prefix

feat: add sanitizer to redact secrets (#11600 )
Adding a sanitizer crate that can redact API keys and other secret with known pattern from a String
2026-02-17 14:23:48 +00:00 · 2026-02-12 11:06:53 -08:00 · 2026-02-12 16:44:01 +00:00 · 2026-02-12 15:56:48 +00:00 · 2026-02-12 15:28:48 +00:00 · 2026-02-12 14:44:40 +00:00
450 changed files with 24944 additions and 7557 deletions
--- a/.codespellrc
+++ b/.codespellrc
@@ -1,6 +1,6 @@
 [codespell]
 # Ref: https://github.com/codespell-project/codespell#using-a-config-file
-skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl,frame*.txt,*.snap,*.snap.new
+skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl,frame*.txt,*.snap,*.snap.new,*meriyah.umd.min.js
 check-hidden = true
 ignore-regex = ^\s*"image/\S+": ".*|\b(afterAll)\b
 ignore-words-list = ratatui,ser,iTerm,iterm2,iterm
--- a/.codex/skills/test-tui/SKILL.md
+++ b/.codex/skills/test-tui/SKILL.md
@@ -0,0 +1,14 @@
+---
+name: test-tui
+description: Guide for testing Codex TUI interactively
+---
+
+You can start and use Codex TUI to verify changes. 
+
+Important notes:
+
+Start interactively.
+Always set RUST_LOG="trace" when starting the process.
+Pass `-c log_dir=<some_temp_dir>` argument to have logs written to a specific directory to help with debugging.
+When sending a test message programmatically, send text first, then send Enter in a separate write (do not send text + Enter in one burst).
+Use `just codex` target to run - `just codex -c ...`
--- a/.github/scripts/install-musl-build-tools.sh
+++ b/.github/scripts/install-musl-build-tools.sh
@@ -17,7 +17,7 @@ if [[ -n "${APT_INSTALL_ARGS:-}" ]]; then
 fi

 sudo apt-get update "${apt_update_args[@]}"
-sudo apt-get install -y "${apt_install_args[@]}" musl-tools pkg-config g++ clang libc++-dev libc++abi-dev lld
+sudo apt-get install -y "${apt_install_args[@]}" ca-certificates curl musl-tools pkg-config libcap-dev g++ clang libc++-dev libc++abi-dev lld xz-utils

 case "${TARGET}" in
  x86_64-unknown-linux-musl)
@@ -32,6 +32,11 @@ case "${TARGET}" in
    ;;
 esac

+libcap_version="2.75"
+libcap_sha256="de4e7e064c9ba451d5234dd46e897d7c71c96a9ebf9a0c445bc04f4742d83632"
+libcap_tarball_name="libcap-${libcap_version}.tar.xz"
+libcap_download_url="https://mirrors.edge.kernel.org/pub/linux/libs/security/linux-privs/libcap2/${libcap_tarball_name}"
+
 # Use the musl toolchain as the Rust linker to avoid Zig injecting its own CRT.
 if command -v "${arch}-linux-musl-gcc" >/dev/null; then
  musl_linker="$(command -v "${arch}-linux-musl-gcc")"
@@ -47,6 +52,43 @@ runner_temp="${RUNNER_TEMP:-/tmp}"
 tool_root="${runner_temp}/codex-musl-tools-${TARGET}"
 mkdir -p "${tool_root}"

+libcap_root="${tool_root}/libcap-${libcap_version}"
+libcap_src_root="${libcap_root}/src"
+libcap_prefix="${libcap_root}/prefix"
+libcap_pkgconfig_dir="${libcap_prefix}/lib/pkgconfig"
+
+if [[ ! -f "${libcap_prefix}/lib/libcap.a" ]]; then
+  mkdir -p "${libcap_src_root}" "${libcap_prefix}/lib" "${libcap_prefix}/include/sys" "${libcap_prefix}/include/linux" "${libcap_pkgconfig_dir}"
+  libcap_tarball="${libcap_root}/${libcap_tarball_name}"
+
+  curl -fsSL "${libcap_download_url}" -o "${libcap_tarball}"
+  echo "${libcap_sha256}  ${libcap_tarball}" | sha256sum -c -
+
+  tar -xJf "${libcap_tarball}" -C "${libcap_src_root}"
+  libcap_source_dir="${libcap_src_root}/libcap-${libcap_version}"
+  make -C "${libcap_source_dir}/libcap" -j"$(nproc)" \
+    CC="${musl_linker}" \
+    AR=ar \
+    RANLIB=ranlib
+
+  cp "${libcap_source_dir}/libcap/libcap.a" "${libcap_prefix}/lib/libcap.a"
+  cp "${libcap_source_dir}/libcap/include/uapi/linux/capability.h" "${libcap_prefix}/include/linux/capability.h"
+  cp "${libcap_source_dir}/libcap/../libcap/include/sys/capability.h" "${libcap_prefix}/include/sys/capability.h"
+
+  cat > "${libcap_pkgconfig_dir}/libcap.pc" <<EOF
+prefix=${libcap_prefix}
+exec_prefix=\${prefix}
+libdir=\${prefix}/lib
+includedir=\${prefix}/include
+
+Name: libcap
+Description: Linux capabilities
+Version: ${libcap_version}
+Libs: -L\${libdir} -lcap
+Cflags: -I\${includedir}
+EOF
+fi
+
 sysroot=""
 if command -v zig >/dev/null; then
  zig_bin="$(command -v zig)"
@@ -59,7 +101,19 @@ set -euo pipefail

 args=()
 skip_next=0
+pending_include=0
 for arg in "\$@"; do
+  if [[ "\${pending_include}" -eq 1 ]]; then
+    pending_include=0
+    if [[ "\${arg}" == /usr/include || "\${arg}" == /usr/include/* ]]; then
+      # Keep host-only headers available, but after the target sysroot headers.
+      args+=("-idirafter" "\${arg}")
+    else
+      args+=("-I" "\${arg}")
+    fi
+    continue
+  fi
+
  if [[ "\${skip_next}" -eq 1 ]]; then
    skip_next=0
    continue
@@ -77,6 +131,15 @@ for arg in "\$@"; do
      fi
      continue
      ;;
+    -I)
+      pending_include=1
+      continue
+      ;;
+    -I/usr/include|-I/usr/include/*)
+      # Avoid making glibc headers win over musl headers.
+      args+=("-idirafter" "\${arg#-I}")
+      continue
+      ;;
    -Wp,-U_FORTIFY_SOURCE)
      # aws-lc-sys emits this GCC preprocessor forwarding form in debug
      # builds, but zig cc expects the define flag directly.
@@ -95,7 +158,19 @@ set -euo pipefail

 args=()
 skip_next=0
+pending_include=0
 for arg in "\$@"; do
+  if [[ "\${pending_include}" -eq 1 ]]; then
+    pending_include=0
+    if [[ "\${arg}" == /usr/include || "\${arg}" == /usr/include/* ]]; then
+      # Keep host-only headers available, but after the target sysroot headers.
+      args+=("-idirafter" "\${arg}")
+    else
+      args+=("-I" "\${arg}")
+    fi
+    continue
+  fi
+
  if [[ "\${skip_next}" -eq 1 ]]; then
    skip_next=0
    continue
@@ -113,6 +188,15 @@ for arg in "\$@"; do
      fi
      continue
      ;;
+    -I)
+      pending_include=1
+      continue
+      ;;
+    -I/usr/include|-I/usr/include/*)
+      # Avoid making glibc headers win over musl headers.
+      args+=("-idirafter" "\${arg#-I}")
+      continue
+      ;;
    -Wp,-U_FORTIFY_SOURCE)
      # aws-lc-sys emits this GCC forwarding form in debug builds; zig c++
      # expects the define flag directly.
@@ -175,3 +259,21 @@ echo "${cargo_linker_var}=${musl_linker}" >> "$GITHUB_ENV"
 echo "CMAKE_C_COMPILER=${cc}" >> "$GITHUB_ENV"
 echo "CMAKE_CXX_COMPILER=${cxx}" >> "$GITHUB_ENV"
 echo "CMAKE_ARGS=-DCMAKE_HAVE_THREADS_LIBRARY=1 -DCMAKE_USE_PTHREADS_INIT=1 -DCMAKE_THREAD_LIBS_INIT=-pthread -DTHREADS_PREFER_PTHREAD_FLAG=ON" >> "$GITHUB_ENV"
+
+# Allow pkg-config resolution during cross-compilation.
+echo "PKG_CONFIG_ALLOW_CROSS=1" >> "$GITHUB_ENV"
+pkg_config_path="${libcap_pkgconfig_dir}"
+if [[ -n "${PKG_CONFIG_PATH:-}" ]]; then
+  pkg_config_path="${pkg_config_path}:${PKG_CONFIG_PATH}"
+fi
+echo "PKG_CONFIG_PATH=${pkg_config_path}" >> "$GITHUB_ENV"
+pkg_config_path_var="PKG_CONFIG_PATH_${TARGET}"
+pkg_config_path_var="${pkg_config_path_var//-/_}"
+echo "${pkg_config_path_var}=${libcap_pkgconfig_dir}" >> "$GITHUB_ENV"
+
+if [[ -n "${sysroot}" && "${sysroot}" != "/" ]]; then
+  echo "PKG_CONFIG_SYSROOT_DIR=${sysroot}" >> "$GITHUB_ENV"
+  pkg_config_sysroot_var="PKG_CONFIG_SYSROOT_DIR_${TARGET}"
+  pkg_config_sysroot_var="${pkg_config_sysroot_var//-/_}"
+  echo "${pkg_config_sysroot_var}=${sysroot}" >> "$GITHUB_ENV"
+fi
--- a/.github/workflows/bazel.yml
+++ b/.github/workflows/bazel.yml
@@ -100,12 +100,45 @@ jobs:
      - name: bazel test //...
        env:
          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
-          CODEX_BWRAP_ENABLE_FFI: ${{ contains(matrix.target, 'unknown-linux') && '1' || '0' }}
        shell: bash
        run: |
-          bazel $BAZEL_STARTUP_ARGS --bazelrc=.github/workflows/ci.bazelrc test //... \
-            --build_metadata=REPO_URL=https://github.com/openai/codex.git \
-            --build_metadata=COMMIT_SHA=$(git rev-parse HEAD) \
-            --build_metadata=ROLE=CI \
-            --build_metadata=VISIBILITY=PUBLIC \
-            "--remote_header=x-buildbuddy-api-key=$BUILDBUDDY_API_KEY"
+          bazel_args=(
+            test
+            //...
+            --test_verbose_timeout_warnings
+            --build_metadata=REPO_URL=https://github.com/openai/codex.git
+            --build_metadata=COMMIT_SHA=$(git rev-parse HEAD)
+            --build_metadata=ROLE=CI
+            --build_metadata=VISIBILITY=PUBLIC
+          )
+
+          if [[ -n "${BUILDBUDDY_API_KEY:-}" ]]; then
+            echo "BuildBuddy API key is available; using remote Bazel configuration."
+            bazel $BAZEL_STARTUP_ARGS \
+              --bazelrc=.github/workflows/ci.bazelrc \
+              "${bazel_args[@]}" \
+              "--remote_header=x-buildbuddy-api-key=$BUILDBUDDY_API_KEY"
+          else
+            echo "BuildBuddy API key is not available; using local Bazel configuration."
+            # Keep fork/community PRs on Bazel but disable remote services that are
+            # configured in .bazelrc and require auth.
+            #
+            # Flag docs:
+            # - Command-line reference: https://bazel.build/reference/command-line-reference
+            # - Remote caching overview: https://bazel.build/remote/caching
+            # - Remote execution overview: https://bazel.build/remote/rbe
+            # - Build Event Protocol overview: https://bazel.build/remote/bep
+            #
+            # --noexperimental_remote_repo_contents_cache:
+            #   disable remote repo contents cache enabled in .bazelrc startup options.
+            #   https://bazel.build/reference/command-line-reference#startup_options-flag--experimental_remote_repo_contents_cache
+            # --remote_cache= and --remote_executor=:
+            #   clear remote cache/execution endpoints configured in .bazelrc.
+            #   https://bazel.build/reference/command-line-reference#common_options-flag--remote_cache
+            #   https://bazel.build/reference/command-line-reference#common_options-flag--remote_executor
+            bazel $BAZEL_STARTUP_ARGS \
+              --noexperimental_remote_repo_contents_cache \
+              "${bazel_args[@]}" \
+              --remote_cache= \
+              --remote_executor=
+          fi
--- a/.github/workflows/rust-ci.yml
+++ b/.github/workflows/rust-ci.yml
@@ -99,9 +99,8 @@ jobs:
      USE_SCCACHE: ${{ startsWith(matrix.runner, 'windows') && 'false' || 'true' }}
      CARGO_INCREMENTAL: "0"
      SCCACHE_CACHE_SIZE: 10G
-      # Keep cargo-based CI independent of system bwrap build deps.
-      # The bwrap FFI path is validated in Bazel workflows.
-      CODEX_BWRAP_ENABLE_FFI: "0"
+      # In rust-ci, representative release-profile checks use thin LTO for faster feedback.
+      CARGO_PROFILE_RELEASE_LTO: ${{ matrix.profile == 'release' && 'thin' || 'fat' }}

    strategy:
      fail-fast: false
@@ -163,6 +162,12 @@ jobs:
            runs_on:
              group: codex-runners
              labels: codex-linux-x64
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            profile: release
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-arm64
          - runner: windows-x64
            target: x86_64-pc-windows-msvc
            profile: release
@@ -178,14 +183,18 @@ jobs:

    steps:
      - uses: actions/checkout@v6
-      - name: Install UBSan runtime (musl)
-        if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl' }}
+      - name: Install Linux build dependencies
+        if: ${{ runner.os == 'Linux' }}
        shell: bash
        run: |
          set -euo pipefail
          if command -v apt-get >/dev/null 2>&1; then
            sudo apt-get update -y
-            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y libubsan1
+            packages=(pkg-config libcap-dev)
+            if [[ "${{ matrix.target }}" == 'x86_64-unknown-linux-musl' || "${{ matrix.target }}" == 'aarch64-unknown-linux-musl' ]]; then
+              packages+=(libubsan1)
+            fi
+            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends "${packages[@]}"
          fi
      - uses: dtolnay/rust-toolchain@1.93
        with:
@@ -379,21 +388,15 @@ jobs:
          cargo chef cook --recipe-path "$RECIPE" --target ${{ matrix.target }} --release --all-features

      - name: cargo clippy
-        id: clippy
-        run: cargo clippy --target ${{ matrix.target }} --all-features --tests --profile ${{ matrix.profile }} -- -D warnings
+        run: cargo clippy --target ${{ matrix.target }} --all-features --tests --profile ${{ matrix.profile }} --timings -- -D warnings

-      # Running `cargo build` from the workspace root builds the workspace using
-      # the union of all features from third-party crates. This can mask errors
-      # where individual crates have underspecified features. To avoid this, we
-      # run `cargo check` for each crate individually, though because this is
-      # slower, we only do this for the x86_64-unknown-linux-gnu target.
-      - name: cargo check individual crates
-        id: cargo_check_all_crates
-        if: ${{ matrix.target == 'x86_64-unknown-linux-gnu' && matrix.profile != 'release' }}
-        continue-on-error: true
-        run: |
-          find . -name Cargo.toml -mindepth 2 -maxdepth 2 -print0 \
-            | xargs -0 -n1 -I{} bash -c 'cd "$(dirname "{}")" && cargo check --profile ${{ matrix.profile }}'
+      - name: Upload Cargo timings (clippy)
+        if: always()
+        uses: actions/upload-artifact@v6
+        with:
+          name: cargo-timings-rust-ci-clippy-${{ matrix.target }}-${{ matrix.profile }}
+          path: codex-rs/target/**/cargo-timings/cargo-timing.html
+          if-no-files-found: warn

      # Save caches explicitly; make non-fatal so cache packaging
      # never fails the overall job. Only save when key wasn't hit.
@@ -447,15 +450,6 @@ jobs:
            /var/cache/apt
          key: apt-${{ matrix.runner }}-${{ matrix.target }}-v1

-      # Fail the job if any of the previous steps failed.
-      - name: verify all steps passed
-        if: |
-          steps.clippy.outcome == 'failure' ||
-          steps.cargo_check_all_crates.outcome == 'failure'
-        run: |
-          echo "One or more checks failed (clippy or cargo_check_all_crates). See logs for details."
-          exit 1
-
  tests:
    name: Tests — ${{ matrix.runner }} - ${{ matrix.target }}
    runs-on: ${{ matrix.runs_on || matrix.runner }}
@@ -470,9 +464,6 @@ jobs:
      USE_SCCACHE: ${{ startsWith(matrix.runner, 'windows') && 'false' || 'true' }}
      CARGO_INCREMENTAL: "0"
      SCCACHE_CACHE_SIZE: 10G
-      # Keep cargo-based CI independent of system bwrap build deps.
-      # The bwrap FFI path is validated in Bazel workflows.
-      CODEX_BWRAP_ENABLE_FFI: "0"

    strategy:
      fail-fast: false
@@ -508,6 +499,15 @@ jobs:

    steps:
      - uses: actions/checkout@v6
+      - name: Install Linux build dependencies
+        if: ${{ runner.os == 'Linux' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          if command -v apt-get >/dev/null 2>&1; then
+            sudo apt-get update -y
+            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev
+          fi
      # Some integration tests rely on DotSlash being installed.
      # See https://github.com/openai/codex/pull/7617.
      - name: Install DotSlash
@@ -583,11 +583,19 @@ jobs:

      - name: tests
        id: test
-        run: cargo nextest run --all-features --no-fail-fast --target ${{ matrix.target }} --cargo-profile ci-test
+        run: cargo nextest run --all-features --no-fail-fast --target ${{ matrix.target }} --cargo-profile ci-test --timings
        env:
          RUST_BACKTRACE: 1
          NEXTEST_STATUS_LEVEL: leak

+      - name: Upload Cargo timings (nextest)
+        if: always()
+        uses: actions/upload-artifact@v6
+        with:
+          name: cargo-timings-rust-ci-nextest-${{ matrix.target }}-${{ matrix.profile }}
+          path: codex-rs/target/**/cargo-timings/cargo-timing.html
+          if-no-files-found: warn
+
      - name: Save cargo home cache
        if: always() && !cancelled() && steps.cache_cargo_home_restore.outputs.cache-hit != 'true'
        continue-on-error: true
--- a/.github/workflows/rust-release-windows.yml
+++ b/.github/workflows/rust-release-windows.yml
@@ -0,0 +1,264 @@
+name: rust-release-windows
+
+on:
+  workflow_call:
+    inputs:
+      release-lto:
+        required: true
+        type: string
+    secrets:
+      AZURE_TRUSTED_SIGNING_CLIENT_ID:
+        required: true
+      AZURE_TRUSTED_SIGNING_TENANT_ID:
+        required: true
+      AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID:
+        required: true
+      AZURE_TRUSTED_SIGNING_ENDPOINT:
+        required: true
+      AZURE_TRUSTED_SIGNING_ACCOUNT_NAME:
+        required: true
+      AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME:
+        required: true
+
+jobs:
+  build-windows-binaries:
+    name: Build Windows binaries - ${{ matrix.runner }} - ${{ matrix.target }} - ${{ matrix.bundle }}
+    runs-on: ${{ matrix.runs_on }}
+    timeout-minutes: 60
+    permissions:
+      contents: read
+    defaults:
+      run:
+        working-directory: codex-rs
+    env:
+      CARGO_PROFILE_RELEASE_LTO: ${{ inputs.release-lto }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: windows-x64
+            target: x86_64-pc-windows-msvc
+            bundle: primary
+            build_args: --bin codex --bin codex-responses-api-proxy
+            runs_on:
+              group: codex-runners
+              labels: codex-windows-x64
+          - runner: windows-arm64
+            target: aarch64-pc-windows-msvc
+            bundle: primary
+            build_args: --bin codex --bin codex-responses-api-proxy
+            runs_on:
+              group: codex-runners
+              labels: codex-windows-arm64
+          - runner: windows-x64
+            target: x86_64-pc-windows-msvc
+            bundle: helpers
+            build_args: --bin codex-windows-sandbox-setup --bin codex-command-runner
+            runs_on:
+              group: codex-runners
+              labels: codex-windows-x64
+          - runner: windows-arm64
+            target: aarch64-pc-windows-msvc
+            bundle: helpers
+            build_args: --bin codex-windows-sandbox-setup --bin codex-command-runner
+            runs_on:
+              group: codex-runners
+              labels: codex-windows-arm64
+
+    steps:
+      - uses: actions/checkout@v6
+      - name: Print runner specs (Windows)
+        shell: powershell
+        run: |
+          $computer = Get-CimInstance Win32_ComputerSystem
+          $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
+          $ramGiB = [math]::Round($computer.TotalPhysicalMemory / 1GB, 1)
+          Write-Host "Runner: $env:RUNNER_NAME"
+          Write-Host "OS: $([System.Environment]::OSVersion.VersionString)"
+          Write-Host "CPU: $($cpu.Name)"
+          Write-Host "Logical CPUs: $($computer.NumberOfLogicalProcessors)"
+          Write-Host "Physical CPUs: $($computer.NumberOfProcessors)"
+          Write-Host "Total RAM: $ramGiB GiB"
+          Write-Host "Disk usage:"
+          Get-PSDrive -PSProvider FileSystem | Format-Table -AutoSize Name, @{Name='Size(GB)';Expression={[math]::Round(($_.Used + $_.Free) / 1GB, 1)}}, @{Name='Free(GB)';Expression={[math]::Round($_.Free / 1GB, 1)}}
+      - uses: dtolnay/rust-toolchain@1.93
+        with:
+          targets: ${{ matrix.target }}
+
+      - name: Cargo build (Windows binaries)
+        shell: bash
+        run: |
+          cargo build --target ${{ matrix.target }} --release --timings ${{ matrix.build_args }}
+
+      - name: Upload Cargo timings
+        uses: actions/upload-artifact@v6
+        with:
+          name: cargo-timings-rust-release-windows-${{ matrix.target }}-${{ matrix.bundle }}
+          path: codex-rs/target/**/cargo-timings/cargo-timing.html
+          if-no-files-found: warn
+
+      - name: Stage Windows binaries
+        shell: bash
+        run: |
+          output_dir="target/${{ matrix.target }}/release/staged-${{ matrix.bundle }}"
+          mkdir -p "$output_dir"
+          if [[ "${{ matrix.bundle }}" == "primary" ]]; then
+            cp target/${{ matrix.target }}/release/codex.exe "$output_dir/codex.exe"
+            cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$output_dir/codex-responses-api-proxy.exe"
+          else
+            cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$output_dir/codex-windows-sandbox-setup.exe"
+            cp target/${{ matrix.target }}/release/codex-command-runner.exe "$output_dir/codex-command-runner.exe"
+          fi
+
+      - name: Upload Windows binaries
+        uses: actions/upload-artifact@v6
+        with:
+          name: windows-binaries-${{ matrix.target }}-${{ matrix.bundle }}
+          path: |
+            codex-rs/target/${{ matrix.target }}/release/staged-${{ matrix.bundle }}/*
+
+  build-windows:
+    needs:
+      - build-windows-binaries
+    name: Build - ${{ matrix.runner }} - ${{ matrix.target }}
+    runs-on: ${{ matrix.runs_on }}
+    timeout-minutes: 60
+    permissions:
+      contents: read
+      id-token: write
+    defaults:
+      run:
+        working-directory: codex-rs
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: windows-x64
+            target: x86_64-pc-windows-msvc
+            runs_on:
+              group: codex-runners
+              labels: codex-windows-x64
+          - runner: windows-arm64
+            target: aarch64-pc-windows-msvc
+            runs_on:
+              group: codex-runners
+              labels: codex-windows-arm64
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Download prebuilt Windows primary binaries
+        uses: actions/download-artifact@v7
+        with:
+          name: windows-binaries-${{ matrix.target }}-primary
+          path: codex-rs/target/${{ matrix.target }}/release
+
+      - name: Download prebuilt Windows helper binaries
+        uses: actions/download-artifact@v7
+        with:
+          name: windows-binaries-${{ matrix.target }}-helpers
+          path: codex-rs/target/${{ matrix.target }}/release
+
+      - name: Verify binaries
+        shell: bash
+        run: |
+          set -euo pipefail
+          ls -lh target/${{ matrix.target }}/release/codex.exe
+          ls -lh target/${{ matrix.target }}/release/codex-responses-api-proxy.exe
+          ls -lh target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe
+          ls -lh target/${{ matrix.target }}/release/codex-command-runner.exe
+
+      - name: Sign Windows binaries with Azure Trusted Signing
+        uses: ./.github/actions/windows-code-sign
+        with:
+          target: ${{ matrix.target }}
+          client-id: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TRUSTED_SIGNING_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID }}
+          endpoint: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
+          account-name: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
+          certificate-profile-name: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME }}
+
+      - name: Stage artifacts
+        shell: bash
+        run: |
+          dest="dist/${{ matrix.target }}"
+          mkdir -p "$dest"
+
+          cp target/${{ matrix.target }}/release/codex.exe "$dest/codex-${{ matrix.target }}.exe"
+          cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$dest/codex-responses-api-proxy-${{ matrix.target }}.exe"
+          cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
+          cp target/${{ matrix.target }}/release/codex-command-runner.exe "$dest/codex-command-runner-${{ matrix.target }}.exe"
+
+      - name: Install DotSlash
+        uses: facebook/install-dotslash@v2
+
+      - name: Compress artifacts
+        shell: bash
+        run: |
+          # Path that contains the uncompressed binaries for the current
+          # ${{ matrix.target }}
+          dest="dist/${{ matrix.target }}"
+          repo_root=$PWD
+
+          # For compatibility with environments that lack the `zstd` tool we
+          # additionally create a `.tar.gz` and `.zip` for every Windows binary.
+          # The end result is:
+          #   codex-<target>.zst
+          #   codex-<target>.tar.gz
+          #   codex-<target>.zip
+          for f in "$dest"/*; do
+            base="$(basename "$f")"
+            # Skip files that are already archives (shouldn't happen, but be
+            # safe).
+            if [[ "$base" == *.tar.gz || "$base" == *.zip || "$base" == *.dmg ]]; then
+              continue
+            fi
+
+            # Don't try to compress signature bundles.
+            if [[ "$base" == *.sigstore ]]; then
+              continue
+            fi
+
+            # Create per-binary tar.gz
+            tar -C "$dest" -czf "$dest/${base}.tar.gz" "$base"
+
+            # Create zip archive for Windows binaries.
+            # Must run from inside the dest dir so 7z won't embed the
+            # directory path inside the zip.
+            if [[ "$base" == "codex-${{ matrix.target }}.exe" ]]; then
+              # Bundle the sandbox helper binaries into the main codex zip so
+              # WinGet installs include the required helpers next to codex.exe.
+              # Fall back to the single-binary zip if the helpers are missing
+              # to avoid breaking releases.
+              bundle_dir="$(mktemp -d)"
+              runner_src="$dest/codex-command-runner-${{ matrix.target }}.exe"
+              setup_src="$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
+              if [[ -f "$runner_src" && -f "$setup_src" ]]; then
+                cp "$dest/$base" "$bundle_dir/$base"
+                cp "$runner_src" "$bundle_dir/codex-command-runner.exe"
+                cp "$setup_src" "$bundle_dir/codex-windows-sandbox-setup.exe"
+                # Use an absolute path so bundle zips land in the real dist
+                # dir even when 7z runs from a temp directory.
+                (cd "$bundle_dir" && 7z a "$repo_root/$dest/${base}.zip" .)
+              else
+                echo "warning: missing sandbox binaries; falling back to single-binary zip"
+                echo "warning: expected $runner_src and $setup_src"
+                (cd "$dest" && 7z a "${base}.zip" "$base")
+              fi
+              rm -rf "$bundle_dir"
+            else
+              (cd "$dest" && 7z a "${base}.zip" "$base")
+            fi
+
+            # Keep raw executables and produce .zst alongside them.
+            "${GITHUB_WORKSPACE}/.github/workflows/zstd" -T0 -19 "$dest/$base"
+          done
+
+      - uses: actions/upload-artifact@v6
+        with:
+          name: ${{ matrix.target }}
+          path: |
+            codex-rs/dist/${{ matrix.target }}/*
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -48,7 +48,7 @@ jobs:
  build:
    needs: tag-check
    name: Build - ${{ matrix.runner }} - ${{ matrix.target }}
-    runs-on: ${{ matrix.runner }}
+    runs-on: ${{ matrix.runs_on || matrix.runner }}
    timeout-minutes: 60
    permissions:
      contents: read
@@ -57,7 +57,7 @@ jobs:
      run:
        working-directory: codex-rs
    env:
-      CODEX_BWRAP_ENABLE_FFI: ${{ contains(matrix.target, 'unknown-linux') && '1' || '0' }}
+      CARGO_PROFILE_RELEASE_LTO: ${{ contains(github.ref_name, '-alpha') && 'thin' || 'fat' }}

    strategy:
      fail-fast: false
@@ -75,13 +75,38 @@ jobs:
            target: aarch64-unknown-linux-musl
          - runner: ubuntu-24.04-arm
            target: aarch64-unknown-linux-gnu
-          - runner: windows-latest
-            target: x86_64-pc-windows-msvc
-          - runner: windows-11-arm
-            target: aarch64-pc-windows-msvc

    steps:
      - uses: actions/checkout@v6
+      - name: Print runner specs (Linux)
+        if: ${{ runner.os == 'Linux' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          cpu_model="$(lscpu | awk -F: '/Model name/ {gsub(/^[ \t]+/, "", $2); print $2; exit}')"
+          total_ram="$(awk '/MemTotal/ {printf "%.1f GiB\n", $2 / 1024 / 1024}' /proc/meminfo)"
+          echo "Runner: ${RUNNER_NAME:-unknown}"
+          echo "OS: $(uname -a)"
+          echo "CPU model: ${cpu_model}"
+          echo "Logical CPUs: $(nproc)"
+          echo "Total RAM: ${total_ram}"
+          echo "Disk usage:"
+          df -h .
+      - name: Print runner specs (macOS)
+        if: ${{ runner.os == 'macOS' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          total_ram="$(sysctl -n hw.memsize | awk '{printf "%.1f GiB\n", $1 / 1024 / 1024 / 1024}')"
+          echo "Runner: ${RUNNER_NAME:-unknown}"
+          echo "OS: $(sw_vers -productName) $(sw_vers -productVersion)"
+          echo "Hardware model: $(sysctl -n hw.model)"
+          echo "CPU architecture: $(uname -m)"
+          echo "Logical CPUs: $(sysctl -n hw.logicalcpu)"
+          echo "Physical CPUs: $(sysctl -n hw.physicalcpu)"
+          echo "Total RAM: ${total_ram}"
+          echo "Disk usage:"
+          df -h .
      - name: Install Linux bwrap build dependencies
        if: ${{ runner.os == 'Linux' }}
        shell: bash
@@ -113,20 +138,6 @@ jobs:
          echo "${cargo_home}/bin" >> "$GITHUB_PATH"
          : > "${cargo_home}/config.toml"

-      - uses: actions/cache@v5
-        with:
-          path: |
-            ~/.cargo/bin/
-            ~/.cargo/registry/index/
-            ~/.cargo/registry/cache/
-            ~/.cargo/git/db/
-            ${{ github.workspace }}/.cargo-home/bin/
-            ${{ github.workspace }}/.cargo-home/registry/index/
-            ${{ github.workspace }}/.cargo-home/registry/cache/
-            ${{ github.workspace }}/.cargo-home/git/db/
-            ${{ github.workspace }}/codex-rs/target/
-          key: cargo-${{ matrix.runner }}-${{ matrix.target }}-release-${{ hashFiles('**/Cargo.lock') }}
-
      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
        name: Install Zig
        uses: mlugg/setup-zig@v2
@@ -194,11 +205,14 @@ jobs:
      - name: Cargo build
        shell: bash
        run: |
-          if [[ "${{ contains(matrix.target, 'windows') }}" == 'true' ]]; then
-            cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy --bin codex-windows-sandbox-setup --bin codex-command-runner
-          else
-            cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy
-          fi
+          cargo build --target ${{ matrix.target }} --release --timings --bin codex --bin codex-responses-api-proxy
+
+      - name: Upload Cargo timings
+        uses: actions/upload-artifact@v6
+        with:
+          name: cargo-timings-rust-release-${{ matrix.target }}
+          path: codex-rs/target/**/cargo-timings/cargo-timing.html
+          if-no-files-found: warn

      - if: ${{ contains(matrix.target, 'linux') }}
        name: Cosign Linux artifacts
@@ -207,18 +221,6 @@ jobs:
          target: ${{ matrix.target }}
          artifacts-dir: ${{ github.workspace }}/codex-rs/target/${{ matrix.target }}/release

-      - if: ${{ contains(matrix.target, 'windows') }}
-        name: Sign Windows binaries with Azure Trusted Signing
-        uses: ./.github/actions/windows-code-sign
-        with:
-          target: ${{ matrix.target }}
-          client-id: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_ID }}
-          tenant-id: ${{ secrets.AZURE_TRUSTED_SIGNING_TENANT_ID }}
-          subscription-id: ${{ secrets.AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID }}
-          endpoint: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
-          account-name: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
-          certificate-profile-name: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME }}
-
      - if: ${{ runner.os == 'macOS' }}
        name: MacOS code signing (binaries)
        uses: ./.github/actions/macos-code-sign
@@ -297,15 +299,8 @@ jobs:
          dest="dist/${{ matrix.target }}"
          mkdir -p "$dest"

-          if [[ "${{ matrix.runner }}" == windows* ]]; then
-            cp target/${{ matrix.target }}/release/codex.exe "$dest/codex-${{ matrix.target }}.exe"
-            cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$dest/codex-responses-api-proxy-${{ matrix.target }}.exe"
-            cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
-            cp target/${{ matrix.target }}/release/codex-command-runner.exe "$dest/codex-command-runner-${{ matrix.target }}.exe"
-          else
-            cp target/${{ matrix.target }}/release/codex "$dest/codex-${{ matrix.target }}"
-            cp target/${{ matrix.target }}/release/codex-responses-api-proxy "$dest/codex-responses-api-proxy-${{ matrix.target }}"
-          fi
+          cp target/${{ matrix.target }}/release/codex "$dest/codex-${{ matrix.target }}"
+          cp target/${{ matrix.target }}/release/codex-responses-api-proxy "$dest/codex-responses-api-proxy-${{ matrix.target }}"

          if [[ "${{ matrix.target }}" == *linux* ]]; then
            cp target/${{ matrix.target }}/release/codex.sigstore "$dest/codex-${{ matrix.target }}.sigstore"
@@ -316,34 +311,18 @@ jobs:
            cp target/${{ matrix.target }}/release/codex-${{ matrix.target }}.dmg "$dest/codex-${{ matrix.target }}.dmg"
          fi

