_policy = AskForApproval::Never;
+        turn.sandbox_policy = SandboxPolicy::DangerFullAccess;
+        (Arc::new(session), Arc::new(turn))
+    }
+
+    async fn run_unified_exec_request(
+        session: &Arc<Session>,
+        turn: &Arc<TurnContext>,
+        session_id: Option<i32>,
+        input: Vec<String>,
+        timeout_ms: Option<u64>,
+    ) -> Result<UnifiedExecResult, UnifiedExecError> {
+        let request_input = input;
+        let request = UnifiedExecRequest {
+            input_chunks: &request_input,
+            timeout_ms,
+        };
+
+        session
+            .services
+            .unified_exec_manager
+            .handle_request(
+                request,
+                UnifiedExecContext {
+                    session,
+                    turn: turn.as_ref(),
+                    sub_id: "sub",
+                    call_id: "call",
+                    session_id,
+                },
+            )
+            .await
+    }

    #[test]
    fn push_chunk_trims_only_excess_bytes() {
@@ -426,167 +126,170 @@ mod tests {
        buffer.push_chunk(vec![b'c']);

        assert_eq!(buffer.total_bytes, UNIFIED_EXEC_OUTPUT_MAX_BYTES);
-        assert_eq!(buffer.chunks.len(), 3);
+        let snapshot = buffer.snapshot();
+        assert_eq!(snapshot.len(), 3);
        assert_eq!(
-            buffer.chunks.front().unwrap().len(),
+            snapshot.first().unwrap().len(),
            UNIFIED_EXEC_OUTPUT_MAX_BYTES - 2
        );
-        assert_eq!(buffer.chunks.pop_back().unwrap(), vec![b'c']);
-        assert_eq!(buffer.chunks.pop_back().unwrap(), vec![b'b']);
+        assert_eq!(snapshot.get(2).unwrap(), &vec![b'c']);
+        assert_eq!(snapshot.get(1).unwrap(), &vec![b'b']);
    }

-    #[cfg(unix)]
    #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-    async fn unified_exec_persists_across_requests_jif() -> Result<(), UnifiedExecError> {
+    async fn unified_exec_persists_across_requests() -> anyhow::Result<()> {
        skip_if_sandbox!(Ok(()));

-        let manager = UnifiedExecSessionManager::default();
+        let (session, turn) = test_session_and_turn();

-        let open_shell = manager
-            .handle_request(UnifiedExecRequest {
-                session_id: None,
-                input_chunks: &["bash".to_string(), "-i".to_string()],
-                timeout_ms: Some(2_500),
-            })
-            .await?;
+        let open_shell = run_unified_exec_request(
+            &session,
+            &turn,
+            None,
+            vec!["bash".to_string(), "-i".to_string()],
+            Some(2_500),
+        )
+        .await?;
        let session_id = open_shell.session_id.expect("expected session_id");

-        manager
-            .handle_request(UnifiedExecRequest {
-                session_id: Some(session_id),
-                input_chunks: &[
-                    "export".to_string(),
-                    "CODEX_INTERACTIVE_SHELL_VAR=codex\n".to_string(),
-                ],
-                timeout_ms: Some(2_500),
-            })
-            .await?;
+        run_unified_exec_request(
+            &session,
+            &turn,
+            Some(session_id),
+            vec![
+                "export".to_string(),
+                "CODEX_INTERACTIVE_SHELL_VAR=codex\n".to_string(),
+            ],
+            Some(2_500),
+        )
+        .await?;

-        let out_2 = manager
-            .handle_request(UnifiedExecRequest {
-                session_id: Some(session_id),
-                input_chunks: &["echo $CODEX_INTERACTIVE_SHELL_VAR\n".to_string()],
-                timeout_ms: Some(2_500),
-            })
-            .await?;
+        let out_2 = run_unified_exec_request(
+            &session,
+            &turn,
+            Some(session_id),
+            vec!["echo $CODEX_INTERACTIVE_SHELL_VAR\n".to_string()],
+            Some(2_500),
+        )
+        .await?;
        assert!(out_2.output.contains("codex"));

        Ok(())
    }

-    #[cfg(unix)]
    #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-    async fn multi_unified_exec_sessions() -> Result<(), UnifiedExecError> {
+    async fn multi_unified_exec_sessions() -> anyhow::Result<()> {
        skip_if_sandbox!(Ok(()));

-        let manager = UnifiedExecSessionManager::default();
+        let (session, turn) = test_session_and_turn();

