subagents

Co-authored-by: Gabriel Peal <gpeal@users.noreply.github.com>

.github/dependabot.yaml

@@ -24,3 +24,7 @@ updates:
     directory: /
     schedule:
       interval: weekly
+  - package-ecosystem: rust-toolchain
+    directory: codex-rs
+    schedule:
+      interval: weekly

.github/workflows/codex.yml

@@ -52,7 +52,7 @@ jobs:
             ~/.cargo/registry/cache/
             ~/.cargo/git/db/
             ${{ github.workspace }}/codex-rs/target/
-          key: cargo-ubuntu-24.04-x86_64-unknown-linux-gnu-${{ hashFiles('**/Cargo.lock') }}
+          key: cargo-ubuntu-24.04-x86_64-unknown-linux-gnu-dev-${{ hashFiles('**/Cargo.lock') }}
 
       # Note it is possible that the `verify` step internal to Run Codex will
       # fail, in which case the work to setup the repo was worthless :(

.prettierignore

@@ -1,3 +1,7 @@
 /codex-cli/dist
 /codex-cli/node_modules
 pnpm-lock.yaml
+
+prompt.md
+*_prompt.md
+*_instructions.md

AGENTS.md

@@ -2,13 +2,13 @@
 
 In the codex-rs folder where the rust code lives:
 
-- Crate names are prefixed with `codex-`. For examole, the `core` folder's crate is named `codex-core`
+- Crate names are prefixed with `codex-`. For example, the `core` folder's crate is named `codex-core`
 - When using format! and you can inline variables into {}, always do that.
 - Never add or modify any code related to `CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR` or `CODEX_SANDBOX_ENV_VAR`.
   - You operate in a sandbox where `CODEX_SANDBOX_NETWORK_DISABLED=1` will be set whenever you use the `shell` tool. Any existing code that uses `CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR` was authored with this fact in mind. It is often used to early exit out of tests that the author knew you would not be able to run given your sandbox limitations.
   - Similarly, when you spawn a process using Seatbelt (`/usr/bin/sandbox-exec`), `CODEX_SANDBOX=seatbelt` will be set on the child process. Integration tests that want to run Seatbelt themselves cannot be run under Seatbelt, so checks for `CODEX_SANDBOX=seatbelt` are also often used to early exit out of tests, as appropriate.
 
-Before finalizing a change to `codex-rs`, run `just fmt` (in `codex-rs` directory) to format the code and `just fix` (in `codex-rs` directory) to fix any linter issues in the code. Additionally, run the tests:
+Before finalizing a change to `codex-rs`, run `just fmt` (in `codex-rs` directory) to format the code and `just fix -p <project>` (in `codex-rs` directory) to fix any linter issues in the code. Additionally, run the tests:
 1. Run the test for the specific project that was changed. For example, if changes were made in `codex-rs/tui`, run `cargo test -p codex-tui`.
 2. Once those pass, if any changes were made in common, core, or protocol, run the complete test suite with `cargo test --all-features`.
 

README.md

@@ -383,6 +383,13 @@ base_url = "http://my-ollama.example.com:11434/v1"
 
 ### Platform sandboxing details
 
+By default, Codex CLI runs code and shell commands inside a restricted sandbox to protect your system.  
+
+> [!IMPORTANT]
+> Not all tool calls are sandboxed. Specifically, **trusted Model Context Protocol (MCP) tool calls** are executed outside of the sandbox.  
+> This is intentional: MCP tools are explicitly configured and trusted by you, and they often need to connect to **external applications or services** (e.g. issue trackers, databases, messaging systems).  
+> Running them outside the sandbox allows Codex to integrate with these external systems without being blocked by sandbox restrictions.
+
 The mechanism Codex uses to implement the sandbox policy depends on your OS:
 
 - **macOS 12+** uses **Apple Seatbelt** and runs commands using `sandbox-exec` with a profile (`-p`) that corresponds to the `--sandbox` that was specified.

codex-rs/Cargo.lock

@@ -186,6 +186,26 @@ version = "1.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "dde20b3d026af13f561bdd0f15edf01fc734f0dafcedbaf42bba506a9517f223"
 
+[[package]]
+name = "arboard"
+version = "3.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "55f533f8e0af236ffe5eb979b99381df3258853f00ba2e44b6e1955292c75227"
+dependencies = [
+ "clipboard-win",
+ "image",
+ "log",
+ "objc2",
+ "objc2-app-kit",
+ "objc2-core-foundation",
+ "objc2-core-graphics",
+ "objc2-foundation",
+ "parking_lot",
+ "percent-encoding",
+ "windows-sys 0.59.0",
+ "x11rb",
+]
+
 [[package]]
 name = "arg_enum_proc_macro"
 version = "0.3.4"
@@ -737,6 +757,7 @@ dependencies = [
  "tree-sitter-bash",
  "uuid",
  "walkdir",
+ "which",
  "whoami",
  "wildmatch",
  "wiremock",
@@ -753,6 +774,7 @@ dependencies = [
  "codex-arg0",
  "codex-common",
  "codex-core",
+ "codex-login",
  "codex-ollama",
  "codex-protocol",
  "core_test_support",
@@ -822,6 +844,7 @@ version = "0.0.0"
 dependencies = [
  "base64 0.22.1",
  "chrono",
+ "codex-protocol",
  "pretty_assertions",
  "rand 0.8.5",
  "reqwest",
@@ -900,13 +923,16 @@ dependencies = [
 name = "codex-protocol"
 version = "0.0.0"
 dependencies = [
+ "base64 0.22.1",
  "mcp-types",
+ "mime_guess",
  "pretty_assertions",
  "serde",
  "serde_bytes",
  "serde_json",
  "strum 0.27.2",
  "strum_macros 0.27.2",
+ "tracing",
  "ts-rs",
  "uuid",
 ]
@@ -926,6 +952,8 @@ name = "codex-tui"
 version = "0.0.0"
 dependencies = [
  "anyhow",
+ "arboard",
+ "async-stream",
  "base64 0.22.1",
  "chrono",
  "clap",
@@ -959,8 +987,10 @@ dependencies = [
  "strum 0.27.2",
  "strum_macros 0.27.2",
  "supports-color",
+ "tempfile",
  "textwrap 0.16.2",
  "tokio",
+ "tokio-stream",
  "tracing",
  "tracing-appender",
  "tracing-subscriber",
@@ -1161,6 +1191,7 @@ checksum = "829d955a0bb380ef178a640b91779e3987da38c9aea133b20614cfed8cdea9c6"
 dependencies = [
  "bitflags 2.9.1",
  "crossterm_winapi",
+ "futures-core",
  "mio",
  "parking_lot",
  "rustix 0.38.44",
@@ -1405,6 +1436,16 @@ dependencies = [
  "winapi",
 ]
 
+[[package]]
+name = "dispatch2"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "89a09f22a6c6069a18470eb92d2298acf25463f14256d24778e1230d789a2aec"
+dependencies = [
+ "bitflags 2.9.1",
+ "objc2",
+]
+
 [[package]]
 name = "display_container"
 version = "0.9.0"
@@ -1438,12 +1479,6 @@ version = "0.15.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1aaf95b3e5c8f23aa320147307562d361db0ae0d51242340f558153b4eb2439b"
 
-[[package]]
-name = "downcast-rs"
-version = "1.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "75b325c5dbd37f80359721ad39aca5a29fb04c89279657cffdda8736d0c0b9d2"
-
 [[package]]
 name = "dupe"
 version = "0.9.1"
@@ -1638,21 +1673,6 @@ dependencies = [
  "pin-project-lite",
 ]
 
-[[package]]
-name = "exec-command-mcp"
-version = "0.0.0"
-dependencies = [
- "anyhow",
- "mcp-types",
- "portable-pty",
- "schemars 0.8.22",
- "serde",
- "serde_json",
- "tokio",
- "tracing",
- "tracing-subscriber",
-]
-
 [[package]]
 name = "exr"
 version = "1.73.0"
@@ -1704,17 +1724,6 @@ dependencies = [
  "simd-adler32",
 ]
 
-[[package]]
-name = "filedescriptor"
-version = "0.8.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e40758ed24c9b2eeb76c35fb0aebc66c626084edd827e07e1552279814c6682d"
-dependencies = [
- "libc",
- "thiserror 1.0.69",
- "winapi",
-]
-
 [[package]]
 name = "fixedbitset"
 version = "0.4.2"
@@ -1890,6 +1899,16 @@ dependencies = [
  "version_check",
 ]
 
+[[package]]
+name = "gethostname"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0176e0459c2e4a1fe232f984bca6890e681076abb9934f6cea7c326f3fc47818"
+dependencies = [
+ "libc",
+ "windows-targets 0.48.5",
+]
+
 [[package]]
 name = "getopts"
 version = "0.2.23"
@@ -3086,6 +3105,42 @@ dependencies = [
  "objc2-encode",
 ]
 
+[[package]]
+name = "objc2-app-kit"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6f29f568bec459b0ddff777cec4fe3fd8666d82d5a40ebd0ff7e66134f89bcc"
+dependencies = [
+ "bitflags 2.9.1",
+ "objc2",
+ "objc2-core-graphics",
+ "objc2-foundation",
+]
+
+[[package]]
+name = "objc2-core-foundation"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1c10c2894a6fed806ade6027bcd50662746363a9589d3ec9d9bef30a4e4bc166"
+dependencies = [
+ "bitflags 2.9.1",
+ "dispatch2",
+ "objc2",
+]
+
+[[package]]
+name = "objc2-core-graphics"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "989c6c68c13021b5c2d6b71456ebb0f9dc78d752e86a98da7c716f4f9470f5a4"
+dependencies = [
+ "bitflags 2.9.1",
+ "dispatch2",
+ "objc2",
+ "objc2-core-foundation",
+ "objc2-io-surface",
+]
+
 [[package]]
 name = "objc2-encode"
 version = "4.1.0"
@@ -3100,6 +3155,18 @@ checksum = "900831247d2fe1a09a683278e5384cfb8c80c79fe6b166f9d14bfdde0ea1b03c"
 dependencies = [
  "bitflags 2.9.1",
  "objc2",
+ "objc2-core-foundation",
+]
+
+[[package]]
+name = "objc2-io-surface"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7282e9ac92529fa3457ce90ebb15f4ecbc383e8338060960760fa2cf75420c3c"
+dependencies = [
+ "bitflags 2.9.1",
+ "objc2",
+ "objc2-core-foundation",
 ]
 
 [[package]]
@@ -3372,27 +3439,6 @@ dependencies = [
  "portable-atomic",
 ]
 
-[[package]]
-name = "portable-pty"
-version = "0.9.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b4a596a2b3d2752d94f51fac2d4a96737b8705dddd311a32b9af47211f08671e"
-dependencies = [
- "anyhow",
- "bitflags 1.3.2",
- "downcast-rs",
- "filedescriptor",
- "lazy_static",
- "libc",
- "log",
- "nix",
- "serial2",
- "shared_library",
- "shell-words",
- "winapi",
- "winreg",
-]
-
 [[package]]
 name = "potential_utf"
 version = "0.1.2"
@@ -3842,9 +3888,9 @@ checksum = "ba39f3699c378cd8970968dcbff9c43159ea4cfbd88d43c00b22f2ef10a435d2"
 
 [[package]]
 name = "reqwest"
-version = "0.12.22"
+version = "0.12.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cbc931937e6ca3a06e3b6c0aa7841849b160a90351d6ab467a8b9b9959767531"
+checksum = "d429f34c8092b2d42c7c93cec323bb4adeb7c67698f70839adec842ec10c7ceb"
 dependencies = [
  "base64 0.22.1",
  "bytes",
@@ -4236,9 +4282,9 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.142"
+version = "1.0.143"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "030fedb782600dcbd6f02d479bf0d817ac3bb40d644745b769d6a96bc3afc5a7"
+checksum = "d401abef1d108fbd9cbaebc3e46611f4b1021f714a0597a71f41ee463f5f4a5a"
 dependencies = [
  "indexmap 2.10.0",
  "itoa",
@@ -4320,17 +4366,6 @@ dependencies = [
  "syn 2.0.104",
 ]
 
-[[package]]
-name = "serial2"
-version = "0.2.31"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "26e1e5956803a69ddd72ce2de337b577898801528749565def03515f82bad5bb"
-dependencies = [
- "cfg-if",
- "libc",
- "winapi",
-]
-
 [[package]]
 name = "sha1"
 version = "0.10.6"
@@ -4362,22 +4397,6 @@ dependencies = [
  "lazy_static",
 ]
 
-[[package]]
-name = "shared_library"
-version = "0.1.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5a9e7e0f2bfae24d8a5b5a66c5b257a83c7412304311512a0c054cd5e619da11"
-dependencies = [
- "lazy_static",
- "libc",
-]
-
-[[package]]
-name = "shell-words"
-version = "1.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "24188a676b6ae68c3b2cb3a01be17fbf7240ce009799bb56d5b1409051e78fde"
-
 [[package]]
 name = "shlex"
 version = "1.3.0"
@@ -5676,6 +5695,18 @@ version = "0.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a751b3277700db47d3e574514de2eced5e54dc8a5436a3bf7a0b248b2cee16f3"
 
+[[package]]
+name = "which"
+version = "6.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b4ee928febd44d98f2f459a4a79bd4d928591333a494a10a868418ac1b39cf1f"
+dependencies = [
+ "either",
+ "home",
+ "rustix 0.38.44",
+ "winsafe",
+]
+
 [[package]]
 name = "whoami"
 version = "1.6.0"
@@ -5909,6 +5940,21 @@ dependencies = [
  "windows_x86_64_msvc 0.42.2",
 ]
 
+[[package]]
+name = "windows-targets"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c"
+dependencies = [
+ "windows_aarch64_gnullvm 0.48.5",
+ "windows_aarch64_msvc 0.48.5",
+ "windows_i686_gnu 0.48.5",
+ "windows_i686_msvc 0.48.5",
+ "windows_x86_64_gnu 0.48.5",
+ "windows_x86_64_gnullvm 0.48.5",
+ "windows_x86_64_msvc 0.48.5",
+]
+
 [[package]]
 name = "windows-targets"
 version = "0.52.6"
@@ -5947,6 +5993,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8"
 
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8"
+
 [[package]]
 name = "windows_aarch64_gnullvm"
 version = "0.52.6"
@@ -5965,6 +6017,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43"
 
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc"
+
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.52.6"
@@ -5983,6 +6041,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f"
 
+[[package]]
+name = "windows_i686_gnu"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e"
+
 [[package]]
 name = "windows_i686_gnu"
 version = "0.52.6"
@@ -6013,6 +6077,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060"
 
+[[package]]
+name = "windows_i686_msvc"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406"
+
 [[package]]
 name = "windows_i686_msvc"
 version = "0.52.6"
@@ -6031,6 +6101,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36"
 
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e"
+
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.52.6"
@@ -6049,6 +6125,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3"
 
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc"
+
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.52.6"
@@ -6067,6 +6149,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0"
 
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538"
+
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.52.6"
@@ -6089,13 +6177,10 @@ dependencies = [
 ]
 
 [[package]]
-name = "winreg"
-version = "0.10.1"
+name = "winsafe"
+version = "0.0.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "80d0f4e272c85def139476380b12f9ac60926689dd2e01d4923222f40580869d"
-dependencies = [
- "winapi",
-]
+checksum = "d135d17ab770252ad95e9a872d365cf3090e3be864a34ab46f48555993efc904"
 
 [[package]]
 name = "wiremock"
@@ -6136,6 +6221,23 @@ version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ea2f10b9bb0928dfb1b42b65e1f9e36f7f54dbdf08457afefb38afcdec4fa2bb"
 
+[[package]]
+name = "x11rb"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d91ffca73ee7f68ce055750bf9f6eca0780b8c85eff9bc046a3b0da41755e12"
+dependencies = [
+ "gethostname",
+ "rustix 0.38.44",
+ "x11rb-protocol",
+]
+
+[[package]]
+name = "x11rb-protocol"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec107c4503ea0b4a98ef47356329af139c0a4f7750e621cf2973cd3385ebcb3d"
+
 [[package]]
 name = "yaml-rust"
 version = "0.4.5"

codex-rs/Cargo.toml

@@ -7,7 +7,6 @@ members = [
     "common",
     "core",
     "exec",
-    "exec-command-mcp",
     "execpolicy",
     "file-search",
     "linux-sandbox",

codex-rs/apply-patch/apply_patch_tool_instructions.md

@@ -1,17 +1,23 @@
-To edit files, ALWAYS use the `shell` tool with `apply_patch` CLI.  `apply_patch` effectively allows you to execute a diff/patch against a file, but the format of the diff specification is unique to this task, so pay careful attention to these instructions. To use the `apply_patch` CLI, you should call the shell tool with the following structure:
+## `apply_patch`
 
-```bash
-{"cmd": ["apply_patch", "<<'EOF'\\n*** Begin Patch\\n[YOUR_PATCH]\\n*** End Patch\\nEOF\\n"], "workdir": "..."}
-```
+Use the `apply_patch` shell command to edit files.
+Your patch language is a stripped‑down, file‑oriented diff format designed to be easy to parse and safe to apply. You can think of it as a high‑level envelope:
 
-Where [YOUR_PATCH] is the actual content of your patch, specified in the following V4A diff format.
+*** Begin Patch
+[ one or more file sections ]
+*** End Patch
 
-*** [ACTION] File: [path/to/file] -> ACTION can be one of Add, Update, or Delete.
-For each snippet of code that needs to be changed, repeat the following:
-[context_before] -> See below for further instructions on context.
-- [old_code] -> Precede the old code with a minus sign.
-+ [new_code] -> Precede the new, replacement code with a plus sign.
-[context_after] -> See below for further instructions on context.
+Within that envelope, you get a sequence of file operations.
+You MUST include a header to specify the action you are taking.
+Each operation starts with one of three headers:
+
+*** Add File: <path> - create a new file. Every following line is a + line (the initial contents).
+*** Delete File: <path> - remove an existing file. Nothing follows.
+*** Update File: <path> - patch an existing file in place (optionally with a rename).
+
+May be immediately followed by *** Move to: <new path> if you want to rename the file.
+Then one or more “hunks”, each introduced by @@ (optionally followed by a hunk header).
+Within a hunk each line starts with:
 
 For instructions on [context_before] and [context_after]:
 - By default, show 3 lines of code immediately above and 3 lines immediately below each change. If a change is within 3 lines of a previous change, do NOT duplicate the first change’s [context_after] lines in the second change’s [context_before] lines.
@@ -25,16 +31,45 @@ For instructions on [context_before] and [context_after]:
 - If a code block is repeated so many times in a class or function such that even a single `@@` statement and 3 lines of context cannot uniquely identify the snippet of code, you can use multiple `@@` statements to jump to the right context. For instance:
 
 @@ class BaseClass
-@@ 	def method():
+@@ 	 def method():
 [3 lines of pre-context]
 - [old_code]
 + [new_code]
 [3 lines of post-context]
 
-Note, then, that we do not use line numbers in this diff format, as the context is enough to uniquely identify code. An example of a message that you might pass as "input" to this function, in order to apply a patch, is shown below.
+The full grammar definition is below:
+Patch := Begin { FileOp } End
+Begin := "*** Begin Patch" NEWLINE
+End := "*** End Patch" NEWLINE
+FileOp := AddFile | DeleteFile | UpdateFile
+AddFile := "*** Add File: " path NEWLINE { "+" line NEWLINE }
+DeleteFile := "*** Delete File: " path NEWLINE
+UpdateFile := "*** Update File: " path NEWLINE [ MoveTo ] { Hunk }
+MoveTo := "*** Move to: " newPath NEWLINE
+Hunk := "@@" [ header ] NEWLINE { HunkLine } [ "*** End of File" NEWLINE ]
+HunkLine := (" " | "-" | "+") text NEWLINE
+
+A full patch can combine several operations:
+
+*** Begin Patch
+*** Add File: hello.txt
++Hello world
+*** Update File: src/app.py
+*** Move to: src/main.py
+@@ def greet():
+-print("Hi")
++print("Hello, world!")
+*** Delete File: obsolete.txt
+*** End Patch
+
+It is important to remember:
+
+- You must include a header with your intended action (Add/Delete/Update)
+- You must prefix new lines with `+` even when creating a new file
+- File references can only be relative, NEVER ABSOLUTE.
+
+You can invoke apply_patch like:
 
-```bash
-{"cmd": ["apply_patch", "<<'EOF'\\n*** Begin Patch\\n*** Update File: pygorithm/searching/binary_search.py\\n@@ class BaseClass\\n@@     def search():\\n-        pass\\n+        raise NotImplementedError()\\n@@ class Subclass\\n@@     def search():\\n-        pass\\n+        raise NotImplementedError()\\n*** End Patch\\nEOF\\n"], "workdir": "..."}
 ```
-
-File references can only be relative, NEVER ABSOLUTE. After the apply_patch command is run, it will always say "Done!", regardless of whether the patch was successfully applied or not. However, you can determine if there are issue and errors by looking at any warnings or logging lines printed BEFORE the "Done!" is output.
+shell {"command":["apply_patch","*** Begin Patch\n*** Add File: hello.txt\n+Hello, world!\n*** End Patch\n"]}
+```

codex-rs/apply-patch/src/lib.rs

@@ -22,6 +22,8 @@ use tree_sitter_bash::LANGUAGE as BASH;
 /// Detailed instructions for gpt-4.1 on how to use the `apply_patch` tool.
 pub const APPLY_PATCH_TOOL_INSTRUCTIONS: &str = include_str!("../apply_patch_tool_instructions.md");
 
+const APPLY_PATCH_COMMANDS: [&str; 2] = ["apply_patch", "applypatch"];
+
 #[derive(Debug, Error, PartialEq)]
 pub enum ApplyPatchError {
     #[error(transparent)]
@@ -82,7 +84,6 @@ pub struct ApplyPatchArgs {
 }
 
 pub fn maybe_parse_apply_patch(argv: &[String]) -> MaybeApplyPatch {
-    const APPLY_PATCH_COMMANDS: [&str; 2] = ["apply_patch", "applypatch"];
     match argv {
         [cmd, body] if APPLY_PATCH_COMMANDS.contains(&cmd.as_str()) => match parse_patch(body) {
             Ok(source) => MaybeApplyPatch::Body(source),
@@ -91,7 +92,9 @@ pub fn maybe_parse_apply_patch(argv: &[String]) -> MaybeApplyPatch {
         [bash, flag, script]
             if bash == "bash"
                 && flag == "-lc"
-                && script.trim_start().starts_with("apply_patch") =>
+                && APPLY_PATCH_COMMANDS
+                    .iter()
+                    .any(|cmd| script.trim_start().starts_with(cmd)) =>
         {
             match extract_heredoc_body_from_apply_patch_command(script) {
                 Ok(body) => match parse_patch(&body) {
@@ -262,7 +265,10 @@ pub fn maybe_parse_apply_patch_verified(argv: &[String], cwd: &Path) -> MaybeApp
 fn extract_heredoc_body_from_apply_patch_command(
     src: &str,
 ) -> std::result::Result<String, ExtractHeredocError> {
-    if !src.trim_start().starts_with("apply_patch") {
+    if !APPLY_PATCH_COMMANDS
+        .iter()
+        .any(|cmd| src.trim_start().starts_with(cmd))
+    {
         return Err(ExtractHeredocError::CommandDidNotStartWithApplyPatch);
     }
 
@@ -773,6 +779,33 @@ PATCH"#,
         }
     }
 
+    #[test]
+    fn test_heredoc_applypatch() {
+        let args = strs_to_strings(&[
+            "bash",
+            "-lc",
+            r#"applypatch <<'PATCH'
+*** Begin Patch
+*** Add File: foo
++hi
+*** End Patch
+PATCH"#,
+        ]);
+
+        match maybe_parse_apply_patch(&args) {
+            MaybeApplyPatch::Body(ApplyPatchArgs { hunks, patch: _ }) => {
+                assert_eq!(
+                    hunks,
+                    vec![Hunk::AddFile {
+                        path: PathBuf::from("foo"),
+                        contents: "hi\n".to_string()
+                    }]
+                );
+            }
+            result => panic!("expected MaybeApplyPatch::Body got {result:?}"),
+        }
+    }
+
     #[test]
     fn test_add_file_hunk_creates_file_with_contents() {
         let dir = tempdir().unwrap();

codex-rs/cli/src/main.rs

@@ -159,7 +159,7 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
             codex_exec::run_main(exec_cli, codex_linux_sandbox_exe).await?;
         }
         Some(Subcommand::Mcp) => {
-            codex_mcp_server::run_main(codex_linux_sandbox_exe).await?;
+            codex_mcp_server::run_main(codex_linux_sandbox_exe, cli.config_overrides).await?;
         }
         Some(Subcommand::Login(mut login_cli)) => {
             prepend_config_flags(&mut login_cli.config_overrides, cli.config_overrides);

codex-rs/cli/src/proto.rs

@@ -9,6 +9,7 @@ use codex_core::config::ConfigOverrides;
 use codex_core::protocol::Event;
 use codex_core::protocol::EventMsg;
 use codex_core::protocol::Submission;
+use codex_login::AuthManager;
 use tokio::io::AsyncBufReadExt;
 use tokio::io::BufReader;
 use tracing::error;
@@ -36,7 +37,10 @@ pub async fn run_main(opts: ProtoCli) -> anyhow::Result<()> {
 
     let config = Config::load_with_cli_overrides(overrides_vec, ConfigOverrides::default())?;
     // Use conversation_manager API to start a conversation
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager = ConversationManager::new(AuthManager::shared(
+        config.codex_home.clone(),
+        config.preferred_auth_method,
+    ));
     let NewConversation {
         conversation_id: _,
         conversation,

codex-rs/common/src/approval_presets.rs

@@ -0,0 +1,46 @@
+use codex_core::protocol::AskForApproval;
+use codex_core::protocol::SandboxPolicy;
+
+/// A simple preset pairing an approval policy with a sandbox policy.
+#[derive(Debug, Clone)]
+pub struct ApprovalPreset {
+    /// Stable identifier for the preset.
+    pub id: &'static str,
+    /// Display label shown in UIs.
+    pub label: &'static str,
+    /// Short human description shown next to the label in UIs.
+    pub description: &'static str,
+    /// Approval policy to apply.
+    pub approval: AskForApproval,
+    /// Sandbox policy to apply.
+    pub sandbox: SandboxPolicy,
+}
+
+/// Built-in list of approval presets that pair approval and sandbox policy.
+///
+/// Keep this UI-agnostic so it can be reused by both TUI and MCP server.
+pub fn builtin_approval_presets() -> Vec<ApprovalPreset> {
+    vec![
+        ApprovalPreset {
+            id: "read-only",
+            label: "Read Only",
+            description: "Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network",
+            approval: AskForApproval::OnRequest,
+            sandbox: SandboxPolicy::ReadOnly,
+        },
+        ApprovalPreset {
+            id: "auto",
+            label: "Auto",
+            description: "Codex can read files, make edits, and run commands in the workspace. Codex requires approval to work outside the workspace or access network",
+            approval: AskForApproval::OnRequest,
+            sandbox: SandboxPolicy::new_workspace_write_policy(),
+        },
+        ApprovalPreset {
+            id: "full-access",
+            label: "Full Access",
+            description: "Codex can read files, make edits, and run commands with network access, without approval. Exercise caution",
+            approval: AskForApproval::Never,
+            sandbox: SandboxPolicy::DangerFullAccess,
+        },
+    ]
+}

codex-rs/common/src/lib.rs

@@ -31,3 +31,6 @@ pub use config_summary::create_config_summary_entries;
 pub mod fuzzy_match;
 // Shared model presets used by TUI and MCP server
 pub mod model_presets;
+// Shared approval presets (AskForApproval + Sandbox) used by TUI and MCP server
+// Not to be confused with AskForApproval, which we should probably rename to EscalationPolicy.
+pub mod approval_presets;

codex-rs/common/src/model_presets.rs

@@ -24,28 +24,28 @@ pub fn builtin_model_presets() -> &'static [ModelPreset] {
         ModelPreset {
             id: "gpt-5-minimal",
             label: "gpt-5 minimal",
-            description: "— Fastest responses with very limited reasoning; ideal for coding, instructions, or lightweight tasks.",
+            description: "— fastest responses with limited reasoning; ideal for coding, instructions, or lightweight tasks",
             model: "gpt-5",
             effort: ReasoningEffort::Minimal,
         },
         ModelPreset {
             id: "gpt-5-low",
             label: "gpt-5 low",
-            description: "— Balances speed with some reasoning; useful for straightforward queries and short explanations.",
+            description: "— balances speed with some reasoning; useful for straightforward queries and short explanations",
             model: "gpt-5",
             effort: ReasoningEffort::Low,
         },
         ModelPreset {
             id: "gpt-5-medium",
             label: "gpt-5 medium",
-            description: "— Default setting; provides a solid balance of reasoning depth and latency for general-purpose tasks.",
+            description: "— default setting; provides a solid balance of reasoning depth and latency for general-purpose tasks",
             model: "gpt-5",
             effort: ReasoningEffort::Medium,
         },
         ModelPreset {
             id: "gpt-5-high",
             label: "gpt-5 high",
-            description: "— Maximizes reasoning depth for complex or ambiguous problems.",
+            description: "— maximizes reasoning depth for complex or ambiguous problems",
             model: "gpt-5",
             effort: ReasoningEffort::High,
         },

codex-rs/config.md

@@ -243,6 +243,25 @@ To disable reasoning summaries, set `model_reasoning_summary` to `"none"` in you
 model_reasoning_summary = "none"  # disable reasoning summaries
 ```
 
+## model_verbosity
+
+Controls output length/detail on GPT‑5 family models when using the Responses API. Supported values:
+
+- `"low"`
+- `"medium"` (default when omitted)
+- `"high"`
+
+When set, Codex includes a `text` object in the request payload with the configured verbosity, for example: `"text": { "verbosity": "low" }`.
+
+Example:
+
+```toml
+model = "gpt-5"
+model_verbosity = "low"
+```
+
+Note: This applies only to providers using the Responses API. Chat Completions providers are unaffected.
+
 ## model_supports_reasoning_summaries
 
 By default, `reasoning` is only set on requests to OpenAI models that are known to support them. To force `reasoning` to set on requests to the current model, you can force this behavior by setting the following in `config.toml`:
@@ -300,6 +319,16 @@ This is reasonable to use if Codex is running in an environment that provides it
 
 Though using this option may also be necessary if you try to use Codex in environments where its native sandboxing mechanisms are unsupported, such as older Linux kernels or on Windows.
 
+## Approval presets
+
+Codex provides three main Approval Presets:
+
+- Read Only: Codex can read files and answer questions; edits, running commands, and network access require approval.
+- Auto: Codex can read files, make edits, and run commands in the workspace without approval; asks for approval outside the workspace or for network access.
+- Full Access: Full disk and network access without prompts; extremely risky.
+
+You can further customize how Codex runs at the command line using the `--ask-for-approval` and `--sandbox` options.
+
 ## mcp_servers
 
 Defines the list of MCP servers that Codex can consult for tool use. Currently, only servers that are launched by executing a program that communicate over stdio are supported. For servers that use the SSE transport, consider an adapter like [mcp-proxy](https://github.com/sparfenyuk/mcp-proxy).

codex-rs/core/Cargo.toml

@@ -71,6 +71,9 @@ openssl-sys = { version = "*", features = ["vendored"] }
 [target.aarch64-unknown-linux-musl.dependencies]
 openssl-sys = { version = "*", features = ["vendored"] }
 
+[target.'cfg(target_os = "windows")'.dependencies]
+which = "6"
+
 [dev-dependencies]
 assert_cmd = "2"
 core_test_support = { path = "tests/common" }

codex-rs/core/prompt.md

@@ -265,68 +265,10 @@ For casual greetings, acknowledgements, or other one-off conversational messages
 
 ## Shell commands
 
-Do NOT use `shell`. Use only `functions_exec_command` and `functions_write_stdin`.
+When using the shell, you must adhere to the following guidelines:
 
-## `apply_patch`
-
-Your patch language is a stripped‑down, file‑oriented diff format designed to be easy to parse and safe to apply. You can think of it as a high‑level envelope:
-
-**_ Begin Patch
-[ one or more file sections ]
-_** End Patch
-
-Within that envelope, you get a sequence of file operations.
-You MUST include a header to specify the action you are taking.
-Each operation starts with one of three headers:
-
-**_ Add File: <path> - create a new file. Every following line is a + line (the initial contents).
-_** Delete File: <path> - remove an existing file. Nothing follows.
-\*\*\* Update File: <path> - patch an existing file in place (optionally with a rename).
-
-May be immediately followed by \*\*\* Move to: <new path> if you want to rename the file.
-Then one or more “hunks”, each introduced by @@ (optionally followed by a hunk header).
-Within a hunk each line starts with:
-
-- for inserted text,
-
-* for removed text, or
-  space ( ) for context.
-  At the end of a truncated hunk you can emit \*\*\* End of File.
-
-Patch := Begin { FileOp } End
-Begin := "**_ Begin Patch" NEWLINE
-End := "_** End Patch" NEWLINE
-FileOp := AddFile | DeleteFile | UpdateFile
-AddFile := "**_ Add File: " path NEWLINE { "+" line NEWLINE }
-DeleteFile := "_** Delete File: " path NEWLINE
-UpdateFile := "**_ Update File: " path NEWLINE [ MoveTo ] { Hunk }
-MoveTo := "_** Move to: " newPath NEWLINE
-Hunk := "@@" [ header ] NEWLINE { HunkLine } [ "*** End of File" NEWLINE ]
-HunkLine := (" " | "-" | "+") text NEWLINE
-
-A full patch can combine several operations:
-
-**_ Begin Patch
-_** Add File: hello.txt
-+Hello world
-**_ Update File: src/app.py
-_** Move to: src/main.py
-@@ def greet():
--print("Hi")
-+print("Hello, world!")
-**_ Delete File: obsolete.txt
-_** End Patch
-
-It is important to remember:
-
-- You must include a header with your intended action (Add/Delete/Update)
-- You must prefix new lines with `+` even when creating a new file
-
-You can invoke apply_patch like:
-
-```
-shell {"command":["apply_patch","*** Begin Patch\n*** Add File: hello.txt\n+Hello, world!\n*** End Patch\n"]}
-```
+- When searching for text or files, prefer using `rg` or `rg --files` respectively because `rg` is much faster than alternatives like `grep`. (If the `rg` command is not found, then use alternatives.)
+- Read files in chunks with a max chunk size of 250 lines. Do not use python scripts to attempt to output larger chunks of a file. Command line output will be truncated after 10 kilobytes or 256 lines of output, regardless of the command used.
 
 ## `update_plan`
 

codex-rs/core/src/apply_patch.rs

@@ -1,13 +1,13 @@
 use crate::codex::Session;
 use crate::codex::TurnContext;
-use crate::models::FunctionCallOutputPayload;
-use crate::models::ResponseInputItem;
 use crate::protocol::FileChange;
 use crate::protocol::ReviewDecision;
 use crate::safety::SafetyCheck;
 use crate::safety::assess_patch_safety;
 use codex_apply_patch::ApplyPatchAction;
 use codex_apply_patch::ApplyPatchFileChange;
+use codex_protocol::models::FunctionCallOutputPayload;
+use codex_protocol::models::ResponseInputItem;
 use std::collections::HashMap;
 use std::path::PathBuf;
 

codex-rs/core/src/chat_completions.rs

@@ -22,11 +22,11 @@ use crate::client_common::ResponseStream;
 use crate::error::CodexErr;
 use crate::error::Result;
 use crate::model_family::ModelFamily;
-use crate::models::ContentItem;
-use crate::models::ReasoningItemContent;
-use crate::models::ResponseItem;
 use crate::openai_tools::create_tools_json_for_chat_completions_api;
 use crate::util::backoff;
+use codex_protocol::models::ContentItem;
+use codex_protocol::models::ReasoningItemContent;
+use codex_protocol::models::ResponseItem;
 
 /// Implementation for the classic Chat Completions API.
 pub(crate) async fn stream_chat_completions(
@@ -102,6 +102,33 @@ pub(crate) async fn stream_chat_completions(
                     "content": output.content,
                 }));
             }
+            ResponseItem::CustomToolCall {
+                id,
+                call_id: _,
+                name,
+                input,
+                status: _,
+            } => {
+                messages.push(json!({
+                    "role": "assistant",
+                    "content": null,
+                    "tool_calls": [{
+                        "id": id,
+                        "type": "custom",
+                        "custom": {
+                            "name": name,
+                            "input": input,
+                        }
+                    }]
+                }));
+            }
+            ResponseItem::CustomToolCallOutput { call_id, output } => {
+                messages.push(json!({
+                    "role": "tool",
+                    "tool_call_id": call_id,
+                    "content": output,
+                }));
+            }
             ResponseItem::Reasoning { .. } | ResponseItem::Other => {
                 // Omit these items from the conversation history.
                 continue;
@@ -482,16 +509,19 @@ where
                     // do NOT emit yet. Forward any other item (e.g. FunctionCall) right
                     // away so downstream consumers see it.
 