-      - if: ${{ matrix.runner == 'windows-11-arm' }}
-        name: Install zstd
-        shell: powershell
-        run: choco install -y zstandard
-
      - name: Compress artifacts
        shell: bash
        run: |
          # Path that contains the uncompressed binaries for the current
          # ${{ matrix.target }}
          dest="dist/${{ matrix.target }}"
-          repo_root=$PWD
-
-          # We want to ship the raw Windows executables in the GitHub Release
-          # in addition to the compressed archives. Keep the originals for
-          # Windows targets; remove them elsewhere to limit the number of
-          # artifacts that end up in the GitHub Release.
-          keep_originals=false
-          if [[ "${{ matrix.runner }}" == windows* ]]; then
-            keep_originals=true
-          fi

          # For compatibility with environments that lack the `zstd` tool we
-          # additionally create a `.tar.gz` for all platforms and `.zip` for
-          # Windows alongside every single binary that we publish. The end result is:
+          # additionally create a `.tar.gz` alongside every binary we publish.
+          # The end result is:
          #   codex-<target>.zst          (existing)
          #   codex-<target>.tar.gz       (new)
-          #   codex-<target>.zip          (only for Windows)

          # 1. Produce a .tar.gz for every file in the directory *before* we
          #    run `zstd --rm`, because that flag deletes the original files.
@@ -363,43 +342,9 @@ jobs:
            # Create per-binary tar.gz
            tar -C "$dest" -czf "$dest/${base}.tar.gz" "$base"

-            # Create zip archive for Windows binaries
-            # Must run from inside the dest dir so 7z won't
-            # embed the directory path inside the zip.
-            if [[ "${{ matrix.runner }}" == windows* ]]; then
-              if [[ "$base" == "codex-${{ matrix.target }}.exe" ]]; then
-                # Bundle the sandbox helper binaries into the main codex zip so
-                # WinGet installs include the required helpers next to codex.exe.
-                # Fall back to the single-binary zip if the helpers are missing
-                # to avoid breaking releases.
-                bundle_dir="$(mktemp -d)"
-                runner_src="$dest/codex-command-runner-${{ matrix.target }}.exe"
-                setup_src="$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
-                if [[ -f "$runner_src" && -f "$setup_src" ]]; then
-                  cp "$dest/$base" "$bundle_dir/$base"
-                  cp "$runner_src" "$bundle_dir/codex-command-runner.exe"
-                  cp "$setup_src" "$bundle_dir/codex-windows-sandbox-setup.exe"
-                  # Use an absolute path so bundle zips land in the real dist
-                  # dir even when 7z runs from a temp directory.
-                  (cd "$bundle_dir" && 7z a "$repo_root/$dest/${base}.zip" .)
-                else
-                  echo "warning: missing sandbox binaries; falling back to single-binary zip"
-                  echo "warning: expected $runner_src and $setup_src"
-                  (cd "$dest" && 7z a "${base}.zip" "$base")
-                fi
-                rm -rf "$bundle_dir"
-              else
-                (cd "$dest" && 7z a "${base}.zip" "$base")
-              fi
-            fi
-
-            # Also create .zst (existing behaviour) *and* remove the original
-            # uncompressed binary to keep the directory small.
-            zstd_args=(-T0 -19)
-            if [[ "${keep_originals}" == false ]]; then
-              zstd_args+=(--rm)
-            fi
-            zstd "${zstd_args[@]}" "$dest/$base"
+            # Also create .zst and remove the uncompressed binaries to keep
+            # non-Windows artifact directories small.
+            zstd -T0 -19 --rm "$dest/$base"
          done

      - uses: actions/upload-artifact@v6
@@ -410,6 +355,13 @@ jobs:
          path: |
            codex-rs/dist/${{ matrix.target }}/*

+  build-windows:
+    needs: tag-check
+    uses: ./.github/workflows/rust-release-windows.yml
+    with:
+      release-lto: ${{ contains(github.ref_name, '-alpha') && 'thin' || 'fat' }}
+    secrets: inherit
+
  shell-tool-mcp:
    name: shell-tool-mcp
    needs: tag-check
@@ -422,6 +374,7 @@ jobs:
  release:
    needs:
      - build
+      - build-windows
      - shell-tool-mcp
    name: release
    runs-on: ubuntu-latest
@@ -470,6 +423,12 @@ jobs:
      - name: Delete entries from dist/ that should not go in the release
        run: |
          rm -rf dist/shell-tool-mcp*
+          rm -rf dist/windows-binaries*
+          # cargo-timing.html appears under multiple target-specific directories.
+          # If included in files: dist/**, release upload races on duplicate
+          # asset names and can fail with 404s.
+          find dist -type f -name 'cargo-timing.html' -delete
+          find dist -type d -empty -delete

          ls -R dist/

@@ -593,18 +552,20 @@ jobs:
          version="${{ needs.release.outputs.version }}"
          tag="${{ needs.release.outputs.tag }}"
          mkdir -p dist/npm
-          gh release download "$tag" \
-            --repo "${GITHUB_REPOSITORY}" \
-            --pattern "codex-npm-${version}.tgz" \
-            --dir dist/npm
-          gh release download "$tag" \
-            --repo "${GITHUB_REPOSITORY}" \
-            --pattern "codex-responses-api-proxy-npm-${version}.tgz" \
-            --dir dist/npm
-          gh release download "$tag" \
-            --repo "${GITHUB_REPOSITORY}" \
-            --pattern "codex-sdk-npm-${version}.tgz" \
-            --dir dist/npm
+          patterns=(
+            "codex-npm-${version}.tgz"
+            "codex-npm-linux-*-${version}.tgz"
+            "codex-npm-darwin-*-${version}.tgz"
+            "codex-npm-win32-*-${version}.tgz"
+            "codex-responses-api-proxy-npm-${version}.tgz"
+            "codex-sdk-npm-${version}.tgz"
+          )
+          for pattern in "${patterns[@]}"; do
+            gh release download "$tag" \
+              --repo "${GITHUB_REPOSITORY}" \
+              --pattern "$pattern" \
+              --dir dist/npm
+          done

      # No NODE_AUTH_TOKEN needed because we use OIDC.
      - name: Publish to npm
@@ -613,19 +574,44 @@ jobs:
          NPM_TAG: ${{ needs.release.outputs.npm_tag }}
        run: |
          set -euo pipefail
-          tag_args=()
+          prefix=""
          if [[ -n "${NPM_TAG}" ]]; then
-            tag_args+=(--tag "${NPM_TAG}")
+            prefix="${NPM_TAG}-"
          fi

-          tarballs=(
-            "codex-npm-${VERSION}.tgz"
-            "codex-responses-api-proxy-npm-${VERSION}.tgz"
-            "codex-sdk-npm-${VERSION}.tgz"
-          )
+          shopt -s nullglob
+          tarballs=(dist/npm/*-"${VERSION}".tgz)
+          if [[ ${#tarballs[@]} -eq 0 ]]; then
+            echo "No npm tarballs found in dist/npm for version ${VERSION}"
+            exit 1
+          fi

          for tarball in "${tarballs[@]}"; do
-            npm publish "${GITHUB_WORKSPACE}/dist/npm/${tarball}" "${tag_args[@]}"
+            filename="$(basename "${tarball}")"
+            tag=""
+
+            case "${filename}" in
+              codex-npm-linux-*-"${VERSION}".tgz|codex-npm-darwin-*-"${VERSION}".tgz|codex-npm-win32-*-"${VERSION}".tgz)
+                platform="${filename#codex-npm-}"
+                platform="${platform%-${VERSION}.tgz}"
+                tag="${prefix}${platform}"
+                ;;
+              codex-npm-"${VERSION}".tgz|codex-responses-api-proxy-npm-"${VERSION}".tgz|codex-sdk-npm-"${VERSION}".tgz)
+                tag="${NPM_TAG}"
+                ;;
+              *)
+                echo "Unexpected npm tarball: ${filename}"
+                exit 1
+                ;;
+            esac
+
+            publish_cmd=(npm publish "${GITHUB_WORKSPACE}/${tarball}")
+            if [[ -n "${tag}" ]]; then
+              publish_cmd+=(--tag "${tag}")
+            fi
+
+            echo "+ ${publish_cmd[*]}"
+            "${publish_cmd[@]}"
          done

  update-branch:
--- a/.github/workflows/sdk.yml
+++ b/.github/workflows/sdk.yml
@@ -13,6 +13,13 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@v6

+      - name: Install Linux bwrap build dependencies
+        shell: bash
+        run: |
+          set -euo pipefail
+          sudo apt-get update -y
+          sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev
+
      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
--- a/.github/workflows/shell-tool-mcp.yml
+++ b/.github/workflows/shell-tool-mcp.yml
@@ -72,6 +72,8 @@ jobs:
    needs: metadata
    runs-on: ${{ matrix.runner }}
    timeout-minutes: 30
+    env:
+      CARGO_PROFILE_RELEASE_LTO: ${{ contains(needs.metadata.outputs.version, '-alpha') && 'thin' || 'fat' }}
    defaults:
      run:
        working-directory: codex-rs
--- a/.github/workflows/zstd
+++ b/.github/workflows/zstd
@@ -0,0 +1,46 @@
+#!/usr/bin/env dotslash
+
+// This DotSlash file wraps zstd for Windows runners.
+// The upstream release provides win32/win64 binaries; for windows-aarch64 we
+// use the win64 artifact via Windows x64 emulation.
+{
+  "name": "zstd",
+  "platforms": {
+    "windows-x86_64": {
+      "size": 1747181,
+      "hash": "sha256",
+      "digest": "acb4e8111511749dc7a3ebedca9b04190e37a17afeb73f55d4425dbf0b90fad9",
+      "format": "zip",
+      "path": "zstd-v1.5.7-win64/zstd.exe",
+      "providers": [
+        {
+          "url": "https://github.com/facebook/zstd/releases/download/v1.5.7/zstd-v1.5.7-win64.zip"
+        },
+        {
+          "type": "github-release",
+          "repo": "facebook/zstd",
+          "tag": "v1.5.7",
+          "name": "zstd-v1.5.7-win64.zip"
+        }
+      ]
+    },
+    "windows-aarch64": {
+      "size": 1747181,
+      "hash": "sha256",
+      "digest": "acb4e8111511749dc7a3ebedca9b04190e37a17afeb73f55d4425dbf0b90fad9",
+      "format": "zip",
+      "path": "zstd-v1.5.7-win64/zstd.exe",
+      "providers": [
+        {
+          "url": "https://github.com/facebook/zstd/releases/download/v1.5.7/zstd-v1.5.7-win64.zip"
+        },
+        {
+          "type": "github-release",
+          "repo": "facebook/zstd",
+          "tag": "v1.5.7",
+          "name": "zstd-v1.5.7-win64.zip"
+        }
+      ]
+    }
+  }
+}
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -96,6 +96,7 @@ crate.annotation(
 inject_repo(crate, "zstd")

 bazel_dep(name = "bzip2", version = "1.0.8.bcr.3")
+bazel_dep(name = "libcap", version = "2.27.bcr.1")

 crate.annotation(
    crate = "bzip2-sys",
--- a/MODULE.bazel.lock
+++ b/MODULE.bazel.lock
@@ -82,6 +82,8 @@
    "https://bcr.bazel.build/modules/jsoncpp/1.9.5/MODULE.bazel": "31271aedc59e815656f5736f282bb7509a97c7ecb43e927ac1a37966e0578075",
    "https://bcr.bazel.build/modules/jsoncpp/1.9.6/MODULE.bazel": "2f8d20d3b7d54143213c4dfc3d98225c42de7d666011528dc8fe91591e2e17b0",
    "https://bcr.bazel.build/modules/jsoncpp/1.9.6/source.json": "a04756d367a2126c3541682864ecec52f92cdee80a35735a3cb249ce015ca000",
+    "https://bcr.bazel.build/modules/libcap/2.27.bcr.1/MODULE.bazel": "7c034d7a4d92b2293294934377f5d1cbc88119710a11079fa8142120f6f08768",
+    "https://bcr.bazel.build/modules/libcap/2.27.bcr.1/source.json": "3b116cbdbd25a68ffb587b672205f6d353a4c19a35452e480d58fc89531e0a10",
    "https://bcr.bazel.build/modules/libpfm/4.11.0/MODULE.bazel": "45061ff025b301940f1e30d2c16bea596c25b176c8b6b3087e92615adbd52902",
    "https://bcr.bazel.build/modules/nlohmann_json/3.6.1/MODULE.bazel": "6f7b417dcc794d9add9e556673ad25cb3ba835224290f4f848f8e2db1e1fca74",
    "https://bcr.bazel.build/modules/nlohmann_json/3.6.1/source.json": "f448c6e8963fdfa7eb831457df83ad63d3d6355018f6574fb017e8169deb43a9",
@@ -204,6 +206,8 @@
    "https://bcr.bazel.build/modules/rules_swift/2.4.0/MODULE.bazel": "1639617eb1ede28d774d967a738b4a68b0accb40650beadb57c21846beab5efd",
    "https://bcr.bazel.build/modules/rules_swift/3.1.2/MODULE.bazel": "72c8f5cf9d26427cee6c76c8e3853eb46ce6b0412a081b2b6db6e8ad56267400",
    "https://bcr.bazel.build/modules/rules_swift/3.1.2/source.json": "e85761f3098a6faf40b8187695e3de6d97944e98abd0d8ce579cb2daf6319a66",
+    "https://bcr.bazel.build/modules/sed/4.9.bcr.3/MODULE.bazel": "3aca45895b85b6ef65366cc12a45217ba6870f8931d2d62e09c99c772d9736ab",
+    "https://bcr.bazel.build/modules/sed/4.9.bcr.3/source.json": "31c0cf4c135ed3fa58298cd7bcfd4301c54ea4cf59d7c4e2ea0a180ce68eb34f",
    "https://bcr.bazel.build/modules/stardoc/0.5.1/MODULE.bazel": "1a05d92974d0c122f5ccf09291442580317cdd859f07a8655f1db9a60374f9f8",
    "https://bcr.bazel.build/modules/stardoc/0.5.3/MODULE.bazel": "c7f6948dae6999bf0db32c1858ae345f112cacf98f174c7a8bb707e41b974f1c",
    "https://bcr.bazel.build/modules/stardoc/0.6.2/MODULE.bazel": "7060193196395f5dd668eda046ccbeacebfd98efc77fed418dbe2b82ffaa39fd",
@@ -608,6 +612,10 @@
      "arrayvec_0.7.6": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"bencher\",\"req\":\"^0.1.4\"},{\"default_features\":false,\"name\":\"borsh\",\"optional\":true,\"req\":\"^1.2.0\"},{\"kind\":\"dev\",\"name\":\"matches\",\"req\":\"^0.1\"},{\"default_features\":false,\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0\"},{\"kind\":\"dev\",\"name\":\"serde_test\",\"req\":\"^1.0\"},{\"default_features\":false,\"name\":\"zeroize\",\"optional\":true,\"req\":\"^1.4\"}],\"features\":{\"default\":[\"std\"],\"std\":[]}}",
      "ascii-canvas_3.0.0": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"diff\",\"req\":\"^0.1\"},{\"name\":\"term\",\"req\":\"^0.7\"}],\"features\":{}}",
      "ascii_1.1.0": "{\"dependencies\":[{\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0.25\"},{\"name\":\"serde_test\",\"optional\":true,\"req\":\"^1.0\"}],\"features\":{\"alloc\":[],\"default\":[\"std\"],\"std\":[\"alloc\"]}}",
+      "askama_0.15.4": "{\"dependencies\":[{\"default_features\":false,\"name\":\"askama_macros\",\"optional\":true,\"req\":\"=0.15.4\"},{\"kind\":\"dev\",\"name\":\"assert_matches\",\"req\":\"^1.5.0\"},{\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"^0.8\"},{\"name\":\"itoa\",\"req\":\"^1.0.11\"},{\"default_features\":false,\"name\":\"percent-encoding\",\"optional\":true,\"req\":\"^2.1.0\"},{\"default_features\":false,\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0\"},{\"default_features\":false,\"name\":\"serde_json\",\"optional\":true,\"req\":\"^1.0\"}],\"features\":{\"alloc\":[\"askama_macros?/alloc\",\"serde?/alloc\",\"serde_json?/alloc\",\"percent-encoding?/alloc\"],\"code-in-doc\":[\"askama_macros?/code-in-doc\"],\"config\":[\"askama_macros?/config\"],\"default\":[\"config\",\"derive\",\"std\",\"urlencode\"],\"derive\":[\"dep:askama_macros\",\"dep:askama_macros\"],\"full\":[\"default\",\"code-in-doc\",\"serde_json\"],\"nightly-spans\":[\"askama_macros/nightly-spans\"],\"serde_json\":[\"std\",\"askama_macros?/serde_json\",\"dep:serde\",\"dep:serde_json\"],\"std\":[\"alloc\",\"askama_macros?/std\",\"serde?/std\",\"serde_json?/std\",\"percent-encoding?/std\"],\"urlencode\":[\"askama_macros?/urlencode\",\"dep:percent-encoding\"]}}",
+      "askama_derive_0.15.4": "{\"dependencies\":[{\"name\":\"basic-toml\",\"optional\":true,\"req\":\"^0.1.1\"},{\"kind\":\"dev\",\"name\":\"console\",\"req\":\"^0.16.0\"},{\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"^0.8\"},{\"name\":\"memchr\",\"req\":\"^2\"},{\"name\":\"parser\",\"package\":\"askama_parser\",\"req\":\"=0.15.4\"},{\"kind\":\"dev\",\"name\":\"prettyplease\",\"req\":\"^0.2.20\"},{\"default_features\":false,\"name\":\"proc-macro2\",\"req\":\"^1\"},{\"default_features\":false,\"name\":\"pulldown-cmark\",\"optional\":true,\"req\":\"^0.13.0\"},{\"default_features\":false,\"name\":\"quote\",\"req\":\"^1\"},{\"name\":\"rustc-hash\",\"req\":\"^2.0.0\"},{\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0\"},{\"name\":\"serde_derive\",\"optional\":true,\"req\":\"^1.0\"},{\"kind\":\"dev\",\"name\":\"similar\",\"req\":\"^2.6.0\"},{\"default_features\":false,\"features\":[\"clone-impls\",\"derive\",\"full\",\"parsing\",\"printing\"],\"name\":\"syn\",\"req\":\"^2.0.3\"}],\"features\":{\"alloc\":[],\"code-in-doc\":[\"dep:pulldown-cmark\"],\"config\":[\"external-sources\",\"dep:basic-toml\",\"dep:serde\",\"dep:serde_derive\",\"parser/config\"],\"default\":[\"alloc\",\"code-in-doc\",\"config\",\"external-sources\",\"proc-macro\",\"serde_json\",\"std\",\"urlencode\"],\"external-sources\":[],\"nightly-spans\":[],\"proc-macro\":[\"proc-macro2/proc-macro\"],\"serde_json\":[],\"std\":[\"alloc\"],\"urlencode\":[]}}",
+      "askama_macros_0.15.4": "{\"dependencies\":[{\"default_features\":false,\"features\":[\"external-sources\",\"proc-macro\"],\"name\":\"askama_derive\",\"package\":\"askama_derive\",\"req\":\"=0.15.4\"}],\"features\":{\"alloc\":[\"askama_derive/alloc\"],\"code-in-doc\":[\"askama_derive/code-in-doc\"],\"config\":[\"askama_derive/config\"],\"default\":[\"config\",\"derive\",\"std\",\"urlencode\"],\"derive\":[],\"full\":[\"default\",\"code-in-doc\",\"serde_json\"],\"nightly-spans\":[\"askama_derive/nightly-spans\"],\"serde_json\":[\"askama_derive/serde_json\"],\"std\":[\"askama_derive/std\"],\"urlencode\":[\"askama_derive/urlencode\"]}}",
+      "askama_parser_0.15.4": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"^0.8\"},{\"name\":\"rustc-hash\",\"req\":\"^2.0.0\"},{\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0\"},{\"name\":\"serde_derive\",\"optional\":true,\"req\":\"^1.0\"},{\"name\":\"unicode-ident\",\"req\":\"^1.0.12\"},{\"features\":[\"simd\"],\"name\":\"winnow\",\"req\":\"^0.7.0\"}],\"features\":{\"config\":[\"dep:serde\",\"dep:serde_derive\"]}}",
      "asn1-rs-derive_0.6.0": "{\"dependencies\":[{\"name\":\"proc-macro2\",\"req\":\"^1.0\"},{\"name\":\"quote\",\"req\":\"^1.0\"},{\"features\":[\"full\"],\"name\":\"syn\",\"req\":\"^2.0\"},{\"name\":\"synstructure\",\"req\":\"^0.13\"}],\"features\":{}}",
      "asn1-rs-impl_0.2.0": "{\"dependencies\":[{\"name\":\"proc-macro2\",\"req\":\"^1\"},{\"name\":\"quote\",\"req\":\"^1\"},{\"name\":\"syn\",\"req\":\"^2.0\"}],\"features\":{}}",
      "asn1-rs_0.7.1": "{\"dependencies\":[{\"name\":\"asn1-rs-derive\",\"req\":\"^0.6\"},{\"name\":\"asn1-rs-impl\",\"req\":\"^0.2\"},{\"name\":\"bitvec\",\"optional\":true,\"req\":\"^1.0\"},{\"name\":\"colored\",\"optional\":true,\"req\":\"^3.0\"},{\"kind\":\"dev\",\"name\":\"colored\",\"req\":\"^3.0\"},{\"name\":\"cookie-factory\",\"optional\":true,\"req\":\"^0.3.0\"},{\"name\":\"displaydoc\",\"req\":\"^0.2.2\"},{\"kind\":\"dev\",\"name\":\"hex-literal\",\"req\":\"^0.4\"},{\"default_features\":false,\"features\":[\"std\"],\"name\":\"nom\",\"req\":\"^7.0\"},{\"name\":\"num-bigint\",\"optional\":true,\"req\":\"^0.4\"},{\"name\":\"num-traits\",\"req\":\"^0.2.14\"},{\"kind\":\"dev\",\"name\":\"pem\",\"req\":\"^3.0\"},{\"name\":\"rusticata-macros\",\"req\":\"^4.0\"},{\"name\":\"thiserror\",\"req\":\"^2.0.0\"},{\"features\":[\"macros\",\"parsing\",\"formatting\"],\"name\":\"time\",\"optional\":true,\"req\":\"^0.3\"},{\"kind\":\"dev\",\"name\":\"trybuild\",\"req\":\"^1.0\"}],\"features\":{\"bigint\":[\"num-bigint\"],\"bits\":[\"bitvec\"],\"datetime\":[\"time\"],\"debug\":[\"std\",\"colored\"],\"default\":[\"std\"],\"serialize\":[\"cookie-factory\"],\"std\":[],\"trace\":[\"debug\"]}}",
--- a/3
+++ b/3
@@ -4,3 +4,6 @@ Copyright 2025 OpenAI
 This project includes code derived from [Ratatui](https://github.com/ratatui/ratatui), licensed under the MIT license.
 Copyright (c) 2016-2022 Florian Dehau
 Copyright (c) 2023-2025 The Ratatui Developers
+
+This project includes Meriyah parser assets from [meriyah](https://github.com/meriyah/meriyah), licensed under the ISC license.
+Copyright (c) 2019 and later, KFlash and others.
--- a/codex-cli/bin/codex.js
+++ b/codex-cli/bin/codex.js
@@ -3,12 +3,23 @@

 import { spawn } from "node:child_process";
 import { existsSync } from "fs";
+import { createRequire } from "node:module";
 import path from "path";
 import { fileURLToPath } from "url";

 // __dirname equivalent in ESM
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
+const require = createRequire(import.meta.url);
+
+const PLATFORM_PACKAGE_BY_TARGET = {
+  "x86_64-unknown-linux-musl": "@openai/codex-linux-x64",
+  "aarch64-unknown-linux-musl": "@openai/codex-linux-arm64",
+  "x86_64-apple-darwin": "@openai/codex-darwin-x64",
+  "aarch64-apple-darwin": "@openai/codex-darwin-arm64",
+  "x86_64-pc-windows-msvc": "@openai/codex-win32-x64",
+  "aarch64-pc-windows-msvc": "@openai/codex-win32-arm64",
+};

 const { platform, arch } = process;

@@ -59,9 +70,51 @@ if (!targetTriple) {
  throw new Error(`Unsupported platform: ${platform} (${arch})`);
 }

-const vendorRoot = path.join(__dirname, "..", "vendor");
-const archRoot = path.join(vendorRoot, targetTriple);
+const platformPackage = PLATFORM_PACKAGE_BY_TARGET[targetTriple];
+if (!platformPackage) {
+  throw new Error(`Unsupported target triple: ${targetTriple}`);
+}
+
 const codexBinaryName = process.platform === "win32" ? "codex.exe" : "codex";
+const localVendorRoot = path.join(__dirname, "..", "vendor");
+const localBinaryPath = path.join(
+  localVendorRoot,
+  targetTriple,
+  "codex",
+  codexBinaryName,
+);
+
+let vendorRoot;
+try {
+  const packageJsonPath = require.resolve(`${platformPackage}/package.json`);
+  vendorRoot = path.join(path.dirname(packageJsonPath), "vendor");
+} catch {
+  if (existsSync(localBinaryPath)) {
+    vendorRoot = localVendorRoot;
+  } else {
+    const packageManager = detectPackageManager();
+    const updateCommand =
+      packageManager === "bun"
+        ? "bun install -g @openai/codex@latest"
+        : "npm install -g @openai/codex@latest";
+    throw new Error(
+      `Missing optional dependency ${platformPackage}. Reinstall Codex: ${updateCommand}`,
+    );
+  }
+}
+
+if (!vendorRoot) {
+  const packageManager = detectPackageManager();
+  const updateCommand =
+    packageManager === "bun"
+      ? "bun install -g @openai/codex@latest"
+      : "npm install -g @openai/codex@latest";
+  throw new Error(
+    `Missing optional dependency ${platformPackage}. Reinstall Codex: ${updateCommand}`,
+  );
+}
+
+const archRoot = path.join(vendorRoot, targetTriple);
 const binaryPath = path.join(archRoot, "codex", codexBinaryName);

 // Use an asynchronous spawn instead of spawnSync so that Node is able to
--- a/codex-cli/scripts/README.md
+++ b/codex-cli/scripts/README.md
@@ -14,6 +14,10 @@ example, to stage the CLI, responses proxy, and SDK packages for version `0.6.0`
 This downloads the native artifacts once, hydrates `vendor/` for each package, and writes
 tarballs to `dist/npm/`.

+When `--package codex` is provided, the staging helper builds the lightweight
+`@openai/codex` meta package plus all platform-native `@openai/codex` variants
+that are later published under platform-specific dist-tags.
+
 If you need to invoke `build_npm_package.py` directly, run
 `codex-cli/scripts/install_native_deps.py` first and pass `--vendor-src` pointing to the
 directory that contains the populated `vendor/` tree.
--- a/codex-cli/scripts/build_npm_package.py
+++ b/codex-cli/scripts/build_npm_package.py
@@ -14,15 +14,78 @@ CODEX_CLI_ROOT = SCRIPT_DIR.parent
 REPO_ROOT = CODEX_CLI_ROOT.parent
 RESPONSES_API_PROXY_NPM_ROOT = REPO_ROOT / "codex-rs" / "responses-api-proxy" / "npm"
 CODEX_SDK_ROOT = REPO_ROOT / "sdk" / "typescript"
+CODEX_NPM_NAME = "@openai/codex"
+
+# `npm_name` is the local optional-dependency alias consumed by `bin/codex.js`.
+# The underlying package published to npm is always `@openai/codex`.
+CODEX_PLATFORM_PACKAGES: dict[str, dict[str, str]] = {
+    "codex-linux-x64": {
+        "npm_name": "@openai/codex-linux-x64",
+        "npm_tag": "linux-x64",
+        "target_triple": "x86_64-unknown-linux-musl",
+        "os": "linux",
+        "cpu": "x64",
+    },
+    "codex-linux-arm64": {
+        "npm_name": "@openai/codex-linux-arm64",
+        "npm_tag": "linux-arm64",
+        "target_triple": "aarch64-unknown-linux-musl",
+        "os": "linux",
+        "cpu": "arm64",
+    },
+    "codex-darwin-x64": {
+        "npm_name": "@openai/codex-darwin-x64",
+        "npm_tag": "darwin-x64",
+        "target_triple": "x86_64-apple-darwin",
+        "os": "darwin",
+        "cpu": "x64",
+    },
+    "codex-darwin-arm64": {
+        "npm_name": "@openai/codex-darwin-arm64",
+        "npm_tag": "darwin-arm64",
+        "target_triple": "aarch64-apple-darwin",
+        "os": "darwin",
+        "cpu": "arm64",
+    },
+    "codex-win32-x64": {
+        "npm_name": "@openai/codex-win32-x64",
+        "npm_tag": "win32-x64",
+        "target_triple": "x86_64-pc-windows-msvc",
+        "os": "win32",
+        "cpu": "x64",
+    },
+    "codex-win32-arm64": {
+        "npm_name": "@openai/codex-win32-arm64",
+        "npm_tag": "win32-arm64",
+        "target_triple": "aarch64-pc-windows-msvc",
+        "os": "win32",
+        "cpu": "arm64",
+    },
+}
+
+PACKAGE_EXPANSIONS: dict[str, list[str]] = {
+    "codex": ["codex", *CODEX_PLATFORM_PACKAGES],
+}

 PACKAGE_NATIVE_COMPONENTS: dict[str, list[str]] = {
-    "codex": ["codex", "rg"],
+    "codex": [],
+    "codex-linux-x64": ["codex", "rg"],
+    "codex-linux-arm64": ["codex", "rg"],
+    "codex-darwin-x64": ["codex", "rg"],
+    "codex-darwin-arm64": ["codex", "rg"],
+    "codex-win32-x64": ["codex", "rg", "codex-windows-sandbox-setup", "codex-command-runner"],
+    "codex-win32-arm64": ["codex", "rg", "codex-windows-sandbox-setup", "codex-command-runner"],
    "codex-responses-api-proxy": ["codex-responses-api-proxy"],
-    "codex-sdk": ["codex"],
+    "codex-sdk": [],
 }
-WINDOWS_ONLY_COMPONENTS: dict[str, list[str]] = {
-    "codex": ["codex-windows-sandbox-setup", "codex-command-runner"],
+
+PACKAGE_TARGET_FILTERS: dict[str, str] = {
+    package_name: package_config["target_triple"]
+    for package_name, package_config in CODEX_PLATFORM_PACKAGES.items()
 }
+
+PACKAGE_CHOICES = tuple(PACKAGE_NATIVE_COMPONENTS)
+
 COMPONENT_DEST_DIR: dict[str, str] = {
    "codex": "codex",
    "codex-responses-api-proxy": "codex-responses-api-proxy",
@@ -36,7 +99,7 @@ def parse_args() -> argparse.Namespace:
    parser = argparse.ArgumentParser(description="Build or stage the Codex CLI npm package.")
    parser.add_argument(
        "--package",
-        choices=("codex", "codex-responses-api-proxy", "codex-sdk"),
+        choices=PACKAGE_CHOICES,
        default="codex",
        help="Which npm package to stage (default: codex).",
    )
@@ -98,6 +161,7 @@ def main() -> int:

        vendor_src = args.vendor_src.resolve() if args.vendor_src else None
        native_components = PACKAGE_NATIVE_COMPONENTS.get(package, [])
+        target_filter = PACKAGE_TARGET_FILTERS.get(package)

        if native_components:
            if vendor_src is None:
@@ -108,7 +172,12 @@ def main() -> int:
                    "pointing to a directory containing pre-installed binaries."
                )

-            copy_native_binaries(vendor_src, staging_dir, package, native_components)
+            copy_native_binaries(
+                vendor_src,
+                staging_dir,
+                native_components,
+                target_filter={target_filter} if target_filter else None,
+            )

        if release_version:
            staging_dir_str = str(staging_dir)
@@ -125,12 +194,17 @@ def main() -> int:
                    "Verify the responses API proxy:\n"
                    f"    node {staging_dir_str}/bin/codex-responses-api-proxy.js --help\n\n"
                )
+            elif package in CODEX_PLATFORM_PACKAGES:
+                print(
+                    f"Staged version {version} for release in {staging_dir_str}\n\n"
+                    "Verify native payload contents:\n"
+                    f"    ls {staging_dir_str}/vendor\n\n"
+                )
            else:
                print(
                    f"Staged version {version} for release in {staging_dir_str}\n\n"
                    "Verify the SDK contents:\n"
                    f"    ls {staging_dir_str}/dist\n"
-                    f"    ls {staging_dir_str}/vendor\n"
                    "    node -e \"import('./dist/index.js').then(() => console.log('ok'))\"\n\n"
                )
        else:
@@ -160,6 +234,9 @@ def prepare_staging_dir(staging_dir: Path | None) -> tuple[Path, bool]:


 def stage_sources(staging_dir: Path, version: str, package: str) -> None:
+    package_json: dict
+    package_json_path: Path | None = None
+
    if package == "codex":
        bin_dir = staging_dir / "bin"
        bin_dir.mkdir(parents=True, exist_ok=True)
@@ -173,6 +250,35 @@ def stage_sources(staging_dir: Path, version: str, package: str) -> None:
            shutil.copy2(readme_src, staging_dir / "README.md")

        package_json_path = CODEX_CLI_ROOT / "package.json"
+    elif package in CODEX_PLATFORM_PACKAGES:
+        platform_package = CODEX_PLATFORM_PACKAGES[package]
+        platform_npm_tag = platform_package["npm_tag"]
+        platform_version = compute_platform_package_version(version, platform_npm_tag)
+
+        readme_src = REPO_ROOT / "README.md"
+        if readme_src.exists():
+            shutil.copy2(readme_src, staging_dir / "README.md")
+
+        with open(CODEX_CLI_ROOT / "package.json", "r", encoding="utf-8") as fh:
+            codex_package_json = json.load(fh)
+
+        package_json = {
+            "name": CODEX_NPM_NAME,
+            "version": platform_version,
+            "license": codex_package_json.get("license", "Apache-2.0"),
+            "os": [platform_package["os"]],
+            "cpu": [platform_package["cpu"]],
+            "files": ["vendor"],
+            "repository": codex_package_json.get("repository"),
+        }
+
+        engines = codex_package_json.get("engines")
+        if isinstance(engines, dict):
+            package_json["engines"] = engines
+
+        package_manager = codex_package_json.get("packageManager")
+        if isinstance(package_manager, str):
+            package_json["packageManager"] = package_manager
    elif package == "codex-responses-api-proxy":
        bin_dir = staging_dir / "bin"
        bin_dir.mkdir(parents=True, exist_ok=True)
@@ -190,27 +296,44 @@ def stage_sources(staging_dir: Path, version: str, package: str) -> None:
    else:
        raise RuntimeError(f"Unknown package '{package}'.")

