paths for node module resolution can be specified for js_repl

feat: drop MCP managing tools if no MCP servers (#11900 )
Drop MCP tools if no MCP servers to save context For this https://github.com/openai/codex/issues/11049
2026-02-17 14:23:48 +00:00 · 2026-02-16 12:48:26 -08:00 · 2026-02-16 18:40:45 +00:00 · 2026-02-16 17:35:05 +01:00 · 2026-02-16 16:29:32 +00:00 · 2026-02-16 16:18:53 +00:00
401 changed files with 30131 additions and 7780 deletions
--- a/.codespellignore
+++ b/.codespellignore
@@ -1,3 +1,5 @@
 iTerm
 iTerm2
-psuedo
+psuedo
+te
+TE
--- a/.codespellrc
+++ b/.codespellrc
@@ -3,4 +3,4 @@
 skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl,frame*.txt,*.snap,*.snap.new,*meriyah.umd.min.js
 check-hidden = true
 ignore-regex = ^\s*"image/\S+": ".*|\b(afterAll)\b
-ignore-words-list = ratatui,ser,iTerm,iterm2,iterm
+ignore-words-list = ratatui,ser,iTerm,iterm2,iterm,te,TE
--- a/.codex/skills/test-tui/SKILL.md
+++ b/.codex/skills/test-tui/SKILL.md
@@ -0,0 +1,14 @@
+---
+name: test-tui
+description: Guide for testing Codex TUI interactively
+---
+
+You can start and use Codex TUI to verify changes. 
+
+Important notes:
+
+Start interactively.
+Always set RUST_LOG="trace" when starting the process.
+Pass `-c log_dir=<some_temp_dir>` argument to have logs written to a specific directory to help with debugging.
+When sending a test message programmatically, send text first, then send Enter in a separate write (do not send text + Enter in one burst).
+Use `just codex` target to run - `just codex -c ...`
--- a/.github/ISSUE_TEMPLATE/1-codex-app.yml
+++ b/.github/ISSUE_TEMPLATE/1-codex-app.yml
@@ -21,6 +21,13 @@ body:
      label: What subscription do you have?
    validations:
      required: true
+  - type: input
+    id: platform
+    attributes:
+      label: What platform is your computer?
+      description: |
+        For macOS and Linux: copy the output of `uname -mprs`
+        For Windows: copy the output of `"$([Environment]::OSVersion | ForEach-Object VersionString) $(if ([Environment]::Is64BitOperatingSystem) { "x64" } else { "x86" })"` in the PowerShell console
  - type: textarea
    id: actual
    attributes:
--- a/.github/prompts/issue-deduplicator.txt
+++ b/.github/prompts/issue-deduplicator.txt
@@ -1,18 +0,0 @@
-You are an assistant that triages new GitHub issues by identifying potential duplicates.
-
-You will receive the following JSON files located in the current working directory:
- `codex-current-issue.json`: JSON object describing the newly created issue (fields: number, title, body).
- `codex-existing-issues.json`: JSON array of recent issues (each element includes number, title, body, createdAt).
-
-Instructions:
- Load both files as JSON and review their contents carefully. The codex-existing-issues.json file is large, ensure you explore all of it.
- Compare the current issue against the existing issues to find up to five that appear to describe the same underlying problem or request.
- Only consider an issue a potential duplicate if there is a clear overlap in symptoms, feature requests, reproduction steps, or error messages.
- Prioritize newer issues when similarity is comparable.
- Ignore pull requests and issues whose similarity is tenuous.
- When unsure, prefer returning fewer matches.
-
-Output requirements:
- Respond with a JSON array of issue numbers (integers), ordered from most likely duplicate to least.
- Include at most five numbers.
- If you find no plausible duplicates, respond with `[]`.
--- a/.github/scripts/install-musl-build-tools.sh
+++ b/.github/scripts/install-musl-build-tools.sh
@@ -17,7 +17,7 @@ if [[ -n "${APT_INSTALL_ARGS:-}" ]]; then
 fi

 sudo apt-get update "${apt_update_args[@]}"
-sudo apt-get install -y "${apt_install_args[@]}" musl-tools pkg-config g++ clang libc++-dev libc++abi-dev lld
+sudo apt-get install -y "${apt_install_args[@]}" ca-certificates curl musl-tools pkg-config libcap-dev g++ clang libc++-dev libc++abi-dev lld xz-utils

 case "${TARGET}" in
  x86_64-unknown-linux-musl)
@@ -32,6 +32,11 @@ case "${TARGET}" in
    ;;
 esac

+libcap_version="2.75"
+libcap_sha256="de4e7e064c9ba451d5234dd46e897d7c71c96a9ebf9a0c445bc04f4742d83632"
+libcap_tarball_name="libcap-${libcap_version}.tar.xz"
+libcap_download_url="https://mirrors.edge.kernel.org/pub/linux/libs/security/linux-privs/libcap2/${libcap_tarball_name}"
+
 # Use the musl toolchain as the Rust linker to avoid Zig injecting its own CRT.
 if command -v "${arch}-linux-musl-gcc" >/dev/null; then
  musl_linker="$(command -v "${arch}-linux-musl-gcc")"
@@ -47,6 +52,43 @@ runner_temp="${RUNNER_TEMP:-/tmp}"
 tool_root="${runner_temp}/codex-musl-tools-${TARGET}"
 mkdir -p "${tool_root}"

+libcap_root="${tool_root}/libcap-${libcap_version}"
+libcap_src_root="${libcap_root}/src"
+libcap_prefix="${libcap_root}/prefix"
+libcap_pkgconfig_dir="${libcap_prefix}/lib/pkgconfig"
+
+if [[ ! -f "${libcap_prefix}/lib/libcap.a" ]]; then
+  mkdir -p "${libcap_src_root}" "${libcap_prefix}/lib" "${libcap_prefix}/include/sys" "${libcap_prefix}/include/linux" "${libcap_pkgconfig_dir}"
+  libcap_tarball="${libcap_root}/${libcap_tarball_name}"
+
+  curl -fsSL "${libcap_download_url}" -o "${libcap_tarball}"
+  echo "${libcap_sha256}  ${libcap_tarball}" | sha256sum -c -
+
+  tar -xJf "${libcap_tarball}" -C "${libcap_src_root}"
+  libcap_source_dir="${libcap_src_root}/libcap-${libcap_version}"
+  make -C "${libcap_source_dir}/libcap" -j"$(nproc)" \
+    CC="${musl_linker}" \
+    AR=ar \
+    RANLIB=ranlib
+
+  cp "${libcap_source_dir}/libcap/libcap.a" "${libcap_prefix}/lib/libcap.a"
+  cp "${libcap_source_dir}/libcap/include/uapi/linux/capability.h" "${libcap_prefix}/include/linux/capability.h"
+  cp "${libcap_source_dir}/libcap/../libcap/include/sys/capability.h" "${libcap_prefix}/include/sys/capability.h"
+
+  cat > "${libcap_pkgconfig_dir}/libcap.pc" <<EOF
+prefix=${libcap_prefix}
+exec_prefix=\${prefix}
+libdir=\${prefix}/lib
+includedir=\${prefix}/include
+
+Name: libcap
+Description: Linux capabilities
+Version: ${libcap_version}
+Libs: -L\${libdir} -lcap
+Cflags: -I\${includedir}
+EOF
+fi
+
 sysroot=""
 if command -v zig >/dev/null; then
  zig_bin="$(command -v zig)"
@@ -59,7 +101,19 @@ set -euo pipefail

 args=()
 skip_next=0
+pending_include=0
 for arg in "\$@"; do
+  if [[ "\${pending_include}" -eq 1 ]]; then
+    pending_include=0
+    if [[ "\${arg}" == /usr/include || "\${arg}" == /usr/include/* ]]; then
+      # Keep host-only headers available, but after the target sysroot headers.
+      args+=("-idirafter" "\${arg}")
+    else
+      args+=("-I" "\${arg}")
+    fi
+    continue
+  fi
+
  if [[ "\${skip_next}" -eq 1 ]]; then
    skip_next=0
    continue
@@ -77,6 +131,15 @@ for arg in "\$@"; do
      fi
      continue
      ;;
+    -I)
+      pending_include=1
+      continue
+      ;;
+    -I/usr/include|-I/usr/include/*)
+      # Avoid making glibc headers win over musl headers.
+      args+=("-idirafter" "\${arg#-I}")
+      continue
+      ;;
    -Wp,-U_FORTIFY_SOURCE)
      # aws-lc-sys emits this GCC preprocessor forwarding form in debug
      # builds, but zig cc expects the define flag directly.
@@ -95,7 +158,19 @@ set -euo pipefail

 args=()
 skip_next=0
+pending_include=0
 for arg in "\$@"; do
+  if [[ "\${pending_include}" -eq 1 ]]; then
+    pending_include=0
+    if [[ "\${arg}" == /usr/include || "\${arg}" == /usr/include/* ]]; then
+      # Keep host-only headers available, but after the target sysroot headers.
+      args+=("-idirafter" "\${arg}")
+    else
+      args+=("-I" "\${arg}")
+    fi
+    continue
+  fi
+
  if [[ "\${skip_next}" -eq 1 ]]; then
    skip_next=0
    continue
@@ -113,6 +188,15 @@ for arg in "\$@"; do
      fi
      continue
      ;;
+    -I)
+      pending_include=1
+      continue
+      ;;
+    -I/usr/include|-I/usr/include/*)
+      # Avoid making glibc headers win over musl headers.
+      args+=("-idirafter" "\${arg#-I}")
+      continue
+      ;;
    -Wp,-U_FORTIFY_SOURCE)
      # aws-lc-sys emits this GCC forwarding form in debug builds; zig c++
      # expects the define flag directly.
@@ -175,3 +259,21 @@ echo "${cargo_linker_var}=${musl_linker}" >> "$GITHUB_ENV"
 echo "CMAKE_C_COMPILER=${cc}" >> "$GITHUB_ENV"
 echo "CMAKE_CXX_COMPILER=${cxx}" >> "$GITHUB_ENV"
 echo "CMAKE_ARGS=-DCMAKE_HAVE_THREADS_LIBRARY=1 -DCMAKE_USE_PTHREADS_INIT=1 -DCMAKE_THREAD_LIBS_INIT=-pthread -DTHREADS_PREFER_PTHREAD_FLAG=ON" >> "$GITHUB_ENV"
+
+# Allow pkg-config resolution during cross-compilation.
+echo "PKG_CONFIG_ALLOW_CROSS=1" >> "$GITHUB_ENV"
+pkg_config_path="${libcap_pkgconfig_dir}"
+if [[ -n "${PKG_CONFIG_PATH:-}" ]]; then
+  pkg_config_path="${pkg_config_path}:${PKG_CONFIG_PATH}"
+fi
+echo "PKG_CONFIG_PATH=${pkg_config_path}" >> "$GITHUB_ENV"
+pkg_config_path_var="PKG_CONFIG_PATH_${TARGET}"
+pkg_config_path_var="${pkg_config_path_var//-/_}"
+echo "${pkg_config_path_var}=${libcap_pkgconfig_dir}" >> "$GITHUB_ENV"
+
+if [[ -n "${sysroot}" && "${sysroot}" != "/" ]]; then
+  echo "PKG_CONFIG_SYSROOT_DIR=${sysroot}" >> "$GITHUB_ENV"
+  pkg_config_sysroot_var="PKG_CONFIG_SYSROOT_DIR_${TARGET}"
+  pkg_config_sysroot_var="${pkg_config_sysroot_var//-/_}"
+  echo "${pkg_config_sysroot_var}=${sysroot}" >> "$GITHUB_ENV"
+fi
--- a/.github/workflows/bazel.yml
+++ b/.github/workflows/bazel.yml
@@ -65,6 +65,11 @@ jobs:
      - name: Set up Bazel
        uses: bazelbuild/setup-bazelisk@v3

+      - name: Check MODULE.bazel.lock is up to date
+        if: matrix.os == 'ubuntu-24.04' && matrix.target == 'x86_64-unknown-linux-gnu'
+        shell: bash
+        run: ./scripts/check-module-bazel-lock.sh
+
      # TODO(mbolin): Bring this back once we have caching working. Currently,
      # we never seem to get a cache hit but we still end up paying the cost of
      # uploading at the end of the build, which takes over a minute!
@@ -100,12 +105,12 @@ jobs:
      - name: bazel test //...
        env:
          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
-          CODEX_BWRAP_ENABLE_FFI: ${{ contains(matrix.target, 'unknown-linux') && '1' || '0' }}
        shell: bash
        run: |
          bazel_args=(
            test
            //...
+            --test_verbose_timeout_warnings
            --build_metadata=REPO_URL=https://github.com/openai/codex.git
            --build_metadata=COMMIT_SHA=$(git rev-parse HEAD)
            --build_metadata=ROLE=CI
--- a/.github/workflows/issue-deduplicator.yml
+++ b/.github/workflows/issue-deduplicator.yml
@@ -15,34 +15,68 @@ jobs:
    permissions:
      contents: read
    outputs:
-      codex_output: ${{ steps.codex.outputs.final-message }}
+      codex_output: ${{ steps.select-final.outputs.codex_output }}
    steps:
      - uses: actions/checkout@v6

      - name: Prepare Codex inputs
        env:
          GH_TOKEN: ${{ github.token }}
+          REPO: ${{ github.repository }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
        run: |
          set -eo pipefail

          CURRENT_ISSUE_FILE=codex-current-issue.json
-          EXISTING_ISSUES_FILE=codex-existing-issues.json
+          EXISTING_ALL_FILE=codex-existing-issues-all.json
+          EXISTING_OPEN_FILE=codex-existing-issues-open.json

-          gh issue list --repo "${{ github.repository }}" \
-            --json number,title,body,createdAt \
+          gh issue list --repo "$REPO" \
+            --json number,title,body,createdAt,updatedAt,state,labels \
            --limit 1000 \
            --state all \
            --search "sort:created-desc" \
-            | jq '.' \
-            > "$EXISTING_ISSUES_FILE"
+            | jq '[.[] | {
+                number,
+                title,
+                body: ((.body // "")[0:4000]),
+                createdAt,
+                updatedAt,
+                state,
+                labels: ((.labels // []) | map(.name))
+              }]' \
+            > "$EXISTING_ALL_FILE"

-          gh issue view "${{ github.event.issue.number }}" \
-            --repo "${{ github.repository }}" \
+          gh issue list --repo "$REPO" \
+            --json number,title,body,createdAt,updatedAt,state,labels \
+            --limit 1000 \
+            --state open \
+            --search "sort:created-desc" \
+            | jq '[.[] | {
+                number,
+                title,
+                body: ((.body // "")[0:4000]),
+                createdAt,
+                updatedAt,
+                state,
+                labels: ((.labels // []) | map(.name))
+              }]' \
+            > "$EXISTING_OPEN_FILE"
+
+          gh issue view "$ISSUE_NUMBER" \
+            --repo "$REPO" \
            --json number,title,body \
-            | jq '.' \
+            | jq '{number, title, body: ((.body // "")[0:4000])}' \
            > "$CURRENT_ISSUE_FILE"

-      - id: codex
+          echo "Prepared duplicate detection input files."
+          echo "all_issue_count=$(jq 'length' "$EXISTING_ALL_FILE")"
+          echo "open_issue_count=$(jq 'length' "$EXISTING_OPEN_FILE")"
+
+      # Prompt instructions are intentionally inline in this workflow. The old
+      # .github/prompts/issue-deduplicator.txt file is obsolete and removed.
+      - id: codex-all
+        name: Find duplicates (pass 1, all issues)
        uses: openai/codex-action@main
        with:
          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
@@ -52,14 +86,17 @@ jobs:

            You will receive the following JSON files located in the current working directory:
            - `codex-current-issue.json`: JSON object describing the newly created issue (fields: number, title, body).
-            - `codex-existing-issues.json`: JSON array of recent issues (each element includes number, title, body, createdAt).
+            - `codex-existing-issues-all.json`: JSON array of recent issues with states, timestamps, and labels.

            Instructions:
            - Compare the current issue against the existing issues to find up to five that appear to describe the same underlying problem or request.
-            - Focus on the underlying intent and context of each issue—such as reported symptoms, feature requests, reproduction steps, or error messages—rather than relying solely on string similarity or synthetic metrics.
-            - After your analysis, validate your results in 1-2 lines explaining your decision to return the selected matches.
-            - When unsure, prefer returning fewer matches.
-            - Include at most five numbers.
+            - Prioritize concrete overlap in symptoms, reproduction details, error signatures, and user intent.
+            - Prefer active unresolved issues when confidence is similar.
+            - Closed issues can still be valid duplicates if they clearly match.
+            - Return fewer matches rather than speculative ones.
+            - If confidence is low, return an empty list.
+            - Include at most five issue numbers.
+            - After analysis, provide a short reason for your decision.

          output-schema: |
            {
@@ -77,6 +114,179 @@ jobs:
              "additionalProperties": false
            }

+      - id: normalize-all
+        name: Normalize pass 1 output
+        env:
+          CODEX_OUTPUT: ${{ steps.codex-all.outputs.final-message }}
+          CURRENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
+        run: |
+          set -eo pipefail
+
+          raw=${CODEX_OUTPUT//$'\r'/}
+          parsed=false
+          issues='[]'
+          reason=''
+
+          if [ -n "$raw" ] && printf '%s' "$raw" | jq -e 'type == "object" and (.issues | type == "array")' >/dev/null 2>&1; then
+            parsed=true
+            issues=$(printf '%s' "$raw" | jq -c '[.issues[] | tostring]')
+            reason=$(printf '%s' "$raw" | jq -r '.reason // ""')
+          else
+            reason='Pass 1 output was empty or invalid JSON.'
+          fi
+
+          filtered=$(jq -cn --argjson issues "$issues" --arg current "$CURRENT_ISSUE_NUMBER" '[
+            $issues[]
+            | tostring
+            | select(. != $current)
+          ] | reduce .[] as $issue ([]; if index($issue) then . else . + [$issue] end) | .[:5]')
+
+          has_matches=false
+          if [ "$(jq 'length' <<< "$filtered")" -gt 0 ]; then
+            has_matches=true
+          fi
+
+          echo "Pass 1 parsed: $parsed"
+          echo "Pass 1 matches after filtering: $(jq 'length' <<< "$filtered")"
+          echo "Pass 1 reason: $reason"
+
+          {
+            echo "issues_json=$filtered"
+            echo "reason<<EOF"
+            echo "$reason"
+            echo "EOF"
+            echo "has_matches=$has_matches"
+          } >> "$GITHUB_OUTPUT"
+
+      - id: codex-open
+        name: Find duplicates (pass 2, open issues)
+        if: ${{ steps.normalize-all.outputs.has_matches != 'true' }}
+        uses: openai/codex-action@main
+        with:
+          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
+          allow-users: "*"
+          prompt: |
+            You are an assistant that triages new GitHub issues by identifying potential duplicates.
+
+            This is a fallback pass because a broad search did not find convincing matches.
+
+            You will receive the following JSON files located in the current working directory:
+            - `codex-current-issue.json`: JSON object describing the newly created issue (fields: number, title, body).
+            - `codex-existing-issues-open.json`: JSON array of open issues only.
+
+            Instructions:
+            - Search only these active unresolved issues for duplicates of the current issue.
+            - Prioritize concrete overlap in symptoms, reproduction details, error signatures, and user intent.
+            - Prefer fewer, higher-confidence matches.
+            - If confidence is low, return an empty list.
+            - Include at most five issue numbers.
+            - After analysis, provide a short reason for your decision.
+
+          output-schema: |
+            {
+              "type": "object",
+              "properties": {
+                "issues": {
+                  "type": "array",
+                  "items": {
+                    "type": "string"
+                  }
+                },
+                "reason": { "type": "string" }
+              },
+              "required": ["issues", "reason"],
+              "additionalProperties": false
+            }
+
+      - id: normalize-open
+        name: Normalize pass 2 output
+        if: ${{ steps.normalize-all.outputs.has_matches != 'true' }}
+        env:
+          CODEX_OUTPUT: ${{ steps.codex-open.outputs.final-message }}
+          CURRENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
+        run: |
+          set -eo pipefail
+
+          raw=${CODEX_OUTPUT//$'\r'/}
+          parsed=false
+          issues='[]'
+          reason=''
+
+          if [ -n "$raw" ] && printf '%s' "$raw" | jq -e 'type == "object" and (.issues | type == "array")' >/dev/null 2>&1; then
+            parsed=true
+            issues=$(printf '%s' "$raw" | jq -c '[.issues[] | tostring]')
+            reason=$(printf '%s' "$raw" | jq -r '.reason // ""')
+          else
+            reason='Pass 2 output was empty or invalid JSON.'
+          fi
+
+          filtered=$(jq -cn --argjson issues "$issues" --arg current "$CURRENT_ISSUE_NUMBER" '[
+            $issues[]
+            | tostring
+            | select(. != $current)
+          ] | reduce .[] as $issue ([]; if index($issue) then . else . + [$issue] end) | .[:5]')
+
+          has_matches=false
+          if [ "$(jq 'length' <<< "$filtered")" -gt 0 ]; then
+            has_matches=true
+          fi
+
+          echo "Pass 2 parsed: $parsed"
+          echo "Pass 2 matches after filtering: $(jq 'length' <<< "$filtered")"
+          echo "Pass 2 reason: $reason"
+
+          {
+            echo "issues_json=$filtered"
+            echo "reason<<EOF"
+            echo "$reason"
+            echo "EOF"
+            echo "has_matches=$has_matches"
+          } >> "$GITHUB_OUTPUT"
+
+      - id: select-final
+        name: Select final duplicate set
+        env:
+          PASS1_ISSUES: ${{ steps.normalize-all.outputs.issues_json }}
+          PASS1_REASON: ${{ steps.normalize-all.outputs.reason }}
+          PASS2_ISSUES: ${{ steps.normalize-open.outputs.issues_json }}
+          PASS2_REASON: ${{ steps.normalize-open.outputs.reason }}
+          PASS1_HAS_MATCHES: ${{ steps.normalize-all.outputs.has_matches }}
+          PASS2_HAS_MATCHES: ${{ steps.normalize-open.outputs.has_matches }}
+        run: |
+          set -eo pipefail
+
+          selected_issues='[]'
+          selected_reason='No plausible duplicates found.'
+          selected_pass='none'
+
+          if [ "$PASS1_HAS_MATCHES" = "true" ]; then
+            selected_issues=${PASS1_ISSUES:-'[]'}
+            selected_reason=${PASS1_REASON:-'Pass 1 found duplicates.'}
+            selected_pass='all'
+          fi
+
+          if [ "$PASS2_HAS_MATCHES" = "true" ]; then
+            selected_issues=${PASS2_ISSUES:-'[]'}
+            selected_reason=${PASS2_REASON:-'Pass 2 found duplicates.'}
+            selected_pass='open-fallback'
+          fi
+
+          final_json=$(jq -cn \
+            --argjson issues "$selected_issues" \
+            --arg reason "$selected_reason" \
+            --arg pass "$selected_pass" \
+            '{issues: $issues, reason: $reason, pass: $pass}')
+
+          echo "Final pass used: $selected_pass"
+          echo "Final duplicate count: $(jq '.issues | length' <<< "$final_json")"
+          echo "Final reason: $(jq -r '.reason' <<< "$final_json")"
+
+          {
+            echo "codex_output<<EOF"
+            echo "$final_json"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
  comment-on-issue:
    name: Comment with potential duplicates
    needs: gather-duplicates
@@ -105,11 +315,17 @@ jobs:

            const issues = Array.isArray(parsed?.issues) ? parsed.issues : [];
            const currentIssueNumber = String(context.payload.issue.number);
+            const passUsed = typeof parsed?.pass === 'string' ? parsed.pass : 'unknown';
+            const reason = typeof parsed?.reason === 'string' ? parsed.reason : '';

            console.log(`Current issue number: ${currentIssueNumber}`);
+            console.log(`Pass used: ${passUsed}`);
+            if (reason) {
+              console.log(`Reason: ${reason}`);
+            }
            console.log(issues);

-            const filteredIssues = issues.filter((value) => String(value) !== currentIssueNumber);
+            const filteredIssues = [...new Set(issues.map((value) => String(value)))].filter((value) => value !== currentIssueNumber).slice(0, 5);

            if (filteredIssues.length === 0) {
              core.info('Codex reported no potential duplicates.');
--- a/.github/workflows/rust-ci.yml
+++ b/.github/workflows/rust-ci.yml
@@ -59,7 +59,7 @@ jobs:
        working-directory: codex-rs
    steps:
      - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@1.93
+      - uses: dtolnay/rust-toolchain@1.93.0
        with:
          components: rustfmt
      - name: cargo fmt
@@ -75,7 +75,7 @@ jobs:
        working-directory: codex-rs
    steps:
      - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@1.93
+      - uses: dtolnay/rust-toolchain@1.93.0
      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
        with:
          tool: cargo-shear
@@ -99,9 +99,8 @@ jobs:
      USE_SCCACHE: ${{ startsWith(matrix.runner, 'windows') && 'false' || 'true' }}
      CARGO_INCREMENTAL: "0"
      SCCACHE_CACHE_SIZE: 10G
-      # Keep cargo-based CI independent of system bwrap build deps.
-      # The bwrap FFI path is validated in Bazel workflows.
-      CODEX_BWRAP_ENABLE_FFI: "0"
+      # In rust-ci, representative release-profile checks use thin LTO for faster feedback.
+      CARGO_PROFILE_RELEASE_LTO: ${{ matrix.profile == 'release' && 'thin' || 'fat' }}

    strategy:
      fail-fast: false
@@ -163,6 +162,12 @@ jobs:
            runs_on:
              group: codex-runners
              labels: codex-linux-x64
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            profile: release
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-arm64
          - runner: windows-x64
            target: x86_64-pc-windows-msvc
            profile: release
@@ -178,16 +183,20 @@ jobs:

    steps:
      - uses: actions/checkout@v6
-      - name: Install UBSan runtime (musl)
-        if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl' }}
+      - name: Install Linux build dependencies
+        if: ${{ runner.os == 'Linux' }}
        shell: bash
        run: |
          set -euo pipefail
          if command -v apt-get >/dev/null 2>&1; then
            sudo apt-get update -y
-            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y libubsan1
+            packages=(pkg-config libcap-dev)
+            if [[ "${{ matrix.target }}" == 'x86_64-unknown-linux-musl' || "${{ matrix.target }}" == 'aarch64-unknown-linux-musl' ]]; then
+              packages+=(libubsan1)
+            fi
+            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends "${packages[@]}"
          fi
-      - uses: dtolnay/rust-toolchain@1.93
+      - uses: dtolnay/rust-toolchain@1.93.0
        with:
          targets: ${{ matrix.target }}
          components: clippy
@@ -379,7 +388,15 @@ jobs:
          cargo chef cook --recipe-path "$RECIPE" --target ${{ matrix.target }} --release --all-features

      - name: cargo clippy
-        run: cargo clippy --target ${{ matrix.target }} --all-features --tests --profile ${{ matrix.profile }} -- -D warnings
+        run: cargo clippy --target ${{ matrix.target }} --all-features --tests --profile ${{ matrix.profile }} --timings -- -D warnings
+
+      - name: Upload Cargo timings (clippy)
+        if: always()
+        uses: actions/upload-artifact@v6
+        with:
+          name: cargo-timings-rust-ci-clippy-${{ matrix.target }}-${{ matrix.profile }}
+          path: codex-rs/target/**/cargo-timings/cargo-timing.html
+          if-no-files-found: warn

      # Save caches explicitly; make non-fatal so cache packaging
      # never fails the overall job. Only save when key wasn't hit.
@@ -447,9 +464,6 @@ jobs:
      USE_SCCACHE: ${{ startsWith(matrix.runner, 'windows') && 'false' || 'true' }}
      CARGO_INCREMENTAL: "0"
      SCCACHE_CACHE_SIZE: 10G
-      # Keep cargo-based CI independent of system bwrap build deps.
-      # The bwrap FFI path is validated in Bazel workflows.
-      CODEX_BWRAP_ENABLE_FFI: "0"

    strategy:
      fail-fast: false
@@ -485,12 +499,21 @@ jobs:

    steps:
      - uses: actions/checkout@v6
+      - name: Install Linux build dependencies
+        if: ${{ runner.os == 'Linux' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          if command -v apt-get >/dev/null 2>&1; then
+            sudo apt-get update -y
+            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev
+          fi
      # Some integration tests rely on DotSlash being installed.
      # See https://github.com/openai/codex/pull/7617.
      - name: Install DotSlash
        uses: facebook/install-dotslash@v2

-      - uses: dtolnay/rust-toolchain@1.93
+      - uses: dtolnay/rust-toolchain@1.93.0
        with:
          targets: ${{ matrix.target }}

