proto

.bazelignore

@@ -1,4 +0,0 @@
-# Without this, Bazel will consider BUILD.bazel files in
-# .git/sl/origbackups (which can be populated by Sapling SCM).
-.git
-codex-rs/target

.bazelrc

@@ -1,51 +0,0 @@
-common --repo_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1
-common --repo_env=BAZEL_NO_APPLE_CPP_TOOLCHAIN=1
-# Dummy xcode config so we don't need to build xcode_locator in repo rule.
-common --xcode_version_config=//:disable_xcode
-
-common --disk_cache=~/.cache/bazel-disk-cache
-common --repo_contents_cache=~/.cache/bazel-repo-contents-cache
-common --repository_cache=~/.cache/bazel-repo-cache
-common --remote_cache_compression
-startup --experimental_remote_repo_contents_cache
-
-common --experimental_platform_in_output_dir
-
-# Runfiles strategy rationale: codex-rs/utils/cargo-bin/README.md
-common --noenable_runfiles
-
-common --enable_platform_specific_config
-# TODO(zbarsky): We need to untangle these libc constraints to get linux remote builds working.
-common:linux --host_platform=//:local
-common --@rules_cc//cc/toolchains/args/archiver_flags:use_libtool_on_macos=False
-common --@toolchains_llvm_bootstrapped//config:experimental_stub_libgcc_s
-
-# We need to use the sh toolchain on windows so we don't send host bash paths to the linux executor.
-common:windows --@rules_rust//rust/settings:experimental_use_sh_toolchain_for_bootstrap_process_wrapper
-
-# TODO(zbarsky): rules_rust doesn't implement this flag properly with remote exec...
-# common --@rules_rust//rust/settings:pipelined_compilation
-
-common --incompatible_strict_action_env
-# Not ideal, but We need to allow dotslash to be found
-common --test_env=PATH=/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
-
-common --test_output=errors
-common --bes_results_url=https://app.buildbuddy.io/invocation/
-common --bes_backend=grpcs://remote.buildbuddy.io
-common --remote_cache=grpcs://remote.buildbuddy.io
-common --remote_download_toplevel
-common --nobuild_runfile_links
-common --remote_timeout=3600
-common --noexperimental_throttle_remote_action_building
-common --experimental_remote_execution_keepalive
-common --grpc_keepalive_time=30s
-
-# This limits both in-flight executions and concurrent downloads. Even with high number
-# of jobs execution will still be limited by CPU cores, so this just pays a bit of
-# memory in exchange for higher download concurrency.
-common --jobs=30
-
-common:remote --extra_execution_platforms=//:rbe
-common:remote --remote_executor=grpcs://remote.buildbuddy.io
-common:remote --jobs=800

.bazelversion

@@ -1 +0,0 @@
-9.0.0

.codespellignore

@@ -1,3 +1 @@
 iTerm
-iTerm2
-psuedo

.codespellrc

@@ -1,6 +1,6 @@
 [codespell]
 # Ref: https://github.com/codespell-project/codespell#using-a-config-file
-skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl,frame*.txt,*.snap,*.snap.new
+skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl,frame*.txt
 check-hidden = true
 ignore-regex = ^\s*"image/\S+": ".*|\b(afterAll)\b
-ignore-words-list = ratatui,ser,iTerm,iterm2,iterm
+ignore-words-list = ratatui,ser

.github/ISSUE_TEMPLATE/2-bug-report.yml

@@ -40,18 +40,11 @@ body:
       description: |
         For MacOS and Linux: copy the output of `uname -mprs`
         For Windows: copy the output of `"$([Environment]::OSVersion | ForEach-Object VersionString) $(if ([Environment]::Is64BitOperatingSystem) { "x64" } else { "x86" })"` in the PowerShell console
-  - type: input
-    id: terminal
-    attributes:
-      label: What terminal emulator and version are you using (if applicable)?
-      description: Also note any multiplexer in use (screen / tmux / zellij)
-      description: |
-        E.g, VSCode, Terminal.app, iTerm2, Ghostty, Windows Terminal (WSL / PowerShell)
   - type: textarea
     id: actual
     attributes:
       label: What issue are you seeing?
-      description: Please include the full error messages and prompts with PII redacted. If possible, please provide text instead of a screenshot.
+      description: Please include the full error messages and prompts with PII redacted. If possible, please provide text instead of a screenshot. 
     validations:
       required: true
   - type: textarea

.github/actions/linux-code-sign/action.yml

@@ -1,44 +0,0 @@
-name: linux-code-sign
-description: Sign Linux artifacts with cosign.
-inputs:
-  target:
-    description: Target triple for the artifacts to sign.
-    required: true
-  artifacts-dir:
-    description: Absolute path to the directory containing built binaries to sign.
-    required: true
-
-runs:
-  using: composite
-  steps:
-    - name: Install cosign
-      uses: sigstore/cosign-installer@v3.7.0
-
-    - name: Cosign Linux artifacts
-      shell: bash
-      env:
-        COSIGN_EXPERIMENTAL: "1"
-        COSIGN_YES: "true"
-        COSIGN_OIDC_CLIENT_ID: "sigstore"
-        COSIGN_OIDC_ISSUER: "https://oauth2.sigstore.dev/auth"
-      run: |
-        set -euo pipefail
-
-        dest="${{ inputs.artifacts-dir }}"
-        if [[ ! -d "$dest" ]]; then
-          echo "Destination $dest does not exist"
-          exit 1
-        fi
-
-        for binary in codex codex-responses-api-proxy; do
-          artifact="${dest}/${binary}"
-          if [[ ! -f "$artifact" ]]; then
-            echo "Binary $artifact not found"
-            exit 1
-          fi
-
-          cosign sign-blob \
-            --yes \
-            --bundle "${artifact}.sigstore" \
-            "$artifact"
-        done

.github/actions/macos-code-sign/action.yml

@@ -1,246 +0,0 @@
-name: macos-code-sign
-description: Configure, sign, notarize, and clean up macOS code signing artifacts.
-inputs:
-  target:
-    description: Rust compilation target triple (e.g. aarch64-apple-darwin).
-    required: true
-  sign-binaries:
-    description: Whether to sign and notarize the macOS binaries.
-    required: false
-    default: "true"
-  sign-dmg:
-    description: Whether to sign and notarize the macOS dmg.
-    required: false
-    default: "true"
-  apple-certificate:
-    description: Base64-encoded Apple signing certificate (P12).
-    required: true
-  apple-certificate-password:
-    description: Password for the signing certificate.
-    required: true
-  apple-notarization-key-p8:
-    description: Base64-encoded Apple notarization key (P8).
-    required: true
-  apple-notarization-key-id:
-    description: Apple notarization key ID.
-    required: true
-  apple-notarization-issuer-id:
-    description: Apple notarization issuer ID.
-    required: true
-runs:
-  using: composite
-  steps:
-    - name: Configure Apple code signing
-      shell: bash
-      env:
-        KEYCHAIN_PASSWORD: actions
-        APPLE_CERTIFICATE: ${{ inputs.apple-certificate }}
-        APPLE_CERTIFICATE_PASSWORD: ${{ inputs.apple-certificate-password }}
-      run: |
-        set -euo pipefail
-
-        if [[ -z "${APPLE_CERTIFICATE:-}" ]]; then
-          echo "APPLE_CERTIFICATE is required for macOS signing"
-          exit 1
-        fi
-
-        if [[ -z "${APPLE_CERTIFICATE_PASSWORD:-}" ]]; then
-          echo "APPLE_CERTIFICATE_PASSWORD is required for macOS signing"
-          exit 1
-        fi
-
-        cert_path="${RUNNER_TEMP}/apple_signing_certificate.p12"
-        echo "$APPLE_CERTIFICATE" | base64 -d > "$cert_path"
-
-        keychain_path="${RUNNER_TEMP}/codex-signing.keychain-db"
-        security create-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
-        security set-keychain-settings -lut 21600 "$keychain_path"
-        security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
-
-        keychain_args=()
-        cleanup_keychain() {
-          if ((${#keychain_args[@]} > 0)); then
-            security list-keychains -s "${keychain_args[@]}" || true
-            security default-keychain -s "${keychain_args[0]}" || true
-          else
-            security list-keychains -s || true
-          fi
-          if [[ -f "$keychain_path" ]]; then
-            security delete-keychain "$keychain_path" || true
-          fi
-        }
-
-        while IFS= read -r keychain; do
-          [[ -n "$keychain" ]] && keychain_args+=("$keychain")
-        done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g')
-
-        if ((${#keychain_args[@]} > 0)); then
-          security list-keychains -s "$keychain_path" "${keychain_args[@]}"
-        else
-          security list-keychains -s "$keychain_path"
-        fi
-
-        security default-keychain -s "$keychain_path"
-        security import "$cert_path" -k "$keychain_path" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
-        security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$keychain_path" > /dev/null
-
-        codesign_hashes=()
-        while IFS= read -r hash; do
-          [[ -n "$hash" ]] && codesign_hashes+=("$hash")
-        done < <(security find-identity -v -p codesigning "$keychain_path" \
-          | sed -n 's/.*\([0-9A-F]\{40\}\).*/\1/p' \
-          | sort -u)
-
-        if ((${#codesign_hashes[@]} == 0)); then
-          echo "No signing identities found in $keychain_path"
-          cleanup_keychain
-          rm -f "$cert_path"
-          exit 1
-        fi
-
-        if ((${#codesign_hashes[@]} > 1)); then
-          echo "Multiple signing identities found in $keychain_path:"
-          printf '  %s\n' "${codesign_hashes[@]}"
-          cleanup_keychain
-          rm -f "$cert_path"
-          exit 1
-        fi
-
-        APPLE_CODESIGN_IDENTITY="${codesign_hashes[0]}"
-
-        rm -f "$cert_path"
-
-        echo "APPLE_CODESIGN_IDENTITY=$APPLE_CODESIGN_IDENTITY" >> "$GITHUB_ENV"
-        echo "APPLE_CODESIGN_KEYCHAIN=$keychain_path" >> "$GITHUB_ENV"
-        echo "::add-mask::$APPLE_CODESIGN_IDENTITY"
-
-    - name: Sign macOS binaries
-      if: ${{ inputs.sign-binaries == 'true' }}
-      shell: bash
-      run: |
-        set -euo pipefail
-
-        if [[ -z "${APPLE_CODESIGN_IDENTITY:-}" ]]; then
-          echo "APPLE_CODESIGN_IDENTITY is required for macOS signing"
-          exit 1
-        fi
-
-        keychain_args=()
-        if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" && -f "${APPLE_CODESIGN_KEYCHAIN}" ]]; then
-          keychain_args+=(--keychain "${APPLE_CODESIGN_KEYCHAIN}")
-        fi
-
-        for binary in codex codex-responses-api-proxy; do
-          path="codex-rs/target/${{ inputs.target }}/release/${binary}"
-          codesign --force --options runtime --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
-        done
-
-    - name: Notarize macOS binaries
-      if: ${{ inputs.sign-binaries == 'true' }}
-      shell: bash
-      env:
-        APPLE_NOTARIZATION_KEY_P8: ${{ inputs.apple-notarization-key-p8 }}
-        APPLE_NOTARIZATION_KEY_ID: ${{ inputs.apple-notarization-key-id }}
-        APPLE_NOTARIZATION_ISSUER_ID: ${{ inputs.apple-notarization-issuer-id }}
-      run: |
-        set -euo pipefail
-
-        for var in APPLE_NOTARIZATION_KEY_P8 APPLE_NOTARIZATION_KEY_ID APPLE_NOTARIZATION_ISSUER_ID; do
-          if [[ -z "${!var:-}" ]]; then
-            echo "$var is required for notarization"
-            exit 1
-          fi
-        done
-
-        notary_key_path="${RUNNER_TEMP}/notarytool.key.p8"
-        echo "$APPLE_NOTARIZATION_KEY_P8" | base64 -d > "$notary_key_path"
-        cleanup_notary() {
-          rm -f "$notary_key_path"
-        }
-        trap cleanup_notary EXIT
-
-        source "$GITHUB_ACTION_PATH/notary_helpers.sh"
-
-        notarize_binary() {
-          local binary="$1"
-          local source_path="codex-rs/target/${{ inputs.target }}/release/${binary}"
-          local archive_path="${RUNNER_TEMP}/${binary}.zip"
-
-          if [[ ! -f "$source_path" ]]; then
-            echo "Binary $source_path not found"
-            exit 1
-          fi
-
-          rm -f "$archive_path"
-          ditto -c -k --keepParent "$source_path" "$archive_path"
-
-          notarize_submission "$binary" "$archive_path" "$notary_key_path"
-        }
-
-        notarize_binary "codex"
-        notarize_binary "codex-responses-api-proxy"
-
-    - name: Sign and notarize macOS dmg
-      if: ${{ inputs.sign-dmg == 'true' }}
-      shell: bash
-      env:
-        APPLE_NOTARIZATION_KEY_P8: ${{ inputs.apple-notarization-key-p8 }}
-        APPLE_NOTARIZATION_KEY_ID: ${{ inputs.apple-notarization-key-id }}
-        APPLE_NOTARIZATION_ISSUER_ID: ${{ inputs.apple-notarization-issuer-id }}
-      run: |
-        set -euo pipefail
-
-        for var in APPLE_CODESIGN_IDENTITY APPLE_NOTARIZATION_KEY_P8 APPLE_NOTARIZATION_KEY_ID APPLE_NOTARIZATION_ISSUER_ID; do
-          if [[ -z "${!var:-}" ]]; then
-            echo "$var is required"
-            exit 1
-          fi
-        done
-
-        notary_key_path="${RUNNER_TEMP}/notarytool.key.p8"
-        echo "$APPLE_NOTARIZATION_KEY_P8" | base64 -d > "$notary_key_path"
-        cleanup_notary() {
-          rm -f "$notary_key_path"
-        }
-        trap cleanup_notary EXIT
-
-        source "$GITHUB_ACTION_PATH/notary_helpers.sh"
-
-        dmg_path="codex-rs/target/${{ inputs.target }}/release/codex-${{ inputs.target }}.dmg"
-
-        if [[ ! -f "$dmg_path" ]]; then
-          echo "dmg $dmg_path not found"
-          exit 1
-        fi
-
-        keychain_args=()
-        if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" && -f "${APPLE_CODESIGN_KEYCHAIN}" ]]; then
-          keychain_args+=(--keychain "${APPLE_CODESIGN_KEYCHAIN}")
-        fi
-
-        codesign --force --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$dmg_path"
-        notarize_submission "codex-${{ inputs.target }}.dmg" "$dmg_path" "$notary_key_path"
-        xcrun stapler staple "$dmg_path"
-
-    - name: Remove signing keychain
-      if: ${{ always() }}
-      shell: bash
-      env:
-        APPLE_CODESIGN_KEYCHAIN: ${{ env.APPLE_CODESIGN_KEYCHAIN }}
-      run: |
-        set -euo pipefail
-        if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" ]]; then
-          keychain_args=()
-          while IFS= read -r keychain; do
-            [[ "$keychain" == "$APPLE_CODESIGN_KEYCHAIN" ]] && continue
-            [[ -n "$keychain" ]] && keychain_args+=("$keychain")
-          done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g')
-          if ((${#keychain_args[@]} > 0)); then
-            security list-keychains -s "${keychain_args[@]}"
-            security default-keychain -s "${keychain_args[0]}"
-          fi
-
-          if [[ -f "$APPLE_CODESIGN_KEYCHAIN" ]]; then
-            security delete-keychain "$APPLE_CODESIGN_KEYCHAIN"
-          fi
-        fi

.github/actions/macos-code-sign/notary_helpers.sh

@@ -1,46 +0,0 @@
-#!/usr/bin/env bash
-
-notarize_submission() {
-  local label="$1"
-  local path="$2"
-  local notary_key_path="$3"
-
-  if [[ -z "${APPLE_NOTARIZATION_KEY_ID:-}" || -z "${APPLE_NOTARIZATION_ISSUER_ID:-}" ]]; then
-    echo "APPLE_NOTARIZATION_KEY_ID and APPLE_NOTARIZATION_ISSUER_ID are required for notarization"
-    exit 1
-  fi
-
-  if [[ -z "$notary_key_path" || ! -f "$notary_key_path" ]]; then
-    echo "Notary key file $notary_key_path not found"
-    exit 1
-  fi
-
-  if [[ ! -f "$path" ]]; then
-    echo "Notarization payload $path not found"
-    exit 1
-  fi
-
-  local submission_json
-  submission_json=$(xcrun notarytool submit "$path" \
-    --key "$notary_key_path" \
-    --key-id "$APPLE_NOTARIZATION_KEY_ID" \
-    --issuer "$APPLE_NOTARIZATION_ISSUER_ID" \
-    --output-format json \
-    --wait)
-
-  local status submission_id
-  status=$(printf '%s\n' "$submission_json" | jq -r '.status // "Unknown"')
-  submission_id=$(printf '%s\n' "$submission_json" | jq -r '.id // ""')
-
-  if [[ -z "$submission_id" ]]; then
-    echo "Failed to retrieve submission ID for $label"
-    exit 1
-  fi
-
-  echo "::notice title=Notarization::$label submission ${submission_id} completed with status ${status}"
-
-  if [[ "$status" != "Accepted" ]]; then
-    echo "Notarization failed for ${label} (submission ${submission_id}, status ${status})"
-    exit 1
-  fi
-}

.github/actions/windows-code-sign/action.yml

@@ -1,57 +0,0 @@
-name: windows-code-sign
-description: Sign Windows binaries with Azure Trusted Signing.
-inputs:
-  target:
-    description: Target triple for the artifacts to sign.
-    required: true
-  client-id:
-    description: Azure Trusted Signing client ID.
-    required: true
-  tenant-id:
-    description: Azure tenant ID for Trusted Signing.
-    required: true
-  subscription-id:
-    description: Azure subscription ID for Trusted Signing.
-    required: true
-  endpoint:
-    description: Azure Trusted Signing endpoint.
-    required: true
-  account-name:
-    description: Azure Trusted Signing account name.
-    required: true
-  certificate-profile-name:
-    description: Certificate profile name for signing.
-    required: true
-
-runs:
-  using: composite
-  steps:
-    - name: Azure login for Trusted Signing (OIDC)
-      uses: azure/login@v2
-      with:
-        client-id: ${{ inputs.client-id }}
-        tenant-id: ${{ inputs.tenant-id }}
-        subscription-id: ${{ inputs.subscription-id }}
-
-    - name: Sign Windows binaries with Azure Trusted Signing
-      uses: azure/trusted-signing-action@v0
-      with:
-        endpoint: ${{ inputs.endpoint }}
-        trusted-signing-account-name: ${{ inputs.account-name }}
-        certificate-profile-name: ${{ inputs.certificate-profile-name }}
-        exclude-environment-credential: true
-        exclude-workload-identity-credential: true
-        exclude-managed-identity-credential: true
-        exclude-shared-token-cache-credential: true
-        exclude-visual-studio-credential: true
-        exclude-visual-studio-code-credential: true
-        exclude-azure-cli-credential: false
-        exclude-azure-powershell-credential: true
-        exclude-azure-developer-cli-credential: true
-        exclude-interactive-browser-credential: true
-        cache-dependencies: false
-        files: |
-          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex.exe
-          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-responses-api-proxy.exe
-          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-windows-sandbox-setup.exe
-          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-command-runner.exe

.github/codex/home/config.toml

@@ -1,3 +1,3 @@
-model = "gpt-5.1"
+model = "gpt-5"
 
 # Consider setting [mcp_servers] here!

.github/dotslash-config.json

@@ -55,30 +55,6 @@
           "path": "codex-responses-api-proxy.exe"
         }
       }
-    },
-    "codex-command-runner": {
-      "platforms": {
-        "windows-x86_64": {
-          "regex": "^codex-command-runner-x86_64-pc-windows-msvc\\.exe\\.zst$",
-          "path": "codex-command-runner.exe"
-        },
-        "windows-aarch64": {
-          "regex": "^codex-command-runner-aarch64-pc-windows-msvc\\.exe\\.zst$",
-          "path": "codex-command-runner.exe"
-        }
-      }
-    },
-    "codex-windows-sandbox-setup": {
-      "platforms": {
-        "windows-x86_64": {
-          "regex": "^codex-windows-sandbox-setup-x86_64-pc-windows-msvc\\.exe\\.zst$",
-          "path": "codex-windows-sandbox-setup.exe"
-        },
-        "windows-aarch64": {
-          "regex": "^codex-windows-sandbox-setup-aarch64-pc-windows-msvc\\.exe\\.zst$",
-          "path": "codex-windows-sandbox-setup.exe"
-        }
-      }
     }
   }
 }

.github/pull_request_template.md

@@ -4,5 +4,3 @@ Before opening this Pull Request, please read the dedicated "Contributing" markd
 https://github.com/openai/codex/blob/main/docs/contributing.md
 
 If your PR conforms to our contribution guidelines, replace this text with a detailed and high quality description of your changes.
-
-Include a link to a bug report or enhancement request.

.github/scripts/install-musl-build-tools.sh

@@ -1,163 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-: "${TARGET:?TARGET environment variable is required}"
-: "${GITHUB_ENV:?GITHUB_ENV environment variable is required}"
-
-apt_update_args=()
-if [[ -n "${APT_UPDATE_ARGS:-}" ]]; then
-  # shellcheck disable=SC2206
-  apt_update_args=(${APT_UPDATE_ARGS})
-fi
-
-apt_install_args=()
-if [[ -n "${APT_INSTALL_ARGS:-}" ]]; then
-  # shellcheck disable=SC2206
-  apt_install_args=(${APT_INSTALL_ARGS})
-fi
-
-sudo apt-get update "${apt_update_args[@]}"
-sudo apt-get install -y "${apt_install_args[@]}" musl-tools pkg-config g++ clang libc++-dev libc++abi-dev lld
-
-case "${TARGET}" in
-  x86_64-unknown-linux-musl)
-    arch="x86_64"
-    ;;
-  aarch64-unknown-linux-musl)
-    arch="aarch64"
-    ;;
-  *)
-    echo "Unexpected musl target: ${TARGET}" >&2
-    exit 1
-    ;;
-esac
-
-# Use the musl toolchain as the Rust linker to avoid Zig injecting its own CRT.
-if command -v "${arch}-linux-musl-gcc" >/dev/null; then
-  musl_linker="$(command -v "${arch}-linux-musl-gcc")"
-elif command -v musl-gcc >/dev/null; then
-  musl_linker="$(command -v musl-gcc)"
-else
-  echo "musl gcc not found after install; arch=${arch}" >&2
-  exit 1
-fi
-
-zig_target="${TARGET/-unknown-linux-musl/-linux-musl}"
-runner_temp="${RUNNER_TEMP:-/tmp}"
-tool_root="${runner_temp}/codex-musl-tools-${TARGET}"
-mkdir -p "${tool_root}"
-
-sysroot=""
-if command -v zig >/dev/null; then
-  zig_bin="$(command -v zig)"
-  cc="${tool_root}/zigcc"
-  cxx="${tool_root}/zigcxx"
-
-  cat >"${cc}" <<EOF
-#!/usr/bin/env bash
-set -euo pipefail
-
-args=()
-skip_next=0
-for arg in "\$@"; do
-  if [[ "\${skip_next}" -eq 1 ]]; then
-    skip_next=0
-    continue
-  fi
-  case "\${arg}" in
-    --target)
-      skip_next=1
-      continue
-      ;;
-    --target=*|-target=*|-target)
-      # Drop any explicit --target/-target flags. Zig expects -target and
-      # rejects Rust triples like *-unknown-linux-musl.
-      if [[ "\${arg}" == "-target" ]]; then
-        skip_next=1
-      fi
-      continue
-      ;;
-  esac
-  args+=("\${arg}")
-done
-
-exec "${zig_bin}" cc -target "${zig_target}" "\${args[@]}"
-EOF
-  cat >"${cxx}" <<EOF
-#!/usr/bin/env bash
-set -euo pipefail
-
-args=()
-skip_next=0
-for arg in "\$@"; do
-  if [[ "\${skip_next}" -eq 1 ]]; then
-    skip_next=0
-    continue
-  fi
-  case "\${arg}" in
-    --target)
-      skip_next=1
-      continue
-      ;;
-    --target=*|-target=*|-target)
-      if [[ "\${arg}" == "-target" ]]; then
-        skip_next=1
-      fi
-      continue
-      ;;
-  esac
-  args+=("\${arg}")
-done
-
-exec "${zig_bin}" c++ -target "${zig_target}" "\${args[@]}"
-EOF
-  chmod +x "${cc}" "${cxx}"
-
-  sysroot="$("${zig_bin}" cc -target "${zig_target}" -print-sysroot 2>/dev/null || true)"
-else
-  cc="${musl_linker}"
-
-  if command -v "${arch}-linux-musl-g++" >/dev/null; then
-    cxx="$(command -v "${arch}-linux-musl-g++")"
-  elif command -v musl-g++ >/dev/null; then
-    cxx="$(command -v musl-g++)"
-  else
-    cxx="${cc}"
-  fi
-fi
-
-if [[ -n "${sysroot}" && "${sysroot}" != "/" ]]; then
-  echo "BORING_BSSL_SYSROOT=${sysroot}" >> "$GITHUB_ENV"
-  boring_sysroot_var="BORING_BSSL_SYSROOT_${TARGET}"
-  boring_sysroot_var="${boring_sysroot_var//-/_}"
-  echo "${boring_sysroot_var}=${sysroot}" >> "$GITHUB_ENV"
-fi
-
-cflags="-pthread"
-cxxflags="-pthread"
-if [[ "${TARGET}" == "aarch64-unknown-linux-musl" ]]; then
-  # BoringSSL enables -Wframe-larger-than=25344 under clang and treats warnings as errors.
-  cflags="${cflags} -Wno-error=frame-larger-than"
-  cxxflags="${cxxflags} -Wno-error=frame-larger-than"
-fi
-
-echo "CFLAGS=${cflags}" >> "$GITHUB_ENV"
-echo "CXXFLAGS=${cxxflags}" >> "$GITHUB_ENV"
-echo "CC=${cc}" >> "$GITHUB_ENV"
-echo "TARGET_CC=${cc}" >> "$GITHUB_ENV"
-target_cc_var="CC_${TARGET}"
-target_cc_var="${target_cc_var//-/_}"
-echo "${target_cc_var}=${cc}" >> "$GITHUB_ENV"
-echo "CXX=${cxx}" >> "$GITHUB_ENV"
-echo "TARGET_CXX=${cxx}" >> "$GITHUB_ENV"
-target_cxx_var="CXX_${TARGET}"
-target_cxx_var="${target_cxx_var//-/_}"
-echo "${target_cxx_var}=${cxx}" >> "$GITHUB_ENV"
-
-cargo_linker_var="CARGO_TARGET_${TARGET^^}_LINKER"
-cargo_linker_var="${cargo_linker_var//-/_}"
-echo "${cargo_linker_var}=${musl_linker}" >> "$GITHUB_ENV"
-
-echo "CMAKE_C_COMPILER=${cc}" >> "$GITHUB_ENV"
-echo "CMAKE_CXX_COMPILER=${cxx}" >> "$GITHUB_ENV"
-echo "CMAKE_ARGS=-DCMAKE_HAVE_THREADS_LIBRARY=1 -DCMAKE_USE_PTHREADS_INIT=1 -DCMAKE_THREAD_LIBS_INIT=-pthread -DTHREADS_PREFER_PTHREAD_FLAG=ON" >> "$GITHUB_ENV"