-    with open(package_json_path, "r", encoding="utf-8") as fh:
-        package_json = json.load(fh)
-    package_json["version"] = version
+    if package_json_path is not None:
+        with open(package_json_path, "r", encoding="utf-8") as fh:
+            package_json = json.load(fh)
+        package_json["version"] = version

-    if package == "codex-sdk":
+    if package == "codex":
+        package_json["files"] = ["bin"]
+        package_json["optionalDependencies"] = {
+            CODEX_PLATFORM_PACKAGES[platform_package]["npm_name"]: (
+                f"npm:{CODEX_NPM_NAME}@"
+                f"{compute_platform_package_version(version, CODEX_PLATFORM_PACKAGES[platform_package]['npm_tag'])}"
+            )
+            for platform_package in PACKAGE_EXPANSIONS["codex"]
+            if platform_package != "codex"
+        }
+
+    elif package == "codex-sdk":
        scripts = package_json.get("scripts")
        if isinstance(scripts, dict):
            scripts.pop("prepare", None)

-        files = package_json.get("files")
-        if isinstance(files, list):
-            if "vendor" not in files:
-                files.append("vendor")
-        else:
-            package_json["files"] = ["dist", "vendor"]
+        dependencies = package_json.get("dependencies")
+        if not isinstance(dependencies, dict):
+            dependencies = {}
+        dependencies[CODEX_NPM_NAME] = version
+        package_json["dependencies"] = dependencies

    with open(staging_dir / "package.json", "w", encoding="utf-8") as out:
        json.dump(package_json, out, indent=2)
        out.write("\n")


+def compute_platform_package_version(version: str, platform_tag: str) -> str:
+    # npm forbids republishing the same package name/version, so each
+    # platform-specific tarball needs a unique version string.
+    return f"{version}-{platform_tag}"
+
+
 def run_command(cmd: list[str], cwd: Path | None = None) -> None:
    print("+", " ".join(cmd))
    subprocess.run(cmd, cwd=cwd, check=True)
@@ -240,8 +363,8 @@ def stage_codex_sdk_sources(staging_dir: Path) -> None:
 def copy_native_binaries(
    vendor_src: Path,
    staging_dir: Path,
-    package: str,
    components: list[str],
+    target_filter: set[str] | None = None,
 ) -> None:
    vendor_src = vendor_src.resolve()
    if not vendor_src.exists():
@@ -256,15 +379,18 @@ def copy_native_binaries(
        shutil.rmtree(vendor_dest)
    vendor_dest.mkdir(parents=True, exist_ok=True)

+    copied_targets: set[str] = set()
+
    for target_dir in vendor_src.iterdir():
        if not target_dir.is_dir():
            continue

-        if "windows" in target_dir.name:
-            components_set.update(WINDOWS_ONLY_COMPONENTS.get(package, []))
+        if target_filter is not None and target_dir.name not in target_filter:
+            continue

        dest_target_dir = vendor_dest / target_dir.name
        dest_target_dir.mkdir(parents=True, exist_ok=True)
+        copied_targets.add(target_dir.name)

        for component in components_set:
            dest_dir_name = COMPONENT_DEST_DIR.get(component)
@@ -282,6 +408,12 @@ def copy_native_binaries(
                shutil.rmtree(dest_component_dir)
            shutil.copytree(src_component_dir, dest_component_dir)

+    if target_filter is not None:
+        missing_targets = sorted(target_filter - copied_targets)
+        if missing_targets:
+            missing_list = ", ".join(missing_targets)
+            raise RuntimeError(f"Missing target directories in vendor source: {missing_list}")
+

 def run_npm_pack(staging_dir: Path, output_path: Path) -> Path:
    output_path = output_path.resolve()
--- a/codex-rs/BUILD.bazel
+++ b/codex-rs/BUILD.bazel
@@ -1 +1,3 @@
-
+exports_files([
+    "node-version.txt",
+])
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -458,6 +458,58 @@ dependencies = [
 "term",
 ]

+[[package]]
+name = "askama"
+version = "0.15.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "08e1676b346cadfec169374f949d7490fd80a24193d37d2afce0c047cf695e57"
+dependencies = [
+ "askama_macros",
+ "itoa",
+ "percent-encoding",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "askama_derive"
+version = "0.15.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7661ff56517787343f376f75db037426facd7c8d3049cef8911f1e75016f3a37"
+dependencies = [
+ "askama_parser",
+ "basic-toml",
+ "memchr",
+ "proc-macro2",
+ "quote",
+ "rustc-hash 2.1.1",
+ "serde",
+ "serde_derive",
+ "syn 2.0.114",
+]
+
+[[package]]
+name = "askama_macros"
+version = "0.15.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "713ee4dbfd1eb719c2dab859465b01fa1d21cb566684614a713a6b7a99a4e47b"
+dependencies = [
+ "askama_derive",
+]
+
+[[package]]
+name = "askama_parser"
+version = "0.15.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d62d674238a526418b30c0def480d5beadb9d8964e7f38d635b03bf639c704c"
+dependencies = [
+ "rustc-hash 2.1.1",
+ "serde",
+ "serde_derive",
+ "unicode-ident",
+ "winnow",
+]
+
 [[package]]
 name = "asn1-rs"
 version = "0.7.1"
@@ -1302,7 +1354,6 @@ dependencies = [
 "codex-backend-client",
 "codex-chatgpt",
 "codex-cloud-requirements",
- "codex-common",
 "codex-core",
 "codex-execpolicy",
 "codex-feedback",
@@ -1312,6 +1363,7 @@ dependencies = [
 "codex-rmcp-client",
 "codex-utils-absolute-path",
 "codex-utils-cargo-bin",
+ "codex-utils-cli",
 "codex-utils-json-to-toml",
 "core_test_support",
 "futures",
@@ -1438,10 +1490,10 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "clap",
- "codex-common",
 "codex-core",
 "codex-git",
 "codex-utils-cargo-bin",
+ "codex-utils-cli",
 "pretty_assertions",
 "serde",
 "serde_json",
@@ -1465,7 +1517,6 @@ dependencies = [
 "codex-arg0",
 "codex-chatgpt",
 "codex-cloud-tasks",
- "codex-common",
 "codex-core",
 "codex-exec",
 "codex-execpolicy",
@@ -1477,6 +1528,7 @@ dependencies = [
 "codex-stdio-to-uds",
 "codex-tui",
 "codex-utils-cargo-bin",
+ "codex-utils-cli",
 "codex-windows-sandbox",
 "libc",
 "owo-colors",
@@ -1520,13 +1572,18 @@ version = "0.0.0"
 dependencies = [
 "async-trait",
 "base64 0.22.1",
+ "chrono",
 "codex-backend-client",
 "codex-core",
 "codex-otel",
 "codex-protocol",
+ "hmac",
 "pretty_assertions",
+ "serde",
 "serde_json",
+ "sha2",
 "tempfile",
+ "thiserror 2.0.18",
 "tokio",
 "toml 0.9.11+spec-1.1.0",
 "tracing",
@@ -1542,10 +1599,10 @@ dependencies = [
 "chrono",
 "clap",
 "codex-cloud-tasks-client",
- "codex-common",
 "codex-core",
 "codex-login",
 "codex-tui",
+ "codex-utils-cli",
 "crossterm",
 "owo-colors",
 "pretty_assertions",
@@ -1577,17 +1634,22 @@ dependencies = [
 ]

 [[package]]
-name = "codex-common"
+name = "codex-config"
 version = "0.0.0"
 dependencies = [
- "clap",
- "codex-core",
- "codex-lmstudio",
- "codex-ollama",
+ "anyhow",
+ "codex-app-server-protocol",
+ "codex-execpolicy",
 "codex-protocol",
 "codex-utils-absolute-path",
+ "futures",
+ "multimap",
 "pretty_assertions",
 "serde",
+ "serde_json",
+ "sha2",
+ "thiserror 2.0.18",
+ "tokio",
 "toml 0.9.11+spec-1.1.0",
 ]

@@ -1597,6 +1659,7 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "arc-swap",
+ "askama",
 "assert_cmd",
 "assert_matches",
 "async-channel",
@@ -1612,15 +1675,17 @@ dependencies = [
 "codex-arg0",
 "codex-async-utils",
 "codex-client",
- "codex-core",
+ "codex-config",
 "codex-execpolicy",
 "codex-file-search",
 "codex-git",
+ "codex-hooks",
 "codex-keyring-store",
 "codex-network-proxy",
 "codex-otel",
 "codex-protocol",
 "codex-rmcp-client",
+ "codex-shell-command",
 "codex-state",
 "codex-utils-absolute-path",
 "codex-utils-cargo-bin",
@@ -1647,7 +1712,6 @@ dependencies = [
 "landlock",
 "libc",
 "maplit",
- "multimap",
 "notify",
 "once_cell",
 "openssl-sys",
@@ -1684,8 +1748,6 @@ dependencies = [
 "tracing",
 "tracing-subscriber",
 "tracing-test",
- "tree-sitter",
- "tree-sitter-bash",
 "url",
 "uuid",
 "walkdir",
@@ -1718,11 +1780,14 @@ dependencies = [
 "clap",
 "codex-arg0",
 "codex-cloud-requirements",
- "codex-common",
 "codex-core",
 "codex-protocol",
 "codex-utils-absolute-path",
 "codex-utils-cargo-bin",
+ "codex-utils-cli",
+ "codex-utils-elapsed",
+ "codex-utils-oss",
+ "codex-utils-sandbox-summary",
 "core_test_support",
 "libc",
 "owo-colors",
@@ -1859,6 +1924,21 @@ dependencies = [
 "walkdir",
 ]

+[[package]]
+name = "codex-hooks"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "chrono",
+ "codex-protocol",
+ "futures",
+ "pretty_assertions",
+ "serde",
+ "serde_json",
+ "tempfile",
+ "tokio",
+]
+
 [[package]]
 name = "codex-keyring-store"
 version = "0.0.0"
@@ -1928,9 +2008,9 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "codex-arg0",
- "codex-common",
 "codex-core",
 "codex-protocol",
+ "codex-utils-cli",
 "codex-utils-json-to-toml",
 "core_test_support",
 "mcp_test_support",
@@ -2126,6 +2206,26 @@ dependencies = [
 "tracing",
 ]

+[[package]]
+name = "codex-shell-command"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "base64 0.22.1",
+ "codex-protocol",
+ "codex-utils-absolute-path",
+ "once_cell",
+ "pretty_assertions",
+ "regex",
+ "serde",
+ "serde_json",
+ "shlex",
+ "tree-sitter",
+ "tree-sitter-bash",
+ "url",
+ "which",
+]
+
 [[package]]
 name = "codex-state"
 version = "0.0.0"
@@ -2177,7 +2277,6 @@ dependencies = [
 "codex-chatgpt",
 "codex-cli",
 "codex-cloud-requirements",
- "codex-common",
 "codex-core",
 "codex-feedback",
 "codex-file-search",
@@ -2186,8 +2285,14 @@ dependencies = [
 "codex-protocol",
 "codex-state",
 "codex-utils-absolute-path",
+ "codex-utils-approval-presets",
 "codex-utils-cargo-bin",
+ "codex-utils-cli",
+ "codex-utils-elapsed",
+ "codex-utils-fuzzy-match",
+ "codex-utils-oss",
 "codex-utils-pty",
+ "codex-utils-sandbox-summary",
 "codex-windows-sandbox",
 "color-eyre",
 "crossterm",
@@ -2233,6 +2338,7 @@ dependencies = [
 "url",
 "uuid",
 "vt100",
+ "webbrowser",
 "which",
 "windows-sys 0.52.0",
 "winsplit",
@@ -2252,6 +2358,13 @@ dependencies = [
 "ts-rs",
 ]

+[[package]]
+name = "codex-utils-approval-presets"
+version = "0.0.0"
+dependencies = [
+ "codex-core",
+]
+
 [[package]]
 name = "codex-utils-cache"
 version = "0.0.0"
@@ -2270,6 +2383,26 @@ dependencies = [
 "thiserror 2.0.18",
 ]

+[[package]]
+name = "codex-utils-cli"
+version = "0.0.0"
+dependencies = [
+ "clap",
+ "codex-core",
+ "codex-protocol",
+ "pretty_assertions",
+ "serde",
+ "toml 0.9.11+spec-1.1.0",
+]
+
+[[package]]
+name = "codex-utils-elapsed"
+version = "0.0.0"
+
+[[package]]
+name = "codex-utils-fuzzy-match"
+version = "0.0.0"
+
 [[package]]
 name = "codex-utils-home-dir"
 version = "0.0.0"
@@ -2300,6 +2433,15 @@ dependencies = [
 "toml 0.9.11+spec-1.1.0",
 ]

+[[package]]
+name = "codex-utils-oss"
+version = "0.0.0"
+dependencies = [
+ "codex-core",
+ "codex-lmstudio",
+ "codex-ollama",
+]
+
 [[package]]
 name = "codex-utils-pty"
 version = "0.0.0"
@@ -2334,6 +2476,22 @@ dependencies = [
 "rustls",
 ]

+[[package]]
+name = "codex-utils-sandbox-summary"
+version = "0.0.0"
+dependencies = [
+ "codex-core",
+ "codex-utils-absolute-path",
+ "pretty_assertions",
+]
+
+[[package]]
+name = "codex-utils-sanitizer"
+version = "0.0.0"
+dependencies = [
+ "regex",
+]
+
 [[package]]
 name = "codex-utils-string"
 version = "0.0.0"
@@ -2555,6 +2713,7 @@ dependencies = [
 "codex-protocol",
 "codex-utils-absolute-path",
 "codex-utils-cargo-bin",
+ "ctor 0.6.3",
 "futures",
 "notify",
 "pretty_assertions",
@@ -7243,9 +7402,9 @@ dependencies = [

 [[package]]
 name = "rmcp"
-version = "0.14.0"
+version = "0.15.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0a621b37a548ff6ab6292d57841eb25785a7f146d89391a19c9f199414bd13da"
+checksum = "1bef41ebc9ebed2c1b1d90203e9d1756091e8a00bbc3107676151f39868ca0ee"
 dependencies = [
 "async-trait",
 "axum",
@@ -7279,9 +7438,9 @@ dependencies = [

 [[package]]
 name = "rmcp-macros"
-version = "0.14.0"
+version = "0.15.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6b79ed92303f9262db79575aa8c3652581668e9d136be6fd0b9ededa78954c95"
+checksum = "0e88ad84b8b6237a934534a62b379a5be6388915663c0cc598ceb9b3292bbbfe"
 dependencies = [
 "darling 0.23.0",
 "proc-macro2",
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -15,8 +15,10 @@ members = [
    "cloud-tasks",
    "cloud-tasks-client",
    "cli",
-    "common",
+    "config",
+    "shell-command",
    "core",
+    "hooks",
    "secrets",
    "exec",
    "exec-server",
@@ -48,6 +50,13 @@ members = [
    "utils/readiness",
    "utils/rustls-provider",
    "utils/string",
+    "utils/cli",
+    "utils/elapsed",
+    "utils/sandbox-summary",
+    "utils/sanitizer",
+    "utils/approval-presets",
+    "utils/oss",
+    "utils/fuzzy-match",
    "codex-client",
    "codex-api",
    "state",
@@ -76,19 +85,19 @@ codex-apply-patch = { path = "apply-patch" }
 codex-arg0 = { path = "arg0" }
 codex-async-utils = { path = "async-utils" }
 codex-backend-client = { path = "backend-client" }
-codex-cloud-requirements = { path = "cloud-requirements" }
 codex-chatgpt = { path = "chatgpt" }
-codex-cli = { path = "cli"}
+codex-cli = { path = "cli" }
 codex-client = { path = "codex-client" }
-codex-common = { path = "common" }
+codex-cloud-requirements = { path = "cloud-requirements" }
+codex-config = { path = "config" }
 codex-core = { path = "core" }
-codex-secrets = { path = "secrets" }
 codex-exec = { path = "exec" }
 codex-execpolicy = { path = "execpolicy" }
 codex-experimental-api-macros = { path = "codex-experimental-api-macros" }
 codex-feedback = { path = "feedback" }
 codex-file-search = { path = "file-search" }
 codex-git = { path = "utils/git" }
+codex-hooks = { path = "hooks" }
 codex-keyring-store = { path = "keyring-store" }
 codex-linux-sandbox = { path = "linux-sandbox" }
 codex-lmstudio = { path = "lmstudio" }
@@ -101,18 +110,27 @@ codex-process-hardening = { path = "process-hardening" }
 codex-protocol = { path = "protocol" }
 codex-responses-api-proxy = { path = "responses-api-proxy" }
 codex-rmcp-client = { path = "rmcp-client" }
+codex-secrets = { path = "secrets" }
+codex-shell-command = { path = "shell-command" }
 codex-state = { path = "state" }
 codex-stdio-to-uds = { path = "stdio-to-uds" }
 codex-tui = { path = "tui" }
 codex-utils-absolute-path = { path = "utils/absolute-path" }
+codex-utils-approval-presets = { path = "utils/approval-presets" }
 codex-utils-cache = { path = "utils/cache" }
 codex-utils-cargo-bin = { path = "utils/cargo-bin" }
+codex-utils-cli = { path = "utils/cli" }
+codex-utils-elapsed = { path = "utils/elapsed" }
+codex-utils-fuzzy-match = { path = "utils/fuzzy-match" }
+codex-utils-home-dir = { path = "utils/home-dir" }
 codex-utils-image = { path = "utils/image" }
 codex-utils-json-to-toml = { path = "utils/json-to-toml" }
-codex-utils-home-dir = { path = "utils/home-dir" }
+codex-utils-oss = { path = "utils/oss" }
 codex-utils-pty = { path = "utils/pty" }
 codex-utils-readiness = { path = "utils/readiness" }
 codex-utils-rustls-provider = { path = "utils/rustls-provider" }
+codex-utils-sandbox-summary = { path = "utils/sandbox-summary" }
+codex-utils-sanitizer = { path = "utils/sanitizer" }
 codex-utils-string = { path = "utils/string" }
 codex-windows-sandbox = { path = "windows-sandbox-rs" }
 core_test_support = { path = "core/tests/common" }
@@ -125,6 +143,7 @@ allocative = "0.3.3"
 ansi-to-tui = "7.0.0"
 anyhow = "1"
 arboard = { version = "3", features = ["wayland-data-control"] }
+askama = "0.15.4"
 assert_cmd = "2"
 assert_matches = "1.5.0"
 async-channel = "2.3.1"
@@ -139,8 +158,8 @@ chrono = "0.4.43"
 clap = "4"
 clap_complete = "4"
 color-eyre = "0.6.3"
-crossterm = "0.28.1"
 crossbeam-channel = "0.5.15"
+crossterm = "0.28.1"
 ctor = "0.6.3"
 derive_more = "2"
 diffy = "0.4.2"
@@ -158,10 +177,10 @@ icu_decimal = "2.1"
 icu_locale_core = "2.1"
 icu_provider = { version = "2.1", features = ["sync"] }
 ignore = "0.4.23"
-indoc = "2.0"
 image = { version = "^0.25.9", default-features = false }
 include_dir = "0.7.4"
 indexmap = "2.12.0"
+indoc = "2.0"
 insta = "1.46.3"
 inventory = "0.3.19"
 itertools = "0.14.0"
@@ -183,7 +202,6 @@ opentelemetry-appender-tracing = "0.31.0"
 opentelemetry-otlp = "0.31.0"
 opentelemetry-semantic-conventions = "0.31.0"
 opentelemetry_sdk = "0.31.0"
-tracing-opentelemetry = "0.32.0"
 os_info = "3.12.0"
 owo-colors = "4.2.0"
 path-absolutize = "3.1.1"
@@ -198,11 +216,15 @@ ratatui-macros = "0.6.0"
 regex = "1.12.3"
 regex-lite = "0.1.8"
 reqwest = "0.12"
-rmcp = { version = "0.14.0", default-features = false }
-rustls = { version = "0.23", default-features = false, features = ["ring", "std"] }
+rmcp = { version = "0.15.0", default-features = false }
 runfiles = { git = "https://github.com/dzbarsky/rules_rust", rev = "b56cbaa8465e74127f1ea216f813cd377295ad81" }
+rustls = { version = "0.23", default-features = false, features = [
+    "ring",
+    "std",
+] }
 schemars = "0.8.22"
 seccompiler = "0.5.0"
+semver = "1.0"
 sentry = "0.46.0"
 serde = "1"
 serde_json = "1"
@@ -212,11 +234,19 @@ serde_yaml = "0.9"
 serial_test = "3.2.0"
 sha1 = "0.10.6"
 sha2 = "0.10"
-semver = "1.0"
 shlex = "1.3.0"
 similar = "2.7.0"
 socket2 = "0.6.1"
-sqlx = { version = "0.8.6", default-features = false, features = ["chrono", "json", "macros", "migrate", "runtime-tokio-rustls", "sqlite", "time", "uuid"] }
+sqlx = { version = "0.8.6", default-features = false, features = [
+    "chrono",
+    "json",
+    "macros",
+    "migrate",
+    "runtime-tokio-rustls",
+    "sqlite",
+    "time",
+    "uuid",
+] }
 starlark = "0.13.0"
 strum = "0.27.2"
 strum_macros = "0.27.2"
@@ -231,20 +261,23 @@ tiny_http = "0.12"
 tokio = "1"
 tokio-stream = "0.1.18"
 tokio-test = "0.4"
-tokio-tungstenite = { version = "0.28.0", features = ["proxy", "rustls-tls-native-roots"] }
-tungstenite = { version = "0.27.0", features = ["deflate", "proxy"] }
+tokio-tungstenite = { version = "0.28.0", features = [
+    "proxy",
+    "rustls-tls-native-roots",
+] }
 tokio-util = "0.7.18"
 toml = "0.9.5"
 toml_edit = "0.24.0"
 tracing = "0.1.44"
 tracing-appender = "0.2.3"
+tracing-opentelemetry = "0.32.0"
 tracing-subscriber = "0.3.22"
 tracing-test = "0.2.5"
 tree-sitter = "0.25.10"
 tree-sitter-bash = "0.25"
-zstd = "0.13"
 tree-sitter-highlight = "0.25.10"
 ts-rs = "11"
+tungstenite = { version = "0.27.0", features = ["deflate", "proxy"] }
 uds_windows = "1.1.0"
 unicode-segmentation = "1.12.0"
 unicode-width = "0.2"
@@ -257,6 +290,7 @@ webbrowser = "1.0"
 which = "8"
 wildmatch = "2.6.1"
 zip = "2.4.2"
+zstd = "0.13"

 wiremock = "0.6"
 zeroize = "1.8.2"
@@ -302,7 +336,13 @@ unwrap_used = "deny"
 # cargo-shear cannot see the platform-specific openssl-sys usage, so we
 # silence the false positive here instead of deleting a real dependency.
 [workspace.metadata.cargo-shear]
-ignored = ["icu_provider", "openssl-sys", "codex-utils-readiness", "codex-secrets"]
+ignored = [
+    "icu_provider",
+    "openssl-sys",
+    "codex-utils-readiness",
+    "codex-utils-sanitizer",
+    "codex-secrets",
+]