@@ -560,11 +583,19 @@ jobs:

      - name: tests
        id: test
-        run: cargo nextest run --all-features --no-fail-fast --target ${{ matrix.target }} --cargo-profile ci-test
+        run: cargo nextest run --all-features --no-fail-fast --target ${{ matrix.target }} --cargo-profile ci-test --timings
        env:
          RUST_BACKTRACE: 1
          NEXTEST_STATUS_LEVEL: leak

+      - name: Upload Cargo timings (nextest)
+        if: always()
+        uses: actions/upload-artifact@v6
+        with:
+          name: cargo-timings-rust-ci-nextest-${{ matrix.target }}-${{ matrix.profile }}
+          path: codex-rs/target/**/cargo-timings/cargo-timing.html
+          if-no-files-found: warn
+
      - name: Save cargo home cache
        if: always() && !cancelled() && steps.cache_cargo_home_restore.outputs.cache-hit != 'true'
        continue-on-error: true
--- a/.github/workflows/rust-release-windows.yml
+++ b/.github/workflows/rust-release-windows.yml
@@ -82,24 +82,21 @@ jobs:
          Write-Host "Total RAM: $ramGiB GiB"
          Write-Host "Disk usage:"
          Get-PSDrive -PSProvider FileSystem | Format-Table -AutoSize Name, @{Name='Size(GB)';Expression={[math]::Round(($_.Used + $_.Free) / 1GB, 1)}}, @{Name='Free(GB)';Expression={[math]::Round($_.Free / 1GB, 1)}}
-      - uses: dtolnay/rust-toolchain@1.93
+      - uses: dtolnay/rust-toolchain@1.93.0
        with:
          targets: ${{ matrix.target }}

-      - uses: actions/cache@v5
-        with:
-          path: |
-            ~/.cargo/bin/
-            ~/.cargo/registry/index/
-            ~/.cargo/registry/cache/
-            ~/.cargo/git/db/
-            ${{ github.workspace }}/codex-rs/target/
-          key: cargo-${{ matrix.runner }}-${{ matrix.target }}-release-windows-${{ matrix.bundle }}-${{ hashFiles('**/Cargo.lock') }}
-
      - name: Cargo build (Windows binaries)
        shell: bash
        run: |
-          cargo build --target ${{ matrix.target }} --release ${{ matrix.build_args }}
+          cargo build --target ${{ matrix.target }} --release --timings ${{ matrix.build_args }}
+
+      - name: Upload Cargo timings
+        uses: actions/upload-artifact@v6
+        with:
+          name: cargo-timings-rust-release-windows-${{ matrix.target }}-${{ matrix.bundle }}
+          path: codex-rs/target/**/cargo-timings/cargo-timing.html
+          if-no-files-found: warn

      - name: Stage Windows binaries
        shell: bash
@@ -195,10 +192,8 @@ jobs:
          cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
          cp target/${{ matrix.target }}/release/codex-command-runner.exe "$dest/codex-command-runner-${{ matrix.target }}.exe"

-      - if: ${{ matrix.runner == 'windows-arm64' }}
-        name: Install zstd
-        shell: powershell
-        run: choco install -y zstandard
+      - name: Install DotSlash
+        uses: facebook/install-dotslash@v2

      - name: Compress artifacts
        shell: bash
@@ -259,7 +254,7 @@ jobs:
            fi

            # Keep raw executables and produce .zst alongside them.
-            zstd -T0 -19 "$dest/$base"
+            "${GITHUB_WORKSPACE}/.github/workflows/zstd" -T0 -19 "$dest/$base"
          done

      - uses: actions/upload-artifact@v6
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -57,7 +57,6 @@ jobs:
      run:
        working-directory: codex-rs
    env:
-      CODEX_BWRAP_ENABLE_FFI: ${{ contains(matrix.target, 'unknown-linux') && '1' || '0' }}
      CARGO_PROFILE_RELEASE_LTO: ${{ contains(github.ref_name, '-alpha') && 'thin' || 'fat' }}

    strategy:
@@ -84,11 +83,13 @@ jobs:
        shell: bash
        run: |
          set -euo pipefail
+          cpu_model="$(lscpu | awk -F: '/Model name/ {gsub(/^[ \t]+/, "", $2); print $2; exit}')"
+          total_ram="$(awk '/MemTotal/ {printf "%.1f GiB\n", $2 / 1024 / 1024}' /proc/meminfo)"
          echo "Runner: ${RUNNER_NAME:-unknown}"
          echo "OS: $(uname -a)"
-          echo "CPU model: $(lscpu | awk -F: '/Model name/ {gsub(/^[ \t]+/,\"\",$2); print $2; exit}')"
+          echo "CPU model: ${cpu_model}"
          echo "Logical CPUs: $(nproc)"
-          echo "Total RAM: $(awk '/MemTotal/ {printf \"%.1f GiB\\n\", $2 / 1024 / 1024}' /proc/meminfo)"
+          echo "Total RAM: ${total_ram}"
          echo "Disk usage:"
          df -h .
      - name: Print runner specs (macOS)
@@ -96,13 +97,14 @@ jobs:
        shell: bash
        run: |
          set -euo pipefail
+          total_ram="$(sysctl -n hw.memsize | awk '{printf "%.1f GiB\n", $1 / 1024 / 1024 / 1024}')"
          echo "Runner: ${RUNNER_NAME:-unknown}"
          echo "OS: $(sw_vers -productName) $(sw_vers -productVersion)"
          echo "Hardware model: $(sysctl -n hw.model)"
          echo "CPU architecture: $(uname -m)"
          echo "Logical CPUs: $(sysctl -n hw.logicalcpu)"
          echo "Physical CPUs: $(sysctl -n hw.physicalcpu)"
-          echo "Total RAM: $(sysctl -n hw.memsize | awk '{printf \"%.1f GiB\\n\", $1 / 1024 / 1024 / 1024}')"
+          echo "Total RAM: ${total_ram}"
          echo "Disk usage:"
          df -h .
      - name: Install Linux bwrap build dependencies
@@ -121,7 +123,7 @@ jobs:
            sudo apt-get update -y
            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y libubsan1
          fi
-      - uses: dtolnay/rust-toolchain@1.93
+      - uses: dtolnay/rust-toolchain@1.93.0
        with:
          targets: ${{ matrix.target }}

@@ -136,20 +138,6 @@ jobs:
          echo "${cargo_home}/bin" >> "$GITHUB_PATH"
          : > "${cargo_home}/config.toml"

-      - uses: actions/cache@v5
-        with:
-          path: |
-            ~/.cargo/bin/
-            ~/.cargo/registry/index/
-            ~/.cargo/registry/cache/
-            ~/.cargo/git/db/
-            ${{ github.workspace }}/.cargo-home/bin/
-            ${{ github.workspace }}/.cargo-home/registry/index/
-            ${{ github.workspace }}/.cargo-home/registry/cache/
-            ${{ github.workspace }}/.cargo-home/git/db/
-            ${{ github.workspace }}/codex-rs/target/
-          key: cargo-${{ matrix.runner }}-${{ matrix.target }}-release-${{ hashFiles('**/Cargo.lock') }}
-
      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
        name: Install Zig
        uses: mlugg/setup-zig@v2
@@ -217,7 +205,14 @@ jobs:
      - name: Cargo build
        shell: bash
        run: |
-          cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy
+          cargo build --target ${{ matrix.target }} --release --timings --bin codex --bin codex-responses-api-proxy
+
+      - name: Upload Cargo timings
+        uses: actions/upload-artifact@v6
+        with:
+          name: cargo-timings-rust-release-${{ matrix.target }}
+          path: codex-rs/target/**/cargo-timings/cargo-timing.html
+          if-no-files-found: warn

      - if: ${{ contains(matrix.target, 'linux') }}
        name: Cosign Linux artifacts
@@ -429,6 +424,11 @@ jobs:
        run: |
          rm -rf dist/shell-tool-mcp*
          rm -rf dist/windows-binaries*
+          # cargo-timing.html appears under multiple target-specific directories.
+          # If included in files: dist/**, release upload races on duplicate
+          # asset names and can fail with 404s.
+          find dist -type f -name 'cargo-timing.html' -delete
+          find dist -type d -empty -delete

          ls -R dist/

--- a/.github/workflows/sdk.yml
+++ b/.github/workflows/sdk.yml
@@ -13,6 +13,13 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@v6

+      - name: Install Linux bwrap build dependencies
+        shell: bash
+        run: |
+          set -euo pipefail
+          sudo apt-get update -y
+          sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev
+
      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
@@ -24,7 +31,7 @@ jobs:
          node-version: 22
          cache: pnpm

-      - uses: dtolnay/rust-toolchain@1.93
+      - uses: dtolnay/rust-toolchain@1.93.0

      - name: build codex
        run: cargo build --bin codex
--- a/.github/workflows/shell-tool-mcp.yml
+++ b/.github/workflows/shell-tool-mcp.yml
@@ -105,7 +105,7 @@ jobs:
            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y libubsan1
          fi

-      - uses: dtolnay/rust-toolchain@1.93
+      - uses: dtolnay/rust-toolchain@1.93.0
        with:
          targets: ${{ matrix.target }}

@@ -251,11 +251,11 @@ jobs:
          set -euo pipefail
          if command -v apt-get >/dev/null 2>&1; then
            apt-get update
-            DEBIAN_FRONTEND=noninteractive apt-get install -y git build-essential bison autoconf gettext
+            DEBIAN_FRONTEND=noninteractive apt-get install -y git build-essential bison autoconf gettext libncursesw5-dev
          elif command -v dnf >/dev/null 2>&1; then
-            dnf install -y git gcc gcc-c++ make bison autoconf gettext
+            dnf install -y git gcc gcc-c++ make bison autoconf gettext ncurses-devel
          elif command -v yum >/dev/null 2>&1; then
-            yum install -y git gcc gcc-c++ make bison autoconf gettext
+            yum install -y git gcc gcc-c++ make bison autoconf gettext ncurses-devel
          else
            echo "Unsupported package manager in container"
            exit 1
@@ -329,6 +329,212 @@ jobs:
          path: artifacts/**
          if-no-files-found: error

+  zsh-linux:
+    name: Build zsh (Linux) - ${{ matrix.variant }} - ${{ matrix.target }}
+    needs: metadata
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 30
+    container:
+      image: ${{ matrix.image }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-musl
+            variant: ubuntu-24.04
+            image: ubuntu:24.04
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-musl
+            variant: ubuntu-22.04
+            image: ubuntu:22.04
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-musl
+            variant: debian-12
+            image: debian:12
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-musl
+            variant: debian-11
+            image: debian:11
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-musl
+            variant: centos-9
+            image: quay.io/centos/centos:stream9
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            variant: ubuntu-24.04
+            image: arm64v8/ubuntu:24.04
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            variant: ubuntu-22.04
+            image: arm64v8/ubuntu:22.04
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            variant: ubuntu-20.04
+            image: arm64v8/ubuntu:20.04
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            variant: debian-12
+            image: arm64v8/debian:12
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            variant: debian-11
+            image: arm64v8/debian:11
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            variant: centos-9
+            image: quay.io/centos/centos:stream9
+    steps:
+      - name: Install build prerequisites
+        shell: bash
+        run: |
+          set -euo pipefail
+          if command -v apt-get >/dev/null 2>&1; then
+            apt-get update
+            DEBIAN_FRONTEND=noninteractive apt-get install -y git build-essential bison autoconf gettext libncursesw5-dev
+          elif command -v dnf >/dev/null 2>&1; then
+            dnf install -y git gcc gcc-c++ make bison autoconf gettext ncurses-devel
+          elif command -v yum >/dev/null 2>&1; then
+            yum install -y git gcc gcc-c++ make bison autoconf gettext ncurses-devel
+          else
+            echo "Unsupported package manager in container"
+            exit 1
+          fi
+
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Build patched zsh
+        shell: bash
+        run: |
+          set -euo pipefail
+          git clone --depth 1 https://git.code.sf.net/p/zsh/code /tmp/zsh
+          cd /tmp/zsh
+          git fetch --depth 1 origin 77045ef899e53b9598bebc5a41db93a548a40ca6
+          git checkout 77045ef899e53b9598bebc5a41db93a548a40ca6
+          git apply "${GITHUB_WORKSPACE}/shell-tool-mcp/patches/zsh-exec-wrapper.patch"
+          ./Util/preconfig
+          ./configure
+          cores="$(command -v nproc >/dev/null 2>&1 && nproc || getconf _NPROCESSORS_ONLN)"
+          make -j"${cores}"
+
+          dest="${GITHUB_WORKSPACE}/artifacts/vendor/${{ matrix.target }}/zsh/${{ matrix.variant }}"
+          mkdir -p "$dest"
+          cp Src/zsh "$dest/zsh"
+
+      - name: Smoke test zsh exec wrapper
+        shell: bash
+        run: |
+          set -euo pipefail
+          tmpdir="$(mktemp -d)"
+          cat > "$tmpdir/exec-wrapper" <<'EOF'
+          #!/usr/bin/env bash
+          set -euo pipefail
+          : "${CODEX_WRAPPER_LOG:?missing CODEX_WRAPPER_LOG}"
+          printf '%s\n' "$@" > "$CODEX_WRAPPER_LOG"
+          file="$1"
+          shift
+          if [[ "$#" -eq 0 ]]; then
+            exec "$file"
+          fi
+          arg0="$1"
+          shift
+          exec -a "$arg0" "$file" "$@"
+          EOF
+          chmod +x "$tmpdir/exec-wrapper"
+
+          CODEX_WRAPPER_LOG="$tmpdir/wrapper.log" \
+          EXEC_WRAPPER="$tmpdir/exec-wrapper" \
+          /tmp/zsh/Src/zsh -fc '/bin/echo smoke-zsh' > "$tmpdir/stdout.txt"
+
+          grep -Fx "smoke-zsh" "$tmpdir/stdout.txt"
+          grep -Fx "/bin/echo" "$tmpdir/wrapper.log"
+
+      - uses: actions/upload-artifact@v6
+        with:
+          name: shell-tool-mcp-zsh-${{ matrix.target }}-${{ matrix.variant }}
+          path: artifacts/**
+          if-no-files-found: error
+
+  zsh-darwin:
+    name: Build zsh (macOS) - ${{ matrix.variant }} - ${{ matrix.target }}
+    needs: metadata
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: macos-15-xlarge
+            target: aarch64-apple-darwin
+            variant: macos-15
+          - runner: macos-14
+            target: aarch64-apple-darwin
+            variant: macos-14
+    steps:
+      - name: Install build prerequisites
+        shell: bash
+        run: |
+          set -euo pipefail
+          if ! command -v autoconf >/dev/null 2>&1; then
+            brew install autoconf
+          fi
+
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Build patched zsh
+        shell: bash
+        run: |
+          set -euo pipefail
+          git clone --depth 1 https://git.code.sf.net/p/zsh/code /tmp/zsh
+          cd /tmp/zsh
+          git fetch --depth 1 origin 77045ef899e53b9598bebc5a41db93a548a40ca6
+          git checkout 77045ef899e53b9598bebc5a41db93a548a40ca6
+          git apply "${GITHUB_WORKSPACE}/shell-tool-mcp/patches/zsh-exec-wrapper.patch"
+          ./Util/preconfig
+          ./configure
+          cores="$(getconf _NPROCESSORS_ONLN)"
+          make -j"${cores}"
+
+          dest="${GITHUB_WORKSPACE}/artifacts/vendor/${{ matrix.target }}/zsh/${{ matrix.variant }}"
+          mkdir -p "$dest"
+          cp Src/zsh "$dest/zsh"
+
+      - name: Smoke test zsh exec wrapper
+        shell: bash
+        run: |
+          set -euo pipefail
+          tmpdir="$(mktemp -d)"
+          cat > "$tmpdir/exec-wrapper" <<'EOF'
+          #!/usr/bin/env bash
+          set -euo pipefail
+          : "${CODEX_WRAPPER_LOG:?missing CODEX_WRAPPER_LOG}"
+          printf '%s\n' "$@" > "$CODEX_WRAPPER_LOG"
+          file="$1"
+          shift
+          if [[ "$#" -eq 0 ]]; then
+            exec "$file"
+          fi
+          arg0="$1"
+          shift
+          exec -a "$arg0" "$file" "$@"
+          EOF
+          chmod +x "$tmpdir/exec-wrapper"
+
+          CODEX_WRAPPER_LOG="$tmpdir/wrapper.log" \
+          EXEC_WRAPPER="$tmpdir/exec-wrapper" \
+          /tmp/zsh/Src/zsh -fc '/bin/echo smoke-zsh' > "$tmpdir/stdout.txt"
+
+          grep -Fx "smoke-zsh" "$tmpdir/stdout.txt"
+          grep -Fx "/bin/echo" "$tmpdir/wrapper.log"
+
+      - uses: actions/upload-artifact@v6
+        with:
+          name: shell-tool-mcp-zsh-${{ matrix.target }}-${{ matrix.variant }}
+          path: artifacts/**
+          if-no-files-found: error
+
  package:
    name: Package npm module
    needs:
@@ -336,6 +542,8 @@ jobs:
      - rust-binaries
      - bash-linux
      - bash-darwin
+      - zsh-linux
+      - zsh-darwin
    runs-on: ubuntu-latest
    env:
      PACKAGE_VERSION: ${{ needs.metadata.outputs.version }}
@@ -409,7 +617,8 @@ jobs:
          chmod +x \
            "$staging"/vendor/*/codex-exec-mcp-server \
            "$staging"/vendor/*/codex-execve-wrapper \
-            "$staging"/vendor/*/bash/*/bash
+            "$staging"/vendor/*/bash/*/bash \
+            "$staging"/vendor/*/zsh/*/zsh

      - name: Create npm tarball
        shell: bash
--- a/.github/workflows/zstd
+++ b/.github/workflows/zstd
@@ -0,0 +1,46 @@
+#!/usr/bin/env dotslash
+
+// This DotSlash file wraps zstd for Windows runners.
+// The upstream release provides win32/win64 binaries; for windows-aarch64 we
+// use the win64 artifact via Windows x64 emulation.
+{
+  "name": "zstd",
+  "platforms": {
+    "windows-x86_64": {
+      "size": 1747181,
+      "hash": "sha256",
+      "digest": "acb4e8111511749dc7a3ebedca9b04190e37a17afeb73f55d4425dbf0b90fad9",
+      "format": "zip",
+      "path": "zstd-v1.5.7-win64/zstd.exe",
+      "providers": [
+        {
+          "url": "https://github.com/facebook/zstd/releases/download/v1.5.7/zstd-v1.5.7-win64.zip"
+        },
+        {
+          "type": "github-release",
+          "repo": "facebook/zstd",
+          "tag": "v1.5.7",
+          "name": "zstd-v1.5.7-win64.zip"
+        }
+      ]
+    },
+    "windows-aarch64": {
+      "size": 1747181,
+      "hash": "sha256",
+      "digest": "acb4e8111511749dc7a3ebedca9b04190e37a17afeb73f55d4425dbf0b90fad9",
+      "format": "zip",
+      "path": "zstd-v1.5.7-win64/zstd.exe",
+      "providers": [
+        {
+          "url": "https://github.com/facebook/zstd/releases/download/v1.5.7/zstd-v1.5.7-win64.zip"
+        },
+        {
+          "type": "github-release",
+          "repo": "facebook/zstd",
+          "tag": "v1.5.7",
+          "name": "zstd-v1.5.7-win64.zip"
+        }
+      ]
+    }
+  }
+}
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -15,6 +15,10 @@ In the codex-rs folder where the rust code lives:
 - When writing tests, prefer comparing the equality of entire objects over fields one by one.
 - When making a change that adds or changes an API, ensure that the documentation in the `docs/` folder is up to date if applicable.
 - If you change `ConfigToml` or nested config types, run `just write-config-schema` to update `codex-rs/core/config.schema.json`.
+- If you change Rust dependencies (`Cargo.toml` or `Cargo.lock`), run `just bazel-lock-update` from the
+  repo root to refresh `MODULE.bazel.lock`, and include that lockfile update in the same change.
+- After dependency changes, run `just bazel-lock-check` from the repo root so lockfile drift is caught
+  locally before CI.
 - Do not create small helper methods that are referenced only once.

 Run `just fmt` (in `codex-rs` directory) automatically after you have finished making Rust code changes; do not ask for approval to run it. Additionally, run the tests:
@@ -60,7 +64,14 @@ See `codex-rs/tui/styles.md`.

 ### Snapshot tests

-This repo uses snapshot tests (via `insta`), especially in `codex-rs/tui`, to validate rendered output. When UI or text output changes intentionally, update the snapshots as follows:
+This repo uses snapshot tests (via `insta`), especially in `codex-rs/tui`, to validate rendered output.
+
+**Requirement:** any change that affects user-visible UI (including adding new UI) must include
+corresponding `insta` snapshot coverage (add a new snapshot test if one doesn't exist yet, or
+update the existing snapshot). Review and accept snapshot updates as part of the PR so UI impact
+is easy to review and future diffs stay visual.
+
+When UI or text output changes intentionally, update the snapshots as follows:

 - Run tests to generate any updated snapshots:
  - `cargo test -p codex-tui`
@@ -158,3 +169,5 @@ These guidelines apply to app-server protocol work in `codex-rs`, especially:
  `just write-app-server-schema`
  (and `just write-app-server-schema --experimental` when experimental API fixtures are affected).
 - Validate with `cargo test -p codex-app-server-protocol`.
+- Avoid boilerplate tests that only assert experimental field markers for individual
+  request fields in `common.rs`; rely on schema generation/tests and behavioral coverage instead.
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -96,6 +96,7 @@ crate.annotation(
 inject_repo(crate, "zstd")

 bazel_dep(name = "bzip2", version = "1.0.8.bcr.3")
+bazel_dep(name = "libcap", version = "2.27.bcr.1")

 crate.annotation(
    crate = "bzip2-sys",
--- a/MODULE.bazel.lock
+++ b/MODULE.bazel.lock
--- a/README.md
+++ b/README.md
@@ -5,6 +5,7 @@
 </p>
 </br>
 If you want Codex in your code editor (VS Code, Cursor, Windsurf), <a href="https://developers.openai.com/codex/ide">install in your IDE.</a>
+</br>If you want the desktop app experience, run <code>codex app</code> or visit <a href="https://chatgpt.com/codex?app-landing-page=true">the Codex App page</a>.
 </br>If you are looking for the <em>cloud-based agent</em> from OpenAI, <strong>Codex Web</strong>, go to <a href="https://chatgpt.com/codex">chatgpt.com/codex</a>.</p>

 ---
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -430,9 +430,9 @@ dependencies = [

 [[package]]
 name = "arc-swap"
-version = "1.8.1"
+version = "1.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9ded5f9a03ac8f24d1b8a25101ee812cd32cdc8c50a4c50237de2c4915850e73"
+checksum = "51d03449bb8ca2cc2ef70869af31463d1ae5ccc8fa3e334b307203fbf815207e"
 dependencies = [
 "rustversion",
 ]
@@ -1227,9 +1227,9 @@ dependencies = [

 [[package]]
 name = "clap"
-version = "4.5.57"
+version = "4.5.56"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6899ea499e3fb9305a65d5ebf6e3d2248c5fab291f300ad0a704fbe142eae31a"
+checksum = "a75ca66430e33a14957acc24c5077b503e7d374151b2b4b3a10c83b4ceb4be0e"
 dependencies = [
 "clap_builder",
 "clap_derive",
@@ -1237,9 +1237,9 @@ dependencies = [

 [[package]]
 name = "clap_builder"
-version = "4.5.57"
+version = "4.5.56"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7b12c8b680195a62a8364d16b8447b01b6c2c8f9aaf68bee653be34d4245e238"
+checksum = "793207c7fa6300a0608d1080b858e5fdbe713cdc1c8db9fb17777d8a13e63df0"
 dependencies = [
 "anstream",
 "anstyle",
@@ -1379,7 +1379,7 @@ dependencies = [
 "time",
 "tokio",
 "tokio-tungstenite",
- "toml 0.9.12+spec-1.1.0",
+ "toml 0.9.11+spec-1.1.0",
 "tracing",
 "tracing-subscriber",
 "uuid",
@@ -1401,6 +1401,7 @@ dependencies = [
 "schemars 0.8.22",
 "serde",
 "serde_json",
+ "shlex",
 "similar",
 "strum_macros 0.27.2",
 "tempfile",
@@ -1419,6 +1420,8 @@ dependencies = [
 "codex-protocol",
 "serde",
 "serde_json",
+ "tungstenite",
+ "url",
 "uuid",
 ]

@@ -1539,7 +1542,7 @@ dependencies = [
 "supports-color 3.0.2",
 "tempfile",
 "tokio",
- "toml 0.9.12+spec-1.1.0",
+ "toml 0.9.11+spec-1.1.0",
 "tracing",
 ]

@@ -1585,7 +1588,7 @@ dependencies = [
 "tempfile",
 "thiserror 2.0.18",
 "tokio",
- "toml 0.9.12+spec-1.1.0",
+ "toml 0.9.11+spec-1.1.0",
 "tracing",
 ]

@@ -1650,7 +1653,7 @@ dependencies = [
 "sha2",
 "thiserror 2.0.18",
 "tokio",
- "toml 0.9.12+spec-1.1.0",
+ "toml 0.9.11+spec-1.1.0",
 ]

 [[package]]
@@ -1692,6 +1695,7 @@ dependencies = [
 "codex-utils-home-dir",
 "codex-utils-pty",
 "codex-utils-readiness",
+ "codex-utils-sanitizer",
 "codex-utils-string",
 "codex-windows-sandbox",
 "core-foundation 0.9.4",
@@ -1708,6 +1712,7 @@ dependencies = [
 "include_dir",
 "indexmap 2.13.0",
 "indoc",
+ "insta",
 "keyring",
 "landlock",
 "libc",
@@ -1720,7 +1725,6 @@ dependencies = [
 "predicates",
 "pretty_assertions",
 "rand 0.9.2",
- "regex",
 "regex-lite",
 "reqwest",
 "rmcp",
@@ -1743,8 +1747,8 @@ dependencies = [
 "tokio",
 "tokio-tungstenite",
 "tokio-util",
- "toml 0.9.12+spec-1.1.0",
- "toml_edit 0.24.1+spec-1.1.0",
+ "toml 0.9.11+spec-1.1.0",
+ "toml_edit 0.24.0+spec-1.1.0",
 "tracing",
 "tracing-subscriber",
 "tracing-test",
@@ -2034,6 +2038,7 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "async-trait",
+ "base64 0.22.1",
 "clap",
 "codex-utils-absolute-path",
 "codex-utils-rustls-provider",
@@ -2293,6 +2298,7 @@ dependencies = [
 "codex-utils-oss",
 "codex-utils-pty",
 "codex-utils-sandbox-summary",
+ "codex-utils-sleep-inhibitor",
 "codex-windows-sandbox",
 "color-eyre",
 "crossterm",
@@ -2327,7 +2333,7 @@ dependencies = [
 "tokio",
 "tokio-stream",
 "tokio-util",
- "toml 0.9.12+spec-1.1.0",
+ "toml 0.9.11+spec-1.1.0",
 "tracing",
 "tracing-appender",
 "tracing-subscriber",
@@ -2392,7 +2398,7 @@ dependencies = [
 "codex-protocol",
 "pretty_assertions",
 "serde",
- "toml 0.9.12+spec-1.1.0",
+ "toml 0.9.11+spec-1.1.0",
 ]

 [[package]]
@@ -2430,7 +2436,7 @@ version = "0.0.0"
 dependencies = [
 "pretty_assertions",
 "serde_json",
- "toml 0.9.12+spec-1.1.0",
+ "toml 0.9.11+spec-1.1.0",
 ]

 [[package]]
@@ -2485,6 +2491,22 @@ dependencies = [
 "pretty_assertions",
 ]

+[[package]]
+name = "codex-utils-sanitizer"
+version = "0.0.0"
+dependencies = [
+ "regex",
+]
+
+[[package]]
+name = "codex-utils-sleep-inhibitor"
+version = "0.0.0"
+dependencies = [
+ "core-foundation 0.9.4",
+ "libc",
+ "tracing",
+]
+
 [[package]]
 name = "codex-utils-string"
 version = "0.0.0"
@@ -3386,9 +3408,9 @@ dependencies = [

 [[package]]
 name = "ena"
-version = "0.14.4"
+version = "0.14.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eabffdaee24bd1bf95c5ef7cec31260444317e72ea56c4c91750e8b7ee58d5f1"
+checksum = "3d248bdd43ce613d87415282f69b9bb99d947d290b10962dd6c56233312c2ad5"
 dependencies = [
 "log",
 ]
@@ -3708,9 +3730,9 @@ checksum = "1d674e81391d1e1ab681a28d99df07927c6d4aa5b027d7da16ba32d1d21ecd99"