.github/workflows/Dockerfile.bazel

@@ -1,20 +0,0 @@
-FROM ubuntu:24.04
-
-# TODO(mbolin): Published to docker.io/mbolin491/codex-bazel:latest for
-# initial debugging, but we should publish to a more proper location.
-#
-# docker buildx create --use
-# docker buildx build --platform linux/amd64,linux/arm64 -f .github/workflows/Dockerfile.bazel -t mbolin491/codex-bazel:latest --push .
-
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-    curl git python3 ca-certificates && \
-    rm -rf /var/lib/apt/lists/*
-
-# Install dotslash.
-RUN curl -LSfs "https://github.com/facebook/dotslash/releases/download/v0.5.8/dotslash-ubuntu-22.04.$(uname -m).tar.gz" | tar fxz - -C /usr/local/bin
-
-# Ubuntu 24.04 ships with user 'ubuntu' already created with UID 1000.
-USER ubuntu
-
-WORKDIR /workspace

.github/workflows/bazel.yml

@@ -1,110 +0,0 @@
-name: Bazel (experimental)
-
-# Note this workflow was originally derived from:
-# https://github.com/cerisier/toolchains_llvm_bootstrapped/blob/main/.github/workflows/ci.yaml
-
-on:
-  pull_request: {}
-  push:
-    branches:
-      - main
-  workflow_dispatch:
-
-concurrency:
-  # Cancel previous actions from the same PR or branch except 'main' branch.
-  # See https://docs.github.com/en/actions/using-jobs/using-concurrency and https://docs.github.com/en/actions/learn-github-actions/contexts for more info.
-  group: concurrency-group::${{ github.workflow }}::${{ github.event.pull_request.number > 0 && format('pr-{0}', github.event.pull_request.number) || github.ref_name }}${{ github.ref_name == 'main' && format('::{0}', github.run_id) || ''}}
-  cancel-in-progress: ${{ github.ref_name != 'main' }}
-jobs:
-  test:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          # macOS
-          - os: macos-15-xlarge
-            target: aarch64-apple-darwin
-          - os: macos-15-xlarge
-            target: x86_64-apple-darwin
-
-          # Linux
-          - os: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-gnu
-          - os: ubuntu-24.04
-            target: x86_64-unknown-linux-gnu
-          - os: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-          - os: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-          # TODO: Enable Windows once we fix the toolchain issues there.
-          #- os: windows-latest
-          #  target: x86_64-pc-windows-gnullvm
-    runs-on: ${{ matrix.os }}
-
-    # Configure a human readable name for each job
-    name: Local Bazel build on ${{ matrix.os }} for ${{ matrix.target }}
-
-    steps:
-      - uses: actions/checkout@v6
-
-      # Some integration tests rely on DotSlash being installed.
-      # See https://github.com/openai/codex/pull/7617.
-      - name: Install DotSlash
-        uses: facebook/install-dotslash@v2
-
-      - name: Make DotSlash available in PATH (Unix)
-        if: runner.os != 'Windows'
-        run: cp "$(which dotslash)" /usr/local/bin
-
-      - name: Make DotSlash available in PATH (Windows)
-        if: runner.os == 'Windows'
-        shell: pwsh
-        run: Copy-Item (Get-Command dotslash).Source -Destination "$env:LOCALAPPDATA\Microsoft\WindowsApps\dotslash.exe"
-
-      # Install Bazel via Bazelisk
-      - name: Set up Bazel
-        uses: bazelbuild/setup-bazelisk@v3
-
-      # TODO(mbolin): Bring this back once we have caching working. Currently,
-      # we never seem to get a cache hit but we still end up paying the cost of
-      # uploading at the end of the build, which takes over a minute!
-      #
-      # Cache build and external artifacts so that the next ci build is incremental.
-      # Because github action caches cannot be updated after a build, we need to
-      # store the contents of each build in a unique cache key, then fall back to loading
-      # it on the next ci run. We use hashFiles(...) in the key and restore-keys- with
-      # the prefix to load the most recent cache for the branch on a cache miss. You
-      # should customize the contents of hashFiles to capture any bazel input sources,
-      # although this doesn't need to be perfect. If none of the input sources change
-      # then a cache hit will load an existing cache and bazel won't have to do any work.
-      # In the case of a cache miss, you want the fallback cache to contain most of the
-      # previously built artifacts to minimize build time. The more precise you are with
-      # hashFiles sources the less work bazel will have to do.
-      # - name: Mount bazel caches
-      #   uses: actions/cache@v5
-      #   with:
-      #     path: |
-      #       ~/.cache/bazel-repo-cache
-      #       ~/.cache/bazel-repo-contents-cache
-      #     key: bazel-cache-${{ matrix.os }}-${{ hashFiles('**/BUILD.bazel', '**/*.bzl', 'MODULE.bazel') }}
-      #     restore-keys: |
-      #       bazel-cache-${{ matrix.os }}
-
-      - name: Configure Bazel startup args (Windows)
-        if: runner.os == 'Windows'
-        shell: pwsh
-        run: |
-          # Use a very short path to reduce argv/path length issues.
-          "BAZEL_STARTUP_ARGS=--output_user_root=C:\" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
-
-      - name: bazel test //...
-        env:
-          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
-        shell: bash
-        run: |
-          bazel $BAZEL_STARTUP_ARGS --bazelrc=.github/workflows/ci.bazelrc test //... \
-            --build_metadata=REPO_URL=https://github.com/openai/codex.git \
-            --build_metadata=COMMIT_SHA=$(git rev-parse HEAD) \
-            --build_metadata=ROLE=CI \
-            --build_metadata=VISIBILITY=PUBLIC \
-            "--remote_header=x-buildbuddy-api-key=$BUILDBUDDY_API_KEY"

.github/workflows/cargo-deny.yml

@@ -1,26 +0,0 @@
-name: cargo-deny
-
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-
-jobs:
-  cargo-deny:
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: ./codex-rs
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
-
-      - name: Run cargo-deny
-        uses: EmbarkStudios/cargo-deny-action@v2
-        with:
-          rust-version: stable
-          manifest-path: ./codex-rs/Cargo.toml

.github/workflows/ci.bazelrc

@@ -1,20 +0,0 @@
-common --remote_download_minimal
-common --nobuild_runfile_links
-common --keep_going
-
-# We prefer to run the build actions entirely remotely so we can dial up the concurrency.
-# We have platform-specific tests, so we want to execute the tests on all platforms using the strongest sandboxing available on each platform.
-
-# On linux, we can do a full remote build/test, by targeting the right (x86/arm) runners, so we have coverage of both.
-# Linux crossbuilds don't work until we untangle the libc constraint mess.
-common:linux --config=remote
-common:linux --strategy=remote
-common:linux --platforms=//:rbe
-
-# On mac, we can run all the build actions remotely but test actions locally.
-common:macos --config=remote
-common:macos --strategy=remote
-common:macos --strategy=TestRunner=darwin-sandbox,local
-
-common:windows --strategy=TestRunner=local
-

.github/workflows/ci.yml

@@ -12,7 +12,7 @@ jobs:
       NODE_OPTIONS: --max-old-space-size=4096
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
 
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
@@ -20,7 +20,7 @@ jobs:
           run_install: false
 
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 22
 
@@ -36,8 +36,7 @@ jobs:
           GH_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
-          # Use a rust-release version that includes all native binaries.
-          CODEX_VERSION=0.74.0
+          CODEX_VERSION=0.40.0
           OUTPUT_DIR="${RUNNER_TEMP}"
           python3 ./scripts/stage_npm_packages.py \
             --release-version "$CODEX_VERSION" \
@@ -47,7 +46,7 @@ jobs:
           echo "pack_output=$PACK_OUTPUT" >> "$GITHUB_OUTPUT"
 
       - name: Upload staged npm package artifact
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v4
         with:
           name: codex-npm-staging
           path: ${{ steps.stage_npm_package.outputs.pack_output }}

.github/workflows/cla.yml

@@ -13,37 +13,17 @@ permissions:
 
 jobs:
   cla:
-    # Only run the CLA assistant for the canonical openai repo so forks are not blocked
-    # and contributors who signed previously do not receive duplicate CLA notifications.
-    if: ${{ github.repository_owner == 'openai' }}
     runs-on: ubuntu-latest
     steps:
       - uses: contributor-assistant/github-action@v2.6.1
-        # Run on close only if the PR was merged. This will lock the PR to preserve
-        # the CLA agreement. We don't want to lock PRs that have been closed without
-        # merging because the contributor may want to respond with additional comments.
-        # This action has a "lock-pullrequest-aftermerge" option that can be set to false,
-        # but that would unconditionally skip locking even in cases where the PR was merged.
         if: |
-          (
-            github.event_name == 'pull_request_target' &&
-            (
-              github.event.action == 'opened' ||
-              github.event.action == 'synchronize' ||
-              (github.event.action == 'closed' && github.event.pull_request.merged == true)
-            )
-          ) ||
-          (
-            github.event_name == 'issue_comment' &&
-            (
-              github.event.comment.body == 'recheck' ||
-              github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA'
-            )
-          )
+          github.event_name == 'pull_request_target' ||
+          github.event.comment.body == 'recheck' ||
+          github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           path-to-document: https://github.com/openai/codex/blob/main/docs/CLA.md
           path-to-signatures: signatures/cla.json
           branch: cla-signatures
-          allowlist: codex,dependabot,dependabot[bot],github-actions[bot]
+          allowlist: dependabot[bot]

.github/workflows/close-stale-contributor-prs.yml

@@ -1,107 +0,0 @@
-name: Close stale contributor PRs
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 6 * * *"
-
-permissions:
-  contents: read
-  issues: write
-  pull-requests: write
-
-jobs:
-  close-stale-contributor-prs:
-    # Prevent scheduled runs on forks
-    if: github.repository == 'openai/codex'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Close inactive PRs from contributors
-        uses: actions/github-script@v8
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const DAYS_INACTIVE = 14;
-            const cutoff = new Date(Date.now() - DAYS_INACTIVE * 24 * 60 * 60 * 1000);
-            const { owner, repo } = context.repo;
-            const dryRun = false;
-            const stalePrs = [];
-
-            core.info(`Dry run mode: ${dryRun}`);
-
-            const prs = await github.paginate(github.rest.pulls.list, {
-              owner,
-              repo,
-              state: "open",
-              per_page: 100,
-              sort: "updated",
-              direction: "asc",
-            });
-
-            for (const pr of prs) {
-              const lastUpdated = new Date(pr.updated_at);
-              if (lastUpdated > cutoff) {
-                core.info(`PR ${pr.number} is fresh`);
-                continue;
-              }
-
-              if (!pr.user || pr.user.type !== "User") {
-                core.info(`PR ${pr.number} wasn't created by a user`);
-                continue;
-              }
-
-              let permission;
-              try {
-                const permissionResponse = await github.rest.repos.getCollaboratorPermissionLevel({
-                  owner,
-                  repo,
-                  username: pr.user.login,
-                });
-                permission = permissionResponse.data.permission;
-              } catch (error) {
-                if (error.status === 404) {
-                  core.info(`Author ${pr.user.login} is not a collaborator; skipping #${pr.number}`);
-                  continue;
-                }
-                throw error;
-              }
-
-              const hasContributorAccess = ["admin", "maintain", "write"].includes(permission);
-              if (!hasContributorAccess) {
-                core.info(`Author ${pr.user.login} has ${permission} access; skipping #${pr.number}`);
-                continue;
-              }
-
-              stalePrs.push(pr);
-            }
-
-            if (!stalePrs.length) {
-              core.info("No stale contributor pull requests found.");
-              return;
-            }
-
-            for (const pr of stalePrs) {
-              const issue_number = pr.number;
-              const closeComment = `Closing this pull request because it has had no updates for more than ${DAYS_INACTIVE} days. If you plan to continue working on it, feel free to reopen or open a new PR.`;
-
-              if (dryRun) {
-                core.info(`[dry-run] Would close contributor PR #${issue_number} from ${pr.user.login}`);
-                continue;
-              }
-
-              await github.rest.issues.createComment({
-                owner,
-                repo,
-                issue_number,
-                body: closeComment,
-              });
-
-              await github.rest.pulls.update({
-                owner,
-                repo,
-                pull_number: issue_number,
-                state: "closed",
-              });
-
-              core.info(`Closed contributor PR #${issue_number} from ${pr.user.login}`);
-            }

.github/workflows/codespell.yml

@@ -18,10 +18,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       - name: Annotate locations with typos
         uses: codespell-project/codespell-problem-matcher@b80729f885d32f78a716c2f107b4db1025001c42 # v1
       - name: Codespell
-        uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2.2
+        uses: codespell-project/actions-codespell@406322ec52dd7b488e48c1c4b82e2a8b3a1bf630 # v2.1
         with:
           ignore_words_file: .codespellignore

.github/workflows/issue-deduplicator.yml

@@ -9,15 +9,14 @@ on:
 jobs:
   gather-duplicates:
     name: Identify potential duplicates
-    # Prevent runs on forks (requires OpenAI API key, wastes Actions minutes)
-    if: github.repository == 'openai/codex' && (github.event.action == 'opened' || (github.event.action == 'labeled' && github.event.label.name == 'codex-deduplicate'))
+    if: ${{ github.event.action == 'opened' || (github.event.action == 'labeled' && github.event.label.name == 'codex-deduplicate') }}
     runs-on: ubuntu-latest
     permissions:
       contents: read
     outputs:
       codex_output: ${{ steps.codex.outputs.final-message }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - name: Prepare Codex inputs
         env:
@@ -47,6 +46,7 @@ jobs:
         with:
           openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
           allow-users: "*"
+          model: gpt-5
           prompt: |
             You are an assistant that triages new GitHub issues by identifying potential duplicates.
 
@@ -87,7 +87,7 @@ jobs:
       issues: write
     steps:
       - name: Comment on issue
-        uses: actions/github-script@v8
+        uses: actions/github-script@v7
         env:
           CODEX_OUTPUT: ${{ needs.gather-duplicates.outputs.codex_output }}
         with:

.github/workflows/issue-labeler.yml

@@ -9,15 +9,14 @@ on:
 jobs:
   gather-labels:
     name: Generate label suggestions
-    # Prevent runs on forks (requires OpenAI API key, wastes Actions minutes)
-    if: github.repository == 'openai/codex' && (github.event.action == 'opened' || (github.event.action == 'labeled' && github.event.label.name == 'codex-label'))
+    if: ${{ github.event.action == 'opened' || (github.event.action == 'labeled' && github.event.label.name == 'codex-label') }}
     runs-on: ubuntu-latest
     permissions:
       contents: read
     outputs:
       codex_output: ${{ steps.codex.outputs.final-message }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
       - id: codex
         uses: openai/codex-action@main
@@ -27,36 +26,21 @@ jobs:
           prompt: |
             You are an assistant that reviews GitHub issues for the repository.
 
-            Your job is to choose the most appropriate labels for the issue described later in this prompt.
+            Your job is to choose the most appropriate existing labels for the issue described later in this prompt.
             Follow these rules:
+            - Only pick labels out of the list below.
+            - Prefer a small set of precise labels over many broad ones.
 
-            - Add one (and only one) of the following three labels to distinguish the type of issue. Default to "bug" if unsure.
+            Labels to apply:
             1. bug — Reproducible defects in Codex products (CLI, VS Code extension, web, auth).
             2. enhancement — Feature requests or usability improvements that ask for new capabilities, better ergonomics, or quality-of-life tweaks.
-            3. documentation — Updates or corrections needed in docs/README/config references (broken links, missing examples, outdated keys, clarification requests).
-
-            - If applicable, add one of the following labels to specify which sub-product or product surface the issue relates to.
-            1. CLI — the Codex command line interface.
-            2. extension — VS Code (or other IDE) extension-specific issues.
-            3. codex-web — Issues targeting the Codex web UI/Cloud experience.
-            4. github-action — Issues with the Codex GitHub action.
-            5. iOS — Issues with the Codex iOS app.
-
-            - Additionally add zero or more of the following labels that are relevant to the issue content. Prefer a small set of precise labels over many broad ones.
-            1. windows-os — Bugs or friction specific to Windows environments (always when PowerShell is mentioned, path handling, copy/paste, OS-specific auth or tooling failures).
-            2. mcp — Topics involving Model Context Protocol servers/clients.
-            3. mcp-server — Problems related to the codex mcp-server command, where codex runs as an MCP server.
-            4. azure — Problems or requests tied to Azure OpenAI deployments.
-            5. model-behavior — Undesirable LLM behavior: forgetting goals, refusing work, hallucinating environment details, quota misreports, or other reasoning/performance anomalies.
-            6. code-review — Issues related to the code review feature or functionality.
-            7. auth - Problems related to authentication, login, or access tokens.
-            8. codex-exec - Problems related to the "codex exec" command or functionality.
-            9. context-management - Problems related to compaction, context windows, or available context reporting.
-            10. custom-model - Problems that involve using custom model providers, local models, or OSS models.
-            11. rate-limits - Problems related to token limits, rate limits, or token usage reporting.
-            12. sandbox - Issues related to local sandbox environments or tool call approvals to override sandbox restrictions.
-            13. tool-calls - Problems related to specific tool call invocations including unexpected errors, failures, or hangs.
-            14. TUI - Problems with the terminal user interface (TUI) including keyboard shortcuts, copy & pasting, menus, or screen update issues.
+            3. extension — VS Code (or other IDE) extension-specific issues.
+            4. windows-os — Bugs or friction specific to Windows environments (always when PowerShell is mentioned, path handling, copy/paste, OS-specific auth or tooling failures).
+            5. mcp — Topics involving Model Context Protocol servers/clients.
+            6. codex-web — Issues targeting the Codex web UI/Cloud experience.
+            8. azure — Problems or requests tied to Azure OpenAI deployments.
+            9. documentation — Updates or corrections needed in docs/README/config references (broken links, missing examples, outdated keys, clarification requests).
+            10. model-behavior — Undesirable LLM behavior: forgetting goals, refusing work, hallucinating environment details, quota misreports, or other reasoning/performance anomalies.
 
             Issue number: ${{ github.event.issue.number }}
 

.github/workflows/rust-ci.yml

@@ -9,7 +9,7 @@ on:
 # CI builds in debug (dev) for faster signal.
 
 jobs:
-  # --- Detect what changed to detect which tests to run (always runs) -------------------------------------
+  # --- Detect what changed (always runs) -------------------------------------
   changed:
     name: Detect changed areas
     runs-on: ubuntu-24.04
@@ -17,7 +17,7 @@ jobs:
       codex: ${{ steps.detect.outputs.codex }}
       workflows: ${{ steps.detect.outputs.workflows }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
       - name: Detect changed paths (no external action)
@@ -28,11 +28,9 @@ jobs:
 
           if [[ "${{ github.event_name }}" == "pull_request" ]]; then
             BASE_SHA='${{ github.event.pull_request.base.sha }}'
-            HEAD_SHA='${{ github.event.pull_request.head.sha }}'
             echo "Base SHA: $BASE_SHA"
-            echo "Head SHA: $HEAD_SHA"
-            # List files changed between base and PR head
-            mapfile -t files < <(git diff --name-only --no-renames "$BASE_SHA" "$HEAD_SHA")
+            # List files changed between base and current HEAD (merge-base aware)
+            mapfile -t files < <(git diff --name-only --no-renames "$BASE_SHA"...HEAD)
           else
             # On push / manual runs, default to running everything
             files=("codex-rs/force" ".github/force")
@@ -58,8 +56,8 @@ jobs:
       run:
         working-directory: codex-rs
     steps:
-      - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@1.93
+      - uses: actions/checkout@v5
+      - uses: dtolnay/rust-toolchain@1.90
         with:
           components: rustfmt
       - name: cargo fmt
@@ -76,9 +74,9 @@ jobs:
       run:
         working-directory: codex-rs
     steps:
-      - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@1.93
-      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
+      - uses: actions/checkout@v5
+      - uses: dtolnay/rust-toolchain@1.90
+      - uses: taiki-e/install-action@0c5db7f7f897c03b771660e91d065338615679f4 # v2
         with:
           tool: cargo-shear
           version: 1.5.1
@@ -86,9 +84,9 @@ jobs:
         run: cargo shear
 
   # --- CI to validate on different os/targets --------------------------------
-  lint_build:
-    name: Lint/Build — ${{ matrix.runner }} - ${{ matrix.target }}${{ matrix.profile == 'release' && ' (release)' || '' }}
-    runs-on: ${{ matrix.runs_on || matrix.runner }}
+  lint_build_test:
+    name: ${{ matrix.runner }} - ${{ matrix.target }}${{ matrix.profile == 'release' && ' (release)' || '' }}
+    runs-on: ${{ matrix.runner }}
     timeout-minutes: 30
     needs: changed
     # Keep job-level if to avoid spinning up runners when not needed
@@ -96,286 +94,85 @@ jobs:
     defaults:
       run:
         working-directory: codex-rs
-    env:
-      # Speed up repeated builds across CI runs by caching compiled objects (non-Windows).
-      USE_SCCACHE: ${{ startsWith(matrix.runner, 'windows') && 'false' || 'true' }}
-      CARGO_INCREMENTAL: "0"
-      SCCACHE_CACHE_SIZE: 10G
 
     strategy:
       fail-fast: false
       matrix:
         include:
-          - runner: macos-15-xlarge
+          - runner: macos-14
             target: aarch64-apple-darwin
             profile: dev
-          - runner: macos-15-xlarge
+          - runner: macos-14
             target: x86_64-apple-darwin
             profile: dev
           - runner: ubuntu-24.04
             target: x86_64-unknown-linux-musl
             profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-linux-x64
           - runner: ubuntu-24.04
             target: x86_64-unknown-linux-gnu
             profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-linux-x64
           - runner: ubuntu-24.04-arm
             target: aarch64-unknown-linux-musl
             profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-linux-arm64
           - runner: ubuntu-24.04-arm
             target: aarch64-unknown-linux-gnu
             profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-linux-arm64
-          - runner: windows-x64
+          - runner: windows-latest
             target: x86_64-pc-windows-msvc
             profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-x64
-          - runner: windows-arm64
+          - runner: windows-11-arm
             target: aarch64-pc-windows-msvc
             profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-arm64
 
           # Also run representative release builds on Mac and Linux because
           # there could be release-only build errors we want to catch.
           # Hopefully this also pre-populates the build cache to speed up
           # releases.
-          - runner: macos-15-xlarge
+          - runner: macos-14
             target: aarch64-apple-darwin
             profile: release
           - runner: ubuntu-24.04
             target: x86_64-unknown-linux-musl
             profile: release
-            runs_on:
-              group: codex-runners
-              labels: codex-linux-x64
-          - runner: windows-x64
+          - runner: windows-latest
             target: x86_64-pc-windows-msvc
             profile: release
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-x64
-          - runner: windows-arm64
+          - runner: windows-11-arm
             target: aarch64-pc-windows-msvc
             profile: release
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-arm64
 
     steps:
-      - uses: actions/checkout@v6
-      - name: Install UBSan runtime (musl)
-        if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          if command -v apt-get >/dev/null 2>&1; then
-            sudo apt-get update -y
-            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y libubsan1
-          fi
-      - uses: dtolnay/rust-toolchain@1.93
+      - uses: actions/checkout@v5
+      - uses: dtolnay/rust-toolchain@1.90
         with:
           targets: ${{ matrix.target }}
           components: clippy
 