-                    let is_assistant_delta = matches!(&item, crate::models::ResponseItem::Message { role, .. } if role == "assistant");
+                    let is_assistant_delta = matches!(&item, codex_protocol::models::ResponseItem::Message { role, .. } if role == "assistant");
 
                     if is_assistant_delta {
                         // Only use the final assistant message if we have not
                         // seen any deltas; otherwise, deltas already built the
                         // cumulative text and this would duplicate it.
                         if this.cumulative.is_empty()
-                            && let crate::models::ResponseItem::Message { content, .. } = &item
+                            && let codex_protocol::models::ResponseItem::Message { content, .. } =
+                                &item
                             && let Some(text) = content.iter().find_map(|c| match c {
-                                crate::models::ContentItem::OutputText { text } => Some(text),
+                                codex_protocol::models::ContentItem::OutputText { text } => {
+                                    Some(text)
+                                }
                                 _ => None,
                             })
                         {
@@ -515,26 +545,27 @@ where
                     if !this.cumulative_reasoning.is_empty()
                         && matches!(this.mode, AggregateMode::AggregatedOnly)
                     {
-                        let aggregated_reasoning = crate::models::ResponseItem::Reasoning {
-                            id: String::new(),
-                            summary: Vec::new(),
-                            content: Some(vec![
-                                crate::models::ReasoningItemContent::ReasoningText {
-                                    text: std::mem::take(&mut this.cumulative_reasoning),
-                                },
-                            ]),
-                            encrypted_content: None,
-                        };
+                        let aggregated_reasoning =
+                            codex_protocol::models::ResponseItem::Reasoning {
+                                id: String::new(),
+                                summary: Vec::new(),
+                                content: Some(vec![
+                                    codex_protocol::models::ReasoningItemContent::ReasoningText {
+                                        text: std::mem::take(&mut this.cumulative_reasoning),
+                                    },
+                                ]),
+                                encrypted_content: None,
+                            };
                         this.pending
                             .push_back(ResponseEvent::OutputItemDone(aggregated_reasoning));
                         emitted_any = true;
                     }
 
                     if !this.cumulative.is_empty() {
-                        let aggregated_message = crate::models::ResponseItem::Message {
+                        let aggregated_message = codex_protocol::models::ResponseItem::Message {
                             id: None,
                             role: "assistant".to_string(),
-                            content: vec![crate::models::ContentItem::OutputText {
+                            content: vec![codex_protocol::models::ContentItem::OutputText {
                                 text: std::mem::take(&mut this.cumulative),
                             }],
                         };

codex-rs/core/src/client.rs

@@ -4,8 +4,8 @@ use std::sync::OnceLock;
 use std::time::Duration;
 
 use bytes::Bytes;
+use codex_login::AuthManager;
 use codex_login::AuthMode;
-use codex_login::CodexAuth;
 use eventsource_stream::Eventsource;
 use futures::prelude::*;
 use regex_lite::Regex;
@@ -28,6 +28,7 @@ use crate::client_common::ResponseEvent;
 use crate::client_common::ResponseStream;
 use crate::client_common::ResponsesApiRequest;
 use crate::client_common::create_reasoning_param_for_request;
+use crate::client_common::create_text_param_for_request;
 use crate::config::Config;
 use crate::error::CodexErr;
 use crate::error::Result;
@@ -36,13 +37,13 @@ use crate::flags::CODEX_RS_SSE_FIXTURE;
 use crate::model_family::ModelFamily;
 use crate::model_provider_info::ModelProviderInfo;
 use crate::model_provider_info::WireApi;
-use crate::models::ResponseItem;
 use crate::openai_tools::create_tools_json_for_responses_api;
 use crate::protocol::TokenUsage;
 use crate::user_agent::get_codex_user_agent;
 use crate::util::backoff;
 use codex_protocol::config_types::ReasoningEffort as ReasoningEffortConfig;
 use codex_protocol::config_types::ReasoningSummary as ReasoningSummaryConfig;
+use codex_protocol::models::ResponseItem;
 use std::sync::Arc;
 
 #[derive(Debug, Deserialize)]
@@ -60,7 +61,7 @@ struct Error {
 #[derive(Debug, Clone)]
 pub struct ModelClient {
     config: Arc<Config>,
-    auth: Option<CodexAuth>,
+    auth_manager: Option<Arc<AuthManager>>,
     client: reqwest::Client,
     provider: ModelProviderInfo,
     session_id: Uuid,
@@ -71,7 +72,7 @@ pub struct ModelClient {
 impl ModelClient {
     pub fn new(
         config: Arc<Config>,
-        auth: Option<CodexAuth>,
+        auth_manager: Option<Arc<AuthManager>>,
         provider: ModelProviderInfo,
         effort: ReasoningEffortConfig,
         summary: ReasoningSummaryConfig,
@@ -79,7 +80,7 @@ impl ModelClient {
     ) -> Self {
         Self {
             config,
-            auth,
+            auth_manager,
             client: reqwest::Client::new(),
             provider,
             session_id,
@@ -140,7 +141,8 @@ impl ModelClient {
             return stream_from_fixture(path, self.provider.clone()).await;
         }
 
-        let auth = self.auth.clone();
+        let auth_manager = self.auth_manager.clone();
+        let auth = auth_manager.as_ref().and_then(|m| m.auth());
 
         let auth_mode = auth.as_ref().map(|a| a.mode);
 
@@ -164,6 +166,19 @@ impl ModelClient {
 
         let input_with_instructions = prompt.get_formatted_input();
 
+        // Only include `text.verbosity` for GPT-5 family models
+        let text = if self.config.model_family.family == "gpt-5" {
+            create_text_param_for_request(self.config.model_verbosity)
+        } else {
+            if self.config.model_verbosity.is_some() {
+                warn!(
+                    "model_verbosity is set but ignored for non-gpt-5 model family: {}",
+                    self.config.model_family.family
+                );
+            }
+            None
+        };
+
         let payload = ResponsesApiRequest {
             model: &self.config.model,
             instructions: &full_instructions,
@@ -176,6 +191,7 @@ impl ModelClient {
             stream: true,
             include,
             prompt_cache_key: Some(self.session_id.to_string()),
+            text,
         };
 
         let mut attempt = 0;
@@ -208,11 +224,7 @@ impl ModelClient {
                 req_builder = req_builder.header("chatgpt-account-id", account_id);
             }
 
-            let originator = self
-                .config
-                .internal_originator
-                .as_deref()
-                .unwrap_or("codex_cli_rs");
+            let originator = &self.config.responses_originator_header;
             req_builder = req_builder.header("originator", originator);
             req_builder = req_builder.header("User-Agent", get_codex_user_agent(Some(originator)));
 
@@ -252,6 +264,13 @@ impl ModelClient {
                         .and_then(|v| v.to_str().ok())
                         .and_then(|s| s.parse::<u64>().ok());
 
+                    if status == StatusCode::UNAUTHORIZED
+                        && let Some(manager) = auth_manager.as_ref()
+                        && manager.auth().is_some()
+                    {
+                        let _ = manager.refresh_token().await;
+                    }
+
                     // The OpenAI Responses endpoint returns structured JSON bodies even for 4xx/5xx
                     // errors. When we bubble early with only the HTTP status the caller sees an opaque
                     // "unexpected status 400 Bad Request" which makes debugging nearly impossible.
@@ -259,7 +278,10 @@ impl ModelClient {
                     // exact error message (e.g. "Unknown parameter: 'input[0].metadata'"). The body is
                     // small and this branch only runs on error paths so the extra allocation is
                     // negligible.
-                    if !(status == StatusCode::TOO_MANY_REQUESTS || status.is_server_error()) {
+                    if !(status == StatusCode::TOO_MANY_REQUESTS
+                        || status == StatusCode::UNAUTHORIZED
+                        || status.is_server_error())
+                    {
                         // Surface the error body to callers. Use `unwrap_or_default` per Clippy.
                         let body = res.text().await.unwrap_or_default();
                         return Err(CodexErr::UnexpectedStatus(status, body));
@@ -333,8 +355,8 @@ impl ModelClient {
         self.summary
     }
 
-    pub fn get_auth(&self) -> Option<CodexAuth> {
-        self.auth.clone()
+    pub fn get_auth_manager(&self) -> Option<Arc<AuthManager>> {
+        self.auth_manager.clone()
     }
 }
 
@@ -553,6 +575,8 @@ async fn process_sse<S>(
             }
             "response.content_part.done"
             | "response.function_call_arguments.delta"
+            | "response.custom_tool_call_input.delta"
+            | "response.custom_tool_call_input.done" // also emitted as response.output_item.done
             | "response.in_progress"
             | "response.output_item.added"
             | "response.output_text.done" => {

codex-rs/core/src/client_common.rs

@@ -1,12 +1,13 @@
+use crate::config_types::Verbosity as VerbosityConfig;
 use crate::error::Result;
 use crate::model_family::ModelFamily;
-use crate::models::ContentItem;
-use crate::models::ResponseItem;
 use crate::openai_tools::OpenAiTool;
 use crate::protocol::TokenUsage;
 use codex_apply_patch::APPLY_PATCH_TOOL_INSTRUCTIONS;
 use codex_protocol::config_types::ReasoningEffort as ReasoningEffortConfig;
 use codex_protocol::config_types::ReasoningSummary as ReasoningSummaryConfig;
+use codex_protocol::models::ContentItem;
+use codex_protocol::models::ResponseItem;
 use futures::Stream;
 use serde::Serialize;
 use std::borrow::Cow;
@@ -47,7 +48,18 @@ impl Prompt {
             .as_deref()
             .unwrap_or(BASE_INSTRUCTIONS);
         let mut sections: Vec<&str> = vec![base];
-        if model.needs_special_apply_patch_instructions {
+
+        // When there are no custom instructions, add apply_patch_tool_instructions if either:
+        // - the model needs special instructions (4.1), or
+        // - there is no apply_patch tool present
+        let is_apply_patch_tool_present = self.tools.iter().any(|tool| match tool {
+            OpenAiTool::Function(f) => f.name == "apply_patch",
+            OpenAiTool::Freeform(f) => f.name == "apply_patch",
+            _ => false,
+        });
+        if self.base_instructions_override.is_none()
+            && (model.needs_special_apply_patch_instructions || !is_apply_patch_tool_present)
+        {
             sections.push(APPLY_PATCH_TOOL_INSTRUCTIONS);
         }
         Cow::Owned(sections.join("\n"))
@@ -89,6 +101,32 @@ pub(crate) struct Reasoning {
     pub(crate) summary: ReasoningSummaryConfig,
 }
 
+/// Controls under the `text` field in the Responses API for GPT-5.
+#[derive(Debug, Serialize, Default, Clone, Copy)]
+pub(crate) struct TextControls {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(crate) verbosity: Option<OpenAiVerbosity>,
+}
+
+#[derive(Debug, Serialize, Default, Clone, Copy)]
+#[serde(rename_all = "lowercase")]
+pub(crate) enum OpenAiVerbosity {
+    Low,
+    #[default]
+    Medium,
+    High,
+}
+
+impl From<VerbosityConfig> for OpenAiVerbosity {
+    fn from(v: VerbosityConfig) -> Self {
+        match v {
+            VerbosityConfig::Low => OpenAiVerbosity::Low,
+            VerbosityConfig::Medium => OpenAiVerbosity::Medium,
+            VerbosityConfig::High => OpenAiVerbosity::High,
+        }
+    }
+}
+
 /// Request object that is serialized as JSON and POST'ed when using the
 /// Responses API.
 #[derive(Debug, Serialize)]
@@ -109,6 +147,8 @@ pub(crate) struct ResponsesApiRequest<'a> {
     pub(crate) include: Vec<String>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub(crate) prompt_cache_key: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(crate) text: Option<TextControls>,
 }
 
 pub(crate) fn create_reasoning_param_for_request(
@@ -123,6 +163,14 @@ pub(crate) fn create_reasoning_param_for_request(
     }
 }
 
+pub(crate) fn create_text_param_for_request(
+    verbosity: Option<VerbosityConfig>,
+) -> Option<TextControls> {
+    verbosity.map(|v| TextControls {
+        verbosity: Some(v.into()),
+    })
+}
+
 pub(crate) struct ResponseStream {
     pub(crate) rx_event: mpsc::Receiver<Result<ResponseEvent>>,
 }
@@ -151,4 +199,57 @@ mod tests {
         let full = prompt.get_full_instructions(&model_family);
         assert_eq!(full, expected);
     }
+
+    #[test]
+    fn serializes_text_verbosity_when_set() {
+        let input: Vec<ResponseItem> = vec![];
+        let tools: Vec<serde_json::Value> = vec![];
+        let req = ResponsesApiRequest {
+            model: "gpt-5",
+            instructions: "i",
+            input: &input,
+            tools: &tools,
+            tool_choice: "auto",
+            parallel_tool_calls: false,
+            reasoning: None,
+            store: true,
+            stream: true,
+            include: vec![],
+            prompt_cache_key: None,
+            text: Some(TextControls {
+                verbosity: Some(OpenAiVerbosity::Low),
+            }),
+        };
+
+        let v = serde_json::to_value(&req).expect("json");
+        assert_eq!(
+            v.get("text")
+                .and_then(|t| t.get("verbosity"))
+                .and_then(|s| s.as_str()),
+            Some("low")
+        );
+    }
+
+    #[test]
+    fn omits_text_when_not_set() {
+        let input: Vec<ResponseItem> = vec![];
+        let tools: Vec<serde_json::Value> = vec![];
+        let req = ResponsesApiRequest {
+            model: "gpt-5",
+            instructions: "i",
+            input: &input,
+            tools: &tools,
+            tool_choice: "auto",
+            parallel_tool_calls: false,
+            reasoning: None,
+            store: true,
+            stream: true,
+            include: vec![],
+            prompt_cache_key: None,
+            text: None,
+        };
+
+        let v = serde_json::to_value(&req).expect("json");
+        assert!(v.get("text").is_none());
+    }
 }

codex-rs/core/src/config.rs

@@ -6,6 +6,8 @@ use crate::config_types::ShellEnvironmentPolicy;
 use crate::config_types::ShellEnvironmentPolicyToml;
 use crate::config_types::Tui;
 use crate::config_types::UriBasedFileOpener;
+use crate::config_types::Verbosity;
+use crate::git_info::resolve_root_git_project_for_trust;
 use crate::model_family::ModelFamily;
 use crate::model_family::find_family_for_model;
 use crate::model_provider_info::ModelProviderInfo;
@@ -35,6 +37,8 @@ pub(crate) const PROJECT_DOC_MAX_BYTES: usize = 32 * 1024; // 32 KiB
 
 const CONFIG_TOML_FILE: &str = "config.toml";
 
+const DEFAULT_RESPONSES_ORIGINATOR_HEADER: &str = "codex_cli_rs";
+
 /// Application configuration loaded from disk and merged with overrides.
 #[derive(Debug, Clone, PartialEq)]
 pub struct Config {
@@ -148,6 +152,9 @@ pub struct Config {
     /// request using the Responses API.
     pub model_reasoning_summary: ReasoningSummary,
 
+    /// Optional verbosity control for GPT-5 models (Responses API `text.verbosity`).
+    pub model_verbosity: Option<Verbosity>,
+
     /// Base URL for requests to ChatGPT (as opposed to the OpenAI API).
     pub chatgpt_base_url: String,
 
@@ -162,10 +169,11 @@ pub struct Config {
     /// model family's default preference.
     pub include_apply_patch_tool: bool,
 
-    pub experimental_disable_built_in_shell_tool: bool,
+    /// Include the `subagent.run` tool allowing the model to invoke configured subagents.
+    pub include_subagent_tool: bool,
 
     /// The value for the `originator` header included with Responses API requests.
-    pub internal_originator: Option<String>,
+    pub responses_originator_header: String,
 
     /// If set to `true`, the API key will be signed with the `originator` header.
     pub preferred_auth_method: AuthMode,
@@ -259,10 +267,61 @@ pub fn set_project_trusted(codex_home: &Path, project_path: &Path) -> anyhow::Re
         Err(e) => return Err(e.into()),
     };
 
-    // Mark the project as trusted. toml_edit is very good at handling
-    // missing properties
+    // Ensure we render a human-friendly structure:
+    //
+    // [projects]
+    // [projects."/path/to/project"]
+    // trust_level = "trusted"
+    //
+    // rather than inline tables like:
+    //
+    // [projects]
+    // "/path/to/project" = { trust_level = "trusted" }
     let project_key = project_path.to_string_lossy().to_string();
-    doc["projects"][project_key.as_str()]["trust_level"] = toml_edit::value("trusted");
+
+    // Ensure top-level `projects` exists as a non-inline, explicit table. If it
+    // exists but was previously represented as a non-table (e.g., inline),
+    // replace it with an explicit table.
+    let mut created_projects_table = false;
+    {
+        let root = doc.as_table_mut();
+        let needs_table = !root.contains_key("projects")
+            || root.get("projects").and_then(|i| i.as_table()).is_none();
+        if needs_table {
+            root.insert("projects", toml_edit::table());
+            created_projects_table = true;
+        }
+    }
+    let Some(projects_tbl) = doc["projects"].as_table_mut() else {
+        return Err(anyhow::anyhow!(
+            "projects table missing after initialization"
+        ));
+    };
+
+    // If we created the `projects` table ourselves, keep it implicit so we
+    // don't render a standalone `[projects]` header.
+    if created_projects_table {
+        projects_tbl.set_implicit(true);
+    }
+
+    // Ensure the per-project entry is its own explicit table. If it exists but
+    // is not a table (e.g., an inline table), replace it with an explicit table.
+    let needs_proj_table = !projects_tbl.contains_key(project_key.as_str())
+        || projects_tbl
+            .get(project_key.as_str())
+            .and_then(|i| i.as_table())
+            .is_none();
+    if needs_proj_table {
+        projects_tbl.insert(project_key.as_str(), toml_edit::table());
+    }
+    let Some(proj_tbl) = projects_tbl
+        .get_mut(project_key.as_str())
+        .and_then(|i| i.as_table_mut())
+    else {
+        return Err(anyhow::anyhow!("project table missing for {}", project_key));
+    };
+    proj_tbl.set_implicit(false);
+    proj_tbl["trust_level"] = toml_edit::value("trusted");
 
     // ensure codex_home exists
     std::fs::create_dir_all(codex_home)?;
@@ -398,6 +457,8 @@ pub struct ConfigToml {
 
     pub model_reasoning_effort: Option<ReasoningEffort>,
     pub model_reasoning_summary: Option<ReasoningSummary>,
+    /// Optional verbosity control for GPT-5 models (Responses API `text.verbosity`).
+    pub model_verbosity: Option<Verbosity>,
 
     /// Override to force-enable reasoning summaries for the configured model.
     pub model_supports_reasoning_summaries: Option<bool>,
@@ -411,15 +472,16 @@ pub struct ConfigToml {
     /// Experimental path to a file whose contents replace the built-in BASE_INSTRUCTIONS.
     pub experimental_instructions_file: Option<PathBuf>,
 
-    pub experimental_disable_built_in_shell_tool: Option<bool>,
-
     /// The value for the `originator` header included with Responses API requests.
-    pub internal_originator: Option<String>,
+    pub responses_originator_header_internal_override: Option<String>,
 
     pub projects: Option<HashMap<String, ProjectConfig>>,
 
     /// If set to `true`, the API key will be signed with the `originator` header.
     pub preferred_auth_method: Option<AuthMode>,
+
+    /// Include the `subagent.run` tool allowing the model to invoke configured subagents.
+    pub include_subagent_tool: Option<bool>,
 }
 
 #[derive(Deserialize, Debug, Clone, PartialEq, Eq)]
@@ -456,10 +518,27 @@ impl ConfigToml {
     pub fn is_cwd_trusted(&self, resolved_cwd: &Path) -> bool {
         let projects = self.projects.clone().unwrap_or_default();
 
-        projects
-            .get(&resolved_cwd.to_string_lossy().to_string())
-            .map(|p| p.trust_level.clone().unwrap_or("".to_string()) == "trusted")
-            .unwrap_or(false)
+        let is_path_trusted = |path: &Path| {
+            let path_str = path.to_string_lossy().to_string();
+            projects
+                .get(&path_str)
+                .map(|p| p.trust_level.as_deref() == Some("trusted"))
+                .unwrap_or(false)
+        };
+
+        // Fast path: exact cwd match
+        if is_path_trusted(resolved_cwd) {
+            return true;
+        }
+
+        // If cwd lives inside a git worktree, check whether the root git project
+        // (the primary repository working directory) is trusted. This lets
+        // worktrees inherit trust from the main project.
+        if let Some(root_project) = resolve_root_git_project_for_trust(resolved_cwd) {
+            return is_path_trusted(&root_project);
+        }
+
+        false
     }
 
     pub fn get_config_profile(
@@ -497,6 +576,7 @@ pub struct ConfigOverrides {
     pub base_instructions: Option<String>,
     pub include_plan_tool: Option<bool>,
     pub include_apply_patch_tool: Option<bool>,
+    pub include_subagent_tool: Option<bool>,
     pub disable_response_storage: Option<bool>,
     pub show_raw_agent_reasoning: Option<bool>,
 }
@@ -523,6 +603,7 @@ impl Config {
             base_instructions,
             include_plan_tool,
             include_apply_patch_tool,
+            include_subagent_tool,
             disable_response_storage,
             show_raw_agent_reasoning,
         } = overrides;
@@ -599,7 +680,7 @@ impl Config {
                 needs_special_apply_patch_instructions: false,
                 supports_reasoning_summaries,
                 uses_local_shell_tool: false,
-                uses_apply_patch_tool: false,
+                apply_patch_tool_type: None,
             }
         });
 
@@ -626,8 +707,9 @@ impl Config {
             Self::get_base_instructions(experimental_instructions_path, &resolved_cwd)?;
         let base_instructions = base_instructions.or(file_base_instructions);
 
-        let include_apply_patch_tool_val =
-            include_apply_patch_tool.unwrap_or(model_family.uses_apply_patch_tool);
+        let responses_originator_header: String = cfg
+            .responses_originator_header_internal_override
+            .unwrap_or(DEFAULT_RESPONSES_ORIGINATOR_HEADER.to_owned());
 
         let config = Self {
             model,
@@ -673,7 +755,7 @@ impl Config {
                 .model_reasoning_summary
                 .or(cfg.model_reasoning_summary)
                 .unwrap_or_default(),
-
+            model_verbosity: config_profile.model_verbosity.or(cfg.model_verbosity),
             chatgpt_base_url: config_profile
                 .chatgpt_base_url
                 .or(cfg.chatgpt_base_url)
@@ -681,11 +763,13 @@ impl Config {
 
             experimental_resume,
             include_plan_tool: include_plan_tool.unwrap_or(false),
-            include_apply_patch_tool: include_apply_patch_tool_val,
-            experimental_disable_built_in_shell_tool: cfg
-                .experimental_disable_built_in_shell_tool
+            include_apply_patch_tool: include_apply_patch_tool.unwrap_or(false),
+            include_subagent_tool: config_profile
+                .include_subagent_tool
+                .or(cfg.include_subagent_tool)
+                .or(include_subagent_tool)
                 .unwrap_or(false),
-            internal_originator: cfg.internal_originator,
+            responses_originator_header,
             preferred_auth_method: cfg.preferred_auth_method.unwrap_or(AuthMode::ChatGPT),
         };
         Ok(config)
@@ -1045,13 +1129,14 @@ disable_response_storage = true
                 show_raw_agent_reasoning: false,
                 model_reasoning_effort: ReasoningEffort::High,
                 model_reasoning_summary: ReasoningSummary::Detailed,
+                model_verbosity: None,
                 chatgpt_base_url: "https://chatgpt.com/backend-api/".to_string(),
                 experimental_resume: None,
                 base_instructions: None,
                 include_plan_tool: false,
                 include_apply_patch_tool: false,
-                experimental_disable_built_in_shell_tool: false,
-                internal_originator: None,
+                include_subagent_tool: false,
+                responses_originator_header: "codex_cli_rs".to_string(),
                 preferred_auth_method: AuthMode::ChatGPT,
             },
             o3_profile_config
@@ -1099,13 +1184,14 @@ disable_response_storage = true
             show_raw_agent_reasoning: false,
             model_reasoning_effort: ReasoningEffort::default(),
             model_reasoning_summary: ReasoningSummary::default(),
+            model_verbosity: None,
             chatgpt_base_url: "https://chatgpt.com/backend-api/".to_string(),
             experimental_resume: None,
             base_instructions: None,
             include_plan_tool: false,
             include_apply_patch_tool: false,
-            experimental_disable_built_in_shell_tool: false,
-            internal_originator: None,
+            include_subagent_tool: false,
+            responses_originator_header: "codex_cli_rs".to_string(),
             preferred_auth_method: AuthMode::ChatGPT,
         };
 
@@ -1168,13 +1254,14 @@ disable_response_storage = true
             show_raw_agent_reasoning: false,
             model_reasoning_effort: ReasoningEffort::default(),
             model_reasoning_summary: ReasoningSummary::default(),
+            model_verbosity: None,
             chatgpt_base_url: "https://chatgpt.com/backend-api/".to_string(),
             experimental_resume: None,
             base_instructions: None,
             include_plan_tool: false,
             include_apply_patch_tool: false,
-            experimental_disable_built_in_shell_tool: false,
-            internal_originator: None,
+            include_subagent_tool: false,
+            responses_originator_header: "codex_cli_rs".to_string(),
             preferred_auth_method: AuthMode::ChatGPT,
         };
 
@@ -1182,4 +1269,74 @@ disable_response_storage = true
 
         Ok(())
     }
+
+    #[test]
+    fn test_set_project_trusted_writes_explicit_tables() -> anyhow::Result<()> {
+        let codex_home = TempDir::new().unwrap();
+        let project_dir = TempDir::new().unwrap();
+
+        // Call the function under test
+        set_project_trusted(codex_home.path(), project_dir.path())?;
+
+        // Read back the generated config.toml and assert exact contents
+        let config_path = codex_home.path().join(CONFIG_TOML_FILE);
+        let contents = std::fs::read_to_string(&config_path)?;
+
+        let raw_path = project_dir.path().to_string_lossy();
+        let path_str = if raw_path.contains('\\') {
+            format!("'{}'", raw_path)
+        } else {
+            format!("\"{}\"", raw_path)
+        };
+        let expected = format!(
+            r#"[projects.{path_str}]
+trust_level = "trusted"
+"#
+        );
+        assert_eq!(contents, expected);
+
+        Ok(())
+    }
+
+    #[test]
+    fn test_set_project_trusted_converts_inline_to_explicit() -> anyhow::Result<()> {
+        let codex_home = TempDir::new().unwrap();
+        let project_dir = TempDir::new().unwrap();
+
+        // Seed config.toml with an inline project entry under [projects]
+        let config_path = codex_home.path().join(CONFIG_TOML_FILE);
+        let raw_path = project_dir.path().to_string_lossy();
+        let path_str = if raw_path.contains('\\') {
+            format!("'{}'", raw_path)
+        } else {
+            format!("\"{}\"", raw_path)
+        };
+        // Use a quoted key so backslashes don't require escaping on Windows
+        let initial = format!(
+            r#"[projects]
+{path_str} = {{ trust_level = "untrusted" }}
+"#
+        );
+        std::fs::create_dir_all(codex_home.path())?;
+        std::fs::write(&config_path, initial)?;
+
+        // Run the function; it should convert to explicit tables and set trusted
+        set_project_trusted(codex_home.path(), project_dir.path())?;
+
+        let contents = std::fs::read_to_string(&config_path)?;
+
+        // Assert exact output after conversion to explicit table
+        let expected = format!(
+            r#"[projects]
+
+[projects.{path_str}]
+trust_level = "trusted"
+"#
+        );
+        assert_eq!(contents, expected);
+
+        Ok(())
+    }
+
+    // No test enforcing the presence of a standalone [projects] header.
 }

codex-rs/core/src/config_profile.rs

@@ -1,6 +1,7 @@
 use serde::Deserialize;
 use std::path::PathBuf;
 
+use crate::config_types::Verbosity;
 use crate::protocol::AskForApproval;
 use codex_protocol::config_types::ReasoningEffort;
 use codex_protocol::config_types::ReasoningSummary;
@@ -17,6 +18,9 @@ pub struct ConfigProfile {
     pub disable_response_storage: Option<bool>,
     pub model_reasoning_effort: Option<ReasoningEffort>,
     pub model_reasoning_summary: Option<ReasoningSummary>,
+    pub model_verbosity: Option<Verbosity>,
     pub chatgpt_base_url: Option<String>,
     pub experimental_instructions_file: Option<PathBuf>,
+    /// Include the `subagent.run` tool allowing the model to invoke configured subagents.
+    pub include_subagent_tool: Option<bool>,
 }

codex-rs/core/src/config_types.rs

@@ -8,6 +8,8 @@ use std::path::PathBuf;
 use wildmatch::WildMatchPattern;
 
 use serde::Deserialize;
+use serde::Serialize;
+use strum_macros::Display;
 
 #[derive(Deserialize, Debug, Clone, PartialEq)]
 pub struct McpServerConfig {
@@ -183,3 +185,43 @@ impl From<ShellEnvironmentPolicyToml> for ShellEnvironmentPolicy {
         }
     }
 }
+
+/// See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning
+#[derive(Debug, Serialize, Deserialize, Default, Clone, Copy, PartialEq, Eq, Display)]
+#[serde(rename_all = "lowercase")]
+#[strum(serialize_all = "lowercase")]
+pub enum ReasoningEffort {
+    Low,
+    #[default]
+    Medium,
+    High,
+    /// Option to disable reasoning.
+    None,
+}
+
+/// A summary of the reasoning performed by the model. This can be useful for
+/// debugging and understanding the model's reasoning process.
+/// See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#reasoning-summaries
+#[derive(Debug, Serialize, Deserialize, Default, Clone, Copy, PartialEq, Eq, Display)]
+#[serde(rename_all = "lowercase")]
+#[strum(serialize_all = "lowercase")]
+pub enum ReasoningSummary {
+    #[default]
+    Auto,
+    Concise,
+    Detailed,
+    /// Option to disable reasoning summaries.
+    None,
+}
+
+/// Controls output length/detail on GPT-5 models via the Responses API.
+/// Serialized with lowercase values to match the OpenAI API.
+#[derive(Debug, Serialize, Deserialize, Default, Clone, Copy, PartialEq, Eq, Display)]
+#[serde(rename_all = "lowercase")]
+#[strum(serialize_all = "lowercase")]
+pub enum Verbosity {
+    Low,
+    #[default]
+    Medium,
+    High,
+}

codex-rs/core/src/conversation_history.rs

@@ -1,4 +1,4 @@
-use crate::models::ResponseItem;
+use codex_protocol::models::ResponseItem;
 
 /// Transcript of conversation history
 #[derive(Debug, Clone, Default)]
@@ -66,7 +66,7 @@ impl ConversationHistory {
                 self.items.push(ResponseItem::Message {
                     id: None,
                     role: "assistant".to_string(),
-                    content: vec![crate::models::ContentItem::OutputText {
+                    content: vec![codex_protocol::models::ContentItem::OutputText {
                         text: delta.to_string(),
                     }],
                 });
@@ -110,6 +110,8 @@ fn is_api_message(message: &ResponseItem) -> bool {
         ResponseItem::Message { role, .. } => role.as_str() != "system",
         ResponseItem::FunctionCallOutput { .. }
         | ResponseItem::FunctionCall { .. }
+        | ResponseItem::CustomToolCall { .. }
+        | ResponseItem::CustomToolCallOutput { .. }
         | ResponseItem::LocalShellCall { .. }
         | ResponseItem::Reasoning { .. } => true,
         ResponseItem::Other => false,
@@ -118,11 +120,11 @@ fn is_api_message(message: &ResponseItem) -> bool {
 
 /// Helper to append the textual content from `src` into `dst` in place.
 fn append_text_content(
-    dst: &mut Vec<crate::models::ContentItem>,
-    src: &Vec<crate::models::ContentItem>,
+    dst: &mut Vec<codex_protocol::models::ContentItem>,
+    src: &Vec<codex_protocol::models::ContentItem>,
 ) {
     for c in src {
-        if let crate::models::ContentItem::OutputText { text } = c {
+        if let codex_protocol::models::ContentItem::OutputText { text } = c {
             append_text_delta(dst, text);
         }
     }
@@ -130,15 +132,15 @@ fn append_text_content(
 
 /// Append a single text delta to the last OutputText item in `content`, or
 /// push a new OutputText item if none exists.
-fn append_text_delta(content: &mut Vec<crate::models::ContentItem>, delta: &str) {
-    if let Some(crate::models::ContentItem::OutputText { text }) = content
+fn append_text_delta(content: &mut Vec<codex_protocol::models::ContentItem>, delta: &str) {
+    if let Some(codex_protocol::models::ContentItem::OutputText { text }) = content
         .iter_mut()
         .rev()
-        .find(|c| matches!(c, crate::models::ContentItem::OutputText { .. }))
+        .find(|c| matches!(c, codex_protocol::models::ContentItem::OutputText { .. }))
     {
         text.push_str(delta);
     } else {
-        content.push(crate::models::ContentItem::OutputText {
+        content.push(codex_protocol::models::ContentItem::OutputText {
             text: delta.to_string(),
         });
     }
@@ -147,7 +149,7 @@ fn append_text_delta(content: &mut Vec<crate::models::ContentItem>, delta: &str)
 #[cfg(test)]
 mod tests {
     use super::*;
-    use crate::models::ContentItem;
+    use codex_protocol::models::ContentItem;
 
     fn assistant_msg(text: &str) -> ResponseItem {
         ResponseItem::Message {

codex-rs/core/src/conversation_manager.rs

@@ -1,6 +1,7 @@
 use std::collections::HashMap;
 use std::sync::Arc;
 
+use codex_login::AuthManager;
 use codex_login::CodexAuth;
 use tokio::sync::RwLock;
 use uuid::Uuid;
@@ -15,6 +16,7 @@ use crate::error::Result as CodexResult;
 use crate::protocol::Event;
 use crate::protocol::EventMsg;
 use crate::protocol::SessionConfiguredEvent;
+use codex_protocol::models::ResponseItem;
 
 /// Represents a newly created Codex conversation, including the first event
 /// (which is [`EventMsg::SessionConfigured`]).
@@ -28,34 +30,48 @@ pub struct NewConversation {
 /// maintaining them in memory.
 pub struct ConversationManager {
     conversations: Arc<RwLock<HashMap<Uuid, Arc<CodexConversation>>>>,
-}
-
-impl Default for ConversationManager {
-    fn default() -> Self {
-        Self {
-            conversations: Arc::new(RwLock::new(HashMap::new())),
-        }
-    }
+    auth_manager: Arc<AuthManager>,
 }
 
 impl ConversationManager {
-    pub async fn new_conversation(&self, config: Config) -> CodexResult<NewConversation> {
-        let auth = CodexAuth::from_codex_home(&config.codex_home, config.preferred_auth_method)?;
-        self.new_conversation_with_auth(config, auth).await
+    pub fn new(auth_manager: Arc<AuthManager>) -> Self {
+        Self {
+            conversations: Arc::new(RwLock::new(HashMap::new())),
+            auth_manager,
+        }
     }
 
-    /// Used for integration tests: should not be used by ordinary business
-    /// logic.
-    pub async fn new_conversation_with_auth(
+    /// Construct with a dummy AuthManager containing the provided CodexAuth.
+    /// Used for integration tests: should not be used by ordinary business logic.
+    pub fn with_auth(auth: CodexAuth) -> Self {
+        Self::new(codex_login::AuthManager::from_auth_for_testing(auth))
+    }
+
+    pub async fn new_conversation(&self, config: Config) -> CodexResult<NewConversation> {
+        self.spawn_conversation(config, self.auth_manager.clone())
+            .await
+    }
+
+    async fn spawn_conversation(
         &self,
         config: Config,
-        auth: Option<CodexAuth>,
+        auth_manager: Arc<AuthManager>,
     ) -> CodexResult<NewConversation> {
         let CodexSpawnOk {
             codex,
             session_id: conversation_id,
-        } = Codex::spawn(config, auth).await?;
+        } = {
+            let initial_history = None;
+            Codex::spawn(config, auth_manager, initial_history).await?
+        };
+        self.finalize_spawn(codex, conversation_id).await
+    }
 
+    async fn finalize_spawn(
+        &self,
+        codex: Codex,
+        conversation_id: Uuid,
+    ) -> CodexResult<NewConversation> {
         // The first event must be `SessionInitialized`. Validate and forward it
         // to the caller so that they can display it in the conversation
         // history.
@@ -93,4 +109,120 @@ impl ConversationManager {
             .cloned()
             .ok_or_else(|| CodexErr::ConversationNotFound(conversation_id))
     }
+
+    /// Fork an existing conversation by dropping the last `drop_last_messages`
+    /// user/assistant messages from its transcript and starting a new
+    /// conversation with identical configuration (unless overridden by the
+    /// caller's `config`). The new conversation will have a fresh id.
+    pub async fn fork_conversation(
+        &self,
+        conversation_history: Vec<ResponseItem>,
+        num_messages_to_drop: usize,
+        config: Config,
+    ) -> CodexResult<NewConversation> {
+        // Compute the prefix up to the cut point.
+        let truncated_history =
+            truncate_after_dropping_last_messages(conversation_history, num_messages_to_drop);
+
+        // Spawn a new conversation with the computed initial history.
+        let auth_manager = self.auth_manager.clone();
+        let CodexSpawnOk {
+            codex,
+            session_id: conversation_id,
+        } = Codex::spawn(config, auth_manager, Some(truncated_history)).await?;
+
+        self.finalize_spawn(codex, conversation_id).await
+    }
+}
+
+/// Return a prefix of `items` obtained by dropping the last `n` user messages
+/// and all items that follow them.
+fn truncate_after_dropping_last_messages(items: Vec<ResponseItem>, n: usize) -> Vec<ResponseItem> {
+    if n == 0 || items.is_empty() {
+        return items;
+    }
+
+    // Walk backwards counting only `user` Message items, find cut index.
+    let mut count = 0usize;
+    let mut cut_index = 0usize;
+    for (idx, item) in items.iter().enumerate().rev() {
+        if let ResponseItem::Message { role, .. } = item
+            && role == "user"
+        {
+            count += 1;
+            if count == n {
+                // Cut everything from this user message to the end.
+                cut_index = idx;
+                break;
+            }
+        }
+    }
+    if count < n {
+        // If fewer than n messages exist, drop everything.
+        Vec::new()
+    } else {
+        items.into_iter().take(cut_index).collect()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use codex_protocol::models::ContentItem;
+    use codex_protocol::models::ReasoningItemReasoningSummary;
+    use codex_protocol::models::ResponseItem;
+
+    fn user_msg(text: &str) -> ResponseItem {
+        ResponseItem::Message {
+            id: None,
+            role: "user".to_string(),
+            content: vec![ContentItem::OutputText {
+                text: text.to_string(),
+            }],
+        }
+    }
+    fn assistant_msg(text: &str) -> ResponseItem {
+        ResponseItem::Message {
+            id: None,
+            role: "assistant".to_string(),
+            content: vec![ContentItem::OutputText {
+                text: text.to_string(),
+            }],
+        }
+    }
+
+    #[test]
+    fn drops_from_last_user_only() {
+        let items = vec![
+            user_msg("u1"),
+            assistant_msg("a1"),
+            assistant_msg("a2"),
+            user_msg("u2"),
+            assistant_msg("a3"),
+            ResponseItem::Reasoning {
+                id: "r1".to_string(),
+                summary: vec![ReasoningItemReasoningSummary::SummaryText {
+                    text: "s".to_string(),
+                }],
+                content: None,
+                encrypted_content: None,
+            },
+            ResponseItem::FunctionCall {
+                id: None,
+                name: "tool".to_string(),
+                arguments: "{}".to_string(),
+                call_id: "c1".to_string(),
+            },
+            assistant_msg("a4"),
+        ];
+
+        let truncated = truncate_after_dropping_last_messages(items.clone(), 1);
+        assert_eq!(
+            truncated,
+            vec![items[0].clone(), items[1].clone(), items[2].clone()]
+        );
+
+        let truncated2 = truncate_after_dropping_last_messages(items, 2);
+        assert!(truncated2.is_empty());
+    }
 }

codex-rs/core/src/environment_context.rs

@@ -2,16 +2,16 @@ use serde::Deserialize;
 use serde::Serialize;
 use strum_macros::Display as DeriveDisplay;
 
-use crate::models::ContentItem;
-use crate::models::ResponseItem;
 use crate::protocol::AskForApproval;
 use crate::protocol::SandboxPolicy;
+use crate::shell::Shell;
 use codex_protocol::config_types::SandboxMode;
-use std::fmt::Display;
+use codex_protocol::models::ContentItem;
+use codex_protocol::models::ResponseItem;
 use std::path::PathBuf;
 
 /// wraps environment context message in a tag for the model to parse more easily.
-pub(crate) const ENVIRONMENT_CONTEXT_START: &str = "<environment_context>\n";
+pub(crate) const ENVIRONMENT_CONTEXT_START: &str = "<environment_context>";
 pub(crate) const ENVIRONMENT_CONTEXT_END: &str = "</environment_context>";
 
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, DeriveDisplay)]
@@ -24,52 +24,87 @@ pub enum NetworkAccess {
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 #[serde(rename = "environment_context", rename_all = "snake_case")]
 pub(crate) struct EnvironmentContext {
-    pub cwd: PathBuf,
-    pub approval_policy: AskForApproval,
-    pub sandbox_mode: SandboxMode,
-    pub network_access: NetworkAccess,
+    pub cwd: Option<PathBuf>,
+    pub approval_policy: Option<AskForApproval>,
+    pub sandbox_mode: Option<SandboxMode>,
+    pub network_access: Option<NetworkAccess>,
+    pub shell: Option<Shell>,
 }
 
 impl EnvironmentContext {
     pub fn new(
-        cwd: PathBuf,
-        approval_policy: AskForApproval,
-        sandbox_policy: SandboxPolicy,
+        cwd: Option<PathBuf>,
+        approval_policy: Option<AskForApproval>,
+        sandbox_policy: Option<SandboxPolicy>,
+        shell: Option<Shell>,
     ) -> Self {
         Self {
             cwd,
             approval_policy,
             sandbox_mode: match sandbox_policy {
-                SandboxPolicy::DangerFullAccess => SandboxMode::DangerFullAccess,
-                SandboxPolicy::ReadOnly => SandboxMode::ReadOnly,
-                SandboxPolicy::WorkspaceWrite { .. } => SandboxMode::WorkspaceWrite,
+                Some(SandboxPolicy::DangerFullAccess) => Some(SandboxMode::DangerFullAccess),
+                Some(SandboxPolicy::ReadOnly) => Some(SandboxMode::ReadOnly),
+                Some(SandboxPolicy::WorkspaceWrite { .. }) => Some(SandboxMode::WorkspaceWrite),
+                None => None,
             },
             network_access: match sandbox_policy {
-                SandboxPolicy::DangerFullAccess => NetworkAccess::Enabled,
-                SandboxPolicy::ReadOnly => NetworkAccess::Restricted,
-                SandboxPolicy::WorkspaceWrite { network_access, .. } => {
+                Some(SandboxPolicy::DangerFullAccess) => Some(NetworkAccess::Enabled),
+                Some(SandboxPolicy::ReadOnly) => Some(NetworkAccess::Restricted),
+                Some(SandboxPolicy::WorkspaceWrite { network_access, .. }) => {
                     if network_access {
-                        NetworkAccess::Enabled
+                        Some(NetworkAccess::Enabled)
                     } else {
-                        NetworkAccess::Restricted
+                        Some(NetworkAccess::Restricted)
                     }
                 }
+                None => None,
             },
+            shell,
         }
     }
 }
 
-impl Display for EnvironmentContext {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        writeln!(
-            f,
-            "Current working directory: {}",
-            self.cwd.to_string_lossy()
-        )?;
-        writeln!(f, "Approval policy: {}", self.approval_policy)?;
-        writeln!(f, "Sandbox mode: {}", self.sandbox_mode)?;
-        writeln!(f, "Network access: {}", self.network_access)?;
-        Ok(())
+impl EnvironmentContext {
+    /// Serializes the environment context to XML. Libraries like `quick-xml`
+    /// require custom macros to handle Enums with newtypes, so we just do it
+    /// manually, to keep things simple. Output looks like:
+    ///
+    /// ```xml
+    /// <environment_context>
+    ///   <cwd>...</cwd>
+    ///   <approval_policy>...</approval_policy>
+    ///   <sandbox_mode>...</sandbox_mode>
+    ///   <network_access>...</network_access>
+    ///   <shell>...</shell>
+    /// </environment_context>
+    /// ```
+    pub fn serialize_to_xml(self) -> String {
+        let mut lines = vec![ENVIRONMENT_CONTEXT_START.to_string()];
+        if let Some(cwd) = self.cwd {
+            lines.push(format!("  <cwd>{}</cwd>", cwd.to_string_lossy()));
+        }
+        if let Some(approval_policy) = self.approval_policy {
+            lines.push(format!(
+                "  <approval_policy>{}</approval_policy>",
+                approval_policy
+            ));
+        }
+        if let Some(sandbox_mode) = self.sandbox_mode {
+            lines.push(format!("  <sandbox_mode>{}</sandbox_mode>", sandbox_mode));
+        }
+        if let Some(network_access) = self.network_access {
+            lines.push(format!(
+                "  <network_access>{}</network_access>",
+                network_access
+            ));
+        }
+        if let Some(shell) = self.shell
+            && let Some(shell_name) = shell.name()
+        {
+            lines.push(format!("  <shell>{}</shell>", shell_name));
+        }
+        lines.push(ENVIRONMENT_CONTEXT_END.to_string());
+        lines.join("\n")
     }
 }
 
@@ -79,7 +114,7 @@ impl From<EnvironmentContext> for ResponseItem {
             id: None,
             role: "user".to_string(),
             content: vec![ContentItem::InputText {
-                text: format!("{ENVIRONMENT_CONTEXT_START}{ec}{ENVIRONMENT_CONTEXT_END}"),
+                text: ec.serialize_to_xml(),
             }],
         }
     }

codex-rs/core/src/exec.rs

@@ -28,18 +28,17 @@ use crate::spawn::StdioPolicy;
 use crate::spawn::spawn_child_async;
 use serde_bytes::ByteBuf;
 
-// Maximum we send for each stream, which is either:
-// - 10KiB OR
-// - 256 lines
-const MAX_STREAM_OUTPUT: usize = 10 * 1024;
-const MAX_STREAM_OUTPUT_LINES: usize = 256;
-
 const DEFAULT_TIMEOUT_MS: u64 = 10_000;
 