 [[package]]
 name = "flate2"
-version = "1.1.9"
+version = "1.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "843fba2746e448b37e26a819579957415c8cef339bf08564fe8b7ddbd959573c"
+checksum = "b375d6465b98090a5f25b1c7703f3859783755aa9a80433b36e0379a3ec2f369"
 dependencies = [
 "crc32fast",
 "libz-sys",
@@ -4043,19 +4065,6 @@ dependencies = [
 "wasm-bindgen",
 ]

-[[package]]
-name = "getrandom"
-version = "0.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "139ef39800118c7683f2fd3c98c1b23c09ae076556b435f8e9064ae108aaeeec"
-dependencies = [
- "cfg-if",
- "libc",
- "r-efi",
- "wasip2",
- "wasip3",
-]
-
 [[package]]
 name = "gif"
 version = "0.14.1"
@@ -4082,7 +4091,7 @@ dependencies = [
 "bstr",
 "log",
 "regex-automata",
- "regex-syntax 0.8.9",
+ "regex-syntax 0.8.8",
 ]

 [[package]]
@@ -4388,7 +4397,7 @@ dependencies = [
 "tokio",
 "tokio-rustls",
 "tower-service",
- "webpki-roots 1.0.6",
+ "webpki-roots 1.0.5",
 ]

 [[package]]
@@ -4422,13 +4431,14 @@ dependencies = [

 [[package]]
 name = "hyper-util"
-version = "0.1.20"
+version = "0.1.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "96547c2556ec9d12fb1578c4eaf448b04993e7fb79cbaad930a656880a6bdfa0"
+checksum = "727805d60e7938b76b826a6ef209eb70eaa1812794f9424d4a4e2d740662df5f"
 dependencies = [
 "base64 0.22.1",
 "bytes",
 "futures-channel",
+ "futures-core",
 "futures-util",
 "http 1.4.0",
 "http-body",
@@ -4661,12 +4671,6 @@ dependencies = [
 "zerovec",
 ]

-[[package]]
-name = "id-arena"
-version = "2.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954"
-
 [[package]]
 name = "ident_case"
 version = "1.0.1"
@@ -4977,9 +4981,9 @@ checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2"

 [[package]]
 name = "jiff"
-version = "0.2.19"
+version = "0.2.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d89a5b5e10d5a9ad6e5d1f4bd58225f655d6fe9767575a5e8ac5a6fe64e04495"
+checksum = "e67e8da4c49d6d9909fe03361f9b620f58898859f5c7aded68351e85e71ecf50"
 dependencies = [
 "jiff-static",
 "log",
@@ -4990,9 +4994,9 @@ dependencies = [

 [[package]]
 name = "jiff-static"
-version = "0.2.19"
+version = "0.2.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ff7a39c8862fc1369215ccf0a8f12dd4598c7f6484704359f0351bd617034dbf"
+checksum = "e0c84ee7f197eca9a86c6fd6cb771e55eb991632f15f2bc3ca6ec838929e6e78"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -5136,17 +5140,11 @@ dependencies = [
 "spin",
 ]

-[[package]]
-name = "leb128fmt"
-version = "0.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"
-
 [[package]]
 name = "libc"
-version = "0.2.181"
+version = "0.2.180"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "459427e2af2b9c839b132acb702a1c654d95e10f8c326bfc2ad11310e458b1c5"
+checksum = "bcc35a38544a891a5f7c865aca548a982ccb3b8650a5b06d0fd33a10283c56fc"

 [[package]]
 name = "libdbus-sys"
@@ -5406,9 +5404,9 @@ checksum = "ae960838283323069879657ca3de837e9f7bbb4c7bf6ea7f1b290d5e9476d2e0"

 [[package]]
 name = "memchr"
-version = "2.8.0"
+version = "2.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
+checksum = "f52b00d39961fc5b2736ea853c9cc86238e165017a493d1d5c8eac6bdc4cc273"

 [[package]]
 name = "memoffset"
@@ -6566,16 +6564,6 @@ dependencies = [
 "yansi",
 ]

-[[package]]
-name = "prettyplease"
-version = "0.2.37"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b"
-dependencies = [
- "proc-macro2",
- "syn 2.0.114",
-]
-
 [[package]]
 name = "proc-macro-crate"
 version = "3.4.0"
@@ -6632,16 +6620,16 @@ dependencies = [

 [[package]]
 name = "proptest"
-version = "1.10.0"
+version = "1.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "37566cb3fdacef14c0737f9546df7cfeadbfbc9fef10991038bf5015d0c80532"
+checksum = "bee689443a2bd0a16ab0348b52ee43e3b2d1b1f931c8aa5c9f8de4c86fbe8c40"
 dependencies = [
 "bitflags 2.10.0",
 "num-traits",
 "rand 0.9.2",
 "rand_chacha 0.9.0",
 "rand_xorshift",
- "regex-syntax 0.8.9",
+ "regex-syntax 0.8.8",
 "unarray",
 ]

@@ -6670,9 +6658,9 @@ dependencies = [

 [[package]]
 name = "psl"
-version = "2.1.188"
+version = "2.1.184"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b033d75bca9da25cfdcd9528de22ed7870d1695b9e1c3ce55b7127a4a2b16fac"
+checksum = "81dc6a90669f481b41cae3005c68efa36bef275b95aa9123a7af7f1c68c6e5b2"
 dependencies = [
 "psl-types",
 ]
@@ -7080,7 +7068,7 @@ dependencies = [
 "rustls-pki-types",
 "tokio",
 "tokio-rustls",
- "webpki-roots 1.0.6",
+ "webpki-roots 1.0.5",
 "x509-parser",
 ]

@@ -7326,25 +7314,25 @@ dependencies = [
 "aho-corasick",
 "memchr",
 "regex-automata",
- "regex-syntax 0.8.9",
+ "regex-syntax 0.8.8",
 ]

 [[package]]
 name = "regex-automata"
-version = "0.4.14"
+version = "0.4.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6e1dd4122fc1595e8162618945476892eefca7b88c52820e74af6262213cae8f"
+checksum = "5276caf25ac86c8d810222b3dbb938e512c55c6831a10f3e6ed1c93b84041f1c"
 dependencies = [
 "aho-corasick",
 "memchr",
- "regex-syntax 0.8.9",
+ "regex-syntax 0.8.8",
 ]

 [[package]]
 name = "regex-lite"
-version = "0.1.9"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cab834c73d247e67f4fae452806d17d3c7501756d98c8808d7c9c7aa7d18f973"
+checksum = "8d942b98df5e658f56f20d592c7f868833fe38115e65c33003d8cd224b0155da"

 [[package]]
 name = "regex-syntax"
@@ -7354,9 +7342,9 @@ checksum = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1"

 [[package]]
 name = "regex-syntax"
-version = "0.8.9"
+version = "0.8.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a96887878f22d7bad8a3b6dc5b7440e0ada9a245242924394987b21cf2210a4c"
+checksum = "7a2d987857b319362043e95f5353c0535c1f58eec5336fdfcf626430af7def58"

 [[package]]
 name = "reqwest"
@@ -7404,7 +7392,7 @@ dependencies = [
 "wasm-bindgen-futures",
 "wasm-streams",
 "web-sys",
- "webpki-roots 1.0.6",
+ "webpki-roots 1.0.5",
 ]

 [[package]]
@@ -7429,9 +7417,9 @@ dependencies = [

 [[package]]
 name = "rmcp"
-version = "0.14.0"
+version = "0.15.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0a621b37a548ff6ab6292d57841eb25785a7f146d89391a19c9f199414bd13da"
+checksum = "1bef41ebc9ebed2c1b1d90203e9d1756091e8a00bbc3107676151f39868ca0ee"
 dependencies = [
 "async-trait",
 "axum",
@@ -7465,9 +7453,9 @@ dependencies = [

 [[package]]
 name = "rmcp-macros"
-version = "0.14.0"
+version = "0.15.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6b79ed92303f9262db79575aa8c3652581668e9d136be6fd0b9ededa78954c95"
+checksum = "0e88ad84b8b6237a934534a62b379a5be6388915663c0cc598ceb9b3292bbbfe"
 dependencies = [
 "darling 0.23.0",
 "proc-macro2",
@@ -7687,9 +7675,9 @@ dependencies = [

 [[package]]
 name = "ryu"
-version = "1.0.23"
+version = "1.0.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9774ba4a74de5f7b1c1451ed6cd5285a32eddb5cccb8cc655a4e50009e06477f"
+checksum = "a50f4cf475b65d88e057964e0e9bb1f0aa9bbb2036dc65c64596b42932536984"

 [[package]]
 name = "salsa20"
@@ -7956,11 +7944,10 @@ checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"

 [[package]]
 name = "sentry"
-version = "0.46.2"
+version = "0.46.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d92d893ba7469d361a6958522fa440e4e2bc8bf4c5803cd1bf40b9af63f8f9a8"
+checksum = "2f925d575b468e88b079faf590a8dd0c9c99e2ec29e9bab663ceb8b45056312f"
 dependencies = [
- "cfg_aliases 0.2.1",
 "httpdate",
 "native-tls",
 "reqwest",
@@ -7977,9 +7964,9 @@ dependencies = [

 [[package]]
 name = "sentry-actix"
-version = "0.46.2"
+version = "0.46.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "56cb150fd6b55b3023714a3aaa1e3bdadfd44f164efc54fad69efc69aac36887"
+checksum = "18bac0f6b8621fa0f85e298901e51161205788322e1a995e3764329020368058"
 dependencies = [
 "actix-http",
 "actix-web",
@@ -7990,9 +7977,9 @@ dependencies = [

 [[package]]
 name = "sentry-backtrace"
-version = "0.46.2"
+version = "0.46.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5f8784d0a27b5cd4b5f75769ffc84f0b7580e3c35e1af9cd83cb90b612d769cc"
+checksum = "6cb1ef7534f583af20452b1b1bf610a60ed9c8dd2d8485e7bd064efc556a78fb"
 dependencies = [
 "backtrace",
 "regex",
@@ -8001,9 +7988,9 @@ dependencies = [

 [[package]]
 name = "sentry-contexts"
-version = "0.46.2"
+version = "0.46.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0e5eb42f4cd4f9fdfec9e3b07b25a4c9769df83d218a7e846658984d5948ad3e"
+checksum = "ebd6be899d9938390b6d1ec71e2f53bd9e57b6a9d8b1d5b049e5c364e7da9078"
 dependencies = [
 "hostname",
 "libc",
@@ -8015,9 +8002,9 @@ dependencies = [

 [[package]]
 name = "sentry-core"
-version = "0.46.2"
+version = "0.46.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b0b1e7ca40f965db239da279bf278d87b7407469b98835f27f0c8e59ed189b06"
+checksum = "26ab054c34b87f96c3e4701bea1888317cde30cc7e4a6136d2c48454ab96661c"
 dependencies = [
 "rand 0.9.2",
 "sentry-types",
@@ -8028,9 +8015,9 @@ dependencies = [

 [[package]]
 name = "sentry-debug-images"
-version = "0.46.2"
+version = "0.46.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "002561e49ea3a9de316e2efadc40fae553921b8ff41448f02ea85fd135a778d6"
+checksum = "5637ec550dc6f8c49a711537950722d3fc4baa6fd433c371912104eaff31e2a5"
 dependencies = [
 "findshlibs",
 "sentry-core",
@@ -8038,9 +8025,9 @@ dependencies = [

 [[package]]
 name = "sentry-panic"
-version = "0.46.2"
+version = "0.46.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8906f8be87aea5ac7ef937323fb655d66607427f61007b99b7cb3504dc5a156c"
+checksum = "3f02c7162f7b69b8de872b439d4696dc1d65f80b13ddd3c3831723def4756b63"
 dependencies = [
 "sentry-backtrace",
 "sentry-core",
@@ -8048,9 +8035,9 @@ dependencies = [

 [[package]]
 name = "sentry-tracing"
-version = "0.46.2"
+version = "0.46.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5b07eefe04486316c57aba08ab53dd44753c25102d1d3fe05775cc93a13262d9"
+checksum = "e1dd47df349a80025819f3d25c3d2f751df705d49c65a4cdc0f130f700972a48"
 dependencies = [
 "bitflags 2.10.0",
 "sentry-backtrace",
@@ -8061,9 +8048,9 @@ dependencies = [

 [[package]]
 name = "sentry-types"
-version = "0.46.2"
+version = "0.46.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "567711f01f86a842057e1fc17779eba33a336004227e1a1e7e6cc2599e22e259"
+checksum = "eecbd63e9d15a26a40675ed180d376fcb434635d2e33de1c24003f61e3e2230d"
 dependencies = [
 "debugid",
 "hex",
@@ -8947,9 +8934,9 @@ dependencies = [

 [[package]]
 name = "system-configuration"
-version = "0.7.0"
+version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a13f3d0daba03132c0aa9767f98351b3488edc2c100cda2d2ec2b04f3d8d3c8b"
+checksum = "3c879d448e9d986b661742763247d3693ed13609438cf3d006f51f5368a5ba6b"
 dependencies = [
 "bitflags 2.10.0",
 "core-foundation 0.9.4",
@@ -8974,12 +8961,12 @@ checksum = "7b2093cf4c8eb1e67749a6762251bc9cd836b6fc171623bd0a9d324d37af2417"

 [[package]]
 name = "tempfile"
-version = "3.25.0"
+version = "3.24.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0136791f7c95b1f6dd99f9cc786b91bb81c3800b639b3478e561ddb7be95e5f1"
+checksum = "655da9c7eb6305c55742045d5a8d2037996d61d8de95806335c7c86ce0f82e9c"
 dependencies = [
 "fastrand",
- "getrandom 0.4.1",
+ "getrandom 0.3.4",
 "once_cell",
 "rustix 1.1.3",
 "windows-sys 0.61.2",
@@ -9364,9 +9351,9 @@ dependencies = [

 [[package]]
 name = "toml"
-version = "0.9.12+spec-1.1.0"
+version = "0.9.11+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cf92845e79fc2e2def6a5d828f0801e29a2f8acc037becc5ab08595c7d5e9863"
+checksum = "f3afc9a848309fe1aaffaed6e1546a7a14de1f935dc9d89d32afd9a44bab7c46"
 dependencies = [
 "indexmap 2.13.0",
 "serde_core",
@@ -9400,9 +9387,9 @@ dependencies = [

 [[package]]
 name = "toml_edit"
-version = "0.24.1+spec-1.1.0"
+version = "0.24.0+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "01f2eadbbc6b377a847be05f60791ef1058d9f696ecb51d2c07fe911d8569d8e"
+checksum = "8c740b185920170a6d9191122cafef7010bd6270a3824594bff6784c04d7f09e"
 dependencies = [
 "indexmap 2.13.0",
 "toml_datetime",
@@ -9413,9 +9400,9 @@ dependencies = [

 [[package]]
 name = "toml_parser"
-version = "1.0.7+spec-1.1.0"
+version = "1.0.6+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "247eaa3197818b831697600aadf81514e577e0cba5eab10f7e064e78ae154df1"
+checksum = "a3198b4b0a8e11f09dd03e133c0280504d0801269e9afa46362ffde1cbeebf44"
 dependencies = [
 "winnow",
 ]
@@ -9616,9 +9603,9 @@ dependencies = [

 [[package]]
 name = "tracing-test"
-version = "0.2.6"
+version = "0.2.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "19a4c448db514d4f24c5ddb9f73f2ee71bfb24c526cf0c570ba142d1119e0051"
+checksum = "557b891436fe0d5e0e363427fc7f217abf9ccd510d5136549847bdcbcd011d68"
 dependencies = [
 "tracing-core",
 "tracing-subscriber",
@@ -9627,9 +9614,9 @@ dependencies = [

 [[package]]
 name = "tracing-test-macro"
-version = "0.2.6"
+version = "0.2.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ad06847b7afb65c7866a36664b75c40b895e318cea4f71299f013fb22965329d"
+checksum = "04659ddb06c87d233c566112c1c9c5b9e98256d9af50ec3bc9c8327f873a7568"
 dependencies = [
 "quote",
 "syn 2.0.114",
@@ -9643,7 +9630,7 @@ checksum = "78f873475d258561b06f1c595d93308a7ed124d9977cb26b148c2084a4a3cc87"
 dependencies = [
 "cc",
 "regex",
- "regex-syntax 0.8.9",
+ "regex-syntax 0.8.8",
 "serde_json",
 "streaming-iterator",
 "tree-sitter-language",
@@ -9812,9 +9799,9 @@ checksum = "5c1cb5db39152898a79168971543b1cb5020dff7fe43c8dc468b0885f5e29df5"

 [[package]]
 name = "unicode-ident"
-version = "1.0.23"
+version = "1.0.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "537dd038a89878be9b64dd4bd1b260315c1bb94f4d784956b81e27a088d9a09e"
+checksum = "9312f7c4f6ff9069b165498234ce8be658059c6728633667c526e27dc2cf1df5"

 [[package]]
 name = "unicode-linebreak"
@@ -9902,9 +9889,9 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"

 [[package]]
 name = "ureq"
-version = "3.2.0"
+version = "3.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fdc97a28575b85cfedf2a7e7d3cc64b3e11bd8ac766666318003abbacc7a21fc"
+checksum = "d39cb1dbab692d82a977c0392ffac19e188bd9186a9f32806f0aaa859d75585a"
 dependencies = [
 "base64 0.22.1",
 "der",
@@ -10061,15 +10048,6 @@ dependencies = [
 "wit-bindgen",
 ]

-[[package]]
-name = "wasip3"
-version = "0.4.0+wasi-0.3.0-rc-2026-01-06"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5428f8bf88ea5ddc08faddef2ac4a67e390b88186c703ce6dbd955e1c145aca5"
-dependencies = [
- "wit-bindgen",
-]
-
 [[package]]
 name = "wasite"
 version = "0.1.0"
@@ -10135,28 +10113,6 @@ dependencies = [
 "unicode-ident",
 ]

-[[package]]
-name = "wasm-encoder"
-version = "0.244.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "990065f2fe63003fe337b932cfb5e3b80e0b4d0f5ff650e6985b1048f62c8319"
-dependencies = [
- "leb128fmt",
- "wasmparser",
-]
-
-[[package]]
-name = "wasm-metadata"
-version = "0.244.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bb0e353e6a2fbdc176932bbaab493762eb1255a7900fe0fea1a2f96c296cc909"
-dependencies = [
- "anyhow",
- "indexmap 2.13.0",
- "wasm-encoder",
- "wasmparser",
-]
-
 [[package]]
 name = "wasm-streams"
 version = "0.4.2"
@@ -10170,18 +10126,6 @@ dependencies = [
 "web-sys",
 ]

-[[package]]
-name = "wasmparser"
-version = "0.244.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe"
-dependencies = [
- "bitflags 2.10.0",
- "hashbrown 0.15.5",
- "indexmap 2.13.0",
- "semver",
-]
-
 [[package]]
 name = "wayland-backend"
 version = "0.3.12"
@@ -10274,9 +10218,9 @@ dependencies = [

 [[package]]
 name = "webbrowser"
-version = "1.1.0"
+version = "1.0.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3f00bb839c1cf1e3036066614cbdcd035ecf215206691ea646aa3c60a24f68f2"
+checksum = "00f1243ef785213e3a32fa0396093424a3a6ea566f9948497e5a2309261a4c97"
 dependencies = [
 "core-foundation 0.10.1",
 "jni",
@@ -10290,9 +10234,9 @@ dependencies = [

 [[package]]
 name = "webpki-root-certs"
-version = "1.0.6"
+version = "1.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "804f18a4ac2676ffb4e8b5b5fa9ae38af06df08162314f96a68d2a363e21a8ca"
+checksum = "36a29fc0408b113f68cf32637857ab740edfafdf460c326cd2afaa2d84cc05dc"
 dependencies = [
 "rustls-pki-types",
 ]
@@ -10303,14 +10247,14 @@ version = "0.26.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "521bc38abb08001b01866da9f51eb7c5d647a19260e00054a8c7fd5f9e57f7a9"
 dependencies = [
- "webpki-roots 1.0.6",
+ "webpki-roots 1.0.5",
 ]

 [[package]]
 name = "webpki-roots"
-version = "1.0.6"
+version = "1.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22cfaf3c063993ff62e73cb4311efde4db1efb31ab78a3e5c457939ad5cc0bed"
+checksum = "12bed680863276c63889429bfd6cab3b99943659923822de1c8a39c49e4d722c"
 dependencies = [
 "rustls-pki-types",
 ]
@@ -10953,88 +10897,6 @@ name = "wit-bindgen"
 version = "0.51.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5"
-dependencies = [
- "wit-bindgen-rust-macro",
-]
-
-[[package]]
-name = "wit-bindgen-core"
-version = "0.51.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ea61de684c3ea68cb082b7a88508a8b27fcc8b797d738bfc99a82facf1d752dc"
-dependencies = [
- "anyhow",
- "heck",
- "wit-parser",
-]
-
-[[package]]
-name = "wit-bindgen-rust"
-version = "0.51.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b7c566e0f4b284dd6561c786d9cb0142da491f46a9fbed79ea69cdad5db17f21"
-dependencies = [
- "anyhow",
- "heck",
- "indexmap 2.13.0",
- "prettyplease",
- "syn 2.0.114",
- "wasm-metadata",
- "wit-bindgen-core",
- "wit-component",
-]
-
-[[package]]
-name = "wit-bindgen-rust-macro"
-version = "0.51.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c0f9bfd77e6a48eccf51359e3ae77140a7f50b1e2ebfe62422d8afdaffab17a"
-dependencies = [
- "anyhow",
- "prettyplease",
- "proc-macro2",
- "quote",
- "syn 2.0.114",
- "wit-bindgen-core",
- "wit-bindgen-rust",
-]
-
-[[package]]
-name = "wit-component"
-version = "0.244.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2"
-dependencies = [
- "anyhow",
- "bitflags 2.10.0",
- "indexmap 2.13.0",
- "log",
- "serde",
- "serde_derive",
- "serde_json",
- "wasm-encoder",
- "wasm-metadata",
- "wasmparser",
- "wit-parser",
-]
-
-[[package]]
-name = "wit-parser"
-version = "0.244.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ecc8ac4bc1dc3381b7f59c34f00b67e18f910c2c0f50015669dde7def656a736"
-dependencies = [
- "anyhow",
- "id-arena",
- "indexmap 2.13.0",
- "log",
- "semver",
- "serde",
- "serde_derive",
- "serde_json",
- "unicode-xid",
- "wasmparser",
-]

 [[package]]
 name = "wl-clipboard-rs"
@@ -11229,18 +11091,18 @@ dependencies = [

 [[package]]
 name = "zerocopy"
-version = "0.8.39"
+version = "0.8.37"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "db6d35d663eadb6c932438e763b262fe1a70987f9ae936e60158176d710cae4a"
+checksum = "7456cf00f0685ad319c5b1693f291a650eaf345e941d082fc4e03df8a03996ac"
 dependencies = [
 "zerocopy-derive",
 ]

 [[package]]
 name = "zerocopy-derive"
-version = "0.8.39"
+version = "0.8.37"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4122cd3169e94605190e77839c9a40d40ed048d305bfdc146e7df40ab0f3e517"
+checksum = "1328722bbf2115db7e19d69ebcc15e795719e2d66b60827c6a69a117365e37a0"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -11354,9 +11216,9 @@ dependencies = [

 [[package]]
 name = "zmij"
-version = "1.0.20"
+version = "1.0.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4de98dfa5d5b7fef4ee834d0073d560c9ca7b6c46a71d058c48db7960f8cfaf7"
+checksum = "3ff05f8caa9038894637571ae6b9e29466c1f4f829d26c9b28f869a29cbe3445"