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Use hermetic Cargo home (musl)
-        shell: bash
-        run: |
-          set -euo pipefail
-          cargo_home="${GITHUB_WORKSPACE}/.cargo-home"
-          mkdir -p "${cargo_home}/bin"
-          echo "CARGO_HOME=${cargo_home}" >> "$GITHUB_ENV"
-          echo "${cargo_home}/bin" >> "$GITHUB_PATH"
-          : > "${cargo_home}/config.toml"
-
-      - name: Compute lockfile hash
-        id: lockhash
-        working-directory: codex-rs
-        shell: bash
-        run: |
-          set -euo pipefail
-          echo "hash=$(sha256sum Cargo.lock | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
-          echo "toolchain_hash=$(sha256sum rust-toolchain.toml | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
-
       # Explicit cache restore: split cargo home vs target, so we can
       # avoid caching the large target dir on the gnu-dev job.
       - name: Restore cargo home cache
         id: cache_cargo_home_restore
-        uses: actions/cache/restore@v5
+        uses: actions/cache/restore@v4
         with:
           path: |
             ~/.cargo/bin/
             ~/.cargo/registry/index/
             ~/.cargo/registry/cache/
             ~/.cargo/git/db/
-            ${{ github.workspace }}/.cargo-home/bin/
-            ${{ github.workspace }}/.cargo-home/registry/index/
-            ${{ github.workspace }}/.cargo-home/registry/cache/
-            ${{ github.workspace }}/.cargo-home/git/db/
-          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ steps.lockhash.outputs.toolchain_hash }}
-          restore-keys: |
-            cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-
+          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}
 
-      # Install and restore sccache cache
-      - name: Install sccache
-        if: ${{ env.USE_SCCACHE == 'true' }}
-        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
+      - name: Restore target cache (except gnu-dev)
+        id: cache_target_restore
+        if: ${{ !(matrix.target == 'x86_64-unknown-linux-gnu' && matrix.profile != 'release') }}
+        uses: actions/cache/restore@v4
         with:
-          tool: sccache
-          version: 0.7.5
-
-      - name: Configure sccache backend
-        if: ${{ env.USE_SCCACHE == 'true' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          if [[ -n "${ACTIONS_CACHE_URL:-}" && -n "${ACTIONS_RUNTIME_TOKEN:-}" ]]; then
-            echo "SCCACHE_GHA_ENABLED=true" >> "$GITHUB_ENV"
-            echo "Using sccache GitHub backend"
-          else
-            echo "SCCACHE_GHA_ENABLED=false" >> "$GITHUB_ENV"
-            echo "SCCACHE_DIR=${{ github.workspace }}/.sccache" >> "$GITHUB_ENV"
-            echo "Using sccache local disk + actions/cache fallback"
-          fi
-
-      - name: Enable sccache wrapper
-        if: ${{ env.USE_SCCACHE == 'true' }}
-        shell: bash
-        run: echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV"
-
-      - name: Restore sccache cache (fallback)
-        if: ${{ env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true' }}
-        id: cache_sccache_restore
-        uses: actions/cache/restore@v5
-        with:
-          path: ${{ github.workspace }}/.sccache/
-          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
-          restore-keys: |
-            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-
-            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Disable sccache wrapper (musl)
-        shell: bash
-        run: |
-          set -euo pipefail
-          echo "RUSTC_WRAPPER=" >> "$GITHUB_ENV"
-          echo "RUSTC_WORKSPACE_WRAPPER=" >> "$GITHUB_ENV"
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Prepare APT cache directories (musl)
-        shell: bash
-        run: |
-          set -euo pipefail
-          sudo mkdir -p /var/cache/apt/archives /var/lib/apt/lists
-          sudo chown -R "$USER:$USER" /var/cache/apt /var/lib/apt/lists
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Restore APT cache (musl)
-        id: cache_apt_restore
-        uses: actions/cache/restore@v5
-        with:
-          path: |
-            /var/cache/apt
-          key: apt-${{ matrix.runner }}-${{ matrix.target }}-v1
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Install Zig
-        uses: mlugg/setup-zig@v2
-        with:
-          version: 0.14.0
+          path: ${{ github.workspace }}/codex-rs/target/
+          key: cargo-target-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}
 
       - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
         name: Install musl build tools
-        env:
-          DEBIAN_FRONTEND: noninteractive
-          TARGET: ${{ matrix.target }}
-          APT_UPDATE_ARGS: -o Acquire::Retries=3
-          APT_INSTALL_ARGS: --no-install-recommends
-        shell: bash
-        run: bash "${GITHUB_WORKSPACE}/.github/scripts/install-musl-build-tools.sh"
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Configure rustc UBSan wrapper (musl host)
-        shell: bash
         run: |
-          set -euo pipefail
-          ubsan=""
-          if command -v ldconfig >/dev/null 2>&1; then
-            ubsan="$(ldconfig -p | grep -m1 'libubsan\.so\.1' | sed -E 's/.*=> (.*)$/\1/')"
-          fi
-          wrapper_root="${RUNNER_TEMP:-/tmp}"
-          wrapper="${wrapper_root}/rustc-ubsan-wrapper"
-          cat > "${wrapper}" <<EOF
-          #!/usr/bin/env bash
-          set -euo pipefail
-          if [[ -n "${ubsan}" ]]; then
-            export LD_PRELOAD="${ubsan}\${LD_PRELOAD:+:\${LD_PRELOAD}}"
-          fi
-          exec "\$1" "\${@:2}"
-          EOF
-          chmod +x "${wrapper}"
-          echo "RUSTC_WRAPPER=${wrapper}" >> "$GITHUB_ENV"
-          echo "RUSTC_WORKSPACE_WRAPPER=" >> "$GITHUB_ENV"
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Clear sanitizer flags (musl)
-        shell: bash
-        run: |
-          set -euo pipefail
-          # Clear global Rust flags so host/proc-macro builds don't pull in UBSan.
-          echo "RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_ENCODED_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "RUSTDOCFLAGS=" >> "$GITHUB_ENV"
-          # Override any runner-level Cargo config rustflags as well.
-          echo "CARGO_BUILD_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUSTFLAGS=" >> "$GITHUB_ENV"
-
-          sanitize_flags() {
-            local input="$1"
-            input="${input//-fsanitize=undefined/}"
-            input="${input//-fno-sanitize-recover=undefined/}"
-            input="${input//-fno-sanitize-trap=undefined/}"
-            echo "$input"
-          }
-
-          cflags="$(sanitize_flags "${CFLAGS-}")"
-          cxxflags="$(sanitize_flags "${CXXFLAGS-}")"
-          echo "CFLAGS=${cflags}" >> "$GITHUB_ENV"
-          echo "CXXFLAGS=${cxxflags}" >> "$GITHUB_ENV"
-
-      - name: Install cargo-chef
-        if: ${{ matrix.profile == 'release' }}
-        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
-        with:
-          tool: cargo-chef
-          version: 0.1.71
-
-      - name: Pre-warm dependency cache (cargo-chef)
-        if: ${{ matrix.profile == 'release' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          RECIPE="${RUNNER_TEMP}/chef-recipe.json"
-          cargo chef prepare --recipe-path "$RECIPE"
-          cargo chef cook --recipe-path "$RECIPE" --target ${{ matrix.target }} --release --all-features
+          sudo apt install -y musl-tools pkg-config && sudo rm -rf /var/lib/apt/lists/*
 
       - name: cargo clippy
         id: clippy
@@ -394,244 +191,59 @@ jobs:
           find . -name Cargo.toml -mindepth 2 -maxdepth 2 -print0 \
             | xargs -0 -n1 -I{} bash -c 'cd "$(dirname "{}")" && cargo check --profile ${{ matrix.profile }}'
 
-      # Save caches explicitly; make non-fatal so cache packaging
-      # never fails the overall job. Only save when key wasn't hit.
-      - name: Save cargo home cache
-        if: always() && !cancelled() && steps.cache_cargo_home_restore.outputs.cache-hit != 'true'
-        continue-on-error: true
-        uses: actions/cache/save@v5
-        with:
-          path: |
-            ~/.cargo/bin/
-            ~/.cargo/registry/index/
-            ~/.cargo/registry/cache/
-            ~/.cargo/git/db/
-            ${{ github.workspace }}/.cargo-home/bin/
-            ${{ github.workspace }}/.cargo-home/registry/index/
-            ${{ github.workspace }}/.cargo-home/registry/cache/
-            ${{ github.workspace }}/.cargo-home/git/db/
-          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ steps.lockhash.outputs.toolchain_hash }}
-
-      - name: Save sccache cache (fallback)
-        if: always() && !cancelled() && env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true'
-        continue-on-error: true
-        uses: actions/cache/save@v5
-        with:
-          path: ${{ github.workspace }}/.sccache/
-          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
-
-      - name: sccache stats
-        if: always() && env.USE_SCCACHE == 'true'
-        continue-on-error: true
-        run: sccache --show-stats || true
-
-      - name: sccache summary
-        if: always() && env.USE_SCCACHE == 'true'
-        shell: bash
-        run: |
-          {
-            echo "### sccache stats — ${{ matrix.target }} (${{ matrix.profile }})";
-            echo;
-            echo '```';
-            sccache --show-stats || true;
-            echo '```';
-          } >> "$GITHUB_STEP_SUMMARY"
-
-      - name: Save APT cache (musl)
-        if: always() && !cancelled() && (matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl') && steps.cache_apt_restore.outputs.cache-hit != 'true'
-        continue-on-error: true
-        uses: actions/cache/save@v5
-        with:
-          path: |
-            /var/cache/apt
-          key: apt-${{ matrix.runner }}-${{ matrix.target }}-v1
-
-      # Fail the job if any of the previous steps failed.
-      - name: verify all steps passed
-        if: |
-          steps.clippy.outcome == 'failure' ||
-          steps.cargo_check_all_crates.outcome == 'failure'
-        run: |
-          echo "One or more checks failed (clippy or cargo_check_all_crates). See logs for details."
-          exit 1
-
-  tests:
-    name: Tests — ${{ matrix.runner }} - ${{ matrix.target }}
-    runs-on: ${{ matrix.runs_on || matrix.runner }}
-    timeout-minutes: 30
-    needs: changed
-    if: ${{ needs.changed.outputs.codex == 'true' || needs.changed.outputs.workflows == 'true' || github.event_name == 'push' }}
-    defaults:
-      run:
-        working-directory: codex-rs
-    env:
-      # Speed up repeated builds across CI runs by caching compiled objects (non-Windows).
-      USE_SCCACHE: ${{ startsWith(matrix.runner, 'windows') && 'false' || 'true' }}
-      CARGO_INCREMENTAL: "0"
-      SCCACHE_CACHE_SIZE: 10G
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: macos-15-xlarge
-            target: aarch64-apple-darwin
-            profile: dev
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-gnu
-            profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-linux-x64
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-gnu
-            profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-linux-arm64
-          - runner: windows-x64
-            target: x86_64-pc-windows-msvc
-            profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-x64
-          - runner: windows-arm64
-            target: aarch64-pc-windows-msvc
-            profile: dev
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-arm64
-
-    steps:
-      - uses: actions/checkout@v6
-
-      # Some integration tests rely on DotSlash being installed.
-      # See https://github.com/openai/codex/pull/7617.
-      - name: Install DotSlash
-        uses: facebook/install-dotslash@v2
-
-      - uses: dtolnay/rust-toolchain@1.93
-        with:
-          targets: ${{ matrix.target }}
-
-      - name: Compute lockfile hash
-        id: lockhash
-        working-directory: codex-rs
-        shell: bash
-        run: |
-          set -euo pipefail
-          echo "hash=$(sha256sum Cargo.lock | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
-          echo "toolchain_hash=$(sha256sum rust-toolchain.toml | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
-
-      - name: Restore cargo home cache
-        id: cache_cargo_home_restore
-        uses: actions/cache/restore@v5
-        with:
-          path: |
-            ~/.cargo/bin/
-            ~/.cargo/registry/index/
-            ~/.cargo/registry/cache/
-            ~/.cargo/git/db/
-          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ steps.lockhash.outputs.toolchain_hash }}
-          restore-keys: |
-            cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-
-
-      - name: Install sccache
-        if: ${{ env.USE_SCCACHE == 'true' }}
-        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
-        with:
-          tool: sccache
-          version: 0.7.5
-
-      - name: Configure sccache backend
-        if: ${{ env.USE_SCCACHE == 'true' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          if [[ -n "${ACTIONS_CACHE_URL:-}" && -n "${ACTIONS_RUNTIME_TOKEN:-}" ]]; then
-            echo "SCCACHE_GHA_ENABLED=true" >> "$GITHUB_ENV"
-            echo "Using sccache GitHub backend"
-          else
-            echo "SCCACHE_GHA_ENABLED=false" >> "$GITHUB_ENV"
-            echo "SCCACHE_DIR=${{ github.workspace }}/.sccache" >> "$GITHUB_ENV"
-            echo "Using sccache local disk + actions/cache fallback"
-          fi
-
-      - name: Enable sccache wrapper
-        if: ${{ env.USE_SCCACHE == 'true' }}
-        shell: bash
-        run: echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV"
-
-      - name: Restore sccache cache (fallback)
-        if: ${{ env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true' }}
-        id: cache_sccache_restore
-        uses: actions/cache/restore@v5
-        with:
-          path: ${{ github.workspace }}/.sccache/
-          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
-          restore-keys: |
-            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-
-            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-
-
-      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
+      - uses: taiki-e/install-action@0c5db7f7f897c03b771660e91d065338615679f4 # v2
         with:
           tool: nextest
           version: 0.9.103
 
       - name: tests
         id: test
+        # Tests take too long for release builds to run them on every PR.
+        if: ${{ matrix.profile != 'release' }}
+        continue-on-error: true
         run: cargo nextest run --all-features --no-fail-fast --target ${{ matrix.target }} --cargo-profile ci-test
         env:
           RUST_BACKTRACE: 1
-          NEXTEST_STATUS_LEVEL: leak
 
+      # Save caches explicitly; make non-fatal so cache packaging
+      # never fails the overall job. Only save when key wasn't hit.
       - name: Save cargo home cache
         if: always() && !cancelled() && steps.cache_cargo_home_restore.outputs.cache-hit != 'true'
         continue-on-error: true
-        uses: actions/cache/save@v5
+        uses: actions/cache/save@v4
         with:
           path: |
             ~/.cargo/bin/
             ~/.cargo/registry/index/
             ~/.cargo/registry/cache/
             ~/.cargo/git/db/
-          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ steps.lockhash.outputs.toolchain_hash }}
+          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}
 
-      - name: Save sccache cache (fallback)
-        if: always() && !cancelled() && env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true'
+      - name: Save target cache (except gnu-dev)
+        if: >-
+          always() && !cancelled() &&
+          (steps.cache_target_restore.outputs.cache-hit != 'true') &&
+          !(matrix.target == 'x86_64-unknown-linux-gnu' && matrix.profile != 'release')
         continue-on-error: true
-        uses: actions/cache/save@v5
+        uses: actions/cache/save@v4
         with:
-          path: ${{ github.workspace }}/.sccache/
-          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
+          path: ${{ github.workspace }}/codex-rs/target/
+          key: cargo-target-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}
 
-      - name: sccache stats
-        if: always() && env.USE_SCCACHE == 'true'
-        continue-on-error: true
-        run: sccache --show-stats || true
-
-      - name: sccache summary
-        if: always() && env.USE_SCCACHE == 'true'
-        shell: bash
+      # Fail the job if any of the previous steps failed.
+      - name: verify all steps passed
+        if: |
+          steps.clippy.outcome == 'failure' ||
+          steps.cargo_check_all_crates.outcome == 'failure' ||
+          steps.test.outcome == 'failure'
         run: |
-          {
-            echo "### sccache stats — ${{ matrix.target }} (tests)";
-            echo;
-            echo '```';
-            sccache --show-stats || true;
-            echo '```';
-          } >> "$GITHUB_STEP_SUMMARY"
-
-      - name: verify tests passed
-        if: steps.test.outcome == 'failure'
-        run: |
-          echo "Tests failed. See logs for details."
+          echo "One or more checks failed (clippy, cargo_check_all_crates, or test). See logs for details."
           exit 1
 
   # --- Gatherer job that you mark as the ONLY required status -----------------
   results:
     name: CI results (required)
-    needs: [changed, general, cargo_shear, lint_build, tests]
+    needs: [changed, general, cargo_shear, lint_build_test]
     if: always()
     runs-on: ubuntu-24.04
     steps:
@@ -640,8 +252,7 @@ jobs:
         run: |
           echo "general: ${{ needs.general.result }}"
           echo "shear  : ${{ needs.cargo_shear.result }}"
-          echo "lint   : ${{ needs.lint_build.result }}"
-          echo "tests  : ${{ needs.tests.result }}"
+          echo "matrix : ${{ needs.lint_build_test.result }}"
 
           # If nothing relevant changed (PR touching only root README, etc.),
           # declare success regardless of other jobs.
@@ -653,10 +264,4 @@ jobs:
           # Otherwise require the jobs to have succeeded
           [[ '${{ needs.general.result }}' == 'success' ]] || { echo 'general failed'; exit 1; }
           [[ '${{ needs.cargo_shear.result }}' == 'success' ]] || { echo 'cargo_shear failed'; exit 1; }
-          [[ '${{ needs.lint_build.result }}' == 'success' ]] || { echo 'lint_build failed'; exit 1; }
-          [[ '${{ needs.tests.result }}' == 'success' ]] || { echo 'tests failed'; exit 1; }
-
-      - name: sccache summary note
-        if: always()
-        run: |
-          echo "Per-job sccache stats are attached to each matrix job's Step Summary."
+          [[ '${{ needs.lint_build_test.result }}' == 'success' ]] || { echo 'matrix failed'; exit 1; }

.github/workflows/rust-release-prepare.yml

@@ -1,53 +0,0 @@
-name: rust-release-prepare
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 */4 * * *"
-
-concurrency:
-  group: ${{ github.workflow }}
-  cancel-in-progress: false
-
-permissions:
-  contents: write
-  pull-requests: write
-
-jobs:
-  prepare:
-    # Prevent scheduled runs on forks (no secrets, wastes Actions minutes)
-    if: github.repository == 'openai/codex'
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          ref: main
-          fetch-depth: 0
-
-      - name: Update models.json
-        env:
-          OPENAI_API_KEY: ${{ secrets.CODEX_OPENAI_API_KEY }}
-        run: |
-          set -euo pipefail
-
-          client_version="99.99.99"
-          terminal_info="github-actions"
-          user_agent="codex_cli_rs/99.99.99 (Linux $(uname -r); $(uname -m)) ${terminal_info}"
-          base_url="${OPENAI_BASE_URL:-https://chatgpt.com/backend-api/codex}"
-
-          headers=(
-            -H "Authorization: Bearer ${OPENAI_API_KEY}"
-            -H "User-Agent: ${user_agent}"
-          )
-
-          url="${base_url%/}/models?client_version=${client_version}"
-          curl --http1.1 --fail --show-error --location "${headers[@]}" "${url}" | jq '.' > codex-rs/core/models.json
-
-      - name: Open pull request (if changed)
-        uses: peter-evans/create-pull-request@v8
-        with:
-          commit-message: "Update models.json"
-          title: "Update models.json"
-          body: "Automated update of models.json."
-          branch: "bot/update-models-json"
-          reviewers: "pakrym-oai,aibrahim-oai"
-          delete-branch: true

.github/workflows/rust-release.yml

@@ -19,8 +19,8 @@ jobs:
   tag-check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@1.92
+      - uses: actions/checkout@v5
+
       - name: Validate tag matches Cargo.toml version
         shell: bash
         run: |
@@ -45,23 +45,11 @@ jobs:
           echo "✅  Tag and Cargo.toml agree (${tag_ver})"
           echo "::endgroup::"
 
-      - name: Verify config schema fixture
-        shell: bash
-        working-directory: codex-rs
-        run: |
-          set -euo pipefail
-          echo "If this fails, run: just write-config-schema to overwrite fixture with intentional changes."
-          cargo run -p codex-core --bin codex-write-config-schema
-          git diff --exit-code core/config.schema.json
-
   build:
     needs: tag-check
     name: Build - ${{ matrix.runner }} - ${{ matrix.target }}
     runs-on: ${{ matrix.runner }}
-    timeout-minutes: 60
-    permissions:
-      contents: read
-      id-token: write
+    timeout-minutes: 30
     defaults:
       run:
         working-directory: codex-rs
@@ -88,208 +76,198 @@ jobs:
             target: aarch64-pc-windows-msvc
 
     steps:
-      - uses: actions/checkout@v6
-      - name: Install UBSan runtime (musl)
-        if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          if command -v apt-get >/dev/null 2>&1; then
-            sudo apt-get update -y
-            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y libubsan1
-          fi
-      - uses: dtolnay/rust-toolchain@1.93
+      - uses: actions/checkout@v5
+      - uses: dtolnay/rust-toolchain@1.90
         with:
           targets: ${{ matrix.target }}
 
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Use hermetic Cargo home (musl)
-        shell: bash
-        run: |
-          set -euo pipefail
-          cargo_home="${GITHUB_WORKSPACE}/.cargo-home"
-          mkdir -p "${cargo_home}/bin"
-          echo "CARGO_HOME=${cargo_home}" >> "$GITHUB_ENV"
-          echo "${cargo_home}/bin" >> "$GITHUB_PATH"
-          : > "${cargo_home}/config.toml"
-
-      - uses: actions/cache@v5
+      - uses: actions/cache@v4
         with:
           path: |
             ~/.cargo/bin/
             ~/.cargo/registry/index/
             ~/.cargo/registry/cache/
             ~/.cargo/git/db/
-            ${{ github.workspace }}/.cargo-home/bin/
-            ${{ github.workspace }}/.cargo-home/registry/index/
-            ${{ github.workspace }}/.cargo-home/registry/cache/
-            ${{ github.workspace }}/.cargo-home/git/db/
             ${{ github.workspace }}/codex-rs/target/
           key: cargo-${{ matrix.runner }}-${{ matrix.target }}-release-${{ hashFiles('**/Cargo.lock') }}
 
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Install Zig
-        uses: mlugg/setup-zig@v2
-        with:
-          version: 0.14.0
-
       - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
         name: Install musl build tools
-        env:
-          TARGET: ${{ matrix.target }}
-        run: bash "${GITHUB_WORKSPACE}/.github/scripts/install-musl-build-tools.sh"
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Configure rustc UBSan wrapper (musl host)
-        shell: bash
         run: |
-          set -euo pipefail
-          ubsan=""
-          if command -v ldconfig >/dev/null 2>&1; then
-            ubsan="$(ldconfig -p | grep -m1 'libubsan\.so\.1' | sed -E 's/.*=> (.*)$/\1/')"
-          fi
-          wrapper_root="${RUNNER_TEMP:-/tmp}"
-          wrapper="${wrapper_root}/rustc-ubsan-wrapper"
-          cat > "${wrapper}" <<EOF
-          #!/usr/bin/env bash
-          set -euo pipefail
-          if [[ -n "${ubsan}" ]]; then
-            export LD_PRELOAD="${ubsan}\${LD_PRELOAD:+:\${LD_PRELOAD}}"
-          fi
-          exec "\$1" "\${@:2}"
-          EOF
-          chmod +x "${wrapper}"
-          echo "RUSTC_WRAPPER=${wrapper}" >> "$GITHUB_ENV"
-          echo "RUSTC_WORKSPACE_WRAPPER=" >> "$GITHUB_ENV"
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
-        name: Clear sanitizer flags (musl)
-        shell: bash
-        run: |
-          set -euo pipefail
-          # Clear global Rust flags so host/proc-macro builds don't pull in UBSan.
-          echo "RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_ENCODED_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "RUSTDOCFLAGS=" >> "$GITHUB_ENV"
-          # Override any runner-level Cargo config rustflags as well.
-          echo "CARGO_BUILD_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUSTFLAGS=" >> "$GITHUB_ENV"
-
-          sanitize_flags() {
-            local input="$1"
-            input="${input//-fsanitize=undefined/}"
-            input="${input//-fno-sanitize-recover=undefined/}"
-            input="${input//-fno-sanitize-trap=undefined/}"
-            echo "$input"
-          }
-
-          cflags="$(sanitize_flags "${CFLAGS-}")"
-          cxxflags="$(sanitize_flags "${CXXFLAGS-}")"
-          echo "CFLAGS=${cflags}" >> "$GITHUB_ENV"
-          echo "CXXFLAGS=${cxxflags}" >> "$GITHUB_ENV"
+          sudo apt-get update
+          sudo apt-get install -y musl-tools pkg-config
 
       - name: Cargo build
+        run: cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy
+
+      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
+        name: Configure Apple code signing
         shell: bash
+        env:
+          KEYCHAIN_PASSWORD: actions
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE_P12 }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
         run: |
-          if [[ "${{ contains(matrix.target, 'windows') }}" == 'true' ]]; then
-            cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy --bin codex-windows-sandbox-setup --bin codex-command-runner
-          else
-            cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy
+          set -euo pipefail
+
+          if [[ -z "${APPLE_CERTIFICATE:-}" ]]; then
+            echo "APPLE_CERTIFICATE is required for macOS signing"
+            exit 1
           fi
 
