blocking debug

Add `enforce_residency` to requirements.toml and thread it through to a
header on `default_client`.

.github/workflows/shell-tool-mcp.yml

@@ -436,14 +436,6 @@ jobs:
       id-token: write
       contents: read
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          run_install: false
-
       - name: Setup Node.js
         uses: actions/setup-node@v6
         with:
@@ -451,6 +443,10 @@ jobs:
           registry-url: https://registry.npmjs.org
           scope: "@openai"
 
+      # Trusted publishing requires npm CLI version 11.5.1 or later.
+      - name: Update npm
+        run: npm install -g npm@latest
+
       - name: Download npm tarball
         uses: actions/download-artifact@v7
         with:

announcement_tip.toml

@@ -14,4 +14,4 @@ target_app = "cli"
 [[announcements]]
 content = "This is a test announcement"
 version_regex = "^0\\.0\\.0$"
-to_date = "2026-01-10"
+to_date = "2026-05-10"

codex-cli/package-lock.json

@@ -1,18 +0,0 @@
-{
-  "name": "@openai/codex",
-  "version": "0.0.0-dev",
-  "lockfileVersion": 3,
-  "packages": {
-    "": {
-      "name": "@openai/codex",
-      "version": "0.0.0-dev",
-      "license": "Apache-2.0",
-      "bin": {
-        "codex": "bin/codex.js"
-      },
-      "engines": {
-        "node": ">=16"
-      }
-    }
-  }
-}

codex-rs/Cargo.lock

@@ -1080,6 +1080,7 @@ version = "0.0.0"
 dependencies = [
  "anyhow",
  "app_test_support",
+ "async-trait",
  "axum",
  "base64",
  "chrono",
@@ -1087,6 +1088,7 @@ dependencies = [
  "codex-arg0",
  "codex-backend-client",
  "codex-chatgpt",
+ "codex-cloud-requirements",
  "codex-common",
  "codex-core",
  "codex-execpolicy",
@@ -1291,6 +1293,26 @@ dependencies = [
  "zstd",
 ]
 
+[[package]]
+name = "codex-cloud-requirements"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "async-trait",
+ "base64",
+ "codex-backend-client",
+ "codex-core",
+ "codex-otel",
+ "codex-protocol",
+ "pretty_assertions",
+ "serde_json",
+ "tempfile",
+ "thiserror 2.0.17",
+ "tokio",
+ "toml 0.9.5",
+ "tracing",
+]
+
 [[package]]
 name = "codex-cloud-tasks"
 version = "0.0.0"
@@ -1381,6 +1403,7 @@ dependencies = [
  "codex-state",
  "codex-utils-absolute-path",
  "codex-utils-cargo-bin",
+ "codex-utils-home-dir",
  "codex-utils-pty",
  "codex-utils-readiness",
  "codex-utils-string",
@@ -1388,7 +1411,6 @@ dependencies = [
  "core-foundation 0.9.4",
  "core_test_support",
  "ctor 0.6.3",
- "dirs",
  "dunce",
  "encoding_rs",
  "env-flags",
@@ -1468,6 +1490,7 @@ dependencies = [
  "assert_cmd",
  "clap",
  "codex-arg0",
+ "codex-cloud-requirements",
  "codex-common",
  "codex-core",
  "codex-protocol",
@@ -1823,7 +1846,7 @@ dependencies = [
  "codex-keyring-store",
  "codex-protocol",
  "codex-utils-cargo-bin",
- "dirs",
+ "codex-utils-home-dir",
  "futures",
  "keyring",
  "mcp-types",
@@ -1894,6 +1917,7 @@ dependencies = [
  "codex-backend-client",
  "codex-chatgpt",
  "codex-cli",
+ "codex-cloud-requirements",
  "codex-common",
  "codex-core",
  "codex-feedback",
@@ -1987,6 +2011,15 @@ dependencies = [
  "thiserror 2.0.17",
 ]
 
+[[package]]
+name = "codex-utils-home-dir"
+version = "0.0.0"
+dependencies = [
+ "dirs",
+ "pretty_assertions",
+ "tempfile",
+]
+
 [[package]]
 name = "codex-utils-image"
 version = "0.0.0"

codex-rs/Cargo.toml

@@ -11,6 +11,7 @@ members = [
     "arg0",
     "feedback",
     "codex-backend-openapi-models",
+    "cloud-requirements",
     "cloud-tasks",
     "cloud-tasks-client",
     "cli",
@@ -42,6 +43,7 @@ members = [
     "utils/cache",
     "utils/image",
     "utils/json-to-toml",
+    "utils/home-dir",
     "utils/pty",
     "utils/readiness",
     "utils/string",
@@ -71,6 +73,7 @@ codex-apply-patch = { path = "apply-patch" }
 codex-arg0 = { path = "arg0" }
 codex-async-utils = { path = "async-utils" }
 codex-backend-client = { path = "backend-client" }
+codex-cloud-requirements = { path = "cloud-requirements" }
 codex-chatgpt = { path = "chatgpt" }
 codex-cli = { path = "cli"}
 codex-client = { path = "codex-client" }
@@ -100,6 +103,7 @@ codex-utils-cache = { path = "utils/cache" }
 codex-utils-cargo-bin = { path = "utils/cargo-bin" }
 codex-utils-image = { path = "utils/image" }
 codex-utils-json-to-toml = { path = "utils/json-to-toml" }
+codex-utils-home-dir = { path = "utils/home-dir" }
 codex-utils-pty = { path = "utils/pty" }
 codex-utils-readiness = { path = "utils/readiness" }
 codex-utils-string = { path = "utils/string" }

codex-rs/app-server-protocol/src/protocol/common.rs

@@ -23,11 +23,22 @@ impl GitSha {
     }
 }
 
+/// Authentication mode for OpenAI-backed providers.
 #[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, Display, JsonSchema, TS)]
 #[serde(rename_all = "lowercase")]
 pub enum AuthMode {
+    /// OpenAI API key provided by the caller and stored by Codex.
     ApiKey,
-    ChatGPT,
+    /// ChatGPT OAuth managed by Codex (tokens persisted and refreshed by Codex).
+    Chatgpt,
+    /// [UNSTABLE] FOR OPENAI INTERNAL USE ONLY - DO NOT USE.
+    ///
+    /// ChatGPT auth tokens are supplied by an external host app and are only
+    /// stored in memory. Token refresh must be handled by the external host app.
+    #[serde(rename = "chatgptAuthTokens")]
+    #[ts(rename = "chatgptAuthTokens")]
+    #[strum(serialize = "chatgptAuthTokens")]
+    ChatgptAuthTokens,
 }
 
 /// Generates an `enum ClientRequest` where each variant is a request that the
@@ -117,6 +128,10 @@ client_request_definitions! {
         params: v2::ThreadArchiveParams,
         response: v2::ThreadArchiveResponse,
     },
+    ThreadSetName => "thread/name/set" {
+        params: v2::ThreadSetNameParams,
+        response: v2::ThreadSetNameResponse,
+    },
     ThreadUnarchive => "thread/unarchive" {
         params: v2::ThreadUnarchiveParams,
         response: v2::ThreadUnarchiveResponse,
@@ -534,6 +549,11 @@ server_request_definitions! {
         response: v2::DynamicToolCallResponse,
     },
 
+    ChatgptAuthTokensRefresh => "account/chatgptAuthTokens/refresh" {
+        params: v2::ChatgptAuthTokensRefreshParams,
+        response: v2::ChatgptAuthTokensRefreshResponse,
+    },
+
     /// DEPRECATED APIs below
     /// Request to approve a patch.
     /// This request is used for Turns started via the legacy APIs (i.e. SendUserTurn, SendUserMessage).
@@ -578,6 +598,7 @@ server_notification_definitions! {
     /// NEW NOTIFICATIONS
     Error => "error" (v2::ErrorNotification),
     ThreadStarted => "thread/started" (v2::ThreadStartedNotification),
+    ThreadNameUpdated => "thread/name/updated" (v2::ThreadNameUpdatedNotification),
     ThreadTokenUsageUpdated => "thread/tokenUsage/updated" (v2::ThreadTokenUsageUpdatedNotification),
     TurnStarted => "turn/started" (v2::TurnStartedNotification),
     TurnCompleted => "turn/completed" (v2::TurnCompletedNotification),
@@ -588,6 +609,8 @@ server_notification_definitions! {
     /// This event is internal-only. Used by Codex Cloud.
     RawResponseItemCompleted => "rawResponseItem/completed" (v2::RawResponseItemCompletedNotification),
     AgentMessageDelta => "item/agentMessage/delta" (v2::AgentMessageDeltaNotification),
+    /// EXPERIMENTAL - proposed plan streaming deltas for plan items.
+    PlanDelta => "item/plan/delta" (v2::PlanDeltaNotification),
     CommandExecutionOutputDelta => "item/commandExecution/outputDelta" (v2::CommandExecutionOutputDeltaNotification),
     TerminalInteraction => "item/commandExecution/terminalInteraction" (v2::TerminalInteractionNotification),
     FileChangeOutputDelta => "item/fileChange/outputDelta" (v2::FileChangeOutputDeltaNotification),
@@ -753,6 +776,29 @@ mod tests {
         Ok(())
     }
 
+    #[test]
+    fn serialize_chatgpt_auth_tokens_refresh_request() -> Result<()> {
+        let request = ServerRequest::ChatgptAuthTokensRefresh {
+            request_id: RequestId::Integer(8),
+            params: v2::ChatgptAuthTokensRefreshParams {
+                reason: v2::ChatgptAuthTokensRefreshReason::Unauthorized,
+                previous_account_id: Some("org-123".to_string()),
+            },
+        };
+        assert_eq!(
+            json!({
+                "method": "account/chatgptAuthTokens/refresh",
+                "id": 8,
+                "params": {
+                    "reason": "unauthorized",
+                    "previousAccountId": "org-123"
+                }
+            }),
+            serde_json::to_value(&request)?,
+        );
+        Ok(())
+    }
+
     #[test]
     fn serialize_get_account_rate_limits() -> Result<()> {
         let request = ClientRequest::GetAccountRateLimits {
@@ -842,10 +888,34 @@ mod tests {
         Ok(())
     }
 
+    #[test]
+    fn serialize_account_login_chatgpt_auth_tokens() -> Result<()> {
+        let request = ClientRequest::LoginAccount {
+            request_id: RequestId::Integer(5),
+            params: v2::LoginAccountParams::ChatgptAuthTokens {
+                access_token: "access-token".to_string(),
+                id_token: "id-token".to_string(),
+            },
+        };
+        assert_eq!(
+            json!({
+                "method": "account/login/start",
+                "id": 5,
+                "params": {
+                    "type": "chatgptAuthTokens",
+                    "accessToken": "access-token",
+                    "idToken": "id-token"
+                }
+            }),
+            serde_json::to_value(&request)?,
+        );
+        Ok(())
+    }
+
     #[test]
     fn serialize_get_account() -> Result<()> {
         let request = ClientRequest::GetAccount {
-            request_id: RequestId::Integer(5),
+            request_id: RequestId::Integer(6),
             params: v2::GetAccountParams {
                 refresh_token: false,
             },
@@ -853,7 +923,7 @@ mod tests {
         assert_eq!(
             json!({
                 "method": "account/read",
-                "id": 5,
+                "id": 6,
                 "params": {
                     "refreshToken": false
                 }

codex-rs/app-server-protocol/src/protocol/thread_history.rs

@@ -6,6 +6,7 @@ use crate::protocol::v2::UserInput;
 use codex_protocol::protocol::AgentReasoningEvent;
 use codex_protocol::protocol::AgentReasoningRawContentEvent;
 use codex_protocol::protocol::EventMsg;
+use codex_protocol::protocol::ItemCompletedEvent;
 use codex_protocol::protocol::ThreadRolledBackEvent;
 use codex_protocol::protocol::TurnAbortedEvent;
 use codex_protocol::protocol::UserMessageEvent;
@@ -55,6 +56,7 @@ impl ThreadHistoryBuilder {
             EventMsg::AgentReasoningRawContent(payload) => {
                 self.handle_agent_reasoning_raw_content(payload)
             }
+            EventMsg::ItemCompleted(payload) => self.handle_item_completed(payload),
             EventMsg::TokenCount(_) => {}
             EventMsg::EnteredReviewMode(_) => {}
             EventMsg::ExitedReviewMode(_) => {}
@@ -125,6 +127,19 @@ impl ThreadHistoryBuilder {
         });
     }
 
+    fn handle_item_completed(&mut self, payload: &ItemCompletedEvent) {
+        if let codex_protocol::items::TurnItem::Plan(plan) = &payload.item {
+            if plan.text.is_empty() {
+                return;
+            }
+            let id = self.next_item_id();
+            self.ensure_turn().items.push(ThreadItem::Plan {
+                id,
+                text: plan.text.clone(),
+            });
+        }
+    }
+
     fn handle_turn_aborted(&mut self, _payload: &TurnAbortedEvent) {
         let Some(turn) = self.current_turn.as_mut() else {
             return;

codex-rs/app-server-protocol/src/protocol/v2.rs

@@ -86,6 +86,10 @@ macro_rules! v2_enum_from_core {
 pub enum CodexErrorInfo {
     ContextWindowExceeded,
     UsageLimitExceeded,
+    ModelCap {
+        model: String,
+        reset_after_seconds: Option<u64>,
+    },
     HttpConnectionFailed {
         #[serde(rename = "httpStatusCode")]
         #[ts(rename = "httpStatusCode")]
@@ -122,6 +126,13 @@ impl From<CoreCodexErrorInfo> for CodexErrorInfo {
         match value {
             CoreCodexErrorInfo::ContextWindowExceeded => CodexErrorInfo::ContextWindowExceeded,
             CoreCodexErrorInfo::UsageLimitExceeded => CodexErrorInfo::UsageLimitExceeded,
+            CoreCodexErrorInfo::ModelCap {
+                model,
+                reset_after_seconds,
+            } => CodexErrorInfo::ModelCap {
+                model,
+                reset_after_seconds,
+            },
             CoreCodexErrorInfo::HttpConnectionFailed { http_status_code } => {
                 CodexErrorInfo::HttpConnectionFailed { http_status_code }
             }
@@ -486,6 +497,14 @@ pub struct ConfigReadResponse {
 pub struct ConfigRequirements {
     pub allowed_approval_policies: Option<Vec<AskForApproval>>,
     pub allowed_sandbox_modes: Option<Vec<SandboxMode>>,
+    pub enforce_residency: Option<ResidencyRequirement>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
+#[serde(rename_all = "lowercase")]
+#[ts(export_to = "v2/")]
+pub enum ResidencyRequirement {
+    Us,
 }
 
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -824,6 +843,24 @@ pub enum LoginAccountParams {
     #[serde(rename = "chatgpt")]
     #[ts(rename = "chatgpt")]
     Chatgpt,
+    /// [UNSTABLE] FOR OPENAI INTERNAL USE ONLY - DO NOT USE.
+    /// The access token must contain the same scopes that Codex-managed ChatGPT auth tokens have.
+    #[serde(rename = "chatgptAuthTokens")]
+    #[ts(rename = "chatgptAuthTokens")]
+    ChatgptAuthTokens {
+        /// ID token (JWT) supplied by the client.
+        ///
+        /// This token is used for identity and account metadata (email, plan type,
+        /// workspace id).
+        #[serde(rename = "idToken")]
+        #[ts(rename = "idToken")]
+        id_token: String,
+        /// Access token (JWT) supplied by the client.
+        /// This token is used for backend API requests.
+        #[serde(rename = "accessToken")]
+        #[ts(rename = "accessToken")]
+        access_token: String,
+    },
 }
 
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -843,6 +880,9 @@ pub enum LoginAccountResponse {
         /// URL the client should open in a browser to initiate the OAuth flow.
         auth_url: String,
     },
+    #[serde(rename = "chatgptAuthTokens", rename_all = "camelCase")]
+    #[ts(rename = "chatgptAuthTokens", rename_all = "camelCase")]
+    ChatgptAuthTokens {},
 }
 
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -873,6 +913,37 @@ pub struct CancelLoginAccountResponse {
 #[ts(export_to = "v2/")]
 pub struct LogoutAccountResponse {}
 
+#[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub enum ChatgptAuthTokensRefreshReason {
+    /// Codex attempted a backend request and received `401 Unauthorized`.
+    Unauthorized,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ChatgptAuthTokensRefreshParams {
+    pub reason: ChatgptAuthTokensRefreshReason,
+    /// Workspace/account identifier that Codex was previously using.
+    ///
+    /// Clients that manage multiple accounts/workspaces can use this as a hint
+    /// to refresh the token for the correct workspace.
+    ///
+    /// This may be `null` when the prior ID token did not include a workspace
+    /// identifier (`chatgpt_account_id`) or when the token could not be parsed.
+    pub previous_account_id: Option<String>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ChatgptAuthTokensRefreshResponse {
+    pub id_token: String,
+    pub access_token: String,
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -884,6 +955,11 @@ pub struct GetAccountRateLimitsResponse {
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
 pub struct GetAccountParams {
+    /// When `true`, requests a proactive token refresh before returning.
+    ///
+    /// In managed auth mode this triggers the normal refresh-token flow. In
+    /// external auth mode this flag is ignored. Clients should refresh tokens
+    /// themselves and call `account/login/start` with `chatgptAuthTokens`.
     #[serde(default)]
     pub refresh_token: bool,
 }
@@ -1227,6 +1303,14 @@ pub struct ThreadArchiveParams {
 #[ts(export_to = "v2/")]
 pub struct ThreadArchiveResponse {}
 
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ThreadSetNameParams {
+    pub thread_id: String,
+    pub name: String,
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -1234,6 +1318,11 @@ pub struct ThreadUnarchiveParams {
     pub thread_id: String,
 }
 
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ThreadSetNameResponse {}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -1955,6 +2044,11 @@ pub enum ThreadItem {
     AgentMessage { id: String, text: String },
     #[serde(rename_all = "camelCase")]
     #[ts(rename_all = "camelCase")]
+    /// EXPERIMENTAL - proposed plan item content. The completed plan item is
+    /// authoritative and may not match the concatenation of `PlanDelta` text.
+    Plan { id: String, text: String },
+    #[serde(rename_all = "camelCase")]
+    #[ts(rename_all = "camelCase")]
     Reasoning {
         id: String,
         #[serde(default)]
@@ -2059,6 +2153,10 @@ impl From<CoreTurnItem> for ThreadItem {
                     .collect::<String>();
                 ThreadItem::AgentMessage { id: agent.id, text }
             }
+            CoreTurnItem::Plan(plan) => ThreadItem::Plan {
+                id: plan.id,
+                text: plan.text,
+            },
             CoreTurnItem::Reasoning(reasoning) => ThreadItem::Reasoning {
                 id: reasoning.id,
                 summary: reasoning.summary_text,
@@ -2217,6 +2315,16 @@ pub struct ThreadStartedNotification {
     pub thread: Thread,
 }
 
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ThreadNameUpdatedNotification {
+    pub thread_id: String,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    #[ts(optional)]
+    pub thread_name: Option<String>,
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -2337,6 +2445,18 @@ pub struct AgentMessageDeltaNotification {
     pub delta: String,
 }
 
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+/// EXPERIMENTAL - proposed plan streaming deltas for plan items. Clients should
+/// not assume concatenated deltas match the completed plan item content.
+pub struct PlanDeltaNotification {
+    pub thread_id: String,
+    pub turn_id: String,
+    pub item_id: String,
+    pub delta: String,
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -2525,13 +2645,15 @@ pub struct ToolRequestUserInputOption {
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
-/// EXPERIMENTAL. Represents one request_user_input question and its optional options.
+/// EXPERIMENTAL. Represents one request_user_input question and its required options.
 pub struct ToolRequestUserInputQuestion {
     pub id: String,
     pub header: String,
     pub question: String,
     #[serde(default)]
     pub is_other: bool,
+    #[serde(default)]
+    pub is_secret: bool,
     pub options: Option<Vec<ToolRequestUserInputOption>>,
 }
 

codex-rs/app-server/Cargo.toml

@@ -17,7 +17,9 @@ workspace = true
 
 [dependencies]
 anyhow = { workspace = true }
+async-trait = { workspace = true }
 codex-arg0 = { workspace = true }
+codex-cloud-requirements = { workspace = true }
 codex-common = { workspace = true, features = ["cli"] }
 codex-core = { workspace = true }
 codex-backend-client = { workspace = true }

codex-rs/app-server/README.md

@@ -82,6 +82,7 @@ Example (from OpenAI's official VSCode extension):
 - `thread/loaded/list` — list the thread ids currently loaded in memory.
 - `thread/read` — read a stored thread by id without resuming it; optionally include turns via `includeTurns`.
 - `thread/archive` — move a thread’s rollout file into the archived directory; returns `{}` on success.
+- `thread/name/set` — set or update a thread’s user-facing name; returns `{}` on success. Thread names are not required to be unique; name lookups resolve to the most recently updated thread.
 - `thread/unarchive` — move an archived rollout file back into the sessions directory; returns the restored `thread` on success.
 - `thread/rollback` — drop the last N turns from the agent’s in-memory context and persist a rollback marker in the rollout so future resumes see the pruned history; returns the updated `thread` (with `turns` populated) on success.
 - `turn/start` — add user input to a thread and begin Codex generation; responds with the initial `turn` object and streams `turn/started`, `item/*`, and `turn/completed` notifications.
@@ -102,7 +103,7 @@ Example (from OpenAI's official VSCode extension):
 - `config/read` — fetch the effective config on disk after resolving config layering.
 - `config/value/write` — write a single config key/value to the user's config.toml on disk.
 - `config/batchWrite` — apply multiple config edits atomically to the user's config.toml on disk.
-- `configRequirements/read` — fetch the loaded requirements allow-lists from `requirements.toml` and/or MDM (or `null` if none are configured).
+- `configRequirements/read` — fetch the loaded requirements allow-lists and `enforceResidency` from `requirements.toml` and/or MDM (or `null` if none are configured).
 
 ### Example: Start or resume a thread
 
@@ -443,6 +444,7 @@ Today both notifications carry an empty `items` array even when item events were
 
 - `userMessage` — `{id, content}` where `content` is a list of user inputs (`text`, `image`, or `localImage`).
 - `agentMessage` — `{id, text}` containing the accumulated agent reply.
+- `plan` — `{id, text}` emitted for plan-mode turns; plan text can stream via `item/plan/delta` (experimental).
 - `reasoning` — `{id, summary, content}` where `summary` holds streamed reasoning summaries (applicable for most OpenAI models) and `content` holds raw reasoning blocks (applicable for e.g. open source models).
 - `commandExecution` — `{id, command, cwd, status, commandActions, aggregatedOutput?, exitCode?, durationMs?}` for sandboxed commands; `status` is `inProgress`, `completed`, `failed`, or `declined`.
 - `fileChange` — `{id, changes, status}` describing proposed edits; `changes` list `{path, kind, diff}` and `status` is `inProgress`, `completed`, `failed`, or `declined`.
@@ -466,6 +468,10 @@ There are additional item-specific events:
 
 - `item/agentMessage/delta` — appends streamed text for the agent message; concatenate `delta` values for the same `itemId` in order to reconstruct the full reply.
 
+#### plan
+
+- `item/plan/delta` — streams proposed plan content for plan items (experimental); concatenate `delta` values for the same plan `itemId`. These deltas correspond to the `<proposed_plan>` block.
+
 #### reasoning
 
 - `item/reasoning/summaryTextDelta` — streams readable reasoning summaries; `summaryIndex` increments when a new summary section opens.
@@ -659,10 +665,17 @@ $demo-app Pull the latest updates from the team.
 
 The JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, and inspect ChatGPT rate limits.
 
+### Authentication modes
+
+Codex supports these authentication modes. The current mode is surfaced in `account/updated` (`authMode`) and can be inferred from `account/read`.
+
+- **API key (`apiKey`)**: Caller supplies an OpenAI API key via `account/login/start` with `type: "apiKey"`. The API key is saved and used for API requests.
+- **ChatGPT managed (`chatgpt`)** (recommended): Codex owns the ChatGPT OAuth flow and refresh tokens. Start via `account/login/start` with `type: "chatgpt"`; Codex persists tokens to disk and refreshes them automatically.
+
 ### API Overview
 
 - `account/read` — fetch current account info; optionally refresh tokens.
-- `account/login/start` — begin login (`apiKey` or `chatgpt`).
+- `account/login/start` — begin login (`apiKey`, `chatgpt`).
 - `account/login/completed` (notify) — emitted when a login attempt finishes (success or error).
 - `account/login/cancel` — cancel a pending ChatGPT login by `loginId`.
 - `account/logout` — sign out; triggers `account/updated`.

codex-rs/app-server/src/bespoke_event_handling.rs

@@ -44,6 +44,7 @@ use codex_app_server_protocol::McpToolCallResult;
 use codex_app_server_protocol::McpToolCallStatus;
 use codex_app_server_protocol::PatchApplyStatus;
 use codex_app_server_protocol::PatchChangeKind as V2PatchChangeKind;
+use codex_app_server_protocol::PlanDeltaNotification;
 use codex_app_server_protocol::RawResponseItemCompletedNotification;
 use codex_app_server_protocol::ReasoningSummaryPartAddedNotification;
 use codex_app_server_protocol::ReasoningSummaryTextDeltaNotification;
@@ -52,6 +53,7 @@ use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::ServerRequestPayload;
 use codex_app_server_protocol::TerminalInteractionNotification;
 use codex_app_server_protocol::ThreadItem;
+use codex_app_server_protocol::ThreadNameUpdatedNotification;
 use codex_app_server_protocol::ThreadRollbackResponse;
 use codex_app_server_protocol::ThreadTokenUsage;
 use codex_app_server_protocol::ThreadTokenUsageUpdatedNotification;
@@ -117,6 +119,7 @@ pub(crate) async fn apply_bespoke_event_handling(
         msg,
     } = event;
     match msg {
+        EventMsg::TurnStarted(_) => {}
         EventMsg::TurnComplete(_ev) => {
             handle_turn_complete(
                 conversation_id,
@@ -279,6 +282,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                         header: question.header,
                         question: question.question,
                         is_other: question.is_other,
+                        is_secret: question.is_secret,
                         options: question.options.map(|options| {
                             options
                                 .into_iter()
@@ -591,14 +595,27 @@ pub(crate) async fn apply_bespoke_event_handling(
                 .await;
         }
         EventMsg::AgentMessageContentDelta(event) => {
+            let codex_protocol::protocol::AgentMessageContentDeltaEvent { item_id, delta, .. } =
+                event;
             let notification = AgentMessageDeltaNotification {
+                thread_id: conversation_id.to_string(),
+                turn_id: event_turn_id.clone(),
+                item_id,
+                delta,
+            };
+            outgoing
+                .send_server_notification(ServerNotification::AgentMessageDelta(notification))
+                .await;
+        }
+        EventMsg::PlanDelta(event) => {
+            let notification = PlanDeltaNotification {
                 thread_id: conversation_id.to_string(),
                 turn_id: event_turn_id.clone(),
                 item_id: event.item_id,
                 delta: event.delta,
             };
             outgoing
-                .send_server_notification(ServerNotification::AgentMessageDelta(notification))
+                .send_server_notification(ServerNotification::PlanDelta(notification))
                 .await;
         }
         EventMsg::ContextCompacted(..) => {
@@ -1096,6 +1113,17 @@ pub(crate) async fn apply_bespoke_event_handling(
                 outgoing.send_response(request_id, response).await;
             }
         }
+        EventMsg::ThreadNameUpdated(thread_name_event) => {
+            if let ApiVersion::V2 = api_version {
+                let notification = ThreadNameUpdatedNotification {
+                    thread_id: thread_name_event.thread_id.to_string(),
+                    thread_name: thread_name_event.thread_name,
+                };
+                outgoing
+                    .send_server_notification(ServerNotification::ThreadNameUpdated(notification))
+                    .await;
+            }
+        }
         EventMsg::TurnDiff(turn_diff_event) => {
             handle_turn_diff(
                 conversation_id,
@@ -1147,6 +1175,7 @@ async fn handle_turn_plan_update(
     api_version: ApiVersion,
     outgoing: &OutgoingMessageSender,
 ) {
+    // `update_plan` is a todo/checklist tool; it is not related to plan-mode updates
     if let ApiVersion::V2 = api_version {
         let notification = TurnPlanUpdatedNotification {
             thread_id: conversation_id.to_string(),

codex-rs/app-server/src/codex_message_processor.rs

@@ -57,6 +57,7 @@ use codex_app_server_protocol::ListConversationsResponse;
 use codex_app_server_protocol::ListMcpServerStatusParams;
 use codex_app_server_protocol::ListMcpServerStatusResponse;
 use codex_app_server_protocol::LoginAccountParams;
+use codex_app_server_protocol::LoginAccountResponse;
 use codex_app_server_protocol::LoginApiKeyParams;
 use codex_app_server_protocol::LoginApiKeyResponse;
 use codex_app_server_protocol::LoginChatGptCompleteNotification;
@@ -109,6 +110,8 @@ use codex_app_server_protocol::ThreadReadResponse;
 use codex_app_server_protocol::ThreadResumeParams;
 use codex_app_server_protocol::ThreadResumeResponse;
 use codex_app_server_protocol::ThreadRollbackParams;
+use codex_app_server_protocol::ThreadSetNameParams;
+use codex_app_server_protocol::ThreadSetNameResponse;
 use codex_app_server_protocol::ThreadSortKey;
 use codex_app_server_protocol::ThreadSourceKind;
 use codex_app_server_protocol::ThreadStartParams;
@@ -130,6 +133,7 @@ use codex_app_server_protocol::build_turns_from_event_msgs;
 use codex_backend_client::Client as BackendClient;
 use codex_chatgpt::connectors;
 use codex_core::AuthManager;
+use codex_core::CodexAuth;
 use codex_core::CodexThread;
 use codex_core::Cursor as RolloutCursor;
 use codex_core::InitialHistory;
@@ -141,12 +145,14 @@ use codex_core::ThreadManager;
 use codex_core::ThreadSortKey as CoreThreadSortKey;
 use codex_core::auth::CLIENT_ID;
 use codex_core::auth::login_with_api_key;
+use codex_core::auth::login_with_chatgpt_auth_tokens;
 use codex_core::config::Config;
 use codex_core::config::ConfigOverrides;
 use codex_core::config::ConfigService;
 use codex_core::config::edit::ConfigEdit;
 use codex_core::config::edit::ConfigEditsBuilder;
 use codex_core::config::types::McpServerTransportConfig;
+use codex_core::config_loader::CloudRequirementsLoader;
 use codex_core::default_client::get_codex_user_agent;
 use codex_core::error::CodexErr;
 use codex_core::exec::ExecParams;
@@ -169,6 +175,7 @@ use codex_core::read_session_meta_line;
 use codex_core::rollout_date_parts;
 use codex_core::sandboxing::SandboxPermissions;
 use codex_core::state_db::get_state_db;
+use codex_core::token_data::parse_id_token;
 use codex_core::windows_sandbox::WindowsSandboxLevelExt;
 use codex_feedback::CodexFeedback;
 use codex_login::ServerOptions as LoginServerOptions;
@@ -257,6 +264,7 @@ pub(crate) struct CodexMessageProcessor {
     codex_linux_sandbox_exe: Option<PathBuf>,
     config: Arc<Config>,
     cli_overrides: Vec<(String, TomlValue)>,
+    cloud_requirements: CloudRequirementsLoader,
     conversation_listeners: HashMap<Uuid, oneshot::Sender<()>>,
     listener_thread_ids_by_subscription: HashMap<Uuid, ThreadId>,
     active_login: Arc<Mutex<Option<ActiveLogin>>>,
@@ -275,6 +283,17 @@ pub(crate) enum ApiVersion {
     V2,
 }
 
+pub(crate) struct CodexMessageProcessorArgs {
+    pub(crate) auth_manager: Arc<AuthManager>,
+    pub(crate) thread_manager: Arc<ThreadManager>,
+    pub(crate) outgoing: Arc<OutgoingMessageSender>,
+    pub(crate) codex_linux_sandbox_exe: Option<PathBuf>,
+    pub(crate) config: Arc<Config>,
+    pub(crate) cli_overrides: Vec<(String, TomlValue)>,
+    pub(crate) cloud_requirements: CloudRequirementsLoader,
+    pub(crate) feedback: CodexFeedback,
+}
+
 impl CodexMessageProcessor {
     async fn load_thread(
         &self,
@@ -299,15 +318,17 @@ impl CodexMessageProcessor {
 
         Ok((thread_id, thread))
     }
-    pub fn new(
-        auth_manager: Arc<AuthManager>,
-        thread_manager: Arc<ThreadManager>,
-        outgoing: Arc<OutgoingMessageSender>,
-        codex_linux_sandbox_exe: Option<PathBuf>,
-        config: Arc<Config>,
-        cli_overrides: Vec<(String, TomlValue)>,
-        feedback: CodexFeedback,
-    ) -> Self {
+    pub fn new(args: CodexMessageProcessorArgs) -> Self {
+        let CodexMessageProcessorArgs {
+            auth_manager,
+            thread_manager,
+            outgoing,
+            codex_linux_sandbox_exe,
+            config,
+            cli_overrides,
+            cloud_requirements,
+            feedback,
+        } = args;
         Self {
             auth_manager,
             thread_manager,
@@ -315,6 +336,7 @@ impl CodexMessageProcessor {
             codex_linux_sandbox_exe,
             config,
             cli_overrides,
+            cloud_requirements,
             conversation_listeners: HashMap::new(),
             listener_thread_ids_by_subscription: HashMap::new(),
             active_login: Arc::new(Mutex::new(None)),
@@ -327,7 +349,10 @@ impl CodexMessageProcessor {
     }
 
     async fn load_latest_config(&self) -> Result<Config, JSONRPCErrorError> {
-        Config::load_with_cli_overrides(self.cli_overrides.clone())
+        codex_core::config::ConfigBuilder::default()
+            .cli_overrides(self.cli_overrides.clone())
+            .cloud_requirements(self.cloud_requirements.clone())
+            .build()
             .await
             .map_err(|err| JSONRPCErrorError {
                 code: INTERNAL_ERROR_CODE,
@@ -413,6 +438,9 @@ impl CodexMessageProcessor {
             ClientRequest::ThreadArchive { request_id, params } => {
                 self.thread_archive(request_id, params).await;
             }
+            ClientRequest::ThreadSetName { request_id, params } => {
+                self.thread_set_name(request_id, params).await;
+            }
             ClientRequest::ThreadUnarchive { request_id, params } => {
                 self.thread_unarchive(request_id, params).await;
             }
@@ -607,6 +635,22 @@ impl CodexMessageProcessor {
             LoginAccountParams::Chatgpt => {
                 self.login_chatgpt_v2(request_id).await;
             }
+            LoginAccountParams::ChatgptAuthTokens {
+                id_token,
+                access_token,
+            } => {
+                self.login_chatgpt_auth_tokens(request_id, id_token, access_token)
+                    .await;
+            }
+        }
+    }
+
+    fn external_auth_active_error(&self) -> JSONRPCErrorError {
+        JSONRPCErrorError {
+            code: INVALID_REQUEST_ERROR_CODE,
+            message: "External auth is active. Use account/login/start (chatgptAuthTokens) to update it or account/logout to clear it."
+                .to_string(),
+            data: None,
         }
     }
 
@@ -614,6 +658,10 @@ impl CodexMessageProcessor {
         &mut self,
         params: &LoginApiKeyParams,
     ) -> std::result::Result<(), JSONRPCErrorError> {
+        if self.auth_manager.is_external_auth_active() {
+            return Err(self.external_auth_active_error());
+        }
+
         if matches!(
             self.config.forced_login_method,
             Some(ForcedLoginMethod::Chatgpt)
@@ -658,7 +706,11 @@ impl CodexMessageProcessor {
                     .await;
 
                 let payload = AuthStatusChangeNotification {
-                    auth_method: self.auth_manager.auth_cached().map(|auth| auth.mode),
+                    auth_method: self
+                        .auth_manager
+                        .auth_cached()
+                        .as_ref()
+                        .map(CodexAuth::api_auth_mode),
                 };
                 self.outgoing
                     .send_server_notification(ServerNotification::AuthStatusChange(payload))
@@ -688,7 +740,11 @@ impl CodexMessageProcessor {
                     .await;
 
                 let payload_v2 = AccountUpdatedNotification {
-                    auth_mode: self.auth_manager.auth_cached().map(|auth| auth.mode),
+                    auth_mode: self
+                        .auth_manager
+                        .auth_cached()
+                        .as_ref()
+                        .map(CodexAuth::api_auth_mode),
                 };
                 self.outgoing
                     .send_server_notification(ServerNotification::AccountUpdated(payload_v2))
@@ -706,6 +762,10 @@ impl CodexMessageProcessor {
     ) -> std::result::Result<LoginServerOptions, JSONRPCErrorError> {
         let config = self.config.as_ref();
 
+        if self.auth_manager.is_external_auth_active() {
+            return Err(self.external_auth_active_error());
+        }
+
         if matches!(config.forced_login_method, Some(ForcedLoginMethod::Api)) {
             return Err(JSONRPCErrorError {
                 code: INVALID_REQUEST_ERROR_CODE,
@@ -780,7 +840,10 @@ impl CodexMessageProcessor {
                             auth_manager.reload();
 
                             // Notify clients with the actual current auth mode.
-                            let current_auth_method = auth_manager.auth_cached().map(|a| a.mode);
+                            let current_auth_method = auth_manager
+                                .auth_cached()
+                                .as_ref()
+                                .map(CodexAuth::api_auth_mode);
                             let payload = AuthStatusChangeNotification {
                                 auth_method: current_auth_method,
                             };
@@ -870,7 +933,10 @@ impl CodexMessageProcessor {
                             auth_manager.reload();
 
                             // Notify clients with the actual current auth mode.
-                            let current_auth_method = auth_manager.auth_cached().map(|a| a.mode);
+                            let current_auth_method = auth_manager
+                                .auth_cached()
+                                .as_ref()
+                                .map(CodexAuth::api_auth_mode);
                             let payload_v2 = AccountUpdatedNotification {
                                 auth_mode: current_auth_method,
                             };
@@ -964,6 +1030,98 @@ impl CodexMessageProcessor {
         }
     }
 
+    async fn login_chatgpt_auth_tokens(
+        &mut self,
+        request_id: RequestId,
+        id_token: String,
+        access_token: String,
+    ) {
+        if matches!(
+            self.config.forced_login_method,
+            Some(ForcedLoginMethod::Api)
+        ) {
+            let error = JSONRPCErrorError {
+                code: INVALID_REQUEST_ERROR_CODE,
+                message: "External ChatGPT auth is disabled. Use API key login instead."
+                    .to_string(),
+                data: None,
+            };
+            self.outgoing.send_error(request_id, error).await;
+            return;
+        }
+
+        // Cancel any active login attempt to avoid persisting managed auth state.
+        {
+            let mut guard = self.active_login.lock().await;
+            if let Some(active) = guard.take() {
+                drop(active);
+            }
+        }
+
+        let id_token_info = match parse_id_token(&id_token) {
+            Ok(info) => info,
+            Err(err) => {
+                let error = JSONRPCErrorError {
+                    code: INVALID_REQUEST_ERROR_CODE,
+                    message: format!("invalid id token: {err}"),
+                    data: None,
+                };
+                self.outgoing.send_error(request_id, error).await;
+                return;
+            }
+        };
+
+        if let Some(expected_workspace) = self.config.forced_chatgpt_workspace_id.as_deref()
+            && id_token_info.chatgpt_account_id.as_deref() != Some(expected_workspace)
+        {
+            let account_id = id_token_info.chatgpt_account_id;
+            let error = JSONRPCErrorError {
+                code: INVALID_REQUEST_ERROR_CODE,
+                message: format!(
+                    "External auth must use workspace {expected_workspace}, but received {account_id:?}."
+                ),
+                data: None,
+            };
+            self.outgoing.send_error(request_id, error).await;
+            return;
+        }
+
+        if let Err(err) =
+            login_with_chatgpt_auth_tokens(&self.config.codex_home, &id_token, &access_token)
+        {
+            let error = JSONRPCErrorError {
+                code: INTERNAL_ERROR_CODE,
+                message: format!("failed to set external auth: {err}"),
+                data: None,
+            };
+            self.outgoing.send_error(request_id, error).await;
+            return;
+        }
+        self.auth_manager.reload();
+
+        self.outgoing
+            .send_response(request_id, LoginAccountResponse::ChatgptAuthTokens {})
+            .await;
+
+        let payload_login_completed = AccountLoginCompletedNotification {
+            login_id: None,
+            success: true,
+            error: None,
+        };
+        self.outgoing
+            .send_server_notification(ServerNotification::AccountLoginCompleted(
+                payload_login_completed,
+            ))
+            .await;
+
+        let payload_v2 = AccountUpdatedNotification {
+            auth_mode: self.auth_manager.get_auth_mode(),
+        };
+        self.outgoing
+            .send_server_notification(ServerNotification::AccountUpdated(payload_v2))
+            .await;
+    }
+
     async fn logout_common(&mut self) -> std::result::Result<Option<AuthMode>, JSONRPCErrorError> {
         // Cancel any active login attempt.
         {
@@ -982,7 +1140,11 @@ impl CodexMessageProcessor {
         }
 
         // Reflect the current auth method after logout (likely None).
-        Ok(self.auth_manager.auth_cached().map(|auth| auth.mode))
+        Ok(self
+            .auth_manager
+            .auth_cached()
+            .as_ref()
+            .map(CodexAuth::api_auth_mode))
     }
 
     async fn logout_v1(&mut self, request_id: RequestId) {
@@ -1026,6 +1188,9 @@ impl CodexMessageProcessor {
     }
 
     async fn refresh_token_if_requested(&self, do_refresh: bool) {
+        if self.auth_manager.is_external_auth_active() {
+            return;
+        }
         if do_refresh && let Err(err) = self.auth_manager.refresh_token().await {
             tracing::warn!("failed to refresh token while getting account: {err}");
         }
@@ -1051,7 +1216,7 @@ impl CodexMessageProcessor {
         } else {
             match self.auth_manager.auth().await {
                 Some(auth) => {
-                    let auth_mode = auth.mode;
+                    let auth_mode = auth.api_auth_mode();
                     let (reported_auth_method, token_opt) = match auth.get_token() {
                         Ok(token) if !token.is_empty() => {
                             let tok = if include_token { Some(token) } else { None };
@@ -1098,9 +1263,9 @@ impl CodexMessageProcessor {
         }
 
         let account = match self.auth_manager.auth_cached() {
-            Some(auth) => Some(match auth.mode {
-                AuthMode::ApiKey => Account::ApiKey {},
-                AuthMode::ChatGPT => {
+            Some(auth) => Some(match auth {
+                CodexAuth::ApiKey(_) => Account::ApiKey {},
+                CodexAuth::Chatgpt(_) | CodexAuth::ChatgptAuthTokens(_) => {
                     let email = auth.get_account_email();
                     let plan_type = auth.account_plan_type();
 
@@ -1159,7 +1324,7 @@ impl CodexMessageProcessor {
             });
         };
 
-        if auth.mode != AuthMode::ChatGPT {
+        if !auth.is_chatgpt_auth() {
             return Err(JSONRPCErrorError {
                 code: INVALID_REQUEST_ERROR_CODE,
                 message: "chatgpt authentication required to read rate limits".to_string(),
@@ -1373,6 +1538,7 @@ impl CodexMessageProcessor {
             &self.cli_overrides,
             Some(request_overrides),
             typesafe_overrides,
+            &self.cloud_requirements,
         )
         .await
         {
@@ -1457,6 +1623,7 @@ impl CodexMessageProcessor {
             &self.cli_overrides,
             config,
             typesafe_overrides,
+            &self.cloud_requirements,
         )
         .await
         {
@@ -1658,6 +1825,36 @@ impl CodexMessageProcessor {
         }
     }
 
+    async fn thread_set_name(&self, request_id: RequestId, params: ThreadSetNameParams) {
+        let ThreadSetNameParams { thread_id, name } = params;
+        let Some(name) = codex_core::util::normalize_thread_name(&name) else {
+            self.send_invalid_request_error(
+                request_id,
+                "thread name must not be empty".to_string(),
+            )
+            .await;
+            return;
+        };
+
+        let (_, thread) = match self.load_thread(&thread_id).await {
+            Ok(v) => v,
+            Err(error) => {
+                self.outgoing.send_error(request_id, error).await;
+                return;
+            }
+        };
+
+        if let Err(err) = thread.submit(Op::SetThreadName { name }).await {
+            self.send_internal_error(request_id, format!("failed to set thread name: {err}"))
+                .await;
+            return;
+        }
+
+        self.outgoing
+            .send_response(request_id, ThreadSetNameResponse {})
+            .await;
+    }
+
     async fn thread_unarchive(&mut self, request_id: RequestId, params: ThreadUnarchiveParams) {
         // TODO(jif) mostly rewrite this using sqlite after phase 1
         let thread_id = match ThreadId::from_string(&params.thread_id) {
@@ -2174,6 +2371,7 @@ impl CodexMessageProcessor {
             request_overrides,
             typesafe_overrides,
             history_cwd,
+            &self.cloud_requirements,
         )
         .await
         {
@@ -2366,6 +2564,7 @@ impl CodexMessageProcessor {
             request_overrides,
             typesafe_overrides,
             history_cwd,
+            &self.cloud_requirements,
         )
         .await
         {
@@ -3160,6 +3359,7 @@ impl CodexMessageProcessor {
             request_overrides,
             typesafe_overrides,
             history_cwd,
+            &self.cloud_requirements,
         )
         .await
         {
@@ -3348,6 +3548,7 @@ impl CodexMessageProcessor {
             request_overrides,
             typesafe_overrides,
             history_cwd,
+            &self.cloud_requirements,
         )
         .await
         {
@@ -4618,6 +4819,7 @@ async fn derive_config_from_params(
     cli_overrides: &[(String, TomlValue)],
     request_overrides: Option<HashMap<String, serde_json::Value>>,
     typesafe_overrides: ConfigOverrides,
+    cloud_requirements: &CloudRequirementsLoader,
 ) -> std::io::Result<Config> {
     let merged_cli_overrides = cli_overrides
         .iter()
@@ -4630,7 +4832,11 @@ async fn derive_config_from_params(
         )
         .collect::<Vec<_>>();
 
-    Config::load_with_cli_overrides_and_harness_overrides(merged_cli_overrides, typesafe_overrides)
+    codex_core::config::ConfigBuilder::default()
+        .cli_overrides(merged_cli_overrides)
+        .harness_overrides(typesafe_overrides)
+        .cloud_requirements(cloud_requirements.clone())
+        .build()
         .await
 }
 
@@ -4639,6 +4845,7 @@ async fn derive_config_for_cwd(
     request_overrides: Option<HashMap<String, serde_json::Value>>,
     typesafe_overrides: ConfigOverrides,
     cwd: Option<PathBuf>,
+    cloud_requirements: &CloudRequirementsLoader,
 ) -> std::io::Result<Config> {
     let merged_cli_overrides = cli_overrides
         .iter()
@@ -4655,6 +4862,7 @@ async fn derive_config_for_cwd(
         .cli_overrides(merged_cli_overrides)
         .harness_overrides(typesafe_overrides)
         .fallback_cwd(cwd)
+        .cloud_requirements(cloud_requirements.clone())
         .build()
         .await
 }

codex-rs/app-server/src/config_api.rs

@@ -12,8 +12,10 @@ use codex_app_server_protocol::JSONRPCErrorError;
 use codex_app_server_protocol::SandboxMode;
 use codex_core::config::ConfigService;
 use codex_core::config::ConfigServiceError;
+use codex_core::config_loader::CloudRequirementsLoader;
 use codex_core::config_loader::ConfigRequirementsToml;
 use codex_core::config_loader::LoaderOverrides;
+use codex_core::config_loader::ResidencyRequirement as CoreResidencyRequirement;
 use codex_core::config_loader::SandboxModeRequirement as CoreSandboxModeRequirement;
 use serde_json::json;
 use std::path::PathBuf;
@@ -29,9 +31,15 @@ impl ConfigApi {
         codex_home: PathBuf,
         cli_overrides: Vec<(String, TomlValue)>,
         loader_overrides: LoaderOverrides,
+        cloud_requirements: CloudRequirementsLoader,
     ) -> Self {
         Self {
-            service: ConfigService::new(codex_home, cli_overrides, loader_overrides),
+            service: ConfigService::new(
+                codex_home,
+                cli_overrides,
+                loader_overrides,
+                cloud_requirements,
+            ),
         }
     }
 
