fix: use os-specific env var to locate .cargo folder

.github/dotslash-config.json

@@ -1,37 +0,0 @@
-{
-  "outputs": {
-    "codex-repl": {
-      "platforms": {
-        "macos-aarch64":  { "regex": "^codex-repl-aarch64-apple-darwin\\.zst$",          "path": "codex-repl" },
-        "macos-x86_64":   { "regex": "^codex-repl-x86_64-apple-darwin\\.zst$",           "path": "codex-repl" },
-        "linux-x86_64":   { "regex": "^codex-repl-x86_64-unknown-linux-musl\\.zst$",     "path": "codex-repl" },
-        "linux-aarch64":  { "regex": "^codex-repl-aarch64-unknown-linux-gnu\\.zst$",     "path": "codex-repl" }
-      }
-    },
-
-    "codex-exec": {
-      "platforms": {
-        "macos-aarch64":  { "regex": "^codex-exec-aarch64-apple-darwin\\.zst$",          "path": "codex-exec" },
-        "macos-x86_64":   { "regex": "^codex-exec-x86_64-apple-darwin\\.zst$",           "path": "codex-exec" },
-        "linux-x86_64":   { "regex": "^codex-exec-x86_64-unknown-linux-musl\\.zst$",     "path": "codex-exec" },
-        "linux-aarch64":  { "regex": "^codex-exec-aarch64-unknown-linux-gnu\\.zst$",     "path": "codex-exec" }
-      }
-    },
-
-    "codex": {
-      "platforms": {
-        "macos-aarch64":  { "regex": "^codex-aarch64-apple-darwin\\.zst$",          "path": "codex" },
-        "macos-x86_64":   { "regex": "^codex-x86_64-apple-darwin\\.zst$",           "path": "codex" },
-        "linux-x86_64":   { "regex": "^codex-x86_64-unknown-linux-musl\\.zst$",     "path": "codex" },
-        "linux-aarch64":  { "regex": "^codex-aarch64-unknown-linux-gnu\\.zst$",     "path": "codex" }
-      }
-    },
-
-    "codex-linux-sandbox": {
-      "platforms": {
-        "linux-x86_64":   { "regex": "^codex-linux-sandbox-x86_64-unknown-linux-musl\\.zst$",     "path": "codex-linux-sandbox" },
-        "linux-aarch64":  { "regex": "^codex-linux-sandbox-aarch64-unknown-linux-gnu\\.zst$",     "path": "codex-linux-sandbox" }
-      }
-    }
-  }
-}

.github/workflows/rust-ci.yml

@@ -38,6 +38,8 @@ jobs:
     defaults:
       run:
         working-directory: codex-rs
+    env:
+      CARGO_HOME: ${{ runner.os == 'Windows' && format('{0}\\.cargo', env.USERPROFILE) || format('{0}/.cargo', env.HOME) }}
 
     strategy:
       fail-fast: false
@@ -65,10 +67,10 @@ jobs:
       - uses: actions/cache@v4
         with:
           path: |
-            ~/.cargo/bin/
-            ~/.cargo/registry/index/
-            ~/.cargo/registry/cache/
-            ~/.cargo/git/db/
+            ${{ env.CARGO_HOME }}/bin/
+            ${{ env.CARGO_HOME }}/registry/index/
+            ${{ env.CARGO_HOME }}/registry/cache/
+            ${{ env.CARGO_HOME }}/git/db/
             ${{ github.workspace }}/codex-rs/target/
           key: cargo-${{ matrix.runner }}-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
 

