Split workflow runner tiers by job type

2026-05-08 21:32:33 +00:00 · 2026-04-16 10:01:37 -07:00
1468 changed files with 56685 additions and 172928 deletions
--- a/.bazelrc
+++ b/.bazelrc
@@ -29,13 +29,10 @@ common:linux --test_env=PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
 common:macos --test_env=PATH=/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin

 # Pass through some env vars Windows needs to use powershell?
+common:windows --test_env=PATH
 common:windows --test_env=SYSTEMROOT
 common:windows --test_env=COMSPEC
 common:windows --test_env=WINDIR
-# Rust's libtest harness runs test bodies on std-spawned threads. The default
-# 2 MiB stack can be too small for large async test futures on Windows CI; see
-# https://github.com/openai/codex/pull/19067 for the motivating failure.
-common --test_env=RUST_MIN_STACK=8388608 # 8 MiB

 common --test_output=errors
 common --bes_results_url=https://app.buildbuddy.io/invocation/
@@ -68,10 +65,6 @@ common:ci --verbose_failures
 common:ci --build_metadata=REPO_URL=https://github.com/openai/codex.git
 common:ci --build_metadata=ROLE=CI
 common:ci --build_metadata=VISIBILITY=PUBLIC
-# rules_rust derives debug level from Bazel toolchain/compilation-mode settings,
-# not Cargo profiles. Keep CI Rust actions explicit and lean.
-common:ci --@rules_rust//rust/settings:extra_rustc_flag=-Cdebuginfo=0
-common:ci --@rules_rust//rust/settings:extra_exec_rustc_flag=-Cdebuginfo=0

 # Disable disk cache in CI since we have a remote one and aren't using persistent workers.
 common:ci --disk_cache=
@@ -89,8 +82,6 @@ build:clippy --@rules_rust//rust/settings:clippy.toml=//codex-rs:clippy.toml
 # in their own `Cargo.toml`, but `rules_rust` Bazel clippy does not read Cargo lint levels.
 # `clippy.toml` can configure lint behavior, but it cannot set allow/warn/deny/forbid levels.
 build:clippy --@rules_rust//rust/settings:clippy_flag=-Dwarnings
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::await_holding_invalid_type
-build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::await_holding_lock
 build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::expect_used
 build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::identity_op
 build:clippy --@rules_rust//rust/settings:clippy_flag=--deny=clippy::manual_clamp
--- a/.codespellignore
+++ b/.codespellignore
@@ -1,6 +1,5 @@
 iTerm
 iTerm2
 psuedo
-SOM
 te
 TE
--- a/.codespellrc
+++ b/.codespellrc
@@ -1,6 +1,6 @@
 [codespell]
 # Ref: https://github.com/codespell-project/codespell#using-a-config-file
-skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl,frame*.txt,*.snap,*.snap.new
+skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl,frame*.txt,*.snap,*.snap.new,*meriyah.umd.min.js
 check-hidden = true
 ignore-regex = ^\s*"image/\S+": ".*|\b(afterAll)\b
 ignore-words-list = ratatui,ser,iTerm,iterm2,iterm,te,TE,PASE,SEH
--- a/.codex/skills/babysit-pr/SKILL.md
+++ b/.codex/skills/babysit-pr/SKILL.md
@@ -30,7 +30,7 @@ Accept any of the following:
 5. If the failure is likely caused by the current branch, patch code locally, commit, and push.
 6. If `process_review_comment` is present, inspect surfaced review items and decide whether to address them.
 7. If a review item is actionable and correct, patch code locally, commit, push, and then mark the associated review thread/comment as resolved once the fix is on GitHub.
-8. If a review item from another author is non-actionable, already addressed, or not valid, post one reply on the comment/thread explaining that decision (for example answering the question or explaining why no change is needed). Prefix the GitHub reply body with `[codex]` so it is clear the response is automated. If the watcher later surfaces your own reply, treat that self-authored item as already handled and do not reply again.
+8. If a review item from another author is non-actionable, already addressed, or not valid, post one reply on the comment/thread explaining that decision (for example answering the question or explaining why no change is needed). If the watcher later surfaces your own reply, treat that self-authored item as already handled and do not reply again.
 9. If the failure is likely flaky/unrelated and `retry_failed_checks` is present, rerun failed jobs with `--retry-failed-now`.
 10. If both actionable review feedback and `retry_failed_checks` are present, prioritize review feedback first; a new commit will retrigger CI, so avoid rerunning flaky checks on the old SHA unless you intentionally defer the review change.
 11. On every loop, look for newly surfaced review feedback before acting on CI failures or mergeability state, then verify mergeability / merge-conflict status (for example via `gh pr view`) alongside CI.
@@ -99,7 +99,7 @@ When you agree with a comment and it is actionable:
 5. Resume watching on the new SHA immediately (do not stop after reporting the push).
 6. If monitoring was running in `--watch` mode, restart `--watch` immediately after the push in the same turn; do not wait for the user to ask again.

-If you disagree or the comment is non-actionable/already addressed, reply once directly on the GitHub comment/thread so the reviewer gets an explicit answer, then continue the watcher loop. Prefix any GitHub reply to a code review comment/thread with `[codex]` so it is clear the response is automated and not from the human user. If the watcher later surfaces your own reply because the authenticated operator is treated as a trusted review author, treat that self-authored item as already handled and do not reply again.
+If you disagree or the comment is non-actionable/already addressed, reply once directly on the GitHub comment/thread so the reviewer gets an explicit answer, then continue the watcher loop. If the watcher later surfaces your own reply because the authenticated operator is treated as a trusted review author, treat that self-authored item as already handled and do not reply again.
 If a code review comment/thread is already marked as resolved in GitHub, treat it as non-actionable and safely ignore it unless new unresolved follow-up feedback appears.

 ## Git Safety Rules
--- a/.codex/skills/code-review-breaking-changes/SKILL.md
+++ b/.codex/skills/code-review-breaking-changes/SKILL.md
@@ -1,12 +0,0 @@
---
-name: code-breaking-changes
-description: Breaking changes
---
-
-Search for breaking changes in external integration surfaces:
- app-server APIs
- CLI parameters
- configuration loading
- resuming sessions from existing rollouts
-
-Do not stop after finding one issue; analyze all possible ways breaking changes can happen.
--- a/.codex/skills/code-review-change-size/SKILL.md
+++ b/.codex/skills/code-review-change-size/SKILL.md
@@ -1,11 +0,0 @@
---
-name: code-review-change-size
-description: Change size guidance (800 lines)
---
-
-Unless the change is mechanical the total number of changed lines should not exceed 800 lines.
-For complex logic changes the size should be under 500 lines.
-
-If the change is larger, explain whether it can be split into reviewable stages and identify the smallest coherent stage to land first.
-Base the staging suggestion on the actual diff, dependencies, and affected call sites.
-
--- a/.codex/skills/code-review-context/SKILL.md
+++ b/.codex/skills/code-review-context/SKILL.md
@@ -1,13 +0,0 @@
---
-name: code-review-context
-description: Model visible context
---
-
-Codex maintains a context (history of messages) that is sent to the model in inference requests.
-
-1. No history rewrite - the context must be built up incrementally.
-2. Avoid frequent changes to context that cause cache misses.
-3. No unbounded items - everything injected in the model context must have a bounded size and a hard cap. 
-4. No items larger than 10K tokens.
-5. Highlight new individual items that can cross >1k tokens as P0. These need an additional manual review.
-6. All injected fragments must be defined as structs in `core/context` and implement ContextualUserFragment trait
--- a/.codex/skills/code-review-testing/SKILL.md
+++ b/.codex/skills/code-review-testing/SKILL.md
@@ -1,14 +0,0 @@
---
-name: code-review-testing
-description: Test authoring guidance
---
-
-For agent changes prefer integration tests over unit tests. Integration tests are under `core/suite` and use `test_codex` to set up a test instance of codex.
-
-Features that change the agent logic MUST add an integration test:
- Provide a list of major logic changes and user-facing behaviors that need to be tested.
-
-If unit tests are needed, put them in a dedicated test file (*_tests.rs).
-Avoid test-only functions in the main implementation.
-
-Check whether there are existing helpers to make tests more streamlined and readable.
--- a/.codex/skills/code-review/SKILL.md
+++ b/.codex/skills/code-review/SKILL.md
@@ -1,14 +0,0 @@
---
-name: code-review
-description: Run a final code review on a pull request
---
-
-Use subagents to review code using all code-review-* skills in this repository other than this orchestrator. One subagent per skill. Pass full skill path to subagents. Use xhigh reasoning.
-
-You must return every single issue from every subagent. You can return an unlimited number of findings.
-Use raw Markdown to report findings.
-Number findings for ease of reference.
-Each finding must include a specific file path and line number.
-
-If the GitHub user running the review is the owner of the pull request add a `code-reviewed` label.
-Do not leave GitHub comments unless explicitly asked.
--- a/.devcontainer/Dockerfile.secure
+++ b/.devcontainer/Dockerfile.secure
@@ -4,11 +4,9 @@ ARG TZ
 ARG DEBIAN_FRONTEND=noninteractive
 ARG NODE_MAJOR=22
 ARG RUST_TOOLCHAIN=1.92.0
-# Keep this in sync with .devcontainer/codex-install/package.json and pnpm-lock.yaml.
-ARG CODEX_NPM_VERSION=0.121.0
+ARG CODEX_NPM_VERSION=latest

 ENV TZ="$TZ"
-ENV COREPACK_ENABLE_DOWNLOAD_PROMPT=0

 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

@@ -45,18 +43,12 @@ RUN apt-get update \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

-COPY .devcontainer/codex-install/package.json \
-     .devcontainer/codex-install/pnpm-lock.yaml \
-     .devcontainer/codex-install/pnpm-workspace.yaml \
-     /opt/codex-install/
-
 RUN curl -fsSL "https://deb.nodesource.com/setup_${NODE_MAJOR}.x" | bash - \
    && apt-get update \
    && apt-get install -y --no-install-recommends nodejs \
-    && test "$(node -p "require('/opt/codex-install/package.json').dependencies['@openai/codex']")" = "${CODEX_NPM_VERSION}" \
-    && cd /opt/codex-install \
-    && corepack pnpm install --prod --frozen-lockfile \
-    && ln -s /opt/codex-install/node_modules/.bin/codex /usr/local/bin/codex \
+    && npm install -g corepack@latest "@openai/codex@${CODEX_NPM_VERSION}" \
+    && corepack enable \
+    && corepack prepare pnpm@10.28.2 --activate \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

--- a/.devcontainer/codex-install/package.json
+++ b/.devcontainer/codex-install/package.json
@@ -1,13 +0,0 @@
-{
-  "name": "codex-devcontainer-install",
-  "private": true,
-  "description": "Locked Codex CLI install boundary for the secure devcontainer.",
-  "dependencies": {
-    "@openai/codex": "0.121.0"
-  },
-  "engines": {
-    "node": ">=22",
-    "pnpm": ">=10.33.0"
-  },
-  "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319"
-}
--- a/.devcontainer/codex-install/pnpm-lock.yaml
+++ b/.devcontainer/codex-install/pnpm-lock.yaml
@@ -1,85 +0,0 @@
-lockfileVersion: '9.0'
-
-settings:
-  autoInstallPeers: true
-  excludeLinksFromLockfile: false
-
-importers:
-
-  .:
-    dependencies:
-      '@openai/codex':
-        specifier: 0.121.0
-        version: 0.121.0
-
-packages:
-
-  '@openai/codex@0.121.0':
-    resolution: {integrity: sha512-kCJ2NeATd4QBQRmqV04ymdN1ZU3MSwnJQDm/KzjpuzGvCuUVEn7no/T2mRyxQ2x77AACqriNOyPPoM/yufyvNg==}
-    engines: {node: '>=16'}
-    hasBin: true
-
-  '@openai/codex@0.121.0-darwin-arm64':
-    resolution: {integrity: sha512-ZyBqIB6Fb4I0hGb/h65Vu7ePYjHSmGiqqfm+/1djEuxDPkqjfi4wkxYxNYNY+6najyNGN4UijOSTTf19eDCrqw==}
-    engines: {node: '>=16'}
-    cpu: [arm64]
-    os: [darwin]
-
-  '@openai/codex@0.121.0-darwin-x64':
-    resolution: {integrity: sha512-1/OAtdkAZ5yPI3xqaEFlHuPziS1yCqL2gOZdswE7HTmmwpIxi6Z3FCo60JWDPluIp89z4tftdjq73/OCN0YVcw==}
-    engines: {node: '>=16'}
-    cpu: [x64]
-    os: [darwin]
-
-  '@openai/codex@0.121.0-linux-arm64':
-    resolution: {integrity: sha512-2UgMmdo237o7SCMsfb529cOSEM2HFUgN6OBkv5SBLwfNY1NO2Ex6JnUjlppEXlX6/4cXfZ5qjDghVz5j/+B9zw==}
-    engines: {node: '>=16'}
-    cpu: [arm64]
-    os: [linux]
-
-  '@openai/codex@0.121.0-linux-x64':
-    resolution: {integrity: sha512-vlpNJXIqss800J+32Vy7TUZzv31n61b45OLxmsVQGFkTNLJcjFrj9jDUC7I62eC4F16gLioilefNfv4CdJQOEw==}
-    engines: {node: '>=16'}
-    cpu: [x64]
-    os: [linux]
-
-  '@openai/codex@0.121.0-win32-arm64':
-    resolution: {integrity: sha512-m88q4f3XI5npn1t6OG0nWGHWWAjO5FgjRwxh4hdujbLO6t9CiCNfhfPZIOSsoATbrCNwLC+6S77m3cjbNToPNg==}
-    engines: {node: '>=16'}
-    cpu: [arm64]
-    os: [win32]
-
-  '@openai/codex@0.121.0-win32-x64':
-    resolution: {integrity: sha512-Fp0ecVOyM+VcBi/y4HVvRzhifO9YqRiHzhV3rhtAppC7flh22WPguLC4kmvXYAR0p3RPzbo35M2CedWnkOT+cw==}
-    engines: {node: '>=16'}
-    cpu: [x64]
-    os: [win32]
-
-snapshots:
-
-  '@openai/codex@0.121.0':
-    optionalDependencies:
-      '@openai/codex-darwin-arm64': '@openai/codex@0.121.0-darwin-arm64'
-      '@openai/codex-darwin-x64': '@openai/codex@0.121.0-darwin-x64'
-      '@openai/codex-linux-arm64': '@openai/codex@0.121.0-linux-arm64'
-      '@openai/codex-linux-x64': '@openai/codex@0.121.0-linux-x64'
-      '@openai/codex-win32-arm64': '@openai/codex@0.121.0-win32-arm64'
-      '@openai/codex-win32-x64': '@openai/codex@0.121.0-win32-x64'
-
-  '@openai/codex@0.121.0-darwin-arm64':
-    optional: true
-
-  '@openai/codex@0.121.0-darwin-x64':
-    optional: true
-
-  '@openai/codex@0.121.0-linux-arm64':
-    optional: true
-
-  '@openai/codex@0.121.0-linux-x64':
-    optional: true
-
-  '@openai/codex@0.121.0-win32-arm64':
-    optional: true
-
-  '@openai/codex@0.121.0-win32-x64':
-    optional: true
--- a/.devcontainer/codex-install/pnpm-workspace.yaml
+++ b/.devcontainer/codex-install/pnpm-workspace.yaml
@@ -1,12 +0,0 @@
-packages:
-  - "."
-
-minimumReleaseAge: 10080
-minimumReleaseAgeExclude: []
-
-blockExoticSubdeps: true
-strictDepBuilds: true
-trustPolicy: no-downgrade
-trustPolicyIgnoreAfter: 10080
-trustPolicyExclude: []
-allowBuilds: {}
--- a/.devcontainer/devcontainer.secure.json
+++ b/.devcontainer/devcontainer.secure.json
@@ -8,7 +8,7 @@
      "TZ": "${localEnv:TZ:UTC}",
      "NODE_MAJOR": "22",
      "RUST_TOOLCHAIN": "1.92.0",
-      "CODEX_NPM_VERSION": "0.121.0"
+      "CODEX_NPM_VERSION": "latest"
    }
  },
  "runArgs": [
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +0,0 @@
-codex-rs/app-server-protocol/schema/** linguist-generated
-codex-rs/hooks/schema/generated/** linguist-generated
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,5 +0,0 @@
-# Core crate ownership.
-/codex-rs/core/ @openai/codex-core-agent-team
-
-# Keep ownership changes reviewed by the same team.
-/.github/CODEOWNERS @openai/codex-core-agent-team
--- a/.github/actions/linux-code-sign/action.yml
+++ b/.github/actions/linux-code-sign/action.yml
@@ -7,9 +7,6 @@ inputs:
  artifacts-dir:
    description: Absolute path to the directory containing built binaries to sign.
    required: true
-  binaries:
-    description: Space-delimited binary basenames to sign.
-    default: "codex codex-responses-api-proxy"

 runs:
  using: composite
@@ -21,7 +18,6 @@ runs:
      shell: bash
      env:
        ARTIFACTS_DIR: ${{ inputs.artifacts-dir }}
-        BINARIES: ${{ inputs.binaries }}
        COSIGN_EXPERIMENTAL: "1"
        COSIGN_YES: "true"
        COSIGN_OIDC_CLIENT_ID: "sigstore"
@@ -35,7 +31,7 @@ runs:
          exit 1
        fi

-        for binary in ${BINARIES}; do
+        for binary in codex codex-responses-api-proxy; do
          artifact="${dest}/${binary}"
          if [[ ! -f "$artifact" ]]; then
            echo "Binary $artifact not found"
--- a/.github/actions/macos-code-sign/action.yml
+++ b/.github/actions/macos-code-sign/action.yml
@@ -4,9 +4,6 @@ inputs:
  target:
    description: Rust compilation target triple (e.g. aarch64-apple-darwin).
    required: true
-  binaries:
-    description: Space-delimited binary basenames to sign and notarize.
-    default: "codex codex-responses-api-proxy"
  sign-binaries:
    description: Whether to sign and notarize the macOS binaries.
    required: false
@@ -122,7 +119,6 @@ runs:
      shell: bash
      env:
        TARGET: ${{ inputs.target }}
-        BINARIES: ${{ inputs.binaries }}
      run: |
        set -euo pipefail

@@ -138,7 +134,7 @@ runs:

        entitlements_path="$GITHUB_ACTION_PATH/codex.entitlements.plist"

-        for binary in ${BINARIES}; do
+        for binary in codex codex-responses-api-proxy; do
          path="codex-rs/target/${TARGET}/release/${binary}"
          codesign --force --options runtime --timestamp --entitlements "$entitlements_path" --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
        done
@@ -148,7 +144,6 @@ runs:
      shell: bash
      env:
        TARGET: ${{ inputs.target }}
-        BINARIES: ${{ inputs.binaries }}
        APPLE_NOTARIZATION_KEY_P8: ${{ inputs.apple-notarization-key-p8 }}
        APPLE_NOTARIZATION_KEY_ID: ${{ inputs.apple-notarization-key-id }}
        APPLE_NOTARIZATION_ISSUER_ID: ${{ inputs.apple-notarization-issuer-id }}
@@ -187,9 +182,8 @@ runs:
          notarize_submission "$binary" "$archive_path" "$notary_key_path"
        }

-        for binary in ${BINARIES}; do
-          notarize_binary "${binary}"
-        done
+        notarize_binary "codex"
+        notarize_binary "codex-responses-api-proxy"

    - name: Sign and notarize macOS dmg
      if: ${{ inputs.sign-dmg == 'true' }}
--- a/.github/actions/prepare-bazel-ci/action.yml
+++ b/.github/actions/prepare-bazel-ci/action.yml
@@ -4,23 +4,14 @@ inputs:
  target:
    description: Target triple used for setup and cache namespacing.
    required: true
-  cache-scope:
-    description: Logical namespace used to keep concurrent Bazel jobs from reserving the same repository cache key.
-    required: true
  install-test-prereqs:
-    description: Install DotSlash for Bazel-backed test jobs.
+    description: Install Node.js and DotSlash for Bazel-backed test jobs.
    required: false
    default: "false"
 outputs:
  repository-cache-path:
    description: Filesystem path used for the Bazel repository cache.
    value: ${{ steps.setup_bazel.outputs.repository-cache-path }}
-  repository-cache-key:
-    description: Primary actions/cache key for the Bazel repository cache.
-    value: ${{ steps.cache_bazel_repository_key.outputs.repository-cache-key }}
-  repository-cache-hit:
-    description: Whether the Bazel repository cache restore found an exact key match.
-    value: ${{ steps.cache_bazel_repository_restore.outputs.cache-hit }}

 runs:
  using: composite
@@ -32,17 +23,6 @@ runs:
        target: ${{ inputs.target }}
        install-test-prereqs: ${{ inputs.install-test-prereqs }}

-    - name: Compute bazel repository cache key
-      id: cache_bazel_repository_key
-      shell: bash
-      env:
-        CACHE_SCOPE: ${{ inputs.cache-scope }}
-        TARGET: ${{ inputs.target }}
-        CACHE_HASH: ${{ hashFiles('MODULE.bazel', 'codex-rs/Cargo.lock', 'codex-rs/Cargo.toml') }}
-      run: |
-        echo "repository-cache-key=bazel-cache-${CACHE_SCOPE}-${TARGET}-${CACHE_HASH}" >> "${GITHUB_OUTPUT}"
-        echo "repository-cache-restore-key=bazel-cache-${CACHE_SCOPE}-${TARGET}-" >> "${GITHUB_OUTPUT}"
-
    # Restore the Bazel repository cache explicitly so external dependencies
    # do not need to be re-downloaded on every CI run. Keep restore failures
    # non-fatal so transient cache-service errors degrade to a cold build
@@ -53,9 +33,9 @@ runs:
      uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
      with:
        path: ${{ steps.setup_bazel.outputs.repository-cache-path }}
-        key: ${{ steps.cache_bazel_repository_key.outputs.repository-cache-key }}
+        key: bazel-cache-${{ inputs.target }}-${{ hashFiles('MODULE.bazel', 'codex-rs/Cargo.lock', 'codex-rs/Cargo.toml') }}
        restore-keys: |
-          ${{ steps.cache_bazel_repository_key.outputs.repository-cache-restore-key }}
+          bazel-cache-${{ inputs.target }}

    - name: Set up Bazel execution logs
      shell: bash
--- a/.github/actions/run-argument-comment-lint/action.yml
+++ b/.github/actions/run-argument-comment-lint/action.yml
@@ -1,54 +0,0 @@
-name: Run argument comment lint
-description: Run argument-comment-lint on codex-rs via Bazel.
-
-inputs:
-  target:
-    description: Runner target passed to setup-bazel-ci.
-    required: true
-  buildbuddy-api-key:
-    description: BuildBuddy API key used by Bazel CI.
-    required: false
-    default: ""
-
-runs:
-  using: composite
-  steps:
-    - uses: ./.github/actions/setup-bazel-ci
-      with:
-        target: ${{ inputs.target }}
-        install-test-prereqs: true
-
-    - name: Install Linux sandbox build dependencies
-      if: ${{ runner.os == 'Linux' }}
-      shell: bash
-      run: |
-        sudo DEBIAN_FRONTEND=noninteractive apt-get update
-        sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev
-
-    - name: Run argument comment lint on codex-rs via Bazel
-      if: ${{ runner.os != 'Windows' }}
-      env:
-        BUILDBUDDY_API_KEY: ${{ inputs.buildbuddy-api-key }}
-      shell: bash
-      run: |
-        bazel_targets="$(./tools/argument-comment-lint/list-bazel-targets.sh)"
-        ./.github/scripts/run-bazel-ci.sh \
-          -- \
-          build \
-          --config=argument-comment-lint \
-          --keep_going \
-          --build_metadata=COMMIT_SHA=${GITHUB_SHA} \
-          -- \
-          ${bazel_targets}
-
-    - name: Run argument comment lint on codex-rs via Bazel
-      if: ${{ runner.os == 'Windows' }}
-      env:
-        BUILDBUDDY_API_KEY: ${{ inputs.buildbuddy-api-key }}
-      shell: bash
-      run: |
-        ./.github/scripts/run-argument-comment-lint-bazel.sh \
-          --config=argument-comment-lint \
-          --platforms=//:local_windows \
-          --keep_going \
-          --build_metadata=COMMIT_SHA=${GITHUB_SHA}
--- a/.github/actions/setup-bazel-ci/action.yml
+++ b/.github/actions/setup-bazel-ci/action.yml
@@ -5,7 +5,7 @@ inputs:
    description: Target triple used for cache namespacing.
    required: true
  install-test-prereqs:
-    description: Install DotSlash for Bazel-backed test jobs.
+    description: Install Node.js and DotSlash for Bazel-backed test jobs.
    required: false
    default: "false"
 outputs:
@@ -16,6 +16,12 @@ outputs:
 runs:
  using: composite
  steps:
+    - name: Set up Node.js for js_repl tests
+      if: inputs.install-test-prereqs == 'true'
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+      with:
+        node-version-file: codex-rs/node-version.txt
+
    # Some integration tests rely on DotSlash being installed.
    # See https://github.com/openai/codex/pull/7617.
    - name: Install DotSlash
@@ -116,11 +122,6 @@ runs:
          }
        }

-    - name: Compute cache-stable Windows Bazel PATH
-      if: runner.os == 'Windows'
-      shell: pwsh
-      run: ./.github/scripts/compute-bazel-windows-path.ps1
-
    - name: Enable Git long paths (Windows)
      if: runner.os == 'Windows'
      shell: pwsh
--- a/.github/actions/windows-code-sign/action.yml
+++ b/.github/actions/windows-code-sign/action.yml
@@ -4,9 +4,6 @@ inputs:
  target:
    description: Target triple for the artifacts to sign.
    required: true
-  binaries:
-    description: Space-delimited binary basenames to sign.
-    default: "codex codex-responses-api-proxy codex-windows-sandbox-setup codex-command-runner"
  client-id:
    description: Azure Trusted Signing client ID.
    required: true
@@ -36,23 +33,6 @@ runs:
        tenant-id: ${{ inputs.tenant-id }}
        subscription-id: ${{ inputs.subscription-id }}