@@ -84,6 +92,9 @@ fn map_requirements_toml_to_api(requirements: ConfigRequirementsToml) -> ConfigR
                 .filter_map(map_sandbox_mode_requirement_to_api)
                 .collect()
         }),
+        enforce_residency: requirements
+            .enforce_residency
+            .map(map_residency_requirement_to_api),
     }
 }
 
@@ -96,6 +107,14 @@ fn map_sandbox_mode_requirement_to_api(mode: CoreSandboxModeRequirement) -> Opti
     }
 }
 
+fn map_residency_requirement_to_api(
+    residency: CoreResidencyRequirement,
+) -> codex_app_server_protocol::ResidencyRequirement {
+    match residency {
+        CoreResidencyRequirement::Us => codex_app_server_protocol::ResidencyRequirement::Us,
+    }
+}
+
 fn map_error(err: ConfigServiceError) -> JSONRPCErrorError {
     if let Some(code) = err.write_error_code() {
         return config_write_error(code, err.to_string());
@@ -136,6 +155,8 @@ mod tests {
                 CoreSandboxModeRequirement::ExternalSandbox,
             ]),
             mcp_servers: None,
+            rules: None,
+            enforce_residency: Some(CoreResidencyRequirement::Us),
         };
 
         let mapped = map_requirements_toml_to_api(requirements);
@@ -151,5 +172,9 @@ mod tests {
             mapped.allowed_sandbox_modes,
             Some(vec![SandboxMode::ReadOnly]),
         );
+        assert_eq!(
+            mapped.enforce_residency,
+            Some(codex_app_server_protocol::ResidencyRequirement::Us),
+        );
     }
 }

codex-rs/app-server/src/fuzzy_file_search.rs

@@ -1,17 +1,14 @@
 use std::num::NonZero;
-use std::num::NonZeroUsize;
 use std::path::PathBuf;
 use std::sync::Arc;
 use std::sync::atomic::AtomicBool;
 
 use codex_app_server_protocol::FuzzyFileSearchResult;
 use codex_file_search as file_search;
-use tokio::task::JoinSet;
 use tracing::warn;
 
-const LIMIT_PER_ROOT: usize = 50;
+const MATCH_LIMIT: usize = 50;
 const MAX_THREADS: usize = 12;
-const COMPUTE_INDICES: bool = true;
 
 pub(crate) async fn run_fuzzy_file_search(
     query: String,
@@ -23,64 +20,54 @@ pub(crate) async fn run_fuzzy_file_search(
     }
 
     #[expect(clippy::expect_used)]
-    let limit_per_root =
-        NonZero::new(LIMIT_PER_ROOT).expect("LIMIT_PER_ROOT should be a valid non-zero usize");
+    let limit = NonZero::new(MATCH_LIMIT).expect("MATCH_LIMIT should be a valid non-zero usize");
 
     let cores = std::thread::available_parallelism()
         .map(std::num::NonZero::get)
         .unwrap_or(1);
     let threads = cores.min(MAX_THREADS);
-    let threads_per_root = (threads / roots.len()).max(1);
-    let threads = NonZero::new(threads_per_root).unwrap_or(NonZeroUsize::MIN);
+    #[expect(clippy::expect_used)]
+    let threads = NonZero::new(threads.max(1)).expect("threads should be non-zero");
+    let search_dirs: Vec<PathBuf> = roots.iter().map(PathBuf::from).collect();
 
-    let mut files: Vec<FuzzyFileSearchResult> = Vec::new();
-    let mut join_set = JoinSet::new();
-
-    for root in roots {
-        let search_dir = PathBuf::from(&root);
-        let query = query.clone();
-        let cancel_flag = cancellation_flag.clone();
-        join_set.spawn_blocking(move || {
-            match file_search::run(
-                query.as_str(),
-                limit_per_root,
-                &search_dir,
-                Vec::new(),
+    let mut files = match tokio::task::spawn_blocking(move || {
+        file_search::run(
+            query.as_str(),
+            search_dirs,
+            file_search::FileSearchOptions {
+                limit,
                 threads,
-                cancel_flag,
-                COMPUTE_INDICES,
-                true,
-            ) {
-                Ok(res) => Ok((root, res)),
-                Err(err) => Err((root, err)),
-            }
-        });
-    }
-
-    while let Some(res) = join_set.join_next().await {
-        match res {
-            Ok(Ok((root, res))) => {
-                for m in res.matches {
-                    let path = m.path;
-                    let file_name = file_search::file_name_from_path(&path);
-                    let result = FuzzyFileSearchResult {
-                        root: root.clone(),
-                        path,
-                        file_name,
-                        score: m.score,
-                        indices: m.indices,
-                    };
-                    files.push(result);
+                compute_indices: true,
+                ..Default::default()
+            },
+            Some(cancellation_flag),
+        )
+    })
+    .await
+    {
+        Ok(Ok(res)) => res
+            .matches
+            .into_iter()
+            .map(|m| {
+                let file_name = m.path.file_name().unwrap_or_default();
+                FuzzyFileSearchResult {
+                    root: m.root.to_string_lossy().to_string(),
+                    path: m.path.to_string_lossy().to_string(),
+                    file_name: file_name.to_string_lossy().to_string(),
+                    score: m.score,
+                    indices: m.indices,
                 }
-            }
-            Ok(Err((root, err))) => {
-                warn!("fuzzy-file-search in dir '{root}' failed: {err}");
-            }
-            Err(err) => {
-                warn!("fuzzy-file-search join_next failed: {err}");
-            }
+            })
+            .collect::<Vec<_>>(),
+        Ok(Err(err)) => {
+            warn!("fuzzy-file-search failed: {err}");
+            Vec::new()
         }
-    }
+        Err(err) => {
+            warn!("fuzzy-file-search join failed: {err}");
+            Vec::new()
+        }
+    };
 
     files.sort_by(file_search::cmp_by_score_desc_then_path_asc::<
         FuzzyFileSearchResult,

codex-rs/app-server/src/lib.rs

@@ -1,8 +1,11 @@
 #![deny(clippy::print_stdout, clippy::print_stderr)]
 
+use codex_cloud_requirements::cloud_requirements_loader;
 use codex_common::CliConfigOverrides;
+use codex_core::AuthManager;
 use codex_core::config::Config;
 use codex_core::config::ConfigBuilder;
+use codex_core::config_loader::CloudRequirementsLoader;
 use codex_core::config_loader::ConfigLayerStackOrdering;
 use codex_core::config_loader::LoaderOverrides;
 use std::io::ErrorKind;
@@ -10,6 +13,7 @@ use std::io::Result as IoResult;
 use std::path::PathBuf;
 
 use crate::message_processor::MessageProcessor;
+use crate::message_processor::MessageProcessorArgs;
 use crate::outgoing_message::OutgoingMessage;
 use crate::outgoing_message::OutgoingMessageSender;
 use codex_app_server_protocol::ConfigLayerSource;
@@ -204,11 +208,32 @@ pub async fn run_main(
             format!("error parsing -c overrides: {e}"),
         )
     })?;
+    let cloud_requirements = match ConfigBuilder::default()
+        .cli_overrides(cli_kv_overrides.clone())
+        .loader_overrides(loader_overrides.clone())
+        .build()
+        .await
+    {
+        Ok(config) => {
+            let auth_manager = AuthManager::shared(
+                config.codex_home.clone(),
+                false,
+                config.cli_auth_credentials_store_mode,
+            );
+            cloud_requirements_loader(auth_manager, config.chatgpt_base_url)
+        }
+        Err(err) => {
+            warn!(error = %err, "Failed to preload config for cloud requirements");
+            // TODO(gt): Make cloud requirements preload failures blocking once we can fail-closed.
+            CloudRequirementsLoader::default()
+        }
+    };
     let loader_overrides_for_config_api = loader_overrides.clone();
     let mut config_warnings = Vec::new();
     let config = match ConfigBuilder::default()
         .cli_overrides(cli_kv_overrides.clone())
         .loader_overrides(loader_overrides)
+        .cloud_requirements(cloud_requirements.clone())
         .build()
         .await
     {
@@ -290,15 +315,16 @@ pub async fn run_main(
         let outgoing_message_sender = OutgoingMessageSender::new(outgoing_tx);
         let cli_overrides: Vec<(String, TomlValue)> = cli_kv_overrides.clone();
         let loader_overrides = loader_overrides_for_config_api;
-        let mut processor = MessageProcessor::new(
-            outgoing_message_sender,
+        let mut processor = MessageProcessor::new(MessageProcessorArgs {
+            outgoing: outgoing_message_sender,
             codex_linux_sandbox_exe,
-            std::sync::Arc::new(config),
+            config: std::sync::Arc::new(config),
             cli_overrides,
             loader_overrides,
-            feedback.clone(),
+            cloud_requirements: cloud_requirements.clone(),
+            feedback: feedback.clone(),
             config_warnings,
-        );
+        });
         let mut thread_created_rx = processor.thread_created_receiver();
         async move {
             let mut listen_for_threads = true;
@@ -312,7 +338,7 @@ pub async fn run_main(
                             JSONRPCMessage::Request(r) => processor.process_request(r).await,
                             JSONRPCMessage::Response(r) => processor.process_response(r).await,
                             JSONRPCMessage::Notification(n) => processor.process_notification(n).await,
-                            JSONRPCMessage::Error(e) => processor.process_error(e),
+                            JSONRPCMessage::Error(e) => processor.process_error(e).await,
                         }
                     }
                     created = thread_created_rx.recv(), if listen_for_threads => {

codex-rs/app-server/src/message_processor.rs

@@ -2,9 +2,14 @@ use std::path::PathBuf;
 use std::sync::Arc;
 
 use crate::codex_message_processor::CodexMessageProcessor;
+use crate::codex_message_processor::CodexMessageProcessorArgs;
 use crate::config_api::ConfigApi;
 use crate::error_code::INVALID_REQUEST_ERROR_CODE;
 use crate::outgoing_message::OutgoingMessageSender;
+use async_trait::async_trait;
+use codex_app_server_protocol::ChatgptAuthTokensRefreshParams;
+use codex_app_server_protocol::ChatgptAuthTokensRefreshReason;
+use codex_app_server_protocol::ChatgptAuthTokensRefreshResponse;
 use codex_app_server_protocol::ClientInfo;
 use codex_app_server_protocol::ClientRequest;
 use codex_app_server_protocol::ConfigBatchWriteParams;
@@ -19,66 +24,154 @@ use codex_app_server_protocol::JSONRPCRequest;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::ServerNotification;
+use codex_app_server_protocol::ServerRequestPayload;
 use codex_core::AuthManager;
 use codex_core::ThreadManager;
+use codex_core::auth::ExternalAuthRefreshContext;
+use codex_core::auth::ExternalAuthRefreshReason;
+use codex_core::auth::ExternalAuthRefresher;
+use codex_core::auth::ExternalAuthTokens;
 use codex_core::config::Config;
+use codex_core::config_loader::CloudRequirementsLoader;
 use codex_core::config_loader::LoaderOverrides;
 use codex_core::default_client::SetOriginatorError;
 use codex_core::default_client::USER_AGENT_SUFFIX;
 use codex_core::default_client::get_codex_user_agent;
+use codex_core::default_client::set_default_client_residency_requirement;
 use codex_core::default_client::set_default_originator;
 use codex_feedback::CodexFeedback;
 use codex_protocol::ThreadId;
 use codex_protocol::protocol::SessionSource;
 use tokio::sync::broadcast;
+use tokio::time::Duration;
+use tokio::time::timeout;
 use toml::Value as TomlValue;
 
+const EXTERNAL_AUTH_REFRESH_TIMEOUT: Duration = Duration::from_secs(10);
+
+#[derive(Clone)]
+struct ExternalAuthRefreshBridge {
+    outgoing: Arc<OutgoingMessageSender>,
+}
+
+impl ExternalAuthRefreshBridge {
+    fn map_reason(reason: ExternalAuthRefreshReason) -> ChatgptAuthTokensRefreshReason {
+        match reason {
+            ExternalAuthRefreshReason::Unauthorized => ChatgptAuthTokensRefreshReason::Unauthorized,
+        }
+    }
+}
+
+#[async_trait]
+impl ExternalAuthRefresher for ExternalAuthRefreshBridge {
+    async fn refresh(
+        &self,
+        context: ExternalAuthRefreshContext,
+    ) -> std::io::Result<ExternalAuthTokens> {
+        let params = ChatgptAuthTokensRefreshParams {
+            reason: Self::map_reason(context.reason),
+            previous_account_id: context.previous_account_id,
+        };
+
+        let (request_id, rx) = self
+            .outgoing
+            .send_request_with_id(ServerRequestPayload::ChatgptAuthTokensRefresh(params))
+            .await;
+
+        let result = match timeout(EXTERNAL_AUTH_REFRESH_TIMEOUT, rx).await {
+            Ok(result) => result.map_err(|err| {
+                std::io::Error::other(format!("auth refresh request canceled: {err}"))
+            })?,
+            Err(_) => {
+                let _canceled = self.outgoing.cancel_request(&request_id).await;
+                return Err(std::io::Error::other(format!(
+                    "auth refresh request timed out after {}s",
+                    EXTERNAL_AUTH_REFRESH_TIMEOUT.as_secs()
+                )));
+            }
+        };
+
+        let response: ChatgptAuthTokensRefreshResponse =
+            serde_json::from_value(result).map_err(std::io::Error::other)?;
+
+        Ok(ExternalAuthTokens {
+            access_token: response.access_token,
+            id_token: response.id_token,
+        })
+    }
+}
+
 pub(crate) struct MessageProcessor {
     outgoing: Arc<OutgoingMessageSender>,
     codex_message_processor: CodexMessageProcessor,
     config_api: ConfigApi,
+    config: Arc<Config>,
     initialized: bool,
     config_warnings: Vec<ConfigWarningNotification>,
 }
 
+pub(crate) struct MessageProcessorArgs {
+    pub(crate) outgoing: OutgoingMessageSender,
+    pub(crate) codex_linux_sandbox_exe: Option<PathBuf>,
+    pub(crate) config: Arc<Config>,
+    pub(crate) cli_overrides: Vec<(String, TomlValue)>,
+    pub(crate) loader_overrides: LoaderOverrides,
+    pub(crate) cloud_requirements: CloudRequirementsLoader,
+    pub(crate) feedback: CodexFeedback,
+    pub(crate) config_warnings: Vec<ConfigWarningNotification>,
+}
+
 impl MessageProcessor {
     /// Create a new `MessageProcessor`, retaining a handle to the outgoing
     /// `Sender` so handlers can enqueue messages to be written to stdout.
-    pub(crate) fn new(
-        outgoing: OutgoingMessageSender,
-        codex_linux_sandbox_exe: Option<PathBuf>,
-        config: Arc<Config>,
-        cli_overrides: Vec<(String, TomlValue)>,
-        loader_overrides: LoaderOverrides,
-        feedback: CodexFeedback,
-        config_warnings: Vec<ConfigWarningNotification>,
-    ) -> Self {
+    pub(crate) fn new(args: MessageProcessorArgs) -> Self {
+        let MessageProcessorArgs {
+            outgoing,
+            codex_linux_sandbox_exe,
+            config,
+            cli_overrides,
+            loader_overrides,
+            cloud_requirements,
+            feedback,
+            config_warnings,
+        } = args;
         let outgoing = Arc::new(outgoing);
         let auth_manager = AuthManager::shared(
             config.codex_home.clone(),
             false,
             config.cli_auth_credentials_store_mode,
         );
+        auth_manager.set_forced_chatgpt_workspace_id(config.forced_chatgpt_workspace_id.clone());
+        auth_manager.set_external_auth_refresher(Arc::new(ExternalAuthRefreshBridge {
+            outgoing: outgoing.clone(),
+        }));
         let thread_manager = Arc::new(ThreadManager::new(
             config.codex_home.clone(),
             auth_manager.clone(),
             SessionSource::VSCode,
         ));
-        let codex_message_processor = CodexMessageProcessor::new(
+        let codex_message_processor = CodexMessageProcessor::new(CodexMessageProcessorArgs {
             auth_manager,
             thread_manager,
-            outgoing.clone(),
+            outgoing: outgoing.clone(),
             codex_linux_sandbox_exe,
-            Arc::clone(&config),
-            cli_overrides.clone(),
+            config: Arc::clone(&config),
+            cli_overrides: cli_overrides.clone(),
+            cloud_requirements: cloud_requirements.clone(),
             feedback,
+        });
+        let config_api = ConfigApi::new(
+            config.codex_home.clone(),
+            cli_overrides,
+            loader_overrides,
+            cloud_requirements,
         );
-        let config_api = ConfigApi::new(config.codex_home.clone(), cli_overrides, loader_overrides);
 
         Self {
             outgoing,
             codex_message_processor,
             config_api,
+            config,
             initialized: false,
             config_warnings,
         }
@@ -151,6 +244,7 @@ impl MessageProcessor {
                             }
                         }
                     }
+                    set_default_client_residency_requirement(self.config.enforce_residency.value());
                     let user_agent_suffix = format!("{name}; {version}");
                     if let Ok(mut suffix) = USER_AGENT_SUFFIX.lock() {
                         *suffix = Some(user_agent_suffix);
@@ -236,8 +330,9 @@ impl MessageProcessor {
     }
 
     /// Handle an error object received from the peer.
-    pub(crate) fn process_error(&mut self, err: JSONRPCError) {
+    pub(crate) async fn process_error(&mut self, err: JSONRPCError) {
         tracing::error!("<- error: {:?}", err);
+        self.outgoing.notify_client_error(err.id, err.error).await;
     }
 
     async fn handle_config_read(&self, request_id: RequestId, params: ConfigReadParams) {

codex-rs/app-server/src/outgoing_message.rs

@@ -39,6 +39,14 @@ impl OutgoingMessageSender {
         &self,
         request: ServerRequestPayload,
     ) -> oneshot::Receiver<Result> {
+        let (_id, rx) = self.send_request_with_id(request).await;
+        rx
+    }
+
+    pub(crate) async fn send_request_with_id(
+        &self,
+        request: ServerRequestPayload,
+    ) -> (RequestId, oneshot::Receiver<Result>) {
         let id = RequestId::Integer(self.next_request_id.fetch_add(1, Ordering::Relaxed));
         let outgoing_message_id = id.clone();
         let (tx_approve, rx_approve) = oneshot::channel();
@@ -54,7 +62,7 @@ impl OutgoingMessageSender {
             let mut request_id_to_callback = self.request_id_to_callback.lock().await;
             request_id_to_callback.remove(&outgoing_message_id);
         }
-        rx_approve
+        (outgoing_message_id, rx_approve)
     }
 
     pub(crate) async fn notify_client_response(&self, id: RequestId, result: Result) {
@@ -75,6 +83,30 @@ impl OutgoingMessageSender {
         }
     }
 
+    pub(crate) async fn notify_client_error(&self, id: RequestId, error: JSONRPCErrorError) {
+        let entry = {
+            let mut request_id_to_callback = self.request_id_to_callback.lock().await;
+            request_id_to_callback.remove_entry(&id)
+        };
+
+        match entry {
+            Some((id, _sender)) => {
+                warn!("client responded with error for {id:?}: {error:?}");
+            }
+            None => {
+                warn!("could not find callback for {id:?}");
+            }
+        }
+    }
+
+    pub(crate) async fn cancel_request(&self, id: &RequestId) -> bool {
+        let entry = {
+            let mut request_id_to_callback = self.request_id_to_callback.lock().await;
+            request_id_to_callback.remove_entry(id)
+        };
+        entry.is_some()
+    }
+
     pub(crate) async fn send_response<T: Serialize>(&self, id: RequestId, response: T) {
         match serde_json::to_value(response) {
             Ok(result) => {

codex-rs/app-server/tests/common/auth_fixtures.rs

@@ -6,6 +6,7 @@ use base64::Engine;
 use base64::engine::general_purpose::URL_SAFE_NO_PAD;
 use chrono::DateTime;
 use chrono::Utc;
+use codex_app_server_protocol::AuthMode;
 use codex_core::auth::AuthCredentialsStoreMode;
 use codex_core::auth::AuthDotJson;
 use codex_core::auth::save_auth;
@@ -158,6 +159,7 @@ pub fn write_chatgpt_auth(
     let last_refresh = fixture.last_refresh.unwrap_or_else(|| Some(Utc::now()));
 
     let auth = AuthDotJson {
+        auth_mode: Some(AuthMode::Chatgpt),
         openai_api_key: None,
         tokens: Some(tokens),
         last_refresh,

codex-rs/app-server/tests/common/mcp_process.rs

@@ -29,11 +29,13 @@ use codex_app_server_protocol::GetAuthStatusParams;
 use codex_app_server_protocol::InitializeParams;
 use codex_app_server_protocol::InterruptConversationParams;
 use codex_app_server_protocol::JSONRPCError;
+use codex_app_server_protocol::JSONRPCErrorError;
 use codex_app_server_protocol::JSONRPCMessage;
 use codex_app_server_protocol::JSONRPCNotification;
 use codex_app_server_protocol::JSONRPCRequest;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::ListConversationsParams;
+use codex_app_server_protocol::LoginAccountParams;
 use codex_app_server_protocol::LoginApiKeyParams;
 use codex_app_server_protocol::ModelListParams;
 use codex_app_server_protocol::NewConversationParams;
@@ -298,6 +300,20 @@ impl McpProcess {
         self.send_request("account/read", params).await
     }
 
+    /// Send an `account/login/start` JSON-RPC request with ChatGPT auth tokens.
+    pub async fn send_chatgpt_auth_tokens_login_request(
+        &mut self,
+        id_token: String,
+        access_token: String,
+    ) -> anyhow::Result<i64> {
+        let params = LoginAccountParams::ChatgptAuthTokens {
+            id_token,
+            access_token,
+        };
+        let params = Some(serde_json::to_value(params)?);
+        self.send_request("account/login/start", params).await
+    }
+
     /// Send a `feedback/upload` JSON-RPC request.
     pub async fn send_feedback_upload_request(
         &mut self,
@@ -608,6 +624,15 @@ impl McpProcess {
             .await
     }
 
+    pub async fn send_error(
+        &mut self,
+        id: RequestId,
+        error: JSONRPCErrorError,
+    ) -> anyhow::Result<()> {
+        self.send_jsonrpc_message(JSONRPCMessage::Error(JSONRPCError { id, error }))
+            .await
+    }
+
     pub async fn send_notification(
         &mut self,
         notification: ClientNotification,
@@ -711,6 +736,10 @@ impl McpProcess {
         Ok(notification)
     }
 
+    pub async fn read_next_message(&mut self) -> anyhow::Result<JSONRPCMessage> {
+        self.read_stream_until_message(|_| true).await
+    }
+
     /// Clears any buffered messages so future reads only consider new stream items.
     ///
     /// We call this when e.g. we want to validate against the next turn and no longer care about

codex-rs/app-server/tests/common/models_cache.rs

@@ -27,7 +27,7 @@ fn preset_to_info(preset: &ModelPreset, priority: i32) -> ModelInfo {
         priority,
         upgrade: preset.upgrade.as_ref().map(|u| u.into()),
         base_instructions: "base instructions".to_string(),
-        model_instructions_template: None,
+        model_messages: None,
         supports_reasoning_summaries: false,
         support_verbosity: false,
         default_verbosity: None,

codex-rs/app-server/tests/common/responses.rs

@@ -67,7 +67,6 @@ pub fn create_request_user_input_sse_response(call_id: &str) -> anyhow::Result<S
             "id": "confirm_path",
             "header": "Confirm",
             "question": "Proceed with the plan?",
-            "isOther": false,
             "options": [{
                 "label": "Yes (Recommended)",
                 "description": "Continue the current plan."

codex-rs/app-server/tests/common/rollout.rs

@@ -81,6 +81,7 @@ pub fn create_fake_rollout_with_source(
         source,
         model_provider: model_provider.map(str::to_string),
         base_instructions: None,
+        dynamic_tools: None,
     };
     let payload = serde_json::to_value(SessionMetaLine {
         meta,
@@ -159,6 +160,7 @@ pub fn create_fake_rollout_with_text_elements(
         source: SessionSource::Cli,
         model_provider: model_provider.map(str::to_string),
         base_instructions: None,
+        dynamic_tools: None,
     };
     let payload = serde_json::to_value(SessionMetaLine {
         meta,

codex-rs/app-server/tests/suite/v2/account.rs

@@ -4,28 +4,43 @@ use app_test_support::McpProcess;
 use app_test_support::to_response;
 
 use app_test_support::ChatGptAuthFixture;
+use app_test_support::ChatGptIdTokenClaims;
+use app_test_support::encode_id_token;
 use app_test_support::write_chatgpt_auth;
+use app_test_support::write_models_cache;
 use codex_app_server_protocol::Account;
 use codex_app_server_protocol::AuthMode;
 use codex_app_server_protocol::CancelLoginAccountParams;
 use codex_app_server_protocol::CancelLoginAccountResponse;
+use codex_app_server_protocol::CancelLoginAccountStatus;
+use codex_app_server_protocol::ChatgptAuthTokensRefreshReason;
+use codex_app_server_protocol::ChatgptAuthTokensRefreshResponse;
 use codex_app_server_protocol::GetAccountParams;
 use codex_app_server_protocol::GetAccountResponse;
 use codex_app_server_protocol::JSONRPCError;
+use codex_app_server_protocol::JSONRPCErrorError;
+use codex_app_server_protocol::JSONRPCNotification;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::LoginAccountResponse;
 use codex_app_server_protocol::LogoutAccountResponse;
 use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::ServerNotification;
+use codex_app_server_protocol::ServerRequest;
+use codex_app_server_protocol::TurnCompletedNotification;
+use codex_app_server_protocol::TurnStatus;
 use codex_core::auth::AuthCredentialsStoreMode;
 use codex_login::login_with_api_key;
 use codex_protocol::account::PlanType as AccountPlanType;
+use core_test_support::responses;
 use pretty_assertions::assert_eq;
+use serde_json::json;
 use serial_test::serial;
 use std::path::Path;
 use std::time::Duration;
 use tempfile::TempDir;
 use tokio::time::timeout;
+use wiremock::MockServer;
+use wiremock::ResponseTemplate;
 
 const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
 
@@ -35,10 +50,14 @@ struct CreateConfigTomlParams {
     forced_method: Option<String>,
     forced_workspace_id: Option<String>,
     requires_openai_auth: Option<bool>,
+    base_url: Option<String>,
 }
 
 fn create_config_toml(codex_home: &Path, params: CreateConfigTomlParams) -> std::io::Result<()> {
     let config_toml = codex_home.join("config.toml");
+    let base_url = params
+        .base_url
+        .unwrap_or_else(|| "http://127.0.0.1:0/v1".to_string());
     let forced_line = if let Some(method) = params.forced_method {
         format!("forced_login_method = \"{method}\"\n")
     } else {
@@ -66,7 +85,7 @@ model_provider = "mock_provider"
 
 [model_providers.mock_provider]
 name = "Mock provider for test"
-base_url = "http://127.0.0.1:0/v1"
+base_url = "{base_url}"
 wire_api = "responses"
 request_max_retries = 0
 stream_max_retries = 0
@@ -133,6 +152,627 @@ async fn logout_account_removes_auth_and_notifies() -> Result<()> {
     Ok(())
 }
 
+#[tokio::test]
+async fn set_auth_token_updates_account_and_notifies() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    let mock_server = MockServer::start().await;
+    create_config_toml(
+        codex_home.path(),
+        CreateConfigTomlParams {
+            requires_openai_auth: Some(true),
+            base_url: Some(format!("{}/v1", mock_server.uri())),
+            ..Default::default()
+        },
+    )?;
+    write_models_cache(codex_home.path())?;
+
+    let id_token = encode_id_token(
+        &ChatGptIdTokenClaims::new()
+            .email("embedded@example.com")
+            .plan_type("pro")
+            .chatgpt_account_id("org-embedded"),
+    )?;
+    let access_token = "access-embedded".to_string();
+
+    let mut mcp = McpProcess::new_with_env(codex_home.path(), &[("OPENAI_API_KEY", None)]).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let set_id = mcp
+        .send_chatgpt_auth_tokens_login_request(id_token.clone(), access_token)
+        .await?;
+    let set_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(set_id)),
+    )
+    .await??;
+    let response: LoginAccountResponse = to_response(set_resp)?;
+    assert_eq!(response, LoginAccountResponse::ChatgptAuthTokens {});
+
+    let note = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("account/updated"),
+    )
+    .await??;
+    let parsed: ServerNotification = note.try_into()?;
+    let ServerNotification::AccountUpdated(payload) = parsed else {
+        bail!("unexpected notification: {parsed:?}");
+    };
+    assert_eq!(payload.auth_mode, Some(AuthMode::ChatgptAuthTokens));
+
+    let get_id = mcp
+        .send_get_account_request(GetAccountParams {
+            refresh_token: false,
+        })
+        .await?;
+    let get_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(get_id)),
+    )
+    .await??;
+    let account: GetAccountResponse = to_response(get_resp)?;
+    assert_eq!(
+        account,
+        GetAccountResponse {
+            account: Some(Account::Chatgpt {
+                email: "embedded@example.com".to_string(),
+                plan_type: AccountPlanType::Pro,
+            }),
+            requires_openai_auth: true,
+        }
+    );
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn account_read_refresh_token_is_noop_in_external_mode() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_config_toml(
+        codex_home.path(),
+        CreateConfigTomlParams {
+            requires_openai_auth: Some(true),
+            ..Default::default()
+        },
+    )?;
+    write_models_cache(codex_home.path())?;
+
+    let id_token = encode_id_token(
+        &ChatGptIdTokenClaims::new()
+            .email("embedded@example.com")
+            .plan_type("pro")
+            .chatgpt_account_id("org-embedded"),
+    )?;
+
+    let mut mcp = McpProcess::new_with_env(codex_home.path(), &[("OPENAI_API_KEY", None)]).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let set_id = mcp
+        .send_chatgpt_auth_tokens_login_request(id_token, "access-embedded".to_string())
+        .await?;
+    let set_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(set_id)),
+    )
+    .await??;
+    let response: LoginAccountResponse = to_response(set_resp)?;
+    assert_eq!(response, LoginAccountResponse::ChatgptAuthTokens {});
+    let _updated = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("account/updated"),
+    )
+    .await??;
+
+    let get_id = mcp
+        .send_get_account_request(GetAccountParams {
+            refresh_token: true,
+        })
+        .await?;
+    let get_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(get_id)),
+    )
+    .await??;
+    let account: GetAccountResponse = to_response(get_resp)?;
+    assert_eq!(
+        account,
+        GetAccountResponse {
+            account: Some(Account::Chatgpt {
+                email: "embedded@example.com".to_string(),
+                plan_type: AccountPlanType::Pro,
+            }),
+            requires_openai_auth: true,
+        }
+    );
+
+    let refresh_request = timeout(
+        Duration::from_millis(250),
+        mcp.read_stream_until_request_message(),
+    )
+    .await;
+    assert!(
+        refresh_request.is_err(),
+        "external mode should not emit account/chatgptAuthTokens/refresh for refreshToken=true"
+    );
+
+    Ok(())
+}
+
+async fn respond_to_refresh_request(
+    mcp: &mut McpProcess,
+    access_token: &str,
+    id_token: &str,
+) -> Result<()> {
+    let refresh_req: ServerRequest = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_request_message(),
+    )
+    .await??;
+    let ServerRequest::ChatgptAuthTokensRefresh { request_id, params } = refresh_req else {
+        bail!("expected account/chatgptAuthTokens/refresh request, got {refresh_req:?}");
+    };
+    assert_eq!(params.reason, ChatgptAuthTokensRefreshReason::Unauthorized);
+    let response = ChatgptAuthTokensRefreshResponse {
+        access_token: access_token.to_string(),
+        id_token: id_token.to_string(),
+    };
+    mcp.send_response(request_id, serde_json::to_value(response)?)
+        .await?;
+    Ok(())
+}
+
+#[tokio::test]
+// 401 response triggers account/chatgptAuthTokens/refresh and retries with new tokens.
+async fn external_auth_refreshes_on_unauthorized() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    let mock_server = MockServer::start().await;
+    create_config_toml(
+        codex_home.path(),
+        CreateConfigTomlParams {
+            requires_openai_auth: Some(true),
+            base_url: Some(format!("{}/v1", mock_server.uri())),
+            ..Default::default()
+        },
+    )?;
+    write_models_cache(codex_home.path())?;
+
+    let success_sse = responses::sse(vec![
+        responses::ev_response_created("resp-turn"),
+        responses::ev_assistant_message("msg-turn", "turn ok"),
+        responses::ev_completed("resp-turn"),
+    ]);
+    let unauthorized = ResponseTemplate::new(401).set_body_json(json!({
+        "error": { "message": "unauthorized" }
+    }));
+    let responses_mock = responses::mount_response_sequence(
+        &mock_server,
+        vec![unauthorized, responses::sse_response(success_sse)],
+    )
+    .await;
+
+    let initial_id_token = encode_id_token(
+        &ChatGptIdTokenClaims::new()
+            .email("initial@example.com")
+            .plan_type("pro")
+            .chatgpt_account_id("org-initial"),
+    )?;
+    let refreshed_id_token = encode_id_token(
+        &ChatGptIdTokenClaims::new()
+            .email("refreshed@example.com")
+            .plan_type("pro")
+            .chatgpt_account_id("org-refreshed"),
+    )?;
+    let initial_access_token = "access-initial".to_string();
+    let refreshed_access_token = "access-refreshed".to_string();
+
+    let mut mcp = McpProcess::new_with_env(codex_home.path(), &[("OPENAI_API_KEY", None)]).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let set_id = mcp
+        .send_chatgpt_auth_tokens_login_request(
+            initial_id_token.clone(),
+            initial_access_token.clone(),
+        )
+        .await?;
+    let set_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(set_id)),
+    )
+    .await??;
+    let response: LoginAccountResponse = to_response(set_resp)?;
+    assert_eq!(response, LoginAccountResponse::ChatgptAuthTokens {});
+    let _updated = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("account/updated"),
+    )
+    .await??;
+
+    let thread_req = mcp
+        .send_thread_start_request(codex_app_server_protocol::ThreadStartParams {
+            model: Some("mock-model".to_string()),
+            ..Default::default()
+        })
+        .await?;
+    let thread_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(thread_req)),
+    )
+    .await??;
+    let thread = to_response::<codex_app_server_protocol::ThreadStartResponse>(thread_resp)?;
+
+    let turn_req = mcp
+        .send_turn_start_request(codex_app_server_protocol::TurnStartParams {
+            thread_id: thread.thread.id,
+            input: vec![codex_app_server_protocol::UserInput::Text {
+                text: "Hello".to_string(),
+                text_elements: Vec::new(),
+            }],
+            ..Default::default()
+        })
+        .await?;
+    respond_to_refresh_request(&mut mcp, &refreshed_access_token, &refreshed_id_token).await?;
+    let _turn_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(turn_req)),
+    )
+    .await??;
+    let _turn_completed = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("turn/completed"),
+    )
+    .await??;
+
+    let requests = responses_mock.requests();
+    assert_eq!(requests.len(), 2);
+    assert_eq!(
+        requests[0].header("authorization"),
+        Some(format!("Bearer {initial_access_token}"))
+    );
+    assert_eq!(
+        requests[1].header("authorization"),
+        Some(format!("Bearer {refreshed_access_token}"))
+    );
+
+    Ok(())
+}
+
+#[tokio::test]
+// Client returns JSON-RPC error to refresh; turn fails.
+async fn external_auth_refresh_error_fails_turn() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    let mock_server = MockServer::start().await;
+    create_config_toml(
+        codex_home.path(),
+        CreateConfigTomlParams {
+            requires_openai_auth: Some(true),
+            base_url: Some(format!("{}/v1", mock_server.uri())),
+            ..Default::default()
+        },
+    )?;
+    write_models_cache(codex_home.path())?;
+
+    let unauthorized = ResponseTemplate::new(401).set_body_json(json!({
+        "error": { "message": "unauthorized" }
+    }));
+    let _responses_mock =
+        responses::mount_response_sequence(&mock_server, vec![unauthorized]).await;
+
+    let initial_id_token = encode_id_token(
+        &ChatGptIdTokenClaims::new()
+            .email("initial@example.com")
+            .plan_type("pro")
+            .chatgpt_account_id("org-initial"),
+    )?;
+
+    let mut mcp = McpProcess::new_with_env(codex_home.path(), &[("OPENAI_API_KEY", None)]).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let set_id = mcp
+        .send_chatgpt_auth_tokens_login_request(initial_id_token, "access-initial".to_string())
+        .await?;
+    let set_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(set_id)),
+    )
+    .await??;
+    let response: LoginAccountResponse = to_response(set_resp)?;
+    assert_eq!(response, LoginAccountResponse::ChatgptAuthTokens {});
+    let _updated = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("account/updated"),
+    )
+    .await??;
+
+    let thread_req = mcp
+        .send_thread_start_request(codex_app_server_protocol::ThreadStartParams {
+            model: Some("mock-model".to_string()),
+            ..Default::default()
+        })
+        .await?;
+    let thread_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(thread_req)),
+    )
+    .await??;
+    let thread = to_response::<codex_app_server_protocol::ThreadStartResponse>(thread_resp)?;
+
+    let turn_req = mcp
+        .send_turn_start_request(codex_app_server_protocol::TurnStartParams {
+            thread_id: thread.thread.id.clone(),
+            input: vec![codex_app_server_protocol::UserInput::Text {
+                text: "Hello".to_string(),
+                text_elements: Vec::new(),
+            }],
+            ..Default::default()
+        })
+        .await?;
+
+    let refresh_req: ServerRequest = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_request_message(),
+    )
+    .await??;
+    let ServerRequest::ChatgptAuthTokensRefresh { request_id, .. } = refresh_req else {
+        bail!("expected account/chatgptAuthTokens/refresh request, got {refresh_req:?}");
+    };
+
+    mcp.send_error(
+        request_id,
+        JSONRPCErrorError {
+            code: -32_000,
+            message: "refresh failed".to_string(),
+            data: None,
+        },
+    )
+    .await?;
+
+    let _turn_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(turn_req)),
+    )
+    .await??;
+    let completed_notif: JSONRPCNotification = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("turn/completed"),
+    )
+    .await??;
+    let completed: TurnCompletedNotification = serde_json::from_value(
+        completed_notif
+            .params
+            .expect("turn/completed params must be present"),
+    )?;
+    assert_eq!(completed.turn.status, TurnStatus::Failed);
+    assert!(completed.turn.error.is_some());
+
+    Ok(())
+}
+
+#[tokio::test]
+// Refresh returns tokens for the wrong workspace; turn fails.
+async fn external_auth_refresh_mismatched_workspace_fails_turn() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    let mock_server = MockServer::start().await;
+    create_config_toml(
+        codex_home.path(),
+        CreateConfigTomlParams {
+            forced_workspace_id: Some("org-expected".to_string()),
+            requires_openai_auth: Some(true),
+            base_url: Some(format!("{}/v1", mock_server.uri())),
+            ..Default::default()
+        },
+    )?;
+    write_models_cache(codex_home.path())?;
+
+    let unauthorized = ResponseTemplate::new(401).set_body_json(json!({
+        "error": { "message": "unauthorized" }
+    }));
+    let _responses_mock =
+        responses::mount_response_sequence(&mock_server, vec![unauthorized]).await;
+
+    let initial_id_token = encode_id_token(
+        &ChatGptIdTokenClaims::new()
+            .email("initial@example.com")
+            .plan_type("pro")
+            .chatgpt_account_id("org-expected"),
+    )?;
+    let refreshed_id_token = encode_id_token(
+        &ChatGptIdTokenClaims::new()
+            .email("refreshed@example.com")
+            .plan_type("pro")
+            .chatgpt_account_id("org-other"),
+    )?;
+
+    let mut mcp = McpProcess::new_with_env(codex_home.path(), &[("OPENAI_API_KEY", None)]).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let set_id = mcp
+        .send_chatgpt_auth_tokens_login_request(initial_id_token, "access-initial".to_string())
+        .await?;
+    let set_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(set_id)),
+    )
+    .await??;
+    let response: LoginAccountResponse = to_response(set_resp)?;
+    assert_eq!(response, LoginAccountResponse::ChatgptAuthTokens {});
+    let _updated = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("account/updated"),
+    )
+    .await??;
+
+    let thread_req = mcp
+        .send_thread_start_request(codex_app_server_protocol::ThreadStartParams {
+            model: Some("mock-model".to_string()),
+            ..Default::default()
+        })
+        .await?;
+    let thread_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(thread_req)),
+    )
+    .await??;
+    let thread = to_response::<codex_app_server_protocol::ThreadStartResponse>(thread_resp)?;
+
+    let turn_req = mcp
+        .send_turn_start_request(codex_app_server_protocol::TurnStartParams {
+            thread_id: thread.thread.id.clone(),
+            input: vec![codex_app_server_protocol::UserInput::Text {
+                text: "Hello".to_string(),
+                text_elements: Vec::new(),
+            }],
+            ..Default::default()
+        })
+        .await?;
+
+    let refresh_req: ServerRequest = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_request_message(),
+    )
+    .await??;
+    let ServerRequest::ChatgptAuthTokensRefresh { request_id, .. } = refresh_req else {
+        bail!("expected account/chatgptAuthTokens/refresh request, got {refresh_req:?}");
+    };
+
+    mcp.send_response(
+        request_id,
+        serde_json::to_value(ChatgptAuthTokensRefreshResponse {
+            access_token: "access-refreshed".to_string(),
+            id_token: refreshed_id_token,
+        })?,
+    )
+    .await?;
+
+    let _turn_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(turn_req)),
+    )
+    .await??;
+    let completed_notif: JSONRPCNotification = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("turn/completed"),
+    )
+    .await??;
+    let completed: TurnCompletedNotification = serde_json::from_value(
+        completed_notif
+            .params
+            .expect("turn/completed params must be present"),
+    )?;
+    assert_eq!(completed.turn.status, TurnStatus::Failed);
+    assert!(completed.turn.error.is_some());
+
+    Ok(())
+}
+
+#[tokio::test]
+// Refresh returns a malformed id_token; turn fails.
+async fn external_auth_refresh_invalid_id_token_fails_turn() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    let mock_server = MockServer::start().await;
+    create_config_toml(
+        codex_home.path(),
+        CreateConfigTomlParams {
+            requires_openai_auth: Some(true),
+            base_url: Some(format!("{}/v1", mock_server.uri())),
+            ..Default::default()
+        },
+    )?;
+    write_models_cache(codex_home.path())?;
+
+    let unauthorized = ResponseTemplate::new(401).set_body_json(json!({
+        "error": { "message": "unauthorized" }
+    }));
+    let _responses_mock =
+        responses::mount_response_sequence(&mock_server, vec![unauthorized]).await;
+
+    let initial_id_token = encode_id_token(
+        &ChatGptIdTokenClaims::new()
+            .email("initial@example.com")
+            .plan_type("pro")
+            .chatgpt_account_id("org-initial"),
+    )?;
+
+    let mut mcp = McpProcess::new_with_env(codex_home.path(), &[("OPENAI_API_KEY", None)]).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let set_id = mcp
+        .send_chatgpt_auth_tokens_login_request(initial_id_token, "access-initial".to_string())
+        .await?;
+    let set_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(set_id)),
+    )
+    .await??;
+    let response: LoginAccountResponse = to_response(set_resp)?;
+    assert_eq!(response, LoginAccountResponse::ChatgptAuthTokens {});
+    let _updated = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("account/updated"),
+    )
+    .await??;
+
+    let thread_req = mcp
+        .send_thread_start_request(codex_app_server_protocol::ThreadStartParams {
+            model: Some("mock-model".to_string()),
+            ..Default::default()
+        })
+        .await?;
+    let thread_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(thread_req)),
+    )
+    .await??;
+    let thread = to_response::<codex_app_server_protocol::ThreadStartResponse>(thread_resp)?;
+
+    let turn_req = mcp
+        .send_turn_start_request(codex_app_server_protocol::TurnStartParams {
+            thread_id: thread.thread.id.clone(),
+            input: vec![codex_app_server_protocol::UserInput::Text {
+                text: "Hello".to_string(),
+                text_elements: Vec::new(),
+            }],
+            ..Default::default()
+        })
+        .await?;
+
+    let refresh_req: ServerRequest = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_request_message(),
+    )
+    .await??;
+    let ServerRequest::ChatgptAuthTokensRefresh { request_id, .. } = refresh_req else {
+        bail!("expected account/chatgptAuthTokens/refresh request, got {refresh_req:?}");
+    };
+
+    mcp.send_response(
+        request_id,
+        serde_json::to_value(ChatgptAuthTokensRefreshResponse {
+            access_token: "access-refreshed".to_string(),
+            id_token: "not-a-jwt".to_string(),
+        })?,
+    )
+    .await?;
+
+    let _turn_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(turn_req)),
+    )
+    .await??;
+    let completed_notif: JSONRPCNotification = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("turn/completed"),
+    )
+    .await??;
+    let completed: TurnCompletedNotification = serde_json::from_value(
+        completed_notif
+            .params
+            .expect("turn/completed params must be present"),
+    )?;
+    assert_eq!(completed.turn.status, TurnStatus::Failed);
+    assert!(completed.turn.error.is_some());
+
+    Ok(())
+}
+
 #[tokio::test]
 async fn login_account_api_key_succeeds_and_notifies() -> Result<()> {
     let codex_home = TempDir::new()?;
@@ -304,6 +944,71 @@ async fn login_account_chatgpt_start_can_be_cancelled() -> Result<()> {
     Ok(())
 }
 
