Add nonblocking turn metadata test

Verify current turn metadata can be read without waiting for a pending git enrichment task, so turn completion remains fast when git metadata is not ready yet. Co-authored-by: Codex <noreply@openai.com>
Scrub turn git remote URLs in analytics
2026-05-08 05:16:55 +00:00 · 2026-04-25 01:53:06 -07:00 · 2026-04-24 23:25:16 -07:00 · 2026-04-24 23:25:16 -07:00 · 2026-04-24 21:38:27 -07:00 · 2026-04-24 21:16:45 -07:00
753 changed files with 52422 additions and 21114 deletions
--- a/.bazelrc
+++ b/.bazelrc
@@ -29,10 +29,13 @@ common:linux --test_env=PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
 common:macos --test_env=PATH=/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin

 # Pass through some env vars Windows needs to use powershell?
-common:windows --test_env=PATH
 common:windows --test_env=SYSTEMROOT
 common:windows --test_env=COMSPEC
 common:windows --test_env=WINDIR
+# Rust's libtest harness runs test bodies on std-spawned threads. The default
+# 2 MiB stack can be too small for large async test futures on Windows CI; see
+# https://github.com/openai/codex/pull/19067 for the motivating failure.
+common --test_env=RUST_MIN_STACK=8388608 # 8 MiB

 common --test_output=errors
 common --bes_results_url=https://app.buildbuddy.io/invocation/
--- a/.codespellrc
+++ b/.codespellrc
@@ -1,6 +1,6 @@
 [codespell]
 # Ref: https://github.com/codespell-project/codespell#using-a-config-file
-skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl,frame*.txt,*.snap,*.snap.new,*meriyah.umd.min.js
+skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl,frame*.txt,*.snap,*.snap.new
 check-hidden = true
 ignore-regex = ^\s*"image/\S+": ".*|\b(afterAll)\b
 ignore-words-list = ratatui,ser,iTerm,iterm2,iterm,te,TE,PASE,SEH
--- a/.devcontainer/Dockerfile.secure
+++ b/.devcontainer/Dockerfile.secure
@@ -4,9 +4,11 @@ ARG TZ
 ARG DEBIAN_FRONTEND=noninteractive
 ARG NODE_MAJOR=22
 ARG RUST_TOOLCHAIN=1.92.0
-ARG CODEX_NPM_VERSION=latest
+# Keep this in sync with .devcontainer/codex-install/package.json and pnpm-lock.yaml.
+ARG CODEX_NPM_VERSION=0.121.0

 ENV TZ="$TZ"
+ENV COREPACK_ENABLE_DOWNLOAD_PROMPT=0

 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

@@ -43,12 +45,18 @@ RUN apt-get update \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

+COPY .devcontainer/codex-install/package.json \
+     .devcontainer/codex-install/pnpm-lock.yaml \
+     .devcontainer/codex-install/pnpm-workspace.yaml \
+     /opt/codex-install/
+
 RUN curl -fsSL "https://deb.nodesource.com/setup_${NODE_MAJOR}.x" | bash - \
    && apt-get update \
    && apt-get install -y --no-install-recommends nodejs \
-    && npm install -g corepack@latest "@openai/codex@${CODEX_NPM_VERSION}" \
-    && corepack enable \
-    && corepack prepare pnpm@10.28.2 --activate \
+    && test "$(node -p "require('/opt/codex-install/package.json').dependencies['@openai/codex']")" = "${CODEX_NPM_VERSION}" \
+    && cd /opt/codex-install \
+    && corepack pnpm install --prod --frozen-lockfile \
+    && ln -s /opt/codex-install/node_modules/.bin/codex /usr/local/bin/codex \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

--- a/.devcontainer/codex-install/package.json
+++ b/.devcontainer/codex-install/package.json
@@ -0,0 +1,13 @@
+{
+  "name": "codex-devcontainer-install",
+  "private": true,
+  "description": "Locked Codex CLI install boundary for the secure devcontainer.",
+  "dependencies": {
+    "@openai/codex": "0.121.0"
+  },
+  "engines": {
+    "node": ">=22",
+    "pnpm": ">=10.33.0"
+  },
+  "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319"
+}
--- a/.devcontainer/codex-install/pnpm-lock.yaml
+++ b/.devcontainer/codex-install/pnpm-lock.yaml
@@ -0,0 +1,85 @@
+lockfileVersion: '9.0'
+
+settings:
+  autoInstallPeers: true
+  excludeLinksFromLockfile: false
+
+importers:
+
+  .:
+    dependencies:
+      '@openai/codex':
+        specifier: 0.121.0
+        version: 0.121.0
+
+packages:
+
+  '@openai/codex@0.121.0':
+    resolution: {integrity: sha512-kCJ2NeATd4QBQRmqV04ymdN1ZU3MSwnJQDm/KzjpuzGvCuUVEn7no/T2mRyxQ2x77AACqriNOyPPoM/yufyvNg==}
+    engines: {node: '>=16'}
+    hasBin: true
+
+  '@openai/codex@0.121.0-darwin-arm64':
+    resolution: {integrity: sha512-ZyBqIB6Fb4I0hGb/h65Vu7ePYjHSmGiqqfm+/1djEuxDPkqjfi4wkxYxNYNY+6najyNGN4UijOSTTf19eDCrqw==}
+    engines: {node: '>=16'}
+    cpu: [arm64]
+    os: [darwin]
+
+  '@openai/codex@0.121.0-darwin-x64':
+    resolution: {integrity: sha512-1/OAtdkAZ5yPI3xqaEFlHuPziS1yCqL2gOZdswE7HTmmwpIxi6Z3FCo60JWDPluIp89z4tftdjq73/OCN0YVcw==}
+    engines: {node: '>=16'}
+    cpu: [x64]
+    os: [darwin]
+
+  '@openai/codex@0.121.0-linux-arm64':
+    resolution: {integrity: sha512-2UgMmdo237o7SCMsfb529cOSEM2HFUgN6OBkv5SBLwfNY1NO2Ex6JnUjlppEXlX6/4cXfZ5qjDghVz5j/+B9zw==}
+    engines: {node: '>=16'}
+    cpu: [arm64]
+    os: [linux]
+
+  '@openai/codex@0.121.0-linux-x64':
+    resolution: {integrity: sha512-vlpNJXIqss800J+32Vy7TUZzv31n61b45OLxmsVQGFkTNLJcjFrj9jDUC7I62eC4F16gLioilefNfv4CdJQOEw==}
+    engines: {node: '>=16'}
+    cpu: [x64]
+    os: [linux]
+
+  '@openai/codex@0.121.0-win32-arm64':
+    resolution: {integrity: sha512-m88q4f3XI5npn1t6OG0nWGHWWAjO5FgjRwxh4hdujbLO6t9CiCNfhfPZIOSsoATbrCNwLC+6S77m3cjbNToPNg==}
+    engines: {node: '>=16'}
+    cpu: [arm64]
+    os: [win32]
+
+  '@openai/codex@0.121.0-win32-x64':
+    resolution: {integrity: sha512-Fp0ecVOyM+VcBi/y4HVvRzhifO9YqRiHzhV3rhtAppC7flh22WPguLC4kmvXYAR0p3RPzbo35M2CedWnkOT+cw==}
+    engines: {node: '>=16'}
+    cpu: [x64]
+    os: [win32]
+
+snapshots:
+
+  '@openai/codex@0.121.0':
+    optionalDependencies:
+      '@openai/codex-darwin-arm64': '@openai/codex@0.121.0-darwin-arm64'
+      '@openai/codex-darwin-x64': '@openai/codex@0.121.0-darwin-x64'
+      '@openai/codex-linux-arm64': '@openai/codex@0.121.0-linux-arm64'
+      '@openai/codex-linux-x64': '@openai/codex@0.121.0-linux-x64'
+      '@openai/codex-win32-arm64': '@openai/codex@0.121.0-win32-arm64'
+      '@openai/codex-win32-x64': '@openai/codex@0.121.0-win32-x64'
+
+  '@openai/codex@0.121.0-darwin-arm64':
+    optional: true
+
+  '@openai/codex@0.121.0-darwin-x64':
+    optional: true
+
+  '@openai/codex@0.121.0-linux-arm64':
+    optional: true
+
+  '@openai/codex@0.121.0-linux-x64':
+    optional: true
+
+  '@openai/codex@0.121.0-win32-arm64':
+    optional: true
+
+  '@openai/codex@0.121.0-win32-x64':
+    optional: true
--- a/.devcontainer/codex-install/pnpm-workspace.yaml
+++ b/.devcontainer/codex-install/pnpm-workspace.yaml
@@ -0,0 +1,12 @@
+packages:
+  - "."
+
+minimumReleaseAge: 10080
+minimumReleaseAgeExclude: []
+
+blockExoticSubdeps: true
+strictDepBuilds: true
+trustPolicy: no-downgrade
+trustPolicyIgnoreAfter: 10080
+trustPolicyExclude: []
+allowBuilds: {}
--- a/.devcontainer/devcontainer.secure.json
+++ b/.devcontainer/devcontainer.secure.json
@@ -8,7 +8,7 @@
      "TZ": "${localEnv:TZ:UTC}",
      "NODE_MAJOR": "22",
      "RUST_TOOLCHAIN": "1.92.0",
-      "CODEX_NPM_VERSION": "latest"
+      "CODEX_NPM_VERSION": "0.121.0"
    }
  },
  "runArgs": [
--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +1,2 @@
 codex-rs/app-server-protocol/schema/** linguist-generated
+codex-rs/hooks/schema/generated/** linguist-generated
--- a/.github/actions/linux-code-sign/action.yml
+++ b/.github/actions/linux-code-sign/action.yml
@@ -7,6 +7,9 @@ inputs:
  artifacts-dir:
    description: Absolute path to the directory containing built binaries to sign.
    required: true
+  binaries:
+    description: Space-delimited binary basenames to sign.
+    default: "codex codex-responses-api-proxy"

 runs:
  using: composite
@@ -18,6 +21,7 @@ runs:
      shell: bash
      env:
        ARTIFACTS_DIR: ${{ inputs.artifacts-dir }}
+        BINARIES: ${{ inputs.binaries }}
        COSIGN_EXPERIMENTAL: "1"
        COSIGN_YES: "true"
        COSIGN_OIDC_CLIENT_ID: "sigstore"
@@ -31,7 +35,7 @@ runs:
          exit 1
        fi

-        for binary in codex codex-responses-api-proxy; do
+        for binary in ${BINARIES}; do
          artifact="${dest}/${binary}"
          if [[ ! -f "$artifact" ]]; then
            echo "Binary $artifact not found"
--- a/.github/actions/macos-code-sign/action.yml
+++ b/.github/actions/macos-code-sign/action.yml
@@ -4,6 +4,9 @@ inputs:
  target:
    description: Rust compilation target triple (e.g. aarch64-apple-darwin).
    required: true
+  binaries:
+    description: Space-delimited binary basenames to sign and notarize.
+    default: "codex codex-responses-api-proxy"
  sign-binaries:
    description: Whether to sign and notarize the macOS binaries.
    required: false
@@ -119,6 +122,7 @@ runs:
      shell: bash
      env:
        TARGET: ${{ inputs.target }}
+        BINARIES: ${{ inputs.binaries }}
      run: |
        set -euo pipefail

@@ -134,7 +138,7 @@ runs:

        entitlements_path="$GITHUB_ACTION_PATH/codex.entitlements.plist"

-        for binary in codex codex-responses-api-proxy; do
+        for binary in ${BINARIES}; do
          path="codex-rs/target/${TARGET}/release/${binary}"
          codesign --force --options runtime --timestamp --entitlements "$entitlements_path" --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
        done
@@ -144,6 +148,7 @@ runs:
      shell: bash
      env:
        TARGET: ${{ inputs.target }}
+        BINARIES: ${{ inputs.binaries }}
        APPLE_NOTARIZATION_KEY_P8: ${{ inputs.apple-notarization-key-p8 }}
        APPLE_NOTARIZATION_KEY_ID: ${{ inputs.apple-notarization-key-id }}
        APPLE_NOTARIZATION_ISSUER_ID: ${{ inputs.apple-notarization-issuer-id }}
@@ -182,8 +187,9 @@ runs:
          notarize_submission "$binary" "$archive_path" "$notary_key_path"
        }

-        notarize_binary "codex"
-        notarize_binary "codex-responses-api-proxy"
+        for binary in ${BINARIES}; do
+          notarize_binary "${binary}"
+        done

    - name: Sign and notarize macOS dmg
      if: ${{ inputs.sign-dmg == 'true' }}
--- a/.github/actions/prepare-bazel-ci/action.yml
+++ b/.github/actions/prepare-bazel-ci/action.yml
@@ -8,7 +8,7 @@ inputs:
    description: Logical namespace used to keep concurrent Bazel jobs from reserving the same repository cache key.
    required: true
  install-test-prereqs:
-    description: Install Node.js and DotSlash for Bazel-backed test jobs.
+    description: Install DotSlash for Bazel-backed test jobs.
    required: false
    default: "false"
 outputs:
--- a/.github/actions/setup-bazel-ci/action.yml
+++ b/.github/actions/setup-bazel-ci/action.yml
@@ -5,7 +5,7 @@ inputs:
    description: Target triple used for cache namespacing.
    required: true
  install-test-prereqs:
-    description: Install Node.js and DotSlash for Bazel-backed test jobs.
+    description: Install DotSlash for Bazel-backed test jobs.
    required: false
    default: "false"
 outputs:
@@ -16,12 +16,6 @@ outputs:
 runs:
  using: composite
  steps:
-    - name: Set up Node.js for js_repl tests
-      if: inputs.install-test-prereqs == 'true'
-      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
-      with:
-        node-version-file: codex-rs/node-version.txt
-
    # Some integration tests rely on DotSlash being installed.
    # See https://github.com/openai/codex/pull/7617.
    - name: Install DotSlash
@@ -122,6 +116,11 @@ runs:
          }
        }

+    - name: Compute cache-stable Windows Bazel PATH
+      if: runner.os == 'Windows'
+      shell: pwsh
+      run: ./.github/scripts/compute-bazel-windows-path.ps1
+
    - name: Enable Git long paths (Windows)
      if: runner.os == 'Windows'
      shell: pwsh
--- a/.github/actions/windows-code-sign/action.yml
+++ b/.github/actions/windows-code-sign/action.yml
@@ -4,6 +4,9 @@ inputs:
  target:
    description: Target triple for the artifacts to sign.
    required: true
+  binaries:
+    description: Space-delimited binary basenames to sign.
+    default: "codex codex-responses-api-proxy codex-windows-sandbox-setup codex-command-runner"
  client-id:
    description: Azure Trusted Signing client ID.
    required: true
@@ -33,6 +36,23 @@ runs:
        tenant-id: ${{ inputs.tenant-id }}
        subscription-id: ${{ inputs.subscription-id }}

+    - name: Prepare file list
+      id: prepare
+      shell: bash
+      env:
+        TARGET: ${{ inputs.target }}
+        BINARIES: ${{ inputs.binaries }}
+      run: |
+        set -euo pipefail
+
+        {
+          echo "files<<EOF"
+          for binary in ${BINARIES}; do
+            echo "${GITHUB_WORKSPACE}/codex-rs/target/${TARGET}/release/${binary}.exe"
+          done
+          echo "EOF"
+        } >> "$GITHUB_OUTPUT"
+
    - name: Sign Windows binaries with Azure Trusted Signing
      uses: azure/trusted-signing-action@1d365fec12862c4aa68fcac418143d73f0cea293 # v0
      with:
@@ -50,8 +70,4 @@ runs:
        exclude-azure-developer-cli-credential: true
        exclude-interactive-browser-credential: true
        cache-dependencies: false
-        files: |
-          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex.exe
-          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-responses-api-proxy.exe
-          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-windows-sandbox-setup.exe
-          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-command-runner.exe
+        files: ${{ steps.prepare.outputs.files }}
--- a/.github/dotslash-config.json
+++ b/.github/dotslash-config.json
@@ -28,6 +28,34 @@
        }
      }
    },
+    "codex-app-server": {
+      "platforms": {
+        "macos-aarch64": {
+          "regex": "^codex-app-server-aarch64-apple-darwin\\.zst$",
+          "path": "codex-app-server"
+        },
+        "macos-x86_64": {
+          "regex": "^codex-app-server-x86_64-apple-darwin\\.zst$",
+          "path": "codex-app-server"
+        },
+        "linux-x86_64": {
+          "regex": "^codex-app-server-x86_64-unknown-linux-musl\\.zst$",
+          "path": "codex-app-server"
+        },
+        "linux-aarch64": {
+          "regex": "^codex-app-server-aarch64-unknown-linux-musl\\.zst$",
+          "path": "codex-app-server"
+        },
+        "windows-x86_64": {
+          "regex": "^codex-app-server-x86_64-pc-windows-msvc\\.exe\\.zst$",
+          "path": "codex-app-server.exe"
+        },
+        "windows-aarch64": {
+          "regex": "^codex-app-server-aarch64-pc-windows-msvc\\.exe\\.zst$",
+          "path": "codex-app-server.exe"
+        }
+      }
+    },
    "codex-responses-api-proxy": {
      "platforms": {
        "macos-aarch64": {
--- a/.github/scripts/compute-bazel-windows-path.ps1
+++ b/.github/scripts/compute-bazel-windows-path.ps1
@@ -0,0 +1,105 @@
+<#
+BuildBuddy cache keys include the action and test environment, so Bazel should
+not inherit the full hosted-runner PATH on Windows. That PATH includes volatile
+tool entries, such as Maven, that can change independently of this repo and
+cause avoidable cache misses.
+
+This script derives a smaller, cache-stable PATH that keeps the Windows
+toolchain entries Bazel-backed CI tasks need: MSVC and Windows SDK paths, Git,
+PowerShell, Node, Python, DotSlash, and the standard Windows system
+directories.
+`setup-bazel-ci` runs this after exporting the MSVC environment, and the script
+publishes the result via `GITHUB_ENV` as `CODEX_BAZEL_WINDOWS_PATH` so later
+steps can pass that explicit PATH to Bazel.
+#>
+
+$stablePathEntries = New-Object System.Collections.Generic.List[string]
+$seenEntries = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
+$windowsAppsPath = if ([string]::IsNullOrWhiteSpace($env:LOCALAPPDATA)) {
+  $null
+} else {
+  "$($env:LOCALAPPDATA)\Microsoft\WindowsApps"
+}
+$windowsDir = if ($env:WINDIR) {
+  $env:WINDIR
+} elseif ($env:SystemRoot) {
+  $env:SystemRoot
+} else {
+  $null
+}
+
+function Add-StablePathEntry {
+  param([string]$PathEntry)
+
+  if ([string]::IsNullOrWhiteSpace($PathEntry)) {
+    return
+  }
+
+  if ($seenEntries.Add($PathEntry)) {
+    [void]$stablePathEntries.Add($PathEntry)
+  }
+}
+
+foreach ($pathEntry in ($env:PATH -split ';')) {
+  if ([string]::IsNullOrWhiteSpace($pathEntry)) {
+    continue
+  }
+
+  if (
+    $pathEntry -like '*Microsoft Visual Studio*' -or
+    $pathEntry -like '*Windows Kits*' -or
+    $pathEntry -like '*Microsoft SDKs*' -or
+    $pathEntry -like 'C:\Program Files\Git\*' -or
+    $pathEntry -like 'C:\Program Files\PowerShell\*' -or
+    $pathEntry -like 'C:\hostedtoolcache\windows\node\*' -or
+    $pathEntry -like 'C:\hostedtoolcache\windows\Python\*' -or
+    $pathEntry -eq 'D:\a\_temp\install-dotslash\bin' -or
+    ($windowsDir -and ($pathEntry -eq $windowsDir -or $pathEntry -like "${windowsDir}\*"))
+  ) {
+    Add-StablePathEntry $pathEntry
+  }
+}
+
+$gitCommand = Get-Command git -ErrorAction SilentlyContinue
+if ($gitCommand) {
+  Add-StablePathEntry (Split-Path $gitCommand.Source -Parent)
+}
+
+$nodeCommand = Get-Command node -ErrorAction SilentlyContinue
+if ($nodeCommand) {
+  Add-StablePathEntry (Split-Path $nodeCommand.Source -Parent)
+}
+
+$python3Command = Get-Command python3 -ErrorAction SilentlyContinue
+if ($python3Command) {
+  Add-StablePathEntry (Split-Path $python3Command.Source -Parent)
+}
+
+$pythonCommand = Get-Command python -ErrorAction SilentlyContinue
+if ($pythonCommand) {
+  Add-StablePathEntry (Split-Path $pythonCommand.Source -Parent)
+}
+
+$pwshCommand = Get-Command pwsh -ErrorAction SilentlyContinue
+if ($pwshCommand) {
+  Add-StablePathEntry (Split-Path $pwshCommand.Source -Parent)
+}
+
+if ($windowsAppsPath) {
+  Add-StablePathEntry $windowsAppsPath
+}
+
+if ($stablePathEntries.Count -eq 0) {
+  throw 'Failed to derive cache-stable Windows PATH.'
+}
+
+if ([string]::IsNullOrWhiteSpace($env:GITHUB_ENV)) {
+  throw 'GITHUB_ENV must be set.'
+}
+
+$stablePath = $stablePathEntries -join ';'
+Write-Host 'Derived CODEX_BAZEL_WINDOWS_PATH entries:'
+foreach ($pathEntry in $stablePathEntries) {
+  Write-Host "  $pathEntry"
+}
+"CODEX_BAZEL_WINDOWS_PATH=$stablePath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
--- a/.github/scripts/run-argument-comment-lint-bazel.sh
+++ b/.github/scripts/run-argument-comment-lint-bazel.sh
@@ -2,16 +2,6 @@

 set -euo pipefail

-ci_config=ci-linux
-case "${RUNNER_OS:-}" in
-  macOS)
-    ci_config=ci-macos
-    ;;
-  Windows)
-    ci_config=ci-windows
-    ;;
-esac
-
 bazel_lint_args=("$@")
 if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
  has_host_platform_override=0
@@ -44,29 +34,6 @@ if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
  bazel_lint_args+=("--skip_incompatible_explicit_targets")
 fi