-    - name: Prepare file list
-      id: prepare
-      shell: bash
-      env:
-        TARGET: ${{ inputs.target }}
-        BINARIES: ${{ inputs.binaries }}
-      run: |
-        set -euo pipefail
-
-        {
-          echo "files<<EOF"
-          for binary in ${BINARIES}; do
-            echo "${GITHUB_WORKSPACE}/codex-rs/target/${TARGET}/release/${binary}.exe"
-          done
-          echo "EOF"
-        } >> "$GITHUB_OUTPUT"
-
    - name: Sign Windows binaries with Azure Trusted Signing
      uses: azure/trusted-signing-action@1d365fec12862c4aa68fcac418143d73f0cea293 # v0
      with:
@@ -70,4 +50,8 @@ runs:
        exclude-azure-developer-cli-credential: true
        exclude-interactive-browser-credential: true
        cache-dependencies: false
-        files: ${{ steps.prepare.outputs.files }}
+        files: |
+          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex.exe
+          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-responses-api-proxy.exe
+          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-windows-sandbox-setup.exe
+          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-command-runner.exe
--- a/.github/blob-size-allowlist.txt
+++ b/.github/blob-size-allowlist.txt
@@ -7,4 +7,3 @@ codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
 codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json
 codex-rs/tui/tests/fixtures/oss-story.jsonl
 codex-rs/tui_app_server/tests/fixtures/oss-story.jsonl
-codex-rs/tui/src/app.rs
--- a/.github/dotslash-config.json
+++ b/.github/dotslash-config.json
@@ -28,34 +28,6 @@
        }
      }
    },
-    "codex-app-server": {
-      "platforms": {
-        "macos-aarch64": {
-          "regex": "^codex-app-server-aarch64-apple-darwin\\.zst$",
-          "path": "codex-app-server"
-        },
-        "macos-x86_64": {
-          "regex": "^codex-app-server-x86_64-apple-darwin\\.zst$",
-          "path": "codex-app-server"
-        },
-        "linux-x86_64": {
-          "regex": "^codex-app-server-x86_64-unknown-linux-musl\\.zst$",
-          "path": "codex-app-server"
-        },
-        "linux-aarch64": {
-          "regex": "^codex-app-server-aarch64-unknown-linux-musl\\.zst$",
-          "path": "codex-app-server"
-        },
-        "windows-x86_64": {
-          "regex": "^codex-app-server-x86_64-pc-windows-msvc\\.exe\\.zst$",
-          "path": "codex-app-server.exe"
-        },
-        "windows-aarch64": {
-          "regex": "^codex-app-server-aarch64-pc-windows-msvc\\.exe\\.zst$",
-          "path": "codex-app-server.exe"
-        }
-      }
-    },
    "codex-responses-api-proxy": {
      "platforms": {
        "macos-aarch64": {
--- a/.github/scripts/compute-bazel-windows-path.ps1
+++ b/.github/scripts/compute-bazel-windows-path.ps1
@@ -1,105 +0,0 @@
-<#
-BuildBuddy cache keys include the action and test environment, so Bazel should
-not inherit the full hosted-runner PATH on Windows. That PATH includes volatile
-tool entries, such as Maven, that can change independently of this repo and
-cause avoidable cache misses.
-
-This script derives a smaller, cache-stable PATH that keeps the Windows
-toolchain entries Bazel-backed CI tasks need: MSVC and Windows SDK paths, Git,
-PowerShell, Node, Python, DotSlash, and the standard Windows system
-directories.
-`setup-bazel-ci` runs this after exporting the MSVC environment, and the script
-publishes the result via `GITHUB_ENV` as `CODEX_BAZEL_WINDOWS_PATH` so later
-steps can pass that explicit PATH to Bazel.
-#>
-
-$stablePathEntries = New-Object System.Collections.Generic.List[string]
-$seenEntries = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
-$windowsAppsPath = if ([string]::IsNullOrWhiteSpace($env:LOCALAPPDATA)) {
-  $null
-} else {
-  "$($env:LOCALAPPDATA)\Microsoft\WindowsApps"
-}
-$windowsDir = if ($env:WINDIR) {
-  $env:WINDIR
-} elseif ($env:SystemRoot) {
-  $env:SystemRoot
-} else {
-  $null
-}
-
-function Add-StablePathEntry {
-  param([string]$PathEntry)
-
-  if ([string]::IsNullOrWhiteSpace($PathEntry)) {
-    return
-  }
-
-  if ($seenEntries.Add($PathEntry)) {
-    [void]$stablePathEntries.Add($PathEntry)
-  }
-}
-
-foreach ($pathEntry in ($env:PATH -split ';')) {
-  if ([string]::IsNullOrWhiteSpace($pathEntry)) {
-    continue
-  }
-
-  if (
-    $pathEntry -like '*Microsoft Visual Studio*' -or
-    $pathEntry -like '*Windows Kits*' -or
-    $pathEntry -like '*Microsoft SDKs*' -or
-    $pathEntry -like 'C:\Program Files\Git\*' -or
-    $pathEntry -like 'C:\Program Files\PowerShell\*' -or
-    $pathEntry -like 'C:\hostedtoolcache\windows\node\*' -or
-    $pathEntry -like 'C:\hostedtoolcache\windows\Python\*' -or
-    $pathEntry -eq 'D:\a\_temp\install-dotslash\bin' -or
-    ($windowsDir -and ($pathEntry -eq $windowsDir -or $pathEntry -like "${windowsDir}\*"))
-  ) {
-    Add-StablePathEntry $pathEntry
-  }
-}
-
-$gitCommand = Get-Command git -ErrorAction SilentlyContinue
-if ($gitCommand) {
-  Add-StablePathEntry (Split-Path $gitCommand.Source -Parent)
-}
-
-$nodeCommand = Get-Command node -ErrorAction SilentlyContinue
-if ($nodeCommand) {
-  Add-StablePathEntry (Split-Path $nodeCommand.Source -Parent)
-}
-
-$python3Command = Get-Command python3 -ErrorAction SilentlyContinue
-if ($python3Command) {
-  Add-StablePathEntry (Split-Path $python3Command.Source -Parent)
-}
-
-$pythonCommand = Get-Command python -ErrorAction SilentlyContinue
-if ($pythonCommand) {
-  Add-StablePathEntry (Split-Path $pythonCommand.Source -Parent)
-}
-
-$pwshCommand = Get-Command pwsh -ErrorAction SilentlyContinue
-if ($pwshCommand) {
-  Add-StablePathEntry (Split-Path $pwshCommand.Source -Parent)
-}
-
-if ($windowsAppsPath) {
-  Add-StablePathEntry $windowsAppsPath
-}
-
-if ($stablePathEntries.Count -eq 0) {
-  throw 'Failed to derive cache-stable Windows PATH.'
-}
-
-if ([string]::IsNullOrWhiteSpace($env:GITHUB_ENV)) {
-  throw 'GITHUB_ENV must be set.'
-}
-
-$stablePath = $stablePathEntries -join ';'
-Write-Host 'Derived CODEX_BAZEL_WINDOWS_PATH entries:'
-foreach ($pathEntry in $stablePathEntries) {
-  Write-Host "  $pathEntry"
-}
-"CODEX_BAZEL_WINDOWS_PATH=$stablePath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
--- a/.github/scripts/run-argument-comment-lint-bazel.sh
+++ b/.github/scripts/run-argument-comment-lint-bazel.sh
@@ -2,6 +2,16 @@

 set -euo pipefail

+ci_config=ci-linux
+case "${RUNNER_OS:-}" in
+  macOS)
+    ci_config=ci-macos
+    ;;
+  Windows)
+    ci_config=ci-windows
+    ;;
+esac
+
 bazel_lint_args=("$@")
 if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
  has_host_platform_override=0
@@ -34,6 +44,29 @@ if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
  bazel_lint_args+=("--skip_incompatible_explicit_targets")
 fi

+bazel_startup_args=()
+if [[ -n "${BAZEL_OUTPUT_USER_ROOT:-}" ]]; then
+  bazel_startup_args+=("--output_user_root=${BAZEL_OUTPUT_USER_ROOT}")
+fi
+
+run_bazel() {
+  if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
+    MSYS2_ARG_CONV_EXCL='*' bazel "$@"
+    return
+  fi
+
+  bazel "$@"
+}
+
+run_bazel_with_startup_args() {
+  if [[ ${#bazel_startup_args[@]} -gt 0 ]]; then
+    run_bazel "${bazel_startup_args[@]}" "$@"
+    return
+  fi
+
+  run_bazel "$@"
+}
+
 read_query_labels() {
  local query="$1"
  local query_stdout
@@ -41,10 +74,12 @@ read_query_labels() {
  query_stdout="$(mktemp)"
  query_stderr="$(mktemp)"

-  if ! ./.github/scripts/run-bazel-query-ci.sh \
+  if ! run_bazel_with_startup_args \
+    --noexperimental_remote_repo_contents_cache \
+    query \
    --keep_going \
    --output=label \
-    -- "$query" >"$query_stdout" 2>"$query_stderr"; then
+    "$query" >"$query_stdout" 2>"$query_stderr"; then
    cat "$query_stderr" >&2
    rm -f "$query_stdout" "$query_stderr"
    exit 1
--- a/.github/scripts/run-bazel-ci.sh
+++ b/.github/scripts/run-bazel-ci.sh
@@ -3,7 +3,7 @@
 set -euo pipefail

 print_failed_bazel_test_logs=0
-print_failed_bazel_action_summary=0
+use_node_test_env=0
 remote_download_toplevel=0
 windows_msvc_host_platform=0

@@ -13,8 +13,8 @@ while [[ $# -gt 0 ]]; do
      print_failed_bazel_test_logs=1
      shift
      ;;
-    --print-failed-action-summary)
-      print_failed_bazel_action_summary=1
+    --use-node-test-env)
+      use_node_test_env=1
      shift
      ;;
    --remote-download-toplevel)
@@ -37,7 +37,7 @@ while [[ $# -gt 0 ]]; do
 done

 if [[ $# -eq 0 ]]; then
-  echo "Usage: $0 [--print-failed-test-logs] [--print-failed-action-summary] [--remote-download-toplevel] [--windows-msvc-host-platform] -- <bazel args> -- <targets>" >&2
+  echo "Usage: $0 [--print-failed-test-logs] [--use-node-test-env] [--remote-download-toplevel] [--windows-msvc-host-platform] -- <bazel args> -- <targets>" >&2
  exit 1
 fi

@@ -69,37 +69,12 @@ print_bazel_test_log_tails() {
  local console_log="$1"
  local testlogs_dir
  local -a bazel_info_cmd=(bazel)
-  local -a bazel_info_args=(info)

  if (( ${#bazel_startup_args[@]} > 0 )); then
    bazel_info_cmd+=("${bazel_startup_args[@]}")
  fi

-  # `bazel info` needs the same CI config as the failed test invocation so
-  # platform-specific output roots match. On Windows, omitting `ci-windows`
-  # would point at `local_windows-fastbuild` even when the test ran with the
-  # MSVC host platform under `local_windows_msvc-fastbuild`.
-  if [[ -n "${BUILDBUDDY_API_KEY:-}" ]]; then
-    bazel_info_args+=(
-      "--config=${ci_config}"
-      "--remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}"
-    )
-  fi
-  # Only pass flags that affect Bazel's output-root selection or repository
-  # lookup. Test/build-only flags such as execution logs or remote download
-  # mode can make `bazel info` fail, which would hide the real test log path.
-  for arg in "${post_config_bazel_args[@]}"; do
-    case "$arg" in
-      --host_platform=* | --repo_contents_cache=* | --repository_cache=*)
-        bazel_info_args+=("$arg")
-        ;;
-    esac
-  done
-
-  testlogs_dir="$(run_bazel "${bazel_info_cmd[@]:1}" \
-    --noexperimental_remote_repo_contents_cache \
-    "${bazel_info_args[@]}" \
-    bazel-testlogs 2>/dev/null || echo bazel-testlogs)"
+  testlogs_dir="$(run_bazel "${bazel_info_cmd[@]:1}" info bazel-testlogs 2>/dev/null || echo bazel-testlogs)"

  local failed_targets=()
  while IFS= read -r target; do
@@ -120,9 +95,8 @@ print_bazel_test_log_tails() {
    rel_path="${rel_path/://}"
    local test_log="${testlogs_dir}/${rel_path}/test.log"
    local reported_test_log
-    reported_test_log="$(grep -F "FAIL: ${target} " "$console_log" | sed -nE 's#.* \(see (.*[\\/]test\.log)\).*#\1#p' | head -n 1 || true)"
+    reported_test_log="$(grep -F "FAIL: ${target} " "$console_log" | sed -nE 's#.* \(see ([^)]+/test\.log)\).*#\1#p' | head -n 1 || true)"
    if [[ -n "$reported_test_log" ]]; then
-      reported_test_log="${reported_test_log//\\//}"
      test_log="$reported_test_log"
    fi

@@ -136,93 +110,6 @@ print_bazel_test_log_tails() {
  done
 }

-print_bazel_action_failure_summary() {
-  local console_log="$1"
-  local escaped_summary
-  local summary
-
-  summary="$(
-    awk '
-      function clean(line) {
-        gsub(sprintf("%c", 27) "\\[[0-9;]*m", "", line)
-        sub(/^.*\t[^\t]*\t[0-9TZ:._-]+ /, "", line)
-        return line
-      }
-
-      function is_diagnostic(line) {
-        return line ~ /^(error(\[[^]]+\])?:|warning:|note:|help:)/ ||
-          line ~ /^[[:space:]]+-->/ ||
-          line ~ /^[[:space:]]*[0-9]+[[:space:]]+\|/ ||
-          line ~ /^[[:space:]]*\|/ ||
-          line ~ /^[[:space:]]+= (note|help):/ ||
-          line ~ /^[[:space:]]*\^[[:space:]^~-]*$/ ||
-          line ~ /^For more information/ ||
-          line ~ /^error: aborting/
-      }
-
-      {
-        line = clean($0)
-      }
-
-      line ~ /^ERROR: .* failed:/ {
-        if (printed) {
-          print ""
-        }
-        print line
-        in_failure = 1
-        seen_diagnostic = 0
-        printed = 1
-        next
-      }
-
-      in_failure && is_diagnostic(line) {
-        print line
-        seen_diagnostic = 1
-        next
-      }
-
-      in_failure && seen_diagnostic && line == "" {
-        print ""
-        next
-      }
-
-      in_failure && seen_diagnostic {
-        in_failure = 0
-        seen_diagnostic = 0
-        next
-      }
-    ' "$console_log"
-  )"
-
-  if [[ -z "$summary" ]]; then
-    summary="$(grep -E '^ERROR: |^FAILED: ' "$console_log" | tail -n 50 || true)"
-  fi
-
-  if [[ -z "$summary" ]]; then
-    echo "No Bazel action failures were found in the captured console output."
-    return
-  fi
-
-  if [[ "${GITHUB_ACTIONS:-}" == "true" ]]; then
-    escaped_summary="$(
-      printf '%s' "$summary" \
-        | awk 'BEGIN { ORS = "" } {
-            gsub(/%/, "%25")
-            gsub(/\r/, "%0D")
-            print sep $0
-            sep = "%0A"
-          }'
-    )"
-    echo "::error title=Bazel failed action diagnostics::${escaped_summary}"
-  fi
-
-  echo
-  echo "Bazel failed action diagnostics:"
-  echo "--------------------------------"
-  printf '%s\n' "$summary"
-  echo "--------------------------------"
-}
-
 bazel_args=()
 bazel_targets=()
 found_target_separator=0
@@ -244,6 +131,16 @@ if [[ ${#bazel_args[@]} -eq 0 || ${#bazel_targets[@]} -eq 0 ]]; then
  exit 1
 fi

+if [[ $use_node_test_env -eq 1 ]]; then
+  # Bazel test sandboxes on macOS may resolve an older Homebrew `node`
+  # before the `actions/setup-node` runtime on PATH.
+  node_bin="$(which node)"
+  if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
+    node_bin="$(cygpath -w "${node_bin}")"
+  fi
+  bazel_args+=("--test_env=CODEX_JS_REPL_NODE_PATH=${node_bin}")
+fi
+
 post_config_bazel_args=()
 if [[ "${RUNNER_OS:-}" == "Windows" && $windows_msvc_host_platform -eq 1 ]]; then
  has_host_platform_override=0
@@ -255,10 +152,10 @@ if [[ "${RUNNER_OS:-}" == "Windows" && $windows_msvc_host_platform -eq 1 ]]; the
  done

  if [[ $has_host_platform_override -eq 0 ]]; then
-    # Use the MSVC Windows platform for jobs that need helper binaries like
-    # Rust test wrappers and V8 generators to resolve a compatible toolchain.
-    # Callers that need a different Windows target platform should pass an
-    # explicit `--platforms=...` flag.
+    # Keep Windows Bazel targets on `windows-gnullvm` for cfg coverage, but opt
+    # specific jobs into an MSVC exec platform when they need helper binaries
+    # like Rust test wrappers and V8 generators to resolve a compatible host
+    # toolchain.
    post_config_bazel_args+=("--host_platform=//:local_windows_msvc")
  fi
 fi
@@ -291,6 +188,7 @@ if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
    INCLUDE
    LIB
    LIBPATH
+    PATH
    UCRTVersion
    UniversalCRTSdkDir
    VCINSTALLDIR
@@ -307,17 +205,6 @@ if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
      post_config_bazel_args+=("--action_env=${env_var}" "--host_action_env=${env_var}")
    fi
  done
-
-  if [[ -z "${CODEX_BAZEL_WINDOWS_PATH:-}" ]]; then
-    echo "CODEX_BAZEL_WINDOWS_PATH must be set for Windows Bazel CI." >&2
-    exit 1
-  fi
-
-  post_config_bazel_args+=(
-    "--action_env=PATH=${CODEX_BAZEL_WINDOWS_PATH}"
-    "--host_action_env=PATH=${CODEX_BAZEL_WINDOWS_PATH}"
-    "--test_env=PATH=${CODEX_BAZEL_WINDOWS_PATH}"
-  )
 fi

 bazel_console_log="$(mktemp)"
@@ -389,9 +276,6 @@ else
 fi

 if [[ ${bazel_status:-0} -ne 0 ]]; then
-  if [[ $print_failed_bazel_action_summary -eq 1 ]]; then
-    print_bazel_action_failure_summary "$bazel_console_log"
-  fi
  if [[ $print_failed_bazel_test_logs -eq 1 ]]; then
    print_bazel_test_log_tails "$bazel_console_log"
  fi
--- a/.github/scripts/run-bazel-query-ci.sh
+++ b/.github/scripts/run-bazel-query-ci.sh
@@ -1,75 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-# Run Bazel queries with the same CI startup settings as the main build/test
-# invocation so target-discovery queries can reuse the same Bazel server.
-
-query_args=()
-while [[ $# -gt 0 ]]; do
-  case "$1" in
-    --)
-      shift
-      break
-      ;;
-    *)
-      query_args+=("$1")
-      shift
-      ;;
-  esac
-done
-
-if [[ $# -ne 1 ]]; then
-  echo "Usage: $0 [<bazel query args>...] -- <query expression>" >&2
-  exit 1
-fi
-
-query_expression="$1"
-
-ci_config=ci-linux
-case "${RUNNER_OS:-}" in
-  macOS)
-    ci_config=ci-macos
-    ;;
-  Windows)
-    ci_config=ci-windows
-    ;;
-esac
-
-bazel_startup_args=()
-if [[ -n "${BAZEL_OUTPUT_USER_ROOT:-}" ]]; then
-  bazel_startup_args+=("--output_user_root=${BAZEL_OUTPUT_USER_ROOT}")
-fi
-
-run_bazel() {
-  if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
-    MSYS2_ARG_CONV_EXCL='*' bazel "$@"
-    return
-  fi
-
-  bazel "$@"
-}
-
-bazel_query_args=(--noexperimental_remote_repo_contents_cache query)
-if [[ -n "${BUILDBUDDY_API_KEY:-}" ]]; then
-  bazel_query_args+=(
-    "--config=${ci_config}"
-    "--remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}"
-  )
-fi
-
-if [[ -n "${BAZEL_REPO_CONTENTS_CACHE:-}" ]]; then
-  bazel_query_args+=("--repo_contents_cache=${BAZEL_REPO_CONTENTS_CACHE}")
-fi
-
-if [[ -n "${BAZEL_REPOSITORY_CACHE:-}" ]]; then
-  bazel_query_args+=("--repository_cache=${BAZEL_REPOSITORY_CACHE}")
-fi
-
-bazel_query_args+=("${query_args[@]}" "$query_expression")
-
-if (( ${#bazel_startup_args[@]} > 0 )); then
-  run_bazel "${bazel_startup_args[@]}" "${bazel_query_args[@]}"
-else
-  run_bazel "${bazel_query_args[@]}"
-fi
--- a/.github/workflows/Dockerfile.bazel
+++ b/.github/workflows/Dockerfile.bazel
@@ -8,9 +8,25 @@ FROM ubuntu:24.04

 RUN apt-get update && \
    apt-get install -y --no-install-recommends \
-    curl git python3 ca-certificates && \
+    curl git python3 ca-certificates xz-utils && \
    rm -rf /var/lib/apt/lists/*

+COPY codex-rs/node-version.txt /tmp/node-version.txt
+
+RUN set -eux; \
+    node_arch="$(dpkg --print-architecture)"; \
+    case "${node_arch}" in \
+      amd64) node_dist_arch="x64" ;; \
+      arm64) node_dist_arch="arm64" ;; \
+      *) echo "unsupported architecture: ${node_arch}"; exit 1 ;; \
+    esac; \
+    node_version="$(tr -d '[:space:]' </tmp/node-version.txt)"; \
+    curl -fsSLO "https://nodejs.org/dist/v${node_version}/node-v${node_version}-linux-${node_dist_arch}.tar.xz"; \
+    tar -xJf "node-v${node_version}-linux-${node_dist_arch}.tar.xz" -C /usr/local --strip-components=1; \
+    rm "node-v${node_version}-linux-${node_dist_arch}.tar.xz" /tmp/node-version.txt; \
+    node --version; \
+    npm --version
+
 # Install dotslash.
 RUN curl -LSfs "https://github.com/facebook/dotslash/releases/download/v0.5.8/dotslash-ubuntu-22.04.$(uname -m).tar.gz" | tar fxz - -C /usr/local/bin

--- a/.github/workflows/bazel.yml
+++ b/.github/workflows/bazel.yml
@@ -17,13 +17,6 @@ concurrency:
  cancel-in-progress: ${{ github.ref_name != 'main' }}
 jobs:
  test:
-    # Even though a no-cache-hit Windows build seems to exceed the 30-minute
-    # limit on occasion, the more common reason for exceeding the limit is a
-    # true test failure in a rust_test() marked "flaky" that gets run 3x.
-    # In that case, extra time generally does not give us more signal.
-    #
-    # Ultimately we need true distributed builds (e.g.,
-    # https://www.buildbuddy.io/docs/rbe-setup/) to speed things up.
    timeout-minutes: 30
    strategy:
      fail-fast: false
@@ -38,8 +31,14 @@ jobs:
          # Linux
          - os: ubuntu-24.04
            target: x86_64-unknown-linux-gnu
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-x64
          - os: ubuntu-24.04
            target: x86_64-unknown-linux-musl
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-x64
          # 2026-02-27 Bazel tests have been flaky on arm in CI.
          # Disable until we can investigate and stabilize them.
          # - os: ubuntu-24.04-arm
@@ -48,9 +47,12 @@ jobs:
          #   target: aarch64-unknown-linux-gnu

          # Windows
-          - os: windows-latest
+          - os: windows-x64
            target: x86_64-pc-windows-gnullvm
-    runs-on: ${{ matrix.os }}
+            runs_on:
+              group: codex-runners
+              labels: codex-windows-x64
+    runs-on: ${{ matrix.runs_on || matrix.os }}

    # Configure a human readable name for each job
    name: Local Bazel build on ${{ matrix.os }} for ${{ matrix.target }}
@@ -70,7 +72,6 @@ jobs:
        uses: ./.github/actions/prepare-bazel-ci
        with:
          target: ${{ matrix.target }}
-          cache-scope: bazel-${{ github.job }}
          install-test-prereqs: "true"
      - name: Check MODULE.bazel.lock is up to date
        if: matrix.os == 'ubuntu-24.04' && matrix.target == 'x86_64-unknown-linux-gnu'
@@ -92,22 +93,19 @@ jobs:

          bazel_wrapper_args=(
            --print-failed-test-logs
-          )
-          bazel_test_args=(
-            test
-            --test_tag_filters=-argument-comment-lint
-            --test_verbose_timeout_warnings
-            --build_metadata=COMMIT_SHA=${GITHUB_SHA}
+            --use-node-test-env
          )
          if [[ "${RUNNER_OS}" == "Windows" ]]; then
            bazel_wrapper_args+=(--windows-msvc-host-platform)
-            bazel_test_args+=(--jobs=8)
          fi

          ./.github/scripts/run-bazel-ci.sh \
            "${bazel_wrapper_args[@]}" \
            -- \
-            "${bazel_test_args[@]}" \
+            test \
+            --test_tag_filters=-argument-comment-lint \
+            --test_verbose_timeout_warnings \
+            --build_metadata=COMMIT_SHA=${GITHUB_SHA} \
            -- \
            "${bazel_targets[@]}"

@@ -120,15 +118,15 @@ jobs:
          path: ${{ runner.temp }}/bazel-execution-logs
          if-no-files-found: ignore

-      # Save the job-scoped Bazel repository cache after cache misses. Keep the
+      # Save the Bazel repository cache after every non-cancelled run. Keep the
      # upload non-fatal so cache service issues never fail the job itself.
      - name: Save bazel repository cache
-        if: always() && !cancelled() && steps.prepare_bazel.outputs.repository-cache-hit != 'true'
+        if: always() && !cancelled()
        continue-on-error: true
        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: ${{ steps.prepare_bazel.outputs.repository-cache-path }}
-          key: ${{ steps.prepare_bazel.outputs.repository-cache-key }}
+          key: bazel-cache-${{ matrix.target }}-${{ hashFiles('MODULE.bazel', 'codex-rs/Cargo.lock', 'codex-rs/Cargo.toml') }}

  clippy:
    timeout-minutes: 30
@@ -142,11 +140,17 @@ jobs:
          # that the Bazel test job uses.
          - os: ubuntu-24.04
            target: x86_64-unknown-linux-gnu
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-x64
          - os: macos-15-xlarge
            target: aarch64-apple-darwin
-          - os: windows-latest
+          - os: windows-x64
            target: x86_64-pc-windows-gnullvm
-    runs-on: ${{ matrix.os }}
+            runs_on:
+              group: codex-runners
+              labels: codex-windows-x64
+    runs-on: ${{ matrix.runs_on || matrix.os }}
    name: Bazel clippy on ${{ matrix.os }} for ${{ matrix.target }}

    steps:
@@ -157,7 +161,6 @@ jobs:
        uses: ./.github/actions/prepare-bazel-ci
        with:
          target: ${{ matrix.target }}
-          cache-scope: bazel-${{ github.job }}

      - name: bazel build --config=clippy lint targets
        env:
@@ -169,14 +172,10 @@ jobs:
            --build_metadata=COMMIT_SHA=${GITHUB_SHA}
            --build_metadata=TAG_job=clippy
          )
-          bazel_wrapper_args=()
          if [[ "${RUNNER_OS}" == "Windows" ]]; then
-            # Keep this aligned with the Windows Bazel test job. With the
-            # default `//:local_windows` host platform, Windows `rust_test`
-            # targets such as `//codex-rs/core:core-all-test` can be skipped
-            # by `--skip_incompatible_explicit_targets`, which hides clippy
-            # diagnostics from integration-test modules.
-            bazel_wrapper_args+=(--windows-msvc-host-platform)
+            # Some explicit targets pulled in through //codex-rs/... are
+            # intentionally incompatible with `//:local_windows`, but the lint
+            # aspect still traverses their compatible Rust deps.
            bazel_clippy_args+=(--skip_incompatible_explicit_targets)
          fi

@@ -187,8 +186,6 @@ jobs:
          done <<< "${bazel_target_lines}"

          ./.github/scripts/run-bazel-ci.sh \
-            --print-failed-action-summary \
-            "${bazel_wrapper_args[@]}" \
            -- \
            build \
            "${bazel_clippy_args[@]}" \
@@ -204,15 +201,15 @@ jobs:
          path: ${{ runner.temp }}/bazel-execution-logs
          if-no-files-found: ignore

-      # Save the job-scoped Bazel repository cache after cache misses. Keep the
+      # Save the Bazel repository cache after every non-cancelled run. Keep the
      # upload non-fatal so cache service issues never fail the job itself.
      - name: Save bazel repository cache
-        if: always() && !cancelled() && steps.prepare_bazel.outputs.repository-cache-hit != 'true'
+        if: always() && !cancelled()
        continue-on-error: true
        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: ${{ steps.prepare_bazel.outputs.repository-cache-path }}
-          key: ${{ steps.prepare_bazel.outputs.repository-cache-key }}
+          key: bazel-cache-${{ matrix.target }}-${{ hashFiles('MODULE.bazel', 'codex-rs/Cargo.lock', 'codex-rs/Cargo.toml') }}

  verify-release-build:
    timeout-minutes: 30
@@ -222,11 +219,17 @@ jobs:
        include:
          - os: ubuntu-24.04
            target: x86_64-unknown-linux-gnu
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-x64
          - os: macos-15-xlarge
            target: aarch64-apple-darwin
-          - os: windows-latest
+          - os: windows-x64
            target: x86_64-pc-windows-gnullvm
-    runs-on: ${{ matrix.os }}
+            runs_on:
+              group: codex-runners
+              labels: codex-windows-x64
+    runs-on: ${{ matrix.runs_on || matrix.os }}
    name: Verify release build on ${{ matrix.os }} for ${{ matrix.target }}

    steps:
@@ -237,7 +240,6 @@ jobs:
        uses: ./.github/actions/prepare-bazel-ci
        with:
          target: ${{ matrix.target }}
-          cache-scope: bazel-${{ github.job }}

      - name: bazel build verify-release-build targets
        env:
@@ -287,12 +289,12 @@ jobs:
          path: ${{ runner.temp }}/bazel-execution-logs
          if-no-files-found: ignore

-      # Save the job-scoped Bazel repository cache after cache misses. Keep the
+      # Save the Bazel repository cache after every non-cancelled run. Keep the
      # upload non-fatal so cache service issues never fail the job itself.
      - name: Save bazel repository cache
-        if: always() && !cancelled() && steps.prepare_bazel.outputs.repository-cache-hit != 'true'
+        if: always() && !cancelled()
        continue-on-error: true
        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: ${{ steps.prepare_bazel.outputs.repository-cache-path }}
-          key: ${{ steps.prepare_bazel.outputs.repository-cache-key }}
+          key: bazel-cache-${{ matrix.target }}-${{ hashFiles('MODULE.bazel', 'codex-rs/Cargo.lock', 'codex-rs/Cargo.toml') }}
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,7 +6,9 @@ on:

 jobs:
  build-test:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: codex-runners
+      labels: codex-linux-x64
    timeout-minutes: 10
    env:
      NODE_OPTIONS: --max-old-space-size=4096
--- a/.github/workflows/issue-deduplicator.yml
+++ b/.github/workflows/issue-deduplicator.yml
@@ -61,7 +61,7 @@ jobs:
      # .github/prompts/issue-deduplicator.txt file is obsolete and removed.
      - id: codex-all
        name: Find duplicates (pass 1, all issues)
-        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02 # v1.7
+        uses: openai/codex-action@0b91f4a2703c23df3102c3f0967d3c6db34eedef # v1
        with:
          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
          allow-users: "*"
@@ -195,7 +195,7 @@ jobs:

      - id: codex-open
        name: Find duplicates (pass 2, open issues)
-        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02 # v1.7
+        uses: openai/codex-action@0b91f4a2703c23df3102c3f0967d3c6db34eedef # v1
        with:
          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
          allow-users: "*"
--- a/.github/workflows/issue-labeler.yml
+++ b/.github/workflows/issue-labeler.yml
@@ -20,7 +20,7 @@ jobs:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - id: codex
-        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02 # v1.7
+        uses: openai/codex-action@0b91f4a2703c23df3102c3f0967d3c6db34eedef # v1
        with:
          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
          allow-users: "*"
--- a/.github/workflows/rust-ci-full.yml
+++ b/.github/workflows/rust-ci-full.yml
@@ -42,7 +42,9 @@ jobs:

  argument_comment_lint_package:
    name: Argument comment lint package
-    runs-on: ubuntu-24.04
+    runs-on:
+      group: codex-runners
+      labels: codex-linux-x64
    env:
      CARGO_DYLINT_VERSION: 5.0.0
      DYLINT_LINK_VERSION: 5.0.0
@@ -76,8 +78,6 @@ jobs:
      - name: Test argument comment lint package
        working-directory: tools/argument-comment-lint
        run: cargo test
-        env:
-          RUST_MIN_STACK: "8388608" # 8 MiB

  argument_comment_lint_prebuilt:
    name: Argument comment lint - ${{ matrix.name }}
@@ -89,6 +89,9 @@ jobs:
        include:
          - name: Linux
            runner: ubuntu-24.04
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-x64
          - name: macOS
            runner: macos-15-xlarge
          - name: Windows
@@ -560,6 +563,10 @@ jobs:

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - name: Set up Node.js for js_repl tests
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        with:
+          node-version-file: codex-rs/node-version.txt
      - name: Install Linux build dependencies
        if: ${{ runner.os == 'Linux' }}
        shell: bash
@@ -669,7 +676,6 @@ jobs:
        run: cargo nextest run --no-fail-fast --target ${{ matrix.target }} --cargo-profile ci-test --timings
        env:
          RUST_BACKTRACE: 1
-          RUST_MIN_STACK: "8388608" # 8 MiB
          NEXTEST_STATUS_LEVEL: leak

      - name: Upload Cargo timings (nextest)
--- a/.github/workflows/rust-ci.yml
+++ b/.github/workflows/rust-ci.yml
@@ -41,7 +41,6 @@ jobs:
          for f in "${files[@]}"; do
            [[ $f == codex-rs/* ]] && codex=true
            [[ $f == codex-rs/* || $f == tools/argument-comment-lint/* || $f == justfile ]] && argument_comment_lint=true
-            [[ $f == defs.bzl || $f == workspace_root_test_launcher.sh.tpl || $f == workspace_root_test_launcher.bat.tpl ]] && argument_comment_lint=true
            [[ $f == tools/argument-comment-lint/* || $f == .github/workflows/rust-ci.yml || $f == .github/workflows/rust-ci-full.yml ]] && argument_comment_lint_package=true
            [[ $f == .github/* ]] && workflows=true
          done
@@ -88,7 +87,9 @@ jobs:

  argument_comment_lint_package:
    name: Argument comment lint package
-    runs-on: ubuntu-24.04
+    runs-on:
+      group: codex-runners
+      labels: codex-linux-x64
    needs: changed
    if: ${{ needs.changed.outputs.argument_comment_lint_package == 'true' }}
    env:
@@ -131,14 +132,13 @@ jobs:
      - name: Test argument comment lint package
        working-directory: tools/argument-comment-lint
        run: cargo test
-        env:
-          RUST_MIN_STACK: "8388608" # 8 MiB

  argument_comment_lint_prebuilt:
    name: Argument comment lint - ${{ matrix.name }}
    runs-on: ${{ matrix.runs_on || matrix.runner }}
    timeout-minutes: ${{ matrix.timeout_minutes }}
    needs: changed
+    if: ${{ needs.changed.outputs.argument_comment_lint == 'true' || needs.changed.outputs.workflows == 'true' }}
    strategy:
      fail-fast: false
      matrix:
@@ -146,6 +146,9 @@ jobs:
          - name: Linux
            runner: ubuntu-24.04
            timeout_minutes: 30
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-x64
          - name: macOS
            runner: macos-15-xlarge
            timeout_minutes: 30
@@ -156,28 +159,43 @@ jobs:
              group: codex-runners
              labels: codex-windows-x64
    steps:
-      - name: Check whether argument comment lint should run
-        id: argument_comment_lint_gate
-        shell: bash
-        env:
-          ARGUMENT_COMMENT_LINT: ${{ needs.changed.outputs.argument_comment_lint }}
-          WORKFLOWS: ${{ needs.changed.outputs.workflows }}
-        run: |
-          if [[ "$ARGUMENT_COMMENT_LINT" == "true" || "$WORKFLOWS" == "true" ]]; then
-            echo "run=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          echo "No argument-comment-lint relevant changes."
-          echo "run=false" >> "$GITHUB_OUTPUT"
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        if: ${{ steps.argument_comment_lint_gate.outputs.run == 'true' }}
-      - name: Run argument comment lint on codex-rs via Bazel
-        if: ${{ steps.argument_comment_lint_gate.outputs.run == 'true' }}
-        uses: ./.github/actions/run-argument-comment-lint
+      - uses: ./.github/actions/setup-bazel-ci
        with:
          target: ${{ runner.os }}
-          buildbuddy-api-key: ${{ secrets.BUILDBUDDY_API_KEY }}
+          install-test-prereqs: true
+      - name: Install Linux sandbox build dependencies
+        if: ${{ runner.os == 'Linux' }}
+        shell: bash
+        run: |
+          sudo DEBIAN_FRONTEND=noninteractive apt-get update
+          sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev
+      - name: Run argument comment lint on codex-rs via Bazel
+        if: ${{ runner.os != 'Windows' }}
+        env:
+          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
+        shell: bash
+        run: |
+          bazel_targets="$(./tools/argument-comment-lint/list-bazel-targets.sh)"
+          ./.github/scripts/run-bazel-ci.sh \
+            -- \
+            build \
+            --config=argument-comment-lint \
+            --keep_going \
+            --build_metadata=COMMIT_SHA=${GITHUB_SHA} \
+            -- \
+            ${bazel_targets}
+      - name: Run argument comment lint on codex-rs via Bazel
+        if: ${{ runner.os == 'Windows' }}
+        env:
+          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
+        shell: bash
+        run: |
+          ./.github/scripts/run-argument-comment-lint-bazel.sh \
+            --config=argument-comment-lint \
+            --platforms=//:local_windows \
+            --keep_going \
+            --build_metadata=COMMIT_SHA=${GITHUB_SHA}

  # --- Gatherer job that you mark as the ONLY required status -----------------
  results:
--- a/.github/workflows/rust-release-argument-comment-lint.yml
+++ b/.github/workflows/rust-release-argument-comment-lint.yml
@@ -39,12 +39,18 @@ jobs:
            lib_name: libargument_comment_lint@nightly-2025-09-18-x86_64-unknown-linux-gnu.so
            runner_binary: argument-comment-lint
            cargo_dylint_binary: cargo-dylint
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-x64
          - runner: ubuntu-24.04-arm
            target: aarch64-unknown-linux-gnu
            archive_name: argument-comment-lint-aarch64-unknown-linux-gnu.tar.gz
            lib_name: libargument_comment_lint@nightly-2025-09-18-aarch64-unknown-linux-gnu.so
            runner_binary: argument-comment-lint
            cargo_dylint_binary: cargo-dylint
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-arm64
          - runner: windows-x64
            target: x86_64-pc-windows-msvc
            archive_name: argument-comment-lint-x86_64-pc-windows-msvc.zip
--- a/.github/workflows/rust-release-prepare.yml
+++ b/.github/workflows/rust-release-prepare.yml
@@ -40,7 +40,7 @@ jobs:
          )

          url="${base_url%/}/models?client_version=${client_version}"
-          curl --http1.1 --fail --show-error --location "${headers[@]}" "${url}" | jq '.' > codex-rs/models-manager/models.json
+          curl --http1.1 --fail --show-error --location "${headers[@]}" "${url}" | jq '.' > codex-rs/core/models.json

      - name: Open pull request (if changed)
        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8
--- a/.github/workflows/rust-release-windows.yml
+++ b/.github/workflows/rust-release-windows.yml
@@ -40,42 +40,28 @@ jobs:
          - runner: windows-x64
            target: x86_64-pc-windows-msvc
            bundle: primary
-            binaries: "codex codex-responses-api-proxy"
+            build_args: --bin codex --bin codex-responses-api-proxy
            runs_on:
              group: codex-runners
              labels: codex-windows-x64
          - runner: windows-arm64
            target: aarch64-pc-windows-msvc
            bundle: primary
-            binaries: "codex codex-responses-api-proxy"
+            build_args: --bin codex --bin codex-responses-api-proxy
            runs_on:
              group: codex-runners
              labels: codex-windows-arm64
          - runner: windows-x64
            target: x86_64-pc-windows-msvc
            bundle: helpers
-            binaries: "codex-windows-sandbox-setup codex-command-runner"
+            build_args: --bin codex-windows-sandbox-setup --bin codex-command-runner
            runs_on:
              group: codex-runners
              labels: codex-windows-x64
          - runner: windows-arm64
            target: aarch64-pc-windows-msvc
            bundle: helpers
-            binaries: "codex-windows-sandbox-setup codex-command-runner"
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-arm64
-          - runner: windows-x64
-            target: x86_64-pc-windows-msvc
-            bundle: app-server
-            binaries: "codex-app-server"
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-x64
-          - runner: windows-arm64
-            target: aarch64-pc-windows-msvc
-            bundle: app-server
-            binaries: "codex-app-server"
+            build_args: --bin codex-windows-sandbox-setup --bin codex-command-runner
            runs_on:
              group: codex-runners
              labels: codex-windows-arm64
@@ -103,11 +89,7 @@ jobs:
      - name: Cargo build (Windows binaries)
        shell: bash
        run: |
-          build_args=()
-          for binary in ${{ matrix.binaries }}; do
-            build_args+=(--bin "$binary")
-          done
-          cargo build --target ${{ matrix.target }} --release --timings "${build_args[@]}"
+          cargo build --target ${{ matrix.target }} --release --timings ${{ matrix.build_args }}

      - name: Upload Cargo timings
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
@@ -121,9 +103,13 @@ jobs:
        run: |
          output_dir="target/${{ matrix.target }}/release/staged-${{ matrix.bundle }}"
          mkdir -p "$output_dir"
-          for binary in ${{ matrix.binaries }}; do
-            cp "target/${{ matrix.target }}/release/${binary}.exe" "$output_dir/${binary}.exe"
-          done
+          if [[ "${{ matrix.bundle }}" == "primary" ]]; then
+            cp target/${{ matrix.target }}/release/codex.exe "$output_dir/codex.exe"
+            cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$output_dir/codex-responses-api-proxy.exe"
+          else
+            cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$output_dir/codex-windows-sandbox-setup.exe"
+            cp target/${{ matrix.target }}/release/codex-command-runner.exe "$output_dir/codex-command-runner.exe"
+          fi

      - name: Upload Windows binaries
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
@@ -144,8 +130,6 @@ jobs:
    defaults:
      run:
        working-directory: codex-rs
-    env:
-      WINDOWS_BINARIES: "codex codex-responses-api-proxy codex-windows-sandbox-setup codex-command-runner codex-app-server"

    strategy:
      fail-fast: false
@@ -177,25 +161,19 @@ jobs:
          name: windows-binaries-${{ matrix.target }}-helpers
          path: codex-rs/target/${{ matrix.target }}/release

-      - name: Download prebuilt Windows app-server binary
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
-        with:
-          name: windows-binaries-${{ matrix.target }}-app-server
-          path: codex-rs/target/${{ matrix.target }}/release
-
      - name: Verify binaries
        shell: bash
        run: |
          set -euo pipefail
-          for binary in ${WINDOWS_BINARIES}; do
-            ls -lh "target/${{ matrix.target }}/release/${binary}.exe"
-          done
+          ls -lh target/${{ matrix.target }}/release/codex.exe
+          ls -lh target/${{ matrix.target }}/release/codex-responses-api-proxy.exe
+          ls -lh target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe
+          ls -lh target/${{ matrix.target }}/release/codex-command-runner.exe

      - name: Sign Windows binaries with Azure Trusted Signing
        uses: ./.github/actions/windows-code-sign
        with:
          target: ${{ matrix.target }}
-          binaries: ${{ env.WINDOWS_BINARIES }}
          client-id: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TRUSTED_SIGNING_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID }}
@@ -209,10 +187,10 @@ jobs:
          dest="dist/${{ matrix.target }}"
          mkdir -p "$dest"

-          for binary in ${WINDOWS_BINARIES}; do
-            cp "target/${{ matrix.target }}/release/${binary}.exe" \
-              "$dest/${binary}-${{ matrix.target }}.exe"
-          done
+          cp target/${{ matrix.target }}/release/codex.exe "$dest/codex-${{ matrix.target }}.exe"
+          cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$dest/codex-responses-api-proxy-${{ matrix.target }}.exe"
+          cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
+          cp target/${{ matrix.target }}/release/codex-command-runner.exe "$dest/codex-command-runner-${{ matrix.target }}.exe"

      - name: Install DotSlash
        uses: facebook/install-dotslash@1e4e7b3e07eaca387acb98f1d4720e0bee8dbb6a # v2
--- a/.github/workflows/rust-release-zsh.yml
+++ b/.github/workflows/rust-release-zsh.yml
@@ -10,7 +10,7 @@ env:
 jobs:
  linux:
    name: Build zsh (Linux) - ${{ matrix.variant }} - ${{ matrix.target }}
-    runs-on: ${{ matrix.runner }}
+    runs-on: ${{ matrix.runs_on || matrix.runner }}
    timeout-minutes: 30
    container:
      image: ${{ matrix.image }}
@@ -24,11 +24,17 @@ jobs:
            variant: ubuntu-24.04
            image: ubuntu:24.04
            archive_name: codex-zsh-x86_64-unknown-linux-musl.tar.gz
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-x64
          - runner: ubuntu-24.04-arm
            target: aarch64-unknown-linux-musl
            variant: ubuntu-24.04
            image: arm64v8/ubuntu:24.04
            archive_name: codex-zsh-aarch64-unknown-linux-musl.tar.gz
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-arm64

    steps:
      - name: Install build prerequisites
@@ -60,7 +66,7 @@ jobs:

  darwin:
    name: Build zsh (macOS) - ${{ matrix.variant }} - ${{ matrix.target }}
-    runs-on: ${{ matrix.runner }}
+    runs-on: ${{ matrix.runs_on || matrix.runner }}
    timeout-minutes: 30

    strategy:
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -47,7 +47,7 @@ jobs:

  build:
    needs: tag-check
-    name: Build - ${{ matrix.runner }} - ${{ matrix.target }} - ${{ matrix.bundle }}
+    name: Build - ${{ matrix.runner }} - ${{ matrix.target }}
    runs-on: ${{ matrix.runs_on || matrix.runner }}
    timeout-minutes: 60
    permissions:
@@ -67,53 +67,28 @@ jobs:
        include:
          - runner: macos-15-xlarge
            target: aarch64-apple-darwin
-            bundle: primary
-            artifact_name: aarch64-apple-darwin
-            binaries: "codex codex-responses-api-proxy"
-            build_dmg: "true"
-          - runner: macos-15-xlarge
-            target: aarch64-apple-darwin
-            bundle: app-server
-            artifact_name: aarch64-apple-darwin-app-server
-            binaries: "codex-app-server"
-            build_dmg: "false"
          - runner: macos-15-xlarge
            target: x86_64-apple-darwin
-            bundle: primary
-            artifact_name: x86_64-apple-darwin
-            binaries: "codex codex-responses-api-proxy"
-            build_dmg: "true"
-          - runner: macos-15-xlarge
-            target: x86_64-apple-darwin
-            bundle: app-server
-            artifact_name: x86_64-apple-darwin-app-server
-            binaries: "codex-app-server"
-            build_dmg: "false"
-          # Release artifacts intentionally ship MUSL-linked Linux binaries.
          - runner: ubuntu-24.04
            target: x86_64-unknown-linux-musl
-            bundle: primary
-            artifact_name: x86_64-unknown-linux-musl
-            binaries: "codex codex-responses-api-proxy"
-            build_dmg: "false"
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-x64
          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            bundle: app-server
-            artifact_name: x86_64-unknown-linux-musl-app-server
-            binaries: "codex-app-server"
-            build_dmg: "false"
+            target: x86_64-unknown-linux-gnu
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-x64
          - runner: ubuntu-24.04-arm
            target: aarch64-unknown-linux-musl
-            bundle: primary
-            artifact_name: aarch64-unknown-linux-musl
-            binaries: "codex codex-responses-api-proxy"
-            build_dmg: "false"
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-arm64
          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            bundle: app-server
-            artifact_name: aarch64-unknown-linux-musl-app-server
-            binaries: "codex-app-server"
-            build_dmg: "false"
+            target: aarch64-unknown-linux-gnu
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-arm64

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -256,17 +231,13 @@ jobs:
      - name: Cargo build
        shell: bash
        run: |
-          build_args=()
-          for binary in ${{ matrix.binaries }}; do
-            build_args+=(--bin "$binary")
-          done
          echo "CARGO_PROFILE_RELEASE_LTO: ${CARGO_PROFILE_RELEASE_LTO}"
-          cargo build --target ${{ matrix.target }} --release --timings "${build_args[@]}"
+          cargo build --target ${{ matrix.target }} --release --timings --bin codex --bin codex-responses-api-proxy

      - name: Upload Cargo timings
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
-          name: cargo-timings-rust-release-${{ matrix.target }}-${{ matrix.bundle }}
+          name: cargo-timings-rust-release-${{ matrix.target }}
          path: codex-rs/target/**/cargo-timings/cargo-timing.html
          if-no-files-found: warn

@@ -276,14 +247,12 @@ jobs:
        with:
          target: ${{ matrix.target }}
          artifacts-dir: ${{ github.workspace }}/codex-rs/target/${{ matrix.target }}/release
-          binaries: ${{ matrix.binaries }}

      - if: ${{ runner.os == 'macOS' }}
        name: MacOS code signing (binaries)
        uses: ./.github/actions/macos-code-sign
        with:
          target: ${{ matrix.target }}
-          binaries: ${{ matrix.binaries }}
          sign-binaries: "true"
          sign-dmg: "false"
          apple-certificate: ${{ secrets.APPLE_CERTIFICATE_P12 }}
@@ -292,7 +261,7 @@ jobs:
          apple-notarization-key-id: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }}
          apple-notarization-issuer-id: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}

-      - if: ${{ runner.os == 'macOS' && matrix.build_dmg == 'true' }}
+      - if: ${{ runner.os == 'macOS' }}
        name: Build macOS dmg
        shell: bash
        run: |
@@ -307,17 +276,23 @@ jobs:
          # The previous "MacOS code signing (binaries)" step signs + notarizes the
          # built artifacts in `${release_dir}`. This step packages *those same*
          # signed binaries into a dmg.
+          codex_binary_path="${release_dir}/codex"
+          proxy_binary_path="${release_dir}/codex-responses-api-proxy"
+
          rm -rf "$dmg_root"
          mkdir -p "$dmg_root"

-          for binary in ${{ matrix.binaries }}; do
-            binary_path="${release_dir}/${binary}"
-            if [[ ! -f "${binary_path}" ]]; then
-              echo "Binary ${binary_path} not found"
-              exit 1
-            fi
-            ditto "${binary_path}" "${dmg_root}/${binary}"
-          done
+          if [[ ! -f "$codex_binary_path" ]]; then
+            echo "Binary $codex_binary_path not found"
+            exit 1
+          fi
+          if [[ ! -f "$proxy_binary_path" ]]; then
+            echo "Binary $proxy_binary_path not found"
+            exit 1
+          fi
+
+          ditto "$codex_binary_path" "${dmg_root}/codex"
+          ditto "$proxy_binary_path" "${dmg_root}/codex-responses-api-proxy"

          rm -f "$dmg_path"
          hdiutil create \
@@ -332,7 +307,7 @@ jobs:
            exit 1
          fi

-      - if: ${{ runner.os == 'macOS' && matrix.build_dmg == 'true' }}
+      - if: ${{ runner.os == 'macOS' }}
        name: MacOS code signing (dmg)
        uses: ./.github/actions/macos-code-sign
        with:
@@ -351,15 +326,15 @@ jobs:
          dest="dist/${{ matrix.target }}"
          mkdir -p "$dest"

-          for binary in ${{ matrix.binaries }}; do
-            cp "target/${{ matrix.target }}/release/${binary}" "$dest/${binary}-${{ matrix.target }}"
-            if [[ "${{ matrix.target }}" == *linux* ]]; then
-              cp "target/${{ matrix.target }}/release/${binary}.sigstore" \
-                "$dest/${binary}-${{ matrix.target }}.sigstore"
-            fi
-          done
+          cp target/${{ matrix.target }}/release/codex "$dest/codex-${{ matrix.target }}"
+          cp target/${{ matrix.target }}/release/codex-responses-api-proxy "$dest/codex-responses-api-proxy-${{ matrix.target }}"

-          if [[ "${{ matrix.build_dmg }}" == "true" ]]; then
+          if [[ "${{ matrix.target }}" == *linux* ]]; then
+            cp target/${{ matrix.target }}/release/codex.sigstore "$dest/codex-${{ matrix.target }}.sigstore"
+            cp target/${{ matrix.target }}/release/codex-responses-api-proxy.sigstore "$dest/codex-responses-api-proxy-${{ matrix.target }}.sigstore"
+          fi
+
+          if [[ "${{ matrix.target }}" == *apple-darwin ]]; then
            cp target/${{ matrix.target }}/release/codex-${{ matrix.target }}.dmg "$dest/codex-${{ matrix.target }}.dmg"
          fi

@@ -401,7 +376,7 @@ jobs:

      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
-          name: ${{ matrix.artifact_name }}
+          name: ${{ matrix.target }}
          # Upload the per-binary .zst files as well as the new .tar.gz
          # equivalents we generated in the previous step.
          path: |
@@ -651,59 +626,11 @@ jobs:
            prefix="${NPM_TAG}-"
          fi

-          root_tarball="dist/npm/codex-npm-${VERSION}.tgz"
-          sdk_tarball="dist/npm/codex-sdk-npm-${VERSION}.tgz"
-          # Keep this list in sync with CODEX_PLATFORM_PACKAGES in
-          # codex-cli/scripts/build_npm_package.py. The root wrapper advances
-          # @openai/codex@latest as soon as it publishes, so every platform
-          # package it aliases must already exist in the registry first.
-          platform_tarballs=(
-            "dist/npm/codex-npm-linux-x64-${VERSION}.tgz"
-            "dist/npm/codex-npm-linux-arm64-${VERSION}.tgz"
-            "dist/npm/codex-npm-darwin-x64-${VERSION}.tgz"
-            "dist/npm/codex-npm-darwin-arm64-${VERSION}.tgz"
-            "dist/npm/codex-npm-win32-x64-${VERSION}.tgz"
-            "dist/npm/codex-npm-win32-arm64-${VERSION}.tgz"
-          )
-
-          for required_tarball in "${platform_tarballs[@]}" "${root_tarball}"; do
-            if [[ ! -f "${required_tarball}" ]]; then
-              echo "Missing npm tarball: ${required_tarball}"
-              exit 1
-            fi
-          done
-
          shopt -s nullglob
-          other_tarballs=()
-          for tarball in dist/npm/*-"${VERSION}".tgz; do
-            if [[ "${tarball}" == "${root_tarball}" || "${tarball}" == "${sdk_tarball}" ]]; then
-              continue
-            fi
-
-            is_platform_tarball=false
-            for platform_tarball in "${platform_tarballs[@]}"; do
-              if [[ "${tarball}" == "${platform_tarball}" ]]; then
-                is_platform_tarball=true
-                break
-              fi
-            done
-            if [[ "${is_platform_tarball}" == true ]]; then
-              continue
-            fi
-
-            other_tarballs+=("${tarball}")
-          done
-
-          # Publish the platform packages before the root CLI wrapper. The root
-          # wrapper advances @openai/codex@latest, so it should only publish
-          # after the optional dependency versions it references exist.
-          tarballs=(
-            "${platform_tarballs[@]}"
-            "${other_tarballs[@]}"
-            "${root_tarball}"
-          )
-          if [[ -f "${sdk_tarball}" ]]; then
-            tarballs+=("${sdk_tarball}")
+          tarballs=(dist/npm/*-"${VERSION}".tgz)
+          if [[ ${#tarballs[@]} -eq 0 ]]; then
+            echo "No npm tarballs found in dist/npm for version ${VERSION}"
+            exit 1
          fi

          for tarball in "${tarballs[@]}"; do
--- a/.github/workflows/rusty-v8-release.yml
+++ b/.github/workflows/rusty-v8-release.yml
@@ -59,7 +59,7 @@ jobs:
  build:
    name: Build ${{ matrix.target }}
    needs: metadata
-    runs-on: ${{ matrix.runner }}
+    runs-on: ${{ matrix.runs_on || matrix.runner }}
    permissions:
      contents: read
      actions: read
@@ -70,9 +70,15 @@ jobs:
          - runner: ubuntu-24.04
            platform: linux_amd64_musl
            target: x86_64-unknown-linux-musl
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-x64
          - runner: ubuntu-24.04-arm
            platform: linux_arm64_musl
            target: aarch64-unknown-linux-musl
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-arm64

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
--- a/.github/workflows/v8-canary.yml
+++ b/.github/workflows/v8-canary.yml
@@ -56,7 +56,7 @@ jobs:
  build:
    name: Build ${{ matrix.target }}
    needs: metadata
-    runs-on: ${{ matrix.runner }}
+    runs-on: ${{ matrix.runs_on || matrix.runner }}
    permissions:
      contents: read
      actions: read
@@ -67,9 +67,15 @@ jobs:
          - runner: ubuntu-24.04
            platform: linux_amd64_musl
            target: x86_64-unknown-linux-musl
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-x64
          - runner: ubuntu-24.04-arm
            platform: linux_arm64_musl
            target: aarch64-unknown-linux-musl
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-arm64

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
--- a/.gitignore
+++ b/.gitignore
@@ -52,7 +52,6 @@ yarn-error.log*
 # env
 .env*
 !.env.example
-.venv/

 # package
 *.tgz
@@ -92,3 +91,4 @@ CHANGELOG.ignore.md
 # Python bytecode files
 __pycache__/
 *.pyc
+
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -44,8 +44,6 @@ In the codex-rs folder where the rust code lives:
    `codex-rs/tui/src/bottom_pane/mod.rs`, and similarly central orchestration modules.
  - When extracting code from a large module, move the related tests and module/type docs toward
    the new implementation so the invariants stay close to the code that owns them.
-  - Avoid adding new standalone methods to `codex-rs/tui/src/chatwidget.rs` unless the change is
-    trivial; prefer new modules/files and keep `chatwidget.rs` focused on orchestration.
 - When running Rust commands (e.g. `just fix` or `cargo test`) be patient with the command and never try to kill them using the PID. Rust lock can make the execution slow, this is expected.