 [[package]]
 name = "zopfli"
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -53,6 +53,8 @@ members = [
    "utils/cli",
    "utils/elapsed",
    "utils/sandbox-summary",
+    "utils/sanitizer",
+    "utils/sleep-inhibitor",
    "utils/approval-presets",
    "utils/oss",
    "utils/fuzzy-match",
@@ -129,6 +131,8 @@ codex-utils-pty = { path = "utils/pty" }
 codex-utils-readiness = { path = "utils/readiness" }
 codex-utils-rustls-provider = { path = "utils/rustls-provider" }
 codex-utils-sandbox-summary = { path = "utils/sandbox-summary" }
+codex-utils-sanitizer = { path = "utils/sanitizer" }
+codex-utils-sleep-inhibitor = { path = "utils/sleep-inhibitor" }
 codex-utils-string = { path = "utils/string" }
 codex-windows-sandbox = { path = "windows-sandbox-rs" }
 core_test_support = { path = "core/tests/common" }
@@ -214,7 +218,7 @@ ratatui-macros = "0.6.0"
 regex = "1.12.3"
 regex-lite = "0.1.8"
 reqwest = "0.12"
-rmcp = { version = "0.14.0", default-features = false }
+rmcp = { version = "0.15.0", default-features = false }
 runfiles = { git = "https://github.com/dzbarsky/rules_rust", rev = "b56cbaa8465e74127f1ea216f813cd377295ad81" }
 rustls = { version = "0.23", default-features = false, features = [
    "ring",
--- a/codex-rs/app-server-protocol/Cargo.toml
+++ b/codex-rs/app-server-protocol/Cargo.toml
@@ -20,6 +20,7 @@ codex-utils-absolute-path = { workspace = true }
 schemars = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
+shlex = { workspace = true }
 strum_macros = { workspace = true }
 thiserror = { workspace = true }
 ts-rs = { workspace = true }
--- a/codex-rs/app-server-protocol/schema/json/ClientRequest.json
+++ b/codex-rs/app-server-protocol/schema/json/ClientRequest.json
@@ -88,7 +88,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
@@ -1128,6 +1128,13 @@
            "null"
          ]
        },
+        "includeHidden": {
+          "description": "When true, include models that are hidden from the default picker list.",
+          "type": [
+            "boolean",
+            "null"
+          ]
+        },
        "limit": {
          "description": "Optional page size; defaults to a reasonable server-side value.",
          "format": "uint32",
@@ -1243,6 +1250,104 @@
      ],
      "type": "string"
    },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
+    "ReadOnlyAccess2": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccess2Type",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess2",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccess2Type",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess2",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -1922,6 +2027,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "readOnly"
@@ -1974,6 +2089,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -2018,8 +2143,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess2"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -2078,6 +2211,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess2"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
@@ -2431,6 +2572,13 @@
            "null"
          ]
        },
+        "cwd": {
+          "description": "Optional cwd filter; when set, only threads whose session cwd exactly matches this path are returned.",
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "limit": {
          "description": "Optional page size; defaults to a reasonable server-side value.",
          "format": "uint32",
--- a/codex-rs/app-server-protocol/schema/json/EventMsg.json
+++ b/codex-rs/app-server-protocol/schema/json/EventMsg.json
@@ -104,7 +104,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
@@ -175,6 +175,7 @@
          "enum": [
            "context_window_exceeded",
            "usage_limit_exceeded",
+            "server_overloaded",
            "internal_server_error",
            "unauthorized",
            "bad_request",
@@ -184,35 +185,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "model_cap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "model_cap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -1377,6 +1349,14 @@
              "default": "agent",
              "description": "Where the command originated. Defaults to Agent for backward compatibility."
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ExecCommandStatus"
+                }
+              ],
+              "description": "Completion status for this command execution."
+            },
            "stderr": {
              "description": "Captured stderr",
              "type": "string"
@@ -1405,6 +1385,7 @@
            "exit_code",
            "formatted_output",
            "parsed_cmd",
+            "status",
            "stderr",
            "stdout",
            "turn_id",
@@ -1457,6 +1438,17 @@
              "description": "The command's working directory.",
              "type": "string"
            },
+            "network_approval_context": {
+              "anyOf": [
+                {
+                  "$ref": "#/definitions/NetworkApprovalContext"
+                },
+                {
+                  "type": "null"
+                }
+              ],
+              "description": "Optional network context for a blocked request that can be approved."
+            },
            "parsed_cmd": {
              "items": {
                "$ref": "#/definitions/ParsedCommand"
@@ -1833,6 +1825,14 @@
              "description": "The changes that were applied (mirrors PatchApplyBeginEvent::changes).",
              "type": "object"
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/PatchApplyStatus"
+                }
+              ],
+              "description": "Completion status for this patch application."
+            },
            "stderr": {
              "description": "Captured stderr (parser errors, IO failures, etc.).",
              "type": "string"
@@ -1860,6 +1860,7 @@
          },
          "required": [
            "call_id",
+            "status",
            "stderr",
            "stdout",
            "success",
@@ -2901,6 +2902,14 @@
      ],
      "type": "string"
    },
+    "ExecCommandStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "ExecOutputStream": {
      "enum": [
        "stdout",
@@ -3317,6 +3326,30 @@
      ],
      "type": "string"
    },
+    "NetworkApprovalContext": {
+      "properties": {
+        "host": {
+          "type": "string"
+        },
+        "protocol": {
+          "$ref": "#/definitions/NetworkApprovalProtocol"
+        }
+      },
+      "required": [
+        "host",
+        "protocol"
+      ],
+      "type": "object"
+    },
+    "NetworkApprovalProtocol": {
+      "enum": [
+        "http",
+        "https",
+        "socks5_tcp",
+        "socks5_udp"
+      ],
+      "type": "string"
+    },
    "ParsedCommand": {
      "oneOf": [
        {
@@ -3428,6 +3461,14 @@
        }
      ]
    },
+    "PatchApplyStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "PlanItemArg": {
      "additionalProperties": false,
      "properties": {
@@ -3544,6 +3585,57 @@
      ],
      "type": "object"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -4381,8 +4473,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -4441,6 +4541,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
@@ -6146,6 +6254,14 @@
          "default": "agent",
          "description": "Where the command originated. Defaults to Agent for backward compatibility."
        },
+        "status": {
+          "allOf": [
+            {
+              "$ref": "#/definitions/ExecCommandStatus"
+            }
+          ],
+          "description": "Completion status for this command execution."
+        },
        "stderr": {
          "description": "Captured stderr",
          "type": "string"
@@ -6174,6 +6290,7 @@
        "exit_code",
        "formatted_output",
        "parsed_cmd",
+        "status",
        "stderr",
        "stdout",
        "turn_id",
@@ -6226,6 +6343,17 @@
          "description": "The command's working directory.",
          "type": "string"
        },
+        "network_approval_context": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/NetworkApprovalContext"
+            },
+            {
+              "type": "null"
+            }
+          ],
+          "description": "Optional network context for a blocked request that can be approved."
+        },
        "parsed_cmd": {
          "items": {
            "$ref": "#/definitions/ParsedCommand"
@@ -6602,6 +6730,14 @@
          "description": "The changes that were applied (mirrors PatchApplyBeginEvent::changes).",
          "type": "object"
        },
+        "status": {
+          "allOf": [
+            {
+              "$ref": "#/definitions/PatchApplyStatus"
+            }
+          ],
+          "description": "Completion status for this patch application."
+        },
        "stderr": {
          "description": "Captured stderr (parser errors, IO failures, etc.).",
          "type": "string"
@@ -6629,6 +6765,7 @@
      },
      "required": [
        "call_id",
+        "status",
        "stderr",
        "stdout",
        "success",
--- a/codex-rs/app-server-protocol/schema/json/FuzzyFileSearchSessionCompletedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/FuzzyFileSearchSessionCompletedNotification.json
@@ -0,0 +1,13 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "properties": {
+    "sessionId": {
+      "type": "string"
+    }
+  },
+  "required": [
+    "sessionId"
+  ],
+  "title": "FuzzyFileSearchSessionCompletedNotification",
+  "type": "object"
+}
--- a/codex-rs/app-server-protocol/schema/json/FuzzyFileSearchSessionUpdatedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/FuzzyFileSearchSessionUpdatedNotification.json
@@ -0,0 +1,63 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "definitions": {
+    "FuzzyFileSearchResult": {
+      "description": "Superset of [`codex_file_search::FileMatch`]",
+      "properties": {
+        "file_name": {
+          "type": "string"
+        },
+        "indices": {
+          "items": {
+            "format": "uint32",
+            "minimum": 0.0,
+            "type": "integer"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
+        },
+        "path": {
+          "type": "string"
+        },
+        "root": {
+          "type": "string"
+        },
+        "score": {
+          "format": "uint32",
+          "minimum": 0.0,
+          "type": "integer"
+        }
+      },
+      "required": [
+        "file_name",
+        "path",
+        "root",
+        "score"
+      ],
+      "type": "object"
+    }
+  },
+  "properties": {
+    "files": {
+      "items": {
+        "$ref": "#/definitions/FuzzyFileSearchResult"
+      },
+      "type": "array"
+    },
+    "query": {
+      "type": "string"
+    },
+    "sessionId": {
+      "type": "string"
+    }
+  },
+  "required": [
+    "files",
+    "query",
+    "sessionId"
+  ],
+  "title": "FuzzyFileSearchSessionUpdatedNotification",
+  "type": "object"
+}
--- a/codex-rs/app-server-protocol/schema/json/ServerNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/ServerNotification.json
@@ -193,6 +193,11 @@
          "default": false,
          "type": "boolean"
        },
+        "isEnabled": {
+          "default": true,
+          "description": "Whether this app is enabled in config.toml. Example: ```toml [apps.bad_app] enabled = false ```",
+          "type": "boolean"
+        },
        "logoUrl": {
          "type": [
            "string",
@@ -241,7 +246,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
@@ -373,6 +378,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -382,35 +388,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -515,6 +492,7 @@
          "enum": [
            "context_window_exceeded",
            "usage_limit_exceeded",
+            "server_overloaded",
            "internal_server_error",
            "unauthorized",
            "bad_request",
@@ -524,35 +502,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "model_cap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "model_cap"
-          ],
-          "title": "ModelCapCodexErrorInfo2",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -2021,6 +1970,14 @@
              "default": "agent",
              "description": "Where the command originated. Defaults to Agent for backward compatibility."
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ExecCommandStatus"
+                }
+              ],
+              "description": "Completion status for this command execution."
+            },
            "stderr": {
              "description": "Captured stderr",
              "type": "string"
@@ -2049,6 +2006,7 @@
            "exit_code",
            "formatted_output",
            "parsed_cmd",
+            "status",
            "stderr",
            "stdout",
            "turn_id",
@@ -2101,6 +2059,17 @@
              "description": "The command's working directory.",
              "type": "string"
            },
+            "network_approval_context": {
+              "anyOf": [
+                {
+                  "$ref": "#/definitions/NetworkApprovalContext"
+                },
+                {
+                  "type": "null"
+                }
+              ],
+              "description": "Optional network context for a blocked request that can be approved."
+            },
            "parsed_cmd": {
              "items": {
                "$ref": "#/definitions/ParsedCommand"
@@ -2477,6 +2446,14 @@
              "description": "The changes that were applied (mirrors PatchApplyBeginEvent::changes).",
              "type": "object"
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/PatchApplyStatus2"
+                }
+              ],
+              "description": "Completion status for this patch application."
+            },
            "stderr": {
              "description": "Captured stderr (parser errors, IO failures, etc.).",
              "type": "string"
@@ -2504,6 +2481,7 @@
          },
          "required": [
            "call_id",
+            "status",
            "stderr",
            "stdout",
            "success",
@@ -3545,6 +3523,14 @@
      ],
      "type": "string"
    },
+    "ExecCommandStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "ExecOutputStream": {
      "enum": [
        "stdout",
@@ -3740,6 +3726,76 @@
      ],
      "type": "object"
    },
+    "FuzzyFileSearchResult": {
+      "description": "Superset of [`codex_file_search::FileMatch`]",
+      "properties": {
+        "file_name": {
+          "type": "string"
+        },
+        "indices": {
+          "items": {
+            "format": "uint32",
+            "minimum": 0.0,
+            "type": "integer"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
+        },
+        "path": {
+          "type": "string"
+        },
+        "root": {
+          "type": "string"
+        },
+        "score": {
+          "format": "uint32",
+          "minimum": 0.0,
+          "type": "integer"
+        }
+      },
+      "required": [
+        "file_name",
+        "path",
+        "root",
+        "score"
+      ],
+      "type": "object"
+    },
+    "FuzzyFileSearchSessionCompletedNotification": {
+      "properties": {
+        "sessionId": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "sessionId"
+      ],
+      "type": "object"
+    },
+    "FuzzyFileSearchSessionUpdatedNotification": {
+      "properties": {
+        "files": {
+          "items": {
+            "$ref": "#/definitions/FuzzyFileSearchResult"
+          },
+          "type": "array"
+        },
+        "query": {
+          "type": "string"
+        },
+        "sessionId": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "files",
+        "query",
+        "sessionId"
+      ],
+      "type": "object"
+    },
    "GhostCommit": {
      "description": "Details of a ghost commit created from a repository state.",
      "properties": {
@@ -4162,6 +4218,30 @@
      ],
      "type": "string"
    },
+    "NetworkApprovalContext": {
+      "properties": {
+        "host": {
+          "type": "string"
+        },
+        "protocol": {
+          "$ref": "#/definitions/NetworkApprovalProtocol"
+        }
+      },
+      "required": [
+        "host",
+        "protocol"
+      ],
+      "type": "object"
+    },
+    "NetworkApprovalProtocol": {
+      "enum": [
+        "http",
+        "https",
+        "socks5_tcp",
+        "socks5_udp"
+      ],
+      "type": "string"
+    },
    "ParsedCommand": {
      "oneOf": [
        {
@@ -4282,6 +4362,14 @@
      ],
      "type": "string"
    },
+    "PatchApplyStatus2": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "PatchChangeKind": {
      "oneOf": [
        {
@@ -4582,6 +4670,57 @@
      ],
      "type": "object"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -5499,8 +5638,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -5559,6 +5706,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
@@ -5888,7 +6043,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
@@ -8160,6 +8316,46 @@
      "title": "ConfigWarningNotification",
      "type": "object"
    },
+    {
+      "properties": {
+        "method": {
+          "enum": [
+            "fuzzyFileSearch/sessionUpdated"
+          ],
+          "title": "FuzzyFileSearch/sessionUpdatedNotificationMethod",
+          "type": "string"
+        },
+        "params": {
+          "$ref": "#/definitions/FuzzyFileSearchSessionUpdatedNotification"
+        }
+      },
+      "required": [
+        "method",
+        "params"
+      ],
+      "title": "FuzzyFileSearch/sessionUpdatedNotification",
+      "type": "object"
+    },
+    {
+      "properties": {
+        "method": {
+          "enum": [
+            "fuzzyFileSearch/sessionCompleted"
+          ],
+          "title": "FuzzyFileSearch/sessionCompletedNotificationMethod",
+          "type": "string"
+        },
+        "params": {
+          "$ref": "#/definitions/FuzzyFileSearchSessionCompletedNotification"
+        }
+      },
+      "required": [
+        "method",
+        "params"
+      ],
+      "title": "FuzzyFileSearch/sessionCompletedNotification",
+      "type": "object"
+    },
    {
      "description": "Notifies the user of world-writable directories on Windows, which cannot be protected by the sandbox.",
      "properties": {
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
@@ -208,7 +208,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
@@ -1884,6 +1884,7 @@
          "enum": [
            "context_window_exceeded",
            "usage_limit_exceeded",
+            "server_overloaded",
            "internal_server_error",
            "unauthorized",
            "bad_request",
@@ -1893,35 +1894,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "model_cap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "model_cap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -3390,6 +3362,14 @@
              "default": "agent",
              "description": "Where the command originated. Defaults to Agent for backward compatibility."
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ExecCommandStatus"
+                }
+              ],
+              "description": "Completion status for this command execution."
+            },
            "stderr": {
              "description": "Captured stderr",
              "type": "string"
@@ -3418,6 +3398,7 @@
            "exit_code",
            "formatted_output",
            "parsed_cmd",
+            "status",
            "stderr",
            "stdout",
            "turn_id",
@@ -3470,6 +3451,17 @@
              "description": "The command's working directory.",
              "type": "string"
            },
+            "network_approval_context": {
+              "anyOf": [
+                {
+                  "$ref": "#/definitions/NetworkApprovalContext"
+                },
+                {
+                  "type": "null"
+                }
+              ],
+              "description": "Optional network context for a blocked request that can be approved."
+            },
            "parsed_cmd": {
              "items": {
                "$ref": "#/definitions/ParsedCommand"
@@ -3846,6 +3838,14 @@
              "description": "The changes that were applied (mirrors PatchApplyBeginEvent::changes).",
              "type": "object"
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/v2/PatchApplyStatus"
+                }
+              ],
+              "description": "Completion status for this patch application."
+            },
            "stderr": {
              "description": "Captured stderr (parser errors, IO failures, etc.).",
              "type": "string"
@@ -3873,6 +3873,7 @@
          },
          "required": [
            "call_id",
+            "status",
            "stderr",
            "stdout",
            "success",
@@ -4970,6 +4971,14 @@
      ],
      "type": "string"
    },
+    "ExecCommandStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "ExecOneOffCommandParams": {
      "$schema": "http://json-schema.org/draft-07/schema#",
      "properties": {
@@ -5414,6 +5423,43 @@
      ],
      "type": "object"
    },
+    "FuzzyFileSearchSessionCompletedNotification": {
+      "$schema": "http://json-schema.org/draft-07/schema#",
+      "properties": {
+        "sessionId": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "sessionId"
+      ],
+      "title": "FuzzyFileSearchSessionCompletedNotification",
+      "type": "object"
+    },
+    "FuzzyFileSearchSessionUpdatedNotification": {
+      "$schema": "http://json-schema.org/draft-07/schema#",
+      "properties": {
+        "files": {
+          "items": {
+            "$ref": "#/definitions/FuzzyFileSearchResult"
+          },
+          "type": "array"
+        },
+        "query": {
+          "type": "string"
+        },
+        "sessionId": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "files",
+        "query",
+        "sessionId"
+      ],
+      "title": "FuzzyFileSearchSessionUpdatedNotification",
+      "type": "object"
+    },
    "GetAuthStatusParams": {
      "$schema": "http://json-schema.org/draft-07/schema#",
      "properties": {
@@ -6228,6 +6274,30 @@
      ],
      "type": "string"
    },
+    "NetworkApprovalContext": {
+      "properties": {
+        "host": {
+          "type": "string"
+        },
+        "protocol": {
+          "$ref": "#/definitions/NetworkApprovalProtocol"
+        }
+      },
+      "required": [
+        "host",
+        "protocol"
+      ],
+      "type": "object"
+    },
+    "NetworkApprovalProtocol": {
+      "enum": [
+        "http",
+        "https",
+        "socks5_tcp",
+        "socks5_udp"
+      ],
+      "type": "string"
+    },
    "NewConversationParams": {
      "properties": {
        "approvalPolicy": {
@@ -6450,6 +6520,14 @@
        }
      ]
    },
+    "PatchApplyStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "PlanItemArg": {
      "additionalProperties": false,
      "properties": {
@@ -6629,6 +6707,57 @@
      ],
      "type": "object"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -7642,8 +7771,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -7702,6 +7839,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
@@ -8386,6 +8531,46 @@
          "title": "ConfigWarningNotification",
          "type": "object"
        },
+        {
+          "properties": {
+            "method": {
+              "enum": [
+                "fuzzyFileSearch/sessionUpdated"
+              ],
+              "title": "FuzzyFileSearch/sessionUpdatedNotificationMethod",
+              "type": "string"
+            },
+            "params": {
+              "$ref": "#/definitions/FuzzyFileSearchSessionUpdatedNotification"
+            }
+          },
+          "required": [
+            "method",
+            "params"
+          ],
+          "title": "FuzzyFileSearch/sessionUpdatedNotification",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "method": {
+              "enum": [
+                "fuzzyFileSearch/sessionCompleted"
+              ],
+              "title": "FuzzyFileSearch/sessionCompletedNotificationMethod",
+              "type": "string"
+            },
+            "params": {
+              "$ref": "#/definitions/FuzzyFileSearchSessionCompletedNotification"
+            }
+          },
+          "required": [
+            "method",
+            "params"
+          ],
+          "title": "FuzzyFileSearch/sessionCompletedNotification",
+          "type": "object"
+        },
        {
          "description": "Notifies the user of world-writable directories on Windows, which cannot be protected by the sandbox.",
          "properties": {
@@ -9009,7 +9194,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
@@ -10084,6 +10270,11 @@
            "default": false,
            "type": "boolean"
          },
+          "isEnabled": {
+            "default": true,
+            "description": "Whether this app is enabled in config.toml. Example: ```toml [apps.bad_app] enabled = false ```",
+            "type": "boolean"
+          },
          "logoUrl": {
            "type": [
              "string",
@@ -10279,6 +10470,7 @@
            "enum": [
              "contextWindowExceeded",
              "usageLimitExceeded",
+              "serverOverloaded",
              "internalServerError",
              "unauthorized",
              "badRequest",
@@ -10288,35 +10480,6 @@
            ],
            "type": "string"
          },
-          {
-            "additionalProperties": false,
-            "properties": {
-              "modelCap": {
-                "properties": {
-                  "model": {
-                    "type": "string"
-                  },
-                  "reset_after_seconds": {
-                    "format": "uint64",
-                    "minimum": 0.0,
-                    "type": [
-                      "integer",
-                      "null"
-                    ]
-                  }
-                },
-                "required": [
-                  "model"
-                ],
-                "type": "object"
-              }
-            },
-            "required": [
-              "modelCap"
-            ],
-            "title": "ModelCapCodexErrorInfo",
-            "type": "object"
-          },
          {
            "additionalProperties": false,
            "properties": {
@@ -12483,6 +12646,9 @@
          "displayName": {
            "type": "string"
          },
+          "hidden": {
+            "type": "boolean"
+          },
          "id": {
            "type": "string"
          },
@@ -12523,6 +12689,7 @@
          "defaultReasoningEffort",
          "description",
          "displayName",
+          "hidden",
          "id",
          "isDefault",
          "model",
@@ -12540,6 +12707,13 @@
              "null"
            ]
          },
+          "includeHidden": {
+            "description": "When true, include models that are hidden from the default picker list.",
+            "type": [
+              "boolean",
+              "null"
+            ]
+          },
          "limit": {
            "description": "Optional page size; defaults to a reasonable server-side value.",
            "format": "uint32",
@@ -12971,6 +13145,53 @@
        "title": "RawResponseItemCompletedNotification",
        "type": "object"
      },
+      "ReadOnlyAccess": {
+        "oneOf": [
+          {
+            "properties": {
+              "includePlatformDefaults": {
+                "default": true,
+                "type": "boolean"
+              },
+              "readableRoots": {
+                "default": [],
+                "items": {
+                  "$ref": "#/definitions/v2/AbsolutePathBuf"
+                },
+                "type": "array"
+              },
+              "type": {
+                "enum": [
+                  "restricted"
+                ],
+                "title": "RestrictedReadOnlyAccessType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "type"
+            ],
+            "title": "RestrictedReadOnlyAccess",
+            "type": "object"
+          },
+          {
+            "properties": {
+              "type": {
+                "enum": [
+                  "fullAccess"
+                ],
+                "title": "FullAccessReadOnlyAccessType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "type"
+            ],
+            "title": "FullAccessReadOnlyAccess",
+            "type": "object"
+          }
+        ]
+      },
      "ReasoningEffort": {
        "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
        "enum": [
@@ -13811,6 +14032,16 @@
          },
          {
            "properties": {
+              "access": {
+                "allOf": [
+                  {
+                    "$ref": "#/definitions/v2/ReadOnlyAccess"
+                  }
+                ],
+                "default": {
+                  "type": "fullAccess"
+                }
+              },
              "type": {
                "enum": [
                  "readOnly"
@@ -13863,6 +14094,16 @@
                "default": false,
                "type": "boolean"
              },
+              "readOnlyAccess": {
+                "allOf": [
+                  {
+                    "$ref": "#/definitions/v2/ReadOnlyAccess"
+                  }
+                ],
+                "default": {
+                  "type": "fullAccess"
+                }
+              },
              "type": {
                "enum": [
                  "workspaceWrite"
@@ -14319,7 +14560,8 @@
          {
            "enum": [
              "review",
-              "compact"
+              "compact",
+              "memory_consolidation"
            ],
            "type": "string"
          },
@@ -15173,6 +15415,13 @@
              "null"
            ]
          },
+          "cwd": {
+            "description": "Optional cwd filter; when set, only threads whose session cwd exactly matches this path are returned.",
+            "type": [
+              "string",
+              "null"
+            ]
+          },
          "limit": {
            "description": "Optional page size; defaults to a reasonable server-side value.",
            "format": "uint32",
--- a/codex-rs/app-server-protocol/schema/json/v1/ExecOneOffCommandParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/ExecOneOffCommandParams.json
@@ -13,6 +13,57 @@
      ],
      "type": "string"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "SandboxPolicy": {
      "description": "Determines execution restrictions for model shell commands.",
      "oneOf": [
@@ -34,8 +85,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -94,6 +153,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
--- a/codex-rs/app-server-protocol/schema/json/v1/ForkConversationParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/ForkConversationParams.json
@@ -12,7 +12,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
--- a/codex-rs/app-server-protocol/schema/json/v1/ForkConversationResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/ForkConversationResponse.json
@@ -104,7 +104,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
@@ -175,6 +175,7 @@
          "enum": [
            "context_window_exceeded",
            "usage_limit_exceeded",
+            "server_overloaded",
            "internal_server_error",
            "unauthorized",
            "bad_request",
@@ -184,35 +185,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "model_cap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "model_cap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -1377,6 +1349,14 @@
              "default": "agent",
              "description": "Where the command originated. Defaults to Agent for backward compatibility."
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ExecCommandStatus"
+                }
+              ],
+              "description": "Completion status for this command execution."
+            },
            "stderr": {
              "description": "Captured stderr",
              "type": "string"
@@ -1405,6 +1385,7 @@
            "exit_code",
            "formatted_output",
            "parsed_cmd",
+            "status",
            "stderr",
            "stdout",
            "turn_id",
@@ -1457,6 +1438,17 @@
              "description": "The command's working directory.",
              "type": "string"
            },
+            "network_approval_context": {
+              "anyOf": [
+                {
+                  "$ref": "#/definitions/NetworkApprovalContext"
+                },
+                {
+                  "type": "null"
+                }
+              ],
+              "description": "Optional network context for a blocked request that can be approved."
+            },
            "parsed_cmd": {
              "items": {
                "$ref": "#/definitions/ParsedCommand"
@@ -1833,6 +1825,14 @@
              "description": "The changes that were applied (mirrors PatchApplyBeginEvent::changes).",
              "type": "object"
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/PatchApplyStatus"
+                }
+              ],
+              "description": "Completion status for this patch application."
+            },
            "stderr": {
              "description": "Captured stderr (parser errors, IO failures, etc.).",
              "type": "string"
@@ -1860,6 +1860,7 @@
          },
          "required": [
            "call_id",
+            "status",
            "stderr",
            "stdout",
            "success",
@@ -2901,6 +2902,14 @@
      ],
      "type": "string"
    },
+    "ExecCommandStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "ExecOutputStream": {
      "enum": [
        "stdout",
@@ -3317,6 +3326,30 @@
      ],
      "type": "string"
    },
+    "NetworkApprovalContext": {
+      "properties": {
+        "host": {
+          "type": "string"
+        },
+        "protocol": {
+          "$ref": "#/definitions/NetworkApprovalProtocol"
+        }
+      },
+      "required": [
+        "host",
+        "protocol"
+      ],
+      "type": "object"
+    },
+    "NetworkApprovalProtocol": {
+      "enum": [
+        "http",
+        "https",
+        "socks5_tcp",
+        "socks5_udp"
+      ],
+      "type": "string"
+    },
    "ParsedCommand": {
      "oneOf": [
        {
@@ -3428,6 +3461,14 @@
        }
      ]
    },
+    "PatchApplyStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "PlanItemArg": {
      "additionalProperties": false,
      "properties": {
@@ -3544,6 +3585,57 @@
      ],
      "type": "object"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -4381,8 +4473,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -4441,6 +4541,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
--- a/codex-rs/app-server-protocol/schema/json/v1/GetConversationSummaryResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/GetConversationSummaryResponse.json
@@ -113,7 +113,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
--- a/codex-rs/app-server-protocol/schema/json/v1/GetUserSavedConfigResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/GetUserSavedConfigResponse.json
@@ -16,7 +16,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
--- a/codex-rs/app-server-protocol/schema/json/v1/ListConversationsResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/ListConversationsResponse.json
@@ -113,7 +113,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
--- a/codex-rs/app-server-protocol/schema/json/v1/NewConversationParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/NewConversationParams.json
@@ -12,7 +12,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
--- a/codex-rs/app-server-protocol/schema/json/v1/ResumeConversationParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/ResumeConversationParams.json
@@ -12,7 +12,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
--- a/codex-rs/app-server-protocol/schema/json/v1/ResumeConversationResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/ResumeConversationResponse.json
@@ -104,7 +104,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
@@ -175,6 +175,7 @@
          "enum": [
            "context_window_exceeded",
            "usage_limit_exceeded",
+            "server_overloaded",
            "internal_server_error",
            "unauthorized",
            "bad_request",
@@ -184,35 +185,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "model_cap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "model_cap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -1377,6 +1349,14 @@
              "default": "agent",
              "description": "Where the command originated. Defaults to Agent for backward compatibility."
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ExecCommandStatus"
+                }
+              ],
+              "description": "Completion status for this command execution."
+            },
            "stderr": {
              "description": "Captured stderr",
              "type": "string"
@@ -1405,6 +1385,7 @@
            "exit_code",
            "formatted_output",
            "parsed_cmd",
+            "status",
            "stderr",
            "stdout",
            "turn_id",
@@ -1457,6 +1438,17 @@
              "description": "The command's working directory.",
              "type": "string"
            },
+            "network_approval_context": {
+              "anyOf": [
+                {
+                  "$ref": "#/definitions/NetworkApprovalContext"
+                },
+                {
+                  "type": "null"
+                }
+              ],
+              "description": "Optional network context for a blocked request that can be approved."
+            },
            "parsed_cmd": {
              "items": {
                "$ref": "#/definitions/ParsedCommand"
@@ -1833,6 +1825,14 @@
              "description": "The changes that were applied (mirrors PatchApplyBeginEvent::changes).",
              "type": "object"
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/PatchApplyStatus"
+                }
+              ],
+              "description": "Completion status for this patch application."
+            },
            "stderr": {
              "description": "Captured stderr (parser errors, IO failures, etc.).",
              "type": "string"
@@ -1860,6 +1860,7 @@
          },
          "required": [
            "call_id",
+            "status",
            "stderr",
            "stdout",
            "success",
@@ -2901,6 +2902,14 @@
      ],
      "type": "string"
    },
+    "ExecCommandStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "ExecOutputStream": {
      "enum": [
        "stdout",
@@ -3317,6 +3326,30 @@
      ],
      "type": "string"
    },
+    "NetworkApprovalContext": {
+      "properties": {
+        "host": {
+          "type": "string"
+        },
+        "protocol": {
+          "$ref": "#/definitions/NetworkApprovalProtocol"
+        }
+      },
+      "required": [
+        "host",
+        "protocol"
+      ],
+      "type": "object"
+    },
+    "NetworkApprovalProtocol": {
+      "enum": [
+        "http",
+        "https",
+        "socks5_tcp",
+        "socks5_udp"
+      ],
+      "type": "string"
+    },
    "ParsedCommand": {
      "oneOf": [
        {
@@ -3428,6 +3461,14 @@
        }
      ]
    },
+    "PatchApplyStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "PlanItemArg": {
      "additionalProperties": false,
      "properties": {
@@ -3544,6 +3585,57 @@
      ],
      "type": "object"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -4381,8 +4473,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -4441,6 +4541,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
--- a/codex-rs/app-server-protocol/schema/json/v1/SendUserTurnParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/SendUserTurnParams.json
@@ -16,7 +16,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
@@ -142,6 +142,57 @@
      ],
      "type": "string"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -195,8 +246,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -255,6 +314,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
--- a/codex-rs/app-server-protocol/schema/json/v1/SessionConfiguredNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/SessionConfiguredNotification.json
@@ -104,7 +104,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
@@ -175,6 +175,7 @@
          "enum": [
            "context_window_exceeded",
            "usage_limit_exceeded",
+            "server_overloaded",
            "internal_server_error",
            "unauthorized",
            "bad_request",
@@ -184,35 +185,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "model_cap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "model_cap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -1377,6 +1349,14 @@
              "default": "agent",
              "description": "Where the command originated. Defaults to Agent for backward compatibility."
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ExecCommandStatus"
+                }
+              ],
+              "description": "Completion status for this command execution."
+            },
            "stderr": {
              "description": "Captured stderr",
              "type": "string"
@@ -1405,6 +1385,7 @@
            "exit_code",
            "formatted_output",
            "parsed_cmd",
+            "status",
            "stderr",
            "stdout",
            "turn_id",
@@ -1457,6 +1438,17 @@
              "description": "The command's working directory.",
              "type": "string"
            },
+            "network_approval_context": {
+              "anyOf": [
+                {
+                  "$ref": "#/definitions/NetworkApprovalContext"
+                },
+                {
+                  "type": "null"
+                }
+              ],
+              "description": "Optional network context for a blocked request that can be approved."
+            },
            "parsed_cmd": {
              "items": {
                "$ref": "#/definitions/ParsedCommand"
@@ -1833,6 +1825,14 @@
              "description": "The changes that were applied (mirrors PatchApplyBeginEvent::changes).",
              "type": "object"
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/PatchApplyStatus"
+                }
+              ],
+              "description": "Completion status for this patch application."
+            },
            "stderr": {
              "description": "Captured stderr (parser errors, IO failures, etc.).",
              "type": "string"
@@ -1860,6 +1860,7 @@
          },
          "required": [
            "call_id",
+            "status",
            "stderr",
            "stdout",
            "success",
@@ -2901,6 +2902,14 @@
      ],
      "type": "string"
    },
+    "ExecCommandStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "ExecOutputStream": {
      "enum": [
        "stdout",
@@ -3317,6 +3326,30 @@
      ],
      "type": "string"
    },
+    "NetworkApprovalContext": {
+      "properties": {
+        "host": {
+          "type": "string"
+        },
+        "protocol": {
+          "$ref": "#/definitions/NetworkApprovalProtocol"
+        }
+      },
+      "required": [
+        "host",
+        "protocol"
+      ],
+      "type": "object"
+    },
+    "NetworkApprovalProtocol": {
+      "enum": [
+        "http",
+        "https",
+        "socks5_tcp",
+        "socks5_udp"
+      ],
+      "type": "string"
+    },
    "ParsedCommand": {
      "oneOf": [
        {
@@ -3428,6 +3461,14 @@
        }
      ]
    },
+    "PatchApplyStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "PlanItemArg": {
      "additionalProperties": false,
      "properties": {
@@ -3544,6 +3585,57 @@
      ],
      "type": "object"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -4381,8 +4473,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -4441,6 +4541,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
--- a/codex-rs/app-server-protocol/schema/json/v2/AppListUpdatedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/AppListUpdatedNotification.json
@@ -29,6 +29,11 @@
          "default": false,
          "type": "boolean"
        },
+        "isEnabled": {
+          "default": true,
+          "description": "Whether this app is enabled in config.toml. Example: ```toml [apps.bad_app] enabled = false ```",
+          "type": "boolean"
+        },
        "logoUrl": {
          "type": [
            "string",
--- a/codex-rs/app-server-protocol/schema/json/v2/AppsListResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/AppsListResponse.json
@@ -29,6 +29,11 @@
          "default": false,
          "type": "boolean"
        },
+        "isEnabled": {
+          "default": true,
+          "description": "Whether this app is enabled in config.toml. Example: ```toml [apps.bad_app] enabled = false ```",
+          "type": "boolean"
+        },
        "logoUrl": {
          "type": [
            "string",
--- a/codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json
@@ -12,6 +12,53 @@
      ],
      "type": "string"
    },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "SandboxPolicy": {
      "oneOf": [
        {
@@ -32,6 +79,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "readOnly"
@@ -84,6 +141,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
--- a/codex-rs/app-server-protocol/schema/json/v2/ErrorNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ErrorNotification.json
@@ -8,6 +8,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -17,35 +18,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/ModelListParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ModelListParams.json
@@ -8,6 +8,13 @@
        "null"
      ]
    },
+    "includeHidden": {
+      "description": "When true, include models that are hidden from the default picker list.",
+      "type": [
+        "boolean",
+        "null"
+      ]
+    },
    "limit": {
      "description": "Optional page size; defaults to a reasonable server-side value.",
      "format": "uint32",
--- a/codex-rs/app-server-protocol/schema/json/v2/ModelListResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ModelListResponse.json
@@ -31,6 +31,9 @@
        "displayName": {
          "type": "string"
        },
+        "hidden": {
+          "type": "boolean"
+        },
        "id": {
          "type": "string"
        },
@@ -71,6 +74,7 @@
        "defaultReasoningEffort",
        "description",
        "displayName",
+        "hidden",
        "id",
        "isDefault",
        "model",
--- a/codex-rs/app-server-protocol/schema/json/v2/ReviewStartResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ReviewStartResponse.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadForkResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadForkResponse.json
@@ -40,6 +40,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -49,35 +50,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -488,6 +460,53 @@
        }
      ]
    },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -520,6 +539,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "readOnly"
@@ -572,6 +601,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -627,7 +666,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadListParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadListParams.json
@@ -39,6 +39,13 @@
        "null"
      ]
    },
+    "cwd": {
+      "description": "Optional cwd filter; when set, only threads whose session cwd exactly matches this path are returned.",
+      "type": [
+        "string",
+        "null"
+      ]
+    },
    "limit": {
      "description": "Optional page size; defaults to a reasonable server-side value.",
      "format": "uint32",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadListResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadListResponse.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -500,7 +472,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadReadResponse.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -500,7 +472,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeResponse.json
@@ -40,6 +40,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -49,35 +50,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -488,6 +460,53 @@
        }
      ]
    },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -520,6 +539,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "readOnly"
@@ -572,6 +601,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -627,7 +666,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadRollbackResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadRollbackResponse.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -500,7 +472,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadStartResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadStartResponse.json
@@ -40,6 +40,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -49,35 +50,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -488,6 +460,53 @@
        }
      ]
    },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -520,6 +539,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "readOnly"
@@ -572,6 +601,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -627,7 +666,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadStartedNotification.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -500,7 +472,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadUnarchiveResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadUnarchiveResponse.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -500,7 +472,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnCompletedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnCompletedNotification.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnStartParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnStartParams.json
@@ -72,6 +72,53 @@
      ],
      "type": "string"
    },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -124,6 +171,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "readOnly"
@@ -176,6 +233,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnStartResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnStartResponse.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnStartedNotification.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
--- a/codex-rs/app-server-protocol/schema/typescript/CodexErrorInfo.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/CodexErrorInfo.ts
@@ -5,4 +5,4 @@
 /**
 * Codex errors that we expose to clients.
 */
-export type CodexErrorInfo = "context_window_exceeded" | "usage_limit_exceeded" | { "model_cap": { model: string, reset_after_seconds: bigint | null, } } | { "http_connection_failed": { http_status_code: number | null, } } | { "response_stream_connection_failed": { http_status_code: number | null, } } | "internal_server_error" | "unauthorized" | "bad_request" | "sandbox_error" | { "response_stream_disconnected": { http_status_code: number | null, } } | { "response_too_many_failed_attempts": { http_status_code: number | null, } } | "thread_rollback_failed" | "other";
+export type CodexErrorInfo = "context_window_exceeded" | "usage_limit_exceeded" | "server_overloaded" | { "http_connection_failed": { http_status_code: number | null, } } | { "response_stream_connection_failed": { http_status_code: number | null, } } | "internal_server_error" | "unauthorized" | "bad_request" | "sandbox_error" | { "response_stream_disconnected": { http_status_code: number | null, } } | { "response_too_many_failed_attempts": { http_status_code: number | null, } } | "thread_rollback_failed" | "other";
--- a/codex-rs/app-server-protocol/schema/typescript/ExecApprovalRequestEvent.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ExecApprovalRequestEvent.ts
@@ -2,6 +2,7 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { ExecPolicyAmendment } from "./ExecPolicyAmendment";
+import type { NetworkApprovalContext } from "./NetworkApprovalContext";
 import type { ParsedCommand } from "./ParsedCommand";