+#[tokio::test]
+// Serialize tests that launch the login server since it binds to a fixed port.
+#[serial(login_port)]
+async fn set_auth_token_cancels_active_chatgpt_login() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_config_toml(codex_home.path(), CreateConfigTomlParams::default())?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    // Initiate the ChatGPT login flow
+    let request_id = mcp.send_login_account_chatgpt_request().await?;
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
+    )
+    .await??;
+
+    let login: LoginAccountResponse = to_response(resp)?;
+    let LoginAccountResponse::Chatgpt { login_id, .. } = login else {
+        bail!("unexpected login response: {login:?}");
+    };
+
+    let id_token = encode_id_token(
+        &ChatGptIdTokenClaims::new()
+            .email("embedded@example.com")
+            .plan_type("pro")
+            .chatgpt_account_id("org-embedded"),
+    )?;
+    // Set an external auth token instead of completing the ChatGPT login flow.
+    // This should cancel the active login attempt.
+    let set_id = mcp
+        .send_chatgpt_auth_tokens_login_request(id_token, "access-embedded".to_string())
+        .await?;
+    let set_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(set_id)),
+    )
+    .await??;
+    let response: LoginAccountResponse = to_response(set_resp)?;
+    assert_eq!(response, LoginAccountResponse::ChatgptAuthTokens {});
+    let _updated = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("account/updated"),
+    )
+    .await??;
+
+    // Verify that the active login attempt was cancelled.
+    // We check this by trying to cancel it and expecting a not found error.
+    let cancel_id = mcp
+        .send_cancel_login_account_request(CancelLoginAccountParams {
+            login_id: login_id.clone(),
+        })
+        .await?;
+    let cancel_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(cancel_id)),
+    )
+    .await??;
+    let cancel: CancelLoginAccountResponse = to_response(cancel_resp)?;
+    assert_eq!(cancel.status, CancelLoginAccountStatus::NotFound);
+
+    Ok(())
+}
+
 #[tokio::test]
 // Serialize tests that launch the login server since it binds to a fixed port.
 #[serial(login_port)]

codex-rs/app-server/tests/suite/v2/mod.rs

@@ -8,6 +8,7 @@ mod dynamic_tools;
 mod initialize;
 mod model_list;
 mod output_schema;
+mod plan_item;
 mod rate_limits;
 mod request_user_input;
 mod review;

codex-rs/app-server/tests/suite/v2/plan_item.rs

@@ -0,0 +1,257 @@
+use anyhow::Result;
+use anyhow::anyhow;
+use app_test_support::McpProcess;
+use app_test_support::create_mock_responses_server_sequence;
+use app_test_support::to_response;
+use codex_app_server_protocol::ItemCompletedNotification;
+use codex_app_server_protocol::ItemStartedNotification;
+use codex_app_server_protocol::JSONRPCMessage;
+use codex_app_server_protocol::JSONRPCResponse;
+use codex_app_server_protocol::PlanDeltaNotification;
+use codex_app_server_protocol::RequestId;
+use codex_app_server_protocol::ThreadItem;
+use codex_app_server_protocol::ThreadStartParams;
+use codex_app_server_protocol::ThreadStartResponse;
+use codex_app_server_protocol::TurnCompletedNotification;
+use codex_app_server_protocol::TurnStartParams;
+use codex_app_server_protocol::TurnStartResponse;
+use codex_app_server_protocol::TurnStatus;
+use codex_app_server_protocol::UserInput as V2UserInput;
+use codex_core::features::FEATURES;
+use codex_core::features::Feature;
+use codex_protocol::config_types::CollaborationMode;
+use codex_protocol::config_types::ModeKind;
+use codex_protocol::config_types::Settings;
+use core_test_support::responses;
+use core_test_support::skip_if_no_network;
+use pretty_assertions::assert_eq;
+use std::collections::BTreeMap;
+use std::path::Path;
+use tempfile::TempDir;
+use tokio::time::timeout;
+
+const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
+
+#[tokio::test]
+async fn plan_mode_uses_proposed_plan_block_for_plan_item() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let plan_block = "<proposed_plan>\n# Final plan\n- first\n- second\n</proposed_plan>\n";
+    let full_message = format!("Preface\n{plan_block}Postscript");
+    let responses = vec![responses::sse(vec![
+        responses::ev_response_created("resp-1"),
+        responses::ev_message_item_added("msg-1", ""),
+        responses::ev_output_text_delta(&full_message),
+        responses::ev_assistant_message("msg-1", &full_message),
+        responses::ev_completed("resp-1"),
+    ])];
+    let server = create_mock_responses_server_sequence(responses).await;
+
+    let codex_home = TempDir::new()?;
+    create_config_toml(codex_home.path(), &server.uri())?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let turn = start_plan_mode_turn(&mut mcp).await?;
+    let (_, completed_items, plan_deltas, turn_completed) =
+        collect_turn_notifications(&mut mcp).await?;
+
+    assert_eq!(turn_completed.turn.id, turn.id);
+    assert_eq!(turn_completed.turn.status, TurnStatus::Completed);
+
+    let expected_plan = ThreadItem::Plan {
+        id: format!("{}-plan", turn.id),
+        text: "# Final plan\n- first\n- second\n".to_string(),
+    };
+    let expected_plan_id = format!("{}-plan", turn.id);
+    let streamed_plan = plan_deltas
+        .iter()
+        .map(|delta| delta.delta.as_str())
+        .collect::<String>();
+    assert_eq!(streamed_plan, "# Final plan\n- first\n- second\n");
+    assert!(
+        plan_deltas
+            .iter()
+            .all(|delta| delta.item_id == expected_plan_id)
+    );
+    let plan_items = completed_items
+        .iter()
+        .filter_map(|item| match item {
+            ThreadItem::Plan { .. } => Some(item.clone()),
+            _ => None,
+        })
+        .collect::<Vec<_>>();
+    assert_eq!(plan_items, vec![expected_plan]);
+    assert!(
+        completed_items
+            .iter()
+            .any(|item| matches!(item, ThreadItem::AgentMessage { .. })),
+        "agent message items should still be emitted alongside the plan item"
+    );
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn plan_mode_without_proposed_plan_does_not_emit_plan_item() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let responses = vec![responses::sse(vec![
+        responses::ev_response_created("resp-1"),
+        responses::ev_assistant_message("msg-1", "Done"),
+        responses::ev_completed("resp-1"),
+    ])];
+    let server = create_mock_responses_server_sequence(responses).await;
+
+    let codex_home = TempDir::new()?;
+    create_config_toml(codex_home.path(), &server.uri())?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let _turn = start_plan_mode_turn(&mut mcp).await?;
+    let (_, completed_items, plan_deltas, _) = collect_turn_notifications(&mut mcp).await?;
+
+    let has_plan_item = completed_items
+        .iter()
+        .any(|item| matches!(item, ThreadItem::Plan { .. }));
+    assert!(!has_plan_item);
+    assert!(plan_deltas.is_empty());
+
+    Ok(())
+}
+
+async fn start_plan_mode_turn(mcp: &mut McpProcess) -> Result<codex_app_server_protocol::Turn> {
+    let thread_req = mcp
+        .send_thread_start_request(ThreadStartParams {
+            model: Some("mock-model".to_string()),
+            ..Default::default()
+        })
+        .await?;
+    let thread_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(thread_req)),
+    )
+    .await??;
+    let thread = to_response::<ThreadStartResponse>(thread_resp)?.thread;
+
+    let collaboration_mode = CollaborationMode {
+        mode: ModeKind::Plan,
+        settings: Settings {
+            model: "mock-model".to_string(),
+            reasoning_effort: None,
+            developer_instructions: None,
+        },
+    };
+    let turn_req = mcp
+        .send_turn_start_request(TurnStartParams {
+            thread_id: thread.id,
+            input: vec![V2UserInput::Text {
+                text: "Plan this".to_string(),
+                text_elements: Vec::new(),
+            }],
+            collaboration_mode: Some(collaboration_mode),
+            ..Default::default()
+        })
+        .await?;
+    let turn_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(turn_req)),
+    )
+    .await??;
+    Ok(to_response::<TurnStartResponse>(turn_resp)?.turn)
+}
+
+async fn collect_turn_notifications(
+    mcp: &mut McpProcess,
+) -> Result<(
+    Vec<ThreadItem>,
+    Vec<ThreadItem>,
+    Vec<PlanDeltaNotification>,
+    TurnCompletedNotification,
+)> {
+    let mut started_items = Vec::new();
+    let mut completed_items = Vec::new();
+    let mut plan_deltas = Vec::new();
+
+    loop {
+        let message = timeout(DEFAULT_READ_TIMEOUT, mcp.read_next_message()).await??;
+        let JSONRPCMessage::Notification(notification) = message else {
+            continue;
+        };
+        match notification.method.as_str() {
+            "item/started" => {
+                let params = notification
+                    .params
+                    .ok_or_else(|| anyhow!("item/started notifications must include params"))?;
+                let payload: ItemStartedNotification = serde_json::from_value(params)?;
+                started_items.push(payload.item);
+            }
+            "item/completed" => {
+                let params = notification
+                    .params
+                    .ok_or_else(|| anyhow!("item/completed notifications must include params"))?;
+                let payload: ItemCompletedNotification = serde_json::from_value(params)?;
+                completed_items.push(payload.item);
+            }
+            "item/plan/delta" => {
+                let params = notification
+                    .params
+                    .ok_or_else(|| anyhow!("item/plan/delta notifications must include params"))?;
+                let payload: PlanDeltaNotification = serde_json::from_value(params)?;
+                plan_deltas.push(payload);
+            }
+            "turn/completed" => {
+                let params = notification
+                    .params
+                    .ok_or_else(|| anyhow!("turn/completed notifications must include params"))?;
+                let payload: TurnCompletedNotification = serde_json::from_value(params)?;
+                return Ok((started_items, completed_items, plan_deltas, payload));
+            }
+            _ => {}
+        }
+    }
+}
+
+fn create_config_toml(codex_home: &Path, server_uri: &str) -> std::io::Result<()> {
+    let features = BTreeMap::from([
+        (Feature::RemoteModels, false),
+        (Feature::CollaborationModes, true),
+    ]);
+    let feature_entries = features
+        .into_iter()
+        .map(|(feature, enabled)| {
+            let key = FEATURES
+                .iter()
+                .find(|spec| spec.id == feature)
+                .map(|spec| spec.key)
+                .unwrap_or_else(|| panic!("missing feature key for {feature:?}"));
+            format!("{key} = {enabled}")
+        })
+        .collect::<Vec<_>>()
+        .join("\n");
+    let config_toml = codex_home.join("config.toml");
+    std::fs::write(
+        config_toml,
+        format!(
+            r#"
+model = "mock-model"
+approval_policy = "never"
+sandbox_mode = "read-only"
+
+model_provider = "mock_provider"
+
+[features]
+{feature_entries}
+
+[model_providers.mock_provider]
+name = "Mock provider for test"
+base_url = "{server_uri}/v1"
+wire_api = "responses"
+request_max_retries = 0
+stream_max_retries = 0
+"#
+        ),
+    )
+}

codex-rs/app-server/tests/suite/v2/thread_resume.rs

@@ -31,7 +31,7 @@ use tempfile::TempDir;
 use tokio::time::timeout;
 
 const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
-const DEFAULT_BASE_INSTRUCTIONS: &str = "You are Codex, based on GPT-5. You are running as a coding agent in the Codex CLI on a user's computer.";
+const CODEX_5_2_INSTRUCTIONS_TEMPLATE_DEFAULT: &str = "You are Codex, a coding agent based on GPT-5. You and the user share the same workspace and collaborate to achieve the user's goals.";
 
 #[tokio::test]
 async fn thread_resume_returns_original_thread() -> Result<()> {
@@ -368,7 +368,7 @@ async fn thread_resume_supports_history_and_overrides() -> Result<()> {
 }
 
 #[tokio::test]
-async fn thread_resume_accepts_personality_override_v2() -> Result<()> {
+async fn thread_resume_accepts_personality_override() -> Result<()> {
     skip_if_no_network!(Ok(()));
 
     let server = responses::start_mock_server().await;
@@ -438,14 +438,14 @@ async fn thread_resume_accepts_personality_override_v2() -> Result<()> {
     let request = response_mock.single_request();
     let developer_texts = request.message_input_texts("developer");
     assert!(
-        !developer_texts
+        developer_texts
             .iter()
             .any(|text| text.contains("<personality_spec>")),
-        "did not expect a personality update message in developer input, got {developer_texts:?}"
+        "expected a personality update message in developer input, got {developer_texts:?}"
     );
     let instructions_text = request.instructions_text();
     assert!(
-        instructions_text.contains(DEFAULT_BASE_INSTRUCTIONS),
+        instructions_text.contains(CODEX_5_2_INSTRUCTIONS_TEMPLATE_DEFAULT),
         "expected default base instructions from history, got {instructions_text:?}"
     );
 
@@ -459,7 +459,7 @@ fn create_config_toml(codex_home: &std::path::Path, server_uri: &str) -> std::io
         config_toml,
         format!(
             r#"
-model = "mock-model"
+model = "gpt-5.2-codex"
 approval_policy = "never"
 sandbox_mode = "read-only"
 
@@ -467,6 +467,7 @@ model_provider = "mock_provider"
 
 [features]
 remote_models = false
+personality = true
 
 [model_providers.mock_provider]
 name = "Mock provider for test"

codex-rs/app-server/tests/suite/v2/turn_start.rs

@@ -63,7 +63,7 @@ async fn turn_start_sends_originator_header() -> Result<()> {
         codex_home.path(),
         &server.uri(),
         "never",
-        &BTreeMap::default(),
+        &BTreeMap::from([(Feature::Personality, true)]),
     )?;
 
     let mut mcp = McpProcess::new(codex_home.path()).await?;
@@ -138,7 +138,7 @@ async fn turn_start_emits_user_message_item_with_text_elements() -> Result<()> {
         codex_home.path(),
         &server.uri(),
         "never",
-        &BTreeMap::default(),
+        &BTreeMap::from([(Feature::Personality, true)]),
     )?;
 
     let mut mcp = McpProcess::new(codex_home.path()).await?;
@@ -230,7 +230,7 @@ async fn turn_start_emits_notifications_and_accepts_model_override() -> Result<(
         codex_home.path(),
         &server.uri(),
         "never",
-        &BTreeMap::default(),
+        &BTreeMap::from([(Feature::Personality, true)]),
     )?;
 
     let mut mcp = McpProcess::new(codex_home.path()).await?;
@@ -425,7 +425,7 @@ async fn turn_start_accepts_personality_override_v2() -> Result<()> {
         codex_home.path(),
         &server.uri(),
         "never",
-        &BTreeMap::default(),
+        &BTreeMap::from([(Feature::Personality, true)]),
     )?;
 
     let mut mcp = McpProcess::new(codex_home.path()).await?;
@@ -473,6 +473,7 @@ async fn turn_start_accepts_personality_override_v2() -> Result<()> {
     if developer_texts.is_empty() {
         eprintln!("request body: {}", request.body_json());
     }
+
     assert!(
         developer_texts
             .iter()

codex-rs/backend-client/src/client.rs

@@ -351,6 +351,7 @@ impl Client {
     fn map_plan_type(plan_type: crate::types::PlanType) -> AccountPlanType {
         match plan_type {
             crate::types::PlanType::Free => AccountPlanType::Free,
+            crate::types::PlanType::Go => AccountPlanType::Go,
             crate::types::PlanType::Plus => AccountPlanType::Plus,
             crate::types::PlanType::Pro => AccountPlanType::Pro,
             crate::types::PlanType::Team => AccountPlanType::Team,
@@ -358,7 +359,6 @@ impl Client {
             crate::types::PlanType::Enterprise => AccountPlanType::Enterprise,
             crate::types::PlanType::Edu | crate::types::PlanType::Education => AccountPlanType::Edu,
             crate::types::PlanType::Guest
-            | crate::types::PlanType::Go
             | crate::types::PlanType::FreeWorkspace
             | crate::types::PlanType::Quorum
             | crate::types::PlanType::K12 => AccountPlanType::Unknown,

codex-rs/chatgpt/src/connectors.rs

@@ -221,7 +221,11 @@ fn normalize_connector_value(value: Option<&str>) -> Option<String> {
 }
 
 const ALLOWED_APPS_SDK_APPS: &[&str] = &["asdk_app_69781557cc1481919cf5e9824fa2e792"];
-const DISALLOWED_CONNECTOR_IDS: &[&str] = &["asdk_app_6938a94a61d881918ef32cb999ff937c"];
+const DISALLOWED_CONNECTOR_IDS: &[&str] = &[
+    "asdk_app_6938a94a61d881918ef32cb999ff937c",
+    "connector_2b0a9009c9c64bf9933a3dae3f2b1254",
+    "connector_68de829bf7648191acd70a907364c67c",
+];
 const DISALLOWED_CONNECTOR_PREFIX: &str = "connector_openai_";
 
 fn filter_disallowed_connectors(connectors: Vec<AppInfo>) -> Vec<AppInfo> {

codex-rs/cli/src/login.rs

@@ -225,7 +225,7 @@ pub async fn run_login_status(cli_config_overrides: CliConfigOverrides) -> ! {
     let config = load_config_or_exit(cli_config_overrides).await;
 
     match CodexAuth::from_auth_storage(&config.codex_home, config.cli_auth_credentials_store_mode) {
-        Ok(Some(auth)) => match auth.mode {
+        Ok(Some(auth)) => match auth.api_auth_mode() {
             AuthMode::ApiKey => match auth.get_token() {
                 Ok(api_key) => {
                     eprintln!("Logged in using an API key - {}", safe_format_key(&api_key));
@@ -236,10 +236,14 @@ pub async fn run_login_status(cli_config_overrides: CliConfigOverrides) -> ! {
                     std::process::exit(1);
                 }
             },
-            AuthMode::ChatGPT => {
+            AuthMode::Chatgpt => {
                 eprintln!("Logged in using ChatGPT");
                 std::process::exit(0);
             }
+            AuthMode::ChatgptAuthTokens => {
+                eprintln!("Logged in using ChatGPT (external tokens)");
+                std::process::exit(0);
+            }
         },
         Ok(None) => {
             eprintln!("Not logged in");

codex-rs/cli/src/main.rs

@@ -39,6 +39,9 @@ use crate::mcp_cmd::McpCli;
 
 use codex_core::config::Config;
 use codex_core::config::ConfigOverrides;
+use codex_core::config::edit::ConfigEditsBuilder;
+use codex_core::config::find_codex_home;
+use codex_core::features::Stage;
 use codex_core::features::is_known_feature_key;
 use codex_core::terminal::TerminalName;
 
@@ -141,7 +144,7 @@ struct CompletionCommand {
 
 #[derive(Debug, Parser)]
 struct ResumeCommand {
-    /// Conversation/session id (UUID). When provided, resumes this session.
+    /// Conversation/session id (UUID) or thread name. UUIDs take precedence if it parses.
     /// If omitted, use --last to pick the most recent recorded session.
     #[arg(value_name = "SESSION_ID")]
     session_id: Option<String>,
@@ -320,6 +323,7 @@ fn format_exit_messages(exit_info: AppExitInfo, color_enabled: bool) -> Vec<Stri
     let AppExitInfo {
         token_usage,
         thread_id: conversation_id,
+        thread_name,
         ..
     } = exit_info;
 
@@ -332,8 +336,9 @@ fn format_exit_messages(exit_info: AppExitInfo, color_enabled: bool) -> Vec<Stri
         codex_core::protocol::FinalOutput::from(token_usage)
     )];
 
-    if let Some(session_id) = conversation_id {
-        let resume_cmd = format!("codex resume {session_id}");
+    if let Some(resume_cmd) =
+        codex_core::util::resume_command(thread_name.as_deref(), conversation_id)
+    {
         let command = if color_enabled {
             resume_cmd.cyan().to_string()
         } else {
@@ -448,6 +453,16 @@ struct FeaturesCli {
 enum FeaturesSubcommand {
     /// List known features with their stage and effective state.
     List,
+    /// Enable a feature in config.toml.
+    Enable(FeatureSetArgs),
+    /// Disable a feature in config.toml.
+    Disable(FeatureSetArgs),
+}
+
+#[derive(Debug, Parser)]
+struct FeatureSetArgs {
+    /// Feature key to update (for example: unified_exec).
+    feature: String,
 }
 
 fn stage_str(stage: codex_core::features::Stage) -> &'static str {
@@ -711,12 +726,69 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
                     println!("{name:<name_width$}  {stage:<stage_width$}  {enabled}");
                 }
             }
+            FeaturesSubcommand::Enable(FeatureSetArgs { feature }) => {
+                enable_feature_in_config(&interactive, &feature).await?;
+            }
+            FeaturesSubcommand::Disable(FeatureSetArgs { feature }) => {
+                disable_feature_in_config(&interactive, &feature).await?;
+            }
         },
     }
 
     Ok(())
 }
 
+async fn enable_feature_in_config(interactive: &TuiCli, feature: &str) -> anyhow::Result<()> {
+    FeatureToggles::validate_feature(feature)?;
+    let codex_home = find_codex_home()?;
+    ConfigEditsBuilder::new(&codex_home)
+        .with_profile(interactive.config_profile.as_deref())
+        .set_feature_enabled(feature, true)
+        .apply()
+        .await?;
+    println!("Enabled feature `{feature}` in config.toml.");
+    maybe_print_under_development_feature_warning(&codex_home, interactive, feature);
+    Ok(())
+}
+
+async fn disable_feature_in_config(interactive: &TuiCli, feature: &str) -> anyhow::Result<()> {
+    FeatureToggles::validate_feature(feature)?;
+    let codex_home = find_codex_home()?;
+    ConfigEditsBuilder::new(&codex_home)
+        .with_profile(interactive.config_profile.as_deref())
+        .set_feature_enabled(feature, false)
+        .apply()
+        .await?;
+    println!("Disabled feature `{feature}` in config.toml.");
+    Ok(())
+}
+
+fn maybe_print_under_development_feature_warning(
+    codex_home: &std::path::Path,
+    interactive: &TuiCli,
+    feature: &str,
+) {
+    if interactive.config_profile.is_some() {
+        return;
+    }
+
+    let Some(spec) = codex_core::features::FEATURES
+        .iter()
+        .find(|spec| spec.key == feature)
+    else {
+        return;
+    };
+    if !matches!(spec.stage, Stage::UnderDevelopment) {
+        return;
+    }
+
+    let config_path = codex_home.join(codex_core::config::CONFIG_TOML_FILE);
+    eprintln!(
+        "Under-development features enabled: {feature}. Under-development features are incomplete and may behave unpredictably. To suppress this warning, set `suppress_unstable_features_warning = true` in {}.",
+        config_path.display()
+    );
+}
+
 /// Prepend root-level overrides so they have lower precedence than
 /// CLI-specific ones specified after the subcommand (if any).
 fn prepend_config_flags(
@@ -958,7 +1030,7 @@ mod tests {
         app_server
     }
 
-    fn sample_exit_info(conversation: Option<&str>) -> AppExitInfo {
+    fn sample_exit_info(conversation_id: Option<&str>, thread_name: Option<&str>) -> AppExitInfo {
         let token_usage = TokenUsage {
             output_tokens: 2,
             total_tokens: 2,
@@ -966,7 +1038,10 @@ mod tests {
         };
         AppExitInfo {
             token_usage,
-            thread_id: conversation.map(ThreadId::from_string).map(Result::unwrap),
+            thread_id: conversation_id
+                .map(ThreadId::from_string)
+                .map(Result::unwrap),
+            thread_name: thread_name.map(str::to_string),
             update_action: None,
             exit_reason: ExitReason::UserRequested,
         }
@@ -977,6 +1052,7 @@ mod tests {
         let exit_info = AppExitInfo {
             token_usage: TokenUsage::default(),
             thread_id: None,
+            thread_name: None,
             update_action: None,
             exit_reason: ExitReason::UserRequested,
         };
@@ -986,7 +1062,7 @@ mod tests {
 
     #[test]
     fn format_exit_messages_includes_resume_hint_without_color() {
-        let exit_info = sample_exit_info(Some("123e4567-e89b-12d3-a456-426614174000"));
+        let exit_info = sample_exit_info(Some("123e4567-e89b-12d3-a456-426614174000"), None);
         let lines = format_exit_messages(exit_info, false);
         assert_eq!(
             lines,
@@ -1000,12 +1076,28 @@ mod tests {
 
     #[test]
     fn format_exit_messages_applies_color_when_enabled() {
-        let exit_info = sample_exit_info(Some("123e4567-e89b-12d3-a456-426614174000"));
+        let exit_info = sample_exit_info(Some("123e4567-e89b-12d3-a456-426614174000"), None);
         let lines = format_exit_messages(exit_info, true);
         assert_eq!(lines.len(), 2);
         assert!(lines[1].contains("\u{1b}[36m"));
     }
 
+    #[test]
+    fn format_exit_messages_prefers_thread_name() {
+        let exit_info = sample_exit_info(
+            Some("123e4567-e89b-12d3-a456-426614174000"),
+            Some("my-thread"),
+        );
+        let lines = format_exit_messages(exit_info, false);
+        assert_eq!(
+            lines,
+            vec![
+                "Token usage: total=2 input=0 output=2".to_string(),
+                "To continue this session, run codex resume my-thread".to_string(),
+            ]
+        );
+    }
+
     #[test]
     fn resume_model_flag_applies_when_no_root_flags() {
         let interactive =
@@ -1171,6 +1263,32 @@ mod tests {
         assert!(app_server.analytics_default_enabled);
     }
 
+    #[test]
+    fn features_enable_parses_feature_name() {
+        let cli = MultitoolCli::try_parse_from(["codex", "features", "enable", "unified_exec"])
+            .expect("parse should succeed");
+        let Some(Subcommand::Features(FeaturesCli { sub })) = cli.subcommand else {
+            panic!("expected features subcommand");
+        };
+        let FeaturesSubcommand::Enable(FeatureSetArgs { feature }) = sub else {
+            panic!("expected features enable");
+        };
+        assert_eq!(feature, "unified_exec");
+    }
+
+    #[test]
+    fn features_disable_parses_feature_name() {
+        let cli = MultitoolCli::try_parse_from(["codex", "features", "disable", "shell_tool"])
+            .expect("parse should succeed");
+        let Some(Subcommand::Features(FeaturesCli { sub })) = cli.subcommand else {
+            panic!("expected features subcommand");
+        };
+        let FeaturesSubcommand::Disable(FeatureSetArgs { feature }) = sub else {
+            panic!("expected features disable");
+        };
+        assert_eq!(feature, "shell_tool");
+    }
+
     #[test]
     fn feature_toggles_known_features_generate_overrides() {
         let toggles = FeatureToggles {

codex-rs/cli/tests/features.rs

@@ -0,0 +1,58 @@
+use std::path::Path;
+
+use anyhow::Result;
+use predicates::str::contains;
+use tempfile::TempDir;
+
+fn codex_command(codex_home: &Path) -> Result<assert_cmd::Command> {
+    let mut cmd = assert_cmd::Command::new(codex_utils_cargo_bin::cargo_bin("codex")?);
+    cmd.env("CODEX_HOME", codex_home);
+    Ok(cmd)
+}
+
+#[tokio::test]
+async fn features_enable_writes_feature_flag_to_config() -> Result<()> {
+    let codex_home = TempDir::new()?;
+
+    let mut cmd = codex_command(codex_home.path())?;
+    cmd.args(["features", "enable", "unified_exec"])
+        .assert()
+        .success()
+        .stdout(contains("Enabled feature `unified_exec` in config.toml."));
+
+    let config = std::fs::read_to_string(codex_home.path().join("config.toml"))?;
+    assert!(config.contains("[features]"));
+    assert!(config.contains("unified_exec = true"));
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn features_disable_writes_feature_flag_to_config() -> Result<()> {
+    let codex_home = TempDir::new()?;
+
+    let mut cmd = codex_command(codex_home.path())?;
+    cmd.args(["features", "disable", "shell_tool"])
+        .assert()
+        .success()
+        .stdout(contains("Disabled feature `shell_tool` in config.toml."));
+
+    let config = std::fs::read_to_string(codex_home.path().join("config.toml"))?;
+    assert!(config.contains("[features]"));
+    assert!(config.contains("shell_tool = false"));
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn features_enable_under_development_feature_prints_warning() -> Result<()> {
+    let codex_home = TempDir::new()?;
+
+    let mut cmd = codex_command(codex_home.path())?;
+    cmd.args(["features", "enable", "sqlite"])
+        .assert()
+        .success()
+        .stderr(contains("Under-development features enabled: sqlite."));
+
+    Ok(())
+}

codex-rs/cloud-requirements/BUILD.bazel

@@ -0,0 +1,6 @@
+load("//:defs.bzl", "codex_rust_crate")
+
+codex_rust_crate(
+    name = "cloud-requirements",
+    crate_name = "codex_cloud_requirements",
+)

codex-rs/cloud-requirements/Cargo.toml

@@ -0,0 +1,27 @@
+[package]
+name = "codex-cloud-requirements"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+
+[lints]
+workspace = true
+
+[dependencies]
+async-trait = { workspace = true }
+codex-backend-client = { workspace = true }
+codex-core = { workspace = true }
+codex-otel = { workspace = true }
+codex-protocol = { workspace = true }
+tokio = { workspace = true, features = ["sync", "time"] }
+thiserror = { workspace = true }
+toml = { workspace = true }
+tracing = { workspace = true }
+
+[dev-dependencies]
+anyhow = { workspace = true }
+base64 = { workspace = true }
+pretty_assertions = { workspace = true }
+serde_json = { workspace = true }
+tempfile = { workspace = true }
+tokio = { workspace = true, features = ["macros", "rt", "test-util", "time"] }

codex-rs/cloud-requirements/src/lib.rs

@@ -0,0 +1,459 @@
+//! Cloud-hosted config requirements for Codex.
+//!
+//! This crate fetches `requirements.toml` data from the backend as an alternative to loading it
+//! from the local filesystem. It only applies to Enterprise ChatGPT customers.
+//!
+//! Enterprise ChatGPT customers must successfully fetch these requirements before Codex will run.
+
+use async_trait::async_trait;
+use codex_backend_client::Client as BackendClient;
+use codex_core::AuthManager;
+use codex_core::auth::CodexAuth;
+use codex_core::config_loader::CloudRequirementsLoader;
+use codex_core::config_loader::ConfigRequirementsToml;
+use codex_protocol::account::PlanType;
+use std::io;
+use std::sync::Arc;
+use std::time::Duration;
+use std::time::Instant;
+use thiserror::Error;
+use tokio::time::timeout;
+
+/// This blocks codecs startup, so must be short.
+const CLOUD_REQUIREMENTS_TIMEOUT: Duration = Duration::from_secs(5);
+
+#[derive(Debug, Error, Clone, PartialEq, Eq)]
+enum CloudRequirementsError {
+    #[error("cloud requirements user error: {0}")]
+    User(CloudRequirementsUserError),
+    #[error("cloud requirements network error: {0}")]
+    Network(CloudRequirementsNetworkError),
+}
+
+impl From<CloudRequirementsUserError> for CloudRequirementsError {
+    fn from(err: CloudRequirementsUserError) -> Self {
+        CloudRequirementsError::User(err)
+    }
+}
+
+impl From<CloudRequirementsNetworkError> for CloudRequirementsError {
+    fn from(err: CloudRequirementsNetworkError) -> Self {
+        CloudRequirementsError::Network(err)
+    }
+}
+
+impl From<CloudRequirementsError> for io::Error {
+    fn from(err: CloudRequirementsError) -> Self {
+        let kind = match &err {
+            CloudRequirementsError::User(_) => io::ErrorKind::InvalidData,
+            CloudRequirementsError::Network(CloudRequirementsNetworkError::Timeout { .. }) => {
+                io::ErrorKind::TimedOut
+            }
+            CloudRequirementsError::Network(_) => io::ErrorKind::Other,
+        };
+        io::Error::new(kind, err)
+    }
+}
+
+#[derive(Debug, Error, Clone, PartialEq, Eq)]
+enum CloudRequirementsUserError {
+    #[error("failed to parse requirements TOML: {message}")]
+    InvalidToml { message: String },
+}
+
+#[derive(Debug, Error, Clone, PartialEq, Eq)]
+enum CloudRequirementsNetworkError {
+    #[error("backend client initialization failed: {message}")]
+    BackendClient { message: String },
+    #[error("request failed: {message}")]
+    Request { message: String },
+    #[error("cloud requirements response missing contents")]
+    MissingContents,
+    #[error("timed out after {timeout_ms}ms")]
+    Timeout { timeout_ms: u64 },
+    #[error("cloud requirements task failed: {message}")]
+    Task { message: String },
+}
+
+#[async_trait]
+trait RequirementsFetcher: Send + Sync {
+    /// Returns requirements as a TOML string.
+    async fn fetch_requirements(&self, auth: &CodexAuth) -> Result<String, CloudRequirementsError>;
+}
+
+struct BackendRequirementsFetcher {
+    base_url: String,
+}
+
+impl BackendRequirementsFetcher {
+    fn new(base_url: String) -> Self {
+        Self { base_url }
+    }
+}
+
+#[async_trait]
+impl RequirementsFetcher for BackendRequirementsFetcher {
+    async fn fetch_requirements(&self, auth: &CodexAuth) -> Result<String, CloudRequirementsError> {
+        let client = BackendClient::from_auth(self.base_url.clone(), auth)
+            .inspect_err(|err| {
+                tracing::warn!(
+                    error = %err,
+                    "Failed to construct backend client for cloud requirements"
+                );
+            })
+            .map_err(|err| CloudRequirementsNetworkError::BackendClient {
+                message: err.to_string(),
+            })
+            .map_err(CloudRequirementsError::from)?;
+
+        let response = client
+            .get_config_requirements_file()
+            .await
+            .inspect_err(|err| tracing::warn!(error = %err, "Failed to fetch cloud requirements"))
+            .map_err(|err| CloudRequirementsNetworkError::Request {
+                message: err.to_string(),
+            })
+            .map_err(CloudRequirementsError::from)?;
+
+        let Some(contents) = response.contents else {
+            tracing::warn!("Cloud requirements response missing contents");
+            return Err(CloudRequirementsError::from(
+                CloudRequirementsNetworkError::MissingContents,
+            ));
+        };
+
+        Ok(contents)
+    }
+}
+
+struct CloudRequirementsService {
+    auth_manager: Arc<AuthManager>,
+    fetcher: Arc<dyn RequirementsFetcher>,
+    timeout: Duration,
+}
+
+impl CloudRequirementsService {
+    fn new(
+        auth_manager: Arc<AuthManager>,
+        fetcher: Arc<dyn RequirementsFetcher>,
+        timeout: Duration,
+    ) -> Self {
+        Self {
+            auth_manager,
+            fetcher,
+            timeout,
+        }
+    }
+
+    async fn fetch_with_timeout(
+        &self,
+    ) -> Result<Option<ConfigRequirementsToml>, CloudRequirementsError> {
+        let _timer =
+            codex_otel::start_global_timer("codex.cloud_requirements.fetch.duration_ms", &[]);
+        let started_at = Instant::now();
+        let result = timeout(self.timeout, self.fetch()).await.map_err(|_| {
+            CloudRequirementsNetworkError::Timeout {
+                timeout_ms: self.timeout.as_millis() as u64,
+            }
+        })?;
+
+        let elapsed_ms = started_at.elapsed().as_millis();
+        match result.as_ref() {
+            Ok(Some(requirements)) => {
+                tracing::info!(
+                    elapsed_ms,
+                    status = "success",
+                    requirements = ?requirements,
+                    "Cloud requirements load completed"
+                );
+                println!(
+                    "cloud_requirements status=success elapsed_ms={elapsed_ms} value={requirements:?}"
+                );
+            }
+            Ok(None) => {
+                tracing::info!(
+                    elapsed_ms,
+                    status = "none",
+                    requirements = %"none",
+                    "Cloud requirements load completed"
+                );
+                println!("cloud_requirements status=none elapsed_ms={elapsed_ms} value=none");
+            }
+            Err(err) => {
+                tracing::warn!(
+                    elapsed_ms,
+                    status = "error",
+                    requirements = %"none",
+                    error = %err,
+                    "Cloud requirements load failed"
+                );
+                println!(
+                    "cloud_requirements status=error elapsed_ms={elapsed_ms} value=none error={err}"
+                );
+            }
+        }
+
+        result
+    }
+
+    async fn fetch(&self) -> Result<Option<ConfigRequirementsToml>, CloudRequirementsError> {
+        let auth = match self.auth_manager.auth().await {
+            Some(auth) => auth,
+            None => return Ok(None),
+        };
+        if !(auth.is_chatgpt_auth() && auth.account_plan_type() == Some(PlanType::Enterprise)) {
+            return Ok(None);
+        }
+
+        let contents = self.fetcher.fetch_requirements(&auth).await?;
+        parse_cloud_requirements(&contents)
+            .inspect_err(|err| tracing::warn!(error = %err, "Failed to parse cloud requirements"))
+            .map_err(CloudRequirementsError::from)
+    }
+}
+
+pub fn cloud_requirements_loader(
+    auth_manager: Arc<AuthManager>,
+    chatgpt_base_url: String,
+) -> CloudRequirementsLoader {
+    let service = CloudRequirementsService::new(
+        auth_manager,
+        Arc::new(BackendRequirementsFetcher::new(chatgpt_base_url)),
+        CLOUD_REQUIREMENTS_TIMEOUT,
+    );
+    let task = tokio::spawn(async move { service.fetch_with_timeout().await });
+    CloudRequirementsLoader::new(async move {
+        task.await
+            .map_err(|err| {
+                CloudRequirementsError::from(CloudRequirementsNetworkError::Task {
+                    message: err.to_string(),
+                })
+            })
+            .and_then(std::convert::identity)
+            .map_err(io::Error::from)
+            .inspect_err(|err| tracing::warn!(error = %err, "Cloud requirements task failed"))
+    })
+}
+
+fn parse_cloud_requirements(
+    contents: &str,
+) -> Result<Option<ConfigRequirementsToml>, CloudRequirementsUserError> {
+    if contents.trim().is_empty() {
+        return Ok(None);
+    }
+
+    let requirements: ConfigRequirementsToml =
+        toml::from_str(contents).map_err(|err| CloudRequirementsUserError::InvalidToml {
+            message: err.to_string(),
+        })?;
+    if requirements.is_empty() {
+        Ok(None)
+    } else {
+        Ok(Some(requirements))
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use anyhow::Result;
+    use base64::Engine;
+    use base64::engine::general_purpose::URL_SAFE_NO_PAD;
+    use codex_core::auth::AuthCredentialsStoreMode;
+    use codex_protocol::protocol::AskForApproval;
+    use pretty_assertions::assert_eq;
+    use serde_json::json;
+    use std::future::pending;
+    use std::path::Path;
+    use tempfile::tempdir;
+
+    fn write_auth_json(codex_home: &Path, value: serde_json::Value) -> Result<()> {
+        std::fs::write(codex_home.join("auth.json"), serde_json::to_string(&value)?)?;
+        Ok(())
+    }
+
+    fn auth_manager_with_api_key() -> Result<Arc<AuthManager>> {
+        let tmp = tempdir()?;
+        let auth_json = json!({
+            "OPENAI_API_KEY": "sk-test-key",
+            "tokens": null,
+            "last_refresh": null,
+        });
+        write_auth_json(tmp.path(), auth_json)?;
+        Ok(Arc::new(AuthManager::new(
+            tmp.path().to_path_buf(),
+            false,
+            AuthCredentialsStoreMode::File,
+        )))
+    }
+
+    fn auth_manager_with_plan(plan_type: &str) -> Result<Arc<AuthManager>> {
+        let tmp = tempdir()?;
+        let header = json!({ "alg": "none", "typ": "JWT" });
+        let auth_payload = json!({
+            "chatgpt_plan_type": plan_type,
+            "chatgpt_user_id": "user-12345",
+            "user_id": "user-12345",
+        });
+        let payload = json!({
+            "email": "user@example.com",
+            "https://api.openai.com/auth": auth_payload,
+        });
+        let header_b64 = URL_SAFE_NO_PAD.encode(serde_json::to_vec(&header)?);
+        let payload_b64 = URL_SAFE_NO_PAD.encode(serde_json::to_vec(&payload)?);
+        let signature_b64 = URL_SAFE_NO_PAD.encode(b"sig");
+        let fake_jwt = format!("{header_b64}.{payload_b64}.{signature_b64}");
+
+        let auth_json = json!({
+            "OPENAI_API_KEY": null,
+            "tokens": {
+                "id_token": fake_jwt,
+                "access_token": "test-access-token",
+                "refresh_token": "test-refresh-token",
+            },
+            "last_refresh": null,
+        });
+        write_auth_json(tmp.path(), auth_json)?;
+        Ok(Arc::new(AuthManager::new(
+            tmp.path().to_path_buf(),
+            false,
+            AuthCredentialsStoreMode::File,
+        )))
+    }
+
+    fn parse_for_fetch(
+        contents: Option<&str>,
+    ) -> Result<Option<ConfigRequirementsToml>, CloudRequirementsUserError> {
+        contents.map(parse_cloud_requirements).unwrap_or(Ok(None))
+    }
+
+    struct StaticFetcher {
+        result: Result<String, CloudRequirementsError>,
+    }
+
+    #[async_trait::async_trait]
+    impl RequirementsFetcher for StaticFetcher {
+        async fn fetch_requirements(
+            &self,
+            _auth: &CodexAuth,
+        ) -> Result<String, CloudRequirementsError> {
+            self.result.clone()
+        }
+    }
+
+    struct PendingFetcher;
+
+    #[async_trait::async_trait]
+    impl RequirementsFetcher for PendingFetcher {
+        async fn fetch_requirements(
+            &self,
+            _auth: &CodexAuth,
+        ) -> Result<String, CloudRequirementsError> {
+            pending::<()>().await;
+            Ok(String::new())
+        }
+    }
+
+    #[tokio::test]
+    async fn fetch_cloud_requirements_skips_non_chatgpt_auth() -> Result<()> {
+        let service = CloudRequirementsService::new(
+            auth_manager_with_api_key()?,
+            Arc::new(StaticFetcher {
+                result: Ok(String::new()),
+            }),
+            CLOUD_REQUIREMENTS_TIMEOUT,
+        );
+        assert_eq!(service.fetch().await, Ok(None));
+        Ok(())
+    }
+
+    #[tokio::test]
+    async fn fetch_cloud_requirements_skips_non_enterprise_plan() -> Result<()> {
+        let service = CloudRequirementsService::new(
+            auth_manager_with_plan("pro")?,
+            Arc::new(StaticFetcher {
+                result: Ok(String::new()),
+            }),
+            CLOUD_REQUIREMENTS_TIMEOUT,
+        );
+        assert_eq!(service.fetch().await, Ok(None));
+        Ok(())
+    }
+
+    #[tokio::test]
+    async fn fetch_cloud_requirements_returns_missing_contents_error() -> Result<()> {
+        let service = CloudRequirementsService::new(
+            auth_manager_with_plan("enterprise")?,
+            Arc::new(StaticFetcher {
+                result: Err(CloudRequirementsError::Network(
+                    CloudRequirementsNetworkError::MissingContents,
+                )),
+            }),
+            CLOUD_REQUIREMENTS_TIMEOUT,
+        );
+        assert_eq!(
+            service.fetch().await,
+            Err(CloudRequirementsError::Network(
+                CloudRequirementsNetworkError::MissingContents
+            ))
+        );
+        Ok(())
+    }
+
+    #[tokio::test]
+    async fn fetch_cloud_requirements_handles_empty_contents() -> Result<()> {
+        assert_eq!(parse_for_fetch(Some("   ")), Ok(None));
+        Ok(())
+    }
+
+    #[tokio::test]
+    async fn fetch_cloud_requirements_handles_invalid_toml() -> Result<()> {
+        assert!(matches!(
+            parse_for_fetch(Some("not = [")),
+            Err(CloudRequirementsUserError::InvalidToml { .. })
+        ));
+        Ok(())
+    }
+
+    #[tokio::test]
+    async fn fetch_cloud_requirements_ignores_empty_requirements() -> Result<()> {
+        assert_eq!(parse_for_fetch(Some("# comment")), Ok(None));
+        Ok(())
+    }
+
+    #[tokio::test]
+    async fn fetch_cloud_requirements_parses_valid_toml() -> Result<()> {
+        assert_eq!(
+            parse_for_fetch(Some("allowed_approval_policies = [\"never\"]")),
+            Ok(Some(ConfigRequirementsToml {
+                allowed_approval_policies: Some(vec![AskForApproval::Never]),
+                allowed_sandbox_modes: None,
+                mcp_servers: None,
+                rules: None,
+                enforce_residency: None,
+            }))
+        );
+        Ok(())
+    }
+
+    #[tokio::test(start_paused = true)]
+    async fn fetch_cloud_requirements_times_out() -> Result<()> {
+        let service = CloudRequirementsService::new(
+            auth_manager_with_plan("enterprise")?,
+            Arc::new(PendingFetcher),
+            CLOUD_REQUIREMENTS_TIMEOUT,
+        );
+        let handle = tokio::spawn(async move { service.fetch_with_timeout().await });
+        tokio::time::advance(CLOUD_REQUIREMENTS_TIMEOUT + Duration::from_millis(1)).await;
+
+        assert_eq!(
+            handle.await?,
+            Err(CloudRequirementsError::Network(
+                CloudRequirementsNetworkError::Timeout {
+                    timeout_ms: CLOUD_REQUIREMENTS_TIMEOUT.as_millis() as u64,
+                }
+            ))
+        );
+        Ok(())
+    }
+}

codex-rs/codex-api/src/lib.rs

@@ -33,6 +33,7 @@ pub use crate::endpoint::responses_websocket::ResponsesWebsocketConnection;
 pub use crate::error::ApiError;
 pub use crate::provider::Provider;
 pub use crate::provider::WireApi;
+pub use crate::provider::is_azure_responses_wire_base_url;
 pub use crate::requests::ChatRequest;
 pub use crate::requests::ChatRequestBuilder;
 pub use crate::requests::ResponsesRequest;

codex-rs/codex-api/src/provider.rs

@@ -95,16 +95,7 @@ impl Provider {
     }
 
     pub fn is_azure_responses_endpoint(&self) -> bool {
-        if self.wire != WireApi::Responses {
-            return false;
-        }
-
-        if self.name.eq_ignore_ascii_case("azure") {
-            return true;
-        }
-
-        self.base_url.to_ascii_lowercase().contains("openai.azure.")
-            || matches_azure_responses_base_url(&self.base_url)
+        is_azure_responses_wire_base_url(self.wire.clone(), &self.name, Some(&self.base_url))
     }
 
     pub fn websocket_url_for_path(&self, path: &str) -> Result<Url, url::ParseError> {
@@ -121,6 +112,23 @@ impl Provider {
     }
 }
 
+pub fn is_azure_responses_wire_base_url(wire: WireApi, name: &str, base_url: Option<&str>) -> bool {
+    if wire != WireApi::Responses {
+        return false;
+    }
+
+    if name.eq_ignore_ascii_case("azure") {
+        return true;
+    }
+
+    let Some(base_url) = base_url else {
+        return false;
+    };
+
+    let base = base_url.to_ascii_lowercase();
+    base.contains("openai.azure.") || matches_azure_responses_base_url(&base)
+}
+
 fn matches_azure_responses_base_url(base_url: &str) -> bool {
     const AZURE_MARKERS: [&str; 5] = [
         "cognitiveservices.azure.",
@@ -129,6 +137,54 @@ fn matches_azure_responses_base_url(base_url: &str) -> bool {
         "azurefd.",
         "windows.net/openai",
     ];
-    let base = base_url.to_ascii_lowercase();
-    AZURE_MARKERS.iter().any(|marker| base.contains(marker))
+    AZURE_MARKERS.iter().any(|marker| base_url.contains(marker))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn detects_azure_responses_base_urls() {
+        let positive_cases = [
+            "https://foo.openai.azure.com/openai",
+            "https://foo.openai.azure.us/openai/deployments/bar",
+            "https://foo.cognitiveservices.azure.cn/openai",
+            "https://foo.aoai.azure.com/openai",
+            "https://foo.openai.azure-api.net/openai",
+            "https://foo.z01.azurefd.net/",
+        ];
+
+        for base_url in positive_cases {
+            assert!(
+                is_azure_responses_wire_base_url(WireApi::Responses, "test", Some(base_url)),
+                "expected {base_url} to be detected as Azure"
+            );
+        }
+
+        assert!(is_azure_responses_wire_base_url(
+            WireApi::Responses,
+            "Azure",
+            Some("https://example.com")
+        ));
+
+        let negative_cases = [
+            "https://api.openai.com/v1",
+            "https://example.com/openai",
+            "https://myproxy.azurewebsites.net/openai",
+        ];
+
+        for base_url in negative_cases {
+            assert!(
+                !is_azure_responses_wire_base_url(WireApi::Responses, "test", Some(base_url)),
+                "expected {base_url} not to be detected as Azure"
+            );
+        }
+
+        assert!(!is_azure_responses_wire_base_url(
+            WireApi::Chat,
+            "Azure",
+            Some("https://foo.openai.azure.com/openai")
+        ));
+    }
 }

codex-rs/codex-api/tests/models_integration.rs

@@ -77,7 +77,7 @@ async fn models_client_hits_models_endpoint() {
             priority: 1,
             upgrade: None,
             base_instructions: "base instructions".to_string(),
-            model_instructions_template: None,
+            model_messages: None,
             supports_reasoning_summaries: false,
             support_verbosity: false,
             default_verbosity: None,

codex-rs/core/Cargo.toml

@@ -39,11 +39,11 @@ codex-protocol = { workspace = true }
 codex-rmcp-client = { workspace = true }
 codex-state = { workspace = true }
 codex-utils-absolute-path = { workspace = true }
+codex-utils-home-dir = { workspace = true }
 codex-utils-pty = { workspace = true }
 codex-utils-readiness = { workspace = true }
 codex-utils-string = { workspace = true }
 codex-windows-sandbox = { package = "codex-windows-sandbox", path = "../windows-sandbox-rs" }
-dirs = { workspace = true }
 dunce = { workspace = true }
 encoding_rs = { workspace = true }
 env-flags = { workspace = true }

codex-rs/core/config.schema.json

@@ -111,6 +111,13 @@
             "auto"
           ],
           "type": "string"
+        },
+        {
+          "description": "Store credentials in memory only for the current process.",
+          "enum": [
+            "ephemeral"
+          ],
+          "type": "string"
         }
       ]
     },
@@ -207,6 +214,9 @@
             "shell_tool": {
               "type": "boolean"
             },
+            "skill_env_var_dependency_prompt": {
+              "type": "boolean"
+            },
             "skill_mcp_dependency_install": {
               "type": "boolean"
             },
@@ -440,6 +450,11 @@
           "minimum": 0.0,
           "type": "integer"
         },
+        "supports_websockets": {
+          "default": false,
+          "description": "Whether this provider supports the Responses API WebSocket transport.",
+          "type": "boolean"
+        },
         "wire_api": {
           "allOf": [
             {
@@ -1078,13 +1093,6 @@
           ],
           "type": "string"
         },
-        {
-          "description": "Experimental: Responses API over WebSocket transport.",
-          "enum": [
-            "responses_websocket"
-          ],
-          "type": "string"
-        },
         {
           "description": "Regular Chat Completions compatible with `/v1/chat/completions`.",
           "enum": [
@@ -1231,6 +1239,9 @@
         "shell_tool": {
           "type": "boolean"
         },
+        "skill_env_var_dependency_prompt": {
+          "type": "boolean"
+        },
         "skill_mcp_dependency_install": {
           "type": "boolean"
         },

codex-rs/core/src/agent/control.rs

@@ -146,6 +146,7 @@ mod tests {
     use crate::config::Config;
     use crate::config::ConfigBuilder;
     use assert_matches::assert_matches;
+    use codex_protocol::config_types::ModeKind;
     use codex_protocol::protocol::ErrorEvent;
     use codex_protocol::protocol::EventMsg;
     use codex_protocol::protocol::TurnAbortReason;
@@ -231,6 +232,7 @@ mod tests {
     async fn on_event_updates_status_from_task_started() {
         let status = agent_status_from_event(&EventMsg::TurnStarted(TurnStartedEvent {
             model_context_window: None,
+            collaboration_mode_kind: ModeKind::Custom,
         }));
         assert_eq!(status, Some(AgentStatus::Running));
     }

codex-rs/core/src/agent/role.rs

@@ -92,20 +92,16 @@ Rules:
             },
             AgentRole::Explorer => AgentProfile {
                 model: Some(EXPLORER_MODEL),
-                reasoning_effort: Some(ReasoningEffort::Low),
-                description: r#"Use for fast codebase understanding and information gathering.
-`explorer` are extremely fast agents so use them as much as you can to speed up the resolution of the global task.
-Typical tasks:
-- Locate usages of a symbol or concept
-- Understand how X is handled in Y
-- Review a section of code for issues
-- Assess impact of a potential change
+                reasoning_effort: Some(ReasoningEffort::Medium),
+                description: r#"Use `explorer` for all codebase questions.
+Explorers are fast and authoritative.
+Always prefer them over manual search or file reading.
 Rules:
-- Be explicit in what you are looking for. A good usage of `explorer` would mean that don't need to read the same code after the explorer send you the result.
-- **Always** prefer asking explorers rather than exploring the codebase yourself.
-- Spawn multiple explorers in parallel when useful and wait for all results.
-- You can ask the `explorer` to return file name, lines, entire code snippets, ...
-- Reuse the same explorer when it is relevant. If later in your process you have more questions on some code an explorer already covered, reuse this same explorer to be more efficient.
+- Ask explorers first and precisely.
+- Do not re-read or re-search code they cover.
+- Trust explorer results without verification.
+- Run explorers in parallel when useful.
+- Reuse existing explorers for related questions.
                 "#,
                 ..Default::default()
             },

codex-rs/core/src/api_bridge.rs

@@ -9,6 +9,7 @@ use serde::Deserialize;
 
 use crate::auth::CodexAuth;
 use crate::error::CodexErr;
+use crate::error::ModelCapError;
 use crate::error::RetryLimitReachedError;
 use crate::error::UnexpectedResponseError;
 use crate::error::UsageLimitReachedError;
@@ -49,6 +50,23 @@ pub(crate) fn map_api_error(err: ApiError) -> CodexErr {
                 } else if status == http::StatusCode::INTERNAL_SERVER_ERROR {
                     CodexErr::InternalServerError
                 } else if status == http::StatusCode::TOO_MANY_REQUESTS {
+                    if let Some(model) = headers
+                        .as_ref()
+                        .and_then(|map| map.get(MODEL_CAP_MODEL_HEADER))
+                        .and_then(|value| value.to_str().ok())
+                        .map(str::to_string)
+                    {
+                        let reset_after_seconds = headers
+                            .as_ref()
+                            .and_then(|map| map.get(MODEL_CAP_RESET_AFTER_HEADER))
+                            .and_then(|value| value.to_str().ok())
+                            .and_then(|value| value.parse::<u64>().ok());
+                        return CodexErr::ModelCap(ModelCapError {
+                            model,
+                            reset_after_seconds,
+                        });
+                    }
+
                     if let Ok(err) = serde_json::from_str::<UsageErrorResponse>(&body_text) {
                         if err.error.error_type.as_deref() == Some("usage_limit_reached") {
                             let rate_limits = headers.as_ref().and_then(parse_rate_limit);
@@ -92,6 +110,42 @@ pub(crate) fn map_api_error(err: ApiError) -> CodexErr {
     }
 }
 