 // Hardcode these since it does not seem worth including the libc crate just
 // for these.
 const SIGKILL_CODE: i32 = 9;
 const TIMEOUT_CODE: i32 = 64;
+const EXIT_CODE_SIGNAL_BASE: i32 = 128; // conventional shell: 128 + signal
+
+// I/O buffer sizing
+const READ_CHUNK_SIZE: usize = 8192; // bytes per read
+const AGGREGATE_BUFFER_INITIAL_CAPACITY: usize = 8 * 1024; // 8 KiB
 
 #[derive(Debug, Clone)]
 pub struct ExecParams {
@@ -153,6 +152,7 @@ pub async fn process_exec_tool_call(
                 exit_code,
                 stdout,
                 stderr,
+                aggregated_output: raw_output.aggregated_output.from_utf8_lossy(),
                 duration,
             })
         }
@@ -189,10 +189,11 @@ pub struct StreamOutput<T> {
     pub truncated_after_lines: Option<u32>,
 }
 #[derive(Debug)]
-pub struct RawExecToolCallOutput {
+struct RawExecToolCallOutput {
     pub exit_status: ExitStatus,
     pub stdout: StreamOutput<Vec<u8>>,
     pub stderr: StreamOutput<Vec<u8>>,
+    pub aggregated_output: StreamOutput<Vec<u8>>,
 }
 
 impl StreamOutput<String> {
@@ -213,11 +214,17 @@ impl StreamOutput<Vec<u8>> {
     }
 }
 
+#[inline]
+fn append_all(dst: &mut Vec<u8>, src: &[u8]) {
+    dst.extend_from_slice(src);
+}
+
 #[derive(Debug)]
 pub struct ExecToolCallOutput {
     pub exit_code: i32,
     pub stdout: StreamOutput<String>,
     pub stderr: StreamOutput<String>,
+    pub aggregated_output: StreamOutput<String>,
     pub duration: Duration,
 }
 
@@ -253,7 +260,7 @@ async fn exec(
 
 /// Consumes the output of a child process, truncating it so it is suitable for
 /// use as the output of a `shell` tool call. Also enforces specified timeout.
-pub(crate) async fn consume_truncated_output(
+async fn consume_truncated_output(
     mut child: Child,
     timeout: Duration,
     stdout_stream: Option<StdoutStream>,
@@ -273,19 +280,19 @@ pub(crate) async fn consume_truncated_output(
         ))
     })?;
 
+    let (agg_tx, agg_rx) = async_channel::unbounded::<Vec<u8>>();
+
     let stdout_handle = tokio::spawn(read_capped(
         BufReader::new(stdout_reader),
-        MAX_STREAM_OUTPUT,
-        MAX_STREAM_OUTPUT_LINES,
         stdout_stream.clone(),
         false,
+        Some(agg_tx.clone()),
     ));
     let stderr_handle = tokio::spawn(read_capped(
         BufReader::new(stderr_reader),
-        MAX_STREAM_OUTPUT,
-        MAX_STREAM_OUTPUT_LINES,
         stdout_stream.clone(),
         true,
+        Some(agg_tx.clone()),
     ));
 
     let exit_status = tokio::select! {
@@ -297,38 +304,48 @@ pub(crate) async fn consume_truncated_output(
                     // timeout
                     child.start_kill()?;
                     // Debatable whether `child.wait().await` should be called here.
-                    synthetic_exit_status(128 + TIMEOUT_CODE)
+                    synthetic_exit_status(EXIT_CODE_SIGNAL_BASE + TIMEOUT_CODE)
                 }
             }
         }
         _ = tokio::signal::ctrl_c() => {
             child.start_kill()?;
-            synthetic_exit_status(128 + SIGKILL_CODE)
+            synthetic_exit_status(EXIT_CODE_SIGNAL_BASE + SIGKILL_CODE)
         }
     };
 
     let stdout = stdout_handle.await??;
     let stderr = stderr_handle.await??;
 
+    drop(agg_tx);
+
+    let mut combined_buf = Vec::with_capacity(AGGREGATE_BUFFER_INITIAL_CAPACITY);
+    while let Ok(chunk) = agg_rx.recv().await {
+        append_all(&mut combined_buf, &chunk);
+    }
+    let aggregated_output = StreamOutput {
+        text: combined_buf,
+        truncated_after_lines: None,
+    };
+
     Ok(RawExecToolCallOutput {
         exit_status,
         stdout,
         stderr,
+        aggregated_output,
     })
 }
 
 async fn read_capped<R: AsyncRead + Unpin + Send + 'static>(
     mut reader: R,
-    max_output: usize,
-    max_lines: usize,
     stream: Option<StdoutStream>,
     is_stderr: bool,
+    aggregate_tx: Option<Sender<Vec<u8>>>,
 ) -> io::Result<StreamOutput<Vec<u8>>> {
-    let mut buf = Vec::with_capacity(max_output.min(8 * 1024));
-    let mut tmp = [0u8; 8192];
+    let mut buf = Vec::with_capacity(AGGREGATE_BUFFER_INITIAL_CAPACITY);
+    let mut tmp = [0u8; READ_CHUNK_SIZE];
 
-    let mut remaining_bytes = max_output;
-    let mut remaining_lines = max_lines;
+    // No caps: append all bytes
 
     loop {
         let n = reader.read(&mut tmp).await?;
@@ -355,33 +372,17 @@ async fn read_capped<R: AsyncRead + Unpin + Send + 'static>(
             let _ = stream.tx_event.send(event).await;
         }
 
-        // Copy into the buffer only while we still have byte and line budget.
-        if remaining_bytes > 0 && remaining_lines > 0 {
-            let mut copy_len = 0;
-            for &b in &tmp[..n] {
-                if remaining_bytes == 0 || remaining_lines == 0 {
-                    break;
-                }
-                copy_len += 1;
-                remaining_bytes -= 1;
-                if b == b'\n' {
-                    remaining_lines -= 1;
-                }
-            }
-            buf.extend_from_slice(&tmp[..copy_len]);
+        if let Some(tx) = &aggregate_tx {
+            let _ = tx.send(tmp[..n].to_vec()).await;
         }
-        // Continue reading to EOF to avoid back-pressure, but discard once caps are hit.
-    }
 
-    let truncated = remaining_lines == 0 || remaining_bytes == 0;
+        append_all(&mut buf, &tmp[..n]);
+        // Continue reading to EOF to avoid back-pressure
+    }
 
     Ok(StreamOutput {
         text: buf,
-        truncated_after_lines: if truncated {
-            Some((max_lines - remaining_lines) as u32)
-        } else {
-            None
-        },
+        truncated_after_lines: None,
     })
 }
 

codex-rs/core/src/git_info.rs

@@ -1,11 +1,17 @@
+use std::collections::HashSet;
 use std::path::Path;
+use std::path::PathBuf;
 
+use codex_protocol::mcp_protocol::GitSha;
+use futures::future::join_all;
 use serde::Deserialize;
 use serde::Serialize;
 use tokio::process::Command;
 use tokio::time::Duration as TokioDuration;
 use tokio::time::timeout;
 
+use crate::util::is_inside_git_repo;
+
 /// Timeout for git commands to prevent freezing on large repositories
 const GIT_COMMAND_TIMEOUT: TokioDuration = TokioDuration::from_secs(5);
 
@@ -22,6 +28,12 @@ pub struct GitInfo {
     pub repository_url: Option<String>,
 }
 
+#[derive(Serialize, Deserialize, Clone, Debug)]
+pub struct GitDiffToRemote {
+    pub sha: GitSha,
+    pub diff: String,
+}
+
 /// Collect git repository information from the given working directory using command-line git.
 /// Returns None if no git repository is found or if git operations fail.
 /// Uses timeouts to prevent freezing on large repositories.
@@ -80,6 +92,23 @@ pub async fn collect_git_info(cwd: &Path) -> Option<GitInfo> {
     Some(git_info)
 }
 
+/// Returns the closest git sha to HEAD that is on a remote as well as the diff to that sha.
+pub async fn git_diff_to_remote(cwd: &Path) -> Option<GitDiffToRemote> {
+    if !is_inside_git_repo(cwd) {
+        return None;
+    }
+
+    let remotes = get_git_remotes(cwd).await?;
+    let branches = branch_ancestry(cwd).await?;
+    let base_sha = find_closest_sha(cwd, &branches, &remotes).await?;
+    let diff = diff_against_sha(cwd, &base_sha).await?;
+
+    Some(GitDiffToRemote {
+        sha: base_sha,
+        diff,
+    })
+}
+
 /// Run a git command with a timeout to prevent blocking on large repositories
 async fn run_git_command_with_timeout(args: &[&str], cwd: &Path) -> Option<std::process::Output> {
     let result = timeout(
@@ -94,6 +123,341 @@ async fn run_git_command_with_timeout(args: &[&str], cwd: &Path) -> Option<std::
     }
 }
 
+async fn get_git_remotes(cwd: &Path) -> Option<Vec<String>> {
+    let output = run_git_command_with_timeout(&["remote"], cwd).await?;
+    if !output.status.success() {
+        return None;
+    }
+    let mut remotes: Vec<String> = String::from_utf8(output.stdout)
+        .ok()?
+        .lines()
+        .map(|s| s.to_string())
+        .collect();
+    if let Some(pos) = remotes.iter().position(|r| r == "origin") {
+        let origin = remotes.remove(pos);
+        remotes.insert(0, origin);
+    }
+    Some(remotes)
+}
+
+/// Attempt to determine the repository's default branch name.
+///
+/// Preference order:
+/// 1) The symbolic ref at `refs/remotes/<remote>/HEAD` for the first remote (origin prioritized)
+/// 2) `git remote show <remote>` parsed for "HEAD branch: <name>"
+/// 3) Local fallback to existing `main` or `master` if present
+async fn get_default_branch(cwd: &Path) -> Option<String> {
+    // Prefer the first remote (with origin prioritized)
+    let remotes = get_git_remotes(cwd).await.unwrap_or_default();
+    for remote in remotes {
+        // Try symbolic-ref, which returns something like: refs/remotes/origin/main
+        if let Some(symref_output) = run_git_command_with_timeout(
+            &[
+                "symbolic-ref",
+                "--quiet",
+                &format!("refs/remotes/{remote}/HEAD"),
+            ],
+            cwd,
+        )
+        .await
+            && symref_output.status.success()
+            && let Ok(sym) = String::from_utf8(symref_output.stdout)
+        {
+            let trimmed = sym.trim();
+            if let Some((_, name)) = trimmed.rsplit_once('/') {
+                return Some(name.to_string());
+            }
+        }
+
+        // Fall back to parsing `git remote show <remote>` output
+        if let Some(show_output) =
+            run_git_command_with_timeout(&["remote", "show", &remote], cwd).await
+            && show_output.status.success()
+            && let Ok(text) = String::from_utf8(show_output.stdout)
+        {
+            for line in text.lines() {
+                let line = line.trim();
+                if let Some(rest) = line.strip_prefix("HEAD branch:") {
+                    let name = rest.trim();
+                    if !name.is_empty() {
+                        return Some(name.to_string());
+                    }
+                }
+            }
+        }
+    }
+
+    // No remote-derived default; try common local defaults if they exist
+    for candidate in ["main", "master"] {
+        if let Some(verify) = run_git_command_with_timeout(
+            &[
+                "rev-parse",
+                "--verify",
+                "--quiet",
+                &format!("refs/heads/{candidate}"),
+            ],
+            cwd,
+        )
+        .await
+            && verify.status.success()
+        {
+            return Some(candidate.to_string());
+        }
+    }
+
+    None
+}
+
+/// Build an ancestry of branches starting at the current branch and ending at the
+/// repository's default branch (if determinable)..
+async fn branch_ancestry(cwd: &Path) -> Option<Vec<String>> {
+    // Discover current branch (ignore detached HEAD by treating it as None)
+    let current_branch = run_git_command_with_timeout(&["rev-parse", "--abbrev-ref", "HEAD"], cwd)
+        .await
+        .and_then(|o| {
+            if o.status.success() {
+                String::from_utf8(o.stdout).ok()
+            } else {
+                None
+            }
+        })
+        .map(|s| s.trim().to_string())
+        .filter(|s| s != "HEAD");
+
+    // Discover default branch
+    let default_branch = get_default_branch(cwd).await;
+
+    let mut ancestry: Vec<String> = Vec::new();
+    let mut seen: HashSet<String> = HashSet::new();
+    if let Some(cb) = current_branch.clone() {
+        seen.insert(cb.clone());
+        ancestry.push(cb);
+    }
+    if let Some(db) = default_branch
+        && !seen.contains(&db)
+    {
+        seen.insert(db.clone());
+        ancestry.push(db);
+    }
+
+    // Expand candidates: include any remote branches that already contain HEAD.
+    // This addresses cases where we're on a new local-only branch forked from a
+    // remote branch that isn't the repository default. We prioritize remotes in
+    // the order returned by get_git_remotes (origin first).
+    let remotes = get_git_remotes(cwd).await.unwrap_or_default();
+    for remote in remotes {
+        if let Some(output) = run_git_command_with_timeout(
+            &[
+                "for-each-ref",
+                "--format=%(refname:short)",
+                "--contains=HEAD",
+                &format!("refs/remotes/{remote}"),
+            ],
+            cwd,
+        )
+        .await
+            && output.status.success()
+            && let Ok(text) = String::from_utf8(output.stdout)
+        {
+            for line in text.lines() {
+                let short = line.trim();
+                // Expect format like: "origin/feature"; extract the branch path after "remote/"
+                if let Some(stripped) = short.strip_prefix(&format!("{remote}/"))
+                    && !stripped.is_empty()
+                    && !seen.contains(stripped)
+                {
+                    seen.insert(stripped.to_string());
+                    ancestry.push(stripped.to_string());
+                }
+            }
+        }
+    }
+
+    // Ensure we return Some vector, even if empty, to allow caller logic to proceed
+    Some(ancestry)
+}
+
+// Helper for a single branch: return the remote SHA if present on any remote
+// and the distance (commits ahead of HEAD) for that branch. The first item is
+// None if the branch is not present on any remote. Returns None if distance
+// could not be computed due to git errors/timeouts.
+async fn branch_remote_and_distance(
+    cwd: &Path,
+    branch: &str,
+    remotes: &[String],
+) -> Option<(Option<GitSha>, usize)> {
+    // Try to find the first remote ref that exists for this branch (origin prioritized by caller).
+    let mut found_remote_sha: Option<GitSha> = None;
+    let mut found_remote_ref: Option<String> = None;
+    for remote in remotes {
+        let remote_ref = format!("refs/remotes/{remote}/{branch}");
+        let Some(verify_output) =
+            run_git_command_with_timeout(&["rev-parse", "--verify", "--quiet", &remote_ref], cwd)
+                .await
+        else {
+            // Mirror previous behavior: if the verify call times out/fails at the process level,
+            // treat the entire branch as unusable.
+            return None;
+        };
+        if !verify_output.status.success() {
+            continue;
+        }
+        let Ok(sha) = String::from_utf8(verify_output.stdout) else {
+            // Mirror previous behavior and skip the entire branch on parse failure.
+            return None;
+        };
+        found_remote_sha = Some(GitSha::new(sha.trim()));
+        found_remote_ref = Some(remote_ref);
+        break;
+    }
+
+    // Compute distance as the number of commits HEAD is ahead of the branch.
+    // Prefer local branch name if it exists; otherwise fall back to the remote ref (if any).
+    let count_output = if let Some(local_count) =
+        run_git_command_with_timeout(&["rev-list", "--count", &format!("{branch}..HEAD")], cwd)
+            .await
+    {
+        if local_count.status.success() {
+            local_count
+        } else if let Some(remote_ref) = &found_remote_ref {
+            match run_git_command_with_timeout(
+                &["rev-list", "--count", &format!("{remote_ref}..HEAD")],
+                cwd,
+            )
+            .await
+            {
+                Some(remote_count) => remote_count,
+                None => return None,
+            }
+        } else {
+            return None;
+        }
+    } else if let Some(remote_ref) = &found_remote_ref {
+        match run_git_command_with_timeout(
+            &["rev-list", "--count", &format!("{remote_ref}..HEAD")],
+            cwd,
+        )
+        .await
+        {
+            Some(remote_count) => remote_count,
+            None => return None,
+        }
+    } else {
+        return None;
+    };
+
+    if !count_output.status.success() {
+        return None;
+    }
+    let Ok(distance_str) = String::from_utf8(count_output.stdout) else {
+        return None;
+    };
+    let Ok(distance) = distance_str.trim().parse::<usize>() else {
+        return None;
+    };
+
+    Some((found_remote_sha, distance))
+}
+
+// Finds the closest sha that exist on any of branches and also exists on any of the remotes.
+async fn find_closest_sha(cwd: &Path, branches: &[String], remotes: &[String]) -> Option<GitSha> {
+    // A sha and how many commits away from HEAD it is.
+    let mut closest_sha: Option<(GitSha, usize)> = None;
+    for branch in branches {
+        let Some((maybe_remote_sha, distance)) =
+            branch_remote_and_distance(cwd, branch, remotes).await
+        else {
+            continue;
+        };
+        let Some(remote_sha) = maybe_remote_sha else {
+            // Preserve existing behavior: skip branches that are not present on a remote.
+            continue;
+        };
+        match &closest_sha {
+            None => closest_sha = Some((remote_sha, distance)),
+            Some((_, best_distance)) if distance < *best_distance => {
+                closest_sha = Some((remote_sha, distance));
+            }
+            _ => {}
+        }
+    }
+    closest_sha.map(|(sha, _)| sha)
+}
+
+async fn diff_against_sha(cwd: &Path, sha: &GitSha) -> Option<String> {
+    let output = run_git_command_with_timeout(&["diff", &sha.0], cwd).await?;
+    // 0 is success and no diff.
+    // 1 is success but there is a diff.
+    let exit_ok = output.status.code().is_some_and(|c| c == 0 || c == 1);
+    if !exit_ok {
+        return None;
+    }
+    let mut diff = String::from_utf8(output.stdout).ok()?;
+
+    if let Some(untracked_output) =
+        run_git_command_with_timeout(&["ls-files", "--others", "--exclude-standard"], cwd).await
+        && untracked_output.status.success()
+    {
+        let untracked: Vec<String> = String::from_utf8(untracked_output.stdout)
+            .ok()?
+            .lines()
+            .map(|s| s.to_string())
+            .filter(|s| !s.is_empty())
+            .collect();
+
+        if !untracked.is_empty() {
+            let futures_iter = untracked.into_iter().map(|file| async move {
+                let file_owned = file;
+                let args_vec: Vec<&str> =
+                    vec!["diff", "--binary", "--no-index", "/dev/null", &file_owned];
+                run_git_command_with_timeout(&args_vec, cwd).await
+            });
+            let results = join_all(futures_iter).await;
+            for extra in results.into_iter().flatten() {
+                if extra.status.code().is_some_and(|c| c == 0 || c == 1)
+                    && let Ok(s) = String::from_utf8(extra.stdout)
+                {
+                    diff.push_str(&s);
+                }
+            }
+        }
+    }
+
+    Some(diff)
+}
+
+/// Resolve the path that should be used for trust checks. Similar to
+/// `[utils::is_inside_git_repo]`, but resolves to the root of the main
+/// repository. Handles worktrees.
+pub fn resolve_root_git_project_for_trust(cwd: &Path) -> Option<PathBuf> {
+    let base = if cwd.is_dir() { cwd } else { cwd.parent()? };
+
+    // TODO: we should make this async, but it's primarily used deep in
+    // callstacks of sync code, and should almost always be fast
+    let git_dir_out = std::process::Command::new("git")
+        .args(["rev-parse", "--git-common-dir"])
+        .current_dir(base)
+        .output()
+        .ok()?;
+    if !git_dir_out.status.success() {
+        return None;
+    }
+    let git_dir_s = String::from_utf8(git_dir_out.stdout)
+        .ok()?
+        .trim()
+        .to_string();
+
+    let git_dir_path_raw = if Path::new(&git_dir_s).is_absolute() {
+        PathBuf::from(&git_dir_s)
+    } else {
+        base.join(&git_dir_s)
+    };
+
+    // Normalize to handle macOS /var vs /private/var and resolve ".." segments.
+    let git_dir_path = std::fs::canonicalize(&git_dir_path_raw).unwrap_or(git_dir_path_raw);
+    git_dir_path.parent().map(Path::to_path_buf)
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -104,7 +468,8 @@ mod tests {
 
     // Helper function to create a test git repository
     async fn create_test_git_repo(temp_dir: &TempDir) -> PathBuf {
-        let repo_path = temp_dir.path().to_path_buf();
+        let repo_path = temp_dir.path().join("repo");
+        fs::create_dir(&repo_path).expect("Failed to create repo dir");
         let envs = vec![
             ("GIT_CONFIG_GLOBAL", "/dev/null"),
             ("GIT_CONFIG_NOSYSTEM", "1"),
@@ -159,6 +524,41 @@ mod tests {
         repo_path
     }
 
+    async fn create_test_git_repo_with_remote(temp_dir: &TempDir) -> (PathBuf, String) {
+        let repo_path = create_test_git_repo(temp_dir).await;
+        let remote_path = temp_dir.path().join("remote.git");
+
+        Command::new("git")
+            .args(["init", "--bare", remote_path.to_str().unwrap()])
+            .output()
+            .await
+            .expect("Failed to init bare remote");
+
+        Command::new("git")
+            .args(["remote", "add", "origin", remote_path.to_str().unwrap()])
+            .current_dir(&repo_path)
+            .output()
+            .await
+            .expect("Failed to add remote");
+
+        let output = Command::new("git")
+            .args(["rev-parse", "--abbrev-ref", "HEAD"])
+            .current_dir(&repo_path)
+            .output()
+            .await
+            .expect("Failed to get branch");
+        let branch = String::from_utf8(output.stdout).unwrap().trim().to_string();
+
+        Command::new("git")
+            .args(["push", "-u", "origin", &branch])
+            .current_dir(&repo_path)
+            .output()
+            .await
+            .expect("Failed to push initial commit");
+
+        (repo_path, branch)
+    }
+
     #[tokio::test]
     async fn test_collect_git_info_non_git_directory() {
         let temp_dir = TempDir::new().expect("Failed to create temp dir");
@@ -272,6 +672,210 @@ mod tests {
         assert_eq!(git_info.branch, Some("feature-branch".to_string()));
     }
 
+    #[tokio::test]
+    async fn test_get_git_working_tree_state_clean_repo() {
+        let temp_dir = TempDir::new().expect("Failed to create temp dir");
+        let (repo_path, branch) = create_test_git_repo_with_remote(&temp_dir).await;
+
+        let remote_sha = Command::new("git")
+            .args(["rev-parse", &format!("origin/{branch}")])
+            .current_dir(&repo_path)
+            .output()
+            .await
+            .expect("Failed to rev-parse remote");
+        let remote_sha = String::from_utf8(remote_sha.stdout)
+            .unwrap()
+            .trim()
+            .to_string();
+
+        let state = git_diff_to_remote(&repo_path)
+            .await
+            .expect("Should collect working tree state");
+        assert_eq!(state.sha, GitSha::new(&remote_sha));
+        assert!(state.diff.is_empty());
+    }
+
+    #[tokio::test]
+    async fn test_get_git_working_tree_state_with_changes() {
+        let temp_dir = TempDir::new().expect("Failed to create temp dir");
+        let (repo_path, branch) = create_test_git_repo_with_remote(&temp_dir).await;
+
+        let tracked = repo_path.join("test.txt");
+        fs::write(&tracked, "modified").unwrap();
+        fs::write(repo_path.join("untracked.txt"), "new").unwrap();
+
+        let remote_sha = Command::new("git")
+            .args(["rev-parse", &format!("origin/{branch}")])
+            .current_dir(&repo_path)
+            .output()
+            .await
+            .expect("Failed to rev-parse remote");
+        let remote_sha = String::from_utf8(remote_sha.stdout)
+            .unwrap()
+            .trim()
+            .to_string();
+
+        let state = git_diff_to_remote(&repo_path)
+            .await
+            .expect("Should collect working tree state");
+        assert_eq!(state.sha, GitSha::new(&remote_sha));
+        assert!(state.diff.contains("test.txt"));
+        assert!(state.diff.contains("untracked.txt"));
+    }
+
+    #[tokio::test]
+    async fn test_get_git_working_tree_state_branch_fallback() {
+        let temp_dir = TempDir::new().expect("Failed to create temp dir");
+        let (repo_path, _branch) = create_test_git_repo_with_remote(&temp_dir).await;
+
+        Command::new("git")
+            .args(["checkout", "-b", "feature"])
+            .current_dir(&repo_path)
+            .output()
+            .await
+            .expect("Failed to create feature branch");
+        Command::new("git")
+            .args(["push", "-u", "origin", "feature"])
+            .current_dir(&repo_path)
+            .output()
+            .await
+            .expect("Failed to push feature branch");
+
+        Command::new("git")
+            .args(["checkout", "-b", "local-branch"])
+            .current_dir(&repo_path)
+            .output()
+            .await
+            .expect("Failed to create local branch");
+
+        let remote_sha = Command::new("git")
+            .args(["rev-parse", "origin/feature"])
+            .current_dir(&repo_path)
+            .output()
+            .await
+            .expect("Failed to rev-parse remote");
+        let remote_sha = String::from_utf8(remote_sha.stdout)
+            .unwrap()
+            .trim()
+            .to_string();
+
+        let state = git_diff_to_remote(&repo_path)
+            .await
+            .expect("Should collect working tree state");
+        assert_eq!(state.sha, GitSha::new(&remote_sha));
+    }
+
+    #[test]
+    fn resolve_root_git_project_for_trust_returns_none_outside_repo() {
+        let tmp = TempDir::new().expect("tempdir");
+        assert!(resolve_root_git_project_for_trust(tmp.path()).is_none());
+    }
+
+    #[tokio::test]
+    async fn resolve_root_git_project_for_trust_regular_repo_returns_repo_root() {
+        let temp_dir = TempDir::new().expect("Failed to create temp dir");
+        let repo_path = create_test_git_repo(&temp_dir).await;
+        let expected = std::fs::canonicalize(&repo_path).unwrap().to_path_buf();
+
+        assert_eq!(
+            resolve_root_git_project_for_trust(&repo_path),
+            Some(expected.clone())
+        );
+        let nested = repo_path.join("sub/dir");
+        std::fs::create_dir_all(&nested).unwrap();
+        assert_eq!(
+            resolve_root_git_project_for_trust(&nested),
+            Some(expected.clone())
+        );
+    }
+
+    #[tokio::test]
+    async fn resolve_root_git_project_for_trust_detects_worktree_and_returns_main_root() {
+        let temp_dir = TempDir::new().expect("Failed to create temp dir");
+        let repo_path = create_test_git_repo(&temp_dir).await;
+
+        // Create a linked worktree
+        let wt_root = temp_dir.path().join("wt");
+        let _ = std::process::Command::new("git")
+            .args([
+                "worktree",
+                "add",
+                wt_root.to_str().unwrap(),
+                "-b",
+                "feature/x",
+            ])
+            .current_dir(&repo_path)
+            .output()
+            .expect("git worktree add");
+
+        let expected = std::fs::canonicalize(&repo_path).ok();
+        let got = resolve_root_git_project_for_trust(&wt_root)
+            .and_then(|p| std::fs::canonicalize(p).ok());
+        assert_eq!(got, expected);
+        let nested = wt_root.join("nested/sub");
+        std::fs::create_dir_all(&nested).unwrap();
+        let got_nested =
+            resolve_root_git_project_for_trust(&nested).and_then(|p| std::fs::canonicalize(p).ok());
+        assert_eq!(got_nested, expected);
+    }
+
+    #[test]
+    fn resolve_root_git_project_for_trust_non_worktrees_gitdir_returns_none() {
+        let tmp = TempDir::new().expect("tempdir");
+        let proj = tmp.path().join("proj");
+        std::fs::create_dir_all(proj.join("nested")).unwrap();
+
+        // `.git` is a file but does not point to a worktrees path
+        std::fs::write(
+            proj.join(".git"),
+            format!(
+                "gitdir: {}\n",
+                tmp.path().join("some/other/location").display()
+            ),
+        )
+        .unwrap();
+
+        assert!(resolve_root_git_project_for_trust(&proj).is_none());
+        assert!(resolve_root_git_project_for_trust(&proj.join("nested")).is_none());
+    }
+
+    #[tokio::test]
+    async fn test_get_git_working_tree_state_unpushed_commit() {
+        let temp_dir = TempDir::new().expect("Failed to create temp dir");
+        let (repo_path, branch) = create_test_git_repo_with_remote(&temp_dir).await;
+
+        let remote_sha = Command::new("git")
+            .args(["rev-parse", &format!("origin/{branch}")])
+            .current_dir(&repo_path)
+            .output()
+            .await
+            .expect("Failed to rev-parse remote");
+        let remote_sha = String::from_utf8(remote_sha.stdout)
+            .unwrap()
+            .trim()
+            .to_string();
+
+        fs::write(repo_path.join("test.txt"), "updated").unwrap();
+        Command::new("git")
+            .args(["add", "test.txt"])
+            .current_dir(&repo_path)
+            .output()
+            .await
+            .expect("Failed to add file");
+        Command::new("git")
+            .args(["commit", "-m", "local change"])
+            .current_dir(&repo_path)
+            .output()
+            .await
+            .expect("Failed to commit");
+
+        let state = git_diff_to_remote(&repo_path)
+            .await
+            .expect("Should collect working tree state");
+        assert_eq!(state.sha, GitSha::new(&remote_sha));
+        assert!(state.diff.contains("updated"));
+    }
+
     #[test]
     fn test_git_info_serialization() {
         let git_info = GitInfo {

codex-rs/core/src/lib.rs

@@ -39,16 +39,17 @@ mod conversation_manager;
 pub use conversation_manager::ConversationManager;
 pub use conversation_manager::NewConversation;
 pub mod model_family;
-mod models;
 mod openai_model_info;
 mod openai_tools;
 pub mod plan_tool;
-mod project_doc;
+pub mod project_doc;
 mod rollout;
 pub(crate) mod safety;
 pub mod seatbelt;
 pub mod shell;
 pub mod spawn;
+pub mod terminal;
+mod tool_apply_patch;
 pub mod turn_diff_tracker;
 pub mod user_agent;
 mod user_notification;
@@ -61,3 +62,4 @@ pub use codex_protocol::protocol;
 // Re-export protocol config enums to ensure call sites can use the same types
 // as those in the protocol crate when constructing protocol messages.
 pub use codex_protocol::config_types as protocol_config_types;
+pub mod subagents;

codex-rs/core/src/mcp_tool_call.rs

@@ -4,13 +4,13 @@ use std::time::Instant;
 use tracing::error;
 
 use crate::codex::Session;
-use crate::models::FunctionCallOutputPayload;
-use crate::models::ResponseInputItem;
 use crate::protocol::Event;
 use crate::protocol::EventMsg;
 use crate::protocol::McpInvocation;
 use crate::protocol::McpToolCallBeginEvent;
 use crate::protocol::McpToolCallEndEvent;
+use codex_protocol::models::FunctionCallOutputPayload;
+use codex_protocol::models::ResponseInputItem;
 
 /// Handles the specified tool call dispatches the appropriate
 /// `McpToolCallBegin` and `McpToolCallEnd` events to the `Session`.

codex-rs/core/src/model_family.rs

@@ -1,3 +1,5 @@
+use crate::tool_apply_patch::ApplyPatchToolType;
+
 /// A model family is a group of models that share certain characteristics.
 #[derive(Debug, Clone, PartialEq, Eq, Hash)]
 pub struct ModelFamily {
@@ -24,9 +26,9 @@ pub struct ModelFamily {
     // See https://platform.openai.com/docs/guides/tools-local-shell
     pub uses_local_shell_tool: bool,
 
-    /// True if the model performs better when `apply_patch` is provided as
-    /// a tool call instead of just a bash command.
-    pub uses_apply_patch_tool: bool,
+    /// Present if the model performs better when `apply_patch` is provided as
+    /// a tool call instead of just a bash command
+    pub apply_patch_tool_type: Option<ApplyPatchToolType>,
 }
 
 macro_rules! model_family {
@@ -40,7 +42,7 @@ macro_rules! model_family {
             needs_special_apply_patch_instructions: false,
             supports_reasoning_summaries: false,
             uses_local_shell_tool: false,
-            uses_apply_patch_tool: false,
+            apply_patch_tool_type: None,
         };
         // apply overrides
         $(
@@ -60,7 +62,7 @@ macro_rules! simple_model_family {
             needs_special_apply_patch_instructions: false,
             supports_reasoning_summaries: false,
             uses_local_shell_tool: false,
-            uses_apply_patch_tool: false,
+            apply_patch_tool_type: None,
         })
     }};
 }
@@ -88,6 +90,7 @@ pub fn find_family_for_model(slug: &str) -> Option<ModelFamily> {
         model_family!(
             slug, slug,
             supports_reasoning_summaries: true,
+            apply_patch_tool_type: Some(ApplyPatchToolType::Freeform),
         )
     } else if slug.starts_with("gpt-4.1") {
         model_family!(
@@ -95,7 +98,7 @@ pub fn find_family_for_model(slug: &str) -> Option<ModelFamily> {
             needs_special_apply_patch_instructions: true,
         )
     } else if slug.starts_with("gpt-oss") {
-        model_family!(slug, "gpt-oss", uses_apply_patch_tool: true)
+        model_family!(slug, "gpt-oss", apply_patch_tool_type: Some(ApplyPatchToolType::Function))
     } else if slug.starts_with("gpt-4o") {
         simple_model_family!(slug, "gpt-4o")
     } else if slug.starts_with("gpt-3.5") {
@@ -104,6 +107,7 @@ pub fn find_family_for_model(slug: &str) -> Option<ModelFamily> {
         model_family!(
             slug, "gpt-5",
             supports_reasoning_summaries: true,
+            apply_patch_tool_type: Some(ApplyPatchToolType::Freeform),
         )
     } else {
         None

codex-rs/core/src/openai_tools.rs

@@ -9,6 +9,9 @@ use crate::model_family::ModelFamily;
 use crate::plan_tool::PLAN_TOOL;
 use crate::protocol::AskForApproval;
 use crate::protocol::SandboxPolicy;
+use crate::tool_apply_patch::ApplyPatchToolType;
+use crate::tool_apply_patch::create_apply_patch_freeform_tool;
+use crate::tool_apply_patch::create_apply_patch_json_tool;
 
 #[derive(Debug, Clone, Serialize, PartialEq)]
 pub struct ResponsesApiTool {
@@ -21,6 +24,20 @@ pub struct ResponsesApiTool {
     pub(crate) parameters: JsonSchema,
 }
 
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+pub struct FreeformTool {
+    pub(crate) name: String,
+    pub(crate) description: String,
+    pub(crate) format: FreeformToolFormat,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+pub struct FreeformToolFormat {
+    pub(crate) r#type: String,
+    pub(crate) syntax: String,
+    pub(crate) definition: String,
+}
+
 /// When serialized as JSON, this produces a valid "Tool" in the OpenAI
 /// Responses API.
 #[derive(Debug, Clone, Serialize, PartialEq)]
@@ -30,6 +47,8 @@ pub(crate) enum OpenAiTool {
     Function(ResponsesApiTool),
     #[serde(rename = "local_shell")]
     LocalShell {},
+    #[serde(rename = "custom")]
+    Freeform(FreeformTool),
 }
 
 #[derive(Debug, Clone)]
@@ -37,14 +56,14 @@ pub enum ConfigShellToolType {
     DefaultShell,
     ShellWithRequest { sandbox_policy: SandboxPolicy },
     LocalShell,
-    NoBuiltInShellTool,
 }
 
 #[derive(Debug, Clone)]
 pub struct ToolsConfig {
     pub shell_type: ConfigShellToolType,
     pub plan_tool: bool,
-    pub apply_patch_tool: bool,
+    pub apply_patch_tool_type: Option<ApplyPatchToolType>,
+    pub subagent_tool: bool,
 }
 
 impl ToolsConfig {
@@ -54,11 +73,9 @@ impl ToolsConfig {
         sandbox_policy: SandboxPolicy,
         include_plan_tool: bool,
         include_apply_patch_tool: bool,
-        experimental_disable_built_in_shell_tool: bool,
+        include_subagent_tool: bool,
     ) -> Self {
-        let mut shell_type = if experimental_disable_built_in_shell_tool {
-            ConfigShellToolType::NoBuiltInShellTool
-        } else if model_family.uses_local_shell_tool {
+        let mut shell_type = if model_family.uses_local_shell_tool {
             ConfigShellToolType::LocalShell
         } else {
             ConfigShellToolType::DefaultShell
@@ -69,10 +86,23 @@ impl ToolsConfig {
             }
         }
 
+        let apply_patch_tool_type = match model_family.apply_patch_tool_type {
+            Some(ApplyPatchToolType::Freeform) => Some(ApplyPatchToolType::Freeform),
+            Some(ApplyPatchToolType::Function) => Some(ApplyPatchToolType::Function),
+            None => {
+                if include_apply_patch_tool {
+                    Some(ApplyPatchToolType::Freeform)
+                } else {
+                    None
+                }
+            }
+        };
+
         Self {
             shell_type,
             plan_tool: include_plan_tool,
-            apply_patch_tool: include_apply_patch_tool || model_family.uses_apply_patch_tool,
+            apply_patch_tool_type,
+            subagent_tool: include_subagent_tool,
         }
     }
 }
@@ -119,16 +149,20 @@ fn create_shell_tool() -> OpenAiTool {
         "command".to_string(),
         JsonSchema::Array {
             items: Box::new(JsonSchema::String { description: None }),
-            description: None,
+            description: Some("The command to execute".to_string()),
         },
     );
     properties.insert(
         "workdir".to_string(),
-        JsonSchema::String { description: None },
+        JsonSchema::String {
+            description: Some("The working directory to execute the command in".to_string()),
+        },
     );
     properties.insert(
-        "timeout".to_string(),
-        JsonSchema::Number { description: None },
+        "timeout_ms".to_string(),
+        JsonSchema::Number {
+            description: Some("The timeout for the command in milliseconds".to_string()),
+        },
     );
 
     OpenAiTool::Function(ResponsesApiTool {
@@ -159,7 +193,7 @@ fn create_shell_tool_for_sandbox(sandbox_policy: &SandboxPolicy) -> OpenAiTool {
         },
     );
     properties.insert(
-        "timeout".to_string(),
+        "timeout_ms".to_string(),
         JsonSchema::Number {
             description: Some("The timeout for the command in milliseconds".to_string()),
         },
@@ -175,7 +209,7 @@ fn create_shell_tool_for_sandbox(sandbox_policy: &SandboxPolicy) -> OpenAiTool {
         properties.insert(
         "justification".to_string(),
         JsonSchema::String {
-            description: Some("Only set if ask_for_escalated_permissions is true. 1-sentence explanation of why we want to run this command.".to_string()),
+            description: Some("Only set if with_escalated_permissions is true. 1-sentence explanation of why we want to run this command.".to_string()),
         },
     );
     }
@@ -241,92 +275,16 @@ The shell tool is used to execute shell commands.
         },
     })
 }
-
+/// TODO(dylan): deprecate once we get rid of json tool
 #[derive(Serialize, Deserialize)]
 pub(crate) struct ApplyPatchToolArgs {
     pub(crate) input: String,
 }
 
-fn create_apply_patch_tool() -> OpenAiTool {
-    // Minimal schema: one required string argument containing the patch body
-    let mut properties = BTreeMap::new();
-    properties.insert(
-        "input".to_string(),
-        JsonSchema::String {
-            description: Some(r#"The entire contents of the apply_patch command"#.to_string()),
-        },
-    );
-
-    OpenAiTool::Function(ResponsesApiTool {
-        name: "apply_patch".to_string(),
-        description: r#"Use this tool to edit files.
-Your patch language is a stripped‑down, file‑oriented diff format designed to be easy to parse and safe to apply. You can think of it as a high‑level envelope:
-
-**_ Begin Patch
-[ one or more file sections ]
-_** End Patch
-
-Within that envelope, you get a sequence of file operations.
-You MUST include a header to specify the action you are taking.
-Each operation starts with one of three headers:
-
-**_ Add File: <path> - create a new file. Every following line is a + line (the initial contents).
-_** Delete File: <path> - remove an existing file. Nothing follows.
-\*\*\* Update File: <path> - patch an existing file in place (optionally with a rename).
-
-May be immediately followed by \*\*\* Move to: <new path> if you want to rename the file.
-Then one or more “hunks”, each introduced by @@ (optionally followed by a hunk header).
-Within a hunk each line starts with:
-
-- for inserted text,
-
-* for removed text, or
-  space ( ) for context.
-  At the end of a truncated hunk you can emit \*\*\* End of File.
-
-Patch := Begin { FileOp } End
-Begin := "**_ Begin Patch" NEWLINE
-End := "_** End Patch" NEWLINE
-FileOp := AddFile | DeleteFile | UpdateFile
-AddFile := "**_ Add File: " path NEWLINE { "+" line NEWLINE }
-DeleteFile := "_** Delete File: " path NEWLINE
-UpdateFile := "**_ Update File: " path NEWLINE [ MoveTo ] { Hunk }
-MoveTo := "_** Move to: " newPath NEWLINE
-Hunk := "@@" [ header ] NEWLINE { HunkLine } [ "*** End of File" NEWLINE ]
-HunkLine := (" " | "-" | "+") text NEWLINE
-
-A full patch can combine several operations:
-
-**_ Begin Patch
-_** Add File: hello.txt
-+Hello world
-**_ Update File: src/app.py
-_** Move to: src/main.py
-@@ def greet():
--print("Hi")
-+print("Hello, world!")
-**_ Delete File: obsolete.txt
-_** End Patch
-
-It is important to remember:
-
-- You must include a header with your intended action (Add/Delete/Update)
-- You must prefix new lines with `+` even when creating a new file
-"#
-        .to_string(),
-        strict: false,
-        parameters: JsonSchema::Object {
-            properties,
-            required: Some(vec!["input".to_string()]),
-            additional_properties: Some(false),
-        },
-    })
-}
-
 /// Returns JSON values that are compatible with Function Calling in the
 /// Responses API:
 /// https://platform.openai.com/docs/guides/function-calling?api-mode=responses
-pub(crate) fn create_tools_json_for_responses_api(
+pub fn create_tools_json_for_responses_api(
     tools: &Vec<OpenAiTool>,
 ) -> crate::error::Result<Vec<serde_json::Value>> {
     let mut tools_json = Vec::new();
@@ -537,17 +495,27 @@ pub(crate) fn get_openai_tools(
         ConfigShellToolType::LocalShell => {
             tools.push(OpenAiTool::LocalShell {});
         }
-        ConfigShellToolType::NoBuiltInShellTool => {
-            // Do not add a shell tool
-        }
     }
 
     if config.plan_tool {
         tools.push(PLAN_TOOL.clone());
     }
 
-    if config.apply_patch_tool {
-        tools.push(create_apply_patch_tool());
+    if let Some(apply_patch_tool_type) = &config.apply_patch_tool_type {
+        match apply_patch_tool_type {
+            ApplyPatchToolType::Freeform => {
+                tools.push(create_apply_patch_freeform_tool());
+            }
+            ApplyPatchToolType::Function => {
+                tools.push(create_apply_patch_json_tool());
+            }
+        }
+    }
+
+    if config.subagent_tool {
+        tracing::trace!("Adding subagent tool");
+        tools.push(crate::subagents::SUBAGENT_TOOL.clone());
+        tools.push(crate::subagents::SUBAGENT_LIST_TOOL.clone());
     }
 
     if let Some(mcp_tools) = mcp_tools {
@@ -561,6 +529,7 @@ pub(crate) fn get_openai_tools(
         }
     }
 