 Run `just fmt` (in `codex-rs` directory) automatically after you have finished making Rust code changes; do not ask for approval to run it. Additionally, run the tests:
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -1,8 +1,8 @@
 module(name = "codex")

-bazel_dep(name = "bazel_skylib", version = "1.9.0")
+bazel_dep(name = "bazel_skylib", version = "1.8.2")
 bazel_dep(name = "platforms", version = "1.0.0")
-bazel_dep(name = "llvm", version = "0.7.1")
+bazel_dep(name = "llvm", version = "0.6.8")
 # The upstream LLVM archive contains a few unix-only symlink entries and is
 # missing a couple of MinGW compatibility archives that windows-gnullvm needs
 # during extraction and linking, so patch it until upstream grows native support.
@@ -78,8 +78,8 @@ use_repo(osx, "macos_sdk")
 bazel_dep(name = "apple_support", version = "2.1.0")
 bazel_dep(name = "rules_cc", version = "0.2.16")
 bazel_dep(name = "rules_platform", version = "0.1.0")
-bazel_dep(name = "rules_rs", version = "0.0.58")
-# `rules_rs` still does not model `windows-gnullvm` as a distinct Windows exec
+bazel_dep(name = "rules_rs", version = "0.0.43")
+# `rules_rs` 0.0.43 does not model `windows-gnullvm` as a distinct Windows exec
 # platform, so patch it until upstream grows that support for both x86_64 and
 # aarch64.
 single_version_override(
@@ -87,9 +87,10 @@ single_version_override(
    patch_strip = 1,
    patches = [
        "//patches:rules_rs_windows_gnullvm_exec.patch",
+        "//patches:rules_rs_delete_git_worktree_pointer.patch",
        "//patches:rules_rs_windows_exec_linker.patch",
    ],
-    version = "0.0.58",
+    version = "0.0.43",
 )

 rules_rust = use_extension("@rules_rs//rs/experimental:rules_rust.bzl", "rules_rust")
@@ -107,6 +108,7 @@ rules_rust.patch(
        "//patches:rules_rust_windows_exec_bin_target.patch",
        "//patches:rules_rust_windows_exec_std.patch",
        "//patches:rules_rust_windows_exec_rustc_dev_rlib.patch",
+        "//patches:rules_rust_repository_set_exec_constraints.patch",
    ],
    strip = 1,
 )
--- a/MODULE.bazel.lock
+++ b/MODULE.bazel.lock
--- a/3
+++ b/3
@@ -4,3 +4,6 @@ Copyright 2025 OpenAI
 This project includes code derived from [Ratatui](https://github.com/ratatui/ratatui), licensed under the MIT license.
 Copyright (c) 2016-2022 Florian Dehau
 Copyright (c) 2023-2025 The Ratatui Developers
+
+This project includes Meriyah parser assets from [meriyah](https://github.com/meriyah/meriyah), licensed under the ISC license.
+Copyright (c) 2019 and later, KFlash and others.
--- a/codex-cli/.dockerignore
+++ b/codex-cli/.dockerignore
@@ -0,0 +1 @@
+node_modules/
--- a/codex-cli/Dockerfile
+++ b/codex-cli/Dockerfile
@@ -0,0 +1,59 @@
+FROM node:24-slim
+
+ARG TZ
+ENV TZ="$TZ"
+
+# Install basic development tools, ca-certificates, and iptables/ipset, then clean up apt cache to reduce image size
+RUN apt-get update && apt-get install -y --no-install-recommends \
+  aggregate \
+  ca-certificates \
+  curl \
+  dnsutils \
+  fzf \
+  gh \
+  git \
+  gnupg2 \
+  iproute2 \
+  ipset \
+  iptables \
+  jq \
+  less \
+  man-db \
+  procps \
+  unzip \
+  ripgrep \
+  zsh \
+  && rm -rf /var/lib/apt/lists/*
+
+# Ensure default node user has access to /usr/local/share
+RUN mkdir -p /usr/local/share/npm-global && \
+  chown -R node:node /usr/local/share
+
+ARG USERNAME=node
+
+# Set up non-root user
+USER node
+
+# Install global packages
+ENV NPM_CONFIG_PREFIX=/usr/local/share/npm-global
+ENV PATH=$PATH:/usr/local/share/npm-global/bin
+
+# Install codex
+COPY dist/codex.tgz codex.tgz
+RUN npm install -g codex.tgz \
+  && npm cache clean --force \
+  && rm -rf /usr/local/share/npm-global/lib/node_modules/codex-cli/node_modules/.cache \
+  && rm -rf /usr/local/share/npm-global/lib/node_modules/codex-cli/tests \
+  && rm -rf /usr/local/share/npm-global/lib/node_modules/codex-cli/docs
+
+# Inside the container we consider the environment already sufficiently locked
+# down, therefore instruct Codex CLI to allow running without sandboxing.
+ENV CODEX_UNSAFE_ALLOW_NO_SANDBOX=1
+
+# Copy and set up firewall script as root.
+USER root
+COPY scripts/init_firewall.sh /usr/local/bin/
+RUN chmod 500 /usr/local/bin/init_firewall.sh
+
+# Drop back to non-root.
+USER node
--- a/codex-cli/package.json
+++ b/codex-cli/package.json
@@ -18,5 +18,5 @@
    "url": "git+https://github.com/openai/codex.git",
    "directory": "codex-cli"
  },
-  "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319"
+  "packageManager": "pnpm@10.29.3+sha512.498e1fb4cca5aa06c1dcf2611e6fafc50972ffe7189998c409e90de74566444298ffe43e6cd2acdc775ba1aa7cc5e092a8b7054c811ba8c5770f84693d33d2dc"
 }
--- a/codex-cli/scripts/build_container.sh
+++ b/codex-cli/scripts/build_container.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -euo pipefail
+
+SCRIPT_DIR=$(realpath "$(dirname "$0")")
+trap "popd >> /dev/null" EXIT
+pushd "$SCRIPT_DIR/.." >> /dev/null || {
+  echo "Error: Failed to change directory to $SCRIPT_DIR/.."
+  exit 1
+}
+pnpm install
+pnpm run build
+rm -rf ./dist/openai-codex-*.tgz
+pnpm pack --pack-destination ./dist
+mv ./dist/openai-codex-*.tgz ./dist/codex.tgz
+docker build -t codex -f "./Dockerfile" .
--- a/codex-rs/.cargo/audit.toml
+++ b/codex-rs/.cargo/audit.toml
@@ -6,4 +6,5 @@ ignore = [
    "RUSTSEC-2024-0436", # paste 1.0.15 via starlark/ratatui; upstream crate is unmaintained
    "RUSTSEC-2024-0320", # yaml-rust via syntect; remove when syntect drops or updates it
    "RUSTSEC-2025-0141", # bincode via syntect; remove when syntect drops or updates it
+    "RUSTSEC-2026-0097", # rand 0.8.5 via age/codex-secrets and zbus/keyring; remove when transitive deps move to rand >=0.9.3
 ]
--- a/codex-rs/.config/nextest.toml
+++ b/codex-rs/.config/nextest.toml
@@ -8,11 +8,6 @@ max-threads = 1
 [test-groups.app_server_integration]
 max-threads = 1

-[test-groups.core_apply_patch_cli_integration]
-max-threads = 1
-
-[test-groups.windows_sandbox_legacy_sessions]
-max-threads = 1

 [[profile.default.overrides]]
 # Do not add new tests here
@@ -32,15 +27,3 @@ test-group = 'app_server_protocol_codegen'
 # Keep the library unit tests parallel.
 filter = 'package(codex-app-server) & kind(test)'
 test-group = 'app_server_integration'
-
-[[profile.default.overrides]]
-# These tests exercise full Codex turns and apply_patch execution, and they are
-# sensitive to Windows runner process-startup stalls when many cases launch at once.
-filter = 'package(codex-core) & kind(test) & test(apply_patch_cli)'
-test-group = 'core_apply_patch_cli_integration'
-
-[[profile.default.overrides]]
-# These tests create restricted-token Windows child processes and private desktops.
-# Serialize them to avoid exhausting Windows session/global desktop resources in CI.
-filter = 'package(codex-windows-sandbox) & test(legacy_)'
-test-group = 'windows_sandbox_legacy_sessions'
--- a/codex-rs/BUILD.bazel
+++ b/codex-rs/BUILD.bazel
@@ -1,5 +1,6 @@
 exports_files([
    "clippy.toml",
+    "node-version.txt",
 ])

 filegroup(
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -1,8 +1,6 @@
 [workspace]
 members = [
-    "aws-auth",
    "analytics",
-    "agent-identity",
    "backend-client",
    "ansi-escape",
    "async-utils",
@@ -26,7 +24,6 @@ members = [
    "collaboration-mode-templates",
    "connectors",
    "config",
-    "device-key",
    "shell-command",
    "shell-escalation",
    "skills",
@@ -34,6 +31,7 @@ members = [
    "core-plugins",
    "core-skills",
    "hooks",
+    "instructions",
    "secrets",
    "exec",
    "exec-server",
@@ -54,7 +52,6 @@ members = [
    "protocol",
    "realtime-webrtc",
    "rollout",
-    "rollout-trace",
    "rmcp-client",
    "responses-api-proxy",
    "response-debug-context",
@@ -93,10 +90,8 @@ members = [
    "terminal-detection",
    "test-binary-support",
    "thread-store",
-    "uds",
    "codex-experimental-api-macros",
    "plugin",
-    "model-provider",
 ]
 resolver = "2"

@@ -113,10 +108,8 @@ license = "Apache-2.0"
 # Internal
 app_test_support = { path = "app-server/tests/common" }
 codex-analytics = { path = "analytics" }
-codex-agent-identity = { path = "agent-identity" }
 codex-ansi-escape = { path = "ansi-escape" }
 codex-api = { path = "codex-api" }
-codex-aws-auth = { path = "aws-auth" }
 codex-app-server = { path = "app-server" }
 codex-app-server-client = { path = "app-server-client" }
 codex-app-server-protocol = { path = "app-server-protocol" }
@@ -138,7 +131,6 @@ codex-connectors = { path = "connectors" }
 codex-core = { path = "core" }
 codex-core-plugins = { path = "core-plugins" }
 codex-core-skills = { path = "core-skills" }
-codex-device-key = { path = "device-key" }
 codex-exec = { path = "exec" }
 codex-exec-server = { path = "exec-server" }
 codex-execpolicy = { path = "execpolicy" }
@@ -149,6 +141,7 @@ codex-install-context = { path = "install-context" }
 codex-file-search = { path = "file-search" }
 codex-git-utils = { path = "git-utils" }
 codex-hooks = { path = "hooks" }
+codex-instructions = { path = "instructions" }
 codex-keyring-store = { path = "keyring-store" }
 codex-linux-sandbox = { path = "linux-sandbox" }
 codex-lmstudio = { path = "lmstudio" }
@@ -161,7 +154,6 @@ codex-network-proxy = { path = "network-proxy" }
 codex-ollama = { path = "ollama" }
 codex-otel = { path = "otel" }
 codex-plugin = { path = "plugin" }
-codex-model-provider = { path = "model-provider" }
 codex-process-hardening = { path = "process-hardening" }
 codex-protocol = { path = "protocol" }
 codex-realtime-webrtc = { path = "realtime-webrtc" }
@@ -169,7 +161,6 @@ codex-responses-api-proxy = { path = "responses-api-proxy" }
 codex-response-debug-context = { path = "response-debug-context" }
 codex-rmcp-client = { path = "rmcp-client" }
 codex-rollout = { path = "rollout" }
-codex-rollout-trace = { path = "rollout-trace" }
 codex-sandboxing = { path = "sandboxing" }
 codex-secrets = { path = "secrets" }
 codex-shell-command = { path = "shell-command" }
@@ -182,7 +173,6 @@ codex-test-binary-support = { path = "test-binary-support" }
 codex-thread-store = { path = "thread-store" }
 codex-tools = { path = "tools" }
 codex-tui = { path = "tui" }
-codex-uds = { path = "uds" }
 codex-utils-absolute-path = { path = "utils/absolute-path" }
 codex-utils-approval-presets = { path = "utils/approval-presets" }
 codex-utils-cache = { path = "utils/cache" }
@@ -220,13 +210,8 @@ arc-swap = "1.9.0"
 assert_cmd = "2"
 assert_matches = "1.5.0"
 async-channel = "2.3.1"
-async-io = "2.6.0"
 async-stream = "0.3.6"
 async-trait = "0.1.89"
-aws-config = "1"
-aws-credential-types = "1"
-aws-sigv4 = "1"
-aws-types = "1"
 axum = { version = "0.8", default-features = false }
 base64 = "0.22.1"
 bm25 = "2.3.2"
@@ -238,7 +223,6 @@ clap_complete = "4"
 color-eyre = "0.6.3"
 constant_time_eq = "0.3.1"
 crossbeam-channel = "0.5.15"
-crypto_box = { version = "0.9.1", features = ["seal"] }
 crossterm = "0.28.1"
 csv = "1.3.1"
 ctor = "0.6.3"
@@ -246,7 +230,6 @@ deno_core_icudata = "0.77.0"
 derive_more = "2"
 diffy = "0.4.2"
 dirs = "6"
-dns-lookup = "3.0.1"
 dotenvy = "0.15.7"
 dunce = "1.0.4"
 ed25519-dalek = { version = "2.2.0", features = ["pkcs8"] }
@@ -256,8 +239,6 @@ env_logger = "0.11.9"
 eventsource-stream = "0.2.3"
 futures = { version = "0.3", default-features = false }
 gethostname = "1.1.0"
-gix = { version = "0.81.0", default-features = false, features = ["sha1"] }
-glob = "0.3"
 globset = "0.4"
 hmac = "0.12.1"
 http = "1.3.1"
@@ -295,7 +276,6 @@ os_info = "3.12.0"
 owo-colors = "4.3.0"
 path-absolutize = "3.1.1"
 pathdiff = "0.2"
-p256 = "0.13.2"
 portable-pty = "0.9.0"
 predicates = "3"
 pretty_assertions = "1.4.1"
@@ -306,7 +286,7 @@ ratatui = "0.29.0"
 ratatui-macros = "0.6.0"
 regex = "1.12.3"
 regex-lite = "0.1.8"
-reqwest = { version = "0.12", features = ["cookies"] }
+reqwest = "0.12"
 rmcp = { version = "0.15.0", default-features = false }
 runfiles = { git = "https://github.com/dzbarsky/rules_rust", rev = "b56cbaa8465e74127f1ea216f813cd377295ad81" }
 rustls = { version = "0.23", default-features = false, features = [
@@ -367,8 +347,6 @@ tracing-appender = "0.2.3"
 tracing-opentelemetry = "0.32.0"
 tracing-subscriber = "0.3.22"
 tracing-test = "0.2.5"
-tonic = { version = "0.14.3", default-features = false, features = ["channel", "codegen"] }
-tonic-prost = "0.14.3"
 tree-sitter = "0.25.10"
 tree-sitter-bash = "0.25"
 ts-rs = "11"
@@ -386,7 +364,6 @@ webbrowser = "1.0"
 which = "8"
 whoami = "1.6.1"
 wildmatch = "2.6.1"
-winapi-util = "0.1.11"
 zip = "2.4.2"
 zstd = "0.13"

@@ -397,8 +374,6 @@ zeroize = "1.8.2"
 rust = {}

 [workspace.lints.clippy]
-await_holding_invalid_type = "deny"
-await_holding_lock = "deny"
 expect_used = "deny"
 identity_op = "deny"
 manual_clamp = "deny"
@@ -444,17 +419,6 @@ ignored = [
    "codex-v8-poc",
 ]

-[profile.dev]
-# Keep line tables/backtraces while avoiding expensive full variable debug info
-# across local dev builds.
-debug = 1
-
-[profile.dev-small]
-inherits = "dev"
-opt-level = 0
-debug = 0
-strip = true
-
 [profile.release]
 lto = "fat"
 split-debuginfo = "off"
--- a/codex-rs/README.md
+++ b/codex-rs/README.md
@@ -94,7 +94,7 @@ In `workspace-write`, Codex also includes `~/.codex/memories` in its writable ro

 This folder is the root of a Cargo workspace. It contains quite a bit of experimental code, but here are the key crates:

- [`core/`](./core) contains the business logic for Codex. Ultimately, we hope this becomes a library crate that is generally useful for building other Rust/native applications that use Codex.
+- [`core/`](./core) contains the business logic for Codex. Ultimately, we hope this to be a library crate that is generally useful for building other Rust/native applications that use Codex.
 - [`exec/`](./exec) "headless" CLI for use in automation.
 - [`tui/`](./tui) CLI that launches a fullscreen TUI built with [Ratatui](https://ratatui.rs/).
 - [`cli/`](./cli) CLI multitool that provides the aforementioned CLIs via subcommands.
--- a/codex-rs/agent-identity/BUILD.bazel
+++ b/codex-rs/agent-identity/BUILD.bazel
@@ -1,6 +0,0 @@
-load("//:defs.bzl", "codex_rust_crate")
-
-codex_rust_crate(
-    name = "agent-identity",
-    crate_name = "codex_agent_identity",
-)
--- a/codex-rs/agent-identity/Cargo.toml
+++ b/codex-rs/agent-identity/Cargo.toml
@@ -1,30 +0,0 @@
-[package]
-edition.workspace = true
-license.workspace = true
-name = "codex-agent-identity"
-version.workspace = true
-
-[lib]
-doctest = false
-name = "codex_agent_identity"
-path = "src/lib.rs"
-
-[lints]
-workspace = true
-
-[dependencies]
-anyhow = { workspace = true }
-base64 = { workspace = true }
-chrono = { workspace = true }
-codex-protocol = { workspace = true }
-crypto_box = { workspace = true }
-ed25519-dalek = { workspace = true }
-jsonwebtoken = { workspace = true }
-rand = { workspace = true }
-reqwest = { workspace = true, features = ["json"] }
-serde = { workspace = true, features = ["derive"] }
-serde_json = { workspace = true }
-sha2 = { workspace = true }
-
-[dev-dependencies]
-pretty_assertions = { workspace = true }
--- a/codex-rs/agent-identity/src/lib.rs
+++ b/codex-rs/agent-identity/src/lib.rs
@@ -1,599 +0,0 @@
-use std::collections::BTreeMap;
-use std::time::Duration;
-
-use anyhow::Context;
-use anyhow::Result;
-use base64::Engine as _;
-use base64::engine::general_purpose::STANDARD as BASE64_STANDARD;
-use base64::engine::general_purpose::URL_SAFE_NO_PAD;
-use chrono::SecondsFormat;
-use chrono::Utc;
-use codex_protocol::account::PlanType as AccountPlanType;
-use codex_protocol::protocol::SessionSource;
-use crypto_box::SecretKey as Curve25519SecretKey;
-use ed25519_dalek::Signer as _;
-use ed25519_dalek::SigningKey;
-use ed25519_dalek::VerifyingKey;
-use ed25519_dalek::pkcs8::DecodePrivateKey;
-use ed25519_dalek::pkcs8::EncodePrivateKey;
-use jsonwebtoken::Algorithm;
-use jsonwebtoken::DecodingKey;
-use jsonwebtoken::Validation;
-use rand::TryRngCore;
-use rand::rngs::OsRng;
-use serde::Deserialize;
-use serde::Serialize;
-use serde::de::DeserializeOwned;
-use sha2::Digest as _;
-use sha2::Sha512;
-
-const AGENT_TASK_REGISTRATION_TIMEOUT: Duration = Duration::from_secs(30);
-
-/// Stored key material for a registered agent identity.
-#[derive(Clone, Copy, Debug, PartialEq, Eq)]
-pub struct AgentIdentityKey<'a> {
-    pub agent_runtime_id: &'a str,
-    pub private_key_pkcs8_base64: &'a str,
-}
-
-/// Task binding to use when constructing a task-scoped AgentAssertion.
-#[derive(Clone, Copy, Debug, PartialEq, Eq)]
-pub struct AgentTaskAuthorizationTarget<'a> {
-    pub agent_runtime_id: &'a str,
-    pub task_id: &'a str,
-}
-
-#[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq)]
-pub struct AgentBillOfMaterials {
-    pub agent_version: String,
-    pub agent_harness_id: String,
-    pub running_location: String,
-}
-
-pub struct GeneratedAgentKeyMaterial {
-    pub private_key_pkcs8_base64: String,
-    pub public_key_ssh: String,
-}
-
-/// Claims carried by an Agent Identity JWT.
-#[derive(Clone, Debug, Deserialize, PartialEq, Eq)]
-pub struct AgentIdentityJwtClaims {
-    pub agent_runtime_id: String,
-    pub agent_private_key: String,
-    pub account_id: String,
-    pub chatgpt_user_id: String,
-    pub email: String,
-    pub plan_type: AccountPlanType,
-    pub chatgpt_account_is_fedramp: bool,
-}
-
-#[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq)]
-struct AgentAssertionEnvelope {
-    agent_runtime_id: String,
-    task_id: String,
-    timestamp: String,
-    signature: String,
-}
-
-#[derive(Serialize)]
-struct RegisterTaskRequest {
-    timestamp: String,
-    signature: String,
-}
-
-#[derive(Deserialize)]
-struct RegisterTaskResponse {
-    #[serde(default)]
-    task_id: Option<String>,
-    #[serde(default, rename = "taskId")]
-    task_id_camel: Option<String>,
-    #[serde(default)]
-    encrypted_task_id: Option<String>,
-    #[serde(default, rename = "encryptedTaskId")]
-    encrypted_task_id_camel: Option<String>,
-}
-
-pub fn authorization_header_for_agent_task(
-    key: AgentIdentityKey<'_>,
-    target: AgentTaskAuthorizationTarget<'_>,
-) -> Result<String> {
-    anyhow::ensure!(
-        key.agent_runtime_id == target.agent_runtime_id,
-        "agent task runtime {} does not match stored agent identity {}",
-        target.agent_runtime_id,
-        key.agent_runtime_id
-    );
-
-    let timestamp = Utc::now().to_rfc3339_opts(SecondsFormat::Secs, true);
-    let envelope = AgentAssertionEnvelope {
-        agent_runtime_id: target.agent_runtime_id.to_string(),
-        task_id: target.task_id.to_string(),
-        timestamp: timestamp.clone(),
-        signature: sign_agent_assertion_payload(key, target.task_id, &timestamp)?,
-    };
-    let serialized_assertion = serialize_agent_assertion(&envelope)?;
-    Ok(format!("AgentAssertion {serialized_assertion}"))
-}
-
-pub fn decode_agent_identity_jwt(
-    jwt: &str,
-    public_key_base64: Option<&str>,
-) -> Result<AgentIdentityJwtClaims> {
-    let Some(public_key_base64) = public_key_base64 else {
-        return decode_agent_identity_jwt_payload(jwt);
-    };
-
-    let mut validation = Validation::new(Algorithm::EdDSA);
-    validation.required_spec_claims.clear();
-    validation.validate_exp = false;
-    validation.validate_aud = false;
-
-    let public_key = BASE64_STANDARD
-        .decode(public_key_base64)
-        .context("agent identity JWT public key is not valid base64")?;
-    let decoding_key = DecodingKey::from_ed_der(&public_key);
-
-    jsonwebtoken::decode::<AgentIdentityJwtClaims>(jwt, &decoding_key, &validation)
-        .map(|data| data.claims)
-        .context("failed to decode agent identity JWT")
-}
-
-fn decode_agent_identity_jwt_payload<T: DeserializeOwned>(jwt: &str) -> Result<T> {
-    let mut parts = jwt.split('.');
-    let (_header_b64, payload_b64, _sig_b64) = match (parts.next(), parts.next(), parts.next()) {
-        (Some(h), Some(p), Some(s)) if !h.is_empty() && !p.is_empty() && !s.is_empty() => (h, p, s),
-        _ => anyhow::bail!("invalid agent identity JWT format"),
-    };
-    anyhow::ensure!(parts.next().is_none(), "invalid agent identity JWT format");
-
-    let payload_bytes = URL_SAFE_NO_PAD
-        .decode(payload_b64)
-        .context("agent identity JWT payload is not valid base64url")?;
-    serde_json::from_slice(&payload_bytes).context("agent identity JWT payload is not valid JSON")
-}
-
-pub fn sign_task_registration_payload(
-    key: AgentIdentityKey<'_>,
-    timestamp: &str,
-) -> Result<String> {
-    let signing_key = signing_key_from_private_key_pkcs8_base64(key.private_key_pkcs8_base64)?;
-    let payload = format!("{}:{timestamp}", key.agent_runtime_id);
-    Ok(BASE64_STANDARD.encode(signing_key.sign(payload.as_bytes()).to_bytes()))
-}
-
-pub async fn register_agent_task(
-    client: &reqwest::Client,
-    chatgpt_base_url: &str,
-    key: AgentIdentityKey<'_>,
-) -> Result<String> {
-    let timestamp = Utc::now().to_rfc3339_opts(SecondsFormat::Secs, true);
-    let request = RegisterTaskRequest {
-        signature: sign_task_registration_payload(key, &timestamp)?,
-        timestamp,
-    };
-    let url = agent_task_registration_url(chatgpt_base_url, key.agent_runtime_id);
-
-    let response = client
-        .post(url)
-        .timeout(AGENT_TASK_REGISTRATION_TIMEOUT)
-        .json(&request)
-        .send()
-        .await
-        .context("failed to register agent task")?;
-    if !response.status().is_success() {
-        let status = response.status();
-        let body = response.text().await.unwrap_or_default();
-        let body = if body.len() > 512 {
-            format!("{}...", body.chars().take(512).collect::<String>())
-        } else {
-            body
-        };
-        anyhow::bail!("failed to register agent task with status {status}: {body}");
-    }
-
-    let response = response
-        .json()
-        .await
-        .context("failed to decode agent task registration response")?;
-
-    task_id_from_register_task_response(key, response)
-}
-
-fn task_id_from_register_task_response(
-    key: AgentIdentityKey<'_>,
-    response: RegisterTaskResponse,
-) -> Result<String> {
-    if let Some(task_id) = response.task_id.or(response.task_id_camel) {
-        return Ok(task_id);
-    }
-    let encrypted_task_id = response
-        .encrypted_task_id
-        .or(response.encrypted_task_id_camel)
-        .context("agent task registration response omitted task id")?;
-    decrypt_task_id_response(key, &encrypted_task_id)
-}
-
-pub fn decrypt_task_id_response(
-    key: AgentIdentityKey<'_>,
-    encrypted_task_id: &str,
-) -> Result<String> {
-    let signing_key = signing_key_from_private_key_pkcs8_base64(key.private_key_pkcs8_base64)?;
-    let ciphertext = BASE64_STANDARD
-        .decode(encrypted_task_id)
-        .context("encrypted task id is not valid base64")?;
-    let plaintext = curve25519_secret_key_from_signing_key(&signing_key)
-        .unseal(&ciphertext)
-        .map_err(|_| anyhow::anyhow!("failed to decrypt encrypted task id"))?;
-    String::from_utf8(plaintext).context("decrypted task id is not valid UTF-8")
-}
-
-pub fn generate_agent_key_material() -> Result<GeneratedAgentKeyMaterial> {
-    let mut secret_key_bytes = [0u8; 32];
-    OsRng
-        .try_fill_bytes(&mut secret_key_bytes)
-        .context("failed to generate agent identity private key bytes")?;
-    let signing_key = SigningKey::from_bytes(&secret_key_bytes);
-    let private_key_pkcs8 = signing_key
-        .to_pkcs8_der()
-        .context("failed to encode agent identity private key as PKCS#8")?;
-
-    Ok(GeneratedAgentKeyMaterial {
-        private_key_pkcs8_base64: BASE64_STANDARD.encode(private_key_pkcs8.as_bytes()),
-        public_key_ssh: encode_ssh_ed25519_public_key(&signing_key.verifying_key()),
-    })
-}
-
-pub fn public_key_ssh_from_private_key_pkcs8_base64(
-    private_key_pkcs8_base64: &str,
-) -> Result<String> {
-    let signing_key = signing_key_from_private_key_pkcs8_base64(private_key_pkcs8_base64)?;
-    Ok(encode_ssh_ed25519_public_key(&signing_key.verifying_key()))
-}
-
-pub fn verifying_key_from_private_key_pkcs8_base64(
-    private_key_pkcs8_base64: &str,
-) -> Result<VerifyingKey> {
-    let signing_key = signing_key_from_private_key_pkcs8_base64(private_key_pkcs8_base64)?;
-    Ok(signing_key.verifying_key())
-}
-
-pub fn curve25519_secret_key_from_private_key_pkcs8_base64(
-    private_key_pkcs8_base64: &str,
-) -> Result<Curve25519SecretKey> {
-    let signing_key = signing_key_from_private_key_pkcs8_base64(private_key_pkcs8_base64)?;
-    Ok(curve25519_secret_key_from_signing_key(&signing_key))
-}
-
-pub fn agent_registration_url(chatgpt_base_url: &str) -> String {
-    let trimmed = chatgpt_base_url.trim_end_matches('/');
-    format!("{trimmed}/v1/agent/register")
-}
-
-pub fn agent_task_registration_url(chatgpt_base_url: &str, agent_runtime_id: &str) -> String {
-    let trimmed = chatgpt_base_url.trim_end_matches('/');
-    format!("{trimmed}/v1/agent/{agent_runtime_id}/task/register")
-}
-
-pub fn agent_identity_biscuit_url(chatgpt_base_url: &str) -> String {
-    let trimmed = chatgpt_base_url.trim_end_matches('/');
-    format!("{trimmed}/authenticate_app_v2")
-}
-
-pub fn agent_identity_request_id() -> Result<String> {
-    let mut request_id_bytes = [0u8; 16];
-    OsRng
-        .try_fill_bytes(&mut request_id_bytes)
-        .context("failed to generate agent identity request id")?;
-    Ok(format!(
-        "codex-agent-identity-{}",
-        URL_SAFE_NO_PAD.encode(request_id_bytes)
-    ))
-}
-
-pub fn normalize_chatgpt_base_url(chatgpt_base_url: &str) -> String {
-    let mut base_url = chatgpt_base_url.trim_end_matches('/').to_string();
-    for suffix in [
-        "/wham/remote/control/server/enroll",
-        "/wham/remote/control/server",
-    ] {
-        if let Some(stripped) = base_url.strip_suffix(suffix) {
-            base_url = stripped.to_string();
-            break;
-        }
-    }
-    if let Some(stripped) = base_url.strip_suffix("/codex") {
-        base_url = stripped.to_string();
-    }
-    if (base_url.starts_with("https://chatgpt.com")
-        || base_url.starts_with("https://chat.openai.com"))
-        && !base_url.contains("/backend-api")
-    {
-        base_url = format!("{base_url}/backend-api");
-    }
-    base_url
-}
-
-pub fn build_abom(session_source: SessionSource) -> AgentBillOfMaterials {
-    AgentBillOfMaterials {
-        agent_version: env!("CARGO_PKG_VERSION").to_string(),
-        agent_harness_id: match &session_source {
-            SessionSource::VSCode => "codex-app".to_string(),
-            SessionSource::Cli
-            | SessionSource::Exec
-            | SessionSource::Mcp
-            | SessionSource::Custom(_)
-            | SessionSource::SubAgent(_)
-            | SessionSource::Unknown => "codex-cli".to_string(),
-        },
-        running_location: format!("{}-{}", session_source, std::env::consts::OS),
-    }
-}
-
-pub fn encode_ssh_ed25519_public_key(verifying_key: &VerifyingKey) -> String {
-    let mut blob = Vec::with_capacity(4 + 11 + 4 + 32);
-    append_ssh_string(&mut blob, b"ssh-ed25519");
-    append_ssh_string(&mut blob, verifying_key.as_bytes());
-    format!("ssh-ed25519 {}", BASE64_STANDARD.encode(blob))
-}
-
-fn sign_agent_assertion_payload(
-    key: AgentIdentityKey<'_>,
-    task_id: &str,
-    timestamp: &str,
-) -> Result<String> {
-    let signing_key = signing_key_from_private_key_pkcs8_base64(key.private_key_pkcs8_base64)?;
-    let payload = format!("{}:{task_id}:{timestamp}", key.agent_runtime_id);
-    Ok(BASE64_STANDARD.encode(signing_key.sign(payload.as_bytes()).to_bytes()))
-}
-
-fn serialize_agent_assertion(envelope: &AgentAssertionEnvelope) -> Result<String> {
-    let payload = serde_json::to_vec(&BTreeMap::from([
-        ("agent_runtime_id", envelope.agent_runtime_id.as_str()),
-        ("signature", envelope.signature.as_str()),
-        ("task_id", envelope.task_id.as_str()),
-        ("timestamp", envelope.timestamp.as_str()),
-    ]))
-    .context("failed to serialize agent assertion envelope")?;
-    Ok(URL_SAFE_NO_PAD.encode(payload))
-}
-
-fn curve25519_secret_key_from_signing_key(signing_key: &SigningKey) -> Curve25519SecretKey {
-    let digest = Sha512::digest(signing_key.to_bytes());
-    let mut secret_key = [0u8; 32];
-    secret_key.copy_from_slice(&digest[..32]);
-    secret_key[0] &= 248;
-    secret_key[31] &= 127;
-    secret_key[31] |= 64;
-    Curve25519SecretKey::from(secret_key)
-}
-
-fn append_ssh_string(buf: &mut Vec<u8>, value: &[u8]) {
-    buf.extend_from_slice(&(value.len() as u32).to_be_bytes());
-    buf.extend_from_slice(value);
-}
-
-fn signing_key_from_private_key_pkcs8_base64(private_key_pkcs8_base64: &str) -> Result<SigningKey> {
-    let private_key = BASE64_STANDARD
-        .decode(private_key_pkcs8_base64)
-        .context("stored agent identity private key is not valid base64")?;
-    SigningKey::from_pkcs8_der(&private_key)
-        .context("stored agent identity private key is not valid PKCS#8")
-}
-
-#[cfg(test)]
-mod tests {
-    use base64::Engine as _;
-    use ed25519_dalek::Signature;
-    use ed25519_dalek::Verifier as _;
-    use jsonwebtoken::EncodingKey;
-    use jsonwebtoken::Header;
-    use pretty_assertions::assert_eq;
-
-    use super::*;
-
-    #[test]
-    fn authorization_header_for_agent_task_serializes_signed_agent_assertion() {
-        let signing_key = SigningKey::from_bytes(&[7u8; 32]);
-        let private_key = signing_key
-            .to_pkcs8_der()
-            .expect("encode test key material");
-        let key = AgentIdentityKey {
-            agent_runtime_id: "agent-123",
-            private_key_pkcs8_base64: &BASE64_STANDARD.encode(private_key.as_bytes()),
-        };
-        let target = AgentTaskAuthorizationTarget {
-            agent_runtime_id: "agent-123",
-            task_id: "task-123",
-        };
-
-        let header =
-            authorization_header_for_agent_task(key, target).expect("build agent assertion header");
-        let token = header
-            .strip_prefix("AgentAssertion ")
-            .expect("agent assertion scheme");
-        let payload = URL_SAFE_NO_PAD
-            .decode(token)
-            .expect("valid base64url payload");
-        let envelope: AgentAssertionEnvelope =
-            serde_json::from_slice(&payload).expect("valid assertion envelope");
-
-        assert_eq!(
-            envelope,
-            AgentAssertionEnvelope {
-                agent_runtime_id: "agent-123".to_string(),
-                task_id: "task-123".to_string(),
-                timestamp: envelope.timestamp.clone(),
-                signature: envelope.signature.clone(),
-            }
-        );
-        let signature_bytes = BASE64_STANDARD
-            .decode(&envelope.signature)
-            .expect("valid base64 signature");
-        let signature = Signature::from_slice(&signature_bytes).expect("valid signature bytes");
-        signing_key
-            .verifying_key()
-            .verify(
-                format!(
-                    "{}:{}:{}",
-                    envelope.agent_runtime_id, envelope.task_id, envelope.timestamp
-                )
-                .as_bytes(),
-                &signature,
-            )
-            .expect("signature should verify");
-    }
-
-    #[test]
-    fn authorization_header_for_agent_task_rejects_mismatched_runtime() {
-        let signing_key = SigningKey::from_bytes(&[7u8; 32]);
-        let private_key = signing_key
-            .to_pkcs8_der()
-            .expect("encode test key material");
-        let private_key_pkcs8_base64 = BASE64_STANDARD.encode(private_key.as_bytes());
-        let key = AgentIdentityKey {
-            agent_runtime_id: "agent-123",
-            private_key_pkcs8_base64: &private_key_pkcs8_base64,
-        };
-        let target = AgentTaskAuthorizationTarget {
-            agent_runtime_id: "agent-456",
-            task_id: "task-123",
-        };
-
-        let error = authorization_header_for_agent_task(key, target)
-            .expect_err("runtime mismatch should fail");
-
-        assert_eq!(
-            error.to_string(),
-            "agent task runtime agent-456 does not match stored agent identity agent-123"
-        );
-    }
-
-    #[test]
-    fn decode_agent_identity_jwt_reads_claims() {
-        let jwt = jwt_with_payload(serde_json::json!({
-            "agent_runtime_id": "agent-runtime-id",
-            "agent_private_key": "private-key",
-            "account_id": "account-id",
-            "chatgpt_user_id": "user-id",
-            "email": "user@example.com",
-            "plan_type": "pro",
-            "chatgpt_account_is_fedramp": false,
-        }));
-
-        let claims =
-            decode_agent_identity_jwt(&jwt, /*public_key_base64*/ None).expect("JWT should decode");
-
-        assert_eq!(
-            claims,
-            AgentIdentityJwtClaims {
-                agent_runtime_id: "agent-runtime-id".to_string(),
-                agent_private_key: "private-key".to_string(),
-                account_id: "account-id".to_string(),
-                chatgpt_user_id: "user-id".to_string(),
-                email: "user@example.com".to_string(),
-                plan_type: AccountPlanType::Pro,
-                chatgpt_account_is_fedramp: false,
-            }
-        );
-    }
-
-    #[test]
-    fn decode_agent_identity_jwt_verifies_when_public_key_is_present() {
-        let mut secret_key_bytes = [0u8; 32];
-        secret_key_bytes[0] = 1;
-        let signing_key = SigningKey::from_bytes(&secret_key_bytes);
-        let private_key_pkcs8 = signing_key
-            .to_pkcs8_der()
-            .expect("private key should encode");
-        let public_key_base64 = BASE64_STANDARD.encode(signing_key.verifying_key().as_bytes());
-        let claims = AgentIdentityJwtClaims {
-            agent_runtime_id: "agent-runtime-id".to_string(),
-            agent_private_key: "private-key".to_string(),
-            account_id: "account-id".to_string(),
-            chatgpt_user_id: "user-id".to_string(),
-            email: "user@example.com".to_string(),
-            plan_type: AccountPlanType::Pro,
-            chatgpt_account_is_fedramp: false,
-        };
-        let jwt = jsonwebtoken::encode(
-            &Header::new(Algorithm::EdDSA),
-            &serde_json::json!({
-                "agent_runtime_id": claims.agent_runtime_id,
-                "agent_private_key": claims.agent_private_key,
-                "account_id": claims.account_id,
-                "chatgpt_user_id": claims.chatgpt_user_id,
-                "email": claims.email,
-                "plan_type": "pro",
-                "chatgpt_account_is_fedramp": claims.chatgpt_account_is_fedramp,
-            }),
-            &EncodingKey::from_ed_der(private_key_pkcs8.as_bytes()),
-        )
-        .expect("JWT should encode");
-
-        let expected_claims = AgentIdentityJwtClaims {
-            agent_runtime_id: "agent-runtime-id".to_string(),
-            agent_private_key: "private-key".to_string(),
-            account_id: "account-id".to_string(),
-            chatgpt_user_id: "user-id".to_string(),
-            email: "user@example.com".to_string(),
-            plan_type: AccountPlanType::Pro,
-            chatgpt_account_is_fedramp: false,
-        };
-        assert_eq!(
-            decode_agent_identity_jwt(&jwt, Some(&public_key_base64)).expect("JWT should verify"),
-            expected_claims
-        );
-    }
-
-    #[test]
-    fn decode_agent_identity_jwt_rejects_wrong_public_key() {
-        let mut signing_secret_key_bytes = [0u8; 32];
-        signing_secret_key_bytes[0] = 1;
-        let signing_key = SigningKey::from_bytes(&signing_secret_key_bytes);
-        let private_key_pkcs8 = signing_key
-            .to_pkcs8_der()
-            .expect("private key should encode");
-
-        let mut other_secret_key_bytes = [0u8; 32];
-        other_secret_key_bytes[0] = 2;
-        let other_public_key_base64 = BASE64_STANDARD.encode(
-            SigningKey::from_bytes(&other_secret_key_bytes)
-                .verifying_key()
-                .as_bytes(),
-        );
-
-        let jwt = jsonwebtoken::encode(
-            &Header::new(Algorithm::EdDSA),
-            &serde_json::json!({
-                "agent_runtime_id": "agent-runtime-id",
-                "agent_private_key": "private-key",
-                "account_id": "account-id",
-                "chatgpt_user_id": "user-id",
-                "email": "user@example.com",
-                "plan_type": "pro",
-                "chatgpt_account_is_fedramp": false,
-            }),
-            &EncodingKey::from_ed_der(private_key_pkcs8.as_bytes()),
-        )
-        .expect("JWT should encode");
-
-        decode_agent_identity_jwt(&jwt, Some(&other_public_key_base64))
-            .expect_err("JWT should not verify");
-    }
-
-    #[test]
-    fn normalize_chatgpt_base_url_strips_codex_before_backend_api() {
-        assert_eq!(
-            normalize_chatgpt_base_url("https://chatgpt.com/codex"),
-            "https://chatgpt.com/backend-api"
-        );
-    }
-
-    fn jwt_with_payload(payload: serde_json::Value) -> String {
-        let encode = |bytes: &[u8]| URL_SAFE_NO_PAD.encode(bytes);
-        let header_b64 = encode(br#"{"alg":"none","typ":"JWT"}"#);
-        let payload_b64 = encode(&serde_json::to_vec(&payload).expect("payload should serialize"));
-        let signature_b64 = encode(b"sig");
-        format!("{header_b64}.{payload_b64}.{signature_b64}")
-    }
-}
--- a/codex-rs/analytics/Cargo.toml
+++ b/codex-rs/analytics/Cargo.toml
@@ -16,7 +16,6 @@ workspace = true
 codex-app-server-protocol = { workspace = true }
 codex-git-utils = { workspace = true }
 codex-login = { workspace = true }
-codex-model-provider = { workspace = true }
 codex-plugin = { workspace = true }
 codex-protocol = { workspace = true }
 os_info = { workspace = true }
--- a/codex-rs/analytics/src/analytics_client_tests.rs
+++ b/codex-rs/analytics/src/analytics_client_tests.rs
@@ -4,22 +4,14 @@ use crate::events::CodexAppMentionedEventRequest;
 use crate::events::CodexAppServerClientMetadata;
 use crate::events::CodexAppUsedEventRequest;
 use crate::events::CodexCompactionEventRequest;
-use crate::events::CodexHookRunEventRequest;
 use crate::events::CodexPluginEventRequest;
 use crate::events::CodexPluginUsedEventRequest;
 use crate::events::CodexRuntimeMetadata;
 use crate::events::CodexTurnEventRequest;
-use crate::events::GuardianApprovalRequestSource;
-use crate::events::GuardianReviewDecision;
-use crate::events::GuardianReviewEventParams;
-use crate::events::GuardianReviewFailureReason;
-use crate::events::GuardianReviewTerminalStatus;
-use crate::events::GuardianReviewedAction;
 use crate::events::ThreadInitializedEvent;
 use crate::events::ThreadInitializedEventParams;
 use crate::events::TrackEventRequest;
 use crate::events::codex_app_metadata;
-use crate::events::codex_hook_run_metadata;
 use crate::events::codex_plugin_metadata;
 use crate::events::codex_plugin_used_metadata;
 use crate::events::subagent_thread_started_event_request;
@@ -36,8 +28,6 @@ use crate::facts::CompactionStatus;
 use crate::facts::CompactionStrategy;
 use crate::facts::CompactionTrigger;
 use crate::facts::CustomAnalyticsFact;
-use crate::facts::HookRunFact;
-use crate::facts::HookRunInput;
 use crate::facts::InputError;
 use crate::facts::InvocationType;
 use crate::facts::PluginState;
@@ -65,7 +55,6 @@ use codex_app_server_protocol::InitializeCapabilities;
 use codex_app_server_protocol::InitializeParams;
 use codex_app_server_protocol::JSONRPCErrorError;
 use codex_app_server_protocol::NonSteerableTurnKind;
-use codex_app_server_protocol::PermissionProfile as AppServerPermissionProfile;
 use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::SandboxPolicy as AppServerSandboxPolicy;
 use codex_app_server_protocol::ServerNotification;
@@ -89,14 +78,9 @@ use codex_plugin::AppConnectorId;
 use codex_plugin::PluginCapabilitySummary;
 use codex_plugin::PluginId;
 use codex_plugin::PluginTelemetryMetadata;
-use codex_protocol::approvals::NetworkApprovalProtocol;
 use codex_protocol::config_types::ApprovalsReviewer;
 use codex_protocol::config_types::ModeKind;
-use codex_protocol::models::PermissionProfile as CorePermissionProfile;
 use codex_protocol::protocol::AskForApproval;
-use codex_protocol::protocol::HookEventName;
-use codex_protocol::protocol::HookRunStatus;
-use codex_protocol::protocol::HookSource;
 use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::SessionSource;
 use codex_protocol::protocol::SubAgentSource;
@@ -154,16 +138,11 @@ fn sample_thread_start_response(thread_id: &str, ephemeral: bool, model: &str) -
            approval_policy: AppServerAskForApproval::OnFailure,
            approvals_reviewer: AppServerApprovalsReviewer::User,
            sandbox: AppServerSandboxPolicy::DangerFullAccess,
-            permission_profile: Some(sample_permission_profile()),
            reasoning_effort: None,
        },
    }
 }

-fn sample_permission_profile() -> AppServerPermissionProfile {
-    CorePermissionProfile::Disabled.into()
-}
-
 fn sample_app_server_client_metadata() -> CodexAppServerClientMetadata {
    CodexAppServerClientMetadata {
        product_client_id: DEFAULT_ORIGINATOR.to_string(),
@@ -210,7 +189,6 @@ fn sample_thread_resume_response_with_source(
            approval_policy: AppServerAskForApproval::OnFailure,
            approvals_reviewer: AppServerApprovalsReviewer::User,
            sandbox: AppServerSandboxPolicy::DangerFullAccess,
-            permission_profile: Some(sample_permission_profile()),
            reasoning_effort: None,
        },
    }
@@ -315,15 +293,12 @@ fn sample_turn_resolved_config(turn_id: &str) -> TurnResolvedConfigFact {
        session_source: SessionSource::Exec,
        model: "gpt-5".to_string(),
        model_provider: "openai".to_string(),
-        permission_profile: CorePermissionProfile::from_legacy_sandbox_policy(
-            &SandboxPolicy::new_read_only_policy(),
-        ),
-        permission_profile_cwd: PathBuf::from("/tmp"),
+        sandbox_policy: SandboxPolicy::new_read_only_policy(),
        reasoning_effort: None,
        reasoning_summary: None,
        service_tier: None,
        approval_policy: AskForApproval::OnRequest,
-        approvals_reviewer: ApprovalsReviewer::AutoReview,
+        approvals_reviewer: ApprovalsReviewer::GuardianSubagent,
        sandbox_network_access: true,
        collaboration_mode: ModeKind::Plan,
        personality: None,
@@ -1068,135 +1043,6 @@ async fn compaction_event_ingests_custom_fact() {
    assert_eq!(payload[0]["event_params"]["status"], "failed");
 }

-#[tokio::test]
-async fn guardian_review_event_ingests_custom_fact_with_optional_target_item() {
-    let mut reducer = AnalyticsReducer::default();
-    let mut events = Vec::new();
-
-    reducer
-        .ingest(
-            AnalyticsFact::Initialize {
-                connection_id: 7,
-                params: InitializeParams {
-                    client_info: ClientInfo {
-                        name: "codex-tui".to_string(),
-                        title: None,
-                        version: "1.0.0".to_string(),
-                    },
-                    capabilities: Some(InitializeCapabilities {
-                        experimental_api: false,
-                        opt_out_notification_methods: None,
-                    }),
-                },
-                product_client_id: DEFAULT_ORIGINATOR.to_string(),
-                runtime: sample_runtime_metadata(),
-                rpc_transport: AppServerRpcTransport::Websocket,
-            },
-            &mut events,
-        )
-        .await;
-    reducer
-        .ingest(
-            AnalyticsFact::Response {
-                connection_id: 7,
-                response: Box::new(sample_thread_start_response(
-                    "thread-guardian",
-                    /*ephemeral*/ false,
-                    "gpt-5",
-                )),
-            },
-            &mut events,
-        )
-        .await;
-    events.clear();
-
-    reducer
-        .ingest(
-            AnalyticsFact::Custom(CustomAnalyticsFact::GuardianReview(Box::new(
-                GuardianReviewEventParams {
-                    thread_id: "thread-guardian".to_string(),
-                    turn_id: "turn-guardian".to_string(),
-                    review_id: "review-guardian".to_string(),
-                    target_item_id: None,
-                    approval_request_source: GuardianApprovalRequestSource::DelegatedSubagent,
-                    reviewed_action: GuardianReviewedAction::NetworkAccess {
-                        protocol: NetworkApprovalProtocol::Https,
-                        port: 443,
-                    },
-                    reviewed_action_truncated: false,
-                    decision: GuardianReviewDecision::Denied,
-                    terminal_status: GuardianReviewTerminalStatus::TimedOut,
-                    failure_reason: Some(GuardianReviewFailureReason::Timeout),
-                    risk_level: None,
-                    user_authorization: None,
-                    outcome: None,
-                    guardian_thread_id: None,
-                    guardian_session_kind: None,
-                    guardian_model: None,
-                    guardian_reasoning_effort: None,
-                    had_prior_review_context: None,
-                    review_timeout_ms: 90_000,
-                    tool_call_count: None,
-                    time_to_first_token_ms: None,
-                    completion_latency_ms: Some(90_000),
-                    started_at: 100,
-                    completed_at: Some(190),
-                    input_tokens: None,
-                    cached_input_tokens: None,
-                    output_tokens: None,
-                    reasoning_output_tokens: None,
-                    total_tokens: None,
-                },
-            ))),
-            &mut events,
-        )
-        .await;
-
-    let payload = serde_json::to_value(&events).expect("serialize events");
-    assert_eq!(payload.as_array().expect("events array").len(), 1);
-    assert_eq!(payload[0]["event_type"], "codex_guardian_review");
-    assert_eq!(payload[0]["event_params"]["thread_id"], "thread-guardian");
-    assert_eq!(payload[0]["event_params"]["turn_id"], "turn-guardian");
-    assert_eq!(payload[0]["event_params"]["review_id"], "review-guardian");
-    assert_eq!(payload[0]["event_params"]["target_item_id"], json!(null));
-    assert_eq!(
-        payload[0]["event_params"]["approval_request_source"],
-        "delegated_subagent"
-    );
-    assert_eq!(
-        payload[0]["event_params"]["app_server_client"]["product_client_id"],
-        DEFAULT_ORIGINATOR
-    );
-    assert_eq!(
-        payload[0]["event_params"]["runtime"]["codex_rs_version"],
-        "0.1.0"
-    );
-    assert_eq!(
-        payload[0]["event_params"]["reviewed_action"]["type"],
-        "network_access"
-    );
-    assert_eq!(
-        payload[0]["event_params"]["reviewed_action"]["protocol"],
-        "https"
-    );
-    assert_eq!(payload[0]["event_params"]["reviewed_action"]["port"], 443);
-    assert!(payload[0]["event_params"].get("retry_reason").is_none());
-    assert!(payload[0]["event_params"].get("rationale").is_none());
-    assert!(
-        payload[0]["event_params"]["reviewed_action"]
-            .get("target")
-            .is_none()
-    );
-    assert!(
-        payload[0]["event_params"]["reviewed_action"]
-            .get("host")
-            .is_none()
-    );
-    assert_eq!(payload[0]["event_params"]["terminal_status"], "timed_out");
-    assert_eq!(payload[0]["event_params"]["failure_reason"], "timeout");
-    assert_eq!(payload[0]["event_params"]["review_timeout_ms"], 90_000);
-}
-
 #[test]
 fn subagent_thread_started_review_serializes_expected_shape() {
    let event = TrackEventRequest::ThreadInitialized(subagent_thread_started_event_request(
@@ -1333,7 +1179,7 @@ fn subagent_thread_started_other_serializes_explicit_parent_thread_id() {
        },
    ));

-    let payload = serde_json::to_value(&event).expect("serialize auto-review subagent event");
+    let payload = serde_json::to_value(&event).expect("serialize guardian subagent event");
    assert_eq!(payload["event_params"]["subagent_source"], "guardian");
    assert_eq!(
        payload["event_params"]["parent_thread_id"],
@@ -1436,109 +1282,6 @@ fn plugin_management_event_serializes_expected_shape() {
    );
 }

-#[test]
-fn hook_run_event_serializes_expected_shape() {
-    let tracking = TrackEventsContext {
-        model_slug: "gpt-5".to_string(),
-        thread_id: "thread-3".to_string(),
-        turn_id: "turn-3".to_string(),
-    };
-    let event = TrackEventRequest::HookRun(CodexHookRunEventRequest {
-        event_type: "codex_hook_run",
-        event_params: codex_hook_run_metadata(
-            &tracking,
-            HookRunFact {
-                event_name: HookEventName::PreToolUse,
-                hook_source: HookSource::User,
-                status: HookRunStatus::Completed,
-            },
-        ),
-    });
-
-    let payload = serde_json::to_value(&event).expect("serialize hook run event");
-
-    assert_eq!(
-        payload,
-        json!({
-            "event_type": "codex_hook_run",
-            "event_params": {
-                "thread_id": "thread-3",
-                "turn_id": "turn-3",
-                "model_slug": "gpt-5",
-                "hook_name": "PreToolUse",
-                "hook_source": "user",
-                "status": "completed"
-            }
-        })
-    );
-}
-
-#[test]
-fn hook_run_metadata_maps_sources_and_statuses() {
-    let tracking = TrackEventsContext {
-        model_slug: "gpt-5".to_string(),
-        thread_id: "thread-1".to_string(),
-        turn_id: "turn-1".to_string(),
-    };
-
-    let system = serde_json::to_value(codex_hook_run_metadata(
-        &tracking,
-        HookRunFact {
-            event_name: HookEventName::SessionStart,
-            hook_source: HookSource::System,
-            status: HookRunStatus::Completed,
-        },
-    ))
-    .expect("serialize system hook");
-    let project = serde_json::to_value(codex_hook_run_metadata(
-        &tracking,
-        HookRunFact {
-            event_name: HookEventName::Stop,
-            hook_source: HookSource::Project,
-            status: HookRunStatus::Blocked,
-        },
-    ))
-    .expect("serialize project hook");
-    let unknown = serde_json::to_value(codex_hook_run_metadata(
-        &tracking,
-        HookRunFact {
-            event_name: HookEventName::UserPromptSubmit,
-            hook_source: HookSource::Unknown,
-            status: HookRunStatus::Failed,
-        },
-    ))
-    .expect("serialize unknown hook");
-
-    assert_eq!(system["hook_source"], "system");
-    assert_eq!(system["status"], "completed");
-    assert_eq!(project["hook_source"], "project");
-    assert_eq!(project["status"], "blocked");
-    assert_eq!(unknown["hook_source"], "unknown");
-    assert_eq!(unknown["status"], "failed");
-}
-
-#[test]
-fn hook_run_metadata_maps_stopped_status() {
-    let tracking = TrackEventsContext {
-        model_slug: "gpt-5".to_string(),
-        thread_id: "thread-1".to_string(),
-        turn_id: "turn-1".to_string(),
-    };
-
-    let stopped = serde_json::to_value(codex_hook_run_metadata(
-        &tracking,
-        HookRunFact {
-            event_name: HookEventName::Stop,
-            hook_source: HookSource::User,
-            status: HookRunStatus::Stopped,
-        },
-    ))
-    .expect("serialize stopped hook");
-
-    assert_eq!(stopped["hook_source"], "user");
-    assert_eq!(stopped["status"], "stopped");
-}
-
 #[test]
 fn plugin_used_dedupe_is_keyed_by_turn_and_plugin() {
    let (sender, _receiver) = mpsc::channel(1);
@@ -1616,37 +1359,6 @@ async fn reducer_ingests_skill_invoked_fact() {
    );
 }

-#[tokio::test]
-async fn reducer_ingests_hook_run_fact() {
-    let mut reducer = AnalyticsReducer::default();
-    let mut events = Vec::new();
-
-    reducer
-        .ingest(
-            AnalyticsFact::Custom(CustomAnalyticsFact::HookRun(HookRunInput {
-                tracking: TrackEventsContext {
-                    model_slug: "gpt-5".to_string(),
-                    thread_id: "thread-1".to_string(),
-                    turn_id: "turn-1".to_string(),
-                },
-                hook: HookRunFact {
-                    event_name: HookEventName::PostToolUse,
-                    hook_source: HookSource::Unknown,
-                    status: HookRunStatus::Failed,
-                },
-            })),
-            &mut events,
-        )
-        .await;
-
-    let payload = serde_json::to_value(&events).expect("serialize events");
-    assert_eq!(payload.as_array().expect("events array").len(), 1);
-    assert_eq!(payload[0]["event_type"], "codex_hook_run");
-    assert_eq!(payload[0]["event_params"]["hook_name"], "PostToolUse");
-    assert_eq!(payload[0]["event_params"]["hook_source"], "unknown");
-    assert_eq!(payload[0]["event_params"]["status"], "failed");
-}
-
 #[tokio::test]
 async fn reducer_ingests_app_and_plugin_facts() {
    let mut reducer = AnalyticsReducer::default();
@@ -1757,7 +1469,7 @@ fn turn_event_serializes_expected_shape() {
            reasoning_summary: Some("detailed".to_string()),
            service_tier: "flex".to_string(),
            approval_policy: "on-request".to_string(),
-            approvals_reviewer: "auto_review".to_string(),
+            approvals_reviewer: "guardian_subagent".to_string(),
            sandbox_network_access: true,
            collaboration_mode: Some("plan"),
            personality: Some("pragmatic".to_string()),
@@ -1818,7 +1530,7 @@ fn turn_event_serializes_expected_shape() {
                "reasoning_summary": "detailed",
                "service_tier": "flex",
                "approval_policy": "on-request",
-                "approvals_reviewer": "auto_review",
+                "approvals_reviewer": "guardian_subagent",
                "sandbox_network_access": true,
                "collaboration_mode": "plan",
                "personality": "pragmatic",
--- a/codex-rs/analytics/src/client.rs
+++ b/codex-rs/analytics/src/client.rs
@@ -1,6 +1,5 @@
 use crate::events::AppServerRpcTransport;
-use crate::events::GuardianReviewAnalyticsResult;
-use crate::events::GuardianReviewTrackContext;
+use crate::events::GuardianReviewEventParams;
 use crate::events::TrackEventRequest;
 use crate::events::TrackEventsRequest;
 use crate::events::current_runtime_metadata;
@@ -10,8 +9,6 @@ use crate::facts::AppInvocation;
 use crate::facts::AppMentionedInput;
 use crate::facts::AppUsedInput;
 use crate::facts::CustomAnalyticsFact;
-use crate::facts::HookRunFact;
-use crate::facts::HookRunInput;
 use crate::facts::PluginState;
 use crate::facts::PluginStateChangedInput;
 use crate::facts::SkillInvocation;
@@ -162,13 +159,9 @@ impl AnalyticsEventsClient {
        ));
    }