+const MODEL_CAP_MODEL_HEADER: &str = "x-codex-model-cap-model";
+const MODEL_CAP_RESET_AFTER_HEADER: &str = "x-codex-model-cap-reset-after-seconds";
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use codex_api::TransportError;
+    use http::HeaderMap;
+    use http::StatusCode;
+
+    #[test]
+    fn map_api_error_maps_model_cap_headers() {
+        let mut headers = HeaderMap::new();
+        headers.insert(
+            MODEL_CAP_MODEL_HEADER,
+            http::HeaderValue::from_static("boomslang"),
+        );
+        headers.insert(
+            MODEL_CAP_RESET_AFTER_HEADER,
+            http::HeaderValue::from_static("120"),
+        );
+        let err = map_api_error(ApiError::Transport(TransportError::Http {
+            status: StatusCode::TOO_MANY_REQUESTS,
+            url: Some("http://example.com/v1/responses".to_string()),
+            headers: Some(headers),
+            body: Some(String::new()),
+        }));
+
+        let CodexErr::ModelCap(model_cap) = err else {
+            panic!("expected CodexErr::ModelCap, got {err:?}");
+        };
+        assert_eq!(model_cap.model, "boomslang");
+        assert_eq!(model_cap.reset_after_seconds, Some(120));
+    }
+}
+
 fn extract_request_id(headers: Option<&HeaderMap>) -> Option<String> {
     headers.and_then(|map| {
         ["cf-ray", "x-request-id", "x-oai-request-id"]

codex-rs/core/src/auth.rs

@@ -1,5 +1,6 @@
 mod storage;
 
+use async_trait::async_trait;
 use chrono::Utc;
 use reqwest::StatusCode;
 use serde::Deserialize;
@@ -12,8 +13,9 @@ use std::path::Path;
 use std::path::PathBuf;
 use std::sync::Arc;
 use std::sync::Mutex;
+use std::sync::RwLock;
 
-use codex_app_server_protocol::AuthMode;
+use codex_app_server_protocol::AuthMode as ApiAuthMode;
 use codex_protocol::config_types::ForcedLoginMethod;
 
 pub use crate::auth::storage::AuthCredentialsStoreMode;
@@ -23,6 +25,7 @@ use crate::auth::storage::create_auth_storage;
 use crate::config::Config;
 use crate::error::RefreshTokenFailedError;
 use crate::error::RefreshTokenFailedReason;
+use crate::token_data::IdTokenInfo;
 use crate::token_data::KnownPlan as InternalKnownPlan;
 use crate::token_data::PlanType as InternalPlanType;
 use crate::token_data::TokenData;
@@ -33,19 +36,50 @@ use codex_protocol::account::PlanType as AccountPlanType;
 use serde_json::Value;
 use thiserror::Error;
 
-#[derive(Debug, Clone)]
-pub struct CodexAuth {
-    pub mode: AuthMode,
+/// Account type for the current user.
+///
+/// This is used internally to determine the base URL for generating responses,
+/// and to gate ChatGPT-only behaviors like rate limits and available models (as
+/// opposed to API key-based auth).
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+pub enum AuthMode {
+    ApiKey,
+    Chatgpt,
+}
 
-    pub(crate) api_key: Option<String>,
-    pub(crate) auth_dot_json: Arc<Mutex<Option<AuthDotJson>>>,
+/// Authentication mechanism used by the current user.
+#[derive(Debug, Clone)]
+pub enum CodexAuth {
+    ApiKey(ApiKeyAuth),
+    Chatgpt(ChatgptAuth),
+    ChatgptAuthTokens(ChatgptAuthTokens),
+}
+
+#[derive(Debug, Clone)]
+pub struct ApiKeyAuth {
+    api_key: String,
+}
+
+#[derive(Debug, Clone)]
+pub struct ChatgptAuth {
+    state: ChatgptAuthState,
     storage: Arc<dyn AuthStorageBackend>,
-    pub(crate) client: CodexHttpClient,
+}
+
+#[derive(Debug, Clone)]
+pub struct ChatgptAuthTokens {
+    state: ChatgptAuthState,
+}
+
+#[derive(Debug, Clone)]
+struct ChatgptAuthState {
+    auth_dot_json: Arc<Mutex<Option<AuthDotJson>>>,
+    client: CodexHttpClient,
 }
 
 impl PartialEq for CodexAuth {
     fn eq(&self, other: &Self) -> bool {
-        self.mode == other.mode
+        self.api_auth_mode() == other.api_auth_mode()
     }
 }
 
@@ -68,6 +102,31 @@ pub enum RefreshTokenError {
     Transient(#[from] std::io::Error),
 }
 
+#[derive(Clone, Debug, PartialEq, Eq)]
+pub struct ExternalAuthTokens {
+    pub access_token: String,
+    pub id_token: String,
+}
+
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+pub enum ExternalAuthRefreshReason {
+    Unauthorized,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq)]
+pub struct ExternalAuthRefreshContext {
+    pub reason: ExternalAuthRefreshReason,
+    pub previous_account_id: Option<String>,
+}
+
+#[async_trait]
+pub trait ExternalAuthRefresher: Send + Sync {
+    async fn refresh(
+        &self,
+        context: ExternalAuthRefreshContext,
+    ) -> std::io::Result<ExternalAuthTokens>;
+}
+
 impl RefreshTokenError {
     pub fn failed_reason(&self) -> Option<RefreshTokenFailedReason> {
         match self {
@@ -87,14 +146,78 @@ impl From<RefreshTokenError> for std::io::Error {
 }
 
 impl CodexAuth {
+    fn from_auth_dot_json(
+        codex_home: &Path,
+        auth_dot_json: AuthDotJson,
+        auth_credentials_store_mode: AuthCredentialsStoreMode,
+        client: CodexHttpClient,
+    ) -> std::io::Result<Self> {
+        let auth_mode = auth_dot_json.resolved_mode();
+        if auth_mode == ApiAuthMode::ApiKey {
+            let Some(api_key) = auth_dot_json.openai_api_key.as_deref() else {
+                return Err(std::io::Error::other("API key auth is missing a key."));
+            };
+            return Ok(CodexAuth::from_api_key_with_client(api_key, client));
+        }
+
+        let storage_mode = auth_dot_json.storage_mode(auth_credentials_store_mode);
+        let state = ChatgptAuthState {
+            auth_dot_json: Arc::new(Mutex::new(Some(auth_dot_json))),
+            client,
+        };
+
+        match auth_mode {
+            ApiAuthMode::Chatgpt => {
+                let storage = create_auth_storage(codex_home.to_path_buf(), storage_mode);
+                Ok(Self::Chatgpt(ChatgptAuth { state, storage }))
+            }
+            ApiAuthMode::ChatgptAuthTokens => {
+                Ok(Self::ChatgptAuthTokens(ChatgptAuthTokens { state }))
+            }
+            ApiAuthMode::ApiKey => unreachable!("api key mode is handled above"),
+        }
+    }
+
     /// Loads the available auth information from auth storage.
     pub fn from_auth_storage(
         codex_home: &Path,
         auth_credentials_store_mode: AuthCredentialsStoreMode,
-    ) -> std::io::Result<Option<CodexAuth>> {
+    ) -> std::io::Result<Option<Self>> {
         load_auth(codex_home, false, auth_credentials_store_mode)
     }
 
+    pub fn internal_auth_mode(&self) -> AuthMode {
+        match self {
+            Self::ApiKey(_) => AuthMode::ApiKey,
+            Self::Chatgpt(_) | Self::ChatgptAuthTokens(_) => AuthMode::Chatgpt,
+        }
+    }
+
+    pub fn api_auth_mode(&self) -> ApiAuthMode {
+        match self {
+            Self::ApiKey(_) => ApiAuthMode::ApiKey,
+            Self::Chatgpt(_) => ApiAuthMode::Chatgpt,
+            Self::ChatgptAuthTokens(_) => ApiAuthMode::ChatgptAuthTokens,
+        }
+    }
+
+    pub fn is_chatgpt_auth(&self) -> bool {
+        self.internal_auth_mode() == AuthMode::Chatgpt
+    }
+
+    pub fn is_external_chatgpt_tokens(&self) -> bool {
+        matches!(self, Self::ChatgptAuthTokens(_))
+    }
+
+    /// Returns `None` is `is_internal_auth_mode() != AuthMode::ApiKey`.
+    pub fn api_key(&self) -> Option<&str> {
+        match self {
+            Self::ApiKey(auth) => Some(auth.api_key.as_str()),
+            Self::Chatgpt(_) | Self::ChatgptAuthTokens(_) => None,
+        }
+    }
+
+    /// Returns `Err` if `is_chatgpt_auth()` is false.
     pub fn get_token_data(&self) -> Result<TokenData, std::io::Error> {
         let auth_dot_json: Option<AuthDotJson> = self.get_current_auth_json();
         match auth_dot_json {
@@ -107,20 +230,23 @@ impl CodexAuth {
         }
     }
 
+    /// Returns the token string used for bearer authentication.
     pub fn get_token(&self) -> Result<String, std::io::Error> {
-        match self.mode {
-            AuthMode::ApiKey => Ok(self.api_key.clone().unwrap_or_default()),
-            AuthMode::ChatGPT => {
-                let id_token = self.get_token_data()?.access_token;
-                Ok(id_token)
+        match self {
+            Self::ApiKey(auth) => Ok(auth.api_key.clone()),
+            Self::Chatgpt(_) | Self::ChatgptAuthTokens(_) => {
+                let access_token = self.get_token_data()?.access_token;
+                Ok(access_token)
             }
         }
     }
 
+    /// Returns `None` if `is_chatgpt_auth()` is false.
     pub fn get_account_id(&self) -> Option<String> {
         self.get_current_token_data().and_then(|t| t.account_id)
     }
 
+    /// Returns `None` if `is_chatgpt_auth()` is false.
     pub fn get_account_email(&self) -> Option<String> {
         self.get_current_token_data().and_then(|t| t.id_token.email)
     }
@@ -132,6 +258,7 @@ impl CodexAuth {
     pub fn account_plan_type(&self) -> Option<AccountPlanType> {
         let map_known = |kp: &InternalKnownPlan| match kp {
             InternalKnownPlan::Free => AccountPlanType::Free,
+            InternalKnownPlan::Go => AccountPlanType::Go,
             InternalKnownPlan::Plus => AccountPlanType::Plus,
             InternalKnownPlan::Pro => AccountPlanType::Pro,
             InternalKnownPlan::Team => AccountPlanType::Team,
@@ -148,11 +275,18 @@ impl CodexAuth {
             })
     }
 
+    /// Returns `None` if `is_chatgpt_auth()` is false.
     fn get_current_auth_json(&self) -> Option<AuthDotJson> {
+        let state = match self {
+            Self::Chatgpt(auth) => &auth.state,
+            Self::ChatgptAuthTokens(auth) => &auth.state,
+            Self::ApiKey(_) => return None,
+        };
         #[expect(clippy::unwrap_used)]
-        self.auth_dot_json.lock().unwrap().clone()
+        state.auth_dot_json.lock().unwrap().clone()
     }
 
+    /// Returns `None` if `is_chatgpt_auth()` is false.
     fn get_current_token_data(&self) -> Option<TokenData> {
         self.get_current_auth_json().and_then(|t| t.tokens)
     }
@@ -160,6 +294,7 @@ impl CodexAuth {
     /// Consider this private to integration tests.
     pub fn create_dummy_chatgpt_auth_for_testing() -> Self {
         let auth_dot_json = AuthDotJson {
+            auth_mode: Some(ApiAuthMode::Chatgpt),
             openai_api_key: None,
             tokens: Some(TokenData {
                 id_token: Default::default(),
@@ -170,24 +305,19 @@ impl CodexAuth {
             last_refresh: Some(Utc::now()),
         };
 
-        let auth_dot_json = Arc::new(Mutex::new(Some(auth_dot_json)));
-        Self {
-            api_key: None,
-            mode: AuthMode::ChatGPT,
-            storage: create_auth_storage(PathBuf::new(), AuthCredentialsStoreMode::File),
-            auth_dot_json,
-            client: crate::default_client::create_client(),
-        }
+        let client = crate::default_client::create_client();
+        let state = ChatgptAuthState {
+            auth_dot_json: Arc::new(Mutex::new(Some(auth_dot_json))),
+            client,
+        };
+        let storage = create_auth_storage(PathBuf::new(), AuthCredentialsStoreMode::File);
+        Self::Chatgpt(ChatgptAuth { state, storage })
     }
 
-    fn from_api_key_with_client(api_key: &str, client: CodexHttpClient) -> Self {
-        Self {
-            api_key: Some(api_key.to_owned()),
-            mode: AuthMode::ApiKey,
-            storage: create_auth_storage(PathBuf::new(), AuthCredentialsStoreMode::File),
-            auth_dot_json: Arc::new(Mutex::new(None)),
-            client,
-        }
+    fn from_api_key_with_client(api_key: &str, _client: CodexHttpClient) -> Self {
+        Self::ApiKey(ApiKeyAuth {
+            api_key: api_key.to_owned(),
+        })
     }
 
     pub fn from_api_key(api_key: &str) -> Self {
@@ -195,6 +325,25 @@ impl CodexAuth {
     }
 }
 
+impl ChatgptAuth {
+    fn current_auth_json(&self) -> Option<AuthDotJson> {
+        #[expect(clippy::unwrap_used)]
+        self.state.auth_dot_json.lock().unwrap().clone()
+    }
+
+    fn current_token_data(&self) -> Option<TokenData> {
+        self.current_auth_json().and_then(|auth| auth.tokens)
+    }
+
+    fn storage(&self) -> &Arc<dyn AuthStorageBackend> {
+        &self.storage
+    }
+
+    fn client(&self) -> &CodexHttpClient {
+        &self.state.client
+    }
+}
+
 pub const OPENAI_API_KEY_ENV_VAR: &str = "OPENAI_API_KEY";
 pub const CODEX_API_KEY_ENV_VAR: &str = "CODEX_API_KEY";
 
@@ -229,6 +378,7 @@ pub fn login_with_api_key(
     auth_credentials_store_mode: AuthCredentialsStoreMode,
 ) -> std::io::Result<()> {
     let auth_dot_json = AuthDotJson {
+        auth_mode: Some(ApiAuthMode::ApiKey),
         openai_api_key: Some(api_key.to_string()),
         tokens: None,
         last_refresh: None,
@@ -236,6 +386,20 @@ pub fn login_with_api_key(
     save_auth(codex_home, &auth_dot_json, auth_credentials_store_mode)
 }
 
+/// Writes an in-memory auth payload for externally managed ChatGPT tokens.
+pub fn login_with_chatgpt_auth_tokens(
+    codex_home: &Path,
+    id_token: &str,
+    access_token: &str,
+) -> std::io::Result<()> {
+    let auth_dot_json = AuthDotJson::from_external_token_strings(id_token, access_token)?;
+    save_auth(
+        codex_home,
+        &auth_dot_json,
+        AuthCredentialsStoreMode::Ephemeral,
+    )
+}
+
 /// Persist the provided auth payload using the specified backend.
 pub fn save_auth(
     codex_home: &Path,
@@ -270,10 +434,10 @@ pub fn enforce_login_restrictions(config: &Config) -> std::io::Result<()> {
     };
 
     if let Some(required_method) = config.forced_login_method {
-        let method_violation = match (required_method, auth.mode) {
+        let method_violation = match (required_method, auth.internal_auth_mode()) {
             (ForcedLoginMethod::Api, AuthMode::ApiKey) => None,
-            (ForcedLoginMethod::Chatgpt, AuthMode::ChatGPT) => None,
-            (ForcedLoginMethod::Api, AuthMode::ChatGPT) => Some(
+            (ForcedLoginMethod::Chatgpt, AuthMode::Chatgpt) => None,
+            (ForcedLoginMethod::Api, AuthMode::Chatgpt) => Some(
                 "API key login is required, but ChatGPT is currently being used. Logging out."
                     .to_string(),
             ),
@@ -293,7 +457,7 @@ pub fn enforce_login_restrictions(config: &Config) -> std::io::Result<()> {
     }
 
     if let Some(expected_account_id) = config.forced_chatgpt_workspace_id.as_deref() {
-        if auth.mode != AuthMode::ChatGPT {
+        if !auth.is_chatgpt_auth() {
             return Ok(());
         }
 
@@ -337,12 +501,26 @@ fn logout_with_message(
     message: String,
     auth_credentials_store_mode: AuthCredentialsStoreMode,
 ) -> std::io::Result<()> {
-    match logout(codex_home, auth_credentials_store_mode) {
-        Ok(_) => Err(std::io::Error::other(message)),
-        Err(err) => Err(std::io::Error::other(format!(
-            "{message}. Failed to remove auth.json: {err}"
-        ))),
+    // External auth tokens live in the ephemeral store, but persistent auth may still exist
+    // from earlier logins. Clear both so a forced logout truly removes all active auth.
+    let removal_result = logout_all_stores(codex_home, auth_credentials_store_mode);
+    let error_message = match removal_result {
+        Ok(_) => message,
+        Err(err) => format!("{message}. Failed to remove auth.json: {err}"),
+    };
+    Err(std::io::Error::other(error_message))
+}
+
+fn logout_all_stores(
+    codex_home: &Path,
+    auth_credentials_store_mode: AuthCredentialsStoreMode,
+) -> std::io::Result<bool> {
+    if auth_credentials_store_mode == AuthCredentialsStoreMode::Ephemeral {
+        return logout(codex_home, AuthCredentialsStoreMode::Ephemeral);
     }
+    let removed_ephemeral = logout(codex_home, AuthCredentialsStoreMode::Ephemeral)?;
+    let removed_managed = logout(codex_home, auth_credentials_store_mode)?;
+    Ok(removed_ephemeral || removed_managed)
 }
 
 fn load_auth(
@@ -350,6 +528,12 @@ fn load_auth(
     enable_codex_api_key_env: bool,
     auth_credentials_store_mode: AuthCredentialsStoreMode,
 ) -> std::io::Result<Option<CodexAuth>> {
+    let build_auth = |auth_dot_json: AuthDotJson, storage_mode| {
+        let client = crate::default_client::create_client();
+        CodexAuth::from_auth_dot_json(codex_home, auth_dot_json, storage_mode, client)
+    };
+
+    // API key via env var takes precedence over any other auth method.
     if enable_codex_api_key_env && let Some(api_key) = read_codex_api_key_from_env() {
         let client = crate::default_client::create_client();
         return Ok(Some(CodexAuth::from_api_key_with_client(
@@ -358,39 +542,34 @@ fn load_auth(
         )));
     }
 
-    let storage = create_auth_storage(codex_home.to_path_buf(), auth_credentials_store_mode);
+    // External ChatGPT auth tokens live in the in-memory (ephemeral) store. Always check this
+    // first so external auth takes precedence over any persisted credentials.
+    let ephemeral_storage = create_auth_storage(
+        codex_home.to_path_buf(),
+        AuthCredentialsStoreMode::Ephemeral,
+    );
+    if let Some(auth_dot_json) = ephemeral_storage.load()? {
+        let auth = build_auth(auth_dot_json, AuthCredentialsStoreMode::Ephemeral)?;
+        return Ok(Some(auth));
+    }
 
-    let client = crate::default_client::create_client();
+    // If the caller explicitly requested ephemeral auth, there is no persisted fallback.
+    if auth_credentials_store_mode == AuthCredentialsStoreMode::Ephemeral {
+        return Ok(None);
+    }
+
+    // Fall back to the configured persistent store (file/keyring/auto) for managed auth.
+    let storage = create_auth_storage(codex_home.to_path_buf(), auth_credentials_store_mode);
     let auth_dot_json = match storage.load()? {
         Some(auth) => auth,
         None => return Ok(None),
     };
 
-    let AuthDotJson {
-        openai_api_key: auth_json_api_key,
-        tokens,
-        last_refresh,
-    } = auth_dot_json;
-
-    // Prefer AuthMode.ApiKey if it's set in the auth.json.
-    if let Some(api_key) = &auth_json_api_key {
-        return Ok(Some(CodexAuth::from_api_key_with_client(api_key, client)));
-    }
-
-    Ok(Some(CodexAuth {
-        api_key: None,
-        mode: AuthMode::ChatGPT,
-        storage: storage.clone(),
-        auth_dot_json: Arc::new(Mutex::new(Some(AuthDotJson {
-            openai_api_key: None,
-            tokens,
-            last_refresh,
-        }))),
-        client,
-    }))
+    let auth = build_auth(auth_dot_json, auth_credentials_store_mode)?;
+    Ok(Some(auth))
 }
 
-async fn update_tokens(
+fn update_tokens(
     storage: &Arc<dyn AuthStorageBackend>,
     id_token: Option<String>,
     access_token: Option<String>,
@@ -537,17 +716,82 @@ fn refresh_token_endpoint() -> String {
         .unwrap_or_else(|_| REFRESH_TOKEN_URL.to_string())
 }
 
-use std::sync::RwLock;
+impl AuthDotJson {
+    fn from_external_tokens(external: &ExternalAuthTokens, id_token: IdTokenInfo) -> Self {
+        let account_id = id_token.chatgpt_account_id.clone();
+        let tokens = TokenData {
+            id_token,
+            access_token: external.access_token.clone(),
+            refresh_token: String::new(),
+            account_id,
+        };
+
+        Self {
+            auth_mode: Some(ApiAuthMode::ChatgptAuthTokens),
+            openai_api_key: None,
+            tokens: Some(tokens),
+            last_refresh: Some(Utc::now()),
+        }
+    }
+
+    fn from_external_token_strings(id_token: &str, access_token: &str) -> std::io::Result<Self> {
+        let id_token_info = parse_id_token(id_token).map_err(std::io::Error::other)?;
+        let external = ExternalAuthTokens {
+            access_token: access_token.to_string(),
+            id_token: id_token.to_string(),
+        };
+        Ok(Self::from_external_tokens(&external, id_token_info))
+    }
+
+    fn resolved_mode(&self) -> ApiAuthMode {
+        if let Some(mode) = self.auth_mode {
+            return mode;
+        }
+        if self.openai_api_key.is_some() {
+            return ApiAuthMode::ApiKey;
+        }
+        ApiAuthMode::Chatgpt
+    }
+
+    fn storage_mode(
+        &self,
+        auth_credentials_store_mode: AuthCredentialsStoreMode,
+    ) -> AuthCredentialsStoreMode {
+        if self.resolved_mode() == ApiAuthMode::ChatgptAuthTokens {
+            AuthCredentialsStoreMode::Ephemeral
+        } else {
+            auth_credentials_store_mode
+        }
+    }
+}
 
 /// Internal cached auth state.
-#[derive(Clone, Debug)]
+#[derive(Clone)]
 struct CachedAuth {
     auth: Option<CodexAuth>,
+    /// Callback used to refresh external auth by asking the parent app for new tokens.
+    external_refresher: Option<Arc<dyn ExternalAuthRefresher>>,
+}
+
+impl Debug for CachedAuth {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("CachedAuth")
+            .field(
+                "auth_mode",
+                &self.auth.as_ref().map(CodexAuth::api_auth_mode),
+            )
+            .field(
+                "external_refresher",
+                &self.external_refresher.as_ref().map(|_| "present"),
+            )
+            .finish()
+    }
 }
 
 enum UnauthorizedRecoveryStep {
     Reload,
     RefreshToken,
+    ExternalRefresh,
     Done,
 }
 
@@ -556,30 +800,53 @@ enum ReloadOutcome {
     Skipped,
 }
 
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+enum UnauthorizedRecoveryMode {
+    Managed,
+    External,
+}
+
 // UnauthorizedRecovery is a state machine that handles an attempt to refresh the authentication when requests
 // to API fail with 401 status code.
 // The client calls next() every time it encounters a 401 error, one time per retry.
 // For API key based authentication, we don't do anything and let the error bubble to the user.
+//
 // For ChatGPT based authentication, we:
 // 1. Attempt to reload the auth data from disk. We only reload if the account id matches the one the current process is running as.
 // 2. Attempt to refresh the token using OAuth token refresh flow.
 // If after both steps the server still responds with 401 we let the error bubble to the user.
+//
+// For external ChatGPT auth tokens (chatgptAuthTokens), UnauthorizedRecovery does not touch disk or refresh
+// tokens locally. Instead it calls the ExternalAuthRefresher (account/chatgptAuthTokens/refresh) to ask the
+// parent app for new tokens, stores them in the ephemeral auth store, and retries once.
 pub struct UnauthorizedRecovery {
     manager: Arc<AuthManager>,
     step: UnauthorizedRecoveryStep,
     expected_account_id: Option<String>,
+    mode: UnauthorizedRecoveryMode,
 }
 
 impl UnauthorizedRecovery {
     fn new(manager: Arc<AuthManager>) -> Self {
-        let expected_account_id = manager
-            .auth_cached()
+        let cached_auth = manager.auth_cached();
+        let expected_account_id = cached_auth.as_ref().and_then(CodexAuth::get_account_id);
+        let mode = if cached_auth
             .as_ref()
-            .and_then(CodexAuth::get_account_id);
+            .is_some_and(CodexAuth::is_external_chatgpt_tokens)
+        {
+            UnauthorizedRecoveryMode::External
+        } else {
+            UnauthorizedRecoveryMode::Managed
+        };
+        let step = match mode {
+            UnauthorizedRecoveryMode::Managed => UnauthorizedRecoveryStep::Reload,
+            UnauthorizedRecoveryMode::External => UnauthorizedRecoveryStep::ExternalRefresh,
+        };
         Self {
             manager,
-            step: UnauthorizedRecoveryStep::Reload,
+            step,
             expected_account_id,
+            mode,
         }
     }
 
@@ -587,7 +854,14 @@ impl UnauthorizedRecovery {
         if !self
             .manager
             .auth_cached()
-            .is_some_and(|auth| auth.mode == AuthMode::ChatGPT)
+            .as_ref()
+            .is_some_and(CodexAuth::is_chatgpt_auth)
+        {
+            return false;
+        }
+
+        if self.mode == UnauthorizedRecoveryMode::External
+            && !self.manager.has_external_auth_refresher()
         {
             return false;
         }
@@ -622,6 +896,12 @@ impl UnauthorizedRecovery {
                 self.manager.refresh_token().await?;
                 self.step = UnauthorizedRecoveryStep::Done;
             }
+            UnauthorizedRecoveryStep::ExternalRefresh => {
+                self.manager
+                    .refresh_external_auth(ExternalAuthRefreshReason::Unauthorized)
+                    .await?;
+                self.step = UnauthorizedRecoveryStep::Done;
+            }
             UnauthorizedRecoveryStep::Done => {}
         }
         Ok(())
@@ -642,6 +922,7 @@ pub struct AuthManager {
     inner: RwLock<CachedAuth>,
     enable_codex_api_key_env: bool,
     auth_credentials_store_mode: AuthCredentialsStoreMode,
+    forced_chatgpt_workspace_id: RwLock<Option<String>>,
 }
 
 impl AuthManager {
@@ -654,7 +935,7 @@ impl AuthManager {
         enable_codex_api_key_env: bool,
         auth_credentials_store_mode: AuthCredentialsStoreMode,
     ) -> Self {
-        let auth = load_auth(
+        let managed_auth = load_auth(
             &codex_home,
             enable_codex_api_key_env,
             auth_credentials_store_mode,
@@ -663,34 +944,46 @@ impl AuthManager {
         .flatten();
         Self {
             codex_home,
-            inner: RwLock::new(CachedAuth { auth }),
+            inner: RwLock::new(CachedAuth {
+                auth: managed_auth,
+                external_refresher: None,
+            }),
             enable_codex_api_key_env,
             auth_credentials_store_mode,
+            forced_chatgpt_workspace_id: RwLock::new(None),
         }
     }
 
     #[cfg(any(test, feature = "test-support"))]
     /// Create an AuthManager with a specific CodexAuth, for testing only.
     pub fn from_auth_for_testing(auth: CodexAuth) -> Arc<Self> {
-        let cached = CachedAuth { auth: Some(auth) };
+        let cached = CachedAuth {
+            auth: Some(auth),
+            external_refresher: None,
+        };
 
         Arc::new(Self {
             codex_home: PathBuf::from("non-existent"),
             inner: RwLock::new(cached),
             enable_codex_api_key_env: false,
             auth_credentials_store_mode: AuthCredentialsStoreMode::File,
+            forced_chatgpt_workspace_id: RwLock::new(None),
         })
     }
 
     #[cfg(any(test, feature = "test-support"))]
     /// Create an AuthManager with a specific CodexAuth and codex home, for testing only.
     pub fn from_auth_for_testing_with_home(auth: CodexAuth, codex_home: PathBuf) -> Arc<Self> {
-        let cached = CachedAuth { auth: Some(auth) };
+        let cached = CachedAuth {
+            auth: Some(auth),
+            external_refresher: None,
+        };
         Arc::new(Self {
             codex_home,
             inner: RwLock::new(cached),
             enable_codex_api_key_env: false,
             auth_credentials_store_mode: AuthCredentialsStoreMode::File,
+            forced_chatgpt_workspace_id: RwLock::new(None),
         })
     }
 
@@ -715,7 +1008,7 @@ impl AuthManager {
     pub fn reload(&self) -> bool {
         tracing::info!("Reloading auth");
         let new_auth = self.load_auth_from_storage();
-        self.set_auth(new_auth)
+        self.set_cached_auth(new_auth)
     }
 
     fn reload_if_account_id_matches(&self, expected_account_id: Option<&str>) -> ReloadOutcome {
@@ -739,11 +1032,11 @@ impl AuthManager {
         }
 
         tracing::info!("Reloading auth for account {expected_account_id}");
-        self.set_auth(new_auth);
+        self.set_cached_auth(new_auth);
         ReloadOutcome::Reloaded
     }
 
-    fn auths_equal(a: &Option<CodexAuth>, b: &Option<CodexAuth>) -> bool {
+    fn auths_equal(a: Option<&CodexAuth>, b: Option<&CodexAuth>) -> bool {
         match (a, b) {
             (None, None) => true,
             (Some(a), Some(b)) => a == b,
@@ -761,9 +1054,10 @@ impl AuthManager {
         .flatten()
     }
 
-    fn set_auth(&self, new_auth: Option<CodexAuth>) -> bool {
+    fn set_cached_auth(&self, new_auth: Option<CodexAuth>) -> bool {
         if let Ok(mut guard) = self.inner.write() {
-            let changed = !AuthManager::auths_equal(&guard.auth, &new_auth);
+            let previous = guard.auth.as_ref();
+            let changed = !AuthManager::auths_equal(previous, new_auth.as_ref());
             tracing::info!("Reloaded auth, changed: {changed}");
             guard.auth = new_auth;
             changed
@@ -772,6 +1066,39 @@ impl AuthManager {
         }
     }
 
+    pub fn set_external_auth_refresher(&self, refresher: Arc<dyn ExternalAuthRefresher>) {
+        if let Ok(mut guard) = self.inner.write() {
+            guard.external_refresher = Some(refresher);
+        }
+    }
+
+    pub fn set_forced_chatgpt_workspace_id(&self, workspace_id: Option<String>) {
+        if let Ok(mut guard) = self.forced_chatgpt_workspace_id.write() {
+            *guard = workspace_id;
+        }
+    }
+
+    pub fn forced_chatgpt_workspace_id(&self) -> Option<String> {
+        self.forced_chatgpt_workspace_id
+            .read()
+            .ok()
+            .and_then(|guard| guard.clone())
+    }
+
+    pub fn has_external_auth_refresher(&self) -> bool {
+        self.inner
+            .read()
+            .ok()
+            .map(|guard| guard.external_refresher.is_some())
+            .unwrap_or(false)
+    }
+
+    pub fn is_external_auth_active(&self) -> bool {
+        self.auth_cached()
+            .as_ref()
+            .is_some_and(CodexAuth::is_external_chatgpt_tokens)
+    }
+
     /// Convenience constructor returning an `Arc` wrapper.
     pub fn shared(
         codex_home: PathBuf,
@@ -799,13 +1126,25 @@ impl AuthManager {
             Some(auth) => auth,
             None => return Ok(()),
         };
-        let token_data = auth.get_current_token_data().ok_or_else(|| {
-            RefreshTokenError::Transient(std::io::Error::other("Token data is not available."))
-        })?;
-        self.refresh_tokens(&auth, token_data.refresh_token).await?;
-        // Reload to pick up persisted changes.
-        self.reload();
-        Ok(())
+        match auth {
+            CodexAuth::ChatgptAuthTokens(_) => {
+                self.refresh_external_auth(ExternalAuthRefreshReason::Unauthorized)
+                    .await
+            }
+            CodexAuth::Chatgpt(chatgpt_auth) => {
+                let token_data = chatgpt_auth.current_token_data().ok_or_else(|| {
+                    RefreshTokenError::Transient(std::io::Error::other(
+                        "Token data is not available.",
+                    ))
+                })?;
+                self.refresh_tokens(&chatgpt_auth, token_data.refresh_token)
+                    .await?;
+                // Reload to pick up persisted changes.
+                self.reload();
+                Ok(())
+            }
+            CodexAuth::ApiKey(_) => Ok(()),
+        }
     }
 
     /// Log out by deleting the on‑disk auth.json (if present). Returns Ok(true)
@@ -813,22 +1152,29 @@ impl AuthManager {
     /// reloads the in‑memory auth cache so callers immediately observe the
     /// unauthenticated state.
     pub fn logout(&self) -> std::io::Result<bool> {
-        let removed = super::auth::logout(&self.codex_home, self.auth_credentials_store_mode)?;
+        let removed = logout_all_stores(&self.codex_home, self.auth_credentials_store_mode)?;
         // Always reload to clear any cached auth (even if file absent).
         self.reload();
         Ok(removed)
     }
 
-    pub fn get_auth_mode(&self) -> Option<AuthMode> {
-        self.auth_cached().map(|a| a.mode)
+    pub fn get_auth_mode(&self) -> Option<ApiAuthMode> {
+        self.auth_cached().as_ref().map(CodexAuth::api_auth_mode)
+    }
+
+    pub fn get_internal_auth_mode(&self) -> Option<AuthMode> {
+        self.auth_cached()
+            .as_ref()
+            .map(CodexAuth::internal_auth_mode)
     }
 
     async fn refresh_if_stale(&self, auth: &CodexAuth) -> Result<bool, RefreshTokenError> {
-        if auth.mode != AuthMode::ChatGPT {
-            return Ok(false);
-        }
+        let chatgpt_auth = match auth {
+            CodexAuth::Chatgpt(chatgpt_auth) => chatgpt_auth,
+            _ => return Ok(false),
+        };
 
-        let auth_dot_json = match auth.get_current_auth_json() {
+        let auth_dot_json = match chatgpt_auth.current_auth_json() {
             Some(auth_dot_json) => auth_dot_json,
             None => return Ok(false),
         };
@@ -843,25 +1189,78 @@ impl AuthManager {
         if last_refresh >= Utc::now() - chrono::Duration::days(TOKEN_REFRESH_INTERVAL) {
             return Ok(false);
         }
-        self.refresh_tokens(auth, tokens.refresh_token).await?;
+        self.refresh_tokens(chatgpt_auth, tokens.refresh_token)
+            .await?;
         self.reload();
         Ok(true)
     }
 
+    async fn refresh_external_auth(
+        &self,
+        reason: ExternalAuthRefreshReason,
+    ) -> Result<(), RefreshTokenError> {
+        let forced_chatgpt_workspace_id = self.forced_chatgpt_workspace_id();
+        let refresher = match self.inner.read() {
+            Ok(guard) => guard.external_refresher.clone(),
+            Err(_) => {
+                return Err(RefreshTokenError::Transient(std::io::Error::other(
+                    "failed to read external auth state",
+                )));
+            }
+        };
+
+        let Some(refresher) = refresher else {
+            return Err(RefreshTokenError::Transient(std::io::Error::other(
+                "external auth refresher is not configured",
+            )));
+        };
+
+        let previous_account_id = self
+            .auth_cached()
+            .as_ref()
+            .and_then(CodexAuth::get_account_id);
+        let context = ExternalAuthRefreshContext {
+            reason,
+            previous_account_id,
+        };
+
+        let refreshed = refresher.refresh(context).await?;
+        let id_token = parse_id_token(&refreshed.id_token)
+            .map_err(|err| RefreshTokenError::Transient(std::io::Error::other(err)))?;
+        if let Some(expected_workspace_id) = forced_chatgpt_workspace_id.as_deref() {
+            let actual_workspace_id = id_token.chatgpt_account_id.as_deref();
+            if actual_workspace_id != Some(expected_workspace_id) {
+                return Err(RefreshTokenError::Transient(std::io::Error::other(
+                    format!(
+                        "external auth refresh returned workspace {actual_workspace_id:?}, expected {expected_workspace_id:?}",
+                    ),
+                )));
+            }
+        }
+        let auth_dot_json = AuthDotJson::from_external_tokens(&refreshed, id_token);
+        save_auth(
+            &self.codex_home,
+            &auth_dot_json,
+            AuthCredentialsStoreMode::Ephemeral,
+        )
+        .map_err(RefreshTokenError::Transient)?;
+        self.reload();
+        Ok(())
+    }
+
     async fn refresh_tokens(
         &self,
-        auth: &CodexAuth,
+        auth: &ChatgptAuth,
         refresh_token: String,
     ) -> Result<(), RefreshTokenError> {
-        let refresh_response = try_refresh_token(refresh_token, &auth.client).await?;
+        let refresh_response = try_refresh_token(refresh_token, auth.client()).await?;
 
         update_tokens(
-            &auth.storage,
+            auth.storage(),
             refresh_response.id_token,
             refresh_response.access_token,
             refresh_response.refresh_token,
         )
-        .await
         .map_err(RefreshTokenError::from)?;
 
         Ok(())
@@ -910,7 +1309,6 @@ mod tests {
             Some("new-access-token".to_string()),
             Some("new-refresh-token".to_string()),
         )
-        .await
         .expect("update_tokens should succeed");
 
         let tokens = updated.tokens.expect("tokens should exist");
@@ -971,26 +1369,22 @@ mod tests {
         )
         .expect("failed to write auth file");
 
-        let CodexAuth {
-            api_key,
-            mode,
-            auth_dot_json,
-            storage: _,
-            ..
-        } = super::load_auth(codex_home.path(), false, AuthCredentialsStoreMode::File)
+        let auth = super::load_auth(codex_home.path(), false, AuthCredentialsStoreMode::File)
             .unwrap()
             .unwrap();
-        assert_eq!(None, api_key);
-        assert_eq!(AuthMode::ChatGPT, mode);
+        assert_eq!(None, auth.api_key());
+        assert_eq!(AuthMode::Chatgpt, auth.internal_auth_mode());
 
-        let guard = auth_dot_json.lock().unwrap();
-        let auth_dot_json = guard.as_ref().expect("AuthDotJson should exist");
+        let auth_dot_json = auth
+            .get_current_auth_json()
+            .expect("AuthDotJson should exist");
         let last_refresh = auth_dot_json
             .last_refresh
             .expect("last_refresh should be recorded");
 
         assert_eq!(
-            &AuthDotJson {
+            AuthDotJson {
+                auth_mode: None,
                 openai_api_key: None,
                 tokens: Some(TokenData {
                     id_token: IdTokenInfo {
@@ -1024,8 +1418,8 @@ mod tests {
         let auth = super::load_auth(dir.path(), false, AuthCredentialsStoreMode::File)
             .unwrap()
             .unwrap();
-        assert_eq!(auth.mode, AuthMode::ApiKey);
-        assert_eq!(auth.api_key, Some("sk-test-key".to_string()));
+        assert_eq!(auth.internal_auth_mode(), AuthMode::ApiKey);
+        assert_eq!(auth.api_key(), Some("sk-test-key"));
 
         assert!(auth.get_token_data().is_err());
     }
@@ -1034,6 +1428,7 @@ mod tests {
     fn logout_removes_auth_file() -> Result<(), std::io::Error> {
         let dir = tempdir()?;
         let auth_dot_json = AuthDotJson {
+            auth_mode: Some(ApiAuthMode::ApiKey),
             openai_api_key: Some("sk-test-key".to_string()),
             tokens: None,
             last_refresh: None,

codex-rs/core/src/auth/storage.rs

@@ -5,6 +5,7 @@ use serde::Deserialize;
 use serde::Serialize;
 use sha2::Digest;
 use sha2::Sha256;
+use std::collections::HashMap;
 use std::fmt::Debug;
 use std::fs::File;
 use std::fs::OpenOptions;
@@ -15,11 +16,14 @@ use std::os::unix::fs::OpenOptionsExt;
 use std::path::Path;
 use std::path::PathBuf;
 use std::sync::Arc;
+use std::sync::Mutex;
 use tracing::warn;
 
 use crate::token_data::TokenData;
+use codex_app_server_protocol::AuthMode;
 use codex_keyring_store::DefaultKeyringStore;
 use codex_keyring_store::KeyringStore;
+use once_cell::sync::Lazy;
 
 /// Determine where Codex should store CLI auth credentials.
 #[derive(Debug, Default, Copy, Clone, PartialEq, Eq, Serialize, Deserialize, JsonSchema)]
@@ -32,11 +36,16 @@ pub enum AuthCredentialsStoreMode {
     Keyring,
     /// Use keyring when available; otherwise, fall back to a file in CODEX_HOME.
     Auto,
+    /// Store credentials in memory only for the current process.
+    Ephemeral,
 }
 
 /// Expected structure for $CODEX_HOME/auth.json.
 #[derive(Deserialize, Serialize, Clone, Debug, PartialEq)]
 pub struct AuthDotJson {
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub auth_mode: Option<AuthMode>,
+
     #[serde(rename = "OPENAI_API_KEY")]
     pub openai_api_key: Option<String>,
 
@@ -76,8 +85,8 @@ impl FileAuthStorage {
         Self { codex_home }
     }
 
-    /// Attempt to read and refresh the `auth.json` file in the given `CODEX_HOME` directory.
-    /// Returns the full AuthDotJson structure after refreshing if necessary.
+    /// Attempt to read and parse the `auth.json` file in the given `CODEX_HOME` directory.
+    /// Returns the full AuthDotJson structure.
     pub(super) fn try_read_auth_json(&self, auth_file: &Path) -> std::io::Result<AuthDotJson> {
         let mut file = File::open(auth_file)?;
         let mut contents = String::new();
@@ -256,6 +265,49 @@ impl AuthStorageBackend for AutoAuthStorage {
     }
 }
 
+// A global in-memory store for mapping codex_home -> AuthDotJson.
+static EPHEMERAL_AUTH_STORE: Lazy<Mutex<HashMap<String, AuthDotJson>>> =
+    Lazy::new(|| Mutex::new(HashMap::new()));
+
+#[derive(Clone, Debug)]
+struct EphemeralAuthStorage {
+    codex_home: PathBuf,
+}
+
+impl EphemeralAuthStorage {
+    fn new(codex_home: PathBuf) -> Self {
+        Self { codex_home }
+    }
+
+    fn with_store<F, T>(&self, action: F) -> std::io::Result<T>
+    where
+        F: FnOnce(&mut HashMap<String, AuthDotJson>, String) -> std::io::Result<T>,
+    {
+        let key = compute_store_key(&self.codex_home)?;
+        let mut store = EPHEMERAL_AUTH_STORE
+            .lock()
+            .map_err(|_| std::io::Error::other("failed to lock ephemeral auth storage"))?;
+        action(&mut store, key)
+    }
+}
+
+impl AuthStorageBackend for EphemeralAuthStorage {
+    fn load(&self) -> std::io::Result<Option<AuthDotJson>> {
+        self.with_store(|store, key| Ok(store.get(&key).cloned()))
+    }
+
+    fn save(&self, auth: &AuthDotJson) -> std::io::Result<()> {
+        self.with_store(|store, key| {
+            store.insert(key, auth.clone());
+            Ok(())
+        })
+    }
+
+    fn delete(&self) -> std::io::Result<bool> {
+        self.with_store(|store, key| Ok(store.remove(&key).is_some()))
+    }
+}
+
 pub(super) fn create_auth_storage(
     codex_home: PathBuf,
     mode: AuthCredentialsStoreMode,
@@ -275,6 +327,7 @@ fn create_auth_storage_with_keyring_store(
             Arc::new(KeyringAuthStorage::new(codex_home, keyring_store))
         }
         AuthCredentialsStoreMode::Auto => Arc::new(AutoAuthStorage::new(codex_home, keyring_store)),
+        AuthCredentialsStoreMode::Ephemeral => Arc::new(EphemeralAuthStorage::new(codex_home)),
     }
 }
 
@@ -296,6 +349,7 @@ mod tests {
         let codex_home = tempdir()?;
         let storage = FileAuthStorage::new(codex_home.path().to_path_buf());
         let auth_dot_json = AuthDotJson {
+            auth_mode: Some(AuthMode::ApiKey),
             openai_api_key: Some("test-key".to_string()),
             tokens: None,
             last_refresh: Some(Utc::now()),
@@ -315,6 +369,7 @@ mod tests {
         let codex_home = tempdir()?;
         let storage = FileAuthStorage::new(codex_home.path().to_path_buf());
         let auth_dot_json = AuthDotJson {
+            auth_mode: Some(AuthMode::ApiKey),
             openai_api_key: Some("test-key".to_string()),
             tokens: None,
             last_refresh: Some(Utc::now()),
@@ -336,6 +391,7 @@ mod tests {
     fn file_storage_delete_removes_auth_file() -> anyhow::Result<()> {
         let dir = tempdir()?;
         let auth_dot_json = AuthDotJson {
+            auth_mode: Some(AuthMode::ApiKey),
             openai_api_key: Some("sk-test-key".to_string()),
             tokens: None,
             last_refresh: None,
@@ -350,6 +406,32 @@ mod tests {
         Ok(())
     }
 