-bazel_startup_args=()
-if [[ -n "${BAZEL_OUTPUT_USER_ROOT:-}" ]]; then
-  bazel_startup_args+=("--output_user_root=${BAZEL_OUTPUT_USER_ROOT}")
-fi
-
-run_bazel() {
-  if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
-    MSYS2_ARG_CONV_EXCL='*' bazel "$@"
-    return
-  fi
-
-  bazel "$@"
-}
-
-run_bazel_with_startup_args() {
-  if [[ ${#bazel_startup_args[@]} -gt 0 ]]; then
-    run_bazel "${bazel_startup_args[@]}" "$@"
-    return
-  fi
-
-  run_bazel "$@"
-}
-
 read_query_labels() {
  local query="$1"
  local query_stdout
@@ -74,12 +41,10 @@ read_query_labels() {
  query_stdout="$(mktemp)"
  query_stderr="$(mktemp)"

-  if ! run_bazel_with_startup_args \
-    --noexperimental_remote_repo_contents_cache \
-    query \
+  if ! ./.github/scripts/run-bazel-query-ci.sh \
    --keep_going \
    --output=label \
-    "$query" >"$query_stdout" 2>"$query_stderr"; then
+    -- "$query" >"$query_stdout" 2>"$query_stderr"; then
    cat "$query_stderr" >&2
    rm -f "$query_stdout" "$query_stderr"
    exit 1
--- a/.github/scripts/run-bazel-ci.sh
+++ b/.github/scripts/run-bazel-ci.sh
@@ -4,7 +4,6 @@ set -euo pipefail

 print_failed_bazel_test_logs=0
 print_failed_bazel_action_summary=0
-use_node_test_env=0
 remote_download_toplevel=0
 windows_msvc_host_platform=0

@@ -18,10 +17,6 @@ while [[ $# -gt 0 ]]; do
      print_failed_bazel_action_summary=1
      shift
      ;;
-    --use-node-test-env)
-      use_node_test_env=1
-      shift
-      ;;
    --remote-download-toplevel)
      remote_download_toplevel=1
      shift
@@ -42,7 +37,7 @@ while [[ $# -gt 0 ]]; do
 done

 if [[ $# -eq 0 ]]; then
-  echo "Usage: $0 [--print-failed-test-logs] [--print-failed-action-summary] [--use-node-test-env] [--remote-download-toplevel] [--windows-msvc-host-platform] -- <bazel args> -- <targets>" >&2
+  echo "Usage: $0 [--print-failed-test-logs] [--print-failed-action-summary] [--remote-download-toplevel] [--windows-msvc-host-platform] -- <bazel args> -- <targets>" >&2
  exit 1
 fi

@@ -249,16 +244,6 @@ if [[ ${#bazel_args[@]} -eq 0 || ${#bazel_targets[@]} -eq 0 ]]; then
  exit 1
 fi

-if [[ $use_node_test_env -eq 1 ]]; then
-  # Bazel test sandboxes on macOS may resolve an older Homebrew `node`
-  # before the `actions/setup-node` runtime on PATH.
-  node_bin="$(which node)"
-  if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
-    node_bin="$(cygpath -w "${node_bin}")"
-  fi
-  bazel_args+=("--test_env=CODEX_JS_REPL_NODE_PATH=${node_bin}")
-fi
-
 post_config_bazel_args=()
 if [[ "${RUNNER_OS:-}" == "Windows" && $windows_msvc_host_platform -eq 1 ]]; then
  has_host_platform_override=0
@@ -306,7 +291,6 @@ if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
    INCLUDE
    LIB
    LIBPATH
-    PATH
    UCRTVersion
    UniversalCRTSdkDir
    VCINSTALLDIR
@@ -323,6 +307,17 @@ if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
      post_config_bazel_args+=("--action_env=${env_var}" "--host_action_env=${env_var}")
    fi
  done
+
+  if [[ -z "${CODEX_BAZEL_WINDOWS_PATH:-}" ]]; then
+    echo "CODEX_BAZEL_WINDOWS_PATH must be set for Windows Bazel CI." >&2
+    exit 1
+  fi
+
+  post_config_bazel_args+=(
+    "--action_env=PATH=${CODEX_BAZEL_WINDOWS_PATH}"
+    "--host_action_env=PATH=${CODEX_BAZEL_WINDOWS_PATH}"
+    "--test_env=PATH=${CODEX_BAZEL_WINDOWS_PATH}"
+  )
 fi

 bazel_console_log="$(mktemp)"
--- a/.github/scripts/run-bazel-query-ci.sh
+++ b/.github/scripts/run-bazel-query-ci.sh
@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Run Bazel queries with the same CI startup settings as the main build/test
+# invocation so target-discovery queries can reuse the same Bazel server.
+
+query_args=()
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --)
+      shift
+      break
+      ;;
+    *)
+      query_args+=("$1")
+      shift
+      ;;
+  esac
+done
+
+if [[ $# -ne 1 ]]; then
+  echo "Usage: $0 [<bazel query args>...] -- <query expression>" >&2
+  exit 1
+fi
+
+query_expression="$1"
+
+ci_config=ci-linux
+case "${RUNNER_OS:-}" in
+  macOS)
+    ci_config=ci-macos
+    ;;
+  Windows)
+    ci_config=ci-windows
+    ;;
+esac
+
+bazel_startup_args=()
+if [[ -n "${BAZEL_OUTPUT_USER_ROOT:-}" ]]; then
+  bazel_startup_args+=("--output_user_root=${BAZEL_OUTPUT_USER_ROOT}")
+fi
+
+run_bazel() {
+  if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
+    MSYS2_ARG_CONV_EXCL='*' bazel "$@"
+    return
+  fi
+
+  bazel "$@"
+}
+
+bazel_query_args=(--noexperimental_remote_repo_contents_cache query)
+if [[ -n "${BUILDBUDDY_API_KEY:-}" ]]; then
+  bazel_query_args+=(
+    "--config=${ci_config}"
+    "--remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}"
+  )
+fi
+
+if [[ -n "${BAZEL_REPO_CONTENTS_CACHE:-}" ]]; then
+  bazel_query_args+=("--repo_contents_cache=${BAZEL_REPO_CONTENTS_CACHE}")
+fi
+
+if [[ -n "${BAZEL_REPOSITORY_CACHE:-}" ]]; then
+  bazel_query_args+=("--repository_cache=${BAZEL_REPOSITORY_CACHE}")
+fi
+
+bazel_query_args+=("${query_args[@]}" "$query_expression")
+
+if (( ${#bazel_startup_args[@]} > 0 )); then
+  run_bazel "${bazel_startup_args[@]}" "${bazel_query_args[@]}"
+else
+  run_bazel "${bazel_query_args[@]}"
+fi
--- a/.github/workflows/Dockerfile.bazel
+++ b/.github/workflows/Dockerfile.bazel
@@ -8,25 +8,9 @@ FROM ubuntu:24.04

 RUN apt-get update && \
    apt-get install -y --no-install-recommends \
-    curl git python3 ca-certificates xz-utils && \
+    curl git python3 ca-certificates && \
    rm -rf /var/lib/apt/lists/*

-COPY codex-rs/node-version.txt /tmp/node-version.txt
-
-RUN set -eux; \
-    node_arch="$(dpkg --print-architecture)"; \
-    case "${node_arch}" in \
-      amd64) node_dist_arch="x64" ;; \
-      arm64) node_dist_arch="arm64" ;; \
-      *) echo "unsupported architecture: ${node_arch}"; exit 1 ;; \
-    esac; \
-    node_version="$(tr -d '[:space:]' </tmp/node-version.txt)"; \
-    curl -fsSLO "https://nodejs.org/dist/v${node_version}/node-v${node_version}-linux-${node_dist_arch}.tar.xz"; \
-    tar -xJf "node-v${node_version}-linux-${node_dist_arch}.tar.xz" -C /usr/local --strip-components=1; \
-    rm "node-v${node_version}-linux-${node_dist_arch}.tar.xz" /tmp/node-version.txt; \
-    node --version; \
-    npm --version
-
 # Install dotslash.
 RUN curl -LSfs "https://github.com/facebook/dotslash/releases/download/v0.5.8/dotslash-ubuntu-22.04.$(uname -m).tar.gz" | tar fxz - -C /usr/local/bin

--- a/.github/workflows/bazel.yml
+++ b/.github/workflows/bazel.yml
@@ -85,7 +85,6 @@ jobs:

          bazel_wrapper_args=(
            --print-failed-test-logs
-            --use-node-test-env
          )
          bazel_test_args=(
            test
--- a/.github/workflows/issue-deduplicator.yml
+++ b/.github/workflows/issue-deduplicator.yml
@@ -61,7 +61,7 @@ jobs:
      # .github/prompts/issue-deduplicator.txt file is obsolete and removed.
      - id: codex-all
        name: Find duplicates (pass 1, all issues)
-        uses: openai/codex-action@0b91f4a2703c23df3102c3f0967d3c6db34eedef # v1
+        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02 # v1.7
        with:
          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
          allow-users: "*"
@@ -195,7 +195,7 @@ jobs:

      - id: codex-open
        name: Find duplicates (pass 2, open issues)
-        uses: openai/codex-action@0b91f4a2703c23df3102c3f0967d3c6db34eedef # v1
+        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02 # v1.7
        with:
          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
          allow-users: "*"
--- a/.github/workflows/issue-labeler.yml
+++ b/.github/workflows/issue-labeler.yml
@@ -20,7 +20,7 @@ jobs:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - id: codex
-        uses: openai/codex-action@0b91f4a2703c23df3102c3f0967d3c6db34eedef # v1
+        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02 # v1.7
        with:
          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
          allow-users: "*"
--- a/.github/workflows/rust-ci-full.yml
+++ b/.github/workflows/rust-ci-full.yml
@@ -76,6 +76,8 @@ jobs:
      - name: Test argument comment lint package
        working-directory: tools/argument-comment-lint
        run: cargo test
+        env:
+          RUST_MIN_STACK: "8388608" # 8 MiB

  argument_comment_lint_prebuilt:
    name: Argument comment lint - ${{ matrix.name }}
@@ -558,10 +560,6 @@ jobs:

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - name: Set up Node.js for js_repl tests
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
-        with:
-          node-version-file: codex-rs/node-version.txt
      - name: Install Linux build dependencies
        if: ${{ runner.os == 'Linux' }}
        shell: bash
@@ -671,6 +669,7 @@ jobs:
        run: cargo nextest run --no-fail-fast --target ${{ matrix.target }} --cargo-profile ci-test --timings
        env:
          RUST_BACKTRACE: 1
+          RUST_MIN_STACK: "8388608" # 8 MiB
          NEXTEST_STATUS_LEVEL: leak

      - name: Upload Cargo timings (nextest)
--- a/.github/workflows/rust-ci.yml
+++ b/.github/workflows/rust-ci.yml
@@ -131,6 +131,8 @@ jobs:
      - name: Test argument comment lint package
        working-directory: tools/argument-comment-lint
        run: cargo test
+        env:
+          RUST_MIN_STACK: "8388608" # 8 MiB

  argument_comment_lint_prebuilt:
    name: Argument comment lint - ${{ matrix.name }}
--- a/.github/workflows/rust-release-windows.yml
+++ b/.github/workflows/rust-release-windows.yml
@@ -40,28 +40,42 @@ jobs:
          - runner: windows-x64
            target: x86_64-pc-windows-msvc
            bundle: primary
-            build_args: --bin codex --bin codex-responses-api-proxy
+            binaries: "codex codex-responses-api-proxy"
            runs_on:
              group: codex-runners
              labels: codex-windows-x64
          - runner: windows-arm64
            target: aarch64-pc-windows-msvc
            bundle: primary
-            build_args: --bin codex --bin codex-responses-api-proxy
+            binaries: "codex codex-responses-api-proxy"
            runs_on:
              group: codex-runners
              labels: codex-windows-arm64
          - runner: windows-x64
            target: x86_64-pc-windows-msvc
            bundle: helpers
-            build_args: --bin codex-windows-sandbox-setup --bin codex-command-runner
+            binaries: "codex-windows-sandbox-setup codex-command-runner"
            runs_on:
              group: codex-runners
              labels: codex-windows-x64
          - runner: windows-arm64
            target: aarch64-pc-windows-msvc
            bundle: helpers
-            build_args: --bin codex-windows-sandbox-setup --bin codex-command-runner
+            binaries: "codex-windows-sandbox-setup codex-command-runner"
+            runs_on:
+              group: codex-runners
+              labels: codex-windows-arm64
+          - runner: windows-x64
+            target: x86_64-pc-windows-msvc
+            bundle: app-server
+            binaries: "codex-app-server"
+            runs_on:
+              group: codex-runners
+              labels: codex-windows-x64
+          - runner: windows-arm64
+            target: aarch64-pc-windows-msvc
+            bundle: app-server
+            binaries: "codex-app-server"
            runs_on:
              group: codex-runners
              labels: codex-windows-arm64
@@ -89,7 +103,11 @@ jobs:
      - name: Cargo build (Windows binaries)
        shell: bash
        run: |
-          cargo build --target ${{ matrix.target }} --release --timings ${{ matrix.build_args }}
+          build_args=()
+          for binary in ${{ matrix.binaries }}; do
+            build_args+=(--bin "$binary")
+          done
+          cargo build --target ${{ matrix.target }} --release --timings "${build_args[@]}"

      - name: Upload Cargo timings
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
@@ -103,13 +121,9 @@ jobs:
        run: |
          output_dir="target/${{ matrix.target }}/release/staged-${{ matrix.bundle }}"
          mkdir -p "$output_dir"
-          if [[ "${{ matrix.bundle }}" == "primary" ]]; then
-            cp target/${{ matrix.target }}/release/codex.exe "$output_dir/codex.exe"
-            cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$output_dir/codex-responses-api-proxy.exe"
-          else
-            cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$output_dir/codex-windows-sandbox-setup.exe"
-            cp target/${{ matrix.target }}/release/codex-command-runner.exe "$output_dir/codex-command-runner.exe"
-          fi
+          for binary in ${{ matrix.binaries }}; do
+            cp "target/${{ matrix.target }}/release/${binary}.exe" "$output_dir/${binary}.exe"
+          done

      - name: Upload Windows binaries
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
@@ -130,6 +144,8 @@ jobs:
    defaults:
      run:
        working-directory: codex-rs
+    env:
+      WINDOWS_BINARIES: "codex codex-responses-api-proxy codex-windows-sandbox-setup codex-command-runner codex-app-server"

    strategy:
      fail-fast: false
@@ -161,19 +177,25 @@ jobs:
          name: windows-binaries-${{ matrix.target }}-helpers
          path: codex-rs/target/${{ matrix.target }}/release

+      - name: Download prebuilt Windows app-server binary
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        with:
+          name: windows-binaries-${{ matrix.target }}-app-server
+          path: codex-rs/target/${{ matrix.target }}/release
+
      - name: Verify binaries
        shell: bash
        run: |
          set -euo pipefail
-          ls -lh target/${{ matrix.target }}/release/codex.exe
-          ls -lh target/${{ matrix.target }}/release/codex-responses-api-proxy.exe
-          ls -lh target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe
-          ls -lh target/${{ matrix.target }}/release/codex-command-runner.exe
+          for binary in ${WINDOWS_BINARIES}; do
+            ls -lh "target/${{ matrix.target }}/release/${binary}.exe"
+          done

      - name: Sign Windows binaries with Azure Trusted Signing
        uses: ./.github/actions/windows-code-sign
        with:
          target: ${{ matrix.target }}
+          binaries: ${{ env.WINDOWS_BINARIES }}
          client-id: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TRUSTED_SIGNING_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID }}
@@ -187,10 +209,10 @@ jobs:
          dest="dist/${{ matrix.target }}"
          mkdir -p "$dest"

-          cp target/${{ matrix.target }}/release/codex.exe "$dest/codex-${{ matrix.target }}.exe"
-          cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$dest/codex-responses-api-proxy-${{ matrix.target }}.exe"
-          cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
-          cp target/${{ matrix.target }}/release/codex-command-runner.exe "$dest/codex-command-runner-${{ matrix.target }}.exe"
+          for binary in ${WINDOWS_BINARIES}; do
+            cp "target/${{ matrix.target }}/release/${binary}.exe" \
+              "$dest/${binary}-${{ matrix.target }}.exe"
+          done

      - name: Install DotSlash
        uses: facebook/install-dotslash@1e4e7b3e07eaca387acb98f1d4720e0bee8dbb6a # v2
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -47,7 +47,7 @@ jobs:

  build:
    needs: tag-check
-    name: Build - ${{ matrix.runner }} - ${{ matrix.target }}
+    name: Build - ${{ matrix.runner }} - ${{ matrix.target }} - ${{ matrix.bundle }}
    runs-on: ${{ matrix.runs_on || matrix.runner }}
    timeout-minutes: 60
    permissions:
@@ -67,16 +67,53 @@ jobs:
        include:
          - runner: macos-15-xlarge
            target: aarch64-apple-darwin
+            bundle: primary
+            artifact_name: aarch64-apple-darwin
+            binaries: "codex codex-responses-api-proxy"
+            build_dmg: "true"
+          - runner: macos-15-xlarge
+            target: aarch64-apple-darwin
+            bundle: app-server
+            artifact_name: aarch64-apple-darwin-app-server
+            binaries: "codex-app-server"
+            build_dmg: "false"
          - runner: macos-15-xlarge
            target: x86_64-apple-darwin
+            bundle: primary
+            artifact_name: x86_64-apple-darwin
+            binaries: "codex codex-responses-api-proxy"
+            build_dmg: "true"
+          - runner: macos-15-xlarge
+            target: x86_64-apple-darwin
+            bundle: app-server
+            artifact_name: x86_64-apple-darwin-app-server
+            binaries: "codex-app-server"
+            build_dmg: "false"
+          # Release artifacts intentionally ship MUSL-linked Linux binaries.
          - runner: ubuntu-24.04
            target: x86_64-unknown-linux-musl
+            bundle: primary
+            artifact_name: x86_64-unknown-linux-musl
+            binaries: "codex codex-responses-api-proxy"
+            build_dmg: "false"
          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-gnu
+            target: x86_64-unknown-linux-musl
+            bundle: app-server
+            artifact_name: x86_64-unknown-linux-musl-app-server
+            binaries: "codex-app-server"
+            build_dmg: "false"
          - runner: ubuntu-24.04-arm
            target: aarch64-unknown-linux-musl
+            bundle: primary
+            artifact_name: aarch64-unknown-linux-musl
+            binaries: "codex codex-responses-api-proxy"
+            build_dmg: "false"
          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-gnu
+            target: aarch64-unknown-linux-musl
+            bundle: app-server
+            artifact_name: aarch64-unknown-linux-musl-app-server
+            binaries: "codex-app-server"
+            build_dmg: "false"

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -219,13 +256,17 @@ jobs:
      - name: Cargo build
        shell: bash
        run: |
+          build_args=()
+          for binary in ${{ matrix.binaries }}; do
+            build_args+=(--bin "$binary")
+          done
          echo "CARGO_PROFILE_RELEASE_LTO: ${CARGO_PROFILE_RELEASE_LTO}"
-          cargo build --target ${{ matrix.target }} --release --timings --bin codex --bin codex-responses-api-proxy
+          cargo build --target ${{ matrix.target }} --release --timings "${build_args[@]}"

      - name: Upload Cargo timings
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
-          name: cargo-timings-rust-release-${{ matrix.target }}
+          name: cargo-timings-rust-release-${{ matrix.target }}-${{ matrix.bundle }}
          path: codex-rs/target/**/cargo-timings/cargo-timing.html
          if-no-files-found: warn

@@ -235,12 +276,14 @@ jobs:
        with:
          target: ${{ matrix.target }}
          artifacts-dir: ${{ github.workspace }}/codex-rs/target/${{ matrix.target }}/release
+          binaries: ${{ matrix.binaries }}

      - if: ${{ runner.os == 'macOS' }}
        name: MacOS code signing (binaries)
        uses: ./.github/actions/macos-code-sign
        with:
          target: ${{ matrix.target }}
+          binaries: ${{ matrix.binaries }}
          sign-binaries: "true"
          sign-dmg: "false"
          apple-certificate: ${{ secrets.APPLE_CERTIFICATE_P12 }}
@@ -249,7 +292,7 @@ jobs:
          apple-notarization-key-id: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }}
          apple-notarization-issuer-id: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}

-      - if: ${{ runner.os == 'macOS' }}
+      - if: ${{ runner.os == 'macOS' && matrix.build_dmg == 'true' }}
        name: Build macOS dmg
        shell: bash
        run: |
@@ -264,23 +307,17 @@ jobs:
          # The previous "MacOS code signing (binaries)" step signs + notarizes the
          # built artifacts in `${release_dir}`. This step packages *those same*
          # signed binaries into a dmg.
-          codex_binary_path="${release_dir}/codex"
-          proxy_binary_path="${release_dir}/codex-responses-api-proxy"
-
          rm -rf "$dmg_root"
          mkdir -p "$dmg_root"