 [profile.release]
 lto = "fat"
--- a/codex-rs/README.md
+++ b/codex-rs/README.md
@@ -97,3 +97,5 @@ This folder is the root of a Cargo workspace. It contains quite a bit of experim
 - [`exec/`](./exec) "headless" CLI for use in automation.
 - [`tui/`](./tui) CLI that launches a fullscreen TUI built with [Ratatui](https://ratatui.rs/).
 - [`cli/`](./cli) CLI multitool that provides the aforementioned CLIs via subcommands.
+
+If you want to contribute or inspect behavior in detail, start by reading the module-level `README.md` files under each crate and run the project workspace from the top-level `codex-rs` directory so shared config, features, and build scripts stay aligned.
--- a/codex-rs/app-server-protocol/schema/json/ClientRequest.json
+++ b/codex-rs/app-server-protocol/schema/json/ClientRequest.json
@@ -718,6 +718,16 @@
          "default": false,
          "description": "Opt into receiving experimental API methods and fields.",
          "type": "boolean"
+        },
+        "optOutNotificationMethods": {
+          "description": "Exact notification method names that should be suppressed for this connection (for example `codex/event/session_configured`).",
+          "items": {
+            "type": "string"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
        }
      },
      "type": "object"
@@ -1233,6 +1243,104 @@
      ],
      "type": "string"
    },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
+    "ReadOnlyAccess2": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccess2Type",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess2",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccess2Type",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess2",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -1912,6 +2020,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "readOnly"
@@ -1964,6 +2082,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -2008,8 +2136,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess2"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -2068,6 +2204,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess2"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
--- a/codex-rs/app-server-protocol/schema/json/EventMsg.json
+++ b/codex-rs/app-server-protocol/schema/json/EventMsg.json
@@ -175,6 +175,7 @@
          "enum": [
            "context_window_exceeded",
            "usage_limit_exceeded",
+            "server_overloaded",
            "internal_server_error",
            "unauthorized",
            "bad_request",
@@ -184,35 +185,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "model_cap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "model_cap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -560,6 +532,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_started"
@@ -569,6 +544,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskStartedEventMsg",
@@ -583,6 +559,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_complete"
@@ -592,6 +571,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskCompleteEventMsg",
@@ -887,6 +867,17 @@
            "model_provider_id": {
              "type": "string"
            },
+            "network_proxy": {
+              "anyOf": [
+                {
+                  "$ref": "#/definitions/SessionNetworkProxyRuntime"
+                },
+                {
+                  "type": "null"
+                }
+              ],
+              "description": "Runtime proxy bind addresses, when the managed proxy was started for this session."
+            },
            "reasoning_effort": {
              "anyOf": [
                {
@@ -2118,6 +2109,12 @@
            "reason": {
              "$ref": "#/definitions/TurnAbortReason"
            },
+            "turn_id": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
            "type": {
              "enum": [
                "turn_aborted"
@@ -3445,6 +3442,18 @@
            }
          ]
        },
+        "limit_id": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "limit_name": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "plan_type": {
          "anyOf": [
            {
@@ -3507,6 +3516,57 @@
      ],
      "type": "object"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -4344,8 +4404,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -4404,6 +4472,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
@@ -4427,6 +4503,25 @@
        }
      ]
    },
+    "SessionNetworkProxyRuntime": {
+      "properties": {
+        "admin_addr": {
+          "type": "string"
+        },
+        "http_addr": {
+          "type": "string"
+        },
+        "socks_addr": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "admin_addr",
+        "http_addr",
+        "socks_addr"
+      ],
+      "type": "object"
+    },
    "SkillDependencies": {
      "properties": {
        "tools": {
@@ -5273,6 +5368,9 @@
            "null"
          ]
        },
+        "turn_id": {
+          "type": "string"
+        },
        "type": {
          "enum": [
            "task_started"
@@ -5282,6 +5380,7 @@
        }
      },
      "required": [
+        "turn_id",
        "type"
      ],
      "title": "TaskStartedEventMsg",
@@ -5296,6 +5395,9 @@
            "null"
          ]
        },
+        "turn_id": {
+          "type": "string"
+        },
        "type": {
          "enum": [
            "task_complete"
@@ -5305,6 +5407,7 @@
        }
      },
      "required": [
+        "turn_id",
        "type"
      ],
      "title": "TaskCompleteEventMsg",
@@ -5600,6 +5703,17 @@
        "model_provider_id": {
          "type": "string"
        },
+        "network_proxy": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/SessionNetworkProxyRuntime"
+            },
+            {
+              "type": "null"
+            }
+          ],
+          "description": "Runtime proxy bind addresses, when the managed proxy was started for this session."
+        },
        "reasoning_effort": {
          "anyOf": [
            {
@@ -6831,6 +6945,12 @@
        "reason": {
          "$ref": "#/definitions/TurnAbortReason"
        },
+        "turn_id": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "type": {
          "enum": [
            "turn_aborted"
@@ -7580,4 +7700,4 @@
    }
  ],
  "title": "EventMsg"
-}
+}
--- a/codex-rs/app-server-protocol/schema/json/ServerNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/ServerNotification.json
@@ -373,6 +373,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -382,35 +383,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -515,6 +487,7 @@
          "enum": [
            "context_window_exceeded",
            "usage_limit_exceeded",
+            "server_overloaded",
            "internal_server_error",
            "unauthorized",
            "bad_request",
@@ -524,35 +497,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "model_cap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "model_cap"
-          ],
-          "title": "ModelCapCodexErrorInfo2",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -1204,6 +1148,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_started"
@@ -1213,6 +1160,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskStartedEventMsg",
@@ -1227,6 +1175,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_complete"
@@ -1236,6 +1187,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskCompleteEventMsg",
@@ -1531,6 +1483,17 @@
            "model_provider_id": {
              "type": "string"
            },
+            "network_proxy": {
+              "anyOf": [
+                {
+                  "$ref": "#/definitions/SessionNetworkProxyRuntime"
+                },
+                {
+                  "type": "null"
+                }
+              ],
+              "description": "Runtime proxy bind addresses, when the managed proxy was started for this session."
+            },
            "reasoning_effort": {
              "anyOf": [
                {
@@ -2762,6 +2725,12 @@
            "reason": {
              "$ref": "#/definitions/TurnAbortReason"
            },
+            "turn_id": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
            "type": {
              "enum": [
                "turn_aborted"
@@ -4381,6 +4350,18 @@
            }
          ]
        },
+        "limitId": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "limitName": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "planType": {
          "anyOf": [
            {
@@ -4426,6 +4407,18 @@
            }
          ]
        },
+        "limit_id": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "limit_name": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "plan_type": {
          "anyOf": [
            {
@@ -4533,6 +4526,57 @@
      ],
      "type": "object"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -5450,8 +5494,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -5510,6 +5562,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
@@ -5583,6 +5643,25 @@
      ],
      "type": "object"
    },
+    "SessionNetworkProxyRuntime": {
+      "properties": {
+        "admin_addr": {
+          "type": "string"
+        },
+        "http_addr": {
+          "type": "string"
+        },
+        "socks_addr": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "admin_addr",
+        "http_addr",
+        "socks_addr"
+      ],
+      "type": "object"
+    },
    "SessionSource": {
      "oneOf": [
        {
@@ -8197,4 +8276,4 @@
    }
  ],
  "title": "ServerNotification"
-}
+}
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
@@ -1884,6 +1884,7 @@
          "enum": [
            "context_window_exceeded",
            "usage_limit_exceeded",
+            "server_overloaded",
            "internal_server_error",
            "unauthorized",
            "bad_request",
@@ -1893,35 +1894,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "model_cap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "model_cap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -2573,6 +2545,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_started"
@@ -2582,6 +2557,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskStartedEventMsg",
@@ -2596,6 +2572,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_complete"
@@ -2605,6 +2584,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskCompleteEventMsg",
@@ -2900,6 +2880,17 @@
            "model_provider_id": {
              "type": "string"
            },
+            "network_proxy": {
+              "anyOf": [
+                {
+                  "$ref": "#/definitions/SessionNetworkProxyRuntime"
+                },
+                {
+                  "type": "null"
+                }
+              ],
+              "description": "Runtime proxy bind addresses, when the managed proxy was started for this session."
+            },
            "reasoning_effort": {
              "anyOf": [
                {
@@ -4131,6 +4122,12 @@
            "reason": {
              "$ref": "#/definitions/TurnAbortReason"
            },
+            "turn_id": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
            "type": {
              "enum": [
                "turn_aborted"
@@ -5599,6 +5596,16 @@
          "default": false,
          "description": "Opt into receiving experimental API methods and fields.",
          "type": "boolean"
+        },
+        "optOutNotificationMethods": {
+          "description": "Exact notification method names that should be suppressed for this connection (for example `codex/event/session_configured`).",
+          "items": {
+            "type": "string"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
        }
      },
      "type": "object"
@@ -6520,6 +6527,18 @@
            }
          ]
        },
+        "limit_id": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "limit_name": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "plan_type": {
          "anyOf": [
            {
@@ -6582,6 +6601,57 @@
      ],
      "type": "object"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -7595,8 +7665,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -7655,6 +7733,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
@@ -8678,6 +8764,25 @@
      "title": "SessionConfiguredNotification",
      "type": "object"
    },
+    "SessionNetworkProxyRuntime": {
+      "properties": {
+        "admin_addr": {
+          "type": "string"
+        },
+        "http_addr": {
+          "type": "string"
+        },
+        "socks_addr": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "admin_addr",
+        "http_addr",
+        "socks_addr"
+      ],
+      "type": "object"
+    },
    "SessionSource": {
      "oneOf": [
        {
@@ -10213,6 +10318,7 @@
            "enum": [
              "contextWindowExceeded",
              "usageLimitExceeded",
+              "serverOverloaded",
              "internalServerError",
              "unauthorized",
              "badRequest",
@@ -10222,35 +10328,6 @@
            ],
            "type": "string"
          },
-          {
-            "additionalProperties": false,
-            "properties": {
-              "modelCap": {
-                "properties": {
-                  "model": {
-                    "type": "string"
-                  },
-                  "reset_after_seconds": {
-                    "format": "uint64",
-                    "minimum": 0.0,
-                    "type": [
-                      "integer",
-                      "null"
-                    ]
-                  }
-                },
-                "required": [
-                  "model"
-                ],
-                "type": "object"
-              }
-            },
-            "required": [
-              "modelCap"
-            ],
-            "title": "ModelCapCodexErrorInfo",
-            "type": "object"
-          },
          {
            "additionalProperties": false,
            "properties": {
@@ -11783,7 +11860,22 @@
        "$schema": "http://json-schema.org/draft-07/schema#",
        "properties": {
          "rateLimits": {
-            "$ref": "#/definitions/v2/RateLimitSnapshot"
+            "allOf": [
+              {
+                "$ref": "#/definitions/v2/RateLimitSnapshot"
+              }
+            ],
+            "description": "Backward-compatible single-bucket view; mirrors the historical payload."
+          },
+          "rateLimitsByLimitId": {
+            "additionalProperties": {
+              "$ref": "#/definitions/v2/RateLimitSnapshot"
+            },
+            "description": "Multi-bucket view keyed by metered `limit_id` (for example, `codex`).",
+            "type": [
+              "object",
+              "null"
+            ]
          }
        },
        "required": [
@@ -12798,6 +12890,18 @@
              }
            ]
          },
+          "limitId": {
+            "type": [
+              "string",
+              "null"
+            ]
+          },
+          "limitName": {
+            "type": [
+              "string",
+              "null"
+            ]
+          },
          "planType": {
            "anyOf": [
              {
@@ -12878,6 +12982,53 @@
        "title": "RawResponseItemCompletedNotification",
        "type": "object"
      },
+      "ReadOnlyAccess": {
+        "oneOf": [
+          {
+            "properties": {
+              "includePlatformDefaults": {
+                "default": true,
+                "type": "boolean"
+              },
+              "readableRoots": {
+                "default": [],
+                "items": {
+                  "$ref": "#/definitions/v2/AbsolutePathBuf"
+                },
+                "type": "array"
+              },
+              "type": {
+                "enum": [
+                  "restricted"
+                ],
+                "title": "RestrictedReadOnlyAccessType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "type"
+            ],
+            "title": "RestrictedReadOnlyAccess",
+            "type": "object"
+          },
+          {
+            "properties": {
+              "type": {
+                "enum": [
+                  "fullAccess"
+                ],
+                "title": "FullAccessReadOnlyAccessType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "type"
+            ],
+            "title": "FullAccessReadOnlyAccess",
+            "type": "object"
+          }
+        ]
+      },
      "ReasoningEffort": {
        "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
        "enum": [
@@ -13718,6 +13869,16 @@
          },
          {
            "properties": {
+              "access": {
+                "allOf": [
+                  {
+                    "$ref": "#/definitions/v2/ReadOnlyAccess"
+                  }
+                ],
+                "default": {
+                  "type": "fullAccess"
+                }
+              },
              "type": {
                "enum": [
                  "readOnly"
@@ -13770,6 +13931,16 @@
                "default": false,
                "type": "boolean"
              },
+              "readOnlyAccess": {
+                "allOf": [
+                  {
+                    "$ref": "#/definitions/v2/ReadOnlyAccess"
+                  }
+                ],
+                "default": {
+                  "type": "fullAccess"
+                }
+              },
              "type": {
                "enum": [
                  "workspaceWrite"
@@ -16361,4 +16532,4 @@
  },
  "title": "CodexAppServerProtocol",
  "type": "object"
-}
+}
--- a/codex-rs/app-server-protocol/schema/json/v1/ExecOneOffCommandParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/ExecOneOffCommandParams.json
@@ -13,6 +13,57 @@
      ],
      "type": "string"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "SandboxPolicy": {
      "description": "Determines execution restrictions for model shell commands.",
      "oneOf": [
@@ -34,8 +85,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -94,6 +153,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
--- a/codex-rs/app-server-protocol/schema/json/v1/ForkConversationResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/ForkConversationResponse.json
@@ -175,6 +175,7 @@
          "enum": [
            "context_window_exceeded",
            "usage_limit_exceeded",
+            "server_overloaded",
            "internal_server_error",
            "unauthorized",
            "bad_request",
@@ -184,35 +185,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "model_cap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "model_cap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -560,6 +532,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_started"
@@ -569,6 +544,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskStartedEventMsg",
@@ -583,6 +559,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_complete"
@@ -592,6 +571,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskCompleteEventMsg",
@@ -887,6 +867,17 @@
            "model_provider_id": {
              "type": "string"
            },
+            "network_proxy": {
+              "anyOf": [
+                {
+                  "$ref": "#/definitions/SessionNetworkProxyRuntime"
+                },
+                {
+                  "type": "null"
+                }
+              ],
+              "description": "Runtime proxy bind addresses, when the managed proxy was started for this session."
+            },
            "reasoning_effort": {
              "anyOf": [
                {
@@ -2118,6 +2109,12 @@
            "reason": {
              "$ref": "#/definitions/TurnAbortReason"
            },
+            "turn_id": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
            "type": {
              "enum": [
                "turn_aborted"
@@ -3445,6 +3442,18 @@
            }
          ]
        },
+        "limit_id": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "limit_name": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "plan_type": {
          "anyOf": [
            {
@@ -3507,6 +3516,57 @@
      ],
      "type": "object"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -4344,8 +4404,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -4404,6 +4472,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
@@ -4427,6 +4503,25 @@
        }
      ]
    },
+    "SessionNetworkProxyRuntime": {
+      "properties": {
+        "admin_addr": {
+          "type": "string"
+        },
+        "http_addr": {
+          "type": "string"
+        },
+        "socks_addr": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "admin_addr",
+        "http_addr",
+        "socks_addr"
+      ],
+      "type": "object"
+    },
    "SkillDependencies": {
      "properties": {
        "tools": {
@@ -5186,4 +5281,4 @@
  ],
  "title": "ForkConversationResponse",
  "type": "object"
-}
+}
--- a/codex-rs/app-server-protocol/schema/json/v1/InitializeParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/InitializeParams.json
@@ -29,6 +29,16 @@
          "default": false,
          "description": "Opt into receiving experimental API methods and fields.",
          "type": "boolean"
+        },
+        "optOutNotificationMethods": {
+          "description": "Exact notification method names that should be suppressed for this connection (for example `codex/event/session_configured`).",
+          "items": {
+            "type": "string"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
        }
      },
      "type": "object"
--- a/codex-rs/app-server-protocol/schema/json/v1/ResumeConversationResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/ResumeConversationResponse.json
@@ -175,6 +175,7 @@
          "enum": [
            "context_window_exceeded",
            "usage_limit_exceeded",
+            "server_overloaded",
            "internal_server_error",
            "unauthorized",
            "bad_request",
@@ -184,35 +185,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "model_cap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "model_cap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -560,6 +532,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_started"
@@ -569,6 +544,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskStartedEventMsg",
@@ -583,6 +559,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_complete"
@@ -592,6 +571,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskCompleteEventMsg",
@@ -887,6 +867,17 @@
            "model_provider_id": {
              "type": "string"
            },
+            "network_proxy": {
+              "anyOf": [
+                {
+                  "$ref": "#/definitions/SessionNetworkProxyRuntime"
+                },
+                {
+                  "type": "null"
+                }
+              ],
+              "description": "Runtime proxy bind addresses, when the managed proxy was started for this session."
+            },
            "reasoning_effort": {
              "anyOf": [
                {
@@ -2118,6 +2109,12 @@
            "reason": {
              "$ref": "#/definitions/TurnAbortReason"
            },
+            "turn_id": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
            "type": {
              "enum": [
                "turn_aborted"
@@ -3445,6 +3442,18 @@
            }
          ]
        },
+        "limit_id": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "limit_name": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "plan_type": {
          "anyOf": [
            {
@@ -3507,6 +3516,57 @@
      ],
      "type": "object"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -4344,8 +4404,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -4404,6 +4472,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
@@ -4427,6 +4503,25 @@
        }
      ]
    },
+    "SessionNetworkProxyRuntime": {
+      "properties": {
+        "admin_addr": {
+          "type": "string"
+        },
+        "http_addr": {
+          "type": "string"
+        },
+        "socks_addr": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "admin_addr",
+        "http_addr",
+        "socks_addr"
+      ],
+      "type": "object"
+    },
    "SkillDependencies": {
      "properties": {
        "tools": {
@@ -5186,4 +5281,4 @@
  ],
  "title": "ResumeConversationResponse",
  "type": "object"
-}
+}
--- a/codex-rs/app-server-protocol/schema/json/v1/SendUserTurnParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/SendUserTurnParams.json
@@ -142,6 +142,57 @@
      ],
      "type": "string"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -195,8 +246,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -255,6 +314,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
--- a/codex-rs/app-server-protocol/schema/json/v1/SessionConfiguredNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/SessionConfiguredNotification.json
@@ -175,6 +175,7 @@
          "enum": [
            "context_window_exceeded",
            "usage_limit_exceeded",
+            "server_overloaded",
            "internal_server_error",
            "unauthorized",
            "bad_request",
@@ -184,35 +185,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "model_cap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "model_cap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -560,6 +532,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_started"
@@ -569,6 +544,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskStartedEventMsg",
@@ -583,6 +559,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_complete"
@@ -592,6 +571,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskCompleteEventMsg",
@@ -887,6 +867,17 @@
            "model_provider_id": {
              "type": "string"
            },
+            "network_proxy": {
+              "anyOf": [
+                {
+                  "$ref": "#/definitions/SessionNetworkProxyRuntime"
+                },
+                {
+                  "type": "null"
+                }
+              ],
+              "description": "Runtime proxy bind addresses, when the managed proxy was started for this session."
+            },
            "reasoning_effort": {
              "anyOf": [
                {
@@ -2118,6 +2109,12 @@
            "reason": {
              "$ref": "#/definitions/TurnAbortReason"
            },
+            "turn_id": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
            "type": {
              "enum": [
                "turn_aborted"
@@ -3445,6 +3442,18 @@
            }
          ]
        },
+        "limit_id": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "limit_name": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "plan_type": {
          "anyOf": [
            {
@@ -3507,6 +3516,57 @@
      ],
      "type": "object"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -4344,8 +4404,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -4404,6 +4472,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
@@ -4427,6 +4503,25 @@
        }
      ]
    },
+    "SessionNetworkProxyRuntime": {
+      "properties": {
+        "admin_addr": {
+          "type": "string"
+        },
+        "http_addr": {
+          "type": "string"
+        },
+        "socks_addr": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "admin_addr",
+        "http_addr",
+        "socks_addr"
+      ],
+      "type": "object"
+    },
    "SkillDependencies": {
      "properties": {
        "tools": {
@@ -5208,4 +5303,4 @@
  ],
  "title": "SessionConfiguredNotification",
  "type": "object"
-}
+}
--- a/codex-rs/app-server-protocol/schema/json/v2/AccountRateLimitsUpdatedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/AccountRateLimitsUpdatedNotification.json
@@ -48,6 +48,18 @@
            }
          ]
        },
+        "limitId": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "limitName": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "planType": {
          "anyOf": [
            {
--- a/codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json
@@ -12,6 +12,53 @@
      ],
      "type": "string"
    },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "SandboxPolicy": {
      "oneOf": [
        {
@@ -32,6 +79,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "readOnly"
@@ -84,6 +141,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
--- a/codex-rs/app-server-protocol/schema/json/v2/ErrorNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ErrorNotification.json
@@ -8,6 +8,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -17,35 +18,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/GetAccountRateLimitsResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/GetAccountRateLimitsResponse.json
@@ -48,6 +48,18 @@
            }
          ]
        },
+        "limitId": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "limitName": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "planType": {
          "anyOf": [
            {
@@ -110,7 +122,22 @@
  },
  "properties": {
    "rateLimits": {
-      "$ref": "#/definitions/RateLimitSnapshot"
+      "allOf": [
+        {
+          "$ref": "#/definitions/RateLimitSnapshot"
+        }
+      ],
+      "description": "Backward-compatible single-bucket view; mirrors the historical payload."
+    },
+    "rateLimitsByLimitId": {
+      "additionalProperties": {
+        "$ref": "#/definitions/RateLimitSnapshot"
+      },
+      "description": "Multi-bucket view keyed by metered `limit_id` (for example, `codex`).",
+      "type": [
+        "object",
+        "null"
+      ]
    }
  },
  "required": [
--- a/codex-rs/app-server-protocol/schema/json/v2/ReviewStartResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ReviewStartResponse.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadForkResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadForkResponse.json
@@ -40,6 +40,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -49,35 +50,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -488,6 +460,53 @@
        }
      ]
    },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -520,6 +539,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "readOnly"
@@ -572,6 +601,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadListResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadListResponse.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadReadResponse.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeResponse.json
@@ -40,6 +40,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -49,35 +50,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -488,6 +460,53 @@
        }
      ]
    },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -520,6 +539,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "readOnly"
@@ -572,6 +601,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadRollbackResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadRollbackResponse.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadStartResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadStartResponse.json
@@ -40,6 +40,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -49,35 +50,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -488,6 +460,53 @@
        }
      ]
    },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -520,6 +539,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "readOnly"
@@ -572,6 +601,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadStartedNotification.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadUnarchiveResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadUnarchiveResponse.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnCompletedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnCompletedNotification.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnStartParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnStartParams.json
@@ -72,6 +72,53 @@
      ],
      "type": "string"
    },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -124,6 +171,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "readOnly"
@@ -176,6 +233,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnStartResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnStartResponse.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnStartedNotification.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
--- a/codex-rs/app-server-protocol/schema/typescript/CodexErrorInfo.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/CodexErrorInfo.ts
@@ -5,4 +5,4 @@
 /**
 * Codex errors that we expose to clients.
 */
-export type CodexErrorInfo = "context_window_exceeded" | "usage_limit_exceeded" | { "model_cap": { model: string, reset_after_seconds: bigint | null, } } | { "http_connection_failed": { http_status_code: number | null, } } | { "response_stream_connection_failed": { http_status_code: number | null, } } | "internal_server_error" | "unauthorized" | "bad_request" | "sandbox_error" | { "response_stream_disconnected": { http_status_code: number | null, } } | { "response_too_many_failed_attempts": { http_status_code: number | null, } } | "thread_rollback_failed" | "other";
+export type CodexErrorInfo = "context_window_exceeded" | "usage_limit_exceeded" | "server_overloaded" | { "http_connection_failed": { http_status_code: number | null, } } | { "response_stream_connection_failed": { http_status_code: number | null, } } | "internal_server_error" | "unauthorized" | "bad_request" | "sandbox_error" | { "response_stream_disconnected": { http_status_code: number | null, } } | { "response_too_many_failed_attempts": { http_status_code: number | null, } } | "thread_rollback_failed" | "other";
--- a/codex-rs/app-server-protocol/schema/typescript/InitializeCapabilities.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/InitializeCapabilities.ts
@@ -9,4 +9,9 @@ export type InitializeCapabilities = {
 /**
 * Opt into receiving experimental API methods and fields.
 */
-experimentalApi: boolean, };
+experimentalApi: boolean, 
+/**
+ * Exact notification method names that should be suppressed for this
+ * connection (for example `codex/event/session_configured`).
+ */
+optOutNotificationMethods?: Array<string> | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/RateLimitSnapshot.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/RateLimitSnapshot.ts
@@ -5,4 +5,4 @@ import type { CreditsSnapshot } from "./CreditsSnapshot";
 import type { PlanType } from "./PlanType";
 import type { RateLimitWindow } from "./RateLimitWindow";

-export type RateLimitSnapshot = { primary: RateLimitWindow | null, secondary: RateLimitWindow | null, credits: CreditsSnapshot | null, plan_type: PlanType | null, };
+export type RateLimitSnapshot = { limit_id: string | null, limit_name: string | null, primary: RateLimitWindow | null, secondary: RateLimitWindow | null, credits: CreditsSnapshot | null, plan_type: PlanType | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/ReadOnlyAccess.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ReadOnlyAccess.ts
@@ -0,0 +1,19 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { AbsolutePathBuf } from "./AbsolutePathBuf";
+
+/**
+ * Determines how read-only file access is granted inside a restricted
+ * sandbox.
+ */
+export type ReadOnlyAccess = { "type": "restricted", 
+/**
+ * Include built-in platform read roots required for basic process
+ * execution.
+ */
+include_platform_defaults: boolean, 
+/**
+ * Additional absolute roots that should be readable.
+ */
+readable_roots?: Array<AbsolutePathBuf>, } | { "type": "full-access" };
--- a/codex-rs/app-server-protocol/schema/typescript/SandboxPolicy.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/SandboxPolicy.ts
@@ -3,11 +3,16 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { AbsolutePathBuf } from "./AbsolutePathBuf";
 import type { NetworkAccess } from "./NetworkAccess";
+import type { ReadOnlyAccess } from "./ReadOnlyAccess";

 /**
 * Determines execution restrictions for model shell commands.
 */
-export type SandboxPolicy = { "type": "danger-full-access" } | { "type": "read-only" } | { "type": "external-sandbox", 
+export type SandboxPolicy = { "type": "danger-full-access" } | { "type": "read-only", 
+/**
+ * Read access granted while running under this policy.
+ */
+access?: ReadOnlyAccess, } | { "type": "external-sandbox", 
 /**
 * Whether the external sandbox permits outbound network traffic.
 */
@@ -17,6 +22,10 @@ network_access: NetworkAccess, } | { "type": "workspace-write",
 * writable from within the sandbox.
 */
 writable_roots?: Array<AbsolutePathBuf>, 
+/**
+ * Read access granted while running under this policy.
+ */
+read_only_access?: ReadOnlyAccess, 
 /**
 * When set to `true`, outbound network access is allowed. `false` by
 * default.
--- a/codex-rs/app-server-protocol/schema/typescript/SessionConfiguredEvent.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/SessionConfiguredEvent.ts
@@ -5,6 +5,7 @@ import type { AskForApproval } from "./AskForApproval";
 import type { EventMsg } from "./EventMsg";
 import type { ReasoningEffort } from "./ReasoningEffort";
 import type { SandboxPolicy } from "./SandboxPolicy";
+import type { SessionNetworkProxyRuntime } from "./SessionNetworkProxyRuntime";
 import type { ThreadId } from "./ThreadId";

 export type SessionConfiguredEvent = { session_id: ThreadId, forked_from_id: ThreadId | null, 
@@ -46,6 +47,10 @@ history_entry_count: number,
 * When present, UIs can use these to seed the history.
 */
 initial_messages: Array<EventMsg> | null, 
+/**
+ * Runtime proxy bind addresses, when the managed proxy was started for this session.
+ */
+network_proxy?: SessionNetworkProxyRuntime, 
 /**
 * Path in which the rollout is stored. Can be `None` for ephemeral threads
 */
--- a/codex-rs/app-server-protocol/schema/typescript/SessionNetworkProxyRuntime.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/SessionNetworkProxyRuntime.ts
@@ -0,0 +1,5 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type SessionNetworkProxyRuntime = { http_addr: string, socks_addr: string, admin_addr: string, };
--- a/codex-rs/app-server-protocol/schema/typescript/TurnAbortedEvent.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/TurnAbortedEvent.ts
@@ -3,4 +3,4 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { TurnAbortReason } from "./TurnAbortReason";

-export type TurnAbortedEvent = { reason: TurnAbortReason, };
+export type TurnAbortedEvent = { turn_id: string | null, reason: TurnAbortReason, };
--- a/codex-rs/app-server-protocol/schema/typescript/TurnCompleteEvent.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/TurnCompleteEvent.ts
@@ -2,4 +2,4 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.

-export type TurnCompleteEvent = { last_agent_message: string | null, };
+export type TurnCompleteEvent = { turn_id: string, last_agent_message: string | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/TurnStartedEvent.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/TurnStartedEvent.ts
@@ -3,4 +3,4 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { ModeKind } from "./ModeKind";

-export type TurnStartedEvent = { model_context_window: bigint | null, collaboration_mode_kind: ModeKind, };
+export type TurnStartedEvent = { turn_id: string, model_context_window: bigint | null, collaboration_mode_kind: ModeKind, };
--- a/codex-rs/app-server-protocol/schema/typescript/index.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/index.ts
@@ -137,6 +137,7 @@ export type { Profile } from "./Profile";
 export type { RateLimitSnapshot } from "./RateLimitSnapshot";
 export type { RateLimitWindow } from "./RateLimitWindow";
 export type { RawResponseItemEvent } from "./RawResponseItemEvent";
+export type { ReadOnlyAccess } from "./ReadOnlyAccess";
 export type { ReasoningContentDeltaEvent } from "./ReasoningContentDeltaEvent";
 export type { ReasoningEffort } from "./ReasoningEffort";
 export type { ReasoningItem } from "./ReasoningItem";
@@ -175,6 +176,7 @@ export type { ServerNotification } from "./ServerNotification";
 export type { ServerRequest } from "./ServerRequest";
 export type { SessionConfiguredEvent } from "./SessionConfiguredEvent";
 export type { SessionConfiguredNotification } from "./SessionConfiguredNotification";
+export type { SessionNetworkProxyRuntime } from "./SessionNetworkProxyRuntime";
 export type { SessionSource } from "./SessionSource";
 export type { SetDefaultModelParams } from "./SetDefaultModelParams";
 export type { SetDefaultModelResponse } from "./SetDefaultModelResponse";
--- a/codex-rs/app-server-protocol/schema/typescript/v2/CodexErrorInfo.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/CodexErrorInfo.ts
@@ -8,4 +8,4 @@
 * When an upstream HTTP status is available (for example, from the Responses API or a provider),
 * it is forwarded in `httpStatusCode` on the relevant `codexErrorInfo` variant.
 */
-export type CodexErrorInfo = "contextWindowExceeded" | "usageLimitExceeded" | { "modelCap": { model: string, reset_after_seconds: bigint | null, } } | { "httpConnectionFailed": { httpStatusCode: number | null, } } | { "responseStreamConnectionFailed": { httpStatusCode: number | null, } } | "internalServerError" | "unauthorized" | "badRequest" | "threadRollbackFailed" | "sandboxError" | { "responseStreamDisconnected": { httpStatusCode: number | null, } } | { "responseTooManyFailedAttempts": { httpStatusCode: number | null, } } | "other";
+export type CodexErrorInfo = "contextWindowExceeded" | "usageLimitExceeded" | "serverOverloaded" | { "httpConnectionFailed": { httpStatusCode: number | null, } } | { "responseStreamConnectionFailed": { httpStatusCode: number | null, } } | "internalServerError" | "unauthorized" | "badRequest" | "threadRollbackFailed" | "sandboxError" | { "responseStreamDisconnected": { httpStatusCode: number | null, } } | { "responseTooManyFailedAttempts": { httpStatusCode: number | null, } } | "other";
--- a/codex-rs/app-server-protocol/schema/typescript/v2/GetAccountRateLimitsResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/GetAccountRateLimitsResponse.ts
@@ -3,4 +3,12 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { RateLimitSnapshot } from "./RateLimitSnapshot";

-export type GetAccountRateLimitsResponse = { rateLimits: RateLimitSnapshot, };
+export type GetAccountRateLimitsResponse = { 
+/**
+ * Backward-compatible single-bucket view; mirrors the historical payload.
+ */
+rateLimits: RateLimitSnapshot, 
+/**
+ * Multi-bucket view keyed by metered `limit_id` (for example, `codex`).
+ */
+rateLimitsByLimitId: { [key in string]?: RateLimitSnapshot } | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/RateLimitSnapshot.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/RateLimitSnapshot.ts
@@ -5,4 +5,4 @@ import type { PlanType } from "../PlanType";
 import type { CreditsSnapshot } from "./CreditsSnapshot";
 import type { RateLimitWindow } from "./RateLimitWindow";

-export type RateLimitSnapshot = { primary: RateLimitWindow | null, secondary: RateLimitWindow | null, credits: CreditsSnapshot | null, planType: PlanType | null, };
+export type RateLimitSnapshot = { limitId: string | null, limitName: string | null, primary: RateLimitWindow | null, secondary: RateLimitWindow | null, credits: CreditsSnapshot | null, planType: PlanType | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ReadOnlyAccess.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ReadOnlyAccess.ts
@@ -0,0 +1,6 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { AbsolutePathBuf } from "../AbsolutePathBuf";
+
+export type ReadOnlyAccess = { "type": "restricted", includePlatformDefaults: boolean, readableRoots: Array<AbsolutePathBuf>, } | { "type": "fullAccess" };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/SandboxPolicy.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/SandboxPolicy.ts
@@ -3,5 +3,6 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 import type { NetworkAccess } from "./NetworkAccess";
+import type { ReadOnlyAccess } from "./ReadOnlyAccess";

-export type SandboxPolicy = { "type": "dangerFullAccess" } | { "type": "readOnly" } | { "type": "externalSandbox", networkAccess: NetworkAccess, } | { "type": "workspaceWrite", writableRoots: Array<AbsolutePathBuf>, networkAccess: boolean, excludeTmpdirEnvVar: boolean, excludeSlashTmp: boolean, };
+export type SandboxPolicy = { "type": "dangerFullAccess" } | { "type": "readOnly", access: ReadOnlyAccess, } | { "type": "externalSandbox", networkAccess: NetworkAccess, } | { "type": "workspaceWrite", writableRoots: Array<AbsolutePathBuf>, readOnlyAccess: ReadOnlyAccess, networkAccess: boolean, excludeTmpdirEnvVar: boolean, excludeSlashTmp: boolean, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/index.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/index.ts
@@ -101,6 +101,7 @@ export type { ProfileV2 } from "./ProfileV2";
 export type { RateLimitSnapshot } from "./RateLimitSnapshot";
 export type { RateLimitWindow } from "./RateLimitWindow";
 export type { RawResponseItemCompletedNotification } from "./RawResponseItemCompletedNotification";
+export type { ReadOnlyAccess } from "./ReadOnlyAccess";
 export type { ReasoningEffortOption } from "./ReasoningEffortOption";
 export type { ReasoningSummaryPartAddedNotification } from "./ReasoningSummaryPartAddedNotification";
 export type { ReasoningSummaryTextDeltaNotification } from "./ReasoningSummaryTextDeltaNotification";
--- a/codex-rs/app-server-protocol/src/export.rs
+++ b/codex-rs/app-server-protocol/src/export.rs
@@ -1474,7 +1474,9 @@ mod tests {
                    let allow_optional_nullable = path
                        .file_stem()
                        .and_then(|stem| stem.to_str())
-                        .is_some_and(|stem| stem.ends_with("Params"));
+                        .is_some_and(|stem| {
+                            stem.ends_with("Params") || stem == "InitializeCapabilities"
+                        });

                    let contents = fs::read_to_string(&path)?;
                    if contents.contains("| undefined") {
--- a/codex-rs/app-server-protocol/src/protocol/common.rs
+++ b/codex-rs/app-server-protocol/src/protocol/common.rs
@@ -806,6 +806,94 @@ mod tests {
        Ok(())
    }

+    #[test]
+    fn serialize_initialize_with_opt_out_notification_methods() -> Result<()> {
+        let request = ClientRequest::Initialize {
+            request_id: RequestId::Integer(42),
+            params: v1::InitializeParams {
+                client_info: v1::ClientInfo {
+                    name: "codex_vscode".to_string(),
+                    title: Some("Codex VS Code Extension".to_string()),
+                    version: "0.1.0".to_string(),
+                },
+                capabilities: Some(v1::InitializeCapabilities {
+                    experimental_api: true,
+                    opt_out_notification_methods: Some(vec![
+                        "codex/event/session_configured".to_string(),
+                        "item/agentMessage/delta".to_string(),
+                    ]),
+                }),
+            },
+        };
+
+        assert_eq!(
+            json!({
+                "method": "initialize",
+                "id": 42,
+                "params": {
+                    "clientInfo": {
+                        "name": "codex_vscode",
+                        "title": "Codex VS Code Extension",
+                        "version": "0.1.0"
+                    },
+                    "capabilities": {
+                        "experimentalApi": true,
+                        "optOutNotificationMethods": [
+                            "codex/event/session_configured",
+                            "item/agentMessage/delta"
+                        ]
+                    }
+                }
+            }),
+            serde_json::to_value(&request)?,
+        );
+        Ok(())
+    }
+
+    #[test]
+    fn deserialize_initialize_with_opt_out_notification_methods() -> Result<()> {
+        let request: ClientRequest = serde_json::from_value(json!({
+            "method": "initialize",
+            "id": 42,
+            "params": {
+                "clientInfo": {
+                    "name": "codex_vscode",
+                    "title": "Codex VS Code Extension",
+                    "version": "0.1.0"
+                },
+                "capabilities": {
+                    "experimentalApi": true,
+                    "optOutNotificationMethods": [
+                        "codex/event/session_configured",
+                        "item/agentMessage/delta"
+                    ]
+                }
+            }
+        }))?;
+
+        assert_eq!(
+            request,
+            ClientRequest::Initialize {
+                request_id: RequestId::Integer(42),
+                params: v1::InitializeParams {
+                    client_info: v1::ClientInfo {
+                        name: "codex_vscode".to_string(),
+                        title: Some("Codex VS Code Extension".to_string()),
+                        version: "0.1.0".to_string(),
+                    },
+                    capabilities: Some(v1::InitializeCapabilities {
+                        experimental_api: true,
+                        opt_out_notification_methods: Some(vec![
+                            "codex/event/session_configured".to_string(),
+                            "item/agentMessage/delta".to_string(),
+                        ]),
+                    }),
+                },
+            }
+        );
+        Ok(())
+    }
+
    #[test]
    fn conversation_id_serializes_as_plain_string() -> Result<()> {
        let id = ThreadId::from_string("67e55044-10b1-426f-9247-bb680e5fe0c8")?;
--- a/codex-rs/app-server-protocol/src/protocol/thread_history.rs
+++ b/codex-rs/app-server-protocol/src/protocol/thread_history.rs
@@ -5,21 +5,25 @@ use crate::protocol::v2::TurnStatus;
 use crate::protocol::v2::UserInput;
 use codex_protocol::protocol::AgentReasoningEvent;
 use codex_protocol::protocol::AgentReasoningRawContentEvent;
+use codex_protocol::protocol::CompactedItem;
 use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::ItemCompletedEvent;
+use codex_protocol::protocol::RolloutItem;
 use codex_protocol::protocol::ThreadRolledBackEvent;
 use codex_protocol::protocol::TurnAbortedEvent;
+use codex_protocol::protocol::TurnCompleteEvent;
+use codex_protocol::protocol::TurnStartedEvent;
 use codex_protocol::protocol::UserMessageEvent;
+use uuid::Uuid;

-/// Convert persisted [`EventMsg`] entries into a sequence of [`Turn`] values.
+/// Convert persisted [`RolloutItem`] entries into a sequence of [`Turn`] values.
 ///
-/// The purpose of this is to convert the EventMsgs persisted in a rollout file
-/// into a sequence of Turns and ThreadItems, which allows the client to render
-/// the historical messages when resuming a thread.
-pub fn build_turns_from_event_msgs(events: &[EventMsg]) -> Vec<Turn> {
+/// When available, this uses `TurnContext.turn_id` as the canonical turn id so
+/// resumed/rebuilt thread history preserves the original turn identifiers.
+pub fn build_turns_from_rollout_items(items: &[RolloutItem]) -> Vec<Turn> {
    let mut builder = ThreadHistoryBuilder::new();
-    for event in events {
-        builder.handle_event(event);
+    for item in items {
+        builder.handle_rollout_item(item);
    }
    builder.finish()
 }
@@ -27,7 +31,6 @@ pub fn build_turns_from_event_msgs(events: &[EventMsg]) -> Vec<Turn> {
 struct ThreadHistoryBuilder {
    turns: Vec<Turn>,
    current_turn: Option<PendingTurn>,
-    next_turn_index: i64,
    next_item_index: i64,
 }

@@ -36,7 +39,6 @@ impl ThreadHistoryBuilder {
        Self {
            turns: Vec::new(),
            current_turn: None,
-            next_turn_index: 1,
            next_item_index: 1,
        }
    }
@@ -63,13 +65,36 @@ impl ThreadHistoryBuilder {
            EventMsg::ThreadRolledBack(payload) => self.handle_thread_rollback(payload),
            EventMsg::UndoCompleted(_) => {}
            EventMsg::TurnAborted(payload) => self.handle_turn_aborted(payload),
+            EventMsg::TurnStarted(payload) => self.handle_turn_started(payload),
+            EventMsg::TurnComplete(payload) => self.handle_turn_complete(payload),
            _ => {}
        }
    }

+    fn handle_rollout_item(&mut self, item: &RolloutItem) {
+        match item {
+            RolloutItem::EventMsg(event) => self.handle_event(event),
+            RolloutItem::Compacted(payload) => self.handle_compacted(payload),
+            RolloutItem::TurnContext(_)
+            | RolloutItem::SessionMeta(_)
+            | RolloutItem::ResponseItem(_) => {}
+        }
+    }
+
    fn handle_user_message(&mut self, payload: &UserMessageEvent) {
-        self.finish_current_turn();
-        let mut turn = self.new_turn();
+        // User messages should stay in explicitly opened turns. For backward
+        // compatibility with older streams that did not open turns explicitly,
+        // close any implicit/inactive turn and start a fresh one for this input.
+        if let Some(turn) = self.current_turn.as_ref()
+            && !turn.opened_explicitly
+            && !(turn.saw_compaction && turn.items.is_empty())
+        {
+            self.finish_current_turn();
+        }
+        let mut turn = self
+            .current_turn
+            .take()
+            .unwrap_or_else(|| self.new_turn(None));
        let id = self.next_item_id();
        let content = self.build_user_inputs(payload);
        turn.items.push(ThreadItem::UserMessage { id, content });
@@ -147,6 +172,30 @@ impl ThreadHistoryBuilder {
        turn.status = TurnStatus::Interrupted;
    }

+    fn handle_turn_started(&mut self, payload: &TurnStartedEvent) {
+        self.finish_current_turn();
+        self.current_turn = Some(
+            self.new_turn(Some(payload.turn_id.clone()))
+                .opened_explicitly(),
+        );
+    }
+
+    fn handle_turn_complete(&mut self, _payload: &TurnCompleteEvent) {
+        if let Some(current_turn) = self.current_turn.as_mut() {
+            current_turn.status = TurnStatus::Completed;
+            self.finish_current_turn();
+        }
+    }
+
+    /// Marks the current turn as containing a persisted compaction marker.
+    ///
+    /// This keeps compaction-only legacy turns from being dropped by
+    /// `finish_current_turn` when they have no renderable items and were not
+    /// explicitly opened.
+    fn handle_compacted(&mut self, _payload: &CompactedItem) {
+        self.ensure_turn().saw_compaction = true;
+    }
+
    fn handle_thread_rollback(&mut self, payload: &ThreadRolledBackEvent) {
        self.finish_current_turn();

@@ -157,34 +206,33 @@ impl ThreadHistoryBuilder {
            self.turns.truncate(self.turns.len().saturating_sub(n));
        }

-        // Re-number subsequent synthetic ids so the pruned history is consistent.
-        self.next_turn_index =
-            i64::try_from(self.turns.len().saturating_add(1)).unwrap_or(i64::MAX);
        let item_count: usize = self.turns.iter().map(|t| t.items.len()).sum();
        self.next_item_index = i64::try_from(item_count.saturating_add(1)).unwrap_or(i64::MAX);
    }

    fn finish_current_turn(&mut self) {
        if let Some(turn) = self.current_turn.take() {
-            if turn.items.is_empty() {
+            if turn.items.is_empty() && !turn.opened_explicitly && !turn.saw_compaction {
                return;
            }
            self.turns.push(turn.into());
        }
    }

-    fn new_turn(&mut self) -> PendingTurn {
+    fn new_turn(&mut self, id: Option<String>) -> PendingTurn {
        PendingTurn {
-            id: self.next_turn_id(),
+            id: id.unwrap_or_else(|| Uuid::now_v7().to_string()),
            items: Vec::new(),
            error: None,
            status: TurnStatus::Completed,
+            opened_explicitly: false,
+            saw_compaction: false,
        }
    }

    fn ensure_turn(&mut self) -> &mut PendingTurn {
        if self.current_turn.is_none() {
-            let turn = self.new_turn();
+            let turn = self.new_turn(None);
            return self.current_turn.insert(turn);
        }

@@ -195,12 +243,6 @@ impl ThreadHistoryBuilder {
        unreachable!("current turn must exist after initialization");
    }

-    fn next_turn_id(&mut self) -> String {
-        let id = format!("turn-{}", self.next_turn_index);
-        self.next_turn_index += 1;
-        id
-    }
-
    fn next_item_id(&mut self) -> String {
        let id = format!("item-{}", self.next_item_index);
        self.next_item_index += 1;
@@ -237,6 +279,19 @@ struct PendingTurn {
    items: Vec<ThreadItem>,
    error: Option<TurnError>,
    status: TurnStatus,
+    /// True when this turn originated from an explicit `turn_started`/`turn_complete`
+    /// boundary, so we preserve it even if it has no renderable items.
+    opened_explicitly: bool,
+    /// True when this turn includes a persisted `RolloutItem::Compacted`, which
+    /// should keep the turn from being dropped even without normal items.
+    saw_compaction: bool,
+}
+
+impl PendingTurn {
+    fn opened_explicitly(mut self) -> Self {
+        self.opened_explicitly = true;
+        self
+    }
 }

 impl From<PendingTurn> for Turn {
@@ -256,11 +311,15 @@ mod tests {
    use codex_protocol::protocol::AgentMessageEvent;
    use codex_protocol::protocol::AgentReasoningEvent;
    use codex_protocol::protocol::AgentReasoningRawContentEvent;
+    use codex_protocol::protocol::CompactedItem;
    use codex_protocol::protocol::ThreadRolledBackEvent;
    use codex_protocol::protocol::TurnAbortReason;
    use codex_protocol::protocol::TurnAbortedEvent;
+    use codex_protocol::protocol::TurnCompleteEvent;
+    use codex_protocol::protocol::TurnStartedEvent;
    use codex_protocol::protocol::UserMessageEvent;
    use pretty_assertions::assert_eq;
+    use uuid::Uuid;