+    tracing::trace!("Tools: {tools:?}");
     tools
 }
 
@@ -578,6 +547,7 @@ mod tests {
             .map(|tool| match tool {
                 OpenAiTool::Function(ResponsesApiTool { name, .. }) => name,
                 OpenAiTool::LocalShell {} => "local_shell",
+                OpenAiTool::Freeform(FreeformTool { name, .. }) => name,
             })
             .collect::<Vec<_>>();
 
@@ -603,8 +573,8 @@ mod tests {
             AskForApproval::Never,
             SandboxPolicy::ReadOnly,
             true,
-            model_family.uses_apply_patch_tool,
-            /*experimental_disable_built_in_shell_tool*/ false,
+            false,
+            false,
         );
         let tools = get_openai_tools(&config, Some(HashMap::new()));
 
@@ -619,8 +589,8 @@ mod tests {
             AskForApproval::Never,
             SandboxPolicy::ReadOnly,
             true,
-            model_family.uses_apply_patch_tool,
-            /*experimental_disable_built_in_shell_tool*/ false,
+            false,
+            false,
         );
         let tools = get_openai_tools(&config, Some(HashMap::new()));
 
@@ -635,8 +605,8 @@ mod tests {
             AskForApproval::Never,
             SandboxPolicy::ReadOnly,
             false,
-            model_family.uses_apply_patch_tool,
-            /*experimental_disable_built_in_shell_tool*/ false,
+            false,
+            false,
         );
         let tools = get_openai_tools(
             &config,
@@ -730,8 +700,8 @@ mod tests {
             AskForApproval::Never,
             SandboxPolicy::ReadOnly,
             false,
-            model_family.uses_apply_patch_tool,
-            /*experimental_disable_built_in_shell_tool*/ false,
+            false,
+            false,
         );
 
         let tools = get_openai_tools(
@@ -787,8 +757,8 @@ mod tests {
             AskForApproval::Never,
             SandboxPolicy::ReadOnly,
             false,
-            model_family.uses_apply_patch_tool,
-            /*experimental_disable_built_in_shell_tool*/ false,
+            false,
+            false,
         );
 
         let tools = get_openai_tools(
@@ -839,8 +809,8 @@ mod tests {
             AskForApproval::Never,
             SandboxPolicy::ReadOnly,
             false,
-            model_family.uses_apply_patch_tool,
-            /*experimental_disable_built_in_shell_tool*/ false,
+            false,
+            false,
         );
 
         let tools = get_openai_tools(
@@ -894,8 +864,8 @@ mod tests {
             AskForApproval::Never,
             SandboxPolicy::ReadOnly,
             false,
-            model_family.uses_apply_patch_tool,
-            /*experimental_disable_built_in_shell_tool*/ false,
+            false,
+            false,
         );
 
         let tools = get_openai_tools(

codex-rs/core/src/plan_tool.rs

@@ -2,13 +2,13 @@ use std::collections::BTreeMap;
 use std::sync::LazyLock;
 
 use crate::codex::Session;
-use crate::models::FunctionCallOutputPayload;
-use crate::models::ResponseInputItem;
 use crate::openai_tools::JsonSchema;
 use crate::openai_tools::OpenAiTool;
 use crate::openai_tools::ResponsesApiTool;
 use crate::protocol::Event;
 use crate::protocol::EventMsg;
+use codex_protocol::models::FunctionCallOutputPayload;
+use codex_protocol::models::ResponseInputItem;
 
 // Use the canonical plan tool types from the protocol crate to ensure
 // type-identity matches events transported via `codex_protocol`.

codex-rs/core/src/project_doc.rs

@@ -1,18 +1,19 @@
 //! Project-level documentation discovery.
 //!
-//! Project-level documentation can be stored in a file named `AGENTS.md`.
-//! Currently, we include only the contents of the first file found as follows:
+//! Project-level documentation can be stored in files named `AGENTS.md`.
+//! We include the concatenation of all files found along the path from the
+//! repository root to the current working directory as follows:
 //!
-//! 1.  Look for the doc file in the current working directory (as determined
-//!     by the `Config`).
-//! 2.  If not found, walk *upwards* until the Git repository root is reached
-//!     (detected by the presence of a `.git` directory/file), or failing that,
-//!     the filesystem root.
-//! 3.  If the Git root is encountered, look for the doc file there. If it
-//!     exists, the search stops – we do **not** walk past the Git root.
+//! 1.  Determine the Git repository root by walking upwards from the current
+//!     working directory until a `.git` directory or file is found. If no Git
+//!     root is found, only the current working directory is considered.
+//! 2.  Collect every `AGENTS.md` found from the repository root down to the
+//!     current working directory (inclusive) and concatenate their contents in
+//!     that order.
+//! 3.  We do **not** walk past the Git root.
 
 use crate::config::Config;
-use std::path::Path;
+use std::path::PathBuf;
 use tokio::io::AsyncReadExt;
 use tracing::error;
 
@@ -26,7 +27,7 @@ const PROJECT_DOC_SEPARATOR: &str = "\n\n--- project-doc ---\n\n";
 /// Combines `Config::instructions` and `AGENTS.md` (if present) into a single
 /// string of instructions.
 pub(crate) async fn get_user_instructions(config: &Config) -> Option<String> {
-    match find_project_doc(config).await {
+    match read_project_docs(config).await {
         Ok(Some(project_doc)) => match &config.user_instructions {
             Some(original_instructions) => Some(format!(
                 "{original_instructions}{PROJECT_DOC_SEPARATOR}{project_doc}"
@@ -41,95 +42,135 @@ pub(crate) async fn get_user_instructions(config: &Config) -> Option<String> {
     }
 }
 
-/// Attempt to locate and load the project documentation. Currently, the search
-/// starts from `Config::cwd`, but if we may want to consider other directories
-/// in the future, e.g., additional writable directories in the `SandboxPolicy`.
+/// Attempt to locate and load the project documentation.
 ///
-/// On success returns `Ok(Some(contents))`. If no documentation file is found
-/// the function returns `Ok(None)`. Unexpected I/O failures bubble up as
-/// `Err` so callers can decide how to handle them.
-async fn find_project_doc(config: &Config) -> std::io::Result<Option<String>> {
-    let max_bytes = config.project_doc_max_bytes;
+/// On success returns `Ok(Some(contents))` where `contents` is the
+/// concatenation of all discovered docs. If no documentation file is found the
+/// function returns `Ok(None)`. Unexpected I/O failures bubble up as `Err` so
+/// callers can decide how to handle them.
+pub async fn read_project_docs(config: &Config) -> std::io::Result<Option<String>> {
+    let max_total = config.project_doc_max_bytes;
 
-    // Attempt to load from the working directory first.
-    if let Some(doc) = load_first_candidate(&config.cwd, CANDIDATE_FILENAMES, max_bytes).await? {
-        return Ok(Some(doc));
+    if max_total == 0 {
+        return Ok(None);
     }
 
-    // Walk up towards the filesystem root, stopping once we encounter the Git
-    // repository root. The presence of **either** a `.git` *file* or
-    // *directory* counts.
-    let mut dir = config.cwd.clone();
+    let paths = discover_project_doc_paths(config)?;
+    if paths.is_empty() {
+        return Ok(None);
+    }
 
-    // Canonicalize the path so that we do not end up in an infinite loop when
-    // `cwd` contains `..` components.
+    let mut remaining: u64 = max_total as u64;
+    let mut parts: Vec<String> = Vec::new();
+
+    for p in paths {
+        if remaining == 0 {
+            break;
+        }
+
+        let file = match tokio::fs::File::open(&p).await {
+            Ok(f) => f,
+            Err(e) if e.kind() == std::io::ErrorKind::NotFound => continue,
+            Err(e) => return Err(e),
+        };
+
+        let size = file.metadata().await?.len();
+        let mut reader = tokio::io::BufReader::new(file).take(remaining);
+        let mut data: Vec<u8> = Vec::new();
+        reader.read_to_end(&mut data).await?;
+
+        if size > remaining {
+            tracing::warn!(
+                "Project doc `{}` exceeds remaining budget ({} bytes) - truncating.",
+                p.display(),
+                remaining,
+            );
+        }
+
+        let text = String::from_utf8_lossy(&data).to_string();
+        if !text.trim().is_empty() {
+            parts.push(text);
+            remaining = remaining.saturating_sub(data.len() as u64);
+        }
+    }
+
+    if parts.is_empty() {
+        Ok(None)
+    } else {
+        Ok(Some(parts.join("\n\n")))
+    }
+}
+
+/// Discover the list of AGENTS.md files using the same search rules as
+/// `read_project_docs`, but return the file paths instead of concatenated
+/// contents. The list is ordered from repository root to the current working
+/// directory (inclusive). Symlinks are allowed. When `project_doc_max_bytes`
+/// is zero, returns an empty list.
+pub fn discover_project_doc_paths(config: &Config) -> std::io::Result<Vec<PathBuf>> {
+    let mut dir = config.cwd.clone();
     if let Ok(canon) = dir.canonicalize() {
         dir = canon;
     }
 
-    while let Some(parent) = dir.parent() {
-        // `.git` can be a *file* (for worktrees or submodules) or a *dir*.
-        let git_marker = dir.join(".git");
-        let git_exists = match tokio::fs::metadata(&git_marker).await {
+    // Build chain from cwd upwards and detect git root.
+    let mut chain: Vec<PathBuf> = vec![dir.clone()];
+    let mut git_root: Option<PathBuf> = None;
+    let mut cursor = dir.clone();
+    while let Some(parent) = cursor.parent() {
+        let git_marker = cursor.join(".git");
+        let git_exists = match std::fs::metadata(&git_marker) {
             Ok(_) => true,
             Err(e) if e.kind() == std::io::ErrorKind::NotFound => false,
             Err(e) => return Err(e),
         };
 
         if git_exists {
-            // We are at the repo root – attempt one final load.
-            if let Some(doc) = load_first_candidate(&dir, CANDIDATE_FILENAMES, max_bytes).await? {
-                return Ok(Some(doc));
-            }
+            git_root = Some(cursor.clone());
             break;
         }
 
-        dir = parent.to_path_buf();
+        chain.push(parent.to_path_buf());
+        cursor = parent.to_path_buf();
     }
 
-    Ok(None)
-}
-
-/// Attempt to load the first candidate file found in `dir`. Returns the file
-/// contents (truncated if it exceeds `max_bytes`) when successful.
-async fn load_first_candidate(
-    dir: &Path,
-    names: &[&str],
-    max_bytes: usize,
-) -> std::io::Result<Option<String>> {
-    for name in names {
-        let candidate = dir.join(name);
-
-        let file = match tokio::fs::File::open(&candidate).await {
-            Err(e) if e.kind() == std::io::ErrorKind::NotFound => continue,
-            Err(e) => return Err(e),
-            Ok(f) => f,
-        };
-
-        let size = file.metadata().await?.len();
-
-        let reader = tokio::io::BufReader::new(file);
-        let mut data = Vec::with_capacity(std::cmp::min(size as usize, max_bytes));
-        let mut limited = reader.take(max_bytes as u64);
-        limited.read_to_end(&mut data).await?;
-
-        if size as usize > max_bytes {
-            tracing::warn!(
-                "Project doc `{}` exceeds {max_bytes} bytes - truncating.",
-                candidate.display(),
-            );
+    let search_dirs: Vec<PathBuf> = if let Some(root) = git_root {
+        let mut dirs: Vec<PathBuf> = Vec::new();
+        let mut saw_root = false;
+        for p in chain.iter().rev() {
+            if !saw_root {
+                if p == &root {
+                    saw_root = true;
+                } else {
+                    continue;
+                }
+            }
+            dirs.push(p.clone());
         }
+        dirs
+    } else {
+        vec![config.cwd.clone()]
+    };
 
-        let contents = String::from_utf8_lossy(&data).to_string();
-        if contents.trim().is_empty() {
-            // Empty file – treat as not found.
-            continue;
+    let mut found: Vec<PathBuf> = Vec::new();
+    for d in search_dirs {
+        for name in CANDIDATE_FILENAMES {
+            let candidate = d.join(name);
+            match std::fs::symlink_metadata(&candidate) {
+                Ok(md) => {
+                    let ft = md.file_type();
+                    // Allow regular files and symlinks; opening will later fail for dangling links.
+                    if ft.is_file() || ft.is_symlink() {
+                        found.push(candidate);
+                        break;
+                    }
+                }
+                Err(e) if e.kind() == std::io::ErrorKind::NotFound => continue,
+                Err(e) => return Err(e),
+            }
         }
-
-        return Ok(Some(contents));
     }
 
-    Ok(None)
+    Ok(found)
 }
 
 #[cfg(test)]
@@ -278,4 +319,32 @@ mod tests {
 
         assert_eq!(res, Some(INSTRUCTIONS.to_string()));
     }
+
+    /// When both the repository root and the working directory contain
+    /// AGENTS.md files, their contents are concatenated from root to cwd.
+    #[tokio::test]
+    async fn concatenates_root_and_cwd_docs() {
+        let repo = tempfile::tempdir().expect("tempdir");
+
+        // Simulate a git repository.
+        std::fs::write(
+            repo.path().join(".git"),
+            "gitdir: /path/to/actual/git/dir\n",
+        )
+        .unwrap();
+
+        // Repo root doc.
+        fs::write(repo.path().join("AGENTS.md"), "root doc").unwrap();
+
+        // Nested working directory with its own doc.
+        let nested = repo.path().join("workspace/crate_a");
+        std::fs::create_dir_all(&nested).unwrap();
+        fs::write(nested.join("AGENTS.md"), "crate doc").unwrap();
+
+        let mut cfg = make_config(&repo, 4096, None);
+        cfg.cwd = nested;
+
+        let res = get_user_instructions(&cfg).await.expect("doc expected");
+        assert_eq!(res, "root doc\n\ncrate doc");
+    }
 }

codex-rs/core/src/rollout.rs

@@ -22,7 +22,7 @@ use uuid::Uuid;
 use crate::config::Config;
 use crate::git_info::GitInfo;
 use crate::git_info::collect_git_info;
-use crate::models::ResponseItem;
+use codex_protocol::models::ResponseItem;
 
 const SESSIONS_SUBDIR: &str = "sessions";
 
@@ -132,6 +132,8 @@ impl RolloutRecorder {
                 | ResponseItem::LocalShellCall { .. }
                 | ResponseItem::FunctionCall { .. }
                 | ResponseItem::FunctionCallOutput { .. }
+                | ResponseItem::CustomToolCall { .. }
+                | ResponseItem::CustomToolCallOutput { .. }
                 | ResponseItem::Reasoning { .. } => filtered.push(item.clone()),
                 ResponseItem::Other => {
                     // These should never be serialized.
@@ -194,6 +196,8 @@ impl RolloutRecorder {
                     | ResponseItem::LocalShellCall { .. }
                     | ResponseItem::FunctionCall { .. }
                     | ResponseItem::FunctionCallOutput { .. }
+                    | ResponseItem::CustomToolCall { .. }
+                    | ResponseItem::CustomToolCallOutput { .. }
                     | ResponseItem::Reasoning { .. } => items.push(item),
                     ResponseItem::Other => {}
                 },
@@ -317,6 +321,8 @@ async fn rollout_writer(
                         | ResponseItem::LocalShellCall { .. }
                         | ResponseItem::FunctionCall { .. }
                         | ResponseItem::FunctionCallOutput { .. }
+                        | ResponseItem::CustomToolCall { .. }
+                        | ResponseItem::CustomToolCallOutput { .. }
                         | ResponseItem::Reasoning { .. } => {
                             writer.write_line(&item).await?;
                         }

codex-rs/core/src/shell.rs

@@ -1,14 +1,24 @@
+use serde::Deserialize;
+use serde::Serialize;
 use shlex;
+use std::path::PathBuf;
 
-#[derive(Debug, PartialEq, Eq)]
+#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize)]
 pub struct ZshShell {
     shell_path: String,
     zshrc_path: String,
 }
 
-#[derive(Debug, PartialEq, Eq)]
+#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize)]
+pub struct PowerShellConfig {
+    exe: String, // Executable name or path, e.g. "pwsh" or "powershell.exe".
+    bash_exe_fallback: Option<PathBuf>, // In case the model generates a bash command.
+}
+
+#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize)]
 pub enum Shell {
     Zsh(ZshShell),
+    PowerShell(PowerShellConfig),
     Unknown,
 }
 
@@ -33,6 +43,61 @@ impl Shell {
                 }
                 Some(result)
             }
+            Shell::PowerShell(ps) => {
+                // If model generated a bash command, prefer a detected bash fallback
+                if let Some(script) = strip_bash_lc(&command) {
+                    return match &ps.bash_exe_fallback {
+                        Some(bash) => Some(vec![
+                            bash.to_string_lossy().to_string(),
+                            "-lc".to_string(),
+                            script,
+                        ]),
+
+                        // No bash fallback → run the script under PowerShell.
+                        // It will likely fail (except for some simple commands), but the error
+                        // should give a clue to the model to fix upon retry that it's running under PowerShell.
+                        None => Some(vec![
+                            ps.exe.clone(),
+                            "-NoProfile".to_string(),
+                            "-Command".to_string(),
+                            script,
+                        ]),
+                    };
+                }
+
+                // Not a bash command. If model did not generate a PowerShell command,
+                // turn it into a PowerShell command.
+                let first = command.first().map(String::as_str);
+                if first != Some(ps.exe.as_str()) {
+                    // TODO (CODEX_2900): Handle escaping newlines.
+                    if command.iter().any(|a| a.contains('\n') || a.contains('\r')) {
+                        return Some(command);
+                    }
+
+                    let joined = shlex::try_join(command.iter().map(|s| s.as_str())).ok();
+                    return joined.map(|arg| {
+                        vec![
+                            ps.exe.clone(),
+                            "-NoProfile".to_string(),
+                            "-Command".to_string(),
+                            arg,
+                        ]
+                    });
+                }
+
+                // Model generated a PowerShell command. Run it.
+                Some(command)
+            }
+            Shell::Unknown => None,
+        }
+    }
+
+    pub fn name(&self) -> Option<String> {
+        match self {
+            Shell::Zsh(zsh) => std::path::Path::new(&zsh.shell_path)
+                .file_name()
+                .map(|s| s.to_string_lossy().to_string()),
+            Shell::PowerShell(ps) => Some(ps.exe.clone()),
             Shell::Unknown => None,
         }
     }
@@ -86,11 +151,51 @@ pub async fn default_user_shell() -> Shell {
     }
 }
 
-#[cfg(not(target_os = "macos"))]
+#[cfg(all(not(target_os = "macos"), not(target_os = "windows")))]
 pub async fn default_user_shell() -> Shell {
     Shell::Unknown
 }
 
+#[cfg(target_os = "windows")]
+pub async fn default_user_shell() -> Shell {
+    use tokio::process::Command;
+
+    // Prefer PowerShell 7+ (`pwsh`) if available, otherwise fall back to Windows PowerShell.
+    let has_pwsh = Command::new("pwsh")
+        .arg("-NoLogo")
+        .arg("-NoProfile")
+        .arg("-Command")
+        .arg("$PSVersionTable.PSVersion.Major")
+        .output()
+        .await
+        .map(|o| o.status.success())
+        .unwrap_or(false);
+    let bash_exe = if Command::new("bash.exe")
+        .arg("--version")
+        .output()
+        .await
+        .ok()
+        .map(|o| o.status.success())
+        .unwrap_or(false)
+    {
+        which::which("bash.exe").ok()
+    } else {
+        None
+    };
+
+    if has_pwsh {
+        Shell::PowerShell(PowerShellConfig {
+            exe: "pwsh.exe".to_string(),
+            bash_exe_fallback: bash_exe,
+        })
+    } else {
+        Shell::PowerShell(PowerShellConfig {
+            exe: "powershell.exe".to_string(),
+            bash_exe_fallback: bash_exe,
+        })
+    }
+}
+
 #[cfg(test)]
 #[cfg(target_os = "macos")]
 mod tests {
@@ -231,3 +336,97 @@ mod tests {
         }
     }
 }
+
+#[cfg(test)]
+#[cfg(target_os = "windows")]
+mod tests_windows {
+    use super::*;
+
+    #[test]
+    fn test_format_default_shell_invocation_powershell() {
+        let cases = vec![
+            (
+                Shell::PowerShell(PowerShellConfig {
+                    exe: "pwsh.exe".to_string(),
+                    bash_exe_fallback: None,
+                }),
+                vec!["bash", "-lc", "echo hello"],
+                vec!["pwsh.exe", "-NoProfile", "-Command", "echo hello"],
+            ),
+            (
+                Shell::PowerShell(PowerShellConfig {
+                    exe: "powershell.exe".to_string(),
+                    bash_exe_fallback: None,
+                }),
+                vec!["bash", "-lc", "echo hello"],
+                vec!["powershell.exe", "-NoProfile", "-Command", "echo hello"],
+            ),
+            (
+                Shell::PowerShell(PowerShellConfig {
+                    exe: "pwsh.exe".to_string(),
+                    bash_exe_fallback: Some(PathBuf::from("bash.exe")),
+                }),
+                vec!["bash", "-lc", "echo hello"],
+                vec!["bash.exe", "-lc", "echo hello"],
+            ),
+            (
+                Shell::PowerShell(PowerShellConfig {
+                    exe: "pwsh.exe".to_string(),
+                    bash_exe_fallback: Some(PathBuf::from("bash.exe")),
+                }),
+                vec![
+                    "bash",
+                    "-lc",
+                    "apply_patch <<'EOF'\n*** Begin Patch\n*** Update File: destination_file.txt\n-original content\n+modified content\n*** End Patch\nEOF",
+                ],
+                vec![
+                    "bash.exe",
+                    "-lc",
+                    "apply_patch <<'EOF'\n*** Begin Patch\n*** Update File: destination_file.txt\n-original content\n+modified content\n*** End Patch\nEOF",
+                ],
+            ),
+            (
+                Shell::PowerShell(PowerShellConfig {
+                    exe: "pwsh.exe".to_string(),
+                    bash_exe_fallback: Some(PathBuf::from("bash.exe")),
+                }),
+                vec!["echo", "hello"],
+                vec!["pwsh.exe", "-NoProfile", "-Command", "echo hello"],
+            ),
+            (
+                Shell::PowerShell(PowerShellConfig {
+                    exe: "pwsh.exe".to_string(),
+                    bash_exe_fallback: Some(PathBuf::from("bash.exe")),
+                }),
+                vec!["pwsh.exe", "-NoProfile", "-Command", "echo hello"],
+                vec!["pwsh.exe", "-NoProfile", "-Command", "echo hello"],
+            ),
+            (
+                // TODO (CODEX_2900): Handle escaping newlines for powershell invocation.
+                Shell::PowerShell(PowerShellConfig {
+                    exe: "powershell.exe".to_string(),
+                    bash_exe_fallback: Some(PathBuf::from("bash.exe")),
+                }),
+                vec![
+                    "codex-mcp-server.exe",
+                    "--codex-run-as-apply-patch",
+                    "*** Begin Patch\n*** Update File: C:\\Users\\person\\destination_file.txt\n-original content\n+modified content\n*** End Patch",
+                ],
+                vec![
+                    "codex-mcp-server.exe",
+                    "--codex-run-as-apply-patch",
+                    "*** Begin Patch\n*** Update File: C:\\Users\\person\\destination_file.txt\n-original content\n+modified content\n*** End Patch",
+                ],
+            ),
+        ];
+
+        for (shell, input, expected_cmd) in cases {
+            let actual_cmd = shell
+                .format_default_shell_invocation(input.iter().map(|s| s.to_string()).collect());
+            assert_eq!(
+                actual_cmd,
+                Some(expected_cmd.iter().map(|s| s.to_string()).collect())
+            );
+        }
+    }
+}

codex-rs/core/src/subagents/definition.rs

@@ -0,0 +1,32 @@
+use serde::Deserialize;
+use std::fs;
+use std::path::Path;
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct SubagentDefinition {
+    pub name: String,
+    pub description: String,
+    /// Base instructions for this subagent.
+    pub instructions: String,
+    /// When not set, inherits the parent agent's tool set. When set to an
+    /// empty list, no tools are available to the subagent.
+    #[serde(default)]
+    pub tools: Option<Vec<String>>, // None => inherit; Some(vec) => allow-list
+}
+
+impl SubagentDefinition {
+    pub fn from_json_str(s: &str) -> Result<Self, serde_json::Error> {
+        serde_json::from_str::<Self>(s)
+    }
+
+    pub fn from_file(path: &Path) -> std::io::Result<Self> {
+        let contents = fs::read_to_string(path)?;
+        // Surface JSON parsing error with file context
+        serde_json::from_str::<Self>(&contents).map_err(|e| {
+            std::io::Error::new(
+                std::io::ErrorKind::InvalidData,
+                format!("invalid subagent JSON at {}: {e}", path.display()),
+            )
+        })
+    }
+}

codex-rs/core/src/subagents/mod.rs

@@ -0,0 +1,6 @@
+pub mod definition;
+pub mod registry;
+pub mod runner;
+pub mod tool;
+
+pub(crate) use tool::{SUBAGENT_LIST_TOOL, SUBAGENT_TOOL};

codex-rs/core/src/subagents/registry.rs

@@ -0,0 +1,92 @@
+use super::definition::SubagentDefinition;
+use std::collections::HashMap;
+use std::fs;
+use std::path::Path;
+use std::path::PathBuf;
+
+#[derive(Debug, Default, Clone)]
+pub struct SubagentRegistry {
+    /// Directory under the project (cwd/.codex/agents).
+    project_dir: Option<PathBuf>,
+    /// Directory under CODEX_HOME (~/.codex/agents).
+    user_dir: Option<PathBuf>,
+    /// Merged map: project definitions override user ones.
+    map: HashMap<String, SubagentDefinition>,
+}
+
+impl SubagentRegistry {
+    pub fn new(project_dir: Option<PathBuf>, user_dir: Option<PathBuf>) -> Self {
+        Self {
+            project_dir,
+            user_dir,
+            map: HashMap::new(),
+        }
+    }
+
+    /// Loads JSON files from user_dir then project_dir (project wins on conflict).
+    pub fn load(&mut self) {
+        let mut map: HashMap<String, SubagentDefinition> = HashMap::new();
+
+        // Load user definitions first
+        if let Some(dir) = &self.user_dir {
+            Self::load_from_dir_into(dir, &mut map);
+        }
+        // Then load project definitions which override on conflicts
+        if let Some(dir) = &self.project_dir {
+            Self::load_from_dir_into(dir, &mut map);
+        }
+
+        // Ensure a simple built‑in test subagent exists to validate wiring end‑to‑end.
+        // Users can override this by providing their own definition named "hello".
+        if !map.contains_key("hello") {
+            map.insert(
+                "hello".to_string(),
+                SubagentDefinition {
+                    name: "hello".to_string(),
+                    description: "Built‑in test subagent that replies with a greeting".to_string(),
+                    // Keep instructions narrow so models reliably output the intended text.
+                    instructions:
+                        "Reply with exactly this text and nothing else: Hello from subagent"
+                            .to_string(),
+                    // Disallow tool usage for the hello subagent.
+                    tools: Some(Vec::new()),
+                },
+            );
+        }
+
+        self.map = map;
+    }
+
+    pub fn get(&self, name: &str) -> Option<&SubagentDefinition> {
+        self.map.get(name)
+    }
+
+    pub fn all_names(&self) -> Vec<String> {
+        self.map.keys().cloned().collect()
+    }
+
+    fn load_from_dir_into(dir: &Path, out: &mut HashMap<String, SubagentDefinition>) {
+        let Ok(iter) = fs::read_dir(dir) else {
+            return;
+        };
+        for entry in iter.flatten() {
+            let path = entry.path();
+            if path.is_file()
+                && path
+                    .extension()
+                    .and_then(|e| e.to_str())
+                    .map(|e| e.eq_ignore_ascii_case("json"))
+                    .unwrap_or(false)
+            {
+                match SubagentDefinition::from_file(&path) {
+                    Ok(def) => {
+                        out.insert(def.name.clone(), def);
+                    }
+                    Err(e) => {
+                        tracing::warn!("Failed to load subagent from {}: {}", path.display(), e);
+                    }
+                }
+            }
+        }
+    }
+}

codex-rs/core/src/subagents/runner.rs

@@ -0,0 +1,142 @@
+use crate::codex::Codex;
+use crate::error::Result as CodexResult;
+
+use super::definition::SubagentDefinition;
+use super::registry::SubagentRegistry;
+
+/// Arguments expected for the `subagent.run` tool.
+#[derive(serde::Deserialize)]
+pub struct RunSubagentArgs {
+    pub name: String,
+    pub input: String,
+    #[serde(default)]
+    pub context: Option<String>,
+}
+
+/// Run a subagent in a nested Codex session and return the final message.
+pub(crate) async fn run(
+    sess: &crate::codex::Session,
+    turn_context: &crate::codex::TurnContext,
+    registry: &SubagentRegistry,
+    args: RunSubagentArgs,
+    _parent_sub_id: &str,
+) -> CodexResult<String> {
+    let def: &SubagentDefinition = registry.get(&args.name).ok_or_else(|| {
+        crate::error::CodexErr::Stream(format!("unknown subagent: {}", args.name), None)
+    })?;
+
+    let mut nested_cfg = (*sess.base_config()).clone();
+    nested_cfg.base_instructions = Some(def.instructions.clone());
+    nested_cfg.user_instructions = None;
+    nested_cfg.approval_policy = turn_context.approval_policy;
+    nested_cfg.sandbox_policy = turn_context.sandbox_policy.clone();
+    nested_cfg.cwd = turn_context.cwd.clone();
+    nested_cfg.include_subagent_tool = false;
+
+    let nested = Codex::spawn(nested_cfg, sess.auth_manager(), None).await?;
+    let nested_codex = nested.codex;
+
+    let subagent_id = uuid::Uuid::new_v4().to_string();
+    forward_begin(sess, _parent_sub_id, &subagent_id, &def.name).await;
+
+    let text = match args.context {
+        Some(ctx) if !ctx.trim().is_empty() => format!("{ctx}\n\n{input}", input = args.input),
+        _ => args.input,
+    };
+
+    nested_codex
+        .submit(crate::protocol::Op::UserInput {
+            items: vec![crate::protocol::InputItem::Text { text }],
+        })
+        .await
+        .map_err(|e| {
+            crate::error::CodexErr::Stream(format!("failed to submit to subagent: {e}"), None)
+        })?;
+
+    let mut last_message: Option<String> = None;
+    loop {
+        let ev = nested_codex.next_event().await?;
+        match ev.msg.clone() {
+            crate::protocol::EventMsg::AgentMessage(m) => {
+                last_message = Some(m.message);
+            }
+            crate::protocol::EventMsg::TaskComplete(t) => {
+                let _ = nested_codex.submit(crate::protocol::Op::Shutdown).await;
+                forward_forwarded(sess, _parent_sub_id, &subagent_id, &def.name, ev.msg).await;
+                forward_end(
+                    sess,
+                    _parent_sub_id,
+                    &subagent_id,
+                    &def.name,
+                    true,
+                    t.last_agent_message.clone(),
+                )
+                .await;
+                return Ok(t
+                    .last_agent_message
+                    .unwrap_or_else(|| last_message.unwrap_or_default()));
+            }
+            _ => {}
+        }
+        forward_forwarded(sess, _parent_sub_id, &subagent_id, &def.name, ev.msg).await;
+    }
+}
+
+async fn forward_begin(
+    sess: &crate::codex::Session,
+    parent_sub_id: &str,
+    subagent_id: &str,
+    name: &str,
+) {
+    sess
+        .send_event(crate::protocol::Event {
+            id: parent_sub_id.to_string(),
+            msg: crate::protocol::EventMsg::SubagentBegin(crate::protocol::SubagentBeginEvent {
+                subagent_id: subagent_id.to_string(),
+                name: name.to_string(),
+            }),
+        })
+        .await;
+}
+
+async fn forward_forwarded(
+    sess: &crate::codex::Session,
+    parent_sub_id: &str,
+    subagent_id: &str,
+    name: &str,
+    msg: crate::protocol::EventMsg,
+) {
+    sess
+        .send_event(crate::protocol::Event {
+            id: parent_sub_id.to_string(),
+            msg: crate::protocol::EventMsg::SubagentForwarded(
+                crate::protocol::SubagentForwardedEvent {
+                    subagent_id: subagent_id.to_string(),
+                    name: name.to_string(),
+                    event: Box::new(msg),
+                },
+            ),
+        })
+        .await;
+}
+
+async fn forward_end(
+    sess: &crate::codex::Session,
+    parent_sub_id: &str,
+    subagent_id: &str,
+    name: &str,
+    success: bool,
+    last_agent_message: Option<String>,
+) {
+    sess
+        .send_event(crate::protocol::Event {
+            id: parent_sub_id.to_string(),
+            msg: crate::protocol::EventMsg::SubagentEnd(crate::protocol::SubagentEndEvent {
+                subagent_id: subagent_id.to_string(),
+                name: name.to_string(),
+                success,
+                last_agent_message,
+            }),
+        })
+        .await;
+}

codex-rs/core/src/subagents/tool.rs

@@ -0,0 +1,54 @@
+use std::collections::BTreeMap;
+use std::sync::LazyLock;
+
+use crate::openai_tools::JsonSchema;
+use crate::openai_tools::OpenAiTool;
+use crate::openai_tools::ResponsesApiTool;
+
+pub(crate) static SUBAGENT_TOOL: LazyLock<OpenAiTool> = LazyLock::new(|| {
+    let mut properties = BTreeMap::new();
+    properties.insert(
+        "name".to_string(),
+        JsonSchema::String {
+            description: Some("Registered subagent name".to_string()),
+        },
+    );
+    properties.insert(
+        "input".to_string(),
+        JsonSchema::String {
+            description: Some("Task or instruction for the subagent".to_string()),
+        },
+    );
+    properties.insert(
+        "context".to_string(),
+        JsonSchema::String {
+            description: Some("Optional extra context to aid the task".to_string()),
+        },
+    );
+
+    OpenAiTool::Function(ResponsesApiTool {
+        name: "subagent_run".to_string(),
+        description: "Invoke a named subagent with isolated context and return its result"
+            .to_string(),
+        strict: false,
+        parameters: JsonSchema::Object {
+            properties,
+            required: Some(vec!["name".to_string(), "input".to_string()]),
+            additional_properties: Some(false),
+        },
+    })
+});
+
+pub(crate) static SUBAGENT_LIST_TOOL: LazyLock<OpenAiTool> = LazyLock::new(|| {
+    let properties = BTreeMap::new();
+    OpenAiTool::Function(ResponsesApiTool {
+        name: "subagent_list".to_string(),
+        description: "List available subagents (name and description). Call before subagent_run if unsure.".to_string(),
+        strict: false,
+        parameters: JsonSchema::Object {
+            properties,
+            required: None,
+            additional_properties: Some(false),
+        },
+    })
+});

codex-rs/core/src/terminal.rs

@@ -0,0 +1,72 @@
+use std::sync::OnceLock;
+
+static TERMINAL: OnceLock<String> = OnceLock::new();
+
+pub fn user_agent() -> String {
+    TERMINAL.get_or_init(detect_terminal).to_string()
+}
+
+/// Sanitize a header value to be used in a User-Agent string.
+///
+/// This function replaces any characters that are not allowed in a User-Agent string with an underscore.
+///
+/// # Arguments
+///
+/// * `value` - The value to sanitize.
+fn is_valid_header_value_char(c: char) -> bool {
+    c.is_ascii_alphanumeric() || c == '-' || c == '_' || c == '.' || c == '/'
+}
+
+fn sanitize_header_value(value: String) -> String {
+    value.replace(|c| !is_valid_header_value_char(c), "_")
+}
+
+fn detect_terminal() -> String {
+    sanitize_header_value(
+        if let Ok(tp) = std::env::var("TERM_PROGRAM")
+            && !tp.trim().is_empty()
+        {
+            let ver = std::env::var("TERM_PROGRAM_VERSION").ok();
+            match ver {
+                Some(v) if !v.trim().is_empty() => format!("{tp}/{v}"),
+                _ => tp,
+            }
+        } else if let Ok(v) = std::env::var("WEZTERM_VERSION") {
+            if !v.trim().is_empty() {
+                format!("WezTerm/{v}")
+            } else {
+                "WezTerm".to_string()
+            }
+        } else if std::env::var("KITTY_WINDOW_ID").is_ok()
+            || std::env::var("TERM")
+                .map(|t| t.contains("kitty"))
+                .unwrap_or(false)
+        {
+            "kitty".to_string()
+        } else if std::env::var("ALACRITTY_SOCKET").is_ok()
+            || std::env::var("TERM")
+                .map(|t| t == "alacritty")
+                .unwrap_or(false)
+        {
+            "Alacritty".to_string()
+        } else if let Ok(v) = std::env::var("KONSOLE_VERSION") {
+            if !v.trim().is_empty() {
+                format!("Konsole/{v}")
+            } else {
+                "Konsole".to_string()
+            }
+        } else if std::env::var("GNOME_TERMINAL_SCREEN").is_ok() {
+            return "gnome-terminal".to_string();
+        } else if let Ok(v) = std::env::var("VTE_VERSION") {
+            if !v.trim().is_empty() {
+                format!("VTE/{v}")
+            } else {
+                "VTE".to_string()
+            }
+        } else if std::env::var("WT_SESSION").is_ok() {
+            return "WindowsTerminal".to_string();
+        } else {
+            std::env::var("TERM").unwrap_or_else(|_| "unknown".to_string())
+        },
+    )
+}

codex-rs/core/src/tool_apply_patch.rs

@@ -0,0 +1,145 @@
+use serde::Deserialize;
+use serde::Serialize;
+use std::collections::BTreeMap;
+
+use crate::openai_tools::FreeformTool;
+use crate::openai_tools::FreeformToolFormat;
+use crate::openai_tools::JsonSchema;
+use crate::openai_tools::OpenAiTool;
+use crate::openai_tools::ResponsesApiTool;
+
+#[derive(Serialize, Deserialize)]
+pub(crate) struct ApplyPatchToolArgs {
+    pub(crate) input: String,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, Hash)]
+#[serde(rename_all = "snake_case")]
+pub enum ApplyPatchToolType {
+    Freeform,
+    Function,
+}
+
+/// Returns a custom tool that can be used to edit files. Well-suited for GPT-5 models
+/// https://platform.openai.com/docs/guides/function-calling#custom-tools
+pub(crate) fn create_apply_patch_freeform_tool() -> OpenAiTool {
+    OpenAiTool::Freeform(FreeformTool {
+        name: "apply_patch".to_string(),
+        description: "Use the `apply_patch` tool to edit files".to_string(),
+        format: FreeformToolFormat {
+            r#type: "grammar".to_string(),
+            syntax: "lark".to_string(),
+            definition: r#"start: begin_patch hunk+ end_patch
+begin_patch: "*** Begin Patch" LF
+end_patch: "*** End Patch" LF?
+
+hunk: add_hunk | delete_hunk | update_hunk
+add_hunk: "*** Add File: " filename LF add_line+
+delete_hunk: "*** Delete File: " filename LF
+update_hunk: "*** Update File: " filename LF change_move? change?
+
+filename: /(.+)/
+add_line: "+" /(.+)/ LF -> line
+
+change_move: "*** Move to: " filename LF
+change: (change_context | change_line)+ eof_line?
+change_context: ("@@" | "@@ " /(.+)/) LF
+change_line: ("+" | "-" | " ") /(.+)/ LF
+eof_line: "*** End of File" LF
+
+%import common.LF
+"#
+            .to_string(),
+        },
+    })
+}
+
+/// Returns a json tool that can be used to edit files. Should only be used with gpt-oss models
+pub(crate) fn create_apply_patch_json_tool() -> OpenAiTool {
+    let mut properties = BTreeMap::new();
+    properties.insert(
+        "input".to_string(),
+        JsonSchema::String {
+            description: Some(r#"The entire contents of the apply_patch command"#.to_string()),
+        },
+    );
+
+    OpenAiTool::Function(ResponsesApiTool {
+        name: "apply_patch".to_string(),
+        description: r#"Use the `apply_patch` tool to edit files.
+Your patch language is a stripped‑down, file‑oriented diff format designed to be easy to parse and safe to apply. You can think of it as a high‑level envelope:
+
+*** Begin Patch
+[ one or more file sections ]
+*** End Patch
+
+Within that envelope, you get a sequence of file operations.
+You MUST include a header to specify the action you are taking.
+Each operation starts with one of three headers:
+
+*** Add File: <path> - create a new file. Every following line is a + line (the initial contents).
+*** Delete File: <path> - remove an existing file. Nothing follows.
+*** Update File: <path> - patch an existing file in place (optionally with a rename).
+
+May be immediately followed by *** Move to: <new path> if you want to rename the file.
+Then one or more “hunks”, each introduced by @@ (optionally followed by a hunk header).
+Within a hunk each line starts with:
+
+For instructions on [context_before] and [context_after]:
+- By default, show 3 lines of code immediately above and 3 lines immediately below each change. If a change is within 3 lines of a previous change, do NOT duplicate the first change’s [context_after] lines in the second change’s [context_before] lines.
+- If 3 lines of context is insufficient to uniquely identify the snippet of code within the file, use the @@ operator to indicate the class or function to which the snippet belongs. For instance, we might have:
+@@ class BaseClass
+[3 lines of pre-context]
+- [old_code]
++ [new_code]
+[3 lines of post-context]
+
+- If a code block is repeated so many times in a class or function such that even a single `@@` statement and 3 lines of context cannot uniquely identify the snippet of code, you can use multiple `@@` statements to jump to the right context. For instance:
+
+@@ class BaseClass
+@@ 	 def method():
+[3 lines of pre-context]
+- [old_code]
++ [new_code]
+[3 lines of post-context]
+
+The full grammar definition is below:
+Patch := Begin { FileOp } End
+Begin := "*** Begin Patch" NEWLINE
+End := "*** End Patch" NEWLINE
+FileOp := AddFile | DeleteFile | UpdateFile
+AddFile := "*** Add File: " path NEWLINE { "+" line NEWLINE }
+DeleteFile := "*** Delete File: " path NEWLINE
+UpdateFile := "*** Update File: " path NEWLINE [ MoveTo ] { Hunk }
+MoveTo := "*** Move to: " newPath NEWLINE
+Hunk := "@@" [ header ] NEWLINE { HunkLine } [ "*** End of File" NEWLINE ]
+HunkLine := (" " | "-" | "+") text NEWLINE
+
+A full patch can combine several operations:
+
+*** Begin Patch
+*** Add File: hello.txt
++Hello world
+*** Update File: src/app.py
+*** Move to: src/main.py
+@@ def greet():
+-print("Hi")
++print("Hello, world!")
+*** Delete File: obsolete.txt
+*** End Patch
+
+It is important to remember:
+
+- You must include a header with your intended action (Add/Delete/Update)
+- You must prefix new lines with `+` even when creating a new file
+- File references can only be relative, NEVER ABSOLUTE.
+"#
+        .to_string(),
+        strict: false,
+        parameters: JsonSchema::Object {
+            properties,
+            required: Some(vec!["input".to_string()]),
+            additional_properties: Some(false),
+        },
+    })
+}

codex-rs/core/src/user_agent.rs

@@ -4,11 +4,12 @@ pub fn get_codex_user_agent(originator: Option<&str>) -> String {
     let build_version = env!("CARGO_PKG_VERSION");
     let os_info = os_info::get();
     format!(
-        "{}/{build_version} ({} {}; {})",
+        "{}/{build_version} ({} {}; {}) {}",
         originator.unwrap_or(DEFAULT_ORIGINATOR),
         os_info.os_type(),
         os_info.version(),
         os_info.architecture().unwrap_or("unknown"),
+        crate::terminal::user_agent()
     )
 }
 