-          if [[ ! -f "$codex_binary_path" ]]; then
-            echo "Binary $codex_binary_path not found"
-            exit 1
-          fi
-          if [[ ! -f "$proxy_binary_path" ]]; then
-            echo "Binary $proxy_binary_path not found"
-            exit 1
-          fi
-
-          ditto "$codex_binary_path" "${dmg_root}/codex"
-          ditto "$proxy_binary_path" "${dmg_root}/codex-responses-api-proxy"
+          for binary in ${{ matrix.binaries }}; do
+            binary_path="${release_dir}/${binary}"
+            if [[ ! -f "${binary_path}" ]]; then
+              echo "Binary ${binary_path} not found"
+              exit 1
+            fi
+            ditto "${binary_path}" "${dmg_root}/${binary}"
+          done

          rm -f "$dmg_path"
          hdiutil create \
@@ -295,7 +332,7 @@ jobs:
            exit 1
          fi

-      - if: ${{ runner.os == 'macOS' }}
+      - if: ${{ runner.os == 'macOS' && matrix.build_dmg == 'true' }}
        name: MacOS code signing (dmg)
        uses: ./.github/actions/macos-code-sign
        with:
@@ -314,15 +351,15 @@ jobs:
          dest="dist/${{ matrix.target }}"
          mkdir -p "$dest"

-          cp target/${{ matrix.target }}/release/codex "$dest/codex-${{ matrix.target }}"
-          cp target/${{ matrix.target }}/release/codex-responses-api-proxy "$dest/codex-responses-api-proxy-${{ matrix.target }}"
+          for binary in ${{ matrix.binaries }}; do
+            cp "target/${{ matrix.target }}/release/${binary}" "$dest/${binary}-${{ matrix.target }}"
+            if [[ "${{ matrix.target }}" == *linux* ]]; then
+              cp "target/${{ matrix.target }}/release/${binary}.sigstore" \
+                "$dest/${binary}-${{ matrix.target }}.sigstore"
+            fi
+          done

-          if [[ "${{ matrix.target }}" == *linux* ]]; then
-            cp target/${{ matrix.target }}/release/codex.sigstore "$dest/codex-${{ matrix.target }}.sigstore"
-            cp target/${{ matrix.target }}/release/codex-responses-api-proxy.sigstore "$dest/codex-responses-api-proxy-${{ matrix.target }}.sigstore"
-          fi
-
-          if [[ "${{ matrix.target }}" == *apple-darwin ]]; then
+          if [[ "${{ matrix.build_dmg }}" == "true" ]]; then
            cp target/${{ matrix.target }}/release/codex-${{ matrix.target }}.dmg "$dest/codex-${{ matrix.target }}.dmg"
          fi

@@ -364,7 +401,7 @@ jobs:

      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
-          name: ${{ matrix.target }}
+          name: ${{ matrix.artifact_name }}
          # Upload the per-binary .zst files as well as the new .tar.gz
          # equivalents we generated in the previous step.
          path: |
--- a/.gitignore
+++ b/.gitignore
@@ -52,6 +52,7 @@ yarn-error.log*
 # env
 .env*
 !.env.example
+.venv/

 # package
 *.tgz
@@ -91,4 +92,3 @@ CHANGELOG.ignore.md
 # Python bytecode files
 __pycache__/
 *.pyc
-
--- a/3
+++ b/3
@@ -4,6 +4,3 @@ Copyright 2025 OpenAI
 This project includes code derived from [Ratatui](https://github.com/ratatui/ratatui), licensed under the MIT license.
 Copyright (c) 2016-2022 Florian Dehau
 Copyright (c) 2023-2025 The Ratatui Developers
-
-This project includes Meriyah parser assets from [meriyah](https://github.com/meriyah/meriyah), licensed under the ISC license.
-Copyright (c) 2019 and later, KFlash and others.
--- a/codex-cli/.dockerignore
+++ b/codex-cli/.dockerignore
@@ -1 +0,0 @@
-node_modules/
--- a/codex-cli/Dockerfile
+++ b/codex-cli/Dockerfile
@@ -1,59 +0,0 @@
-FROM node:24-slim
-
-ARG TZ
-ENV TZ="$TZ"
-
-# Install basic development tools, ca-certificates, and iptables/ipset, then clean up apt cache to reduce image size
-RUN apt-get update && apt-get install -y --no-install-recommends \
-  aggregate \
-  ca-certificates \
-  curl \
-  dnsutils \
-  fzf \
-  gh \
-  git \
-  gnupg2 \
-  iproute2 \
-  ipset \
-  iptables \
-  jq \
-  less \
-  man-db \
-  procps \
-  unzip \
-  ripgrep \
-  zsh \
-  && rm -rf /var/lib/apt/lists/*
-
-# Ensure default node user has access to /usr/local/share
-RUN mkdir -p /usr/local/share/npm-global && \
-  chown -R node:node /usr/local/share
-
-ARG USERNAME=node
-
-# Set up non-root user
-USER node
-
-# Install global packages
-ENV NPM_CONFIG_PREFIX=/usr/local/share/npm-global
-ENV PATH=$PATH:/usr/local/share/npm-global/bin
-
-# Install codex
-COPY dist/codex.tgz codex.tgz
-RUN npm install -g codex.tgz \
-  && npm cache clean --force \
-  && rm -rf /usr/local/share/npm-global/lib/node_modules/codex-cli/node_modules/.cache \
-  && rm -rf /usr/local/share/npm-global/lib/node_modules/codex-cli/tests \
-  && rm -rf /usr/local/share/npm-global/lib/node_modules/codex-cli/docs
-
-# Inside the container we consider the environment already sufficiently locked
-# down, therefore instruct Codex CLI to allow running without sandboxing.
-ENV CODEX_UNSAFE_ALLOW_NO_SANDBOX=1
-
-# Copy and set up firewall script as root.
-USER root
-COPY scripts/init_firewall.sh /usr/local/bin/
-RUN chmod 500 /usr/local/bin/init_firewall.sh
-
-# Drop back to non-root.
-USER node
--- a/codex-cli/package.json
+++ b/codex-cli/package.json
@@ -18,5 +18,5 @@
    "url": "git+https://github.com/openai/codex.git",
    "directory": "codex-cli"
  },
-  "packageManager": "pnpm@10.29.3+sha512.498e1fb4cca5aa06c1dcf2611e6fafc50972ffe7189998c409e90de74566444298ffe43e6cd2acdc775ba1aa7cc5e092a8b7054c811ba8c5770f84693d33d2dc"
+  "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319"
 }
--- a/codex-cli/scripts/build_container.sh
+++ b/codex-cli/scripts/build_container.sh
@@ -1,16 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-SCRIPT_DIR=$(realpath "$(dirname "$0")")
-trap "popd >> /dev/null" EXIT
-pushd "$SCRIPT_DIR/.." >> /dev/null || {
-  echo "Error: Failed to change directory to $SCRIPT_DIR/.."
-  exit 1
-}
-pnpm install
-pnpm run build
-rm -rf ./dist/openai-codex-*.tgz
-pnpm pack --pack-destination ./dist
-mv ./dist/openai-codex-*.tgz ./dist/codex.tgz
-docker build -t codex -f "./Dockerfile" .
--- a/codex-rs/.cargo/audit.toml
+++ b/codex-rs/.cargo/audit.toml
@@ -4,7 +4,6 @@ ignore = [
    "RUSTSEC-2024-0388", # derivative 2.2.0 via starlark; upstream crate is unmaintained
    "RUSTSEC-2025-0057", # fxhash 0.2.1 via starlark_map; upstream crate is unmaintained
    "RUSTSEC-2024-0436", # paste 1.0.15 via starlark/ratatui; upstream crate is unmaintained
-    "RUSTSEC-2026-0002", # lru 0.12.5 via pinned nornagon/ratatui v0.29.0; remove when ratatui moves to lru >=0.16.3
    "RUSTSEC-2024-0320", # yaml-rust via syntect; remove when syntect drops or updates it
    "RUSTSEC-2025-0141", # bincode via syntect; remove when syntect drops or updates it
 ]
--- a/codex-rs/BUILD.bazel
+++ b/codex-rs/BUILD.bazel
@@ -1,6 +1,5 @@
 exports_files([
    "clippy.toml",
-    "node-version.txt",
 ])

 filegroup(
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -213,7 +213,7 @@ dependencies = [
 "lazy_static",
 "nom 7.1.3",
 "pin-project",
- "rand 0.8.6",
+ "rand 0.8.5",
 "rust-embed",
 "scrypt",
 "sha2",
@@ -234,7 +234,7 @@ dependencies = [
 "hkdf",
 "io_tee",
 "nom 7.1.3",
- "rand 0.8.6",
+ "rand 0.8.5",
 "secrecy",
 "sha2",
 ]
@@ -1759,7 +1759,7 @@ dependencies = [
 "crypto_box",
 "ed25519-dalek",
 "pretty_assertions",
- "rand 0.9.4",
+ "rand 0.9.3",
 "reqwest",
 "serde",
 "serde_json",
@@ -1773,6 +1773,7 @@ dependencies = [
 "codex-app-server-protocol",
 "codex-git-utils",
 "codex-login",
+ "codex-model-provider",
 "codex-plugin",
 "codex-protocol",
 "codex-utils-absolute-path",
@@ -1840,6 +1841,7 @@ dependencies = [
 "chrono",
 "clap",
 "codex-analytics",
+ "codex-api",
 "codex-app-server-protocol",
 "codex-arg0",
 "codex-backend-client",
@@ -1856,10 +1858,10 @@ dependencies = [
 "codex-git-utils",
 "codex-login",
 "codex-mcp",
+ "codex-model-provider",
 "codex-model-provider-info",
 "codex-models-manager",
 "codex-otel",
- "codex-plugin",
 "codex-protocol",
 "codex-rmcp-client",
 "codex-rollout",
@@ -1868,6 +1870,7 @@ dependencies = [
 "codex-state",
 "codex-thread-store",
 "codex-tools",
+ "codex-uds",
 "codex-utils-absolute-path",
 "codex-utils-cargo-bin",
 "codex-utils-cli",
@@ -2045,9 +2048,11 @@ name = "codex-backend-client"
 version = "0.0.0"
 dependencies = [
 "anyhow",
+ "codex-api",
 "codex-backend-openapi-models",
 "codex-client",
 "codex-login",
+ "codex-model-provider",
 "codex-protocol",
 "pretty_assertions",
 "reqwest",
@@ -2071,11 +2076,11 @@ dependencies = [
 "anyhow",
 "clap",
 "codex-app-server-protocol",
- "codex-config",
 "codex-connectors",
 "codex-core",
 "codex-git-utils",
 "codex-login",
+ "codex-model-provider",
 "codex-utils-cargo-bin",
 "codex-utils-cli",
 "pretty_assertions",
@@ -2103,6 +2108,7 @@ dependencies = [
 "codex-cloud-tasks",
 "codex-config",
 "codex-core",
+ "codex-core-plugins",
 "codex-exec",
 "codex-exec-server",
 "codex-execpolicy",
@@ -2115,6 +2121,7 @@ dependencies = [
 "codex-protocol",
 "codex-responses-api-proxy",
 "codex-rmcp-client",
+ "codex-rollout-trace",
 "codex-sandboxing",
 "codex-state",
 "codex-stdio-to-uds",
@@ -2155,7 +2162,7 @@ dependencies = [
 "opentelemetry",
 "opentelemetry_sdk",
 "pretty_assertions",
- "rand 0.9.4",
+ "rand 0.9.3",
 "reqwest",
 "rustls",
 "rustls-native-certs",
@@ -2202,7 +2209,6 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "async-trait",
- "base64 0.22.1",
 "chrono",
 "clap",
 "codex-client",
@@ -2211,6 +2217,7 @@ dependencies = [
 "codex-core",
 "codex-git-utils",
 "codex-login",
+ "codex-model-provider",
 "codex-tui",
 "codex-utils-cli",
 "crossterm",
@@ -2235,6 +2242,7 @@ dependencies = [
 "anyhow",
 "async-trait",
 "chrono",
+ "codex-api",
 "codex-backend-client",
 "codex-git-utils",
 "serde",
@@ -2293,6 +2301,7 @@ dependencies = [
 "libc",
 "multimap",
 "pretty_assertions",
+ "prost 0.14.3",
 "schemars 0.8.22",
 "serde",
 "serde_json",
@@ -2301,8 +2310,12 @@ dependencies = [
 "tempfile",
 "thiserror 2.0.18",
 "tokio",
+ "tokio-stream",
 "toml 0.9.11+spec-1.1.0",
 "toml_edit 0.24.0+spec-1.1.0",
+ "tonic",
+ "tonic-prost",
+ "tonic-prost-build",
 "tracing",
 "wildmatch",
 "winapi-util",
@@ -2362,6 +2375,7 @@ dependencies = [
 "codex-response-debug-context",
 "codex-rmcp-client",
 "codex-rollout",
+ "codex-rollout-trace",
 "codex-sandboxing",
 "codex-secrets",
 "codex-shell-command",
@@ -2408,7 +2422,7 @@ dependencies = [
 "opentelemetry_sdk",
 "predicates",
 "pretty_assertions",
- "rand 0.9.4",
+ "rand 0.9.3",
 "regex-lite",
 "reqwest",
 "rmcp",
@@ -2438,7 +2452,6 @@ dependencies = [
 "whoami",
 "windows-sys 0.52.0",
 "wiremock",
- "zip 2.4.2",
 "zstd 0.13.3",
 ]

@@ -2446,6 +2459,7 @@ dependencies = [
 name = "codex-core-plugins"
 version = "0.0.0"
 dependencies = [
+ "anyhow",
 "chrono",
 "codex-app-server-protocol",
 "codex-config",
@@ -2453,11 +2467,14 @@ dependencies = [
 "codex-exec-server",
 "codex-git-utils",
 "codex-login",
+ "codex-model-provider",
+ "codex-otel",
 "codex-plugin",
 "codex-protocol",
 "codex-utils-absolute-path",
 "codex-utils-plugins",
 "dirs",
+ "libc",
 "pretty_assertions",
 "reqwest",
 "serde",
@@ -2468,6 +2485,8 @@ dependencies = [
 "toml 0.9.11+spec-1.1.0",
 "tracing",
 "url",
+ "wiremock",
+ "zip 2.4.2",
 ]

 [[package]]
@@ -2480,6 +2499,7 @@ dependencies = [
 "codex-config",
 "codex-exec-server",
 "codex-login",
+ "codex-model-provider",
 "codex-otel",
 "codex-protocol",
 "codex-skills",
@@ -2516,13 +2536,15 @@ dependencies = [
 name = "codex-device-key"
 version = "0.0.0"
 dependencies = [
+ "async-trait",
 "base64 0.22.1",
 "p256",
 "pretty_assertions",
- "rand 0.9.4",
+ "rand 0.9.3",
 "serde",
 "serde_json",
 "thiserror 2.0.18",
+ "tokio",
 "url",
 ]

@@ -2578,7 +2600,9 @@ dependencies = [
 "arc-swap",
 "async-trait",
 "base64 0.22.1",
+ "bytes",
 "codex-app-server-protocol",
+ "codex-client",
 "codex-config",
 "codex-protocol",
 "codex-sandboxing",
@@ -2588,6 +2612,7 @@ dependencies = [
 "ctor 0.6.3",
 "futures",
 "pretty_assertions",
+ "reqwest",
 "serde",
 "serde_json",
 "serial_test",
@@ -2596,6 +2621,7 @@ dependencies = [
 "thiserror 2.0.18",
 "tokio",
 "tokio-tungstenite",
+ "tokio-util",
 "tracing",
 "uuid",
 ]
@@ -2810,7 +2836,7 @@ dependencies = [
 "once_cell",
 "os_info",
 "pretty_assertions",
- "rand 0.9.4",
+ "rand 0.9.3",
 "regex-lite",
 "reqwest",
 "serde",
@@ -2834,10 +2860,12 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "async-channel",
+ "codex-api",
 "codex-async-utils",
 "codex-config",
 "codex-exec-server",
 "codex-login",
+ "codex-model-provider",
 "codex-otel",
 "codex-plugin",
 "codex-protocol",
@@ -2897,14 +2925,23 @@ name = "codex-model-provider"
 version = "0.0.0"
 dependencies = [
 "async-trait",
+ "codex-agent-identity",
 "codex-api",
 "codex-aws-auth",
 "codex-client",
+ "codex-feedback",
 "codex-login",
 "codex-model-provider-info",
+ "codex-models-manager",
+ "codex-otel",
 "codex-protocol",
+ "codex-response-debug-context",
 "http 1.4.0",
 "pretty_assertions",
+ "serde_json",
+ "tokio",
+ "tracing",
+ "wiremock",
 ]

 [[package]]
@@ -2928,32 +2965,21 @@ dependencies = [
 name = "codex-models-manager"
 version = "0.0.0"
 dependencies = [
- "base64 0.22.1",
+ "async-trait",
 "chrono",
- "codex-api",
 "codex-app-server-protocol",
 "codex-collaboration-mode-templates",
- "codex-config",
- "codex-feedback",
 "codex-login",
- "codex-model-provider",
- "codex-model-provider-info",
 "codex-otel",
 "codex-protocol",
- "codex-response-debug-context",
- "codex-utils-absolute-path",
 "codex-utils-output-truncation",
 "codex-utils-template",
- "core_test_support",
- "http 1.4.0",
 "pretty_assertions",
 "serde",
 "serde_json",
 "tempfile",
 "tokio",
 "tracing",
- "tracing-subscriber",
- "wiremock",
 ]

 [[package]]
@@ -3138,6 +3164,8 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "axum",
+ "bytes",
+ "codex-api",
 "codex-client",
 "codex-config",
 "codex-exec-server",
@@ -3197,11 +3225,14 @@ name = "codex-rollout-trace"
 version = "0.0.0"
 dependencies = [
 "anyhow",
+ "codex-code-mode",
 "codex-protocol",
 "pretty_assertions",
 "serde",
 "serde_json",
 "tempfile",
+ "tracing",
+ "uuid",
 ]

 [[package]]
@@ -3236,7 +3267,7 @@ dependencies = [
 "codex-keyring-store",
 "keyring",
 "pretty_assertions",
- "rand 0.9.4",
+ "rand 0.9.3",
 "regex",
 "schemars 0.8.22",
 "serde",
@@ -3368,6 +3399,7 @@ dependencies = [
 "tonic",
 "tonic-prost",
 "tonic-prost-build",
+ "tracing",
 "uuid",
 ]

@@ -3407,6 +3439,7 @@ dependencies = [
 "codex-cloud-requirements",
 "codex-config",
 "codex-connectors",
+ "codex-core-plugins",
 "codex-core-skills",
 "codex-exec-server",
 "codex-features",
@@ -3455,7 +3488,7 @@ dependencies = [
 "pathdiff",
 "pretty_assertions",
 "pulldown-cmark",
- "rand 0.9.4",
+ "rand 0.9.3",
 "ratatui",
 "ratatui-macros",
 "regex-lite",
@@ -3735,7 +3768,7 @@ dependencies = [
 "dunce",
 "glob",
 "pretty_assertions",
- "rand 0.8.6",
+ "rand 0.8.5",
 "serde",
 "serde_json",
 "tempfile",
@@ -6793,7 +6826,7 @@ dependencies = [
 "idna",
 "ipnet",
 "once_cell",
- "rand 0.9.4",
+ "rand 0.9.3",
 "ring",
 "thiserror 2.0.18",
 "tinyvec",
@@ -6815,7 +6848,7 @@ dependencies = [
 "moka",
 "once_cell",
 "parking_lot",
- "rand 0.9.4",
+ "rand 0.9.3",
 "resolv-conf",
 "smallvec",
 "thiserror 2.0.18",
@@ -8517,7 +8550,7 @@ dependencies = [
 "num-integer",
 "num-iter",
 "num-traits",
- "rand 0.8.6",
+ "rand 0.8.5",
 "smallvec",
 "zeroize",
 ]
@@ -8640,7 +8673,7 @@ dependencies = [
 "chrono",
 "getrandom 0.2.17",
 "http 1.4.0",
- "rand 0.8.6",
+ "rand 0.8.5",
 "reqwest",
 "serde",
 "serde_json",
@@ -9059,7 +9092,7 @@ dependencies = [
 "futures-util",
 "opentelemetry",
 "percent-encoding",
- "rand 0.9.4",
+ "rand 0.9.3",
 "thiserror 2.0.18",
 "tokio",
 "tokio-stream",
@@ -9644,7 +9677,7 @@ checksum = "bee689443a2bd0a16ab0348b52ee43e3b2d1b1f931c8aa5c9f8de4c86fbe8c40"
 dependencies = [
 "bitflags 2.10.0",
 "num-traits",
- "rand 0.9.4",
+ "rand 0.9.3",
 "rand_chacha 0.9.0",
 "rand_xorshift",
 "regex-syntax 0.8.8",
@@ -9853,7 +9886,7 @@ dependencies = [
 "bytes",
 "getrandom 0.3.4",
 "lru-slab",
- "rand 0.9.4",
+ "rand 0.9.3",
 "ring",
 "rustc-hash 2.1.1",
 "rustls",
@@ -9985,7 +10018,7 @@ dependencies = [
 "rama-http-types",
 "rama-net",
 "rama-utils",
- "rand 0.9.4",
+ "rand 0.9.3",
 "serde",
 "serde_html_form",
 "serde_json",
@@ -10055,7 +10088,7 @@ dependencies = [
 "rama-macros",
 "rama-net",
 "rama-utils",
- "rand 0.9.4",
+ "rand 0.9.3",
 "serde",
 "sha1",
 ]
@@ -10083,7 +10116,7 @@ dependencies = [
 "rama-error",
 "rama-macros",
 "rama-utils",
- "rand 0.9.4",
+ "rand 0.9.3",
 "serde",
 "serde_json",
 "sync_wrapper",
@@ -10157,7 +10190,7 @@ dependencies = [
 "rama-http-types",
 "rama-net",
 "rama-utils",
- "rand 0.9.4",
+ "rand 0.9.3",
 "tokio",
 ]