.github/workflows/rust-release.yml

@@ -1,157 +0,0 @@
-# Release workflow for codex-rs.
-# To release, follow a workflow like:
-# ```
-# git tag -a rust-v0.1.0 -m "Release 0.1.0"
-# git push origin rust-v0.1.0
-# ```
-
-name: rust-release
-on:
-  push:
-    tags:
-      - "rust-v.*.*.*"
-
-concurrency:
-  group: ${{ github.workflow }}
-  cancel-in-progress: true
-
-env:
-  TAG_REGEX: '^rust-v\.[0-9]+\.[0-9]+\.[0-9]+$'
-
-jobs:
-  tag-check:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Validate tag matches Cargo.toml version
-        shell: bash
-        run: |
-          set -euo pipefail
-          echo "::group::Tag validation"
-
-          # 1. Must be a tag and match the regex
-          [[ "${GITHUB_REF_TYPE}" == "tag" ]] \
-            || { echo "❌  Not a tag push"; exit 1; }
-          [[ "${GITHUB_REF_NAME}" =~ ${TAG_REGEX} ]] \
-            || { echo "❌  Tag '${GITHUB_REF_NAME}' != ${TAG_REGEX}"; exit 1; }
-
-          # 2. Extract versions
-          tag_ver="${GITHUB_REF_NAME#rust-v.}"
-          cargo_ver="$(grep -m1 '^version' codex-rs/Cargo.toml \
-                        | sed -E 's/version *= *"([^"]+)".*/\1/')"
-
-          # 3. Compare
-          [[ "${tag_ver}" == "${cargo_ver}" ]] \
-            || { echo "❌  Tag ${tag_ver} ≠ Cargo.toml ${cargo_ver}"; exit 1; }
-
-          echo "✅  Tag and Cargo.toml agree (${tag_ver})"
-          echo "::endgroup::"
-
-  build:
-    needs: tag-check
-    name: ${{ matrix.runner }} - ${{ matrix.target }}
-    runs-on: ${{ matrix.runner }}
-    timeout-minutes: 30
-    defaults:
-      run:
-        working-directory: codex-rs
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: macos-14
-            target: aarch64-apple-darwin
-          - runner: macos-14
-            target: x86_64-apple-darwin
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-gnu
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-gnu
-
-    steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
-        with:
-          targets: ${{ matrix.target }}
-
-      - uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/bin/
-            ~/.cargo/registry/index/
-            ~/.cargo/registry/cache/
-            ~/.cargo/git/db/
-            ${{ github.workspace }}/codex-rs/target/
-          key: cargo-release-${{ matrix.runner }}-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' }}
-        name: Install musl build tools
-        run: |
-          sudo apt install -y musl-tools pkg-config
-
-      - name: Cargo build
-        run: cargo build --target ${{ matrix.target }} --release --all-targets --all-features
-
-      - name: Stage artifacts
-        shell: bash
-        run: |
-          dest="dist/${{ matrix.target }}"
-          mkdir -p "$dest"
-
-          cp target/${{ matrix.target }}/release/codex-repl "$dest/codex-repl-${{ matrix.target }}"
-          cp target/${{ matrix.target }}/release/codex-exec "$dest/codex-exec-${{ matrix.target }}"
-          cp target/${{ matrix.target }}/release/codex "$dest/codex-${{ matrix.target }}"
-
-      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'x86_64-unknown-linux-gnu' || matrix.target == 'aarch64-unknown-linux-gnu' }}
-        name: Stage Linux-only artifacts
-        shell: bash
-        run: |
-          dest="dist/${{ matrix.target }}"
-          cp target/${{ matrix.target }}/release/codex-linux-sandbox "$dest/codex-linux-sandbox-${{ matrix.target }}"
-
-      - name: Compress artifacts
-        shell: bash
-        run: |
-          dest="dist/${{ matrix.target }}"
-          zstd -T0 -19 --rm "$dest"/*
-
-      - uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.target }}
-          path: codex-rs/dist/${{ matrix.target }}/*
-
-  release:
-    needs: build
-    name: release
-    runs-on: ubuntu-24.04
-    env:
-      RELEASE_TAG: codex-rs-${{ github.sha }}-${{ github.run_attempt }}-${{ github.ref_name }}
-
-    steps:
-      - uses: actions/download-artifact@v4
-        with:
-          path: dist
-
-      - name: List
-        run: ls -R dist/
-
-      - uses: softprops/action-gh-release@v2
-        with:
-          tag_name: ${{ env.RELEASE_TAG }}
-          files: dist/**
-          # TODO(ragona): I'm going to leave these as prerelease/draft for now.
-          # It gives us 1) clarity that these are not yet a stable version, and
-          # 2) allows a human step to review the release before publishing the draft.
-          prerelease: true
-          draft: true
-
-      - uses: facebook/dotslash-publish-release@v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag: ${{ env.RELEASE_TAG }}
-          config: .github/dotslash-config.json