@@ -27,9 +28,10 @@ mod tests {
     fn test_macos() {
         use regex_lite::Regex;
         let user_agent = get_codex_user_agent(None);
-        let re =
-            Regex::new(r"^codex_cli_rs/\d+\.\d+\.\d+ \(Mac OS \d+\.\d+\.\d+; (x86_64|arm64)\)$")
-                .unwrap();
+        let re = Regex::new(
+            r"^codex_cli_rs/\d+\.\d+\.\d+ \(Mac OS \d+\.\d+\.\d+; (x86_64|arm64)\) (\S+)$",
+        )
+        .unwrap();
         assert!(re.is_match(&user_agent));
     }
 }

codex-rs/core/tests/client.rs

@@ -142,13 +142,14 @@ async fn includes_session_id_and_model_headers_in_request() {
     let mut config = load_default_config_for_test(&codex_home);
     config.model_provider = model_provider;
 
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager =
+        ConversationManager::with_auth(CodexAuth::from_api_key("Test API Key"));
     let NewConversation {
         conversation: codex,
         conversation_id,
         session_configured: _,
     } = conversation_manager
-        .new_conversation_with_auth(config, Some(CodexAuth::from_api_key("Test API Key")))
+        .new_conversation(config)
         .await
         .expect("create new conversation");
 
@@ -207,9 +208,10 @@ async fn includes_base_instructions_override_in_request() {
     config.base_instructions = Some("test instructions".to_string());
     config.model_provider = model_provider;
 
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager =
+        ConversationManager::with_auth(CodexAuth::from_api_key("Test API Key"));
     let codex = conversation_manager
-        .new_conversation_with_auth(config, Some(CodexAuth::from_api_key("Test API Key")))
+        .new_conversation(config)
         .await
         .expect("create new conversation")
         .conversation;
@@ -260,11 +262,12 @@ async fn originator_config_override_is_used() {
     let codex_home = TempDir::new().unwrap();
     let mut config = load_default_config_for_test(&codex_home);
     config.model_provider = model_provider;
-    config.internal_originator = Some("my_override".to_string());
+    config.responses_originator_header = "my_override".to_owned();
 
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager =
+        ConversationManager::with_auth(CodexAuth::from_api_key("Test API Key"));
     let codex = conversation_manager
-        .new_conversation_with_auth(config, Some(CodexAuth::from_api_key("Test API Key")))
+        .new_conversation(config)
         .await
         .expect("create new conversation")
         .conversation;
@@ -318,13 +321,13 @@ async fn chatgpt_auth_sends_correct_request() {
     let codex_home = TempDir::new().unwrap();
     let mut config = load_default_config_for_test(&codex_home);
     config.model_provider = model_provider;
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager = ConversationManager::with_auth(create_dummy_codex_auth());
     let NewConversation {
         conversation: codex,
         conversation_id,
         session_configured: _,
     } = conversation_manager
-        .new_conversation_with_auth(config, Some(create_dummy_codex_auth()))
+        .new_conversation(config)
         .await
         .expect("create new conversation");
 
@@ -411,7 +414,13 @@ async fn prefers_chatgpt_token_when_config_prefers_chatgpt() {
     config.model_provider = model_provider;
     config.preferred_auth_method = AuthMode::ChatGPT;
 
-    let conversation_manager = ConversationManager::default();
+    let auth_manager =
+        match CodexAuth::from_codex_home(codex_home.path(), config.preferred_auth_method) {
+            Ok(Some(auth)) => codex_login::AuthManager::from_auth_for_testing(auth),
+            Ok(None) => panic!("No CodexAuth found in codex_home"),
+            Err(e) => panic!("Failed to load CodexAuth: {}", e),
+        };
+    let conversation_manager = ConversationManager::new(auth_manager);
     let NewConversation {
         conversation: codex,
         ..
@@ -486,7 +495,13 @@ async fn prefers_apikey_when_config_prefers_apikey_even_with_chatgpt_tokens() {
     config.model_provider = model_provider;
     config.preferred_auth_method = AuthMode::ApiKey;
 
-    let conversation_manager = ConversationManager::default();
+    let auth_manager =
+        match CodexAuth::from_codex_home(codex_home.path(), config.preferred_auth_method) {
+            Ok(Some(auth)) => codex_login::AuthManager::from_auth_for_testing(auth),
+            Ok(None) => panic!("No CodexAuth found in codex_home"),
+            Err(e) => panic!("Failed to load CodexAuth: {}", e),
+        };
+    let conversation_manager = ConversationManager::new(auth_manager);
     let NewConversation {
         conversation: codex,
         ..
@@ -540,9 +555,10 @@ async fn includes_user_instructions_message_in_request() {
     config.model_provider = model_provider;
     config.user_instructions = Some("be nice".to_string());
 
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager =
+        ConversationManager::with_auth(CodexAuth::from_api_key("Test API Key"));
     let codex = conversation_manager
-        .new_conversation_with_auth(config, Some(CodexAuth::from_api_key("Test API Key")))
+        .new_conversation(config)
         .await
         .expect("create new conversation")
         .conversation;
@@ -632,9 +648,9 @@ async fn azure_overrides_assign_properties_used_for_responses_url() {
     let mut config = load_default_config_for_test(&codex_home);
     config.model_provider = provider;
 
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager = ConversationManager::with_auth(create_dummy_codex_auth());
     let codex = conversation_manager
-        .new_conversation_with_auth(config, None)
+        .new_conversation(config)
         .await
         .expect("create new conversation")
         .conversation;
@@ -708,9 +724,9 @@ async fn env_var_overrides_loaded_auth() {
     let mut config = load_default_config_for_test(&codex_home);
     config.model_provider = provider;
 
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager = ConversationManager::with_auth(create_dummy_codex_auth());
     let codex = conversation_manager
-        .new_conversation_with_auth(config, Some(create_dummy_codex_auth()))
+        .new_conversation(config)
         .await
         .expect("create new conversation")
         .conversation;

codex-rs/core/tests/compact.rs

@@ -141,9 +141,9 @@ async fn summarize_context_three_requests_and_instructions() {
     let home = TempDir::new().unwrap();
     let mut config = load_default_config_for_test(&home);
     config.model_provider = model_provider;
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager = ConversationManager::with_auth(CodexAuth::from_api_key("dummy"));
     let codex = conversation_manager
-        .new_conversation_with_auth(config, Some(CodexAuth::from_api_key("dummy")))
+        .new_conversation(config)
         .await
         .unwrap()
         .conversation;

codex-rs/core/tests/exec.rs

@@ -70,12 +70,12 @@ async fn truncates_output_lines() {
 
     let output = run_test_cmd(tmp, cmd).await.unwrap();
 
-    let expected_output = (1..=256)
+    let expected_output = (1..=300)
         .map(|i| format!("{i}\n"))
         .collect::<Vec<_>>()
         .join("");
     assert_eq!(output.stdout.text, expected_output);
-    assert_eq!(output.stdout.truncated_after_lines, Some(256));
+    assert_eq!(output.stdout.truncated_after_lines, None);
 }
 
 /// Command succeeds with exit code 0 normally
@@ -91,8 +91,8 @@ async fn truncates_output_bytes() {
 
     let output = run_test_cmd(tmp, cmd).await.unwrap();
 
-    assert_eq!(output.stdout.text.len(), 10240);
-    assert_eq!(output.stdout.truncated_after_lines, Some(10));
+    assert!(output.stdout.text.len() >= 15000);
+    assert_eq!(output.stdout.truncated_after_lines, None);
 }
 
 /// Command not found returns exit code 127, this is not considered a sandbox error

codex-rs/core/tests/exec_stream_events.rs

@@ -139,3 +139,34 @@ async fn test_exec_stderr_stream_events_echo() {
     }
     assert_eq!(String::from_utf8_lossy(&err), "oops\n");
 }
+
+#[tokio::test]
+async fn test_aggregated_output_interleaves_in_order() {
+    // Spawn a shell that alternates stdout and stderr with sleeps to enforce order.
+    let cmd = vec![
+        "/bin/sh".to_string(),
+        "-c".to_string(),
+        "printf 'O1\\n'; sleep 0.01; printf 'E1\\n' 1>&2; sleep 0.01; printf 'O2\\n'; sleep 0.01; printf 'E2\\n' 1>&2".to_string(),
+    ];
+
+    let params = ExecParams {
+        command: cmd,
+        cwd: std::env::current_dir().unwrap_or_else(|_| PathBuf::from(".")),
+        timeout_ms: Some(5_000),
+        env: HashMap::new(),
+        with_escalated_permissions: None,
+        justification: None,
+    };
+
+    let policy = SandboxPolicy::new_read_only_policy();
+
+    let result = process_exec_tool_call(params, SandboxType::None, &policy, &None, None)
+        .await
+        .expect("process_exec_tool_call");
+
+    assert_eq!(result.exit_code, 0);
+    assert_eq!(result.stdout.text, "O1\nO2\n");
+    assert_eq!(result.stderr.text, "E1\nE2\n");
+    assert_eq!(result.aggregated_output.text, "O1\nE1\nO2\nE2\n");
+    assert_eq!(result.aggregated_output.truncated_after_lines, None);
+}

codex-rs/core/tests/prompt_caching.rs

@@ -1,6 +1,9 @@
+#![allow(clippy::unwrap_used)]
+
 use codex_core::ConversationManager;
 use codex_core::ModelProviderInfo;
 use codex_core::built_in_model_providers;
+use codex_core::model_family::find_family_for_model;
 use codex_core::protocol::AskForApproval;
 use codex_core::protocol::EventMsg;
 use codex_core::protocol::InputItem;
@@ -8,6 +11,7 @@ use codex_core::protocol::Op;
 use codex_core::protocol::SandboxPolicy;
 use codex_core::protocol_config_types::ReasoningEffort;
 use codex_core::protocol_config_types::ReasoningSummary;
+use codex_core::shell::default_user_shell;
 use codex_login::CodexAuth;
 use core_test_support::load_default_config_for_test;
 use core_test_support::load_sse_fixture_with_id;
@@ -24,6 +28,185 @@ fn sse_completed(id: &str) -> String {
     load_sse_fixture_with_id("tests/fixtures/completed_template.json", id)
 }
 
+fn assert_tool_names(body: &serde_json::Value, expected_names: &[&str]) {
+    assert_eq!(
+        body["tools"]
+            .as_array()
+            .unwrap()
+            .iter()
+            .map(|t| t["name"].as_str().unwrap().to_string())
+            .collect::<Vec<_>>(),
+        expected_names
+    );
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 4)]
+async fn codex_mini_latest_tools() {
+    use pretty_assertions::assert_eq;
+
+    let server = MockServer::start().await;
+
+    let sse = sse_completed("resp");
+    let template = ResponseTemplate::new(200)
+        .insert_header("content-type", "text/event-stream")
+        .set_body_raw(sse, "text/event-stream");
+
+    // Expect two POSTs to /v1/responses
+    Mock::given(method("POST"))
+        .and(path("/v1/responses"))
+        .respond_with(template)
+        .expect(2)
+        .mount(&server)
+        .await;
+
+    let model_provider = ModelProviderInfo {
+        base_url: Some(format!("{}/v1", server.uri())),
+        ..built_in_model_providers()["openai"].clone()
+    };
+
+    let cwd = TempDir::new().unwrap();
+    let codex_home = TempDir::new().unwrap();
+    let mut config = load_default_config_for_test(&codex_home);
+    config.cwd = cwd.path().to_path_buf();
+    config.model_provider = model_provider;
+    config.user_instructions = Some("be consistent and helpful".to_string());
+
+    let conversation_manager =
+        ConversationManager::with_auth(CodexAuth::from_api_key("Test API Key"));
+    config.include_apply_patch_tool = false;
+    config.model = "codex-mini-latest".to_string();
+    config.model_family = find_family_for_model("codex-mini-latest").unwrap();
+
+    let codex = conversation_manager
+        .new_conversation(config)
+        .await
+        .expect("create new conversation")
+        .conversation;
+
+    codex
+        .submit(Op::UserInput {
+            items: vec![InputItem::Text {
+                text: "hello 1".into(),
+            }],
+        })
+        .await
+        .unwrap();
+    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
+
+    codex
+        .submit(Op::UserInput {
+            items: vec![InputItem::Text {
+                text: "hello 2".into(),
+            }],
+        })
+        .await
+        .unwrap();
+    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
+
+    let requests = server.received_requests().await.unwrap();
+    assert_eq!(requests.len(), 2, "expected two POST requests");
+
+    let expected_instructions = [
+        include_str!("../prompt.md"),
+        include_str!("../../apply-patch/apply_patch_tool_instructions.md"),
+    ]
+    .join("\n");
+
+    let body0 = requests[0].body_json::<serde_json::Value>().unwrap();
+    assert_eq!(
+        body0["instructions"],
+        serde_json::json!(expected_instructions),
+    );
+    let body1 = requests[1].body_json::<serde_json::Value>().unwrap();
+    assert_eq!(
+        body1["instructions"],
+        serde_json::json!(expected_instructions),
+    );
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 4)]
+async fn prompt_tools_are_consistent_across_requests() {
+    use pretty_assertions::assert_eq;
+
+    let server = MockServer::start().await;
+
+    let sse = sse_completed("resp");
+    let template = ResponseTemplate::new(200)
+        .insert_header("content-type", "text/event-stream")
+        .set_body_raw(sse, "text/event-stream");
+
+    // Expect two POSTs to /v1/responses
+    Mock::given(method("POST"))
+        .and(path("/v1/responses"))
+        .respond_with(template)
+        .expect(2)
+        .mount(&server)
+        .await;
+
+    let model_provider = ModelProviderInfo {
+        base_url: Some(format!("{}/v1", server.uri())),
+        ..built_in_model_providers()["openai"].clone()
+    };
+
+    let cwd = TempDir::new().unwrap();
+    let codex_home = TempDir::new().unwrap();
+    let mut config = load_default_config_for_test(&codex_home);
+    config.cwd = cwd.path().to_path_buf();
+    config.model_provider = model_provider;
+    config.user_instructions = Some("be consistent and helpful".to_string());
+    config.include_apply_patch_tool = true;
+    config.include_plan_tool = true;
+
+    let conversation_manager =
+        ConversationManager::with_auth(CodexAuth::from_api_key("Test API Key"));
+    let codex = conversation_manager
+        .new_conversation(config)
+        .await
+        .expect("create new conversation")
+        .conversation;
+
+    codex
+        .submit(Op::UserInput {
+            items: vec![InputItem::Text {
+                text: "hello 1".into(),
+            }],
+        })
+        .await
+        .unwrap();
+    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
+
+    codex
+        .submit(Op::UserInput {
+            items: vec![InputItem::Text {
+                text: "hello 2".into(),
+            }],
+        })
+        .await
+        .unwrap();
+    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
+
+    let requests = server.received_requests().await.unwrap();
+    assert_eq!(requests.len(), 2, "expected two POST requests");
+
+    let expected_instructions: &str = include_str!("../prompt.md");
+    // our internal implementation is responsible for keeping tools in sync
+    // with the OpenAI schema, so we just verify the tool presence here
+    let expected_tools_names: &[&str] = &["shell", "update_plan", "apply_patch"];
+    let body0 = requests[0].body_json::<serde_json::Value>().unwrap();
+    assert_eq!(
+        body0["instructions"],
+        serde_json::json!(expected_instructions),
+    );
+    assert_tool_names(&body0, expected_tools_names);
+
+    let body1 = requests[1].body_json::<serde_json::Value>().unwrap();
+    assert_eq!(
+        body1["instructions"],
+        serde_json::json!(expected_instructions),
+    );
+    assert_tool_names(&body1, expected_tools_names);
+}
+
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn prefixes_context_and_instructions_once_and_consistently_across_requests() {
     use pretty_assertions::assert_eq;
@@ -55,9 +238,10 @@ async fn prefixes_context_and_instructions_once_and_consistently_across_requests
     config.model_provider = model_provider;
     config.user_instructions = Some("be consistent and helpful".to_string());
 
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager =
+        ConversationManager::with_auth(CodexAuth::from_api_key("Test API Key"));
     let codex = conversation_manager
-        .new_conversation_with_auth(config, Some(CodexAuth::from_api_key("Test API Key")))
+        .new_conversation(config)
         .await
         .expect("create new conversation")
         .conversation;
@@ -85,9 +269,20 @@ async fn prefixes_context_and_instructions_once_and_consistently_across_requests
     let requests = server.received_requests().await.unwrap();
     assert_eq!(requests.len(), 2, "expected two POST requests");
 
+    let shell = default_user_shell().await;
+
     let expected_env_text = format!(
-        "<environment_context>\nCurrent working directory: {}\nApproval policy: on-request\nSandbox mode: read-only\nNetwork access: restricted\n</environment_context>",
-        cwd.path().to_string_lossy()
+        r#"<environment_context>
+  <cwd>{}</cwd>
+  <approval_policy>on-request</approval_policy>
+  <sandbox_mode>read-only</sandbox_mode>
+  <network_access>restricted</network_access>
+{}</environment_context>"#,
+        cwd.path().to_string_lossy(),
+        match shell.name() {
+            Some(name) => format!("  <shell>{}</shell>\n", name),
+            None => String::new(),
+        }
     );
     let expected_ui_text =
         "<user_instructions>\n\nbe consistent and helpful\n\n</user_instructions>";
@@ -165,9 +360,10 @@ async fn overrides_turn_context_but_keeps_cached_prefix_and_key_constant() {
     config.model_provider = model_provider;
     config.user_instructions = Some("be consistent and helpful".to_string());
 
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager =
+        ConversationManager::with_auth(CodexAuth::from_api_key("Test API Key"));
     let codex = conversation_manager
-        .new_conversation_with_auth(config, Some(CodexAuth::from_api_key("Test API Key")))
+        .new_conversation(config)
         .await
         .expect("create new conversation")
         .conversation;
@@ -183,12 +379,10 @@ async fn overrides_turn_context_but_keeps_cached_prefix_and_key_constant() {
         .unwrap();
     wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
 
-    // Change everything about the turn context.
-    let new_cwd = TempDir::new().unwrap();
     let writable = TempDir::new().unwrap();
     codex
         .submit(Op::OverrideTurnContext {
-            cwd: Some(new_cwd.path().to_path_buf()),
+            cwd: None,
             approval_policy: Some(AskForApproval::Never),
             sandbox_policy: Some(SandboxPolicy::WorkspaceWrite {
                 writable_roots: vec![writable.path().to_path_buf()],
@@ -220,7 +414,6 @@ async fn overrides_turn_context_but_keeps_cached_prefix_and_key_constant() {
 
     let body1 = requests[0].body_json::<serde_json::Value>().unwrap();
     let body2 = requests[1].body_json::<serde_json::Value>().unwrap();
-
     // prompt_cache_key should remain constant across overrides
     assert_eq!(
         body1["prompt_cache_key"], body2["prompt_cache_key"],
@@ -236,11 +429,13 @@ async fn overrides_turn_context_but_keeps_cached_prefix_and_key_constant() {
         "content": [ { "type": "input_text", "text": "hello 2" } ]
     });
     // After overriding the turn context, the environment context should be emitted again
-    // reflecting the new cwd, approval policy and sandbox settings.
-    let expected_env_text_2 = format!(
-        "<environment_context>\nCurrent working directory: {}\nApproval policy: never\nSandbox mode: workspace-write\nNetwork access: enabled\n</environment_context>",
-        new_cwd.path().to_string_lossy()
-    );
+    // reflecting the new approval policy and sandbox settings. Omit cwd because it did
+    // not change.
+    let expected_env_text_2 = r#"<environment_context>
+  <approval_policy>never</approval_policy>
+  <sandbox_mode>workspace-write</sandbox_mode>
+  <network_access>enabled</network_access>
+</environment_context>"#;
     let expected_env_msg_2 = serde_json::json!({
         "type": "message",
         "id": serde_json::Value::Null,
@@ -288,9 +483,10 @@ async fn per_turn_overrides_keep_cached_prefix_and_key_constant() {
     config.model_provider = model_provider;
     config.user_instructions = Some("be consistent and helpful".to_string());
 
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager =
+        ConversationManager::with_auth(CodexAuth::from_api_key("Test API Key"));
     let codex = conversation_manager
-        .new_conversation_with_auth(config, Some(CodexAuth::from_api_key("Test API Key")))
+        .new_conversation(config)
         .await
         .expect("create new conversation")
         .conversation;

codex-rs/core/tests/stream_error_allows_next_turn.rs

@@ -88,9 +88,10 @@ async fn continue_after_stream_error() {
     config.base_instructions = Some("You are a helpful assistant".to_string());
     config.model_provider = provider;
 
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager =
+        ConversationManager::with_auth(CodexAuth::from_api_key("Test API Key"));
     let codex = conversation_manager
-        .new_conversation_with_auth(config, Some(CodexAuth::from_api_key("Test API Key")))
+        .new_conversation(config)
         .await
         .unwrap()
         .conversation;

codex-rs/core/tests/stream_no_completed.rs

@@ -93,9 +93,10 @@ async fn retries_on_early_close() {
     let codex_home = TempDir::new().unwrap();
     let mut config = load_default_config_for_test(&codex_home);
     config.model_provider = model_provider;
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager =
+        ConversationManager::with_auth(CodexAuth::from_api_key("Test API Key"));
     let codex = conversation_manager
-        .new_conversation_with_auth(config, Some(CodexAuth::from_api_key("Test API Key")))
+        .new_conversation(config)
         .await
         .unwrap()
         .conversation;

codex-rs/exec-command-mcp/Cargo.toml

@@ -1,35 +0,0 @@
-[package]
-edition = "2024"
-name = "exec-command-mcp"
-version = { workspace = true }
-
-[[bin]]
-name = "exec-command-mcp"
-path = "src/main.rs"
-
-[lib]
-name = "exec_command_mcp"
-path = "src/lib.rs"
-
-[lints]
-workspace = true
-
-[dependencies]
-anyhow = "1"
-mcp-types = { path = "../mcp-types" }
-portable-pty = "0.9.0"
-schemars = "0.8.22"
-serde = { version = "1", features = ["derive"] }
-serde_json = "1"
-tokio = { version = "1", features = [
-    "io-std",
-    "io-util",
-    "macros",
-    "process",
-    "rt-multi-thread",
-    "time",
-    "sync",
-    "signal",
-] }
-tracing = { version = "0.1.41", features = ["log"] }
-tracing-subscriber = { version = "0.3", features = ["env-filter", "fmt"] }

codex-rs/exec-command-mcp/src/error_code.rs

@@ -1,2 +0,0 @@
-pub(crate) const INVALID_REQUEST_ERROR_CODE: i64 = -32600;
-pub(crate) const INTERNAL_ERROR_CODE: i64 = -32603;

codex-rs/exec-command-mcp/src/exec_command.rs

@@ -1,59 +0,0 @@
-use schemars::JsonSchema;
-use serde::Deserialize;
-use serde::Serialize;
-
-use crate::session_id::SessionId;
-
-#[allow(dead_code)]
-#[derive(Debug, Clone, Deserialize, JsonSchema)]
-pub(crate) struct ExecCommandParams {
-    pub(crate) cmd: String,
-
-    #[serde(default = "default_yield_time")]
-    pub(crate) yield_time_ms: u64,
-
-    #[serde(default = "max_output_tokens")]
-    pub(crate) max_output_tokens: u64,
-
-    #[serde(default = "default_shell")]
-    pub(crate) shell: String,
-
-    #[serde(default = "default_login")]
-    pub(crate) login: bool,
-}
-
-fn default_yield_time() -> u64 {
-    10_000
-}
-
-fn max_output_tokens() -> u64 {
-    10_000
-}
-
-fn default_login() -> bool {
-    true
-}
-
-fn default_shell() -> String {
-    "/bin/bash".to_string()
-}
-
-#[derive(Debug, Deserialize, Serialize, JsonSchema)]
-pub(crate) struct WriteStdinParams {
-    pub(crate) session_id: SessionId,
-    pub(crate) chars: String,
-
-    #[serde(default = "write_stdin_default_yield_time_ms")]
-    pub(crate) yield_time_ms: u64,
-
-    #[serde(default = "write_stdin_default_max_output_tokens")]
-    pub(crate) max_output_tokens: u64,
-}
-
-fn write_stdin_default_yield_time_ms() -> u64 {
-    250
-}
-
-fn write_stdin_default_max_output_tokens() -> u64 {
-    10_000
-}

codex-rs/exec-command-mcp/src/exec_command_session.rs

@@ -1,54 +0,0 @@
-use std::sync::Arc;
-
-use tokio::sync::Mutex;
-use tokio::sync::mpsc;
-
-use crate::session_id::SessionId;
-
-#[allow(dead_code)]
-#[derive(Debug)]
-pub(crate) struct ExecCommandSession {
-    pub(crate) id: SessionId,
-    /// Queue for writing bytes to the process stdin (PTY master write side).
-    writer_tx: mpsc::Sender<Vec<u8>>,
-    /// Stream of output chunks read from the PTY. Wrapped in Mutex so callers can
-    /// `await` receiving without needing `&mut self`.
-    output_rx: Arc<Mutex<mpsc::Receiver<Vec<u8>>>>,
-}
-
-#[allow(dead_code)]
-impl ExecCommandSession {
-    pub(crate) fn new(
-        id: SessionId,
-        writer_tx: mpsc::Sender<Vec<u8>>,
-        output_rx: mpsc::Receiver<Vec<u8>>,
-    ) -> Self {
-        Self {
-            id,
-            writer_tx,
-            output_rx: Arc::new(Mutex::new(output_rx)),
-        }
-    }
-
-    /// Enqueue bytes to be written to the process stdin (PTY master).
-    pub(crate) async fn write_stdin(&self, bytes: impl AsRef<[u8]>) -> anyhow::Result<()> {
-        self.writer_tx
-            .send(bytes.as_ref().to_vec())
-            .await
-            .map_err(|e| anyhow::anyhow!("failed to send to writer: {e}"))
-    }
-
-    /// Receive the next chunk of output from the process. Returns `None` when the
-    /// output stream is closed (process exited or reader finished).
-    pub(crate) async fn recv_output_chunk(&self) -> Option<Vec<u8>> {
-        self.output_rx.lock().await.recv().await
-    }
-
-    pub(crate) fn writer_sender(&self) -> mpsc::Sender<Vec<u8>> {
-        self.writer_tx.clone()
-    }
-
-    pub(crate) fn output_receiver(&self) -> Arc<Mutex<mpsc::Receiver<Vec<u8>>>> {
-        self.output_rx.clone()
-    }
-}

codex-rs/exec-command-mcp/src/lib.rs

@@ -1,118 +0,0 @@
-#![deny(clippy::print_stdout, clippy::print_stderr)]
-
-use mcp_types::JSONRPCMessage;
-use std::io::Result as IoResult;
-use tokio::io::AsyncBufReadExt;
-use tokio::io::AsyncWriteExt;
-use tokio::io::BufReader;
-use tokio::sync::mpsc;
-use tracing::debug;
-use tracing::error;
-use tracing::info;
-use tracing_subscriber::EnvFilter;
-
-use crate::message_processor::MessageProcessor;
-use crate::outgoing_message::OutgoingMessage;
-use crate::outgoing_message_sender::OutgoingMessageSender;
-
-mod error_code;
-mod exec_command;
-mod exec_command_session;
-mod message_processor;
-mod outgoing_message;
-mod outgoing_message_sender;
-mod session_id;
-mod session_manager;
-
-/// Size of the bounded channels used to communicate between tasks. The value
-/// is a balance between throughput and memory usage – 128 messages should be
-/// plenty for an interactive CLI.
-const CHANNEL_CAPACITY: usize = 128;
-
-pub async fn run_main() -> IoResult<()> {
-    // Honor `RUST_LOG`.
-    tracing_subscriber::fmt()
-        .with_writer(std::io::stderr)
-        .with_env_filter(EnvFilter::from_default_env())
-        .init();
-
-    // Set up channels.
-    let (incoming_tx, mut incoming_rx) = mpsc::channel::<JSONRPCMessage>(CHANNEL_CAPACITY);
-    let (outgoing_tx, mut outgoing_rx) = mpsc::channel::<OutgoingMessage>(CHANNEL_CAPACITY);
-
-    // Task: read from stdin, push to `incoming_tx`.
-    let stdin_reader_handle = tokio::spawn({
-        let incoming_tx = incoming_tx.clone();
-        async move {
-            let stdin = tokio::io::stdin();
-            let reader = BufReader::new(stdin);
-            let mut lines = reader.lines();
-
-            while let Some(line) = lines.next_line().await.unwrap_or_default() {
-                match serde_json::from_str::<JSONRPCMessage>(&line) {
-                    Ok(msg) => {
-                        if incoming_tx.send(msg).await.is_err() {
-                            // Receiver gone – nothing left to do.
-                            break;
-                        }
-                    }
-                    Err(e) => error!("Failed to deserialize JSONRPCMessage: {e}"),
-                }
-            }
-
-            debug!("stdin reader finished (EOF)");
-        }
-    });
-
-    // Task: process incoming messages.
-    let processor_handle = tokio::spawn({
-        let outgoing_message_sender = OutgoingMessageSender::new(outgoing_tx);
-        let mut processor = MessageProcessor::new(outgoing_message_sender);
-        async move {
-            while let Some(msg) = incoming_rx.recv().await {
-                match msg {
-                    JSONRPCMessage::Request(request) => processor.process_request(request).await,
-                    JSONRPCMessage::Response(_response) => {}
-                    JSONRPCMessage::Notification(_notification) => {}
-                    JSONRPCMessage::Error(_error) => {}
-                }
-            }
-
-            info!("processor task exited (channel closed)");
-        }
-    });
-
-    // Task: write outgoing messages to stdout.
-    let stdout_writer_handle = tokio::spawn(async move {
-        let mut stdout = tokio::io::stdout();
-        while let Some(outgoing_message) = outgoing_rx.recv().await {
-            let msg: JSONRPCMessage = outgoing_message.into();
-            match serde_json::to_string(&msg) {
-                Ok(json) => {
-                    if let Err(e) = stdout.write_all(json.as_bytes()).await {
-                        error!("Failed to write to stdout: {e}");
-                        break;
-                    }
-                    if let Err(e) = stdout.write_all(b"\n").await {
-                        error!("Failed to write newline to stdout: {e}");
-                        break;
-                    }
-                    if let Err(e) = stdout.flush().await {
-                        error!("Failed to flush stdout: {e}");
-                        break;
-                    }
-                }
-                Err(e) => error!("Failed to serialize JSONRPCMessage: {e}"),
-            }
-        }
-
-        info!("stdout writer exited (channel closed)");
-    });
-
-    // Wait for all tasks to finish.  The typical exit path is the stdin reader
-    // hitting EOF which, once it drops `incoming_tx`, propagates shutdown to
-    // the processor and then to the stdout task.
-    let _ = tokio::join!(stdin_reader_handle, processor_handle, stdout_writer_handle);
-
-    Ok(())
-}

codex-rs/exec-command-mcp/src/main.rs

@@ -1,7 +0,0 @@
-use exec_command_mcp::run_main;
-
-#[tokio::main]
-async fn main() -> anyhow::Result<()> {
-    run_main().await?;
-    Ok(())
-}

codex-rs/exec-command-mcp/src/message_processor.rs

@@ -1,289 +0,0 @@
-use std::sync::Arc;
-
-use mcp_types::CallToolRequestParams;
-use mcp_types::CallToolResult;
-use mcp_types::ClientRequest as McpClientRequest;
-use mcp_types::ContentBlock;
-use mcp_types::JSONRPCErrorError;
-use mcp_types::JSONRPCRequest;
-use mcp_types::ListToolsResult;
-use mcp_types::ModelContextProtocolRequest;
-use mcp_types::RequestId;
-use mcp_types::ServerCapabilitiesTools;
-use mcp_types::TextContent;
-use mcp_types::Tool;
-use mcp_types::ToolInputSchema;
-use schemars::r#gen::SchemaSettings;
-
-use crate::error_code::INVALID_REQUEST_ERROR_CODE;
-use crate::error_code::{self};
-use crate::exec_command::ExecCommandParams;
-use crate::exec_command::WriteStdinParams;
-use crate::outgoing_message_sender::OutgoingMessageSender;
-use crate::session_manager::SessionManager;
-
-#[derive(Debug)]
-pub(crate) struct MessageProcessor {
-    initialized: bool,
-    outgoing: Arc<OutgoingMessageSender>,
-    session_manager: Arc<SessionManager>,
-}
-
-impl MessageProcessor {
-    pub(crate) fn new(outgoing: OutgoingMessageSender) -> Self {
-        Self {
-            initialized: false,
-            outgoing: Arc::new(outgoing),
-            session_manager: Arc::new(SessionManager::default()),
-        }
-    }
-
-    pub(crate) async fn process_request(&mut self, request: JSONRPCRequest) {
-        let request_id = request.id.clone();
-        let client_request = match McpClientRequest::try_from(request) {
-            Ok(client_request) => client_request,
-            Err(e) => {
-                self.outgoing
-                    .send_error(
-                        request_id,
-                        JSONRPCErrorError {
-                            code: error_code::INVALID_REQUEST_ERROR_CODE,
-                            message: format!("Invalid request: {e}"),
-                            data: None,
-                        },
-                    )
-                    .await;
-                return;
-            }
-        };
-
-        match client_request {
-            McpClientRequest::InitializeRequest(params) => {
-                self.handle_initialize(request_id, params).await;
-            }
-            McpClientRequest::ListToolsRequest(params) => {
-                self.handle_list_tools(request_id, params).await;
-            }
-            McpClientRequest::CallToolRequest(params) => {
-                self.handle_call_tool(request_id, params).await;
-            }
-            _ => {
-                tracing::warn!("Unhandled client request: {client_request:?}");
-            }
-        }
-    }
-
-    async fn handle_initialize(
-        &mut self,
-        id: RequestId,
-        params: <mcp_types::InitializeRequest as ModelContextProtocolRequest>::Params,
-    ) {
-        tracing::info!("initialize -> params: {:?}", params);
-
-        if self.initialized {
-            // Already initialised: send JSON-RPC error response.
-            let error = JSONRPCErrorError {
-                code: INVALID_REQUEST_ERROR_CODE,
-                message: "initialize called more than once".to_string(),
-                data: None,
-            };
-            self.outgoing.send_error(id, error).await;
-            return;
-        }
-
-        self.initialized = true;
-
-        // Build a minimal InitializeResult. Fill with placeholders.
-        let result = mcp_types::InitializeResult {
-            capabilities: mcp_types::ServerCapabilities {
-                completions: None,
-                experimental: None,
-                logging: None,
-                prompts: None,
-                resources: None,
-                tools: Some(ServerCapabilitiesTools {
-                    list_changed: Some(true),
-                }),
-            },
-            instructions: None,
-            protocol_version: params.protocol_version.clone(),
-            server_info: mcp_types::Implementation {
-                name: "exec-command-mcp".to_string(),
-                version: env!("CARGO_PKG_VERSION").to_string(),
-                title: Some("Codex exec_command".to_string()),
-            },
-        };
-
-        self.send_response::<mcp_types::InitializeRequest>(id, result)
-            .await;
-    }
-
-    async fn handle_list_tools(
-        &self,
-        request_id: RequestId,
-        params: <mcp_types::ListToolsRequest as mcp_types::ModelContextProtocolRequest>::Params,
-    ) {
-        tracing::trace!("tools/list ({request_id:?}) -> {params:?}");
-
-        // Generate tool schema eagerly in a short-lived scope to avoid holding
-        // non-Send schemars generator across await.
-        let result = {
-            let generator = SchemaSettings::draft2019_09()
-                .with(|s| {
-                    s.inline_subschemas = true;
-                    s.option_add_null_type = false;
-                })
-                .into_generator();
-
-            let exec_schema = generator
-                .clone()
-                .into_root_schema_for::<ExecCommandParams>();
-            let write_schema = generator.into_root_schema_for::<WriteStdinParams>();
-
-            #[expect(clippy::expect_used)]
-            let exec_schema_json =
-                serde_json::to_value(&exec_schema).expect("exec_command schema should serialize");
-            #[expect(clippy::expect_used)]
-            let write_schema_json =
-                serde_json::to_value(&write_schema).expect("write_stdin schema should serialize");
-
-            let exec_input_schema = serde_json::from_value::<ToolInputSchema>(exec_schema_json)
-                .unwrap_or_else(|e| {
-                    panic!("failed to create Tool from schema: {e}");
-                });
-            let write_input_schema = serde_json::from_value::<ToolInputSchema>(write_schema_json)
-                .unwrap_or_else(|e| {
-                    panic!("failed to create Tool from schema: {e}");
-                });
-
-            let tools = vec![
-                Tool {
-                    name: "functions_exec_command".to_string(),
-                    title: Some("Exec Command".to_string()),
-                    description: Some("Start a PTY-backed shell command; returns early on timeout or completion.".to_string()),
-                    input_schema: exec_input_schema,
-                    output_schema: None,
-                    annotations: None,
-                },
-                Tool {
-                    name: "functions_write_stdin".to_string(),
-                    title: Some("Write Stdin".to_string()),
-                    description: Some("Write characters to a running exec session and collect output for a short window.".to_string()),
-                    input_schema: write_input_schema,
-                    output_schema: None,
-                    annotations: None,
-                },
-            ];
-
-            ListToolsResult {
-                tools,
-                next_cursor: None,
-            }
-        };
-
-        self.send_response::<mcp_types::ListToolsRequest>(request_id, result)
-            .await;
-    }
-
-    async fn handle_call_tool(
-        &self,
-        request_id: RequestId,
-        params: <mcp_types::CallToolRequest as mcp_types::ModelContextProtocolRequest>::Params,
-    ) {
-        tracing::info!("tools/call -> params: {params:?}");
-        let CallToolRequestParams { name, arguments } = params;
-
-        match name.as_str() {
-            "functions_exec_command" => match extract_exec_command_params(arguments).await {
-                Ok(params) => {
-                    tracing::info!("functions_exec_command -> params: {params:?}");
-                    let session_manager = self.session_manager.clone();
-                    let outgoing = self.outgoing.clone();
-                    tokio::spawn(async move {
-                        session_manager
-                            .handle_exec_command_request(request_id, params, outgoing)
-                            .await;
-                    });
-                }
-                Err(jsonrpc_error) => {
-                    self.outgoing.send_error(request_id, jsonrpc_error).await;
-                }
-            },
-            "functions_write_stdin" => match extract_write_stdin_params(arguments).await {
-                Ok(params) => {
-                    tracing::info!("functions_write_stdin -> params: {params:?}");
-                    let session_manager = self.session_manager.clone();
-                    let outgoing = self.outgoing.clone();
-                    tokio::spawn(async move {
-                        session_manager
-                            .handle_write_stdin_request(request_id, params, outgoing)
-                            .await;
-                    });
-                }
-                Err(jsonrpc_error) => {
-                    self.outgoing.send_error(request_id, jsonrpc_error).await;
-                }
-            },
-            _ => {
-                let result = CallToolResult {
-                    content: vec![ContentBlock::TextContent(TextContent {
-                        r#type: "text".to_string(),
-                        text: format!("Unknown tool '{name}'"),
-                        annotations: None,
-                    })],
-                    is_error: Some(true),
-                    structured_content: None,
-                };
-                self.send_response::<mcp_types::CallToolRequest>(request_id, result)
-                    .await;
-            }
-        }
-    }
-
-    async fn send_response<T>(&self, id: RequestId, result: T::Result)
-    where
-        T: ModelContextProtocolRequest,
-    {
-        self.outgoing.send_response(id, result).await;
-    }
-}
-
-async fn extract_exec_command_params(
-    args: Option<serde_json::Value>,
-) -> Result<ExecCommandParams, JSONRPCErrorError> {
-    match args {
-        Some(value) => match serde_json::from_value::<ExecCommandParams>(value) {
-            Ok(params) => Ok(params),
-            Err(e) => Err(JSONRPCErrorError {
-                code: error_code::INVALID_REQUEST_ERROR_CODE,
-                message: format!("Invalid request: {e}"),
-                data: None,
-            }),
-        },
-        None => Err(JSONRPCErrorError {
-            code: error_code::INVALID_REQUEST_ERROR_CODE,
-            message: "Missing arguments".to_string(),
-            data: None,
-        }),
-    }
-}
-
-async fn extract_write_stdin_params(
-    args: Option<serde_json::Value>,
-) -> Result<WriteStdinParams, JSONRPCErrorError> {
-    match args {
-        Some(value) => match serde_json::from_value::<WriteStdinParams>(value) {
-            Ok(params) => Ok(params),
-            Err(e) => Err(JSONRPCErrorError {
-                code: error_code::INVALID_REQUEST_ERROR_CODE,
-                message: format!("Invalid request: {e}"),
-                data: None,
-            }),
-        },
-        None => Err(JSONRPCErrorError {
-            code: error_code::INVALID_REQUEST_ERROR_CODE,
-            message: "Missing arguments".to_string(),
-            data: None,
-        }),
-    }
-}