 export type ExecApprovalRequestEvent = { 
@@ -26,6 +27,10 @@ cwd: string,
 * Optional human-readable reason for the approval (e.g. retry without sandbox).
 */
 reason: string | null, 
+/**
+ * Optional network context for a blocked request that can be approved.
+ */
+network_approval_context?: NetworkApprovalContext, 
 /**
 * Proposed execpolicy amendment that can be applied to allow future runs.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/ExecCommandEndEvent.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ExecCommandEndEvent.ts
@@ -2,6 +2,7 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { ExecCommandSource } from "./ExecCommandSource";
+import type { ExecCommandStatus } from "./ExecCommandStatus";
 import type { ParsedCommand } from "./ParsedCommand";

 export type ExecCommandEndEvent = { 
@@ -56,4 +57,8 @@ duration: string,
 /**
 * Formatted output from the command, as seen by the model.
 */
-formatted_output: string, };
+formatted_output: string, 
+/**
+ * Completion status for this command execution.
+ */
+status: ExecCommandStatus, };
--- a/codex-rs/app-server-protocol/schema/typescript/ExecCommandStatus.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ExecCommandStatus.ts
@@ -0,0 +1,5 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type ExecCommandStatus = "completed" | "failed" | "declined";
--- a/codex-rs/app-server-protocol/schema/typescript/FuzzyFileSearchSessionCompletedNotification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/FuzzyFileSearchSessionCompletedNotification.ts
@@ -0,0 +1,5 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type FuzzyFileSearchSessionCompletedNotification = { sessionId: string, };
--- a/codex-rs/app-server-protocol/schema/typescript/FuzzyFileSearchSessionUpdatedNotification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/FuzzyFileSearchSessionUpdatedNotification.ts
@@ -0,0 +1,6 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { FuzzyFileSearchResult } from "./FuzzyFileSearchResult";
+
+export type FuzzyFileSearchSessionUpdatedNotification = { sessionId: string, query: string, files: Array<FuzzyFileSearchResult>, };
--- a/codex-rs/app-server-protocol/schema/typescript/NetworkApprovalContext.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/NetworkApprovalContext.ts
@@ -0,0 +1,6 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { NetworkApprovalProtocol } from "./NetworkApprovalProtocol";
+
+export type NetworkApprovalContext = { host: string, protocol: NetworkApprovalProtocol, };
--- a/codex-rs/app-server-protocol/schema/typescript/NetworkApprovalProtocol.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/NetworkApprovalProtocol.ts
@@ -0,0 +1,5 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type NetworkApprovalProtocol = "http" | "https" | "socks5_tcp" | "socks5_udp";
--- a/codex-rs/app-server-protocol/schema/typescript/PatchApplyEndEvent.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/PatchApplyEndEvent.ts
@@ -2,6 +2,7 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { FileChange } from "./FileChange";
+import type { PatchApplyStatus } from "./PatchApplyStatus";

 export type PatchApplyEndEvent = { 
 /**
@@ -28,4 +29,8 @@ success: boolean,
 /**
 * The changes that were applied (mirrors PatchApplyBeginEvent::changes).
 */
-changes: { [key in string]?: FileChange }, };
+changes: { [key in string]?: FileChange }, 
+/**
+ * Completion status for this patch application.
+ */
+status: PatchApplyStatus, };
--- a/codex-rs/app-server-protocol/schema/typescript/PatchApplyStatus.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/PatchApplyStatus.ts
@@ -0,0 +1,5 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type PatchApplyStatus = "completed" | "failed" | "declined";
--- a/codex-rs/app-server-protocol/schema/typescript/ReadOnlyAccess.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ReadOnlyAccess.ts
@@ -0,0 +1,19 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { AbsolutePathBuf } from "./AbsolutePathBuf";
+
+/**
+ * Determines how read-only file access is granted inside a restricted
+ * sandbox.
+ */
+export type ReadOnlyAccess = { "type": "restricted", 
+/**
+ * Include built-in platform read roots required for basic process
+ * execution.
+ */
+include_platform_defaults: boolean, 
+/**
+ * Additional absolute roots that should be readable.
+ */
+readable_roots?: Array<AbsolutePathBuf>, } | { "type": "full-access" };
--- a/codex-rs/app-server-protocol/schema/typescript/SandboxPolicy.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/SandboxPolicy.ts
@@ -3,11 +3,16 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { AbsolutePathBuf } from "./AbsolutePathBuf";
 import type { NetworkAccess } from "./NetworkAccess";
+import type { ReadOnlyAccess } from "./ReadOnlyAccess";

 /**
 * Determines execution restrictions for model shell commands.
 */
-export type SandboxPolicy = { "type": "danger-full-access" } | { "type": "read-only" } | { "type": "external-sandbox", 
+export type SandboxPolicy = { "type": "danger-full-access" } | { "type": "read-only", 
+/**
+ * Read access granted while running under this policy.
+ */
+access?: ReadOnlyAccess, } | { "type": "external-sandbox", 
 /**
 * Whether the external sandbox permits outbound network traffic.
 */
@@ -17,6 +22,10 @@ network_access: NetworkAccess, } | { "type": "workspace-write",
 * writable from within the sandbox.
 */
 writable_roots?: Array<AbsolutePathBuf>, 
+/**
+ * Read access granted while running under this policy.
+ */
+read_only_access?: ReadOnlyAccess, 
 /**
 * When set to `true`, outbound network access is allowed. `false` by
 * default.
--- a/codex-rs/app-server-protocol/schema/typescript/ServerNotification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ServerNotification.ts
@@ -2,6 +2,8 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { AuthStatusChangeNotification } from "./AuthStatusChangeNotification";
+import type { FuzzyFileSearchSessionCompletedNotification } from "./FuzzyFileSearchSessionCompletedNotification";
+import type { FuzzyFileSearchSessionUpdatedNotification } from "./FuzzyFileSearchSessionUpdatedNotification";
 import type { LoginChatGptCompleteNotification } from "./LoginChatGptCompleteNotification";
 import type { SessionConfiguredNotification } from "./SessionConfiguredNotification";
 import type { AccountLoginCompletedNotification } from "./v2/AccountLoginCompletedNotification";
@@ -37,4 +39,4 @@ import type { WindowsWorldWritableWarningNotification } from "./v2/WindowsWorldW
 /**
 * Notification sent from the server to the client.
 */
-export type ServerNotification = { "method": "error", "params": ErrorNotification } | { "method": "thread/started", "params": ThreadStartedNotification } | { "method": "thread/name/updated", "params": ThreadNameUpdatedNotification } | { "method": "thread/tokenUsage/updated", "params": ThreadTokenUsageUpdatedNotification } | { "method": "turn/started", "params": TurnStartedNotification } | { "method": "turn/completed", "params": TurnCompletedNotification } | { "method": "turn/diff/updated", "params": TurnDiffUpdatedNotification } | { "method": "turn/plan/updated", "params": TurnPlanUpdatedNotification } | { "method": "item/started", "params": ItemStartedNotification } | { "method": "item/completed", "params": ItemCompletedNotification } | { "method": "rawResponseItem/completed", "params": RawResponseItemCompletedNotification } | { "method": "item/agentMessage/delta", "params": AgentMessageDeltaNotification } | { "method": "item/plan/delta", "params": PlanDeltaNotification } | { "method": "item/commandExecution/outputDelta", "params": CommandExecutionOutputDeltaNotification } | { "method": "item/commandExecution/terminalInteraction", "params": TerminalInteractionNotification } | { "method": "item/fileChange/outputDelta", "params": FileChangeOutputDeltaNotification } | { "method": "item/mcpToolCall/progress", "params": McpToolCallProgressNotification } | { "method": "mcpServer/oauthLogin/completed", "params": McpServerOauthLoginCompletedNotification } | { "method": "account/updated", "params": AccountUpdatedNotification } | { "method": "account/rateLimits/updated", "params": AccountRateLimitsUpdatedNotification } | { "method": "app/list/updated", "params": AppListUpdatedNotification } | { "method": "item/reasoning/summaryTextDelta", "params": ReasoningSummaryTextDeltaNotification } | { "method": "item/reasoning/summaryPartAdded", "params": ReasoningSummaryPartAddedNotification } | { "method": "item/reasoning/textDelta", "params": ReasoningTextDeltaNotification } | { "method": "thread/compacted", "params": ContextCompactedNotification } | { "method": "deprecationNotice", "params": DeprecationNoticeNotification } | { "method": "configWarning", "params": ConfigWarningNotification } | { "method": "windows/worldWritableWarning", "params": WindowsWorldWritableWarningNotification } | { "method": "account/login/completed", "params": AccountLoginCompletedNotification } | { "method": "authStatusChange", "params": AuthStatusChangeNotification } | { "method": "loginChatGptComplete", "params": LoginChatGptCompleteNotification } | { "method": "sessionConfigured", "params": SessionConfiguredNotification };
+export type ServerNotification = { "method": "error", "params": ErrorNotification } | { "method": "thread/started", "params": ThreadStartedNotification } | { "method": "thread/name/updated", "params": ThreadNameUpdatedNotification } | { "method": "thread/tokenUsage/updated", "params": ThreadTokenUsageUpdatedNotification } | { "method": "turn/started", "params": TurnStartedNotification } | { "method": "turn/completed", "params": TurnCompletedNotification } | { "method": "turn/diff/updated", "params": TurnDiffUpdatedNotification } | { "method": "turn/plan/updated", "params": TurnPlanUpdatedNotification } | { "method": "item/started", "params": ItemStartedNotification } | { "method": "item/completed", "params": ItemCompletedNotification } | { "method": "rawResponseItem/completed", "params": RawResponseItemCompletedNotification } | { "method": "item/agentMessage/delta", "params": AgentMessageDeltaNotification } | { "method": "item/plan/delta", "params": PlanDeltaNotification } | { "method": "item/commandExecution/outputDelta", "params": CommandExecutionOutputDeltaNotification } | { "method": "item/commandExecution/terminalInteraction", "params": TerminalInteractionNotification } | { "method": "item/fileChange/outputDelta", "params": FileChangeOutputDeltaNotification } | { "method": "item/mcpToolCall/progress", "params": McpToolCallProgressNotification } | { "method": "mcpServer/oauthLogin/completed", "params": McpServerOauthLoginCompletedNotification } | { "method": "account/updated", "params": AccountUpdatedNotification } | { "method": "account/rateLimits/updated", "params": AccountRateLimitsUpdatedNotification } | { "method": "app/list/updated", "params": AppListUpdatedNotification } | { "method": "item/reasoning/summaryTextDelta", "params": ReasoningSummaryTextDeltaNotification } | { "method": "item/reasoning/summaryPartAdded", "params": ReasoningSummaryPartAddedNotification } | { "method": "item/reasoning/textDelta", "params": ReasoningTextDeltaNotification } | { "method": "thread/compacted", "params": ContextCompactedNotification } | { "method": "deprecationNotice", "params": DeprecationNoticeNotification } | { "method": "configWarning", "params": ConfigWarningNotification } | { "method": "fuzzyFileSearch/sessionUpdated", "params": FuzzyFileSearchSessionUpdatedNotification } | { "method": "fuzzyFileSearch/sessionCompleted", "params": FuzzyFileSearchSessionCompletedNotification } | { "method": "windows/worldWritableWarning", "params": WindowsWorldWritableWarningNotification } | { "method": "account/login/completed", "params": AccountLoginCompletedNotification } | { "method": "authStatusChange", "params": AuthStatusChangeNotification } | { "method": "loginChatGptComplete", "params": LoginChatGptCompleteNotification } | { "method": "sessionConfigured", "params": SessionConfiguredNotification };
--- a/codex-rs/app-server-protocol/schema/typescript/SubAgentSource.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/SubAgentSource.ts
@@ -3,4 +3,4 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { ThreadId } from "./ThreadId";

-export type SubAgentSource = "review" | "compact" | { "thread_spawn": { parent_thread_id: ThreadId, depth: number, } } | { "other": string };
+export type SubAgentSource = "review" | "compact" | { "thread_spawn": { parent_thread_id: ThreadId, depth: number, } } | "memory_consolidation" | { "other": string };
--- a/codex-rs/app-server-protocol/schema/typescript/index.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/index.ts
@@ -62,6 +62,7 @@ export type { ExecCommandBeginEvent } from "./ExecCommandBeginEvent";
 export type { ExecCommandEndEvent } from "./ExecCommandEndEvent";
 export type { ExecCommandOutputDeltaEvent } from "./ExecCommandOutputDeltaEvent";
 export type { ExecCommandSource } from "./ExecCommandSource";
+export type { ExecCommandStatus } from "./ExecCommandStatus";
 export type { ExecOneOffCommandParams } from "./ExecOneOffCommandParams";
 export type { ExecOneOffCommandResponse } from "./ExecOneOffCommandResponse";
 export type { ExecOutputStream } from "./ExecOutputStream";
@@ -77,6 +78,8 @@ export type { FunctionCallOutputPayload } from "./FunctionCallOutputPayload";
 export type { FuzzyFileSearchParams } from "./FuzzyFileSearchParams";
 export type { FuzzyFileSearchResponse } from "./FuzzyFileSearchResponse";
 export type { FuzzyFileSearchResult } from "./FuzzyFileSearchResult";
+export type { FuzzyFileSearchSessionCompletedNotification } from "./FuzzyFileSearchSessionCompletedNotification";
+export type { FuzzyFileSearchSessionUpdatedNotification } from "./FuzzyFileSearchSessionUpdatedNotification";
 export type { GetAuthStatusParams } from "./GetAuthStatusParams";
 export type { GetAuthStatusResponse } from "./GetAuthStatusResponse";
 export type { GetConversationSummaryParams } from "./GetConversationSummaryParams";
@@ -123,11 +126,14 @@ export type { McpToolCallEndEvent } from "./McpToolCallEndEvent";
 export type { MessagePhase } from "./MessagePhase";
 export type { ModeKind } from "./ModeKind";
 export type { NetworkAccess } from "./NetworkAccess";
+export type { NetworkApprovalContext } from "./NetworkApprovalContext";
+export type { NetworkApprovalProtocol } from "./NetworkApprovalProtocol";
 export type { NewConversationParams } from "./NewConversationParams";
 export type { NewConversationResponse } from "./NewConversationResponse";
 export type { ParsedCommand } from "./ParsedCommand";
 export type { PatchApplyBeginEvent } from "./PatchApplyBeginEvent";
 export type { PatchApplyEndEvent } from "./PatchApplyEndEvent";
+export type { PatchApplyStatus } from "./PatchApplyStatus";
 export type { Personality } from "./Personality";
 export type { PlanDeltaEvent } from "./PlanDeltaEvent";
 export type { PlanItem } from "./PlanItem";
@@ -137,6 +143,7 @@ export type { Profile } from "./Profile";
 export type { RateLimitSnapshot } from "./RateLimitSnapshot";
 export type { RateLimitWindow } from "./RateLimitWindow";
 export type { RawResponseItemEvent } from "./RawResponseItemEvent";
+export type { ReadOnlyAccess } from "./ReadOnlyAccess";
 export type { ReasoningContentDeltaEvent } from "./ReasoningContentDeltaEvent";
 export type { ReasoningEffort } from "./ReasoningEffort";
 export type { ReasoningItem } from "./ReasoningItem";
--- a/codex-rs/app-server-protocol/schema/typescript/v2/AppInfo.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/AppInfo.ts
@@ -5,4 +5,13 @@
 /**
 * EXPERIMENTAL - app metadata returned by app-list APIs.
 */
-export type AppInfo = { id: string, name: string, description: string | null, logoUrl: string | null, logoUrlDark: string | null, distributionChannel: string | null, installUrl: string | null, isAccessible: boolean, };
+export type AppInfo = { id: string, name: string, description: string | null, logoUrl: string | null, logoUrlDark: string | null, distributionChannel: string | null, installUrl: string | null, isAccessible: boolean, 
+/**
+ * Whether this app is enabled in config.toml.
+ * Example:
+ * ```toml
+ * [apps.bad_app]
+ * enabled = false
+ * ```
+ */
+isEnabled: boolean, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/CodexErrorInfo.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/CodexErrorInfo.ts
@@ -8,4 +8,4 @@
 * When an upstream HTTP status is available (for example, from the Responses API or a provider),
 * it is forwarded in `httpStatusCode` on the relevant `codexErrorInfo` variant.
 */
-export type CodexErrorInfo = "contextWindowExceeded" | "usageLimitExceeded" | { "modelCap": { model: string, reset_after_seconds: bigint | null, } } | { "httpConnectionFailed": { httpStatusCode: number | null, } } | { "responseStreamConnectionFailed": { httpStatusCode: number | null, } } | "internalServerError" | "unauthorized" | "badRequest" | "threadRollbackFailed" | "sandboxError" | { "responseStreamDisconnected": { httpStatusCode: number | null, } } | { "responseTooManyFailedAttempts": { httpStatusCode: number | null, } } | "other";
+export type CodexErrorInfo = "contextWindowExceeded" | "usageLimitExceeded" | "serverOverloaded" | { "httpConnectionFailed": { httpStatusCode: number | null, } } | { "responseStreamConnectionFailed": { httpStatusCode: number | null, } } | "internalServerError" | "unauthorized" | "badRequest" | "threadRollbackFailed" | "sandboxError" | { "responseStreamDisconnected": { httpStatusCode: number | null, } } | { "responseTooManyFailedAttempts": { httpStatusCode: number | null, } } | "other";
--- a/codex-rs/app-server-protocol/schema/typescript/v2/Model.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/Model.ts
@@ -5,4 +5,4 @@ import type { InputModality } from "../InputModality";
 import type { ReasoningEffort } from "../ReasoningEffort";
 import type { ReasoningEffortOption } from "./ReasoningEffortOption";

-export type Model = { id: string, model: string, upgrade: string | null, displayName: string, description: string, supportedReasoningEfforts: Array<ReasoningEffortOption>, defaultReasoningEffort: ReasoningEffort, inputModalities: Array<InputModality>, supportsPersonality: boolean, isDefault: boolean, };
+export type Model = { id: string, model: string, upgrade: string | null, displayName: string, description: string, hidden: boolean, supportedReasoningEfforts: Array<ReasoningEffortOption>, defaultReasoningEffort: ReasoningEffort, inputModalities: Array<InputModality>, supportsPersonality: boolean, isDefault: boolean, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ModelListParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ModelListParams.ts
@@ -10,4 +10,8 @@ cursor?: string | null,
 /**
 * Optional page size; defaults to a reasonable server-side value.
 */
-limit?: number | null, };
+limit?: number | null, 
+/**
+ * When true, include models that are hidden from the default picker list.
+ */
+includeHidden?: boolean | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ReadOnlyAccess.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ReadOnlyAccess.ts
@@ -0,0 +1,6 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { AbsolutePathBuf } from "../AbsolutePathBuf";
+
+export type ReadOnlyAccess = { "type": "restricted", includePlatformDefaults: boolean, readableRoots: Array<AbsolutePathBuf>, } | { "type": "fullAccess" };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/SandboxPolicy.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/SandboxPolicy.ts
@@ -3,5 +3,6 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 import type { NetworkAccess } from "./NetworkAccess";
+import type { ReadOnlyAccess } from "./ReadOnlyAccess";