@@ -10226,9 +10259,9 @@ dependencies = [

 [[package]]
 name = "rand"
-version = "0.8.6"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5ca0ecfa931c29007047d1bc58e623ab12e5590e8c7cc53200d5202b69266d8a"
+checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
 dependencies = [
 "libc",
 "rand_chacha 0.3.1",
@@ -10237,9 +10270,9 @@ dependencies = [

 [[package]]
 name = "rand"
-version = "0.9.4"
+version = "0.9.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea"
+checksum = "7ec095654a25171c2124e9e3393a930bddbffdc939556c914957a4c3e0a87166"
 dependencies = [
 "rand_chacha 0.9.0",
 "rand_core 0.9.5",
@@ -10566,7 +10599,7 @@ dependencies = [
 "pastey",
 "pin-project-lite",
 "process-wrap",
- "rand 0.9.4",
+ "rand 0.9.3",
 "reqwest",
 "rmcp-macros",
 "schemars 1.2.1",
@@ -11037,7 +11070,7 @@ dependencies = [
 "hkdf",
 "num",
 "once_cell",
- "rand 0.8.6",
+ "rand 0.8.5",
 "serde",
 "sha2",
 "zbus",
@@ -11164,7 +11197,7 @@ version = "0.46.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "26ab054c34b87f96c3e4701bea1888317cde30cc7e4a6136d2c48454ab96661c"
 dependencies = [
- "rand 0.9.4",
+ "rand 0.9.3",
 "sentry-types",
 "serde",
 "serde_json",
@@ -11212,7 +11245,7 @@ checksum = "eecbd63e9d15a26a40675ed180d376fcb434635d2e33de1c24003f61e3e2230d"
 dependencies = [
 "debugid",
 "hex",
- "rand 0.9.4",
+ "rand 0.9.3",
 "serde",
 "serde_json",
 "thiserror 2.0.18",
@@ -11749,7 +11782,7 @@ dependencies = [
 "memchr",
 "once_cell",
 "percent-encoding",
- "rand 0.8.6",
+ "rand 0.8.5",
 "rsa",
 "serde",
 "sha1",
@@ -11790,7 +11823,7 @@ dependencies = [
 "md-5",
 "memchr",
 "once_cell",
- "rand 0.8.6",
+ "rand 0.8.5",
 "serde",
 "serde_json",
 "sha2",
@@ -13039,7 +13072,7 @@ dependencies = [
 "http 1.4.0",
 "httparse",
 "log",
- "rand 0.9.4",
+ "rand 0.9.3",
 "rustls",
 "rustls-pki-types",
 "sha1",
@@ -14504,7 +14537,7 @@ dependencies = [
 "hex",
 "nix 0.29.0",
 "ordered-stream",
- "rand 0.8.6",
+ "rand 0.8.5",
 "serde",
 "serde_repr",
 "sha1",
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -169,6 +169,7 @@ codex-responses-api-proxy = { path = "responses-api-proxy" }
 codex-response-debug-context = { path = "response-debug-context" }
 codex-rmcp-client = { path = "rmcp-client" }
 codex-rollout = { path = "rollout" }
+codex-rollout-trace = { path = "rollout-trace" }
 codex-sandboxing = { path = "sandboxing" }
 codex-secrets = { path = "secrets" }
 codex-shell-command = { path = "shell-command" }
--- a/codex-rs/analytics/Cargo.toml
+++ b/codex-rs/analytics/Cargo.toml
@@ -16,6 +16,7 @@ workspace = true
 codex-app-server-protocol = { workspace = true }
 codex-git-utils = { workspace = true }
 codex-login = { workspace = true }
+codex-model-provider = { workspace = true }
 codex-plugin = { workspace = true }
 codex-protocol = { workspace = true }
 os_info = { workspace = true }
--- a/codex-rs/analytics/src/analytics_client_tests.rs
+++ b/codex-rs/analytics/src/analytics_client_tests.rs
@@ -48,6 +48,8 @@ use crate::facts::SkillInvokedInput;
 use crate::facts::SubAgentThreadStartedInput;
 use crate::facts::ThreadInitializationMode;
 use crate::facts::TrackEventsContext;
+use crate::facts::TurnGitMetadataFact;
+use crate::facts::TurnGitWorkspaceMetadata;
 use crate::facts::TurnResolvedConfigFact;
 use crate::facts::TurnStatus;
 use crate::facts::TurnSteerRequestError;
@@ -105,6 +107,7 @@ use codex_utils_absolute_path::test_support::PathBufExt;
 use codex_utils_absolute_path::test_support::test_path_buf;
 use pretty_assertions::assert_eq;
 use serde_json::json;
+use std::collections::BTreeMap;
 use std::collections::HashSet;
 use std::path::PathBuf;
 use std::sync::Arc;
@@ -161,11 +164,7 @@ fn sample_thread_start_response(thread_id: &str, ephemeral: bool, model: &str) -
 }

 fn sample_permission_profile() -> AppServerPermissionProfile {
-    CorePermissionProfile::from_legacy_sandbox_policy(
-        &SandboxPolicy::DangerFullAccess,
-        &test_path_buf("/tmp"),
-    )
-    .into()
+    CorePermissionProfile::from_legacy_sandbox_policy(&SandboxPolicy::DangerFullAccess).into()
 }

 fn sample_app_server_client_metadata() -> CodexAppServerClientMetadata {
@@ -324,7 +323,7 @@ fn sample_turn_resolved_config(turn_id: &str) -> TurnResolvedConfigFact {
        reasoning_summary: None,
        service_tier: None,
        approval_policy: AskForApproval::OnRequest,
-        approvals_reviewer: ApprovalsReviewer::GuardianSubagent,
+        approvals_reviewer: ApprovalsReviewer::AutoReview,
        sandbox_network_access: true,
        collaboration_mode: ModeKind::Plan,
        personality: None,
@@ -1334,7 +1333,7 @@ fn subagent_thread_started_other_serializes_explicit_parent_thread_id() {
        },
    ));

-    let payload = serde_json::to_value(&event).expect("serialize guardian subagent event");
+    let payload = serde_json::to_value(&event).expect("serialize auto-review subagent event");
    assert_eq!(payload["event_params"]["subagent_source"], "guardian");
    assert_eq!(
        payload["event_params"]["parent_thread_id"],
@@ -1758,7 +1757,7 @@ fn turn_event_serializes_expected_shape() {
            reasoning_summary: Some("detailed".to_string()),
            service_tier: "flex".to_string(),
            approval_policy: "on-request".to_string(),
-            approvals_reviewer: "guardian_subagent".to_string(),
+            approvals_reviewer: "auto_review".to_string(),
            sandbox_network_access: true,
            collaboration_mode: Some("plan"),
            personality: Some("pragmatic".to_string()),
@@ -1775,6 +1774,7 @@ fn turn_event_serializes_expected_shape() {
            subagent_tool_call_count: None,
            web_search_count: None,
            image_generation_count: None,
+            git_workspaces: None,
            input_tokens: None,
            cached_input_tokens: None,
            output_tokens: None,
@@ -1819,7 +1819,7 @@ fn turn_event_serializes_expected_shape() {
                "reasoning_summary": "detailed",
                "service_tier": "flex",
                "approval_policy": "on-request",
-                "approvals_reviewer": "guardian_subagent",
+                "approvals_reviewer": "auto_review",
                "sandbox_network_access": true,
                "collaboration_mode": "plan",
                "personality": "pragmatic",
@@ -1836,6 +1836,7 @@ fn turn_event_serializes_expected_shape() {
                "subagent_tool_call_count": null,
                "web_search_count": null,
                "image_generation_count": null,
+                "git_workspaces": null,
                "input_tokens": null,
                "cached_input_tokens": null,
                "output_tokens": null,
@@ -2146,6 +2147,82 @@ async fn turn_lifecycle_emits_turn_event() {
    assert_eq!(payload["event_params"]["total_tokens"], json!(321));
 }

+#[tokio::test]
+async fn turn_lifecycle_includes_git_metadata_when_recorded() {
+    let mut reducer = AnalyticsReducer::default();
+    let mut out = Vec::new();
+
+    ingest_turn_prerequisites(
+        &mut reducer,
+        &mut out,
+        /*include_initialize*/ true,
+        /*include_resolved_config*/ true,
+        /*include_started*/ true,
+        /*include_token_usage*/ false,
+    )
+    .await;
+
+    let mut associated_remote_urls = BTreeMap::new();
+    associated_remote_urls.insert(
+        "origin".to_string(),
+        "https://user:placeholder@example.com/openai/codex.git?credential=placeholder".to_string(),
+    );
+    associated_remote_urls.insert(
+        "upstream".to_string(),
+        "git@github.com:openai/codex.git".to_string(),
+    );
+    let mut git_workspaces = BTreeMap::new();
+    git_workspaces.insert(
+        "/workspace/codex".to_string(),
+        TurnGitWorkspaceMetadata {
+            associated_remote_urls: Some(associated_remote_urls),
+            latest_git_commit_hash: Some("abc123".to_string()),
+            has_changes: Some(true),
+        },
+    );
+    reducer
+        .ingest(
+            AnalyticsFact::Custom(CustomAnalyticsFact::TurnGitMetadata(Box::new(
+                TurnGitMetadataFact {
+                    turn_id: "turn-2".to_string(),
+                    thread_id: "thread-2".to_string(),
+                    git_workspaces,
+                },
+            ))),
+            &mut out,
+        )
+        .await;
+    assert!(out.is_empty());
+
+    reducer
+        .ingest(
+            AnalyticsFact::Notification(Box::new(sample_turn_completed_notification(
+                "thread-2",
+                "turn-2",
+                AppServerTurnStatus::Completed,
+                /*codex_error_info*/ None,
+            ))),
+            &mut out,
+        )
+        .await;
+
+    assert_eq!(out.len(), 1);
+    let payload = serde_json::to_value(&out[0]).expect("serialize turn event");
+    assert_eq!(
+        payload["event_params"]["git_workspaces"],
+        json!({
+            "/workspace/codex": {
+                "associated_remote_urls": {
+                    "origin": "https://example.com/openai/codex.git",
+                    "upstream": "github.com:openai/codex.git"
+                },
+                "latest_git_commit_hash": "abc123",
+                "has_changes": true
+            }
+        })
+    );
+}
+
 #[tokio::test]
 async fn accepted_steers_increment_turn_steer_count() {
    let mut reducer = AnalyticsReducer::default();
--- a/codex-rs/analytics/src/client.rs
+++ b/codex-rs/analytics/src/client.rs
@@ -18,6 +18,7 @@ use crate::facts::SkillInvocation;
 use crate::facts::SkillInvokedInput;
 use crate::facts::SubAgentThreadStartedInput;
 use crate::facts::TrackEventsContext;
+use crate::facts::TurnGitMetadataFact;
 use crate::facts::TurnResolvedConfigFact;
 use crate::facts::TurnTokenUsageFact;
 use crate::reducer::AnalyticsReducer;
@@ -231,6 +232,12 @@ impl AnalyticsEventsClient {
        )));
    }

+    pub fn track_turn_git_metadata(&self, fact: TurnGitMetadataFact) {
+        self.record_fact(AnalyticsFact::Custom(CustomAnalyticsFact::TurnGitMetadata(
+            Box::new(fact),
+        )));
+    }
+
    pub fn track_plugin_installed(&self, plugin: PluginTelemetryMetadata) {
        self.record_fact(AnalyticsFact::Custom(
            CustomAnalyticsFact::PluginStateChanged(PluginStateChangedInput {
@@ -312,16 +319,9 @@ async fn send_track_events(
    let Some(auth) = auth_manager.auth().await else {
        return;
    };
-    if !auth.is_chatgpt_auth() {
+    if !auth.uses_codex_backend() {
        return;
    }
-    let access_token = match auth.get_token() {
-        Ok(token) => token,
-        Err(_) => return,
-    };
-    let Some(account_id) = auth.get_account_id() else {
-        return;
-    };

    let base_url = base_url.trim_end_matches('/');
    let url = format!("{base_url}/codex/analytics-events/events");
@@ -330,8 +330,7 @@ async fn send_track_events(
    let response = create_client()
        .post(&url)
        .timeout(ANALYTICS_EVENTS_TIMEOUT)
-        .bearer_auth(&access_token)
-        .header("chatgpt-account-id", &account_id)
+        .headers(codex_model_provider::auth_provider_from_auth(&auth).to_auth_headers())
        .header("Content-Type", "application/json")
        .json(&payload)
        .send()
--- a/codex-rs/analytics/src/events.rs
+++ b/codex-rs/analytics/src/events.rs
@@ -14,6 +14,7 @@ use crate::facts::PluginState;
 use crate::facts::SubAgentThreadStartedInput;
 use crate::facts::ThreadInitializationMode;
 use crate::facts::TrackEventsContext;
+use crate::facts::TurnGitWorkspaceMetadata;
 use crate::facts::TurnStatus;
 use crate::facts::TurnSteerRejectionReason;
 use crate::facts::TurnSteerResult;
@@ -23,7 +24,7 @@ use codex_app_server_protocol::CodexErrorInfo;
 use codex_login::default_client::originator;
 use codex_plugin::PluginTelemetryMetadata;
 use codex_protocol::approvals::NetworkApprovalProtocol;
-use codex_protocol::models::PermissionProfile;
+use codex_protocol::models::AdditionalPermissionProfile;
 use codex_protocol::models::SandboxPermissions;
 use codex_protocol::protocol::GuardianAssessmentOutcome;
 use codex_protocol::protocol::GuardianCommandSource;
@@ -35,6 +36,7 @@ use codex_protocol::protocol::HookSource;
 use codex_protocol::protocol::SubAgentSource;
 use codex_protocol::protocol::TokenUsage;
 use serde::Serialize;
+use std::collections::BTreeMap;

 #[derive(Clone, Copy, Debug, Serialize)]
 #[serde(rename_all = "snake_case")]
@@ -180,17 +182,17 @@ pub enum GuardianApprovalRequestSource {
 pub enum GuardianReviewedAction {
    Shell {
        sandbox_permissions: SandboxPermissions,
-        additional_permissions: Option<PermissionProfile>,
+        additional_permissions: Option<AdditionalPermissionProfile>,
    },
    UnifiedExec {
        sandbox_permissions: SandboxPermissions,
-        additional_permissions: Option<PermissionProfile>,
+        additional_permissions: Option<AdditionalPermissionProfile>,
        tty: bool,
    },
    Execve {
        source: GuardianCommandSource,
        program: String,
-        additional_permissions: Option<PermissionProfile>,
+        additional_permissions: Option<AdditionalPermissionProfile>,
    },
    ApplyPatch {},
    NetworkAccess {
@@ -492,6 +494,7 @@ pub(crate) struct CodexTurnEventParams {
    pub(crate) subagent_tool_call_count: Option<usize>,
    pub(crate) web_search_count: Option<usize>,
    pub(crate) image_generation_count: Option<usize>,
+    pub(crate) git_workspaces: Option<BTreeMap<String, TurnGitWorkspaceMetadata>>,
    pub(crate) input_tokens: Option<i64>,
    pub(crate) cached_input_tokens: Option<i64>,
    pub(crate) output_tokens: Option<i64>,
--- a/codex-rs/analytics/src/facts.rs
+++ b/codex-rs/analytics/src/facts.rs
@@ -23,7 +23,9 @@ use codex_protocol::protocol::SessionSource;
 use codex_protocol::protocol::SkillScope;
 use codex_protocol::protocol::SubAgentSource;
 use codex_protocol::protocol::TokenUsage;
+use serde::Deserialize;
 use serde::Serialize;
+use std::collections::BTreeMap;
 use std::path::PathBuf;

 #[derive(Clone)]
@@ -89,6 +91,23 @@ pub struct TurnTokenUsageFact {
    pub token_usage: TokenUsage,
 }

+#[derive(Clone, Debug, Deserialize, PartialEq, Eq, Serialize)]
+pub struct TurnGitWorkspaceMetadata {
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub associated_remote_urls: Option<BTreeMap<String, String>>,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub latest_git_commit_hash: Option<String>,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub has_changes: Option<bool>,
+}
+
+#[derive(Clone)]
+pub struct TurnGitMetadataFact {
+    pub turn_id: String,
+    pub thread_id: String,
+    pub git_workspaces: BTreeMap<String, TurnGitWorkspaceMetadata>,
+}
+
 #[derive(Clone, Copy, Debug, Serialize)]
 #[serde(rename_all = "snake_case")]
 pub enum TurnStatus {
@@ -298,6 +317,7 @@ pub(crate) enum CustomAnalyticsFact {
    GuardianReview(Box<GuardianReviewEventParams>),
    TurnResolvedConfig(Box<TurnResolvedConfigFact>),
    TurnTokenUsage(Box<TurnTokenUsageFact>),
+    TurnGitMetadata(Box<TurnGitMetadataFact>),
    SkillInvoked(SkillInvokedInput),
    AppMentioned(AppMentionedInput),
    AppUsed(AppUsedInput),
--- a/codex-rs/analytics/src/lib.rs
+++ b/codex-rs/analytics/src/lib.rs
@@ -34,6 +34,8 @@ pub use facts::SkillInvocation;
 pub use facts::SubAgentThreadStartedInput;
 pub use facts::ThreadInitializationMode;
 pub use facts::TrackEventsContext;
+pub use facts::TurnGitMetadataFact;
+pub use facts::TurnGitWorkspaceMetadata;
 pub use facts::TurnResolvedConfigFact;
 pub use facts::TurnStatus;
 pub use facts::TurnSteerRejectionReason;
--- a/codex-rs/analytics/src/reducer.rs
+++ b/codex-rs/analytics/src/reducer.rs
@@ -41,6 +41,8 @@ use crate::facts::PluginUsedInput;
 use crate::facts::SkillInvokedInput;
 use crate::facts::SubAgentThreadStartedInput;
 use crate::facts::ThreadInitializationMode;
+use crate::facts::TurnGitMetadataFact;
+use crate::facts::TurnGitWorkspaceMetadata;
 use crate::facts::TurnResolvedConfigFact;
 use crate::facts::TurnStatus;
 use crate::facts::TurnSteerRejectionReason;
@@ -57,6 +59,7 @@ use codex_app_server_protocol::TurnSteerResponse;
 use codex_app_server_protocol::UserInput;
 use codex_git_utils::collect_git_info;
 use codex_git_utils::get_git_repo_root;
+use codex_git_utils::scrub_git_remote_url;
 use codex_login::default_client::originator;
 use codex_protocol::config_types::ModeKind;
 use codex_protocol::config_types::Personality;
@@ -66,6 +69,7 @@ use codex_protocol::protocol::SessionSource;
 use codex_protocol::protocol::SkillScope;
 use codex_protocol::protocol::TokenUsage;
 use sha1::Digest;
+use std::collections::BTreeMap;
 use std::collections::HashMap;
 use std::path::Path;

@@ -149,6 +153,7 @@ struct TurnState {
    resolved_config: Option<TurnResolvedConfigFact>,
    started_at: Option<u64>,
    token_usage: Option<TokenUsage>,
+    git_workspaces: Option<BTreeMap<String, TurnGitWorkspaceMetadata>>,
    completed: Option<CompletedTurnState>,
    steer_count: usize,
 }
@@ -211,6 +216,9 @@ impl AnalyticsReducer {
                CustomAnalyticsFact::TurnTokenUsage(input) => {
                    self.ingest_turn_token_usage(*input, out);
                }
+                CustomAnalyticsFact::TurnGitMetadata(input) => {
+                    self.ingest_turn_git_metadata(*input, out);
+                }
                CustomAnalyticsFact::SkillInvoked(input) => {
                    self.ingest_skill_invoked(input, out).await;
                }
@@ -350,6 +358,7 @@ impl AnalyticsReducer {
            resolved_config: None,
            started_at: None,
            token_usage: None,
+            git_workspaces: None,
            completed: None,
            steer_count: 0,
        });
@@ -372,6 +381,7 @@ impl AnalyticsReducer {
            resolved_config: None,
            started_at: None,
            token_usage: None,
+            git_workspaces: None,
            completed: None,
            steer_count: 0,
        });
@@ -380,6 +390,40 @@ impl AnalyticsReducer {
        self.maybe_emit_turn_event(&turn_id, out);
    }