-    pub fn track_guardian_review(
-        &self,
-        tracking: &GuardianReviewTrackContext,
-        result: GuardianReviewAnalyticsResult,
-    ) {
+    pub fn track_guardian_review(&self, input: GuardianReviewEventParams) {
        self.record_fact(AnalyticsFact::Custom(CustomAnalyticsFact::GuardianReview(
-            Box::new(tracking.event_params(result)),
+            Box::new(input),
        )));
    }

@@ -198,12 +191,6 @@ impl AnalyticsEventsClient {
        )));
    }

-    pub fn track_hook_run(&self, tracking: TrackEventsContext, hook: HookRunFact) {
-        self.record_fact(AnalyticsFact::Custom(CustomAnalyticsFact::HookRun(
-            HookRunInput { tracking, hook },
-        )));
-    }
-
    pub fn track_plugin_used(&self, tracking: TrackEventsContext, plugin: PluginTelemetryMetadata) {
        if !self.queue.should_enqueue_plugin_used(&tracking, &plugin) {
            return;
@@ -312,9 +299,16 @@ async fn send_track_events(
    let Some(auth) = auth_manager.auth().await else {
        return;
    };
-    if !auth.uses_codex_backend() {
+    if !auth.is_chatgpt_auth() {
        return;
    }
+    let access_token = match auth.get_token() {
+        Ok(token) => token,
+        Err(_) => return,
+    };
+    let Some(account_id) = auth.get_account_id() else {
+        return;
+    };

    let base_url = base_url.trim_end_matches('/');
    let url = format!("{base_url}/codex/analytics-events/events");
@@ -323,7 +317,8 @@ async fn send_track_events(
    let response = create_client()
        .post(&url)
        .timeout(ANALYTICS_EVENTS_TIMEOUT)
-        .headers(codex_model_provider::auth_provider_from_auth(&auth).to_auth_headers())
+        .bearer_auth(&access_token)
+        .header("chatgpt-account-id", &account_id)
        .header("Content-Type", "application/json")
        .json(&payload)
        .send()
--- a/codex-rs/analytics/src/events.rs
+++ b/codex-rs/analytics/src/events.rs
@@ -1,14 +1,5 @@
-use std::time::Instant;
-
 use crate::facts::AppInvocation;
 use crate::facts::CodexCompactionEvent;
-use crate::facts::CompactionImplementation;
-use crate::facts::CompactionPhase;
-use crate::facts::CompactionReason;
-use crate::facts::CompactionStatus;
-use crate::facts::CompactionStrategy;
-use crate::facts::CompactionTrigger;
-use crate::facts::HookRunFact;
 use crate::facts::InvocationType;
 use crate::facts::PluginState;
 use crate::facts::SubAgentThreadStartedInput;
@@ -18,22 +9,13 @@ use crate::facts::TurnStatus;
 use crate::facts::TurnSteerRejectionReason;
 use crate::facts::TurnSteerResult;
 use crate::facts::TurnSubmissionType;
-use crate::now_unix_seconds;
 use codex_app_server_protocol::CodexErrorInfo;
 use codex_login::default_client::originator;
 use codex_plugin::PluginTelemetryMetadata;
 use codex_protocol::approvals::NetworkApprovalProtocol;
-use codex_protocol::models::AdditionalPermissionProfile;
+use codex_protocol::models::PermissionProfile;
 use codex_protocol::models::SandboxPermissions;
-use codex_protocol::protocol::GuardianAssessmentOutcome;
-use codex_protocol::protocol::GuardianCommandSource;
-use codex_protocol::protocol::GuardianRiskLevel;
-use codex_protocol::protocol::GuardianUserAuthorization;
-use codex_protocol::protocol::HookEventName;
-use codex_protocol::protocol::HookRunStatus;
-use codex_protocol::protocol::HookSource;
 use codex_protocol::protocol::SubAgentSource;
-use codex_protocol::protocol::TokenUsage;
 use serde::Serialize;

 #[derive(Clone, Copy, Debug, Serialize)]
@@ -57,7 +39,6 @@ pub(crate) enum TrackEventRequest {
    GuardianReview(Box<GuardianReviewEventRequest>),
    AppMentioned(CodexAppMentionedEventRequest),
    AppUsed(CodexAppUsedEventRequest),
-    HookRun(CodexHookRunEventRequest),
    Compaction(Box<CodexCompactionEventRequest>),
    TurnEvent(Box<CodexTurnEventRequest>),
    TurnSteer(CodexTurnSteerEventRequest),
@@ -165,6 +146,31 @@ pub enum GuardianReviewSessionKind {
    EphemeralForked,
 }

+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "lowercase")]
+pub enum GuardianReviewRiskLevel {
+    Low,
+    Medium,
+    High,
+    Critical,
+}
+
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "lowercase")]
+pub enum GuardianReviewUserAuthorization {
+    Unknown,
+    Low,
+    Medium,
+    High,
+}
+
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "lowercase")]
+pub enum GuardianReviewOutcome {
+    Allow,
+    Deny,
+}
+
 #[derive(Clone, Copy, Debug, Serialize)]
 #[serde(rename_all = "snake_case")]
 pub enum GuardianApprovalRequestSource {
@@ -179,21 +185,36 @@ pub enum GuardianApprovalRequestSource {
 #[serde(tag = "type", rename_all = "snake_case")]
 pub enum GuardianReviewedAction {
    Shell {
+        command: Vec<String>,
+        command_display: String,
+        cwd: String,
        sandbox_permissions: SandboxPermissions,
-        additional_permissions: Option<AdditionalPermissionProfile>,
+        additional_permissions: Option<PermissionProfile>,
+        justification: Option<String>,
    },
    UnifiedExec {
+        command: Vec<String>,
+        command_display: String,
+        cwd: String,
        sandbox_permissions: SandboxPermissions,
-        additional_permissions: Option<AdditionalPermissionProfile>,
+        additional_permissions: Option<PermissionProfile>,
+        justification: Option<String>,
        tty: bool,
    },
    Execve {
        source: GuardianCommandSource,
        program: String,
-        additional_permissions: Option<AdditionalPermissionProfile>,
+        argv: Vec<String>,
+        cwd: String,
+        additional_permissions: Option<PermissionProfile>,
+    },
+    ApplyPatch {
+        cwd: String,
+        files: Vec<String>,
    },
-    ApplyPatch {},
    NetworkAccess {
+        target: String,
+        host: String,
        protocol: NetworkApprovalProtocol,
        port: u16,
    },
@@ -204,7 +225,13 @@ pub enum GuardianReviewedAction {
        connector_name: Option<String>,
        tool_title: Option<String>,
    },
-    RequestPermissions {},
+}
+
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "snake_case")]
+pub enum GuardianCommandSource {
+    Shell,
+    UnifiedExec,
 }

 #[derive(Clone, Serialize)]
@@ -212,23 +239,25 @@ pub struct GuardianReviewEventParams {
    pub thread_id: String,
    pub turn_id: String,
    pub review_id: String,
-    pub target_item_id: Option<String>,
+    pub target_item_id: String,
+    pub retry_reason: Option<String>,
    pub approval_request_source: GuardianApprovalRequestSource,
    pub reviewed_action: GuardianReviewedAction,
    pub reviewed_action_truncated: bool,
    pub decision: GuardianReviewDecision,
    pub terminal_status: GuardianReviewTerminalStatus,
    pub failure_reason: Option<GuardianReviewFailureReason>,
-    pub risk_level: Option<GuardianRiskLevel>,
-    pub user_authorization: Option<GuardianUserAuthorization>,
-    pub outcome: Option<GuardianAssessmentOutcome>,
+    pub risk_level: Option<GuardianReviewRiskLevel>,
+    pub user_authorization: Option<GuardianReviewUserAuthorization>,
+    pub outcome: Option<GuardianReviewOutcome>,
+    pub rationale: Option<String>,
    pub guardian_thread_id: Option<String>,
    pub guardian_session_kind: Option<GuardianReviewSessionKind>,
    pub guardian_model: Option<String>,
    pub guardian_reasoning_effort: Option<String>,
    pub had_prior_review_context: Option<bool>,
    pub review_timeout_ms: u64,
-    pub tool_call_count: Option<u64>,
+    pub tool_call_count: u64,
    pub time_to_first_token_ms: Option<u64>,
    pub completion_latency_ms: Option<u64>,
    pub started_at: u64,
@@ -240,142 +269,6 @@ pub struct GuardianReviewEventParams {
    pub total_tokens: Option<i64>,
 }

-pub struct GuardianReviewTrackContext {
-    thread_id: String,
-    turn_id: String,
-    review_id: String,
-    target_item_id: Option<String>,
-    approval_request_source: GuardianApprovalRequestSource,
-    reviewed_action: GuardianReviewedAction,
-    review_timeout_ms: u64,
-    started_at: u64,
-    started_instant: Instant,
-}
-
-impl GuardianReviewTrackContext {
-    pub fn new(
-        thread_id: String,
-        turn_id: String,
-        review_id: String,
-        target_item_id: Option<String>,
-        approval_request_source: GuardianApprovalRequestSource,
-        reviewed_action: GuardianReviewedAction,
-        review_timeout_ms: u64,
-    ) -> Self {
-        Self {
-            thread_id,
-            turn_id,
-            review_id,
-            target_item_id,
-            approval_request_source,
-            reviewed_action,
-            review_timeout_ms,
-            started_at: now_unix_seconds(),
-            started_instant: Instant::now(),
-        }
-    }
-
-    pub(crate) fn event_params(
-        &self,
-        result: GuardianReviewAnalyticsResult,
-    ) -> GuardianReviewEventParams {
-        GuardianReviewEventParams {
-            thread_id: self.thread_id.clone(),
-            turn_id: self.turn_id.clone(),
-            review_id: self.review_id.clone(),
-            target_item_id: self.target_item_id.clone(),
-            approval_request_source: self.approval_request_source,
-            reviewed_action: self.reviewed_action.clone(),
-            reviewed_action_truncated: result.reviewed_action_truncated,
-            decision: result.decision,
-            terminal_status: result.terminal_status,
-            failure_reason: result.failure_reason,
-            risk_level: result.risk_level,
-            user_authorization: result.user_authorization,
-            outcome: result.outcome,
-            guardian_thread_id: result.guardian_thread_id,
-            guardian_session_kind: result.guardian_session_kind,
-            guardian_model: result.guardian_model,
-            guardian_reasoning_effort: result.guardian_reasoning_effort,
-            had_prior_review_context: result.had_prior_review_context,
-            review_timeout_ms: self.review_timeout_ms,
-            // TODO(rhan-oai): plumb nested Guardian review session tool-call counts.
-            tool_call_count: None,
-            time_to_first_token_ms: result.time_to_first_token_ms,
-            completion_latency_ms: Some(self.started_instant.elapsed().as_millis() as u64),
-            started_at: self.started_at,
-            completed_at: Some(now_unix_seconds()),
-            input_tokens: result.token_usage.as_ref().map(|usage| usage.input_tokens),
-            cached_input_tokens: result
-                .token_usage
-                .as_ref()
-                .map(|usage| usage.cached_input_tokens),
-            output_tokens: result.token_usage.as_ref().map(|usage| usage.output_tokens),
-            reasoning_output_tokens: result
-                .token_usage
-                .as_ref()
-                .map(|usage| usage.reasoning_output_tokens),
-            total_tokens: result.token_usage.as_ref().map(|usage| usage.total_tokens),
-        }
-    }
-}
-
-#[derive(Debug)]
-pub struct GuardianReviewAnalyticsResult {
-    pub decision: GuardianReviewDecision,
-    pub terminal_status: GuardianReviewTerminalStatus,
-    pub failure_reason: Option<GuardianReviewFailureReason>,
-    pub risk_level: Option<GuardianRiskLevel>,
-    pub user_authorization: Option<GuardianUserAuthorization>,
-    pub outcome: Option<GuardianAssessmentOutcome>,
-    pub guardian_thread_id: Option<String>,
-    pub guardian_session_kind: Option<GuardianReviewSessionKind>,
-    pub guardian_model: Option<String>,
-    pub guardian_reasoning_effort: Option<String>,
-    pub had_prior_review_context: Option<bool>,
-    pub reviewed_action_truncated: bool,
-    pub token_usage: Option<TokenUsage>,
-    pub time_to_first_token_ms: Option<u64>,
-}
-
-impl GuardianReviewAnalyticsResult {
-    pub fn without_session() -> Self {
-        Self {
-            decision: GuardianReviewDecision::Denied,
-            terminal_status: GuardianReviewTerminalStatus::FailedClosed,
-            failure_reason: None,
-            risk_level: None,
-            user_authorization: None,
-            outcome: None,
-            guardian_thread_id: None,
-            guardian_session_kind: None,
-            guardian_model: None,
-            guardian_reasoning_effort: None,
-            had_prior_review_context: None,
-            reviewed_action_truncated: false,
-            token_usage: None,
-            time_to_first_token_ms: None,
-        }
-    }
-
-    pub fn from_session(
-        guardian_thread_id: String,
-        guardian_session_kind: GuardianReviewSessionKind,
-        guardian_model: String,
-        guardian_reasoning_effort: Option<String>,
-        had_prior_review_context: bool,
-    ) -> Self {
-        Self {
-            guardian_thread_id: Some(guardian_thread_id),
-            guardian_session_kind: Some(guardian_session_kind),
-            guardian_model: Some(guardian_model),
-            guardian_reasoning_effort,
-            had_prior_review_context: Some(had_prior_review_context),
-            ..Self::without_session()
-        }
-    }
-}
-
 #[derive(Serialize)]
 pub(crate) struct GuardianReviewEventPayload {
    pub(crate) app_server_client: CodexAppServerClientMetadata,
@@ -407,22 +300,6 @@ pub(crate) struct CodexAppUsedEventRequest {
    pub(crate) event_params: CodexAppMetadata,
 }

-#[derive(Serialize)]
-pub(crate) struct CodexHookRunMetadata {
-    pub(crate) thread_id: Option<String>,
-    pub(crate) turn_id: Option<String>,
-    pub(crate) model_slug: Option<String>,
-    pub(crate) hook_name: Option<String>,
-    pub(crate) hook_source: Option<&'static str>,
-    pub(crate) status: Option<HookRunStatus>,
-}
-
-#[derive(Serialize)]
-pub(crate) struct CodexHookRunEventRequest {
-    pub(crate) event_type: &'static str,
-    pub(crate) event_params: CodexHookRunMetadata,
-}
-
 #[derive(Serialize)]
 pub(crate) struct CodexCompactionEventParams {
    pub(crate) thread_id: String,
@@ -432,12 +309,12 @@ pub(crate) struct CodexCompactionEventParams {
    pub(crate) thread_source: Option<&'static str>,
    pub(crate) subagent_source: Option<String>,
    pub(crate) parent_thread_id: Option<String>,
-    pub(crate) trigger: CompactionTrigger,
-    pub(crate) reason: CompactionReason,
-    pub(crate) implementation: CompactionImplementation,
-    pub(crate) phase: CompactionPhase,
-    pub(crate) strategy: CompactionStrategy,
-    pub(crate) status: CompactionStatus,
+    pub(crate) trigger: crate::facts::CompactionTrigger,
+    pub(crate) reason: crate::facts::CompactionReason,
+    pub(crate) implementation: crate::facts::CompactionImplementation,
+    pub(crate) phase: crate::facts::CompactionPhase,
+    pub(crate) strategy: crate::facts::CompactionStrategy,
+    pub(crate) status: crate::facts::CompactionStatus,
    pub(crate) error: Option<String>,
    pub(crate) active_context_tokens_before: i64,
    pub(crate) active_context_tokens_after: i64,
@@ -652,44 +529,6 @@ pub(crate) fn codex_plugin_used_metadata(
    }
 }

-pub(crate) fn codex_hook_run_metadata(
-    tracking: &TrackEventsContext,
-    hook: HookRunFact,
-) -> CodexHookRunMetadata {
-    CodexHookRunMetadata {
-        thread_id: Some(tracking.thread_id.clone()),
-        turn_id: Some(tracking.turn_id.clone()),
-        model_slug: Some(tracking.model_slug.clone()),
-        hook_name: Some(analytics_hook_event_name(hook.event_name).to_owned()),
-        hook_source: Some(analytics_hook_source(hook.hook_source)),
-        status: Some(analytics_hook_status(hook.status)),
-    }
-}
-
-fn analytics_hook_event_name(event_name: HookEventName) -> &'static str {
-    match event_name {
-        HookEventName::PreToolUse => "PreToolUse",
-        HookEventName::PermissionRequest => "PermissionRequest",
-        HookEventName::PostToolUse => "PostToolUse",
-        HookEventName::SessionStart => "SessionStart",
-        HookEventName::UserPromptSubmit => "UserPromptSubmit",
-        HookEventName::Stop => "Stop",
-    }
-}
-
-fn analytics_hook_source(source: HookSource) -> &'static str {
-    match source {
-        HookSource::System => "system",
-        HookSource::User => "user",
-        HookSource::Project => "project",
-        HookSource::Mdm => "mdm",
-        HookSource::SessionFlags => "session_flags",
-        HookSource::LegacyManagedConfigFile => "legacy_managed_config_file",
-        HookSource::LegacyManagedConfigMdm => "legacy_managed_config_mdm",
-        HookSource::Unknown => "unknown",
-    }
-}
-
 pub(crate) fn current_runtime_metadata() -> CodexRuntimeMetadata {
    let os_info = os_info::get();
    CodexRuntimeMetadata {
@@ -747,11 +586,3 @@ pub(crate) fn subagent_parent_thread_id(subagent_source: &SubAgentSource) -> Opt
        _ => None,
    }
 }
-
-fn analytics_hook_status(status: HookRunStatus) -> HookRunStatus {
-    match status {
-        // Running is unexpected here and normalized defensively.
-        HookRunStatus::Running => HookRunStatus::Failed,
-        other => other,
-    }
-}
--- a/codex-rs/analytics/src/facts.rs
+++ b/codex-rs/analytics/src/facts.rs
@@ -13,12 +13,9 @@ use codex_protocol::config_types::ModeKind;
 use codex_protocol::config_types::Personality;
 use codex_protocol::config_types::ReasoningSummary;
 use codex_protocol::config_types::ServiceTier;
-use codex_protocol::models::PermissionProfile;
 use codex_protocol::openai_models::ReasoningEffort;
 use codex_protocol::protocol::AskForApproval;
-use codex_protocol::protocol::HookEventName;
-use codex_protocol::protocol::HookRunStatus;
-use codex_protocol::protocol::HookSource;
+use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::SessionSource;
 use codex_protocol::protocol::SkillScope;
 use codex_protocol::protocol::SubAgentSource;
@@ -62,8 +59,7 @@ pub struct TurnResolvedConfigFact {
    pub session_source: SessionSource,
    pub model: String,
    pub model_provider: String,
-    pub permission_profile: PermissionProfile,
-    pub permission_profile_cwd: PathBuf,
+    pub sandbox_policy: SandboxPolicy,
    pub reasoning_effort: Option<ReasoningEffort>,
    pub reasoning_summary: Option<ReasoningSummary>,
    pub service_tier: Option<ServiceTier>,
@@ -302,7 +298,6 @@ pub(crate) enum CustomAnalyticsFact {
    SkillInvoked(SkillInvokedInput),
    AppMentioned(AppMentionedInput),
    AppUsed(AppUsedInput),
-    HookRun(HookRunInput),
    PluginUsed(PluginUsedInput),
    PluginStateChanged(PluginStateChangedInput),
 }
@@ -322,17 +317,6 @@ pub(crate) struct AppUsedInput {
    pub app: AppInvocation,
 }

-pub(crate) struct HookRunInput {
-    pub tracking: TrackEventsContext,
-    pub hook: HookRunFact,
-}
-
-pub struct HookRunFact {
-    pub event_name: HookEventName,
-    pub hook_source: HookSource,
-    pub status: HookRunStatus,
-}
-
 pub(crate) struct PluginUsedInput {
    pub tracking: TrackEventsContext,
    pub plugin: PluginTelemetryMetadata,
--- a/codex-rs/analytics/src/lib.rs
+++ b/codex-rs/analytics/src/lib.rs
@@ -9,13 +9,15 @@ use std::time::UNIX_EPOCH;
 pub use client::AnalyticsEventsClient;
 pub use events::AppServerRpcTransport;
 pub use events::GuardianApprovalRequestSource;
-pub use events::GuardianReviewAnalyticsResult;
+pub use events::GuardianCommandSource;
 pub use events::GuardianReviewDecision;
 pub use events::GuardianReviewEventParams;
 pub use events::GuardianReviewFailureReason;
+pub use events::GuardianReviewOutcome;
+pub use events::GuardianReviewRiskLevel;
 pub use events::GuardianReviewSessionKind;
 pub use events::GuardianReviewTerminalStatus;
-pub use events::GuardianReviewTrackContext;
+pub use events::GuardianReviewUserAuthorization;
 pub use events::GuardianReviewedAction;
 pub use facts::AnalyticsJsonRpcError;
 pub use facts::AppInvocation;
@@ -27,7 +29,6 @@ pub use facts::CompactionReason;
 pub use facts::CompactionStatus;
 pub use facts::CompactionStrategy;
 pub use facts::CompactionTrigger;
-pub use facts::HookRunFact;
 pub use facts::InputError;
 pub use facts::InvocationType;
 pub use facts::SkillInvocation;
--- a/codex-rs/analytics/src/reducer.rs
+++ b/codex-rs/analytics/src/reducer.rs
@@ -3,7 +3,6 @@ use crate::events::CodexAppMentionedEventRequest;
 use crate::events::CodexAppServerClientMetadata;
 use crate::events::CodexAppUsedEventRequest;
 use crate::events::CodexCompactionEventRequest;
-use crate::events::CodexHookRunEventRequest;
 use crate::events::CodexPluginEventRequest;
 use crate::events::CodexPluginUsedEventRequest;
 use crate::events::CodexRuntimeMetadata;
@@ -21,7 +20,6 @@ use crate::events::ThreadInitializedEventParams;
 use crate::events::TrackEventRequest;
 use crate::events::codex_app_metadata;
 use crate::events::codex_compaction_event_params;
-use crate::events::codex_hook_run_metadata;
 use crate::events::codex_plugin_metadata;
 use crate::events::codex_plugin_used_metadata;
 use crate::events::plugin_state_event_type;
@@ -34,7 +32,6 @@ use crate::facts::AppMentionedInput;
 use crate::facts::AppUsedInput;
 use crate::facts::CodexCompactionEvent;
 use crate::facts::CustomAnalyticsFact;
-use crate::facts::HookRunInput;
 use crate::facts::PluginState;
 use crate::facts::PluginStateChangedInput;
 use crate::facts::PluginUsedInput;
@@ -61,7 +58,6 @@ use codex_login::default_client::originator;
 use codex_protocol::config_types::ModeKind;
 use codex_protocol::config_types::Personality;
 use codex_protocol::config_types::ReasoningSummary;
-use codex_protocol::models::PermissionProfile;
 use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::SessionSource;
 use codex_protocol::protocol::SkillScope;
@@ -221,9 +217,6 @@ impl AnalyticsReducer {
                CustomAnalyticsFact::AppUsed(input) => {
                    self.ingest_app_used(input, out);
                }
-                CustomAnalyticsFact::HookRun(input) => {
-                    self.ingest_hook_run(input, out);
-                }
                CustomAnalyticsFact::PluginUsed(input) => {
                    self.ingest_plugin_used(input, out);
                }
@@ -449,14 +442,6 @@ impl AnalyticsReducer {
        }));
    }

-    fn ingest_hook_run(&mut self, input: HookRunInput, out: &mut Vec<TrackEventRequest>) {
-        let HookRunInput { tracking, hook } = input;
-        out.push(TrackEventRequest::HookRun(CodexHookRunEventRequest {
-            event_type: "codex_hook_run",
-            event_params: codex_hook_run_metadata(&tracking, hook),
-        }));
-    }
-
    fn ingest_plugin_used(&mut self, input: PluginUsedInput, out: &mut Vec<TrackEventRequest>) {
        let PluginUsedInput { tracking, plugin } = input;
        out.push(TrackEventRequest::PluginUsed(CodexPluginUsedEventRequest {
@@ -885,8 +870,7 @@ fn codex_turn_event_params(
        session_source: _session_source,
        model,
        model_provider,
-        permission_profile,
-        permission_profile_cwd,
+        sandbox_policy,
        reasoning_effort,
        reasoning_summary,
        service_tier,
@@ -911,10 +895,7 @@ fn codex_turn_event_params(
        parent_thread_id: thread_metadata.parent_thread_id.clone(),
        model: Some(model),
        model_provider,
-        sandbox_policy: Some(sandbox_policy_mode(
-            &permission_profile,
-            permission_profile_cwd.as_path(),
-        )),
+        sandbox_policy: Some(sandbox_policy_mode(&sandbox_policy)),
        reasoning_effort: reasoning_effort.map(|value| value.to_string()),
        reasoning_summary: reasoning_summary_mode(reasoning_summary),
        service_tier: service_tier
@@ -959,19 +940,12 @@ fn codex_turn_event_params(
    }
 }

-fn sandbox_policy_mode(permission_profile: &PermissionProfile, cwd: &Path) -> &'static str {
-    match permission_profile {
-        PermissionProfile::Disabled => "full_access",
-        PermissionProfile::External { .. } => "external_sandbox",
-        PermissionProfile::Managed { .. } => {
-            match permission_profile.to_legacy_sandbox_policy(cwd) {
-                Ok(SandboxPolicy::DangerFullAccess) => "full_access",
-                Ok(SandboxPolicy::ReadOnly { .. }) => "read_only",
-                Ok(SandboxPolicy::WorkspaceWrite { .. }) => "workspace_write",
-                Ok(SandboxPolicy::ExternalSandbox { .. }) => "external_sandbox",
-                Err(_) => "workspace_write",
-            }
-        }
+fn sandbox_policy_mode(sandbox_policy: &SandboxPolicy) -> &'static str {
+    match sandbox_policy {
+        SandboxPolicy::DangerFullAccess => "full_access",
+        SandboxPolicy::ReadOnly { .. } => "read_only",
+        SandboxPolicy::WorkspaceWrite { .. } => "workspace_write",
+        SandboxPolicy::ExternalSandbox { .. } => "external_sandbox",
    }
 }

--- a/codex-rs/app-server-client/Cargo.toml
+++ b/codex-rs/app-server-client/Cargo.toml
@@ -15,7 +15,6 @@ workspace = true
 codex-app-server = { workspace = true }
 codex-app-server-protocol = { workspace = true }
 codex-arg0 = { workspace = true }
-codex-config = { workspace = true }
 codex-core = { workspace = true }
 codex-exec-server = { workspace = true }
 codex-feedback = { workspace = true }
--- a/codex-rs/app-server-client/src/lib.rs
+++ b/codex-rs/app-server-client/src/lib.rs
@@ -41,14 +41,10 @@ use codex_app_server_protocol::Result as JsonRpcResult;
 use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::ServerRequest;
 use codex_arg0::Arg0DispatchPaths;
-use codex_config::CloudRequirementsLoader;
-use codex_config::LoaderOverrides;
-use codex_config::NoopThreadConfigLoader;
-use codex_config::RemoteThreadConfigLoader;
-use codex_config::ThreadConfigLoader;
 use codex_core::config::Config;
+use codex_core::config_loader::CloudRequirementsLoader;
+use codex_core::config_loader::LoaderOverrides;
 pub use codex_exec_server::EnvironmentManager;
-pub use codex_exec_server::EnvironmentManagerArgs;
 pub use codex_exec_server::ExecServerRuntimePaths;
 use codex_feedback::CodexFeedback;
 use codex_protocol::protocol::SessionSource;
@@ -68,15 +64,29 @@ pub use crate::remote::RemoteAppServerConnectArgs;
 /// module exists so clients can remove a direct `codex-core` dependency
 /// while legacy startup/config paths are migrated to RPCs.
 pub mod legacy_core {
-    pub use codex_core::DEFAULT_AGENTS_MD_FILENAME;
-    pub use codex_core::LOCAL_AGENTS_MD_FILENAME;
+    pub use codex_core::Cursor;
+    pub use codex_core::DEFAULT_PROJECT_DOC_FILENAME;
+    pub use codex_core::INTERACTIVE_SESSION_SOURCES;
+    pub use codex_core::LOCAL_PROJECT_DOC_FILENAME;
    pub use codex_core::McpManager;
+    pub use codex_core::PLUGIN_TEXT_MENTION_SIGIL;
+    pub use codex_core::RolloutRecorder;
+    pub use codex_core::TOOL_MENTION_SIGIL;
+    pub use codex_core::ThreadItem;
+    pub use codex_core::ThreadSortKey;
+    pub use codex_core::ThreadsPage;
    pub use codex_core::append_message_history_entry;
    pub use codex_core::check_execpolicy_for_warnings;
+    pub use codex_core::discover_project_doc_paths;
+    pub use codex_core::find_thread_meta_by_name_str;
+    pub use codex_core::find_thread_name_by_id;
+    pub use codex_core::find_thread_names_by_ids;
    pub use codex_core::format_exec_policy_error_with_source;
    pub use codex_core::grant_read_root_non_elevated;
    pub use codex_core::lookup_message_history_entry;
    pub use codex_core::message_history_metadata;
+    pub use codex_core::path_utils;
+    pub use codex_core::read_session_meta_line;
    pub use codex_core::web_search_detail;

    pub mod config {
@@ -87,6 +97,10 @@ pub mod legacy_core {
        }
    }

+    pub mod config_loader {
+        pub use codex_core::config_loader::*;
+    }
+
    pub mod connectors {
        pub use codex_core::connectors::*;
    }
@@ -100,7 +114,7 @@ pub mod legacy_core {
    }

    pub mod plugins {
-        pub use codex_core::plugins::PluginsManager;
+        pub use codex_core::plugins::*;
    }

    pub mod review_format {
@@ -111,6 +125,10 @@ pub mod legacy_core {
        pub use codex_core::review_prompts::*;
    }