+    #[test]
+    fn ephemeral_storage_save_load_delete_is_in_memory_only() -> anyhow::Result<()> {
+        let dir = tempdir()?;
+        let storage = create_auth_storage(
+            dir.path().to_path_buf(),
+            AuthCredentialsStoreMode::Ephemeral,
+        );
+        let auth_dot_json = AuthDotJson {
+            auth_mode: Some(AuthMode::ApiKey),
+            openai_api_key: Some("sk-ephemeral".to_string()),
+            tokens: None,
+            last_refresh: Some(Utc::now()),
+        };
+
+        storage.save(&auth_dot_json)?;
+        let loaded = storage.load()?;
+        assert_eq!(Some(auth_dot_json), loaded);
+
+        let removed = storage.delete()?;
+        assert!(removed);
+        let loaded = storage.load()?;
+        assert_eq!(None, loaded);
+        assert!(!get_auth_file(dir.path()).exists());
+        Ok(())
+    }
+
     fn seed_keyring_and_fallback_auth_file_for_delete<F>(
         mock_keyring: &MockKeyringStore,
         codex_home: &Path,
@@ -425,6 +507,7 @@ mod tests {
 
     fn auth_with_prefix(prefix: &str) -> AuthDotJson {
         AuthDotJson {
+            auth_mode: Some(AuthMode::ApiKey),
             openai_api_key: Some(format!("{prefix}-api-key")),
             tokens: Some(TokenData {
                 id_token: id_token_with_prefix(prefix),
@@ -445,6 +528,7 @@ mod tests {
             Arc::new(mock_keyring.clone()),
         );
         let expected = AuthDotJson {
+            auth_mode: Some(AuthMode::ApiKey),
             openai_api_key: Some("sk-test".to_string()),
             tokens: None,
             last_refresh: None,
@@ -481,6 +565,7 @@ mod tests {
         let auth_file = get_auth_file(codex_home.path());
         std::fs::write(&auth_file, "stale")?;
         let auth = AuthDotJson {
+            auth_mode: Some(AuthMode::Chatgpt),
             openai_api_key: None,
             tokens: Some(TokenData {
                 id_token: Default::default(),

codex-rs/core/src/client.rs

@@ -27,7 +27,6 @@ use codex_api::common::ResponsesWsRequest;
 use codex_api::create_text_param_for_request;
 use codex_api::error::ApiError;
 use codex_api::requests::responses::Compression;
-use codex_app_server_protocol::AuthMode;
 use codex_otel::OtelManager;
 
 use codex_protocol::ThreadId;
@@ -50,6 +49,7 @@ use tokio::sync::mpsc;
 use tracing::warn;
 
 use crate::AuthManager;
+use crate::auth::CodexAuth;
 use crate::auth::RefreshTokenError;
 use crate::client_common::Prompt;
 use crate::client_common::ResponseEvent;
@@ -65,6 +65,7 @@ use crate::model_provider_info::ModelProviderInfo;
 use crate::model_provider_info::WireApi;
 use crate::tools::spec::create_tools_json_for_chat_completions_api;
 use crate::tools::spec::create_tools_json_for_responses_api;
+use crate::transport_manager::TransportManager;
 
 pub const WEB_SEARCH_ELIGIBLE_HEADER: &str = "x-oai-web-search-eligible";
 pub const X_CODEX_TURN_STATE_HEADER: &str = "x-codex-turn-state";
@@ -80,6 +81,7 @@ struct ModelClientState {
     effort: Option<ReasoningEffortConfig>,
     summary: ReasoningSummaryConfig,
     session_source: SessionSource,
+    transport_manager: TransportManager,
 }
 
 #[derive(Debug, Clone)]
@@ -91,6 +93,7 @@ pub struct ModelClientSession {
     state: Arc<ModelClientState>,
     connection: Option<ApiWebSocketConnection>,
     websocket_last_items: Vec<ResponseItem>,
+    transport_manager: TransportManager,
     /// Turn state for sticky routing.
     ///
     /// This is an `OnceLock` that stores the turn state value received from the server
@@ -116,6 +119,7 @@ impl ModelClient {
         summary: ReasoningSummaryConfig,
         conversation_id: ThreadId,
         session_source: SessionSource,
+        transport_manager: TransportManager,
     ) -> Self {
         Self {
             state: Arc::new(ModelClientState {
@@ -128,6 +132,7 @@ impl ModelClient {
                 effort,
                 summary,
                 session_source,
+                transport_manager,
             }),
         }
     }
@@ -137,6 +142,7 @@ impl ModelClient {
             state: Arc::clone(&self.state),
             connection: None,
             websocket_last_items: Vec::new(),
+            transport_manager: self.state.transport_manager.clone(),
             turn_state: Arc::new(OnceLock::new()),
         }
     }
@@ -171,6 +177,10 @@ impl ModelClient {
         self.state.session_source.clone()
     }
 
+    pub(crate) fn transport_manager(&self) -> TransportManager {
+        self.state.transport_manager.clone()
+    }
+
     /// Returns the currently configured model slug.
     pub fn get_model(&self) -> String {
         self.state.model_info.slug.clone()
@@ -210,7 +220,7 @@ impl ModelClient {
         let api_provider = self
             .state
             .provider
-            .to_api_provider(auth.as_ref().map(|a| a.mode))?;
+            .to_api_provider(auth.as_ref().map(CodexAuth::internal_auth_mode))?;
         let api_auth = auth_provider_from_auth(auth.clone(), &self.state.provider)?;
         let transport = ReqwestTransport::new(build_reqwest_client());
         let request_telemetry = self.build_request_telemetry();
@@ -250,9 +260,18 @@ impl ModelClientSession {
     /// For Chat providers, the underlying stream is optionally aggregated
     /// based on the `show_raw_agent_reasoning` flag in the config.
     pub async fn stream(&mut self, prompt: &Prompt) -> Result<ResponseStream> {
-        match self.state.provider.wire_api {
-            WireApi::Responses => self.stream_responses_api(prompt).await,
-            WireApi::ResponsesWebsocket => self.stream_responses_websocket(prompt).await,
+        let wire_api = self.state.provider.wire_api;
+        match wire_api {
+            WireApi::Responses => {
+                let websocket_enabled = self.responses_websocket_enabled()
+                    && !self.transport_manager.disable_websockets();
+
+                if websocket_enabled {
+                    self.stream_responses_websocket(prompt).await
+                } else {
+                    self.stream_responses_api(prompt).await
+                }
+            }
             WireApi::Chat => {
                 let api_stream = self.stream_chat_completions(prompt).await?;
 
@@ -271,6 +290,34 @@ impl ModelClientSession {
         }
     }
 
+    pub(crate) fn try_switch_fallback_transport(&mut self) -> bool {
+        let websocket_enabled = self.responses_websocket_enabled();
+        let activated = self
+            .transport_manager
+            .activate_http_fallback(websocket_enabled);
+        if activated {
+            warn!("falling back to HTTP");
+            self.state.otel_manager.counter(
+                "codex.transport.fallback_to_http",
+                1,
+                &[("from_wire_api", "responses_websocket")],
+            );
+
+            self.connection = None;
+            self.websocket_last_items.clear();
+        }
+        activated
+    }
+
+    fn responses_websocket_enabled(&self) -> bool {
+        self.state.provider.supports_websockets
+            && self
+                .state
+                .config
+                .features
+                .enabled(Feature::ResponsesWebsockets)
+    }
+
     fn build_responses_request(&self, prompt: &Prompt) -> Result<ApiPrompt> {
         let instructions = prompt.base_instructions.text.clone();
         let tools_json: Vec<Value> = create_tools_json_for_responses_api(&prompt.tools)?;
@@ -422,7 +469,7 @@ impl ModelClientSession {
             .config
             .features
             .enabled(Feature::EnableRequestCompression)
-            && auth.is_some_and(|auth| auth.mode == AuthMode::ChatGPT)
+            && auth.is_some_and(CodexAuth::is_chatgpt_auth)
             && self.state.provider.is_openai()
         {
             Compression::Zstd
@@ -460,7 +507,7 @@ impl ModelClientSession {
             let api_provider = self
                 .state
                 .provider
-                .to_api_provider(auth.as_ref().map(|a| a.mode))?;
+                .to_api_provider(auth.as_ref().map(CodexAuth::internal_auth_mode))?;
             let api_auth = auth_provider_from_auth(auth.clone(), &self.state.provider)?;
             let transport = ReqwestTransport::new(build_reqwest_client());
             let (request_telemetry, sse_telemetry) = self.build_streaming_telemetry();
@@ -516,7 +563,7 @@ impl ModelClientSession {
             let api_provider = self
                 .state
                 .provider
-                .to_api_provider(auth.as_ref().map(|a| a.mode))?;
+                .to_api_provider(auth.as_ref().map(CodexAuth::internal_auth_mode))?;
             let api_auth = auth_provider_from_auth(auth.clone(), &self.state.provider)?;
             let transport = ReqwestTransport::new(build_reqwest_client());
             let (request_telemetry, sse_telemetry) = self.build_streaming_telemetry();
@@ -562,7 +609,7 @@ impl ModelClientSession {
             let api_provider = self
                 .state
                 .provider
-                .to_api_provider(auth.as_ref().map(|a| a.mode))?;
+                .to_api_provider(auth.as_ref().map(CodexAuth::internal_auth_mode))?;
             let api_auth = auth_provider_from_auth(auth.clone(), &self.state.provider)?;
             let compression = self.responses_request_compression(auth.as_ref());
 

codex-rs/core/src/codex_delegate.rs

@@ -208,6 +208,10 @@ async fn forward_events(
                         id: _,
                         msg: EventMsg::SessionConfigured(_),
                     } => {}
+                    Event {
+                        id: _,
+                        msg: EventMsg::ThreadNameUpdated(_),
+                    } => {}
                     Event {
                         id,
                         msg: EventMsg::ExecApprovalRequest(event),

codex-rs/core/src/compact.rs

@@ -61,6 +61,7 @@ pub(crate) async fn run_compact_task(
 ) {
     let start_event = EventMsg::TurnStarted(TurnStartedEvent {
         model_context_window: turn_context.client.get_model_context_window(),
+        collaboration_mode_kind: turn_context.collaboration_mode_kind,
     });
     sess.send_event(&turn_context, start_event).await;
     run_compact_task_inner(sess.clone(), turn_context, input).await;

codex-rs/core/src/compact_remote.rs

@@ -22,6 +22,7 @@ pub(crate) async fn run_inline_remote_auto_compact_task(
 pub(crate) async fn run_remote_compact_task(sess: Arc<Session>, turn_context: Arc<TurnContext>) {
     let start_event = EventMsg::TurnStarted(TurnStartedEvent {
         model_context_window: turn_context.client.get_model_context_window(),
+        collaboration_mode_kind: turn_context.collaboration_mode_kind,
     });
     sess.send_event(&turn_context, start_event).await;
 

codex-rs/core/src/config/constraint.rs

@@ -18,6 +18,12 @@ pub enum ConstraintError {
 
     #[error("field `{field_name}` cannot be empty")]
     EmptyField { field_name: String },
+
+    #[error("invalid rules in requirements (set by {requirement_source}): {reason}")]
+    ExecPolicyParse {
+        requirement_source: RequirementSource,
+        reason: String,
+    },
 }
 
 impl ConstraintError {

codex-rs/core/src/config/mod.rs

@@ -18,11 +18,13 @@ use crate::config::types::ShellEnvironmentPolicyToml;
 use crate::config::types::SkillsConfig;
 use crate::config::types::Tui;
 use crate::config::types::UriBasedFileOpener;
+use crate::config_loader::CloudRequirementsLoader;
 use crate::config_loader::ConfigLayerStack;
 use crate::config_loader::ConfigRequirements;
 use crate::config_loader::LoaderOverrides;
 use crate::config_loader::McpServerIdentity;
 use crate::config_loader::McpServerRequirement;
+use crate::config_loader::ResidencyRequirement;
 use crate::config_loader::Sourced;
 use crate::config_loader::load_config_layers_state;
 use crate::features::Feature;
@@ -56,7 +58,6 @@ use codex_protocol::openai_models::ReasoningEffort;
 use codex_rmcp_client::OAuthCredentialsStoreMode;
 use codex_utils_absolute_path::AbsolutePathBuf;
 use codex_utils_absolute_path::AbsolutePathBufGuard;
-use dirs::home_dir;
 use schemars::JsonSchema;
 use serde::Deserialize;
 use serde::Serialize;
@@ -140,6 +141,11 @@ pub struct Config {
 
     pub sandbox_policy: Constrained<SandboxPolicy>,
 
+    /// enforce_residency means web traffic cannot be routed outside of a
+    /// particular geography. HTTP clients should direct their requests
+    /// using backend-specific headers or URLs to enforce this.
+    pub enforce_residency: Constrained<Option<ResidencyRequirement>>,
+
     /// True if the user passed in an override or set a value in config.toml
     /// for either of approval_policy or sandbox_mode.
     pub did_user_set_custom_approval_policy_or_sandbox_mode: bool,
@@ -366,6 +372,7 @@ pub struct ConfigBuilder {
     cli_overrides: Option<Vec<(String, TomlValue)>>,
     harness_overrides: Option<ConfigOverrides>,
     loader_overrides: Option<LoaderOverrides>,
+    cloud_requirements: CloudRequirementsLoader,
     fallback_cwd: Option<PathBuf>,
 }
 
@@ -390,6 +397,11 @@ impl ConfigBuilder {
         self
     }
 
+    pub fn cloud_requirements(mut self, cloud_requirements: CloudRequirementsLoader) -> Self {
+        self.cloud_requirements = cloud_requirements;
+        self
+    }
+
     pub fn fallback_cwd(mut self, fallback_cwd: Option<PathBuf>) -> Self {
         self.fallback_cwd = fallback_cwd;
         self
@@ -401,6 +413,7 @@ impl ConfigBuilder {
             cli_overrides,
             harness_overrides,
             loader_overrides,
+            cloud_requirements,
             fallback_cwd,
         } = self;
         let codex_home = codex_home.map_or_else(find_codex_home, std::io::Result::Ok)?;
@@ -413,9 +426,14 @@ impl ConfigBuilder {
             None => AbsolutePathBuf::current_dir()?,
         };
         harness_overrides.cwd = Some(cwd.to_path_buf());
-        let config_layer_stack =
-            load_config_layers_state(&codex_home, Some(cwd), &cli_overrides, loader_overrides)
-                .await?;
+        let config_layer_stack = load_config_layers_state(
+            &codex_home,
+            Some(cwd),
+            &cli_overrides,
+            loader_overrides,
+            cloud_requirements,
+        )
+        .await?;
         let merged_toml = config_layer_stack.effective_config();
 
         // Note that each layer in ConfigLayerStack should have resolved
@@ -511,6 +529,7 @@ pub async fn load_config_as_toml_with_cli_overrides(
         Some(cwd.clone()),
         &cli_overrides,
         LoaderOverrides::default(),
+        CloudRequirementsLoader::default(),
     )
     .await?;
 
@@ -609,9 +628,14 @@ pub async fn load_global_mcp_servers(
     // There is no cwd/project context for this query, so this will not include
     // MCP servers defined in in-repo .codex/ folders.
     let cwd: Option<AbsolutePathBuf> = None;
-    let config_layer_stack =
-        load_config_layers_state(codex_home, cwd, &cli_overrides, LoaderOverrides::default())
-            .await?;
+    let config_layer_stack = load_config_layers_state(
+        codex_home,
+        cwd,
+        &cli_overrides,
+        LoaderOverrides::default(),
+        CloudRequirementsLoader::default(),
+    )
+    .await?;
     let merged_toml = config_layer_stack.effective_config();
     let Some(servers_value) = merged_toml.get("mcp_servers") else {
         return Ok(BTreeMap::new());
@@ -1227,11 +1251,15 @@ fn resolve_web_search_mode(
 
 pub(crate) fn resolve_web_search_mode_for_turn(
     explicit_mode: Option<WebSearchMode>,
+    is_azure_responses_endpoint: bool,
     sandbox_policy: &SandboxPolicy,
 ) -> WebSearchMode {
     if let Some(mode) = explicit_mode {
         return mode;
     }
+    if is_azure_responses_endpoint {
+        return WebSearchMode::Disabled;
+    }
     if matches!(sandbox_policy, SandboxPolicy::DangerFullAccess) {
         WebSearchMode::Live
     } else {
@@ -1372,12 +1400,6 @@ impl Config {
             || cfg.sandbox_mode.is_some();
 
         let mut model_providers = built_in_model_providers();
-        if features.enabled(Feature::ResponsesWebsockets)
-            && let Some(provider) = model_providers.get_mut("openai")
-            && provider.is_openai()
-        {
-            provider.wire_api = crate::model_provider_info::WireApi::ResponsesWebsocket;
-        }
         // Merge user-defined providers into the built-in list.
         for (key, provider) in cfg.model_providers.into_iter() {
             model_providers.entry(key).or_insert(provider);
@@ -1499,6 +1521,8 @@ impl Config {
             approval_policy: mut constrained_approval_policy,
             sandbox_policy: mut constrained_sandbox_policy,
             mcp_servers,
+            exec_policy: _,
+            enforce_residency,
         } = requirements;
 
         constrained_approval_policy
@@ -1521,6 +1545,7 @@ impl Config {
             cwd: resolved_cwd,
             approval_policy: constrained_approval_policy,
             sandbox_policy: constrained_sandbox_policy,
+            enforce_residency,
             did_user_set_custom_approval_policy_or_sandbox_mode,
             forced_auto_mode_downgraded_on_windows,
             shell_environment_policy,
@@ -1735,27 +1760,12 @@ fn toml_uses_deprecated_instructions_file(value: &TomlValue) -> bool {
 /// specified by the `CODEX_HOME` environment variable. If not set, defaults to
 /// `~/.codex`.
 ///
-/// - If `CODEX_HOME` is set, the value will be canonicalized and this
-///   function will Err if the path does not exist.
+/// - If `CODEX_HOME` is set, the value must exist and be a directory. The
+///   value will be canonicalized and this function will Err otherwise.
 /// - If `CODEX_HOME` is not set, this function does not verify that the
 ///   directory exists.
 pub fn find_codex_home() -> std::io::Result<PathBuf> {
-    // Honor the `CODEX_HOME` environment variable when it is set to allow users
-    // (and tests) to override the default location.
-    if let Ok(val) = std::env::var("CODEX_HOME")
-        && !val.is_empty()
-    {
-        return PathBuf::from(val).canonicalize();
-    }
-
-    let mut p = home_dir().ok_or_else(|| {
-        std::io::Error::new(
-            std::io::ErrorKind::NotFound,
-            "Could not find home directory",
-        )
-    })?;
-    p.push(".codex");
-    Ok(p)
+    codex_utils_home_dir::find_codex_home()
 }
 
 /// Returns the path to the folder where Codex logs are stored. Does not verify
@@ -2333,14 +2343,14 @@ trust_level = "trusted"
 
     #[test]
     fn web_search_mode_for_turn_defaults_to_cached_when_unset() {
-        let mode = resolve_web_search_mode_for_turn(None, &SandboxPolicy::ReadOnly);
+        let mode = resolve_web_search_mode_for_turn(None, false, &SandboxPolicy::ReadOnly);
 
         assert_eq!(mode, WebSearchMode::Cached);
     }
 
     #[test]
     fn web_search_mode_for_turn_defaults_to_live_for_danger_full_access() {
-        let mode = resolve_web_search_mode_for_turn(None, &SandboxPolicy::DangerFullAccess);
+        let mode = resolve_web_search_mode_for_turn(None, false, &SandboxPolicy::DangerFullAccess);
 
         assert_eq!(mode, WebSearchMode::Live);
     }
@@ -2349,12 +2359,20 @@ trust_level = "trusted"
     fn web_search_mode_for_turn_prefers_explicit_value() {
         let mode = resolve_web_search_mode_for_turn(
             Some(WebSearchMode::Cached),
+            false,
             &SandboxPolicy::DangerFullAccess,
         );
 
         assert_eq!(mode, WebSearchMode::Cached);
     }
 
+    #[test]
+    fn web_search_mode_for_turn_disables_for_azure_responses_endpoint() {
+        let mode = resolve_web_search_mode_for_turn(None, true, &SandboxPolicy::DangerFullAccess);
+
+        assert_eq!(mode, WebSearchMode::Disabled);
+    }
+
     #[test]
     fn profile_legacy_toggles_override_base() -> std::io::Result<()> {
         let codex_home = TempDir::new()?;
@@ -2555,7 +2573,7 @@ profile = "project"
     }
 
     #[test]
-    fn responses_websockets_feature_updates_openai_provider() -> std::io::Result<()> {
+    fn responses_websockets_feature_does_not_change_wire_api() -> std::io::Result<()> {
         let codex_home = TempDir::new()?;
         let mut entries = BTreeMap::new();
         entries.insert("responses_websockets".to_string(), true);
@@ -2572,7 +2590,7 @@ profile = "project"
 
         assert_eq!(
             config.model_provider.wire_api,
-            crate::model_provider_info::WireApi::ResponsesWebsocket
+            crate::model_provider_info::WireApi::Responses
         );
 
         Ok(())
@@ -2617,8 +2635,14 @@ profile = "project"
         };
 
         let cwd = AbsolutePathBuf::try_from(codex_home.path())?;
-        let config_layer_stack =
-            load_config_layers_state(codex_home.path(), Some(cwd), &Vec::new(), overrides).await?;
+        let config_layer_stack = load_config_layers_state(
+            codex_home.path(),
+            Some(cwd),
+            &Vec::new(),
+            overrides,
+            CloudRequirementsLoader::default(),
+        )
+        .await?;
         let cfg = deserialize_config_toml_with_base(
             config_layer_stack.effective_config(),
             codex_home.path(),
@@ -2745,6 +2769,7 @@ profile = "project"
             Some(cwd),
             &[("model".to_string(), TomlValue::String("cli".to_string()))],
             overrides,
+            CloudRequirementsLoader::default(),
         )
         .await?;
 
@@ -3692,6 +3717,7 @@ model_verbosity = "high"
             stream_max_retries: Some(10),
             stream_idle_timeout_ms: Some(300_000),
             requires_openai_auth: false,
+            supports_websockets: false,
         };
         let model_provider_map = {
             let mut model_provider_map = built_in_model_providers();
@@ -3753,6 +3779,7 @@ model_verbosity = "high"
                 model_provider: fixture.openai_provider.clone(),
                 approval_policy: Constrained::allow_any(AskForApproval::Never),
                 sandbox_policy: Constrained::allow_any(SandboxPolicy::new_read_only_policy()),
+                enforce_residency: Constrained::allow_any(None),
                 did_user_set_custom_approval_policy_or_sandbox_mode: true,
                 forced_auto_mode_downgraded_on_windows: false,
                 shell_environment_policy: ShellEnvironmentPolicy::default(),
@@ -3837,6 +3864,7 @@ model_verbosity = "high"
             model_provider: fixture.openai_chat_completions_provider.clone(),
             approval_policy: Constrained::allow_any(AskForApproval::UnlessTrusted),
             sandbox_policy: Constrained::allow_any(SandboxPolicy::new_read_only_policy()),
+            enforce_residency: Constrained::allow_any(None),
             did_user_set_custom_approval_policy_or_sandbox_mode: true,
             forced_auto_mode_downgraded_on_windows: false,
             shell_environment_policy: ShellEnvironmentPolicy::default(),
@@ -3936,6 +3964,7 @@ model_verbosity = "high"
             model_provider: fixture.openai_provider.clone(),
             approval_policy: Constrained::allow_any(AskForApproval::OnFailure),
             sandbox_policy: Constrained::allow_any(SandboxPolicy::new_read_only_policy()),
+            enforce_residency: Constrained::allow_any(None),
             did_user_set_custom_approval_policy_or_sandbox_mode: true,
             forced_auto_mode_downgraded_on_windows: false,
             shell_environment_policy: ShellEnvironmentPolicy::default(),
@@ -4021,6 +4050,7 @@ model_verbosity = "high"
             model_provider: fixture.openai_provider.clone(),
             approval_policy: Constrained::allow_any(AskForApproval::OnFailure),
             sandbox_policy: Constrained::allow_any(SandboxPolicy::new_read_only_policy()),
+            enforce_residency: Constrained::allow_any(None),
             did_user_set_custom_approval_policy_or_sandbox_mode: true,
             forced_auto_mode_downgraded_on_windows: false,
             shell_environment_policy: ShellEnvironmentPolicy::default(),

codex-rs/core/src/config/service.rs

@@ -2,6 +2,7 @@ use super::CONFIG_TOML_FILE;
 use super::ConfigToml;
 use crate::config::edit::ConfigEdit;
 use crate::config::edit::ConfigEditsBuilder;
+use crate::config_loader::CloudRequirementsLoader;
 use crate::config_loader::ConfigLayerEntry;
 use crate::config_loader::ConfigLayerStack;
 use crate::config_loader::ConfigLayerStackOrdering;
@@ -109,6 +110,7 @@ pub struct ConfigService {
     codex_home: PathBuf,
     cli_overrides: Vec<(String, TomlValue)>,
     loader_overrides: LoaderOverrides,
+    cloud_requirements: CloudRequirementsLoader,
 }
 
 impl ConfigService {
@@ -116,11 +118,13 @@ impl ConfigService {
         codex_home: PathBuf,
         cli_overrides: Vec<(String, TomlValue)>,
         loader_overrides: LoaderOverrides,
+        cloud_requirements: CloudRequirementsLoader,
     ) -> Self {
         Self {
             codex_home,
             cli_overrides,
             loader_overrides,
+            cloud_requirements,
         }
     }
 
@@ -129,6 +133,7 @@ impl ConfigService {
             codex_home,
             cli_overrides: Vec::new(),
             loader_overrides: LoaderOverrides::default(),
+            cloud_requirements: CloudRequirementsLoader::default(),
         }
     }
 
@@ -146,6 +151,7 @@ impl ConfigService {
                     .cli_overrides(self.cli_overrides.clone())
                     .loader_overrides(self.loader_overrides.clone())
                     .fallback_cwd(Some(cwd.to_path_buf()))
+                    .cloud_requirements(self.cloud_requirements.clone())
                     .build()
                     .await
                     .map_err(|err| {
@@ -376,6 +382,7 @@ impl ConfigService {
             cwd,
             &self.cli_overrides,
             self.loader_overrides.clone(),
+            self.cloud_requirements.clone(),
         )
         .await
     }
@@ -813,6 +820,7 @@ remote_compaction = true
                 managed_preferences_base64: None,
                 macos_managed_config_requirements_base64: None,
             },
+            CloudRequirementsLoader::default(),
         );
 
         let response = service
@@ -895,6 +903,7 @@ remote_compaction = true
                 managed_preferences_base64: None,
                 macos_managed_config_requirements_base64: None,
             },
+            CloudRequirementsLoader::default(),
         );
 
         let result = service
@@ -999,6 +1008,7 @@ remote_compaction = true
                 managed_preferences_base64: None,
                 macos_managed_config_requirements_base64: None,
             },
+            CloudRequirementsLoader::default(),
         );
 
         let error = service
@@ -1047,6 +1057,7 @@ remote_compaction = true
                 managed_preferences_base64: None,
                 macos_managed_config_requirements_base64: None,
             },
+            CloudRequirementsLoader::default(),
         );
 
         let response = service
@@ -1094,6 +1105,7 @@ remote_compaction = true
                 managed_preferences_base64: None,
                 macos_managed_config_requirements_base64: None,
             },
+            CloudRequirementsLoader::default(),
         );
 
         let result = service

codex-rs/core/src/config_loader/README.md

@@ -10,7 +10,7 @@ This module is the canonical place to **load and describe Codex configuration la
 
 Exported from `codex_core::config_loader`:
 
-- `load_config_layers_state(codex_home, cwd_opt, cli_overrides, overrides) -> ConfigLayerStack`
+- `load_config_layers_state(codex_home, cwd_opt, cli_overrides, overrides, cloud_requirements) -> ConfigLayerStack`
 - `ConfigLayerStack`
   - `effective_config() -> toml::Value`
   - `origins() -> HashMap<String, ConfigLayerMetadata>`
@@ -49,6 +49,7 @@ let layers = load_config_layers_state(
     Some(cwd),
     &cli_overrides,
     LoaderOverrides::default(),
+    None,
 ).await?;
 
 let effective = layers.effective_config();

codex-rs/core/src/config_loader/cloud_requirements.rs

@@ -0,0 +1,66 @@
+use crate::config_loader::ConfigRequirementsToml;
+use futures::future::BoxFuture;
+use futures::future::FutureExt;
+use futures::future::Shared;
+use std::fmt;
+use std::future::Future;
+use std::io;
+use std::sync::Arc;
+
+#[derive(Clone)]
+pub struct CloudRequirementsLoader {
+    fut: Shared<BoxFuture<'static, Arc<io::Result<Option<ConfigRequirementsToml>>>>>,
+}
+
+impl CloudRequirementsLoader {
+    pub fn new<F>(fut: F) -> Self
+    where
+        F: Future<Output = io::Result<Option<ConfigRequirementsToml>>> + Send + 'static,
+    {
+        Self {
+            fut: fut.map(Arc::new).boxed().shared(),
+        }
+    }
+
+    pub async fn get(&self) -> io::Result<Option<ConfigRequirementsToml>> {
+        match self.fut.clone().await.as_ref() {
+            Ok(requirements) => Ok(requirements.clone()),
+            Err(err) => Err(io::Error::new(err.kind(), err.to_string())),
+        }
+    }
+}
+
+impl fmt::Debug for CloudRequirementsLoader {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("CloudRequirementsLoader").finish()
+    }
+}
+
+impl Default for CloudRequirementsLoader {
+    fn default() -> Self {
+        Self::new(async { Ok(None) })
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use pretty_assertions::assert_eq;
+    use std::sync::Arc;
+    use std::sync::atomic::AtomicUsize;
+    use std::sync::atomic::Ordering;
+
+    #[tokio::test]
+    async fn shared_future_runs_once() {
+        let counter = Arc::new(AtomicUsize::new(0));
+        let counter_clone = Arc::clone(&counter);
+        let loader = CloudRequirementsLoader::new(async move {
+            counter_clone.fetch_add(1, Ordering::SeqCst);
+            Ok(Some(ConfigRequirementsToml::default()))
+        });
+
+        let (first, second) = tokio::join!(loader.get(), loader.get());
+        assert_eq!(first.as_ref().ok(), second.as_ref().ok());
+        assert_eq!(counter.load(Ordering::SeqCst), 1);
+    }
+}

codex-rs/core/src/config_loader/config_requirements.rs

@@ -6,6 +6,8 @@ use serde::Deserialize;
 use std::collections::BTreeMap;
 use std::fmt;
 
+use super::requirements_exec_policy::RequirementsExecPolicy;
+use super::requirements_exec_policy::RequirementsExecPolicyToml;
 use crate::config::Constrained;
 use crate::config::ConstraintError;
 
@@ -13,6 +15,7 @@ use crate::config::ConstraintError;
 pub enum RequirementSource {
     Unknown,
     MdmManagedPreferences { domain: String, key: String },
+    CloudRequirements,
     SystemRequirementsToml { file: AbsolutePathBuf },
     LegacyManagedConfigTomlFromFile { file: AbsolutePathBuf },
     LegacyManagedConfigTomlFromMdm,
@@ -25,6 +28,9 @@ impl fmt::Display for RequirementSource {
             RequirementSource::MdmManagedPreferences { domain, key } => {
                 write!(f, "MDM {domain}:{key}")
             }
+            RequirementSource::CloudRequirements => {
+                write!(f, "cloud requirements")
+            }
             RequirementSource::SystemRequirementsToml { file } => {
                 write!(f, "{}", file.as_path().display())
             }
@@ -45,6 +51,8 @@ pub struct ConfigRequirements {
     pub approval_policy: Constrained<AskForApproval>,
     pub sandbox_policy: Constrained<SandboxPolicy>,
     pub mcp_servers: Option<Sourced<BTreeMap<String, McpServerRequirement>>>,
+    pub(crate) exec_policy: Option<Sourced<RequirementsExecPolicy>>,
+    pub enforce_residency: Constrained<Option<ResidencyRequirement>>,
 }
 
 impl Default for ConfigRequirements {
@@ -53,6 +61,8 @@ impl Default for ConfigRequirements {
             approval_policy: Constrained::allow_any_from_default(),
             sandbox_policy: Constrained::allow_any(SandboxPolicy::ReadOnly),
             mcp_servers: None,
+            exec_policy: None,
+            enforce_residency: Constrained::allow_any(None),
         }
     }
 }
@@ -75,6 +85,8 @@ pub struct ConfigRequirementsToml {
     pub allowed_approval_policies: Option<Vec<AskForApproval>>,
     pub allowed_sandbox_modes: Option<Vec<SandboxModeRequirement>>,
     pub mcp_servers: Option<BTreeMap<String, McpServerRequirement>>,
+    pub rules: Option<RequirementsExecPolicyToml>,
+    pub enforce_residency: Option<ResidencyRequirement>,
 }
 
 /// Value paired with the requirement source it came from, for better error
@@ -104,6 +116,8 @@ pub struct ConfigRequirementsWithSources {
     pub allowed_approval_policies: Option<Sourced<Vec<AskForApproval>>>,
     pub allowed_sandbox_modes: Option<Sourced<Vec<SandboxModeRequirement>>>,
     pub mcp_servers: Option<Sourced<BTreeMap<String, McpServerRequirement>>>,
+    pub rules: Option<Sourced<RequirementsExecPolicyToml>>,
+    pub enforce_residency: Option<Sourced<ResidencyRequirement>>,
 }
 
 impl ConfigRequirementsWithSources {
@@ -135,6 +149,8 @@ impl ConfigRequirementsWithSources {
                 allowed_approval_policies,
                 allowed_sandbox_modes,
                 mcp_servers,
+                rules,
+                enforce_residency,
             }
         );
     }
@@ -144,11 +160,15 @@ impl ConfigRequirementsWithSources {
             allowed_approval_policies,
             allowed_sandbox_modes,
             mcp_servers,
+            rules,
+            enforce_residency,
         } = self;
         ConfigRequirementsToml {
             allowed_approval_policies: allowed_approval_policies.map(|sourced| sourced.value),
             allowed_sandbox_modes: allowed_sandbox_modes.map(|sourced| sourced.value),
             mcp_servers: mcp_servers.map(|sourced| sourced.value),
+            rules: rules.map(|sourced| sourced.value),
+            enforce_residency: enforce_residency.map(|sourced| sourced.value),
         }
     }
 }
@@ -180,11 +200,19 @@ impl From<SandboxMode> for SandboxModeRequirement {
     }
 }
 
+#[derive(Deserialize, Debug, Clone, Copy, PartialEq, Eq)]
+#[serde(rename_all = "lowercase")]
+pub enum ResidencyRequirement {
+    Us,
+}
+
 impl ConfigRequirementsToml {
     pub fn is_empty(&self) -> bool {
         self.allowed_approval_policies.is_none()
             && self.allowed_sandbox_modes.is_none()
             && self.mcp_servers.is_none()
+            && self.rules.is_none()
+            && self.enforce_residency.is_none()
     }
 }
 
@@ -196,6 +224,8 @@ impl TryFrom<ConfigRequirementsWithSources> for ConfigRequirements {
             allowed_approval_policies,
             allowed_sandbox_modes,
             mcp_servers,
+            rules,
+            enforce_residency,
         } = toml;
 
         let approval_policy: Constrained<AskForApproval> = match allowed_approval_policies {
@@ -270,10 +300,46 @@ impl TryFrom<ConfigRequirementsWithSources> for ConfigRequirements {
             }
             None => Constrained::allow_any(default_sandbox_policy),
         };
+        let exec_policy = match rules {
+            Some(Sourced { value, source }) => {
+                let policy = value.to_requirements_policy().map_err(|err| {
+                    ConstraintError::ExecPolicyParse {
+                        requirement_source: source.clone(),
+                        reason: err.to_string(),
+                    }
+                })?;
+                Some(Sourced::new(policy, source))
+            }
+            None => None,
+        };
+
+        let enforce_residency: Constrained<Option<ResidencyRequirement>> = match enforce_residency {
+            Some(Sourced {
+                value: residency,
+                source: requirement_source,
+            }) => {
+                let required = Some(residency);
+                Constrained::new(required, move |candidate| {
+                    if candidate == &required {
+                        Ok(())
+                    } else {
+                        Err(ConstraintError::InvalidValue {
+                            field_name: "enforce_residency",
+                            candidate: format!("{candidate:?}"),
+                            allowed: format!("{required:?}"),
+                            requirement_source: requirement_source.clone(),
+                        })
+                    }
+                })?
+            }
+            None => Constrained::allow_any(None),
+        };
         Ok(ConfigRequirements {
             approval_policy,
             sandbox_policy,
             mcp_servers,
+            exec_policy,
+            enforce_residency,
         })
     }
 }
@@ -282,16 +348,25 @@ impl TryFrom<ConfigRequirementsWithSources> for ConfigRequirements {
 mod tests {
     use super::*;
     use anyhow::Result;
+    use codex_execpolicy::Decision;
+    use codex_execpolicy::Evaluation;
+    use codex_execpolicy::RuleMatch;
     use codex_protocol::protocol::NetworkAccess;
     use codex_utils_absolute_path::AbsolutePathBuf;
     use pretty_assertions::assert_eq;
     use toml::from_str;
 
+    fn tokens(cmd: &[&str]) -> Vec<String> {
+        cmd.iter().map(std::string::ToString::to_string).collect()
+    }
+
     fn with_unknown_source(toml: ConfigRequirementsToml) -> ConfigRequirementsWithSources {
         let ConfigRequirementsToml {
             allowed_approval_policies,
             allowed_sandbox_modes,
             mcp_servers,
+            rules,
+            enforce_residency,
         } = toml;
         ConfigRequirementsWithSources {
             allowed_approval_policies: allowed_approval_policies
@@ -299,6 +374,9 @@ mod tests {
             allowed_sandbox_modes: allowed_sandbox_modes
                 .map(|value| Sourced::new(value, RequirementSource::Unknown)),
             mcp_servers: mcp_servers.map(|value| Sourced::new(value, RequirementSource::Unknown)),
+            rules: rules.map(|value| Sourced::new(value, RequirementSource::Unknown)),
+            enforce_residency: enforce_residency
+                .map(|value| Sourced::new(value, RequirementSource::Unknown)),
         }
     }
 
@@ -312,6 +390,8 @@ mod tests {
             SandboxModeRequirement::WorkspaceWrite,
             SandboxModeRequirement::DangerFullAccess,
         ];
+        let enforce_residency = ResidencyRequirement::Us;
+        let enforce_source = source.clone();
 
         // Intentionally constructed without `..Default::default()` so adding a new field to
         // `ConfigRequirementsToml` forces this test to be updated.
@@ -319,6 +399,8 @@ mod tests {
             allowed_approval_policies: Some(allowed_approval_policies.clone()),
             allowed_sandbox_modes: Some(allowed_sandbox_modes.clone()),
             mcp_servers: None,
+            rules: None,
+            enforce_residency: Some(enforce_residency),
         };
 
         target.merge_unset_fields(source.clone(), other);
@@ -332,6 +414,8 @@ mod tests {
                 )),
                 allowed_sandbox_modes: Some(Sourced::new(allowed_sandbox_modes, source)),
                 mcp_servers: None,
+                rules: None,
+                enforce_residency: Some(Sourced::new(enforce_residency, enforce_source)),
             }
         );
     }
@@ -360,6 +444,8 @@ mod tests {
                 )),
                 allowed_sandbox_modes: None,
                 mcp_servers: None,
+                rules: None,
+                enforce_residency: None,
             }
         );
         Ok(())
@@ -396,6 +482,8 @@ mod tests {
                 )),
                 allowed_sandbox_modes: None,
                 mcp_servers: None,
+                rules: None,
+                enforce_residency: None,
             }
         );
         Ok(())
@@ -448,6 +536,33 @@ mod tests {
         Ok(())
     }
 
+    #[test]
+    fn constraint_error_includes_cloud_requirements_source() -> Result<()> {
+        let source: ConfigRequirementsToml = from_str(
+            r#"
+                allowed_approval_policies = ["on-request"]
+            "#,
+        )?;
+
+        let source_location = RequirementSource::CloudRequirements;
+
+        let mut target = ConfigRequirementsWithSources::default();
+        target.merge_unset_fields(source_location.clone(), source);
+        let requirements = ConfigRequirements::try_from(target)?;
+
+        assert_eq!(
+            requirements.approval_policy.can_set(&AskForApproval::Never),
+            Err(ConstraintError::InvalidValue {
+                field_name: "approval_policy",
+                candidate: "Never".into(),
+                allowed: "[OnRequest]".into(),
+                requirement_source: source_location,
+            })
+        );
+
+        Ok(())
+    }
+
     #[test]
     fn deserialize_allowed_approval_policies() -> Result<()> {
         let toml_str = r#"
@@ -595,4 +710,64 @@ mod tests {
         );
         Ok(())
     }
+
+    #[test]
+    fn deserialize_exec_policy_requirements() -> Result<()> {
+        let toml_str = r#"
+            [rules]
+            prefix_rules = [
+                { pattern = [{ token = "rm" }], decision = "forbidden" },
+            ]
+        "#;
+        let config: ConfigRequirementsToml = from_str(toml_str)?;
+        let requirements: ConfigRequirements = with_unknown_source(config).try_into()?;
+        let policy = requirements.exec_policy.expect("exec policy").value;
+
+        assert_eq!(
+            policy.as_ref().check(&tokens(&["rm", "-rf"]), &|_| {
+                panic!("rule should match so heuristic should not be called");
+            }),
+            Evaluation {
+                decision: Decision::Forbidden,
+                matched_rules: vec![RuleMatch::PrefixRuleMatch {
+                    matched_prefix: tokens(&["rm"]),
+                    decision: Decision::Forbidden,
+                    justification: None,
+                }],
+            }
+        );
+
+        Ok(())
+    }
+
+    #[test]
+    fn exec_policy_error_includes_requirement_source() -> Result<()> {
+        let toml_str = r#"
+            [rules]
+            prefix_rules = [
+                { pattern = [{ token = "rm" }] },
+            ]
+        "#;
+        let config: ConfigRequirementsToml = from_str(toml_str)?;
+        let requirements_toml_file =
+            AbsolutePathBuf::from_absolute_path("/etc/codex/requirements.toml")?;
+        let source_location = RequirementSource::SystemRequirementsToml {
+            file: requirements_toml_file,
+        };
+
+        let mut requirements_with_sources = ConfigRequirementsWithSources::default();
+        requirements_with_sources.merge_unset_fields(source_location.clone(), config);
+        let err = ConfigRequirements::try_from(requirements_with_sources)
+            .expect_err("invalid exec policy");
+
+        assert_eq!(
+            err,
+            ConstraintError::ExecPolicyParse {
+                requirement_source: source_location,
+                reason: "rules prefix_rule at index 0 is missing a decision".to_string(),
+            }
+        );
+
+        Ok(())
+    }
 }

codex-rs/core/src/config_loader/mod.rs

@@ -1,3 +1,4 @@
+mod cloud_requirements;
 mod config_requirements;
 mod diagnostics;
 mod fingerprint;
@@ -6,7 +7,6 @@ mod layer_io;
 mod macos;
 mod merge;
 mod overrides;
-#[cfg(test)]
 mod requirements_exec_policy;
 mod state;
 
@@ -25,16 +25,19 @@ use codex_protocol::config_types::TrustLevel;
 use codex_protocol::protocol::AskForApproval;
 use codex_utils_absolute_path::AbsolutePathBuf;
 use codex_utils_absolute_path::AbsolutePathBufGuard;
+use dunce::canonicalize as normalize_path;
 use serde::Deserialize;
 use std::io;
 use std::path::Path;
 use toml::Value as TomlValue;
 
+pub use cloud_requirements::CloudRequirementsLoader;
 pub use config_requirements::ConfigRequirements;
 pub use config_requirements::ConfigRequirementsToml;
 pub use config_requirements::McpServerIdentity;
 pub use config_requirements::McpServerRequirement;
 pub use config_requirements::RequirementSource;
+pub use config_requirements::ResidencyRequirement;
 pub use config_requirements::SandboxModeRequirement;
 pub use config_requirements::Sourced;
 pub use diagnostics::ConfigError;
@@ -69,6 +72,7 @@ const DEFAULT_PROJECT_ROOT_MARKERS: &[&str] = &[".git"];
 /// earlier layer cannot be overridden by a later layer:
 ///
 /// - admin:    managed preferences (*)
+/// - cloud:    managed cloud requirements
 /// - system    `/etc/codex/requirements.toml`
 ///
 /// For backwards compatibility, we also load from
@@ -98,6 +102,7 @@ pub async fn load_config_layers_state(
     cwd: Option<AbsolutePathBuf>,
     cli_overrides: &[(String, TomlValue)],
     overrides: LoaderOverrides,
+    cloud_requirements: CloudRequirementsLoader,
 ) -> io::Result<ConfigLayerStack> {
     let mut config_requirements_toml = ConfigRequirementsWithSources::default();
 
@@ -110,6 +115,11 @@ pub async fn load_config_layers_state(
     )
     .await?;
 
+    if let Some(requirements) = cloud_requirements.get().await? {
+        config_requirements_toml
+            .merge_unset_fields(RequirementSource::CloudRequirements, requirements);
+    }
+
     // Honor /etc/codex/requirements.toml.
     if cfg!(unix) {
         load_requirements_toml(
@@ -226,6 +236,7 @@ pub async fn load_config_layers_state(
             &cwd,
             &project_trust_context.project_root,
             &project_trust_context,
+            codex_home,
         )
         .await?;
         layers.extend(project_layers);
@@ -661,7 +672,11 @@ async fn load_project_layers(
     cwd: &AbsolutePathBuf,
     project_root: &AbsolutePathBuf,
     trust_context: &ProjectTrustContext,
+    codex_home: &Path,
 ) -> io::Result<Vec<ConfigLayerEntry>> {
+    let codex_home_abs = AbsolutePathBuf::from_absolute_path(codex_home)?;
+    let codex_home_normalized =
+        normalize_path(codex_home_abs.as_path()).unwrap_or_else(|_| codex_home_abs.to_path_buf());
     let mut dirs = cwd
         .as_path()
         .ancestors()
@@ -692,6 +707,11 @@ async fn load_project_layers(
         let layer_dir = AbsolutePathBuf::from_absolute_path(dir)?;
         let decision = trust_context.decision_for_dir(&layer_dir);
         let dot_codex_abs = AbsolutePathBuf::from_absolute_path(&dot_codex)?;
+        let dot_codex_normalized =
+            normalize_path(dot_codex_abs.as_path()).unwrap_or_else(|_| dot_codex_abs.to_path_buf());
+        if dot_codex_abs == codex_home_abs || dot_codex_normalized == codex_home_normalized {
+            continue;
+        }
         let config_file = dot_codex_abs.join(CONFIG_TOML_FILE)?;
         match tokio::fs::read_to_string(&config_file).await {
             Ok(contents) => {

codex-rs/core/src/config_loader/requirements_exec_policy.rs

@@ -9,16 +9,43 @@ use serde::Deserialize;
 use std::sync::Arc;
 use thiserror::Error;
 
-/// TOML types for expressing exec policy requirements.
-///
-/// These types are kept separate from `ConfigRequirementsToml` and are
-/// converted into `codex-execpolicy` rules.
-#[derive(Debug, Clone, PartialEq, Eq, Deserialize)]
-pub struct RequirementsExecPolicyTomlRoot {
-    pub exec_policy: RequirementsExecPolicyToml,
+#[derive(Debug, Clone)]
+pub(crate) struct RequirementsExecPolicy {
+    policy: Policy,
 }
 