-export type SandboxPolicy = { "type": "dangerFullAccess" } | { "type": "readOnly" } | { "type": "externalSandbox", networkAccess: NetworkAccess, } | { "type": "workspaceWrite", writableRoots: Array<AbsolutePathBuf>, networkAccess: boolean, excludeTmpdirEnvVar: boolean, excludeSlashTmp: boolean, };
+export type SandboxPolicy = { "type": "dangerFullAccess" } | { "type": "readOnly", access: ReadOnlyAccess, } | { "type": "externalSandbox", networkAccess: NetworkAccess, } | { "type": "workspaceWrite", writableRoots: Array<AbsolutePathBuf>, readOnlyAccess: ReadOnlyAccess, networkAccess: boolean, excludeTmpdirEnvVar: boolean, excludeSlashTmp: boolean, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ThreadForkParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ThreadForkParams.ts
@@ -21,4 +21,8 @@ export type ThreadForkParams = {threadId: string, /**
 path?: string | null, /**
 * Configuration overrides for the forked thread, if any.
 */
-model?: string | null, modelProvider?: string | null, cwd?: string | null, approvalPolicy?: AskForApproval | null, sandbox?: SandboxMode | null, config?: { [key in string]?: JsonValue } | null, baseInstructions?: string | null, developerInstructions?: string | null};
+model?: string | null, modelProvider?: string | null, cwd?: string | null, approvalPolicy?: AskForApproval | null, sandbox?: SandboxMode | null, config?: { [key in string]?: JsonValue } | null, baseInstructions?: string | null, developerInstructions?: string | null, /**
+ * If true, persist additional rollout EventMsg variants required to
+ * reconstruct a richer thread history on subsequent resume/fork/read.
+ */
+persistExtendedHistory: boolean};
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ThreadListParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ThreadListParams.ts
@@ -31,4 +31,9 @@ sourceKinds?: Array<ThreadSourceKind> | null,
 * Optional archived filter; when set to true, only archived threads are returned.
 * If false or null, only non-archived threads are returned.
 */
-archived?: boolean | null, };
+archived?: boolean | null, 
+/**
+ * Optional cwd filter; when set, only threads whose session cwd exactly
+ * matches this path are returned.
+ */
+cwd?: string | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ThreadResumeParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ThreadResumeParams.ts
@@ -30,4 +30,8 @@ history?: Array<ResponseItem> | null, /**
 path?: string | null, /**
 * Configuration overrides for the resumed thread, if any.
 */
-model?: string | null, modelProvider?: string | null, cwd?: string | null, approvalPolicy?: AskForApproval | null, sandbox?: SandboxMode | null, config?: { [key in string]?: JsonValue } | null, baseInstructions?: string | null, developerInstructions?: string | null, personality?: Personality | null};
+model?: string | null, modelProvider?: string | null, cwd?: string | null, approvalPolicy?: AskForApproval | null, sandbox?: SandboxMode | null, config?: { [key in string]?: JsonValue } | null, baseInstructions?: string | null, developerInstructions?: string | null, personality?: Personality | null, /**
+ * If true, persist additional rollout EventMsg variants required to
+ * reconstruct a richer thread history on subsequent resume/fork/read.
+ */
+persistExtendedHistory: boolean};
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ThreadStartParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ThreadStartParams.ts
@@ -10,4 +10,8 @@ export type ThreadStartParams = {model?: string | null, modelProvider?: string |
 * If true, opt into emitting raw Responses API items on the event stream.
 * This is for internal use only (e.g. Codex Cloud).
 */
-experimentalRawEvents: boolean};
+experimentalRawEvents: boolean, /**
+ * If true, persist additional rollout EventMsg variants required to
+ * reconstruct a richer thread history on resume/fork/read.
+ */
+persistExtendedHistory: boolean};
--- a/codex-rs/app-server-protocol/schema/typescript/v2/index.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/index.ts
@@ -101,6 +101,7 @@ export type { ProfileV2 } from "./ProfileV2";
 export type { RateLimitSnapshot } from "./RateLimitSnapshot";
 export type { RateLimitWindow } from "./RateLimitWindow";
 export type { RawResponseItemCompletedNotification } from "./RawResponseItemCompletedNotification";
+export type { ReadOnlyAccess } from "./ReadOnlyAccess";
 export type { ReasoningEffortOption } from "./ReasoningEffortOption";
 export type { ReasoningSummaryPartAddedNotification } from "./ReasoningSummaryPartAddedNotification";
 export type { ReasoningSummaryTextDeltaNotification } from "./ReasoningSummaryTextDeltaNotification";
--- a/codex-rs/app-server-protocol/src/protocol/common.rs
+++ b/codex-rs/app-server-protocol/src/protocol/common.rs
@@ -458,6 +458,21 @@ client_request_definitions! {
        params: FuzzyFileSearchParams,
        response: FuzzyFileSearchResponse,
    },
+    #[experimental("fuzzyFileSearch/sessionStart")]
+    FuzzyFileSearchSessionStart => "fuzzyFileSearch/sessionStart" {
+        params: FuzzyFileSearchSessionStartParams,
+        response: FuzzyFileSearchSessionStartResponse,
+    },
+    #[experimental("fuzzyFileSearch/sessionUpdate")]
+    FuzzyFileSearchSessionUpdate => "fuzzyFileSearch/sessionUpdate" {
+        params: FuzzyFileSearchSessionUpdateParams,
+        response: FuzzyFileSearchSessionUpdateResponse,
+    },
+    #[experimental("fuzzyFileSearch/sessionStop")]
+    FuzzyFileSearchSessionStop => "fuzzyFileSearch/sessionStop" {
+        params: FuzzyFileSearchSessionStopParams,
+        response: FuzzyFileSearchSessionStopResponse,
+    },
    /// Execute a command (argv vector) under the server's sandbox.
    ExecOneOffCommand {
        params: v1::ExecOneOffCommandParams,
@@ -702,6 +717,54 @@ pub struct FuzzyFileSearchResponse {
    pub files: Vec<FuzzyFileSearchResult>,
 }

+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(rename_all = "camelCase")]
+pub struct FuzzyFileSearchSessionStartParams {
+    pub session_id: String,
+    pub roots: Vec<String>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS, Default)]
+pub struct FuzzyFileSearchSessionStartResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(rename_all = "camelCase")]
+pub struct FuzzyFileSearchSessionUpdateParams {
+    pub session_id: String,
+    pub query: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS, Default)]
+pub struct FuzzyFileSearchSessionUpdateResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(rename_all = "camelCase")]
+pub struct FuzzyFileSearchSessionStopParams {
+    pub session_id: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS, Default)]
+pub struct FuzzyFileSearchSessionStopResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(rename_all = "camelCase")]
+pub struct FuzzyFileSearchSessionUpdatedNotification {
+    pub session_id: String,
+    pub query: String,
+    pub files: Vec<FuzzyFileSearchResult>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(rename_all = "camelCase")]
+pub struct FuzzyFileSearchSessionCompletedNotification {
+    pub session_id: String,
+}
+
 server_notification_definitions! {
    /// NEW NOTIFICATIONS
    Error => "error" (v2::ErrorNotification),
@@ -734,6 +797,8 @@ server_notification_definitions! {
    ContextCompacted => "thread/compacted" (v2::ContextCompactedNotification),
    DeprecationNotice => "deprecationNotice" (v2::DeprecationNoticeNotification),
    ConfigWarning => "configWarning" (v2::ConfigWarningNotification),
+    FuzzyFileSearchSessionUpdated => "fuzzyFileSearch/sessionUpdated" (FuzzyFileSearchSessionUpdatedNotification),
+    FuzzyFileSearchSessionCompleted => "fuzzyFileSearch/sessionCompleted" (FuzzyFileSearchSessionCompletedNotification),

    /// Notifies the user of world-writable directories on Windows, which cannot be protected by the sandbox.
    WindowsWorldWritableWarning => "windows/worldWritableWarning" (v2::WindowsWorldWritableWarningNotification),
@@ -1170,7 +1235,8 @@ mod tests {
                "id": 6,
                "params": {
                    "limit": null,
-                    "cursor": null
+                    "cursor": null,
+                    "includeHidden": null
                }
            }),
            serde_json::to_value(&request)?,
@@ -1266,17 +1332,4 @@ mod tests {
        let reason = crate::experimental_api::ExperimentalApi::experimental_reason(&request);
        assert_eq!(reason, Some("mock/experimentalMethod"));
    }
-
-    #[test]
-    fn thread_start_mock_field_is_marked_experimental() {
-        let request = ClientRequest::ThreadStart {
-            request_id: RequestId::Integer(1),
-            params: v2::ThreadStartParams {
-                mock_experimental_field: Some("mock".to_string()),
-                ..Default::default()
-            },
-        };
-        let reason = crate::experimental_api::ExperimentalApi::experimental_reason(&request);
-        assert_eq!(reason, Some("thread/start.mockExperimentalField"));
-    }
 }
--- a/codex-rs/app-server-protocol/src/protocol/thread_history.rs
+++ b/codex-rs/app-server-protocol/src/protocol/thread_history.rs
--- a/codex-rs/app-server-protocol/src/protocol/v2.rs
+++ b/codex-rs/app-server-protocol/src/protocol/v2.rs
@@ -29,9 +29,12 @@ use codex_protocol::protocol::AgentStatus as CoreAgentStatus;
 use codex_protocol::protocol::AskForApproval as CoreAskForApproval;
 use codex_protocol::protocol::CodexErrorInfo as CoreCodexErrorInfo;
 use codex_protocol::protocol::CreditsSnapshot as CoreCreditsSnapshot;
+use codex_protocol::protocol::ExecCommandStatus as CoreExecCommandStatus;
 use codex_protocol::protocol::NetworkAccess as CoreNetworkAccess;
+use codex_protocol::protocol::PatchApplyStatus as CorePatchApplyStatus;
 use codex_protocol::protocol::RateLimitSnapshot as CoreRateLimitSnapshot;
 use codex_protocol::protocol::RateLimitWindow as CoreRateLimitWindow;
+use codex_protocol::protocol::ReadOnlyAccess as CoreReadOnlyAccess;
 use codex_protocol::protocol::SessionSource as CoreSessionSource;
 use codex_protocol::protocol::SkillDependencies as CoreSkillDependencies;
 use codex_protocol::protocol::SkillErrorInfo as CoreSkillErrorInfo;
@@ -88,10 +91,7 @@ macro_rules! v2_enum_from_core {
 pub enum CodexErrorInfo {
    ContextWindowExceeded,
    UsageLimitExceeded,
-    ModelCap {
-        model: String,
-        reset_after_seconds: Option<u64>,
-    },
+    ServerOverloaded,
    HttpConnectionFailed {
        #[serde(rename = "httpStatusCode")]
        #[ts(rename = "httpStatusCode")]
@@ -128,13 +128,7 @@ impl From<CoreCodexErrorInfo> for CodexErrorInfo {
        match value {
            CoreCodexErrorInfo::ContextWindowExceeded => CodexErrorInfo::ContextWindowExceeded,
            CoreCodexErrorInfo::UsageLimitExceeded => CodexErrorInfo::UsageLimitExceeded,
-            CoreCodexErrorInfo::ModelCap {
-                model,
-                reset_after_seconds,
-            } => CodexErrorInfo::ModelCap {
-                model,
-                reset_after_seconds,
-            },
+            CoreCodexErrorInfo::ServerOverloaded => CodexErrorInfo::ServerOverloaded,
            CoreCodexErrorInfo::HttpConnectionFailed { http_status_code } => {
                CodexErrorInfo::HttpConnectionFailed { http_status_code }
            }
@@ -404,6 +398,10 @@ const fn default_enabled() -> bool {
    true
 }

+const fn default_include_platform_defaults() -> bool {
+    true
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS, ExperimentalApi)]
 #[serde(rename_all = "snake_case")]
 #[ts(export_to = "v2/")]
@@ -647,13 +645,65 @@ pub enum NetworkAccess {
    Enabled,
 }

+#[derive(Serialize, Deserialize, Debug, Default, Clone, PartialEq, Eq, JsonSchema, TS)]
+#[serde(tag = "type", rename_all = "camelCase")]
+#[ts(tag = "type")]
+#[ts(export_to = "v2/")]
+pub enum ReadOnlyAccess {
+    #[serde(rename_all = "camelCase")]
+    #[ts(rename_all = "camelCase")]
+    Restricted {
+        #[serde(default = "default_include_platform_defaults")]
+        include_platform_defaults: bool,
+        #[serde(default)]
+        readable_roots: Vec<AbsolutePathBuf>,
+    },
+    #[default]
+    FullAccess,
+}
+
+impl ReadOnlyAccess {
+    pub fn to_core(&self) -> CoreReadOnlyAccess {
+        match self {
+            ReadOnlyAccess::Restricted {
+                include_platform_defaults,
+                readable_roots,
+            } => CoreReadOnlyAccess::Restricted {
+                include_platform_defaults: *include_platform_defaults,
+                readable_roots: readable_roots.clone(),
+            },
+            ReadOnlyAccess::FullAccess => CoreReadOnlyAccess::FullAccess,
+        }
+    }
+}
+
+impl From<CoreReadOnlyAccess> for ReadOnlyAccess {
+    fn from(value: CoreReadOnlyAccess) -> Self {
+        match value {
+            CoreReadOnlyAccess::Restricted {
+                include_platform_defaults,
+                readable_roots,
+            } => ReadOnlyAccess::Restricted {
+                include_platform_defaults,
+                readable_roots,
+            },
+            CoreReadOnlyAccess::FullAccess => ReadOnlyAccess::FullAccess,
+        }
+    }
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
 #[serde(tag = "type", rename_all = "camelCase")]
 #[ts(tag = "type")]
 #[ts(export_to = "v2/")]
 pub enum SandboxPolicy {
    DangerFullAccess,
-    ReadOnly,
+    #[serde(rename_all = "camelCase")]
+    #[ts(rename_all = "camelCase")]
+    ReadOnly {
+        #[serde(default)]
+        access: ReadOnlyAccess,
+    },
    #[serde(rename_all = "camelCase")]
    #[ts(rename_all = "camelCase")]
    ExternalSandbox {
@@ -666,6 +716,8 @@ pub enum SandboxPolicy {
        #[serde(default)]
        writable_roots: Vec<AbsolutePathBuf>,
        #[serde(default)]
+        read_only_access: ReadOnlyAccess,
+        #[serde(default)]
        network_access: bool,
        #[serde(default)]
        exclude_tmpdir_env_var: bool,
@@ -680,7 +732,11 @@ impl SandboxPolicy {
            SandboxPolicy::DangerFullAccess => {
                codex_protocol::protocol::SandboxPolicy::DangerFullAccess
            }
-            SandboxPolicy::ReadOnly => codex_protocol::protocol::SandboxPolicy::ReadOnly,
+            SandboxPolicy::ReadOnly { access } => {
+                codex_protocol::protocol::SandboxPolicy::ReadOnly {
+                    access: access.to_core(),
+                }
+            }
            SandboxPolicy::ExternalSandbox { network_access } => {
                codex_protocol::protocol::SandboxPolicy::ExternalSandbox {
                    network_access: match network_access {
@@ -691,11 +747,13 @@ impl SandboxPolicy {
            }
            SandboxPolicy::WorkspaceWrite {
                writable_roots,
+                read_only_access,
                network_access,
                exclude_tmpdir_env_var,
                exclude_slash_tmp,
            } => codex_protocol::protocol::SandboxPolicy::WorkspaceWrite {
                writable_roots: writable_roots.clone(),
+                read_only_access: read_only_access.to_core(),
                network_access: *network_access,
                exclude_tmpdir_env_var: *exclude_tmpdir_env_var,
                exclude_slash_tmp: *exclude_slash_tmp,
@@ -710,7 +768,11 @@ impl From<codex_protocol::protocol::SandboxPolicy> for SandboxPolicy {
            codex_protocol::protocol::SandboxPolicy::DangerFullAccess => {
                SandboxPolicy::DangerFullAccess
            }
-            codex_protocol::protocol::SandboxPolicy::ReadOnly => SandboxPolicy::ReadOnly,
+            codex_protocol::protocol::SandboxPolicy::ReadOnly { access } => {
+                SandboxPolicy::ReadOnly {
+                    access: ReadOnlyAccess::from(access),
+                }
+            }
            codex_protocol::protocol::SandboxPolicy::ExternalSandbox { network_access } => {
                SandboxPolicy::ExternalSandbox {
                    network_access: match network_access {
@@ -721,11 +783,13 @@ impl From<codex_protocol::protocol::SandboxPolicy> for SandboxPolicy {
            }
            codex_protocol::protocol::SandboxPolicy::WorkspaceWrite {
                writable_roots,
+                read_only_access,
                network_access,
                exclude_tmpdir_env_var,
                exclude_slash_tmp,
            } => SandboxPolicy::WorkspaceWrite {
                writable_roots,
+                read_only_access: ReadOnlyAccess::from(read_only_access),
                network_access,
                exclude_tmpdir_env_var,
                exclude_slash_tmp,
@@ -1046,6 +1110,9 @@ pub struct ModelListParams {
    /// Optional page size; defaults to a reasonable server-side value.
    #[ts(optional = nullable)]
    pub limit: Option<u32>,
+    /// When true, include models that are hidden from the default picker list.
+    #[ts(optional = nullable)]
+    pub include_hidden: Option<bool>,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -1057,6 +1124,7 @@ pub struct Model {
    pub upgrade: Option<String>,
    pub display_name: String,
    pub description: String,
+    pub hidden: bool,
    pub supported_reasoning_efforts: Vec<ReasoningEffortOption>,
    pub default_reasoning_effort: ReasoningEffort,
    #[serde(default = "default_input_modalities")]
@@ -1226,6 +1294,14 @@ pub struct AppInfo {
    pub install_url: Option<String>,
    #[serde(default)]
    pub is_accessible: bool,
+    /// Whether this app is enabled in config.toml.
+    /// Example:
+    /// ```toml
+    /// [apps.bad_app]
+    /// enabled = false
+    /// ```
+    #[serde(default = "default_enabled")]
+    pub is_enabled: bool,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -1360,6 +1436,11 @@ pub struct ThreadStartParams {
    #[experimental("thread/start.experimentalRawEvents")]
    #[serde(default)]
    pub experimental_raw_events: bool,
+    /// If true, persist additional rollout EventMsg variants required to
+    /// reconstruct a richer thread history on resume/fork/read.
+    #[experimental("thread/start.persistFullHistory")]
+    #[serde(default)]
+    pub persist_extended_history: bool,
 }

 #[derive(Serialize, Deserialize, Debug, Default, Clone, PartialEq, JsonSchema, TS)]
@@ -1441,6 +1522,11 @@ pub struct ThreadResumeParams {
    pub developer_instructions: Option<String>,
    #[ts(optional = nullable)]
    pub personality: Option<Personality>,
+    /// If true, persist additional rollout EventMsg variants required to
+    /// reconstruct a richer thread history on subsequent resume/fork/read.
+    #[experimental("thread/resume.persistFullHistory")]
+    #[serde(default)]
+    pub persist_extended_history: bool,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -1494,6 +1580,11 @@ pub struct ThreadForkParams {
    pub base_instructions: Option<String>,
    #[ts(optional = nullable)]
    pub developer_instructions: Option<String>,
+    /// If true, persist additional rollout EventMsg variants required to
+    /// reconstruct a richer thread history on subsequent resume/fork/read.
+    #[experimental("thread/fork.persistFullHistory")]
+    #[serde(default)]
+    pub persist_extended_history: bool,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -1621,6 +1712,10 @@ pub struct ThreadListParams {
    /// If false or null, only non-archived threads are returned.
    #[ts(optional = nullable)]
    pub archived: Option<bool>,
+    /// Optional cwd filter; when set, only threads whose session cwd exactly
+    /// matches this path are returned.
+    #[ts(optional = nullable)]
+    pub cwd: Option<String>,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, JsonSchema, TS)]
@@ -2560,6 +2655,22 @@ pub enum CommandExecutionStatus {
    Declined,
 }

+impl From<CoreExecCommandStatus> for CommandExecutionStatus {
+    fn from(value: CoreExecCommandStatus) -> Self {
+        Self::from(&value)
+    }
+}
+
+impl From<&CoreExecCommandStatus> for CommandExecutionStatus {
+    fn from(value: &CoreExecCommandStatus) -> Self {
+        match value {
+            CoreExecCommandStatus::Completed => CommandExecutionStatus::Completed,
+            CoreExecCommandStatus::Failed => CommandExecutionStatus::Failed,
+            CoreExecCommandStatus::Declined => CommandExecutionStatus::Declined,
+        }
+    }
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -2600,6 +2711,22 @@ pub enum PatchApplyStatus {
    Declined,
 }

+impl From<CorePatchApplyStatus> for PatchApplyStatus {
+    fn from(value: CorePatchApplyStatus) -> Self {
+        Self::from(&value)
+    }
+}
+
+impl From<&CorePatchApplyStatus> for PatchApplyStatus {
+    fn from(value: &CorePatchApplyStatus) -> Self {
+        match value {
+            CorePatchApplyStatus::Completed => PatchApplyStatus::Completed,
+            CorePatchApplyStatus::Failed => PatchApplyStatus::Failed,
+            CorePatchApplyStatus::Declined => PatchApplyStatus::Declined,
+        }
+    }
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -3235,11 +3362,21 @@ mod tests {
    use codex_protocol::items::WebSearchItem;
    use codex_protocol::models::WebSearchAction as CoreWebSearchAction;
    use codex_protocol::protocol::NetworkAccess as CoreNetworkAccess;
+    use codex_protocol::protocol::ReadOnlyAccess as CoreReadOnlyAccess;
    use codex_protocol::user_input::UserInput as CoreUserInput;
    use pretty_assertions::assert_eq;
    use serde_json::json;
    use std::path::PathBuf;

+    fn test_absolute_path() -> AbsolutePathBuf {
+        let path = if cfg!(windows) {
+            r"C:\readable"
+        } else {
+            "/readable"
+        };
+        AbsolutePathBuf::from_absolute_path(path).expect("path must be absolute")
+    }
+
    #[test]
    fn sandbox_policy_round_trips_external_sandbox_network_access() {
        let v2_policy = SandboxPolicy::ExternalSandbox {
@@ -3258,6 +3395,100 @@ mod tests {
        assert_eq!(back_to_v2, v2_policy);
    }

+    #[test]
+    fn sandbox_policy_round_trips_read_only_access() {
+        let readable_root = test_absolute_path();
+        let v2_policy = SandboxPolicy::ReadOnly {
+            access: ReadOnlyAccess::Restricted {
+                include_platform_defaults: false,
+                readable_roots: vec![readable_root.clone()],
+            },
+        };
+
+        let core_policy = v2_policy.to_core();
+        assert_eq!(
+            core_policy,
+            codex_protocol::protocol::SandboxPolicy::ReadOnly {
+                access: CoreReadOnlyAccess::Restricted {
+                    include_platform_defaults: false,
+                    readable_roots: vec![readable_root],
+                },
+            }
+        );
+
+        let back_to_v2 = SandboxPolicy::from(core_policy);
+        assert_eq!(back_to_v2, v2_policy);
+    }
+
+    #[test]
+    fn sandbox_policy_round_trips_workspace_write_read_only_access() {
+        let readable_root = test_absolute_path();
+        let v2_policy = SandboxPolicy::WorkspaceWrite {
+            writable_roots: vec![],
+            read_only_access: ReadOnlyAccess::Restricted {
+                include_platform_defaults: false,
+                readable_roots: vec![readable_root.clone()],
+            },
+            network_access: true,
+            exclude_tmpdir_env_var: false,
+            exclude_slash_tmp: false,
+        };
+
+        let core_policy = v2_policy.to_core();
+        assert_eq!(
+            core_policy,
+            codex_protocol::protocol::SandboxPolicy::WorkspaceWrite {
+                writable_roots: vec![],
+                read_only_access: CoreReadOnlyAccess::Restricted {
+                    include_platform_defaults: false,
+                    readable_roots: vec![readable_root],
+                },
+                network_access: true,
+                exclude_tmpdir_env_var: false,
+                exclude_slash_tmp: false,
+            }
+        );
+
+        let back_to_v2 = SandboxPolicy::from(core_policy);
+        assert_eq!(back_to_v2, v2_policy);
+    }
+
+    #[test]
+    fn sandbox_policy_deserializes_legacy_read_only_without_access_field() {
+        let policy: SandboxPolicy = serde_json::from_value(json!({
+            "type": "readOnly"
+        }))
+        .expect("read-only policy should deserialize");
+        assert_eq!(
+            policy,
+            SandboxPolicy::ReadOnly {
+                access: ReadOnlyAccess::FullAccess,
+            }
+        );
+    }
+
+    #[test]
+    fn sandbox_policy_deserializes_legacy_workspace_write_without_read_only_access_field() {
+        let policy: SandboxPolicy = serde_json::from_value(json!({
+            "type": "workspaceWrite",
+            "writableRoots": [],
+            "networkAccess": false,
+            "excludeTmpdirEnvVar": false,
+            "excludeSlashTmp": false
+        }))
+        .expect("workspace-write policy should deserialize");
+        assert_eq!(
+            policy,
+            SandboxPolicy::WorkspaceWrite {
+                writable_roots: vec![],
+                read_only_access: ReadOnlyAccess::FullAccess,
+                network_access: false,
+                exclude_tmpdir_env_var: false,
+                exclude_slash_tmp: false,
+            }
+        );
+    }
+
    #[test]
    fn core_turn_item_into_thread_item_converts_supported_variants() {
        let user_item = TurnItem::UserMessage(UserMessageItem {
--- a/codex-rs/app-server-test-client/Cargo.lock
+++ b/codex-rs/app-server-test-client/Cargo.lock
--- a/codex-rs/app-server-test-client/Cargo.toml
+++ b/codex-rs/app-server-test-client/Cargo.toml
@@ -14,4 +14,6 @@ codex-app-server-protocol = { workspace = true }
 codex-protocol = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
+tungstenite = { workspace = true }
+url = { workspace = true }
 uuid = { workspace = true, features = ["v4"] }
--- a/codex-rs/app-server-test-client/README.md
+++ b/codex-rs/app-server-test-client/README.md
@@ -1,2 +1,49 @@
 # App Server Test Client
-Exercises simple `codex app-server` flows end-to-end, logging JSON-RPC messages sent between client and server to stdout.
+Quickstart for running and hitting `codex app-server`.
+
+## Quickstart
+
+Run from `<reporoot>/codex-rs`.
+
+```bash
+# 1) Build debug codex binary
+cargo build -p codex-cli --bin codex
+
+# 2) Start websocket app-server in background
+cargo run -p codex-app-server-test-client -- \
+  --codex-bin ./target/debug/codex \
+  serve --listen ws://127.0.0.1:4222 --kill
+
+# 3) Call app-server (defaults to ws://127.0.0.1:4222)
+cargo run -p codex-app-server-test-client -- model-list
+```
+
+## Testing Thread Rejoin Behavior
+
+Build and start an app server using commands above. The app-server log is written to `/tmp/codex-app-server-test-client/app-server.log`
+
+### 1) Get a thread id
+
+Create at least one thread, then list threads:
+
+```bash
+cargo run -p codex-app-server-test-client -- send-message-v2 "seed thread for rejoin test"
+cargo run -p codex-app-server-test-client -- thread-list --limit 5
+```
+
+Copy a thread id from the `thread-list` output.
+
+### 2) Rejoin while a turn is in progress (two terminals)
+
+Terminal A:
+
+```bash
+cargo run --bin codex-app-server-test-client -- \
+  resume-message-v2 <THREAD_ID> "respond with thorough docs on the rust core"
+```
+
+Terminal B (while Terminal A is still streaming):
+
+```bash
+cargo run --bin codex-app-server-test-client -- thread-resume <THREAD_ID>
+```
--- a/codex-rs/app-server-test-client/src/lib.rs
+++ b/codex-rs/app-server-test-client/src/lib.rs
@@ -1,8 +1,10 @@
 use std::collections::VecDeque;
 use std::fs;
+use std::fs::OpenOptions;
 use std::io::BufRead;
 use std::io::BufReader;
 use std::io::Write;
+use std::net::TcpStream;
 use std::path::Path;
 use std::path::PathBuf;
 use std::process::Child;
@@ -46,12 +48,15 @@ use codex_app_server_protocol::ModelListParams;
 use codex_app_server_protocol::ModelListResponse;
 use codex_app_server_protocol::NewConversationParams;
 use codex_app_server_protocol::NewConversationResponse;
+use codex_app_server_protocol::ReadOnlyAccess;
 use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::SandboxPolicy;
 use codex_app_server_protocol::SendUserMessageParams;
 use codex_app_server_protocol::SendUserMessageResponse;
 use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::ServerRequest;
+use codex_app_server_protocol::ThreadListParams;
+use codex_app_server_protocol::ThreadListResponse;
 use codex_app_server_protocol::ThreadResumeParams;
 use codex_app_server_protocol::ThreadResumeResponse;
 use codex_app_server_protocol::ThreadStartParams;
@@ -66,15 +71,28 @@ use codex_protocol::protocol::EventMsg;
 use serde::Serialize;
 use serde::de::DeserializeOwned;
 use serde_json::Value;
+use tungstenite::Message;
+use tungstenite::WebSocket;
+use tungstenite::connect;
+use tungstenite::stream::MaybeTlsStream;
+use url::Url;
 use uuid::Uuid;

 /// Minimal launcher that initializes the Codex app-server and logs the handshake.
 #[derive(Parser)]
 #[command(author = "Codex", version, about = "Bootstrap Codex app-server", long_about = None)]
 struct Cli {
-    /// Path to the `codex` CLI binary.
-    #[arg(long, env = "CODEX_BIN", default_value = "codex")]
-    codex_bin: PathBuf,
+    /// Path to the `codex` CLI binary. When set, requests use stdio by
+    /// spawning `codex app-server` as a child process.
+    #[arg(long, env = "CODEX_BIN", global = true)]
+    codex_bin: Option<PathBuf>,
+
+    /// Existing websocket server URL to connect to.
+    ///
+    /// If neither `--codex-bin` nor `--url` is provided, defaults to
+    /// `ws://127.0.0.1:4222`.
+    #[arg(long, env = "CODEX_APP_SERVER_URL", global = true)]
+    url: Option<String>,

    /// Forwarded to the `codex` CLI as `--config key=value`. Repeatable.
    ///
@@ -104,6 +122,18 @@ struct Cli {