+    pub mod skills {
+        pub use codex_core::skills::*;
+    }
+
    pub mod test_support {
        pub use codex_core::test_support::*;
    }
@@ -359,13 +377,6 @@ pub struct InProcessClientStartArgs {
    pub channel_capacity: usize,
 }

-fn configured_thread_config_loader(config: &Config) -> Arc<dyn ThreadConfigLoader> {
-    match config.experimental_thread_config_endpoint.as_deref() {
-        Some(endpoint) => Arc::new(RemoteThreadConfigLoader::new(endpoint)),
-        None => Arc::new(NoopThreadConfigLoader),
-    }
-}
-
 impl InProcessClientStartArgs {
    /// Builds initialize params from caller-provided metadata.
    pub fn initialize_params(&self) -> InitializeParams {
@@ -390,14 +401,12 @@ impl InProcessClientStartArgs {

    fn into_runtime_start_args(self) -> InProcessStartArgs {
        let initialize = self.initialize_params();
-        let thread_config_loader = configured_thread_config_loader(&self.config);
        InProcessStartArgs {
            arg0_paths: self.arg0_paths,
            config: self.config,
            cli_overrides: self.cli_overrides,
            loader_overrides: self.loader_overrides,
            cloud_requirements: self.cloud_requirements,
-            thread_config_loader,
            feedback: self.feedback,
            log_db: self.log_db,
            environment_manager: self.environment_manager,
@@ -979,7 +988,7 @@ mod tests {
            cloud_requirements: CloudRequirementsLoader::default(),
            feedback: CodexFeedback::new(),
            log_db: None,
-            environment_manager: Arc::new(EnvironmentManager::default_for_tests()),
+            environment_manager: Arc::new(EnvironmentManager::new(/*exec_server_url*/ None)),
            config_warnings: Vec::new(),
            session_source,
            enable_codex_api_key_env: false,
@@ -1980,14 +1989,9 @@ mod tests {
    #[tokio::test]
    async fn runtime_start_args_forward_environment_manager() {
        let config = Arc::new(build_test_config().await);
-        let environment_manager = Arc::new(EnvironmentManager::new(EnvironmentManagerArgs {
-            exec_server_url: Some("ws://127.0.0.1:8765".to_string()),
-            local_runtime_paths: ExecServerRuntimePaths::new(
-                std::env::current_exe().expect("current exe"),
-                /*codex_linux_sandbox_exe*/ None,
-            )
-            .expect("runtime paths"),
-        }));
+        let environment_manager = Arc::new(EnvironmentManager::new(Some(
+            "ws://127.0.0.1:8765".to_string(),
+        )));

        let runtime_args = InProcessClientStartArgs {
            arg0_paths: Arg0DispatchPaths::default(),
@@ -2014,49 +2018,7 @@ mod tests {
            &runtime_args.environment_manager,
            &environment_manager
        ));
-        assert!(
-            runtime_args
-                .environment_manager
-                .default_environment()
-                .expect("default environment")
-                .is_remote()
-        );
-    }
-
-    #[tokio::test]
-    async fn runtime_start_args_use_remote_thread_config_loader_when_configured() {
-        let mut config = build_test_config().await;
-        config.experimental_thread_config_endpoint = Some("not-a-valid-endpoint".to_string());
-
-        let runtime_args = InProcessClientStartArgs {
-            arg0_paths: Arg0DispatchPaths::default(),
-            config: Arc::new(config),
-            cli_overrides: Vec::new(),
-            loader_overrides: LoaderOverrides::default(),
-            cloud_requirements: CloudRequirementsLoader::default(),
-            feedback: CodexFeedback::new(),
-            log_db: None,
-            environment_manager: Arc::new(EnvironmentManager::default_for_tests()),
-            config_warnings: Vec::new(),
-            session_source: SessionSource::Exec,
-            enable_codex_api_key_env: false,
-            client_name: "codex-app-server-client-test".to_string(),
-            client_version: "0.0.0-test".to_string(),
-            experimental_api: true,
-            opt_out_notification_methods: Vec::new(),
-            channel_capacity: DEFAULT_IN_PROCESS_CHANNEL_CAPACITY,
-        }
-        .into_runtime_start_args();
-
-        let err = runtime_args
-            .thread_config_loader
-            .load(Default::default())
-            .await
-            .expect_err("configured remote loader should try to connect");
-        assert_eq!(
-            err.code(),
-            codex_config::ThreadConfigLoadErrorCode::RequestFailed
-        );
+        assert!(runtime_args.environment_manager.is_remote());
    }

    #[tokio::test]
--- a/codex-rs/app-server-client/src/remote.rs
+++ b/codex-rs/app-server-client/src/remote.rs
@@ -20,6 +20,7 @@ use crate::RequestResult;
 use crate::SHUTDOWN_TIMEOUT;
 use crate::TypedRequestError;
 use crate::request_method_name;
+use crate::server_notification_requires_delivery;
 use codex_app_server_protocol::ClientInfo;
 use codex_app_server_protocol::ClientNotification;
 use codex_app_server_protocol::ClientRequest;
@@ -125,7 +126,7 @@ enum RemoteClientCommand {

 pub struct RemoteAppServerClient {
    command_tx: mpsc::Sender<RemoteClientCommand>,
-    event_rx: mpsc::UnboundedReceiver<AppServerEvent>,
+    event_rx: mpsc::Receiver<AppServerEvent>,
    pending_events: VecDeque<AppServerEvent>,
    worker_handle: tokio::task::JoinHandle<()>,
 }
@@ -194,10 +195,11 @@ impl RemoteAppServerClient {
        .await?;

        let (command_tx, mut command_rx) = mpsc::channel::<RemoteClientCommand>(channel_capacity);
-        let (event_tx, event_rx) = mpsc::unbounded_channel::<AppServerEvent>();
+        let (event_tx, event_rx) = mpsc::channel::<AppServerEvent>(channel_capacity);
        let worker_handle = tokio::spawn(async move {
            let mut pending_requests =
                HashMap::<RequestId, oneshot::Sender<IoResult<RequestResult>>>::new();
+            let mut skipped_events = 0usize;
            loop {
                tokio::select! {
                    command = command_rx.recv() => {
@@ -229,12 +231,15 @@ impl RemoteAppServerClient {
                                    }
                                    let _ = deliver_event(
                                        &event_tx,
+                                        &mut skipped_events,
                                        AppServerEvent::Disconnected {
                                            message: format!(
                                                "remote app server at `{websocket_url}` write failed: {err_message}"
                                            ),
                                        },
-                                    );
+                                        &mut stream,
+                                    )
+                                    .await;
                                    break;
                                }
                            }
@@ -311,8 +316,11 @@ impl RemoteAppServerClient {
                                            app_server_event_from_notification(notification)
                                            && let Err(err) = deliver_event(
                                                &event_tx,
+                                                &mut skipped_events,
                                                event,
+                                                &mut stream,
                                            )
+                                            .await
                                            {
                                                warn!(%err, "failed to deliver remote app-server event");
                                                break;
@@ -325,8 +333,11 @@ impl RemoteAppServerClient {
                                            Ok(request) => {
                                                if let Err(err) = deliver_event(
                                                    &event_tx,
+                                                    &mut skipped_events,
                                                    AppServerEvent::ServerRequest(request),
+                                                    &mut stream,
                                                )
+                                                .await
                                                {
                                                    warn!(%err, "failed to deliver remote app-server server request");
                                                    break;
@@ -353,12 +364,15 @@ impl RemoteAppServerClient {
                                                    let err_message = reject_err.to_string();
                                                    let _ = deliver_event(
                                                        &event_tx,
+                                                        &mut skipped_events,
                                                        AppServerEvent::Disconnected {
                                                            message: format!(
                                                                "remote app server at `{websocket_url}` write failed: {err_message}"
                                                            ),
                                                        },
-                                                    );
+                                                        &mut stream,
+                                                    )
+                                                    .await;
                                                    break;
                                                }
                                            }
@@ -367,12 +381,15 @@ impl RemoteAppServerClient {
                                    Err(err) => {
                                        let _ = deliver_event(
                                            &event_tx,
+                                            &mut skipped_events,
                                            AppServerEvent::Disconnected {
                                                message: format!(
                                                    "remote app server at `{websocket_url}` sent invalid JSON-RPC: {err}"
                                                ),
                                            },
-                                        );
+                                            &mut stream,
+                                        )
+                                        .await;
                                        break;
                                    }
                                }
@@ -385,12 +402,15 @@ impl RemoteAppServerClient {
                                    .unwrap_or_else(|| "connection closed".to_string());
                                let _ = deliver_event(
                                    &event_tx,
+                                    &mut skipped_events,
                                    AppServerEvent::Disconnected {
                                        message: format!(
                                            "remote app server at `{websocket_url}` disconnected: {reason}"
                                        ),
                                    },
-                                );
+                                    &mut stream,
+                                )
+                                .await;
                                break;
                            }
                            Some(Ok(Message::Binary(_)))
@@ -400,23 +420,29 @@ impl RemoteAppServerClient {
                            Some(Err(err)) => {
                                let _ = deliver_event(
                                    &event_tx,
+                                    &mut skipped_events,
                                    AppServerEvent::Disconnected {
                                        message: format!(
                                            "remote app server at `{websocket_url}` transport failed: {err}"
                                        ),
                                    },
-                                );
+                                    &mut stream,
+                                )
+                                .await;
                                break;
                            }
                            None => {
                                let _ = deliver_event(
                                    &event_tx,
+                                    &mut skipped_events,
                                    AppServerEvent::Disconnected {
                                        message: format!(
                                            "remote app server at `{websocket_url}` closed the connection"
                                        ),
                                    },
-                                );
+                                    &mut stream,
+                                )
+                                .await;
                                break;
                            }
                        }
@@ -586,9 +612,14 @@ impl RemoteAppServerClient {
            .send(RemoteClientCommand::Shutdown { response_tx })
            .await
            .is_ok()
-            && let Ok(Ok(close_result)) = timeout(SHUTDOWN_TIMEOUT, response_rx).await
+            && let Ok(command_result) = timeout(SHUTDOWN_TIMEOUT, response_rx).await
        {
-            close_result?;
+            command_result.map_err(|_| {
+                IoError::new(
+                    ErrorKind::BrokenPipe,
+                    "remote app-server shutdown channel is closed",
+                )
+            })??;
        }

        if let Err(_elapsed) = timeout(SHUTDOWN_TIMEOUT, &mut worker_handle).await {
@@ -775,16 +806,100 @@ fn app_server_event_from_notification(notification: JSONRPCNotification) -> Opti
    }
 }

-fn deliver_event(
-    event_tx: &mpsc::UnboundedSender<AppServerEvent>,
+async fn deliver_event(
+    event_tx: &mpsc::Sender<AppServerEvent>,
+    skipped_events: &mut usize,
    event: AppServerEvent,
+    stream: &mut WebSocketStream<MaybeTlsStream<TcpStream>>,
 ) -> IoResult<()> {
-    event_tx.send(event).map_err(|_| {
-        IoError::new(
+    if *skipped_events > 0 {
+        if event_requires_delivery(&event) {
+            if event_tx
+                .send(AppServerEvent::Lagged {
+                    skipped: *skipped_events,
+                })
+                .await
+                .is_err()
+            {
+                return Err(IoError::new(
+                    ErrorKind::BrokenPipe,
+                    "remote app-server event consumer channel is closed",
+                ));
+            }
+            *skipped_events = 0;
+        } else {
+            match event_tx.try_send(AppServerEvent::Lagged {
+                skipped: *skipped_events,
+            }) {
+                Ok(()) => *skipped_events = 0,
+                Err(mpsc::error::TrySendError::Full(_)) => {
+                    *skipped_events = (*skipped_events).saturating_add(1);
+                    reject_if_server_request_dropped(stream, &event).await?;
+                    return Ok(());
+                }
+                Err(mpsc::error::TrySendError::Closed(_)) => {
+                    return Err(IoError::new(
+                        ErrorKind::BrokenPipe,
+                        "remote app-server event consumer channel is closed",
+                    ));
+                }
+            }
+        }
+    }
+
+    if event_requires_delivery(&event) {
+        event_tx.send(event).await.map_err(|_| {
+            IoError::new(
+                ErrorKind::BrokenPipe,
+                "remote app-server event consumer channel is closed",
+            )
+        })?;
+        return Ok(());
+    }
+
+    match event_tx.try_send(event) {
+        Ok(()) => Ok(()),
+        Err(mpsc::error::TrySendError::Full(event)) => {
+            *skipped_events = (*skipped_events).saturating_add(1);
+            reject_if_server_request_dropped(stream, &event).await
+        }
+        Err(mpsc::error::TrySendError::Closed(_)) => Err(IoError::new(
            ErrorKind::BrokenPipe,
            "remote app-server event consumer channel is closed",
-        )
-    })
+        )),
+    }
+}
+
+async fn reject_if_server_request_dropped(
+    stream: &mut WebSocketStream<MaybeTlsStream<TcpStream>>,
+    event: &AppServerEvent,
+) -> IoResult<()> {
+    let AppServerEvent::ServerRequest(request) = event else {
+        return Ok(());
+    };
+    write_jsonrpc_message(
+        stream,
+        JSONRPCMessage::Error(JSONRPCError {
+            error: JSONRPCErrorError {
+                code: -32001,
+                message: "remote app-server event queue is full".to_string(),
+                data: None,
+            },
+            id: request.id().clone(),
+        }),
+        "<remote-app-server>",
+    )
+    .await
+}
+
+fn event_requires_delivery(event: &AppServerEvent) -> bool {
+    match event {
+        AppServerEvent::ServerNotification(notification) => {
+            server_notification_requires_delivery(notification)
+        }
+        AppServerEvent::Disconnected { .. } => true,
+        AppServerEvent::Lagged { .. } | AppServerEvent::ServerRequest(_) => false,
+    }
 }

 fn request_id_from_client_request(request: &ClientRequest) -> RequestId {
@@ -830,27 +945,40 @@ async fn write_jsonrpc_message(
            ))
        })
 }
+
 #[cfg(test)]
 mod tests {
    use super::*;