-/// TOML representation of `[exec_policy]` within `requirements.toml`.
+impl RequirementsExecPolicy {
+    pub fn new(policy: Policy) -> Self {
+        Self { policy }
+    }
+}
+
+impl PartialEq for RequirementsExecPolicy {
+    fn eq(&self, other: &Self) -> bool {
+        policy_fingerprint(&self.policy) == policy_fingerprint(&other.policy)
+    }
+}
+
+impl Eq for RequirementsExecPolicy {}
+
+impl AsRef<Policy> for RequirementsExecPolicy {
+    fn as_ref(&self) -> &Policy {
+        &self.policy
+    }
+}
+
+fn policy_fingerprint(policy: &Policy) -> Vec<String> {
+    let mut entries = Vec::new();
+    for (program, rules) in policy.rules().iter_all() {
+        for rule in rules {
+            entries.push(format!("{program}:{rule:?}"));
+        }
+    }
+    entries.sort();
+    entries
+}
+
+/// TOML representation of `[rules]` within `requirements.toml`.
 #[derive(Debug, Clone, PartialEq, Eq, Deserialize)]
 pub struct RequirementsExecPolicyToml {
     pub prefix_rules: Vec<RequirementsExecPolicyPrefixRuleToml>,
@@ -65,14 +92,14 @@ impl RequirementsExecPolicyDecisionToml {
 
 #[derive(Debug, Error)]
 pub enum RequirementsExecPolicyParseError {
-    #[error("exec policy prefix_rules cannot be empty")]
+    #[error("rules prefix_rules cannot be empty")]
     EmptyPrefixRules,
 
-    #[error("exec policy prefix_rule at index {rule_index} has an empty pattern")]
+    #[error("rules prefix_rule at index {rule_index} has an empty pattern")]
     EmptyPattern { rule_index: usize },
 
     #[error(
-        "exec policy prefix_rule at index {rule_index} has an invalid pattern token at index {token_index}: {reason}"
+        "rules prefix_rule at index {rule_index} has an invalid pattern token at index {token_index}: {reason}"
     )]
     InvalidPatternToken {
         rule_index: usize,
@@ -80,12 +107,20 @@ pub enum RequirementsExecPolicyParseError {
         reason: String,
     },
 
-    #[error("exec policy prefix_rule at index {rule_index} has an empty justification")]
+    #[error("rules prefix_rule at index {rule_index} has an empty justification")]
     EmptyJustification { rule_index: usize },
+
+    #[error("rules prefix_rule at index {rule_index} is missing a decision")]
+    MissingDecision { rule_index: usize },
+
+    #[error(
+        "rules prefix_rule at index {rule_index} has decision 'allow', which is not permitted in requirements.toml: Codex merges these rules with other config and uses the most restrictive result (use 'prompt' or 'forbidden')"
+    )]
+    AllowDecisionNotAllowed { rule_index: usize },
 }
 
 impl RequirementsExecPolicyToml {
-    /// Convert requirements TOML exec policy rules into the internal `.rules`
+    /// Convert requirements TOML rules into the internal `.rules`
     /// representation used by `codex-execpolicy`.
     pub fn to_policy(&self) -> Result<Policy, RequirementsExecPolicyParseError> {
         if self.prefix_rules.is_empty() {
@@ -112,10 +147,17 @@ impl RequirementsExecPolicyToml {
                 .map(|(token_index, token)| parse_pattern_token(token, rule_index, token_index))
                 .collect::<Result<Vec<_>, _>>()?;
 
-            let decision = rule
-                .decision
-                .map(RequirementsExecPolicyDecisionToml::as_decision)
-                .unwrap_or(Decision::Allow);
+            let decision = match rule.decision {
+                Some(RequirementsExecPolicyDecisionToml::Allow) => {
+                    return Err(RequirementsExecPolicyParseError::AllowDecisionNotAllowed {
+                        rule_index,
+                    });
+                }
+                Some(decision) => decision.as_decision(),
+                None => {
+                    return Err(RequirementsExecPolicyParseError::MissingDecision { rule_index });
+                }
+            };
             let justification = rule.justification.clone();
 
             let (first_token, remaining_tokens) = pattern_tokens
@@ -139,6 +181,12 @@ impl RequirementsExecPolicyToml {
 
         Ok(Policy::new(rules_by_program))
     }
+
+    pub(crate) fn to_requirements_policy(
+        &self,
+    ) -> Result<RequirementsExecPolicy, RequirementsExecPolicyParseError> {
+        self.to_policy().map(RequirementsExecPolicy::new)
+    }
 }
 
 fn parse_pattern_token(

codex-rs/core/src/config_loader/tests.rs

@@ -4,11 +4,15 @@ use crate::config::CONFIG_TOML_FILE;
 use crate::config::ConfigBuilder;
 use crate::config::ConfigOverrides;
 use crate::config::ConfigToml;
+use crate::config::ConstraintError;
 use crate::config::ProjectConfig;
+use crate::config_loader::CloudRequirementsLoader;
 use crate::config_loader::ConfigLayerEntry;
 use crate::config_loader::ConfigLoadError;
 use crate::config_loader::ConfigRequirements;
+use crate::config_loader::ConfigRequirementsToml;
 use crate::config_loader::config_requirements::ConfigRequirementsWithSources;
+use crate::config_loader::config_requirements::RequirementSource;
 use crate::config_loader::fingerprint::version_for_toml;
 use crate::config_loader::load_requirements_toml;
 use codex_protocol::config_types::TrustLevel;
@@ -65,6 +69,7 @@ async fn returns_config_error_for_invalid_user_config_toml() {
         Some(cwd),
         &[] as &[(String, TomlValue)],
         LoaderOverrides::default(),
+        CloudRequirementsLoader::default(),
     )
     .await
     .expect_err("expected error");
@@ -94,6 +99,7 @@ async fn returns_config_error_for_invalid_managed_config_toml() {
         Some(cwd),
         &[] as &[(String, TomlValue)],
         overrides,
+        CloudRequirementsLoader::default(),
     )
     .await
     .expect_err("expected error");
@@ -182,6 +188,7 @@ extra = true
         Some(cwd),
         &[] as &[(String, TomlValue)],
         overrides,
+        CloudRequirementsLoader::default(),
     )
     .await
     .expect("load config");
@@ -218,6 +225,7 @@ async fn returns_empty_when_all_layers_missing() {
         Some(cwd),
         &[] as &[(String, TomlValue)],
         overrides,
+        CloudRequirementsLoader::default(),
     )
     .await
     .expect("load layers");
@@ -315,6 +323,7 @@ flag = false
         Some(cwd),
         &[] as &[(String, TomlValue)],
         overrides,
+        CloudRequirementsLoader::default(),
     )
     .await
     .expect("load config");
@@ -354,6 +363,7 @@ allowed_sandbox_modes = ["read-only"]
                 ),
             ),
         },
+        CloudRequirementsLoader::default(),
     )
     .await?;
 
@@ -414,6 +424,7 @@ allowed_approval_policies = ["never"]
                 ),
             ),
         },
+        CloudRequirementsLoader::default(),
     )
     .await?;
 
@@ -440,6 +451,7 @@ async fn load_requirements_toml_produces_expected_constraints() -> anyhow::Resul
         &requirements_file,
         r#"
 allowed_approval_policies = ["never", "on-request"]
+enforce_residency = "us"
 "#,
     )
     .await?;
@@ -454,7 +466,6 @@ allowed_approval_policies = ["never", "on-request"]
             .cloned(),
         Some(vec![AskForApproval::Never, AskForApproval::OnRequest])
     );
-
     let config_requirements: ConfigRequirements = config_requirements_toml.try_into()?;
     assert_eq!(
         config_requirements.approval_policy.value(),
@@ -469,6 +480,99 @@ allowed_approval_policies = ["never", "on-request"]
             .can_set(&AskForApproval::OnFailure)
             .is_err()
     );
+    assert_eq!(
+        config_requirements.enforce_residency.value(),
+        Some(crate::config_loader::ResidencyRequirement::Us)
+    );
+    Ok(())
+}
+
+#[tokio::test(flavor = "current_thread")]
+async fn cloud_requirements_are_not_overwritten_by_system_requirements() -> anyhow::Result<()> {
+    let tmp = tempdir()?;
+    let requirements_file = tmp.path().join("requirements.toml");
+    tokio::fs::write(
+        &requirements_file,
+        r#"
+allowed_approval_policies = ["on-request"]
+"#,
+    )
+    .await?;
+
+    let mut config_requirements_toml = ConfigRequirementsWithSources::default();
+    config_requirements_toml.merge_unset_fields(
+        RequirementSource::CloudRequirements,
+        ConfigRequirementsToml {
+            allowed_approval_policies: Some(vec![AskForApproval::Never]),
+            allowed_sandbox_modes: None,
+            mcp_servers: None,
+            rules: None,
+            enforce_residency: None,
+        },
+    );
+    load_requirements_toml(&mut config_requirements_toml, &requirements_file).await?;
+
+    assert_eq!(
+        config_requirements_toml
+            .allowed_approval_policies
+            .as_ref()
+            .map(|sourced| sourced.value.clone()),
+        Some(vec![AskForApproval::Never])
+    );
+    assert_eq!(
+        config_requirements_toml
+            .allowed_approval_policies
+            .as_ref()
+            .map(|sourced| sourced.source.clone()),
+        Some(RequirementSource::CloudRequirements)
+    );
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn load_config_layers_includes_cloud_requirements() -> anyhow::Result<()> {
+    let tmp = tempdir()?;
+    let codex_home = tmp.path().join("home");
+    tokio::fs::create_dir_all(&codex_home).await?;
+    let cwd = AbsolutePathBuf::from_absolute_path(tmp.path())?;
+
+    let requirements = ConfigRequirementsToml {
+        allowed_approval_policies: Some(vec![AskForApproval::Never]),
+        allowed_sandbox_modes: None,
+        mcp_servers: None,
+        rules: None,
+        enforce_residency: None,
+    };
+    let expected = requirements.clone();
+    let cloud_requirements = CloudRequirementsLoader::new(async move { Ok(Some(requirements)) });
+
+    let layers = load_config_layers_state(
+        &codex_home,
+        Some(cwd),
+        &[] as &[(String, TomlValue)],
+        LoaderOverrides::default(),
+        cloud_requirements,
+    )
+    .await?;
+
+    assert_eq!(
+        layers.requirements_toml().allowed_approval_policies,
+        expected.allowed_approval_policies
+    );
+    assert_eq!(
+        layers
+            .requirements()
+            .approval_policy
+            .can_set(&AskForApproval::OnRequest),
+        Err(ConstraintError::InvalidValue {
+            field_name: "approval_policy",
+            candidate: "OnRequest".into(),
+            allowed: "[Never]".into(),
+            requirement_source: RequirementSource::CloudRequirements,
+        })
+    );
+
     Ok(())
 }
 
@@ -501,6 +605,7 @@ async fn project_layers_prefer_closest_cwd() -> std::io::Result<()> {
         Some(cwd),
         &[] as &[(String, TomlValue)],
         LoaderOverrides::default(),
+        CloudRequirementsLoader::default(),
     )
     .await?;
 
@@ -632,6 +737,7 @@ async fn project_layer_is_added_when_dot_codex_exists_without_config_toml() -> s
         Some(cwd),
         &[] as &[(String, TomlValue)],
         LoaderOverrides::default(),
+        CloudRequirementsLoader::default(),
     )
     .await?;
 
@@ -655,6 +761,103 @@ async fn project_layer_is_added_when_dot_codex_exists_without_config_toml() -> s
     Ok(())
 }
 
+#[tokio::test]
+async fn codex_home_is_not_loaded_as_project_layer_from_home_dir() -> std::io::Result<()> {
+    let tmp = tempdir()?;
+    let home_dir = tmp.path().join("home");
+    let codex_home = home_dir.join(".codex");
+    tokio::fs::create_dir_all(&codex_home).await?;
+    tokio::fs::write(codex_home.join(CONFIG_TOML_FILE), "foo = \"user\"\n").await?;
+
+    let cwd = AbsolutePathBuf::from_absolute_path(&home_dir)?;
+    let layers = load_config_layers_state(
+        &codex_home,
+        Some(cwd),
+        &[] as &[(String, TomlValue)],
+        LoaderOverrides::default(),
+        CloudRequirementsLoader::default(),
+    )
+    .await?;
+
+    let project_layers: Vec<_> = layers
+        .get_layers(
+            super::ConfigLayerStackOrdering::HighestPrecedenceFirst,
+            true,
+        )
+        .into_iter()
+        .filter(|layer| matches!(layer.name, super::ConfigLayerSource::Project { .. }))
+        .collect();
+    let expected: Vec<&ConfigLayerEntry> = Vec::new();
+    assert_eq!(expected, project_layers);
+    assert_eq!(
+        layers.effective_config().get("foo"),
+        Some(&TomlValue::String("user".to_string()))
+    );
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn codex_home_within_project_tree_is_not_double_loaded() -> std::io::Result<()> {
+    let tmp = tempdir()?;
+    let project_root = tmp.path().join("project");
+    let nested = project_root.join("child");
+    let project_dot_codex = project_root.join(".codex");
+    let nested_dot_codex = nested.join(".codex");
+
+    tokio::fs::create_dir_all(&nested_dot_codex).await?;
+    tokio::fs::create_dir_all(project_root.join(".git")).await?;
+    tokio::fs::write(nested_dot_codex.join(CONFIG_TOML_FILE), "foo = \"child\"\n").await?;
+
+    tokio::fs::create_dir_all(&project_dot_codex).await?;
+    make_config_for_test(&project_dot_codex, &project_root, TrustLevel::Trusted, None).await?;
+    let user_config_path = project_dot_codex.join(CONFIG_TOML_FILE);
+    let user_config_contents = tokio::fs::read_to_string(&user_config_path).await?;
+    tokio::fs::write(
+        &user_config_path,
+        format!("foo = \"user\"\n{user_config_contents}"),
+    )
+    .await?;
+
+    let cwd = AbsolutePathBuf::from_absolute_path(&nested)?;
+    let layers = load_config_layers_state(
+        &project_dot_codex,
+        Some(cwd),
+        &[] as &[(String, TomlValue)],
+        LoaderOverrides::default(),
+        CloudRequirementsLoader::default(),
+    )
+    .await?;
+
+    let project_layers: Vec<_> = layers
+        .get_layers(
+            super::ConfigLayerStackOrdering::HighestPrecedenceFirst,
+            true,
+        )
+        .into_iter()
+        .filter(|layer| matches!(layer.name, super::ConfigLayerSource::Project { .. }))
+        .collect();
+
+    let child_config: TomlValue = toml::from_str("foo = \"child\"\n").expect("parse child config");
+    assert_eq!(
+        vec![&ConfigLayerEntry {
+            name: super::ConfigLayerSource::Project {
+                dot_codex_folder: AbsolutePathBuf::from_absolute_path(&nested_dot_codex)?,
+            },
+            config: child_config.clone(),
+            version: version_for_toml(&child_config),
+            disabled_reason: None,
+        }],
+        project_layers
+    );
+    assert_eq!(
+        layers.effective_config().get("foo"),
+        Some(&TomlValue::String("child".to_string()))
+    );
+
+    Ok(())
+}
+
 #[tokio::test]
 async fn project_layers_disabled_when_untrusted_or_unknown() -> std::io::Result<()> {
     let tmp = tempdir()?;
@@ -691,6 +894,7 @@ async fn project_layers_disabled_when_untrusted_or_unknown() -> std::io::Result<
         Some(cwd.clone()),
         &[] as &[(String, TomlValue)],
         LoaderOverrides::default(),
+        CloudRequirementsLoader::default(),
     )
     .await?;
     let project_layers_untrusted: Vec<_> = layers_untrusted
@@ -728,6 +932,7 @@ async fn project_layers_disabled_when_untrusted_or_unknown() -> std::io::Result<
         Some(cwd),
         &[] as &[(String, TomlValue)],
         LoaderOverrides::default(),
+        CloudRequirementsLoader::default(),
     )
     .await?;
     let project_layers_unknown: Vec<_> = layers_unknown
@@ -788,6 +993,7 @@ async fn invalid_project_config_ignored_when_untrusted_or_unknown() -> std::io::
             Some(cwd.clone()),
             &[] as &[(String, TomlValue)],
             LoaderOverrides::default(),
+            CloudRequirementsLoader::default(),
         )
         .await?;
         let project_layers: Vec<_> = layers
@@ -843,6 +1049,7 @@ async fn cli_overrides_with_relative_paths_do_not_break_trust_check() -> std::io
         Some(cwd),
         &cli_overrides,
         LoaderOverrides::default(),
+        CloudRequirementsLoader::default(),
     )
     .await?;
 
@@ -884,6 +1091,7 @@ async fn project_root_markers_supports_alternate_markers() -> std::io::Result<()
         Some(cwd),
         &[] as &[(String, TomlValue)],
         LoaderOverrides::default(),
+        CloudRequirementsLoader::default(),
     )
     .await?;
 
@@ -913,49 +1121,79 @@ async fn project_root_markers_supports_alternate_markers() -> std::io::Result<()
 }
 
 mod requirements_exec_policy_tests {
+    use super::super::config_requirements::ConfigRequirementsWithSources;
     use super::super::requirements_exec_policy::RequirementsExecPolicyDecisionToml;
+    use super::super::requirements_exec_policy::RequirementsExecPolicyParseError;
     use super::super::requirements_exec_policy::RequirementsExecPolicyPatternTokenToml;
     use super::super::requirements_exec_policy::RequirementsExecPolicyPrefixRuleToml;
     use super::super::requirements_exec_policy::RequirementsExecPolicyToml;
-    use super::super::requirements_exec_policy::RequirementsExecPolicyTomlRoot;
+    use crate::config_loader::ConfigLayerEntry;
+    use crate::config_loader::ConfigLayerStack;
+    use crate::config_loader::ConfigRequirements;
+    use crate::config_loader::ConfigRequirementsToml;
+    use crate::config_loader::RequirementSource;
+    use crate::exec_policy::load_exec_policy;
+    use codex_app_server_protocol::ConfigLayerSource;
     use codex_execpolicy::Decision;
     use codex_execpolicy::Evaluation;
     use codex_execpolicy::RuleMatch;
+    use codex_utils_absolute_path::AbsolutePathBuf;
     use pretty_assertions::assert_eq;
+    use std::path::Path;
+    use tempfile::tempdir;
+    use toml::Value as TomlValue;
     use toml::from_str;
 
     fn tokens(cmd: &[&str]) -> Vec<String> {
         cmd.iter().map(std::string::ToString::to_string).collect()
     }
 
-    fn allow_all(_: &[String]) -> Decision {
-        Decision::Allow
+    fn panic_if_called(_: &[String]) -> Decision {
+        panic!("rule should match so heuristic should not be called");
+    }
+
+    fn config_stack_for_dot_codex_folder_with_requirements(
+        dot_codex_folder: &Path,
+        requirements: ConfigRequirements,
+    ) -> ConfigLayerStack {
+        let dot_codex_folder = AbsolutePathBuf::from_absolute_path(dot_codex_folder)
+            .expect("absolute dot_codex_folder");
+        let layer = ConfigLayerEntry::new(
+            ConfigLayerSource::Project { dot_codex_folder },
+            TomlValue::Table(Default::default()),
+        );
+        ConfigLayerStack::new(vec![layer], requirements, ConfigRequirementsToml::default())
+            .expect("ConfigLayerStack")
+    }
+
+    fn requirements_from_toml(toml_str: &str) -> ConfigRequirements {
+        let config: ConfigRequirementsToml = from_str(toml_str).expect("parse requirements toml");
+        let mut with_sources = ConfigRequirementsWithSources::default();
+        with_sources.merge_unset_fields(RequirementSource::Unknown, config);
+        ConfigRequirements::try_from(with_sources).expect("requirements")
     }
 
     #[test]
     fn parses_single_prefix_rule_from_raw_toml() -> anyhow::Result<()> {
         let toml_str = r#"
-[exec_policy]
 prefix_rules = [
     { pattern = [{ token = "rm" }], decision = "forbidden" },
 ]
 "#;
 
-        let parsed: RequirementsExecPolicyTomlRoot = from_str(toml_str)?;
+        let parsed: RequirementsExecPolicyToml = from_str(toml_str)?;
 
         assert_eq!(
             parsed,
-            RequirementsExecPolicyTomlRoot {
-                exec_policy: RequirementsExecPolicyToml {
-                    prefix_rules: vec![RequirementsExecPolicyPrefixRuleToml {
-                        pattern: vec![RequirementsExecPolicyPatternTokenToml {
-                            token: Some("rm".to_string()),
-                            any_of: None,
-                        }],
-                        decision: Some(RequirementsExecPolicyDecisionToml::Forbidden),
-                        justification: None,
+            RequirementsExecPolicyToml {
+                prefix_rules: vec![RequirementsExecPolicyPrefixRuleToml {
+                    pattern: vec![RequirementsExecPolicyPatternTokenToml {
+                        token: Some("rm".to_string()),
+                        any_of: None,
                     }],
-                },
+                    decision: Some(RequirementsExecPolicyDecisionToml::Forbidden),
+                    justification: None,
+                }],
             }
         );
 
@@ -965,44 +1203,41 @@ prefix_rules = [
     #[test]
     fn parses_multiple_prefix_rules_from_raw_toml() -> anyhow::Result<()> {
         let toml_str = r#"
-[exec_policy]
 prefix_rules = [
     { pattern = [{ token = "rm" }], decision = "forbidden" },
     { pattern = [{ token = "git" }, { any_of = ["push", "commit"] }], decision = "prompt", justification = "review changes before push or commit" },
 ]
 "#;
 
-        let parsed: RequirementsExecPolicyTomlRoot = from_str(toml_str)?;
+        let parsed: RequirementsExecPolicyToml = from_str(toml_str)?;
 
         assert_eq!(
             parsed,
-            RequirementsExecPolicyTomlRoot {
-                exec_policy: RequirementsExecPolicyToml {
-                    prefix_rules: vec![
-                        RequirementsExecPolicyPrefixRuleToml {
-                            pattern: vec![RequirementsExecPolicyPatternTokenToml {
-                                token: Some("rm".to_string()),
+            RequirementsExecPolicyToml {
+                prefix_rules: vec![
+                    RequirementsExecPolicyPrefixRuleToml {
+                        pattern: vec![RequirementsExecPolicyPatternTokenToml {
+                            token: Some("rm".to_string()),
+                            any_of: None,
+                        }],
+                        decision: Some(RequirementsExecPolicyDecisionToml::Forbidden),
+                        justification: None,
+                    },
+                    RequirementsExecPolicyPrefixRuleToml {
+                        pattern: vec![
+                            RequirementsExecPolicyPatternTokenToml {
+                                token: Some("git".to_string()),
                                 any_of: None,
-                            }],
-                            decision: Some(RequirementsExecPolicyDecisionToml::Forbidden),
-                            justification: None,
-                        },
-                        RequirementsExecPolicyPrefixRuleToml {
-                            pattern: vec![
-                                RequirementsExecPolicyPatternTokenToml {
-                                    token: Some("git".to_string()),
-                                    any_of: None,
-                                },
-                                RequirementsExecPolicyPatternTokenToml {
-                                    token: None,
-                                    any_of: Some(vec!["push".to_string(), "commit".to_string()]),
-                                },
-                            ],
-                            decision: Some(RequirementsExecPolicyDecisionToml::Prompt),
-                            justification: Some("review changes before push or commit".to_string()),
-                        },
-                    ],
-                },
+                            },
+                            RequirementsExecPolicyPatternTokenToml {
+                                token: None,
+                                any_of: Some(vec!["push".to_string(), "commit".to_string()]),
+                            },
+                        ],
+                        decision: Some(RequirementsExecPolicyDecisionToml::Prompt),
+                        justification: Some("review changes before push or commit".to_string()),
+                    },
+                ],
             }
         );
 
@@ -1012,17 +1247,16 @@ prefix_rules = [
     #[test]
     fn converts_rules_toml_into_internal_policy_representation() -> anyhow::Result<()> {
         let toml_str = r#"
-[exec_policy]
 prefix_rules = [
     { pattern = [{ token = "rm" }], decision = "forbidden" },
 ]
 "#;
 
-        let parsed: RequirementsExecPolicyTomlRoot = from_str(toml_str)?;
-        let policy = parsed.exec_policy.to_policy()?;
+        let parsed: RequirementsExecPolicyToml = from_str(toml_str)?;
+        let policy = parsed.to_policy()?;
 
         assert_eq!(
-            policy.check(&tokens(&["rm", "-rf", "/tmp"]), &allow_all),
+            policy.check(&tokens(&["rm", "-rf", "/tmp"]), &panic_if_called),
             Evaluation {
                 decision: Decision::Forbidden,
                 matched_rules: vec![RuleMatch::PrefixRuleMatch {
@@ -1039,16 +1273,15 @@ prefix_rules = [
     #[test]
     fn head_any_of_expands_into_multiple_program_rules() -> anyhow::Result<()> {
         let toml_str = r#"
-[exec_policy]
 prefix_rules = [
     { pattern = [{ any_of = ["git", "hg"] }, { token = "status" }], decision = "prompt" },
 ]
 "#;
-        let parsed: RequirementsExecPolicyTomlRoot = from_str(toml_str)?;
-        let policy = parsed.exec_policy.to_policy()?;
+        let parsed: RequirementsExecPolicyToml = from_str(toml_str)?;
+        let policy = parsed.to_policy()?;
 
         assert_eq!(
-            policy.check(&tokens(&["git", "status"]), &allow_all),
+            policy.check(&tokens(&["git", "status"]), &panic_if_called),
             Evaluation {
                 decision: Decision::Prompt,
                 matched_rules: vec![RuleMatch::PrefixRuleMatch {
@@ -1059,7 +1292,7 @@ prefix_rules = [
             }
         );
         assert_eq!(
-            policy.check(&tokens(&["hg", "status"]), &allow_all),
+            policy.check(&tokens(&["hg", "status"]), &panic_if_called),
             Evaluation {
                 decision: Decision::Prompt,
                 matched_rules: vec![RuleMatch::PrefixRuleMatch {
@@ -1072,4 +1305,139 @@ prefix_rules = [
 
         Ok(())
     }
+
+    #[test]
+    fn missing_decision_is_rejected() -> anyhow::Result<()> {
+        let toml_str = r#"
+prefix_rules = [
+    { pattern = [{ token = "rm" }] },
+]
+"#;
+
+        let parsed: RequirementsExecPolicyToml = from_str(toml_str)?;
+        let err = parsed.to_policy().expect_err("missing decision");
+
+        assert!(matches!(
+            err,
+            RequirementsExecPolicyParseError::MissingDecision { rule_index: 0 }
+        ));
+        Ok(())
+    }
+
+    #[test]
+    fn allow_decision_is_rejected() -> anyhow::Result<()> {
+        let toml_str = r#"
+prefix_rules = [
+    { pattern = [{ token = "rm" }], decision = "allow" },
+]
+"#;
+
+        let parsed: RequirementsExecPolicyToml = from_str(toml_str)?;
+        let err = parsed.to_policy().expect_err("allow decision not allowed");
+
+        assert!(matches!(
+            err,
+            RequirementsExecPolicyParseError::AllowDecisionNotAllowed { rule_index: 0 }
+        ));
+        Ok(())
+    }
+
+    #[test]
+    fn empty_prefix_rules_is_rejected() -> anyhow::Result<()> {
+        let toml_str = r#"
+prefix_rules = []
+"#;
+
+        let parsed: RequirementsExecPolicyToml = from_str(toml_str)?;
+        let err = parsed.to_policy().expect_err("empty prefix rules");
+
+        assert!(matches!(
+            err,
+            RequirementsExecPolicyParseError::EmptyPrefixRules
+        ));
+        Ok(())
+    }
+
+    #[tokio::test]
+    async fn loads_requirements_exec_policy_without_rules_files() -> anyhow::Result<()> {
+        let temp_dir = tempdir()?;
+        let requirements = requirements_from_toml(
+            r#"
+                [rules]
+                prefix_rules = [
+                    { pattern = [{ token = "rm" }], decision = "forbidden" },
+                ]
+            "#,
+        );
+        let config_stack =
+            config_stack_for_dot_codex_folder_with_requirements(temp_dir.path(), requirements);
+
+        let policy = load_exec_policy(&config_stack).await?;
+
+        assert_eq!(
+            policy.check_multiple([vec!["rm".to_string()]].iter(), &panic_if_called),
+            Evaluation {
+                decision: Decision::Forbidden,
+                matched_rules: vec![RuleMatch::PrefixRuleMatch {
+                    matched_prefix: vec!["rm".to_string()],
+                    decision: Decision::Forbidden,
+                    justification: None,
+                }],
+            }
+        );
+
+        Ok(())
+    }
+
+    #[tokio::test]
+    async fn merges_requirements_exec_policy_with_file_rules() -> anyhow::Result<()> {
+        let temp_dir = tempdir()?;
+        let policy_dir = temp_dir.path().join("rules");
+        std::fs::create_dir_all(&policy_dir)?;
+        std::fs::write(
+            policy_dir.join("deny.rules"),
+            r#"prefix_rule(pattern=["rm"], decision="forbidden")"#,
+        )?;
+
+        let requirements = requirements_from_toml(
+            r#"
+                [rules]
+                prefix_rules = [
+                    { pattern = [{ token = "git" }, { token = "push" }], decision = "prompt" },
+                ]
+            "#,
+        );
+        let config_stack =
+            config_stack_for_dot_codex_folder_with_requirements(temp_dir.path(), requirements);
+
+        let policy = load_exec_policy(&config_stack).await?;
+
+        assert_eq!(
+            policy.check_multiple([vec!["rm".to_string()]].iter(), &panic_if_called),
+            Evaluation {
+                decision: Decision::Forbidden,
+                matched_rules: vec![RuleMatch::PrefixRuleMatch {
+                    matched_prefix: vec!["rm".to_string()],
+                    decision: Decision::Forbidden,
+                    justification: None,
+                }],
+            }
+        );
+        assert_eq!(
+            policy.check_multiple(
+                [vec!["git".to_string(), "push".to_string()]].iter(),
+                &panic_if_called
+            ),
+            Evaluation {
+                decision: Decision::Prompt,
+                matched_rules: vec![RuleMatch::PrefixRuleMatch {
+                    matched_prefix: vec!["git".to_string(), "push".to_string()],
+                    decision: Decision::Prompt,
+                    justification: None,
+                }],
+            }
+        );
+
+        Ok(())
+    }
 }

codex-rs/core/src/context_manager/history.rs

@@ -266,7 +266,7 @@ impl ContextManager {
     }
 
     fn process_item(&self, item: &ResponseItem, policy: TruncationPolicy) -> ResponseItem {
-        let policy_with_serialization_budget = policy.mul(1.2);
+        let policy_with_serialization_budget = policy * 1.2;
         match item {
             ResponseItem::FunctionCallOutput { call_id, output } => {
                 let truncated =

codex-rs/core/src/default_client.rs

@@ -1,6 +1,8 @@
+use crate::config_loader::ResidencyRequirement;
 use crate::spawn::CODEX_SANDBOX_ENV_VAR;
 use codex_client::CodexHttpClient;
 pub use codex_client::CodexRequestBuilder;
+use reqwest::header::HeaderMap;
 use reqwest::header::HeaderValue;
 use std::sync::LazyLock;
 use std::sync::Mutex;
@@ -24,6 +26,7 @@ use std::sync::RwLock;
 pub static USER_AGENT_SUFFIX: LazyLock<Mutex<Option<String>>> = LazyLock::new(|| Mutex::new(None));
 pub const DEFAULT_ORIGINATOR: &str = "codex_cli_rs";
 pub const CODEX_INTERNAL_ORIGINATOR_OVERRIDE_ENV_VAR: &str = "CODEX_INTERNAL_ORIGINATOR_OVERRIDE";
+pub const RESIDENCY_HEADER_NAME: &str = "x-openai-internal-codex-residency";
 
 #[derive(Debug, Clone)]
 pub struct Originator {
@@ -31,6 +34,8 @@ pub struct Originator {
     pub header_value: HeaderValue,
 }
 static ORIGINATOR: LazyLock<RwLock<Option<Originator>>> = LazyLock::new(|| RwLock::new(None));
+static REQUIREMENTS_RESIDENCY: LazyLock<RwLock<Option<ResidencyRequirement>>> =
+    LazyLock::new(|| RwLock::new(None));
 
 #[derive(Debug)]
 pub enum SetOriginatorError {
@@ -74,6 +79,14 @@ pub fn set_default_originator(value: String) -> Result<(), SetOriginatorError> {
     Ok(())
 }
 
+pub fn set_default_client_residency_requirement(enforce_residency: Option<ResidencyRequirement>) {
+    let Ok(mut guard) = REQUIREMENTS_RESIDENCY.write() else {
+        tracing::warn!("Failed to acquire requirements residency lock");
+        return;
+    };
+    *guard = enforce_residency;
+}
+
 pub fn originator() -> Originator {
     if let Ok(guard) = ORIGINATOR.read()
         && let Some(originator) = guard.as_ref()
@@ -166,10 +179,17 @@ pub fn create_client() -> CodexHttpClient {
 }
 
 pub fn build_reqwest_client() -> reqwest::Client {
-    use reqwest::header::HeaderMap;
-
     let mut headers = HeaderMap::new();
     headers.insert("originator", originator().header_value);
+    if let Ok(guard) = REQUIREMENTS_RESIDENCY.read()
+        && let Some(requirement) = guard.as_ref()
+        && !headers.contains_key(RESIDENCY_HEADER_NAME)
+    {
+        let value = match requirement {
+            ResidencyRequirement::Us => HeaderValue::from_static("us"),
+        };
+        headers.insert(RESIDENCY_HEADER_NAME, value);
+    }
     let ua = get_codex_user_agent();
 
     let mut builder = reqwest::Client::builder()
@@ -214,6 +234,8 @@ mod tests {
     async fn test_create_client_sets_default_headers() {
         skip_if_no_network!();
 
+        set_default_client_residency_requirement(Some(ResidencyRequirement::Us));
+
         use wiremock::Mock;
         use wiremock::MockServer;
         use wiremock::ResponseTemplate;
@@ -256,6 +278,13 @@ mod tests {
             .get("user-agent")
             .expect("user-agent header missing");
         assert_eq!(ua_header.to_str().unwrap(), expected_ua);
+
+        let residency_header = headers
+            .get(RESIDENCY_HEADER_NAME)
+            .expect("residency header missing");
+        assert_eq!(residency_header.to_str().unwrap(), "us");
+
+        set_default_client_residency_requirement(None);
     }
 
     #[test]

codex-rs/core/src/error.rs

@@ -113,6 +113,9 @@ pub enum CodexErr {
     #[error("{0}")]
     UsageLimitReached(UsageLimitReachedError),
 
+    #[error("{0}")]
+    ModelCap(ModelCapError),
+
     #[error("{0}")]
     ResponseStreamFailed(ResponseStreamFailed),
 
@@ -205,7 +208,8 @@ impl CodexErr {
             | CodexErr::AgentLimitReached { .. }
             | CodexErr::Spawn
             | CodexErr::SessionConfiguredNotFirstEvent
-            | CodexErr::UsageLimitReached(_) => false,
+            | CodexErr::UsageLimitReached(_)
+            | CodexErr::ModelCap(_) => false,
             CodexErr::Stream(..)
             | CodexErr::Timeout
             | CodexErr::UnexpectedStatus(_)
@@ -371,9 +375,11 @@ impl std::fmt::Display for UsageLimitReachedError {
                     retry_suffix_after_or(self.resets_at.as_ref())
                 )
             }
-            Some(PlanType::Known(KnownPlan::Free)) => {
-                "You've hit your usage limit. Upgrade to Plus to continue using Codex (https://openai.com/chatgpt/pricing)."
-                    .to_string()
+            Some(PlanType::Known(KnownPlan::Free)) | Some(PlanType::Known(KnownPlan::Go)) => {
+                format!(
+                    "You've hit your usage limit. Upgrade to Plus to continue using Codex (https://openai.com/chatgpt/pricing),{}",
+                    retry_suffix_after_or(self.resets_at.as_ref())
+                )
             }
             Some(PlanType::Known(KnownPlan::Pro)) => format!(
                 "You've hit your usage limit. Visit https://chatgpt.com/codex/settings/usage to purchase more credits{}",
@@ -394,6 +400,30 @@ impl std::fmt::Display for UsageLimitReachedError {
     }
 }
 
+#[derive(Debug)]
+pub struct ModelCapError {
+    pub(crate) model: String,
+    pub(crate) reset_after_seconds: Option<u64>,
+}
+
+impl std::fmt::Display for ModelCapError {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let mut message = format!(
+            "Model {} is at capacity. Please try a different model.",
+            self.model
+        );
+        if let Some(seconds) = self.reset_after_seconds {
+            message.push_str(&format!(
+                " Try again in {}.",
+                format_duration_short(seconds)
+            ));
+        } else {
+            message.push_str(" Try again later.");
+        }
+        write!(f, "{message}")
+    }
+}
+
 fn retry_suffix(resets_at: Option<&DateTime<Utc>>) -> String {
     if let Some(resets_at) = resets_at {
         let formatted = format_retry_timestamp(resets_at);
@@ -425,6 +455,18 @@ fn format_retry_timestamp(resets_at: &DateTime<Utc>) -> String {
     }
 }
 
+fn format_duration_short(seconds: u64) -> String {
+    if seconds < 60 {
+        "less than a minute".to_string()
+    } else if seconds < 3600 {
+        format!("{}m", seconds / 60)
+    } else if seconds < 86_400 {
+        format!("{}h", seconds / 3600)
+    } else {
+        format!("{}d", seconds / 86_400)
+    }
+}
+
 fn day_suffix(day: u32) -> &'static str {
     match day {
         11..=13 => "th",
@@ -488,6 +530,10 @@ impl CodexErr {
             CodexErr::UsageLimitReached(_)
             | CodexErr::QuotaExceeded
             | CodexErr::UsageNotIncluded => CodexErrorInfo::UsageLimitExceeded,
+            CodexErr::ModelCap(err) => CodexErrorInfo::ModelCap {
+                model: err.model.clone(),
+                reset_after_seconds: err.reset_after_seconds,
+            },
             CodexErr::RetryLimit(_) => CodexErrorInfo::ResponseTooManyFailedAttempts {
                 http_status_code: self.http_status_code_value(),
             },
@@ -631,6 +677,45 @@ mod tests {
         );
     }
 
+    #[test]
+    fn model_cap_error_formats_message() {
+        let err = ModelCapError {
+            model: "boomslang".to_string(),
+            reset_after_seconds: Some(120),
+        };
+        assert_eq!(
+            err.to_string(),
+            "Model boomslang is at capacity. Please try a different model. Try again in 2m."
+        );
+    }
+
+    #[test]
+    fn model_cap_error_formats_message_without_reset() {
+        let err = ModelCapError {
+            model: "boomslang".to_string(),
+            reset_after_seconds: None,
+        };
+        assert_eq!(
+            err.to_string(),
+            "Model boomslang is at capacity. Please try a different model. Try again later."
+        );
+    }
+
+    #[test]
+    fn model_cap_error_maps_to_protocol() {
+        let err = CodexErr::ModelCap(ModelCapError {
+            model: "boomslang".to_string(),
+            reset_after_seconds: Some(30),
+        });
+        assert_eq!(
+            err.to_codex_protocol_error(),
+            CodexErrorInfo::ModelCap {
+                model: "boomslang".to_string(),
+                reset_after_seconds: Some(30),
+            }
+        );
+    }
+
     #[test]
     fn sandbox_denied_uses_aggregated_output_when_stderr_empty() {
         let output = ExecToolCallOutput {
@@ -734,7 +819,20 @@ mod tests {
         };
         assert_eq!(
             err.to_string(),
-            "You've hit your usage limit. Upgrade to Plus to continue using Codex (https://openai.com/chatgpt/pricing)."
+            "You've hit your usage limit. Upgrade to Plus to continue using Codex (https://openai.com/chatgpt/pricing), or try again later."
+        );
+    }
+
+    #[test]
+    fn usage_limit_reached_error_formats_go_plan() {
+        let err = UsageLimitReachedError {
+            plan_type: Some(PlanType::Known(KnownPlan::Go)),
+            resets_at: None,
+            rate_limits: Some(rate_limit_snapshot()),
+        };
+        assert_eq!(
+            err.to_string(),
+            "You've hit your usage limit. Upgrade to Plus to continue using Codex (https://openai.com/chatgpt/pricing), or try again later."
         );
     }
 

codex-rs/core/src/exec_policy.rs

@@ -280,7 +280,18 @@ pub async fn load_exec_policy(config_stack: &ConfigLayerStack) -> Result<Policy,
     let policy = parser.build();
     tracing::debug!("loaded rules from {} files", policy_paths.len());
 
-    Ok(policy)
+    let Some(requirements_policy) = config_stack.requirements().exec_policy.as_deref() else {
+        return Ok(policy);
+    };
+
+    let mut combined_rules = policy.rules().clone();
+    for (program, rules) in requirements_policy.as_ref().rules().iter_all() {
+        for rule in rules {
+            combined_rules.insert(program.clone(), rule.clone());
+        }
+    }
+
+    Ok(Policy::new(combined_rules))
 }
 
 /// If a command is not matched by any execpolicy rule, derive a [`Decision`].

codex-rs/core/src/features.rs

@@ -115,6 +115,8 @@ pub enum Feature {
     Apps,
     /// Allow prompting and installing missing MCP dependencies.
     SkillMcpDependencyInstall,
+    /// Prompt for missing skill env var dependencies.
+    SkillEnvVarDependencyPrompt,
     /// Steer feature flag - when enabled, Enter submits immediately instead of queuing.
     Steer,
     /// Enable collaboration modes (Plan, Code, Pair Programming, Execute).
@@ -462,7 +464,11 @@ pub const FEATURES: &[FeatureSpec] = &[
     FeatureSpec {
         id: Feature::RequestRule,
         key: "request_rule",
-        stage: Stage::UnderDevelopment,
+        stage: Stage::Experimental {
+            name: "Smart approvals",
+            menu_description: "Get smarter \"Don't ask again\" rule requests.",
+            announcement: "NEW: Try Smart approvals to get smarter \"Don't ask again\" requests. Enable in /experimental!",
+        },
         default_enabled: false,
     },
     FeatureSpec {
@@ -533,6 +539,12 @@ pub const FEATURES: &[FeatureSpec] = &[
         stage: Stage::Stable,
         default_enabled: true,
     },
+    FeatureSpec {
+        id: Feature::SkillEnvVarDependencyPrompt,
+        key: "skill_env_var_dependency_prompt",
+        stage: Stage::UnderDevelopment,
+        default_enabled: false,
+    },
     FeatureSpec {
         id: Feature::Steer,
         key: "steer",
@@ -552,7 +564,11 @@ pub const FEATURES: &[FeatureSpec] = &[
     FeatureSpec {
         id: Feature::Personality,
         key: "personality",
-        stage: Stage::UnderDevelopment,
+        stage: Stage::Experimental {
+            name: "Personality",
+            menu_description: "Choose a communication style for Codex.",
+            announcement: "NEW: Pick a personality for Codex. Enable in /experimental!",
+        },
         default_enabled: false,
     },
     FeatureSpec {

codex-rs/core/src/lib.rs

@@ -38,6 +38,7 @@ pub mod landlock;
 pub mod mcp;
 mod mcp_connection_manager;
 pub mod models_manager;
+mod transport_manager;
 pub use mcp_connection_manager::MCP_SANDBOX_STATE_CAPABILITY;
 pub use mcp_connection_manager::MCP_SANDBOX_STATE_METHOD;
 pub use mcp_connection_manager::SandboxState;
@@ -48,9 +49,11 @@ mod model_provider_info;
 pub mod parse_command;
 pub mod path_utils;
 pub mod powershell;
+mod proposed_plan_parser;
 pub mod sandboxing;
 mod session_prefix;
 mod stream_events_utils;
+mod tagged_block_parser;
 mod text_encoding;
 pub mod token_data;
 mod truncate;
@@ -99,12 +102,14 @@ pub mod turn_diff_tracker;
 pub use rollout::ARCHIVED_SESSIONS_SUBDIR;
 pub use rollout::INTERACTIVE_SESSION_SOURCES;
 pub use rollout::RolloutRecorder;
+pub use rollout::RolloutRecorderParams;
 pub use rollout::SESSIONS_SUBDIR;
 pub use rollout::SessionMeta;
 pub use rollout::find_archived_thread_path_by_id_str;
 #[deprecated(note = "use find_thread_path_by_id_str")]
 pub use rollout::find_conversation_path_by_id_str;
 pub use rollout::find_thread_path_by_id_str;
+pub use rollout::find_thread_path_by_name_str;
 pub use rollout::list::Cursor;
 pub use rollout::list::ThreadItem;
 pub use rollout::list::ThreadSortKey;
@@ -113,6 +118,7 @@ pub use rollout::list::parse_cursor;
 pub use rollout::list::read_head_for_summary;
 pub use rollout::list::read_session_meta_line;
 pub use rollout::rollout_date_parts;
+pub use transport_manager::TransportManager;
 mod function_tool;
 mod state;
 mod tasks;

codex-rs/core/src/mcp/skill_dependencies.rs

@@ -79,6 +79,7 @@ async fn should_install_mcp_dependencies(
             "The following MCP servers are required by the selected skills but are not installed yet: {server_list}. Install them now?"
         ),
         is_other: false,
+        is_secret: false,
         options: Some(vec![
             RequestUserInputQuestionOption {
                 label: MCP_DEPENDENCY_OPTION_INSTALL.to_string(),

codex-rs/core/src/mcp_connection_manager.rs

@@ -769,6 +769,32 @@ fn filter_tools(tools: Vec<ToolInfo>, filter: ToolFilter) -> Vec<ToolInfo> {
         .collect()
 }
 
+fn normalize_codex_apps_tool_title(
+    server_name: &str,
+    connector_name: Option<&str>,
+    value: &str,
+) -> String {
+    if server_name != CODEX_APPS_MCP_SERVER_NAME {
+        return value.to_string();
+    }
+
+    let Some(connector_name) = connector_name
+        .map(str::trim)
+        .filter(|name| !name.is_empty())
+    else {
+        return value.to_string();
+    };
+
+    let prefix = format!("{connector_name}_");
+    if let Some(stripped) = value.strip_prefix(&prefix)
+        && !stripped.is_empty()
+    {
+        return stripped.to_string();
+    }
+
+    value.to_string()
+}
+
 fn resolve_bearer_token(
     server_name: &str,
     bearer_token_env_var: Option<&str>,
@@ -926,12 +952,23 @@ async fn list_tools_for_client(
     Ok(resp
         .tools
         .into_iter()
-        .map(|tool| ToolInfo {
-            server_name: server_name.to_owned(),
-            tool_name: tool.tool.name.clone(),
-            tool: tool.tool,
-            connector_id: tool.connector_id,
-            connector_name: tool.connector_name,
+        .map(|tool| {
+            let connector_name = tool.connector_name;
+            let mut tool_def = tool.tool;
+            if let Some(title) = tool_def.title.as_deref() {
+                let normalized_title =
+                    normalize_codex_apps_tool_title(server_name, connector_name.as_deref(), title);
+                if tool_def.title.as_deref() != Some(normalized_title.as_str()) {
+                    tool_def.title = Some(normalized_title);
+                }
+            }
+            ToolInfo {
+                server_name: server_name.to_owned(),
+                tool_name: tool_def.name.clone(),
+                tool: tool_def,
+                connector_id: tool.connector_id,
+                connector_name,
+            }
         })
         .collect())
 }

codex-rs/core/src/mcp_tool_call.rs

@@ -1,20 +1,30 @@
+use std::time::Duration;
 use std::time::Instant;
 
 use tracing::error;
 
 use crate::codex::Session;
 use crate::codex::TurnContext;
+use crate::mcp::CODEX_APPS_MCP_SERVER_NAME;
 use crate::protocol::EventMsg;
 use crate::protocol::McpInvocation;
 use crate::protocol::McpToolCallBeginEvent;
 use crate::protocol::McpToolCallEndEvent;
 use codex_protocol::models::FunctionCallOutputPayload;
 use codex_protocol::models::ResponseInputItem;
+use codex_protocol::protocol::AskForApproval;
+use codex_protocol::protocol::SandboxPolicy;
+use codex_protocol::request_user_input::RequestUserInputArgs;
+use codex_protocol::request_user_input::RequestUserInputQuestion;
+use codex_protocol::request_user_input::RequestUserInputQuestionOption;
+use codex_protocol::request_user_input::RequestUserInputResponse;
+use mcp_types::ToolAnnotations;
+use std::sync::Arc;
 
 /// Handles the specified tool call dispatches the appropriate
 /// `McpToolCallBegin` and `McpToolCallEnd` events to the `Session`.
 pub(crate) async fn handle_mcp_tool_call(
-    sess: &Session,
+    sess: Arc<Session>,
     turn_context: &TurnContext,
     call_id: String,
     server: String,
@@ -48,11 +58,79 @@ pub(crate) async fn handle_mcp_tool_call(
         arguments: arguments_value.clone(),
     };
 