-        let shell_a = manager
-            .handle_request(UnifiedExecRequest {
-                session_id: None,
-                input_chunks: &["/bin/bash".to_string(), "-i".to_string()],
-                timeout_ms: Some(2_500),
-            })
-            .await?;
+        let shell_a = run_unified_exec_request(
+            &session,
+            &turn,
+            None,
+            vec!["/bin/bash".to_string(), "-i".to_string()],
+            Some(2_500),
+        )
+        .await?;
        let session_a = shell_a.session_id.expect("expected session id");

-        manager
-            .handle_request(UnifiedExecRequest {
-                session_id: Some(session_a),
-                input_chunks: &["export CODEX_INTERACTIVE_SHELL_VAR=codex\n".to_string()],
-                timeout_ms: Some(2_500),
-            })
-            .await?;
+        run_unified_exec_request(
+            &session,
+            &turn,
+            Some(session_a),
+            vec!["export CODEX_INTERACTIVE_SHELL_VAR=codex\n".to_string()],
+            Some(2_500),
+        )
+        .await?;

-        let out_2 = manager
-            .handle_request(UnifiedExecRequest {
-                session_id: None,
-                input_chunks: &[
-                    "echo".to_string(),
-                    "$CODEX_INTERACTIVE_SHELL_VAR\n".to_string(),
-                ],
-                timeout_ms: Some(2_500),
-            })
-            .await?;
+        let out_2 = run_unified_exec_request(
+            &session,
+            &turn,
+            None,
+            vec![
+                "echo".to_string(),
+                "$CODEX_INTERACTIVE_SHELL_VAR\n".to_string(),
+            ],
+            Some(2_500),
+        )
+        .await?;
        assert!(!out_2.output.contains("codex"));

-        let out_3 = manager
-            .handle_request(UnifiedExecRequest {
-                session_id: Some(session_a),
-                input_chunks: &["echo $CODEX_INTERACTIVE_SHELL_VAR\n".to_string()],
-                timeout_ms: Some(2_500),
-            })
-            .await?;
+        let out_3 = run_unified_exec_request(
+            &session,
+            &turn,
+            Some(session_a),
+            vec!["echo $CODEX_INTERACTIVE_SHELL_VAR\n".to_string()],
+            Some(2_500),
+        )
+        .await?;
        assert!(out_3.output.contains("codex"));

        Ok(())
    }

-    #[cfg(unix)]
    #[tokio::test]
-    async fn unified_exec_timeouts() -> Result<(), UnifiedExecError> {
+    async fn unified_exec_timeouts() -> anyhow::Result<()> {
        skip_if_sandbox!(Ok(()));

-        let manager = UnifiedExecSessionManager::default();
+        let (session, turn) = test_session_and_turn();

-        let open_shell = manager
-            .handle_request(UnifiedExecRequest {
-                session_id: None,
-                input_chunks: &["bash".to_string(), "-i".to_string()],
-                timeout_ms: Some(2_500),
-            })
-            .await?;
+        let open_shell = run_unified_exec_request(
+            &session,
+            &turn,
+            None,
+            vec!["bash".to_string(), "-i".to_string()],
+            Some(2_500),
+        )
+        .await?;
        let session_id = open_shell.session_id.expect("expected session id");

-        manager
-            .handle_request(UnifiedExecRequest {
-                session_id: Some(session_id),
-                input_chunks: &[
-                    "export".to_string(),
-                    "CODEX_INTERACTIVE_SHELL_VAR=codex\n".to_string(),
-                ],
-                timeout_ms: Some(2_500),
-            })
-            .await?;
+        run_unified_exec_request(
+            &session,
+            &turn,
+            Some(session_id),
+            vec![
+                "export".to_string(),
+                "CODEX_INTERACTIVE_SHELL_VAR=codex\n".to_string(),
+            ],
+            Some(2_500),
+        )
+        .await?;

-        let out_2 = manager
-            .handle_request(UnifiedExecRequest {
-                session_id: Some(session_id),
-                input_chunks: &["sleep 5 && echo $CODEX_INTERACTIVE_SHELL_VAR\n".to_string()],
-                timeout_ms: Some(10),
-            })
-            .await?;
+        let out_2 = run_unified_exec_request(
+            &session,
+            &turn,
+            Some(session_id),
+            vec!["sleep 5 && echo $CODEX_INTERACTIVE_SHELL_VAR\n".to_string()],
+            Some(10),
+        )
+        .await?;
        assert!(!out_2.output.contains("codex"));

        tokio::time::sleep(Duration::from_secs(7)).await;

-        let empty = Vec::new();
-        let out_3 = manager
-            .handle_request(UnifiedExecRequest {
-                session_id: Some(session_id),
-                input_chunks: &empty,
-                timeout_ms: Some(100),
-            })
-            .await?;
+        let out_3 =
+            run_unified_exec_request(&session, &turn, Some(session_id), Vec::new(), Some(100))
+                .await?;

        assert!(out_3.output.contains("codex"));