CHANGELOG.md

@@ -2,41 +2,6 @@
 
 You can install any of these versions: `npm install -g codex@version`
 
-## `0.1.2504251709`
-
-### 🚀 Features
-
-- Add openai model info configuration (#551)
-- Added provider to run quiet mode function (#571)
-- Create parent directories when creating new files (#552)
-- Print bug report URL in terminal instead of opening browser (#510) (#528)
-- Add support for custom provider configuration in the user config (#537)
-- Add support for OpenAI-Organization and OpenAI-Project headers (#626)
-- Add specific instructions for creating API keys in error msg (#581)
-- Enhance toCodePoints to prevent potential unicode 14 errors (#615)
-- More native keyboard navigation in multiline editor (#655)
-- Display error on selection of invalid model (#594)
-
-### 🪲 Bug Fixes
-
-- Model selection (#643)
-- Nits in apply patch (#640)
-- Input keyboard shortcuts (#676)
-- `apply_patch` unicode characters (#625)
-- Don't clear turn input before retries (#611)
-- More loosely match context for apply_patch (#610)
-- Update bug report template - there is no --revision flag (#614)
-- Remove outdated copy of text input and external editor feature (#670)
-- Remove unreachable "disableResponseStorage" logic flow introduced in #543 (#573)
-- Non-openai mode - fix for gemini content: null, fix 429 to throw before stream (#563)
-- Only allow going up in history when not already in history if input is empty (#654)
-- Do not grant "node" user sudo access when using run_in_container.sh (#627)
-- Update scripts/build_container.sh to use pnpm instead of npm (#631)
-- Update lint-staged config to use pnpm --filter (#582)
-- Non-openai mode - don't default temp and top_p (#572)
-- Fix error catching when checking for updates (#597)
-- Close stdin when running an exec tool call (#636)
-
 ## `0.1.2504221401`
 
 ### 🚀 Features
@@ -44,7 +9,7 @@ You can install any of these versions: `npm install -g codex@version`
 - Show actionable errors when api keys are missing (#523)
 - Add CLI `--version` flag (#492)
 
-### 🪲 Bug Fixes
+### 🐛 Bug Fixes
 
 - Agent loop for ZDR (`disableResponseStorage`) (#543)
 - Fix relative `workdir` check for `apply_patch` (#556)
@@ -75,7 +40,7 @@ You can install any of these versions: `npm install -g codex@version`
 - Add /command autocomplete (#317)
 - Allow multi-line input (#438)
 
-### 🪲 Bug Fixes
+### 🐛 Bug Fixes
 
 - `full-auto` support in quiet mode (#374)
 - Enable shell option for child process execution (#391)
@@ -99,7 +64,7 @@ You can install any of these versions: `npm install -g codex@version`
 - Add `/bug` report command (#312)
 - Notify when a newer version is available (#333)
 
-### 🪲 Bug Fixes
+### 🐛 Bug Fixes
 
 - Update context left display logic in TerminalChatInput component (#307)
 - Improper spawn of sh on Windows Powershell (#318)
@@ -112,7 +77,7 @@ You can install any of these versions: `npm install -g codex@version`
 
 - Add Nix flake for reproducible development environments (#225)
 
-### 🪲 Bug Fixes
+### 🐛 Bug Fixes
 
 - Handle invalid commands (#304)
 - Raw-exec-process-group.test improve reliability and error handling (#280)
@@ -131,7 +96,7 @@ You can install any of these versions: `npm install -g codex@version`
 - `--config`/`-c` flag to open global instructions in nvim (#158)
 - Update position of cursor when navigating input history with arrow keys to the end of the text (#255)
 
-### 🪲 Bug Fixes
+### 🐛 Bug Fixes
 
 - Correct word deletion logic for trailing spaces (Ctrl+Backspace) (#131)
 - Improve Windows compatibility for CLI commands and sandbox (#261)

cliff.toml

@@ -35,7 +35,7 @@ conventional_commits = true
 
 commit_parsers = [
   { message = "^feat", group = "<!-- 0 -->🚀 Features" },
-  { message = "^fix",  group = "<!-- 1 -->🪲 Bug Fixes" },
+  { message = "^fix",  group = "<!-- 1 -->🐛 Bug Fixes" },
   { message = "^bump", group = "<!-- 6 -->🛳️ Release" },
   # Fallback – skip anything that didn't match the above rules.
   { message = ".*",  group = "<!-- 10 -->💼 Other" },

codex-cli/Dockerfile

@@ -46,10 +46,6 @@ RUN npm install -g codex.tgz \
   && rm -rf /usr/local/share/npm-global/lib/node_modules/codex-cli/tests \
   && rm -rf /usr/local/share/npm-global/lib/node_modules/codex-cli/docs
 