    #[test]
    fn builds_multiple_turns_with_reasoning_items() {
@@ -291,11 +350,15 @@ mod tests {
            }),
        ];

-        let turns = build_turns_from_event_msgs(&events);
+        let items = events
+            .into_iter()
+            .map(RolloutItem::EventMsg)
+            .collect::<Vec<_>>();
+        let turns = build_turns_from_rollout_items(&items);
        assert_eq!(turns.len(), 2);

        let first = &turns[0];
-        assert_eq!(first.id, "turn-1");
+        assert!(Uuid::parse_str(&first.id).is_ok());
        assert_eq!(first.status, TurnStatus::Completed);
        assert_eq!(first.items.len(), 3);
        assert_eq!(
@@ -330,7 +393,8 @@ mod tests {
        );

        let second = &turns[1];
-        assert_eq!(second.id, "turn-2");
+        assert!(Uuid::parse_str(&second.id).is_ok());
+        assert_ne!(first.id, second.id);
        assert_eq!(second.items.len(), 2);
        assert_eq!(
            second.items[0],
@@ -374,7 +438,11 @@ mod tests {
            }),
        ];

-        let turns = build_turns_from_event_msgs(&events);
+        let items = events
+            .into_iter()
+            .map(RolloutItem::EventMsg)
+            .collect::<Vec<_>>();
+        let turns = build_turns_from_rollout_items(&items);
        assert_eq!(turns.len(), 1);
        let turn = &turns[0];
        assert_eq!(turn.items.len(), 4);
@@ -410,6 +478,7 @@ mod tests {
                message: "Working...".into(),
            }),
            EventMsg::TurnAborted(TurnAbortedEvent {
+                turn_id: Some("turn-1".into()),
                reason: TurnAbortReason::Replaced,
            }),
            EventMsg::UserMessage(UserMessageEvent {
@@ -423,7 +492,11 @@ mod tests {
            }),
        ];

-        let turns = build_turns_from_event_msgs(&events);
+        let items = events
+            .into_iter()
+            .map(RolloutItem::EventMsg)
+            .collect::<Vec<_>>();
+        let turns = build_turns_from_rollout_items(&items);
        assert_eq!(turns.len(), 2);

        let first_turn = &turns[0];
@@ -502,46 +575,49 @@ mod tests {
            }),
        ];

-        let turns = build_turns_from_event_msgs(&events);
-        let expected = vec![
-            Turn {
-                id: "turn-1".into(),
-                status: TurnStatus::Completed,
-                error: None,
-                items: vec![
-                    ThreadItem::UserMessage {
-                        id: "item-1".into(),
-                        content: vec![UserInput::Text {
-                            text: "First".into(),
-                            text_elements: Vec::new(),
-                        }],
-                    },
-                    ThreadItem::AgentMessage {
-                        id: "item-2".into(),
-                        text: "A1".into(),
-                    },
-                ],
-            },
-            Turn {
-                id: "turn-2".into(),
-                status: TurnStatus::Completed,
-                error: None,
-                items: vec![
-                    ThreadItem::UserMessage {
-                        id: "item-3".into(),
-                        content: vec![UserInput::Text {
-                            text: "Third".into(),
-                            text_elements: Vec::new(),
-                        }],
-                    },
-                    ThreadItem::AgentMessage {
-                        id: "item-4".into(),
-                        text: "A3".into(),
-                    },
-                ],
-            },
-        ];
-        assert_eq!(turns, expected);
+        let items = events
+            .into_iter()
+            .map(RolloutItem::EventMsg)
+            .collect::<Vec<_>>();
+        let turns = build_turns_from_rollout_items(&items);
+        assert_eq!(turns.len(), 2);
+        assert!(Uuid::parse_str(&turns[0].id).is_ok());
+        assert!(Uuid::parse_str(&turns[1].id).is_ok());
+        assert_ne!(turns[0].id, turns[1].id);
+        assert_eq!(turns[0].status, TurnStatus::Completed);
+        assert_eq!(turns[1].status, TurnStatus::Completed);
+        assert_eq!(
+            turns[0].items,
+            vec![
+                ThreadItem::UserMessage {
+                    id: "item-1".into(),
+                    content: vec![UserInput::Text {
+                        text: "First".into(),
+                        text_elements: Vec::new(),
+                    }],
+                },
+                ThreadItem::AgentMessage {
+                    id: "item-2".into(),
+                    text: "A1".into(),
+                },
+            ]
+        );
+        assert_eq!(
+            turns[1].items,
+            vec![
+                ThreadItem::UserMessage {
+                    id: "item-3".into(),
+                    content: vec![UserInput::Text {
+                        text: "Third".into(),
+                        text_elements: Vec::new(),
+                    }],
+                },
+                ThreadItem::AgentMessage {
+                    id: "item-4".into(),
+                    text: "A3".into(),
+                },
+            ]
+        );
    }

    #[test]
@@ -568,7 +644,95 @@ mod tests {
            EventMsg::ThreadRolledBack(ThreadRolledBackEvent { num_turns: 99 }),
        ];

-        let turns = build_turns_from_event_msgs(&events);
+        let items = events
+            .into_iter()
+            .map(RolloutItem::EventMsg)
+            .collect::<Vec<_>>();
+        let turns = build_turns_from_rollout_items(&items);
        assert_eq!(turns, Vec::<Turn>::new());
    }
+
+    #[test]
+    fn uses_explicit_turn_boundaries_for_mid_turn_steering() {
+        let events = vec![
+            EventMsg::TurnStarted(TurnStartedEvent {
+                turn_id: "turn-a".into(),
+                model_context_window: None,
+                collaboration_mode_kind: Default::default(),
+            }),
+            EventMsg::UserMessage(UserMessageEvent {
+                message: "Start".into(),
+                images: None,
+                text_elements: Vec::new(),
+                local_images: Vec::new(),
+            }),
+            EventMsg::UserMessage(UserMessageEvent {
+                message: "Steer".into(),
+                images: None,
+                text_elements: Vec::new(),
+                local_images: Vec::new(),
+            }),
+            EventMsg::TurnComplete(TurnCompleteEvent {
+                turn_id: "turn-a".into(),
+                last_agent_message: None,
+            }),
+        ];
+
+        let items = events
+            .into_iter()
+            .map(RolloutItem::EventMsg)
+            .collect::<Vec<_>>();
+        let turns = build_turns_from_rollout_items(&items);
+        assert_eq!(turns.len(), 1);
+        assert_eq!(turns[0].id, "turn-a");
+        assert_eq!(
+            turns[0].items,
+            vec![
+                ThreadItem::UserMessage {
+                    id: "item-1".into(),
+                    content: vec![UserInput::Text {
+                        text: "Start".into(),
+                        text_elements: Vec::new(),
+                    }],
+                },
+                ThreadItem::UserMessage {
+                    id: "item-2".into(),
+                    content: vec![UserInput::Text {
+                        text: "Steer".into(),
+                        text_elements: Vec::new(),
+                    }],
+                },
+            ]
+        );
+    }
+
+    #[test]
+    fn preserves_compaction_only_turn() {
+        let items = vec![
+            RolloutItem::EventMsg(EventMsg::TurnStarted(TurnStartedEvent {
+                turn_id: "turn-compact".into(),
+                model_context_window: None,
+                collaboration_mode_kind: Default::default(),
+            })),
+            RolloutItem::Compacted(CompactedItem {
+                message: String::new(),
+                replacement_history: None,
+            }),
+            RolloutItem::EventMsg(EventMsg::TurnComplete(TurnCompleteEvent {
+                turn_id: "turn-compact".into(),
+                last_agent_message: None,
+            })),
+        ];
+
+        let turns = build_turns_from_rollout_items(&items);
+        assert_eq!(
+            turns,
+            vec![Turn {
+                id: "turn-compact".into(),
+                status: TurnStatus::Completed,
+                error: None,
+                items: Vec::new(),
+            }]
+        );
+    }
 }
--- a/codex-rs/app-server-protocol/src/protocol/v1.rs
+++ b/codex-rs/app-server-protocol/src/protocol/v1.rs
@@ -46,12 +46,16 @@ pub struct ClientInfo {
 }

 /// Client-declared capabilities negotiated during initialize.
-#[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, Default, JsonSchema, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, Default, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct InitializeCapabilities {
    /// Opt into receiving experimental API methods and fields.
    #[serde(default)]
    pub experimental_api: bool,
+    /// Exact notification method names that should be suppressed for this
+    /// connection (for example `codex/event/session_configured`).
+    #[ts(optional = nullable)]
+    pub opt_out_notification_methods: Option<Vec<String>>,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
--- a/codex-rs/app-server-protocol/src/protocol/v2.rs
+++ b/codex-rs/app-server-protocol/src/protocol/v2.rs
@@ -32,6 +32,7 @@ use codex_protocol::protocol::CreditsSnapshot as CoreCreditsSnapshot;
 use codex_protocol::protocol::NetworkAccess as CoreNetworkAccess;
 use codex_protocol::protocol::RateLimitSnapshot as CoreRateLimitSnapshot;
 use codex_protocol::protocol::RateLimitWindow as CoreRateLimitWindow;
+use codex_protocol::protocol::ReadOnlyAccess as CoreReadOnlyAccess;
 use codex_protocol::protocol::SessionSource as CoreSessionSource;
 use codex_protocol::protocol::SkillDependencies as CoreSkillDependencies;
 use codex_protocol::protocol::SkillErrorInfo as CoreSkillErrorInfo;
@@ -88,10 +89,7 @@ macro_rules! v2_enum_from_core {
 pub enum CodexErrorInfo {
    ContextWindowExceeded,
    UsageLimitExceeded,
-    ModelCap {
-        model: String,
-        reset_after_seconds: Option<u64>,
-    },
+    ServerOverloaded,
    HttpConnectionFailed {
        #[serde(rename = "httpStatusCode")]
        #[ts(rename = "httpStatusCode")]
@@ -128,13 +126,7 @@ impl From<CoreCodexErrorInfo> for CodexErrorInfo {
        match value {
            CoreCodexErrorInfo::ContextWindowExceeded => CodexErrorInfo::ContextWindowExceeded,
            CoreCodexErrorInfo::UsageLimitExceeded => CodexErrorInfo::UsageLimitExceeded,
-            CoreCodexErrorInfo::ModelCap {
-                model,
-                reset_after_seconds,
-            } => CodexErrorInfo::ModelCap {
-                model,
-                reset_after_seconds,
-            },
+            CoreCodexErrorInfo::ServerOverloaded => CodexErrorInfo::ServerOverloaded,
            CoreCodexErrorInfo::HttpConnectionFailed { http_status_code } => {
                CodexErrorInfo::HttpConnectionFailed { http_status_code }
            }
@@ -404,6 +396,10 @@ const fn default_enabled() -> bool {
    true
 }

+const fn default_include_platform_defaults() -> bool {
+    true
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS, ExperimentalApi)]
 #[serde(rename_all = "snake_case")]
 #[ts(export_to = "v2/")]
@@ -647,13 +643,65 @@ pub enum NetworkAccess {
    Enabled,
 }

+#[derive(Serialize, Deserialize, Debug, Default, Clone, PartialEq, Eq, JsonSchema, TS)]
+#[serde(tag = "type", rename_all = "camelCase")]
+#[ts(tag = "type")]
+#[ts(export_to = "v2/")]
+pub enum ReadOnlyAccess {
+    #[serde(rename_all = "camelCase")]
+    #[ts(rename_all = "camelCase")]
+    Restricted {
+        #[serde(default = "default_include_platform_defaults")]
+        include_platform_defaults: bool,
+        #[serde(default)]
+        readable_roots: Vec<AbsolutePathBuf>,
+    },
+    #[default]
+    FullAccess,
+}
+
+impl ReadOnlyAccess {
+    pub fn to_core(&self) -> CoreReadOnlyAccess {
+        match self {
+            ReadOnlyAccess::Restricted {
+                include_platform_defaults,
+                readable_roots,
+            } => CoreReadOnlyAccess::Restricted {
+                include_platform_defaults: *include_platform_defaults,
+                readable_roots: readable_roots.clone(),
+            },
+            ReadOnlyAccess::FullAccess => CoreReadOnlyAccess::FullAccess,
+        }
+    }
+}
+
+impl From<CoreReadOnlyAccess> for ReadOnlyAccess {
+    fn from(value: CoreReadOnlyAccess) -> Self {
+        match value {
+            CoreReadOnlyAccess::Restricted {
+                include_platform_defaults,
+                readable_roots,
+            } => ReadOnlyAccess::Restricted {
+                include_platform_defaults,
+                readable_roots,
+            },
+            CoreReadOnlyAccess::FullAccess => ReadOnlyAccess::FullAccess,
+        }
+    }
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
 #[serde(tag = "type", rename_all = "camelCase")]
 #[ts(tag = "type")]
 #[ts(export_to = "v2/")]
 pub enum SandboxPolicy {
    DangerFullAccess,
-    ReadOnly,
+    #[serde(rename_all = "camelCase")]
+    #[ts(rename_all = "camelCase")]
+    ReadOnly {
+        #[serde(default)]
+        access: ReadOnlyAccess,
+    },
    #[serde(rename_all = "camelCase")]
    #[ts(rename_all = "camelCase")]
    ExternalSandbox {
@@ -666,6 +714,8 @@ pub enum SandboxPolicy {
        #[serde(default)]
        writable_roots: Vec<AbsolutePathBuf>,
        #[serde(default)]
+        read_only_access: ReadOnlyAccess,
+        #[serde(default)]
        network_access: bool,
        #[serde(default)]
        exclude_tmpdir_env_var: bool,
@@ -680,7 +730,11 @@ impl SandboxPolicy {
            SandboxPolicy::DangerFullAccess => {
                codex_protocol::protocol::SandboxPolicy::DangerFullAccess
            }
-            SandboxPolicy::ReadOnly => codex_protocol::protocol::SandboxPolicy::ReadOnly,
+            SandboxPolicy::ReadOnly { access } => {
+                codex_protocol::protocol::SandboxPolicy::ReadOnly {
+                    access: access.to_core(),
+                }
+            }
            SandboxPolicy::ExternalSandbox { network_access } => {
                codex_protocol::protocol::SandboxPolicy::ExternalSandbox {
                    network_access: match network_access {
@@ -691,11 +745,13 @@ impl SandboxPolicy {
            }
            SandboxPolicy::WorkspaceWrite {
                writable_roots,
+                read_only_access,
                network_access,
                exclude_tmpdir_env_var,
                exclude_slash_tmp,
            } => codex_protocol::protocol::SandboxPolicy::WorkspaceWrite {
                writable_roots: writable_roots.clone(),
+                read_only_access: read_only_access.to_core(),
                network_access: *network_access,
                exclude_tmpdir_env_var: *exclude_tmpdir_env_var,
                exclude_slash_tmp: *exclude_slash_tmp,
@@ -710,7 +766,11 @@ impl From<codex_protocol::protocol::SandboxPolicy> for SandboxPolicy {
            codex_protocol::protocol::SandboxPolicy::DangerFullAccess => {
                SandboxPolicy::DangerFullAccess
            }
-            codex_protocol::protocol::SandboxPolicy::ReadOnly => SandboxPolicy::ReadOnly,
+            codex_protocol::protocol::SandboxPolicy::ReadOnly { access } => {
+                SandboxPolicy::ReadOnly {
+                    access: ReadOnlyAccess::from(access),
+                }
+            }
            codex_protocol::protocol::SandboxPolicy::ExternalSandbox { network_access } => {
                SandboxPolicy::ExternalSandbox {
                    network_access: match network_access {
@@ -721,11 +781,13 @@ impl From<codex_protocol::protocol::SandboxPolicy> for SandboxPolicy {
            }
            codex_protocol::protocol::SandboxPolicy::WorkspaceWrite {
                writable_roots,
+                read_only_access,
                network_access,
                exclude_tmpdir_env_var,
                exclude_slash_tmp,
            } => SandboxPolicy::WorkspaceWrite {
                writable_roots,
+                read_only_access: ReadOnlyAccess::from(read_only_access),
                network_access,
                exclude_tmpdir_env_var,
                exclude_slash_tmp,
@@ -1009,7 +1071,10 @@ pub struct ChatgptAuthTokensRefreshResponse {
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
 pub struct GetAccountRateLimitsResponse {
+    /// Backward-compatible single-bucket view; mirrors the historical payload.
    pub rate_limits: RateLimitSnapshot,
+    /// Multi-bucket view keyed by metered `limit_id` (for example, `codex`).
+    pub rate_limits_by_limit_id: Option<HashMap<String, RateLimitSnapshot>>,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -3103,6 +3168,8 @@ pub struct AccountRateLimitsUpdatedNotification {
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
 pub struct RateLimitSnapshot {
+    pub limit_id: Option<String>,
+    pub limit_name: Option<String>,
    pub primary: Option<RateLimitWindow>,
    pub secondary: Option<RateLimitWindow>,
    pub credits: Option<CreditsSnapshot>,
@@ -3112,6 +3179,8 @@ pub struct RateLimitSnapshot {
 impl From<CoreRateLimitSnapshot> for RateLimitSnapshot {
    fn from(value: CoreRateLimitSnapshot) -> Self {
        Self {
+            limit_id: value.limit_id,
+            limit_name: value.limit_name,
            primary: value.primary.map(RateLimitWindow::from),
            secondary: value.secondary.map(RateLimitWindow::from),
            credits: value.credits.map(CreditsSnapshot::from),
@@ -3228,11 +3297,21 @@ mod tests {
    use codex_protocol::items::WebSearchItem;
    use codex_protocol::models::WebSearchAction as CoreWebSearchAction;
    use codex_protocol::protocol::NetworkAccess as CoreNetworkAccess;
+    use codex_protocol::protocol::ReadOnlyAccess as CoreReadOnlyAccess;
    use codex_protocol::user_input::UserInput as CoreUserInput;
    use pretty_assertions::assert_eq;
    use serde_json::json;
    use std::path::PathBuf;

+    fn test_absolute_path() -> AbsolutePathBuf {
+        let path = if cfg!(windows) {
+            r"C:\readable"
+        } else {
+            "/readable"
+        };
+        AbsolutePathBuf::from_absolute_path(path).expect("path must be absolute")
+    }
+
    #[test]
    fn sandbox_policy_round_trips_external_sandbox_network_access() {
        let v2_policy = SandboxPolicy::ExternalSandbox {
@@ -3251,6 +3330,100 @@ mod tests {
        assert_eq!(back_to_v2, v2_policy);
    }

+    #[test]
+    fn sandbox_policy_round_trips_read_only_access() {
+        let readable_root = test_absolute_path();
+        let v2_policy = SandboxPolicy::ReadOnly {
+            access: ReadOnlyAccess::Restricted {
+                include_platform_defaults: false,
+                readable_roots: vec![readable_root.clone()],
+            },
+        };
+
+        let core_policy = v2_policy.to_core();
+        assert_eq!(
+            core_policy,
+            codex_protocol::protocol::SandboxPolicy::ReadOnly {
+                access: CoreReadOnlyAccess::Restricted {
+                    include_platform_defaults: false,
+                    readable_roots: vec![readable_root],
+                },
+            }
+        );
+
+        let back_to_v2 = SandboxPolicy::from(core_policy);
+        assert_eq!(back_to_v2, v2_policy);
+    }
+
+    #[test]
+    fn sandbox_policy_round_trips_workspace_write_read_only_access() {
+        let readable_root = test_absolute_path();
+        let v2_policy = SandboxPolicy::WorkspaceWrite {
+            writable_roots: vec![],
+            read_only_access: ReadOnlyAccess::Restricted {
+                include_platform_defaults: false,
+                readable_roots: vec![readable_root.clone()],
+            },
+            network_access: true,
+            exclude_tmpdir_env_var: false,
+            exclude_slash_tmp: false,
+        };
+
+        let core_policy = v2_policy.to_core();
+        assert_eq!(
+            core_policy,
+            codex_protocol::protocol::SandboxPolicy::WorkspaceWrite {
+                writable_roots: vec![],
+                read_only_access: CoreReadOnlyAccess::Restricted {
+                    include_platform_defaults: false,
+                    readable_roots: vec![readable_root],
+                },
+                network_access: true,
+                exclude_tmpdir_env_var: false,
+                exclude_slash_tmp: false,
+            }
+        );
+
+        let back_to_v2 = SandboxPolicy::from(core_policy);
+        assert_eq!(back_to_v2, v2_policy);
+    }
+
+    #[test]
+    fn sandbox_policy_deserializes_legacy_read_only_without_access_field() {
+        let policy: SandboxPolicy = serde_json::from_value(json!({
+            "type": "readOnly"
+        }))
+        .expect("read-only policy should deserialize");
+        assert_eq!(
+            policy,
+            SandboxPolicy::ReadOnly {
+                access: ReadOnlyAccess::FullAccess,
+            }
+        );
+    }
+
+    #[test]
+    fn sandbox_policy_deserializes_legacy_workspace_write_without_read_only_access_field() {
+        let policy: SandboxPolicy = serde_json::from_value(json!({
+            "type": "workspaceWrite",
+            "writableRoots": [],
+            "networkAccess": false,
+            "excludeTmpdirEnvVar": false,
+            "excludeSlashTmp": false
+        }))
+        .expect("workspace-write policy should deserialize");
+        assert_eq!(
+            policy,
+            SandboxPolicy::WorkspaceWrite {
+                writable_roots: vec![],
+                read_only_access: ReadOnlyAccess::FullAccess,
+                network_access: false,
+                exclude_tmpdir_env_var: false,
+                exclude_slash_tmp: false,
+            }
+        );
+    }
+
    #[test]
    fn core_turn_item_into_thread_item_converts_supported_variants() {
        let user_item = TurnItem::UserMessage(UserMessageItem {
--- a/codex-rs/app-server-test-client/Cargo.lock
+++ b/codex-rs/app-server-test-client/Cargo.lock
--- a/codex-rs/app-server-test-client/src/lib.rs
+++ b/codex-rs/app-server-test-client/src/lib.rs
@@ -46,12 +46,15 @@ use codex_app_server_protocol::ModelListParams;
 use codex_app_server_protocol::ModelListResponse;
 use codex_app_server_protocol::NewConversationParams;
 use codex_app_server_protocol::NewConversationResponse;
+use codex_app_server_protocol::ReadOnlyAccess;
 use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::SandboxPolicy;
 use codex_app_server_protocol::SendUserMessageParams;
 use codex_app_server_protocol::SendUserMessageResponse;
 use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::ServerRequest;
+use codex_app_server_protocol::ThreadResumeParams;
+use codex_app_server_protocol::ThreadResumeResponse;
 use codex_app_server_protocol::ThreadStartParams;
 use codex_app_server_protocol::ThreadStartResponse;
 use codex_app_server_protocol::TurnStartParams;
@@ -112,6 +115,13 @@ enum CliCommand {
        /// User message to send to Codex.
        user_message: String,
    },
+    /// Resume a V2 thread by id, then send a user message.
+    ResumeMessageV2 {
+        /// Existing thread id to resume.
+        thread_id: String,
+        /// User message to send to Codex.
+        user_message: String,
+    },
    /// Start a V2 turn that elicits an ExecCommand approval.
    #[command(name = "trigger-cmd-approval")]
    TriggerCmdApproval {
@@ -161,6 +171,16 @@ pub fn run() -> Result<()> {
        CliCommand::SendMessageV2 { user_message } => {
            send_message_v2(&codex_bin, &config_overrides, user_message, &dynamic_tools)
        }
+        CliCommand::ResumeMessageV2 {
+            thread_id,
+            user_message,
+        } => resume_message_v2(
+            &codex_bin,
+            &config_overrides,
+            thread_id,
+            user_message,
+            &dynamic_tools,
+        ),
        CliCommand::TriggerCmdApproval { user_message } => {
            trigger_cmd_approval(&codex_bin, &config_overrides, user_message, &dynamic_tools)
        }
@@ -233,6 +253,41 @@ pub fn send_message_v2(
    )
 }

+fn resume_message_v2(
+    codex_bin: &Path,
+    config_overrides: &[String],
+    thread_id: String,
+    user_message: String,
+    dynamic_tools: &Option<Vec<DynamicToolSpec>>,
+) -> Result<()> {
+    ensure_dynamic_tools_unused(dynamic_tools, "resume-message-v2")?;
+
+    let mut client = CodexClient::spawn(codex_bin, config_overrides)?;
+
+    let initialize = client.initialize()?;
+    println!("< initialize response: {initialize:?}");
+
+    let resume_response = client.thread_resume(ThreadResumeParams {
+        thread_id,
+        ..Default::default()
+    })?;
+    println!("< thread/resume response: {resume_response:?}");
+
+    let turn_response = client.turn_start(TurnStartParams {
+        thread_id: resume_response.thread.id.clone(),
+        input: vec![V2UserInput::Text {
+            text: user_message,
+            text_elements: Vec::new(),
+        }],
+        ..Default::default()
+    })?;
+    println!("< turn/start response: {turn_response:?}");
+
+    client.stream_turn(&resume_response.thread.id, &turn_response.turn.id)?;
+
+    Ok(())
+}
+
 fn trigger_cmd_approval(
    codex_bin: &Path,
    config_overrides: &[String],
@@ -247,7 +302,9 @@ fn trigger_cmd_approval(
        config_overrides,
        message,
        Some(AskForApproval::OnRequest),
-        Some(SandboxPolicy::ReadOnly),
+        Some(SandboxPolicy::ReadOnly {
+            access: ReadOnlyAccess::FullAccess,
+        }),
        dynamic_tools,
    )
 }
@@ -266,7 +323,9 @@ fn trigger_patch_approval(
        config_overrides,
        message,
        Some(AskForApproval::OnRequest),
-        Some(SandboxPolicy::ReadOnly),
+        Some(SandboxPolicy::ReadOnly {
+            access: ReadOnlyAccess::FullAccess,
+        }),
        dynamic_tools,
    )
 }
@@ -511,6 +570,7 @@ impl CodexClient {
                },
                capabilities: Some(InitializeCapabilities {
                    experimental_api: true,
+                    opt_out_notification_methods: None,
                }),
            },
        };
@@ -591,6 +651,16 @@ impl CodexClient {
        self.send_request(request, request_id, "thread/start")
    }

+    fn thread_resume(&mut self, params: ThreadResumeParams) -> Result<ThreadResumeResponse> {
+        let request_id = self.request_id();
+        let request = ClientRequest::ThreadResume {
+            request_id: request_id.clone(),
+            params,
+        };
+
+        self.send_request(request, request_id, "thread/resume")
+    }
+
    fn turn_start(&mut self, params: TurnStartParams) -> Result<TurnStartResponse> {
        let request_id = self.request_id();
        let request = ClientRequest::TurnStart {
--- a/codex-rs/app-server/Cargo.toml
+++ b/codex-rs/app-server/Cargo.toml
@@ -20,8 +20,8 @@ anyhow = { workspace = true }
 async-trait = { workspace = true }
 codex-arg0 = { workspace = true }
 codex-cloud-requirements = { workspace = true }
-codex-common = { workspace = true, features = ["cli"] }
 codex-core = { workspace = true }
+codex-utils-cli = { workspace = true }
 codex-backend-client = { workspace = true }
 codex-file-search = { workspace = true }
 codex-chatgpt = { workspace = true }
--- a/codex-rs/app-server/README.md
+++ b/codex-rs/app-server/README.md
@@ -28,6 +28,12 @@ Supported transports:

 Websocket transport is currently experimental and unsupported. Do not rely on it for production workloads.

+Backpressure behavior:
+
+- The server uses bounded queues between transport ingress, request processing, and outbound writes.
+- When request ingress is saturated, new requests are rejected with a JSON-RPC error code `-32001` and message `"Server overloaded; retry later."`.
+- Clients should treat this as retryable and use exponential backoff with jitter.
+
 ## Message Schema

 Currently, you can dump a TypeScript version of the schema using `codex app-server generate-ts`, or a JSON Schema bundle via `codex app-server generate-json-schema`. Each output is specific to the version of Codex you used to run the command, so the generated artifacts are guaranteed to match that version.
@@ -59,6 +65,8 @@ Use the thread APIs to create, list, or archive conversations. Drive a conversat

 Clients must send a single `initialize` request per transport connection before invoking any other method on that connection, then acknowledge with an `initialized` notification. The server returns the user agent string it will present to upstream services; subsequent requests issued before initialization receive a `"Not initialized"` error, and repeated `initialize` calls on the same connection receive an `"Already initialized"` error.

+`initialize.params.capabilities` also supports per-connection notification opt-out via `optOutNotificationMethods`, which is a list of exact method names to suppress for that connection. Matching is exact (no wildcards/prefixes). Unknown method names are accepted and ignored.
+
 Applications building on top of `codex app-server` should identify themselves via the `clientInfo` parameter.