codex-rs/exec-command-mcp/src/outgoing_message.rs

@@ -1,46 +0,0 @@
-use mcp_types::JSONRPC_VERSION;
-use mcp_types::JSONRPCError;
-use mcp_types::JSONRPCErrorError;
-use mcp_types::JSONRPCMessage;
-use mcp_types::JSONRPCResponse;
-use mcp_types::RequestId;
-use mcp_types::Result;
-use serde::Serialize;
-
-/// Outgoing message from the server to the client.
-pub(crate) enum OutgoingMessage {
-    Response(OutgoingResponse),
-    Error(OutgoingError),
-}
-
-impl From<OutgoingMessage> for JSONRPCMessage {
-    fn from(val: OutgoingMessage) -> Self {
-        use OutgoingMessage::*;
-        match val {
-            Response(OutgoingResponse { id, result }) => {
-                JSONRPCMessage::Response(JSONRPCResponse {
-                    jsonrpc: JSONRPC_VERSION.into(),
-                    id,
-                    result,
-                })
-            }
-            Error(OutgoingError { id, error }) => JSONRPCMessage::Error(JSONRPCError {
-                jsonrpc: JSONRPC_VERSION.into(),
-                id,
-                error,
-            }),
-        }
-    }
-}
-
-#[derive(Debug, Clone, PartialEq, Serialize)]
-pub(crate) struct OutgoingResponse {
-    pub id: RequestId,
-    pub result: Result,
-}
-
-#[derive(Debug, Clone, PartialEq, Serialize)]
-pub(crate) struct OutgoingError {
-    pub error: JSONRPCErrorError,
-    pub id: RequestId,
-}

codex-rs/exec-command-mcp/src/outgoing_message_sender.rs

@@ -1,47 +0,0 @@
-use mcp_types::JSONRPCErrorError;
-use mcp_types::RequestId;
-use serde::Serialize;
-use tokio::sync::mpsc;
-
-use crate::outgoing_message::OutgoingError;
-use crate::outgoing_message::OutgoingMessage;
-use crate::outgoing_message::OutgoingResponse;
-
-use crate::error_code::INTERNAL_ERROR_CODE;
-
-/// Sends messages to the client and manages request callbacks.
-#[derive(Debug)]
-pub(crate) struct OutgoingMessageSender {
-    sender: mpsc::Sender<OutgoingMessage>,
-}
-
-impl OutgoingMessageSender {
-    pub(crate) fn new(sender: mpsc::Sender<OutgoingMessage>) -> Self {
-        Self { sender }
-    }
-
-    pub(crate) async fn send_response<T: Serialize>(&self, id: RequestId, response: T) {
-        match serde_json::to_value(response) {
-            Ok(result) => {
-                let outgoing_message = OutgoingMessage::Response(OutgoingResponse { id, result });
-                let _ = self.sender.send(outgoing_message).await;
-            }
-            Err(err) => {
-                self.send_error(
-                    id,
-                    JSONRPCErrorError {
-                        code: INTERNAL_ERROR_CODE,
-                        message: format!("failed to serialize response: {err}"),
-                        data: None,
-                    },
-                )
-                .await;
-            }
-        }
-    }
-
-    pub(crate) async fn send_error(&self, id: RequestId, error: JSONRPCErrorError) {
-        let outgoing_message = OutgoingMessage::Error(OutgoingError { id, error });
-        let _ = self.sender.send(outgoing_message).await;
-    }
-}

codex-rs/exec-command-mcp/src/session_id.rs

@@ -1,6 +0,0 @@
-use schemars::JsonSchema;
-use serde::Deserialize;
-use serde::Serialize;
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize, JsonSchema)]
-pub(crate) struct SessionId(pub u32);

codex-rs/exec-command-mcp/src/session_manager.rs

@@ -1,324 +0,0 @@
-use std::collections::HashMap;
-use std::io::Read;
-use std::sync::Arc;
-use std::sync::Mutex as StdMutex;
-use std::sync::atomic::AtomicU32;
-
-use mcp_types::CallToolResult;
-use mcp_types::ContentBlock;
-use mcp_types::JSONRPCErrorError;
-use mcp_types::RequestId;
-use mcp_types::TextContent;
-use portable_pty::CommandBuilder;
-use portable_pty::PtySize;
-use portable_pty::native_pty_system;
-use serde_json::json;
-use tokio::sync::Mutex;
-use tokio::sync::mpsc;
-use tokio::sync::oneshot;
-use tokio::time::Duration;
-use tokio::time::Instant;
-use tokio::time::timeout;
-
-use crate::error_code;
-use crate::exec_command::ExecCommandParams;
-use crate::exec_command::WriteStdinParams;
-use crate::exec_command_session::ExecCommandSession;
-use crate::outgoing_message_sender::OutgoingMessageSender;
-use crate::session_id::SessionId;
-
-#[derive(Debug, Default)]
-pub(crate) struct SessionManager {
-    next_session_id: AtomicU32,
-    sessions: Mutex<HashMap<SessionId, ExecCommandSession>>,
-}
-
-impl SessionManager {
-    /// Processes the request and is required to send a response via `outgoing`.
-    pub(crate) async fn handle_exec_command_request(
-        &self,
-        request_id: RequestId,
-        params: ExecCommandParams,
-        outgoing: Arc<OutgoingMessageSender>,
-    ) {
-        // Allocate a session id.
-        let session_id = SessionId(
-            self.next_session_id
-                .fetch_add(1, std::sync::atomic::Ordering::SeqCst),
-        );
-
-        let result = create_exec_command_session(session_id, params.clone()).await;
-
-        match result {
-            Ok((session, mut exit_rx)) => {
-                // Insert into session map.
-                let output_receiver = session.output_receiver();
-                self.sessions.lock().await.insert(session_id, session);
-
-                // Collect output until either timeout expires or process exits.
-                // Cap by assuming 4 bytes per token (TODO: use a real tokenizer).
-                let cap_bytes_u64 = params.max_output_tokens.saturating_mul(4);
-                let cap_bytes: usize = cap_bytes_u64.min(usize::MAX as u64) as usize;
-                let cap_hint = cap_bytes.clamp(1024, 8192);
-                let mut collected: Vec<u8> = Vec::with_capacity(cap_hint);
-
-                let deadline = Instant::now() + Duration::from_millis(params.yield_time_ms);
-                let mut exit_code: Option<i32> = None;
-
-                loop {
-                    if Instant::now() >= deadline {
-                        break;
-                    }
-                    let remaining = deadline.saturating_duration_since(Instant::now());
-                    tokio::select! {
-                        biased;
-                        exit = &mut exit_rx => {
-                            exit_code = exit.ok();
-                            // Small grace period to pull remaining buffered output
-                            let grace_deadline = Instant::now() + Duration::from_millis(25);
-                            while Instant::now() < grace_deadline {
-                                let recv_next = async {
-                                    let mut rx = output_receiver.lock().await;
-                                    rx.recv().await
-                                };
-                                if let Ok(Some(chunk)) = timeout(Duration::from_millis(1), recv_next).await {
-                                    let available = cap_bytes.saturating_sub(collected.len());
-                                    if available == 0 { break; }
-                                    let take = available.min(chunk.len());
-                                    collected.extend_from_slice(&chunk[..take]);
-                                } else {
-                                    break;
-                                }
-                            }
-                            break;
-                        }
-                        chunk = timeout(remaining, async {
-                            let mut rx = output_receiver.lock().await;
-                            rx.recv().await
-                        }) => {
-                            match chunk {
-                                Ok(Some(chunk)) => {
-                                    let available = cap_bytes.saturating_sub(collected.len());
-                                    if available == 0 { /* keep draining, but don't store */ }
-                                    else {
-                                        let take = available.min(chunk.len());
-                                        collected.extend_from_slice(&chunk[..take]);
-                                    }
-                                }
-                                Ok(None) => { break; }
-                                Err(_) => { break; }
-                            }
-                        }
-                    }
-                }
-
-                let text = String::from_utf8_lossy(&collected).to_string();
-                let mut structured = json!({ "sessionId": session_id });
-                if let Some(code) = exit_code {
-                    structured["exitCode"] = json!(code);
-                }
-                let result = CallToolResult {
-                    content: vec![ContentBlock::TextContent(TextContent {
-                        r#type: "text".to_string(),
-                        text,
-                        annotations: None,
-                    })],
-                    is_error: None,
-                    structured_content: Some(structured),
-                };
-                outgoing.send_response(request_id, result).await;
-            }
-            Err(err) => {
-                outgoing
-                    .send_error(
-                        request_id,
-                        JSONRPCErrorError {
-                            code: error_code::INTERNAL_ERROR_CODE,
-                            message: format!("failed to start exec session: {err}"),
-                            data: None,
-                        },
-                    )
-                    .await;
-            }
-        }
-    }
-
-    /// Write characters to a session's stdin and collect combined output for up to `yield_time_ms`.
-    pub(crate) async fn handle_write_stdin_request(
-        &self,
-        request_id: RequestId,
-        params: WriteStdinParams,
-        outgoing: Arc<OutgoingMessageSender>,
-    ) {
-        let WriteStdinParams {
-            session_id,
-            chars,
-            yield_time_ms,
-            max_output_tokens,
-        } = params;
-
-        // Grab handles without holding the sessions lock across await points.
-        let (writer_tx, output_rx) = {
-            let sessions = self.sessions.lock().await;
-            match sessions.get(&session_id) {
-                Some(session) => (session.writer_sender(), session.output_receiver()),
-                None => {
-                    outgoing
-                        .send_error(
-                            request_id,
-                            JSONRPCErrorError {
-                                code: error_code::INVALID_REQUEST_ERROR_CODE,
-                                message: format!("unknown session id {}", session_id.0),
-                                data: None,
-                            },
-                        )
-                        .await;
-                    return;
-                }
-            }
-        };
-
-        // Write stdin if provided.
-        if !chars.is_empty() && writer_tx.send(chars.into_bytes()).await.is_err() {
-            outgoing
-                .send_error(
-                    request_id,
-                    JSONRPCErrorError {
-                        code: error_code::INTERNAL_ERROR_CODE,
-                        message: "failed to write to stdin".to_string(),
-                        data: None,
-                    },
-                )
-                .await;
-            return;
-        }
-
-        // Collect output up to yield_time_ms, truncating to max_output_tokens bytes.
-        let mut collected: Vec<u8> = Vec::with_capacity(4096);
-        let deadline = Instant::now() + Duration::from_millis(yield_time_ms);
-        loop {
-            let now = Instant::now();
-            if now >= deadline {
-                break;
-            }
-            let remaining = deadline - now;
-            match timeout(remaining, output_rx.lock().await.recv()).await {
-                Ok(Some(chunk)) => {
-                    // Respect token/byte limit; keep draining but drop once full.
-                    let available =
-                        max_output_tokens.saturating_sub(collected.len() as u64) as usize;
-                    if available > 0 {
-                        let take = available.min(chunk.len());
-                        collected.extend_from_slice(&chunk[..take]);
-                    }
-                    // Continue loop to drain further within time.
-                }
-                Ok(None) => break, // channel closed
-                Err(_) => break,   // timeout
-            }
-        }
-
-        // Return text output as a CallToolResult
-        let text = String::from_utf8_lossy(&collected).to_string();
-        let result = CallToolResult {
-            content: vec![ContentBlock::TextContent(TextContent {
-                r#type: "text".to_string(),
-                text,
-                annotations: None,
-            })],
-            is_error: None,
-            structured_content: None,
-        };
-        outgoing.send_response(request_id, result).await;
-    }
-}
-
-/// Spawn PTY and child process per spawn_exec_command_session logic.
-async fn create_exec_command_session(
-    session_id: SessionId,
-    params: ExecCommandParams,
-) -> anyhow::Result<(ExecCommandSession, oneshot::Receiver<i32>)> {
-    let ExecCommandParams {
-        cmd,
-        yield_time_ms: _,
-        max_output_tokens: _,
-        shell,
-        login,
-    } = params;
-
-    // Use the native pty implementation for the system
-    let pty_system = native_pty_system();
-
-    // Create a new pty
-    let pair = pty_system.openpty(PtySize {
-        rows: 24,
-        cols: 80,
-        pixel_width: 0,
-        pixel_height: 0,
-    })?;
-
-    // Spawn a shell into the pty
-    let mut command_builder = CommandBuilder::new(shell);
-    let shell_mode_opt = if login { "-lc" } else { "-c" };
-    command_builder.arg(shell_mode_opt);
-    command_builder.arg(cmd);
-
-    let mut child = pair.slave.spawn_command(command_builder)?;
-
-    // Channel to forward write requests to the PTY writer.
-    let (writer_tx, mut writer_rx) = mpsc::channel::<Vec<u8>>(128);
-    // Channel for streaming PTY output to readers.
-    let (output_tx, output_rx) = mpsc::channel::<Vec<u8>>(256);
-
-    // Reader task: drain PTY and forward chunks to output channel.
-    let mut reader = pair.master.try_clone_reader()?;
-    let output_tx_clone = output_tx.clone();
-    tokio::task::spawn_blocking(move || {
-        let mut buf = [0u8; 8192];
-        loop {
-            match reader.read(&mut buf) {
-                Ok(0) => break, // EOF
-                Ok(n) => {
-                    // Forward; block if receiver is slow to avoid dropping output.
-                    let _ = output_tx_clone.blocking_send(buf[..n].to_vec());
-                }
-                Err(_) => break,
-            }
-        }
-    });
-
-    // Writer task: apply stdin writes to the PTY writer.
-    let writer = pair.master.take_writer()?;
-    let writer = Arc::new(StdMutex::new(writer));
-    tokio::spawn({
-        let writer = writer.clone();
-        async move {
-            while let Some(bytes) = writer_rx.recv().await {
-                let writer = writer.clone();
-                // Perform blocking write on a blocking thread.
-                let _ = tokio::task::spawn_blocking(move || {
-                    if let Ok(mut guard) = writer.lock() {
-                        use std::io::Write;
-                        let _ = guard.write_all(&bytes);
-                        let _ = guard.flush();
-                    }
-                })
-                .await;
-            }
-        }
-    });
-
-    // Keep the child alive until it exits, then signal exit code.
-    let (exit_tx, exit_rx) = oneshot::channel::<i32>();
-    tokio::task::spawn_blocking(move || {
-        let code = match child.wait() {
-            Ok(status) => status.exit_code() as i32,
-            Err(_) => -1,
-        };
-        let _ = exit_tx.send(code);
-    });
-
-    // Create and store the session with channels.
-    let session = ExecCommandSession::new(session_id, writer_tx, output_rx);
-    Ok((session, exit_rx))
-}

codex-rs/exec/Cargo.toml

@@ -25,6 +25,7 @@ codex-common = { path = "../common", features = [
     "sandbox_summary",
 ] }
 codex-core = { path = "../core" }
+codex-login = { path = "../login" }
 codex-ollama = { path = "../ollama" }
 codex-protocol = { path = "../protocol" }
 owo-colors = "4.2.0"

codex-rs/exec/src/event_processor_with_human_output.rs

@@ -20,6 +20,7 @@ use codex_core::protocol::McpToolCallEndEvent;
 use codex_core::protocol::PatchApplyBeginEvent;
 use codex_core::protocol::PatchApplyEndEvent;
 use codex_core::protocol::SessionConfiguredEvent;
+use codex_core::protocol::StreamErrorEvent;
 use codex_core::protocol::TaskCompleteEvent;
 use codex_core::protocol::TurnAbortReason;
 use codex_core::protocol::TurnDiffEvent;
@@ -167,6 +168,15 @@ impl EventProcessor for EventProcessorWithHumanOutput {
     fn process_event(&mut self, event: Event) -> CodexStatus {
         let Event { id: _, msg } = event;
         match msg {
+            EventMsg::SubagentBegin(_) => {
+                // Ignore in human output for now.
+            }
+            EventMsg::SubagentForwarded(_) => {
+                // Ignore; TUI will render forwarded events.
+            }
+            EventMsg::SubagentEnd(_) => {
+                // Ignore in human output for now.
+            }
             EventMsg::Error(ErrorEvent { message }) => {
                 let prefix = "ERROR:".style(self.red);
                 ts_println!(self, "{prefix} {message}");
@@ -174,6 +184,9 @@ impl EventProcessor for EventProcessorWithHumanOutput {
             EventMsg::BackgroundEvent(BackgroundEventEvent { message }) => {
                 ts_println!(self, "{}", message.style(self.dimmed));
             }
+            EventMsg::StreamError(StreamErrorEvent { message }) => {
+                ts_println!(self, "{}", message.style(self.dimmed));
+            }
             EventMsg::TaskStarted => {
                 // Ignore.
             }
@@ -283,10 +296,10 @@ impl EventProcessor for EventProcessorWithHumanOutput {
             EventMsg::ExecCommandOutputDelta(_) => {}
             EventMsg::ExecCommandEnd(ExecCommandEndEvent {
                 call_id,
-                stdout,
-                stderr,
+                aggregated_output,
                 duration,
                 exit_code,
+                ..
             }) => {
                 let exec_command = self.call_id_to_command.remove(&call_id);
                 let (duration, call) = if let Some(ExecCommandBegin { command, .. }) = exec_command
@@ -299,8 +312,7 @@ impl EventProcessor for EventProcessorWithHumanOutput {
                     ("".to_string(), format!("exec('{call_id}')"))
                 };
 
-                let output = if exit_code == 0 { stdout } else { stderr };
-                let truncated_output = output
+                let truncated_output = aggregated_output
                     .lines()
                     .take(MAX_OUTPUT_LINES_FOR_EXEC_TOOL_CALL)
                     .collect::<Vec<_>>()
@@ -535,6 +547,7 @@ impl EventProcessor for EventProcessorWithHumanOutput {
                 }
             },
             EventMsg::ShutdownComplete => return CodexStatus::Shutdown,
+            EventMsg::ConversationHistory(_) => {}
         }
         CodexStatus::Running
     }

codex-rs/exec/src/event_processor_with_json_output.rs

@@ -41,6 +41,12 @@ impl EventProcessor for EventProcessorWithJsonOutput {
 
     fn process_event(&mut self, event: Event) -> CodexStatus {
         match event.msg {
+            EventMsg::SubagentBegin(_)
+            | EventMsg::SubagentForwarded(_)
+            | EventMsg::SubagentEnd(_) => {
+                // Ignored for JSON output in exec for now.
+                CodexStatus::Running
+            }
             EventMsg::AgentMessageDelta(_) | EventMsg::AgentReasoningDelta(_) => {
                 // Suppress streaming events in JSON mode.
                 CodexStatus::Running

codex-rs/exec/src/lib.rs

@@ -20,6 +20,7 @@ use codex_core::protocol::InputItem;
 use codex_core::protocol::Op;
 use codex_core::protocol::TaskCompleteEvent;
 use codex_core::util::is_inside_git_repo;
+use codex_login::AuthManager;
 use codex_ollama::DEFAULT_OSS_MODEL;
 use codex_protocol::config_types::SandboxMode;
 use event_processor_with_human_output::EventProcessorWithHumanOutput;
@@ -145,6 +146,7 @@ pub async fn run_main(cli: Cli, codex_linux_sandbox_exe: Option<PathBuf>) -> any
         model_provider,
         codex_linux_sandbox_exe,
         base_instructions: None,
+        include_subagent_tool: None,
         include_plan_tool: None,
         include_apply_patch_tool: None,
         disable_response_storage: oss.then_some(true),
@@ -185,7 +187,10 @@ pub async fn run_main(cli: Cli, codex_linux_sandbox_exe: Option<PathBuf>) -> any
         std::process::exit(1);
     }
 
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager = ConversationManager::new(AuthManager::shared(
+        config.codex_home.clone(),
+        config.preferred_auth_method,
+    ));
     let NewConversation {
         conversation_id: _,
         conversation,

codex-rs/exec/tests/apply_patch.rs

@@ -123,6 +123,155 @@ async fn test_apply_patch_tool() -> anyhow::Result<()> {
     // Start a mock model server
     let server = MockServer::start().await;
 
+    // First response: model calls apply_patch to create test.md
+    let first = ResponseTemplate::new(200)
+        .insert_header("content-type", "text/event-stream")
+        .set_body_raw(
+            load_sse_fixture_with_id_from_str(SSE_TOOL_CALL_ADD, "call1"),
+            "text/event-stream",
+        );
+
+    Mock::given(method("POST"))
+        // .and(path("/v1/responses"))
+        .respond_with(first)
+        .up_to_n_times(1)
+        .mount(&server)
+        .await;
+
+    // Second response: model calls apply_patch to update test.md
+    let second = ResponseTemplate::new(200)
+        .insert_header("content-type", "text/event-stream")
+        .set_body_raw(
+            load_sse_fixture_with_id_from_str(SSE_TOOL_CALL_UPDATE, "call2"),
+            "text/event-stream",
+        );
+
+    Mock::given(method("POST"))
+        .and(path("/v1/responses"))
+        .respond_with(second)
+        .up_to_n_times(1)
+        .mount(&server)
+        .await;
+
+    let final_completed = ResponseTemplate::new(200)
+        .insert_header("content-type", "text/event-stream")
+        .set_body_raw(
+            load_sse_fixture_with_id_from_str(SSE_TOOL_CALL_COMPLETED, "resp3"),
+            "text/event-stream",
+        );
+
+    Mock::given(method("POST"))
+        .and(path("/v1/responses"))
+        .respond_with(final_completed)
+        .expect(1)
+        .mount(&server)
+        .await;
+
+    let tmp_cwd = TempDir::new().unwrap();
+    Command::cargo_bin("codex-exec")
+        .context("should find binary for codex-exec")?
+        .current_dir(tmp_cwd.path())
+        .env("CODEX_HOME", tmp_cwd.path())
+        .env("OPENAI_API_KEY", "dummy")
+        .env("OPENAI_BASE_URL", format!("{}/v1", server.uri()))
+        .arg("--skip-git-repo-check")
+        .arg("-s")
+        .arg("workspace-write")
+        .arg("foo")
+        .assert()
+        .success();
+
+    // Verify final file contents
+    let final_path = tmp_cwd.path().join("test.md");
+    let contents = std::fs::read_to_string(&final_path)
+        .unwrap_or_else(|e| panic!("failed reading {}: {e}", final_path.display()));
+    assert_eq!(contents, "Final text\n");
+    Ok(())
+}
+
+#[cfg(not(target_os = "windows"))]
+#[tokio::test]
+async fn test_apply_patch_freeform_tool() -> anyhow::Result<()> {
+    use core_test_support::load_sse_fixture_with_id_from_str;
+    use tempfile::TempDir;
+    use wiremock::Mock;
+    use wiremock::MockServer;
+    use wiremock::ResponseTemplate;
+    use wiremock::matchers::method;
+    use wiremock::matchers::path;
+
+    const SSE_TOOL_CALL_ADD: &str = r#"[
+  {
+    "type": "response.output_item.done",
+    "item": {
+      "type": "custom_tool_call",
+      "name": "apply_patch",
+      "input": "*** Begin Patch\n*** Add File: test.md\n+Hello world\n*** End Patch",
+      "call_id": "__ID__"
+    }
+  },
+  {
+    "type": "response.completed",
+    "response": {
+      "id": "__ID__",
+      "usage": {
+        "input_tokens": 0,
+        "input_tokens_details": null,
+        "output_tokens": 0,
+        "output_tokens_details": null,
+        "total_tokens": 0
+      },
+      "output": []
+    }
+  }
+]"#;
+
+    const SSE_TOOL_CALL_UPDATE: &str = r#"[
+  {
+    "type": "response.output_item.done",
+    "item": {
+      "type": "custom_tool_call",
+      "name": "apply_patch",
+      "input": "*** Begin Patch\n*** Update File: test.md\n@@\n-Hello world\n+Final text\n*** End Patch",
+      "call_id": "__ID__"
+    }
+  },
+  {
+    "type": "response.completed",
+    "response": {
+      "id": "__ID__",
+      "usage": {
+        "input_tokens": 0,
+        "input_tokens_details": null,
+        "output_tokens": 0,
+        "output_tokens_details": null,
+        "total_tokens": 0
+      },
+      "output": []
+    }
+  }
+]"#;
+
+    const SSE_TOOL_CALL_COMPLETED: &str = r#"[
+  {
+    "type": "response.completed",
+    "response": {
+      "id": "__ID__",
+      "usage": {
+        "input_tokens": 0,
+        "input_tokens_details": null,
+        "output_tokens": 0,
+        "output_tokens_details": null,
+        "total_tokens": 0
+      },
+      "output": []
+    }
+  }
+]"#;
+
+    // Start a mock model server
+    let server = MockServer::start().await;
+
     // First response: model calls apply_patch to create test.md
     let first = ResponseTemplate::new(200)
         .insert_header("content-type", "text/event-stream")

codex-rs/execpolicy/Cargo.toml

@@ -26,7 +26,7 @@ multimap = "0.10.0"
 path-absolutize = "3.1.1"
 regex-lite = "0.1"
 serde = { version = "1.0.194", features = ["derive"] }
-serde_json = "1.0.142"
+serde_json = "1.0.143"
 serde_with = { version = "3", features = ["macros"] }
 
 [dev-dependencies]

codex-rs/file-search/Cargo.toml

@@ -17,5 +17,5 @@ clap = { version = "4", features = ["derive"] }
 ignore = "0.4.23"
 nucleo-matcher = "0.3.1"
 serde = { version = "1", features = ["derive"] }
-serde_json = "1.0.142"
+serde_json = "1.0.143"
 tokio = { version = "1", features = ["full"] }

codex-rs/justfile

@@ -24,8 +24,8 @@ file-search *args:
 fmt:
     cargo fmt -- --config imports_granularity=Item
 
-fix:
-    cargo clippy --fix --all-features --tests --allow-dirty
+fix *args:
+    cargo clippy --fix --all-features --tests --allow-dirty "$@"
 
 install:
     rustup show active-toolchain

codex-rs/login/Cargo.toml

@@ -9,6 +9,7 @@ workspace = true
 [dependencies]
 base64 = "0.22"
 chrono = { version = "0.4", features = ["serde"] }
+codex-protocol = { path = "../protocol" }
 rand = "0.8"
 reqwest = { version = "0.12", features = ["json", "blocking"] }
 serde = { version = "1", features = ["derive"] }

codex-rs/login/src/auth_manager.rs

@@ -0,0 +1,129 @@
+use std::path::PathBuf;
+use std::sync::Arc;
+use std::sync::RwLock;
+
+use crate::AuthMode;
+use crate::CodexAuth;
+
+/// Internal cached auth state.
+#[derive(Clone, Debug)]
+struct CachedAuth {
+    preferred_auth_mode: AuthMode,
+    auth: Option<CodexAuth>,
+}
+
+/// Central manager providing a single source of truth for auth.json derived
+/// authentication data. It loads once (or on preference change) and then
+/// hands out cloned `CodexAuth` values so the rest of the program has a
+/// consistent snapshot.
+///
+/// External modifications to `auth.json` will NOT be observed until
+/// `reload()` is called explicitly. This matches the design goal of avoiding
+/// different parts of the program seeing inconsistent auth data mid‑run.
+#[derive(Debug)]
+pub struct AuthManager {
+    codex_home: PathBuf,
+    inner: RwLock<CachedAuth>,
+}
+
+impl AuthManager {
+    /// Create a new manager loading the initial auth using the provided
+    /// preferred auth method. Errors loading auth are swallowed; `auth()` will
+    /// simply return `None` in that case so callers can treat it as an
+    /// unauthenticated state.
+    pub fn new(codex_home: PathBuf, preferred_auth_mode: AuthMode) -> Self {
+        let auth = crate::CodexAuth::from_codex_home(&codex_home, preferred_auth_mode)
+            .ok()
+            .flatten();
+        Self {
+            codex_home,
+            inner: RwLock::new(CachedAuth {
+                preferred_auth_mode,
+                auth,
+            }),
+        }
+    }
+
+    /// Create an AuthManager with a specific CodexAuth, for testing only.
+    pub fn from_auth_for_testing(auth: CodexAuth) -> Arc<Self> {
+        let preferred_auth_mode = auth.mode;
+        let cached = CachedAuth {
+            preferred_auth_mode,
+            auth: Some(auth),
+        };
+        Arc::new(Self {
+            codex_home: PathBuf::new(),
+            inner: RwLock::new(cached),
+        })
+    }
+
+    /// Current cached auth (clone). May be `None` if not logged in or load failed.
+    pub fn auth(&self) -> Option<CodexAuth> {
+        self.inner.read().ok().and_then(|c| c.auth.clone())
+    }
+
+    /// Preferred auth method used when (re)loading.
+    pub fn preferred_auth_method(&self) -> AuthMode {
+        self.inner
+            .read()
+            .map(|c| c.preferred_auth_mode)
+            .unwrap_or(AuthMode::ApiKey)
+    }
+
+    /// Force a reload using the existing preferred auth method. Returns
+    /// whether the auth value changed.
+    pub fn reload(&self) -> bool {
+        let preferred = self.preferred_auth_method();
+        let new_auth = crate::CodexAuth::from_codex_home(&self.codex_home, preferred)
+            .ok()
+            .flatten();
+        if let Ok(mut guard) = self.inner.write() {
+            let changed = !AuthManager::auths_equal(&guard.auth, &new_auth);
+            guard.auth = new_auth;
+            changed
+        } else {
+            false
+        }
+    }
+
+    fn auths_equal(a: &Option<CodexAuth>, b: &Option<CodexAuth>) -> bool {
+        match (a, b) {
+            (None, None) => true,
+            (Some(a), Some(b)) => a == b,
+            _ => false,
+        }
+    }
+
+    /// Convenience constructor returning an `Arc` wrapper.
+    pub fn shared(codex_home: PathBuf, preferred_auth_mode: AuthMode) -> Arc<Self> {
+        Arc::new(Self::new(codex_home, preferred_auth_mode))
+    }
+
+    /// Attempt to refresh the current auth token (if any). On success, reload
+    /// the auth state from disk so other components observe refreshed token.
+    pub async fn refresh_token(&self) -> std::io::Result<Option<String>> {
+        let auth = match self.auth() {
+            Some(a) => a,
+            None => return Ok(None),
+        };
+        match auth.refresh_token().await {
+            Ok(token) => {
+                // Reload to pick up persisted changes.
+                self.reload();
+                Ok(Some(token))
+            }
+            Err(e) => Err(e),
+        }
+    }
+
+    /// Log out by deleting the on‑disk auth.json (if present). Returns Ok(true)
+    /// if a file was removed, Ok(false) if no auth file existed. On success,
+    /// reloads the in‑memory auth cache so callers immediately observe the
+    /// unauthenticated state.
+    pub fn logout(&self) -> std::io::Result<bool> {
+        let removed = crate::logout(&self.codex_home)?;
+        // Always reload to clear any cached auth (even if file absent).
+        self.reload();
+        Ok(removed)
+    }
+}

codex-rs/login/src/lib.rs

@@ -23,19 +23,15 @@ pub use crate::server::run_login_server;
 pub use crate::token_data::TokenData;
 use crate::token_data::parse_id_token;
 
+mod auth_manager;
 mod pkce;
 mod server;
 mod token_data;
 
 pub const CLIENT_ID: &str = "app_EMoamEEZ73f0CkXaXp7hrann";
 pub const OPENAI_API_KEY_ENV_VAR: &str = "OPENAI_API_KEY";
-
-#[derive(Clone, Debug, PartialEq, Copy, Eq, Serialize, Deserialize)]
-#[serde(rename_all = "lowercase")]
-pub enum AuthMode {
-    ApiKey,
-    ChatGPT,
-}
+pub use auth_manager::AuthManager;
+pub use codex_protocol::mcp_protocol::AuthMode;
 
 #[derive(Debug, Clone)]
 pub struct CodexAuth {
@@ -62,6 +58,39 @@ impl CodexAuth {
         }
     }
 
+    pub async fn refresh_token(&self) -> Result<String, std::io::Error> {
+        let token_data = self
+            .get_current_token_data()
+            .ok_or(std::io::Error::other("Token data is not available."))?;
+        let token = token_data.refresh_token;
+
+        let refresh_response = try_refresh_token(token)
+            .await
+            .map_err(std::io::Error::other)?;
+
+        let updated = update_tokens(
+            &self.auth_file,
+            refresh_response.id_token,
+            refresh_response.access_token,
+            refresh_response.refresh_token,
+        )
+        .await?;
+
+        if let Ok(mut auth_lock) = self.auth_dot_json.lock() {
+            *auth_lock = Some(updated.clone());
+        }
+
+        let access = match updated.tokens {
+            Some(t) => t.access_token,
+            None => {
+                return Err(std::io::Error::other(
+                    "Token data is not available after refresh.",
+                ));
+            }
+        };
+        Ok(access)
+    }
+
     /// Loads the available auth information from the auth.json or
     /// OPENAI_API_KEY environment variable.
     pub fn from_codex_home(
@@ -209,7 +238,7 @@ fn load_auth(
         // "refreshable" even if we are using the API key for auth?
         match &tokens {
             Some(tokens) => {
-                if tokens.should_use_api_key(preferred_auth_method) {
+                if tokens.should_use_api_key(preferred_auth_method, tokens.is_openai_email()) {
                     return Ok(Some(CodexAuth::from_api_key(api_key)));
                 } else {
                     // Ignore the API key and fall through to ChatGPT auth.

codex-rs/login/src/token_data.rs

@@ -25,16 +25,31 @@ pub struct TokenData {
 impl TokenData {
     /// Returns true if this is a plan that should use the traditional
     /// "metered" billing via an API key.
-    pub(crate) fn should_use_api_key(&self, preferred_auth_method: AuthMode) -> bool {
+    pub(crate) fn should_use_api_key(
+        &self,
+        preferred_auth_method: AuthMode,
+        is_openai_email: bool,
+    ) -> bool {
         if preferred_auth_method == AuthMode::ApiKey {
             return true;
         }
+        // If the email is an OpenAI email, use AuthMode::ChatGPT unless preferred_auth_method is AuthMode::ApiKey.
+        if is_openai_email {
+            return false;
+        }
 
         self.id_token
             .chatgpt_plan_type
             .as_ref()
             .is_none_or(|plan| plan.is_plan_that_should_use_api_key())
     }
+
+    pub fn is_openai_email(&self) -> bool {
+        self.id_token
+            .email
+            .as_deref()
+            .is_some_and(|email| email.trim().to_ascii_lowercase().ends_with("@openai.com"))
+    }
 }
 
 /// Flat subset of useful claims in id_token from auth.json.

codex-rs/mcp-server/Cargo.toml

@@ -17,7 +17,7 @@ workspace = true
 [dependencies]
 anyhow = "1"
 codex-arg0 = { path = "../arg0" }
-codex-common = { path = "../common" }
+codex-common = { path = "../common", features = ["cli"] }
 codex-core = { path = "../core" }
 codex-login = { path = "../login" }
 codex-protocol = { path = "../protocol" }

codex-rs/mcp-server/src/codex_message_processor.rs

@@ -8,11 +8,15 @@ use codex_core::ConversationManager;
 use codex_core::NewConversation;
 use codex_core::config::Config;
 use codex_core::config::ConfigOverrides;
+use codex_core::git_info::git_diff_to_remote;
 use codex_core::protocol::ApplyPatchApprovalRequestEvent;
 use codex_core::protocol::Event;
 use codex_core::protocol::EventMsg;
 use codex_core::protocol::ExecApprovalRequestEvent;
 use codex_core::protocol::ReviewDecision;
+use codex_login::AuthManager;
+use codex_protocol::mcp_protocol::AuthMode;
+use codex_protocol::mcp_protocol::GitDiffToRemoteResponse;
 use mcp_types::JSONRPCErrorError;
 use mcp_types::RequestId;
 use tokio::sync::Mutex;
@@ -36,6 +40,7 @@ use codex_protocol::mcp_protocol::AddConversationListenerParams;
 use codex_protocol::mcp_protocol::AddConversationSubscriptionResponse;
 use codex_protocol::mcp_protocol::ApplyPatchApprovalParams;
 use codex_protocol::mcp_protocol::ApplyPatchApprovalResponse;
+use codex_protocol::mcp_protocol::AuthStatusChangeNotification;
 use codex_protocol::mcp_protocol::ClientRequest;
 use codex_protocol::mcp_protocol::ConversationId;
 use codex_protocol::mcp_protocol::EXEC_COMMAND_APPROVAL_METHOD;
@@ -44,7 +49,6 @@ use codex_protocol::mcp_protocol::ExecCommandApprovalResponse;
 use codex_protocol::mcp_protocol::InputItem as WireInputItem;
 use codex_protocol::mcp_protocol::InterruptConversationParams;
 use codex_protocol::mcp_protocol::InterruptConversationResponse;
-use codex_protocol::mcp_protocol::LOGIN_CHATGPT_COMPLETE_EVENT;
 use codex_protocol::mcp_protocol::LoginChatGptCompleteNotification;
 use codex_protocol::mcp_protocol::LoginChatGptResponse;
 use codex_protocol::mcp_protocol::NewConversationParams;
@@ -55,6 +59,7 @@ use codex_protocol::mcp_protocol::SendUserMessageParams;
 use codex_protocol::mcp_protocol::SendUserMessageResponse;
 use codex_protocol::mcp_protocol::SendUserTurnParams;
 use codex_protocol::mcp_protocol::SendUserTurnResponse;
+use codex_protocol::mcp_protocol::ServerNotification;
 
 // Duration before a ChatGPT login attempt is abandoned.
 const LOGIN_CHATGPT_TIMEOUT: Duration = Duration::from_secs(10 * 60);
@@ -72,9 +77,11 @@ impl ActiveLogin {
 