-      - if: ${{ contains(matrix.target, 'linux') }}
-        name: Cosign Linux artifacts
-        uses: ./.github/actions/linux-code-sign
-        with:
-          target: ${{ matrix.target }}
-          artifacts-dir: ${{ github.workspace }}/codex-rs/target/${{ matrix.target }}/release
+          if [[ -z "${APPLE_CERTIFICATE_PASSWORD:-}" ]]; then
+            echo "APPLE_CERTIFICATE_PASSWORD is required for macOS signing"
+            exit 1
+          fi
 
-      - if: ${{ contains(matrix.target, 'windows') }}
-        name: Sign Windows binaries with Azure Trusted Signing
-        uses: ./.github/actions/windows-code-sign
-        with:
-          target: ${{ matrix.target }}
-          client-id: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_ID }}
-          tenant-id: ${{ secrets.AZURE_TRUSTED_SIGNING_TENANT_ID }}
-          subscription-id: ${{ secrets.AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID }}
-          endpoint: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
-          account-name: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
-          certificate-profile-name: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME }}
+          cert_path="${RUNNER_TEMP}/apple_signing_certificate.p12"
+          echo "$APPLE_CERTIFICATE" | base64 -d > "$cert_path"
 
-      - if: ${{ runner.os == 'macOS' }}
-        name: MacOS code signing (binaries)
-        uses: ./.github/actions/macos-code-sign
-        with:
-          target: ${{ matrix.target }}
-          sign-binaries: "true"
-          sign-dmg: "false"
-          apple-certificate: ${{ secrets.APPLE_CERTIFICATE_P12 }}
-          apple-certificate-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
-          apple-notarization-key-p8: ${{ secrets.APPLE_NOTARIZATION_KEY_P8 }}
-          apple-notarization-key-id: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }}
-          apple-notarization-issuer-id: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}
+          keychain_path="${RUNNER_TEMP}/codex-signing.keychain-db"
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
+          security set-keychain-settings -lut 21600 "$keychain_path"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
 
-      - if: ${{ runner.os == 'macOS' }}
-        name: Build macOS dmg
+          keychain_args=()
+          cleanup_keychain() {
+            if ((${#keychain_args[@]} > 0)); then
+              security list-keychains -s "${keychain_args[@]}" || true
+              security default-keychain -s "${keychain_args[0]}" || true
+            else
+              security list-keychains -s || true
+            fi
+            if [[ -f "$keychain_path" ]]; then
+              security delete-keychain "$keychain_path" || true
+            fi
+          }
+
+          while IFS= read -r keychain; do
+            [[ -n "$keychain" ]] && keychain_args+=("$keychain")
+          done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g')
+
+          if ((${#keychain_args[@]} > 0)); then
+            security list-keychains -s "$keychain_path" "${keychain_args[@]}"
+          else
+            security list-keychains -s "$keychain_path"
+          fi
+
+          security default-keychain -s "$keychain_path"
+          security import "$cert_path" -k "$keychain_path" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
+          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$keychain_path" > /dev/null
+
+          codesign_hashes=()
+          while IFS= read -r hash; do
+            [[ -n "$hash" ]] && codesign_hashes+=("$hash")
+          done < <(security find-identity -v -p codesigning "$keychain_path" \
+            | sed -n 's/.*\([0-9A-F]\{40\}\).*/\1/p' \
+            | sort -u)
+
+          if ((${#codesign_hashes[@]} == 0)); then
+            echo "No signing identities found in $keychain_path"
+            cleanup_keychain
+            rm -f "$cert_path"
+            exit 1
+          fi
+
+          if ((${#codesign_hashes[@]} > 1)); then
+            echo "Multiple signing identities found in $keychain_path:"
+            printf '  %s\n' "${codesign_hashes[@]}"
+            cleanup_keychain
+            rm -f "$cert_path"
+            exit 1
+          fi
+
+          APPLE_CODESIGN_IDENTITY="${codesign_hashes[0]}"
+
+          rm -f "$cert_path"
+
+          echo "APPLE_CODESIGN_IDENTITY=$APPLE_CODESIGN_IDENTITY" >> "$GITHUB_ENV"
+          echo "APPLE_CODESIGN_KEYCHAIN=$keychain_path" >> "$GITHUB_ENV"
+          echo "::add-mask::$APPLE_CODESIGN_IDENTITY"
+
+      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
+        name: Sign macOS binaries
         shell: bash
         run: |
           set -euo pipefail
 
-          target="${{ matrix.target }}"
-          release_dir="target/${target}/release"
-          dmg_root="${RUNNER_TEMP}/codex-dmg-root"
-          volname="Codex (${target})"
-          dmg_path="${release_dir}/codex-${target}.dmg"
-
-          # The previous "MacOS code signing (binaries)" step signs + notarizes the
-          # built artifacts in `${release_dir}`. This step packages *those same*
-          # signed binaries into a dmg.
-          codex_binary_path="${release_dir}/codex"
-          proxy_binary_path="${release_dir}/codex-responses-api-proxy"
-
-          rm -rf "$dmg_root"
-          mkdir -p "$dmg_root"
-
-          if [[ ! -f "$codex_binary_path" ]]; then
-            echo "Binary $codex_binary_path not found"
-            exit 1
-          fi
-          if [[ ! -f "$proxy_binary_path" ]]; then
-            echo "Binary $proxy_binary_path not found"
+          if [[ -z "${APPLE_CODESIGN_IDENTITY:-}" ]]; then
+            echo "APPLE_CODESIGN_IDENTITY is required for macOS signing"
             exit 1
           fi
 
-          ditto "$codex_binary_path" "${dmg_root}/codex"
-          ditto "$proxy_binary_path" "${dmg_root}/codex-responses-api-proxy"
-
-          rm -f "$dmg_path"
-          hdiutil create \
-            -volname "$volname" \
-            -srcfolder "$dmg_root" \
-            -format UDZO \
-            -ov \
-            "$dmg_path"
-
-          if [[ ! -f "$dmg_path" ]]; then
-            echo "dmg $dmg_path not found after build"
-            exit 1
+          keychain_args=()
+          if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" && -f "${APPLE_CODESIGN_KEYCHAIN}" ]]; then
+            keychain_args+=(--keychain "${APPLE_CODESIGN_KEYCHAIN}")
           fi
 
-      - if: ${{ runner.os == 'macOS' }}
-        name: MacOS code signing (dmg)
-        uses: ./.github/actions/macos-code-sign
-        with:
-          target: ${{ matrix.target }}
-          sign-binaries: "false"
-          sign-dmg: "true"
-          apple-certificate: ${{ secrets.APPLE_CERTIFICATE_P12 }}
-          apple-certificate-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
-          apple-notarization-key-p8: ${{ secrets.APPLE_NOTARIZATION_KEY_P8 }}
-          apple-notarization-key-id: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }}
-          apple-notarization-issuer-id: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}
+          for binary in codex codex-responses-api-proxy; do
+            path="target/${{ matrix.target }}/release/${binary}"
+            codesign --force --options runtime --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
+          done
+
+      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
+        name: Notarize macOS binaries
+        shell: bash
+        env:
+          APPLE_NOTARIZATION_KEY_P8: ${{ secrets.APPLE_NOTARIZATION_KEY_P8 }}
+          APPLE_NOTARIZATION_KEY_ID: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }}
+          APPLE_NOTARIZATION_ISSUER_ID: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}
+        run: |
+          set -euo pipefail
+
+          for var in APPLE_NOTARIZATION_KEY_P8 APPLE_NOTARIZATION_KEY_ID APPLE_NOTARIZATION_ISSUER_ID; do
+            if [[ -z "${!var:-}" ]]; then
+              echo "$var is required for notarization"
+              exit 1
+            fi
+          done
+
+          notary_key_path="${RUNNER_TEMP}/notarytool.key.p8"
+          echo "$APPLE_NOTARIZATION_KEY_P8" | base64 -d > "$notary_key_path"
+          cleanup_notary() {
+            rm -f "$notary_key_path"
+          }
+          trap cleanup_notary EXIT
+
+          notarize_binary() {
+            local binary="$1"
+            local source_path="target/${{ matrix.target }}/release/${binary}"
+            local archive_path="${RUNNER_TEMP}/${binary}.zip"
+
+            if [[ ! -f "$source_path" ]]; then
+              echo "Binary $source_path not found"
+              exit 1
+            fi
+
+            rm -f "$archive_path"
+            ditto -c -k --keepParent "$source_path" "$archive_path"
+
+            submission_json=$(xcrun notarytool submit "$archive_path" \
+              --key "$notary_key_path" \
+              --key-id "$APPLE_NOTARIZATION_KEY_ID" \
+              --issuer "$APPLE_NOTARIZATION_ISSUER_ID" \
+              --output-format json \
+              --wait)
+
+            status=$(printf '%s\n' "$submission_json" | jq -r '.status // "Unknown"')
+            submission_id=$(printf '%s\n' "$submission_json" | jq -r '.id // ""')
+
+            if [[ -z "$submission_id" ]]; then
+              echo "Failed to retrieve submission ID for $binary"
+              exit 1
+            fi
+
+            echo "::notice title=Notarization::$binary submission ${submission_id} completed with status ${status}"
+
+            if [[ "$status" != "Accepted" ]]; then
+              echo "Notarization failed for ${binary} (submission ${submission_id}, status ${status})"
+              exit 1
+            fi
+          }
+
+          notarize_binary "codex"
+          notarize_binary "codex-responses-api-proxy"
 
       - name: Stage artifacts
         shell: bash
@@ -300,22 +278,11 @@ jobs:
           if [[ "${{ matrix.runner }}" == windows* ]]; then
             cp target/${{ matrix.target }}/release/codex.exe "$dest/codex-${{ matrix.target }}.exe"
             cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$dest/codex-responses-api-proxy-${{ matrix.target }}.exe"
-            cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
-            cp target/${{ matrix.target }}/release/codex-command-runner.exe "$dest/codex-command-runner-${{ matrix.target }}.exe"
           else
             cp target/${{ matrix.target }}/release/codex "$dest/codex-${{ matrix.target }}"
             cp target/${{ matrix.target }}/release/codex-responses-api-proxy "$dest/codex-responses-api-proxy-${{ matrix.target }}"
           fi
 
-          if [[ "${{ matrix.target }}" == *linux* ]]; then
-            cp target/${{ matrix.target }}/release/codex.sigstore "$dest/codex-${{ matrix.target }}.sigstore"
-            cp target/${{ matrix.target }}/release/codex-responses-api-proxy.sigstore "$dest/codex-responses-api-proxy-${{ matrix.target }}.sigstore"
-          fi
-
-          if [[ "${{ matrix.target }}" == *apple-darwin ]]; then
-            cp target/${{ matrix.target }}/release/codex-${{ matrix.target }}.dmg "$dest/codex-${{ matrix.target }}.dmg"
-          fi
-
       - if: ${{ matrix.runner == 'windows-11-arm' }}
         name: Install zstd
         shell: powershell
@@ -327,16 +294,6 @@ jobs:
           # Path that contains the uncompressed binaries for the current
           # ${{ matrix.target }}
           dest="dist/${{ matrix.target }}"
-          repo_root=$PWD
-
-          # We want to ship the raw Windows executables in the GitHub Release
-          # in addition to the compressed archives. Keep the originals for
-          # Windows targets; remove them elsewhere to limit the number of
-          # artifacts that end up in the GitHub Release.
-          keep_originals=false
-          if [[ "${{ matrix.runner }}" == windows* ]]; then
-            keep_originals=true
-          fi
 
           # For compatibility with environments that lack the `zstd` tool we
           # additionally create a `.tar.gz` for all platforms and `.zip` for
@@ -351,12 +308,7 @@ jobs:
             base="$(basename "$f")"
             # Skip files that are already archives (shouldn't happen, but be
             # safe).
-            if [[ "$base" == *.tar.gz || "$base" == *.zip || "$base" == *.dmg ]]; then
-              continue
-            fi
-
-            # Don't try to compress signature bundles.
-            if [[ "$base" == *.sigstore ]]; then
+            if [[ "$base" == *.tar.gz || "$base" == *.zip ]]; then
               continue
             fi
 
@@ -367,42 +319,38 @@ jobs:
             # Must run from inside the dest dir so 7z won't
             # embed the directory path inside the zip.
             if [[ "${{ matrix.runner }}" == windows* ]]; then
-              if [[ "$base" == "codex-${{ matrix.target }}.exe" ]]; then
-                # Bundle the sandbox helper binaries into the main codex zip so
-                # WinGet installs include the required helpers next to codex.exe.
-                # Fall back to the single-binary zip if the helpers are missing
-                # to avoid breaking releases.
-                bundle_dir="$(mktemp -d)"
-                runner_src="$dest/codex-command-runner-${{ matrix.target }}.exe"
-                setup_src="$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
-                if [[ -f "$runner_src" && -f "$setup_src" ]]; then
-                  cp "$dest/$base" "$bundle_dir/$base"
-                  cp "$runner_src" "$bundle_dir/codex-command-runner.exe"
-                  cp "$setup_src" "$bundle_dir/codex-windows-sandbox-setup.exe"
-                  # Use an absolute path so bundle zips land in the real dist
-                  # dir even when 7z runs from a temp directory.
-                  (cd "$bundle_dir" && 7z a "$repo_root/$dest/${base}.zip" .)
-                else
-                  echo "warning: missing sandbox binaries; falling back to single-binary zip"
-                  echo "warning: expected $runner_src and $setup_src"
-                  (cd "$dest" && 7z a "${base}.zip" "$base")
-                fi
-                rm -rf "$bundle_dir"
-              else
-                (cd "$dest" && 7z a "${base}.zip" "$base")
-              fi
+              (cd "$dest" && 7z a "${base}.zip" "$base")
             fi
 
             # Also create .zst (existing behaviour) *and* remove the original
             # uncompressed binary to keep the directory small.
-            zstd_args=(-T0 -19)
-            if [[ "${keep_originals}" == false ]]; then
-              zstd_args+=(--rm)
-            fi
-            zstd "${zstd_args[@]}" "$dest/$base"
+            zstd -T0 -19 --rm "$dest/$base"
           done
 
-      - uses: actions/upload-artifact@v6
+      - name: Remove signing keychain
+        if: ${{ always() && matrix.runner == 'macos-15-xlarge' }}
+        shell: bash
+        env:
+          APPLE_CODESIGN_KEYCHAIN: ${{ env.APPLE_CODESIGN_KEYCHAIN }}
+        run: |
+          set -euo pipefail
+          if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" ]]; then
+            keychain_args=()
+            while IFS= read -r keychain; do
+              [[ "$keychain" == "$APPLE_CODESIGN_KEYCHAIN" ]] && continue
+              [[ -n "$keychain" ]] && keychain_args+=("$keychain")
+            done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g')
+            if ((${#keychain_args[@]} > 0)); then
+              security list-keychains -s "${keychain_args[@]}"
+              security default-keychain -s "${keychain_args[0]}"
+            fi
+
+            if [[ -f "$APPLE_CODESIGN_KEYCHAIN" ]]; then
+              security delete-keychain "$APPLE_CODESIGN_KEYCHAIN"
+            fi
+          fi
+
+      - uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.target }}
           # Upload the per-binary .zst files as well as the new .tar.gz
@@ -410,19 +358,8 @@ jobs:
           path: |
             codex-rs/dist/${{ matrix.target }}/*
 
-  shell-tool-mcp:
-    name: shell-tool-mcp
-    needs: tag-check
-    uses: ./.github/workflows/shell-tool-mcp.yml
-    with:
-      release-tag: ${{ github.ref_name }}
-      publish: true
-    secrets: inherit
-
   release:
-    needs:
-      - build
-      - shell-tool-mcp
+    needs: build
     name: release
     runs-on: ubuntu-latest
     permissions:
@@ -436,47 +373,15 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
 
-      - name: Generate release notes from tag commit message
-        id: release_notes
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          # On tag pushes, GITHUB_SHA may be a tag object for annotated tags;
-          # peel it to the underlying commit.
-          commit="$(git rev-parse "${GITHUB_SHA}^{commit}")"
-          notes_path="${RUNNER_TEMP}/release-notes.md"
-
-          # Use the commit message for the commit the tag points at (not the
-          # annotated tag message).
-          git log -1 --format=%B "${commit}" > "${notes_path}"
-          # Ensure trailing newline so GitHub's markdown renderer doesn't
-          # occasionally run the last line into subsequent content.
-          echo >> "${notes_path}"
-
-          echo "path=${notes_path}" >> "${GITHUB_OUTPUT}"
-
-      - uses: actions/download-artifact@v7
+      - uses: actions/download-artifact@v4
         with:
           path: dist
 
       - name: List
         run: ls -R dist/
 
-      # This is a temporary fix: we should modify shell-tool-mcp.yml so these
-      # files do not end up in dist/ in the first place.
-      - name: Delete entries from dist/ that should not go in the release
-        run: |
-          rm -rf dist/shell-tool-mcp*
-
-          ls -R dist/
-
-      - name: Add config schema release asset
-        run: |
-          cp codex-rs/core/config.schema.json dist/config-schema.json
-
       - name: Define release name
         id: release_name
         run: |
@@ -510,7 +415,7 @@ jobs:
           run_install: false
 
       - name: Setup Node.js for npm packaging
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 22
 
@@ -534,7 +439,6 @@ jobs:
         with:
           name: ${{ steps.release_name.outputs.name }}
           tag_name: ${{ github.ref_name }}
-          body_path: ${{ steps.release_notes.outputs.path }}
           files: dist/**
           # Mark as prerelease only when the version has a suffix after x.y.z
           # (e.g. -alpha, -beta). Otherwise publish a normal release.
@@ -547,19 +451,6 @@ jobs:
           tag: ${{ github.ref_name }}
           config: .github/dotslash-config.json
 
-      - name: Trigger developers.openai.com deploy
-        # Only trigger the deploy if the release is not a pre-release.
-        # The deploy is used to update the developers.openai.com website with the new config schema json file.
-        if: ${{ !contains(steps.release_name.outputs.name, '-') }}
-        continue-on-error: true
-        env:
-          DEV_WEBSITE_VERCEL_DEPLOY_HOOK_URL: ${{ secrets.DEV_WEBSITE_VERCEL_DEPLOY_HOOK_URL }}
-        run: |
-          if ! curl -sS -f -o /dev/null -X POST "$DEV_WEBSITE_VERCEL_DEPLOY_HOOK_URL"; then
-            echo "::warning title=developers.openai.com deploy hook failed::Vercel deploy hook POST failed for ${GITHUB_REF_NAME}"
-            exit 1
-          fi
-
   # Publish to npm using OIDC authentication.
   # July 31, 2025: https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/
   # npm docs: https://docs.npmjs.com/trusted-publishers
@@ -575,7 +466,7 @@ jobs:
 
     steps:
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 22
           registry-url: "https://registry.npmjs.org"

.github/workflows/sdk.yml

@@ -11,7 +11,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
 
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
@@ -19,12 +19,12 @@ jobs:
           run_install: false
 
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v5
         with:
           node-version: 22
           cache: pnpm
 
-      - uses: dtolnay/rust-toolchain@1.93
+      - uses: dtolnay/rust-toolchain@1.90
 
       - name: build codex
         run: cargo build --bin codex

.github/workflows/shell-tool-mcp-ci.yml

@@ -1,48 +0,0 @@
-name: shell-tool-mcp CI
-
-on:
-  push:
-    paths:
-      - "shell-tool-mcp/**"
-      - ".github/workflows/shell-tool-mcp-ci.yml"
-      - "pnpm-lock.yaml"
-      - "pnpm-workspace.yaml"
-  pull_request:
-    paths:
-      - "shell-tool-mcp/**"
-      - ".github/workflows/shell-tool-mcp-ci.yml"
-      - "pnpm-lock.yaml"
-      - "pnpm-workspace.yaml"
-
-env:
-  NODE_VERSION: 22
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          run_install: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: "pnpm"
-
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
-
-      - name: Format check
-        run: pnpm --filter @openai/codex-shell-tool-mcp run format
-
-      - name: Run tests
-        run: pnpm --filter @openai/codex-shell-tool-mcp test
-
-      - name: Build
-        run: pnpm --filter @openai/codex-shell-tool-mcp run build