 #[derive(Subcommand)]
 enum CliCommand {
+    /// Start `codex app-server` on a websocket endpoint in the background.
+    ///
+    /// Logs are written to:
+    ///   `/tmp/codex-app-server-test-client/`
+    Serve {
+        /// WebSocket listen URL passed to `codex app-server --listen`.
+        #[arg(long, default_value = "ws://127.0.0.1:4222")]
+        listen: String,
+        /// Kill any process listening on the same port before starting.
+        #[arg(long, default_value_t = false)]
+        kill: bool,
+    },
    /// Send a user message through the Codex app-server.
    SendMessage {
        /// User message to send to Codex.
@@ -121,6 +151,13 @@ enum CliCommand {
        /// User message to send to Codex.
        user_message: String,
    },
+    /// Resume a V2 thread and continuously stream notifications/events.
+    ///
+    /// This command does not auto-exit; stop it with SIGINT/SIGTERM/SIGKILL.
+    ThreadResume {
+        /// Existing thread id to resume.
+        thread_id: String,
+    },
    /// Start a V2 turn that elicits an ExecCommand approval.
    #[command(name = "trigger-cmd-approval")]
    TriggerCmdApproval {
@@ -150,11 +187,19 @@ enum CliCommand {
    /// List the available models from the Codex app-server.
    #[command(name = "model-list")]
    ModelList,
+    /// List stored threads from the Codex app-server.
+    #[command(name = "thread-list")]
+    ThreadList {
+        /// Number of threads to return.
+        #[arg(long, default_value_t = 20)]
+        limit: u32,
+    },
 }

 pub fn run() -> Result<()> {
    let Cli {
        codex_bin,
+        url,
        config_overrides,
        dynamic_tools,
        command,
@@ -163,59 +208,222 @@ pub fn run() -> Result<()> {
    let dynamic_tools = parse_dynamic_tools_arg(&dynamic_tools)?;

    match command {
+        CliCommand::Serve { listen, kill } => {
+            ensure_dynamic_tools_unused(&dynamic_tools, "serve")?;
+            let codex_bin = codex_bin.unwrap_or_else(|| PathBuf::from("codex"));
+            serve(&codex_bin, &config_overrides, &listen, kill)
+        }
        CliCommand::SendMessage { user_message } => {
            ensure_dynamic_tools_unused(&dynamic_tools, "send-message")?;
-            send_message(&codex_bin, &config_overrides, user_message)
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            send_message(&endpoint, &config_overrides, user_message)
        }
        CliCommand::SendMessageV2 { user_message } => {
-            send_message_v2(&codex_bin, &config_overrides, user_message, &dynamic_tools)
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            send_message_v2_endpoint(&endpoint, &config_overrides, user_message, &dynamic_tools)
        }
        CliCommand::ResumeMessageV2 {
            thread_id,
            user_message,
-        } => resume_message_v2(
-            &codex_bin,
-            &config_overrides,
-            thread_id,
-            user_message,
-            &dynamic_tools,
-        ),
+        } => {
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            resume_message_v2(
+                &endpoint,
+                &config_overrides,
+                thread_id,
+                user_message,
+                &dynamic_tools,
+            )
+        }
+        CliCommand::ThreadResume { thread_id } => {
+            ensure_dynamic_tools_unused(&dynamic_tools, "thread-resume")?;
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            thread_resume_follow(&endpoint, &config_overrides, thread_id)
+        }
        CliCommand::TriggerCmdApproval { user_message } => {
-            trigger_cmd_approval(&codex_bin, &config_overrides, user_message, &dynamic_tools)
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            trigger_cmd_approval(&endpoint, &config_overrides, user_message, &dynamic_tools)
        }
        CliCommand::TriggerPatchApproval { user_message } => {
-            trigger_patch_approval(&codex_bin, &config_overrides, user_message, &dynamic_tools)
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            trigger_patch_approval(&endpoint, &config_overrides, user_message, &dynamic_tools)
        }
        CliCommand::NoTriggerCmdApproval => {
-            no_trigger_cmd_approval(&codex_bin, &config_overrides, &dynamic_tools)
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            no_trigger_cmd_approval(&endpoint, &config_overrides, &dynamic_tools)
        }
        CliCommand::SendFollowUpV2 {
            first_message,
            follow_up_message,
-        } => send_follow_up_v2(
-            &codex_bin,
-            &config_overrides,
-            first_message,
-            follow_up_message,
-            &dynamic_tools,
-        ),
+        } => {
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            send_follow_up_v2(
+                &endpoint,
+                &config_overrides,
+                first_message,
+                follow_up_message,
+                &dynamic_tools,
+            )
+        }
        CliCommand::TestLogin => {
            ensure_dynamic_tools_unused(&dynamic_tools, "test-login")?;
-            test_login(&codex_bin, &config_overrides)
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            test_login(&endpoint, &config_overrides)
        }
        CliCommand::GetAccountRateLimits => {
            ensure_dynamic_tools_unused(&dynamic_tools, "get-account-rate-limits")?;
-            get_account_rate_limits(&codex_bin, &config_overrides)
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            get_account_rate_limits(&endpoint, &config_overrides)
        }
        CliCommand::ModelList => {
            ensure_dynamic_tools_unused(&dynamic_tools, "model-list")?;
-            model_list(&codex_bin, &config_overrides)
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            model_list(&endpoint, &config_overrides)
+        }
+        CliCommand::ThreadList { limit } => {
+            ensure_dynamic_tools_unused(&dynamic_tools, "thread-list")?;
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            thread_list(&endpoint, &config_overrides, limit)
        }
    }
 }

-fn send_message(codex_bin: &Path, config_overrides: &[String], user_message: String) -> Result<()> {
-    let mut client = CodexClient::spawn(codex_bin, config_overrides)?;
+enum Endpoint {
+    SpawnCodex(PathBuf),
+    ConnectWs(String),
+}
+
+fn resolve_endpoint(codex_bin: Option<PathBuf>, url: Option<String>) -> Result<Endpoint> {
+    if codex_bin.is_some() && url.is_some() {
+        bail!("--codex-bin and --url are mutually exclusive");
+    }
+    if let Some(codex_bin) = codex_bin {
+        return Ok(Endpoint::SpawnCodex(codex_bin));
+    }
+    if let Some(url) = url {
+        return Ok(Endpoint::ConnectWs(url));
+    }
+    Ok(Endpoint::ConnectWs("ws://127.0.0.1:4222".to_string()))
+}
+
+fn serve(codex_bin: &Path, config_overrides: &[String], listen: &str, kill: bool) -> Result<()> {
+    let runtime_dir = PathBuf::from("/tmp/codex-app-server-test-client");
+    fs::create_dir_all(&runtime_dir)
+        .with_context(|| format!("failed to create runtime dir {}", runtime_dir.display()))?;
+    let log_path = runtime_dir.join("app-server.log");
+    if kill {
+        kill_listeners_on_same_port(listen)?;
+    }
+
+    let log_file = OpenOptions::new()
+        .create(true)
+        .append(true)
+        .open(&log_path)
+        .with_context(|| format!("failed to open log file {}", log_path.display()))?;
+    let log_file_stderr = log_file
+        .try_clone()
+        .with_context(|| format!("failed to clone log file handle {}", log_path.display()))?;
+
+    let mut cmdline = format!(
+        "tail -f /dev/null | RUST_BACKTRACE=full RUST_LOG=warn,codex_=trace {}",
+        shell_quote(&codex_bin.display().to_string())
+    );
+    for override_kv in config_overrides {
+        cmdline.push_str(&format!(" --config {}", shell_quote(override_kv)));
+    }
+    cmdline.push_str(&format!(" app-server --listen {}", shell_quote(listen)));
+
+    let child = Command::new("nohup")
+        .arg("sh")
+        .arg("-c")
+        .arg(cmdline)
+        .stdin(Stdio::null())
+        .stdout(Stdio::from(log_file))
+        .stderr(Stdio::from(log_file_stderr))
+        .spawn()
+        .with_context(|| format!("failed to start `{}` app-server", codex_bin.display()))?;
+
+    let pid = child.id();
+
+    println!("started codex app-server");
+    println!("listen: {listen}");
+    println!("pid: {pid} (launcher process)");
+    println!("log: {}", log_path.display());
+
+    Ok(())
+}
+
+fn kill_listeners_on_same_port(listen: &str) -> Result<()> {
+    let url = Url::parse(listen).with_context(|| format!("invalid --listen URL `{listen}`"))?;
+    let port = url
+        .port_or_known_default()
+        .with_context(|| format!("unable to infer port from --listen URL `{listen}`"))?;
+
+    let output = Command::new("lsof")
+        .arg("-nP")
+        .arg(format!("-tiTCP:{port}"))
+        .arg("-sTCP:LISTEN")
+        .output()
+        .with_context(|| format!("failed to run lsof for port {port}"))?;
+
+    if !output.status.success() {
+        return Ok(());
+    }
+
+    let pids: Vec<u32> = String::from_utf8_lossy(&output.stdout)
+        .lines()
+        .filter_map(|line| line.trim().parse::<u32>().ok())
+        .collect();
+
+    if pids.is_empty() {
+        return Ok(());
+    }
+
+    for pid in pids {
+        println!("killing listener pid {pid} on port {port}");
+        let pid_str = pid.to_string();
+        let term_status = Command::new("kill")
+            .arg(&pid_str)
+            .status()
+            .with_context(|| format!("failed to send SIGTERM to pid {pid}"))?;
+        if !term_status.success() {
+            continue;
+        }
+    }
+
+    thread::sleep(Duration::from_millis(300));
+
+    let output = Command::new("lsof")
+        .arg("-nP")
+        .arg(format!("-tiTCP:{port}"))
+        .arg("-sTCP:LISTEN")
+        .output()
+        .with_context(|| format!("failed to re-check listeners on port {port}"))?;
+    if !output.status.success() {
+        return Ok(());
+    }
+    let remaining: Vec<u32> = String::from_utf8_lossy(&output.stdout)
+        .lines()
+        .filter_map(|line| line.trim().parse::<u32>().ok())
+        .collect();
+    for pid in remaining {
+        println!("force killing remaining listener pid {pid} on port {port}");
+        let _ = Command::new("kill").arg("-9").arg(pid.to_string()).status();
+    }
+
+    Ok(())
+}
+
+fn shell_quote(input: &str) -> String {
+    format!("'{}'", input.replace('\'', "'\\''"))
+}
+
+fn send_message(
+    endpoint: &Endpoint,
+    config_overrides: &[String],
+    user_message: String,
+) -> Result<()> {
+    let mut client = CodexClient::connect(endpoint, config_overrides)?;

    let initialize = client.initialize()?;
    println!("< initialize response: {initialize:?}");
@@ -241,9 +449,19 @@ pub fn send_message_v2(
    config_overrides: &[String],
    user_message: String,
    dynamic_tools: &Option<Vec<DynamicToolSpec>>,
+) -> Result<()> {
+    let endpoint = Endpoint::SpawnCodex(codex_bin.to_path_buf());
+    send_message_v2_endpoint(&endpoint, config_overrides, user_message, dynamic_tools)
+}
+
+fn send_message_v2_endpoint(
+    endpoint: &Endpoint,
+    config_overrides: &[String],
+    user_message: String,
+    dynamic_tools: &Option<Vec<DynamicToolSpec>>,
 ) -> Result<()> {
    send_message_v2_with_policies(
-        codex_bin,
+        endpoint,
        config_overrides,
        user_message,
        None,
@@ -253,7 +471,7 @@ pub fn send_message_v2(
 }

 fn resume_message_v2(
-    codex_bin: &Path,
+    endpoint: &Endpoint,
    config_overrides: &[String],
    thread_id: String,
    user_message: String,
@@ -261,7 +479,7 @@ fn resume_message_v2(
 ) -> Result<()> {
    ensure_dynamic_tools_unused(dynamic_tools, "resume-message-v2")?;

-    let mut client = CodexClient::spawn(codex_bin, config_overrides)?;
+    let mut client = CodexClient::connect(endpoint, config_overrides)?;

    let initialize = client.initialize()?;
    println!("< initialize response: {initialize:?}");
@@ -287,8 +505,28 @@ fn resume_message_v2(
    Ok(())
 }

+fn thread_resume_follow(
+    endpoint: &Endpoint,
+    config_overrides: &[String],
+    thread_id: String,
+) -> Result<()> {
+    let mut client = CodexClient::connect(endpoint, config_overrides)?;
+
+    let initialize = client.initialize()?;
+    println!("< initialize response: {initialize:?}");
+
+    let resume_response = client.thread_resume(ThreadResumeParams {
+        thread_id,
+        ..Default::default()
+    })?;
+    println!("< thread/resume response: {resume_response:?}");
+    println!("< streaming notifications until process is terminated");
+
+    client.stream_notifications_forever()
+}
+
 fn trigger_cmd_approval(
-    codex_bin: &Path,
+    endpoint: &Endpoint,
    config_overrides: &[String],
    user_message: Option<String>,
    dynamic_tools: &Option<Vec<DynamicToolSpec>>,
@@ -297,17 +535,19 @@ fn trigger_cmd_approval(
        "Run `touch /tmp/should-trigger-approval` so I can confirm the file exists.";
    let message = user_message.unwrap_or_else(|| default_prompt.to_string());
    send_message_v2_with_policies(
-        codex_bin,
+        endpoint,
        config_overrides,
        message,
        Some(AskForApproval::OnRequest),
-        Some(SandboxPolicy::ReadOnly),
+        Some(SandboxPolicy::ReadOnly {
+            access: ReadOnlyAccess::FullAccess,
+        }),
        dynamic_tools,
    )
 }

 fn trigger_patch_approval(
-    codex_bin: &Path,
+    endpoint: &Endpoint,
    config_overrides: &[String],
    user_message: Option<String>,
    dynamic_tools: &Option<Vec<DynamicToolSpec>>,
@@ -316,23 +556,25 @@ fn trigger_patch_approval(
        "Create a file named APPROVAL_DEMO.txt containing a short hello message using apply_patch.";
    let message = user_message.unwrap_or_else(|| default_prompt.to_string());
    send_message_v2_with_policies(
-        codex_bin,
+        endpoint,
        config_overrides,
        message,
        Some(AskForApproval::OnRequest),
-        Some(SandboxPolicy::ReadOnly),
+        Some(SandboxPolicy::ReadOnly {
+            access: ReadOnlyAccess::FullAccess,
+        }),
        dynamic_tools,
    )
 }

 fn no_trigger_cmd_approval(
-    codex_bin: &Path,
+    endpoint: &Endpoint,
    config_overrides: &[String],
    dynamic_tools: &Option<Vec<DynamicToolSpec>>,
 ) -> Result<()> {
    let prompt = "Run `touch should_not_trigger_approval.txt`";
    send_message_v2_with_policies(
-        codex_bin,
+        endpoint,
        config_overrides,
        prompt.to_string(),
        None,
@@ -342,14 +584,14 @@ fn no_trigger_cmd_approval(
 }

 fn send_message_v2_with_policies(
-    codex_bin: &Path,
+    endpoint: &Endpoint,
    config_overrides: &[String],
    user_message: String,
    approval_policy: Option<AskForApproval>,
    sandbox_policy: Option<SandboxPolicy>,
    dynamic_tools: &Option<Vec<DynamicToolSpec>>,
 ) -> Result<()> {
-    let mut client = CodexClient::spawn(codex_bin, config_overrides)?;
+    let mut client = CodexClient::connect(endpoint, config_overrides)?;

    let initialize = client.initialize()?;
    println!("< initialize response: {initialize:?}");
@@ -380,13 +622,13 @@ fn send_message_v2_with_policies(
 }

 fn send_follow_up_v2(
-    codex_bin: &Path,
+    endpoint: &Endpoint,
    config_overrides: &[String],
    first_message: String,
    follow_up_message: String,
    dynamic_tools: &Option<Vec<DynamicToolSpec>>,
 ) -> Result<()> {
-    let mut client = CodexClient::spawn(codex_bin, config_overrides)?;
+    let mut client = CodexClient::connect(endpoint, config_overrides)?;

    let initialize = client.initialize()?;
    println!("< initialize response: {initialize:?}");
@@ -426,8 +668,8 @@ fn send_follow_up_v2(
    Ok(())
 }

-fn test_login(codex_bin: &Path, config_overrides: &[String]) -> Result<()> {
-    let mut client = CodexClient::spawn(codex_bin, config_overrides)?;
+fn test_login(endpoint: &Endpoint, config_overrides: &[String]) -> Result<()> {
+    let mut client = CodexClient::connect(endpoint, config_overrides)?;

    let initialize = client.initialize()?;
    println!("< initialize response: {initialize:?}");
@@ -456,8 +698,8 @@ fn test_login(codex_bin: &Path, config_overrides: &[String]) -> Result<()> {
    }
 }

-fn get_account_rate_limits(codex_bin: &Path, config_overrides: &[String]) -> Result<()> {
-    let mut client = CodexClient::spawn(codex_bin, config_overrides)?;
+fn get_account_rate_limits(endpoint: &Endpoint, config_overrides: &[String]) -> Result<()> {
+    let mut client = CodexClient::connect(endpoint, config_overrides)?;

    let initialize = client.initialize()?;
    println!("< initialize response: {initialize:?}");
@@ -468,8 +710,8 @@ fn get_account_rate_limits(codex_bin: &Path, config_overrides: &[String]) -> Res
    Ok(())
 }

-fn model_list(codex_bin: &Path, config_overrides: &[String]) -> Result<()> {
-    let mut client = CodexClient::spawn(codex_bin, config_overrides)?;
+fn model_list(endpoint: &Endpoint, config_overrides: &[String]) -> Result<()> {
+    let mut client = CodexClient::connect(endpoint, config_overrides)?;

    let initialize = client.initialize()?;
    println!("< initialize response: {initialize:?}");
@@ -480,6 +722,26 @@ fn model_list(codex_bin: &Path, config_overrides: &[String]) -> Result<()> {
    Ok(())
 }

+fn thread_list(endpoint: &Endpoint, config_overrides: &[String], limit: u32) -> Result<()> {
+    let mut client = CodexClient::connect(endpoint, config_overrides)?;
+
+    let initialize = client.initialize()?;
+    println!("< initialize response: {initialize:?}");
+
+    let response = client.thread_list(ThreadListParams {
+        cursor: None,
+        limit: Some(limit),
+        sort_key: None,
+        model_providers: None,
+        source_kinds: None,
+        archived: None,
+        cwd: None,
+    })?;
+    println!("< thread/list response: {response:?}");
+
+    Ok(())
+}
+
 fn ensure_dynamic_tools_unused(
    dynamic_tools: &Option<Vec<DynamicToolSpec>>,
    command: &str,
@@ -514,15 +776,32 @@ fn parse_dynamic_tools_arg(dynamic_tools: &Option<String>) -> Result<Option<Vec<
    Ok(Some(tools))
 }

+enum ClientTransport {
+    Stdio {
+        child: Child,
+        stdin: Option<ChildStdin>,
+        stdout: BufReader<ChildStdout>,
+    },
+    WebSocket {
+        url: String,
+        socket: Box<WebSocket<MaybeTlsStream<TcpStream>>>,
+    },
+}
+
 struct CodexClient {
-    child: Child,
-    stdin: Option<ChildStdin>,
-    stdout: BufReader<ChildStdout>,
+    transport: ClientTransport,
    pending_notifications: VecDeque<JSONRPCNotification>,
 }

 impl CodexClient {
-    fn spawn(codex_bin: &Path, config_overrides: &[String]) -> Result<Self> {
+    fn connect(endpoint: &Endpoint, config_overrides: &[String]) -> Result<Self> {
+        match endpoint {
+            Endpoint::SpawnCodex(codex_bin) => Self::spawn_stdio(codex_bin, config_overrides),
+            Endpoint::ConnectWs(url) => Self::connect_websocket(url),
+        }
+    }
+
+    fn spawn_stdio(codex_bin: &Path, config_overrides: &[String]) -> Result<Self> {
        let codex_bin_display = codex_bin.display();
        let mut cmd = Command::new(codex_bin);
        for override_kv in config_overrides {
@@ -546,9 +825,27 @@ impl CodexClient {
            .context("codex app-server stdout unavailable")?;

        Ok(Self {
-            child: codex_app_server,
-            stdin: Some(stdin),
-            stdout: BufReader::new(stdout),
+            transport: ClientTransport::Stdio {
+                child: codex_app_server,
+                stdin: Some(stdin),
+                stdout: BufReader::new(stdout),
+            },
+            pending_notifications: VecDeque::new(),
+        })
+    }
+
+    fn connect_websocket(url: &str) -> Result<Self> {
+        let parsed = Url::parse(url).with_context(|| format!("invalid websocket URL `{url}`"))?;
+        let (socket, _response) = connect(parsed.as_str()).with_context(|| {
+            format!(
+                "failed to connect to websocket app-server at `{url}`; if no server is running, start one with `codex-app-server-test-client serve --listen {url}`"
+            )
+        })?;
+        Ok(Self {
+            transport: ClientTransport::WebSocket {
+                url: url.to_string(),
+                socket: Box::new(socket),
+            },
            pending_notifications: VecDeque::new(),
        })
    }
@@ -570,7 +867,16 @@ impl CodexClient {
            },
        };

-        self.send_request(request, request_id, "initialize")
+        let response: InitializeResponse = self.send_request(request, request_id, "initialize")?;
+
+        // Complete the initialize handshake.
+        let initialized = JSONRPCMessage::Notification(JSONRPCNotification {
+            method: "initialized".to_string(),
+            params: None,
+        });
+        self.write_jsonrpc_message(initialized)?;
+
+        Ok(response)
    }

    fn start_thread(&mut self) -> Result<NewConversationResponse> {
@@ -696,6 +1002,16 @@ impl CodexClient {
        self.send_request(request, request_id, "model/list")
    }

+    fn thread_list(&mut self, params: ThreadListParams) -> Result<ThreadListResponse> {
+        let request_id = self.request_id();
+        let request = ClientRequest::ThreadList {
+            request_id: request_id.clone(),
+            params,
+        };
+
+        self.send_request(request, request_id, "thread/list")
+    }
+
    fn stream_conversation(&mut self, conversation_id: &ThreadId) -> Result<()> {
        loop {
            let notification = self.next_notification()?;
@@ -830,6 +1146,12 @@ impl CodexClient {
        Ok(())
    }

+    fn stream_notifications_forever(&mut self) -> Result<()> {
+        loop {
+            let _ = self.next_notification()?;
+        }
+    }
+
    fn extract_event(
        &self,
        notification: JSONRPCNotification,
@@ -877,17 +1199,7 @@ impl CodexClient {
        let request_json = serde_json::to_string(request)?;
        let request_pretty = serde_json::to_string_pretty(request)?;
        print_multiline_with_prefix("> ", &request_pretty);
-
-        if let Some(stdin) = self.stdin.as_mut() {
-            writeln!(stdin, "{request_json}")?;
-            stdin
-                .flush()
-                .context("failed to flush request to codex app-server")?;
-        } else {
-            bail!("codex app-server stdin closed");
-        }
-
-        Ok(())
+        self.write_payload(&request_json)
    }

    fn wait_for_response<T>(&mut self, request_id: RequestId, method: &str) -> Result<T>
@@ -942,17 +1254,8 @@ impl CodexClient {

    fn read_jsonrpc_message(&mut self) -> Result<JSONRPCMessage> {
        loop {
-            let mut response_line = String::new();
-            let bytes = self
-                .stdout
-                .read_line(&mut response_line)
-                .context("failed to read from codex app-server")?;
-
-            if bytes == 0 {
-                bail!("codex app-server closed stdout");
-            }
-
-            let trimmed = response_line.trim();
+            let raw = self.read_payload()?;
+            let trimmed = raw.trim();
            if trimmed.is_empty() {
                continue;
            }
@@ -1081,16 +1384,56 @@ impl CodexClient {
        let payload = serde_json::to_string(&message)?;
        let pretty = serde_json::to_string_pretty(&message)?;
        print_multiline_with_prefix("> ", &pretty);
+        self.write_payload(&payload)
+    }

-        if let Some(stdin) = self.stdin.as_mut() {
-            writeln!(stdin, "{payload}")?;
-            stdin
-                .flush()
-                .context("failed to flush response to codex app-server")?;
-            return Ok(());
+    fn write_payload(&mut self, payload: &str) -> Result<()> {
+        match &mut self.transport {
+            ClientTransport::Stdio { stdin, .. } => {
+                if let Some(stdin) = stdin.as_mut() {
+                    writeln!(stdin, "{payload}")?;
+                    stdin
+                        .flush()
+                        .context("failed to flush payload to codex app-server")?;
+                    return Ok(());
+                }
+                bail!("codex app-server stdin closed")
+            }
+            ClientTransport::WebSocket { socket, url } => {
+                socket
+                    .send(Message::Text(payload.to_string().into()))
+                    .with_context(|| format!("failed to write websocket message to `{url}`"))?;
+                Ok(())
+            }
        }
+    }

-        bail!("codex app-server stdin closed")
+    fn read_payload(&mut self) -> Result<String> {
+        match &mut self.transport {
+            ClientTransport::Stdio { stdout, .. } => {
+                let mut response_line = String::new();
+                let bytes = stdout
+                    .read_line(&mut response_line)
+                    .context("failed to read from codex app-server")?;
+                if bytes == 0 {
+                    bail!("codex app-server closed stdout");
+                }
+                Ok(response_line)
+            }
+            ClientTransport::WebSocket { socket, url } => loop {
+                let frame = socket
+                    .read()
+                    .with_context(|| format!("failed to read websocket message from `{url}`"))?;
+                match frame {
+                    Message::Text(text) => return Ok(text.to_string()),
+                    Message::Binary(_) | Message::Ping(_) | Message::Pong(_) => continue,
+                    Message::Close(_) => {
+                        bail!("websocket app-server at `{url}` closed the connection")
+                    }
+                    Message::Frame(_) => continue,
+                }
+            },
+        }
    }
 }

@@ -1102,21 +1445,25 @@ fn print_multiline_with_prefix(prefix: &str, payload: &str) {

 impl Drop for CodexClient {
    fn drop(&mut self) {
-        let _ = self.stdin.take();
+        let ClientTransport::Stdio { child, stdin, .. } = &mut self.transport else {
+            return;
+        };

-        if let Ok(Some(status)) = self.child.try_wait() {
+        let _ = stdin.take();
+
+        if let Ok(Some(status)) = child.try_wait() {
            println!("[codex app-server exited: {status}]");
            return;
        }

        thread::sleep(Duration::from_millis(100));

-        if let Ok(Some(status)) = self.child.try_wait() {
+        if let Ok(Some(status)) = child.try_wait() {
            println!("[codex app-server exited: {status}]");
            return;
        }

-        let _ = self.child.kill();
-        let _ = self.child.wait();
+        let _ = child.kill();
+        let _ = child.wait();
    }
 }
--- a/codex-rs/app-server/README.md
+++ b/codex-rs/app-server/README.md
@@ -117,7 +117,7 @@ Example with notification opt-out:
 - `thread/start` — create a new thread; emits `thread/started` and auto-subscribes you to turn/item events for that thread.
 - `thread/resume` — reopen an existing thread by id so subsequent `turn/start` calls append to it.
 - `thread/fork` — fork an existing thread into a new thread id by copying the stored history; emits `thread/started` and auto-subscribes you to turn/item events for the new thread.
- `thread/list` — page through stored rollouts; supports cursor-based pagination and optional `modelProviders` filtering.
+- `thread/list` — page through stored rollouts; supports cursor-based pagination and optional `modelProviders`, `sourceKinds`, `archived`, and `cwd` filters.
 - `thread/loaded/list` — list the thread ids currently loaded in memory.
 - `thread/read` — read a stored thread by id without resuming it; optionally include turns via `includeTurns`.
 - `thread/archive` — move a thread’s rollout file into the archived directory; returns `{}` on success.
@@ -131,7 +131,7 @@ Example with notification opt-out:
 - `turn/interrupt` — request cancellation of an in-flight turn by `(thread_id, turn_id)`; success is an empty `{}` response and the turn finishes with `status: "interrupted"`.
 - `review/start` — kick off Codex’s automated reviewer for a thread; responds like `turn/start` and emits `item/started`/`item/completed` notifications with `enteredReviewMode` and `exitedReviewMode` items, plus a final assistant `agentMessage` containing the review.
 - `command/exec` — run a single command under the server sandbox without starting a thread/turn (handy for utilities and validation).
- `model/list` — list available models (with reasoning effort options and optional `upgrade` model ids).
+- `model/list` — list available models (set `includeHidden: true` to include entries with `hidden: true`), with reasoning effort options and optional `upgrade` model ids.
 - `experimentalFeature/list` — list feature flags with stage metadata (`beta`, `underDevelopment`, `stable`, etc.), enabled/default-enabled state, and cursor pagination. For non-beta flags, `displayName`/`description`/`announcement` are `null`.
 - `collaborationMode/list` — list available collaboration mode presets (experimental, no pagination).
 - `skills/list` — list skills for one or more `cwd` values (optional `forceReload`).
@@ -209,6 +209,8 @@ To branch from a stored session, call `thread/fork` with the `thread.id`. This c
 { "method": "thread/started", "params": { "thread": { … } } }
 ```

+Experimental API: `thread/start`, `thread/resume`, and `thread/fork` accept `persistExtendedHistory: true` to persist a richer subset of ThreadItems for non-lossy history when calling `thread/read`, `thread/resume`, and `thread/fork` later. This does not backfill events that were not persisted previously.
+
 ### Example: List threads (with pagination & filters)

 `thread/list` lets you render a history UI. Results default to `createdAt` (newest first) descending. Pass any combination of:
@@ -219,6 +221,7 @@ To branch from a stored session, call `thread/fork` with the `thread.id`. This c
 - `modelProviders` — restrict results to specific providers; unset, null, or an empty array will include all providers.
 - `sourceKinds` — restrict results to specific sources; omit or pass `[]` for interactive sessions only (`cli`, `vscode`).
 - `archived` — when `true`, list archived threads only. When `false` or `null`, list non-archived threads (default).
+- `cwd` — restrict results to threads whose session cwd exactly matches this path.

 Example:

@@ -532,6 +535,13 @@ Examples:
 - Opt out of legacy session setup event: `codex/event/session_configured`
 - Opt out of streamed agent text deltas: `item/agentMessage/delta`

+### Fuzzy file search events (experimental)
+
+The fuzzy file search session API emits per-query notifications:
+
+- `fuzzyFileSearch/sessionUpdated` — `{ sessionId, query, files }` with the current matching files for the active query.
+- `fuzzyFileSearch/sessionCompleted` — `{ sessionId, query }` once indexing/matching for that query has completed.
+
 ### Turn events

 The app-server streams JSON-RPC notifications while a turn is running. Each turn starts with `turn/started` (initial `turn`) and ends with `turn/completed` (final `turn` status). Token usage events stream separately via `thread/tokenUsage/updated`. Clients subscribe to the events they care about, rendering each item incrementally as updates arrive. The per-item lifecycle is always: `item/started` → zero or more item-specific deltas → `item/completed`.
@@ -761,7 +771,7 @@ To enable or disable a skill by path:

 ## Apps

-Use `app/list` to fetch available apps (connectors). Each entry includes metadata like the app `id`, display `name`, `installUrl`, and whether it is currently accessible.
+Use `app/list` to fetch available apps (connectors). Each entry includes metadata like the app `id`, display `name`, `installUrl`, whether it is currently accessible, and whether it is enabled in config.