 /// Handles JSON-RPC messages for Codex conversations.
 pub(crate) struct CodexMessageProcessor {
+    auth_manager: Arc<AuthManager>,
     conversation_manager: Arc<ConversationManager>,
     outgoing: Arc<OutgoingMessageSender>,
     codex_linux_sandbox_exe: Option<PathBuf>,
+    config: Arc<Config>,
     conversation_listeners: HashMap<Uuid, oneshot::Sender<()>>,
     active_login: Arc<Mutex<Option<ActiveLogin>>>,
     // Queue of pending interrupt requests per conversation. We reply when TurnAborted arrives.
@@ -83,14 +90,18 @@ pub(crate) struct CodexMessageProcessor {
 
 impl CodexMessageProcessor {
     pub fn new(
+        auth_manager: Arc<AuthManager>,
         conversation_manager: Arc<ConversationManager>,
         outgoing: Arc<OutgoingMessageSender>,
         codex_linux_sandbox_exe: Option<PathBuf>,
+        config: Arc<Config>,
     ) -> Self {
         Self {
+            auth_manager,
             conversation_manager,
             outgoing,
             codex_linux_sandbox_exe,
+            config,
             conversation_listeners: HashMap::new(),
             active_login: Arc::new(Mutex::new(None)),
             pending_interrupts: Arc::new(Mutex::new(HashMap::new())),
@@ -120,29 +131,26 @@ impl CodexMessageProcessor {
             ClientRequest::RemoveConversationListener { request_id, params } => {
                 self.remove_conversation_listener(request_id, params).await;
             }
+            ClientRequest::GitDiffToRemote { request_id, params } => {
+                self.git_diff_to_origin(request_id, params.cwd).await;
+            }
             ClientRequest::LoginChatGpt { request_id } => {
                 self.login_chatgpt(request_id).await;
             }
             ClientRequest::CancelLoginChatGpt { request_id, params } => {
                 self.cancel_login_chatgpt(request_id, params.login_id).await;
             }
+            ClientRequest::LogoutChatGpt { request_id } => {
+                self.logout_chatgpt(request_id).await;
+            }
+            ClientRequest::GetAuthStatus { request_id, params } => {
+                self.get_auth_status(request_id, params).await;
+            }
         }
     }
 
     async fn login_chatgpt(&mut self, request_id: RequestId) {
-        let config =
-            match Config::load_with_cli_overrides(Default::default(), ConfigOverrides::default()) {
-                Ok(cfg) => cfg,
-                Err(err) => {
-                    let error = JSONRPCErrorError {
-                        code: INTERNAL_ERROR_CODE,
-                        message: format!("error loading config for login: {err}"),
-                        data: None,
-                    };
-                    self.outgoing.send_error(request_id, error).await;
-                    return;
-                }
-            };
+        let config = self.config.as_ref();
 
         let opts = LoginServerOptions {
             open_browser: false,
@@ -179,6 +187,7 @@ impl CodexMessageProcessor {
                 // Spawn background task to monitor completion.
                 let outgoing_clone = self.outgoing.clone();
                 let active_login = self.active_login.clone();
+                let auth_manager = self.auth_manager.clone();
                 tokio::spawn(async move {
                     let (success, error_msg) = match tokio::time::timeout(
                         LOGIN_CHATGPT_TIMEOUT,
@@ -194,19 +203,30 @@ impl CodexMessageProcessor {
                             (false, Some("Login timed out".to_string()))
                         }
                     };
-                    let notification = LoginChatGptCompleteNotification {
+                    let payload = LoginChatGptCompleteNotification {
                         login_id,
                         success,
                         error: error_msg,
                     };
-                    let params = serde_json::to_value(&notification).ok();
                     outgoing_clone
-                        .send_notification(OutgoingNotification {
-                            method: LOGIN_CHATGPT_COMPLETE_EVENT.to_string(),
-                            params,
-                        })
+                        .send_server_notification(ServerNotification::LoginChatGptComplete(payload))
                         .await;
 
+                    // Send an auth status change notification.
+                    if success {
+                        // Update in-memory auth cache now that login completed.
+                        auth_manager.reload();
+
+                        // Notify clients with the actual current auth mode.
+                        let current_auth_method = auth_manager.auth().map(|a| a.mode);
+                        let payload = AuthStatusChangeNotification {
+                            auth_method: current_auth_method,
+                        };
+                        outgoing_clone
+                            .send_server_notification(ServerNotification::AuthStatusChange(payload))
+                            .await;
+                    }
+
                     // Clear the active login if it matches this attempt. It may have been replaced or cancelled.
                     let mut guard = active_login.lock().await;
                     if guard.as_ref().map(|l| l.login_id) == Some(login_id) {
@@ -255,6 +275,85 @@ impl CodexMessageProcessor {
         }
     }
 
+    async fn logout_chatgpt(&mut self, request_id: RequestId) {
+        {
+            // Cancel any active login attempt.
+            let mut guard = self.active_login.lock().await;
+            if let Some(active) = guard.take() {
+                active.drop();
+            }
+        }
+
+        if let Err(err) = self.auth_manager.logout() {
+            let error = JSONRPCErrorError {
+                code: INTERNAL_ERROR_CODE,
+                message: format!("logout failed: {err}"),
+                data: None,
+            };
+            self.outgoing.send_error(request_id, error).await;
+            return;
+        }
+
+        self.outgoing
+            .send_response(
+                request_id,
+                codex_protocol::mcp_protocol::LogoutChatGptResponse {},
+            )
+            .await;
+
+        // Send auth status change notification reflecting the current auth mode
+        // after logout (which may fall back to API key via env var).
+        let current_auth_method = self.auth_manager.auth().map(|auth| auth.mode);
+        let payload = AuthStatusChangeNotification {
+            auth_method: current_auth_method,
+        };
+        self.outgoing
+            .send_server_notification(ServerNotification::AuthStatusChange(payload))
+            .await;
+    }
+
+    async fn get_auth_status(
+        &self,
+        request_id: RequestId,
+        params: codex_protocol::mcp_protocol::GetAuthStatusParams,
+    ) {
+        let preferred_auth_method: AuthMode = self.auth_manager.preferred_auth_method();
+        let include_token = params.include_token.unwrap_or(false);
+        let do_refresh = params.refresh_token.unwrap_or(false);
+
+        if do_refresh && let Err(err) = self.auth_manager.refresh_token().await {
+            tracing::warn!("failed to refresh token while getting auth status: {err}");
+        }
+
+        let response = match self.auth_manager.auth() {
+            Some(auth) => {
+                let (reported_auth_method, token_opt) = match auth.get_token().await {
+                    Ok(token) if !token.is_empty() => {
+                        let tok = if include_token { Some(token) } else { None };
+                        (Some(auth.mode), tok)
+                    }
+                    Ok(_) => (None, None),
+                    Err(err) => {
+                        tracing::warn!("failed to get token for auth status: {err}");
+                        (None, None)
+                    }
+                };
+                codex_protocol::mcp_protocol::GetAuthStatusResponse {
+                    auth_method: reported_auth_method,
+                    preferred_auth_method,
+                    auth_token: token_opt,
+                }
+            }
+            None => codex_protocol::mcp_protocol::GetAuthStatusResponse {
+                auth_method: None,
+                preferred_auth_method,
+                auth_token: None,
+            },
+        };
+
+        self.outgoing.send_response(request_id, response).await;
+    }
+
     async fn process_new_conversation(&self, request_id: RequestId, params: NewConversationParams) {
         let config = match derive_config_from_params(params, self.codex_linux_sandbox_exe.clone()) {
             Ok(config) => config,
@@ -514,6 +613,27 @@ impl CodexMessageProcessor {
             }
         }
     }
+
+    async fn git_diff_to_origin(&self, request_id: RequestId, cwd: PathBuf) {
+        let diff = git_diff_to_remote(&cwd).await;
+        match diff {
+            Some(value) => {
+                let response = GitDiffToRemoteResponse {
+                    sha: value.sha,
+                    diff: value.diff,
+                };
+                self.outgoing.send_response(request_id, response).await;
+            }
+            None => {
+                let error = JSONRPCErrorError {
+                    code: INVALID_REQUEST_ERROR_CODE,
+                    message: format!("failed to compute git diff to remote for cwd: {cwd:?}"),
+                    data: None,
+                };
+                self.outgoing.send_error(request_id, error).await;
+            }
+        }
+    }
 }
 
 async fn apply_bespoke_event_handling(
@@ -616,6 +736,7 @@ fn derive_config_from_params(
         base_instructions,
         include_plan_tool,
         include_apply_patch_tool,
+        include_subagent_tool: None,
         disable_response_storage: None,
         show_raw_agent_reasoning: None,
     };

codex-rs/mcp-server/src/codex_tool_config.rs

@@ -161,6 +161,7 @@ impl CodexToolCallParam {
             base_instructions,
             include_plan_tool,
             include_apply_patch_tool: None,
+            include_subagent_tool: None,
             disable_response_storage: None,
             show_raw_agent_reasoning: None,
         };

codex-rs/mcp-server/src/codex_tool_runner.rs

@@ -174,6 +174,11 @@ async fn run_codex_tool_session_inner(
                     .await;
 
                 match event.msg {
+                    EventMsg::SubagentBegin(_)
+                    | EventMsg::SubagentForwarded(_)
+                    | EventMsg::SubagentEnd(_) => {
+                        // Ignore subagent orchestration for MCP echoing.
+                    }
                     EventMsg::ExecApprovalRequest(ExecApprovalRequestEvent {
                         command,
                         cwd,
@@ -268,12 +273,14 @@ async fn run_codex_tool_session_inner(
                     | EventMsg::ExecCommandOutputDelta(_)
                     | EventMsg::ExecCommandEnd(_)
                     | EventMsg::BackgroundEvent(_)
+                    | EventMsg::StreamError(_)
                     | EventMsg::PatchApplyBegin(_)
                     | EventMsg::PatchApplyEnd(_)
                     | EventMsg::TurnDiff(_)
                     | EventMsg::GetHistoryEntryResponse(_)
                     | EventMsg::PlanUpdate(_)
                     | EventMsg::TurnAborted(_)
+                    | EventMsg::ConversationHistory(_)
                     | EventMsg::ShutdownComplete => {
                         // For now, we do not do anything extra for these
                         // events. Note that

codex-rs/mcp-server/src/lib.rs

@@ -1,9 +1,14 @@
 //! Prototype MCP server.
 #![deny(clippy::print_stdout, clippy::print_stderr)]
 
+use std::io::ErrorKind;
 use std::io::Result as IoResult;
 use std::path::PathBuf;
 
+use codex_common::CliConfigOverrides;
+use codex_core::config::Config;
+use codex_core::config::ConfigOverrides;
+
 use mcp_types::JSONRPCMessage;
 use tokio::io::AsyncBufReadExt;
 use tokio::io::AsyncWriteExt;
@@ -41,7 +46,10 @@ pub use crate::patch_approval::PatchApprovalResponse;
 /// plenty for an interactive CLI.
 const CHANNEL_CAPACITY: usize = 128;
 
-pub async fn run_main(codex_linux_sandbox_exe: Option<PathBuf>) -> IoResult<()> {
+pub async fn run_main(
+    codex_linux_sandbox_exe: Option<PathBuf>,
+    cli_config_overrides: CliConfigOverrides,
+) -> IoResult<()> {
     // Install a simple subscriber so `tracing` output is visible.  Users can
     // control the log level with `RUST_LOG`.
     tracing_subscriber::fmt()
@@ -77,10 +85,27 @@ pub async fn run_main(codex_linux_sandbox_exe: Option<PathBuf>) -> IoResult<()>
         }
     });
 
+    // Parse CLI overrides once and derive the base Config eagerly so later
+    // components do not need to work with raw TOML values.
+    let cli_kv_overrides = cli_config_overrides.parse_overrides().map_err(|e| {
+        std::io::Error::new(
+            ErrorKind::InvalidInput,
+            format!("error parsing -c overrides: {e}"),
+        )
+    })?;
+    let config = Config::load_with_cli_overrides(cli_kv_overrides, ConfigOverrides::default())
+        .map_err(|e| {
+            std::io::Error::new(ErrorKind::InvalidData, format!("error loading config: {e}"))
+        })?;
+
     // Task: process incoming messages.
     let processor_handle = tokio::spawn({
         let outgoing_message_sender = OutgoingMessageSender::new(outgoing_tx);
-        let mut processor = MessageProcessor::new(outgoing_message_sender, codex_linux_sandbox_exe);
+        let mut processor = MessageProcessor::new(
+            outgoing_message_sender,
+            codex_linux_sandbox_exe,
+            std::sync::Arc::new(config),
+        );
         async move {
             while let Some(msg) = incoming_rx.recv().await {
                 match msg {

codex-rs/mcp-server/src/main.rs

@@ -1,9 +1,10 @@
 use codex_arg0::arg0_dispatch_or_else;
+use codex_common::CliConfigOverrides;
 use codex_mcp_server::run_main;
 
 fn main() -> anyhow::Result<()> {
     arg0_dispatch_or_else(|codex_linux_sandbox_exe| async move {
-        run_main(codex_linux_sandbox_exe).await?;
+        run_main(codex_linux_sandbox_exe, CliConfigOverrides::default()).await?;
         Ok(())
     })
 }

codex-rs/mcp-server/src/message_processor.rs

@@ -1,6 +1,5 @@
 use std::collections::HashMap;
 use std::path::PathBuf;
-use std::sync::Arc;
 
 use crate::codex_message_processor::CodexMessageProcessor;
 use crate::codex_tool_config::CodexToolCallParam;
@@ -12,8 +11,9 @@ use crate::outgoing_message::OutgoingMessageSender;
 use codex_protocol::mcp_protocol::ClientRequest;
 
 use codex_core::ConversationManager;
-use codex_core::config::Config as CodexConfig;
+use codex_core::config::Config;
 use codex_core::protocol::Submission;
+use codex_login::AuthManager;
 use mcp_types::CallToolRequestParams;
 use mcp_types::CallToolResult;
 use mcp_types::ClientRequest as McpClientRequest;
@@ -30,6 +30,7 @@ use mcp_types::ServerCapabilitiesTools;
 use mcp_types::ServerNotification;
 use mcp_types::TextContent;
 use serde_json::json;
+use std::sync::Arc;
 use tokio::sync::Mutex;
 use tokio::task;
 use uuid::Uuid;
@@ -49,13 +50,18 @@ impl MessageProcessor {
     pub(crate) fn new(
         outgoing: OutgoingMessageSender,
         codex_linux_sandbox_exe: Option<PathBuf>,
+        config: Arc<Config>,
     ) -> Self {
         let outgoing = Arc::new(outgoing);
-        let conversation_manager = Arc::new(ConversationManager::default());
+        let auth_manager =
+            AuthManager::shared(config.codex_home.clone(), config.preferred_auth_method);
+        let conversation_manager = Arc::new(ConversationManager::new(auth_manager.clone()));
         let codex_message_processor = CodexMessageProcessor::new(
+            auth_manager,
             conversation_manager.clone(),
             outgoing.clone(),
             codex_linux_sandbox_exe.clone(),
+            config,
         );
         Self {
             codex_message_processor,
@@ -344,7 +350,7 @@ impl MessageProcessor {
         }
     }
     async fn handle_tool_call_codex(&self, id: RequestId, arguments: Option<serde_json::Value>) {
-        let (initial_prompt, config): (String, CodexConfig) = match arguments {
+        let (initial_prompt, config): (String, Config) = match arguments {
             Some(json_val) => match serde_json::from_value::<CodexToolCallParam>(json_val) {
                 Ok(tool_cfg) => match tool_cfg.into_config(self.codex_linux_sandbox_exe.clone()) {
                     Ok(cfg) => cfg,

codex-rs/mcp-server/src/outgoing_message.rs

@@ -3,6 +3,7 @@ use std::sync::atomic::AtomicI64;
 use std::sync::atomic::Ordering;
 
 use codex_core::protocol::Event;
+use codex_protocol::mcp_protocol::ServerNotification;
 use mcp_types::JSONRPC_VERSION;
 use mcp_types::JSONRPCError;
 use mcp_types::JSONRPCErrorError;
@@ -121,6 +122,17 @@ impl OutgoingMessageSender {
         .await;
     }
 
+    pub(crate) async fn send_server_notification(&self, notification: ServerNotification) {
+        let method = format!("codex/event/{}", notification);
+        let params = match serde_json::to_value(&notification) {
+            Ok(serde_json::Value::Object(mut map)) => map.remove("data"),
+            _ => None,
+        };
+        let outgoing_message =
+            OutgoingMessage::Notification(OutgoingNotification { method, params });
+        let _ = self.sender.send(outgoing_message).await;
+    }
+
     pub(crate) async fn send_notification(&self, notification: OutgoingNotification) {
         let outgoing_message = OutgoingMessage::Notification(notification);
         let _ = self.sender.send(outgoing_message).await;

codex-rs/mcp-server/tests/auth.rs

@@ -0,0 +1,142 @@
+use std::path::Path;
+
+use codex_login::login_with_api_key;
+use codex_protocol::mcp_protocol::AuthMode;
+use codex_protocol::mcp_protocol::GetAuthStatusParams;
+use codex_protocol::mcp_protocol::GetAuthStatusResponse;
+use mcp_test_support::McpProcess;
+use mcp_test_support::to_response;
+use mcp_types::JSONRPCResponse;
+use mcp_types::RequestId;
+use pretty_assertions::assert_eq;
+use tempfile::TempDir;
+use tokio::time::timeout;
+
+const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
+
+// Helper to create a config.toml; mirrors create_conversation.rs
+fn create_config_toml(codex_home: &Path) -> std::io::Result<()> {
+    let config_toml = codex_home.join("config.toml");
+    std::fs::write(
+        config_toml,
+        r#"
+model = "mock-model"
+approval_policy = "never"
+sandbox_mode = "danger-full-access"
+
+model_provider = "mock_provider"
+
+[model_providers.mock_provider]
+name = "Mock provider for test"
+base_url = "http://127.0.0.1:0/v1"
+wire_api = "chat"
+request_max_retries = 0
+stream_max_retries = 0
+"#,
+    )
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn get_auth_status_no_auth() {
+    let codex_home = TempDir::new().unwrap_or_else(|e| panic!("create tempdir: {e}"));
+    create_config_toml(codex_home.path()).expect("write config.toml");
+
+    let mut mcp = McpProcess::new(codex_home.path())
+        .await
+        .expect("spawn mcp process");
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
+        .await
+        .expect("init timeout")
+        .expect("init failed");
+
+    let request_id = mcp
+        .send_get_auth_status_request(GetAuthStatusParams {
+            include_token: Some(true),
+            refresh_token: Some(false),
+        })
+        .await
+        .expect("send getAuthStatus");
+
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
+    )
+    .await
+    .expect("getAuthStatus timeout")
+    .expect("getAuthStatus response");
+    let status: GetAuthStatusResponse = to_response(resp).expect("deserialize status");
+    assert_eq!(status.auth_method, None, "expected no auth method");
+    assert_eq!(status.auth_token, None, "expected no token");
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn get_auth_status_with_api_key() {
+    let codex_home = TempDir::new().unwrap_or_else(|e| panic!("create tempdir: {e}"));
+    create_config_toml(codex_home.path()).expect("write config.toml");
+    login_with_api_key(codex_home.path(), "sk-test-key").expect("seed api key");
+
+    let mut mcp = McpProcess::new(codex_home.path())
+        .await
+        .expect("spawn mcp process");
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
+        .await
+        .expect("init timeout")
+        .expect("init failed");
+
+    let request_id = mcp
+        .send_get_auth_status_request(GetAuthStatusParams {
+            include_token: Some(true),
+            refresh_token: Some(false),
+        })
+        .await
+        .expect("send getAuthStatus");
+
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
+    )
+    .await
+    .expect("getAuthStatus timeout")
+    .expect("getAuthStatus response");
+    let status: GetAuthStatusResponse = to_response(resp).expect("deserialize status");
+    assert_eq!(status.auth_method, Some(AuthMode::ApiKey));
+    assert_eq!(status.auth_token, Some("sk-test-key".to_string()));
+    assert_eq!(status.preferred_auth_method, AuthMode::ChatGPT);
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn get_auth_status_with_api_key_no_include_token() {
+    let codex_home = TempDir::new().unwrap_or_else(|e| panic!("create tempdir: {e}"));
+    create_config_toml(codex_home.path()).expect("write config.toml");
+    login_with_api_key(codex_home.path(), "sk-test-key").expect("seed api key");
+
+    let mut mcp = McpProcess::new(codex_home.path())
+        .await
+        .expect("spawn mcp process");
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
+        .await
+        .expect("init timeout")
+        .expect("init failed");
+
+    // Build params via struct so None field is omitted in wire JSON.
+    let params = GetAuthStatusParams {
+        include_token: None,
+        refresh_token: Some(false),
+    };
+    let request_id = mcp
+        .send_get_auth_status_request(params)
+        .await
+        .expect("send getAuthStatus");
+
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
+    )
+    .await
+    .expect("getAuthStatus timeout")
+    .expect("getAuthStatus response");
+    let status: GetAuthStatusResponse = to_response(resp).expect("deserialize status");
+    assert_eq!(status.auth_method, Some(AuthMode::ApiKey));
+    assert!(status.auth_token.is_none(), "token must be omitted");
+    assert_eq!(status.preferred_auth_method, AuthMode::ChatGPT);
+}

codex-rs/mcp-server/tests/codex_tool.rs

@@ -86,9 +86,7 @@ async fn shell_command_approval_triggers_elicitation() -> anyhow::Result<()> {
     )
     .await??;
 
-    // This is the first request from the server, so the id should be 0 given
-    // how things are currently implemented.
-    let elicitation_request_id = RequestId::Integer(0);
+    let elicitation_request_id = elicitation_request.id.clone();
     let params = serde_json::from_value::<ExecApprovalElicitRequestParams>(
         elicitation_request
             .params

codex-rs/mcp-server/tests/common/mcp_process.rs

@@ -13,6 +13,8 @@ use anyhow::Context;
 use assert_cmd::prelude::*;
 use codex_mcp_server::CodexToolCallParam;
 use codex_protocol::mcp_protocol::AddConversationListenerParams;
+use codex_protocol::mcp_protocol::CancelLoginChatGptParams;
+use codex_protocol::mcp_protocol::GetAuthStatusParams;
 use codex_protocol::mcp_protocol::InterruptConversationParams;
 use codex_protocol::mcp_protocol::NewConversationParams;
 use codex_protocol::mcp_protocol::RemoveConversationListenerParams;
@@ -217,6 +219,34 @@ impl McpProcess {
         self.send_request("interruptConversation", params).await
     }
 
+    /// Send a `getAuthStatus` JSON-RPC request.
+    pub async fn send_get_auth_status_request(
+        &mut self,
+        params: GetAuthStatusParams,
+    ) -> anyhow::Result<i64> {
+        let params = Some(serde_json::to_value(params)?);
+        self.send_request("getAuthStatus", params).await
+    }
+
+    /// Send a `loginChatGpt` JSON-RPC request.
+    pub async fn send_login_chat_gpt_request(&mut self) -> anyhow::Result<i64> {
+        self.send_request("loginChatGpt", None).await
+    }
+
+    /// Send a `cancelLoginChatGpt` JSON-RPC request.
+    pub async fn send_cancel_login_chat_gpt_request(
+        &mut self,
+        params: CancelLoginChatGptParams,
+    ) -> anyhow::Result<i64> {
+        let params = Some(serde_json::to_value(params)?);
+        self.send_request("cancelLoginChatGpt", params).await
+    }
+
+    /// Send a `logoutChatGpt` JSON-RPC request.
+    pub async fn send_logout_chat_gpt_request(&mut self) -> anyhow::Result<i64> {
+        self.send_request("logoutChatGpt", None).await
+    }
+
     async fn send_request(
         &mut self,
         method: &str,

codex-rs/mcp-server/tests/login.rs

@@ -0,0 +1,146 @@
+use std::path::Path;
+use std::time::Duration;
+
+use codex_login::login_with_api_key;
+use codex_protocol::mcp_protocol::CancelLoginChatGptParams;
+use codex_protocol::mcp_protocol::CancelLoginChatGptResponse;
+use codex_protocol::mcp_protocol::GetAuthStatusParams;
+use codex_protocol::mcp_protocol::GetAuthStatusResponse;
+use codex_protocol::mcp_protocol::LoginChatGptResponse;
+use codex_protocol::mcp_protocol::LogoutChatGptResponse;
+use mcp_test_support::McpProcess;
+use mcp_test_support::to_response;
+use mcp_types::JSONRPCResponse;
+use mcp_types::RequestId;
+use tempfile::TempDir;
+use tokio::time::timeout;
+
+const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
+
+// Helper to create a config.toml; mirrors create_conversation.rs
+fn create_config_toml(codex_home: &Path) -> std::io::Result<()> {
+    let config_toml = codex_home.join("config.toml");
+    std::fs::write(
+        config_toml,
+        r#"
+model = "mock-model"
+approval_policy = "never"
+sandbox_mode = "danger-full-access"
+
+model_provider = "mock_provider"
+
+[model_providers.mock_provider]
+name = "Mock provider for test"
+base_url = "http://127.0.0.1:0/v1"
+wire_api = "chat"
+request_max_retries = 0
+stream_max_retries = 0
+"#,
+    )
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn logout_chatgpt_removes_auth() {
+    let codex_home = TempDir::new().unwrap_or_else(|e| panic!("create tempdir: {e}"));
+    create_config_toml(codex_home.path()).expect("write config.toml");
+    login_with_api_key(codex_home.path(), "sk-test-key").expect("seed api key");
+    assert!(codex_home.path().join("auth.json").exists());
+
+    let mut mcp = McpProcess::new(codex_home.path())
+        .await
+        .expect("spawn mcp process");
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
+        .await
+        .expect("init timeout")
+        .expect("init failed");
+
+    let id = mcp
+        .send_logout_chat_gpt_request()
+        .await
+        .expect("send logoutChatGpt");
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(id)),
+    )
+    .await
+    .expect("logoutChatGpt timeout")
+    .expect("logoutChatGpt response");
+    let _ok: LogoutChatGptResponse = to_response(resp).expect("deserialize logout response");
+
+    assert!(
+        !codex_home.path().join("auth.json").exists(),
+        "auth.json should be deleted"
+    );
+
+    // Verify status reflects signed-out state.
+    let status_id = mcp
+        .send_get_auth_status_request(GetAuthStatusParams {
+            include_token: Some(true),
+            refresh_token: Some(false),
+        })
+        .await
+        .expect("send getAuthStatus");
+    let status_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(status_id)),
+    )
+    .await
+    .expect("getAuthStatus timeout")
+    .expect("getAuthStatus response");
+    let status: GetAuthStatusResponse = to_response(status_resp).expect("deserialize status");
+    assert_eq!(status.auth_method, None);
+    assert_eq!(status.auth_token, None);
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn login_and_cancel_chatgpt() {
+    let codex_home = TempDir::new().unwrap_or_else(|e| panic!("create tempdir: {e}"));
+    create_config_toml(codex_home.path()).expect("write config.toml");
+
+    let mut mcp = McpProcess::new(codex_home.path())
+        .await
+        .expect("spawn mcp process");
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
+        .await
+        .expect("init timeout")
+        .expect("init failed");
+
+    let login_id = mcp
+        .send_login_chat_gpt_request()
+        .await
+        .expect("send loginChatGpt");
+    let login_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(login_id)),
+    )
+    .await
+    .expect("loginChatGpt timeout")
+    .expect("loginChatGpt response");
+    let login: LoginChatGptResponse = to_response(login_resp).expect("deserialize login resp");
+
+    let cancel_id = mcp
+        .send_cancel_login_chat_gpt_request(CancelLoginChatGptParams {
+            login_id: login.login_id,
+        })
+        .await
+        .expect("send cancelLoginChatGpt");
+    let cancel_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(cancel_id)),
+    )
+    .await
+    .expect("cancelLoginChatGpt timeout")
+    .expect("cancelLoginChatGpt response");
+    let _ok: CancelLoginChatGptResponse =
+        to_response(cancel_resp).expect("deserialize cancel response");
+
+    // Optionally observe the completion notification; do not fail if it races.
+    let maybe_note = timeout(
+        Duration::from_secs(2),
+        mcp.read_stream_until_notification_message("codex/event/login_chat_gpt_complete"),
+    )
+    .await;
+    if maybe_note.is_err() {
+        eprintln!("warning: did not observe login_chat_gpt_complete notification after cancel");
+    }
+}

codex-rs/protocol-ts/src/lib.rs

@@ -32,14 +32,21 @@ pub fn generate_ts(out_dir: &Path, prettier: Option<&Path>) -> Result<()> {
     codex_protocol::mcp_protocol::SendUserTurnResponse::export_all_to(out_dir)?;
     codex_protocol::mcp_protocol::InterruptConversationParams::export_all_to(out_dir)?;
     codex_protocol::mcp_protocol::InterruptConversationResponse::export_all_to(out_dir)?;
+    codex_protocol::mcp_protocol::GitDiffToRemoteParams::export_all_to(out_dir)?;
+    codex_protocol::mcp_protocol::GitDiffToRemoteResponse::export_all_to(out_dir)?;
     codex_protocol::mcp_protocol::LoginChatGptResponse::export_all_to(out_dir)?;
     codex_protocol::mcp_protocol::LoginChatGptCompleteNotification::export_all_to(out_dir)?;
     codex_protocol::mcp_protocol::CancelLoginChatGptParams::export_all_to(out_dir)?;
     codex_protocol::mcp_protocol::CancelLoginChatGptResponse::export_all_to(out_dir)?;
+    codex_protocol::mcp_protocol::LogoutChatGptParams::export_all_to(out_dir)?;
+    codex_protocol::mcp_protocol::LogoutChatGptResponse::export_all_to(out_dir)?;
+    codex_protocol::mcp_protocol::GetAuthStatusParams::export_all_to(out_dir)?;
+    codex_protocol::mcp_protocol::GetAuthStatusResponse::export_all_to(out_dir)?;
     codex_protocol::mcp_protocol::ApplyPatchApprovalParams::export_all_to(out_dir)?;
     codex_protocol::mcp_protocol::ApplyPatchApprovalResponse::export_all_to(out_dir)?;
     codex_protocol::mcp_protocol::ExecCommandApprovalParams::export_all_to(out_dir)?;
     codex_protocol::mcp_protocol::ExecCommandApprovalResponse::export_all_to(out_dir)?;
+    codex_protocol::mcp_protocol::ServerNotification::export_all_to(out_dir)?;
 
     // Prepend header to each generated .ts file
     let ts_files = ts_files_in(out_dir)?;

codex-rs/protocol/Cargo.toml

@@ -11,12 +11,15 @@ path = "src/lib.rs"
 workspace = true
 
 [dependencies]
+base64 = "0.22.1"
 mcp-types = { path = "../mcp-types" }
+mime_guess = "2.0.5"
 serde = { version = "1", features = ["derive"] }
 serde_bytes = "0.11"
 serde_json = "1"
 strum = "0.27.2"
 strum_macros = "0.27.2"
+tracing = "0.1.41"
 ts-rs = { version = "11", features = ["uuid-impl", "serde-json-impl"] }
 uuid = { version = "1", features = ["serde", "v4"] }
 

codex-rs/protocol/src/lib.rs

@@ -1,6 +1,7 @@
 pub mod config_types;
 pub mod mcp_protocol;
 pub mod message_history;
+pub mod models;
 pub mod parse_command;
 pub mod plan_tool;
 pub mod protocol;

codex-rs/protocol/src/mcp_protocol.rs

@@ -13,6 +13,7 @@ use crate::protocol::TurnAbortReason;
 use mcp_types::RequestId;
 use serde::Deserialize;
 use serde::Serialize;
+use strum_macros::Display;
 use ts_rs::TS;
 use uuid::Uuid;
 
@@ -26,6 +27,23 @@ impl Display for ConversationId {
     }
 }
 
+#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, TS)]
+#[ts(type = "string")]
+pub struct GitSha(pub String);
+
+impl GitSha {
+    pub fn new(sha: &str) -> Self {
+        Self(sha.to_string())
+    }
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, TS)]
+#[serde(rename_all = "lowercase")]
+pub enum AuthMode {
+    ApiKey,
+    ChatGPT,
+}
+
 /// Request from the client to the server.
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
 #[serde(tag = "method", rename_all = "camelCase")]
@@ -60,6 +78,11 @@ pub enum ClientRequest {
         request_id: RequestId,
         params: RemoveConversationListenerParams,
     },
+    GitDiffToRemote {
+        #[serde(rename = "id")]
+        request_id: RequestId,
+        params: GitDiffToRemoteParams,
+    },
     LoginChatGpt {
         #[serde(rename = "id")]
         request_id: RequestId,
@@ -69,6 +92,15 @@ pub enum ClientRequest {
         request_id: RequestId,
         params: CancelLoginChatGptParams,
     },
+    LogoutChatGpt {
+        #[serde(rename = "id")]
+        request_id: RequestId,
+    },
+    GetAuthStatus {
+        #[serde(rename = "id")]
+        request_id: RequestId,
+        params: GetAuthStatusParams,
+    },
 }
 
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, TS)]
@@ -139,16 +171,11 @@ pub struct LoginChatGptResponse {
     pub auth_url: String,
 }
 
-// Event name for notifying client of login completion or failure.
-pub const LOGIN_CHATGPT_COMPLETE_EVENT: &str = "codex/event/login_chatgpt_complete";
-
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
 #[serde(rename_all = "camelCase")]
-pub struct LoginChatGptCompleteNotification {
-    pub login_id: Uuid,
-    pub success: bool,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub error: Option<String>,
+pub struct GitDiffToRemoteResponse {
+    pub sha: GitSha,
+    pub diff: String,
 }
 
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
@@ -157,10 +184,45 @@ pub struct CancelLoginChatGptParams {
     pub login_id: Uuid,
 }
 
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct GitDiffToRemoteParams {
+    pub cwd: PathBuf,
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct CancelLoginChatGptResponse {}
 
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct LogoutChatGptParams {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct LogoutChatGptResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct GetAuthStatusParams {
+    /// If true, include the current auth token (if available) in the response.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub include_token: Option<bool>,
+    /// If true, attempt to refresh the token before returning status.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub refresh_token: Option<bool>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct GetAuthStatusResponse {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub auth_method: Option<AuthMode>,
+    pub preferred_auth_method: AuthMode,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub auth_token: Option<String>,
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct SendUserMessageParams {
@@ -293,6 +355,34 @@ pub struct ApplyPatchApprovalResponse {
     pub decision: ReviewDecision,
 }
 
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct LoginChatGptCompleteNotification {
+    pub login_id: Uuid,
+    pub success: bool,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub error: Option<String>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[serde(rename_all = "camelCase")]
+pub struct AuthStatusChangeNotification {
+    /// Current authentication method; omitted if signed out.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub auth_method: Option<AuthMode>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS, Display)]
+#[serde(tag = "type", content = "data", rename_all = "snake_case")]
+#[strum(serialize_all = "snake_case")]
+pub enum ServerNotification {
+    /// Authentication status changed
+    AuthStatusChange(AuthStatusChangeNotification),
+
+    /// ChatGPT login flow completed
+    LoginChatGptComplete(LoginChatGptCompleteNotification),
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;

codex-rs/protocol/src/models.rs

@@ -24,6 +24,10 @@ pub enum ResponseInputItem {
         call_id: String,
         result: Result<CallToolResult, String>,
     },
+    CustomToolCallOutput {
+        call_id: String,
+        output: String,
+    },
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
@@ -77,6 +81,20 @@ pub enum ResponseItem {
         call_id: String,
         output: FunctionCallOutputPayload,
     },
+    CustomToolCall {
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        id: Option<String>,
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        status: Option<String>,
+
+        call_id: String,
+        name: String,
+        input: String,
+    },
+    CustomToolCallOutput {
+        call_id: String,
+        output: String,
+    },
     #[serde(other)]
     Other,
 }
@@ -114,6 +132,9 @@ impl From<ResponseInputItem> for ResponseItem {
                     ),
                 },
             },
+            ResponseInputItem::CustomToolCallOutput { call_id, output } => {
+                Self::CustomToolCallOutput { call_id, output }
+            }
         }
     }
 }
@@ -183,7 +204,6 @@ impl From<Vec<InputItem>> for ResponseInputItem {
                             None
                         }
                     },
-                    _ => None,
                 })
                 .collect::<Vec<ContentItem>>(),
         }
@@ -197,10 +217,8 @@ pub struct ShellToolCallParams {
     pub command: Vec<String>,
     pub workdir: Option<String>,
 
-    /// This is the maximum time in seconds that the command is allowed to run.
-    #[serde(rename = "timeout")]
-    // The wire format uses `timeout`, which has ambiguous units, so we use
-    // `timeout_ms` as the field name so it is clear in code.
+    /// This is the maximum time in milliseconds that the command is allowed to run.
+    #[serde(alias = "timeout")]
     pub timeout_ms: Option<u64>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub with_escalated_permissions: Option<bool>,

codex-rs/protocol/src/parse_command.rs

@@ -2,6 +2,7 @@ use serde::Deserialize;
 use serde::Serialize;
 
 #[derive(Debug, Clone, PartialEq, Eq, Deserialize, Serialize)]
+#[serde(tag = "type", rename_all = "snake_case")]
 pub enum ParsedCommand {
     Read {
         cmd: String,

codex-rs/protocol/src/protocol.rs

@@ -22,6 +22,7 @@ use uuid::Uuid;
 use crate::config_types::ReasoningEffort as ReasoningEffortConfig;
 use crate::config_types::ReasoningSummary as ReasoningSummaryConfig;
 use crate::message_history::HistoryEntry;
+use crate::models::ResponseItem;
 use crate::parse_command::ParsedCommand;
 use crate::plan_tool::UpdatePlanArgs;
 
@@ -137,6 +138,10 @@ pub enum Op {
     /// Request a single history entry identified by `log_id` + `offset`.
     GetHistoryEntryRequest { offset: usize, log_id: u64 },
 
+    /// Request the full in-memory conversation transcript for the current session.
+    /// Reply is delivered via `EventMsg::ConversationHistory`.
+    GetHistory,
+
     /// Request the list of MCP tools available across all configured servers.
     /// Reply is delivered via `EventMsg::McpListToolsResponse`.
     ListMcpTools,
@@ -446,6 +451,10 @@ pub enum EventMsg {
 
     BackgroundEvent(BackgroundEventEvent),
 
+    /// Notification that a model stream experienced an error or disconnect
+    /// and the system is handling it (e.g., retrying with backoff).
+    StreamError(StreamErrorEvent),
+
     /// Notification that the agent is about to apply a code patch. Mirrors
     /// `ExecCommandBegin` so front‑ends can show progress indicators.
     PatchApplyBegin(PatchApplyBeginEvent),
@@ -467,6 +476,16 @@ pub enum EventMsg {
 
     /// Notification that the agent is shutting down.
     ShutdownComplete,
+
+    ConversationHistory(ConversationHistoryResponseEvent),
+
+    // --- Subagent orchestration events ---
+    /// Emitted when a subagent starts.
+    SubagentBegin(SubagentBeginEvent),
+    /// Forwards a nested event produced by a running subagent.
+    SubagentForwarded(SubagentForwardedEvent),
+    /// Emitted when a subagent finishes.
+    SubagentEnd(SubagentEndEvent),
 }
 
 // Individual event payload types matching each `EventMsg` variant.
@@ -490,6 +509,28 @@ pub struct TokenUsage {
     pub total_tokens: u64,
 }
 
+#[derive(Debug, Clone, Deserialize, Serialize)]
+pub struct SubagentBeginEvent {
+    pub subagent_id: String,
+    pub name: String,
+}
+
+#[derive(Debug, Clone, Deserialize, Serialize)]
+pub struct SubagentEndEvent {
+    pub subagent_id: String,
+    pub name: String,
+    pub success: bool,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub last_agent_message: Option<String>,
+}
+
+#[derive(Debug, Clone, Deserialize, Serialize)]
+pub struct SubagentForwardedEvent {
+    pub subagent_id: String,
+    pub name: String,
+    pub event: Box<EventMsg>,
+}
+
 impl TokenUsage {
     pub fn is_zero(&self) -> bool {
         self.total_tokens == 0
@@ -647,6 +688,14 @@ impl McpToolCallEndEvent {
     }
 }
 
+/// Response payload for `Op::GetHistory` containing the current session's
+/// in-memory transcript.
+#[derive(Debug, Clone, Deserialize, Serialize)]
+pub struct ConversationHistoryResponseEvent {
+    pub conversation_id: Uuid,
+    pub entries: Vec<ResponseItem>,
+}
+
 #[derive(Debug, Clone, Deserialize, Serialize)]
 pub struct ExecCommandBeginEvent {
     /// Identifier so this can be paired with the ExecCommandEnd event.
@@ -666,10 +715,15 @@ pub struct ExecCommandEndEvent {
     pub stdout: String,
     /// Captured stderr
     pub stderr: String,
+    /// Captured aggregated output
+    #[serde(default)]
+    pub aggregated_output: String,
     /// The command's exit code.
     pub exit_code: i32,
     /// The duration of the command execution.
     pub duration: Duration,
+    /// Formatted output from the command, as seen by the model.
+    pub formatted_output: String,
 }
 
 #[derive(Debug, Clone, Deserialize, Serialize)]
@@ -721,6 +775,11 @@ pub struct BackgroundEventEvent {
     pub message: String,
 }
 
+#[derive(Debug, Clone, Deserialize, Serialize)]
+pub struct StreamErrorEvent {
+    pub message: String,
+}
+
 #[derive(Debug, Clone, Deserialize, Serialize)]
 pub struct PatchApplyBeginEvent {
     /// Identifier so this can be paired with the PatchApplyEnd event.

codex-rs/tui/Cargo.toml

@@ -22,6 +22,8 @@ workspace = true
 
 [dependencies]
 anyhow = "1"
+arboard = "3"
+async-stream = "0.3.6"
 base64 = "0.22.1"
 chrono = { version = "0.4", features = ["serde"] }
 clap = { version = "4", features = ["derive"] }
@@ -33,18 +35,22 @@ codex-common = { path = "../common", features = [
     "sandbox_summary",
 ] }
 codex-core = { path = "../core" }
-codex-protocol = { path = "../protocol" }
 codex-file-search = { path = "../file-search" }
 codex-login = { path = "../login" }
 codex-ollama = { path = "../ollama" }
+codex-protocol = { path = "../protocol" }
 color-eyre = "0.6.3"
-crossterm = { version = "0.28.1", features = ["bracketed-paste"] }
+crossterm = { version = "0.28.1", features = ["bracketed-paste", "event-stream"] }
 diffy = "0.4.2"
-image = { version = "^0.25.6", default-features = false, features = ["jpeg"] }
+image = { version = "^0.25.6", default-features = false, features = [
+    "jpeg",
+    "png",
+] }
 lazy_static = "1"
-once_cell = "1"
 mcp-types = { path = "../mcp-types" }
+once_cell = "1"
 path-clean = "1.0.1"
+rand = "0.9"
 ratatui = { version = "0.29.0", features = [
     "scrolling-regions",
     "unstable-rendered-line-info",
@@ -59,6 +65,7 @@ shlex = "1.3.0"
 strum = "0.27.2"
 strum_macros = "0.27.2"
 supports-color = "3.0.2"
+tempfile = "3"
 textwrap = "0.16.2"
 tokio = { version = "1", features = [
     "io-std",
@@ -67,6 +74,7 @@ tokio = { version = "1", features = [
     "rt-multi-thread",
     "signal",
 ] }
+tokio-stream = "0.1.17"
 tracing = { version = "0.1.41", features = ["log"] }
 tracing-appender = "0.2.3"
 tracing-subscriber = { version = "0.3.19", features = ["env-filter"] }
@@ -75,7 +83,6 @@ tui-markdown = "0.3.3"
 unicode-segmentation = "1.12.0"
 unicode-width = "0.1"
 uuid = "1"
-rand = "0.9"
 