.github/workflows/shell-tool-mcp.yml

@@ -1,467 +0,0 @@
-name: shell-tool-mcp
-
-on:
-  workflow_call:
-    inputs:
-      release-version:
-        description: Version to publish (x.y.z or x.y.z-alpha.N). Defaults to GITHUB_REF_NAME when it starts with rust-v.
-        required: false
-        type: string
-      release-tag:
-        description: Tag name to use when downloading release artifacts (defaults to rust-v<version>).
-        required: false
-        type: string
-      publish:
-        description: Whether to publish to npm when the version is releasable.
-        required: false
-        default: true
-        type: boolean
-
-env:
-  NODE_VERSION: 22
-
-jobs:
-  metadata:
-    runs-on: ubuntu-latest
-    outputs:
-      version: ${{ steps.compute.outputs.version }}
-      release_tag: ${{ steps.compute.outputs.release_tag }}
-      should_publish: ${{ steps.compute.outputs.should_publish }}
-      npm_tag: ${{ steps.compute.outputs.npm_tag }}
-    steps:
-      - name: Compute version and tags
-        id: compute
-        run: |
-          set -euo pipefail
-
-          version="${{ inputs.release-version }}"
-          release_tag="${{ inputs.release-tag }}"
-
-          if [[ -z "$version" ]]; then
-            if [[ -n "$release_tag" && "$release_tag" =~ ^rust-v.+ ]]; then
-              version="${release_tag#rust-v}"
-            elif [[ "${GITHUB_REF_NAME:-}" =~ ^rust-v.+ ]]; then
-              version="${GITHUB_REF_NAME#rust-v}"
-              release_tag="${GITHUB_REF_NAME}"
-            else
-              echo "release-version is required when GITHUB_REF_NAME is not a rust-v tag."
-              exit 1
-            fi
-          fi
-
-          if [[ -z "$release_tag" ]]; then
-            release_tag="rust-v${version}"
-          fi
-
-          npm_tag=""
-          should_publish="false"
-          if [[ "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            should_publish="true"
-          elif [[ "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+-alpha\.[0-9]+$ ]]; then
-            should_publish="true"
-            npm_tag="alpha"
-          fi
-
-          echo "version=${version}" >> "$GITHUB_OUTPUT"
-          echo "release_tag=${release_tag}" >> "$GITHUB_OUTPUT"
-          echo "npm_tag=${npm_tag}" >> "$GITHUB_OUTPUT"
-          echo "should_publish=${should_publish}" >> "$GITHUB_OUTPUT"
-
-  rust-binaries:
-    name: Build Rust - ${{ matrix.target }}
-    needs: metadata
-    runs-on: ${{ matrix.runner }}
-    timeout-minutes: 30
-    defaults:
-      run:
-        working-directory: codex-rs
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: macos-15-xlarge
-            target: aarch64-apple-darwin
-          - runner: macos-15-xlarge
-            target: x86_64-apple-darwin
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            install_musl: true
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            install_musl: true
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Install UBSan runtime (musl)
-        if: ${{ matrix.install_musl }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          if command -v apt-get >/dev/null 2>&1; then
-            sudo apt-get update -y
-            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y libubsan1
-          fi
-
-      - uses: dtolnay/rust-toolchain@1.93
-        with:
-          targets: ${{ matrix.target }}
-
-      - if: ${{ matrix.install_musl }}
-        name: Install Zig
-        uses: mlugg/setup-zig@v2
-        with:
-          version: 0.14.0
-
-      - if: ${{ matrix.install_musl }}
-        name: Install musl build dependencies
-        env:
-          TARGET: ${{ matrix.target }}
-        run: bash "${GITHUB_WORKSPACE}/.github/scripts/install-musl-build-tools.sh"
-
-      - if: ${{ matrix.install_musl }}
-        name: Configure rustc UBSan wrapper (musl host)
-        shell: bash
-        run: |
-          set -euo pipefail
-          ubsan=""
-          if command -v ldconfig >/dev/null 2>&1; then
-            ubsan="$(ldconfig -p | grep -m1 'libubsan\.so\.1' | sed -E 's/.*=> (.*)$/\1/')"
-          fi
-          wrapper_root="${RUNNER_TEMP:-/tmp}"
-          wrapper="${wrapper_root}/rustc-ubsan-wrapper"
-          cat > "${wrapper}" <<EOF
-          #!/usr/bin/env bash
-          set -euo pipefail
-          if [[ -n "${ubsan}" ]]; then
-            export LD_PRELOAD="${ubsan}\${LD_PRELOAD:+:\${LD_PRELOAD}}"
-          fi
-          exec "\$1" "\${@:2}"
-          EOF
-          chmod +x "${wrapper}"
-          echo "RUSTC_WRAPPER=${wrapper}" >> "$GITHUB_ENV"
-          echo "RUSTC_WORKSPACE_WRAPPER=" >> "$GITHUB_ENV"
-
-      - if: ${{ matrix.install_musl }}
-        name: Clear sanitizer flags (musl)
-        shell: bash
-        run: |
-          set -euo pipefail
-          # Clear global Rust flags so host/proc-macro builds don't pull in UBSan.
-          echo "RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_ENCODED_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "RUSTDOCFLAGS=" >> "$GITHUB_ENV"
-          # Override any runner-level Cargo config rustflags as well.
-          echo "CARGO_BUILD_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_RUSTFLAGS=" >> "$GITHUB_ENV"
-          echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUSTFLAGS=" >> "$GITHUB_ENV"
-
-          sanitize_flags() {
-            local input="$1"
-            input="${input//-fsanitize=undefined/}"
-            input="${input//-fno-sanitize-recover=undefined/}"
-            input="${input//-fno-sanitize-trap=undefined/}"
-            echo "$input"
-          }
-
-          cflags="$(sanitize_flags "${CFLAGS-}")"
-          cxxflags="$(sanitize_flags "${CXXFLAGS-}")"
-          echo "CFLAGS=${cflags}" >> "$GITHUB_ENV"
-          echo "CXXFLAGS=${cxxflags}" >> "$GITHUB_ENV"
-
-      - name: Build exec server binaries
-        run: cargo build --release --target ${{ matrix.target }} --bin codex-exec-mcp-server --bin codex-execve-wrapper
-
-      - name: Stage exec server binaries
-        run: |
-          dest="${GITHUB_WORKSPACE}/artifacts/vendor/${{ matrix.target }}"
-          mkdir -p "$dest"
-          cp "target/${{ matrix.target }}/release/codex-exec-mcp-server" "$dest/"
-          cp "target/${{ matrix.target }}/release/codex-execve-wrapper" "$dest/"
-
-      - uses: actions/upload-artifact@v6
-        with:
-          name: shell-tool-mcp-rust-${{ matrix.target }}
-          path: artifacts/**
-          if-no-files-found: error
-
-  bash-linux:
-    name: Build Bash (Linux) - ${{ matrix.variant }} - ${{ matrix.target }}
-    needs: metadata
-    runs-on: ${{ matrix.runner }}
-    timeout-minutes: 30
-    container:
-      image: ${{ matrix.image }}
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: ubuntu-24.04
-            image: ubuntu:24.04
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: ubuntu-22.04
-            image: ubuntu:22.04
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: debian-12
-            image: debian:12
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: debian-11
-            image: debian:11
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: centos-9
-            image: quay.io/centos/centos:stream9
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: ubuntu-24.04
-            image: arm64v8/ubuntu:24.04
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: ubuntu-22.04
-            image: arm64v8/ubuntu:22.04
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: ubuntu-20.04
-            image: arm64v8/ubuntu:20.04
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: debian-12
-            image: arm64v8/debian:12
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: debian-11
-            image: arm64v8/debian:11
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: centos-9
-            image: quay.io/centos/centos:stream9
-    steps:
-      - name: Install build prerequisites
-        shell: bash
-        run: |
-          set -euo pipefail
-          if command -v apt-get >/dev/null 2>&1; then
-            apt-get update
-            DEBIAN_FRONTEND=noninteractive apt-get install -y git build-essential bison autoconf gettext
-          elif command -v dnf >/dev/null 2>&1; then
-            dnf install -y git gcc gcc-c++ make bison autoconf gettext
-          elif command -v yum >/dev/null 2>&1; then
-            yum install -y git gcc gcc-c++ make bison autoconf gettext
-          else
-            echo "Unsupported package manager in container"
-            exit 1
-          fi
-
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Build patched Bash
-        shell: bash
-        run: |
-          set -euo pipefail
-          git clone --depth 1 https://github.com/bolinfest/bash /tmp/bash
-          cd /tmp/bash
-          git fetch --depth 1 origin a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
-          git checkout a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
-          git apply "${GITHUB_WORKSPACE}/shell-tool-mcp/patches/bash-exec-wrapper.patch"
-          ./configure --without-bash-malloc
-          cores="$(command -v nproc >/dev/null 2>&1 && nproc || getconf _NPROCESSORS_ONLN)"
-          make -j"${cores}"
-
-          dest="${GITHUB_WORKSPACE}/artifacts/vendor/${{ matrix.target }}/bash/${{ matrix.variant }}"
-          mkdir -p "$dest"
-          cp bash "$dest/bash"
-
-      - uses: actions/upload-artifact@v6
-        with:
-          name: shell-tool-mcp-bash-${{ matrix.target }}-${{ matrix.variant }}
-          path: artifacts/**
-          if-no-files-found: error
-
-  bash-darwin:
-    name: Build Bash (macOS) - ${{ matrix.variant }} - ${{ matrix.target }}
-    needs: metadata
-    runs-on: ${{ matrix.runner }}
-    timeout-minutes: 30
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: macos-15-xlarge
-            target: aarch64-apple-darwin
-            variant: macos-15
-          - runner: macos-14
-            target: aarch64-apple-darwin
-            variant: macos-14
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Build patched Bash
-        shell: bash
-        run: |
-          set -euo pipefail
-          git clone --depth 1 https://github.com/bolinfest/bash /tmp/bash
-          cd /tmp/bash
-          git fetch --depth 1 origin a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
-          git checkout a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
-          git apply "${GITHUB_WORKSPACE}/shell-tool-mcp/patches/bash-exec-wrapper.patch"
-          ./configure --without-bash-malloc
-          cores="$(getconf _NPROCESSORS_ONLN)"
-          make -j"${cores}"
-
-          dest="${GITHUB_WORKSPACE}/artifacts/vendor/${{ matrix.target }}/bash/${{ matrix.variant }}"
-          mkdir -p "$dest"
-          cp bash "$dest/bash"
-
-      - uses: actions/upload-artifact@v6
-        with:
-          name: shell-tool-mcp-bash-${{ matrix.target }}-${{ matrix.variant }}
-          path: artifacts/**
-          if-no-files-found: error
-
-  package:
-    name: Package npm module
-    needs:
-      - metadata
-      - rust-binaries
-      - bash-linux
-      - bash-darwin
-    runs-on: ubuntu-latest
-    env:
-      PACKAGE_VERSION: ${{ needs.metadata.outputs.version }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          run_install: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Install JavaScript dependencies
-        run: pnpm install --frozen-lockfile
-
-      - name: Build (shell-tool-mcp)
-        run: pnpm --filter @openai/codex-shell-tool-mcp run build
-
-      - name: Download build artifacts
-        uses: actions/download-artifact@v7
-        with:
-          path: artifacts
-
-      - name: Assemble staging directory
-        id: staging
-        shell: bash
-        run: |
-          set -euo pipefail
-          staging="${STAGING_DIR}"
-          mkdir -p "$staging" "$staging/vendor"
-          cp shell-tool-mcp/README.md "$staging/"
-          cp shell-tool-mcp/package.json "$staging/"
-          cp -R shell-tool-mcp/bin "$staging/"
-
-          found_vendor="false"
-          shopt -s nullglob
-          for vendor_dir in artifacts/*/vendor; do
-            rsync -av "$vendor_dir/" "$staging/vendor/"
-            found_vendor="true"
-          done
-          if [[ "$found_vendor" == "false" ]]; then
-            echo "No vendor payloads were downloaded."
-            exit 1
-          fi
-
-          node - <<'NODE'
-            import fs from "node:fs";
-            import path from "node:path";
-
-            const stagingDir = process.env.STAGING_DIR;
-            const version = process.env.PACKAGE_VERSION;
-            const pkgPath = path.join(stagingDir, "package.json");
-            const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf8"));
-            pkg.version = version;
-            fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + "\n");
-          NODE
-
-          echo "dir=$staging" >> "$GITHUB_OUTPUT"
-        env:
-          STAGING_DIR: ${{ runner.temp }}/shell-tool-mcp
-
-      - name: Ensure binaries are executable
-        run: |
-          set -euo pipefail
-          staging="${{ steps.staging.outputs.dir }}"
-          chmod +x \
-            "$staging"/vendor/*/codex-exec-mcp-server \
-            "$staging"/vendor/*/codex-execve-wrapper \
-            "$staging"/vendor/*/bash/*/bash
-
-      - name: Create npm tarball
-        shell: bash
-        run: |
-          set -euo pipefail
-          mkdir -p dist/npm
-          staging="${{ steps.staging.outputs.dir }}"
-          pack_info=$(cd "$staging" && npm pack --ignore-scripts --json --pack-destination "${GITHUB_WORKSPACE}/dist/npm")
-          filename=$(PACK_INFO="$pack_info" node -e 'const data = JSON.parse(process.env.PACK_INFO); console.log(data[0].filename);')
-          mv "dist/npm/${filename}" "dist/npm/codex-shell-tool-mcp-npm-${PACKAGE_VERSION}.tgz"
-
-      - uses: actions/upload-artifact@v6
-        with:
-          name: codex-shell-tool-mcp-npm
-          path: dist/npm/codex-shell-tool-mcp-npm-${{ env.PACKAGE_VERSION }}.tgz
-          if-no-files-found: error
-
-  publish:
-    name: Publish npm package
-    needs:
-      - metadata
-      - package
-    if: ${{ inputs.publish && needs.metadata.outputs.should_publish == 'true' }}
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: read
-    steps:
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          registry-url: https://registry.npmjs.org
-          scope: "@openai"
-
-      # Trusted publishing requires npm CLI version 11.5.1 or later.
-      - name: Update npm
-        run: npm install -g npm@latest
-
-      - name: Download npm tarball
-        uses: actions/download-artifact@v7
-        with:
-          name: codex-shell-tool-mcp-npm
-          path: dist/npm
-
-      - name: Publish to npm
-        env:
-          NPM_TAG: ${{ needs.metadata.outputs.npm_tag }}
-          VERSION: ${{ needs.metadata.outputs.version }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          tag_args=()
-          if [[ -n "${NPM_TAG}" ]]; then
-            tag_args+=(--tag "${NPM_TAG}")
-          fi
-          npm publish "dist/npm/codex-shell-tool-mcp-npm-${VERSION}.tgz" "${tag_args[@]}"

.gitignore

@@ -9,7 +9,6 @@ node_modules
 
 # build
 dist/
-bazel-*
 build/
 out/
 storybook-static/
@@ -65,9 +64,6 @@ apply_patch/
 # coverage
 coverage/
 
-# personal files
-personal/
-
 # os
 .DS_Store
 Thumbs.db
@@ -86,8 +82,3 @@ CHANGELOG.ignore.md
 # nix related
 .direnv
 .envrc
-
-# Python bytecode files
-__pycache__/
-*.pyc
-

.markdownlint-cli2.yaml

@@ -1,6 +0,0 @@
-config:
-  MD013:
-    line_length: 100
-
-globs:
-  - "docs/tui-chat-composer.md"

AGENTS.md

@@ -11,17 +11,15 @@ In the codex-rs folder where the rust code lives:
 - Always collapse if statements per https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_if
 - Always inline format! args when possible per https://rust-lang.github.io/rust-clippy/master/index.html#uninlined_format_args
 - Use method references over closures when possible per https://rust-lang.github.io/rust-clippy/master/index.html#redundant_closure_for_method_calls
-- When possible, make `match` statements exhaustive and avoid wildcard arms.
+- Do not use unsigned integer even if the number cannot be negative.
 - When writing tests, prefer comparing the equality of entire objects over fields one by one.
 - When making a change that adds or changes an API, ensure that the documentation in the `docs/` folder is up to date if applicable.
-- If you change `ConfigToml` or nested config types, run `just write-config-schema` to update `codex-rs/core/config.schema.json`.
 
-Run `just fmt` (in `codex-rs` directory) automatically after you have finished making Rust code changes; do not ask for approval to run it. Additionally, run the tests:
+Run `just fmt` (in `codex-rs` directory) automatically after making Rust code changes; do not ask for approval to run it. Before finalizing a change to `codex-rs`, run `just fix -p <project>` (in `codex-rs` directory) to fix any linter issues in the code. Prefer scoping with `-p` to avoid slow workspace‑wide Clippy builds; only run `just fix` without `-p` if you changed shared crates. Additionally, run the tests:
 
 1. Run the test for the specific project that was changed. For example, if changes were made in `codex-rs/tui`, run `cargo test -p codex-tui`.
-2. Once those pass, if any changes were made in common, core, or protocol, run the complete test suite with `cargo test --all-features`. project-specific or individual tests can be run without asking the user, but do ask the user before running the complete test suite.
-
-Before finalizing a large change to `codex-rs`, run `just fix -p <project>` (in `codex-rs` directory) to fix any linter issues in the code. Prefer scoping with `-p` to avoid slow workspace‑wide Clippy builds; only run `just fix` without `-p` if you changed shared crates.
+2. Once those pass, if any changes were made in common, core, or protocol, run the complete test suite with `cargo test --all-features`.
+   When running interactively, ask the user before running `just fix` to finalize. `just fmt` does not require approval. project-specific or individual tests can be run without asking the user, but do ask the user before running the complete test suite.
 
 ## TUI style conventions
 
@@ -77,14 +75,6 @@ If you don’t have the tool:
 ### Test assertions
 
 - Tests should use pretty_assertions::assert_eq for clearer diffs. Import this at the top of the test module if it isn't already.
-- Prefer deep equals comparisons whenever possible. Perform `assert_eq!()` on entire objects, rather than individual fields.
-- Avoid mutating process environment in tests; prefer passing environment-derived flags or dependencies from above.
-
-### Spawning workspace binaries in tests (Cargo vs Bazel)
-
-- Prefer `codex_utils_cargo_bin::cargo_bin("...")` over `assert_cmd::Command::cargo_bin(...)` or `escargot` when tests need to spawn first-party binaries.
-  - Under Bazel, binaries and resources may live under runfiles; use `codex_utils_cargo_bin::cargo_bin` to resolve absolute paths that remain stable after `chdir`.
-- When locating fixture files or test resources under Bazel, avoid `env!("CARGO_MANIFEST_DIR")`. Prefer `codex_utils_cargo_bin::find_resource!` so paths resolve correctly under both Cargo and Bazel runfiles.
 
 ### Integration tests (core)
 
@@ -94,8 +84,6 @@ If you don’t have the tool:
 - Use `ResponseMock::single_request()` when a test should only issue one POST, or `ResponseMock::requests()` to inspect every captured `ResponsesRequest`.
 - `ResponsesRequest` exposes helpers (`body_json`, `input`, `function_call_output`, `custom_tool_call_output`, `call_output`, `header`, `path`, `query_param`) so assertions can target structured payloads instead of manual JSON digging.
 - Build SSE payloads with the provided `ev_*` constructors and the `sse(...)`.
-- Prefer `wait_for_event` over `wait_for_event_with_timeout`.
-- Prefer `mount_sse_once` over `mount_sse_once_match` or `mount_sse_sequence`
 
 - Typical pattern:
 

BUILD.bazel

@@ -1,23 +0,0 @@
-load("@apple_support//xcode:xcode_config.bzl", "xcode_config")
-
-xcode_config(name = "disable_xcode")
-
-# We mark the local platform as glibc-compatible so that rust can grab a toolchain for us.
-# TODO(zbarsky): Upstream a better libc constraint into rules_rust.
-# We only enable this on linux though for sanity, and because it breaks remote execution.
-platform(
-    name = "local",
-    constraint_values = [
-        "@toolchains_llvm_bootstrapped//constraints/libc:gnu.2.28",
-    ],
-    parents = [
-        "@platforms//host",
-    ],
-)
-
-alias(
-    name = "rbe",
-    actual = "@rbe_platform",
-)
-
-exports_files(["AGENTS.md"])

CHANGELOG.md

@@ -1 +1 @@
-The changelog can be found on the [releases page](https://github.com/openai/codex/releases).
+The changelog can be found on the [releases page](https://github.com/openai/codex/releases)

MODULE.bazel

@@ -1,136 +0,0 @@
-bazel_dep(name = "platforms", version = "1.0.0")
-bazel_dep(name = "toolchains_llvm_bootstrapped", version = "0.3.1")
-archive_override(
-    module_name = "toolchains_llvm_bootstrapped",
-    integrity = "sha256-4/2h4tYSUSptxFVI9G50yJxWGOwHSeTeOGBlaLQBV8g=",
-    strip_prefix = "toolchains_llvm_bootstrapped-d20baf67e04d8e2887e3779022890d1dc5e6b948",
-    urls = ["https://github.com/cerisier/toolchains_llvm_bootstrapped/archive/d20baf67e04d8e2887e3779022890d1dc5e6b948.tar.gz"],
-)
-
-osx = use_extension("@toolchains_llvm_bootstrapped//toolchain/extension:osx.bzl", "osx")
-osx.framework(name = "ApplicationServices")
-osx.framework(name = "AppKit")
-osx.framework(name = "ColorSync")
-osx.framework(name = "CoreFoundation")
-osx.framework(name = "CoreGraphics")
-osx.framework(name = "CoreServices")
-osx.framework(name = "CoreText")
-osx.framework(name = "CFNetwork")
-osx.framework(name = "Foundation")
-osx.framework(name = "ImageIO")
-osx.framework(name = "Kernel")
-osx.framework(name = "OSLog")
-osx.framework(name = "Security")
-osx.framework(name = "SystemConfiguration")
-
-register_toolchains(
-    "@toolchains_llvm_bootstrapped//toolchain:all",
-)
-
-# Needed to disable xcode...
-bazel_dep(name = "apple_support", version = "2.1.0")
-bazel_dep(name = "rules_cc", version = "0.2.16")
-bazel_dep(name = "rules_platform", version = "0.1.0")
-bazel_dep(name = "rules_rust", version = "0.68.1")
-single_version_override(
-    module_name = "rules_rust",
-    patch_strip = 1,
-    patches = [
-        "//patches:rules_rust.patch",
-        "//patches:rules_rust_windows_gnu.patch",
-        "//patches:rules_rust_musl.patch",
-    ],
-)
-
-RUST_TRIPLES = [
-    "aarch64-unknown-linux-musl",
-    "aarch64-apple-darwin",
-    "aarch64-pc-windows-gnullvm",
-    "x86_64-unknown-linux-musl",
-    "x86_64-apple-darwin",
-    "x86_64-pc-windows-gnullvm",
-]
-
-rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
-rust.toolchain(
-    edition = "2024",
-    extra_target_triples = RUST_TRIPLES,
-    versions = ["1.93.0"],
-)
-use_repo(rust, "rust_toolchains")
-
-register_toolchains("@rust_toolchains//:all")
-
-bazel_dep(name = "rules_rs", version = "0.0.23")
-
-crate = use_extension("@rules_rs//rs:extensions.bzl", "crate")
-crate.from_cargo(
-    cargo_lock = "//codex-rs:Cargo.lock",
-    cargo_toml = "//codex-rs:Cargo.toml",
-    platform_triples = RUST_TRIPLES,
-)
-crate.annotation(
-    crate = "nucleo-matcher",
-    strip_prefix = "matcher",
-    version = "0.3.1",
-)
-
-bazel_dep(name = "openssl", version = "3.5.4.bcr.0")
-
-crate.annotation(
-    build_script_data = [
-        "@openssl//:gen_dir",
-    ],
-    build_script_env = {
-        "OPENSSL_DIR": "$(execpath @openssl//:gen_dir)",
-        "OPENSSL_NO_VENDOR": "1",
-        "OPENSSL_STATIC": "1",
-    },
-    crate = "openssl-sys",
-    data = ["@openssl//:gen_dir"],
-)
-
-inject_repo(crate, "openssl")
-
-crate.annotation(
-    crate = "runfiles",
-    workspace_cargo_toml = "rust/runfiles/Cargo.toml",
-)
-
-# Fix readme inclusions
-crate.annotation(
-    crate = "windows-link",
-    patch_args = ["-p1"],
-    patches = [
-        "//patches:windows-link.patch",
-    ],
-)
-
-WINDOWS_IMPORT_LIB = """
-load("@rules_cc//cc:defs.bzl", "cc_import")
-
-cc_import(
-    name = "windows_import_lib",
-    static_library = glob(["lib/*.a"])[0],
-)
-"""
-
-crate.annotation(
-    additive_build_file_content = WINDOWS_IMPORT_LIB,
-    crate = "windows_x86_64_gnullvm",
-    gen_build_script = "off",
-    deps = [":windows_import_lib"],
-)
-crate.annotation(
-    additive_build_file_content = WINDOWS_IMPORT_LIB,
-    crate = "windows_aarch64_gnullvm",
-    gen_build_script = "off",
-    deps = [":windows_import_lib"],
-)
-use_repo(crate, "crates")
-
-rbe_platform_repository = use_repo_rule("//:rbe.bzl", "rbe_platform_repository")
-
-rbe_platform_repository(
-    name = "rbe_platform",
-)

PNPM.md

@@ -0,0 +1,70 @@
+# Migration to pnpm
+
+This project has been migrated from npm to pnpm to improve dependency management and developer experience.
+
+## Why pnpm?
+
+- **Faster installation**: pnpm is significantly faster than npm and yarn
+- **Disk space savings**: pnpm uses a content-addressable store to avoid duplication
+- **Phantom dependency prevention**: pnpm creates a strict node_modules structure
+- **Native workspaces support**: simplified monorepo management
+
+## How to use pnpm
+
+### Installation
+
+```bash
+# Global installation of pnpm
+npm install -g pnpm@10.8.1
+
+# Or with corepack (available with Node.js 22+)
+corepack enable
+corepack prepare pnpm@10.8.1 --activate
+```
+
+### Common commands
+
+| npm command     | pnpm equivalent  |
+| --------------- | ---------------- |
+| `npm install`   | `pnpm install`   |
+| `npm run build` | `pnpm run build` |
+| `npm test`      | `pnpm test`      |
+| `npm run lint`  | `pnpm run lint`  |
+
+### Workspace-specific commands
+
+| Action                                     | Command                                  |
+| ------------------------------------------ | ---------------------------------------- |
+| Run a command in a specific package        | `pnpm --filter @openai/codex run build`  |
+| Install a dependency in a specific package | `pnpm --filter @openai/codex add lodash` |
+| Run a command in all packages              | `pnpm -r run test`                       |
+
+## Monorepo structure
+
+```
+codex/
+├── pnpm-workspace.yaml    # Workspace configuration
+├── .npmrc                 # pnpm configuration
+├── package.json           # Root dependencies and scripts
+├── codex-cli/             # Main package
+│   └── package.json       # codex-cli specific dependencies
+└── docs/                  # Documentation (future package)
+```
+
+## Configuration files
+
+- **pnpm-workspace.yaml**: Defines the packages included in the monorepo
+- **.npmrc**: Configures pnpm behavior
+- **Root package.json**: Contains shared scripts and dependencies
+
+## CI/CD
+
+CI/CD workflows have been updated to use pnpm instead of npm. Make sure your CI environments use pnpm 10.8.1 or higher.
+
+## Known issues
+
+If you encounter issues with pnpm, try the following solutions:
+
+1. Remove the `node_modules` folder and `pnpm-lock.yaml` file, then run `pnpm install`
+2. Make sure you're using pnpm 10.8.1 or higher
+3. Verify that Node.js 22 or higher is installed

README.md

@@ -1,11 +1,13 @@
 <p align="center"><code>npm i -g @openai/codex</code><br />or <code>brew install --cask codex</code></p>
+
 <p align="center"><strong>Codex CLI</strong> is a coding agent from OpenAI that runs locally on your computer.
+</br>
+</br>If you want Codex in your code editor (VS Code, Cursor, Windsurf), <a href="https://developers.openai.com/codex/ide">install in your IDE</a>
+</br>If you are looking for the <em>cloud-based agent</em> from OpenAI, <strong>Codex Web</strong>, go to <a href="https://chatgpt.com/codex">chatgpt.com/codex</a></p>
+
 <p align="center">
   <img src="./.github/codex-cli-splash.png" alt="Codex CLI splash" width="80%" />
-</p>
-</br>
-If you want Codex in your code editor (VS Code, Cursor, Windsurf), <a href="https://developers.openai.com/codex/ide">install in your IDE.</a>
-</br>If you are looking for the <em>cloud-based agent</em> from OpenAI, <strong>Codex Web</strong>, go to <a href="https://chatgpt.com/codex">chatgpt.com/codex</a>.</p>
+  </p>
 
 ---
 
@@ -13,19 +15,23 @@ If you want Codex in your code editor (VS Code, Cursor, Windsurf), <a href="http
 
 ### Installing and running Codex CLI
 
-Install globally with your preferred package manager:
+Install globally with your preferred package manager. If you use npm:
 
 ```shell
-# Install using npm
 npm install -g @openai/codex
 ```
 
+Alternatively, if you use Homebrew:
+
 ```shell
-# Install using Homebrew
 brew install --cask codex
 ```
 
-Then simply run `codex` to get started.
+Then simply run `codex` to get started:
+
+```shell
+codex
+```
 
 <details>
 <summary>You can also go to the <a href="https://github.com/openai/codex/releases/latest">latest GitHub Release</a> and download the appropriate binary for your platform.</summary>
@@ -45,15 +51,55 @@ Each archive contains a single entry with the platform baked into the name (e.g.
 
 ### Using Codex with your ChatGPT plan
 
+<p align="center">
+  <img src="./.github/codex-cli-login.png" alt="Codex CLI login" width="80%" />
+  </p>
+
 Run `codex` and select **Sign in with ChatGPT**. We recommend signing into your ChatGPT account to use Codex as part of your Plus, Pro, Team, Edu, or Enterprise plan. [Learn more about what's included in your ChatGPT plan](https://help.openai.com/en/articles/11369540-codex-in-chatgpt).
 