-# Inside the container we consider the environment already sufficiently locked
-# down, therefore instruct Codex CLI to allow running without sandboxing.
-ENV CODEX_UNSAFE_ALLOW_NO_SANDBOX=1
-
 # Copy and set up firewall script as root.
 USER root
 COPY scripts/init_firewall.sh /usr/local/bin/

codex-cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openai/codex",
-  "version": "0.1.2504251709",
+  "version": "0.1.2504221401",
   "license": "Apache-2.0",
   "bin": {
     "codex": "bin/codex.js"

codex-cli/scripts/init_firewall.sh

@@ -2,26 +2,6 @@
 set -euo pipefail  # Exit on error, undefined vars, and pipeline failures
 IFS=$'\n\t'       # Stricter word splitting
 
-# Read allowed domains from file
-ALLOWED_DOMAINS_FILE="/etc/codex/allowed_domains.txt"
-if [ -f "$ALLOWED_DOMAINS_FILE" ]; then
-    ALLOWED_DOMAINS=()
-    while IFS= read -r domain; do
-        ALLOWED_DOMAINS+=("$domain")
-    done < "$ALLOWED_DOMAINS_FILE"
-    echo "Using domains from file: ${ALLOWED_DOMAINS[*]}"
-else
-    # Fallback to default domains
-    ALLOWED_DOMAINS=("api.openai.com")
-    echo "Domains file not found, using default: ${ALLOWED_DOMAINS[*]}"
-fi
-
-# Ensure we have at least one domain
-if [ ${#ALLOWED_DOMAINS[@]} -eq 0 ]; then
-    echo "ERROR: No allowed domains specified"
-    exit 1
-fi
-
 # Flush existing rules and delete existing ipsets
 iptables -F
 iptables -X
@@ -44,7 +24,8 @@ iptables -A OUTPUT -o lo -j ACCEPT
 ipset create allowed-domains hash:net
 
 # Resolve and add other allowed domains
-for domain in "${ALLOWED_DOMAINS[@]}"; do
+for domain in \
+    "api.openai.com"; do
     echo "Resolving $domain..."
     ips=$(dig +short A "$domain")
     if [ -z "$ips" ]; then
@@ -106,7 +87,7 @@ else
     echo "Firewall verification passed - unable to reach https://example.com as expected"
 fi
 
-# Always verify OpenAI API access is working
+# Verify OpenAI API access
 if ! curl --connect-timeout 5 https://api.openai.com >/dev/null 2>&1; then
     echo "ERROR: Firewall verification failed - unable to reach https://api.openai.com"
     exit 1

codex-cli/scripts/run_in_container.sh

@@ -10,8 +10,6 @@ set -e
 
 # Default the work directory to WORKSPACE_ROOT_DIR if not provided.
 WORK_DIR="${WORKSPACE_ROOT_DIR:-$(pwd)}"
-# Default allowed domains - can be overridden with OPENAI_ALLOWED_DOMAINS env var
-OPENAI_ALLOWED_DOMAINS="${OPENAI_ALLOWED_DOMAINS:-api.openai.com}"
 
 # Parse optional flag.
 if [ "$1" = "--work_dir" ]; then
@@ -47,12 +45,6 @@ if [ -z "$WORK_DIR" ]; then
   exit 1
 fi
 
-# Verify that OPENAI_ALLOWED_DOMAINS is not empty
-if [ -z "$OPENAI_ALLOWED_DOMAINS" ]; then
-  echo "Error: OPENAI_ALLOWED_DOMAINS is empty."
-  exit 1
-fi
-
 # Kill any existing container for the working directory using cleanup(), centralizing removal logic.
 cleanup
 
@@ -65,25 +57,8 @@ docker run --name "$CONTAINER_NAME" -d \
   codex \
   sleep infinity
 