 **Important**: `clientInfo.name` is used to identify the client for the OpenAI Compliance Logs Platform. If
@@ -81,6 +89,29 @@ Example (from OpenAI's official VSCode extension):
 }
 ```

+Example with notification opt-out:
+
+```json
+{
+  "method": "initialize",
+  "id": 1,
+  "params": {
+    "clientInfo": {
+      "name": "my_client",
+      "title": "My Client",
+      "version": "0.1.0"
+    },
+    "capabilities": {
+      "experimentalApi": true,
+      "optOutNotificationMethods": [
+        "codex/event/session_configured",
+        "item/agentMessage/delta"
+      ]
+    }
+  }
+}
+```
+
 ## API Overview

 - `thread/start` — create a new thread; emits `thread/started` and auto-subscribes you to turn/item events for that thread.
@@ -487,6 +518,20 @@ Notes:

 Event notifications are the server-initiated event stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading stdout for `thread/started`, `turn/*`, and `item/*` notifications.

+### Notification opt-out
+
+Clients can suppress specific notifications per connection by sending exact method names in `initialize.params.capabilities.optOutNotificationMethods`.
+
+- Exact-match only: `item/agentMessage/delta` suppresses only that method.
+- Unknown method names are ignored.
+- Applies to both legacy (`codex/event/*`) and v2 (`thread/*`, `turn/*`, `item/*`, etc.) notifications.
+- Does not apply to requests/responses/errors.
+
+Examples:
+
+- Opt out of legacy session setup event: `codex/event/session_configured`
+- Opt out of streamed agent text deltas: `item/agentMessage/delta`
+
 ### Turn events

 The app-server streams JSON-RPC notifications while a turn is running. Each turn starts with `turn/started` (initial `turn`) and ends with `turn/completed` (final `turn` status). Token usage events stream separately via `thread/tokenUsage/updated`. Clients subscribe to the events they care about, rendering each item incrementally as updates arrive. The per-item lifecycle is always: `item/started` → zero or more item-specific deltas → `item/completed`.
--- a/codex-rs/app-server/src/bespoke_event_handling.rs
+++ b/codex-rs/app-server/src/bespoke_event_handling.rs
@@ -1,14 +1,12 @@
 use crate::codex_message_processor::ApiVersion;
-use crate::codex_message_processor::PendingInterrupts;
-use crate::codex_message_processor::PendingRollbacks;
-use crate::codex_message_processor::TurnSummary;
-use crate::codex_message_processor::TurnSummaryStore;
-use crate::codex_message_processor::read_event_msgs_from_rollout;
+use crate::codex_message_processor::read_rollout_items_from_rollout;
 use crate::codex_message_processor::read_summary_from_rollout;
 use crate::codex_message_processor::summary_to_thread;
 use crate::error_code::INTERNAL_ERROR_CODE;
 use crate::error_code::INVALID_REQUEST_ERROR_CODE;
-use crate::outgoing_message::OutgoingMessageSender;
+use crate::outgoing_message::ThreadScopedOutgoingMessageSender;
+use crate::thread_state::ThreadState;
+use crate::thread_state::TurnSummary;
 use codex_app_server_protocol::AccountRateLimitsUpdatedNotification;
 use codex_app_server_protocol::AgentMessageDeltaNotification;
 use codex_app_server_protocol::ApplyPatchApprovalParams;
@@ -69,7 +67,7 @@ use codex_app_server_protocol::TurnInterruptResponse;
 use codex_app_server_protocol::TurnPlanStep;
 use codex_app_server_protocol::TurnPlanUpdatedNotification;
 use codex_app_server_protocol::TurnStatus;
-use codex_app_server_protocol::build_turns_from_event_msgs;
+use codex_app_server_protocol::build_turns_from_rollout_items;
 use codex_core::CodexThread;
 use codex_core::parse_command::shlex_join;
 use codex_core::protocol::ApplyPatchApprovalRequestEvent;
@@ -98,6 +96,7 @@ use std::collections::HashMap;
 use std::convert::TryFrom;
 use std::path::PathBuf;
 use std::sync::Arc;
+use tokio::sync::Mutex;
 use tokio::sync::oneshot;
 use tracing::error;

@@ -108,10 +107,8 @@ pub(crate) async fn apply_bespoke_event_handling(
    event: Event,
    conversation_id: ThreadId,
    conversation: Arc<CodexThread>,
-    outgoing: Arc<OutgoingMessageSender>,
-    pending_interrupts: PendingInterrupts,
-    pending_rollbacks: PendingRollbacks,
-    turn_summary_store: TurnSummaryStore,
+    outgoing: ThreadScopedOutgoingMessageSender,
+    thread_state: Arc<tokio::sync::Mutex<ThreadState>>,
    api_version: ApiVersion,
    fallback_model_provider: String,
 ) {
@@ -122,13 +119,7 @@ pub(crate) async fn apply_bespoke_event_handling(
    match msg {
        EventMsg::TurnStarted(_) => {}
        EventMsg::TurnComplete(_ev) => {
-            handle_turn_complete(
-                conversation_id,
-                event_turn_id,
-                &outgoing,
-                &turn_summary_store,
-            )
-            .await;
+            handle_turn_complete(conversation_id, event_turn_id, &outgoing, &thread_state).await;
        }
        EventMsg::ApplyPatchApprovalRequest(ApplyPatchApprovalRequestEvent {
            call_id,
@@ -140,7 +131,7 @@ pub(crate) async fn apply_bespoke_event_handling(
            ApiVersion::V1 => {
                let params = ApplyPatchApprovalParams {
                    conversation_id,
-                    call_id,
+                    call_id: call_id.clone(),
                    file_changes: changes.clone(),
                    reason,
                    grant_root,
@@ -149,7 +140,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                    .send_request(ServerRequestPayload::ApplyPatchApproval(params))
                    .await;
                tokio::spawn(async move {
-                    on_patch_approval_response(event_turn_id, rx, conversation).await;
+                    on_patch_approval_response(call_id, rx, conversation).await;
                });
            }
            ApiVersion::V2 => {
@@ -159,9 +150,11 @@ pub(crate) async fn apply_bespoke_event_handling(
                let patch_changes = convert_patch_changes(&changes);

                let first_start = {
-                    let mut map = turn_summary_store.lock().await;
-                    let summary = map.entry(conversation_id).or_default();
-                    summary.file_change_started.insert(item_id.clone())
+                    let mut state = thread_state.lock().await;
+                    state
+                        .turn_summary
+                        .file_change_started
+                        .insert(item_id.clone())
                };
                if first_start {
                    let item = ThreadItem::FileChange {
@@ -198,7 +191,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                        rx,
                        conversation,
                        outgoing,
-                        turn_summary_store,
+                        thread_state.clone(),
                    )
                    .await;
                });
@@ -216,7 +209,7 @@ pub(crate) async fn apply_bespoke_event_handling(
            ApiVersion::V1 => {
                let params = ExecCommandApprovalParams {
                    conversation_id,
-                    call_id,
+                    call_id: call_id.clone(),
                    command,
                    cwd,
                    reason,
@@ -226,7 +219,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                    .send_request(ServerRequestPayload::ExecCommandApproval(params))
                    .await;
                tokio::spawn(async move {
-                    on_exec_approval_response(event_turn_id, rx, conversation).await;
+                    on_exec_approval_response(call_id, event_turn_id, rx, conversation).await;
                });
            }
            ApiVersion::V2 => {
@@ -718,7 +711,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                return handle_thread_rollback_failed(
                    conversation_id,
                    message,
-                    &pending_rollbacks,
+                    &thread_state,
                    &outgoing,
                )
                .await;
@@ -729,7 +722,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                codex_error_info: ev.codex_error_info.map(V2CodexErrorInfo::from),
                additional_details: None,
            };
-            handle_error(conversation_id, turn_error.clone(), &turn_summary_store).await;
+            handle_error(conversation_id, turn_error.clone(), &thread_state).await;
            outgoing
                .send_server_notification(ServerNotification::Error(ErrorNotification {
                    error: turn_error.clone(),
@@ -857,7 +850,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                conversation_id,
                &event_turn_id,
                raw_response_item_event.item,
-                outgoing.as_ref(),
+                &outgoing,
            )
            .await;
        }
@@ -867,9 +860,11 @@ pub(crate) async fn apply_bespoke_event_handling(
            let item_id = patch_begin_event.call_id.clone();

            let first_start = {
-                let mut map = turn_summary_store.lock().await;
-                let summary = map.entry(conversation_id).or_default();
-                summary.file_change_started.insert(item_id.clone())
+                let mut state = thread_state.lock().await;
+                state
+                    .turn_summary
+                    .file_change_started
+                    .insert(item_id.clone())
            };
            if first_start {
                let item = ThreadItem::FileChange {
@@ -904,8 +899,8 @@ pub(crate) async fn apply_bespoke_event_handling(
                changes,
                status,
                event_turn_id.clone(),
-                outgoing.as_ref(),
-                &turn_summary_store,
+                &outgoing,
+                &thread_state,
            )
            .await;
        }
@@ -950,9 +945,8 @@ pub(crate) async fn apply_bespoke_event_handling(
            // We need to detect which item type it is so we can emit the right notification.
            // We already have state tracking FileChange items on item/started, so let's use that.
            let is_file_change = {
-                let map = turn_summary_store.lock().await;
-                map.get(&conversation_id)
-                    .is_some_and(|summary| summary.file_change_started.contains(&item_id))
+                let state = thread_state.lock().await;
+                state.turn_summary.file_change_started.contains(&item_id)
            };
            if is_file_change {
                let notification = FileChangeOutputDeltaNotification {
@@ -1049,8 +1043,8 @@ pub(crate) async fn apply_bespoke_event_handling(
        // If this is a TurnAborted, reply to any pending interrupt requests.
        EventMsg::TurnAborted(turn_aborted_event) => {
            let pending = {
-                let mut map = pending_interrupts.lock().await;
-                map.remove(&conversation_id).unwrap_or_default()
+                let mut state = thread_state.lock().await;
+                std::mem::take(&mut state.pending_interrupts)
            };
            if !pending.is_empty() {
                for (rid, ver) in pending {
@@ -1069,18 +1063,12 @@ pub(crate) async fn apply_bespoke_event_handling(
                }
            }

-            handle_turn_interrupted(
-                conversation_id,
-                event_turn_id,
-                &outgoing,
-                &turn_summary_store,
-            )
-            .await;
+            handle_turn_interrupted(conversation_id, event_turn_id, &outgoing, &thread_state).await;
        }
        EventMsg::ThreadRolledBack(_rollback_event) => {
            let pending = {
-                let mut map = pending_rollbacks.lock().await;
-                map.remove(&conversation_id)
+                let mut state = thread_state.lock().await;
+                state.pending_rollbacks.take()
            };

            if let Some(request_id) = pending {
@@ -1101,9 +1089,9 @@ pub(crate) async fn apply_bespoke_event_handling(
                {
                    Ok(summary) => {
                        let mut thread = summary_to_thread(summary);
-                        match read_event_msgs_from_rollout(rollout_path.as_path()).await {
-                            Ok(events) => {
-                                thread.turns = build_turns_from_event_msgs(&events);
+                        match read_rollout_items_from_rollout(rollout_path.as_path()).await {
+                            Ok(items) => {
+                                thread.turns = build_turns_from_rollout_items(&items);
                                ThreadRollbackResponse { thread }
                            }
                            Err(err) => {
@@ -1154,7 +1142,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                &event_turn_id,
                turn_diff_event,
                api_version,
-                outgoing.as_ref(),
+                &outgoing,
            )
            .await;
        }
@@ -1164,7 +1152,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                &event_turn_id,
                plan_update_event,
                api_version,
-                outgoing.as_ref(),
+                &outgoing,
            )
            .await;
        }
@@ -1178,7 +1166,7 @@ async fn handle_turn_diff(
    event_turn_id: &str,
    turn_diff_event: TurnDiffEvent,
    api_version: ApiVersion,
-    outgoing: &OutgoingMessageSender,
+    outgoing: &ThreadScopedOutgoingMessageSender,
 ) {
    if let ApiVersion::V2 = api_version {
        let notification = TurnDiffUpdatedNotification {
@@ -1197,7 +1185,7 @@ async fn handle_turn_plan_update(
    event_turn_id: &str,
    plan_update_event: UpdatePlanArgs,
    api_version: ApiVersion,
-    outgoing: &OutgoingMessageSender,
+    outgoing: &ThreadScopedOutgoingMessageSender,
 ) {
    // `update_plan` is a todo/checklist tool; it is not related to plan-mode updates
    if let ApiVersion::V2 = api_version {
@@ -1222,7 +1210,7 @@ async fn emit_turn_completed_with_status(
    event_turn_id: String,
    status: TurnStatus,
    error: Option<TurnError>,
-    outgoing: &OutgoingMessageSender,
+    outgoing: &ThreadScopedOutgoingMessageSender,
 ) {
    let notification = TurnCompletedNotification {
        thread_id: conversation_id.to_string(),
@@ -1244,15 +1232,12 @@ async fn complete_file_change_item(
    changes: Vec<FileUpdateChange>,
    status: PatchApplyStatus,
    turn_id: String,
-    outgoing: &OutgoingMessageSender,
-    turn_summary_store: &TurnSummaryStore,
+    outgoing: &ThreadScopedOutgoingMessageSender,
+    thread_state: &Arc<Mutex<ThreadState>>,
 ) {
-    {
-        let mut map = turn_summary_store.lock().await;
-        if let Some(summary) = map.get_mut(&conversation_id) {
-            summary.file_change_started.remove(&item_id);
-        }
-    }
+    let mut state = thread_state.lock().await;
+    state.turn_summary.file_change_started.remove(&item_id);
+    drop(state);

    let item = ThreadItem::FileChange {
        id: item_id,
@@ -1279,7 +1264,7 @@ async fn complete_command_execution_item(
    process_id: Option<String>,
    command_actions: Vec<V2ParsedCommand>,
    status: CommandExecutionStatus,
-    outgoing: &OutgoingMessageSender,
+    outgoing: &ThreadScopedOutgoingMessageSender,
 ) {
    let item = ThreadItem::CommandExecution {
        id: item_id,
@@ -1307,7 +1292,7 @@ async fn maybe_emit_raw_response_item_completed(
    conversation_id: ThreadId,
    turn_id: &str,
    item: codex_protocol::models::ResponseItem,
-    outgoing: &OutgoingMessageSender,
+    outgoing: &ThreadScopedOutgoingMessageSender,
 ) {
    let ApiVersion::V2 = api_version else {
        return;
@@ -1324,20 +1309,20 @@ async fn maybe_emit_raw_response_item_completed(
 }

 async fn find_and_remove_turn_summary(
-    conversation_id: ThreadId,
-    turn_summary_store: &TurnSummaryStore,
+    _conversation_id: ThreadId,
+    thread_state: &Arc<Mutex<ThreadState>>,
 ) -> TurnSummary {
-    let mut map = turn_summary_store.lock().await;
-    map.remove(&conversation_id).unwrap_or_default()
+    let mut state = thread_state.lock().await;
+    std::mem::take(&mut state.turn_summary)
 }

 async fn handle_turn_complete(
    conversation_id: ThreadId,
    event_turn_id: String,
-    outgoing: &OutgoingMessageSender,
-    turn_summary_store: &TurnSummaryStore,
+    outgoing: &ThreadScopedOutgoingMessageSender,
+    thread_state: &Arc<Mutex<ThreadState>>,
 ) {
-    let turn_summary = find_and_remove_turn_summary(conversation_id, turn_summary_store).await;
+    let turn_summary = find_and_remove_turn_summary(conversation_id, thread_state).await;

    let (status, error) = match turn_summary.last_error {
        Some(error) => (TurnStatus::Failed, Some(error)),
@@ -1350,10 +1335,10 @@ async fn handle_turn_complete(
 async fn handle_turn_interrupted(
    conversation_id: ThreadId,
    event_turn_id: String,
-    outgoing: &OutgoingMessageSender,
-    turn_summary_store: &TurnSummaryStore,
+    outgoing: &ThreadScopedOutgoingMessageSender,
+    thread_state: &Arc<Mutex<ThreadState>>,
 ) {
-    find_and_remove_turn_summary(conversation_id, turn_summary_store).await;
+    find_and_remove_turn_summary(conversation_id, thread_state).await;

    emit_turn_completed_with_status(
        conversation_id,
@@ -1366,15 +1351,12 @@ async fn handle_turn_interrupted(
 }

 async fn handle_thread_rollback_failed(
-    conversation_id: ThreadId,
+    _conversation_id: ThreadId,
    message: String,
-    pending_rollbacks: &PendingRollbacks,
-    outgoing: &OutgoingMessageSender,
+    thread_state: &Arc<Mutex<ThreadState>>,
+    outgoing: &ThreadScopedOutgoingMessageSender,
 ) {
-    let pending_rollback = {
-        let mut map = pending_rollbacks.lock().await;
-        map.remove(&conversation_id)
-    };
+    let pending_rollback = thread_state.lock().await.pending_rollbacks.take();

    if let Some(request_id) = pending_rollback {
        outgoing
@@ -1394,7 +1376,7 @@ async fn handle_token_count_event(
    conversation_id: ThreadId,
    turn_id: String,
    token_count_event: TokenCountEvent,
-    outgoing: &OutgoingMessageSender,
+    outgoing: &ThreadScopedOutgoingMessageSender,
 ) {
    let TokenCountEvent { info, rate_limits } = token_count_event;
    if let Some(token_usage) = info.map(ThreadTokenUsage::from) {
@@ -1419,16 +1401,16 @@ async fn handle_token_count_event(
 }

 async fn handle_error(
-    conversation_id: ThreadId,
+    _conversation_id: ThreadId,
    error: TurnError,
-    turn_summary_store: &TurnSummaryStore,
+    thread_state: &Arc<Mutex<ThreadState>>,
 ) {
-    let mut map = turn_summary_store.lock().await;
-    map.entry(conversation_id).or_default().last_error = Some(error);
+    let mut state = thread_state.lock().await;
+    state.turn_summary.last_error = Some(error);
 }

 async fn on_patch_approval_response(
-    event_turn_id: String,
+    call_id: String,
    receiver: oneshot::Receiver<JsonValue>,
    codex: Arc<CodexThread>,
 ) {
@@ -1439,7 +1421,7 @@ async fn on_patch_approval_response(
            error!("request failed: {err:?}");
            if let Err(submit_err) = codex
                .submit(Op::PatchApproval {
-                    id: event_turn_id.clone(),
+                    id: call_id.clone(),
                    decision: ReviewDecision::Denied,
                })
                .await
@@ -1460,7 +1442,7 @@ async fn on_patch_approval_response(

    if let Err(err) = codex
        .submit(Op::PatchApproval {
-            id: event_turn_id,
+            id: call_id,
            decision: response.decision,
        })
        .await
@@ -1470,7 +1452,8 @@ async fn on_patch_approval_response(
 }

 async fn on_exec_approval_response(
-    event_turn_id: String,
+    call_id: String,
+    turn_id: String,
    receiver: oneshot::Receiver<JsonValue>,
    conversation: Arc<CodexThread>,
 ) {
@@ -1496,7 +1479,8 @@ async fn on_exec_approval_response(

    if let Err(err) = conversation
        .submit(Op::ExecApproval {
-            id: event_turn_id,
+            id: call_id,
+            turn_id: Some(turn_id),
            decision: response.decision,
        })
        .await
@@ -1649,8 +1633,8 @@ async fn on_file_change_request_approval_response(
    changes: Vec<FileUpdateChange>,
    receiver: oneshot::Receiver<JsonValue>,
    codex: Arc<CodexThread>,
-    outgoing: Arc<OutgoingMessageSender>,
-    turn_summary_store: TurnSummaryStore,
+    outgoing: ThreadScopedOutgoingMessageSender,
+    thread_state: Arc<Mutex<ThreadState>>,
 ) {
    let response = receiver.await;
    let (decision, completion_status) = match response {
@@ -1678,19 +1662,19 @@ async fn on_file_change_request_approval_response(
    if let Some(status) = completion_status {
        complete_file_change_item(
            conversation_id,
-            item_id,
+            item_id.clone(),
            changes,
            status,
            event_turn_id.clone(),
-            outgoing.as_ref(),
-            &turn_summary_store,
+            &outgoing,
+            &thread_state,
        )
        .await;
    }

    if let Err(err) = codex
        .submit(Op::PatchApproval {
-            id: event_turn_id,
+            id: item_id,
            decision,
        })
        .await
@@ -1709,7 +1693,7 @@ async fn on_command_execution_request_approval_response(
    command_actions: Vec<V2ParsedCommand>,
    receiver: oneshot::Receiver<JsonValue>,
    conversation: Arc<CodexThread>,
-    outgoing: Arc<OutgoingMessageSender>,
+    outgoing: ThreadScopedOutgoingMessageSender,
 ) {
    let response = receiver.await;
    let (decision, completion_status) = match response {
@@ -1764,14 +1748,15 @@ async fn on_command_execution_request_approval_response(
            None,
            command_actions.clone(),
            status,
-            outgoing.as_ref(),
+            &outgoing,
        )
        .await;
    }

    if let Err(err) = conversation
        .submit(Op::ExecApproval {
-            id: event_turn_id,
+            id: item_id,
+            turn_id: Some(event_turn_id),
            decision,
        })
        .await
@@ -1891,6 +1876,7 @@ async fn construct_mcp_tool_call_end_notification(
 mod tests {
    use super::*;
    use crate::CHANNEL_CAPACITY;
+    use crate::outgoing_message::ConnectionId;
    use crate::outgoing_message::OutgoingEnvelope;
    use crate::outgoing_message::OutgoingMessage;
    use crate::outgoing_message::OutgoingMessageSender;
@@ -1912,13 +1898,12 @@ mod tests {
    use pretty_assertions::assert_eq;
    use rmcp::model::Content;
    use serde_json::Value as JsonValue;
-    use std::collections::HashMap;
    use std::time::Duration;
    use tokio::sync::Mutex;
    use tokio::sync::mpsc;

-    fn new_turn_summary_store() -> TurnSummaryStore {
-        Arc::new(Mutex::new(HashMap::new()))
+    fn new_thread_state() -> Arc<Mutex<ThreadState>> {
+        Arc::new(Mutex::new(ThreadState::default()))
    }

    async fn recv_broadcast_message(
@@ -1930,9 +1915,7 @@ mod tests {
            .ok_or_else(|| anyhow!("should send one message"))?;
        match envelope {
            OutgoingEnvelope::Broadcast { message } => Ok(message),
-            OutgoingEnvelope::ToConnection { connection_id, .. } => {
-                bail!("unexpected targeted message for connection {connection_id:?}")
-            }
+            OutgoingEnvelope::ToConnection { message, .. } => Ok(message),
        }
    }

@@ -1996,7 +1979,7 @@ mod tests {
    #[tokio::test]
    async fn test_handle_error_records_message() -> Result<()> {
        let conversation_id = ThreadId::new();
-        let turn_summary_store = new_turn_summary_store();
+        let thread_state = new_thread_state();

        handle_error(
            conversation_id,
@@ -2005,11 +1988,11 @@ mod tests {
                codex_error_info: Some(V2CodexErrorInfo::InternalServerError),
                additional_details: None,
            },
-            &turn_summary_store,
+            &thread_state,
        )
        .await;

-        let turn_summary = find_and_remove_turn_summary(conversation_id, &turn_summary_store).await;
+        let turn_summary = find_and_remove_turn_summary(conversation_id, &thread_state).await;
        assert_eq!(
            turn_summary.last_error,
            Some(TurnError {
@@ -2027,13 +2010,14 @@ mod tests {
        let event_turn_id = "complete1".to_string();
        let (tx, mut rx) = mpsc::channel(CHANNEL_CAPACITY);
        let outgoing = Arc::new(OutgoingMessageSender::new(tx));
-        let turn_summary_store = new_turn_summary_store();
+        let outgoing = ThreadScopedOutgoingMessageSender::new(outgoing, vec![ConnectionId(1)]);
+        let thread_state = new_thread_state();

        handle_turn_complete(
            conversation_id,
            event_turn_id.clone(),
            &outgoing,
-            &turn_summary_store,
+            &thread_state,
        )
        .await;

@@ -2054,7 +2038,7 @@ mod tests {
    async fn test_handle_turn_interrupted_emits_interrupted_with_error() -> Result<()> {
        let conversation_id = ThreadId::new();
        let event_turn_id = "interrupt1".to_string();
-        let turn_summary_store = new_turn_summary_store();
+        let thread_state = new_thread_state();
        handle_error(
            conversation_id,
            TurnError {
@@ -2062,17 +2046,18 @@ mod tests {
                codex_error_info: None,
                additional_details: None,
            },
-            &turn_summary_store,
+            &thread_state,
        )
        .await;
        let (tx, mut rx) = mpsc::channel(CHANNEL_CAPACITY);
        let outgoing = Arc::new(OutgoingMessageSender::new(tx));
+        let outgoing = ThreadScopedOutgoingMessageSender::new(outgoing, vec![ConnectionId(1)]);

        handle_turn_interrupted(
            conversation_id,
            event_turn_id.clone(),
            &outgoing,
-            &turn_summary_store,
+            &thread_state,
        )
        .await;

@@ -2093,7 +2078,7 @@ mod tests {
    async fn test_handle_turn_complete_emits_failed_with_error() -> Result<()> {
        let conversation_id = ThreadId::new();
        let event_turn_id = "complete_err1".to_string();
-        let turn_summary_store = new_turn_summary_store();
+        let thread_state = new_thread_state();
        handle_error(
            conversation_id,
            TurnError {
@@ -2101,17 +2086,18 @@ mod tests {
                codex_error_info: Some(V2CodexErrorInfo::Other),
                additional_details: None,
            },
-            &turn_summary_store,
+            &thread_state,
        )
        .await;
        let (tx, mut rx) = mpsc::channel(CHANNEL_CAPACITY);
        let outgoing = Arc::new(OutgoingMessageSender::new(tx));
+        let outgoing = ThreadScopedOutgoingMessageSender::new(outgoing, vec![ConnectionId(1)]);

        handle_turn_complete(
            conversation_id,
            event_turn_id.clone(),
            &outgoing,
-            &turn_summary_store,
+            &thread_state,
        )
        .await;

@@ -2138,7 +2124,8 @@ mod tests {
    #[tokio::test]
    async fn test_handle_turn_plan_update_emits_notification_for_v2() -> Result<()> {
        let (tx, mut rx) = mpsc::channel(CHANNEL_CAPACITY);
-        let outgoing = OutgoingMessageSender::new(tx);
+        let outgoing = Arc::new(OutgoingMessageSender::new(tx));
+        let outgoing = ThreadScopedOutgoingMessageSender::new(outgoing, vec![ConnectionId(1)]);
        let update = UpdatePlanArgs {
            explanation: Some("need plan".to_string()),
            plan: vec![
@@ -2188,6 +2175,7 @@ mod tests {
        let turn_id = "turn-123".to_string();
        let (tx, mut rx) = mpsc::channel(CHANNEL_CAPACITY);
        let outgoing = Arc::new(OutgoingMessageSender::new(tx));
+        let outgoing = ThreadScopedOutgoingMessageSender::new(outgoing, vec![ConnectionId(1)]);

        let info = TokenUsageInfo {
            total_token_usage: TokenUsage {
@@ -2207,6 +2195,8 @@ mod tests {
            model_context_window: Some(4096),
        };
        let rate_limits = RateLimitSnapshot {
+            limit_id: Some("codex".to_string()),
+            limit_name: None,
            primary: Some(RateLimitWindow {
                used_percent: 42.5,
                window_minutes: Some(15),
@@ -2253,6 +2243,8 @@ mod tests {
            OutgoingMessage::AppServerNotification(
                ServerNotification::AccountRateLimitsUpdated(payload),
            ) => {
+                assert_eq!(payload.rate_limits.limit_id.as_deref(), Some("codex"));
+                assert_eq!(payload.rate_limits.limit_name, None);
                assert!(payload.rate_limits.primary.is_some());
                assert!(payload.rate_limits.credits.is_some());
            }
@@ -2267,6 +2259,7 @@ mod tests {
        let turn_id = "turn-456".to_string();
        let (tx, mut rx) = mpsc::channel(CHANNEL_CAPACITY);
        let outgoing = Arc::new(OutgoingMessageSender::new(tx));
+        let outgoing = ThreadScopedOutgoingMessageSender::new(outgoing, vec![ConnectionId(1)]);

        handle_token_count_event(
            conversation_id,
@@ -2329,10 +2322,11 @@ mod tests {
        // Conversation A will have two turns; Conversation B will have one turn.
        let conversation_a = ThreadId::new();
        let conversation_b = ThreadId::new();
-        let turn_summary_store = new_turn_summary_store();
+        let thread_state = new_thread_state();

        let (tx, mut rx) = mpsc::channel(CHANNEL_CAPACITY);
        let outgoing = Arc::new(OutgoingMessageSender::new(tx));
+        let outgoing = ThreadScopedOutgoingMessageSender::new(outgoing, vec![ConnectionId(1)]);

        // Turn 1 on conversation A
        let a_turn1 = "a_turn1".to_string();
@@ -2343,16 +2337,10 @@ mod tests {
                codex_error_info: Some(V2CodexErrorInfo::BadRequest),
                additional_details: None,
            },
-            &turn_summary_store,
-        )
-        .await;
-        handle_turn_complete(
-            conversation_a,
-            a_turn1.clone(),
-            &outgoing,
-            &turn_summary_store,
+            &thread_state,
        )
        .await;
+        handle_turn_complete(conversation_a, a_turn1.clone(), &outgoing, &thread_state).await;

        // Turn 1 on conversation B
        let b_turn1 = "b_turn1".to_string();
@@ -2363,26 +2351,14 @@ mod tests {
                codex_error_info: None,
                additional_details: None,
            },
-            &turn_summary_store,
-        )
-        .await;
-        handle_turn_complete(
-            conversation_b,
-            b_turn1.clone(),
-            &outgoing,
-            &turn_summary_store,
+            &thread_state,
        )
        .await;
+        handle_turn_complete(conversation_b, b_turn1.clone(), &outgoing, &thread_state).await;

        // Turn 2 on conversation A
        let a_turn2 = "a_turn2".to_string();
-        handle_turn_complete(
-            conversation_a,
-            a_turn2.clone(),
-            &outgoing,
-            &turn_summary_store,
-        )
-        .await;
+        handle_turn_complete(conversation_a, a_turn2.clone(), &outgoing, &thread_state).await;

        // Verify: A turn 1
        let msg = recv_broadcast_message(&mut rx).await?;
@@ -2572,7 +2548,8 @@ mod tests {
    #[tokio::test]
    async fn test_handle_turn_diff_emits_v2_notification() -> Result<()> {
        let (tx, mut rx) = mpsc::channel(CHANNEL_CAPACITY);
-        let outgoing = OutgoingMessageSender::new(tx);
+        let outgoing = Arc::new(OutgoingMessageSender::new(tx));
+        let outgoing = ThreadScopedOutgoingMessageSender::new(outgoing, vec![ConnectionId(1)]);
        let unified_diff = "--- a\n+++ b\n".to_string();
        let conversation_id = ThreadId::new();

@@ -2605,7 +2582,8 @@ mod tests {
    #[tokio::test]
    async fn test_handle_turn_diff_is_noop_for_v1() -> Result<()> {
        let (tx, mut rx) = mpsc::channel(CHANNEL_CAPACITY);
-        let outgoing = OutgoingMessageSender::new(tx);
+        let outgoing = Arc::new(OutgoingMessageSender::new(tx));
+        let outgoing = ThreadScopedOutgoingMessageSender::new(outgoing, vec![ConnectionId(1)]);
        let conversation_id = ThreadId::new();

        handle_turn_diff(
--- a/codex-rs/app-server/src/codex_message_processor.rs
+++ b/codex-rs/app-server/src/codex_message_processor.rs
--- a/codex-rs/app-server/src/error_code.rs
+++ b/codex-rs/app-server/src/error_code.rs
@@ -1,2 +1,3 @@
 pub(crate) const INVALID_REQUEST_ERROR_CODE: i64 = -32600;
 pub(crate) const INTERNAL_ERROR_CODE: i64 = -32603;
+pub(crate) const OVERLOADED_ERROR_CODE: i64 = -32001;
--- a/codex-rs/app-server/src/lib.rs
+++ b/codex-rs/app-server/src/lib.rs
@@ -1,18 +1,22 @@
 #![deny(clippy::print_stdout, clippy::print_stderr)]

 use codex_cloud_requirements::cloud_requirements_loader;
-use codex_common::CliConfigOverrides;
 use codex_core::AuthManager;
 use codex_core::config::Config;
 use codex_core::config::ConfigBuilder;
 use codex_core::config_loader::CloudRequirementsLoader;
 use codex_core::config_loader::ConfigLayerStackOrdering;
 use codex_core::config_loader::LoaderOverrides;
+use codex_utils_cli::CliConfigOverrides;
 use std::collections::HashMap;
+use std::collections::HashSet;
+use std::collections::VecDeque;
 use std::io::ErrorKind;
 use std::io::Result as IoResult;
 use std::path::PathBuf;
 use std::sync::Arc;
+use std::sync::RwLock;
+use std::sync::atomic::AtomicBool;

 use crate::message_processor::MessageProcessor;
 use crate::message_processor::MessageProcessorArgs;
@@ -21,8 +25,8 @@ use crate::outgoing_message::OutgoingEnvelope;
 use crate::outgoing_message::OutgoingMessageSender;
 use crate::transport::CHANNEL_CAPACITY;
 use crate::transport::ConnectionState;
+use crate::transport::OutboundConnectionState;
 use crate::transport::TransportEvent;
-use crate::transport::has_initialized_connections;
 use crate::transport::route_outgoing_envelope;
 use crate::transport::start_stdio_connection;
 use crate::transport::start_websocket_acceptor;
@@ -57,10 +61,32 @@ mod fuzzy_file_search;
 mod message_processor;
 mod models;
 mod outgoing_message;
+mod thread_state;
 mod transport;

 pub use crate::transport::AppServerTransport;

+/// Control-plane messages from the processor/transport side to the outbound router task.
+///
+/// `run_main_with_transport` now uses two loops/tasks:
+/// - processor loop: handles incoming JSON-RPC and request dispatch
+/// - outbound loop: performs potentially slow writes to per-connection writers
+///
+/// `OutboundControlEvent` keeps those loops coordinated without sharing mutable
+/// connection state directly. In particular, the outbound loop needs to know
+/// when a connection opens/closes so it can route messages correctly.
+enum OutboundControlEvent {
+    /// Register a new writer for an opened connection.
+    Opened {
+        connection_id: ConnectionId,
+        writer: mpsc::Sender<crate::outgoing_message::OutgoingMessage>,
+        initialized: Arc<AtomicBool>,
+        opted_out_notification_methods: Arc<RwLock<HashSet<String>>>,
+    },
+    /// Remove state for a closed/disconnected connection.
+    Closed { connection_id: ConnectionId },
+}
+
 fn config_warning_from_error(
    summary: impl Into<String>,
    err: &std::io::Error,
@@ -197,6 +223,8 @@ pub async fn run_main_with_transport(
    let (transport_event_tx, mut transport_event_rx) =
        mpsc::channel::<TransportEvent>(CHANNEL_CAPACITY);
    let (outgoing_tx, mut outgoing_rx) = mpsc::channel::<OutgoingEnvelope>(CHANNEL_CAPACITY);
+    let (outbound_control_tx, mut outbound_control_rx) =
+        mpsc::channel::<OutboundControlEvent>(CHANNEL_CAPACITY);

    let mut stdio_handles = Vec::<JoinHandle<()>>::new();
    let mut websocket_accept_handle = None;
@@ -248,7 +276,11 @@ pub async fn run_main_with_transport(
                false,
                config.cli_auth_credentials_store_mode,
            );
-            cloud_requirements_loader(auth_manager, config.chatgpt_base_url)
+            cloud_requirements_loader(
+                auth_manager,
+                config.chatgpt_base_url,
+                config.codex_home.clone(),
+            )
        }
        Err(err) => {
            warn!(error = %err, "Failed to preload config for cloud requirements");
@@ -336,8 +368,70 @@ pub async fn run_main_with_transport(
        }
    }

+    let transport_event_tx_for_outbound = transport_event_tx.clone();
+    let outbound_handle = tokio::spawn(async move {
+        let mut outbound_connections = HashMap::<ConnectionId, OutboundConnectionState>::new();
+        let mut pending_closed_connections = VecDeque::<ConnectionId>::new();
+        loop {
+            tokio::select! {
+                biased;
+                event = outbound_control_rx.recv() => {
+                    let Some(event) = event else {
+                        break;
+                    };
+                    match event {
+                        OutboundControlEvent::Opened {
+                            connection_id,
+                            writer,
+                            initialized,
+                            opted_out_notification_methods,
+                        } => {
+                            outbound_connections.insert(
+                                connection_id,
+                                OutboundConnectionState::new(
+                                    writer,
+                                    initialized,
+                                    opted_out_notification_methods,
+                                ),
+                            );
+                        }
+                        OutboundControlEvent::Closed { connection_id } => {
+                            outbound_connections.remove(&connection_id);
+                        }
+                    }
+                }
+                envelope = outgoing_rx.recv() => {
+                    let Some(envelope) = envelope else {
+                        break;
+                    };
+                    let disconnected_connections =
+                        route_outgoing_envelope(&mut outbound_connections, envelope).await;
+                    pending_closed_connections.extend(disconnected_connections);
+                }
+            }
+
+            while let Some(connection_id) = pending_closed_connections.front().copied() {
+                match transport_event_tx_for_outbound
+                    .try_send(TransportEvent::ConnectionClosed { connection_id })
+                {
+                    Ok(()) => {
+                        pending_closed_connections.pop_front();
+                    }
+                    Err(mpsc::error::TrySendError::Full(_)) => {
+                        break;
+                    }
+                    Err(mpsc::error::TrySendError::Closed(_)) => {
+                        return;
+                    }
+                }
+            }
+        }
+        info!("outbound router task exited (channel closed)");
+    });
+
    let processor_handle = tokio::spawn({
        let outgoing_message_sender = Arc::new(OutgoingMessageSender::new(outgoing_tx));
+        let outbound_control_tx = outbound_control_tx;
        let cli_overrides: Vec<(String, TomlValue)> = cli_kv_overrides.clone();