+    fn ingest_turn_git_metadata(
+        &mut self,
+        input: TurnGitMetadataFact,
+        out: &mut Vec<TrackEventRequest>,
+    ) {
+        if input.git_workspaces.is_empty() {
+            return;
+        }
+        let turn_id = input.turn_id.clone();
+        let mut git_workspaces = input.git_workspaces;
+        for metadata in git_workspaces.values_mut() {
+            let Some(remote_urls) = metadata.associated_remote_urls.as_mut() else {
+                continue;
+            };
+            for url in remote_urls.values_mut() {
+                *url = scrub_git_remote_url(url);
+            }
+        }
+        let turn_state = self.turns.entry(turn_id.clone()).or_insert(TurnState {
+            connection_id: None,
+            thread_id: None,
+            num_input_images: None,
+            resolved_config: None,
+            started_at: None,
+            token_usage: None,
+            git_workspaces: None,
+            completed: None,
+            steer_count: 0,
+        });
+        turn_state.thread_id = Some(input.thread_id);
+        turn_state.git_workspaces = Some(git_workspaces);
+        self.maybe_emit_turn_event(&turn_id, out);
+    }
+
    async fn ingest_skill_invoked(
        &mut self,
        input: SkillInvokedInput,
@@ -533,6 +577,7 @@ impl AnalyticsReducer {
                    resolved_config: None,
                    started_at: None,
                    token_usage: None,
+                    git_workspaces: None,
                    completed: None,
                    steer_count: 0,
                });
@@ -615,6 +660,7 @@ impl AnalyticsReducer {
                    resolved_config: None,
                    started_at: None,
                    token_usage: None,
+                    git_workspaces: None,
                    completed: None,
                    steer_count: 0,
                });
@@ -634,6 +680,7 @@ impl AnalyticsReducer {
                            resolved_config: None,
                            started_at: None,
                            token_usage: None,
+                            git_workspaces: None,
                            completed: None,
                            steer_count: 0,
                        });
@@ -933,6 +980,7 @@ fn codex_turn_event_params(
        subagent_tool_call_count: None,
        web_search_count: None,
        image_generation_count: None,
+        git_workspaces: turn_state.git_workspaces.clone(),
        input_tokens: token_usage
            .as_ref()
            .map(|token_usage| token_usage.input_tokens),
--- a/codex-rs/app-server-client/src/lib.rs
+++ b/codex-rs/app-server-client/src/lib.rs
@@ -42,6 +42,8 @@ use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::ServerRequest;
 use codex_arg0::Arg0DispatchPaths;
 use codex_config::NoopThreadConfigLoader;
+use codex_config::RemoteThreadConfigLoader;
+use codex_config::ThreadConfigLoader;
 use codex_core::config::Config;
 use codex_core::config_loader::CloudRequirementsLoader;
 use codex_core::config_loader::LoaderOverrides;
@@ -98,7 +100,7 @@ pub mod legacy_core {
    }

    pub mod plugins {
-        pub use codex_core::plugins::*;
+        pub use codex_core::plugins::PluginsManager;
    }

    pub mod review_format {
@@ -357,6 +359,13 @@ pub struct InProcessClientStartArgs {
    pub channel_capacity: usize,
 }

+fn configured_thread_config_loader(config: &Config) -> Arc<dyn ThreadConfigLoader> {
+    match config.experimental_thread_config_endpoint.as_deref() {
+        Some(endpoint) => Arc::new(RemoteThreadConfigLoader::new(endpoint)),
+        None => Arc::new(NoopThreadConfigLoader),
+    }
+}
+
 impl InProcessClientStartArgs {
    /// Builds initialize params from caller-provided metadata.
    pub fn initialize_params(&self) -> InitializeParams {
@@ -381,13 +390,14 @@ impl InProcessClientStartArgs {

    fn into_runtime_start_args(self) -> InProcessStartArgs {
        let initialize = self.initialize_params();
+        let thread_config_loader = configured_thread_config_loader(&self.config);
        InProcessStartArgs {
            arg0_paths: self.arg0_paths,
            config: self.config,
            cli_overrides: self.cli_overrides,
            loader_overrides: self.loader_overrides,
            cloud_requirements: self.cloud_requirements,
-            thread_config_loader: Arc::new(NoopThreadConfigLoader),
+            thread_config_loader,
            feedback: self.feedback,
            log_db: self.log_db,
            environment_manager: self.environment_manager,
@@ -2013,6 +2023,42 @@ mod tests {
        );
    }

+    #[tokio::test]
+    async fn runtime_start_args_use_remote_thread_config_loader_when_configured() {
+        let mut config = build_test_config().await;
+        config.experimental_thread_config_endpoint = Some("not-a-valid-endpoint".to_string());
+
+        let runtime_args = InProcessClientStartArgs {
+            arg0_paths: Arg0DispatchPaths::default(),
+            config: Arc::new(config),
+            cli_overrides: Vec::new(),
+            loader_overrides: LoaderOverrides::default(),
+            cloud_requirements: CloudRequirementsLoader::default(),
+            feedback: CodexFeedback::new(),
+            log_db: None,
+            environment_manager: Arc::new(EnvironmentManager::default_for_tests()),
+            config_warnings: Vec::new(),
+            session_source: SessionSource::Exec,
+            enable_codex_api_key_env: false,
+            client_name: "codex-app-server-client-test".to_string(),
+            client_version: "0.0.0-test".to_string(),
+            experimental_api: true,
+            opt_out_notification_methods: Vec::new(),
+            channel_capacity: DEFAULT_IN_PROCESS_CHANNEL_CAPACITY,
+        }
+        .into_runtime_start_args();
+
+        let err = runtime_args
+            .thread_config_loader
+            .load(Default::default())
+            .await
+            .expect_err("configured remote loader should try to connect");
+        assert_eq!(
+            err.code(),
+            codex_config::ThreadConfigLoadErrorCode::RequestFailed
+        );
+    }
+
    #[tokio::test]
    async fn shutdown_completes_promptly_without_retained_managers() {
        let client = start_test_client(SessionSource::Cli).await;
--- a/codex-rs/app-server-client/src/remote.rs
+++ b/codex-rs/app-server-client/src/remote.rs
@@ -20,7 +20,6 @@ use crate::RequestResult;
 use crate::SHUTDOWN_TIMEOUT;
 use crate::TypedRequestError;
 use crate::request_method_name;
-use crate::server_notification_requires_delivery;
 use codex_app_server_protocol::ClientInfo;
 use codex_app_server_protocol::ClientNotification;
 use codex_app_server_protocol::ClientRequest;
@@ -126,7 +125,7 @@ enum RemoteClientCommand {

 pub struct RemoteAppServerClient {
    command_tx: mpsc::Sender<RemoteClientCommand>,
-    event_rx: mpsc::Receiver<AppServerEvent>,
+    event_rx: mpsc::UnboundedReceiver<AppServerEvent>,
    pending_events: VecDeque<AppServerEvent>,
    worker_handle: tokio::task::JoinHandle<()>,
 }
@@ -195,11 +194,10 @@ impl RemoteAppServerClient {
        .await?;

        let (command_tx, mut command_rx) = mpsc::channel::<RemoteClientCommand>(channel_capacity);
-        let (event_tx, event_rx) = mpsc::channel::<AppServerEvent>(channel_capacity);
+        let (event_tx, event_rx) = mpsc::unbounded_channel::<AppServerEvent>();
        let worker_handle = tokio::spawn(async move {
            let mut pending_requests =
                HashMap::<RequestId, oneshot::Sender<IoResult<RequestResult>>>::new();
-            let mut skipped_events = 0usize;
            loop {
                tokio::select! {
                    command = command_rx.recv() => {
@@ -231,15 +229,12 @@ impl RemoteAppServerClient {
                                    }
                                    let _ = deliver_event(
                                        &event_tx,
-                                        &mut skipped_events,
                                        AppServerEvent::Disconnected {
                                            message: format!(
                                                "remote app server at `{websocket_url}` write failed: {err_message}"
                                            ),
                                        },
-                                        &mut stream,
-                                    )
-                                    .await;
+                                    );
                                    break;
                                }
                            }
@@ -316,11 +311,8 @@ impl RemoteAppServerClient {
                                            app_server_event_from_notification(notification)
                                            && let Err(err) = deliver_event(
                                                &event_tx,
-                                                &mut skipped_events,
                                                event,
-                                                &mut stream,
                                            )
-                                            .await
                                            {
                                                warn!(%err, "failed to deliver remote app-server event");
                                                break;
@@ -333,11 +325,8 @@ impl RemoteAppServerClient {
                                            Ok(request) => {
                                                if let Err(err) = deliver_event(
                                                    &event_tx,
-                                                    &mut skipped_events,
                                                    AppServerEvent::ServerRequest(request),
-                                                    &mut stream,
                                                )
-                                                .await
                                                {
                                                    warn!(%err, "failed to deliver remote app-server server request");
                                                    break;
@@ -364,15 +353,12 @@ impl RemoteAppServerClient {
                                                    let err_message = reject_err.to_string();
                                                    let _ = deliver_event(
                                                        &event_tx,
-                                                        &mut skipped_events,
                                                        AppServerEvent::Disconnected {
                                                            message: format!(
                                                                "remote app server at `{websocket_url}` write failed: {err_message}"
                                                            ),
                                                        },
-                                                        &mut stream,
-                                                    )
-                                                    .await;
+                                                    );
                                                    break;
                                                }
                                            }
@@ -381,15 +367,12 @@ impl RemoteAppServerClient {
                                    Err(err) => {
                                        let _ = deliver_event(
                                            &event_tx,
-                                            &mut skipped_events,
                                            AppServerEvent::Disconnected {
                                                message: format!(
                                                    "remote app server at `{websocket_url}` sent invalid JSON-RPC: {err}"
                                                ),
                                            },
-                                            &mut stream,
-                                        )
-                                        .await;
+                                        );
                                        break;
                                    }
                                }
@@ -402,15 +385,12 @@ impl RemoteAppServerClient {
                                    .unwrap_or_else(|| "connection closed".to_string());
                                let _ = deliver_event(
                                    &event_tx,
-                                    &mut skipped_events,
                                    AppServerEvent::Disconnected {
                                        message: format!(
                                            "remote app server at `{websocket_url}` disconnected: {reason}"
                                        ),
                                    },
-                                    &mut stream,
-                                )
-                                .await;
+                                );
                                break;
                            }
                            Some(Ok(Message::Binary(_)))
@@ -420,29 +400,23 @@ impl RemoteAppServerClient {
                            Some(Err(err)) => {
                                let _ = deliver_event(
                                    &event_tx,
-                                    &mut skipped_events,
                                    AppServerEvent::Disconnected {
                                        message: format!(
                                            "remote app server at `{websocket_url}` transport failed: {err}"
                                        ),
                                    },
-                                    &mut stream,
-                                )
-                                .await;
+                                );
                                break;
                            }
                            None => {
                                let _ = deliver_event(
                                    &event_tx,
-                                    &mut skipped_events,
                                    AppServerEvent::Disconnected {
                                        message: format!(
                                            "remote app server at `{websocket_url}` closed the connection"
                                        ),
                                    },
-                                    &mut stream,
-                                )
-                                .await;
+                                );
                                break;
                            }
                        }
@@ -801,100 +775,16 @@ fn app_server_event_from_notification(notification: JSONRPCNotification) -> Opti
    }
 }

-async fn deliver_event(
-    event_tx: &mpsc::Sender<AppServerEvent>,
-    skipped_events: &mut usize,
+fn deliver_event(
+    event_tx: &mpsc::UnboundedSender<AppServerEvent>,
    event: AppServerEvent,
-    stream: &mut WebSocketStream<MaybeTlsStream<TcpStream>>,
 ) -> IoResult<()> {
-    if *skipped_events > 0 {
-        if event_requires_delivery(&event) {
-            if event_tx
-                .send(AppServerEvent::Lagged {
-                    skipped: *skipped_events,
-                })
-                .await
-                .is_err()
-            {
-                return Err(IoError::new(
-                    ErrorKind::BrokenPipe,
-                    "remote app-server event consumer channel is closed",
-                ));
-            }
-            *skipped_events = 0;
-        } else {
-            match event_tx.try_send(AppServerEvent::Lagged {
-                skipped: *skipped_events,
-            }) {
-                Ok(()) => *skipped_events = 0,
-                Err(mpsc::error::TrySendError::Full(_)) => {
-                    *skipped_events = (*skipped_events).saturating_add(1);
-                    reject_if_server_request_dropped(stream, &event).await?;
-                    return Ok(());
-                }
-                Err(mpsc::error::TrySendError::Closed(_)) => {
-                    return Err(IoError::new(
-                        ErrorKind::BrokenPipe,
-                        "remote app-server event consumer channel is closed",
-                    ));
-                }
-            }
-        }
-    }
-
-    if event_requires_delivery(&event) {
-        event_tx.send(event).await.map_err(|_| {
-            IoError::new(
-                ErrorKind::BrokenPipe,
-                "remote app-server event consumer channel is closed",
-            )
-        })?;
-        return Ok(());
-    }
-
-    match event_tx.try_send(event) {
-        Ok(()) => Ok(()),
-        Err(mpsc::error::TrySendError::Full(event)) => {
-            *skipped_events = (*skipped_events).saturating_add(1);
-            reject_if_server_request_dropped(stream, &event).await
-        }
-        Err(mpsc::error::TrySendError::Closed(_)) => Err(IoError::new(
+    event_tx.send(event).map_err(|_| {
+        IoError::new(
            ErrorKind::BrokenPipe,
            "remote app-server event consumer channel is closed",
-        )),
-    }
-}
-
-async fn reject_if_server_request_dropped(
-    stream: &mut WebSocketStream<MaybeTlsStream<TcpStream>>,
-    event: &AppServerEvent,
-) -> IoResult<()> {
-    let AppServerEvent::ServerRequest(request) = event else {
-        return Ok(());
-    };
-    write_jsonrpc_message(
-        stream,
-        JSONRPCMessage::Error(JSONRPCError {
-            error: JSONRPCErrorError {
-                code: -32001,
-                message: "remote app-server event queue is full".to_string(),
-                data: None,
-            },
-            id: request.id().clone(),
-        }),
-        "<remote-app-server>",
-    )
-    .await
-}
-
-fn event_requires_delivery(event: &AppServerEvent) -> bool {
-    match event {
-        AppServerEvent::ServerNotification(notification) => {
-            server_notification_requires_delivery(notification)
-        }
-        AppServerEvent::Disconnected { .. } => true,
-        AppServerEvent::Lagged { .. } | AppServerEvent::ServerRequest(_) => false,
-    }
+        )
+    })
 }

 fn request_id_from_client_request(request: &ClientRequest) -> RequestId {
@@ -940,47 +830,14 @@ async fn write_jsonrpc_message(
            ))
        })
 }
-
 #[cfg(test)]
 mod tests {
    use super::*;