-You can also use Codex with an API key, but this requires [additional setup](https://developers.openai.com/codex/auth#sign-in-with-an-api-key).
+You can also use Codex with an API key, but this requires [additional setup](./docs/authentication.md#usage-based-billing-alternative-use-an-openai-api-key). If you previously used an API key for usage-based billing, see the [migration steps](./docs/authentication.md#migrating-from-usage-based-billing-api-key). If you're having trouble with login, please comment on [this issue](https://github.com/openai/codex/issues/1243).
 
-## Docs
+### Model Context Protocol (MCP)
 
-- [**Codex Documentation**](https://developers.openai.com/codex)
+Codex can access MCP servers. To configure them, refer to the [config docs](./docs/config.md#mcp_servers).
+
+### Configuration
+
+Codex CLI supports a rich set of configuration options, with preferences stored in `~/.codex/config.toml`. For full configuration options, see [Configuration](./docs/config.md).
+
+---
+
+### Docs & FAQ
+
+- [**Getting started**](./docs/getting-started.md)
+  - [CLI usage](./docs/getting-started.md#cli-usage)
+  - [Running with a prompt as input](./docs/getting-started.md#running-with-a-prompt-as-input)
+  - [Example prompts](./docs/getting-started.md#example-prompts)
+  - [Custom prompts](./docs/prompts.md)
+  - [Memory with AGENTS.md](./docs/getting-started.md#memory-with-agentsmd)
+  - [Configuration](./docs/config.md)
+- [**Sandbox & approvals**](./docs/sandbox.md)
+- [**Authentication**](./docs/authentication.md)
+  - [Auth methods](./docs/authentication.md#forcing-a-specific-auth-method-advanced)
+  - [Login on a "Headless" machine](./docs/authentication.md#connecting-on-a-headless-machine)
+- **Automating Codex**
+  - [GitHub Action](https://github.com/openai/codex-action)
+  - [TypeScript SDK](./sdk/typescript/README.md)
+  - [Non-interactive mode (`codex exec`)](./docs/exec.md)
+- [**Advanced**](./docs/advanced.md)
+  - [Tracing / verbose logging](./docs/advanced.md#tracing--verbose-logging)
+  - [Model Context Protocol (MCP)](./docs/advanced.md#model-context-protocol-mcp)
+- [**Zero data retention (ZDR)**](./docs/zdr.md)
 - [**Contributing**](./docs/contributing.md)
-- [**Installing & building**](./docs/install.md)
+- [**Install & build**](./docs/install.md)
+  - [System Requirements](./docs/install.md#system-requirements)
+  - [DotSlash](./docs/install.md#dotslash)
+  - [Build from source](./docs/install.md#build-from-source)
+- [**FAQ**](./docs/faq.md)
 - [**Open source fund**](./docs/open-source-fund.md)
 
+---
+
+## License
+
 This repository is licensed under the [Apache-2.0 License](LICENSE).

announcement_tip.toml

@@ -1,17 +0,0 @@
-# Example announcement tips for Codex TUI.
-# Each [[announcements]] entry is evaluated in order; the last matching one is shown.
-# Dates are UTC, formatted as YYYY-MM-DD. The from_date is inclusive and the to_date is exclusive.
-# version_regex matches against the CLI version (env!("CARGO_PKG_VERSION")); omit to apply to all versions.
-# target_app specify which app should display the announcement (cli, vsce, ...).
-
-[[announcements]]
-content = "Welcome to Codex! Check out the new onboarding flow."
-from_date = "2024-10-01"
-to_date = "2024-10-15"
-target_app = "cli"
-
-# Test announcement only for local build version until 2026-01-10 excluded (past)
-[[announcements]]
-content = "This is a test announcement"
-version_regex = "^0\\.0\\.0$"
-to_date = "2026-01-10"

codex-cli/bin/codex.js

@@ -96,8 +96,9 @@ function detectPackageManager() {
   }
 
   if (
-    __dirname.includes(".bun/install/global") ||
-    __dirname.includes(".bun\\install\\global")
+    process.env.BUN_INSTALL ||
+    process.env.BUN_INSTALL_GLOBAL_DIR ||
+    process.env.BUN_INSTALL_BIN_DIR
   ) {
     return "bun";
   }

codex-cli/package-lock.json

@@ -0,0 +1,18 @@
+{
+  "name": "@openai/codex",
+  "version": "0.0.0-dev",
+  "lockfileVersion": 3,
+  "packages": {
+    "": {
+      "name": "@openai/codex",
+      "version": "0.0.0-dev",
+      "license": "Apache-2.0",
+      "bin": {
+        "codex": "bin/codex.js"
+      },
+      "engines": {
+        "node": ">=16"
+      }
+    }
+  }
+}

codex-cli/package.json

@@ -17,6 +17,5 @@
     "type": "git",
     "url": "git+https://github.com/openai/codex.git",
     "directory": "codex-cli"
-  },
-  "packageManager": "pnpm@10.28.2+sha512.41872f037ad22f7348e3b1debbaf7e867cfd448f2726d9cf74c08f19507c31d2c8e7a11525b983febc2df640b5438dee6023ebb1f84ed43cc2d654d2bc326264"
+  }
 }

codex-cli/scripts/build_npm_package.py

@@ -20,14 +20,9 @@ PACKAGE_NATIVE_COMPONENTS: dict[str, list[str]] = {
     "codex-responses-api-proxy": ["codex-responses-api-proxy"],
     "codex-sdk": ["codex"],
 }
-WINDOWS_ONLY_COMPONENTS: dict[str, list[str]] = {
-    "codex": ["codex-windows-sandbox-setup", "codex-command-runner"],
-}
 COMPONENT_DEST_DIR: dict[str, str] = {
     "codex": "codex",
     "codex-responses-api-proxy": "codex-responses-api-proxy",
-    "codex-windows-sandbox-setup": "codex",
-    "codex-command-runner": "codex",
     "rg": "path",
 }
 
@@ -108,7 +103,7 @@ def main() -> int:
                     "pointing to a directory containing pre-installed binaries."
                 )
 
-            copy_native_binaries(vendor_src, staging_dir, package, native_components)
+            copy_native_binaries(vendor_src, staging_dir, native_components)
 
         if release_version:
             staging_dir_str = str(staging_dir)
@@ -237,12 +232,7 @@ def stage_codex_sdk_sources(staging_dir: Path) -> None:
         shutil.copy2(license_src, staging_dir / "LICENSE")
 
 
-def copy_native_binaries(
-    vendor_src: Path,
-    staging_dir: Path,
-    package: str,
-    components: list[str],
-) -> None:
+def copy_native_binaries(vendor_src: Path, staging_dir: Path, components: list[str]) -> None:
     vendor_src = vendor_src.resolve()
     if not vendor_src.exists():
         raise RuntimeError(f"Vendor source directory not found: {vendor_src}")
@@ -260,9 +250,6 @@ def copy_native_binaries(
         if not target_dir.is_dir():
             continue
 
-        if "windows" in target_dir.name:
-            components_set.update(WINDOWS_ONLY_COMPONENTS.get(package, []))
-
         dest_target_dir = vendor_dest / target_dir.name
         dest_target_dir.mkdir(parents=True, exist_ok=True)
 

codex-cli/scripts/install_native_deps.py

@@ -2,7 +2,6 @@
 """Install Codex native binaries (Rust CLI plus ripgrep helpers)."""
 
 import argparse
-from contextlib import contextmanager
 import json
 import os
 import shutil
@@ -13,7 +12,6 @@ import zipfile
 from dataclasses import dataclass
 from concurrent.futures import ThreadPoolExecutor, as_completed
 from pathlib import Path
-import sys
 from typing import Iterable, Sequence
 from urllib.parse import urlparse
 from urllib.request import urlopen
@@ -38,11 +36,8 @@ class BinaryComponent:
     artifact_prefix: str  # matches the artifact filename prefix (e.g. codex-<target>.zst)
     dest_dir: str  # directory under vendor/<target>/ where the binary is installed
     binary_basename: str  # executable name inside dest_dir (before optional .exe)
-    targets: tuple[str, ...] | None = None  # limit installation to specific targets
 
 
-WINDOWS_TARGETS = tuple(target for target in BINARY_TARGETS if "windows" in target)
-
 BINARY_COMPONENTS = {
     "codex": BinaryComponent(
         artifact_prefix="codex",
@@ -54,18 +49,6 @@ BINARY_COMPONENTS = {
         dest_dir="codex-responses-api-proxy",
         binary_basename="codex-responses-api-proxy",
     ),
-    "codex-windows-sandbox-setup": BinaryComponent(
-        artifact_prefix="codex-windows-sandbox-setup",
-        dest_dir="codex",
-        binary_basename="codex-windows-sandbox-setup",
-        targets=WINDOWS_TARGETS,
-    ),
-    "codex-command-runner": BinaryComponent(
-        artifact_prefix="codex-command-runner",
-        dest_dir="codex",
-        binary_basename="codex-command-runner",
-        targets=WINDOWS_TARGETS,
-    ),
 }
 
 RG_TARGET_PLATFORM_PAIRS: list[tuple[str, str]] = [
@@ -79,45 +62,6 @@ RG_TARGET_PLATFORM_PAIRS: list[tuple[str, str]] = [
 RG_TARGET_TO_PLATFORM = {target: platform for target, platform in RG_TARGET_PLATFORM_PAIRS}
 DEFAULT_RG_TARGETS = [target for target, _ in RG_TARGET_PLATFORM_PAIRS]
 
-# urllib.request.urlopen() defaults to no timeout (can hang indefinitely), which is painful in CI.
-DOWNLOAD_TIMEOUT_SECS = 60
-
-
-def _gha_enabled() -> bool:
-    # GitHub Actions supports "workflow commands" (e.g. ::group:: / ::error::) that make logs
-    # much easier to scan: groups collapse noisy sections and error annotations surface the
-    # failure in the UI without changing the actual exception/traceback output.
-    return os.environ.get("GITHUB_ACTIONS") == "true"
-
-
-def _gha_escape(value: str) -> str:
-    # Workflow commands require percent/newline escaping.
-    return value.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")
-
-
-def _gha_error(*, title: str, message: str) -> None:
-    # Emit a GitHub Actions error annotation. This does not replace stdout/stderr logs; it just
-    # adds a prominent summary line to the job UI so the root cause is easier to spot.
-    if not _gha_enabled():
-        return
-    print(
-        f"::error title={_gha_escape(title)}::{_gha_escape(message)}",
-        flush=True,
-    )
-
-
-@contextmanager
-def _gha_group(title: str):
-    # Wrap a block in a collapsible log group on GitHub Actions. Outside of GHA this is a no-op
-    # so local output remains unchanged.
-    if _gha_enabled():
-        print(f"::group::{_gha_escape(title)}", flush=True)
-    try:
-        yield
-    finally:
-        if _gha_enabled():
-            print("::endgroup::", flush=True)
-
 
 def parse_args() -> argparse.Namespace:
     parser = argparse.ArgumentParser(description="Install native Codex binaries.")
@@ -135,8 +79,7 @@ def parse_args() -> argparse.Namespace:
         choices=tuple(list(BINARY_COMPONENTS) + ["rg"]),
         help=(
             "Limit installation to the specified components."
-            " May be repeated. Defaults to codex, codex-windows-sandbox-setup,"
-            " codex-command-runner, and rg."
+            " May be repeated. Defaults to 'codex' and 'rg'."
         ),
     )
     parser.add_argument(
@@ -158,12 +101,7 @@ def main() -> int:
     vendor_dir = codex_cli_root / VENDOR_DIR_NAME
     vendor_dir.mkdir(parents=True, exist_ok=True)
 
-    components = args.components or [
-        "codex",
-        "codex-windows-sandbox-setup",
-        "codex-command-runner",
-        "rg",
-    ]
+    components = args.components or ["codex", "rg"]
 
     workflow_url = (args.workflow_url or DEFAULT_WORKFLOW_URL).strip()
     if not workflow_url:
@@ -172,20 +110,19 @@ def main() -> int:
     workflow_id = workflow_url.rstrip("/").split("/")[-1]
     print(f"Downloading native artifacts from workflow {workflow_id}...")
 
-    with _gha_group(f"Download native artifacts from workflow {workflow_id}"):
-        with tempfile.TemporaryDirectory(prefix="codex-native-artifacts-") as artifacts_dir_str:
-            artifacts_dir = Path(artifacts_dir_str)
-            _download_artifacts(workflow_id, artifacts_dir)
-            install_binary_components(
-                artifacts_dir,
-                vendor_dir,
-                [BINARY_COMPONENTS[name] for name in components if name in BINARY_COMPONENTS],
-            )
+    with tempfile.TemporaryDirectory(prefix="codex-native-artifacts-") as artifacts_dir_str:
+        artifacts_dir = Path(artifacts_dir_str)
+        _download_artifacts(workflow_id, artifacts_dir)
+        install_binary_components(
+            artifacts_dir,
+            vendor_dir,
+            BINARY_TARGETS,
+            [name for name in components if name in BINARY_COMPONENTS],
+        )
 
     if "rg" in components:
-        with _gha_group("Fetch ripgrep binaries"):
-            print("Fetching ripgrep binaries...")
-            fetch_rg(vendor_dir, DEFAULT_RG_TARGETS, manifest_path=RG_MANIFEST)
+        print("Fetching ripgrep binaries...")
+        fetch_rg(vendor_dir, DEFAULT_RG_TARGETS, manifest_path=RG_MANIFEST)
 
     print(f"Installed native dependencies into {vendor_dir}")
     return 0
@@ -246,14 +183,7 @@ def fetch_rg(
 
         for future in as_completed(future_map):
             target = future_map[future]
-            try:
-                results[target] = future.result()
-            except Exception as exc:
-                _gha_error(
-                    title="ripgrep install failed",
-                    message=f"target={target} error={exc!r}",
-                )
-                raise RuntimeError(f"Failed to install ripgrep for target {target}.") from exc
+            results[target] = future.result()
             print(f"  installed ripgrep for {target}")
 
     return [results[target] for target in targets]
@@ -276,19 +206,23 @@ def _download_artifacts(workflow_id: str, dest_dir: Path) -> None:
 def install_binary_components(
     artifacts_dir: Path,
     vendor_dir: Path,
-    selected_components: Sequence[BinaryComponent],
+    targets: Iterable[str],
+    component_names: Sequence[str],
 ) -> None:
+    selected_components = [BINARY_COMPONENTS[name] for name in component_names if name in BINARY_COMPONENTS]
     if not selected_components:
         return
 
-    for component in selected_components:
-        component_targets = list(component.targets or BINARY_TARGETS)
+    targets = list(targets)
+    if not targets:
+        return
 
+    for component in selected_components:
         print(
             f"Installing {component.binary_basename} binaries for targets: "
-            + ", ".join(component_targets)
+            + ", ".join(targets)
         )
-        max_workers = min(len(component_targets), max(1, (os.cpu_count() or 1)))
+        max_workers = min(len(targets), max(1, (os.cpu_count() or 1)))
         with ThreadPoolExecutor(max_workers=max_workers) as executor:
             futures = {
                 executor.submit(
@@ -298,7 +232,7 @@ def install_binary_components(
                     target,
                     component,
                 ): target
-                for target in component_targets
+                for target in targets
             }
             for future in as_completed(futures):
                 installed_path = future.result()
@@ -351,8 +285,6 @@ def _fetch_single_rg(
     url = providers[0]["url"]
     archive_format = platform_info.get("format", "zst")
     archive_member = platform_info.get("path")
-    digest = platform_info.get("digest")
-    expected_size = platform_info.get("size")
 
     dest_dir = vendor_dir / target / "path"
     dest_dir.mkdir(parents=True, exist_ok=True)
@@ -365,32 +297,10 @@ def _fetch_single_rg(
         tmp_dir = Path(tmp_dir_str)
         archive_filename = os.path.basename(urlparse(url).path)
         download_path = tmp_dir / archive_filename
-        print(
-            f"  downloading ripgrep for {target} ({platform_key}) from {url}",
-            flush=True,
-        )
-        try:
-            _download_file(url, download_path)
-        except Exception as exc:
-            _gha_error(
-                title="ripgrep download failed",
-                message=f"target={target} platform={platform_key} url={url} error={exc!r}",
-            )
-            raise RuntimeError(
-                "Failed to download ripgrep "
-                f"(target={target}, platform={platform_key}, format={archive_format}, "
-                f"expected_size={expected_size!r}, digest={digest!r}, url={url}, dest={download_path})."
-            ) from exc
+        _download_file(url, download_path)
 
         dest.unlink(missing_ok=True)
-        try:
-            extract_archive(download_path, archive_format, archive_member, dest)
-        except Exception as exc:
-            raise RuntimeError(
-                "Failed to extract ripgrep "
-                f"(target={target}, platform={platform_key}, format={archive_format}, "
-                f"member={archive_member!r}, url={url}, archive={download_path})."
-            ) from exc
+        extract_archive(download_path, archive_format, archive_member, dest)
 
     if not is_windows:
         dest.chmod(0o755)
@@ -400,9 +310,7 @@ def _fetch_single_rg(
 
 def _download_file(url: str, dest: Path) -> None:
     dest.parent.mkdir(parents=True, exist_ok=True)
-    dest.unlink(missing_ok=True)
-
-    with urlopen(url, timeout=DOWNLOAD_TIMEOUT_SECS) as response, open(dest, "wb") as out:
+    with urlopen(url) as response, open(dest, "wb") as out:
         shutil.copyfileobj(response, out)
 
 

codex-rs/.cargo/audit.toml

@@ -1,6 +0,0 @@
-[advisories]
-ignore = [
-    "RUSTSEC-2024-0388", # derivative 2.2.0 via starlark; upstream crate is unmaintained
-    "RUSTSEC-2025-0057", # fxhash 0.2.1 via starlark_map; upstream crate is unmaintained
-    "RUSTSEC-2024-0436", # paste 1.0.15 via starlark/ratatui; upstream crate is unmaintained
-]

codex-rs/.cargo/config.toml

@@ -1,5 +0,0 @@
-[target.'cfg(all(windows, target_env = "msvc"))']
-rustflags = ["-C", "link-arg=/STACK:8388608"]
-
-[target.'cfg(all(windows, target_env = "gnu"))']
-rustflags = ["-C", "link-arg=-Wl,--stack,8388608"]

codex-rs/.config/nextest.toml

@@ -1,13 +0,0 @@
-[profile.default]
-# Do not increase, fix your test instead
-slow-timeout = { period = "15s", terminate-after = 2 }
-
-
-[[profile.default.overrides]]
-# Do not add new tests here
-filter = 'test(rmcp_client) | test(humanlike_typing_1000_chars_appears_live_no_placeholder)'
-slow-timeout = { period = "1m", terminate-after = 4 }
-
-[[profile.default.overrides]]
-filter = 'test(approval_matrix_covers_all_modes)'
-slow-timeout = { period = "30s", terminate-after = 2 }

codex-rs/.github/workflows/cargo-audit.yml

@@ -1,26 +0,0 @@
-name: Cargo audit
-
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-
-permissions:
-  contents: read
-
-jobs:
-  audit:
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: codex-rs
-    steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
-      - name: Install cargo-audit
-        uses: taiki-e/install-action@v2
-        with:
-          tool: cargo-audit
-      - name: Run cargo audit
-        run: cargo audit --deny warnings

codex-rs/BUILD.bazel

@@ -1 +0,0 @@
-

codex-rs/Cargo.toml

@@ -5,11 +5,6 @@ members = [
     "async-utils",
     "app-server",
     "app-server-protocol",
-    "app-server-protocol-stable-export",
-    "app-server-json-schema",
-    "app-server-ts-types",
-    "app-server-test-client",
-    "debug-client",
     "apply-patch",
     "arg0",
     "feedback",
@@ -20,37 +15,28 @@ members = [
     "common",
     "core",
     "exec",
-    "exec-server",
     "execpolicy",
-    "execpolicy-legacy",
-    "keyring-store",
     "file-search",
+    "git-tooling",
     "linux-sandbox",
-    "lmstudio",
     "login",
     "mcp-server",
     "mcp-types",
-    "network-proxy",
     "ollama",
     "process-hardening",
     "protocol",
+    "protocol-ts",
     "rmcp-client",
     "responses-api-proxy",
     "stdio-to-uds",
     "otel",
     "tui",
-    "utils/absolute-path",
-    "utils/cargo-bin",
-    "utils/git",
-    "utils/cache",
-    "utils/image",
+    "git-apply",
     "utils/json-to-toml",
-    "utils/pty",
     "utils/readiness",
+    "utils/pty",
     "utils/string",
-    "codex-client",
-    "codex-api",
-    "state",
+    "utils/tokenizer",
 ]
 resolver = "2"
 
@@ -61,56 +47,42 @@ version = "0.0.0"
 # crates created with `cargo new -w ...` automatically inherit the 2024
 # edition.
 edition = "2024"
-license = "Apache-2.0"
 
 [workspace.dependencies]
 # Internal
 app_test_support = { path = "app-server/tests/common" }
 codex-ansi-escape = { path = "ansi-escape" }
-codex-api = { path = "codex-api" }
 codex-app-server = { path = "app-server" }
-codex-app-server-json-schema = { path = "app-server-json-schema" }
 codex-app-server-protocol = { path = "app-server-protocol" }
-codex-app-server-ts-types = { path = "app-server-ts-types" }
 codex-apply-patch = { path = "apply-patch" }
 codex-arg0 = { path = "arg0" }
 codex-async-utils = { path = "async-utils" }
 codex-backend-client = { path = "backend-client" }
 codex-chatgpt = { path = "chatgpt" }
-codex-cli = { path = "cli"}
-codex-client = { path = "codex-client" }
 codex-common = { path = "common" }
 codex-core = { path = "core" }
 codex-exec = { path = "exec" }
-codex-execpolicy = { path = "execpolicy" }
 codex-feedback = { path = "feedback" }
 codex-file-search = { path = "file-search" }
-codex-git = { path = "utils/git" }
-codex-keyring-store = { path = "keyring-store" }
+codex-git-tooling = { path = "git-tooling" }
 codex-linux-sandbox = { path = "linux-sandbox" }
-codex-lmstudio = { path = "lmstudio" }
 codex-login = { path = "login" }
 codex-mcp-server = { path = "mcp-server" }
 codex-ollama = { path = "ollama" }
 codex-otel = { path = "otel" }
 codex-process-hardening = { path = "process-hardening" }
 codex-protocol = { path = "protocol" }
+codex-protocol-ts = { path = "protocol-ts" }
 codex-responses-api-proxy = { path = "responses-api-proxy" }
 codex-rmcp-client = { path = "rmcp-client" }
-codex-state = { path = "state" }
 codex-stdio-to-uds = { path = "stdio-to-uds" }
 codex-tui = { path = "tui" }
-codex-utils-absolute-path = { path = "utils/absolute-path" }
-codex-utils-cache = { path = "utils/cache" }
-codex-utils-cargo-bin = { path = "utils/cargo-bin" }
-codex-utils-image = { path = "utils/image" }
 codex-utils-json-to-toml = { path = "utils/json-to-toml" }
 codex-utils-pty = { path = "utils/pty" }
 codex-utils-readiness = { path = "utils/readiness" }
 codex-utils-string = { path = "utils/string" }
-codex-windows-sandbox = { path = "windows-sandbox-rs" }
+codex-utils-tokenizer = { path = "utils/tokenizer" }
 core_test_support = { path = "core/tests/common" }
-exec_server_test_support = { path = "exec-server/tests/common" }
 mcp-types = { path = "mcp-types" }
 mcp_test_support = { path = "mcp-server/tests/common" }
 