        let loader_overrides = loader_overrides_for_config_api;
        let mut processor = MessageProcessor::new(MessageProcessorArgs {
@@ -362,9 +456,40 @@ pub async fn run_main_with_transport(
                        };
                        match event {
                            TransportEvent::ConnectionOpened { connection_id, writer } => {
-                                connections.insert(connection_id, ConnectionState::new(writer));
+                                let outbound_initialized = Arc::new(AtomicBool::new(false));
+                                let outbound_opted_out_notification_methods =
+                                    Arc::new(RwLock::new(HashSet::new()));
+                                if outbound_control_tx
+                                    .send(OutboundControlEvent::Opened {
+                                        connection_id,
+                                        writer,
+                                        initialized: Arc::clone(&outbound_initialized),
+                                        opted_out_notification_methods: Arc::clone(
+                                            &outbound_opted_out_notification_methods,
+                                        ),
+                                    })
+                                    .await
+                                    .is_err()
+                                {
+                                    break;
+                                }
+                                connections.insert(
+                                    connection_id,
+                                    ConnectionState::new(
+                                        outbound_initialized,
+                                        outbound_opted_out_notification_methods,
+                                    ),
+                                );
                            }
                            TransportEvent::ConnectionClosed { connection_id } => {
+                                if outbound_control_tx
+                                    .send(OutboundControlEvent::Closed { connection_id })
+                                    .await
+                                    .is_err()
+                                {
+                                    break;
+                                }
+                                processor.connection_closed(connection_id).await;
                                connections.remove(&connection_id);
                                if shutdown_when_no_connections && connections.is_empty() {
                                    break;
@@ -377,13 +502,31 @@ pub async fn run_main_with_transport(
                                            warn!("dropping request from unknown connection: {:?}", connection_id);
                                            continue;
                                        };
+                                        let was_initialized = connection_state.session.initialized;
                                        processor
                                            .process_request(
                                                connection_id,
                                                request,
                                                &mut connection_state.session,
+                                                &connection_state.outbound_initialized,
                                            )
                                            .await;
+                                        if let Ok(mut opted_out_notification_methods) = connection_state
+                                            .outbound_opted_out_notification_methods
+                                            .write()
+                                        {
+                                            *opted_out_notification_methods = connection_state
+                                                .session
+                                                .opted_out_notification_methods
+                                                .clone();
+                                        } else {
+                                            warn!(
+                                                "failed to update outbound opted-out notifications"
+                                            );
+                                        }
+                                        if !was_initialized && connection_state.session.initialized {
+                                            processor.send_initialize_notifications().await;
+                                        }
                                    }
                                    JSONRPCMessage::Response(response) => {
                                        processor.process_response(response).await;
@@ -398,17 +541,22 @@ pub async fn run_main_with_transport(
                            }
                        }
                    }
-                    envelope = outgoing_rx.recv() => {
-                        let Some(envelope) = envelope else {
-                            break;
-                        };
-                        route_outgoing_envelope(&mut connections, envelope).await;
-                    }
                    created = thread_created_rx.recv(), if listen_for_threads => {
                        match created {
                            Ok(thread_id) => {
-                                if has_initialized_connections(&connections) {
-                                    processor.try_attach_thread_listener(thread_id).await;
+                                let initialized_connection_ids: Vec<ConnectionId> = connections
+                                    .iter()
+                                    .filter_map(|(connection_id, connection_state)| {
+                                        connection_state.session.initialized.then_some(*connection_id)
+                                    })
+                                    .collect();
+                                if !initialized_connection_ids.is_empty() {
+                                    processor
+                                        .try_attach_thread_listener(
+                                            thread_id,
+                                            initialized_connection_ids,
+                                        )
+                                        .await;
                                }
                            }
                            Err(tokio::sync::broadcast::error::RecvError::Lagged(_)) => {
@@ -433,6 +581,7 @@ pub async fn run_main_with_transport(
    drop(transport_event_tx);

    let _ = processor_handle.await;
+    let _ = outbound_handle.await;

    if let Some(handle) = websocket_accept_handle {
        handle.abort();
--- a/codex-rs/app-server/src/main.rs
+++ b/codex-rs/app-server/src/main.rs
@@ -2,8 +2,8 @@ use clap::Parser;
 use codex_app_server::AppServerTransport;
 use codex_app_server::run_main_with_transport;
 use codex_arg0::arg0_dispatch_or_else;
-use codex_common::CliConfigOverrides;
 use codex_core::config_loader::LoaderOverrides;
+use codex_utils_cli::CliConfigOverrides;
 use std::path::PathBuf;

 // Debug-only test hook: lets integration tests point the server at a temporary
--- a/codex-rs/app-server/src/message_processor.rs
+++ b/codex-rs/app-server/src/message_processor.rs
@@ -1,6 +1,9 @@
+use std::collections::HashSet;
 use std::path::PathBuf;
 use std::sync::Arc;
 use std::sync::RwLock;
+use std::sync::atomic::AtomicBool;
+use std::sync::atomic::Ordering;

 use crate::codex_message_processor::CodexMessageProcessor;
 use crate::codex_message_processor::CodexMessageProcessorArgs;
@@ -114,10 +117,11 @@ pub(crate) struct MessageProcessor {
    config_warnings: Arc<Vec<ConfigWarningNotification>>,
 }

-#[derive(Debug, Default)]
+#[derive(Clone, Debug, Default)]
 pub(crate) struct ConnectionSessionState {
    pub(crate) initialized: bool,
    experimental_api_enabled: bool,
+    pub(crate) opted_out_notification_methods: HashSet<String>,
 }

 pub(crate) struct MessageProcessorArgs {
@@ -191,6 +195,7 @@ impl MessageProcessor {
        connection_id: ConnectionId,
        request: JSONRPCRequest,
        session: &mut ConnectionSessionState,
+        outbound_initialized: &AtomicBool,
    ) {
        let request_id = ConnectionRequestId {
            connection_id,
@@ -245,10 +250,19 @@ impl MessageProcessor {
                    // shared thread when another connected client did not opt into
                    // experimental API). Proposed direction is instance-global first-write-wins
                    // with initialize-time mismatch rejection.
-                    session.experimental_api_enabled = params
-                        .capabilities
-                        .as_ref()
-                        .is_some_and(|cap| cap.experimental_api);
+                    let (experimental_api_enabled, opt_out_notification_methods) =
+                        match params.capabilities {
+                            Some(capabilities) => (
+                                capabilities.experimental_api,
+                                capabilities
+                                    .opt_out_notification_methods
+                                    .unwrap_or_default(),
+                            ),
+                            None => (false, Vec::new()),
+                        };
+                    session.experimental_api_enabled = experimental_api_enabled;
+                    session.opted_out_notification_methods =
+                        opt_out_notification_methods.into_iter().collect();
                    let ClientInfo {
                        name,
                        title: _title,
@@ -286,14 +300,7 @@ impl MessageProcessor {
                    self.outgoing.send_response(request_id, response).await;

                    session.initialized = true;
-                    for notification in self.config_warnings.iter().cloned() {
-                        self.outgoing
-                            .send_server_notification(ServerNotification::ConfigWarning(
-                                notification,
-                            ))
-                            .await;
-                    }
-
+                    outbound_initialized.store(true, Ordering::Release);
                    return;
                }
            }
@@ -381,9 +388,27 @@ impl MessageProcessor {
        self.codex_message_processor.thread_created_receiver()
    }

-    pub(crate) async fn try_attach_thread_listener(&mut self, thread_id: ThreadId) {
+    pub(crate) async fn send_initialize_notifications(&self) {
+        for notification in self.config_warnings.iter().cloned() {
+            self.outgoing
+                .send_server_notification(ServerNotification::ConfigWarning(notification))
+                .await;
+        }
+    }
+
+    pub(crate) async fn try_attach_thread_listener(
+        &mut self,
+        thread_id: ThreadId,
+        connection_ids: Vec<ConnectionId>,
+    ) {
        self.codex_message_processor
-            .try_attach_thread_listener(thread_id)
+            .try_attach_thread_listener(thread_id, connection_ids)
+            .await;
+    }
+
+    pub(crate) async fn connection_closed(&mut self, connection_id: ConnectionId) {
+        self.codex_message_processor
+            .connection_closed(connection_id)
            .await;
    }

--- a/codex-rs/app-server/src/outgoing_message.rs
+++ b/codex-rs/app-server/src/outgoing_message.rs
@@ -1,4 +1,5 @@
 use std::collections::HashMap;
+use std::sync::Arc;
 use std::sync::atomic::AtomicI64;
 use std::sync::atomic::Ordering;

@@ -48,6 +49,62 @@ pub(crate) struct OutgoingMessageSender {
    request_id_to_callback: Mutex<HashMap<RequestId, oneshot::Sender<Result>>>,
 }

+#[derive(Clone)]
+pub(crate) struct ThreadScopedOutgoingMessageSender {
+    outgoing: Arc<OutgoingMessageSender>,
+    connection_ids: Arc<Vec<ConnectionId>>,
+}
+
+impl ThreadScopedOutgoingMessageSender {
+    pub(crate) fn new(
+        outgoing: Arc<OutgoingMessageSender>,
+        connection_ids: Vec<ConnectionId>,
+    ) -> Self {
+        Self {
+            outgoing,
+            connection_ids: Arc::new(connection_ids),
+        }
+    }
+
+    pub(crate) async fn send_request(
+        &self,
+        payload: ServerRequestPayload,
+    ) -> oneshot::Receiver<Result> {
+        if self.connection_ids.is_empty() {
+            let (_tx, rx) = oneshot::channel();
+            return rx;
+        }
+        self.outgoing
+            .send_request_to_connections(self.connection_ids.as_slice(), payload)
+            .await
+    }
+
+    pub(crate) async fn send_server_notification(&self, notification: ServerNotification) {
+        if self.connection_ids.is_empty() {
+            return;
+        }
+        self.outgoing
+            .send_server_notification_to_connections(self.connection_ids.as_slice(), notification)
+            .await;
+    }
+
+    pub(crate) async fn send_response<T: Serialize>(
+        &self,
+        request_id: ConnectionRequestId,
+        response: T,
+    ) {
+        self.outgoing.send_response(request_id, response).await;
+    }
+
+    pub(crate) async fn send_error(
+        &self,
+        request_id: ConnectionRequestId,
+        error: JSONRPCErrorError,
+    ) {
+        self.outgoing.send_error(request_id, error).await;
+    }
+}
+
 impl OutgoingMessageSender {
    pub(crate) fn new(sender: mpsc::Sender<OutgoingEnvelope>) -> Self {
        Self {
@@ -57,17 +114,28 @@ impl OutgoingMessageSender {
        }
    }

-    pub(crate) async fn send_request(
+    pub(crate) async fn send_request_to_connections(
        &self,
+        connection_ids: &[ConnectionId],
        request: ServerRequestPayload,
    ) -> oneshot::Receiver<Result> {
-        let (_id, rx) = self.send_request_with_id(request).await;
+        let (_id, rx) = self
+            .send_request_with_id_to_connections(connection_ids, request)
+            .await;
        rx
    }

    pub(crate) async fn send_request_with_id(
        &self,
        request: ServerRequestPayload,
+    ) -> (RequestId, oneshot::Receiver<Result>) {
+        self.send_request_with_id_to_connections(&[], request).await
+    }
+
+    async fn send_request_with_id_to_connections(
+        &self,
+        connection_ids: &[ConnectionId],
+        request: ServerRequestPayload,
    ) -> (RequestId, oneshot::Receiver<Result>) {
        let id = RequestId::Integer(self.next_server_request_id.fetch_add(1, Ordering::Relaxed));
        let outgoing_message_id = id.clone();
@@ -79,13 +147,34 @@ impl OutgoingMessageSender {

        let outgoing_message =
            OutgoingMessage::Request(request.request_with_id(outgoing_message_id.clone()));
-        if let Err(err) = self
-            .sender
-            .send(OutgoingEnvelope::Broadcast {
-                message: outgoing_message,
-            })
-            .await
-        {
+        let send_result = if connection_ids.is_empty() {
+            self.sender
+                .send(OutgoingEnvelope::Broadcast {
+                    message: outgoing_message,
+                })
+                .await
+        } else {
+            let mut send_error = None;
+            for connection_id in connection_ids {
+                if let Err(err) = self
+                    .sender
+                    .send(OutgoingEnvelope::ToConnection {
+                        connection_id: *connection_id,
+                        message: outgoing_message.clone(),
+                    })
+                    .await
+                {
+                    send_error = Some(err);
+                    break;
+                }
+            }
+            match send_error {
+                Some(err) => Err(err),
+                None => Ok(()),
+            }
+        };
+
+        if let Err(err) = send_result {
            warn!("failed to send request {outgoing_message_id:?} to client: {err:?}");
            let mut request_id_to_callback = self.request_id_to_callback.lock().await;
            request_id_to_callback.remove(&outgoing_message_id);
@@ -172,29 +261,71 @@ impl OutgoingMessageSender {
    }

    pub(crate) async fn send_server_notification(&self, notification: ServerNotification) {
-        if let Err(err) = self
-            .sender
-            .send(OutgoingEnvelope::Broadcast {
-                message: OutgoingMessage::AppServerNotification(notification),
-            })
-            .await
-        {
-            warn!("failed to send server notification to client: {err:?}");
+        self.send_server_notification_to_connections(&[], notification)
+            .await;
+    }
+
+    pub(crate) async fn send_server_notification_to_connections(
+        &self,
+        connection_ids: &[ConnectionId],
+        notification: ServerNotification,
+    ) {
+        let outgoing_message = OutgoingMessage::AppServerNotification(notification);
+        if connection_ids.is_empty() {
+            if let Err(err) = self
+                .sender
+                .send(OutgoingEnvelope::Broadcast {
+                    message: outgoing_message,
+                })
+                .await
+            {
+                warn!("failed to send server notification to client: {err:?}");
+            }
+            return;
+        }
+        for connection_id in connection_ids {
+            if let Err(err) = self
+                .sender
+                .send(OutgoingEnvelope::ToConnection {
+                    connection_id: *connection_id,
+                    message: outgoing_message.clone(),
+                })
+                .await
+            {
+                warn!("failed to send server notification to client: {err:?}");
+            }
        }
    }

-    /// All notifications should be migrated to [`ServerNotification`] and
-    /// [`OutgoingMessage::Notification`] should be removed.
-    pub(crate) async fn send_notification(&self, notification: OutgoingNotification) {
+    pub(crate) async fn send_notification_to_connections(
+        &self,
+        connection_ids: &[ConnectionId],
+        notification: OutgoingNotification,
+    ) {
        let outgoing_message = OutgoingMessage::Notification(notification);
-        if let Err(err) = self
-            .sender
-            .send(OutgoingEnvelope::Broadcast {
-                message: outgoing_message,
-            })
-            .await
-        {
-            warn!("failed to send notification to client: {err:?}");
+        if connection_ids.is_empty() {
+            if let Err(err) = self
+                .sender
+                .send(OutgoingEnvelope::Broadcast {
+                    message: outgoing_message,
+                })
+                .await
+            {
+                warn!("failed to send notification to client: {err:?}");
+            }
+            return;
+        }
+        for connection_id in connection_ids {
+            if let Err(err) = self
+                .sender
+                .send(OutgoingEnvelope::ToConnection {
+                    connection_id: *connection_id,
+                    message: outgoing_message.clone(),
+                })
+                .await
+            {
+                warn!("failed to send notification to client: {err:?}");
+            }
        }
    }

@@ -326,6 +457,8 @@ mod tests {
        let notification =
            ServerNotification::AccountRateLimitsUpdated(AccountRateLimitsUpdatedNotification {
                rate_limits: RateLimitSnapshot {
+                    limit_id: Some("codex".to_string()),
+                    limit_name: None,
                    primary: Some(RateLimitWindow {
                        used_percent: 25,
                        window_duration_mins: Some(15),
@@ -342,7 +475,9 @@ mod tests {
            json!({
                "method": "account/rateLimits/updated",
                "params": {
-                    "rateLimits": {
+                        "rateLimits": {
+                        "limitId": "codex",
+                        "limitName": null,
                        "primary": {
                            "usedPercent": 25,
                            "windowDurationMins": 15,
--- a/codex-rs/app-server/src/thread_state.rs
+++ b/codex-rs/app-server/src/thread_state.rs
@@ -0,0 +1,221 @@
+use crate::outgoing_message::ConnectionId;
+use crate::outgoing_message::ConnectionRequestId;
+use codex_app_server_protocol::TurnError;
+use codex_core::CodexThread;
+use codex_protocol::ThreadId;
+use std::collections::HashMap;
+use std::collections::HashSet;
+use std::sync::Arc;
+use std::sync::Weak;
+use tokio::sync::Mutex;
+use tokio::sync::oneshot;
+use uuid::Uuid;
+
+type PendingInterruptQueue = Vec<(
+    ConnectionRequestId,
+    crate::codex_message_processor::ApiVersion,
+)>;
+
+/// Per-conversation accumulation of the latest states e.g. error message while a turn runs.
+#[derive(Default, Clone)]
+pub(crate) struct TurnSummary {
+    pub(crate) file_change_started: HashSet<String>,
+    pub(crate) last_error: Option<TurnError>,
+}
+
+#[derive(Default)]
+pub(crate) struct ThreadState {
+    pub(crate) pending_interrupts: PendingInterruptQueue,
+    pub(crate) pending_rollbacks: Option<ConnectionRequestId>,
+    pub(crate) turn_summary: TurnSummary,
+    pub(crate) cancel_tx: Option<oneshot::Sender<()>>,
+    pub(crate) experimental_raw_events: bool,
+    listener_thread: Option<Weak<CodexThread>>,
+    subscribed_connections: HashSet<ConnectionId>,
+}
+
+impl ThreadState {
+    pub(crate) fn listener_matches(&self, conversation: &Arc<CodexThread>) -> bool {
+        self.listener_thread
+            .as_ref()
+            .and_then(Weak::upgrade)
+            .is_some_and(|existing| Arc::ptr_eq(&existing, conversation))
+    }
+
+    pub(crate) fn set_listener(
+        &mut self,
+        cancel_tx: oneshot::Sender<()>,
+        conversation: &Arc<CodexThread>,
+    ) {
+        if let Some(previous) = self.cancel_tx.replace(cancel_tx) {
+            let _ = previous.send(());
+        }
+        self.listener_thread = Some(Arc::downgrade(conversation));
+    }
+
+    pub(crate) fn clear_listener(&mut self) {
+        if let Some(cancel_tx) = self.cancel_tx.take() {
+            let _ = cancel_tx.send(());
+        }
+        self.listener_thread = None;
+    }
+
+    pub(crate) fn add_connection(&mut self, connection_id: ConnectionId) {
+        self.subscribed_connections.insert(connection_id);
+    }
+
+    pub(crate) fn remove_connection(&mut self, connection_id: ConnectionId) {
+        self.subscribed_connections.remove(&connection_id);
+    }
+
+    pub(crate) fn subscribed_connection_ids(&self) -> Vec<ConnectionId> {
+        self.subscribed_connections.iter().copied().collect()
+    }
+
+    pub(crate) fn set_experimental_raw_events(&mut self, enabled: bool) {
+        self.experimental_raw_events = enabled;
+    }
+}
+
+#[derive(Clone, Copy)]
+struct SubscriptionState {
+    thread_id: ThreadId,
+    connection_id: ConnectionId,
+}
+
+#[derive(Default)]
+pub(crate) struct ThreadStateManager {
+    thread_states: HashMap<ThreadId, Arc<Mutex<ThreadState>>>,
+    subscription_state_by_id: HashMap<Uuid, SubscriptionState>,
+    thread_ids_by_connection: HashMap<ConnectionId, HashSet<ThreadId>>,
+}
+
+impl ThreadStateManager {
+    pub(crate) fn new() -> Self {
+        Self::default()
+    }
+
+    pub(crate) fn thread_state(&mut self, thread_id: ThreadId) -> Arc<Mutex<ThreadState>> {
+        self.thread_states
+            .entry(thread_id)
+            .or_insert_with(|| Arc::new(Mutex::new(ThreadState::default())))
+            .clone()
+    }
+
+    pub(crate) async fn remove_listener(&mut self, subscription_id: Uuid) -> Option<ThreadId> {
+        let subscription_state = self.subscription_state_by_id.remove(&subscription_id)?;
+        let thread_id = subscription_state.thread_id;
+
+        let connection_still_subscribed_to_thread =
+            self.subscription_state_by_id.values().any(|state| {
+                state.thread_id == thread_id
+                    && state.connection_id == subscription_state.connection_id
+            });
+        if !connection_still_subscribed_to_thread {
+            let mut remove_connection_entry = false;
+            if let Some(thread_ids) = self
+                .thread_ids_by_connection
+                .get_mut(&subscription_state.connection_id)
+            {
+                thread_ids.remove(&thread_id);
+                remove_connection_entry = thread_ids.is_empty();
+            }
+            if remove_connection_entry {
+                self.thread_ids_by_connection
+                    .remove(&subscription_state.connection_id);
+            }
+            if let Some(thread_state) = self.thread_states.get(&thread_id) {
+                thread_state
+                    .lock()
+                    .await
+                    .remove_connection(subscription_state.connection_id);
+            }
+        }
+
+        if let Some(thread_state) = self.thread_states.get(&thread_id) {
+            let mut thread_state = thread_state.lock().await;
+            if thread_state.subscribed_connection_ids().is_empty() {
+                thread_state.clear_listener();
+            }
+        }
+        Some(thread_id)
+    }
+
+    pub(crate) async fn remove_thread_state(&mut self, thread_id: ThreadId) {
+        if let Some(thread_state) = self.thread_states.remove(&thread_id) {
+            thread_state.lock().await.clear_listener();
+        }
+        self.subscription_state_by_id
+            .retain(|_, state| state.thread_id != thread_id);
+        self.thread_ids_by_connection.retain(|_, thread_ids| {
+            thread_ids.remove(&thread_id);
+            !thread_ids.is_empty()
+        });
+    }
+
+    pub(crate) async fn set_listener(
+        &mut self,
+        subscription_id: Uuid,
+        thread_id: ThreadId,
+        connection_id: ConnectionId,
+        experimental_raw_events: bool,
+    ) -> Arc<Mutex<ThreadState>> {
+        self.subscription_state_by_id.insert(
+            subscription_id,
+            SubscriptionState {
+                thread_id,
+                connection_id,
+            },
+        );
+        self.thread_ids_by_connection
+            .entry(connection_id)
+            .or_default()
+            .insert(thread_id);
+        let thread_state = self.thread_state(thread_id);
+        {
+            let mut thread_state_guard = thread_state.lock().await;
+            thread_state_guard.add_connection(connection_id);
+            thread_state_guard.set_experimental_raw_events(experimental_raw_events);
+        }
+        thread_state
+    }
+
+    pub(crate) async fn ensure_connection_subscribed(
+        &mut self,
+        thread_id: ThreadId,
+        connection_id: ConnectionId,
+        experimental_raw_events: bool,
+    ) -> Arc<Mutex<ThreadState>> {
+        self.thread_ids_by_connection
+            .entry(connection_id)
+            .or_default()
+            .insert(thread_id);
+        let thread_state = self.thread_state(thread_id);
+        {
+            let mut thread_state_guard = thread_state.lock().await;
+            thread_state_guard.add_connection(connection_id);
+            if experimental_raw_events {
+                thread_state_guard.set_experimental_raw_events(true);
+            }
+        }
+        thread_state
+    }
+
+    pub(crate) async fn remove_connection(&mut self, connection_id: ConnectionId) {
+        let Some(thread_ids) = self.thread_ids_by_connection.remove(&connection_id) else {
+            return;
+        };
+        self.subscription_state_by_id
+            .retain(|_, state| state.connection_id != connection_id);
+
+        for thread_id in thread_ids {
+            if let Some(thread_state) = self.thread_states.get(&thread_id) {
+                let mut thread_state = thread_state.lock().await;
+                thread_state.remove_connection(connection_id);
+                if thread_state.subscribed_connection_ids().is_empty() {
+                    thread_state.clear_listener();
+                }
+            }
+        }
+    }
+}
--- a/codex-rs/app-server/src/transport.rs
+++ b/codex-rs/app-server/src/transport.rs
@@ -1,7 +1,10 @@
+use crate::error_code::OVERLOADED_ERROR_CODE;
 use crate::message_processor::ConnectionSessionState;
 use crate::outgoing_message::ConnectionId;
 use crate::outgoing_message::OutgoingEnvelope;
+use crate::outgoing_message::OutgoingError;
 use crate::outgoing_message::OutgoingMessage;
+use codex_app_server_protocol::JSONRPCErrorError;
 use codex_app_server_protocol::JSONRPCMessage;
 use futures::SinkExt;
 use futures::StreamExt;
@@ -9,11 +12,14 @@ use owo_colors::OwoColorize;
 use owo_colors::Stream;
 use owo_colors::Style;
 use std::collections::HashMap;
+use std::collections::HashSet;
 use std::io::ErrorKind;
 use std::io::Result as IoResult;
 use std::net::SocketAddr;
 use std::str::FromStr;
 use std::sync::Arc;
+use std::sync::RwLock;
+use std::sync::atomic::AtomicBool;
 use std::sync::atomic::AtomicU64;
 use std::sync::atomic::Ordering;
 use tokio::io::AsyncBufReadExt;
@@ -140,25 +146,51 @@ pub(crate) enum TransportEvent {
 }

 pub(crate) struct ConnectionState {
-    pub(crate) writer: mpsc::Sender<OutgoingMessage>,
+    pub(crate) outbound_initialized: Arc<AtomicBool>,
+    pub(crate) outbound_opted_out_notification_methods: Arc<RwLock<HashSet<String>>>,
    pub(crate) session: ConnectionSessionState,
 }

 impl ConnectionState {
-    pub(crate) fn new(writer: mpsc::Sender<OutgoingMessage>) -> Self {
+    pub(crate) fn new(
+        outbound_initialized: Arc<AtomicBool>,
+        outbound_opted_out_notification_methods: Arc<RwLock<HashSet<String>>>,
+    ) -> Self {
        Self {
-            writer,
+            outbound_initialized,
+            outbound_opted_out_notification_methods,
            session: ConnectionSessionState::default(),
        }
    }
 }

+pub(crate) struct OutboundConnectionState {
+    pub(crate) initialized: Arc<AtomicBool>,
+    pub(crate) opted_out_notification_methods: Arc<RwLock<HashSet<String>>>,
+    pub(crate) writer: mpsc::Sender<OutgoingMessage>,
+}
+
+impl OutboundConnectionState {
+    pub(crate) fn new(
+        writer: mpsc::Sender<OutgoingMessage>,
+        initialized: Arc<AtomicBool>,
+        opted_out_notification_methods: Arc<RwLock<HashSet<String>>>,
+    ) -> Self {
+        Self {
+            initialized,
+            opted_out_notification_methods,
+            writer,
+        }
+    }
+}
+
 pub(crate) async fn start_stdio_connection(
    transport_event_tx: mpsc::Sender<TransportEvent>,
    stdio_handles: &mut Vec<JoinHandle<()>>,
 ) -> IoResult<()> {
    let connection_id = ConnectionId(0);
    let (writer_tx, mut writer_rx) = mpsc::channel::<OutgoingMessage>(CHANNEL_CAPACITY);
+    let writer_tx_for_reader = writer_tx.clone();
    transport_event_tx
        .send(TransportEvent::ConnectionOpened {
            connection_id,
@@ -178,6 +210,7 @@ pub(crate) async fn start_stdio_connection(
                Ok(Some(line)) => {
                    if !forward_incoming_message(
                        &transport_event_tx_for_reader,
+                        &writer_tx_for_reader,
                        connection_id,
                        &line,
                    )
@@ -267,6 +300,7 @@ async fn run_websocket_connection(
    };

    let (writer_tx, mut writer_rx) = mpsc::channel::<OutgoingMessage>(CHANNEL_CAPACITY);
+    let writer_tx_for_reader = writer_tx.clone();
    if transport_event_tx
        .send(TransportEvent::ConnectionOpened {
            connection_id,
@@ -295,7 +329,14 @@ async fn run_websocket_connection(
            incoming_message = websocket_reader.next() => {
                match incoming_message {
                    Some(Ok(WebSocketMessage::Text(text))) => {
-                        if !forward_incoming_message(&transport_event_tx, connection_id, &text).await {
+                        if !forward_incoming_message(
+                            &transport_event_tx,
+                            &writer_tx_for_reader,
+                            connection_id,
+                            &text,
+                        )
+                        .await
+                        {
                            break;
                        }
                    }
@@ -326,17 +367,14 @@ async fn run_websocket_connection(

 async fn forward_incoming_message(
    transport_event_tx: &mpsc::Sender<TransportEvent>,
+    writer: &mpsc::Sender<OutgoingMessage>,
    connection_id: ConnectionId,
    payload: &str,
 ) -> bool {
    match serde_json::from_str::<JSONRPCMessage>(payload) {
-        Ok(message) => transport_event_tx
-            .send(TransportEvent::IncomingMessage {
-                connection_id,
-                message,
-            })
-            .await
-            .is_ok(),
+        Ok(message) => {
+            enqueue_incoming_message(transport_event_tx, writer, connection_id, message).await
+        }
        Err(err) => {
            error!("Failed to deserialize JSONRPCMessage: {err}");
            true
@@ -344,6 +382,47 @@ async fn forward_incoming_message(
    }
 }

+async fn enqueue_incoming_message(
+    transport_event_tx: &mpsc::Sender<TransportEvent>,
+    writer: &mpsc::Sender<OutgoingMessage>,
+    connection_id: ConnectionId,
+    message: JSONRPCMessage,
+) -> bool {
+    let event = TransportEvent::IncomingMessage {
+        connection_id,
+        message,
+    };
+    match transport_event_tx.try_send(event) {
+        Ok(()) => true,
+        Err(mpsc::error::TrySendError::Closed(_)) => false,
+        Err(mpsc::error::TrySendError::Full(TransportEvent::IncomingMessage {
+            connection_id,
+            message: JSONRPCMessage::Request(request),
+        })) => {
+            let overload_error = OutgoingMessage::Error(OutgoingError {
+                id: request.id,
+                error: JSONRPCErrorError {
+                    code: OVERLOADED_ERROR_CODE,
+                    message: "Server overloaded; retry later.".to_string(),
+                    data: None,
+                },
+            });
+            match writer.try_send(overload_error) {
+                Ok(()) => true,
+                Err(mpsc::error::TrySendError::Closed(_)) => false,
+                Err(mpsc::error::TrySendError::Full(_overload_error)) => {
+                    warn!(
+                        "dropping overload response for connection {:?}: outbound queue is full",
+                        connection_id
+                    );
+                    true
+                }
+            }
+        }
+        Err(mpsc::error::TrySendError::Full(event)) => transport_event_tx.send(event).await.is_ok(),
+    }
+}
+
 fn serialize_outgoing_message(outgoing_message: OutgoingMessage) -> Option<String> {
    let value = match serde_json::to_value(outgoing_message) {
        Ok(value) => value,
@@ -361,10 +440,32 @@ fn serialize_outgoing_message(outgoing_message: OutgoingMessage) -> Option<Strin
    }
 }

+fn should_skip_notification_for_connection(
+    connection_state: &OutboundConnectionState,
+    message: &OutgoingMessage,
+) -> bool {
+    let Ok(opted_out_notification_methods) = connection_state.opted_out_notification_methods.read()
+    else {
+        warn!("failed to read outbound opted-out notifications");
+        return false;
+    };
+    match message {
+        OutgoingMessage::AppServerNotification(notification) => {
+            let method = notification.to_string();
+            opted_out_notification_methods.contains(method.as_str())
+        }
+        OutgoingMessage::Notification(notification) => {
+            opted_out_notification_methods.contains(notification.method.as_str())
+        }
+        _ => false,
+    }
+}
+
 pub(crate) async fn route_outgoing_envelope(
-    connections: &mut HashMap<ConnectionId, ConnectionState>,
+    connections: &mut HashMap<ConnectionId, OutboundConnectionState>,
    envelope: OutgoingEnvelope,
-) {
+) -> Vec<ConnectionId> {
+    let mut disconnected = Vec::new();
    match envelope {
        OutgoingEnvelope::ToConnection {
            connection_id,
@@ -375,17 +476,23 @@ pub(crate) async fn route_outgoing_envelope(
                    "dropping message for disconnected connection: {:?}",
                    connection_id
                );
-                return;
+                return disconnected;
            };
+            if should_skip_notification_for_connection(connection_state, &message) {
+                return disconnected;
+            }
            if connection_state.writer.send(message).await.is_err() {
                connections.remove(&connection_id);
+                disconnected.push(connection_id);
            }
        }
        OutgoingEnvelope::Broadcast { message } => {
            let target_connections: Vec<ConnectionId> = connections
                .iter()
                .filter_map(|(connection_id, connection_state)| {
-                    if connection_state.session.initialized {
+                    if connection_state.initialized.load(Ordering::Acquire)
+                        && !should_skip_notification_for_connection(connection_state, &message)
+                    {
                        Some(*connection_id)
                    } else {
                        None
@@ -399,24 +506,20 @@ pub(crate) async fn route_outgoing_envelope(
                };
                if connection_state.writer.send(message.clone()).await.is_err() {
                    connections.remove(&connection_id);
+                    disconnected.push(connection_id);
                }
            }
        }
    }
-}
-
-pub(crate) fn has_initialized_connections(
-    connections: &HashMap<ConnectionId, ConnectionState>,
-) -> bool {
-    connections
-        .values()
-        .any(|connection| connection.session.initialized)
+    disconnected
 }

 #[cfg(test)]
 mod tests {
    use super::*;
+    use crate::error_code::OVERLOADED_ERROR_CODE;
    use pretty_assertions::assert_eq;
+    use serde_json::json;

    #[test]
    fn app_server_transport_parses_stdio_listen_url() {
@@ -456,4 +559,222 @@ mod tests {
            "unsupported --listen URL `http://127.0.0.1:1234`; expected `stdio://` or `ws://IP:PORT`"
        );
    }
+
+    #[tokio::test]
+    async fn enqueue_incoming_request_returns_overload_error_when_queue_is_full() {
+        let connection_id = ConnectionId(42);
+        let (transport_event_tx, mut transport_event_rx) = mpsc::channel(1);
+        let (writer_tx, mut writer_rx) = mpsc::channel(1);
+
+        let first_message =
+            JSONRPCMessage::Notification(codex_app_server_protocol::JSONRPCNotification {
+                method: "initialized".to_string(),
+                params: None,
+            });
+        transport_event_tx
+            .send(TransportEvent::IncomingMessage {
+                connection_id,
+                message: first_message.clone(),
+            })
+            .await
+            .expect("queue should accept first message");
+
+        let request = JSONRPCMessage::Request(codex_app_server_protocol::JSONRPCRequest {
+            id: codex_app_server_protocol::RequestId::Integer(7),