-    #[tokio::test]
-    async fn shutdown_tolerates_worker_exit_after_command_is_queued() {
-        let (command_tx, mut command_rx) = mpsc::channel(1);
-        let (_event_tx, event_rx) = mpsc::unbounded_channel::<AppServerEvent>();
-        let worker_handle = tokio::spawn(async move {
-            let _ = command_rx.recv().await;
-        });
-        let client = RemoteAppServerClient {
-            command_tx,
-            event_rx,
-            pending_events: VecDeque::new(),
-            worker_handle,
-        };
-
-        client
-            .shutdown()
-            .await
-            .expect("shutdown should complete when worker exits first");
+    #[test]
+    fn event_requires_delivery_marks_transcript_and_disconnect_events() {
+        assert!(event_requires_delivery(
+            &AppServerEvent::ServerNotification(ServerNotification::AgentMessageDelta(
+                codex_app_server_protocol::AgentMessageDeltaNotification {
+                    thread_id: "thread".to_string(),
+                    turn_id: "turn".to_string(),
+                    item_id: "item".to_string(),
+                    delta: "hello".to_string(),
+                },
+            ),)
+        ));
+        assert!(event_requires_delivery(
+            &AppServerEvent::ServerNotification(ServerNotification::ItemCompleted(
+                codex_app_server_protocol::ItemCompletedNotification {
+                    thread_id: "thread".to_string(),
+                    turn_id: "turn".to_string(),
+                    item: codex_app_server_protocol::ThreadItem::Plan {
+                        id: "item".to_string(),
+                        text: "step".to_string(),
+                    },
+                }
+            ),)
+        ));
+        assert!(event_requires_delivery(&AppServerEvent::Disconnected {
+            message: "closed".to_string(),
+        }));
+        assert!(!event_requires_delivery(&AppServerEvent::Lagged {
+            skipped: 1
+        }));
    }
 }
--- a/codex-rs/app-server-protocol/Cargo.toml
+++ b/codex-rs/app-server-protocol/Cargo.toml
@@ -15,6 +15,7 @@ workspace = true
 anyhow = { workspace = true }
 clap = { workspace = true, features = ["derive"] }
 codex-experimental-api-macros = { workspace = true }
+codex-git-utils = { workspace = true }
 codex-protocol = { workspace = true }
 codex-shell-command = { workspace = true }
 codex-utils-absolute-path = { workspace = true }
--- a/codex-rs/app-server-protocol/schema/json/ClientRequest.json
+++ b/codex-rs/app-server-protocol/schema/json/ClientRequest.json
--- a/codex-rs/app-server-protocol/schema/json/CommandExecutionRequestApprovalParams.json
+++ b/codex-rs/app-server-protocol/schema/json/CommandExecutionRequestApprovalParams.json
@@ -7,25 +7,7 @@
    },
    "AdditionalFileSystemPermissions": {
      "properties": {
-        "entries": {
-          "items": {
-            "$ref": "#/definitions/FileSystemSandboxEntry"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
-        },
-        "globScanMaxDepth": {
-          "format": "uint",
-          "minimum": 1.0,
-          "type": [
-            "integer",
-            "null"
-          ]
-        },
        "read": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -35,7 +17,6 @@
          ]
        },
        "write": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -78,8 +59,7 @@
            {
              "type": "null"
            }
-          ],
-          "description": "Partial overlay used for per-command permission requests."
+          ]
        }
      },
      "type": "object"
@@ -273,217 +253,6 @@
        }
      ]
    },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
    "NetworkApprovalContext": {
      "properties": {
        "host": {
--- a/codex-rs/app-server-protocol/schema/json/DynamicToolCallParams.json
+++ b/codex-rs/app-server-protocol/schema/json/DynamicToolCallParams.json
@@ -5,12 +5,6 @@
    "callId": {
      "type": "string"
    },
-    "namespace": {
-      "type": [
-        "string",
-        "null"
-      ]
-    },
    "threadId": {
      "type": "string"
    },
--- a/codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalParams.json
+++ b/codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalParams.json
@@ -7,25 +7,7 @@
    },
    "AdditionalFileSystemPermissions": {
      "properties": {
-        "entries": {
-          "items": {
-            "$ref": "#/definitions/FileSystemSandboxEntry"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
-        },
-        "globScanMaxDepth": {
-          "format": "uint",
-          "minimum": 1.0,
-          "type": [
-            "integer",
-            "null"
-          ]
-        },
        "read": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -35,7 +17,6 @@
          ]
        },
        "write": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -58,217 +39,6 @@
      },
      "type": "object"
    },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
    "RequestPermissionProfile": {
      "additionalProperties": false,
      "properties": {
@@ -297,9 +67,6 @@
    }
  },
  "properties": {
-    "cwd": {
-      "$ref": "#/definitions/AbsolutePathBuf"
-    },
    "itemId": {
      "type": "string"
    },
@@ -320,7 +87,6 @@
    }
  },
  "required": [
-    "cwd",
    "itemId",
    "permissions",
    "threadId",
--- a/codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalResponse.json
@@ -7,25 +7,7 @@
    },
    "AdditionalFileSystemPermissions": {
      "properties": {
-        "entries": {
-          "items": {
-            "$ref": "#/definitions/FileSystemSandboxEntry"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
-        },
-        "globScanMaxDepth": {
-          "format": "uint",
-          "minimum": 1.0,
-          "type": [
-            "integer",
-            "null"
-          ]
-        },
        "read": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -35,7 +17,6 @@
          ]
        },
        "write": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -58,217 +39,6 @@
      },
      "type": "object"
    },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
    "GrantedPermissionProfile": {
      "properties": {
        "fileSystem": {
@@ -313,13 +83,6 @@
        }
      ],
      "default": "turn"
-    },
-    "strictAutoReview": {
-      "description": "Review every subsequent command in this turn before normal sandboxed execution.",
-      "type": [
-        "boolean",
-        "null"
-      ]
    }
  },
  "required": [
--- a/codex-rs/app-server-protocol/schema/json/ServerNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/ServerNotification.json
@@ -64,59 +64,6 @@
      },
      "type": "object"
    },
-    "AdditionalFileSystemPermissions": {
-      "properties": {
-        "entries": {
-          "items": {
-            "$ref": "#/definitions/FileSystemSandboxEntry"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
-        },
-        "globScanMaxDepth": {
-          "format": "uint",
-          "minimum": 1.0,
-          "type": [
-            "integer",
-            "null"
-          ]
-        },
-        "read": {
-          "description": "This will be removed in favor of `entries`.",
-          "items": {
-            "$ref": "#/definitions/AbsolutePathBuf"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
-        },
-        "write": {
-          "description": "This will be removed in favor of `entries`.",
-          "items": {
-            "$ref": "#/definitions/AbsolutePathBuf"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
-        }
-      },
-      "type": "object"
-    },
-    "AdditionalNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": [
-            "boolean",
-            "null"
-          ]
-        }
-      },
-      "type": "object"
-    },
    "AgentMessageDeltaNotification": {
      "properties": {
        "delta": {
@@ -438,18 +385,11 @@
            "chatgptAuthTokens"
          ],
          "type": "string"
-        },
-        {
-          "description": "Programmatic Codex auth backed by a registered Agent Identity.",
-          "enum": [
-            "agentIdentity"
-          ],
-          "type": "string"
        }
      ]
    },
    "AutoReviewDecisionSource": {
-      "description": "[UNSTABLE] Source that produced a terminal approval auto-review decision.",
+      "description": "[UNSTABLE] Source that produced a terminal guardian approval review decision.",
      "enum": [
        "agent"
      ],
@@ -482,7 +422,6 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
-            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -1028,9 +967,6 @@
      ],
      "type": "object"
    },
-    "ExternalAgentConfigImportCompletedNotification": {
-      "type": "object"
-    },
    "FileChangeOutputDeltaNotification": {
      "properties": {
        "delta": {
@@ -1054,243 +990,6 @@
      ],
      "type": "object"
    },
-    "FileChangePatchUpdatedNotification": {
-      "properties": {
-        "changes": {
-          "items": {
-            "$ref": "#/definitions/FileUpdateChange"
-          },
-          "type": "array"
-        },
-        "itemId": {
-          "type": "string"
-        },
-        "threadId": {
-          "type": "string"
-        },
-        "turnId": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "changes",
-        "itemId",
-        "threadId",
-        "turnId"
-      ],
-      "type": "object"
-    },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
    "FileUpdateChange": {
      "properties": {
        "diff": {
@@ -1436,7 +1135,7 @@
      "type": "object"
    },
    "GuardianApprovalReview": {
-      "description": "[UNSTABLE] Temporary approval auto-review payload used by `item/autoApprovalReview/*` notifications. This shape is expected to change soon.",
+      "description": "[UNSTABLE] Temporary guardian approval review payload used by `item/autoApprovalReview/*` notifications. This shape is expected to change soon.",
      "properties": {
        "rationale": {
          "type": [
@@ -1640,37 +1339,11 @@
          ],
          "title": "McpToolCallGuardianApprovalReviewAction",
          "type": "object"
-        },
-        {
-          "properties": {
-            "permissions": {
-              "$ref": "#/definitions/RequestPermissionProfile"
-            },
-            "reason": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "requestPermissions"
-              ],
-              "title": "RequestPermissionsGuardianApprovalReviewActionType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "permissions",
-            "type"
-          ],
-          "title": "RequestPermissionsGuardianApprovalReviewAction",
-          "type": "object"
        }
      ]
    },
    "GuardianApprovalReviewStatus": {
-      "description": "[UNSTABLE] Lifecycle state for an approval auto-review.",
+      "description": "[UNSTABLE] Lifecycle state for a guardian approval review.",
      "enum": [
        "inProgress",
        "approved",
@@ -1688,7 +1361,7 @@
      "type": "string"
    },
    "GuardianRiskLevel": {
-      "description": "[UNSTABLE] Risk level assigned by approval auto-review.",
+      "description": "[UNSTABLE] Risk level assigned by guardian approval review.",
      "enum": [
        "low",
        "medium",
@@ -1698,7 +1371,7 @@
      "type": "string"
    },
    "GuardianUserAuthorization": {
-      "description": "[UNSTABLE] Authorization level assigned by approval auto-review.",
+      "description": "[UNSTABLE] Authorization level assigned by guardian approval review.",
      "enum": [
        "unknown",
        "low",
@@ -1707,23 +1380,6 @@
      ],
      "type": "string"
    },
-    "GuardianWarningNotification": {
-      "properties": {
-        "message": {
-          "description": "Concise guardian warning message for the user.",
-          "type": "string"
-        },
-        "threadId": {
-          "description": "Thread target for the guardian warning.",
-          "type": "string"
-        }
-      },
-      "required": [
-        "message",
-        "threadId"
-      ],
-      "type": "object"
-    },
    "HookCompletedNotification": {
      "properties": {
        "run": {
@@ -1748,7 +1404,6 @@
    "HookEventName": {
      "enum": [
        "preToolUse",
-        "permissionRequest",
        "postToolUse",
        "sessionStart",
        "userPromptSubmit",
@@ -1862,14 +1517,6 @@
        "scope": {
          "$ref": "#/definitions/HookScope"
        },
-        "source": {
-          "allOf": [
-            {
-              "$ref": "#/definitions/HookSource"
-            }
-          ],
-          "default": "unknown"
-        },
        "sourcePath": {
          "$ref": "#/definitions/AbsolutePathBuf"
        },
@@ -1908,19 +1555,6 @@
      ],
      "type": "string"
    },
-    "HookSource": {
-      "enum": [
-        "system",
-        "user",
-        "project",
-        "mdm",
-        "sessionFlags",
-        "legacyManagedConfigFile",
-        "legacyManagedConfigMdm",
-        "unknown"
-      ],
-      "type": "string"
-    },
    "HookStartedNotification": {
      "properties": {
        "run": {
@@ -1962,7 +1596,7 @@
      "type": "object"
    },
    "ItemGuardianApprovalReviewCompletedNotification": {
-      "description": "[UNSTABLE] Temporary notification payload for approval auto-review. This shape is expected to change soon.",
+      "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.",
      "properties": {
        "action": {
          "$ref": "#/definitions/GuardianApprovalReviewAction"
@@ -2002,7 +1636,7 @@
      "type": "object"
    },
    "ItemGuardianApprovalReviewStartedNotification": {
-      "description": "[UNSTABLE] Temporary notification payload for approval auto-review. This shape is expected to change soon.",
+      "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.",
      "properties": {
        "action": {
          "$ref": "#/definitions/GuardianApprovalReviewAction"
@@ -2263,34 +1897,6 @@
      ],
      "type": "object"
    },
-    "ModelVerification": {
-      "enum": [
-        "trustedAccessForCyber"
-      ],
-      "type": "string"
-    },
-    "ModelVerificationNotification": {
-      "properties": {
-        "threadId": {
-          "type": "string"
-        },
-        "turnId": {
-          "type": "string"
-        },
-        "verifications": {
-          "items": {
-            "$ref": "#/definitions/ModelVerification"
-          },
-          "type": "array"
-        }
-      },
-      "required": [
-        "threadId",
-        "turnId",
-        "verifications"
-      ],
-      "type": "object"
-    },
    "NetworkApprovalProtocol": {
      "enum": [
        "http",
@@ -2415,16 +2021,6 @@
      ],
      "type": "string"
    },
-    "RateLimitReachedType": {
-      "enum": [
-        "rate_limit_reached",
-        "workspace_owner_credits_depleted",
-        "workspace_member_credits_depleted",
-        "workspace_owner_usage_limit_reached",
-        "workspace_member_usage_limit_reached"
-      ],
-      "type": "string"
-    },
    "RateLimitSnapshot": {
      "properties": {
        "credits": {
@@ -2469,16 +2065,6 @@
            }
          ]
        },
-        "rateLimitReachedType": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/RateLimitReachedType"
-            },
-            {
-              "type": "null"
-            }
-          ]
-        },
        "secondary": {
          "anyOf": [
            {
@@ -2628,32 +2214,6 @@
        }
      ]
    },
-    "RequestPermissionProfile": {
-      "additionalProperties": false,
-      "properties": {
-        "fileSystem": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/AdditionalFileSystemPermissions"
-            },
-            {
-              "type": "null"
-            }
-          ]
-        },
-        "network": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/AdditionalNetworkPermissions"
-            },
-            {
-              "type": "null"
-            }
-          ]
-        }
-      },
-      "type": "object"
-    },
    "ServerRequestResolvedNotification": {
      "properties": {
        "requestId": {
@@ -3028,93 +2588,6 @@
      ],
      "type": "object"
    },
-    "ThreadGoal": {
-      "properties": {
-        "createdAt": {
-          "format": "int64",
-          "type": "integer"
-        },
-        "objective": {
-          "type": "string"
-        },
-        "status": {
-          "$ref": "#/definitions/ThreadGoalStatus"
-        },
-        "threadId": {
-          "type": "string"
-        },
-        "timeUsedSeconds": {
-          "format": "int64",
-          "type": "integer"
-        },
-        "tokenBudget": {
-          "format": "int64",
-          "type": [
-            "integer",
-            "null"
-          ]
-        },
-        "tokensUsed": {
-          "format": "int64",
-          "type": "integer"
-        },
-        "updatedAt": {
-          "format": "int64",
-          "type": "integer"
-        }
-      },
-      "required": [
-        "createdAt",
-        "objective",
-        "status",
-        "threadId",
-        "timeUsedSeconds",
-        "tokensUsed",
-        "updatedAt"
-      ],
-      "type": "object"
-    },
-    "ThreadGoalClearedNotification": {
-      "properties": {
-        "threadId": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "threadId"
-      ],
-      "type": "object"
-    },
-    "ThreadGoalStatus": {
-      "enum": [
-        "active",
-        "paused",
-        "budgetLimited",
-        "complete"
-      ],
-      "type": "string"
-    },
-    "ThreadGoalUpdatedNotification": {
-      "properties": {
-        "goal": {
-          "$ref": "#/definitions/ThreadGoal"
-        },
-        "threadId": {
-          "type": "string"
-        },
-        "turnId": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "goal",
-        "threadId"
-      ],
-      "type": "object"
-    },
    "ThreadId": {
      "type": "string"
    },
@@ -3485,12 +2958,6 @@
            "id": {
              "type": "string"
            },
-            "namespace": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
            "status": {
              "$ref": "#/definitions/DynamicToolCallStatus"
            },
@@ -4478,25 +3945,6 @@
        }
      ]
    },
-    "WarningNotification": {
-      "properties": {
-        "message": {
-          "description": "Concise warning message for the user.",
-          "type": "string"
-        },
-        "threadId": {
-          "description": "Optional thread target when the warning applies to a specific thread.",
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "message"
-      ],
-      "type": "object"
-    },
    "WebSearchAction": {
      "oneOf": [
        {
@@ -4814,46 +4262,6 @@
      "title": "Thread/name/updatedNotification",
      "type": "object"
    },
-    {
-      "properties": {
-        "method": {
-          "enum": [
-            "thread/goal/updated"
-          ],
-          "title": "Thread/goal/updatedNotificationMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/ThreadGoalUpdatedNotification"
-        }
-      },
-      "required": [
-        "method",
-        "params"
-      ],
-      "title": "Thread/goal/updatedNotification",
-      "type": "object"
-    },
-    {
-      "properties": {
-        "method": {
-          "enum": [
-            "thread/goal/cleared"
-          ],
-          "title": "Thread/goal/clearedNotificationMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/ThreadGoalClearedNotification"
-        }
-      },
-      "required": [
-        "method",
-        "params"
-      ],
-      "title": "Thread/goal/clearedNotification",
-      "type": "object"
-    },
    {
      "properties": {
        "method": {
@@ -5196,26 +4604,6 @@
      "title": "Item/fileChange/outputDeltaNotification",
      "type": "object"
    },
-    {
-      "properties": {
-        "method": {
-          "enum": [
-            "item/fileChange/patchUpdated"
-          ],
-          "title": "Item/fileChange/patchUpdatedNotificationMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/FileChangePatchUpdatedNotification"
-        }
-      },
-      "required": [
-        "method",
-        "params"
-      ],
-      "title": "Item/fileChange/patchUpdatedNotification",
-      "type": "object"
-    },
    {
      "properties": {
        "method": {
@@ -5356,26 +4744,6 @@
      "title": "App/list/updatedNotification",
      "type": "object"
    },
-    {
-      "properties": {
-        "method": {
-          "enum": [
-            "externalAgentConfig/import/completed"
-          ],
-          "title": "ExternalAgentConfig/import/completedNotificationMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/ExternalAgentConfigImportCompletedNotification"
-        }
-      },
-      "required": [
-        "method",
-        "params"
-      ],
-      "title": "ExternalAgentConfig/import/completedNotification",
-      "type": "object"
-    },
    {
      "properties": {
        "method": {
@@ -5497,66 +4865,6 @@
      "title": "Model/reroutedNotification",
      "type": "object"
    },
-    {
-      "properties": {
-        "method": {
-          "enum": [
-            "model/verification"
-          ],
-          "title": "Model/verificationNotificationMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/ModelVerificationNotification"
-        }
-      },
-      "required": [
-        "method",
-        "params"
-      ],
-      "title": "Model/verificationNotification",
-      "type": "object"
-    },
-    {
-      "properties": {
-        "method": {
-          "enum": [
-            "warning"
-          ],
-          "title": "WarningNotificationMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/WarningNotification"
-        }
-      },
-      "required": [
-        "method",
-        "params"
-      ],
-      "title": "WarningNotification",
-      "type": "object"
-    },
-    {
-      "properties": {
-        "method": {
-          "enum": [
-            "guardianWarning"
-          ],
-          "title": "GuardianWarningNotificationMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/GuardianWarningNotification"
-        }
-      },
-      "required": [
-        "method",
-        "params"
-      ],
-      "title": "GuardianWarningNotification",
-      "type": "object"
-    },
    {
      "properties": {
        "method": {
--- a/codex-rs/app-server-protocol/schema/json/ServerRequest.json
+++ b/codex-rs/app-server-protocol/schema/json/ServerRequest.json
@@ -7,25 +7,7 @@
    },
    "AdditionalFileSystemPermissions": {
      "properties": {
-        "entries": {
-          "items": {
-            "$ref": "#/definitions/FileSystemSandboxEntry"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
-        },
-        "globScanMaxDepth": {
-          "format": "uint",
-          "minimum": 1.0,
-          "type": [
-            "integer",
-            "null"
-          ]
-        },
        "read": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -35,7 +17,6 @@
          ]
        },
        "write": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -78,8 +59,7 @@
            {
              "type": "null"
            }
-          ],
-          "description": "Partial overlay used for per-command permission requests."
+          ]
        }
      },
      "type": "object"
@@ -437,12 +417,6 @@
        "callId": {
          "type": "string"
        },
-        "namespace": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
        "threadId": {
          "type": "string"
        },
@@ -612,217 +586,6 @@
      ],
      "type": "object"
    },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
    "McpElicitationArrayType": {
      "enum": [
        "array"
@@ -1587,9 +1350,6 @@
    },
    "PermissionsRequestApprovalParams": {
      "properties": {
-        "cwd": {
-          "$ref": "#/definitions/AbsolutePathBuf"
-        },
        "itemId": {
          "type": "string"
        },
@@ -1610,7 +1370,6 @@
        }
      },
      "required": [
-        "cwd",
        "itemId",
        "permissions",
        "threadId",
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json
--- a/codex-rs/app-server-protocol/schema/json/v2/AccountRateLimitsUpdatedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/AccountRateLimitsUpdatedNotification.json
@@ -39,16 +39,6 @@
      ],
      "type": "string"
    },
-    "RateLimitReachedType": {
-      "enum": [
-        "rate_limit_reached",
-        "workspace_owner_credits_depleted",
-        "workspace_member_credits_depleted",
-        "workspace_owner_usage_limit_reached",
-        "workspace_member_usage_limit_reached"
-      ],
-      "type": "string"
-    },
    "RateLimitSnapshot": {
      "properties": {
        "credits": {
@@ -93,16 +83,6 @@
            }
          ]
        },
-        "rateLimitReachedType": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/RateLimitReachedType"
-            },
-            {
-              "type": "null"
-            }
-          ]
-        },
        "secondary": {
          "anyOf": [
            {
--- a/codex-rs/app-server-protocol/schema/json/v2/AccountUpdatedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/AccountUpdatedNotification.json
@@ -24,13 +24,6 @@
            "chatgptAuthTokens"
          ],
          "type": "string"
-        },
-        {
-          "description": "Programmatic Codex auth backed by a registered Agent Identity.",
-          "enum": [
-            "agentIdentity"
-          ],
-          "type": "string"
        }
      ]
    },
--- a/codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json
@@ -27,217 +27,6 @@
      ],
      "type": "object"
    },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
    "NetworkAccess": {
      "enum": [
        "restricted",
@@ -245,135 +34,53 @@
      ],
      "type": "string"
    },
-    "PermissionProfile": {
-      "oneOf": [
-        {
-          "description": "Codex owns sandbox construction for this profile.",
-          "properties": {
-            "fileSystem": {
-              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
-            },
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "managed"
-              ],
-              "title": "ManagedPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "fileSystem",
-            "network",
-            "type"
-          ],
-          "title": "ManagedPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Do not apply an outer sandbox.",
-          "properties": {
-            "type": {
-              "enum": [
-                "disabled"
-              ],
-              "title": "DisabledPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DisabledPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Filesystem isolation is enforced by an external caller.",
-          "properties": {
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "external"
-              ],
-              "title": "ExternalPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "network",
-            "type"
-          ],
-          "title": "ExternalPermissionProfile",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileFileSystemPermissions": {
+    "ReadOnlyAccess": {
      "oneOf": [
        {
          "properties": {
-            "entries": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
              "items": {
-                "$ref": "#/definitions/FileSystemSandboxEntry"
+                "$ref": "#/definitions/AbsolutePathBuf"
              },
              "type": "array"
            },
-            "globScanMaxDepth": {
-              "format": "uint",
-              "minimum": 1.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
            "type": {
              "enum": [
                "restricted"
              ],
-              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "title": "RestrictedReadOnlyAccessType",
              "type": "string"
            }
          },
          "required": [
-            "entries",
            "type"
          ],
-          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "title": "RestrictedReadOnlyAccess",
          "type": "object"
        },
        {
          "properties": {
            "type": {
              "enum": [
-                "unrestricted"
+                "fullAccess"
              ],
-              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "title": "FullAccessReadOnlyAccessType",
              "type": "string"
            }
          },
          "required": [
            "type"
          ],
-          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "title": "FullAccessReadOnlyAccess",
          "type": "object"
        }
      ]
    },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        }
-      },
-      "required": [
-        "enabled"
-      ],
-      "type": "object"
-    },
    "SandboxPolicy": {
      "oneOf": [
        {
@@ -394,6 +101,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "networkAccess": {
              "default": false,
              "type": "boolean"
@@ -450,6 +167,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -520,17 +247,6 @@
        "null"
      ]
    },
-    "permissionProfile": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/PermissionProfile"
-        },
-        {
-          "type": "null"
-        }
-      ],
-      "description": "Optional full permissions profile for this command.\n\nDefaults to the user's configured permissions when omitted. Cannot be combined with `sandboxPolicy`."
-    },
    "processId": {
      "description": "Optional client-supplied, connection-scoped process id.\n\nRequired for `tty`, `streamStdin`, `streamStdoutStderr`, and follow-up `command/exec/write`, `command/exec/resize`, and `command/exec/terminate` calls. When omitted, buffered execution gets an internal id that is not exposed to the client.",
      "type": [
@@ -547,7 +263,7 @@
          "type": "null"
        }
      ],
-      "description": "Optional sandbox policy for this command.\n\nUses the same shape as thread/turn execution sandbox configuration and defaults to the user's configured policy when omitted. Cannot be combined with `permissionProfile`."
+      "description": "Optional sandbox policy for this command.\n\nUses the same shape as thread/turn execution sandbox configuration and defaults to the user's configured policy when omitted."
    },
    "size": {
      "anyOf": [
--- a/codex-rs/app-server-protocol/schema/json/v2/ConfigReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ConfigReadResponse.json
@@ -97,10 +97,9 @@
      "type": "object"
    },
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
      "enum": [
        "user",
-        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
--- a/codex-rs/app-server-protocol/schema/json/v2/ConfigRequirementsReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ConfigRequirementsReadResponse.json
@@ -2,10 +2,9 @@
  "$schema": "http://json-schema.org/draft-07/schema#",
  "definitions": {
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
      "enum": [
        "user",
-        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
@@ -111,161 +110,6 @@
      },
      "type": "object"
    },
-    "ConfiguredHookHandler": {
-      "oneOf": [
-        {
-          "properties": {
-            "async": {
-              "type": "boolean"
-            },
-            "command": {
-              "type": "string"
-            },
-            "statusMessage": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "timeoutSec": {
-              "format": "uint64",
-              "minimum": 0.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "command"
-              ],
-              "title": "CommandConfiguredHookHandlerType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "async",
-            "command",
-            "type"
-          ],
-          "title": "CommandConfiguredHookHandler",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "prompt"
-              ],
-              "title": "PromptConfiguredHookHandlerType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "PromptConfiguredHookHandler",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "agent"
-              ],
-              "title": "AgentConfiguredHookHandlerType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "AgentConfiguredHookHandler",
-          "type": "object"
-        }
-      ]
-    },
-    "ConfiguredHookMatcherGroup": {
-      "properties": {
-        "hooks": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookHandler"
-          },
-          "type": "array"
-        },
-        "matcher": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "hooks"
-      ],
-      "type": "object"
-    },
-    "ManagedHooksRequirements": {
-      "properties": {
-        "PermissionRequest": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "PostToolUse": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "PreToolUse": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "SessionStart": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "Stop": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "UserPromptSubmit": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "managedDir": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "windowsManagedDir": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "PermissionRequest",
-        "PostToolUse",
-        "PreToolUse",
-        "SessionStart",
-        "Stop",
-        "UserPromptSubmit"
-      ],
-      "type": "object"
-    },
    "NetworkDomainPermission": {
      "enum": [
        "allow",
--- a/codex-rs/app-server-protocol/schema/json/v2/DeviceKeyCreateParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/DeviceKeyCreateParams.json
@@ -1,39 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "DeviceKeyProtectionPolicy": {
-      "description": "Protection policy for creating or loading a controller-local device key.",
-      "enum": [
-        "hardware_only",
-        "allow_os_protected_nonextractable"
-      ],
-      "type": "string"
-    }
-  },
-  "description": "Create a controller-local device key with a random key id.",
-  "properties": {
-    "accountUserId": {
-      "type": "string"
-    },
-    "clientId": {
-      "type": "string"
-    },
-    "protectionPolicy": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/DeviceKeyProtectionPolicy"
-        },
-        {
-          "type": "null"
-        }
-      ],
-      "description": "Defaults to `hardware_only` when omitted."
-    }
-  },
-  "required": [
-    "accountUserId",
-    "clientId"
-  ],
-  "title": "DeviceKeyCreateParams",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/DeviceKeyCreateResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/DeviceKeyCreateResponse.json
@@ -1,45 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "DeviceKeyAlgorithm": {
-      "description": "Device-key algorithm reported at enrollment and signing boundaries.",
-      "enum": [
-        "ecdsa_p256_sha256"
-      ],
-      "type": "string"
-    },
-    "DeviceKeyProtectionClass": {
-      "description": "Platform protection class for a controller-local device key.",
-      "enum": [
-        "hardware_secure_enclave",
-        "hardware_tpm",
-        "os_protected_nonextractable"
-      ],
-      "type": "string"
-    }
-  },
-  "description": "Device-key metadata and public key returned by create/public APIs.",
-  "properties": {
-    "algorithm": {
-      "$ref": "#/definitions/DeviceKeyAlgorithm"
-    },
-    "keyId": {
-      "type": "string"
-    },
-    "protectionClass": {
-      "$ref": "#/definitions/DeviceKeyProtectionClass"
-    },
-    "publicKeySpkiDerBase64": {
-      "description": "SubjectPublicKeyInfo DER encoded as base64.",
-      "type": "string"
-    }
-  },
-  "required": [
-    "algorithm",
-    "keyId",
-    "protectionClass",
-    "publicKeySpkiDerBase64"
-  ],
-  "title": "DeviceKeyCreateResponse",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/DeviceKeyPublicParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/DeviceKeyPublicParams.json
@@ -1,14 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "description": "Fetch a controller-local device key public key by id.",
-  "properties": {
-    "keyId": {
-      "type": "string"
-    }
-  },
-  "required": [
-    "keyId"
-  ],
-  "title": "DeviceKeyPublicParams",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/DeviceKeyPublicResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/DeviceKeyPublicResponse.json
@@ -1,45 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "DeviceKeyAlgorithm": {
-      "description": "Device-key algorithm reported at enrollment and signing boundaries.",
-      "enum": [
-        "ecdsa_p256_sha256"
-      ],
-      "type": "string"
-    },
-    "DeviceKeyProtectionClass": {
-      "description": "Platform protection class for a controller-local device key.",
-      "enum": [
-        "hardware_secure_enclave",
-        "hardware_tpm",
-        "os_protected_nonextractable"
-      ],
-      "type": "string"
-    }
-  },
-  "description": "Device-key public metadata returned by `device/key/public`.",
-  "properties": {
-    "algorithm": {
-      "$ref": "#/definitions/DeviceKeyAlgorithm"
-    },
-    "keyId": {
-      "type": "string"
-    },
-    "protectionClass": {
-      "$ref": "#/definitions/DeviceKeyProtectionClass"
-    },
-    "publicKeySpkiDerBase64": {
-      "description": "SubjectPublicKeyInfo DER encoded as base64.",
-      "type": "string"
-    }
-  },
-  "required": [
-    "algorithm",
-    "keyId",
-    "protectionClass",
-    "publicKeySpkiDerBase64"
-  ],
-  "title": "DeviceKeyPublicResponse",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/DeviceKeySignParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/DeviceKeySignParams.json
@@ -1,165 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "DeviceKeySignPayload": {
-      "description": "Structured payloads accepted by `device/key/sign`.",
-      "oneOf": [
-        {
-          "description": "Payload bound to one remote-control controller websocket `/client` connection challenge.",
-          "properties": {
-            "accountUserId": {
-              "type": "string"
-            },
-            "audience": {
-              "$ref": "#/definitions/RemoteControlClientConnectionAudience"
-            },
-            "clientId": {
-              "type": "string"
-            },
-            "nonce": {
-              "type": "string"
-            },
-            "scopes": {
-              "description": "Must contain exactly `remote_control_controller_websocket`.",
-              "items": {
-                "type": "string"
-              },
-              "type": "array"
-            },
-            "sessionId": {
-              "description": "Backend-issued websocket session id that this proof authorizes.",
-              "type": "string"
-            },
-            "targetOrigin": {
-              "description": "Origin of the backend endpoint that issued the challenge and will verify this proof.",
-              "type": "string"
-            },
-            "targetPath": {
-              "description": "Websocket route path that this proof authorizes.",
-              "type": "string"
-            },
-            "tokenExpiresAt": {
-              "description": "Remote-control token expiration as Unix seconds.",
-              "format": "int64",
-              "type": "integer"
-            },
-            "tokenSha256Base64url": {
-              "description": "SHA-256 of the controller-scoped remote-control token, encoded as unpadded base64url.",
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "remoteControlClientConnection"
-              ],
-              "title": "RemoteControlClientConnectionDeviceKeySignPayloadType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "accountUserId",
-            "audience",
-            "clientId",
-            "nonce",
-            "scopes",
-            "sessionId",
-            "targetOrigin",
-            "targetPath",
-            "tokenExpiresAt",
-            "tokenSha256Base64url",
-            "type"
-          ],
-          "title": "RemoteControlClientConnectionDeviceKeySignPayload",
-          "type": "object"
-        },
-        {
-          "description": "Payload bound to a remote-control client `/client/enroll` ownership challenge.",
-          "properties": {
-            "accountUserId": {
-              "type": "string"
-            },
-            "audience": {
-              "$ref": "#/definitions/RemoteControlClientEnrollmentAudience"
-            },
-            "challengeExpiresAt": {
-              "description": "Enrollment challenge expiration as Unix seconds.",
-              "format": "int64",
-              "type": "integer"
-            },
-            "challengeId": {
-              "description": "Backend-issued enrollment challenge id that this proof authorizes.",
-              "type": "string"
-            },
-            "clientId": {
-              "type": "string"
-            },
-            "deviceIdentitySha256Base64url": {
-              "description": "SHA-256 of the requested device identity operation, encoded as unpadded base64url.",
-              "type": "string"
-            },
-            "nonce": {
-              "type": "string"
-            },
-            "targetOrigin": {
-              "description": "Origin of the backend endpoint that issued the challenge and will verify this proof.",
-              "type": "string"
-            },
-            "targetPath": {
-              "description": "HTTP route path that this proof authorizes.",
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "remoteControlClientEnrollment"
-              ],
-              "title": "RemoteControlClientEnrollmentDeviceKeySignPayloadType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "accountUserId",
-            "audience",
-            "challengeExpiresAt",
-            "challengeId",
-            "clientId",
-            "deviceIdentitySha256Base64url",
-            "nonce",
-            "targetOrigin",
-            "targetPath",
-            "type"
-          ],
-          "title": "RemoteControlClientEnrollmentDeviceKeySignPayload",
-          "type": "object"
-        }
-      ]
-    },
-    "RemoteControlClientConnectionAudience": {
-      "description": "Audience for a remote-control client connection device-key proof.",
-      "enum": [
-        "remote_control_client_websocket"
-      ],
-      "type": "string"
-    },
-    "RemoteControlClientEnrollmentAudience": {
-      "description": "Audience for a remote-control client enrollment device-key proof.",
-      "enum": [
-        "remote_control_client_enrollment"
-      ],
-      "type": "string"
-    }
-  },
-  "description": "Sign an accepted structured payload with a controller-local device key.",
-  "properties": {
-    "keyId": {
-      "type": "string"
-    },
-    "payload": {
-      "$ref": "#/definitions/DeviceKeySignPayload"
-    }
-  },
-  "required": [
-    "keyId",
-    "payload"
-  ],
-  "title": "DeviceKeySignParams",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/DeviceKeySignResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/DeviceKeySignResponse.json
@@ -1,33 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "DeviceKeyAlgorithm": {
-      "description": "Device-key algorithm reported at enrollment and signing boundaries.",
-      "enum": [
-        "ecdsa_p256_sha256"
-      ],
-      "type": "string"
-    }
-  },
-  "description": "ASN.1 DER signature returned by `device/key/sign`.",
-  "properties": {
-    "algorithm": {
-      "$ref": "#/definitions/DeviceKeyAlgorithm"
-    },
-    "signatureDerBase64": {
-      "description": "ECDSA signature DER encoded as base64.",
-      "type": "string"
-    },
-    "signedPayloadBase64": {
-      "description": "Exact bytes signed by the device key, encoded as base64. Verifiers must verify this byte string directly and must not reserialize `payload`.",
-      "type": "string"
-    }
-  },
-  "required": [
-    "algorithm",
-    "signatureDerBase64",
-    "signedPayloadBase64"
-  ],
-  "title": "DeviceKeySignResponse",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/ErrorNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ErrorNotification.json
@@ -9,7 +9,6 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
-            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/ExternalAgentConfigImportCompletedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ExternalAgentConfigImportCompletedNotification.json
@@ -1,5 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "title": "ExternalAgentConfigImportCompletedNotification",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/FileChangePatchUpdatedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/FileChangePatchUpdatedNotification.json
@@ -1,107 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "FileUpdateChange": {
-      "properties": {
-        "diff": {
-          "type": "string"
-        },
-        "kind": {
-          "$ref": "#/definitions/PatchChangeKind"
-        },
-        "path": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "diff",
-        "kind",
-        "path"
-      ],
-      "type": "object"
-    },
-    "PatchChangeKind": {
-      "oneOf": [
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "add"
-              ],
-              "title": "AddPatchChangeKindType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "AddPatchChangeKind",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "delete"
-              ],
-              "title": "DeletePatchChangeKindType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DeletePatchChangeKind",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "move_path": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "update"
-              ],
-              "title": "UpdatePatchChangeKindType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "UpdatePatchChangeKind",
-          "type": "object"
-        }
-      ]
-    }
-  },
-  "properties": {
-    "changes": {
-      "items": {
-        "$ref": "#/definitions/FileUpdateChange"
-      },
-      "type": "array"
-    },
-    "itemId": {
-      "type": "string"
-    },
-    "threadId": {
-      "type": "string"
-    },
-    "turnId": {
-      "type": "string"
-    }
-  },
-  "required": [
-    "changes",
-    "itemId",
-    "threadId",
-    "turnId"
-  ],
-  "title": "FileChangePatchUpdatedNotification",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/GetAccountRateLimitsResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/GetAccountRateLimitsResponse.json
@@ -39,16 +39,6 @@
      ],
      "type": "string"
    },
-    "RateLimitReachedType": {
-      "enum": [
-        "rate_limit_reached",
-        "workspace_owner_credits_depleted",
-        "workspace_member_credits_depleted",
-        "workspace_owner_usage_limit_reached",
-        "workspace_member_usage_limit_reached"
-      ],
-      "type": "string"
-    },
    "RateLimitSnapshot": {
      "properties": {
        "credits": {
@@ -93,16 +83,6 @@
            }
          ]
        },
-        "rateLimitReachedType": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/RateLimitReachedType"
-            },
-            {
-              "type": "null"
-            }
-          ]
-        },
        "secondary": {
          "anyOf": [
            {
--- a/codex-rs/app-server-protocol/schema/json/v2/GetAccountResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/GetAccountResponse.json
@@ -42,22 +42,6 @@
          ],
          "title": "ChatgptAccount",
          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "amazonBedrock"
-              ],
-              "title": "AmazonBedrockAccountType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "AmazonBedrockAccount",
-          "type": "object"
        }
      ]
    },
--- a/codex-rs/app-server-protocol/schema/json/v2/GuardianWarningNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/GuardianWarningNotification.json
@@ -1,19 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "message": {
-      "description": "Concise guardian warning message for the user.",
-      "type": "string"
-    },
-    "threadId": {
-      "description": "Thread target for the guardian warning.",
-      "type": "string"
-    }
-  },
-  "required": [
-    "message",
-    "threadId"
-  ],
-  "title": "GuardianWarningNotification",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/HookCompletedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/HookCompletedNotification.json
@@ -8,7 +8,6 @@
    "HookEventName": {
      "enum": [
        "preToolUse",
-        "permissionRequest",
        "postToolUse",
        "sessionStart",
        "userPromptSubmit",
@@ -107,14 +106,6 @@
        "scope": {
          "$ref": "#/definitions/HookScope"
        },
-        "source": {
-          "allOf": [
-            {
-              "$ref": "#/definitions/HookSource"
-            }
-          ],
-          "default": "unknown"
-        },
        "sourcePath": {
          "$ref": "#/definitions/AbsolutePathBuf"
        },
@@ -152,19 +143,6 @@
        "turn"
      ],
      "type": "string"
-    },
-    "HookSource": {
-      "enum": [
-        "system",
-        "user",
-        "project",
-        "mdm",
-        "sessionFlags",
-        "legacyManagedConfigFile",
-        "legacyManagedConfigMdm",
-        "unknown"
-      ],
-      "type": "string"
    }
  },
  "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/HookStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/HookStartedNotification.json
@@ -8,7 +8,6 @@
    "HookEventName": {
      "enum": [
        "preToolUse",
-        "permissionRequest",
        "postToolUse",
        "sessionStart",
        "userPromptSubmit",
@@ -107,14 +106,6 @@
        "scope": {
          "$ref": "#/definitions/HookScope"
        },
-        "source": {
-          "allOf": [
-            {
-              "$ref": "#/definitions/HookSource"
-            }
-          ],
-          "default": "unknown"
-        },
        "sourcePath": {
          "$ref": "#/definitions/AbsolutePathBuf"
        },
@@ -152,19 +143,6 @@
        "turn"
      ],
      "type": "string"
-    },
-    "HookSource": {
-      "enum": [
-        "system",
-        "user",
-        "project",
-        "mdm",
-        "sessionFlags",
-        "legacyManagedConfigFile",
-        "legacyManagedConfigMdm",
-        "unknown"
-      ],
-      "type": "string"
    }
  },
  "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/ItemCompletedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ItemCompletedNotification.json
@@ -854,12 +854,6 @@
            "id": {
              "type": "string"
            },
-            "namespace": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
            "status": {
              "$ref": "#/definitions/DynamicToolCallStatus"
            },
--- a/Show More
+++ b/Show More