-    #[test]
-    fn event_requires_delivery_marks_transcript_and_disconnect_events() {
-        assert!(event_requires_delivery(
-            &AppServerEvent::ServerNotification(ServerNotification::AgentMessageDelta(
-                codex_app_server_protocol::AgentMessageDeltaNotification {
-                    thread_id: "thread".to_string(),
-                    turn_id: "turn".to_string(),
-                    item_id: "item".to_string(),
-                    delta: "hello".to_string(),
-                },
-            ),)
-        ));
-        assert!(event_requires_delivery(
-            &AppServerEvent::ServerNotification(ServerNotification::ItemCompleted(
-                codex_app_server_protocol::ItemCompletedNotification {
-                    thread_id: "thread".to_string(),
-                    turn_id: "turn".to_string(),
-                    item: codex_app_server_protocol::ThreadItem::Plan {
-                        id: "item".to_string(),
-                        text: "step".to_string(),
-                    },
-                }
-            ),)
-        ));
-        assert!(event_requires_delivery(&AppServerEvent::Disconnected {
-            message: "closed".to_string(),
-        }));
-        assert!(!event_requires_delivery(&AppServerEvent::Lagged {
-            skipped: 1
-        }));
-    }
-
    #[tokio::test]
    async fn shutdown_tolerates_worker_exit_after_command_is_queued() {
        let (command_tx, mut command_rx) = mpsc::channel(1);
-        let (_event_tx, event_rx) = mpsc::channel(1);
+        let (_event_tx, event_rx) = mpsc::unbounded_channel::<AppServerEvent>();
        let worker_handle = tokio::spawn(async move {
            let _ = command_rx.recv().await;
        });
--- a/codex-rs/app-server-protocol/schema/json/ClientRequest.json
+++ b/codex-rs/app-server-protocol/schema/json/ClientRequest.json
@@ -13,9 +13,10 @@
      "type": "string"
    },
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
      "enum": [
        "user",
+        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
@@ -217,6 +218,17 @@
            "null"
          ]
        },
+        "permissionProfile": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/PermissionProfile"
+            },
+            {
+              "type": "null"
+            }
+          ],
+          "description": "Optional full permissions profile for this command.\n\nDefaults to the user's configured permissions when omitted. Cannot be combined with `sandboxPolicy`."
+        },
        "processId": {
          "description": "Optional client-supplied, connection-scoped process id.\n\nRequired for `tty`, `streamStdin`, `streamStdoutStderr`, and follow-up `command/exec/write`, `command/exec/resize`, and `command/exec/terminate` calls. When omitted, buffered execution gets an internal id that is not exposed to the client.",
          "type": [
@@ -233,7 +245,7 @@
              "type": "null"
            }
          ],
-          "description": "Optional sandbox policy for this command.\n\nUses the same shape as thread/turn execution sandbox configuration and defaults to the user's configured policy when omitted."
+          "description": "Optional sandbox policy for this command.\n\nUses the same shape as thread/turn execution sandbox configuration and defaults to the user's configured policy when omitted. Cannot be combined with `permissionProfile`."
        },
        "size": {
          "anyOf": [
@@ -897,6 +909,217 @@
      ],
      "type": "object"
    },
+    "FileSystemAccessMode": {
+      "enum": [
+        "read",
+        "write",
+        "none"
+      ],
+      "type": "string"
+    },
+    "FileSystemPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "path"
+              ],
+              "title": "PathFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "PathFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "pattern": {
+              "type": "string"
+            },
+            "type": {
+              "enum": [
+                "glob_pattern"
+              ],
+              "title": "GlobPatternFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "pattern",
+            "type"
+          ],
+          "title": "GlobPatternFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "special"
+              ],
+              "title": "SpecialFileSystemPathType",
+              "type": "string"
+            },
+            "value": {
+              "$ref": "#/definitions/FileSystemSpecialPath"
+            }
+          },
+          "required": [
+            "type",
+            "value"
+          ],
+          "title": "SpecialFileSystemPath",
+          "type": "object"
+        }
+      ]
+    },
+    "FileSystemSandboxEntry": {
+      "properties": {
+        "access": {
+          "$ref": "#/definitions/FileSystemAccessMode"
+        },
+        "path": {
+          "$ref": "#/definitions/FileSystemPath"
+        }
+      },
+      "required": [
+        "access",
+        "path"
+      ],
+      "type": "object"
+    },
+    "FileSystemSpecialPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "root"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "RootFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "minimal"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "MinimalFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "current_working_directory"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "project_roots"
+              ],
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "KindFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "tmpdir"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "TmpdirFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "slash_tmp"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "SlashTmpFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "unknown"
+              ],
+              "type": "string"
+            },
+            "path": {
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind",
+            "path"
+          ],
+          "type": "object"
+        }
+      ]
+    },
    "FsCopyParams": {
      "description": "Copy a file or directory tree on the host filesystem.",
      "properties": {
@@ -1498,6 +1721,17 @@
      ],
      "type": "object"
    },
+    "MarketplaceUpgradeParams": {
+      "properties": {
+        "marketplaceName": {
+          "type": [
+            "string",
+            "null"
+          ]
+        }
+      },
+      "type": "object"
+    },
    "McpResourceReadParams": {
      "properties": {
        "server": {
@@ -1657,6 +1891,135 @@
      ],
      "type": "string"
    },
+    "PermissionProfile": {
+      "oneOf": [
+        {
+          "description": "Codex owns sandbox construction for this profile.",
+          "properties": {
+            "fileSystem": {
+              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
+            },
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "managed"
+              ],
+              "title": "ManagedPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "fileSystem",
+            "network",
+            "type"
+          ],
+          "title": "ManagedPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Do not apply an outer sandbox.",
+          "properties": {
+            "type": {
+              "enum": [
+                "disabled"
+              ],
+              "title": "DisabledPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "DisabledPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Filesystem isolation is enforced by an external caller.",
+          "properties": {
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "external"
+              ],
+              "title": "ExternalPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "network",
+            "type"
+          ],
+          "title": "ExternalPermissionProfile",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileFileSystemPermissions": {
+      "oneOf": [
+        {
+          "properties": {
+            "entries": {
+              "items": {
+                "$ref": "#/definitions/FileSystemSandboxEntry"
+              },
+              "type": "array"
+            },
+            "globScanMaxDepth": {
+              "format": "uint",
+              "minimum": 1.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "entries",
+            "type"
+          ],
+          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "unrestricted"
+              ],
+              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "required": [
+        "enabled"
+      ],
+      "type": "object"
+    },
    "Personality": {
      "enum": [
        "none",
@@ -1763,53 +2126,6 @@
      ],
      "type": "object"
    },
-    "ReadOnlyAccess": {
-      "oneOf": [
-        {
-          "properties": {
-            "includePlatformDefaults": {
-              "default": true,
-              "type": "boolean"
-            },
-            "readableRoots": {
-              "default": [],
-              "items": {
-                "$ref": "#/definitions/AbsolutePathBuf"
-              },
-              "type": "array"
-            },
-            "type": {
-              "enum": [
-                "restricted"
-              ],
-              "title": "RestrictedReadOnlyAccessType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "RestrictedReadOnlyAccess",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "fullAccess"
-              ],
-              "title": "FullAccessReadOnlyAccessType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "FullAccessReadOnlyAccess",
-          "type": "object"
-        }
-      ]
-    },
    "RealtimeOutputModality": {
      "enum": [
        "text",
@@ -2693,16 +3009,6 @@
        },
        {
          "properties": {
-            "access": {
-              "allOf": [
-                {
-                  "$ref": "#/definitions/ReadOnlyAccess"
-                }
-              ],
-              "default": {
-                "type": "fullAccess"
-              }
-            },
            "networkAccess": {
              "default": false,
              "type": "boolean"
@@ -2759,16 +3065,6 @@
              "default": false,
              "type": "boolean"
            },
-            "readOnlyAccess": {
-              "allOf": [
-                {
-                  "$ref": "#/definitions/ReadOnlyAccess"
-                }
-              ],
-              "default": {
-                "type": "fullAccess"
-              }
-            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -2942,6 +3238,21 @@
      ],
      "type": "object"
    },
+    "ThreadApproveGuardianDeniedActionParams": {
+      "properties": {
+        "event": {
+          "description": "Serialized `codex_protocol::protocol::GuardianAssessmentEvent`."
+        },
+        "threadId": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "event",
+        "threadId"
+      ],
+      "type": "object"
+    },
    "ThreadArchiveParams": {
      "properties": {
        "threadId": {
@@ -3016,6 +3327,10 @@
        "ephemeral": {
          "type": "boolean"
        },
+        "excludeTurns": {
+          "description": "When true, return only thread metadata and live fork state without populating `thread.turns`. This is useful when the client plans to call `thread/turns/list` immediately after forking.",
+          "type": "boolean"
+        },
        "model": {
          "description": "Configuration overrides for the forked thread, if any.",
          "type": [
@@ -3029,6 +3344,17 @@
            "null"
          ]
        },
+        "permissionProfile": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/PermissionProfile"
+            },
+            {
+              "type": "null"
+            }
+          ],
+          "description": "Full permissions override for the forked thread. Cannot be combined with `sandbox`."
+        },
        "sandbox": {
          "anyOf": [
            {
@@ -3065,6 +3391,15 @@
      ],
      "type": "object"
    },
+    "ThreadGoalStatus": {
+      "enum": [
+        "active",
+        "paused",
+        "budgetLimited",
+        "complete"
+      ],
+      "type": "string"
+    },
    "ThreadInjectItemsParams": {
      "properties": {
        "items": {
@@ -3408,6 +3743,10 @@
            "null"
          ]
        },
+        "excludeTurns": {
+          "description": "When true, return only thread metadata and live-resume state without populating `thread.turns`. This is useful when the client plans to call `thread/turns/list` immediately after resuming.",
+          "type": "boolean"
+        },
        "model": {
          "description": "Configuration overrides for the resumed thread, if any.",
          "type": [
@@ -3421,6 +3760,17 @@
            "null"
          ]
        },
+        "permissionProfile": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/PermissionProfile"
+            },
+            {
+              "type": "null"
+            }
+          ],
+          "description": "Full permissions override for the resumed thread. Cannot be combined with `sandbox`."
+        },
        "personality": {
          "anyOf": [
            {
@@ -3604,6 +3954,17 @@
            "null"
          ]
        },
+        "permissionProfile": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/PermissionProfile"
+            },
+            {
+              "type": "null"
+            }
+          ],
+          "description": "Full permissions override for this thread. Cannot be combined with `sandbox`."
+        },
        "personality": {
          "anyOf": [
            {
@@ -3815,6 +4176,17 @@
        "outputSchema": {
          "description": "Optional JSON Schema used to constrain the final assistant message for this turn."
        },
+        "permissionProfile": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/PermissionProfile"
+            },
+            {
+              "type": "null"
+            }
+          ],
+          "description": "Override the full permissions profile for this turn and subsequent turns. Cannot be combined with `sandboxPolicy`."
+        },
        "personality": {
          "anyOf": [
            {
@@ -4315,6 +4687,30 @@
      "title": "Thread/shellCommandRequest",
      "type": "object"
    },
+    {
+      "properties": {
+        "id": {
+          "$ref": "#/definitions/RequestId"
+        },
+        "method": {
+          "enum": [
+            "thread/approveGuardianDeniedAction"
+          ],
+          "title": "Thread/approveGuardianDeniedActionRequestMethod",
+          "type": "string"
+        },
+        "params": {
+          "$ref": "#/definitions/ThreadApproveGuardianDeniedActionParams"
+        }
+      },
+      "required": [
+        "id",
+        "method",
+        "params"
+      ],
+      "title": "Thread/approveGuardianDeniedActionRequest",
+      "type": "object"
+    },
    {
      "properties": {
        "id": {
@@ -4532,6 +4928,30 @@
      "title": "Marketplace/removeRequest",
      "type": "object"
    },
+    {
+      "properties": {
+        "id": {
+          "$ref": "#/definitions/RequestId"
+        },
+        "method": {
+          "enum": [
+            "marketplace/upgrade"
+          ],
+          "title": "Marketplace/upgradeRequestMethod",
+          "type": "string"
+        },
+        "params": {
+          "$ref": "#/definitions/MarketplaceUpgradeParams"
+        }
+      },
+      "required": [
+        "id",
+        "method",
+        "params"
+      ],
+      "title": "Marketplace/upgradeRequest",
+      "type": "object"
+    },
    {
      "properties": {
        "id": {
--- a/codex-rs/app-server-protocol/schema/json/CommandExecutionRequestApprovalParams.json
+++ b/codex-rs/app-server-protocol/schema/json/CommandExecutionRequestApprovalParams.json
@@ -25,6 +25,7 @@
          ]
        },
        "read": {
+          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -34,6 +35,7 @@
          ]
        },
        "write": {
+          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -76,7 +78,8 @@
            {
              "type": "null"
            }
-          ]
+          ],
+          "description": "Partial overlay used for per-command permission requests."
        }
      },
      "type": "object"
--- a/codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalParams.json
+++ b/codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalParams.json
@@ -25,6 +25,7 @@
          ]
        },
        "read": {
+          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -34,6 +35,7 @@
          ]
        },
        "write": {
+          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
--- a/codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalResponse.json
@@ -25,6 +25,7 @@
          ]
        },
        "read": {
+          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -34,6 +35,7 @@
          ]
        },
        "write": {
+          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -311,6 +313,13 @@
        }
      ],
      "default": "turn"
+    },
+    "strictAutoReview": {
+      "description": "Review every subsequent command in this turn before normal sandboxed execution.",
+      "type": [
+        "boolean",
+        "null"
+      ]
    }
  },
  "required": [
--- a/codex-rs/app-server-protocol/schema/json/ServerNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/ServerNotification.json
@@ -84,6 +84,7 @@
          ]
        },
        "read": {
+          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -93,6 +94,7 @@
          ]
        },
        "write": {
+          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -480,6 +482,7 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
+            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -1704,6 +1707,23 @@
      ],
      "type": "string"
    },
+    "GuardianWarningNotification": {
+      "properties": {
+        "message": {
+          "description": "Concise guardian warning message for the user.",
+          "type": "string"
+        },
+        "threadId": {
+          "description": "Thread target for the guardian warning.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "message",
+        "threadId"
+      ],
+      "type": "object"
+    },
    "HookCompletedNotification": {
      "properties": {
        "run": {
@@ -2243,6 +2263,34 @@
      ],
      "type": "object"
    },
+    "ModelVerification": {
+      "enum": [
+        "trustedAccessForCyber"
+      ],
+      "type": "string"
+    },
+    "ModelVerificationNotification": {
+      "properties": {
+        "threadId": {
+          "type": "string"
+        },
+        "turnId": {
+          "type": "string"
+        },
+        "verifications": {
+          "items": {
+            "$ref": "#/definitions/ModelVerification"
+          },
+          "type": "array"
+        }
+      },
+      "required": [
+        "threadId",
+        "turnId",
+        "verifications"
+      ],
+      "type": "object"
+    },
    "NetworkApprovalProtocol": {
      "enum": [
        "http",
@@ -2980,6 +3028,93 @@
      ],
      "type": "object"
    },
+    "ThreadGoal": {
+      "properties": {
+        "createdAt": {
+          "format": "int64",
+          "type": "integer"
+        },
+        "objective": {
+          "type": "string"
+        },
+        "status": {
+          "$ref": "#/definitions/ThreadGoalStatus"
+        },
+        "threadId": {
+          "type": "string"
+        },
+        "timeUsedSeconds": {
+          "format": "int64",
+          "type": "integer"
+        },
+        "tokenBudget": {
+          "format": "int64",
+          "type": [
+            "integer",
+            "null"
+          ]
+        },
+        "tokensUsed": {
+          "format": "int64",
+          "type": "integer"
+        },
+        "updatedAt": {
+          "format": "int64",
+          "type": "integer"
+        }
+      },
+      "required": [
+        "createdAt",
+        "objective",
+        "status",
+        "threadId",
+        "timeUsedSeconds",
+        "tokensUsed",
+        "updatedAt"
+      ],
+      "type": "object"
+    },
+    "ThreadGoalClearedNotification": {
+      "properties": {
+        "threadId": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "threadId"
+      ],
+      "type": "object"
+    },
+    "ThreadGoalStatus": {
+      "enum": [
+        "active",
+        "paused",
+        "budgetLimited",
+        "complete"
+      ],
+      "type": "string"
+    },
+    "ThreadGoalUpdatedNotification": {
+      "properties": {
+        "goal": {
+          "$ref": "#/definitions/ThreadGoal"
+        },
+        "threadId": {
+          "type": "string"
+        },
+        "turnId": {
+          "type": [
+            "string",
+            "null"
+          ]
+        }
+      },
+      "required": [
+        "goal",
+        "threadId"
+      ],
+      "type": "object"
+    },
    "ThreadId": {
      "type": "string"
    },
@@ -4679,6 +4814,46 @@
      "title": "Thread/name/updatedNotification",
      "type": "object"
    },
+    {
+      "properties": {
+        "method": {
+          "enum": [
+            "thread/goal/updated"
+          ],
+          "title": "Thread/goal/updatedNotificationMethod",
+          "type": "string"
+        },
+        "params": {
+          "$ref": "#/definitions/ThreadGoalUpdatedNotification"
+        }
+      },
+      "required": [
+        "method",
+        "params"
+      ],
+      "title": "Thread/goal/updatedNotification",
+      "type": "object"
+    },
+    {
+      "properties": {
+        "method": {
+          "enum": [
+            "thread/goal/cleared"
+          ],
+          "title": "Thread/goal/clearedNotificationMethod",
+          "type": "string"
+        },
+        "params": {
+          "$ref": "#/definitions/ThreadGoalClearedNotification"
+        }
+      },
+      "required": [
+        "method",
+        "params"
+      ],
+      "title": "Thread/goal/clearedNotification",
+      "type": "object"
+    },
    {
      "properties": {
        "method": {
@@ -5322,6 +5497,26 @@
      "title": "Model/reroutedNotification",
      "type": "object"
    },
+    {
+      "properties": {
+        "method": {
+          "enum": [
+            "model/verification"
+          ],
+          "title": "Model/verificationNotificationMethod",
+          "type": "string"
+        },
+        "params": {
+          "$ref": "#/definitions/ModelVerificationNotification"
+        }
+      },
+      "required": [
+        "method",
+        "params"
+      ],
+      "title": "Model/verificationNotification",
+      "type": "object"
+    },
    {
      "properties": {
        "method": {
@@ -5342,6 +5537,26 @@
      "title": "WarningNotification",
      "type": "object"
    },
+    {
+      "properties": {
+        "method": {
+          "enum": [
+            "guardianWarning"
+          ],
+          "title": "GuardianWarningNotificationMethod",
+          "type": "string"
+        },
+        "params": {
+          "$ref": "#/definitions/GuardianWarningNotification"
+        }
+      },
+      "required": [
+        "method",
+        "params"
+      ],
+      "title": "GuardianWarningNotification",
+      "type": "object"
+    },
    {
      "properties": {
        "method": {
--- a/codex-rs/app-server-protocol/schema/json/ServerRequest.json
+++ b/codex-rs/app-server-protocol/schema/json/ServerRequest.json
@@ -25,6 +25,7 @@
          ]
        },
        "read": {
+          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -34,6 +35,7 @@
          ]
        },
        "write": {
+          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -76,7 +78,8 @@
            {
              "type": "null"
            }
-          ]
+          ],
+          "description": "Partial overlay used for per-command permission requests."
        }
      },
      "type": "object"
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json
--- a/codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json
@@ -27,6 +27,217 @@
      ],
      "type": "object"
    },
+    "FileSystemAccessMode": {
+      "enum": [
+        "read",
+        "write",
+        "none"
+      ],
+      "type": "string"
+    },
+    "FileSystemPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "path"
+              ],
+              "title": "PathFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "PathFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "pattern": {
+              "type": "string"
+            },
+            "type": {
+              "enum": [
+                "glob_pattern"
+              ],
+              "title": "GlobPatternFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "pattern",
+            "type"
+          ],
+          "title": "GlobPatternFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "special"
+              ],
+              "title": "SpecialFileSystemPathType",
+              "type": "string"
+            },
+            "value": {
+              "$ref": "#/definitions/FileSystemSpecialPath"
+            }
+          },
+          "required": [
+            "type",
+            "value"
+          ],
+          "title": "SpecialFileSystemPath",
+          "type": "object"
+        }
+      ]
+    },
+    "FileSystemSandboxEntry": {
+      "properties": {
+        "access": {
+          "$ref": "#/definitions/FileSystemAccessMode"
+        },
+        "path": {
+          "$ref": "#/definitions/FileSystemPath"
+        }
+      },
+      "required": [
+        "access",
+        "path"
+      ],
+      "type": "object"
+    },
+    "FileSystemSpecialPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "root"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "RootFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "minimal"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "MinimalFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "current_working_directory"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "project_roots"
+              ],
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "KindFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "tmpdir"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "TmpdirFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "slash_tmp"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "SlashTmpFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "unknown"
+              ],
+              "type": "string"
+            },
+            "path": {
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind",
+            "path"
+          ],
+          "type": "object"
+        }
+      ]
+    },
    "NetworkAccess": {
      "enum": [
        "restricted",
@@ -34,53 +245,135 @@
      ],
      "type": "string"
    },
-    "ReadOnlyAccess": {
+    "PermissionProfile": {
      "oneOf": [
        {
+          "description": "Codex owns sandbox construction for this profile.",
          "properties": {
-            "includePlatformDefaults": {
-              "default": true,
-              "type": "boolean"
+            "fileSystem": {
+              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
            },
-            "readableRoots": {
-              "default": [],
-              "items": {
-                "$ref": "#/definitions/AbsolutePathBuf"
-              },
-              "type": "array"
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
            },
            "type": {
              "enum": [
-                "restricted"
+                "managed"
              ],
-              "title": "RestrictedReadOnlyAccessType",
+              "title": "ManagedPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "fileSystem",
+            "network",
+            "type"
+          ],
+          "title": "ManagedPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Do not apply an outer sandbox.",
+          "properties": {
+            "type": {
+              "enum": [
+                "disabled"
+              ],
+              "title": "DisabledPermissionProfileType",
              "type": "string"
            }
          },
          "required": [
            "type"
          ],
-          "title": "RestrictedReadOnlyAccess",
+          "title": "DisabledPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Filesystem isolation is enforced by an external caller.",
+          "properties": {
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "external"
+              ],
+              "title": "ExternalPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "network",
+            "type"
+          ],
+          "title": "ExternalPermissionProfile",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileFileSystemPermissions": {
+      "oneOf": [
+        {
+          "properties": {
+            "entries": {
+              "items": {
+                "$ref": "#/definitions/FileSystemSandboxEntry"
+              },
+              "type": "array"
+            },
+            "globScanMaxDepth": {
+              "format": "uint",
+              "minimum": 1.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "entries",
+            "type"
+          ],
+          "title": "RestrictedPermissionProfileFileSystemPermissions",
          "type": "object"
        },
        {
          "properties": {
            "type": {
              "enum": [
-                "fullAccess"
+                "unrestricted"
              ],
-              "title": "FullAccessReadOnlyAccessType",
+              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
              "type": "string"
            }
          },
          "required": [
            "type"
          ],
-          "title": "FullAccessReadOnlyAccess",
+          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
          "type": "object"
        }
      ]
    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "required": [
+        "enabled"
+      ],
+      "type": "object"
+    },
    "SandboxPolicy": {
      "oneOf": [
        {
@@ -101,16 +394,6 @@
        },
        {
          "properties": {
-            "access": {
-              "allOf": [
-                {
-                  "$ref": "#/definitions/ReadOnlyAccess"
-                }
-              ],
-              "default": {
-                "type": "fullAccess"
-              }
-            },
            "networkAccess": {
              "default": false,
              "type": "boolean"
@@ -167,16 +450,6 @@
              "default": false,
              "type": "boolean"
            },
-            "readOnlyAccess": {
-              "allOf": [
-                {
-                  "$ref": "#/definitions/ReadOnlyAccess"
-                }
-              ],
-              "default": {
-                "type": "fullAccess"
-              }
-            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -247,6 +520,17 @@
        "null"
      ]
    },
+    "permissionProfile": {
+      "anyOf": [
+        {
+          "$ref": "#/definitions/PermissionProfile"
+        },
+        {
+          "type": "null"
+        }
+      ],
+      "description": "Optional full permissions profile for this command.\n\nDefaults to the user's configured permissions when omitted. Cannot be combined with `sandboxPolicy`."
+    },
    "processId": {
      "description": "Optional client-supplied, connection-scoped process id.\n\nRequired for `tty`, `streamStdin`, `streamStdoutStderr`, and follow-up `command/exec/write`, `command/exec/resize`, and `command/exec/terminate` calls. When omitted, buffered execution gets an internal id that is not exposed to the client.",
      "type": [
@@ -263,7 +547,7 @@
          "type": "null"
        }
      ],
-      "description": "Optional sandbox policy for this command.\n\nUses the same shape as thread/turn execution sandbox configuration and defaults to the user's configured policy when omitted."
+      "description": "Optional sandbox policy for this command.\n\nUses the same shape as thread/turn execution sandbox configuration and defaults to the user's configured policy when omitted. Cannot be combined with `permissionProfile`."
    },
    "size": {
      "anyOf": [
--- a/codex-rs/app-server-protocol/schema/json/v2/ConfigReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ConfigReadResponse.json
@@ -97,9 +97,10 @@
      "type": "object"
    },
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
      "enum": [
        "user",
+        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
--- a/codex-rs/app-server-protocol/schema/json/v2/ConfigRequirementsReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ConfigRequirementsReadResponse.json
@@ -2,9 +2,10 @@
  "$schema": "http://json-schema.org/draft-07/schema#",
  "definitions": {
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
      "enum": [
        "user",
+        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
@@ -110,6 +111,161 @@
      },
      "type": "object"
    },
+    "ConfiguredHookHandler": {
+      "oneOf": [
+        {
+          "properties": {
+            "async": {
+              "type": "boolean"
+            },
+            "command": {
+              "type": "string"
+            },
+            "statusMessage": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
+            "timeoutSec": {
+              "format": "uint64",
+              "minimum": 0.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "command"
+              ],
+              "title": "CommandConfiguredHookHandlerType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "async",
+            "command",
+            "type"
+          ],
+          "title": "CommandConfiguredHookHandler",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "prompt"
+              ],
+              "title": "PromptConfiguredHookHandlerType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "PromptConfiguredHookHandler",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "agent"
+              ],
+              "title": "AgentConfiguredHookHandlerType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "AgentConfiguredHookHandler",
+          "type": "object"
+        }
+      ]
+    },
+    "ConfiguredHookMatcherGroup": {
+      "properties": {
+        "hooks": {
+          "items": {
+            "$ref": "#/definitions/ConfiguredHookHandler"
+          },
+          "type": "array"
+        },
+        "matcher": {
+          "type": [
+            "string",
+            "null"
+          ]
+        }
+      },
+      "required": [
+        "hooks"
+      ],
+      "type": "object"
+    },
+    "ManagedHooksRequirements": {
+      "properties": {
+        "PermissionRequest": {
+          "items": {
+            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
+          },
+          "type": "array"
+        },
+        "PostToolUse": {
+          "items": {
+            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
+          },
+          "type": "array"
+        },
+        "PreToolUse": {
+          "items": {
+            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
+          },
+          "type": "array"
+        },
+        "SessionStart": {
+          "items": {
+            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
+          },
+          "type": "array"
+        },
+        "Stop": {
+          "items": {
+            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
+          },
+          "type": "array"
+        },
+        "UserPromptSubmit": {
+          "items": {
+            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
+          },
+          "type": "array"
+        },
+        "managedDir": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "windowsManagedDir": {
+          "type": [
+            "string",
+            "null"
+          ]
+        }
+      },
+      "required": [
+        "PermissionRequest",
+        "PostToolUse",
+        "PreToolUse",
+        "SessionStart",
+        "Stop",
+        "UserPromptSubmit"
+      ],
+      "type": "object"
+    },
    "NetworkDomainPermission": {
      "enum": [
        "allow",
--- a/codex-rs/app-server-protocol/schema/json/v2/ErrorNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ErrorNotification.json
@@ -9,6 +9,7 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
+            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/GetAccountResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/GetAccountResponse.json
@@ -42,6 +42,22 @@
          ],
          "title": "ChatgptAccount",
          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "amazonBedrock"
+              ],
+              "title": "AmazonBedrockAccountType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "AmazonBedrockAccount",
+          "type": "object"
        }
      ]
    },
--- a/codex-rs/app-server-protocol/schema/json/v2/GuardianWarningNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/GuardianWarningNotification.json
@@ -0,0 +1,19 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "properties": {
+    "message": {
+      "description": "Concise guardian warning message for the user.",
+      "type": "string"
+    },
+    "threadId": {
+      "description": "Thread target for the guardian warning.",
+      "type": "string"
+    }
+  },
+  "required": [
+    "message",
+    "threadId"
+  ],
+  "title": "GuardianWarningNotification",
+  "type": "object"
+}
--- a/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewCompletedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewCompletedNotification.json
@@ -25,6 +25,7 @@
          ]
        },
        "read": {
+          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -34,6 +35,7 @@
          ]
        },
        "write": {
+          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
--- a/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewStartedNotification.json
@@ -25,6 +25,7 @@
          ]
        },
        "read": {
+          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -34,6 +35,7 @@
          ]
        },
        "write": {
+          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
--- a/codex-rs/app-server-protocol/schema/json/v2/MarketplaceUpgradeParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/MarketplaceUpgradeParams.json
@@ -0,0 +1,13 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "properties": {
+    "marketplaceName": {
+      "type": [
+        "string",
+        "null"
+      ]
+    }
+  },
+  "title": "MarketplaceUpgradeParams",
+  "type": "object"
+}
--- a/codex-rs/app-server-protocol/schema/json/v2/MarketplaceUpgradeResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/MarketplaceUpgradeResponse.json
@@ -0,0 +1,51 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "definitions": {
+    "AbsolutePathBuf": {
+      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
+      "type": "string"
+    },
+    "MarketplaceUpgradeErrorInfo": {
+      "properties": {
+        "marketplaceName": {
+          "type": "string"
+        },
+        "message": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "marketplaceName",
+        "message"
+      ],
+      "type": "object"
+    }
+  },
+  "properties": {
+    "errors": {
+      "items": {
+        "$ref": "#/definitions/MarketplaceUpgradeErrorInfo"
+      },
+      "type": "array"
+    },
+    "selectedMarketplaces": {
+      "items": {
+        "type": "string"
+      },
+      "type": "array"
+    },
+    "upgradedRoots": {
+      "items": {
+        "$ref": "#/definitions/AbsolutePathBuf"
+      },
+      "type": "array"
+    }
+  },
+  "required": [
+    "errors",
+    "selectedMarketplaces",
+    "upgradedRoots"
+  ],
+  "title": "MarketplaceUpgradeResponse",
+  "type": "object"
+}
--- a/codex-rs/app-server-protocol/schema/json/v2/ModelVerificationNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ModelVerificationNotification.json
@@ -0,0 +1,32 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "definitions": {
+    "ModelVerification": {
+      "enum": [
+        "trustedAccessForCyber"
+      ],
+      "type": "string"
+    }
+  },
+  "properties": {
+    "threadId": {
+      "type": "string"
+    },
+    "turnId": {
+      "type": "string"
+    },
+    "verifications": {
+      "items": {
+        "$ref": "#/definitions/ModelVerification"
+      },
+      "type": "array"
+    }
+  },
+  "required": [
+    "threadId",
+    "turnId",
+    "verifications"
+  ],
+  "title": "ModelVerificationNotification",
+  "type": "object"
+}
--- a/codex-rs/app-server-protocol/schema/json/v2/ReviewStartResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ReviewStartResponse.json
@@ -32,6 +32,7 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
+            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadApproveGuardianDeniedActionParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadApproveGuardianDeniedActionParams.json
@@ -0,0 +1,17 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "properties": {
+    "event": {
+      "description": "Serialized `codex_protocol::protocol::GuardianAssessmentEvent`."
+    },
+    "threadId": {
+      "type": "string"
+    }
+  },
+  "required": [
+    "event",
+    "threadId"
+  ],
+  "title": "ThreadApproveGuardianDeniedActionParams",
+  "type": "object"
+}
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadApproveGuardianDeniedActionResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadApproveGuardianDeniedActionResponse.json
@@ -0,0 +1,5 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "ThreadApproveGuardianDeniedActionResponse",
+  "type": "object"
+}
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadForkParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadForkParams.json
@@ -1,10 +1,15 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "definitions": {
+    "AbsolutePathBuf": {
+      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
+      "type": "string"
+    },
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
      "enum": [
        "user",
+        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
@@ -59,6 +64,346 @@
        }
      ]
    },
+    "FileSystemAccessMode": {
+      "enum": [
+        "read",
+        "write",
+        "none"
+      ],
+      "type": "string"
+    },
+    "FileSystemPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "path"
+              ],
+              "title": "PathFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "PathFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "pattern": {
+              "type": "string"
+            },
+            "type": {
+              "enum": [
+                "glob_pattern"
+              ],
+              "title": "GlobPatternFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "pattern",
+            "type"
+          ],
+          "title": "GlobPatternFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "special"
+              ],
+              "title": "SpecialFileSystemPathType",
+              "type": "string"
+            },
+            "value": {
+              "$ref": "#/definitions/FileSystemSpecialPath"
+            }
+          },
+          "required": [
+            "type",
+            "value"
+          ],
+          "title": "SpecialFileSystemPath",
+          "type": "object"
+        }
+      ]
+    },
+    "FileSystemSandboxEntry": {
+      "properties": {
+        "access": {
+          "$ref": "#/definitions/FileSystemAccessMode"
+        },
+        "path": {
+          "$ref": "#/definitions/FileSystemPath"
+        }
+      },
+      "required": [
+        "access",
+        "path"
+      ],
+      "type": "object"
+    },
+    "FileSystemSpecialPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "root"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "RootFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "minimal"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "MinimalFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "current_working_directory"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "project_roots"
+              ],
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "KindFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "tmpdir"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "TmpdirFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "slash_tmp"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "SlashTmpFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "unknown"
+              ],
+              "type": "string"
+            },
+            "path": {
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind",
+            "path"
+          ],
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfile": {
+      "oneOf": [
+        {
+          "description": "Codex owns sandbox construction for this profile.",
+          "properties": {
+            "fileSystem": {
+              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
+            },
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "managed"
+              ],
+              "title": "ManagedPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "fileSystem",
+            "network",
+            "type"
+          ],
+          "title": "ManagedPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Do not apply an outer sandbox.",
+          "properties": {
+            "type": {
+              "enum": [