 [target.'cfg(unix)'.dependencies]
 libc = "0.2"

codex-rs/tui/src/app.rs

@@ -1,714 +1,318 @@
-use crate::LoginStatus;
 use crate::app_event::AppEvent;
 use crate::app_event_sender::AppEventSender;
 use crate::chatwidget::ChatWidget;
 use crate::file_search::FileSearchManager;
-use crate::get_git_diff::get_git_diff;
-use crate::get_login_status;
-use crate::onboarding::onboarding_screen::KeyboardHandler;
-use crate::onboarding::onboarding_screen::OnboardingScreen;
-use crate::onboarding::onboarding_screen::OnboardingScreenArgs;
-use crate::slash_command::SlashCommand;
+use crate::transcript_app::TranscriptApp;
 use crate::tui;
+use crate::tui::TuiEvent;
+use codex_ansi_escape::ansi_escape_line;
 use codex_core::ConversationManager;
 use codex_core::config::Config;
-use codex_core::protocol::Event;
-use codex_core::protocol::Op;
+use codex_core::protocol::TokenUsage;
+use codex_login::AuthManager;
 use color_eyre::eyre::Result;
-use crossterm::SynchronizedUpdate;
 use crossterm::event::KeyCode;
 use crossterm::event::KeyEvent;
 use crossterm::event::KeyEventKind;
 use crossterm::terminal::supports_keyboard_enhancement;
-use ratatui::layout::Offset;
-use ratatui::prelude::Backend;
+use ratatui::style::Stylize;
 use ratatui::text::Line;
 use std::path::PathBuf;
 use std::sync::Arc;
 use std::sync::atomic::AtomicBool;
 use std::sync::atomic::Ordering;
-use std::sync::mpsc::Receiver;
-use std::sync::mpsc::channel;
 use std::thread;
 use std::time::Duration;
-use std::time::Instant;
+use tokio::select;
+use tokio::sync::mpsc::unbounded_channel;
 
-/// Time window for debouncing redraw requests.
-const REDRAW_DEBOUNCE: Duration = Duration::from_millis(1);
-
-/// Top-level application state: which full-screen view is currently active.
-#[allow(clippy::large_enum_variant)]
-enum AppState<'a> {
-    Onboarding {
-        screen: OnboardingScreen,
-    },
-    /// The main chat UI is visible.
-    Chat {
-        /// Boxed to avoid a large enum variant and reduce the overall size of
-        /// `AppState`.
-        widget: Box<ChatWidget<'a>>,
-    },
-}
-
-pub(crate) struct App<'a> {
+pub(crate) struct App {
     server: Arc<ConversationManager>,
     app_event_tx: AppEventSender,
-    app_event_rx: Receiver<AppEvent>,
-    app_state: AppState<'a>,
+    chat_widget: ChatWidget,
 
     /// Config is stored here so we can recreate ChatWidgets as needed.
     config: Config,
 
     file_search: FileSearchManager,
 
-    pending_history_lines: Vec<Line<'static>>,
+    transcript_lines: Vec<Line<'static>>,
+
+    // Transcript overlay state
+    transcript_overlay: Option<TranscriptApp>,
+    deferred_history_lines: Vec<Line<'static>>,
 
     enhanced_keys_supported: bool,
 
     /// Controls the animation thread that sends CommitTick events.
     commit_anim_running: Arc<AtomicBool>,
-
-    /// Channel to schedule one-shot animation frames; coalesced by a single
-    /// scheduler thread.
-    frame_schedule_tx: std::sync::mpsc::Sender<Instant>,
 }
 
-/// Aggregate parameters needed to create a `ChatWidget`, as creation may be
-/// deferred until after the Git warning screen is dismissed.
-#[derive(Clone, Debug)]
-pub(crate) struct ChatWidgetArgs {
-    pub(crate) config: Config,
-    initial_prompt: Option<String>,
-    initial_images: Vec<PathBuf>,
-    enhanced_keys_supported: bool,
-}
-
-impl App<'_> {
-    pub(crate) fn new(
+impl App {
+    pub async fn run(
+        tui: &mut tui::Tui,
+        auth_manager: Arc<AuthManager>,
         config: Config,
         initial_prompt: Option<String>,
-        initial_images: Vec<std::path::PathBuf>,
-        show_trust_screen: bool,
-    ) -> Self {
-        let conversation_manager = Arc::new(ConversationManager::default());
-
-        let (app_event_tx, app_event_rx) = channel();
+        initial_images: Vec<PathBuf>,
+    ) -> Result<TokenUsage> {
+        use tokio_stream::StreamExt;
+        let (app_event_tx, mut app_event_rx) = unbounded_channel();
         let app_event_tx = AppEventSender::new(app_event_tx);
 
+        let conversation_manager = Arc::new(ConversationManager::new(auth_manager.clone()));
+
         let enhanced_keys_supported = supports_keyboard_enhancement().unwrap_or(false);
 
-        // Spawn a dedicated thread for reading the crossterm event loop and
-        // re-publishing the events as AppEvents, as appropriate.
-        {
-            let app_event_tx = app_event_tx.clone();
-            std::thread::spawn(move || {
-                loop {
-                    // This timeout is necessary to avoid holding the event lock
-                    // that crossterm::event::read() acquires. In particular,
-                    // reading the cursor position (crossterm::cursor::position())
-                    // needs to acquire the event lock, and so will fail if it
-                    // can't acquire it within 2 sec. Resizing the terminal
-                    // crashes the app if the cursor position can't be read.
-                    if let Ok(true) = crossterm::event::poll(Duration::from_millis(100)) {
-                        if let Ok(event) = crossterm::event::read() {
-                            match event {
-                                crossterm::event::Event::Key(key_event) => {
-                                    app_event_tx.send(AppEvent::KeyEvent(key_event));
-                                }
-                                crossterm::event::Event::Resize(_, _) => {
-                                    app_event_tx.send(AppEvent::RequestRedraw);
-                                }
-                                crossterm::event::Event::Paste(pasted) => {
-                                    // Many terminals convert newlines to \r when pasting (e.g., iTerm2),
-                                    // but tui-textarea expects \n. Normalize CR to LF.
-                                    // [tui-textarea]: https://github.com/rhysd/tui-textarea/blob/4d18622eeac13b309e0ff6a55a46ac6706da68cf/src/textarea.rs#L782-L783
-                                    // [iTerm2]: https://github.com/gnachman/iTerm2/blob/5d0c0d9f68523cbd0494dad5422998964a2ecd8d/sources/iTermPasteHelper.m#L206-L216
-                                    let pasted = pasted.replace("\r", "\n");
-                                    app_event_tx.send(AppEvent::Paste(pasted));
-                                }
-                                _ => {
-                                    // Ignore any other events.
-                                }
-                            }
-                        }
-                    } else {
-                        // Timeout expired, no `Event` is available
-                    }
-                }
-            });
-        }
-
-        let login_status = get_login_status(&config);
-        let should_show_onboarding =
-            should_show_onboarding(login_status, &config, show_trust_screen);
-        let app_state = if should_show_onboarding {
-            let show_login_screen = should_show_login_screen(login_status, &config);
-            let chat_widget_args = ChatWidgetArgs {
-                config: config.clone(),
-                initial_prompt,
-                initial_images,
-                enhanced_keys_supported,
-            };
-            AppState::Onboarding {
-                screen: OnboardingScreen::new(OnboardingScreenArgs {
-                    event_tx: app_event_tx.clone(),
-                    codex_home: config.codex_home.clone(),
-                    cwd: config.cwd.clone(),
-                    show_trust_screen,
-                    show_login_screen,
-                    chat_widget_args,
-                    login_status,
-                }),
-            }
-        } else {
-            let chat_widget = ChatWidget::new(
-                config.clone(),
-                conversation_manager.clone(),
-                app_event_tx.clone(),
-                initial_prompt,
-                initial_images,
-                enhanced_keys_supported,
-            );
-            AppState::Chat {
-                widget: Box::new(chat_widget),
-            }
-        };
+        let chat_widget = ChatWidget::new(
+            config.clone(),
+            conversation_manager.clone(),
+            tui.frame_requester(),
+            app_event_tx.clone(),
+            initial_prompt,
+            initial_images,
+            enhanced_keys_supported,
+        );
 
         let file_search = FileSearchManager::new(config.cwd.clone(), app_event_tx.clone());
 
-        // Spawn a single scheduler thread that coalesces both debounced redraw
-        // requests and animation frame requests, and emits a single Redraw event
-        // at the earliest requested time.
-        let (frame_tx, frame_rx) = channel::<Instant>();
-        {
-            let app_event_tx = app_event_tx.clone();
-            std::thread::spawn(move || {
-                use std::sync::mpsc::RecvTimeoutError;
-                let mut next_deadline: Option<Instant> = None;
-                loop {
-                    if next_deadline.is_none() {
-                        match frame_rx.recv() {
-                            Ok(deadline) => next_deadline = Some(deadline),
-                            Err(_) => break,
-                        }
-                    }
-
-                    #[expect(clippy::expect_used)]
-                    let deadline = next_deadline.expect("deadline set");
-                    let now = Instant::now();
-                    let timeout = if deadline > now {
-                        deadline - now
-                    } else {
-                        Duration::from_millis(0)
-                    };
-
-                    match frame_rx.recv_timeout(timeout) {
-                        Ok(new_deadline) => {
-                            next_deadline =
-                                Some(next_deadline.map_or(new_deadline, |d| d.min(new_deadline)));
-                        }
-                        Err(RecvTimeoutError::Timeout) => {
-                            app_event_tx.send(AppEvent::Redraw);
-                            next_deadline = None;
-                        }
-                        Err(RecvTimeoutError::Disconnected) => break,
-                    }
-                }
-            });
-        }
-        Self {
+        let mut app = Self {
             server: conversation_manager,
             app_event_tx,
-            pending_history_lines: Vec::new(),
-            app_event_rx,
-            app_state,
+            chat_widget,
             config,
             file_search,
             enhanced_keys_supported,
+            transcript_lines: Vec::new(),
+            transcript_overlay: None,
+            deferred_history_lines: Vec::new(),
             commit_anim_running: Arc::new(AtomicBool::new(false)),
-            frame_schedule_tx: frame_tx,
-        }
+        };
+
+        let tui_events = tui.event_stream();
+        tokio::pin!(tui_events);
+
+        tui.frame_requester().schedule_frame();
+
+        while select! {
+            Some(event) = app_event_rx.recv() => {
+                app.handle_event(tui, event)?
+            }
+            Some(event) = tui_events.next() => {
+                app.handle_tui_event(tui, event).await?
+            }
+        } {}
+        tui.terminal.clear()?;
+        Ok(app.token_usage())
     }
 
-    fn schedule_frame_in(&self, dur: Duration) {
-        let _ = self.frame_schedule_tx.send(Instant::now() + dur);
-    }
-
-    pub(crate) fn run(&mut self, terminal: &mut tui::Tui) -> Result<()> {
-        // Schedule the first render immediately.
-        let _ = self.frame_schedule_tx.send(Instant::now());
-
-        while let Ok(event) = self.app_event_rx.recv() {
+    pub(crate) async fn handle_tui_event(
+        &mut self,
+        tui: &mut tui::Tui,
+        event: TuiEvent,
+    ) -> Result<bool> {
+        if let Some(overlay) = &mut self.transcript_overlay {
+            overlay.handle_event(tui, event)?;
+            if overlay.is_done {
+                // Exit alternate screen and restore viewport.
+                let _ = tui.leave_alt_screen();
+                if !self.deferred_history_lines.is_empty() {
+                    let lines = std::mem::take(&mut self.deferred_history_lines);
+                    tui.insert_history_lines(lines);
+                }
+                self.transcript_overlay = None;
+                tui.frame_requester().schedule_frame();
+            }
+        } else {
             match event {
-                AppEvent::InsertHistory(lines) => {
-                    self.pending_history_lines.extend(lines);
-                    self.app_event_tx.send(AppEvent::RequestRedraw);
+                TuiEvent::Key(key_event) => {
+                    self.handle_key_event(tui, key_event).await;
                 }
-                AppEvent::RequestRedraw => {
-                    self.schedule_frame_in(REDRAW_DEBOUNCE);
+                TuiEvent::Paste(pasted) => {
+                    // Many terminals convert newlines to \r when pasting (e.g., iTerm2),
+                    // but tui-textarea expects \n. Normalize CR to LF.
+                    // [tui-textarea]: https://github.com/rhysd/tui-textarea/blob/4d18622eeac13b309e0ff6a55a46ac6706da68cf/src/textarea.rs#L782-L783
+                    // [iTerm2]: https://github.com/gnachman/iTerm2/blob/5d0c0d9f68523cbd0494dad5422998964a2ecd8d/sources/iTermPasteHelper.m#L206-L216
+                    let pasted = pasted.replace("\r", "\n");
+                    self.chat_widget.handle_paste(pasted);
                 }
-                AppEvent::ScheduleFrameIn(dur) => {
-                    self.schedule_frame_in(dur);
-                }
-                AppEvent::Redraw => {
-                    std::io::stdout().sync_update(|_| self.draw_next_frame(terminal))??;
-                }
-                AppEvent::StartCommitAnimation => {
-                    if self
-                        .commit_anim_running
-                        .compare_exchange(false, true, Ordering::Acquire, Ordering::Relaxed)
-                        .is_ok()
-                    {
-                        let tx = self.app_event_tx.clone();
-                        let running = self.commit_anim_running.clone();
-                        thread::spawn(move || {
-                            while running.load(Ordering::Relaxed) {
-                                thread::sleep(Duration::from_millis(50));
-                                tx.send(AppEvent::CommitTick);
-                            }
-                        });
-                    }
-                }
-                AppEvent::StopCommitAnimation => {
-                    self.commit_anim_running.store(false, Ordering::Release);
-                }
-                AppEvent::CommitTick => {
-                    if let AppState::Chat { widget } = &mut self.app_state {
-                        widget.on_commit_tick();
-                    }
-                }
-                AppEvent::KeyEvent(key_event) => {
-                    match key_event {
-                        KeyEvent {
-                            code: KeyCode::Char('c'),
-                            modifiers: crossterm::event::KeyModifiers::CONTROL,
-                            kind: KeyEventKind::Press,
-                            ..
-                        } => match &mut self.app_state {
-                            AppState::Chat { widget } => {
-                                widget.on_ctrl_c();
-                            }
-                            AppState::Onboarding { .. } => {
-                                self.app_event_tx.send(AppEvent::ExitRequest);
+                TuiEvent::Draw => {
+                    tui.draw(
+                        self.chat_widget.desired_height(tui.terminal.size()?.width),
+                        |frame| {
+                            frame.render_widget_ref(&self.chat_widget, frame.area());
+                            if let Some((x, y)) = self.chat_widget.cursor_pos(frame.area()) {
+                                frame.set_cursor_position((x, y));
                             }
                         },
-                        KeyEvent {
-                            code: KeyCode::Char('z'),
-                            modifiers: crossterm::event::KeyModifiers::CONTROL,
-                            kind: KeyEventKind::Press,
-                            ..
-                        } => {
-                            #[cfg(unix)]
-                            {
-                                self.suspend(terminal)?;
-                            }
-                            // No-op on non-Unix platforms.
-                        }
-                        KeyEvent {
-                            code: KeyCode::Char('d'),
-                            modifiers: crossterm::event::KeyModifiers::CONTROL,
-                            kind: KeyEventKind::Press,
-                            ..
-                        } => {
-                            match &mut self.app_state {
-                                AppState::Chat { widget } => {
-                                    if widget.composer_is_empty() {
-                                        self.app_event_tx.send(AppEvent::ExitRequest);
-                                    } else {
-                                        // Treat Ctrl+D as a normal key event when the composer
-                                        // is not empty so that it doesn't quit the application
-                                        // prematurely.
-                                        self.dispatch_key_event(key_event);
-                                    }
-                                }
-                                AppState::Onboarding { .. } => {
-                                    self.app_event_tx.send(AppEvent::ExitRequest);
-                                }
-                            }
-                        }
-                        KeyEvent {
-                            kind: KeyEventKind::Press | KeyEventKind::Repeat,
-                            ..
-                        } => {
-                            self.dispatch_key_event(key_event);
-                        }
-                        _ => {
-                            // Ignore Release key events.
-                        }
-                    };
+                    )?;
                 }
-                AppEvent::Paste(text) => {
-                    self.dispatch_paste_event(text);
-                }
-                AppEvent::CodexEvent(event) => {
-                    self.dispatch_codex_event(event);
-                }
-                AppEvent::ExitRequest => {
-                    break;
-                }
-                AppEvent::CodexOp(op) => match &mut self.app_state {
-                    AppState::Chat { widget } => widget.submit_op(op),
-                    AppState::Onboarding { .. } => {}
-                },
-                AppEvent::DiffResult(text) => {
-                    if let AppState::Chat { widget } = &mut self.app_state {
-                        widget.add_diff_output(text);
-                    }
-                }
-                AppEvent::DispatchCommand(command) => match command {
-                    SlashCommand::New => {
-                        // User accepted – switch to chat view.
-                        let new_widget = Box::new(ChatWidget::new(
-                            self.config.clone(),
-                            self.server.clone(),
-                            self.app_event_tx.clone(),
-                            None,
-                            Vec::new(),
-                            self.enhanced_keys_supported,
-                        ));
-                        self.app_state = AppState::Chat { widget: new_widget };
-                        self.app_event_tx.send(AppEvent::RequestRedraw);
-                    }
-                    SlashCommand::Init => {
-                        // Guard: do not run if a task is active.
-                        if let AppState::Chat { widget } = &mut self.app_state {
-                            const INIT_PROMPT: &str = include_str!("../prompt_for_init_command.md");
-                            widget.submit_text_message(INIT_PROMPT.to_string());
-                        }
-                    }
-                    SlashCommand::Compact => {
-                        if let AppState::Chat { widget } = &mut self.app_state {
-                            widget.clear_token_usage();
-                            self.app_event_tx.send(AppEvent::CodexOp(Op::Compact));
-                        }
-                    }
-                    SlashCommand::Model => {
-                        if let AppState::Chat { widget } = &mut self.app_state {
-                            widget.open_model_popup();
-                        }
-                    }
-                    SlashCommand::Quit => {
-                        break;
-                    }
-                    SlashCommand::Logout => {
-                        if let Err(e) = codex_login::logout(&self.config.codex_home) {
-                            tracing::error!("failed to logout: {e}");
-                        }
-                        break;
-                    }
-                    SlashCommand::Diff => {
-                        if let AppState::Chat { widget } = &mut self.app_state {
-                            widget.add_diff_in_progress();
-                        }
-
-                        let tx = self.app_event_tx.clone();
-                        tokio::spawn(async move {
-                            let text = match get_git_diff().await {
-                                Ok((is_git_repo, diff_text)) => {
-                                    if is_git_repo {
-                                        diff_text
-                                    } else {
-                                        "`/diff` — _not inside a git repository_".to_string()
-                                    }
-                                }
-                                Err(e) => format!("Failed to compute diff: {e}"),
-                            };
-                            tx.send(AppEvent::DiffResult(text));
-                        });
-                    }
-                    SlashCommand::Mention => {
-                        if let AppState::Chat { widget } = &mut self.app_state {
-                            widget.insert_str("@");
-                        }
-                    }
-                    SlashCommand::Status => {
-                        if let AppState::Chat { widget } = &mut self.app_state {
-                            widget.add_status_output();
-                        }
-                    }
-                    SlashCommand::Mcp => {
-                        if let AppState::Chat { widget } = &mut self.app_state {
-                            widget.add_mcp_output();
-                        }
-                    }
-                    #[cfg(debug_assertions)]
-                    SlashCommand::TestApproval => {
-                        use codex_core::protocol::EventMsg;
-                        use std::collections::HashMap;
-
-                        use codex_core::protocol::ApplyPatchApprovalRequestEvent;
-                        use codex_core::protocol::FileChange;
-
-                        self.app_event_tx.send(AppEvent::CodexEvent(Event {
-                            id: "1".to_string(),
-                            // msg: EventMsg::ExecApprovalRequest(ExecApprovalRequestEvent {
-                            //     call_id: "1".to_string(),
-                            //     command: vec!["git".into(), "apply".into()],
-                            //     cwd: self.config.cwd.clone(),
-                            //     reason: Some("test".to_string()),
-                            // }),
-                            msg: EventMsg::ApplyPatchApprovalRequest(
-                                ApplyPatchApprovalRequestEvent {
-                                    call_id: "1".to_string(),
-                                    changes: HashMap::from([
-                                        (
-                                            PathBuf::from("/tmp/test.txt"),
-                                            FileChange::Add {
-                                                content: "test".to_string(),
-                                            },
-                                        ),
-                                        (
-                                            PathBuf::from("/tmp/test2.txt"),
-                                            FileChange::Update {
-                                                unified_diff: "+test\n-test2".to_string(),
-                                                move_path: None,
-                                            },
-                                        ),
-                                    ]),
-                                    reason: None,
-                                    grant_root: Some(PathBuf::from("/tmp")),
-                                },
-                            ),
-                        }));
-                    }
-                },
-                AppEvent::OnboardingAuthComplete(result) => {
-                    if let AppState::Onboarding { screen } = &mut self.app_state {
-                        screen.on_auth_complete(result);
-                    }
-                }
-                AppEvent::OnboardingComplete(ChatWidgetArgs {
-                    config,
-                    enhanced_keys_supported,
-                    initial_images,
-                    initial_prompt,
-                }) => {
-                    self.app_state = AppState::Chat {
-                        widget: Box::new(ChatWidget::new(
-                            config,
-                            self.server.clone(),
-                            self.app_event_tx.clone(),
-                            initial_prompt,
-                            initial_images,
-                            enhanced_keys_supported,
-                        )),
-                    }
-                }
-                AppEvent::StartFileSearch(query) => {
-                    if !query.is_empty() {
-                        self.file_search.on_user_query(query);
-                    }
-                }
-                AppEvent::FileSearchResult { query, matches } => {
-                    if let AppState::Chat { widget } = &mut self.app_state {
-                        widget.apply_file_search_result(query, matches);
-                    }
-                }
-                AppEvent::UpdateReasoningEffort(effort) => {
-                    if let AppState::Chat { widget } = &mut self.app_state {
-                        widget.set_reasoning_effort(effort);
-                    }
-                }
-                AppEvent::UpdateModel(model) => {
-                    if let AppState::Chat { widget } = &mut self.app_state {
-                        widget.set_model(model);
-                    }
+                TuiEvent::AttachImage {
+                    path,
+                    width,
+                    height,
+                    format_label,
+                } => {
+                    self.chat_widget
+                        .attach_image(path, width, height, format_label);
                 }
             }
         }
-        terminal.clear()?;
-
-        Ok(())
+        Ok(true)
     }
 
-    #[cfg(unix)]
-    fn suspend(&mut self, terminal: &mut tui::Tui) -> Result<()> {
-        tui::restore()?;
-        // SAFETY: Unix-only code path. We intentionally send SIGTSTP to the
-        // current process group (pid 0) to trigger standard job-control
-        // suspension semantics. This FFI does not involve any raw pointers,
-        // is not called from a signal handler, and uses a constant signal.
-        // Errors from kill are acceptable (e.g., if already stopped) — the
-        // subsequent re-init path will still leave the terminal in a good state.
-        // We considered `nix`, but didn't think it was worth pulling in for this one call.
-        unsafe { libc::kill(0, libc::SIGTSTP) };
-        *terminal = tui::init(&self.config)?;
-        terminal.clear()?;
-        self.app_event_tx.send(AppEvent::RequestRedraw);
-        Ok(())
+    fn handle_event(&mut self, tui: &mut tui::Tui, event: AppEvent) -> Result<bool> {
+        match event {
+            AppEvent::NewSession => {
+                self.chat_widget = ChatWidget::new(
+                    self.config.clone(),
+                    self.server.clone(),
+                    tui.frame_requester(),
+                    self.app_event_tx.clone(),
+                    None,
+                    Vec::new(),
+                    self.enhanced_keys_supported,
+                );
+                tui.frame_requester().schedule_frame();
+            }
+            AppEvent::InsertHistoryLines(lines) => {
+                if let Some(overlay) = &mut self.transcript_overlay {
+                    overlay.insert_lines(lines.clone());
+                    tui.frame_requester().schedule_frame();
+                }
+                self.transcript_lines.extend(lines.clone());
+                if self.transcript_overlay.is_some() {
+                    self.deferred_history_lines.extend(lines);
+                } else {
+                    tui.insert_history_lines(lines);
+                }
+            }
+            AppEvent::InsertHistoryCell(cell) => {
+                if let Some(overlay) = &mut self.transcript_overlay {
+                    overlay.insert_lines(cell.transcript_lines());
+                    tui.frame_requester().schedule_frame();
+                }
+                self.transcript_lines.extend(cell.transcript_lines());
+                let display = cell.display_lines();
+                if !display.is_empty() {
+                    if self.transcript_overlay.is_some() {
+                        self.deferred_history_lines.extend(display);
+                    } else {
+                        tui.insert_history_lines(display);
+                    }
+                }
+            }
+            AppEvent::StartCommitAnimation => {
+                if self
+                    .commit_anim_running
+                    .compare_exchange(false, true, Ordering::Acquire, Ordering::Relaxed)
+                    .is_ok()
+                {
+                    let tx = self.app_event_tx.clone();
+                    let running = self.commit_anim_running.clone();
+                    thread::spawn(move || {
+                        while running.load(Ordering::Relaxed) {
+                            thread::sleep(Duration::from_millis(50));
+                            tx.send(AppEvent::CommitTick);
+                        }
+                    });
+                }
+            }
+            AppEvent::StopCommitAnimation => {
+                self.commit_anim_running.store(false, Ordering::Release);
+            }
+            AppEvent::CommitTick => {
+                self.chat_widget.on_commit_tick();
+            }
+            AppEvent::CodexEvent(event) => {
+                self.chat_widget.handle_codex_event(event);
+            }
+            AppEvent::ExitRequest => {
+                return Ok(false);
+            }
+            AppEvent::CodexOp(op) => self.chat_widget.submit_op(op),
+            AppEvent::DiffResult(text) => {
+                // Clear the in-progress state in the bottom pane
+                self.chat_widget.on_diff_complete();
+                // Enter alternate screen using TUI helper and build pager lines
+                let _ = tui.enter_alt_screen();
+                let pager_lines: Vec<ratatui::text::Line<'static>> = if text.trim().is_empty() {
+                    vec!["No changes detected.".italic().into()]
+                } else {
+                    text.lines().map(ansi_escape_line).collect()
+                };
+                self.transcript_overlay = Some(TranscriptApp::with_title(
+                    pager_lines,
+                    "D I F F".to_string(),
+                ));
+                tui.frame_requester().schedule_frame();
+            }
+            AppEvent::StartFileSearch(query) => {
+                if !query.is_empty() {
+                    self.file_search.on_user_query(query);
+                }
+            }
+            AppEvent::FileSearchResult { query, matches } => {
+                self.chat_widget.apply_file_search_result(query, matches);
+            }
+            AppEvent::UpdateReasoningEffort(effort) => {
+                self.chat_widget.set_reasoning_effort(effort);
+            }
+            AppEvent::UpdateModel(model) => {
+                self.chat_widget.set_model(model);
+            }
+            AppEvent::UpdateAskForApprovalPolicy(policy) => {
+                self.chat_widget.set_approval_policy(policy);
+            }
+            AppEvent::UpdateSandboxPolicy(policy) => {
+                self.chat_widget.set_sandbox_policy(policy);
+            }
+        }
+        Ok(true)
     }
 
     pub(crate) fn token_usage(&self) -> codex_core::protocol::TokenUsage {
-        match &self.app_state {
-            AppState::Chat { widget } => widget.token_usage().clone(),
-            AppState::Onboarding { .. } => codex_core::protocol::TokenUsage::default(),
-        }
+        self.chat_widget.token_usage().clone()
     }
 
-    fn draw_next_frame(&mut self, terminal: &mut tui::Tui) -> Result<()> {
-        if matches!(self.app_state, AppState::Onboarding { .. }) {
-            terminal.clear()?;
-        }
-
-        let screen_size = terminal.size()?;
-        let last_known_screen_size = terminal.last_known_screen_size;
-        if screen_size != last_known_screen_size {
-            let cursor_pos = terminal.get_cursor_position()?;
-            let last_known_cursor_pos = terminal.last_known_cursor_pos;
-            if cursor_pos.y != last_known_cursor_pos.y {
-                // The terminal was resized. The only point of reference we have for where our viewport
-                // was moved is the cursor position.
-                // NB this assumes that the cursor was not wrapped as part of the resize.
-                let cursor_delta = cursor_pos.y as i32 - last_known_cursor_pos.y as i32;
-
-                let new_viewport_area = terminal.viewport_area.offset(Offset {
-                    x: 0,
-                    y: cursor_delta,
-                });
-                terminal.set_viewport_area(new_viewport_area);
-                terminal.clear()?;
+    async fn handle_key_event(&mut self, tui: &mut tui::Tui, key_event: KeyEvent) {
+        match key_event {
+            KeyEvent {
+                code: KeyCode::Char('c'),
+                modifiers: crossterm::event::KeyModifiers::CONTROL,
+                kind: KeyEventKind::Press,
+                ..
+            } => {
+                self.chat_widget.on_ctrl_c();
+            }
+            KeyEvent {
+                code: KeyCode::Char('d'),
+                modifiers: crossterm::event::KeyModifiers::CONTROL,
+                kind: KeyEventKind::Press,
+                ..
+            } if self.chat_widget.composer_is_empty() => {
+                self.app_event_tx.send(AppEvent::ExitRequest);
+            }
+            KeyEvent {
+                code: KeyCode::Char('t'),
+                modifiers: crossterm::event::KeyModifiers::CONTROL,
+                kind: KeyEventKind::Press,
+                ..
+            } => {
+                // Enter alternate screen and set viewport to full size.
+                let _ = tui.enter_alt_screen();
+                self.transcript_overlay = Some(TranscriptApp::new(self.transcript_lines.clone()));
+                tui.frame_requester().schedule_frame();
+            }
+            KeyEvent {
+                kind: KeyEventKind::Press | KeyEventKind::Repeat,
+                ..
+            } => {
+                self.chat_widget.handle_key_event(key_event);
+            }
+            _ => {
+                // Ignore Release key events.
             }
-        }
-
-        let size = terminal.size()?;
-        let desired_height = match &self.app_state {
-            AppState::Chat { widget } => widget.desired_height(size.width),
-            AppState::Onboarding { .. } => size.height,
         };
-
-        let mut area = terminal.viewport_area;
-        area.height = desired_height.min(size.height);
-        area.width = size.width;
-        if area.bottom() > size.height {
-            terminal
-                .backend_mut()
-                .scroll_region_up(0..area.top(), area.bottom() - size.height)?;
-            area.y = size.height - area.height;
-        }
-        if area != terminal.viewport_area {
-            terminal.clear()?;
-            terminal.set_viewport_area(area);
-        }
-        if !self.pending_history_lines.is_empty() {
-            crate::insert_history::insert_history_lines(
-                terminal,
-                self.pending_history_lines.clone(),
-            );
-            self.pending_history_lines.clear();
-        }
-        terminal.draw(|frame| match &mut self.app_state {
-            AppState::Chat { widget } => {
-                if let Some((x, y)) = widget.cursor_pos(frame.area()) {
-                    frame.set_cursor_position((x, y));
-                }
-                frame.render_widget_ref(&**widget, frame.area())
-            }
-            AppState::Onboarding { screen } => frame.render_widget_ref(&*screen, frame.area()),
-        })?;
-        Ok(())
-    }
-
-    /// Dispatch a KeyEvent to the current view and let it decide what to do
-    /// with it.
-    fn dispatch_key_event(&mut self, key_event: KeyEvent) {
-        match &mut self.app_state {
-            AppState::Chat { widget } => {
-                widget.handle_key_event(key_event);
-            }
-            AppState::Onboarding { screen } => match key_event.code {
-                KeyCode::Char('q') => {
-                    self.app_event_tx.send(AppEvent::ExitRequest);
-                }
-                _ => screen.handle_key_event(key_event),
-            },
-        }
-    }
-
-    fn dispatch_paste_event(&mut self, pasted: String) {
-        match &mut self.app_state {
-            AppState::Chat { widget } => widget.handle_paste(pasted),
-            AppState::Onboarding { .. } => {}
-        }
-    }
-
-    fn dispatch_codex_event(&mut self, event: Event) {
-        match &mut self.app_state {
-            AppState::Chat { widget } => widget.handle_codex_event(event),
-            AppState::Onboarding { .. } => {}
-        }
-    }
-}
-
-fn should_show_onboarding(
-    login_status: LoginStatus,
-    config: &Config,
-    show_trust_screen: bool,
-) -> bool {
-    if show_trust_screen {
-        return true;
-    }
-
-    should_show_login_screen(login_status, config)
-}
-
-fn should_show_login_screen(login_status: LoginStatus, config: &Config) -> bool {
-    match login_status {
-        LoginStatus::NotAuthenticated => true,
-        LoginStatus::AuthMode(method) => method != config.preferred_auth_method,
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use codex_core::config::ConfigOverrides;
-    use codex_core::config::ConfigToml;
-    use codex_login::AuthMode;
-
-    fn make_config(preferred: AuthMode) -> Config {
-        let mut cfg = Config::load_from_base_config_with_overrides(
-            ConfigToml::default(),
-            ConfigOverrides::default(),
-            std::env::temp_dir(),
-        )
-        .expect("load default config");
-        cfg.preferred_auth_method = preferred;
-        cfg
-    }
-
-    #[test]
-    fn shows_login_when_not_authenticated() {
-        let cfg = make_config(AuthMode::ChatGPT);
-        assert!(should_show_login_screen(
-            LoginStatus::NotAuthenticated,
-            &cfg
-        ));
-    }
-
-    #[test]
-    fn shows_login_when_api_key_but_prefers_chatgpt() {
-        let cfg = make_config(AuthMode::ChatGPT);
-        assert!(should_show_login_screen(
-            LoginStatus::AuthMode(AuthMode::ApiKey),
-            &cfg
-        ))
-    }
-
-    #[test]
-    fn hides_login_when_api_key_and_prefers_api_key() {
-        let cfg = make_config(AuthMode::ApiKey);
-        assert!(!should_show_login_screen(
-            LoginStatus::AuthMode(AuthMode::ApiKey),
-            &cfg
-        ))
-    }
-
-    #[test]
-    fn hides_login_when_chatgpt_and_prefers_chatgpt() {
-        let cfg = make_config(AuthMode::ChatGPT);
-        assert!(!should_show_login_screen(
-            LoginStatus::AuthMode(AuthMode::ChatGPT),
-            &cfg
-        ))
     }
 }

codex-rs/tui/src/app_event.rs

@@ -1,11 +1,11 @@
 use codex_core::protocol::Event;
 use codex_file_search::FileMatch;
-use crossterm::event::KeyEvent;
 use ratatui::text::Line;
-use std::time::Duration;
 
-use crate::app::ChatWidgetArgs;
-use crate::slash_command::SlashCommand;
+use crate::history_cell::HistoryCell;
+
+use codex_core::protocol::AskForApproval;
+use codex_core::protocol::SandboxPolicy;
 use codex_core::protocol_config_types::ReasoningEffort;
 
 #[allow(clippy::large_enum_variant)]
@@ -13,20 +13,8 @@ use codex_core::protocol_config_types::ReasoningEffort;
 pub(crate) enum AppEvent {
     CodexEvent(Event),
 
-    /// Request a redraw which will be debounced by the [`App`].
-    RequestRedraw,
-
-    /// Actually draw the next frame.
-    Redraw,
-
-    /// Schedule a one-shot animation frame roughly after the given duration.
-    /// Multiple requests are coalesced by the central frame scheduler.
-    ScheduleFrameIn(Duration),
-
-    KeyEvent(KeyEvent),
-
-    /// Text pasted from the terminal clipboard.
-    Paste(String),
+    /// Start a new session.
+    NewSession,
 
     /// Request to exit the application gracefully.
     ExitRequest,
@@ -35,10 +23,6 @@ pub(crate) enum AppEvent {
     /// bubbling channels through layers of widgets.
     CodexOp(codex_core::protocol::Op),
 
-    /// Dispatch a recognized slash command from the UI (composer) to the app
-    /// layer so it can be handled centrally.
-    DispatchCommand(SlashCommand),
-
     /// Kick off an asynchronous file search for the given query (text after
     /// the `@`). Previous searches may be cancelled by the app layer so there
     /// is at most one in-flight search.
@@ -55,19 +39,22 @@ pub(crate) enum AppEvent {
     /// Result of computing a `/diff` command.
     DiffResult(String),
 
-    InsertHistory(Vec<Line<'static>>),
+    InsertHistoryLines(Vec<Line<'static>>),
+    InsertHistoryCell(Box<dyn HistoryCell>),
 
     StartCommitAnimation,
     StopCommitAnimation,
     CommitTick,
 
-    /// Onboarding: result of login_with_chatgpt.
-    OnboardingAuthComplete(Result<(), String>),
-    OnboardingComplete(ChatWidgetArgs),
-
     /// Update the current reasoning effort in the running app and widget.
     UpdateReasoningEffort(ReasoningEffort),
 
     /// Update the current model slug in the running app and widget.
     UpdateModel(String),
+
+    /// Update the current approval policy in the running app and widget.
+    UpdateAskForApprovalPolicy(AskForApproval),
+
+    /// Update the current sandbox policy in the running app and widget.
+    UpdateSandboxPolicy(SandboxPolicy),
 }

codex-rs/tui/src/app_event_sender.rs

@@ -1,15 +1,15 @@
-use std::sync::mpsc::Sender;
+use tokio::sync::mpsc::UnboundedSender;
 
 use crate::app_event::AppEvent;
 use crate::session_log;
 
 #[derive(Clone, Debug)]
 pub(crate) struct AppEventSender {
-    pub app_event_tx: Sender<AppEvent>,
+    pub app_event_tx: UnboundedSender<AppEvent>,
 }
 
 impl AppEventSender {
-    pub(crate) fn new(app_event_tx: Sender<AppEvent>) -> Self {
+    pub(crate) fn new(app_event_tx: UnboundedSender<AppEvent>) -> Self {
         Self { app_event_tx }
     }
 

codex-rs/tui/src/bottom_pane/approval_modal_view.rs

@@ -12,13 +12,13 @@ use super::BottomPaneView;
 use super::CancellationEvent;
 
 /// Modal overlay asking the user to approve/deny a sequence of requests.
-pub(crate) struct ApprovalModalView<'a> {
-    current: UserApprovalWidget<'a>,
+pub(crate) struct ApprovalModalView {
+    current: UserApprovalWidget,
     queue: Vec<ApprovalRequest>,
     app_event_tx: AppEventSender,
 }
 
-impl ApprovalModalView<'_> {
+impl ApprovalModalView {
     pub fn new(request: ApprovalRequest, app_event_tx: AppEventSender) -> Self {
         Self {
             current: UserApprovalWidget::new(request, app_event_tx.clone()),
@@ -41,13 +41,13 @@ impl ApprovalModalView<'_> {
     }
 }
 
-impl<'a> BottomPaneView<'a> for ApprovalModalView<'a> {
-    fn handle_key_event(&mut self, _pane: &mut BottomPane<'a>, key_event: KeyEvent) {
+impl BottomPaneView for ApprovalModalView {
+    fn handle_key_event(&mut self, _pane: &mut BottomPane, key_event: KeyEvent) {
         self.current.handle_key_event(key_event);
         self.maybe_advance();
     }
 
-    fn on_ctrl_c(&mut self, _pane: &mut BottomPane<'a>) -> CancellationEvent {
+    fn on_ctrl_c(&mut self, _pane: &mut BottomPane) -> CancellationEvent {
         self.current.on_ctrl_c();
         self.queue.clear();
         CancellationEvent::Handled
@@ -75,7 +75,7 @@ impl<'a> BottomPaneView<'a> for ApprovalModalView<'a> {
 mod tests {
     use super::*;
     use crate::app_event::AppEvent;
-    use std::sync::mpsc::channel;
+    use tokio::sync::mpsc::unbounded_channel;
 
     fn make_exec_request() -> ApprovalRequest {
         ApprovalRequest::Exec {
@@ -87,15 +87,16 @@ mod tests {
 
     #[test]
     fn ctrl_c_aborts_and_clears_queue() {
-        let (tx_raw, _rx) = channel::<AppEvent>();
-        let tx = AppEventSender::new(tx_raw);
+        let (tx, _rx) = unbounded_channel::<AppEvent>();
+        let tx = AppEventSender::new(tx);
         let first = make_exec_request();
         let mut view = ApprovalModalView::new(first, tx);
         view.enqueue_request(make_exec_request());
 
-        let (tx_raw2, _rx2) = channel::<AppEvent>();
+        let (tx2, _rx2) = unbounded_channel::<AppEvent>();
         let mut pane = BottomPane::new(super::super::BottomPaneParams {
-            app_event_tx: AppEventSender::new(tx_raw2),
+            app_event_tx: AppEventSender::new(tx2),
+            frame_requester: crate::tui::FrameRequester::test_dummy(),
             has_input_focus: true,
             enhanced_keys_supported: false,
             placeholder_text: "Ask Codex to do anything".to_string(),