@@ -118,7 +90,8 @@ mcp_test_support = { path = "mcp-server/tests/common" }
 allocative = "0.3.3"
 ansi-to-tui = "7.0.0"
 anyhow = "1"
-arboard = { version = "3", features = ["wayland-data-control"] }
+arboard = "3"
+askama = "0.12"
 assert_cmd = "2"
 assert_matches = "1.5.0"
 async-channel = "2.3.1"
@@ -127,57 +100,48 @@ async-trait = "0.1.89"
 axum = { version = "0.8", default-features = false }
 base64 = "0.22.1"
 bytes = "1.10.1"
-chardetng = "0.1.17"
-chrono = "0.4.43"
+chrono = "0.4.42"
 clap = "4"
 clap_complete = "4"
 color-eyre = "0.6.3"
 crossterm = "0.28.1"
-crossbeam-channel = "0.5.15"
-ctor = "0.6.3"
+ctor = "0.5.0"
 derive_more = "2"
 diffy = "0.4.2"
 dirs = "6"
 dotenvy = "0.15.7"
 dunce = "1.0.4"
-encoding_rs = "0.8.35"
 env-flags = "0.1.1"
 env_logger = "0.11.5"
+escargot = "0.5"
 eventsource-stream = "0.2.3"
 futures = { version = "0.3", default-features = false }
-globset = "0.4"
-http = "1.3.1"
-icu_decimal = "2.1"
-icu_locale_core = "2.1"
-icu_provider = { version = "2.1", features = ["sync"] }
+icu_decimal = "2.0.0"
+icu_locale_core = "2.0.0"
 ignore = "0.4.23"
-indoc = "2.0"
-image = { version = "^0.25.9", default-features = false }
-include_dir = "0.7.4"
-indexmap = "2.12.0"
-insta = "1.46.0"
+image = { version = "^0.25.8", default-features = false }
+indexmap = "2.6.0"
+insta = "1.43.2"
 itertools = "0.14.0"
-keyring = { version = "3.6", default-features = false }
-landlock = "0.4.4"
+keyring = "3.6"
+landlock = "0.4.1"
 lazy_static = "1"
-libc = "0.2.177"
+libc = "0.2.175"
 log = "0.4"
-lru = "0.16.3"
 maplit = "1.0.2"
 mime_guess = "2.0.5"
 multimap = "0.10.0"
 notify = "8.2.0"
-nucleo = { git = "https://github.com/helix-editor/nucleo.git", rev = "4253de9faabb4e5c6d81d946a5e35a90f87347ee" }
-once_cell = "1.20.2"
+nucleo-matcher = "0.3.1"
 openssl-sys = "*"
-opentelemetry = "0.31.0"
-opentelemetry-appender-tracing = "0.31.0"
-opentelemetry-otlp = "0.31.0"
-opentelemetry-semantic-conventions = "0.31.0"
-opentelemetry_sdk = "0.31.0"
-tracing-opentelemetry = "0.32.0"
+opentelemetry = "0.30.0"
+opentelemetry-appender-tracing = "0.30.0"
+opentelemetry-otlp = "0.30.0"
+opentelemetry-semantic-conventions = "0.30.0"
+opentelemetry_sdk = "0.30.0"
 os_info = "3.12.0"
 owo-colors = "4.2.0"
+paste = "1.0.15"
 path-absolutize = "3.1.1"
 pathdiff = "0.2"
 portable-pty = "0.9.0"
@@ -187,52 +151,44 @@ pulldown-cmark = "0.10"
 rand = "0.9"
 ratatui = "0.29.0"
 ratatui-macros = "0.6.0"
-regex = "1.12.2"
-regex-lite = "0.1.8"
+regex-lite = "0.1.7"
 reqwest = "0.12"
-rmcp = { version = "0.12.0", default-features = false }
-runfiles = { git = "https://github.com/dzbarsky/rules_rust", rev = "b56cbaa8465e74127f1ea216f813cd377295ad81" }
+rmcp = { version = "0.8.2", default-features = false }
 schemars = "0.8.22"
 seccompiler = "0.5.0"
-sentry = "0.46.0"
+sentry = "0.34.0"
 serde = "1"
 serde_json = "1"
-serde_path_to_error = "0.1.20"
-serde_with = "3.16"
-serde_yaml = "0.9"
+serde_with = "3.14"
 serial_test = "3.2.0"
 sha1 = "0.10.6"
 sha2 = "0.10"
-semver = "1.0"
 shlex = "1.3.0"
 similar = "2.7.0"
-socket2 = "0.6.1"
-sqlx = { version = "0.8.6", default-features = false, features = ["chrono", "json", "macros", "migrate", "runtime-tokio-rustls", "sqlite", "time", "uuid"] }
 starlark = "0.13.0"
 strum = "0.27.2"
 strum_macros = "0.27.2"
 supports-color = "3.0.2"
 sys-locale = "0.3.2"
 tempfile = "3.23.0"
-test-log = "0.2.19"
+test-log = "0.2.18"
 textwrap = "0.16.2"
-thiserror = "2.0.17"
+thiserror = "2.0.16"
 time = "0.3"
 tiny_http = "0.12"
 tokio = "1"
-tokio-stream = "0.1.18"
+tokio-stream = "0.1.17"
 tokio-test = "0.4"
-tokio-tungstenite = { version = "0.28.0", features = ["proxy", "rustls-tls-native-roots"] }
-tokio-util = "0.7.18"
+tokio-util = "0.7.16"
 toml = "0.9.5"
-toml_edit = "0.24.0"
-tracing = "0.1.44"
+toml_edit = "0.23.4"
+tonic = "0.13.1"
+tracing = "0.1.41"
 tracing-appender = "0.2.3"
-tracing-subscriber = "0.3.22"
+tracing-subscriber = "0.3.20"
 tracing-test = "0.2.5"
 tree-sitter = "0.25.10"
 tree-sitter-bash = "0.25"
-zstd = "0.13"
 tree-sitter-highlight = "0.25.10"
 ts-rs = "11"
 uds_windows = "1.1.0"
@@ -244,11 +200,10 @@ uuid = "1"
 vt100 = "0.16.2"
 walkdir = "2.5.0"
 webbrowser = "1.0"
-which = "8"
-wildmatch = "2.6.1"
-
+which = "6"
+wildmatch = "2.5.0"
 wiremock = "0.6"
-zeroize = "1.8.2"
+zeroize = "1.8.1"
 
 [workspace.lints]
 rust = {}
@@ -291,7 +246,7 @@ unwrap_used = "deny"
 # cargo-shear cannot see the platform-specific openssl-sys usage, so we
 # silence the false positive here instead of deleting a real dependency.
 [workspace.metadata.cargo-shear]
-ignored = ["icu_provider", "openssl-sys", "codex-utils-readiness"]
+ignored = ["openssl-sys", "codex-utils-readiness", "codex-utils-tokenizer"]
 
 [profile.release]
 lto = "fat"
@@ -310,12 +265,7 @@ opt-level = 0
 [patch.crates-io]
 # Uncomment to debug local changes.
 # ratatui = { path = "../../ratatui" }
-crossterm = { git = "https://github.com/nornagon/crossterm", branch = "nornagon/color-query" }
 ratatui = { git = "https://github.com/nornagon/ratatui", branch = "nornagon-v0.29.0-patch" }
-tokio-tungstenite = { git = "https://github.com/JakkuSakura/tokio-tungstenite", rev = "2ae536b0de793f3ddf31fc2f22d445bf1ef2023d" }
 
 # Uncomment to debug local changes.
 # rmcp = { path = "../../rust-sdk/crates/rmcp" }
-
-[patch."ssh://git@github.com/JakkuSakura/tungstenite-rs.git"]
-tungstenite = { git = "https://github.com/JakkuSakura/tungstenite-rs", rev = "f514de8644821113e5d18a027d6d28a5c8cc0a6e" }

codex-rs/README.md

@@ -15,8 +15,8 @@ You can also install via Homebrew (`brew install --cask codex`) or download a pl
 
 ## Documentation quickstart
 
-- First run with Codex? Start with [`docs/getting-started.md`](../docs/getting-started.md) (links to the walkthrough for prompts, keyboard shortcuts, and session management).
-- Want deeper control? See [`docs/config.md`](../docs/config.md) and [`docs/install.md`](../docs/install.md).
+- First run with Codex? Follow the walkthrough in [`docs/getting-started.md`](../docs/getting-started.md) for prompts, keyboard shortcuts, and session management.
+- Already shipping with Codex and want deeper control? Jump to [`docs/advanced.md`](../docs/advanced.md) and the configuration reference at [`docs/config.md`](../docs/config.md).
 
 ## What's new in the Rust CLI
 
@@ -30,7 +30,7 @@ Codex supports a rich set of configuration options. Note that the Rust CLI uses
 
 #### MCP client
 
-Codex CLI functions as an MCP client that allows the Codex CLI and IDE extension to connect to MCP servers on startup. See the [`configuration documentation`](../docs/config.md#connecting-to-mcp-servers) for details.
+Codex CLI functions as an MCP client that allows the Codex CLI and IDE extension to connect to MCP servers on startup. See the [`configuration documentation`](../docs/config.md#mcp_servers) for details.
 
 #### MCP server (experimental)
 
@@ -46,7 +46,7 @@ Use `codex mcp` to add/list/get/remove MCP server launchers defined in `config.t
 
 ### Notifications
 
-You can enable notifications by configuring a script that is run whenever the agent finishes a turn. The [notify documentation](../docs/config.md#notify) includes a detailed example that explains how to get desktop notifications via [terminal-notifier](https://github.com/julienXX/terminal-notifier) on macOS. When Codex detects that it is running under WSL 2 inside Windows Terminal (`WT_SESSION` is set), the TUI automatically falls back to native Windows toast notifications so approval prompts and completed turns surface even though Windows Terminal does not implement OSC 9.
+You can enable notifications by configuring a script that is run whenever the agent finishes a turn. The [notify documentation](../docs/config.md#notify) includes a detailed example that explains how to get desktop notifications via [terminal-notifier](https://github.com/julienXX/terminal-notifier) on macOS.
 
 ### `codex exec` to run Codex programmatically/non-interactively
 
@@ -58,16 +58,13 @@ To test to see what happens when a command is run under the sandbox provided by
 
 ```
 # macOS
-codex sandbox macos [--full-auto] [--log-denials] [COMMAND]...
+codex sandbox macos [--full-auto] [COMMAND]...
 
 # Linux
 codex sandbox linux [--full-auto] [COMMAND]...
 
-# Windows
-codex sandbox windows [--full-auto] [COMMAND]...
-
 # Legacy aliases
-codex debug seatbelt [--full-auto] [--log-denials] [COMMAND]...
+codex debug seatbelt [--full-auto] [COMMAND]...
 codex debug landlock [--full-auto] [COMMAND]...
 ```
 

codex-rs/ansi-escape/BUILD.bazel

@@ -1,6 +0,0 @@
-load("//:defs.bzl", "codex_rust_crate")
-
-codex_rust_crate(
-    name = "ansi-escape",
-    crate_name = "codex_ansi_escape",
-)

codex-rs/ansi-escape/Cargo.toml

@@ -1,8 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-ansi-escape"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
+version = { workspace = true }
 
 [lib]
 name = "codex_ansi_escape"

codex-rs/app-server-json-schema/BUILD.bazel

@@ -1,21 +0,0 @@
-load("//:defs.bzl", "codex_rust_crate")
-
-stable_files = glob(
-    include = ["stable/**"],
-    allow_empty = True,
-    exclude = [
-        "**/* *",
-        "BUILD.bazel",
-        "Cargo.toml",
-    ],
-)
-
-codex_rust_crate(
-    name = "app-server-json-schema",
-    compile_data = stable_files,
-    crate_name = "codex_app_server_json_schema",
-    extra_binaries = [
-        "//codex-rs/app-server-protocol-stable-export:codex-app-server-protocol-stable-export",
-    ],
-    test_data_extra = stable_files,
-)

codex-rs/app-server-json-schema/Cargo.toml

@@ -1,17 +0,0 @@
-[package]
-name = "codex-app-server-json-schema"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
-
-[lints]
-workspace = true
-
-[dependencies]
-include_dir = { workspace = true }
-
-[dev-dependencies]
-anyhow = { workspace = true }
-codex-utils-cargo-bin = { workspace = true }
-pretty_assertions = { workspace = true }
-tempfile = { workspace = true }

codex-rs/app-server-json-schema/src/lib.rs

@@ -1,39 +0,0 @@
-use std::ffi::OsStr;
-use std::fs;
-use std::io;
-use std::path::Path;
-
-static STABLE_APP_SERVER_JSON_SCHEMA_DIR: include_dir::Dir<'_> =
-    include_dir::include_dir!("$CARGO_MANIFEST_DIR/stable");
-
-/// Write the bundled stable JSON Schema artifacts to `out_dir`.
-pub fn write_stable_json_schema(out_dir: &Path) -> io::Result<()> {
-    fs::create_dir_all(out_dir)?;
-    write_dir_recursive(&STABLE_APP_SERVER_JSON_SCHEMA_DIR, out_dir, "json")
-}
-
-fn write_dir_recursive(
-    dir: &include_dir::Dir<'_>,
-    out_dir: &Path,
-    extension: &str,
-) -> io::Result<()> {
-    for file in dir.files() {
-        if file
-            .path()
-            .extension()
-            .is_some_and(|ext| ext == OsStr::new(extension))
-        {
-            let out_path = out_dir.join(file.path());
-            if let Some(parent) = out_path.parent() {
-                fs::create_dir_all(parent)?;
-            }
-            fs::write(out_path, file.contents())?;
-        }
-    }
-
-    for child in dir.dirs() {
-        write_dir_recursive(child, out_dir, extension)?;
-    }
-
-    Ok(())
-}

codex-rs/app-server-json-schema/stable/ApplyPatchApprovalParams.json

@@ -1,114 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "FileChange": {
-      "oneOf": [
-        {
-          "properties": {
-            "content": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "add"
-              ],
-              "title": "AddFileChangeType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "content",
-            "type"
-          ],
-          "title": "AddFileChange",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "content": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "delete"
-              ],
-              "title": "DeleteFileChangeType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "content",
-            "type"
-          ],
-          "title": "DeleteFileChange",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "move_path": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "update"
-              ],
-              "title": "UpdateFileChangeType",
-              "type": "string"
-            },
-            "unified_diff": {
-              "type": "string"
-            }
-          },
-          "required": [
-            "type",
-            "unified_diff"
-          ],
-          "title": "UpdateFileChange",
-          "type": "object"
-        }
-      ]
-    },
-    "ThreadId": {
-      "type": "string"
-    }
-  },
-  "properties": {
-    "callId": {
-      "description": "Use to correlate this with [codex_core::protocol::PatchApplyBeginEvent] and [codex_core::protocol::PatchApplyEndEvent].",
-      "type": "string"
-    },
-    "conversationId": {
-      "$ref": "#/definitions/ThreadId"
-    },
-    "fileChanges": {
-      "additionalProperties": {
-        "$ref": "#/definitions/FileChange"
-      },
-      "type": "object"
-    },
-    "grantRoot": {
-      "description": "When set, the agent is asking the user to allow writes under this root for the remainder of the session (unclear if this is honored today).",
-      "type": [
-        "string",
-        "null"
-      ]
-    },
-    "reason": {
-      "description": "Optional explanatory reason (e.g. request for extra write access).",
-      "type": [
-        "string",
-        "null"
-      ]
-    }
-  },
-  "required": [
-    "callId",
-    "conversationId",
-    "fileChanges"
-  ],
-  "title": "ApplyPatchApprovalParams",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/ApplyPatchApprovalResponse.json

@@ -1,73 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "ReviewDecision": {
-      "description": "User's decision in response to an ExecApprovalRequest.",
-      "oneOf": [
-        {
-          "description": "User has approved this command and the agent should execute it.",
-          "enum": [
-            "approved"
-          ],
-          "type": "string"
-        },
-        {
-          "additionalProperties": false,
-          "description": "User has approved this command and wants to apply the proposed execpolicy amendment so future matching commands are permitted.",
-          "properties": {
-            "approved_execpolicy_amendment": {
-              "properties": {
-                "proposed_execpolicy_amendment": {
-                  "items": {
-                    "type": "string"
-                  },
-                  "type": "array"
-                }
-              },
-              "required": [
-                "proposed_execpolicy_amendment"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "approved_execpolicy_amendment"
-          ],
-          "title": "ApprovedExecpolicyAmendmentReviewDecision",
-          "type": "object"
-        },
-        {
-          "description": "User has approved this command and wants to automatically approve any future identical instances (`command` and `cwd` match exactly) for the remainder of the session.",
-          "enum": [
-            "approved_for_session"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "User has denied this command and the agent should not execute it, but it should continue the session and try something else.",
-          "enum": [
-            "denied"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "User has denied this command and the agent should not do anything until the user's next command.",
-          "enum": [
-            "abort"
-          ],
-          "type": "string"
-        }
-      ]
-    }
-  },
-  "properties": {
-    "decision": {
-      "$ref": "#/definitions/ReviewDecision"
-    }
-  },
-  "required": [
-    "decision"
-  ],
-  "title": "ApplyPatchApprovalResponse",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/ClientNotification.json

@@ -1,22 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "oneOf": [
-    {
-      "properties": {
-        "method": {
-          "enum": [
-            "initialized"
-          ],
-          "title": "InitializedNotificationMethod",
-          "type": "string"
-        }
-      },
-      "required": [
-        "method"
-      ],
-      "title": "InitializedNotification",
-      "type": "object"
-    }
-  ],
-  "title": "ClientNotification"
-}

codex-rs/app-server-json-schema/stable/CommandExecutionRequestApprovalParams.json

@@ -1,174 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "CommandAction": {
-      "oneOf": [
-        {
-          "properties": {
-            "command": {
-              "type": "string"
-            },
-            "name": {
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "read"
-              ],
-              "title": "ReadCommandActionType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "command",
-            "name",
-            "path",
-            "type"
-          ],
-          "title": "ReadCommandAction",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "command": {
-              "type": "string"
-            },
-            "path": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "listFiles"
-              ],
-              "title": "ListFilesCommandActionType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "command",
-            "type"
-          ],
-          "title": "ListFilesCommandAction",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "command": {
-              "type": "string"
-            },
-            "path": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "query": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "search"
-              ],
-              "title": "SearchCommandActionType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "command",
-            "type"
-          ],
-          "title": "SearchCommandAction",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "command": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "unknown"
-              ],
-              "title": "UnknownCommandActionType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "command",
-            "type"
-          ],
-          "title": "UnknownCommandAction",
-          "type": "object"
-        }
-      ]
-    }
-  },
-  "properties": {
-    "command": {
-      "description": "The command to be executed.",
-      "type": [
-        "string",
-        "null"
-      ]
-    },
-    "commandActions": {
-      "description": "Best-effort parsed command actions for friendly display.",
-      "items": {
-        "$ref": "#/definitions/CommandAction"
-      },
-      "type": [
-        "array",
-        "null"
-      ]
-    },
-    "cwd": {
-      "description": "The command's working directory.",
-      "type": [
-        "string",
-        "null"
-      ]
-    },
-    "itemId": {
-      "type": "string"
-    },
-    "proposedExecpolicyAmendment": {
-      "description": "Optional proposed execpolicy amendment to allow similar commands without prompting.",
-      "items": {
-        "type": "string"
-      },
-      "type": [
-        "array",
-        "null"
-      ]
-    },
-    "reason": {
-      "description": "Optional explanatory reason (e.g. request for network access).",
-      "type": [
-        "string",
-        "null"
-      ]
-    },
-    "threadId": {
-      "type": "string"
-    },
-    "turnId": {
-      "type": "string"
-    }
-  },
-  "required": [
-    "itemId",
-    "threadId",
-    "turnId"
-  ],
-  "title": "CommandExecutionRequestApprovalParams",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/CommandExecutionRequestApprovalResponse.json

@@ -1,72 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "CommandExecutionApprovalDecision": {
-      "oneOf": [
-        {
-          "description": "User approved the command.",
-          "enum": [
-            "accept"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "User approved the command and future identical commands should run without prompting.",
-          "enum": [
-            "acceptForSession"
-          ],
-          "type": "string"
-        },
-        {
-          "additionalProperties": false,
-          "description": "User approved the command, and wants to apply the proposed execpolicy amendment so future matching commands can run without prompting.",
-          "properties": {
-            "acceptWithExecpolicyAmendment": {
-              "properties": {
-                "execpolicy_amendment": {
-                  "items": {
-                    "type": "string"
-                  },
-                  "type": "array"
-                }
-              },
-              "required": [
-                "execpolicy_amendment"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "acceptWithExecpolicyAmendment"
-          ],
-          "title": "AcceptWithExecpolicyAmendmentCommandExecutionApprovalDecision",
-          "type": "object"
-        },
-        {
-          "description": "User denied the command. The agent will continue the turn.",
-          "enum": [
-            "decline"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "User denied the command. The turn will also be immediately interrupted.",
-          "enum": [
-            "cancel"
-          ],
-          "type": "string"
-        }
-      ]
-    }
-  },
-  "properties": {
-    "decision": {
-      "$ref": "#/definitions/CommandExecutionApprovalDecision"
-    }
-  },
-  "required": [
-    "decision"
-  ],
-  "title": "CommandExecutionRequestApprovalResponse",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/DynamicToolCallParams.json

@@ -1,27 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "arguments": true,
-    "callId": {
-      "type": "string"
-    },
-    "threadId": {
-      "type": "string"
-    },
-    "tool": {
-      "type": "string"
-    },
-    "turnId": {
-      "type": "string"
-    }
-  },
-  "required": [
-    "arguments",
-    "callId",
-    "threadId",
-    "tool",
-    "turnId"
-  ],
-  "title": "DynamicToolCallParams",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/DynamicToolCallResponse.json

@@ -1,17 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "output": {
-      "type": "string"
-    },
-    "success": {
-      "type": "boolean"
-    }
-  },
-  "required": [
-    "output",
-    "success"
-  ],
-  "title": "DynamicToolCallResponse",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/ExecCommandApprovalParams.json

@@ -1,158 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "ParsedCommand": {
-      "oneOf": [
-        {
-          "properties": {
-            "cmd": {
-              "type": "string"
-            },
-            "name": {
-              "type": "string"
-            },
-            "path": {
-              "description": "(Best effort) Path to the file being read by the command. When possible, this is an absolute path, though when relative, it should be resolved against the `cwd`` that will be used to run the command to derive the absolute path.",
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "read"
-              ],
-              "title": "ReadParsedCommandType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "cmd",
-            "name",
-            "path",
-            "type"
-          ],
-          "title": "ReadParsedCommand",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "cmd": {
-              "type": "string"
-            },
-            "path": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "list_files"
-              ],
-              "title": "ListFilesParsedCommandType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "cmd",
-            "type"
-          ],
-          "title": "ListFilesParsedCommand",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "cmd": {
-              "type": "string"
-            },
-            "path": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "query": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "search"
-              ],
-              "title": "SearchParsedCommandType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "cmd",
-            "type"
-          ],
-          "title": "SearchParsedCommand",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "cmd": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "unknown"
-              ],
-              "title": "UnknownParsedCommandType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "cmd",
-            "type"
-          ],
-          "title": "UnknownParsedCommand",
-          "type": "object"
-        }
-      ]
-    },
-    "ThreadId": {
-      "type": "string"
-    }
-  },
-  "properties": {
-    "callId": {
-      "description": "Use to correlate this with [codex_core::protocol::ExecCommandBeginEvent] and [codex_core::protocol::ExecCommandEndEvent].",
-      "type": "string"
-    },
-    "command": {
-      "items": {
-        "type": "string"
-      },
-      "type": "array"
-    },
-    "conversationId": {
-      "$ref": "#/definitions/ThreadId"
-    },
-    "cwd": {
-      "type": "string"
-    },
-    "parsedCmd": {
-      "items": {
-        "$ref": "#/definitions/ParsedCommand"
-      },
-      "type": "array"
-    },
-    "reason": {
-      "type": [
-        "string",
-        "null"
-      ]
-    }
-  },
-  "required": [
-    "callId",
-    "command",
-    "conversationId",
-    "cwd",
-    "parsedCmd"
-  ],
-  "title": "ExecCommandApprovalParams",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/ExecCommandApprovalResponse.json

@@ -1,73 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "ReviewDecision": {
-      "description": "User's decision in response to an ExecApprovalRequest.",
-      "oneOf": [
-        {
-          "description": "User has approved this command and the agent should execute it.",
-          "enum": [
-            "approved"
-          ],
-          "type": "string"
-        },
-        {
-          "additionalProperties": false,
-          "description": "User has approved this command and wants to apply the proposed execpolicy amendment so future matching commands are permitted.",
-          "properties": {
-            "approved_execpolicy_amendment": {
-              "properties": {
-                "proposed_execpolicy_amendment": {
-                  "items": {
-                    "type": "string"
-                  },
-                  "type": "array"
-                }
-              },
-              "required": [
-                "proposed_execpolicy_amendment"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "approved_execpolicy_amendment"
-          ],
-          "title": "ApprovedExecpolicyAmendmentReviewDecision",
-          "type": "object"
-        },
-        {
-          "description": "User has approved this command and wants to automatically approve any future identical instances (`command` and `cwd` match exactly) for the remainder of the session.",
-          "enum": [
-            "approved_for_session"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "User has denied this command and the agent should not execute it, but it should continue the session and try something else.",
-          "enum": [
-            "denied"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "User has denied this command and the agent should not do anything until the user's next command.",
-          "enum": [
-            "abort"
-          ],
-          "type": "string"
-        }
-      ]
-    }
-  },
-  "properties": {
-    "decision": {
-      "$ref": "#/definitions/ReviewDecision"
-    }
-  },
-  "required": [
-    "decision"
-  ],
-  "title": "ExecCommandApprovalResponse",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/FileChangeRequestApprovalParams.json

@@ -1,28 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "itemId": {
-      "type": "string"
-    },
-    "reason": {
-      "description": "Optional explanatory reason (e.g. request for extra write access).",
-      "type": [
-        "string",
-        "null"
-      ]
-    },
-    "threadId": {
-      "type": "string"
-    },
-    "turnId": {
-      "type": "string"
-    }
-  },
-  "required": [
-    "itemId",
-    "threadId",
-    "turnId"
-  ],
-  "title": "FileChangeRequestApprovalParams",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/FileChangeRequestApprovalResponse.json

@@ -1,47 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "FileChangeApprovalDecision": {
-      "oneOf": [
-        {
-          "description": "User approved the file changes.",
-          "enum": [
-            "accept"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "User approved the file changes and future changes to the same files should run without prompting.",
-          "enum": [
-            "acceptForSession"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "User denied the file changes. The agent will continue the turn.",
-          "enum": [
-            "decline"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "User denied the file changes. The turn will also be immediately interrupted.",
-          "enum": [
-            "cancel"
-          ],
-          "type": "string"
-        }
-      ]
-    }
-  },
-  "properties": {
-    "decision": {
-      "$ref": "#/definitions/FileChangeApprovalDecision"
-    }
-  },
-  "required": [
-    "decision"
-  ],
-  "title": "FileChangeRequestApprovalResponse",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/FuzzyFileSearchParams.json