+                "disabled"
+              ],
+              "title": "DisabledPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "DisabledPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Filesystem isolation is enforced by an external caller.",
+          "properties": {
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "external"
+              ],
+              "title": "ExternalPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "network",
+            "type"
+          ],
+          "title": "ExternalPermissionProfile",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileFileSystemPermissions": {
+      "oneOf": [
+        {
+          "properties": {
+            "entries": {
+              "items": {
+                "$ref": "#/definitions/FileSystemSandboxEntry"
+              },
+              "type": "array"
+            },
+            "globScanMaxDepth": {
+              "format": "uint",
+              "minimum": 1.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "entries",
+            "type"
+          ],
+          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "unrestricted"
+              ],
+              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "required": [
+        "enabled"
+      ],
+      "type": "object"
+    },
    "SandboxMode": {
      "enum": [
        "read-only",
@@ -126,6 +471,10 @@
    "ephemeral": {
      "type": "boolean"
    },
+    "excludeTurns": {
+      "description": "When true, return only thread metadata and live fork state without populating `thread.turns`. This is useful when the client plans to call `thread/turns/list` immediately after forking.",
+      "type": "boolean"
+    },
    "model": {
      "description": "Configuration overrides for the forked thread, if any.",
      "type": [
@@ -139,6 +488,17 @@
        "null"
      ]
    },
+    "permissionProfile": {
+      "anyOf": [
+        {
+          "$ref": "#/definitions/PermissionProfile"
+        },
+        {
+          "type": "null"
+        }
+      ],
+      "description": "Full permissions override for the forked thread. Cannot be combined with `sandbox`."
+    },
    "sandbox": {
      "anyOf": [
        {
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadForkResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadForkResponse.json
@@ -9,9 +9,10 @@
      "type": "string"
    },
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
      "enum": [
        "user",
+        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
@@ -93,6 +94,7 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
+            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -898,110 +900,134 @@
      ]
    },
    "PermissionProfile": {
-      "properties": {
-        "fileSystem": {
-          "anyOf": [
-            {
+      "oneOf": [
+        {
+          "description": "Codex owns sandbox construction for this profile.",
+          "properties": {
+            "fileSystem": {
              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
            },
-            {
-              "type": "null"
-            }
-          ]
-        },
-        "network": {
-          "anyOf": [
-            {
+            "network": {
              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
            },
-            {
-              "type": "null"
+            "type": {
+              "enum": [
+                "managed"
+              ],
+              "title": "ManagedPermissionProfileType",
+              "type": "string"
            }
-          ]
+          },
+          "required": [
+            "fileSystem",
+            "network",
+            "type"
+          ],
+          "title": "ManagedPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Do not apply an outer sandbox.",
+          "properties": {
+            "type": {
+              "enum": [
+                "disabled"
+              ],
+              "title": "DisabledPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "DisabledPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Filesystem isolation is enforced by an external caller.",
+          "properties": {
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "external"
+              ],
+              "title": "ExternalPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "network",
+            "type"
+          ],
+          "title": "ExternalPermissionProfile",
+          "type": "object"
        }
-      },
-      "type": "object"
+      ]
    },
    "PermissionProfileFileSystemPermissions": {
-      "properties": {
-        "entries": {
-          "items": {
-            "$ref": "#/definitions/FileSystemSandboxEntry"
-          },
-          "type": "array"
-        },
-        "globScanMaxDepth": {
-          "format": "uint",
-          "minimum": 1.0,
-          "type": [
-            "integer",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "entries"
-      ],
-      "type": "object"
-    },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": [
-            "boolean",
-            "null"
-          ]
-        }
-      },
-      "type": "object"
-    },
-    "ReadOnlyAccess": {
      "oneOf": [
        {
          "properties": {
-            "includePlatformDefaults": {
-              "default": true,
-              "type": "boolean"
-            },
-            "readableRoots": {
-              "default": [],
+            "entries": {
              "items": {
-                "$ref": "#/definitions/AbsolutePathBuf"
+                "$ref": "#/definitions/FileSystemSandboxEntry"
              },
              "type": "array"
            },
+            "globScanMaxDepth": {
+              "format": "uint",
+              "minimum": 1.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
            "type": {
              "enum": [
                "restricted"
              ],
-              "title": "RestrictedReadOnlyAccessType",
+              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
              "type": "string"
            }
          },
          "required": [
+            "entries",
            "type"
          ],
-          "title": "RestrictedReadOnlyAccess",
+          "title": "RestrictedPermissionProfileFileSystemPermissions",
          "type": "object"
        },
        {
          "properties": {
            "type": {
              "enum": [
-                "fullAccess"
+                "unrestricted"
              ],
-              "title": "FullAccessReadOnlyAccessType",
+              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
              "type": "string"
            }
          },
          "required": [
            "type"
          ],
-          "title": "FullAccessReadOnlyAccess",
+          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
          "type": "object"
        }
      ]
    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "required": [
+        "enabled"
+      ],
+      "type": "object"
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -1034,16 +1060,6 @@
        },
        {
          "properties": {
-            "access": {
-              "allOf": [
-                {
-                  "$ref": "#/definitions/ReadOnlyAccess"
-                }
-              ],
-              "default": {
-                "type": "fullAccess"
-              }
-            },
            "networkAccess": {
              "default": false,
              "type": "boolean"
@@ -1100,16 +1116,6 @@
              "default": false,
              "type": "boolean"
            },
-            "readOnlyAccess": {
-              "allOf": [
-                {
-                  "$ref": "#/definitions/ReadOnlyAccess"
-                }
-              ],
-              "default": {
-                "type": "fullAccess"
-              }
-            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -2504,7 +2510,7 @@
        }
      ],
      "default": null,
-      "description": "Canonical active permissions view for this thread when representable. This is `null` for external sandbox policies because external enforcement cannot be round-tripped as a `PermissionProfile`."
+      "description": "Canonical active permissions view for this thread."
    },
    "reasoningEffort": {
      "anyOf": [
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadGoalClearedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadGoalClearedNotification.json
@@ -0,0 +1,13 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "properties": {
+    "threadId": {
+      "type": "string"
+    }
+  },
+  "required": [
+    "threadId"
+  ],
+  "title": "ThreadGoalClearedNotification",
+  "type": "object"
+}
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadGoalUpdatedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadGoalUpdatedNotification.json
@@ -0,0 +1,80 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "definitions": {
+    "ThreadGoal": {
+      "properties": {
+        "createdAt": {
+          "format": "int64",
+          "type": "integer"
+        },
+        "objective": {
+          "type": "string"
+        },
+        "status": {
+          "$ref": "#/definitions/ThreadGoalStatus"
+        },
+        "threadId": {
+          "type": "string"
+        },
+        "timeUsedSeconds": {
+          "format": "int64",
+          "type": "integer"
+        },
+        "tokenBudget": {
+          "format": "int64",
+          "type": [
+            "integer",
+            "null"
+          ]
+        },
+        "tokensUsed": {
+          "format": "int64",
+          "type": "integer"
+        },
+        "updatedAt": {
+          "format": "int64",
+          "type": "integer"
+        }
+      },
+      "required": [
+        "createdAt",
+        "objective",
+        "status",
+        "threadId",
+        "timeUsedSeconds",
+        "tokensUsed",
+        "updatedAt"
+      ],
+      "type": "object"
+    },
+    "ThreadGoalStatus": {
+      "enum": [
+        "active",
+        "paused",
+        "budgetLimited",
+        "complete"
+      ],
+      "type": "string"
+    }
+  },
+  "properties": {
+    "goal": {
+      "$ref": "#/definitions/ThreadGoal"
+    },
+    "threadId": {
+      "type": "string"
+    },
+    "turnId": {
+      "type": [
+        "string",
+        "null"
+      ]
+    }
+  },
+  "required": [
+    "goal",
+    "threadId"
+  ],
+  "title": "ThreadGoalUpdatedNotification",
+  "type": "object"
+}
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadListResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadListResponse.json
@@ -35,6 +35,7 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
+            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadMetadataUpdateResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadMetadataUpdateResponse.json
@@ -35,6 +35,7 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
+            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadReadResponse.json
@@ -35,6 +35,7 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
+            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeParams.json
@@ -1,10 +1,15 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "definitions": {
+    "AbsolutePathBuf": {
+      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
+      "type": "string"
+    },
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
      "enum": [
        "user",
+        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
@@ -133,6 +138,217 @@
        }
      ]
    },
+    "FileSystemAccessMode": {
+      "enum": [
+        "read",
+        "write",
+        "none"
+      ],
+      "type": "string"
+    },
+    "FileSystemPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "path"
+              ],
+              "title": "PathFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "PathFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "pattern": {
+              "type": "string"
+            },
+            "type": {
+              "enum": [
+                "glob_pattern"
+              ],
+              "title": "GlobPatternFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "pattern",
+            "type"
+          ],
+          "title": "GlobPatternFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "special"
+              ],
+              "title": "SpecialFileSystemPathType",
+              "type": "string"
+            },
+            "value": {
+              "$ref": "#/definitions/FileSystemSpecialPath"
+            }
+          },
+          "required": [
+            "type",
+            "value"
+          ],
+          "title": "SpecialFileSystemPath",
+          "type": "object"
+        }
+      ]
+    },
+    "FileSystemSandboxEntry": {
+      "properties": {
+        "access": {
+          "$ref": "#/definitions/FileSystemAccessMode"
+        },
+        "path": {
+          "$ref": "#/definitions/FileSystemPath"
+        }
+      },
+      "required": [
+        "access",
+        "path"
+      ],
+      "type": "object"
+    },
+    "FileSystemSpecialPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "root"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "RootFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "minimal"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "MinimalFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "current_working_directory"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "project_roots"
+              ],
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "KindFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "tmpdir"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "TmpdirFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "slash_tmp"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "SlashTmpFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "unknown"
+              ],
+              "type": "string"
+            },
+            "path": {
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind",
+            "path"
+          ],
+          "type": "object"
+        }
+      ]
+    },
    "FunctionCallOutputBody": {
      "anyOf": [
        {
@@ -325,6 +541,135 @@
        }
      ]
    },
+    "PermissionProfile": {
+      "oneOf": [
+        {
+          "description": "Codex owns sandbox construction for this profile.",
+          "properties": {
+            "fileSystem": {
+              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
+            },
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "managed"
+              ],
+              "title": "ManagedPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "fileSystem",
+            "network",
+            "type"
+          ],
+          "title": "ManagedPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Do not apply an outer sandbox.",
+          "properties": {
+            "type": {
+              "enum": [
+                "disabled"
+              ],
+              "title": "DisabledPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "DisabledPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Filesystem isolation is enforced by an external caller.",
+          "properties": {
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "external"
+              ],
+              "title": "ExternalPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "network",
+            "type"
+          ],
+          "title": "ExternalPermissionProfile",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileFileSystemPermissions": {
+      "oneOf": [
+        {
+          "properties": {
+            "entries": {
+              "items": {
+                "$ref": "#/definitions/FileSystemSandboxEntry"
+              },
+              "type": "array"
+            },
+            "globScanMaxDepth": {
+              "format": "uint",
+              "minimum": 1.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "entries",
+            "type"
+          ],
+          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "unrestricted"
+              ],
+              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "required": [
+        "enabled"
+      ],
+      "type": "object"
+    },
    "Personality": {
      "enum": [
        "none",
@@ -1039,6 +1384,10 @@
        "null"
      ]
    },
+    "excludeTurns": {
+      "description": "When true, return only thread metadata and live-resume state without populating `thread.turns`. This is useful when the client plans to call `thread/turns/list` immediately after resuming.",
+      "type": "boolean"
+    },
    "model": {
      "description": "Configuration overrides for the resumed thread, if any.",
      "type": [
@@ -1052,6 +1401,17 @@
        "null"
      ]
    },
+    "permissionProfile": {
+      "anyOf": [
+        {
+          "$ref": "#/definitions/PermissionProfile"
+        },
+        {
+          "type": "null"
+        }
+      ],
+      "description": "Full permissions override for the resumed thread. Cannot be combined with `sandbox`."
+    },
    "personality": {
      "anyOf": [
        {
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeResponse.json
@@ -9,9 +9,10 @@
      "type": "string"
    },
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
      "enum": [
        "user",
+        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
@@ -93,6 +94,7 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
+            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -898,110 +900,134 @@
      ]
    },
    "PermissionProfile": {
-      "properties": {
-        "fileSystem": {
-          "anyOf": [
-            {
+      "oneOf": [
+        {
+          "description": "Codex owns sandbox construction for this profile.",
+          "properties": {
+            "fileSystem": {
              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
            },
-            {
-              "type": "null"
-            }
-          ]
-        },
-        "network": {
-          "anyOf": [
-            {
+            "network": {
              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
            },
-            {
-              "type": "null"
+            "type": {
+              "enum": [
+                "managed"
+              ],
+              "title": "ManagedPermissionProfileType",
+              "type": "string"
            }
-          ]
+          },
+          "required": [
+            "fileSystem",
+            "network",
+            "type"
+          ],
+          "title": "ManagedPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Do not apply an outer sandbox.",
+          "properties": {
+            "type": {
+              "enum": [
+                "disabled"
+              ],
+              "title": "DisabledPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "DisabledPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Filesystem isolation is enforced by an external caller.",
+          "properties": {
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "external"
+              ],
+              "title": "ExternalPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "network",
+            "type"
+          ],
+          "title": "ExternalPermissionProfile",
+          "type": "object"
        }
-      },
-      "type": "object"
+      ]
    },
    "PermissionProfileFileSystemPermissions": {
-      "properties": {
-        "entries": {
-          "items": {
-            "$ref": "#/definitions/FileSystemSandboxEntry"
-          },
-          "type": "array"
-        },
-        "globScanMaxDepth": {
-          "format": "uint",
-          "minimum": 1.0,
-          "type": [
-            "integer",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "entries"
-      ],
-      "type": "object"
-    },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": [
-            "boolean",
-            "null"
-          ]
-        }
-      },
-      "type": "object"
-    },
-    "ReadOnlyAccess": {
      "oneOf": [
        {
          "properties": {
-            "includePlatformDefaults": {
-              "default": true,
-              "type": "boolean"
-            },
-            "readableRoots": {
-              "default": [],
+            "entries": {
              "items": {
-                "$ref": "#/definitions/AbsolutePathBuf"
+                "$ref": "#/definitions/FileSystemSandboxEntry"
              },
              "type": "array"
            },
+            "globScanMaxDepth": {
+              "format": "uint",
+              "minimum": 1.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
            "type": {
              "enum": [
                "restricted"
              ],
-              "title": "RestrictedReadOnlyAccessType",
+              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
              "type": "string"
            }
          },
          "required": [
+            "entries",
            "type"
          ],
-          "title": "RestrictedReadOnlyAccess",
+          "title": "RestrictedPermissionProfileFileSystemPermissions",
          "type": "object"
        },
        {
          "properties": {
            "type": {
              "enum": [
-                "fullAccess"
+                "unrestricted"
              ],
-              "title": "FullAccessReadOnlyAccessType",
+              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
              "type": "string"
            }
          },
          "required": [
            "type"
          ],
-          "title": "FullAccessReadOnlyAccess",
+          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
          "type": "object"
        }
      ]
    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "required": [
+        "enabled"
+      ],
+      "type": "object"
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -1034,16 +1060,6 @@
        },
        {
          "properties": {
-            "access": {
-              "allOf": [
-                {
-                  "$ref": "#/definitions/ReadOnlyAccess"
-                }
-              ],
-              "default": {
-                "type": "fullAccess"
-              }
-            },
            "networkAccess": {
              "default": false,
              "type": "boolean"
@@ -1100,16 +1116,6 @@
              "default": false,
              "type": "boolean"
            },
-            "readOnlyAccess": {
-              "allOf": [
-                {
-                  "$ref": "#/definitions/ReadOnlyAccess"
-                }
-              ],
-              "default": {
-                "type": "fullAccess"
-              }
-            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -2504,7 +2510,7 @@
        }
      ],
      "default": null,
-      "description": "Canonical active permissions view for this thread when representable. This is `null` for external sandbox policies because external enforcement cannot be round-tripped as a `PermissionProfile`."
+      "description": "Canonical active permissions view for this thread."
    },
    "reasoningEffort": {
      "anyOf": [
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadRollbackResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadRollbackResponse.json
@@ -35,6 +35,7 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
+            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadStartParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadStartParams.json
@@ -1,10 +1,15 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "definitions": {
+    "AbsolutePathBuf": {
+      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
+      "type": "string"
+    },
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
      "enum": [
        "user",
+        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
@@ -85,6 +90,346 @@
      ],
      "type": "object"
    },
+    "FileSystemAccessMode": {
+      "enum": [
+        "read",
+        "write",
+        "none"
+      ],
+      "type": "string"
+    },
+    "FileSystemPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "path"
+              ],
+              "title": "PathFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "PathFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "pattern": {
+              "type": "string"
+            },
+            "type": {
+              "enum": [
+                "glob_pattern"
+              ],
+              "title": "GlobPatternFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "pattern",
+            "type"
+          ],
+          "title": "GlobPatternFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "special"
+              ],
+              "title": "SpecialFileSystemPathType",
+              "type": "string"
+            },
+            "value": {
+              "$ref": "#/definitions/FileSystemSpecialPath"
+            }
+          },
+          "required": [
+            "type",
+            "value"
+          ],
+          "title": "SpecialFileSystemPath",
+          "type": "object"
+        }
+      ]
+    },
+    "FileSystemSandboxEntry": {
+      "properties": {
+        "access": {
+          "$ref": "#/definitions/FileSystemAccessMode"
+        },
+        "path": {
+          "$ref": "#/definitions/FileSystemPath"
+        }
+      },
+      "required": [
+        "access",
+        "path"
+      ],
+      "type": "object"
+    },
+    "FileSystemSpecialPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "root"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "RootFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "minimal"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "MinimalFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "current_working_directory"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "project_roots"
+              ],
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "KindFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "tmpdir"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "TmpdirFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "slash_tmp"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "SlashTmpFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "unknown"
+              ],
+              "type": "string"
+            },
+            "path": {
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind",
+            "path"
+          ],
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfile": {
+      "oneOf": [
+        {
+          "description": "Codex owns sandbox construction for this profile.",
+          "properties": {
+            "fileSystem": {
+              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
+            },
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "managed"
+              ],
+              "title": "ManagedPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "fileSystem",
+            "network",
+            "type"
+          ],
+          "title": "ManagedPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Do not apply an outer sandbox.",
+          "properties": {
+            "type": {
+              "enum": [
+                "disabled"
+              ],
+              "title": "DisabledPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "DisabledPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Filesystem isolation is enforced by an external caller.",
+          "properties": {
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "external"
+              ],
+              "title": "ExternalPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "network",
+            "type"
+          ],
+          "title": "ExternalPermissionProfile",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileFileSystemPermissions": {
+      "oneOf": [
+        {
+          "properties": {
+            "entries": {
+              "items": {
+                "$ref": "#/definitions/FileSystemSandboxEntry"
+              },
+              "type": "array"
+            },
+            "globScanMaxDepth": {
+              "format": "uint",
+              "minimum": 1.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "entries",
+            "type"
+          ],
+          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "unrestricted"
+              ],
+              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "required": [
+        "enabled"
+      ],
+      "type": "object"
+    },
    "Personality": {
      "enum": [
        "none",
@@ -114,6 +459,21 @@
        "clear"
      ],
      "type": "string"
+    },
+    "TurnEnvironmentParams": {
+      "properties": {
+        "cwd": {
+          "$ref": "#/definitions/AbsolutePathBuf"
+        },
+        "environmentId": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "cwd",
+        "environmentId"
+      ],
+      "type": "object"
    }
  },
  "properties": {
@@ -181,6 +541,17 @@
        "null"
      ]
    },
+    "permissionProfile": {
+      "anyOf": [
+        {
+          "$ref": "#/definitions/PermissionProfile"
+        },
+        {
+          "type": "null"
+        }
+      ],
+      "description": "Full permissions override for this thread. Cannot be combined with `sandbox`."
+    },
    "personality": {
      "anyOf": [
        {
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadStartResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadStartResponse.json
@@ -9,9 +9,10 @@
      "type": "string"
    },
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
      "enum": [
        "user",
+        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
@@ -93,6 +94,7 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
+            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -898,110 +900,134 @@
      ]
    },
    "PermissionProfile": {
-      "properties": {
-        "fileSystem": {
-          "anyOf": [
-            {
+      "oneOf": [
+        {
+          "description": "Codex owns sandbox construction for this profile.",
+          "properties": {
+            "fileSystem": {
              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
            },
-            {
-              "type": "null"
-            }
-          ]
-        },
-        "network": {
-          "anyOf": [
-            {
+            "network": {
              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
            },
-            {
-              "type": "null"
+            "type": {
+              "enum": [
+                "managed"
+              ],
+              "title": "ManagedPermissionProfileType",
+              "type": "string"
            }
-          ]
+          },
+          "required": [
+            "fileSystem",
+            "network",
+            "type"
+          ],
+          "title": "ManagedPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Do not apply an outer sandbox.",
+          "properties": {
+            "type": {
+              "enum": [
+                "disabled"
+              ],
+              "title": "DisabledPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "DisabledPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Filesystem isolation is enforced by an external caller.",
+          "properties": {
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "external"
+              ],
+              "title": "ExternalPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "network",
+            "type"
+          ],
+          "title": "ExternalPermissionProfile",
+          "type": "object"
        }
-      },
-      "type": "object"
+      ]
    },
    "PermissionProfileFileSystemPermissions": {
-      "properties": {
-        "entries": {
-          "items": {
-            "$ref": "#/definitions/FileSystemSandboxEntry"
-          },
-          "type": "array"
-        },
-        "globScanMaxDepth": {
-          "format": "uint",
-          "minimum": 1.0,
-          "type": [
-            "integer",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "entries"
-      ],
-      "type": "object"
-    },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": [
-            "boolean",
-            "null"
-          ]
-        }
-      },
-      "type": "object"
-    },
-    "ReadOnlyAccess": {
      "oneOf": [
        {
          "properties": {
-            "includePlatformDefaults": {
-              "default": true,
-              "type": "boolean"
-            },
-            "readableRoots": {
-              "default": [],
+            "entries": {
              "items": {
-                "$ref": "#/definitions/AbsolutePathBuf"
+                "$ref": "#/definitions/FileSystemSandboxEntry"
              },
              "type": "array"
            },
+            "globScanMaxDepth": {
+              "format": "uint",
+              "minimum": 1.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
            "type": {
              "enum": [
                "restricted"
              ],
-              "title": "RestrictedReadOnlyAccessType",
+              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
              "type": "string"
            }
          },
          "required": [
+            "entries",
            "type"
          ],
-          "title": "RestrictedReadOnlyAccess",
+          "title": "RestrictedPermissionProfileFileSystemPermissions",
          "type": "object"
        },
        {
          "properties": {
            "type": {
              "enum": [
-                "fullAccess"
+                "unrestricted"
              ],
-              "title": "FullAccessReadOnlyAccessType",
+              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
              "type": "string"
            }
          },
          "required": [
            "type"
          ],
-          "title": "FullAccessReadOnlyAccess",
+          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
          "type": "object"
        }
      ]
    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "required": [
+        "enabled"
+      ],
+      "type": "object"
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -1034,16 +1060,6 @@
        },
        {
          "properties": {
-            "access": {
-              "allOf": [
-                {
-                  "$ref": "#/definitions/ReadOnlyAccess"
-                }
-              ],
-              "default": {
-                "type": "fullAccess"
-              }
-            },
            "networkAccess": {
              "default": false,
              "type": "boolean"
@@ -1100,16 +1116,6 @@
              "default": false,
              "type": "boolean"
            },
-            "readOnlyAccess": {
-              "allOf": [
-                {
-                  "$ref": "#/definitions/ReadOnlyAccess"
-                }
-              ],
-              "default": {
-                "type": "fullAccess"
-              }
-            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -2504,7 +2510,7 @@
        }
      ],
      "default": null,
-      "description": "Canonical active permissions view for this thread when representable. This is `null` for external sandbox policies because external enforcement cannot be round-tripped as a `PermissionProfile`."
+      "description": "Canonical active permissions view for this thread."
    },
    "reasoningEffort": {
      "anyOf": [
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadStartedNotification.json
@@ -35,6 +35,7 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
+            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadTurnsListResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadTurnsListResponse.json
@@ -32,6 +32,7 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
+            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadUnarchiveResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadUnarchiveResponse.json
@@ -35,6 +35,7 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
+            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnCompletedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnCompletedNotification.json
@@ -32,6 +32,7 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
+            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnStartParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnStartParams.json
@@ -6,9 +6,10 @@
      "type": "string"
    },
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
      "enum": [
        "user",
+        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
@@ -98,6 +99,217 @@
      ],
      "type": "object"
    },
+    "FileSystemAccessMode": {
+      "enum": [
+        "read",
+        "write",
+        "none"
+      ],
+      "type": "string"
+    },
+    "FileSystemPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "path": {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            "type": {
+              "enum": [
+                "path"
+              ],
+              "title": "PathFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "path",
+            "type"
+          ],
+          "title": "PathFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "pattern": {
+              "type": "string"
+            },
+            "type": {
+              "enum": [
+                "glob_pattern"
+              ],
+              "title": "GlobPatternFileSystemPathType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "pattern",
+            "type"
+          ],
+          "title": "GlobPatternFileSystemPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "special"
+              ],
+              "title": "SpecialFileSystemPathType",
+              "type": "string"
+            },
+            "value": {
+              "$ref": "#/definitions/FileSystemSpecialPath"
+            }
+          },
+          "required": [
+            "type",
+            "value"
+          ],
+          "title": "SpecialFileSystemPath",
+          "type": "object"
+        }
+      ]
+    },
+    "FileSystemSandboxEntry": {
+      "properties": {
+        "access": {
+          "$ref": "#/definitions/FileSystemAccessMode"
+        },
+        "path": {
+          "$ref": "#/definitions/FileSystemPath"
+        }
+      },
+      "required": [
+        "access",
+        "path"
+      ],
+      "type": "object"
+    },
+    "FileSystemSpecialPath": {
+      "oneOf": [
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "root"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "RootFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "minimal"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "MinimalFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "current_working_directory"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "project_roots"
+              ],
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "KindFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "tmpdir"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "TmpdirFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "slash_tmp"
+              ],
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "title": "SlashTmpFileSystemSpecialPath",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "kind": {
+              "enum": [
+                "unknown"
+              ],
+              "type": "string"
+            },
+            "path": {
+              "type": "string"
+            },
+            "subpath": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "kind",
+            "path"
+          ],
+          "type": "object"
+        }
+      ]
+    },
    "ModeKind": {
      "description": "Initial collaboration mode to use when the TUI starts.",
      "enum": [
@@ -113,6 +325,135 @@
      ],
      "type": "string"
    },
+    "PermissionProfile": {
+      "oneOf": [
+        {
+          "description": "Codex owns sandbox construction for this profile.",
+          "properties": {
+            "fileSystem": {
+              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
+            },
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "managed"
+              ],
+              "title": "ManagedPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "fileSystem",
+            "network",
+            "type"
+          ],
+          "title": "ManagedPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Do not apply an outer sandbox.",
+          "properties": {
+            "type": {
+              "enum": [
+                "disabled"
+              ],
+              "title": "DisabledPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "DisabledPermissionProfile",
+          "type": "object"
+        },
+        {
+          "description": "Filesystem isolation is enforced by an external caller.",
+          "properties": {
+            "network": {
+              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
+            },
+            "type": {
+              "enum": [
+                "external"
+              ],
+              "title": "ExternalPermissionProfileType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "network",
+            "type"
+          ],
+          "title": "ExternalPermissionProfile",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileFileSystemPermissions": {
+      "oneOf": [
+        {
+          "properties": {
+            "entries": {
+              "items": {
+                "$ref": "#/definitions/FileSystemSandboxEntry"
+              },
+              "type": "array"
+            },
+            "globScanMaxDepth": {
+              "format": "uint",
+              "minimum": 1.0,
+              "type": [
+                "integer",
+                "null"
+              ]
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "entries",
+            "type"
+          ],
+          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "unrestricted"
+              ],
+              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "type": "object"
+        }
+      ]
+    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "required": [
+        "enabled"
+      ],
+      "type": "object"
+    },
    "Personality": {
      "enum": [
        "none",
@@ -121,53 +462,6 @@
      ],
      "type": "string"
    },
-    "ReadOnlyAccess": {
-      "oneOf": [
-        {
-          "properties": {
-            "includePlatformDefaults": {
-              "default": true,
-              "type": "boolean"
-            },
-            "readableRoots": {
-              "default": [],
-              "items": {
-                "$ref": "#/definitions/AbsolutePathBuf"
-              },
-              "type": "array"
-            },
-            "type": {
-              "enum": [
-                "restricted"
-              ],
-              "title": "RestrictedReadOnlyAccessType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "RestrictedReadOnlyAccess",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "fullAccess"
-              ],
-              "title": "FullAccessReadOnlyAccessType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "FullAccessReadOnlyAccess",
-          "type": "object"
-        }
-      ]
-    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -220,16 +514,6 @@
        },
        {
          "properties": {
-            "access": {
-              "allOf": [
-                {
-                  "$ref": "#/definitions/ReadOnlyAccess"
-                }
-              ],
-              "default": {
-                "type": "fullAccess"
-              }
-            },
            "networkAccess": {
              "default": false,
              "type": "boolean"
@@ -286,16 +570,6 @@
              "default": false,
              "type": "boolean"
            },
-            "readOnlyAccess": {
-              "allOf": [
-                {
-                  "$ref": "#/definitions/ReadOnlyAccess"
-                }
-              ],
-              "default": {
-                "type": "fullAccess"
-              }
-            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -570,6 +844,17 @@
    "outputSchema": {
      "description": "Optional JSON Schema used to constrain the final assistant message for this turn."
    },
+    "permissionProfile": {
+      "anyOf": [
+        {
+          "$ref": "#/definitions/PermissionProfile"
+        },
+        {
+          "type": "null"
+        }
+      ],
+      "description": "Override the full permissions profile for this turn and subsequent turns. Cannot be combined with `sandboxPolicy`."
+    },
    "personality": {
      "anyOf": [
        {
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnStartResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnStartResponse.json
@@ -32,6 +32,7 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
+            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnStartedNotification.json
@@ -32,6 +32,7 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
+            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/typescript/ClientRequest.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ClientRequest.ts
--- a/codex-rs/app-server-protocol/schema/typescript/ServerNotification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ServerNotification.ts
--- a/codex-rs/app-server-protocol/schema/typescript/v2/Account.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/Account.ts
@@ -3,4 +3,4 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { PlanType } from "../PlanType";