        Ok(())
    }

-    #[cfg(unix)]
    #[tokio::test]
    #[ignore] // Ignored while we have a better way to test this.
-    async fn requests_with_large_timeout_are_capped() -> Result<(), UnifiedExecError> {
-        let manager = UnifiedExecSessionManager::default();
+    async fn requests_with_large_timeout_are_capped() -> anyhow::Result<()> {
+        let (session, turn) = test_session_and_turn();

-        let result = manager
-            .handle_request(UnifiedExecRequest {
-                session_id: None,
-                input_chunks: &["echo".to_string(), "codex".to_string()],
-                timeout_ms: Some(120_000),
-            })
-            .await?;
+        let result = run_unified_exec_request(
+            &session,
+            &turn,
+            None,
+            vec!["echo".to_string(), "codex".to_string()],
+            Some(120_000),
+        )
+        .await?;

        assert!(result.output.starts_with(
            "Warning: requested timeout 120000ms exceeds maximum of 60000ms; clamping to 60000ms.\n"
@@ -596,61 +299,66 @@ mod tests {
        Ok(())
    }

-    #[cfg(unix)]
    #[tokio::test]
    #[ignore] // Ignored while we have a better way to test this.
-    async fn completed_commands_do_not_persist_sessions() -> Result<(), UnifiedExecError> {
-        let manager = UnifiedExecSessionManager::default();
-        let result = manager
-            .handle_request(UnifiedExecRequest {
-                session_id: None,
-                input_chunks: &["/bin/echo".to_string(), "codex".to_string()],
-                timeout_ms: Some(2_500),
-            })
-            .await?;
+    async fn completed_commands_do_not_persist_sessions() -> anyhow::Result<()> {
+        let (session, turn) = test_session_and_turn();
+        let result = run_unified_exec_request(
+            &session,
+            &turn,
+            None,
+            vec!["/bin/echo".to_string(), "codex".to_string()],
+            Some(2_500),
+        )
+        .await?;

        assert!(result.session_id.is_none());
        assert!(result.output.contains("codex"));

-        assert!(manager.sessions.lock().await.is_empty());
+        assert!(
+            session
+                .services
+                .unified_exec_manager
+                .sessions
+                .lock()
+                .await
+                .is_empty()
+        );

        Ok(())
    }

-    #[cfg(unix)]
    #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-    async fn reusing_completed_session_returns_unknown_session() -> Result<(), UnifiedExecError> {
+    async fn reusing_completed_session_returns_unknown_session() -> anyhow::Result<()> {
        skip_if_sandbox!(Ok(()));

-        let manager = UnifiedExecSessionManager::default();
+        let (session, turn) = test_session_and_turn();

-        let open_shell = manager
-            .handle_request(UnifiedExecRequest {
-                session_id: None,
-                input_chunks: &["/bin/bash".to_string(), "-i".to_string()],
-                timeout_ms: Some(2_500),
-            })
-            .await?;
+        let open_shell = run_unified_exec_request(
+            &session,
+            &turn,
+            None,
+            vec!["/bin/bash".to_string(), "-i".to_string()],
+            Some(2_500),
+        )
+        .await?;
        let session_id = open_shell.session_id.expect("expected session id");

-        manager
-            .handle_request(UnifiedExecRequest {
-                session_id: Some(session_id),
-                input_chunks: &["exit\n".to_string()],
-                timeout_ms: Some(2_500),
-            })
-            .await?;
+        run_unified_exec_request(
+            &session,
+            &turn,
+            Some(session_id),
+            vec!["exit\n".to_string()],
+            Some(2_500),
+        )
+        .await?;

        tokio::time::sleep(Duration::from_millis(200)).await;

-        let err = manager
-            .handle_request(UnifiedExecRequest {
-                session_id: Some(session_id),
-                input_chunks: &[],
-                timeout_ms: Some(100),
-            })
-            .await
-            .expect_err("expected unknown session error");
+        let err =
+            run_unified_exec_request(&session, &turn, Some(session_id), Vec::new(), Some(100))
+                .await
+                .expect_err("expected unknown session error");

        match err {
            UnifiedExecError::UnknownSessionId { session_id: err_id } => {
@@ -659,7 +367,15 @@ mod tests {
            other => panic!("expected UnknownSessionId, got {other:?}"),
        }

-        assert!(!manager.sessions.lock().await.contains_key(&session_id));
+        assert!(
+            !session
+                .services
+                .unified_exec_manager
+                .sessions
+                .lock()
+                .await
+                .contains_key(&session_id)
+        );

        Ok(())
    }
--- a/Show More
+++ b/Show More