+    if let Some(decision) =
+        maybe_request_mcp_tool_approval(sess.as_ref(), turn_context, &call_id, &server, &tool_name)
+            .await
+    {
+        let result = match decision {
+            McpToolApprovalDecision::Accept => {
+                let tool_call_begin_event = EventMsg::McpToolCallBegin(McpToolCallBeginEvent {
+                    call_id: call_id.clone(),
+                    invocation: invocation.clone(),
+                });
+                notify_mcp_tool_call_event(sess.as_ref(), turn_context, tool_call_begin_event)
+                    .await;
+
+                let start = Instant::now();
+                let result = sess
+                    .call_tool(&server, &tool_name, arguments_value.clone())
+                    .await
+                    .map_err(|e| format!("tool call error: {e:?}"));
+                if let Err(e) = &result {
+                    tracing::warn!("MCP tool call error: {e:?}");
+                }
+                let tool_call_end_event = EventMsg::McpToolCallEnd(McpToolCallEndEvent {
+                    call_id: call_id.clone(),
+                    invocation,
+                    duration: start.elapsed(),
+                    result: result.clone(),
+                });
+                notify_mcp_tool_call_event(
+                    sess.as_ref(),
+                    turn_context,
+                    tool_call_end_event.clone(),
+                )
+                .await;
+                result
+            }
+            McpToolApprovalDecision::Decline => {
+                let message = "user rejected MCP tool call".to_string();
+                notify_mcp_tool_call_skip(
+                    sess.as_ref(),
+                    turn_context,
+                    &call_id,
+                    invocation,
+                    message,
+                )
+                .await
+            }
+            McpToolApprovalDecision::Cancel => {
+                let message = "user cancelled MCP tool call".to_string();
+                notify_mcp_tool_call_skip(
+                    sess.as_ref(),
+                    turn_context,
+                    &call_id,
+                    invocation,
+                    message,
+                )
+                .await
+            }
+        };
+
+        let status = if result.is_ok() { "ok" } else { "error" };
+        turn_context
+            .client
+            .get_otel_manager()
+            .counter("codex.mcp.call", 1, &[("status", status)]);
+
+        return ResponseInputItem::McpToolCallOutput { call_id, result };
+    }
+
     let tool_call_begin_event = EventMsg::McpToolCallBegin(McpToolCallBeginEvent {
         call_id: call_id.clone(),
         invocation: invocation.clone(),
     });
-    notify_mcp_tool_call_event(sess, turn_context, tool_call_begin_event).await;
+    notify_mcp_tool_call_event(sess.as_ref(), turn_context, tool_call_begin_event).await;
 
     let start = Instant::now();
     // Perform the tool call.
@@ -70,7 +148,7 @@ pub(crate) async fn handle_mcp_tool_call(
         result: result.clone(),
     });
 
-    notify_mcp_tool_call_event(sess, turn_context, tool_call_end_event.clone()).await;
+    notify_mcp_tool_call_event(sess.as_ref(), turn_context, tool_call_end_event.clone()).await;
 
     let status = if result.is_ok() { "ok" } else { "error" };
     turn_context
@@ -84,3 +162,236 @@ pub(crate) async fn handle_mcp_tool_call(
 async fn notify_mcp_tool_call_event(sess: &Session, turn_context: &TurnContext, event: EventMsg) {
     sess.send_event(turn_context, event).await;
 }
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+enum McpToolApprovalDecision {
+    Accept,
+    Decline,
+    Cancel,
+}
+
+struct McpToolApprovalMetadata {
+    annotations: ToolAnnotations,
+    connector_name: Option<String>,
+    tool_title: Option<String>,
+}
+
+const MCP_TOOL_APPROVAL_QUESTION_ID_PREFIX: &str = "mcp_tool_call_approval";
+const MCP_TOOL_APPROVAL_ACCEPT: &str = "Accept";
+const MCP_TOOL_APPROVAL_DECLINE: &str = "Decline";
+const MCP_TOOL_APPROVAL_CANCEL: &str = "Cancel";
+
+async fn maybe_request_mcp_tool_approval(
+    sess: &Session,
+    turn_context: &TurnContext,
+    call_id: &str,
+    server: &str,
+    tool_name: &str,
+) -> Option<McpToolApprovalDecision> {
+    if is_full_access_mode(turn_context) {
+        return None;
+    }
+    if server != CODEX_APPS_MCP_SERVER_NAME {
+        return None;
+    }
+
+    let metadata = lookup_mcp_tool_metadata(sess, server, tool_name).await?;
+    if !requires_mcp_tool_approval(&metadata.annotations) {
+        return None;
+    }
+
+    let question_id = format!("{MCP_TOOL_APPROVAL_QUESTION_ID_PREFIX}_{call_id}");
+    let question = build_mcp_tool_approval_question(
+        question_id.clone(),
+        tool_name,
+        metadata.tool_title.as_deref(),
+        metadata.connector_name.as_deref(),
+        &metadata.annotations,
+    );
+    let args = RequestUserInputArgs {
+        questions: vec![question],
+    };
+    let response = sess
+        .request_user_input(turn_context, call_id.to_string(), args)
+        .await;
+    Some(parse_mcp_tool_approval_response(response, &question_id))
+}
+
+fn is_full_access_mode(turn_context: &TurnContext) -> bool {
+    matches!(turn_context.approval_policy, AskForApproval::Never)
+        && matches!(
+            turn_context.sandbox_policy,
+            SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. }
+        )
+}
+
+async fn lookup_mcp_tool_metadata(
+    sess: &Session,
+    server: &str,
+    tool_name: &str,
+) -> Option<McpToolApprovalMetadata> {
+    let tools = sess
+        .services
+        .mcp_connection_manager
+        .read()
+        .await
+        .list_all_tools()
+        .await;
+
+    tools.into_values().find_map(|tool_info| {
+        if tool_info.server_name == server && tool_info.tool_name == tool_name {
+            tool_info
+                .tool
+                .annotations
+                .map(|annotations| McpToolApprovalMetadata {
+                    annotations,
+                    connector_name: tool_info.connector_name,
+                    tool_title: tool_info.tool.title,
+                })
+        } else {
+            None
+        }
+    })
+}
+
+fn build_mcp_tool_approval_question(
+    question_id: String,
+    tool_name: &str,
+    tool_title: Option<&str>,
+    connector_name: Option<&str>,
+    annotations: &ToolAnnotations,
+) -> RequestUserInputQuestion {
+    let destructive = annotations.destructive_hint == Some(true);
+    let open_world = annotations.open_world_hint == Some(true);
+    let reason = match (destructive, open_world) {
+        (true, true) => "may modify data and access external systems",
+        (true, false) => "may modify or delete data",
+        (false, true) => "may access external systems",
+        (false, false) => "may have side effects",
+    };
+
+    let tool_label = tool_title.unwrap_or(tool_name);
+    let app_label = connector_name
+        .map(|name| format!("The {name} app"))
+        .unwrap_or_else(|| "This app".to_string());
+    let question = format!(
+        "{app_label} wants to run the tool \"{tool_label}\", which {reason}. Allow this action?"
+    );
+
+    RequestUserInputQuestion {
+        id: question_id,
+        header: "Approve app tool call?".to_string(),
+        question,
+        is_other: false,
+        is_secret: false,
+        options: Some(vec![
+            RequestUserInputQuestionOption {
+                label: MCP_TOOL_APPROVAL_ACCEPT.to_string(),
+                description: "Run the tool and continue.".to_string(),
+            },
+            RequestUserInputQuestionOption {
+                label: MCP_TOOL_APPROVAL_DECLINE.to_string(),
+                description: "Decline this tool call and continue.".to_string(),
+            },
+            RequestUserInputQuestionOption {
+                label: MCP_TOOL_APPROVAL_CANCEL.to_string(),
+                description: "Cancel this tool call".to_string(),
+            },
+        ]),
+    }
+}
+
+fn parse_mcp_tool_approval_response(
+    response: Option<RequestUserInputResponse>,
+    question_id: &str,
+) -> McpToolApprovalDecision {
+    let Some(response) = response else {
+        return McpToolApprovalDecision::Cancel;
+    };
+    let answers = response
+        .answers
+        .get(question_id)
+        .map(|answer| answer.answers.as_slice());
+    let Some(answers) = answers else {
+        return McpToolApprovalDecision::Cancel;
+    };
+    if answers
+        .iter()
+        .any(|answer| answer == MCP_TOOL_APPROVAL_ACCEPT)
+    {
+        McpToolApprovalDecision::Accept
+    } else if answers
+        .iter()
+        .any(|answer| answer == MCP_TOOL_APPROVAL_CANCEL)
+    {
+        McpToolApprovalDecision::Cancel
+    } else {
+        McpToolApprovalDecision::Decline
+    }
+}
+
+fn requires_mcp_tool_approval(annotations: &ToolAnnotations) -> bool {
+    annotations.read_only_hint == Some(false)
+        && (annotations.destructive_hint == Some(true) || annotations.open_world_hint == Some(true))
+}
+
+async fn notify_mcp_tool_call_skip(
+    sess: &Session,
+    turn_context: &TurnContext,
+    call_id: &str,
+    invocation: McpInvocation,
+    message: String,
+) -> Result<mcp_types::CallToolResult, String> {
+    let tool_call_begin_event = EventMsg::McpToolCallBegin(McpToolCallBeginEvent {
+        call_id: call_id.to_string(),
+        invocation: invocation.clone(),
+    });
+    notify_mcp_tool_call_event(sess, turn_context, tool_call_begin_event).await;
+
+    let tool_call_end_event = EventMsg::McpToolCallEnd(McpToolCallEndEvent {
+        call_id: call_id.to_string(),
+        invocation,
+        duration: Duration::ZERO,
+        result: Err(message.clone()),
+    });
+    notify_mcp_tool_call_event(sess, turn_context, tool_call_end_event).await;
+    Err(message)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use pretty_assertions::assert_eq;
+
+    fn annotations(
+        read_only: Option<bool>,
+        destructive: Option<bool>,
+        open_world: Option<bool>,
+    ) -> ToolAnnotations {
+        ToolAnnotations {
+            destructive_hint: destructive,
+            idempotent_hint: None,
+            open_world_hint: open_world,
+            read_only_hint: read_only,
+            title: None,
+        }
+    }
+
+    #[test]
+    fn approval_required_when_read_only_false_and_destructive() {
+        let annotations = annotations(Some(false), Some(true), None);
+        assert_eq!(requires_mcp_tool_approval(&annotations), true);
+    }
+
+    #[test]
+    fn approval_required_when_read_only_false_and_open_world() {
+        let annotations = annotations(Some(false), None, Some(true));
+        assert_eq!(requires_mcp_tool_approval(&annotations), true);
+    }
+
+    #[test]
+    fn approval_not_required_when_read_only_true() {
+        let annotations = annotations(Some(true), Some(true), Some(true));
+        assert_eq!(requires_mcp_tool_approval(&annotations), false);
+    }
+}

codex-rs/core/src/model_provider_info.rs

@@ -5,10 +5,12 @@
 //!   2. User-defined entries inside `~/.codex/config.toml` under the `model_providers`
 //!      key. These override or extend the defaults at runtime.
 
+use crate::auth::AuthMode;
+use crate::error::EnvVarError;
 use codex_api::Provider as ApiProvider;
 use codex_api::WireApi as ApiWireApi;
+use codex_api::is_azure_responses_wire_base_url;
 use codex_api::provider::RetryConfig as ApiRetryConfig;
-use codex_app_server_protocol::AuthMode;
 use http::HeaderMap;
 use http::header::HeaderName;
 use http::header::HeaderValue;
@@ -19,7 +21,6 @@ use std::collections::HashMap;
 use std::env::VarError;
 use std::time::Duration;
 
-use crate::error::EnvVarError;
 const DEFAULT_STREAM_IDLE_TIMEOUT_MS: u64 = 300_000;
 const DEFAULT_STREAM_MAX_RETRIES: u64 = 5;
 const DEFAULT_REQUEST_MAX_RETRIES: u64 = 4;
@@ -43,10 +44,6 @@ pub enum WireApi {
     /// The Responses API exposed by OpenAI at `/v1/responses`.
     Responses,
 
-    /// Experimental: Responses API over WebSocket transport.
-    #[serde(rename = "responses_websocket")]
-    ResponsesWebsocket,
-
     /// Regular Chat Completions compatible with `/v1/chat/completions`.
     #[default]
     Chat,
@@ -105,6 +102,10 @@ pub struct ModelProviderInfo {
     /// and API key (if needed) comes from the "env_key" environment variable.
     #[serde(default)]
     pub requires_openai_auth: bool,
+
+    /// Whether this provider supports the Responses API WebSocket transport.
+    #[serde(default)]
+    pub supports_websockets: bool,
 }
 
 impl ModelProviderInfo {
@@ -137,7 +138,7 @@ impl ModelProviderInfo {
         &self,
         auth_mode: Option<AuthMode>,
     ) -> crate::error::Result<ApiProvider> {
-        let default_base_url = if matches!(auth_mode, Some(AuthMode::ChatGPT)) {
+        let default_base_url = if matches!(auth_mode, Some(AuthMode::Chatgpt)) {
             "https://chatgpt.com/backend-api/codex"
         } else {
             "https://api.openai.com/v1"
@@ -162,7 +163,6 @@ impl ModelProviderInfo {
             query_params: self.query_params.clone(),
             wire: match self.wire_api {
                 WireApi::Responses => ApiWireApi::Responses,
-                WireApi::ResponsesWebsocket => ApiWireApi::Responses,
                 WireApi::Chat => ApiWireApi::Chat,
             },
             headers,
@@ -171,6 +171,15 @@ impl ModelProviderInfo {
         })
     }
 
+    pub(crate) fn is_azure_responses_endpoint(&self) -> bool {
+        let wire = match self.wire_api {
+            WireApi::Responses => ApiWireApi::Responses,
+            WireApi::Chat => ApiWireApi::Chat,
+        };
+
+        is_azure_responses_wire_base_url(wire, &self.name, self.base_url.as_deref())
+    }
+
     /// If `env_key` is Some, returns the API key for this provider if present
     /// (and non-empty) in the environment. If `env_key` is required but
     /// cannot be found, returns an error.
@@ -254,6 +263,7 @@ impl ModelProviderInfo {
             stream_max_retries: None,
             stream_idle_timeout_ms: None,
             requires_openai_auth: true,
+            supports_websockets: true,
         }
     }
 
@@ -332,6 +342,7 @@ pub fn create_oss_provider_with_base_url(base_url: &str, wire_api: WireApi) -> M
         stream_max_retries: None,
         stream_idle_timeout_ms: None,
         requires_openai_auth: false,
+        supports_websockets: false,
     }
 }
 
@@ -360,6 +371,7 @@ base_url = "http://localhost:11434/v1"
             stream_max_retries: None,
             stream_idle_timeout_ms: None,
             requires_openai_auth: false,
+            supports_websockets: false,
         };
 
         let provider: ModelProviderInfo = toml::from_str(azure_provider_toml).unwrap();
@@ -390,6 +402,7 @@ query_params = { api-version = "2025-04-01-preview" }
             stream_max_retries: None,
             stream_idle_timeout_ms: None,
             requires_openai_auth: false,
+            supports_websockets: false,
         };
 
         let provider: ModelProviderInfo = toml::from_str(azure_provider_toml).unwrap();
@@ -423,89 +436,10 @@ env_http_headers = { "X-Example-Env-Header" = "EXAMPLE_ENV_VAR" }
             stream_max_retries: None,
             stream_idle_timeout_ms: None,
             requires_openai_auth: false,
+            supports_websockets: false,
         };
 
         let provider: ModelProviderInfo = toml::from_str(azure_provider_toml).unwrap();
         assert_eq!(expected_provider, provider);
     }
-
-    #[test]
-    fn detects_azure_responses_base_urls() {
-        let positive_cases = [
-            "https://foo.openai.azure.com/openai",
-            "https://foo.openai.azure.us/openai/deployments/bar",
-            "https://foo.cognitiveservices.azure.cn/openai",
-            "https://foo.aoai.azure.com/openai",
-            "https://foo.openai.azure-api.net/openai",
-            "https://foo.z01.azurefd.net/",
-        ];
-        for base_url in positive_cases {
-            let provider = ModelProviderInfo {
-                name: "test".into(),
-                base_url: Some(base_url.into()),
-                env_key: None,
-                env_key_instructions: None,
-                experimental_bearer_token: None,
-                wire_api: WireApi::Responses,
-                query_params: None,
-                http_headers: None,
-                env_http_headers: None,
-                request_max_retries: None,
-                stream_max_retries: None,
-                stream_idle_timeout_ms: None,
-                requires_openai_auth: false,
-            };
-            let api = provider.to_api_provider(None).expect("api provider");
-            assert!(
-                api.is_azure_responses_endpoint(),
-                "expected {base_url} to be detected as Azure"
-            );
-        }
-
-        let named_provider = ModelProviderInfo {
-            name: "Azure".into(),
-            base_url: Some("https://example.com".into()),
-            env_key: None,
-            env_key_instructions: None,
-            experimental_bearer_token: None,
-            wire_api: WireApi::Responses,
-            query_params: None,
-            http_headers: None,
-            env_http_headers: None,
-            request_max_retries: None,
-            stream_max_retries: None,
-            stream_idle_timeout_ms: None,
-            requires_openai_auth: false,
-        };
-        let named_api = named_provider.to_api_provider(None).expect("api provider");
-        assert!(named_api.is_azure_responses_endpoint());
-
-        let negative_cases = [
-            "https://api.openai.com/v1",
-            "https://example.com/openai",
-            "https://myproxy.azurewebsites.net/openai",
-        ];
-        for base_url in negative_cases {
-            let provider = ModelProviderInfo {
-                name: "test".into(),
-                base_url: Some(base_url.into()),
-                env_key: None,
-                env_key_instructions: None,
-                experimental_bearer_token: None,
-                wire_api: WireApi::Responses,
-                query_params: None,
-                http_headers: None,
-                env_http_headers: None,
-                request_max_retries: None,
-                stream_max_retries: None,
-                stream_idle_timeout_ms: None,
-                requires_openai_auth: false,
-            };
-            let api = provider.to_api_provider(None).expect("api provider");
-            assert!(
-                !api.is_azure_responses_endpoint(),
-                "expected {base_url} not to be detected as Azure"
-            );
-        }
-    }
 }

codex-rs/core/src/models_manager/manager.rs

@@ -2,6 +2,7 @@ use super::cache::ModelsCacheManager;
 use crate::api_bridge::auth_provider_from_auth;
 use crate::api_bridge::map_api_error;
 use crate::auth::AuthManager;
+use crate::auth::AuthMode;
 use crate::config::Config;
 use crate::default_client::build_reqwest_client;
 use crate::error::CodexErr;
@@ -13,7 +14,6 @@ use crate::models_manager::model_info;
 use crate::models_manager::model_presets::builtin_model_presets;
 use codex_api::ModelsClient;
 use codex_api::ReqwestTransport;
-use codex_app_server_protocol::AuthMode;
 use codex_protocol::config_types::CollaborationModeMask;
 use codex_protocol::openai_models::ModelInfo;
 use codex_protocol::openai_models::ModelPreset;
@@ -61,7 +61,7 @@ impl ModelsManager {
         let cache_path = codex_home.join(MODEL_CACHE_FILE);
         let cache_manager = ModelsCacheManager::new(cache_path, DEFAULT_MODEL_CACHE_TTL);
         Self {
-            local_models: builtin_model_presets(auth_manager.get_auth_mode()),
+            local_models: builtin_model_presets(auth_manager.get_internal_auth_mode()),
             remote_models: RwLock::new(Self::load_remote_models_from_file().unwrap_or_default()),
             auth_manager,
             etag: RwLock::new(None),
@@ -175,7 +175,7 @@ impl ModelsManager {
         refresh_strategy: RefreshStrategy,
     ) -> CoreResult<()> {
         if !config.features.enabled(Feature::RemoteModels)
-            || self.auth_manager.get_auth_mode() == Some(AuthMode::ApiKey)
+            || self.auth_manager.get_internal_auth_mode() == Some(AuthMode::ApiKey)
         {
             return Ok(());
         }
@@ -204,7 +204,8 @@ impl ModelsManager {
         let _timer =
             codex_otel::start_global_timer("codex.remote_models.fetch_update.duration_ms", &[]);
         let auth = self.auth_manager.auth().await;
-        let api_provider = self.provider.to_api_provider(Some(AuthMode::ChatGPT))?;
+        let auth_mode = self.auth_manager.get_internal_auth_mode();
+        let api_provider = self.provider.to_api_provider(auth_mode)?;
         let api_auth = auth_provider_from_auth(auth.clone(), &self.provider)?;
         let transport = ReqwestTransport::new(build_reqwest_client());
         let client = ModelsClient::new(transport, api_provider, api_auth);
@@ -271,7 +272,10 @@ impl ModelsManager {
         let remote_presets: Vec<ModelPreset> = remote_models.into_iter().map(Into::into).collect();
         let existing_presets = self.local_models.clone();
         let mut merged_presets = ModelPreset::merge(remote_presets, existing_presets);
-        let chatgpt_mode = self.auth_manager.get_auth_mode() == Some(AuthMode::ChatGPT);
+        let chatgpt_mode = matches!(
+            self.auth_manager.get_internal_auth_mode(),
+            Some(AuthMode::Chatgpt)
+        );
         merged_presets = ModelPreset::filter_by_auth(merged_presets, chatgpt_mode);
 
         for preset in &mut merged_presets {
@@ -315,7 +319,7 @@ impl ModelsManager {
         let cache_path = codex_home.join(MODEL_CACHE_FILE);
         let cache_manager = ModelsCacheManager::new(cache_path, DEFAULT_MODEL_CACHE_TTL);
         Self {
-            local_models: builtin_model_presets(auth_manager.get_auth_mode()),
+            local_models: builtin_model_presets(auth_manager.get_internal_auth_mode()),
             remote_models: RwLock::new(Self::load_remote_models_from_file().unwrap_or_default()),
             auth_manager,
             etag: RwLock::new(None),
@@ -432,6 +436,7 @@ mod tests {
             stream_max_retries: Some(0),
             stream_idle_timeout_ms: Some(5_000),
             requires_openai_auth: false,
+            supports_websockets: false,
         }
     }
 

codex-rs/core/src/models_manager/model_info.rs

@@ -1,19 +1,17 @@
-use std::collections::BTreeMap;
-
-use codex_protocol::config_types::Personality;
 use codex_protocol::config_types::Verbosity;
 use codex_protocol::openai_models::ApplyPatchToolType;
 use codex_protocol::openai_models::ConfigShellToolType;
 use codex_protocol::openai_models::ModelInfo;
-use codex_protocol::openai_models::ModelInstructionsTemplate;
+use codex_protocol::openai_models::ModelInstructionsVariables;
+use codex_protocol::openai_models::ModelMessages;
 use codex_protocol::openai_models::ModelVisibility;
-use codex_protocol::openai_models::PersonalityMessages;
 use codex_protocol::openai_models::ReasoningEffort;
 use codex_protocol::openai_models::ReasoningEffortPreset;
 use codex_protocol::openai_models::TruncationMode;
 use codex_protocol::openai_models::TruncationPolicyConfig;
 
 use crate::config::Config;
+use crate::features::Feature;
 use crate::truncate::approx_bytes_for_tokens;
 use tracing::warn;
 
@@ -29,8 +27,11 @@ const GPT_5_1_CODEX_MAX_INSTRUCTIONS: &str = include_str!("../../gpt-5.1-codex-m
 const GPT_5_2_CODEX_INSTRUCTIONS: &str = include_str!("../../gpt-5.2-codex_prompt.md");
 const GPT_5_2_CODEX_INSTRUCTIONS_TEMPLATE: &str =
     include_str!("../../templates/model_instructions/gpt-5.2-codex_instructions_template.md");
-const PERSONALITY_FRIENDLY: &str = include_str!("../../templates/personalities/friendly.md");
-const PERSONALITY_PRAGMATIC: &str = include_str!("../../templates/personalities/pragmatic.md");
+
+const GPT_5_2_CODEX_PERSONALITY_FRIENDLY: &str =
+    include_str!("../../templates/personalities/gpt-5.2-codex_friendly.md");
+const GPT_5_2_CODEX_PERSONALITY_PRAGMATIC: &str =
+    include_str!("../../templates/personalities/gpt-5.2-codex_pragmatic.md");
 
 pub(crate) const CONTEXT_WINDOW_272K: i64 = 272_000;
 
@@ -54,7 +55,7 @@ macro_rules! model_info {
             priority: 99,
             upgrade: None,
             base_instructions: BASE_INSTRUCTIONS.to_string(),
-            model_instructions_template: None,
+            model_messages: None,
             supports_reasoning_summaries: false,
             support_verbosity: false,
             default_verbosity: None,
@@ -100,8 +101,11 @@ pub(crate) fn with_config_overrides(mut model: ModelInfo, config: &Config) -> Mo
 
     if let Some(base_instructions) = &config.base_instructions {
         model.base_instructions = base_instructions.clone();
-        model.model_instructions_template = None;
+        model.model_messages = None;
+    } else if !config.features.enabled(Feature::Personality) {
+        model.model_messages = None;
     }
+
     model
 }
 
@@ -169,15 +173,13 @@ pub(crate) fn find_model_info_for_slug(slug: &str) -> ModelInfo {
         model_info!(
             slug,
             base_instructions: GPT_5_2_CODEX_INSTRUCTIONS.to_string(),
-            model_instructions_template: Some(ModelInstructionsTemplate {
-                template: GPT_5_2_CODEX_INSTRUCTIONS_TEMPLATE.to_string(),
-                personality_messages: Some(PersonalityMessages(BTreeMap::from([(
-                    Personality::Friendly,
-                    PERSONALITY_FRIENDLY.to_string(),
-                ), (
-                    Personality::Pragmatic,
-                    PERSONALITY_PRAGMATIC.to_string(),
-                )]))),
+            model_messages: Some(ModelMessages {
+                instructions_template: Some(GPT_5_2_CODEX_INSTRUCTIONS_TEMPLATE.to_string()),
+                instructions_variables: Some(ModelInstructionsVariables {
+                    personality_default: Some("".to_string()),
+                    personality_friendly: Some(GPT_5_2_CODEX_PERSONALITY_FRIENDLY.to_string()),
+                    personality_pragmatic: Some(GPT_5_2_CODEX_PERSONALITY_PRAGMATIC.to_string()),
+                }),
             }),
             apply_patch_tool_type: Some(ApplyPatchToolType::Freeform),
             shell_type: ConfigShellToolType::ShellCommand,
@@ -213,15 +215,14 @@ pub(crate) fn find_model_info_for_slug(slug: &str) -> ModelInfo {
             truncation_policy: TruncationPolicyConfig::tokens(10_000),
             context_window: Some(CONTEXT_WINDOW_272K),
             supported_reasoning_levels: supported_reasoning_level_low_medium_high_xhigh(),
-            model_instructions_template: Some(ModelInstructionsTemplate {
-                template: GPT_5_2_CODEX_INSTRUCTIONS_TEMPLATE.to_string(),
-                personality_messages: Some(PersonalityMessages(BTreeMap::from([(
-                    Personality::Friendly,
-                    PERSONALITY_FRIENDLY.to_string(),
-                ), (
-                    Personality::Pragmatic,
-                    PERSONALITY_PRAGMATIC.to_string(),
-                )]))),
+            base_instructions: GPT_5_2_CODEX_INSTRUCTIONS.to_string(),
+            model_messages: Some(ModelMessages {
+                instructions_template: Some(GPT_5_2_CODEX_INSTRUCTIONS_TEMPLATE.to_string()),
+                instructions_variables: Some(ModelInstructionsVariables {
+                    personality_default: Some("".to_string()),
+                    personality_friendly: Some(GPT_5_2_CODEX_PERSONALITY_FRIENDLY.to_string()),
+                    personality_pragmatic: Some(GPT_5_2_CODEX_PERSONALITY_PRAGMATIC.to_string()),
+                }),
             }),
         )
     } else if slug.starts_with("gpt-5.1-codex-max") {

codex-rs/core/src/models_manager/model_presets.rs

@@ -1,4 +1,4 @@
-use codex_app_server_protocol::AuthMode;
+use crate::auth::AuthMode;
 use codex_protocol::openai_models::ModelPreset;
 use codex_protocol::openai_models::ModelUpgrade;
 use codex_protocol::openai_models::ReasoningEffort;

codex-rs/core/src/proposed_plan_parser.rs

@@ -0,0 +1,185 @@
+use crate::tagged_block_parser::TagSpec;
+use crate::tagged_block_parser::TaggedLineParser;
+use crate::tagged_block_parser::TaggedLineSegment;
+
+const OPEN_TAG: &str = "<proposed_plan>";
+const CLOSE_TAG: &str = "</proposed_plan>";
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+enum PlanTag {
+    ProposedPlan,
+}
+
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub(crate) enum ProposedPlanSegment {
+    Normal(String),
+    ProposedPlanStart,
+    ProposedPlanDelta(String),
+    ProposedPlanEnd,
+}
+
+/// Parser for `<proposed_plan>` blocks emitted in plan mode.
+///
+/// This is a thin wrapper around the generic line-based tag parser. It maps
+/// tag-aware segments into plan-specific segments for downstream consumers.
+#[derive(Debug)]
+pub(crate) struct ProposedPlanParser {
+    parser: TaggedLineParser<PlanTag>,
+}
+
+impl ProposedPlanParser {
+    pub(crate) fn new() -> Self {
+        Self {
+            parser: TaggedLineParser::new(vec![TagSpec {
+                open: OPEN_TAG,
+                close: CLOSE_TAG,
+                tag: PlanTag::ProposedPlan,
+            }]),
+        }
+    }
+
+    pub(crate) fn parse(&mut self, delta: &str) -> Vec<ProposedPlanSegment> {
+        self.parser
+            .parse(delta)
+            .into_iter()
+            .map(map_plan_segment)
+            .collect()
+    }
+
+    pub(crate) fn finish(&mut self) -> Vec<ProposedPlanSegment> {
+        self.parser
+            .finish()
+            .into_iter()
+            .map(map_plan_segment)
+            .collect()
+    }
+}
+
+fn map_plan_segment(segment: TaggedLineSegment<PlanTag>) -> ProposedPlanSegment {
+    match segment {
+        TaggedLineSegment::Normal(text) => ProposedPlanSegment::Normal(text),
+        TaggedLineSegment::TagStart(PlanTag::ProposedPlan) => {
+            ProposedPlanSegment::ProposedPlanStart
+        }
+        TaggedLineSegment::TagDelta(PlanTag::ProposedPlan, text) => {
+            ProposedPlanSegment::ProposedPlanDelta(text)
+        }
+        TaggedLineSegment::TagEnd(PlanTag::ProposedPlan) => ProposedPlanSegment::ProposedPlanEnd,
+    }
+}
+
+pub(crate) fn strip_proposed_plan_blocks(text: &str) -> String {
+    let mut parser = ProposedPlanParser::new();
+    let mut out = String::new();
+    for segment in parser.parse(text).into_iter().chain(parser.finish()) {
+        if let ProposedPlanSegment::Normal(delta) = segment {
+            out.push_str(&delta);
+        }
+    }
+    out
+}
+
+pub(crate) fn extract_proposed_plan_text(text: &str) -> Option<String> {
+    let mut parser = ProposedPlanParser::new();
+    let mut plan_text = String::new();
+    let mut saw_plan_block = false;
+    for segment in parser.parse(text).into_iter().chain(parser.finish()) {
+        match segment {
+            ProposedPlanSegment::ProposedPlanStart => {
+                saw_plan_block = true;
+                plan_text.clear();
+            }
+            ProposedPlanSegment::ProposedPlanDelta(delta) => {
+                plan_text.push_str(&delta);
+            }
+            ProposedPlanSegment::ProposedPlanEnd | ProposedPlanSegment::Normal(_) => {}
+        }
+    }
+    saw_plan_block.then_some(plan_text)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::ProposedPlanParser;
+    use super::ProposedPlanSegment;
+    use super::strip_proposed_plan_blocks;
+    use pretty_assertions::assert_eq;
+
+    #[test]
+    fn streams_proposed_plan_segments() {
+        let mut parser = ProposedPlanParser::new();
+        let mut segments = Vec::new();
+
+        for chunk in [
+            "Intro text\n<prop",
+            "osed_plan>\n- step 1\n",
+            "</proposed_plan>\nOutro",
+        ] {
+            segments.extend(parser.parse(chunk));
+        }
+        segments.extend(parser.finish());
+
+        assert_eq!(
+            segments,
+            vec![
+                ProposedPlanSegment::Normal("Intro text\n".to_string()),
+                ProposedPlanSegment::ProposedPlanStart,
+                ProposedPlanSegment::ProposedPlanDelta("- step 1\n".to_string()),
+                ProposedPlanSegment::ProposedPlanEnd,
+                ProposedPlanSegment::Normal("Outro".to_string()),
+            ]
+        );
+    }
+
+    #[test]
+    fn preserves_non_tag_lines() {
+        let mut parser = ProposedPlanParser::new();
+        let mut segments = parser.parse("  <proposed_plan> extra\n");
+        segments.extend(parser.finish());
+
+        assert_eq!(
+            segments,
+            vec![ProposedPlanSegment::Normal(
+                "  <proposed_plan> extra\n".to_string()
+            )]
+        );
+    }
+
+    #[test]
+    fn closes_unterminated_plan_block_on_finish() {
+        let mut parser = ProposedPlanParser::new();
+        let mut segments = parser.parse("<proposed_plan>\n- step 1\n");
+        segments.extend(parser.finish());
+
+        assert_eq!(
+            segments,
+            vec![
+                ProposedPlanSegment::ProposedPlanStart,
+                ProposedPlanSegment::ProposedPlanDelta("- step 1\n".to_string()),
+                ProposedPlanSegment::ProposedPlanEnd,
+            ]
+        );
+    }
+
+    #[test]
+    fn closes_tag_line_without_trailing_newline() {
+        let mut parser = ProposedPlanParser::new();
+        let mut segments = parser.parse("<proposed_plan>\n- step 1\n</proposed_plan>");
+        segments.extend(parser.finish());
+
+        assert_eq!(
+            segments,
+            vec![
+                ProposedPlanSegment::ProposedPlanStart,
+                ProposedPlanSegment::ProposedPlanDelta("- step 1\n".to_string()),
+                ProposedPlanSegment::ProposedPlanEnd,
+            ]
+        );
+    }
+
+    #[test]
+    fn strips_proposed_plan_blocks_from_text() {
+        let text = "before\n<proposed_plan>\n- step\n</proposed_plan>\nafter";
+        assert_eq!(strip_proposed_plan_blocks(text), "before\nafter");
+    }
+}

codex-rs/core/src/rollout/list.rs

@@ -6,8 +6,6 @@ use std::num::NonZero;
 use std::ops::ControlFlow;
 use std::path::Path;
 use std::path::PathBuf;
-use std::sync::Arc;
-use std::sync::atomic::AtomicBool;
 use time::OffsetDateTime;
 use time::PrimitiveDateTime;
 use time::format_description::FormatItem;
@@ -1075,30 +1073,17 @@ async fn find_thread_path_by_id_str_in_subdir(
     // This is safe because we know the values are valid.
     #[allow(clippy::unwrap_used)]
     let limit = NonZero::new(1).unwrap();
-    // This is safe because we know the values are valid.
-    #[allow(clippy::unwrap_used)]
-    let threads = NonZero::new(2).unwrap();
-    let cancel = Arc::new(AtomicBool::new(false));
-    let exclude: Vec<String> = Vec::new();
-    let compute_indices = false;
-
-    let results = file_search::run(
-        id_str,
+    let options = file_search::FileSearchOptions {
         limit,
-        &root,
-        exclude,
-        threads,
-        cancel,
-        compute_indices,
-        false,
-    )
-    .map_err(|e| io::Error::other(format!("file search failed: {e}")))?;
+        compute_indices: false,
+        respect_gitignore: false,
+        ..Default::default()
+    };
 
-    let found = results
-        .matches
-        .into_iter()
-        .next()
-        .map(|m| root.join(m.path));
+    let results = file_search::run(id_str, vec![root], options, None)
+        .map_err(|e| io::Error::other(format!("file search failed: {e}")))?;
+
+    let found = results.matches.into_iter().next().map(|m| m.full_path());
 
     // Checking if DB is at parity.
     // TODO(jif): sqlite migration phase 1

codex-rs/core/src/rollout/metadata.rs

@@ -16,6 +16,7 @@ use codex_protocol::protocol::SessionSource;
 use codex_state::BackfillStats;
 use codex_state::DB_ERROR_METRIC;
 use codex_state::DB_METRIC_BACKFILL;
+use codex_state::DB_METRIC_BACKFILL_DURATION_MS;
 use codex_state::ExtractionOutcome;
 use codex_state::ThreadMetadataBuilder;
 use codex_state::apply_rollout_item;
@@ -128,6 +129,7 @@ pub(crate) async fn backfill_sessions(
     config: &Config,
     otel: Option<&OtelManager>,
 ) {
+    let timer = otel.and_then(|otel| otel.start_timer(DB_METRIC_BACKFILL_DURATION_MS, &[]).ok());
     let sessions_root = config.codex_home.join(rollout::SESSIONS_SUBDIR);
     let archived_root = config.codex_home.join(rollout::ARCHIVED_SESSIONS_SUBDIR);
     let mut rollout_paths: Vec<(PathBuf, bool)> = Vec::new();
@@ -210,6 +212,16 @@ pub(crate) async fn backfill_sessions(
             &[("status", "failed")],
         );
     }
+    if let Some(timer) = timer.as_ref() {
+        let status = if stats.failed == 0 {
+            "success"
+        } else if stats.upserted == 0 {
+            "failed"
+        } else {
+            "partial_failure"
+        };
+        let _ = timer.record(&[("status", status)]);
+    }
 }
 
 async fn file_modified_time_utc(path: &Path) -> Option<DateTime<Utc>> {
@@ -303,6 +315,7 @@ mod tests {
             source: SessionSource::default(),
             model_provider: Some("openai".to_string()),
             base_instructions: None,
+            dynamic_tools: None,
         };
         let session_meta_line = SessionMetaLine {
             meta: session_meta,

codex-rs/core/src/rollout/mod.rs

@@ -12,6 +12,7 @@ pub mod list;
 pub(crate) mod metadata;
 pub(crate) mod policy;
 pub mod recorder;
+pub(crate) mod session_index;
 pub(crate) mod truncation;
 
 pub use codex_protocol::protocol::SessionMeta;
@@ -23,6 +24,7 @@ pub use list::find_thread_path_by_id_str as find_conversation_path_by_id_str;
 pub use list::rollout_date_parts;
 pub use recorder::RolloutRecorder;
 pub use recorder::RolloutRecorderParams;
+pub use session_index::find_thread_path_by_name_str;
 
 #[cfg(test)]
 pub mod tests;

codex-rs/core/src/rollout/policy.rs

@@ -48,6 +48,12 @@ pub(crate) fn should_persist_event_msg(ev: &EventMsg) -> bool {
         | EventMsg::ThreadRolledBack(_)
         | EventMsg::UndoCompleted(_)
         | EventMsg::TurnAborted(_) => true,
+        EventMsg::ItemCompleted(event) => {
+            // Plan items are derived from streaming tags and are not part of the
+            // raw ResponseItem history, so we persist their completion to replay
+            // them on resume without bloating rollouts with every item lifecycle.
+            matches!(event.item, codex_protocol::items::TurnItem::Plan(_))
+        }
         EventMsg::Error(_)
         | EventMsg::Warning(_)
         | EventMsg::TurnStarted(_)
@@ -58,6 +64,7 @@ pub(crate) fn should_persist_event_msg(ev: &EventMsg) -> bool {
         | EventMsg::AgentReasoningSectionBreak(_)
         | EventMsg::RawResponseItem(_)
         | EventMsg::SessionConfigured(_)
+        | EventMsg::ThreadNameUpdated(_)
         | EventMsg::McpToolCallBegin(_)
         | EventMsg::McpToolCallEnd(_)
         | EventMsg::WebSearchBegin(_)
@@ -88,8 +95,8 @@ pub(crate) fn should_persist_event_msg(ev: &EventMsg) -> bool {
         | EventMsg::ViewImageToolCall(_)
         | EventMsg::DeprecationNotice(_)
         | EventMsg::ItemStarted(_)
-        | EventMsg::ItemCompleted(_)
         | EventMsg::AgentMessageContentDelta(_)
+        | EventMsg::PlanDelta(_)
         | EventMsg::ReasoningContentDelta(_)
         | EventMsg::ReasoningRawContentDelta(_)
         | EventMsg::SkillsUpdateAvailable

codex-rs/core/src/rollout/recorder.rs

@@ -7,6 +7,7 @@ use std::path::Path;
 use std::path::PathBuf;
 
 use codex_protocol::ThreadId;
+use codex_protocol::dynamic_tools::DynamicToolSpec;
 use codex_protocol::models::BaseInstructions;
 use serde_json::Value;
 use time::OffsetDateTime;
@@ -68,6 +69,7 @@ pub enum RolloutRecorderParams {
         forked_from_id: Option<ThreadId>,
         source: SessionSource,
         base_instructions: BaseInstructions,
+        dynamic_tools: Vec<DynamicToolSpec>,
     },
     Resume {
         path: PathBuf,
@@ -91,12 +93,14 @@ impl RolloutRecorderParams {
         forked_from_id: Option<ThreadId>,
         source: SessionSource,
         base_instructions: BaseInstructions,
+        dynamic_tools: Vec<DynamicToolSpec>,
     ) -> Self {
         Self::Create {
             conversation_id,
             forked_from_id,
             source,
             base_instructions,
+            dynamic_tools,
         }
     }
 
@@ -259,6 +263,7 @@ impl RolloutRecorder {
                 forked_from_id,
                 source,
                 base_instructions,
+                dynamic_tools,
             } => {
                 let LogFileInfo {
                     file,
@@ -288,6 +293,11 @@ impl RolloutRecorder {
                         source,
                         model_provider: Some(config.model_provider_id.clone()),
                         base_instructions: Some(base_instructions),
+                        dynamic_tools: if dynamic_tools.is_empty() {
+                            None
+                        } else {
+                            Some(dynamic_tools)
+                        },
                     }),
                 )
             }
@@ -418,13 +428,13 @@ impl RolloutRecorder {
                     }
                 },
                 Err(e) => {
-                    warn!("failed to parse rollout line: {v:?}, error: {e}");
+                    warn!("failed to parse rollout line: {e}");
                     parse_errors = parse_errors.saturating_add(1);
                 }
             }
         }
 
-        info!(
+        tracing::debug!(
             "Resumed rollout with {} items, thread ID: {:?}, parse errors: {}",
             items.len(),
             thread_id,

codex-rs/core/src/rollout/session_index.rs

@@ -0,0 +1,325 @@
+use std::fs::File;
+use std::io::Read;
+use std::io::Seek;
+use std::io::SeekFrom;
+use std::path::Path;
+use std::path::PathBuf;
+
+use codex_protocol::ThreadId;
+use serde::Deserialize;
+use serde::Serialize;
+use tokio::io::AsyncWriteExt;
+
+const SESSION_INDEX_FILE: &str = "session_index.jsonl";
+const READ_CHUNK_SIZE: usize = 8192;
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+pub struct SessionIndexEntry {
+    pub id: ThreadId,
+    pub thread_name: String,
+    pub updated_at: String,
+}
+
+/// Append a thread name update to the session index.
+/// The index is append-only; the most recent entry wins when resolving names or ids.
+pub async fn append_thread_name(
+    codex_home: &Path,
+    thread_id: ThreadId,
+    name: &str,
+) -> std::io::Result<()> {
+    use time::OffsetDateTime;
+    use time::format_description::well_known::Rfc3339;
+
+    let updated_at = OffsetDateTime::now_utc()
+        .format(&Rfc3339)
+        .unwrap_or_else(|_| "unknown".to_string());
+    let entry = SessionIndexEntry {
+        id: thread_id,
+        thread_name: name.to_string(),
+        updated_at,
+    };
+    append_session_index_entry(codex_home, &entry).await
+}
+
+/// Append a raw session index entry to `session_index.jsonl`.
+/// The file is append-only; consumers scan from the end to find the newest match.
+pub async fn append_session_index_entry(
+    codex_home: &Path,
+    entry: &SessionIndexEntry,
+) -> std::io::Result<()> {
+    let path = session_index_path(codex_home);
+    let mut file = tokio::fs::OpenOptions::new()
+        .create(true)
+        .append(true)
+        .open(&path)
+        .await?;
+    let mut line = serde_json::to_string(entry).map_err(std::io::Error::other)?;
+    line.push('\n');
+    file.write_all(line.as_bytes()).await?;
+    file.flush().await?;
+    Ok(())
+}
+
+/// Find the latest thread name for a thread id, if any.
+pub async fn find_thread_name_by_id(
+    codex_home: &Path,
+    thread_id: &ThreadId,
+) -> std::io::Result<Option<String>> {
+    let path = session_index_path(codex_home);
+    if !path.exists() {
+        return Ok(None);
+    }
+    let id = *thread_id;
+    let entry = tokio::task::spawn_blocking(move || scan_index_from_end_by_id(&path, &id))
+        .await
+        .map_err(std::io::Error::other)??;
+    Ok(entry.map(|entry| entry.thread_name))
+}
+
+/// Find the most recently updated thread id for a thread name, if any.
+pub async fn find_thread_id_by_name(
+    codex_home: &Path,
+    name: &str,
+) -> std::io::Result<Option<ThreadId>> {
+    if name.trim().is_empty() {
+        return Ok(None);
+    }
+    let path = session_index_path(codex_home);
+    if !path.exists() {
+        return Ok(None);
+    }
+    let name = name.to_string();
+    let entry = tokio::task::spawn_blocking(move || scan_index_from_end_by_name(&path, &name))
+        .await
+        .map_err(std::io::Error::other)??;
+    Ok(entry.map(|entry| entry.id))
+}
+
+/// Locate a recorded thread rollout file by thread name using newest-first ordering.
+/// Returns `Ok(Some(path))` if found, `Ok(None)` if not present.
+pub async fn find_thread_path_by_name_str(
+    codex_home: &Path,
+    name: &str,
+) -> std::io::Result<Option<PathBuf>> {
+    let Some(thread_id) = find_thread_id_by_name(codex_home, name).await? else {
+        return Ok(None);
+    };
+    super::list::find_thread_path_by_id_str(codex_home, &thread_id.to_string()).await
+}
+
+fn session_index_path(codex_home: &Path) -> PathBuf {
+    codex_home.join(SESSION_INDEX_FILE)
+}
+
+fn scan_index_from_end_by_id(
+    path: &Path,
+    thread_id: &ThreadId,
+) -> std::io::Result<Option<SessionIndexEntry>> {
+    scan_index_from_end(path, |entry| entry.id == *thread_id)
+}
+
+fn scan_index_from_end_by_name(
+    path: &Path,
+    name: &str,
+) -> std::io::Result<Option<SessionIndexEntry>> {
+    scan_index_from_end(path, |entry| entry.thread_name == name)
+}
+
+fn scan_index_from_end<F>(
+    path: &Path,
+    mut predicate: F,
+) -> std::io::Result<Option<SessionIndexEntry>>
+where
+    F: FnMut(&SessionIndexEntry) -> bool,
+{
+    let mut file = File::open(path)?;
+    let mut remaining = file.metadata()?.len();
+    let mut line_rev: Vec<u8> = Vec::new();
+    let mut buf = vec![0u8; READ_CHUNK_SIZE];
+
+    while remaining > 0 {
+        let read_size = usize::try_from(remaining.min(READ_CHUNK_SIZE as u64))
+            .map_err(std::io::Error::other)?;
+        remaining -= read_size as u64;
+        file.seek(SeekFrom::Start(remaining))?;
+        file.read_exact(&mut buf[..read_size])?;
+
+        for &byte in buf[..read_size].iter().rev() {
+            if byte == b'\n' {
+                if let Some(entry) = parse_line_from_rev(&mut line_rev, &mut predicate)? {
+                    return Ok(Some(entry));
+                }
+                continue;
+            }
+            line_rev.push(byte);
+        }
+    }
+
+    if let Some(entry) = parse_line_from_rev(&mut line_rev, &mut predicate)? {
+        return Ok(Some(entry));
+    }
+
+    Ok(None)
+}
+
+fn parse_line_from_rev<F>(
+    line_rev: &mut Vec<u8>,
+    predicate: &mut F,
+) -> std::io::Result<Option<SessionIndexEntry>>
+where
+    F: FnMut(&SessionIndexEntry) -> bool,
+{
+    if line_rev.is_empty() {
+        return Ok(None);
+    }
+    line_rev.reverse();
+    let line = std::mem::take(line_rev);
+    let Ok(mut line) = String::from_utf8(line) else {
+        return Ok(None);
+    };
+    if line.ends_with('\r') {
+        line.pop();
+    }
+    let trimmed = line.trim();
+    if trimmed.is_empty() {
+        return Ok(None);
+    }
+    let Ok(entry) = serde_json::from_str::<SessionIndexEntry>(trimmed) else {
+        return Ok(None);
+    };
+    if predicate(&entry) {
+        return Ok(Some(entry));
+    }
+    Ok(None)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use pretty_assertions::assert_eq;
+    use tempfile::TempDir;
+    fn write_index(path: &Path, lines: &[SessionIndexEntry]) -> std::io::Result<()> {
+        let mut out = String::new();
+        for entry in lines {
+            out.push_str(&serde_json::to_string(entry).unwrap());
+            out.push('\n');
+        }
+        std::fs::write(path, out)
+    }
+
+    #[test]
+    fn find_thread_id_by_name_prefers_latest_entry() -> std::io::Result<()> {
+        let temp = TempDir::new()?;
+        let path = session_index_path(temp.path());
+        let id1 = ThreadId::new();
+        let id2 = ThreadId::new();
+        let lines = vec![
+            SessionIndexEntry {
+                id: id1,
+                thread_name: "same".to_string(),
+                updated_at: "2024-01-01T00:00:00Z".to_string(),
+            },
+            SessionIndexEntry {
+                id: id2,
+                thread_name: "same".to_string(),
+                updated_at: "2024-01-02T00:00:00Z".to_string(),
+            },
+        ];
+        write_index(&path, &lines)?;
+
+        let found = scan_index_from_end_by_name(&path, "same")?;
+        assert_eq!(found.map(|entry| entry.id), Some(id2));
+        Ok(())
+    }
+
+    #[test]
+    fn find_thread_name_by_id_prefers_latest_entry() -> std::io::Result<()> {
+        let temp = TempDir::new()?;
+        let path = session_index_path(temp.path());
+        let id = ThreadId::new();
+        let lines = vec![
+            SessionIndexEntry {
+                id,
+                thread_name: "first".to_string(),
+                updated_at: "2024-01-01T00:00:00Z".to_string(),
+            },
+            SessionIndexEntry {
+                id,
+                thread_name: "second".to_string(),
+                updated_at: "2024-01-02T00:00:00Z".to_string(),
+            },
+        ];
+        write_index(&path, &lines)?;
+
+        let found = scan_index_from_end_by_id(&path, &id)?;
+        assert_eq!(
+            found.map(|entry| entry.thread_name),
+            Some("second".to_string())
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn scan_index_returns_none_when_entry_missing() -> std::io::Result<()> {
+        let temp = TempDir::new()?;
+        let path = session_index_path(temp.path());
+        let id = ThreadId::new();
+        let lines = vec![SessionIndexEntry {
+            id,
+            thread_name: "present".to_string(),
+            updated_at: "2024-01-01T00:00:00Z".to_string(),
+        }];
+        write_index(&path, &lines)?;
+
+        let missing_name = scan_index_from_end_by_name(&path, "missing")?;
+        assert_eq!(missing_name, None);
+
+        let missing_id = scan_index_from_end_by_id(&path, &ThreadId::new())?;
+        assert_eq!(missing_id, None);
+        Ok(())
+    }
+
+    #[test]
+    fn scan_index_finds_latest_match_among_mixed_entries() -> std::io::Result<()> {
+        let temp = TempDir::new()?;
+        let path = session_index_path(temp.path());
+        let id_target = ThreadId::new();
+        let id_other = ThreadId::new();
+        let expected = SessionIndexEntry {
+            id: id_target,
+            thread_name: "target".to_string(),
+            updated_at: "2024-01-03T00:00:00Z".to_string(),
+        };
+        let expected_other = SessionIndexEntry {
+            id: id_other,
+            thread_name: "target".to_string(),
+            updated_at: "2024-01-02T00:00:00Z".to_string(),
+        };
+        // Resolution is based on append order (scan from end), not updated_at.
+        let lines = vec![
+            SessionIndexEntry {
+                id: id_target,
+                thread_name: "target".to_string(),
+                updated_at: "2024-01-01T00:00:00Z".to_string(),
+            },
+            expected_other.clone(),
+            expected.clone(),
+            SessionIndexEntry {
+                id: ThreadId::new(),
+                thread_name: "another".to_string(),
+                updated_at: "2024-01-04T00:00:00Z".to_string(),
+            },
+        ];
+        write_index(&path, &lines)?;
+
+        let found_by_name = scan_index_from_end_by_name(&path, "target")?;
+        assert_eq!(found_by_name, Some(expected.clone()));
+
+        let found_by_id = scan_index_from_end_by_id(&path, &id_target)?;
+        assert_eq!(found_by_id, Some(expected));
+
+        let found_other_by_id = scan_index_from_end_by_id(&path, &id_other)?;
+        assert_eq!(found_other_by_id, Some(expected_other));
+        Ok(())
+    }
+}

codex-rs/core/src/rollout/tests.rs

@@ -873,6 +873,7 @@ async fn test_updated_at_uses_file_mtime() -> Result<()> {
                 source: SessionSource::VSCode,
                 model_provider: Some("test-provider".into()),
                 base_instructions: None,
+                dynamic_tools: None,
             },
             git: None,
         }),

codex-rs/core/src/shell.rs

@@ -137,6 +137,7 @@ fn get_shell_path(
     let default_shell_path = get_user_shell_path();
     if let Some(default_shell_path) = default_shell_path
         && detect_shell_type(&default_shell_path) == Some(shell_type)
+        && file_exists(&default_shell_path).is_some()
     {
         return Some(default_shell_path);
     }

codex-rs/core/src/shell_snapshot.rs

@@ -1,6 +1,7 @@
 use std::io::ErrorKind;
 use std::path::Path;
 use std::path::PathBuf;
+use std::process::Stdio;
 use std::sync::Arc;
 use std::time::Duration;
 use std::time::SystemTime;
@@ -187,6 +188,7 @@ async fn run_script_with_timeout(
     // returns a ref of handler.
     let mut handler = Command::new(&args[0]);
     handler.args(&args[1..]);
+    handler.stdin(Stdio::null());
     #[cfg(unix)]
     unsafe {
         handler.pre_exec(|| {
@@ -477,6 +479,62 @@ mod tests {
 
     use tempfile::tempdir;
 