-export type Account = { "type": "apiKey", } | { "type": "chatgpt", email: string, planType: PlanType, };
+export type Account = { "type": "apiKey", } | { "type": "chatgpt", email: string, planType: PlanType, } | { "type": "amazonBedrock", };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/AdditionalFileSystemPermissions.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/AdditionalFileSystemPermissions.ts
@@ -4,4 +4,12 @@
 import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 import type { FileSystemSandboxEntry } from "./FileSystemSandboxEntry";

-export type AdditionalFileSystemPermissions = { read: Array<AbsolutePathBuf> | null, write: Array<AbsolutePathBuf> | null, globScanMaxDepth?: number, entries?: Array<FileSystemSandboxEntry>, };
+export type AdditionalFileSystemPermissions = {
+/**
+ * This will be removed in favor of `entries`.
+ */
+read: Array<AbsolutePathBuf> | null,
+/**
+ * This will be removed in favor of `entries`.
+ */
+write: Array<AbsolutePathBuf> | null, globScanMaxDepth?: number, entries?: Array<FileSystemSandboxEntry>, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/AdditionalPermissionProfile.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/AdditionalPermissionProfile.ts
@@ -4,4 +4,8 @@
 import type { AdditionalFileSystemPermissions } from "./AdditionalFileSystemPermissions";
 import type { AdditionalNetworkPermissions } from "./AdditionalNetworkPermissions";

-export type AdditionalPermissionProfile = { network: AdditionalNetworkPermissions | null, fileSystem: AdditionalFileSystemPermissions | null, };
+export type AdditionalPermissionProfile = {
+/**
+ * Partial overlay used for per-command permission requests.
+ */
+network: AdditionalNetworkPermissions | null, fileSystem: AdditionalFileSystemPermissions | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ApprovalsReviewer.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ApprovalsReviewer.ts
@@ -5,8 +5,8 @@
 /**
 * Configures who approval requests are routed to for review. Examples
 * include sandbox escapes, blocked network access, MCP approval prompts, and
- * ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully
+ * ARC escalations. Defaults to `user`. `auto_review` uses a carefully
 * prompted subagent to gather relevant context and apply a risk-based
 * decision framework before approving or denying the request.
 */
-export type ApprovalsReviewer = "user" | "guardian_subagent";
+export type ApprovalsReviewer = "user" | "auto_review" | "guardian_subagent";
--- a/codex-rs/app-server-protocol/schema/typescript/v2/CodexErrorInfo.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/CodexErrorInfo.ts
@@ -9,4 +9,4 @@ import type { NonSteerableTurnKind } from "./NonSteerableTurnKind";
 * When an upstream HTTP status is available (for example, from the Responses API or a provider),
 * it is forwarded in `httpStatusCode` on the relevant `codexErrorInfo` variant.
 */
-export type CodexErrorInfo = "contextWindowExceeded" | "usageLimitExceeded" | "serverOverloaded" | { "httpConnectionFailed": { httpStatusCode: number | null, } } | { "responseStreamConnectionFailed": { httpStatusCode: number | null, } } | "internalServerError" | "unauthorized" | "badRequest" | "threadRollbackFailed" | "sandboxError" | { "responseStreamDisconnected": { httpStatusCode: number | null, } } | { "responseTooManyFailedAttempts": { httpStatusCode: number | null, } } | { "activeTurnNotSteerable": { turnKind: NonSteerableTurnKind, } } | "other";
+export type CodexErrorInfo = "contextWindowExceeded" | "usageLimitExceeded" | "serverOverloaded" | "cyberPolicy" | { "httpConnectionFailed": { httpStatusCode: number | null, } } | { "responseStreamConnectionFailed": { httpStatusCode: number | null, } } | "internalServerError" | "unauthorized" | "badRequest" | "threadRollbackFailed" | "sandboxError" | { "responseStreamDisconnected": { httpStatusCode: number | null, } } | { "responseTooManyFailedAttempts": { httpStatusCode: number | null, } } | { "activeTurnNotSteerable": { turnKind: NonSteerableTurnKind, } } | "other";
--- a/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecParams.ts
@@ -2,6 +2,7 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { CommandExecTerminalSize } from "./CommandExecTerminalSize";
+import type { PermissionProfile } from "./PermissionProfile";
 import type { SandboxPolicy } from "./SandboxPolicy";

 /**
@@ -92,6 +93,14 @@ size?: CommandExecTerminalSize | null,
 * Optional sandbox policy for this command.
 *
 * Uses the same shape as thread/turn execution sandbox configuration and
- * defaults to the user's configured policy when omitted.
+ * defaults to the user's configured policy when omitted. Cannot be
+ * combined with `permissionProfile`.
 */
-sandboxPolicy?: SandboxPolicy | null, };
+sandboxPolicy?: SandboxPolicy | null,
+/**
+ * Optional full permissions profile for this command.
+ *
+ * Defaults to the user's configured permissions when omitted. Cannot be
+ * combined with `sandboxPolicy`.
+ */
+permissionProfile?: PermissionProfile | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ConfiguredHookHandler.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ConfiguredHookHandler.ts
@@ -0,0 +1,5 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type ConfiguredHookHandler = { "type": "command", command: string, timeoutSec: bigint | null, async: boolean, statusMessage: string | null, } | { "type": "prompt", } | { "type": "agent", };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ConfiguredHookMatcherGroup.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ConfiguredHookMatcherGroup.ts
@@ -0,0 +1,6 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { ConfiguredHookHandler } from "./ConfiguredHookHandler";
+
+export type ConfiguredHookMatcherGroup = { matcher: string | null, hooks: Array<ConfiguredHookHandler>, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/GuardianWarningNotification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/GuardianWarningNotification.ts
@@ -0,0 +1,13 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type GuardianWarningNotification = {
+/**
+ * Thread target for the guardian warning.
+ */
+threadId: string,
+/**
+ * Concise guardian warning message for the user.
+ */
+message: string, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ManagedHooksRequirements.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ManagedHooksRequirements.ts
@@ -0,0 +1,6 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { ConfiguredHookMatcherGroup } from "./ConfiguredHookMatcherGroup";
+
+export type ManagedHooksRequirements = { managedDir: string | null, windowsManagedDir: string | null, PreToolUse: Array<ConfiguredHookMatcherGroup>, PermissionRequest: Array<ConfiguredHookMatcherGroup>, PostToolUse: Array<ConfiguredHookMatcherGroup>, SessionStart: Array<ConfiguredHookMatcherGroup>, UserPromptSubmit: Array<ConfiguredHookMatcherGroup>, Stop: Array<ConfiguredHookMatcherGroup>, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/MarketplaceUpgradeErrorInfo.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/MarketplaceUpgradeErrorInfo.ts
@@ -0,0 +1,5 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type MarketplaceUpgradeErrorInfo = { marketplaceName: string, message: string, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/MarketplaceUpgradeParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/MarketplaceUpgradeParams.ts
@@ -0,0 +1,5 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type MarketplaceUpgradeParams = { marketplaceName?: string | null, };
--- a/Show More
+++ b/Show More