@@ -1,26 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "cancellationToken": {
-      "type": [
-        "string",
-        "null"
-      ]
-    },
-    "query": {
-      "type": "string"
-    },
-    "roots": {
-      "items": {
-        "type": "string"
-      },
-      "type": "array"
-    }
-  },
-  "required": [
-    "query",
-    "roots"
-  ],
-  "title": "FuzzyFileSearchParams",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/FuzzyFileSearchResponse.json

@@ -1,55 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "FuzzyFileSearchResult": {
-      "description": "Superset of [`codex_file_search::FileMatch`]",
-      "properties": {
-        "file_name": {
-          "type": "string"
-        },
-        "indices": {
-          "items": {
-            "format": "uint32",
-            "minimum": 0.0,
-            "type": "integer"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
-        },
-        "path": {
-          "type": "string"
-        },
-        "root": {
-          "type": "string"
-        },
-        "score": {
-          "format": "uint32",
-          "minimum": 0.0,
-          "type": "integer"
-        }
-      },
-      "required": [
-        "file_name",
-        "path",
-        "root",
-        "score"
-      ],
-      "type": "object"
-    }
-  },
-  "properties": {
-    "files": {
-      "items": {
-        "$ref": "#/definitions/FuzzyFileSearchResult"
-      },
-      "type": "array"
-    }
-  },
-  "required": [
-    "files"
-  ],
-  "title": "FuzzyFileSearchResponse",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/JSONRPCError.json

@@ -1,48 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "JSONRPCErrorError": {
-      "properties": {
-        "code": {
-          "format": "int64",
-          "type": "integer"
-        },
-        "data": true,
-        "message": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "code",
-        "message"
-      ],
-      "type": "object"
-    },
-    "RequestId": {
-      "anyOf": [
-        {
-          "type": "string"
-        },
-        {
-          "format": "int64",
-          "type": "integer"
-        }
-      ]
-    }
-  },
-  "description": "A response to a request that indicates an error occurred.",
-  "properties": {
-    "error": {
-      "$ref": "#/definitions/JSONRPCErrorError"
-    },
-    "id": {
-      "$ref": "#/definitions/RequestId"
-    }
-  },
-  "required": [
-    "error",
-    "id"
-  ],
-  "title": "JSONRPCError",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/JSONRPCErrorError.json

@@ -1,19 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "code": {
-      "format": "int64",
-      "type": "integer"
-    },
-    "data": true,
-    "message": {
-      "type": "string"
-    }
-  },
-  "required": [
-    "code",
-    "message"
-  ],
-  "title": "JSONRPCErrorError",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/JSONRPCMessage.json

@@ -1,109 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "anyOf": [
-    {
-      "$ref": "#/definitions/JSONRPCRequest"
-    },
-    {
-      "$ref": "#/definitions/JSONRPCNotification"
-    },
-    {
-      "$ref": "#/definitions/JSONRPCResponse"
-    },
-    {
-      "$ref": "#/definitions/JSONRPCError"
-    }
-  ],
-  "definitions": {
-    "JSONRPCError": {
-      "description": "A response to a request that indicates an error occurred.",
-      "properties": {
-        "error": {
-          "$ref": "#/definitions/JSONRPCErrorError"
-        },
-        "id": {
-          "$ref": "#/definitions/RequestId"
-        }
-      },
-      "required": [
-        "error",
-        "id"
-      ],
-      "type": "object"
-    },
-    "JSONRPCErrorError": {
-      "properties": {
-        "code": {
-          "format": "int64",
-          "type": "integer"
-        },
-        "data": true,
-        "message": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "code",
-        "message"
-      ],
-      "type": "object"
-    },
-    "JSONRPCNotification": {
-      "description": "A notification which does not expect a response.",
-      "properties": {
-        "method": {
-          "type": "string"
-        },
-        "params": true
-      },
-      "required": [
-        "method"
-      ],
-      "type": "object"
-    },
-    "JSONRPCRequest": {
-      "description": "A request that expects a response.",
-      "properties": {
-        "id": {
-          "$ref": "#/definitions/RequestId"
-        },
-        "method": {
-          "type": "string"
-        },
-        "params": true
-      },
-      "required": [
-        "id",
-        "method"
-      ],
-      "type": "object"
-    },
-    "JSONRPCResponse": {
-      "description": "A successful (non-error) response to a request.",
-      "properties": {
-        "id": {
-          "$ref": "#/definitions/RequestId"
-        },
-        "result": true
-      },
-      "required": [
-        "id",
-        "result"
-      ],
-      "type": "object"
-    },
-    "RequestId": {
-      "anyOf": [
-        {
-          "type": "string"
-        },
-        {
-          "format": "int64",
-          "type": "integer"
-        }
-      ]
-    }
-  },
-  "description": "Refers to any valid JSON-RPC object that can be decoded off the wire, or encoded to be sent.",
-  "title": "JSONRPCMessage"
-}

codex-rs/app-server-json-schema/stable/JSONRPCNotification.json

@@ -1,15 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "description": "A notification which does not expect a response.",
-  "properties": {
-    "method": {
-      "type": "string"
-    },
-    "params": true
-  },
-  "required": [
-    "method"
-  ],
-  "title": "JSONRPCNotification",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/JSONRPCRequest.json

@@ -1,32 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "RequestId": {
-      "anyOf": [
-        {
-          "type": "string"
-        },
-        {
-          "format": "int64",
-          "type": "integer"
-        }
-      ]
-    }
-  },
-  "description": "A request that expects a response.",
-  "properties": {
-    "id": {
-      "$ref": "#/definitions/RequestId"
-    },
-    "method": {
-      "type": "string"
-    },
-    "params": true
-  },
-  "required": [
-    "id",
-    "method"
-  ],
-  "title": "JSONRPCRequest",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/JSONRPCResponse.json

@@ -1,29 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "RequestId": {
-      "anyOf": [
-        {
-          "type": "string"
-        },
-        {
-          "format": "int64",
-          "type": "integer"
-        }
-      ]
-    }
-  },
-  "description": "A successful (non-error) response to a request.",
-  "properties": {
-    "id": {
-      "$ref": "#/definitions/RequestId"
-    },
-    "result": true
-  },
-  "required": [
-    "id",
-    "result"
-  ],
-  "title": "JSONRPCResponse",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/RequestId.json

@@ -1,13 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "anyOf": [
-    {
-      "type": "string"
-    },
-    {
-      "format": "int64",
-      "type": "integer"
-    }
-  ],
-  "title": "RequestId"
-}

codex-rs/app-server-json-schema/stable/ServerRequest.json

@@ -1,627 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "ApplyPatchApprovalParams": {
-      "properties": {
-        "callId": {
-          "description": "Use to correlate this with [codex_core::protocol::PatchApplyBeginEvent] and [codex_core::protocol::PatchApplyEndEvent].",
-          "type": "string"
-        },
-        "conversationId": {
-          "$ref": "#/definitions/ThreadId"
-        },
-        "fileChanges": {
-          "additionalProperties": {
-            "$ref": "#/definitions/FileChange"
-          },
-          "type": "object"
-        },
-        "grantRoot": {
-          "description": "When set, the agent is asking the user to allow writes under this root for the remainder of the session (unclear if this is honored today).",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "reason": {
-          "description": "Optional explanatory reason (e.g. request for extra write access).",
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "callId",
-        "conversationId",
-        "fileChanges"
-      ],
-      "type": "object"
-    },
-    "CommandAction": {
-      "oneOf": [
-        {
-          "properties": {
-            "command": {
-              "type": "string"
-            },
-            "name": {
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "read"
-              ],
-              "title": "ReadCommandActionType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "command",
-            "name",
-            "path",
-            "type"
-          ],
-          "title": "ReadCommandAction",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "command": {
-              "type": "string"
-            },
-            "path": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "listFiles"
-              ],
-              "title": "ListFilesCommandActionType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "command",
-            "type"
-          ],
-          "title": "ListFilesCommandAction",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "command": {
-              "type": "string"
-            },
-            "path": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "query": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "search"
-              ],
-              "title": "SearchCommandActionType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "command",
-            "type"
-          ],
-          "title": "SearchCommandAction",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "command": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "unknown"
-              ],
-              "title": "UnknownCommandActionType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "command",
-            "type"
-          ],
-          "title": "UnknownCommandAction",
-          "type": "object"
-        }
-      ]
-    },
-    "CommandExecutionRequestApprovalParams": {
-      "properties": {
-        "command": {
-          "description": "The command to be executed.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "commandActions": {
-          "description": "Best-effort parsed command actions for friendly display.",
-          "items": {
-            "$ref": "#/definitions/CommandAction"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
-        },
-        "cwd": {
-          "description": "The command's working directory.",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "itemId": {
-          "type": "string"
-        },
-        "proposedExecpolicyAmendment": {
-          "description": "Optional proposed execpolicy amendment to allow similar commands without prompting.",
-          "items": {
-            "type": "string"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
-        },
-        "reason": {
-          "description": "Optional explanatory reason (e.g. request for network access).",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "threadId": {
-          "type": "string"
-        },
-        "turnId": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "itemId",
-        "threadId",
-        "turnId"
-      ],
-      "type": "object"
-    },
-    "DynamicToolCallParams": {
-      "properties": {
-        "arguments": true,
-        "callId": {
-          "type": "string"
-        },
-        "threadId": {
-          "type": "string"
-        },
-        "tool": {
-          "type": "string"
-        },
-        "turnId": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "arguments",
-        "callId",
-        "threadId",
-        "tool",
-        "turnId"
-      ],
-      "type": "object"
-    },
-    "ExecCommandApprovalParams": {
-      "properties": {
-        "callId": {
-          "description": "Use to correlate this with [codex_core::protocol::ExecCommandBeginEvent] and [codex_core::protocol::ExecCommandEndEvent].",
-          "type": "string"
-        },
-        "command": {
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        },
-        "conversationId": {
-          "$ref": "#/definitions/ThreadId"
-        },
-        "cwd": {
-          "type": "string"
-        },
-        "parsedCmd": {
-          "items": {
-            "$ref": "#/definitions/ParsedCommand"
-          },
-          "type": "array"
-        },
-        "reason": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "callId",
-        "command",
-        "conversationId",
-        "cwd",
-        "parsedCmd"
-      ],
-      "type": "object"
-    },
-    "FileChange": {
-      "oneOf": [
-        {
-          "properties": {
-            "content": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "add"
-              ],
-              "title": "AddFileChangeType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "content",
-            "type"
-          ],
-          "title": "AddFileChange",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "content": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "delete"
-              ],
-              "title": "DeleteFileChangeType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "content",
-            "type"
-          ],
-          "title": "DeleteFileChange",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "move_path": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "update"
-              ],
-              "title": "UpdateFileChangeType",
-              "type": "string"
-            },
-            "unified_diff": {
-              "type": "string"
-            }
-          },
-          "required": [
-            "type",
-            "unified_diff"
-          ],
-          "title": "UpdateFileChange",
-          "type": "object"
-        }
-      ]
-    },
-    "FileChangeRequestApprovalParams": {
-      "properties": {
-        "itemId": {
-          "type": "string"
-        },
-        "reason": {
-          "description": "Optional explanatory reason (e.g. request for extra write access).",
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "threadId": {
-          "type": "string"
-        },
-        "turnId": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "itemId",
-        "threadId",
-        "turnId"
-      ],
-      "type": "object"
-    },
-    "ParsedCommand": {
-      "oneOf": [
-        {
-          "properties": {
-            "cmd": {
-              "type": "string"
-            },
-            "name": {
-              "type": "string"
-            },
-            "path": {
-              "description": "(Best effort) Path to the file being read by the command. When possible, this is an absolute path, though when relative, it should be resolved against the `cwd`` that will be used to run the command to derive the absolute path.",
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "read"
-              ],
-              "title": "ReadParsedCommandType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "cmd",
-            "name",
-            "path",
-            "type"
-          ],
-          "title": "ReadParsedCommand",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "cmd": {
-              "type": "string"
-            },
-            "path": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "list_files"
-              ],
-              "title": "ListFilesParsedCommandType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "cmd",
-            "type"
-          ],
-          "title": "ListFilesParsedCommand",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "cmd": {
-              "type": "string"
-            },
-            "path": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "query": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "search"
-              ],
-              "title": "SearchParsedCommandType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "cmd",
-            "type"
-          ],
-          "title": "SearchParsedCommand",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "cmd": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "unknown"
-              ],
-              "title": "UnknownParsedCommandType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "cmd",
-            "type"
-          ],
-          "title": "UnknownParsedCommand",
-          "type": "object"
-        }
-      ]
-    },
-    "RequestId": {
-      "anyOf": [
-        {
-          "type": "string"
-        },
-        {
-          "format": "int64",
-          "type": "integer"
-        }
-      ]
-    },
-    "ThreadId": {
-      "type": "string"
-    }
-  },
-  "description": "Request initiated from the server and sent to the client.",
-  "oneOf": [
-    {
-      "description": "NEW APIs Sent when approval is requested for a specific command execution. This request is used for Turns started via turn/start.",
-      "properties": {
-        "id": {
-          "$ref": "#/definitions/RequestId"
-        },
-        "method": {
-          "enum": [
-            "item/commandExecution/requestApproval"
-          ],
-          "title": "Item/commandExecution/requestApprovalRequestMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/CommandExecutionRequestApprovalParams"
-        }
-      },
-      "required": [
-        "id",
-        "method",
-        "params"
-      ],
-      "title": "Item/commandExecution/requestApprovalRequest",
-      "type": "object"
-    },
-    {
-      "description": "Sent when approval is requested for a specific file change. This request is used for Turns started via turn/start.",
-      "properties": {
-        "id": {
-          "$ref": "#/definitions/RequestId"
-        },
-        "method": {
-          "enum": [
-            "item/fileChange/requestApproval"
-          ],
-          "title": "Item/fileChange/requestApprovalRequestMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/FileChangeRequestApprovalParams"
-        }
-      },
-      "required": [
-        "id",
-        "method",
-        "params"
-      ],
-      "title": "Item/fileChange/requestApprovalRequest",
-      "type": "object"
-    },
-    {
-      "description": "Execute a dynamic tool call on the client.",
-      "properties": {
-        "id": {
-          "$ref": "#/definitions/RequestId"
-        },
-        "method": {
-          "enum": [
-            "item/tool/call"
-          ],
-          "title": "Item/tool/callRequestMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/DynamicToolCallParams"
-        }
-      },
-      "required": [
-        "id",
-        "method",
-        "params"
-      ],
-      "title": "Item/tool/callRequest",
-      "type": "object"
-    },
-    {
-      "description": "DEPRECATED APIs below Request to approve a patch. This request is used for Turns started via the legacy APIs (i.e. SendUserTurn, SendUserMessage).",
-      "properties": {
-        "id": {
-          "$ref": "#/definitions/RequestId"
-        },
-        "method": {
-          "enum": [
-            "applyPatchApproval"
-          ],
-          "title": "ApplyPatchApprovalRequestMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/ApplyPatchApprovalParams"
-        }
-      },
-      "required": [
-        "id",
-        "method",
-        "params"
-      ],
-      "title": "ApplyPatchApprovalRequest",
-      "type": "object"
-    },
-    {
-      "description": "Request to exec a command. This request is used for Turns started via the legacy APIs (i.e. SendUserTurn, SendUserMessage).",
-      "properties": {
-        "id": {
-          "$ref": "#/definitions/RequestId"
-        },
-        "method": {
-          "enum": [
-            "execCommandApproval"
-          ],
-          "title": "ExecCommandApprovalRequestMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/ExecCommandApprovalParams"
-        }
-      },
-      "required": [
-        "id",
-        "method",
-        "params"
-      ],
-      "title": "ExecCommandApprovalRequest",
-      "type": "object"
-    }
-  ],
-  "title": "ServerRequest"
-}

codex-rs/app-server-json-schema/stable/v1/AddConversationListenerParams.json

@@ -1,18 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "ThreadId": {
-      "type": "string"
-    }
-  },
-  "properties": {
-    "conversationId": {
-      "$ref": "#/definitions/ThreadId"
-    }
-  },
-  "required": [
-    "conversationId"
-  ],
-  "title": "AddConversationListenerParams",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/v1/AddConversationSubscriptionResponse.json

@@ -1,13 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "subscriptionId": {
-      "type": "string"
-    }
-  },
-  "required": [
-    "subscriptionId"
-  ],
-  "title": "AddConversationSubscriptionResponse",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/v1/ArchiveConversationParams.json

@@ -1,22 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "ThreadId": {
-      "type": "string"
-    }
-  },
-  "properties": {
-    "conversationId": {
-      "$ref": "#/definitions/ThreadId"
-    },
-    "rolloutPath": {
-      "type": "string"
-    }
-  },
-  "required": [
-    "conversationId",
-    "rolloutPath"
-  ],
-  "title": "ArchiveConversationParams",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/v1/ArchiveConversationResponse.json

@@ -1,5 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "title": "ArchiveConversationResponse",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/v1/AuthStatusChangeNotification.json

@@ -1,39 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "AuthMode": {
-      "description": "Authentication mode for OpenAI-backed providers.\n\nThis is used internally to determine the base URL for generating responses, and to gate ChatGPT-only behaviors like rate limits and available models (as opposed to API key-based auth).",
-      "oneOf": [
-        {
-          "description": "OpenAI API key provided by the caller and stored by Codex.",
-          "enum": [
-            "apikey"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "ChatGPT OAuth managed by Codex (tokens persisted and refreshed by Codex).",
-          "enum": [
-            "chatgpt"
-          ],
-          "type": "string"
-        }
-      ]
-    }
-  },
-  "description": "Deprecated notification. Use AccountUpdatedNotification instead.",
-  "properties": {
-    "authMethod": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/AuthMode"
-        },
-        {
-          "type": "null"
-        }
-      ]
-    }
-  },
-  "title": "AuthStatusChangeNotification",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/v1/CancelLoginChatGptParams.json

@@ -1,13 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "loginId": {
-      "type": "string"
-    }
-  },
-  "required": [
-    "loginId"
-  ],
-  "title": "CancelLoginChatGptParams",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/v1/CancelLoginChatGptResponse.json

@@ -1,5 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "title": "CancelLoginChatGptResponse",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/v1/ExecOneOffCommandParams.json

@@ -1,158 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "AbsolutePathBuf": {
-      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
-      "type": "string"
-    },
-    "NetworkAccess": {
-      "description": "Represents whether outbound network access is available to the agent.",
-      "enum": [
-        "restricted",
-        "enabled"
-      ],
-      "type": "string"
-    },
-    "SandboxPolicy": {
-      "description": "Determines execution restrictions for model shell commands.",
-      "oneOf": [
-        {
-          "description": "No restrictions whatsoever. Use with caution.",
-          "properties": {
-            "type": {
-              "enum": [
-                "danger-full-access"
-              ],
-              "title": "DangerFullAccessSandboxPolicyType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DangerFullAccessSandboxPolicy",
-          "type": "object"
-        },
-        {
-          "description": "Read-only access to the entire file-system.",
-          "properties": {
-            "type": {
-              "enum": [
-                "read-only"
-              ],
-              "title": "ReadOnlySandboxPolicyType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "ReadOnlySandboxPolicy",
-          "type": "object"
-        },
-        {
-          "description": "Indicates the process is already in an external sandbox. Allows full disk access while honoring the provided network setting.",
-          "properties": {
-            "network_access": {
-              "allOf": [
-                {
-                  "$ref": "#/definitions/NetworkAccess"
-                }
-              ],
-              "default": "restricted",
-              "description": "Whether the external sandbox permits outbound network traffic."
-            },
-            "type": {
-              "enum": [
-                "external-sandbox"
-              ],
-              "title": "ExternalSandboxSandboxPolicyType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "ExternalSandboxSandboxPolicy",
-          "type": "object"
-        },
-        {
-          "description": "Same as `ReadOnly` but additionally grants write access to the current working directory (\"workspace\").",
-          "properties": {
-            "exclude_slash_tmp": {
-              "default": false,
-              "description": "When set to `true`, will NOT include the `/tmp` among the default writable roots on UNIX. Defaults to `false`.",
-              "type": "boolean"
-            },
-            "exclude_tmpdir_env_var": {
-              "default": false,
-              "description": "When set to `true`, will NOT include the per-user `TMPDIR` environment variable among the default writable roots. Defaults to `false`.",
-              "type": "boolean"
-            },
-            "network_access": {
-              "default": false,
-              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
-              "type": "boolean"
-            },
-            "type": {
-              "enum": [
-                "workspace-write"
-              ],
-              "title": "WorkspaceWriteSandboxPolicyType",
-              "type": "string"
-            },
-            "writable_roots": {
-              "description": "Additional folders (beyond cwd and possibly TMPDIR) that should be writable from within the sandbox.",
-              "items": {
-                "$ref": "#/definitions/AbsolutePathBuf"
-              },
-              "type": "array"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "WorkspaceWriteSandboxPolicy",
-          "type": "object"
-        }
-      ]
-    }
-  },
-  "properties": {
-    "command": {
-      "items": {
-        "type": "string"
-      },
-      "type": "array"
-    },
-    "cwd": {
-      "type": [
-        "string",
-        "null"
-      ]
-    },
-    "sandboxPolicy": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/SandboxPolicy"
-        },
-        {
-          "type": "null"
-        }
-      ]
-    },
-    "timeoutMs": {
-      "format": "uint64",
-      "minimum": 0.0,
-      "type": [
-        "integer",
-        "null"
-      ]
-    }
-  },
-  "required": [
-    "command"
-  ],
-  "title": "ExecOneOffCommandParams",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/v1/ExecOneOffCommandResponse.json

@@ -1,22 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "exitCode": {
-      "format": "int32",
-      "type": "integer"
-    },
-    "stderr": {
-      "type": "string"
-    },
-    "stdout": {
-      "type": "string"
-    }
-  },
-  "required": [
-    "exitCode",
-    "stderr",
-    "stdout"
-  ],
-  "title": "ExecOneOffCommandResponse",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/v1/ForkConversationParams.json

@@ -1,159 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "AskForApproval": {
-      "description": "Determines the conditions under which the user is consulted to approve running the command proposed by Codex.",
-      "oneOf": [
-        {
-          "description": "Under this policy, only \"known safe\" commands—as determined by `is_safe_command()`—that **only read files** are auto‑approved. Everything else will ask the user to approve.",
-          "enum": [
-            "untrusted"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
-          "enum": [
-            "on-failure"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "The model decides when to ask the user for approval.",
-          "enum": [
-            "on-request"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "Never ask the user to approve commands. Failures are immediately returned to the model, and never escalated to the user for approval.",
-          "enum": [
-            "never"
-          ],
-          "type": "string"
-        }
-      ]
-    },
-    "NewConversationParams": {
-      "properties": {
-        "approvalPolicy": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/AskForApproval"
-            },
-            {
-              "type": "null"
-            }
-          ]
-        },
-        "baseInstructions": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "compactPrompt": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "config": {
-          "additionalProperties": true,
-          "type": [
-            "object",
-            "null"
-          ]
-        },
-        "cwd": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "developerInstructions": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "includeApplyPatchTool": {
-          "type": [
-            "boolean",
-            "null"
-          ]
-        },
-        "model": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "modelProvider": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "profile": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "sandbox": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/SandboxMode"
-            },
-            {
-              "type": "null"
-            }
-          ]
-        }
-      },
-      "type": "object"
-    },
-    "SandboxMode": {
-      "enum": [
-        "read-only",
-        "workspace-write",
-        "danger-full-access"
-      ],
-      "type": "string"
-    },
-    "ThreadId": {
-      "type": "string"
-    }
-  },
-  "properties": {
-    "conversationId": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/ThreadId"
-        },
-        {
-          "type": "null"
-        }
-      ]
-    },
-    "overrides": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/NewConversationParams"
-        },
-        {
-          "type": "null"
-        }
-      ]
-    },
-    "path": {
-      "type": [
-        "string",
-        "null"
-      ]
-    }
-  },
-  "title": "ForkConversationParams",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/v1/GetAuthStatusParams.json

@@ -1,19 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "includeToken": {
-      "type": [
-        "boolean",
-        "null"
-      ]
-    },
-    "refreshToken": {
-      "type": [
-        "boolean",
-        "null"
-      ]
-    }
-  },
-  "title": "GetAuthStatusParams",
-  "type": "object"
-}

codex-rs/app-server-json-schema/stable/v1/GetAuthStatusResponse.json

@@ -1,50 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "AuthMode": {
-      "description": "Authentication mode for OpenAI-backed providers.\n\nThis is used internally to determine the base URL for generating responses, and to gate ChatGPT-only behaviors like rate limits and available models (as opposed to API key-based auth).",
-      "oneOf": [
-        {
-          "description": "OpenAI API key provided by the caller and stored by Codex.",
-          "enum": [
-            "apikey"
-          ],
-          "type": "string"
-        },
-        {
-          "description": "ChatGPT OAuth managed by Codex (tokens persisted and refreshed by Codex).",
-          "enum": [
-            "chatgpt"
-          ],
-          "type": "string"
-        }
-      ]
-    }
-  },
-  "properties": {
-    "authMethod": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/AuthMode"
-        },
-        {
-          "type": "null"
-        }
-      ]
-    },
-    "authToken": {
-      "type": [
-        "string",
-        "null"
-      ]
-    },
-    "requiresOpenaiAuth": {
-      "type": [
-        "boolean",
-        "null"
-      ]
-    }
-  },
-  "title": "GetAuthStatusResponse",
-  "type": "object"
-}