+            method: "config/read".to_string(),
+            params: Some(json!({ "includeLayers": false })),
+        });
+        assert!(
+            enqueue_incoming_message(&transport_event_tx, &writer_tx, connection_id, request).await
+        );
+
+        let queued_event = transport_event_rx
+            .recv()
+            .await
+            .expect("first event should stay queued");
+        match queued_event {
+            TransportEvent::IncomingMessage {
+                connection_id: queued_connection_id,
+                message,
+            } => {
+                assert_eq!(queued_connection_id, connection_id);
+                assert_eq!(message, first_message);
+            }
+            _ => panic!("expected queued incoming message"),
+        }
+
+        let overload = writer_rx
+            .recv()
+            .await
+            .expect("request should receive overload error");
+        let overload_json = serde_json::to_value(overload).expect("serialize overload error");
+        assert_eq!(
+            overload_json,
+            json!({
+                "id": 7,
+                "error": {
+                    "code": OVERLOADED_ERROR_CODE,
+                    "message": "Server overloaded; retry later."
+                }
+            })
+        );
+    }
+
+    #[tokio::test]
+    async fn enqueue_incoming_response_waits_instead_of_dropping_when_queue_is_full() {
+        let connection_id = ConnectionId(42);
+        let (transport_event_tx, mut transport_event_rx) = mpsc::channel(1);
+        let (writer_tx, _writer_rx) = mpsc::channel(1);
+
+        let first_message =
+            JSONRPCMessage::Notification(codex_app_server_protocol::JSONRPCNotification {
+                method: "initialized".to_string(),
+                params: None,
+            });
+        transport_event_tx
+            .send(TransportEvent::IncomingMessage {
+                connection_id,
+                message: first_message.clone(),
+            })
+            .await
+            .expect("queue should accept first message");
+
+        let response = JSONRPCMessage::Response(codex_app_server_protocol::JSONRPCResponse {
+            id: codex_app_server_protocol::RequestId::Integer(7),
+            result: json!({"ok": true}),
+        });
+        let transport_event_tx_for_enqueue = transport_event_tx.clone();
+        let writer_tx_for_enqueue = writer_tx.clone();
+        let enqueue_handle = tokio::spawn(async move {
+            enqueue_incoming_message(
+                &transport_event_tx_for_enqueue,
+                &writer_tx_for_enqueue,
+                connection_id,
+                response,
+            )
+            .await
+        });
+
+        let queued_event = transport_event_rx
+            .recv()
+            .await
+            .expect("first event should be dequeued");
+        match queued_event {
+            TransportEvent::IncomingMessage {
+                connection_id: queued_connection_id,
+                message,
+            } => {
+                assert_eq!(queued_connection_id, connection_id);
+                assert_eq!(message, first_message);
+            }
+            _ => panic!("expected queued incoming message"),
+        }
+
+        let enqueue_result = enqueue_handle.await.expect("enqueue task should not panic");
+        assert!(enqueue_result);
+
+        let forwarded_event = transport_event_rx
+            .recv()
+            .await
+            .expect("response should be forwarded instead of dropped");
+        match forwarded_event {
+            TransportEvent::IncomingMessage {
+                connection_id: queued_connection_id,
+                message:
+                    JSONRPCMessage::Response(codex_app_server_protocol::JSONRPCResponse { id, result }),
+            } => {
+                assert_eq!(queued_connection_id, connection_id);
+                assert_eq!(id, codex_app_server_protocol::RequestId::Integer(7));
+                assert_eq!(result, json!({"ok": true}));
+            }
+            _ => panic!("expected forwarded response message"),
+        }
+    }
+
+    #[tokio::test]
+    async fn enqueue_incoming_request_does_not_block_when_writer_queue_is_full() {
+        let connection_id = ConnectionId(42);
+        let (transport_event_tx, _transport_event_rx) = mpsc::channel(1);
+        let (writer_tx, mut writer_rx) = mpsc::channel(1);
+
+        transport_event_tx
+            .send(TransportEvent::IncomingMessage {
+                connection_id,
+                message: JSONRPCMessage::Notification(
+                    codex_app_server_protocol::JSONRPCNotification {
+                        method: "initialized".to_string(),
+                        params: None,
+                    },
+                ),
+            })
+            .await
+            .expect("transport queue should accept first message");
+
+        writer_tx
+            .send(OutgoingMessage::Notification(
+                crate::outgoing_message::OutgoingNotification {
+                    method: "queued".to_string(),
+                    params: None,
+                },
+            ))
+            .await
+            .expect("writer queue should accept first message");
+
+        let request = JSONRPCMessage::Request(codex_app_server_protocol::JSONRPCRequest {
+            id: codex_app_server_protocol::RequestId::Integer(7),
+            method: "config/read".to_string(),
+            params: Some(json!({ "includeLayers": false })),
+        });
+
+        let enqueue_result = tokio::time::timeout(
+            std::time::Duration::from_millis(100),
+            enqueue_incoming_message(&transport_event_tx, &writer_tx, connection_id, request),
+        )
+        .await
+        .expect("enqueue should not block while writer queue is full");
+        assert!(enqueue_result);
+
+        let queued_outgoing = writer_rx
+            .recv()
+            .await
+            .expect("writer queue should still contain original message");
+        let queued_json = serde_json::to_value(queued_outgoing).expect("serialize queued message");
+        assert_eq!(queued_json, json!({ "method": "queued" }));
+    }
+
+    #[tokio::test]
+    async fn to_connection_notification_respects_opt_out_filters() {
+        let connection_id = ConnectionId(7);
+        let (writer_tx, mut writer_rx) = mpsc::channel(1);
+        let initialized = Arc::new(AtomicBool::new(true));
+        let opted_out_notification_methods = Arc::new(RwLock::new(HashSet::from([
+            "codex/event/task_started".to_string(),
+        ])));
+
+        let mut connections = HashMap::new();
+        connections.insert(
+            connection_id,
+            OutboundConnectionState::new(writer_tx, initialized, opted_out_notification_methods),
+        );
+
+        let disconnected = route_outgoing_envelope(
+            &mut connections,
+            OutgoingEnvelope::ToConnection {
+                connection_id,
+                message: OutgoingMessage::Notification(
+                    crate::outgoing_message::OutgoingNotification {
+                        method: "codex/event/task_started".to_string(),
+                        params: None,
+                    },
+                ),
+            },
+        )
+        .await;
+
+        assert_eq!(disconnected, Vec::<ConnectionId>::new());
+        assert!(
+            writer_rx.try_recv().is_err(),
+            "opted-out notification should be dropped"
+        );
+    }
 }
--- a/codex-rs/app-server/tests/common/Cargo.toml
+++ b/codex-rs/app-server/tests/common/Cargo.toml
@@ -12,7 +12,7 @@ anyhow = { workspace = true }
 base64 = { workspace = true }
 chrono = { workspace = true }
 codex-app-server-protocol = { workspace = true }
-codex-core = { workspace = true, features = ["test-support"] }
+codex-core = { workspace = true }
 codex-protocol = { workspace = true }
 codex-utils-cargo-bin = { workspace = true }
 serde = { workspace = true }
--- a/codex-rs/app-server/tests/common/mcp_process.rs
+++ b/codex-rs/app-server/tests/common/mcp_process.rs
@@ -174,6 +174,7 @@ impl McpProcess {
            client_info,
            Some(InitializeCapabilities {
                experimental_api: true,
+                ..Default::default()
            }),
        )
        .await
--- a/codex-rs/app-server/tests/common/models_cache.rs
+++ b/codex-rs/app-server/tests/common/models_cache.rs
@@ -1,6 +1,6 @@
 use chrono::DateTime;
 use chrono::Utc;
-use codex_core::models_manager::model_presets::all_model_presets;
+use codex_core::test_support::all_model_presets;
 use codex_protocol::openai_models::ConfigShellToolType;
 use codex_protocol::openai_models::ModelInfo;
 use codex_protocol::openai_models::ModelPreset;
@@ -40,6 +40,7 @@ fn preset_to_info(preset: &ModelPreset, priority: i32) -> ModelInfo {
        effective_context_window_percent: 95,
        experimental_supported_tools: Vec::new(),
        input_modalities: default_input_modalities(),
+        prefer_websockets: false,
    }
 }

--- a/codex-rs/app-server/tests/suite/codex_message_processor_flow.rs
+++ b/codex-rs/app-server/tests/suite/codex_message_processor_flow.rs
@@ -444,6 +444,7 @@ async fn test_send_user_turn_updates_sandbox_and_cwd_between_turns() -> Result<(
            approval_policy: AskForApproval::Never,
            sandbox_policy: SandboxPolicy::WorkspaceWrite {
                writable_roots: vec![first_cwd.try_into()?],
+                read_only_access: Default::default(),
                network_access: false,
                exclude_tmpdir_env_var: false,
                exclude_slash_tmp: false,
--- a/codex-rs/app-server/tests/suite/send_message.rs
+++ b/codex-rs/app-server/tests/suite/send_message.rs
@@ -560,6 +560,7 @@ fn append_rollout_turn_context(path: &Path, timestamp: &str, model: &str) -> std
    let line = RolloutLine {
        timestamp: timestamp.to_string(),
        item: RolloutItem::TurnContext(TurnContextItem {
+            turn_id: None,
            cwd: PathBuf::from("/"),
            approval_policy: AskForApproval::Never,
            sandbox_policy: SandboxPolicy::DangerFullAccess,
--- a/codex-rs/app-server/tests/suite/v2/analytics.rs
+++ b/codex-rs/app-server/tests/suite/v2/analytics.rs
@@ -36,8 +36,9 @@ async fn app_server_default_analytics_disabled_without_flag() -> Result<()> {
    .map_err(|err| anyhow::anyhow!(err.to_string()))?;

    // With analytics unset in the config and the default flag is false, metrics are disabled.
-    // No provider is built.
-    assert_eq!(provider.is_none(), true);
+    // A provider may still exist for non-metrics telemetry, so check metrics specifically.
+    let has_metrics = provider.as_ref().and_then(|otel| otel.metrics()).is_some();
+    assert_eq!(has_metrics, false);
    Ok(())
 }

--- a/codex-rs/app-server/tests/suite/v2/app_list.rs
+++ b/codex-rs/app-server/tests/suite/v2/app_list.rs
@@ -120,6 +120,7 @@ async fn list_apps_uses_thread_feature_flag_when_thread_id_is_provided() -> Resu
        format!(
            r#"
 chatgpt_base_url = "{server_url}"
+mcp_oauth_credentials_store = "file"

 [features]
 connectors = false
@@ -791,6 +792,7 @@ fn write_connectors_config(codex_home: &std::path::Path, base_url: &str) -> std:
        format!(
            r#"
 chatgpt_base_url = "{base_url}"
+mcp_oauth_credentials_store = "file"

 [features]
 connectors = true
--- a/codex-rs/app-server/tests/suite/v2/collaboration_mode_list.rs
+++ b/codex-rs/app-server/tests/suite/v2/collaboration_mode_list.rs
@@ -15,7 +15,7 @@ use codex_app_server_protocol::CollaborationModeListParams;
 use codex_app_server_protocol::CollaborationModeListResponse;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::RequestId;
-use codex_core::models_manager::test_builtin_collaboration_mode_presets;
+use codex_core::test_support::builtin_collaboration_mode_presets;
 use codex_protocol::config_types::CollaborationModeMask;
 use codex_protocol::config_types::ModeKind;
 use pretty_assertions::assert_eq;
@@ -55,7 +55,7 @@ async fn list_collaboration_modes_returns_presets() -> Result<()> {
 /// If the defaults change in the app server, this helper should be updated alongside the
 /// contract, or the test will fail in ways that imply a regression in the API.
 fn plan_preset() -> CollaborationModeMask {
-    let presets = test_builtin_collaboration_mode_presets();
+    let presets = builtin_collaboration_mode_presets();
    presets
        .into_iter()
        .find(|p| p.mode == Some(ModeKind::Plan))
@@ -64,7 +64,7 @@ fn plan_preset() -> CollaborationModeMask {

 /// Builds the default preset that the list response is expected to return.
 fn default_preset() -> CollaborationModeMask {
-    let presets = test_builtin_collaboration_mode_presets();
+    let presets = builtin_collaboration_mode_presets();
    presets
        .into_iter()
        .find(|p| p.mode == Some(ModeKind::Default))
--- a/codex-rs/app-server/tests/suite/v2/config_rpc.rs
+++ b/codex-rs/app-server/tests/suite/v2/config_rpc.rs
@@ -560,9 +560,22 @@ fn assert_layers_user_then_optional_system(
    layers: &[codex_app_server_protocol::ConfigLayer],
    user_file: AbsolutePathBuf,
 ) -> Result<()> {
-    assert_eq!(layers.len(), 2);
-    assert_eq!(layers[0].name, ConfigLayerSource::User { file: user_file });
-    assert!(matches!(layers[1].name, ConfigLayerSource::System { .. }));
+    let mut first_index = 0;
+    if matches!(
+        layers.first().map(|layer| &layer.name),
+        Some(ConfigLayerSource::LegacyManagedConfigTomlFromMdm)
+    ) {
+        first_index = 1;
+    }
+    assert_eq!(layers.len(), first_index + 2);
+    assert_eq!(
+        layers[first_index].name,
+        ConfigLayerSource::User { file: user_file }
+    );
+    assert!(matches!(
+        layers[first_index + 1].name,
+        ConfigLayerSource::System { .. }
+    ));
    Ok(())
 }

@@ -571,12 +584,25 @@ fn assert_layers_managed_user_then_optional_system(
    managed_file: AbsolutePathBuf,
    user_file: AbsolutePathBuf,
 ) -> Result<()> {
-    assert_eq!(layers.len(), 3);
+    let mut first_index = 0;
+    if matches!(
+        layers.first().map(|layer| &layer.name),
+        Some(ConfigLayerSource::LegacyManagedConfigTomlFromMdm)
+    ) {
+        first_index = 1;
+    }
+    assert_eq!(layers.len(), first_index + 3);
    assert_eq!(
-        layers[0].name,
+        layers[first_index].name,
        ConfigLayerSource::LegacyManagedConfigTomlFromFile { file: managed_file }
    );
-    assert_eq!(layers[1].name, ConfigLayerSource::User { file: user_file });
-    assert!(matches!(layers[2].name, ConfigLayerSource::System { .. }));
+    assert_eq!(
+        layers[first_index + 1].name,
+        ConfigLayerSource::User { file: user_file }
+    );
+    assert!(matches!(
+        layers[first_index + 2].name,
+        ConfigLayerSource::System { .. }
+    ));
    Ok(())
 }
--- a/codex-rs/app-server/tests/suite/v2/experimental_api.rs
+++ b/codex-rs/app-server/tests/suite/v2/experimental_api.rs
@@ -30,6 +30,7 @@ async fn mock_experimental_method_requires_experimental_api_capability() -> Resu
            default_client_info(),
            Some(InitializeCapabilities {
                experimental_api: false,
+                opt_out_notification_methods: None,
            }),
        )
        .await?;
@@ -61,6 +62,7 @@ async fn thread_start_mock_field_requires_experimental_api_capability() -> Resul
            default_client_info(),
            Some(InitializeCapabilities {
                experimental_api: false,
+                opt_out_notification_methods: None,
            }),
        )
        .await?;
@@ -97,6 +99,7 @@ async fn thread_start_without_dynamic_tools_allows_without_experimental_api_capa
            default_client_info(),
            Some(InitializeCapabilities {
                experimental_api: false,
+                opt_out_notification_methods: None,
            }),
        )
        .await?;
--- a/codex-rs/app-server/tests/suite/v2/initialize.rs
+++ b/codex-rs/app-server/tests/suite/v2/initialize.rs
@@ -3,8 +3,12 @@ use app_test_support::McpProcess;
 use app_test_support::create_mock_responses_server_sequence_unchecked;
 use app_test_support::to_response;
 use codex_app_server_protocol::ClientInfo;
+use codex_app_server_protocol::InitializeCapabilities;
 use codex_app_server_protocol::InitializeResponse;
 use codex_app_server_protocol::JSONRPCMessage;
+use codex_app_server_protocol::RequestId;
+use codex_app_server_protocol::ThreadStartParams;
+use codex_app_server_protocol::ThreadStartResponse;
 use pretty_assertions::assert_eq;
 use std::path::Path;
 use tempfile::TempDir;
@@ -108,6 +112,72 @@ async fn initialize_rejects_invalid_client_name() -> Result<()> {
    Ok(())
 }

+#[tokio::test]
+async fn initialize_opt_out_notification_methods_filters_notifications() -> Result<()> {
+    let responses = Vec::new();
+    let server = create_mock_responses_server_sequence_unchecked(responses).await;
+    let codex_home = TempDir::new()?;
+    create_config_toml(codex_home.path(), &server.uri(), "never")?;
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+
+    let message = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.initialize_with_capabilities(
+            ClientInfo {
+                name: "codex_vscode".to_string(),
+                title: Some("Codex VS Code Extension".to_string()),
+                version: "0.1.0".to_string(),
+            },
+            Some(InitializeCapabilities {
+                experimental_api: true,
+                opt_out_notification_methods: Some(vec![
+                    "thread/started".to_string(),
+                    "codex/event/session_configured".to_string(),
+                ]),
+            }),
+        ),
+    )
+    .await??;
+    let JSONRPCMessage::Response(_) = message else {
+        anyhow::bail!("expected initialize response, got {message:?}");
+    };
+
+    let request_id = mcp
+        .send_thread_start_request(ThreadStartParams::default())
+        .await?;
+    let response = timeout(DEFAULT_READ_TIMEOUT, async {
+        loop {
+            let message = mcp.read_next_message().await?;
+            match message {
+                JSONRPCMessage::Response(response)
+                    if response.id == RequestId::Integer(request_id) =>
+                {
+                    return Ok(response);
+                }
+                JSONRPCMessage::Notification(notification)
+                    if notification.method == "thread/started" =>
+                {
+                    anyhow::bail!("thread/started should be filtered by optOutNotificationMethods");
+                }
+                _ => {}
+            }
+        }
+    })
+    .await??;
+    let _: ThreadStartResponse = to_response(response)?;
+
+    let thread_started = timeout(
+        std::time::Duration::from_millis(500),
+        mcp.read_stream_until_notification_message("thread/started"),
+    )
+    .await;
+    assert!(
+        thread_started.is_err(),
+        "thread/started should be filtered by optOutNotificationMethods"
+    );
+    Ok(())
+}
+
 // Helper to create a config.toml pointing at the mock model server.
 fn create_config_toml(
    codex_home: &Path,
--- a/codex-rs/app-server/tests/suite/v2/rate_limits.rs
+++ b/codex-rs/app-server/tests/suite/v2/rate_limits.rs
@@ -117,7 +117,23 @@ async fn get_account_rate_limits_returns_snapshot() -> Result<()> {
                "reset_after_seconds": 43200,
                "reset_at": secondary_reset_timestamp,
            }
-        }
+        },
+        "additional_rate_limits": [
+            {
+                "limit_name": "codex_other",
+                "metered_feature": "codex_other",
+                "rate_limit": {
+                    "allowed": true,
+                    "limit_reached": false,
+                    "primary_window": {
+                        "used_percent": 88,
+                        "limit_window_seconds": 1800,
+                        "reset_after_seconds": 600,
+                        "reset_at": 1735693200
+                    }
+                }
+            }
+        ]
    });

    Mock::given(method("GET"))
@@ -143,6 +159,8 @@ async fn get_account_rate_limits_returns_snapshot() -> Result<()> {

    let expected = GetAccountRateLimitsResponse {
        rate_limits: RateLimitSnapshot {
+            limit_id: Some("codex".to_string()),
+            limit_name: None,
            primary: Some(RateLimitWindow {
                used_percent: 42,
                window_duration_mins: Some(60),
@@ -156,6 +174,46 @@ async fn get_account_rate_limits_returns_snapshot() -> Result<()> {
            credits: None,
            plan_type: Some(AccountPlanType::Pro),
        },
+        rate_limits_by_limit_id: Some(
+            [
+                (
+                    "codex".to_string(),
+                    RateLimitSnapshot {
+                        limit_id: Some("codex".to_string()),
+                        limit_name: None,
+                        primary: Some(RateLimitWindow {
+                            used_percent: 42,
+                            window_duration_mins: Some(60),
+                            resets_at: Some(primary_reset_timestamp),
+                        }),
+                        secondary: Some(RateLimitWindow {
+                            used_percent: 5,
+                            window_duration_mins: Some(1440),
+                            resets_at: Some(secondary_reset_timestamp),
+                        }),
+                        credits: None,
+                        plan_type: Some(AccountPlanType::Pro),
+                    },
+                ),
+                (
+                    "codex_other".to_string(),
+                    RateLimitSnapshot {
+                        limit_id: Some("codex_other".to_string()),
+                        limit_name: Some("codex_other".to_string()),
+                        primary: Some(RateLimitWindow {
+                            used_percent: 88,
+                            window_duration_mins: Some(30),
+                            resets_at: Some(1735693200),
+                        }),
+                        secondary: None,
+                        credits: None,
+                        plan_type: Some(AccountPlanType::Pro),
+                    },
+                ),
+            ]
+            .into_iter()
+            .collect(),
+        ),
    };
    assert_eq!(received, expected);

--- a/codex-rs/app-server/tests/suite/v2/review.rs
+++ b/codex-rs/app-server/tests/suite/v2/review.rs
@@ -136,6 +136,7 @@ async fn review_start_runs_review_turn_and_emits_code_review_item() -> Result<()
 }

 #[tokio::test]
+#[ignore = "TODO(owenlin0): flaky"]
 async fn review_start_exec_approval_item_id_matches_command_execution_item() -> Result<()> {
    let responses = vec![
        create_shell_command_sse_response(
--- a/codex-rs/app-server/tests/suite/v2/thread_list.rs
+++ b/codex-rs/app-server/tests/suite/v2/thread_list.rs
@@ -116,6 +116,7 @@ fn timestamp_at(
    )
 }

+#[allow(dead_code)]
 fn set_rollout_mtime(path: &Path, updated_at_rfc3339: &str) -> Result<()> {
    let parsed = DateTime::parse_from_rfc3339(updated_at_rfc3339)?.with_timezone(&Utc);
    let times = FileTimes::new().set_modified(parsed.into());
--- a/codex-rs/app-server/tests/suite/v2/thread_resume.rs
+++ b/codex-rs/app-server/tests/suite/v2/thread_resume.rs
@@ -605,6 +605,7 @@ required = true
    )
 }

+#[allow(dead_code)]
 fn set_rollout_mtime(path: &Path, updated_at_rfc3339: &str) -> Result<()> {
    let parsed = chrono::DateTime::parse_from_rfc3339(updated_at_rfc3339)?.with_timezone(&Utc);
    let times = FileTimes::new().set_modified(parsed.into());
--- a/codex-rs/app-server/tests/suite/v2/turn_start.rs
+++ b/codex-rs/app-server/tests/suite/v2/turn_start.rs
@@ -9,6 +9,7 @@ use app_test_support::create_mock_responses_server_sequence_unchecked;
 use app_test_support::create_shell_command_sse_response;
 use app_test_support::format_with_current_shell_display;
 use app_test_support::to_response;
+use app_test_support::write_models_cache_with_slug_for_originator;
 use codex_app_server_protocol::ByteRange;
 use codex_app_server_protocol::ClientInfo;
 use codex_app_server_protocol::CommandExecutionApprovalDecision;
@@ -59,6 +60,7 @@ const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs
 const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
 const TEST_ORIGINATOR: &str = "codex_vscode";
 const LOCAL_PRAGMATIC_TEMPLATE: &str = "You are a deeply pragmatic, effective software engineer.";
+const APP_SERVER_CACHE_ORIGINATOR: &str = "codex_app_server_cache_e2e";

 #[tokio::test]
 async fn turn_start_sends_originator_header() -> Result<()> {
@@ -135,6 +137,89 @@ async fn turn_start_sends_originator_header() -> Result<()> {
    Ok(())
 }

+#[tokio::test]
+async fn turn_start_uses_originator_scoped_cache_slug() -> Result<()> {
+    let responses = vec![create_final_assistant_message_sse_response("Done")?];
+    let server = create_mock_responses_server_sequence_unchecked(responses).await;
+
+    let codex_home = TempDir::new()?;
+    create_config_toml(
+        codex_home.path(),
+        &server.uri(),
+        "never",
+        &BTreeMap::from([(Feature::Personality, true)]),
+    )?;
+    let cached_slug = "app-server-cache-slug-e2e";
+    write_models_cache_with_slug_for_originator(
+        codex_home.path(),
+        APP_SERVER_CACHE_ORIGINATOR,
+        cached_slug,
+    )?;
+
+    let mut mcp = McpProcess::new_with_env(
+        codex_home.path(),
+        &[(
+            codex_core::default_client::CODEX_INTERNAL_ORIGINATOR_OVERRIDE_ENV_VAR,
+            Some(APP_SERVER_CACHE_ORIGINATOR),
+        )],
+    )
+    .await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let thread_req = mcp
+        .send_thread_start_request(ThreadStartParams::default())
+        .await?;
+    let thread_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(thread_req)),
+    )
+    .await??;
+    let ThreadStartResponse { thread, .. } = to_response::<ThreadStartResponse>(thread_resp)?;
+
+    let turn_req = mcp
+        .send_turn_start_request(TurnStartParams {
+            thread_id: thread.id,
+            input: vec![V2UserInput::Text {
+                text: "Hello".to_string(),
+                text_elements: Vec::new(),
+            }],
+            ..Default::default()
+        })
+        .await?;
+    timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(turn_req)),
+    )
+    .await??;
+    timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("turn/completed"),
+    )
+    .await??;
+
+    let requests = server
+        .received_requests()
+        .await
+        .expect("failed to fetch received requests");
+    let response_request = requests
+        .into_iter()
+        .find(|request| request.url.path().ends_with("/responses"))
+        .expect("expected /responses request");
+    let body: serde_json::Value = serde_json::from_slice(&response_request.body)
+        .expect("responses request body should be json");
+    assert_eq!(body["model"].as_str(), Some(cached_slug));
+    assert!(
+        codex_home
+            .path()
+            .join("models_cache")
+            .join(APP_SERVER_CACHE_ORIGINATOR)
+            .join("models_cache.json")
+            .exists()
+    );
+
+    Ok(())
+}
+
 #[tokio::test]
 async fn turn_start_emits_user_message_item_with_text_elements() -> Result<()> {
    let responses = vec![create_final_assistant_message_sse_response("Done")?];
@@ -1104,6 +1189,7 @@ async fn turn_start_updates_sandbox_and_cwd_between_turns_v2() -> Result<()> {
            approval_policy: Some(codex_app_server_protocol::AskForApproval::Never),
            sandbox_policy: Some(codex_app_server_protocol::SandboxPolicy::WorkspaceWrite {
                writable_roots: vec![first_cwd.try_into()?],
+                read_only_access: codex_app_server_protocol::ReadOnlyAccess::FullAccess,
                network_access: false,
                exclude_tmpdir_env_var: false,
                exclude_slash_tmp: false,
--- a/codex-rs/backend-client/src/client.rs
+++ b/codex-rs/backend-client/src/client.rs
@@ -1,9 +1,7 @@
 use crate::types::CodeTaskDetailsResponse;
 use crate::types::ConfigFileResponse;
-use crate::types::CreditStatusDetails;
 use crate::types::PaginatedListTaskListItem;
 use crate::types::RateLimitStatusPayload;
-use crate::types::RateLimitWindowSnapshot;
 use crate::types::TurnAttemptsSiblingTurnsResponse;
 use anyhow::Result;
 use codex_core::auth::CodexAuth;
@@ -160,6 +158,15 @@ impl Client {
    }

    pub async fn get_rate_limits(&self) -> Result<RateLimitSnapshot> {
+        let snapshots = self.get_rate_limits_many().await?;
+        let preferred = snapshots
+            .iter()
+            .find(|snapshot| snapshot.limit_id.as_deref() == Some("codex"))
+            .cloned();
+        Ok(preferred.unwrap_or_else(|| snapshots[0].clone()))
+    }
+
+    pub async fn get_rate_limits_many(&self) -> Result<Vec<RateLimitSnapshot>> {
        let url = match self.path_style {
            PathStyle::CodexApi => format!("{}/api/codex/usage", self.base_url),
            PathStyle::ChatGptApi => format!("{}/wham/usage", self.base_url),
@@ -167,7 +174,7 @@ impl Client {
        let req = self.http.get(&url).headers(self.headers());
        let (body, ct) = self.exec_request(req, "GET", &url).await?;
        let payload: RateLimitStatusPayload = self.decode_json(&url, &ct, &body)?;
-        Ok(Self::rate_limit_snapshot_from_payload(payload))
+        Ok(Self::rate_limit_snapshots_from_payload(payload))
    }

    pub async fn list_tasks(
@@ -295,35 +302,59 @@ impl Client {
    }

    // rate limit helpers
-    fn rate_limit_snapshot_from_payload(payload: RateLimitStatusPayload) -> RateLimitSnapshot {
-        let rate_limit_details = payload
-            .rate_limit
-            .and_then(|inner| inner.map(|boxed| *boxed));
+    fn rate_limit_snapshots_from_payload(
+        payload: RateLimitStatusPayload,
+    ) -> Vec<RateLimitSnapshot> {
+        let plan_type = Some(Self::map_plan_type(payload.plan_type));
+        let mut snapshots = vec![Self::make_rate_limit_snapshot(
+            Some("codex".to_string()),
+            None,
+            payload.rate_limit.flatten().map(|details| *details),
+            payload.credits.flatten().map(|details| *details),
+            plan_type,
+        )];
+        if let Some(additional) = payload.additional_rate_limits.flatten() {
+            snapshots.extend(additional.into_iter().map(|details| {
+                Self::make_rate_limit_snapshot(
+                    Some(details.metered_feature),
+                    Some(details.limit_name),
+                    details.rate_limit.flatten().map(|rate_limit| *rate_limit),
+                    None,
+                    plan_type,
+                )
+            }));
+        }
+        snapshots
+    }

-        let (primary, secondary) = if let Some(details) = rate_limit_details {
-            (
+    fn make_rate_limit_snapshot(
+        limit_id: Option<String>,
+        limit_name: Option<String>,
+        rate_limit: Option<crate::types::RateLimitStatusDetails>,
+        credits: Option<crate::types::CreditStatusDetails>,
+        plan_type: Option<AccountPlanType>,
+    ) -> RateLimitSnapshot {
+        let (primary, secondary) = match rate_limit {
+            Some(details) => (
                Self::map_rate_limit_window(details.primary_window),
                Self::map_rate_limit_window(details.secondary_window),
-            )
-        } else {
-            (None, None)
+            ),
+            None => (None, None),
        };
-
        RateLimitSnapshot {
+            limit_id,
+            limit_name,
            primary,
            secondary,
-            credits: Self::map_credits(payload.credits),
-            plan_type: Some(Self::map_plan_type(payload.plan_type)),
+            credits: Self::map_credits(credits),
+            plan_type,
        }
    }

    fn map_rate_limit_window(
-        window: Option<Option<Box<RateLimitWindowSnapshot>>>,
+        window: Option<Option<Box<crate::types::RateLimitWindowSnapshot>>>,
    ) -> Option<RateLimitWindow> {
-        let snapshot = match window {
-            Some(Some(snapshot)) => *snapshot,
-            _ => return None,
-        };
+        let snapshot = window.flatten().map(|details| *details)?;

        let used_percent = f64::from(snapshot.used_percent);
        let window_minutes = Self::window_minutes_from_seconds(snapshot.limit_window_seconds);
@@ -335,16 +366,13 @@ impl Client {
        })
    }

-    fn map_credits(credits: Option<Option<Box<CreditStatusDetails>>>) -> Option<CreditsSnapshot> {
-        let details = match credits {
-            Some(Some(details)) => *details,
-            _ => return None,
-        };
+    fn map_credits(credits: Option<crate::types::CreditStatusDetails>) -> Option<CreditsSnapshot> {
+        let details = credits?;

        Some(CreditsSnapshot {
            has_credits: details.has_credits,
            unlimited: details.unlimited,
-            balance: details.balance.and_then(|inner| inner),
+            balance: details.balance.flatten(),
        })
    }

@@ -374,3 +402,142 @@ impl Client {
        Some((seconds_i64 + 59) / 60)
    }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use pretty_assertions::assert_eq;
+
+    #[test]
+    fn usage_payload_maps_primary_and_additional_rate_limits() {
+        let payload = RateLimitStatusPayload {
+            plan_type: crate::types::PlanType::Pro,
+            rate_limit: Some(Some(Box::new(crate::types::RateLimitStatusDetails {
+                primary_window: Some(Some(Box::new(crate::types::RateLimitWindowSnapshot {
+                    used_percent: 42,
+                    limit_window_seconds: 300,
+                    reset_after_seconds: 0,
+                    reset_at: 123,
+                }))),
+                secondary_window: Some(Some(Box::new(crate::types::RateLimitWindowSnapshot {
+                    used_percent: 84,
+                    limit_window_seconds: 3600,
+                    reset_after_seconds: 0,
+                    reset_at: 456,
+                }))),
+                ..Default::default()
+            }))),
+            additional_rate_limits: Some(Some(vec![crate::types::AdditionalRateLimitDetails {
+                limit_name: "codex_other".to_string(),
+                metered_feature: "codex_other".to_string(),
+                rate_limit: Some(Some(Box::new(crate::types::RateLimitStatusDetails {
+                    primary_window: Some(Some(Box::new(crate::types::RateLimitWindowSnapshot {
+                        used_percent: 70,
+                        limit_window_seconds: 900,
+                        reset_after_seconds: 0,
+                        reset_at: 789,
+                    }))),
+                    secondary_window: None,
+                    ..Default::default()
+                }))),
+            }])),
+            credits: Some(Some(Box::new(crate::types::CreditStatusDetails {
+                has_credits: true,
+                unlimited: false,
+                balance: Some(Some("9.99".to_string())),
+                ..Default::default()
+            }))),
+        };
+
+        let snapshots = Client::rate_limit_snapshots_from_payload(payload);
+        assert_eq!(snapshots.len(), 2);
+
+        assert_eq!(snapshots[0].limit_id.as_deref(), Some("codex"));
+        assert_eq!(snapshots[0].limit_name, None);
+        assert_eq!(
+            snapshots[0].primary.as_ref().map(|w| w.used_percent),
+            Some(42.0)
+        );
+        assert_eq!(
+            snapshots[0].secondary.as_ref().map(|w| w.used_percent),
+            Some(84.0)
+        );
+        assert_eq!(
+            snapshots[0].credits,
+            Some(CreditsSnapshot {
+                has_credits: true,
+                unlimited: false,
+                balance: Some("9.99".to_string()),
+            })
+        );
+        assert_eq!(snapshots[0].plan_type, Some(AccountPlanType::Pro));
+
+        assert_eq!(snapshots[1].limit_id.as_deref(), Some("codex_other"));
+        assert_eq!(snapshots[1].limit_name.as_deref(), Some("codex_other"));
+        assert_eq!(
+            snapshots[1].primary.as_ref().map(|w| w.used_percent),
+            Some(70.0)
+        );
+        assert_eq!(snapshots[1].credits, None);
+        assert_eq!(snapshots[1].plan_type, Some(AccountPlanType::Pro));
+    }
+
+    #[test]
+    fn usage_payload_maps_zero_rate_limit_when_primary_absent() {
+        let payload = RateLimitStatusPayload {
+            plan_type: crate::types::PlanType::Plus,
+            rate_limit: None,
+            additional_rate_limits: Some(Some(vec![crate::types::AdditionalRateLimitDetails {
+                limit_name: "codex_other".to_string(),
+                metered_feature: "codex_other".to_string(),
+                rate_limit: None,
+            }])),
+            credits: None,
+        };
+
+        let snapshots = Client::rate_limit_snapshots_from_payload(payload);
+        assert_eq!(snapshots.len(), 2);
+        assert_eq!(snapshots[0].limit_id.as_deref(), Some("codex"));
+        assert_eq!(snapshots[0].limit_name, None);
+        assert_eq!(snapshots[0].primary, None);
+        assert_eq!(snapshots[1].limit_id.as_deref(), Some("codex_other"));
+        assert_eq!(snapshots[1].limit_name.as_deref(), Some("codex_other"));
+    }
+
+    #[test]
+    fn preferred_snapshot_selection_matches_get_rate_limits_behavior() {
+        let snapshots = [
+            RateLimitSnapshot {
+                limit_id: Some("codex_other".to_string()),
+                limit_name: Some("codex_other".to_string()),
+                primary: Some(RateLimitWindow {
+                    used_percent: 90.0,
+                    window_minutes: Some(60),
+                    resets_at: Some(1),
+                }),
+                secondary: None,
+                credits: None,
+                plan_type: Some(AccountPlanType::Pro),
+            },
+            RateLimitSnapshot {
+                limit_id: Some("codex".to_string()),
+                limit_name: Some("codex".to_string()),
+                primary: Some(RateLimitWindow {
+                    used_percent: 10.0,
+                    window_minutes: Some(60),
+                    resets_at: Some(2),
+                }),
+                secondary: None,
+                credits: None,
+                plan_type: Some(AccountPlanType::Pro),
+            },
+        ];
+
+        let preferred = snapshots
+            .iter()
+            .find(|snapshot| snapshot.limit_id.as_deref() == Some("codex"))
+            .cloned()
+            .unwrap_or_else(|| snapshots[0].clone());
+        assert_eq!(preferred.limit_id.as_deref(), Some("codex"));
+    }
+}
--- a/codex-rs/backend-client/src/types.rs
+++ b/codex-rs/backend-client/src/types.rs
@@ -1,3 +1,4 @@
+pub use codex_backend_openapi_models::models::AdditionalRateLimitDetails;
 pub use codex_backend_openapi_models::models::ConfigFileResponse;
 pub use codex_backend_openapi_models::models::CreditStatusDetails;
 pub use codex_backend_openapi_models::models::PaginatedListTaskListItem;
--- a/Show More
+++ b/Show More