 ```json
 { "method": "app/list", "id": 50, "params": {
@@ -780,7 +790,8 @@ Use `app/list` to fetch available apps (connectors). Each entry includes metadat
            "logoUrlDark": null,
            "distributionChannel": null,
            "installUrl": "https://chatgpt.com/apps/demo-app/demo-app",
-            "isAccessible": true
+            "isAccessible": true,
+            "isEnabled": true
        }
    ],
    "nextCursor": null
@@ -806,7 +817,8 @@ The server also emits `app/list/updated` notifications whenever either source (a
        "logoUrlDark": null,
        "distributionChannel": null,
        "installUrl": "https://chatgpt.com/apps/demo-app/demo-app",
-        "isAccessible": true
+        "isAccessible": true,
+        "isEnabled": true
      }
    ]
  }
--- a/codex-rs/app-server/src/bespoke_event_handling.rs
+++ b/codex-rs/app-server/src/bespoke_event_handling.rs
@@ -4,6 +4,7 @@ use crate::codex_message_processor::read_summary_from_rollout;
 use crate::codex_message_processor::summary_to_thread;
 use crate::error_code::INTERNAL_ERROR_CODE;
 use crate::error_code::INVALID_REQUEST_ERROR_CODE;
+use crate::outgoing_message::ClientRequestResult;
 use crate::outgoing_message::ThreadScopedOutgoingMessageSender;
 use crate::thread_state::ThreadState;
 use crate::thread_state::TurnSummary;
@@ -205,6 +206,7 @@ pub(crate) async fn apply_bespoke_event_handling(
            reason,
            proposed_execpolicy_amendment,
            parsed_cmd,
+            ..
        }) => match api_version {
            ApiVersion::V1 => {
                let params = ExecCommandApprovalParams {
@@ -717,6 +719,10 @@ pub(crate) async fn apply_bespoke_event_handling(
                .await;
            };

+            if !ev.affects_turn_status() {
+                return;
+            }
+
            let turn_error = TurnError {
                message: ev.message,
                codex_error_info: ev.codex_error_info.map(V2CodexErrorInfo::from),
@@ -887,11 +893,7 @@ pub(crate) async fn apply_bespoke_event_handling(
            // and emit the corresponding EventMsg, we repurpose the call_id as the item_id.
            let item_id = patch_end_event.call_id.clone();

-            let status = if patch_end_event.success {
-                PatchApplyStatus::Completed
-            } else {
-                PatchApplyStatus::Failed
-            };
+            let status: PatchApplyStatus = (&patch_end_event.status).into();
            let changes = convert_patch_changes(&patch_end_event.changes);
            complete_file_change_item(
                conversation_id,
@@ -998,14 +1000,11 @@ pub(crate) async fn apply_bespoke_event_handling(
                aggregated_output,
                exit_code,
                duration,
+                status,
                ..
            } = exec_command_end_event;

-            let status = if exit_code == 0 {
-                CommandExecutionStatus::Completed
-            } else {
-                CommandExecutionStatus::Failed
-            };
+            let status: CommandExecutionStatus = (&status).into();
            let command_actions = parsed_cmd
                .into_iter()
                .map(V2ParsedCommand::from)
@@ -1411,12 +1410,25 @@ async fn handle_error(

 async fn on_patch_approval_response(
    call_id: String,
-    receiver: oneshot::Receiver<JsonValue>,
+    receiver: oneshot::Receiver<ClientRequestResult>,
    codex: Arc<CodexThread>,
 ) {
    let response = receiver.await;
    let value = match response {
-        Ok(value) => value,
+        Ok(Ok(value)) => value,
+        Ok(Err(err)) => {
+            error!("request failed with client error: {err:?}");
+            if let Err(submit_err) = codex
+                .submit(Op::PatchApproval {
+                    id: call_id.clone(),
+                    decision: ReviewDecision::Denied,
+                })
+                .await
+            {
+                error!("failed to submit denied PatchApproval after request failure: {submit_err}");
+            }
+            return;
+        }
        Err(err) => {
            error!("request failed: {err:?}");
            if let Err(submit_err) = codex
@@ -1454,12 +1466,16 @@ async fn on_patch_approval_response(
 async fn on_exec_approval_response(
    call_id: String,
    turn_id: String,
-    receiver: oneshot::Receiver<JsonValue>,
+    receiver: oneshot::Receiver<ClientRequestResult>,
    conversation: Arc<CodexThread>,
 ) {
    let response = receiver.await;
    let value = match response {
-        Ok(value) => value,
+        Ok(Ok(value)) => value,
+        Ok(Err(err)) => {
+            error!("request failed with client error: {err:?}");
+            return;
+        }
        Err(err) => {
            error!("request failed: {err:?}");
            return;
@@ -1491,12 +1507,28 @@ async fn on_exec_approval_response(

 async fn on_request_user_input_response(
    event_turn_id: String,
-    receiver: oneshot::Receiver<JsonValue>,
+    receiver: oneshot::Receiver<ClientRequestResult>,
    conversation: Arc<CodexThread>,
 ) {
    let response = receiver.await;
    let value = match response {
-        Ok(value) => value,
+        Ok(Ok(value)) => value,
+        Ok(Err(err)) => {
+            error!("request failed with client error: {err:?}");
+            let empty = CoreRequestUserInputResponse {
+                answers: HashMap::new(),
+            };
+            if let Err(err) = conversation
+                .submit(Op::UserInputAnswer {
+                    id: event_turn_id,
+                    response: empty,
+                })
+                .await
+            {
+                error!("failed to submit UserInputAnswer: {err}");
+            }
+            return;
+        }
        Err(err) => {
            error!("request failed: {err:?}");
            let empty = CoreRequestUserInputResponse {
@@ -1631,14 +1663,14 @@ async fn on_file_change_request_approval_response(
    conversation_id: ThreadId,
    item_id: String,
    changes: Vec<FileUpdateChange>,
-    receiver: oneshot::Receiver<JsonValue>,
+    receiver: oneshot::Receiver<ClientRequestResult>,
    codex: Arc<CodexThread>,
    outgoing: ThreadScopedOutgoingMessageSender,
    thread_state: Arc<Mutex<ThreadState>>,
 ) {
    let response = receiver.await;
    let (decision, completion_status) = match response {
-        Ok(value) => {
+        Ok(Ok(value)) => {
            let response = serde_json::from_value::<FileChangeRequestApprovalResponse>(value)
                .unwrap_or_else(|err| {
                    error!("failed to deserialize FileChangeRequestApprovalResponse: {err}");
@@ -1653,6 +1685,10 @@ async fn on_file_change_request_approval_response(
            // Only short-circuit on declines/cancels/failures.
            (decision, completion_status)
        }
+        Ok(Err(err)) => {
+            error!("request failed with client error: {err:?}");
+            (ReviewDecision::Denied, Some(PatchApplyStatus::Failed))
+        }
        Err(err) => {
            error!("request failed: {err:?}");
            (ReviewDecision::Denied, Some(PatchApplyStatus::Failed))
@@ -1691,13 +1727,13 @@ async fn on_command_execution_request_approval_response(
    command: String,
    cwd: PathBuf,
    command_actions: Vec<V2ParsedCommand>,
-    receiver: oneshot::Receiver<JsonValue>,
+    receiver: oneshot::Receiver<ClientRequestResult>,
    conversation: Arc<CodexThread>,
    outgoing: ThreadScopedOutgoingMessageSender,
 ) {
    let response = receiver.await;
    let (decision, completion_status) = match response {
-        Ok(value) => {
+        Ok(Ok(value)) => {
            let response = serde_json::from_value::<CommandExecutionRequestApprovalResponse>(value)
                .unwrap_or_else(|err| {
                    error!("failed to deserialize CommandExecutionRequestApprovalResponse: {err}");
@@ -1732,6 +1768,10 @@ async fn on_command_execution_request_approval_response(
            };
            (decision, completion_status)
        }
+        Ok(Err(err)) => {
+            error!("request failed with client error: {err:?}");
+            (ReviewDecision::Denied, Some(CommandExecutionStatus::Failed))
+        }
        Err(err) => {
            error!("request failed: {err:?}");
            (ReviewDecision::Denied, Some(CommandExecutionStatus::Failed))
--- a/codex-rs/app-server/src/codex_message_processor.rs
+++ b/codex-rs/app-server/src/codex_message_processor.rs
--- a/codex-rs/app-server/src/dynamic_tools.rs
+++ b/codex-rs/app-server/src/dynamic_tools.rs
@@ -7,14 +7,35 @@ use std::sync::Arc;
 use tokio::sync::oneshot;
 use tracing::error;

+use crate::outgoing_message::ClientRequestResult;
+
 pub(crate) async fn on_call_response(
    call_id: String,
-    receiver: oneshot::Receiver<serde_json::Value>,
+    receiver: oneshot::Receiver<ClientRequestResult>,
    conversation: Arc<CodexThread>,
 ) {
    let response = receiver.await;
    let value = match response {
-        Ok(value) => value,
+        Ok(Ok(value)) => value,
+        Ok(Err(err)) => {
+            error!("request failed with client error: {err:?}");
+            let fallback = CoreDynamicToolResponse {
+                content_items: vec![CoreDynamicToolCallOutputContentItem::InputText {
+                    text: "dynamic tool request failed".to_string(),
+                }],
+                success: false,
+            };
+            if let Err(err) = conversation
+                .submit(Op::DynamicToolResponse {
+                    id: call_id.clone(),
+                    response: fallback,
+                })
+                .await
+            {
+                error!("failed to submit DynamicToolResponse: {err}");
+            }
+            return;
+        }
        Err(err) => {
            error!("request failed: {err:?}");
            let fallback = CoreDynamicToolResponse {
--- a/codex-rs/app-server/src/fuzzy_file_search.rs
+++ b/codex-rs/app-server/src/fuzzy_file_search.rs
@@ -1,12 +1,19 @@
 use std::num::NonZero;
 use std::path::PathBuf;
 use std::sync::Arc;
+use std::sync::Mutex;
 use std::sync::atomic::AtomicBool;
+use std::sync::atomic::Ordering;

 use codex_app_server_protocol::FuzzyFileSearchResult;
+use codex_app_server_protocol::FuzzyFileSearchSessionCompletedNotification;
+use codex_app_server_protocol::FuzzyFileSearchSessionUpdatedNotification;
+use codex_app_server_protocol::ServerNotification;
 use codex_file_search as file_search;
 use tracing::warn;

+use crate::outgoing_message::OutgoingMessageSender;
+
 const MATCH_LIMIT: usize = 50;
 const MAX_THREADS: usize = 12;

@@ -77,3 +84,164 @@ pub(crate) async fn run_fuzzy_file_search(

    files
 }
+
+pub(crate) struct FuzzyFileSearchSession {
+    session: file_search::FileSearchSession,
+    shared: Arc<SessionShared>,
+}
+
+impl FuzzyFileSearchSession {
+    pub(crate) fn update_query(&self, query: String) {
+        if self.shared.canceled.load(Ordering::Relaxed) {
+            return;
+        }
+        {
+            #[expect(clippy::unwrap_used)]
+            let mut latest_query = self.shared.latest_query.lock().unwrap();
+            *latest_query = query.clone();
+        }
+        self.session.update_query(&query);
+    }
+}
+
+impl Drop for FuzzyFileSearchSession {
+    fn drop(&mut self) {
+        self.shared.canceled.store(true, Ordering::Relaxed);
+    }
+}
+
+pub(crate) fn start_fuzzy_file_search_session(
+    session_id: String,
+    roots: Vec<String>,
+    outgoing: Arc<OutgoingMessageSender>,
+) -> anyhow::Result<FuzzyFileSearchSession> {
+    #[expect(clippy::expect_used)]
+    let limit = NonZero::new(MATCH_LIMIT).expect("MATCH_LIMIT should be a valid non-zero usize");
+    let cores = std::thread::available_parallelism()
+        .map(std::num::NonZero::get)
+        .unwrap_or(1);
+    let threads = cores.min(MAX_THREADS);
+    #[expect(clippy::expect_used)]
+    let threads = NonZero::new(threads.max(1)).expect("threads should be non-zero");
+    let search_dirs: Vec<PathBuf> = roots.iter().map(PathBuf::from).collect();
+    let canceled = Arc::new(AtomicBool::new(false));
+
+    let shared = Arc::new(SessionShared {
+        session_id,
+        latest_query: Mutex::new(String::new()),
+        outgoing,
+        runtime: tokio::runtime::Handle::current(),
+        canceled: canceled.clone(),
+    });
+
+    let reporter = Arc::new(SessionReporterImpl {
+        shared: shared.clone(),
+    });
+    let session = file_search::create_session(
+        search_dirs,
+        file_search::FileSearchOptions {
+            limit,
+            threads,
+            compute_indices: true,
+            ..Default::default()
+        },
+        reporter,
+        Some(canceled),
+    )?;
+
+    Ok(FuzzyFileSearchSession { session, shared })
+}
+
+struct SessionShared {
+    session_id: String,
+    latest_query: Mutex<String>,
+    outgoing: Arc<OutgoingMessageSender>,
+    runtime: tokio::runtime::Handle,
+    canceled: Arc<AtomicBool>,
+}
+
+struct SessionReporterImpl {
+    shared: Arc<SessionShared>,
+}
+
+impl SessionReporterImpl {
+    fn send_snapshot(&self, snapshot: &file_search::FileSearchSnapshot) {
+        if self.shared.canceled.load(Ordering::Relaxed) {
+            return;
+        }
+
+        let query = {
+            #[expect(clippy::unwrap_used)]
+            self.shared.latest_query.lock().unwrap().clone()
+        };
+        if snapshot.query != query {
+            return;
+        }
+
+        let files = if query.is_empty() {
+            Vec::new()
+        } else {
+            collect_files(snapshot)
+        };
+
+        let notification = ServerNotification::FuzzyFileSearchSessionUpdated(
+            FuzzyFileSearchSessionUpdatedNotification {
+                session_id: self.shared.session_id.clone(),
+                query,
+                files,
+            },
+        );
+        let outgoing = self.shared.outgoing.clone();
+        self.shared.runtime.spawn(async move {
+            outgoing.send_server_notification(notification).await;
+        });
+    }
+
+    fn send_complete(&self) {
+        if self.shared.canceled.load(Ordering::Relaxed) {
+            return;
+        }
+        let session_id = self.shared.session_id.clone();
+        let outgoing = self.shared.outgoing.clone();
+        self.shared.runtime.spawn(async move {
+            let notification = ServerNotification::FuzzyFileSearchSessionCompleted(
+                FuzzyFileSearchSessionCompletedNotification { session_id },
+            );
+            outgoing.send_server_notification(notification).await;
+        });
+    }
+}
+
+impl file_search::SessionReporter for SessionReporterImpl {
+    fn on_update(&self, snapshot: &file_search::FileSearchSnapshot) {
+        self.send_snapshot(snapshot);
+    }
+
+    fn on_complete(&self) {
+        self.send_complete();
+    }
+}
+
+fn collect_files(snapshot: &file_search::FileSearchSnapshot) -> Vec<FuzzyFileSearchResult> {
+    let mut files = snapshot
+        .matches
+        .iter()
+        .map(|m| {
+            let file_name = m.path.file_name().unwrap_or_default();
+            FuzzyFileSearchResult {
+                root: m.root.to_string_lossy().to_string(),
+                path: m.path.to_string_lossy().to_string(),
+                file_name: file_name.to_string_lossy().to_string(),
+                score: m.score,
+                indices: m.indices.clone(),
+            }
+        })
+        .collect::<Vec<_>>();
+
+    files.sort_by(file_search::cmp_by_score_desc_then_path_asc::<
+        FuzzyFileSearchResult,
+        _,
+        _,
+    >(|f| f.score, |f| f.path.as_str()));
+    files
+}
--- a/codex-rs/app-server/src/message_processor.rs
+++ b/codex-rs/app-server/src/message_processor.rs
@@ -86,9 +86,20 @@ impl ExternalAuthRefresher for ExternalAuthRefreshBridge {
            .await;

        let result = match timeout(EXTERNAL_AUTH_REFRESH_TIMEOUT, rx).await {
-            Ok(result) => result.map_err(|err| {
-                std::io::Error::other(format!("auth refresh request canceled: {err}"))
-            })?,
+            Ok(result) => {
+                // Two failure scenarios:
+                // 1) `oneshot::Receiver` failed (sender dropped) => request canceled/channel closed.
+                // 2) client answered with JSON-RPC error payload => propagate code/message.
+                let result = result.map_err(|err| {
+                    std::io::Error::other(format!("auth refresh request canceled: {err}"))
+                })?;
+                result.map_err(|err| {
+                    std::io::Error::other(format!(
+                        "auth refresh request failed: code={} message={}",
+                        err.code, err.message
+                    ))
+                })?
+            }
            Err(_) => {
                let _canceled = self.outgoing.cancel_request(&request_id).await;
                return Err(std::io::Error::other(format!(
--- a/codex-rs/app-server/src/models.rs
+++ b/codex-rs/app-server/src/models.rs
@@ -8,12 +8,16 @@ use codex_core::models_manager::manager::RefreshStrategy;
 use codex_protocol::openai_models::ModelPreset;
 use codex_protocol::openai_models::ReasoningEffortPreset;

-pub async fn supported_models(thread_manager: Arc<ThreadManager>, config: &Config) -> Vec<Model> {
+pub async fn supported_models(
+    thread_manager: Arc<ThreadManager>,
+    config: &Config,
+    include_hidden: bool,
+) -> Vec<Model> {
    thread_manager
        .list_models(config, RefreshStrategy::OnlineIfUncached)
        .await
        .into_iter()
-        .filter(|preset| preset.show_in_picker)
+        .filter(|preset| include_hidden || preset.show_in_picker)
        .map(model_from_preset)
        .collect()
 }
@@ -25,6 +29,7 @@ fn model_from_preset(preset: ModelPreset) -> Model {
        upgrade: preset.upgrade.map(|upgrade| upgrade.id),
        display_name: preset.display_name.to_string(),
        description: preset.description.to_string(),
+        hidden: !preset.show_in_picker,
        supported_reasoning_efforts: reasoning_efforts_from_preset(
            preset.supported_reasoning_efforts,
        ),
--- a/codex-rs/app-server/src/outgoing_message.rs
+++ b/codex-rs/app-server/src/outgoing_message.rs
@@ -20,6 +20,8 @@ use crate::error_code::INTERNAL_ERROR_CODE;
 #[cfg(test)]
 use codex_protocol::account::PlanType;

+pub(crate) type ClientRequestResult = std::result::Result<Result, JSONRPCErrorError>;
+
 /// Stable identifier for a transport connection.
 #[derive(Clone, Copy, Debug, Eq, Hash, PartialEq)]
 pub(crate) struct ConnectionId(pub(crate) u64);
@@ -46,7 +48,7 @@ pub(crate) enum OutgoingEnvelope {
 pub(crate) struct OutgoingMessageSender {
    next_server_request_id: AtomicI64,
    sender: mpsc::Sender<OutgoingEnvelope>,
-    request_id_to_callback: Mutex<HashMap<RequestId, oneshot::Sender<Result>>>,
+    request_id_to_callback: Mutex<HashMap<RequestId, oneshot::Sender<ClientRequestResult>>>,
 }

 #[derive(Clone)]
@@ -69,7 +71,7 @@ impl ThreadScopedOutgoingMessageSender {
    pub(crate) async fn send_request(
        &self,
        payload: ServerRequestPayload,
-    ) -> oneshot::Receiver<Result> {
+    ) -> oneshot::Receiver<ClientRequestResult> {
        if self.connection_ids.is_empty() {
            let (_tx, rx) = oneshot::channel();
            return rx;
@@ -118,7 +120,7 @@ impl OutgoingMessageSender {
        &self,
        connection_ids: &[ConnectionId],
        request: ServerRequestPayload,
-    ) -> oneshot::Receiver<Result> {
+    ) -> oneshot::Receiver<ClientRequestResult> {
        let (_id, rx) = self
            .send_request_with_id_to_connections(connection_ids, request)
            .await;
@@ -128,7 +130,7 @@ impl OutgoingMessageSender {
    pub(crate) async fn send_request_with_id(
        &self,
        request: ServerRequestPayload,
-    ) -> (RequestId, oneshot::Receiver<Result>) {
+    ) -> (RequestId, oneshot::Receiver<ClientRequestResult>) {
        self.send_request_with_id_to_connections(&[], request).await
    }

@@ -136,7 +138,7 @@ impl OutgoingMessageSender {
        &self,
        connection_ids: &[ConnectionId],
        request: ServerRequestPayload,
-    ) -> (RequestId, oneshot::Receiver<Result>) {
+    ) -> (RequestId, oneshot::Receiver<ClientRequestResult>) {
        let id = RequestId::Integer(self.next_server_request_id.fetch_add(1, Ordering::Relaxed));
        let outgoing_message_id = id.clone();
        let (tx_approve, rx_approve) = oneshot::channel();
@@ -190,7 +192,7 @@ impl OutgoingMessageSender {

        match entry {
            Some((id, sender)) => {
-                if let Err(err) = sender.send(result) {
+                if let Err(err) = sender.send(Ok(result)) {
                    warn!("could not notify callback for {id:?} due to: {err:?}");
                }
            }
@@ -207,8 +209,11 @@ impl OutgoingMessageSender {
        };

        match entry {
-            Some((id, _sender)) => {
+            Some((id, sender)) => {
                warn!("client responded with error for {id:?}: {error:?}");
+                if let Err(err) = sender.send(Err(error)) {
+                    warn!("could not notify callback for {id:?} due to: {err:?}");
+                }
            }
            None => {
                warn!("could not find callback for {id:?}");
@@ -390,11 +395,13 @@ mod tests {
    use codex_app_server_protocol::AccountLoginCompletedNotification;
    use codex_app_server_protocol::AccountRateLimitsUpdatedNotification;
    use codex_app_server_protocol::AccountUpdatedNotification;
+    use codex_app_server_protocol::ApplyPatchApprovalParams;
    use codex_app_server_protocol::AuthMode;
    use codex_app_server_protocol::ConfigWarningNotification;
    use codex_app_server_protocol::LoginChatGptCompleteNotification;
    use codex_app_server_protocol::RateLimitSnapshot;
    use codex_app_server_protocol::RateLimitWindow;
+    use codex_protocol::ThreadId;
    use pretty_assertions::assert_eq;
    use serde_json::json;
    use tokio::time::timeout;
@@ -609,4 +616,38 @@ mod tests {
            other => panic!("expected targeted error envelope, got: {other:?}"),
        }
    }
+
+    #[tokio::test]
+    async fn notify_client_error_forwards_error_to_waiter() {
+        let (tx, _rx) = mpsc::channel::<OutgoingEnvelope>(4);
+        let outgoing = OutgoingMessageSender::new(tx);
+
+        let (request_id, wait_for_result) = outgoing
+            .send_request_with_id(ServerRequestPayload::ApplyPatchApproval(
+                ApplyPatchApprovalParams {
+                    conversation_id: ThreadId::new(),
+                    call_id: "call-id".to_string(),
+                    file_changes: HashMap::new(),
+                    reason: None,
+                    grant_root: None,
+                },
+            ))
+            .await;
+
+        let error = JSONRPCErrorError {
+            code: INTERNAL_ERROR_CODE,
+            message: "refresh failed".to_string(),
+            data: None,
+        };
+
+        outgoing
+            .notify_client_error(request_id, error.clone())
+            .await;
+
+        let result = timeout(Duration::from_secs(1), wait_for_result)
+            .await
+            .expect("wait should not time out")
+            .expect("waiter should receive a callback");
+        assert_eq!(result, Err(error));
+    }
 }
--- a/codex-rs/app-server/tests/common/mcp_process.rs
+++ b/codex-rs/app-server/tests/common/mcp_process.rs
@@ -678,6 +678,78 @@ impl McpProcess {
        self.send_request("fuzzyFileSearch", Some(params)).await
    }

+    pub async fn send_fuzzy_file_search_session_start_request(
+        &mut self,
+        session_id: &str,
+        roots: Vec<String>,
+    ) -> anyhow::Result<i64> {
+        let params = serde_json::json!({
+            "sessionId": session_id,
+            "roots": roots,
+        });
+        self.send_request("fuzzyFileSearch/sessionStart", Some(params))
+            .await
+    }
+
+    pub async fn start_fuzzy_file_search_session(
+        &mut self,
+        session_id: &str,
+        roots: Vec<String>,
+    ) -> anyhow::Result<JSONRPCResponse> {
+        let request_id = self
+            .send_fuzzy_file_search_session_start_request(session_id, roots)
+            .await?;
+        self.read_stream_until_response_message(RequestId::Integer(request_id))
+            .await
+    }
+
+    pub async fn send_fuzzy_file_search_session_update_request(
+        &mut self,
+        session_id: &str,
+        query: &str,
+    ) -> anyhow::Result<i64> {
+        let params = serde_json::json!({
+            "sessionId": session_id,
+            "query": query,
+        });
+        self.send_request("fuzzyFileSearch/sessionUpdate", Some(params))
+            .await
+    }
+
+    pub async fn update_fuzzy_file_search_session(
+        &mut self,
+        session_id: &str,
+        query: &str,
+    ) -> anyhow::Result<JSONRPCResponse> {
+        let request_id = self
+            .send_fuzzy_file_search_session_update_request(session_id, query)
+            .await?;
+        self.read_stream_until_response_message(RequestId::Integer(request_id))
+            .await
+    }
+
+    pub async fn send_fuzzy_file_search_session_stop_request(
+        &mut self,
+        session_id: &str,
+    ) -> anyhow::Result<i64> {
+        let params = serde_json::json!({
+            "sessionId": session_id,
+        });
+        self.send_request("fuzzyFileSearch/sessionStop", Some(params))
+            .await
+    }
+
+    pub async fn stop_fuzzy_file_search_session(
+        &mut self,
+        session_id: &str,
+    ) -> anyhow::Result<JSONRPCResponse> {
+        let request_id = self
+            .send_fuzzy_file_search_session_stop_request(session_id)
+            .await?;
+        self.read_stream_until_response_message(RequestId::Integer(request_id))
+            .await
+    }
+
    async fn send_request(
        &mut self,
        method: &str,
--- a/Show More
+++ b/Show More