+    #[cfg(unix)]
+    struct BlockingStdinPipe {
+        original: i32,
+        write_end: i32,
+    }
+
+    #[cfg(unix)]
+    impl BlockingStdinPipe {
+        fn install() -> Result<Self> {
+            let mut fds = [0i32; 2];
+            if unsafe { libc::pipe(fds.as_mut_ptr()) } == -1 {
+                return Err(std::io::Error::last_os_error()).context("create stdin pipe");
+            }
+
+            let original = unsafe { libc::dup(libc::STDIN_FILENO) };
+            if original == -1 {
+                let err = std::io::Error::last_os_error();
+                unsafe {
+                    libc::close(fds[0]);
+                    libc::close(fds[1]);
+                }
+                return Err(err).context("dup stdin");
+            }
+
+            if unsafe { libc::dup2(fds[0], libc::STDIN_FILENO) } == -1 {
+                let err = std::io::Error::last_os_error();
+                unsafe {
+                    libc::close(fds[0]);
+                    libc::close(fds[1]);
+                    libc::close(original);
+                }
+                return Err(err).context("replace stdin");
+            }
+
+            unsafe {
+                libc::close(fds[0]);
+            }
+
+            Ok(Self {
+                original,
+                write_end: fds[1],
+            })
+        }
+    }
+
+    #[cfg(unix)]
+    impl Drop for BlockingStdinPipe {
+        fn drop(&mut self) {
+            unsafe {
+                libc::dup2(self.original, libc::STDIN_FILENO);
+                libc::close(self.original);
+                libc::close(self.write_end);
+            }
+        }
+    }
+
     #[cfg(not(target_os = "windows"))]
     fn assert_posix_snapshot_sections(snapshot: &str) {
         assert!(snapshot.contains("# Snapshot file"));
@@ -557,6 +615,38 @@ mod tests {
         Ok(())
     }
 
+    #[cfg(unix)]
+    #[tokio::test]
+    async fn snapshot_shell_does_not_inherit_stdin() -> Result<()> {
+        let _stdin_guard = BlockingStdinPipe::install()?;
+
+        let dir = tempdir()?;
+        let home = dir.path();
+        fs::write(home.join(".bashrc"), "read -r ignored\n").await?;
+
+        let shell = Shell {
+            shell_type: ShellType::Bash,
+            shell_path: PathBuf::from("/bin/bash"),
+            shell_snapshot: crate::shell::empty_shell_snapshot_receiver(),
+        };
+
+        let home_display = home.display();
+        let script = format!(
+            "HOME=\"{home_display}\"; export HOME; {}",
+            bash_snapshot_script()
+        );
+        let output = run_script_with_timeout(&shell, &script, Duration::from_millis(500), true)
+            .await
+            .context("run snapshot command")?;
+
+        assert!(
+            output.contains("# Snapshot file"),
+            "expected snapshot marker in output; output={output:?}"
+        );
+
+        Ok(())
+    }
+
     #[cfg(target_os = "linux")]
     #[tokio::test]
     async fn timed_out_snapshot_shell_is_terminated() -> Result<()> {

codex-rs/core/src/skills/env_var_dependencies.rs

@@ -0,0 +1,162 @@
+use std::collections::HashMap;
+use std::collections::HashSet;
+use std::env;
+use std::sync::Arc;
+
+use codex_protocol::request_user_input::RequestUserInputArgs;
+use codex_protocol::request_user_input::RequestUserInputQuestion;
+use codex_protocol::request_user_input::RequestUserInputResponse;
+use tracing::warn;
+
+use crate::codex::Session;
+use crate::codex::TurnContext;
+use crate::skills::SkillMetadata;
+
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub(crate) struct SkillDependencyInfo {
+    pub(crate) skill_name: String,
+    pub(crate) name: String,
+    pub(crate) description: Option<String>,
+}
+
+/// Resolve required dependency values (session cache, then env vars),
+/// and prompt the UI for any missing ones.
+pub(crate) async fn resolve_skill_dependencies_for_turn(
+    sess: &Arc<Session>,
+    turn_context: &Arc<TurnContext>,
+    dependencies: &[SkillDependencyInfo],
+) {
+    if dependencies.is_empty() {
+        return;
+    }
+
+    let existing_env = sess.dependency_env().await;
+    let mut loaded_values = HashMap::new();
+    let mut missing = Vec::new();
+    let mut seen_names = HashSet::new();
+
+    for dependency in dependencies {
+        let name = dependency.name.clone();
+        if !seen_names.insert(name.clone()) {
+            continue;
+        }
+        if existing_env.contains_key(&name) {
+            continue;
+        }
+        match env::var(&name) {
+            Ok(value) => {
+                loaded_values.insert(name.clone(), value);
+                continue;
+            }
+            Err(env::VarError::NotPresent) => {}
+            Err(err) => {
+                warn!("failed to read env var {name}: {err}");
+            }
+        }
+        missing.push(dependency.clone());
+    }
+
+    if !loaded_values.is_empty() {
+        sess.set_dependency_env(loaded_values).await;
+    }
+
+    if !missing.is_empty() {
+        request_skill_dependencies(sess, turn_context, &missing).await;
+    }
+}
+
+pub(crate) fn collect_env_var_dependencies(
+    mentioned_skills: &[SkillMetadata],
+) -> Vec<SkillDependencyInfo> {
+    let mut dependencies = Vec::new();
+    for skill in mentioned_skills {
+        let Some(skill_dependencies) = &skill.dependencies else {
+            continue;
+        };
+        for tool in &skill_dependencies.tools {
+            if tool.r#type != "env_var" {
+                continue;
+            }
+            if tool.value.is_empty() {
+                continue;
+            }
+            dependencies.push(SkillDependencyInfo {
+                skill_name: skill.name.clone(),
+                name: tool.value.clone(),
+                description: tool.description.clone(),
+            });
+        }
+    }
+    dependencies
+}
+
+/// Prompt via request_user_input to gather missing env vars.
+pub(crate) async fn request_skill_dependencies(
+    sess: &Arc<Session>,
+    turn_context: &Arc<TurnContext>,
+    dependencies: &[SkillDependencyInfo],
+) {
+    let questions = dependencies
+        .iter()
+        .map(|dep| {
+            let requirement = dep.description.as_ref().map_or_else(
+                || format!("The skill \"{}\" requires \"{}\" to be set.", dep.skill_name, dep.name),
+                |description| {
+                    format!(
+                        "The skill \"{}\" requires \"{}\" to be set ({}).",
+                        dep.skill_name, dep.name, description
+                    )
+                },
+            );
+            let question = format!(
+                "{requirement} This is an experimental internal feature. The value is stored in memory for this session only.",
+            );
+            RequestUserInputQuestion {
+                id: dep.name.clone(),
+                header: "Skill requires environment variable".to_string(),
+                question,
+                is_other: false,
+                is_secret: true,
+                options: None,
+            }
+        })
+        .collect::<Vec<_>>();
+
+    if questions.is_empty() {
+        return;
+    }
+
+    let args = RequestUserInputArgs { questions };
+    let call_id = format!("skill-deps-{}", turn_context.sub_id);
+    let response = sess
+        .request_user_input(turn_context, call_id, args)
+        .await
+        .unwrap_or_else(|| RequestUserInputResponse {
+            answers: HashMap::new(),
+        });
+
+    if response.answers.is_empty() {
+        return;
+    }
+
+    let mut values = HashMap::new();
+    for (name, answer) in response.answers {
+        let mut user_note = None;
+        for entry in &answer.answers {
+            if let Some(note) = entry.strip_prefix("user_note: ")
+                && !note.trim().is_empty()
+            {
+                user_note = Some(note.trim().to_string());
+            }
+        }
+        if let Some(value) = user_note {
+            values.insert(name, value);
+        }
+    }
+
+    if values.is_empty() {
+        return;
+    }
+
+    sess.set_dependency_env(values).await;
+}

codex-rs/core/src/skills/loader.rs

@@ -72,7 +72,8 @@ struct DependencyTool {
 }
 
 const SKILLS_FILENAME: &str = "SKILL.md";
-const SKILLS_JSON_FILENAME: &str = "SKILL.json";
+const SKILLS_METADATA_DIR: &str = "agents";
+const SKILLS_METADATA_FILENAME: &str = "openai.yaml";
 const SKILLS_DIR_NAME: &str = "skills";
 const MAX_NAME_LEN: usize = 64;
 const MAX_DESCRIPTION_LEN: usize = 1024;
@@ -402,7 +403,9 @@ fn load_skill_metadata(skill_path: &Path) -> (Option<SkillInterface>, Option<Ski
     let Some(skill_dir) = skill_path.parent() else {
         return (None, None);
     };
-    let metadata_path = skill_dir.join(SKILLS_JSON_FILENAME);
+    let metadata_path = skill_dir
+        .join(SKILLS_METADATA_DIR)
+        .join(SKILLS_METADATA_FILENAME);
     if !metadata_path.exists() {
         return (None, None);
     }
@@ -413,19 +416,19 @@ fn load_skill_metadata(skill_path: &Path) -> (Option<SkillInterface>, Option<Ski
             tracing::warn!(
                 "ignoring {path}: failed to read {label}: {error}",
                 path = metadata_path.display(),
-                label = SKILLS_JSON_FILENAME
+                label = SKILLS_METADATA_FILENAME
             );
             return (None, None);
         }
     };
 
-    let parsed: SkillMetadataFile = match serde_json::from_str(&contents) {
+    let parsed: SkillMetadataFile = match serde_yaml::from_str(&contents) {
         Ok(parsed) => parsed,
         Err(error) => {
             tracing::warn!(
                 "ignoring {path}: invalid {label}: {error}",
                 path = metadata_path.display(),
-                label = SKILLS_JSON_FILENAME
+                label = SKILLS_METADATA_FILENAME
             );
             return (None, None);
         }
@@ -859,25 +862,29 @@ mod tests {
         path
     }
 
-    fn write_skill_metadata_at(skill_dir: &Path, filename: &str, contents: &str) -> PathBuf {
-        let path = skill_dir.join(filename);
+    fn write_skill_metadata_at(skill_dir: &Path, contents: &str) -> PathBuf {
+        let path = skill_dir
+            .join(SKILLS_METADATA_DIR)
+            .join(SKILLS_METADATA_FILENAME);
+        if let Some(parent) = path.parent() {
+            fs::create_dir_all(parent).unwrap();
+        }
         fs::write(&path, contents).unwrap();
         path
     }
 
     fn write_skill_interface_at(skill_dir: &Path, contents: &str) -> PathBuf {
-        write_skill_metadata_at(skill_dir, SKILLS_JSON_FILENAME, contents)
+        write_skill_metadata_at(skill_dir, contents)
     }
 
     #[tokio::test]
-    async fn loads_skill_dependencies_metadata_from_json() {
+    async fn loads_skill_dependencies_metadata_from_yaml() {
         let codex_home = tempfile::tempdir().expect("tempdir");
         let skill_path = write_skill(&codex_home, "demo", "dep-skill", "from json");
         let skill_dir = skill_path.parent().expect("skill dir");
 
         write_skill_metadata_at(
             skill_dir,
-            SKILLS_JSON_FILENAME,
             r#"
 {
   "dependencies": {
@@ -970,7 +977,7 @@ mod tests {
     }
 
     #[tokio::test]
-    async fn loads_skill_interface_metadata_from_json() {
+    async fn loads_skill_interface_metadata_from_yaml() {
         let codex_home = tempfile::tempdir().expect("tempdir");
         let skill_path = write_skill(&codex_home, "demo", "ui-skill", "from json");
         let skill_dir = skill_path.parent().expect("skill dir");
@@ -979,16 +986,13 @@ mod tests {
         write_skill_interface_at(
             skill_dir,
             r##"
-{
-  "interface": {
-    "display_name": "UI Skill",
-    "short_description": "  short    desc   ",
-    "icon_small": "./assets/small-400px.png",
-    "icon_large": "./assets/large-logo.svg",
-    "brand_color": "#3B82F6",
-    "default_prompt": "  default   prompt   "
-  }
-}
+interface:
+  display_name: "UI Skill"
+  short_description: "  short    desc   "
+  icon_small: "./assets/small-400px.png"
+  icon_large: "./assets/large-logo.svg"
+  brand_color: "#3B82F6"
+  default_prompt: "  default   prompt   "
 "##,
         );
 
@@ -1000,8 +1004,13 @@ mod tests {
             "unexpected errors: {:?}",
             outcome.errors
         );
+        let user_skills: Vec<SkillMetadata> = outcome
+            .skills
+            .into_iter()
+            .filter(|skill| skill.scope == SkillScope::User)
+            .collect();
         assert_eq!(
-            outcome.skills,
+            user_skills,
             vec![SkillMetadata {
                 name: "ui-skill".to_string(),
                 description: "from json".to_string(),

codex-rs/core/src/skills/manager.rs

@@ -10,6 +10,7 @@ use tracing::warn;
 
 use crate::config::Config;
 use crate::config::types::SkillsConfig;
+use crate::config_loader::CloudRequirementsLoader;
 use crate::config_loader::LoaderOverrides;
 use crate::config_loader::load_config_layers_state;
 use crate::skills::SkillLoadOutcome;
@@ -88,6 +89,7 @@ impl SkillsManager {
             Some(cwd_abs),
             &cli_overrides,
             LoaderOverrides::default(),
+            CloudRequirementsLoader::default(),
         )
         .await
         {

codex-rs/core/src/skills/mod.rs

@@ -1,3 +1,4 @@
+mod env_var_dependencies;
 pub mod injection;
 pub mod loader;
 pub mod manager;
@@ -5,6 +6,8 @@ pub mod model;
 pub mod render;
 pub mod system;
 
+pub(crate) use env_var_dependencies::collect_env_var_dependencies;
+pub(crate) use env_var_dependencies::resolve_skill_dependencies_for_turn;
 pub(crate) use injection::SkillInjections;
 pub(crate) use injection::build_skill_injections;
 pub(crate) use injection::collect_explicit_skill_mentions;

codex-rs/core/src/state/service.rs

@@ -9,6 +9,7 @@ use crate::models_manager::manager::ModelsManager;
 use crate::skills::SkillsManager;
 use crate::state_db::StateDbHandle;
 use crate::tools::sandboxing::ApprovalStore;
+use crate::transport_manager::TransportManager;
 use crate::unified_exec::UnifiedExecProcessManager;
 use crate::user_notification::UserNotifier;
 use codex_otel::OtelManager;
@@ -32,4 +33,5 @@ pub(crate) struct SessionServices {
     pub(crate) skills_manager: Arc<SkillsManager>,
     pub(crate) agent_control: AgentControl,
     pub(crate) state_db: Option<StateDbHandle>,
+    pub(crate) transport_manager: TransportManager,
 }

codex-rs/core/src/state/session.rs

@@ -1,6 +1,7 @@
 //! Session-wide mutable state.
 
 use codex_protocol::models::ResponseItem;
+use std::collections::HashMap;
 use std::collections::HashSet;
 
 use crate::codex::SessionConfiguration;
@@ -16,6 +17,7 @@ pub(crate) struct SessionState {
     pub(crate) history: ContextManager,
     pub(crate) latest_rate_limits: Option<RateLimitSnapshot>,
     pub(crate) server_reasoning_included: bool,
+    pub(crate) dependency_env: HashMap<String, String>,
     pub(crate) mcp_dependency_prompted: HashSet<String>,
     /// Whether the session's initial context has been seeded into history.
     ///
@@ -33,6 +35,7 @@ impl SessionState {
             history,
             latest_rate_limits: None,
             server_reasoning_included: false,
+            dependency_env: HashMap::new(),
             mcp_dependency_prompted: HashSet::new(),
             initial_context_seeded: false,
         }
@@ -112,6 +115,16 @@ impl SessionState {
     pub(crate) fn mcp_dependency_prompted(&self) -> HashSet<String> {
         self.mcp_dependency_prompted.clone()
     }
+
+    pub(crate) fn set_dependency_env(&mut self, values: HashMap<String, String>) {
+        for (key, value) in values {
+            self.dependency_env.insert(key, value);
+        }
+    }
+
+    pub(crate) fn dependency_env(&self) -> HashMap<String, String> {
+        self.dependency_env.clone()
+    }
 }
 
 // Sometimes new snapshots don't include credits or plan information.

codex-rs/core/src/state_db.rs

@@ -11,6 +11,7 @@ use codex_otel::OtelManager;
 use codex_protocol::ThreadId;
 use codex_protocol::protocol::RolloutItem;
 use codex_protocol::protocol::SessionSource;
+use codex_state::DB_METRIC_COMPARE_ERROR;
 pub use codex_state::LogEntry;
 use codex_state::STATE_DB_FILENAME;
 use codex_state::ThreadMetadataBuilder;
@@ -32,12 +33,6 @@ pub(crate) async fn init_if_enabled(
 ) -> Option<StateDbHandle> {
     let state_path = config.codex_home.join(STATE_DB_FILENAME);
     if !config.features.enabled(Feature::Sqlite) {
-        // We delete the file on best effort basis to maintain retro-compatibility in the future.
-        let wal_path = state_path.with_extension("sqlite-wal");
-        let shm_path = state_path.with_extension("sqlite-shm");
-        for path in [state_path.as_path(), wal_path.as_path(), shm_path.as_path()] {
-            tokio::fs::remove_file(path).await.ok();
-        }
         return None;
     }
     let existed = tokio::fs::try_exists(&state_path).await.unwrap_or(false);
@@ -282,9 +277,10 @@ pub async fn apply_rollout_items(
 pub fn record_discrepancy(stage: &str, reason: &str) {
     // We access the global metric because the call sites might not have access to the broader
     // OtelManager.
+    tracing::warn!("state db record_discrepancy: {stage}{reason}");
     if let Some(metric) = codex_otel::metrics::global() {
         let _ = metric.counter(
-            "codex.db.discrepancy",
+            DB_METRIC_COMPARE_ERROR,
             1,
             &[("stage", stage), ("reason", reason)],
         );

codex-rs/core/src/stream_events_utils.rs

@@ -1,6 +1,7 @@
 use std::pin::Pin;
 use std::sync::Arc;
 
+use codex_protocol::config_types::ModeKind;
 use codex_protocol::items::TurnItem;
 use tokio_util::sync::CancellationToken;
 
@@ -10,6 +11,7 @@ use crate::error::CodexErr;
 use crate::error::Result;
 use crate::function_tool::FunctionCallError;
 use crate::parse_turn_item;
+use crate::proposed_plan_parser::strip_proposed_plan_blocks;
 use crate::tools::parallel::ToolCallRuntime;
 use crate::tools::router::ToolRouter;
 use codex_protocol::models::FunctionCallOutputPayload;
@@ -46,12 +48,18 @@ pub(crate) async fn handle_output_item_done(
     previously_active_item: Option<TurnItem>,
 ) -> Result<OutputItemResult> {
     let mut output = OutputItemResult::default();
+    let plan_mode = ctx.turn_context.collaboration_mode_kind == ModeKind::Plan;
 
     match ToolRouter::build_tool_call(ctx.sess.as_ref(), item.clone()).await {
         // The model emitted a tool call; log it, persist the item immediately, and queue the tool execution.
         Ok(Some(call)) => {
             let payload_preview = call.payload.log_payload().into_owned();
-            tracing::info!("ToolCall: {} {}", call.tool_name, payload_preview);
+            tracing::info!(
+                thread_id = %ctx.sess.conversation_id,
+                "ToolCall: {} {}",
+                call.tool_name,
+                payload_preview
+            );
 
             ctx.sess
                 .record_conversation_items(&ctx.turn_context, std::slice::from_ref(&item))
@@ -69,7 +77,7 @@ pub(crate) async fn handle_output_item_done(
         }
         // No tool call: convert messages/reasoning into turn items and mark them as complete.
         Ok(None) => {
-            if let Some(turn_item) = handle_non_tool_response_item(&item).await {
+            if let Some(turn_item) = handle_non_tool_response_item(&item, plan_mode).await {
                 if previously_active_item.is_none() {
                     ctx.sess
                         .emit_turn_item_started(&ctx.turn_context, &turn_item)
@@ -84,7 +92,7 @@ pub(crate) async fn handle_output_item_done(
             ctx.sess
                 .record_conversation_items(&ctx.turn_context, std::slice::from_ref(&item))
                 .await;
-            let last_agent_message = last_assistant_message_from_item(&item);
+            let last_agent_message = last_assistant_message_from_item(&item, plan_mode);
 
             output.last_agent_message = last_agent_message;
         }
@@ -150,13 +158,31 @@ pub(crate) async fn handle_output_item_done(
     Ok(output)
 }
 
-pub(crate) async fn handle_non_tool_response_item(item: &ResponseItem) -> Option<TurnItem> {
+pub(crate) async fn handle_non_tool_response_item(
+    item: &ResponseItem,
+    plan_mode: bool,
+) -> Option<TurnItem> {
     debug!(?item, "Output item");
 
     match item {
         ResponseItem::Message { .. }
         | ResponseItem::Reasoning { .. }
-        | ResponseItem::WebSearchCall { .. } => parse_turn_item(item),
+        | ResponseItem::WebSearchCall { .. } => {
+            let mut turn_item = parse_turn_item(item)?;
+            if plan_mode && let TurnItem::AgentMessage(agent_message) = &mut turn_item {
+                let combined = agent_message
+                    .content
+                    .iter()
+                    .map(|entry| match entry {
+                        codex_protocol::items::AgentMessageContent::Text { text } => text.as_str(),
+                    })
+                    .collect::<String>();
+                let stripped = strip_proposed_plan_blocks(&combined);
+                agent_message.content =
+                    vec![codex_protocol::items::AgentMessageContent::Text { text: stripped }];
+            }
+            Some(turn_item)
+        }
         ResponseItem::FunctionCallOutput { .. } | ResponseItem::CustomToolCallOutput { .. } => {
             debug!("unexpected tool output from stream");
             None
@@ -165,14 +191,29 @@ pub(crate) async fn handle_non_tool_response_item(item: &ResponseItem) -> Option
     }
 }
 
-pub(crate) fn last_assistant_message_from_item(item: &ResponseItem) -> Option<String> {
+pub(crate) fn last_assistant_message_from_item(
+    item: &ResponseItem,
+    plan_mode: bool,
+) -> Option<String> {
     if let ResponseItem::Message { role, content, .. } = item
         && role == "assistant"
     {
-        return content.iter().rev().find_map(|ci| match ci {
-            codex_protocol::models::ContentItem::OutputText { text } => Some(text.clone()),
-            _ => None,
-        });
+        let combined = content
+            .iter()
+            .filter_map(|ci| match ci {
+                codex_protocol::models::ContentItem::OutputText { text } => Some(text.as_str()),
+                _ => None,
+            })
+            .collect::<String>();
+        if combined.is_empty() {
+            return None;
+        }
+        return if plan_mode {
+            let stripped = strip_proposed_plan_blocks(&combined);
+            (!stripped.trim().is_empty()).then_some(stripped)
+        } else {
+            Some(combined)
+        };
     }
     None
 }

codex-rs/core/src/tagged_block_parser.rs

@@ -0,0 +1,314 @@
+//! Line-based tag block parsing for streamed text.
+//!
+//! The parser buffers each line until it can disprove that the line is a tag,
+//! which is required for tags that must appear alone on a line. For example,
+//! Proposed Plan output uses `<proposed_plan>` and `</proposed_plan>` tags
+//! on their own lines so clients can stream plan content separately.
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub(crate) struct TagSpec<T> {
+    pub(crate) open: &'static str,
+    pub(crate) close: &'static str,
+    pub(crate) tag: T,
+}
+
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub(crate) enum TaggedLineSegment<T> {
+    Normal(String),
+    TagStart(T),
+    TagDelta(T, String),
+    TagEnd(T),
+}
+
+/// Stateful line parser that splits input into normal text vs tag blocks.
+///
+/// How it works:
+/// - While reading a line, we buffer characters until the line either finishes
+///   (`\n`) or stops matching any tag prefix (after `trim_start`).
+/// - If it stops matching a tag prefix, the buffered line is immediately
+///   emitted as text and we continue in "plain text" mode until the next
+///   newline.
+/// - When a full line is available, we compare it to the open/close tags; tag
+///   lines emit TagStart/TagEnd, otherwise the line is emitted as text.
+/// - `finish()` flushes any buffered line and auto-closes an unterminated tag,
+///   which keeps streaming resilient to missing closing tags.
+#[derive(Debug, Default)]
+pub(crate) struct TaggedLineParser<T>
+where
+    T: Copy + Eq,
+{
+    specs: Vec<TagSpec<T>>,
+    active_tag: Option<T>,
+    detect_tag: bool,
+    line_buffer: String,
+}
+
+impl<T> TaggedLineParser<T>
+where
+    T: Copy + Eq,
+{
+    pub(crate) fn new(specs: Vec<TagSpec<T>>) -> Self {
+        Self {
+            specs,
+            active_tag: None,
+            detect_tag: true,
+            line_buffer: String::new(),
+        }
+    }
+
+    /// Parse a streamed delta into line-aware segments.
+    pub(crate) fn parse(&mut self, delta: &str) -> Vec<TaggedLineSegment<T>> {
+        let mut segments = Vec::new();
+        let mut run = String::new();
+
+        for ch in delta.chars() {
+            if self.detect_tag {
+                if !run.is_empty() {
+                    self.push_text(std::mem::take(&mut run), &mut segments);
+                }
+                self.line_buffer.push(ch);
+                if ch == '\n' {
+                    self.finish_line(&mut segments);
+                    continue;
+                }
+                let slug = self.line_buffer.trim_start();
+                if slug.is_empty() || self.is_tag_prefix(slug) {
+                    continue;
+                }
+                // This line cannot be a tag line, so flush it immediately.
+                let buffered = std::mem::take(&mut self.line_buffer);
+                self.detect_tag = false;
+                self.push_text(buffered, &mut segments);
+                continue;
+            }
+
+            run.push(ch);
+            if ch == '\n' {
+                self.push_text(std::mem::take(&mut run), &mut segments);
+                self.detect_tag = true;
+            }
+        }
+
+        if !run.is_empty() {
+            self.push_text(run, &mut segments);
+        }
+
+        segments
+    }
+
+    /// Flush any buffered text and close an unterminated tag block.
+    pub(crate) fn finish(&mut self) -> Vec<TaggedLineSegment<T>> {
+        let mut segments = Vec::new();
+        if !self.line_buffer.is_empty() {
+            let buffered = std::mem::take(&mut self.line_buffer);
+            let without_newline = buffered.strip_suffix('\n').unwrap_or(&buffered);
+            let slug = without_newline.trim_start().trim_end();
+
+            if let Some(tag) = self.match_open(slug)
+                && self.active_tag.is_none()
+            {
+                push_segment(&mut segments, TaggedLineSegment::TagStart(tag));
+                self.active_tag = Some(tag);
+            } else if let Some(tag) = self.match_close(slug)
+                && self.active_tag == Some(tag)
+            {
+                push_segment(&mut segments, TaggedLineSegment::TagEnd(tag));
+                self.active_tag = None;
+            } else {
+                // The buffered line never proved to be a tag line.
+                self.push_text(buffered, &mut segments);
+            }
+        }
+        if let Some(tag) = self.active_tag.take() {
+            push_segment(&mut segments, TaggedLineSegment::TagEnd(tag));
+        }
+        self.detect_tag = true;
+        segments
+    }
+
+    fn finish_line(&mut self, segments: &mut Vec<TaggedLineSegment<T>>) {
+        let line = std::mem::take(&mut self.line_buffer);
+        let without_newline = line.strip_suffix('\n').unwrap_or(&line);
+        let slug = without_newline.trim_start().trim_end();
+
+        if let Some(tag) = self.match_open(slug)
+            && self.active_tag.is_none()
+        {
+            push_segment(segments, TaggedLineSegment::TagStart(tag));
+            self.active_tag = Some(tag);
+            self.detect_tag = true;
+            return;
+        }
+
+        if let Some(tag) = self.match_close(slug)
+            && self.active_tag == Some(tag)
+        {
+            push_segment(segments, TaggedLineSegment::TagEnd(tag));
+            self.active_tag = None;
+            self.detect_tag = true;
+            return;
+        }
+
+        self.detect_tag = true;
+        self.push_text(line, segments);
+    }
+
+    fn push_text(&self, text: String, segments: &mut Vec<TaggedLineSegment<T>>) {
+        if let Some(tag) = self.active_tag {
+            push_segment(segments, TaggedLineSegment::TagDelta(tag, text));
+        } else {
+            push_segment(segments, TaggedLineSegment::Normal(text));
+        }
+    }
+
+    fn is_tag_prefix(&self, slug: &str) -> bool {
+        let slug = slug.trim_end();
+        self.specs
+            .iter()
+            .any(|spec| spec.open.starts_with(slug) || spec.close.starts_with(slug))
+    }
+
+    fn match_open(&self, slug: &str) -> Option<T> {
+        self.specs
+            .iter()
+            .find(|spec| spec.open == slug)
+            .map(|spec| spec.tag)
+    }
+
+    fn match_close(&self, slug: &str) -> Option<T> {
+        self.specs
+            .iter()
+            .find(|spec| spec.close == slug)
+            .map(|spec| spec.tag)
+    }
+}
+
+fn push_segment<T>(segments: &mut Vec<TaggedLineSegment<T>>, segment: TaggedLineSegment<T>)
+where
+    T: Copy + Eq,
+{
+    match segment {
+        TaggedLineSegment::Normal(delta) => {
+            if delta.is_empty() {
+                return;
+            }
+            if let Some(TaggedLineSegment::Normal(existing)) = segments.last_mut() {
+                existing.push_str(&delta);
+                return;
+            }
+            segments.push(TaggedLineSegment::Normal(delta));
+        }
+        TaggedLineSegment::TagDelta(tag, delta) => {
+            if delta.is_empty() {
+                return;
+            }
+            if let Some(TaggedLineSegment::TagDelta(existing_tag, existing)) = segments.last_mut()
+                && *existing_tag == tag
+            {
+                existing.push_str(&delta);
+                return;
+            }
+            segments.push(TaggedLineSegment::TagDelta(tag, delta));
+        }
+        TaggedLineSegment::TagStart(tag) => {
+            segments.push(TaggedLineSegment::TagStart(tag));
+        }
+        TaggedLineSegment::TagEnd(tag) => {
+            segments.push(TaggedLineSegment::TagEnd(tag));
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::TagSpec;
+    use super::TaggedLineParser;
+    use super::TaggedLineSegment;
+    use pretty_assertions::assert_eq;
+
+    #[derive(Debug, Clone, Copy, PartialEq, Eq)]
+    enum Tag {
+        Block,
+    }
+
+    fn parser() -> TaggedLineParser<Tag> {
+        TaggedLineParser::new(vec![TagSpec {
+            open: "<tag>",
+            close: "</tag>",
+            tag: Tag::Block,
+        }])
+    }
+
+    #[test]
+    fn buffers_prefix_until_tag_is_decided() {
+        let mut parser = parser();
+        let mut segments = parser.parse("<t");
+        segments.extend(parser.parse("ag>\nline\n</tag>\n"));
+        segments.extend(parser.finish());
+
+        assert_eq!(
+            segments,
+            vec![
+                TaggedLineSegment::TagStart(Tag::Block),
+                TaggedLineSegment::TagDelta(Tag::Block, "line\n".to_string()),
+                TaggedLineSegment::TagEnd(Tag::Block),
+            ]
+        );
+    }
+
+    #[test]
+    fn rejects_tag_lines_with_extra_text() {
+        let mut parser = parser();
+        let mut segments = parser.parse("<tag> extra\n");
+        segments.extend(parser.finish());
+
+        assert_eq!(
+            segments,
+            vec![TaggedLineSegment::Normal("<tag> extra\n".to_string())]
+        );
+    }
+
+    #[test]
+    fn closes_unterminated_tag_on_finish() {
+        let mut parser = parser();
+        let mut segments = parser.parse("<tag>\nline\n");
+        segments.extend(parser.finish());
+
+        assert_eq!(
+            segments,
+            vec![
+                TaggedLineSegment::TagStart(Tag::Block),
+                TaggedLineSegment::TagDelta(Tag::Block, "line\n".to_string()),
+                TaggedLineSegment::TagEnd(Tag::Block),
+            ]
+        );
+    }
+
+    #[test]
+    fn accepts_tags_with_trailing_whitespace() {
+        let mut parser = parser();
+        let mut segments = parser.parse("<tag>   \nline\n</tag>  \n");
+        segments.extend(parser.finish());
+
+        assert_eq!(
+            segments,
+            vec![
+                TaggedLineSegment::TagStart(Tag::Block),
+                TaggedLineSegment::TagDelta(Tag::Block, "line\n".to_string()),
+                TaggedLineSegment::TagEnd(Tag::Block),
+            ]
+        );
+    }
+
+    #[test]
+    fn passes_through_plain_text() {
+        let mut parser = parser();
+        let mut segments = parser.parse("plain text\n");
+        segments.extend(parser.finish());
+
+        assert_eq!(
+            segments,
+            vec![TaggedLineSegment::Normal("plain text\n".to_string())]
+        );
+    }
+}

codex-rs/core/src/tasks/mod.rs

@@ -14,7 +14,7 @@ use tokio::sync::Notify;
 use tokio_util::sync::CancellationToken;
 use tokio_util::task::AbortOnDropHandle;
 use tracing::Instrument;
-use tracing::info_span;
+use tracing::Span;
 use tracing::trace;
 use tracing::warn;
 
@@ -132,8 +132,7 @@ impl Session {
             let ctx = Arc::clone(&turn_context);
             let task_for_run = Arc::clone(&task);
             let task_cancellation_token = cancellation_token.child_token();
-            let thread_id = self.conversation_id;
-            let session_span = info_span!("session_task", thread_id = %thread_id);
+            let session_span = Span::current();
             tokio::spawn(
                 async move {
                     let ctx_for_finish = Arc::clone(&ctx);

codex-rs/core/src/tasks/user_shell.rs

@@ -67,6 +67,7 @@ impl SessionTask for UserShellCommandTask {
 
         let event = EventMsg::TurnStarted(TurnStartedEvent {
             model_context_window: turn_context.client.get_model_context_window(),
+            collaboration_mode_kind: turn_context.collaboration_mode_kind,
         });
         let session = session.clone_session();
         session.send_event(turn_context.as_ref(), event).await;

codex-rs/core/src/token_data.rs

@@ -64,6 +64,7 @@ pub(crate) enum PlanType {
 #[serde(rename_all = "lowercase")]
 pub(crate) enum KnownPlan {
     Free,
+    Go,
     Plus,
     Pro,
     Team,
@@ -76,10 +77,18 @@ pub(crate) enum KnownPlan {
 struct IdClaims {
     #[serde(default)]
     email: Option<String>,
+    #[serde(rename = "https://api.openai.com/profile", default)]
+    profile: Option<ProfileClaims>,
     #[serde(rename = "https://api.openai.com/auth", default)]
     auth: Option<AuthClaims>,
 }
 
+#[derive(Deserialize)]
+struct ProfileClaims {
+    #[serde(default)]
+    email: Option<String>,
+}
+
 #[derive(Deserialize)]
 struct AuthClaims {
     #[serde(default)]
@@ -112,17 +121,20 @@ pub fn parse_id_token(id_token: &str) -> Result<IdTokenInfo, IdTokenInfoError> {
 
     let payload_bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(payload_b64)?;
     let claims: IdClaims = serde_json::from_slice(&payload_bytes)?;
+    let email = claims
+        .email
+        .or_else(|| claims.profile.and_then(|profile| profile.email));
 
     match claims.auth {
         Some(auth) => Ok(IdTokenInfo {
-            email: claims.email,
+            email,
             raw_jwt: id_token.to_string(),
             chatgpt_plan_type: auth.chatgpt_plan_type,
             chatgpt_user_id: auth.chatgpt_user_id.or(auth.user_id),
             chatgpt_account_id: auth.chatgpt_account_id,
         }),
         None => Ok(IdTokenInfo {
-            email: claims.email,
+            email,
             raw_jwt: id_token.to_string(),
             chatgpt_plan_type: None,
             chatgpt_user_id: None,
@@ -184,6 +196,38 @@ mod tests {
         assert_eq!(info.get_chatgpt_plan_type().as_deref(), Some("Pro"));
     }
 
+    #[test]
+    fn id_token_info_parses_go_plan() {
+        #[derive(Serialize)]
+        struct Header {
+            alg: &'static str,
+            typ: &'static str,
+        }
+        let header = Header {
+            alg: "none",
+            typ: "JWT",
+        };
+        let payload = serde_json::json!({
+            "email": "user@example.com",
+            "https://api.openai.com/auth": {
+                "chatgpt_plan_type": "go"
+            }
+        });
+
+        fn b64url_no_pad(bytes: &[u8]) -> String {
+            base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes)
+        }
+
+        let header_b64 = b64url_no_pad(&serde_json::to_vec(&header).unwrap());
+        let payload_b64 = b64url_no_pad(&serde_json::to_vec(&payload).unwrap());
+        let signature_b64 = b64url_no_pad(b"sig");
+        let fake_jwt = format!("{header_b64}.{payload_b64}.{signature_b64}");
+
+        let info = parse_id_token(&fake_jwt).expect("should parse");
+        assert_eq!(info.email.as_deref(), Some("user@example.com"));
+        assert_eq!(info.get_chatgpt_plan_type().as_deref(), Some("Go"));
+    }
+
     #[test]
     fn id_token_info_handles_missing_fields() {
         #[derive(Serialize)]

codex-rs/core/src/tools/handlers/collab.rs

@@ -781,6 +781,7 @@ mod tests {
             turn.client.get_reasoning_summary(),
             session.conversation_id,
             session_source,
+            session.services.transport_manager.clone(),
         );
 
         let invocation = invocation(
@@ -1221,6 +1222,7 @@ mod tests {
         let mut base_config = (*turn.client.config()).clone();
         base_config.user_instructions = Some("base-user".to_string());
         turn.user_instructions = Some("resolved-user".to_string());
+        let transport_manager = turn.client.transport_manager();
         turn.client = ModelClient::new(
             Arc::new(base_config.clone()),
             Some(session.services.auth_manager.clone()),
@@ -1231,6 +1233,7 @@ mod tests {
             turn.client.get_reasoning_summary(),
             session.conversation_id,
             session_source,
+            transport_manager,
         );
         let base_instructions = BaseInstructions {
             text: "base".to_string(),

codex-rs/core/src/tools/handlers/mcp.rs

@@ -1,4 +1,5 @@
 use async_trait::async_trait;
+use std::sync::Arc;
 
 use crate::function_tool::FunctionCallError;
 use crate::mcp_tool_call::handle_mcp_tool_call;
@@ -42,7 +43,7 @@ impl ToolHandler for McpHandler {
         let arguments_str = raw_arguments;
 
         let response = handle_mcp_tool_call(
-            session.as_ref(),
+            Arc::clone(&session),
             turn.as_ref(),
             call_id.clone(),
             server,

codex-rs/core/src/tools/handlers/plan.rs

@@ -10,6 +10,7 @@ use crate::tools::registry::ToolHandler;
 use crate::tools::registry::ToolKind;
 use crate::tools::spec::JsonSchema;
 use async_trait::async_trait;
+use codex_protocol::config_types::ModeKind;
 use codex_protocol::plan_tool::UpdatePlanArgs;
 use codex_protocol::protocol::EventMsg;
 use std::collections::BTreeMap;
@@ -103,6 +104,11 @@ pub(crate) async fn handle_update_plan(
     arguments: String,
     _call_id: String,
 ) -> Result<String, FunctionCallError> {
+    if turn_context.collaboration_mode_kind == ModeKind::Plan {
+        return Err(FunctionCallError::RespondToModel(
+            "update_plan is a TODO/checklist tool and is not allowed in Plan mode".to_string(),
+        ));
+    }
     let args = parse_update_plan_arguments(&arguments)?;
     session
         .send_event(turn_context, EventMsg::PlanUpdate(args))

codex-rs/core/src/tools/handlers/request_user_input.rs

@@ -49,7 +49,19 @@ impl ToolHandler for RequestUserInputHandler {
             )));
         }
 
-        let args: RequestUserInputArgs = parse_arguments(&arguments)?;
+        let mut args: RequestUserInputArgs = parse_arguments(&arguments)?;
+        let missing_options = args
+            .questions
+            .iter()
+            .any(|question| question.options.as_ref().is_none_or(Vec::is_empty));
+        if missing_options {
+            return Err(FunctionCallError::RespondToModel(
+                "request_user_input requires non-empty options for every question".to_string(),
+            ));
+        }
+        for question in &mut args.questions {
+            question.is_other = true;
+        }
         let response = session
             .request_user_input(turn.as_ref(), call_id, args)
             .await

codex-rs/core/src/tools/handlers/shell.rs

@@ -233,6 +233,12 @@ impl ShellHandler {
             None
         };
 
+        let mut exec_params = exec_params;
+        let dependency_env = session.dependency_env().await;
+        if !dependency_env.is_empty() {
+            exec_params.env.extend(dependency_env);
+        }
+
         // Approval policy guard for explicit escalation in non-OnRequest modes.
         if exec_params
             .sandbox_permissions

codex-rs/core/src/tools/spec.rs

@@ -571,7 +571,7 @@ fn create_request_user_input_tool() -> ToolSpec {
 
     let options_schema = JsonSchema::Array {
         description: Some(
-            "Optional 2-3 mutually exclusive choices. Put the recommended option first and suffix its label with \"(Recommended)\". Do not include an \"Other\" option in this list; use isOther on the question to request a free form choice. If the question is free form in nature, please do not have any option."
+            "Provide 2-3 mutually exclusive choices. Put the recommended option first and suffix its label with \"(Recommended)\". Do not include an \"Other\" option in this list; the client will add a free-form \"Other\" option automatically."
                 .to_string(),
         ),
         items: Box::new(JsonSchema::Object {
@@ -602,15 +602,6 @@ fn create_request_user_input_tool() -> ToolSpec {
             description: Some("Single-sentence prompt shown to the user.".to_string()),
         },
     );
-    question_props.insert(
-        "isOther".to_string(),
-        JsonSchema::Boolean {
-            description: Some(
-                "True when this question should include a free-form \"Other\" option. Otherwise false."
-                    .to_string(),
-            ),
-        },
-    );
     question_props.insert("options".to_string(), options_schema);
 
     let questions_schema = JsonSchema::Array {
@@ -621,7 +612,7 @@ fn create_request_user_input_tool() -> ToolSpec {
                 "id".to_string(),
                 "header".to_string(),
                 "question".to_string(),
-                "isOther".to_string(),
+                "options".to_string(),
             ]),
             additional_properties: Some(false.into()),
         }),