-# Write the allowed domains to a file in the container
-docker exec --user root "$CONTAINER_NAME" bash -c "mkdir -p /etc/codex"
-for domain in $OPENAI_ALLOWED_DOMAINS; do
-  # Validate domain format to prevent injection
-  if [[ ! "$domain" =~ ^[a-zA-Z0-9][a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$ ]]; then
-    echo "Error: Invalid domain format: $domain"
-    exit 1
-  fi
-  echo "$domain" | docker exec --user root -i "$CONTAINER_NAME" bash -c "cat >> /etc/codex/allowed_domains.txt"
-done
-
-# Set proper permissions on the domains file
-docker exec --user root "$CONTAINER_NAME" bash -c "chmod 444 /etc/codex/allowed_domains.txt && chown root:root /etc/codex/allowed_domains.txt"
-
-# Initialize the firewall inside the container as root user
-docker exec --user root "$CONTAINER_NAME" bash -c "/usr/local/bin/init_firewall.sh"
-
-# Remove the firewall script after running it
-docker exec --user root "$CONTAINER_NAME" bash -c "rm -f /usr/local/bin/init_firewall.sh"
+# Initialize the firewall inside the container with root privileges.
+docker exec --user root "$CONTAINER_NAME" /usr/local/bin/init_firewall.sh
 
 # Execute the provided command in the container, ensuring it runs in the work directory.
 # We use a parameterized bash command to safely handle the command and directory.

codex-cli/src/cli.tsx

@@ -10,7 +10,6 @@ import type { ApprovalPolicy } from "./approvals";
 import type { CommandConfirmation } from "./utils/agent/agent-loop";
 import type { AppConfig } from "./utils/config";
 import type { ResponseItem } from "openai/resources/responses/responses";
-import type { ReasoningEffort } from "openai/resources.mjs";
 
 import App from "./app";
 import { runSinglePass } from "./cli-singlepass";
@@ -161,12 +160,6 @@ const cli = meow(
           "Disable truncation of command stdout/stderr messages (show everything)",
         aliases: ["no-truncate"],
       },
-      reasoning: {
-        type: "string",
-        description: "Set the reasoning effort level (low, medium, high)",
-        choices: ["low", "medium", "high"],
-        default: "high",
-      },
       // Notification
       notify: {
         type: "boolean",
@@ -191,10 +184,6 @@ const cli = meow(
   },
 );
 
-// ---------------------------------------------------------------------------
-// Global flag handling
-// ---------------------------------------------------------------------------
-
 // Handle 'completion' subcommand before any prompting or API calls
 if (cli.input[0] === "completion") {
   const shell = cli.input[1] || "bash";
@@ -294,22 +283,17 @@ if (!apiKey && !NO_API_KEY_REQUIRED.has(provider.toLowerCase())) {
   process.exit(1);
 }
 
-const flagPresent = Object.hasOwn(cli.flags, "disableResponseStorage");
-
-const disableResponseStorage = flagPresent
-  ? Boolean(cli.flags.disableResponseStorage) // value user actually passed
-  : (config.disableResponseStorage ?? false); // fall back to YAML, default to false
-
 config = {
   apiKey,
   ...config,
   model: model ?? config.model,
   notify: Boolean(cli.flags.notify),
-  reasoningEffort:
-    (cli.flags.reasoning as ReasoningEffort | undefined) ?? "high",
   flexMode: Boolean(cli.flags.flexMode),
   provider,
-  disableResponseStorage,
+  disableResponseStorage:
+    cli.flags.disableResponseStorage !== undefined
+      ? Boolean(cli.flags.disableResponseStorage)
+      : config.disableResponseStorage,
 };
 
 // Check for updates after loading config. This is important because we write state file in

codex-cli/src/components/chat/terminal-chat-input-thinking.tsx

@@ -106,16 +106,11 @@ export default function TerminalChatInputThinking({
 
   return (
     <Box flexDirection="column" gap={1}>
-      <Box justifyContent="space-between">
-        <Box gap={2}>
-          <Text>{frameWithSeconds}</Text>
-          <Text>
-            Thinking
-            {dots}
-          </Text>
-        </Box>
+      <Box gap={2}>
+        <Text>{frameWithSeconds}</Text>
         <Text>
-          Press <Text bold>Esc</Text> twice to interrupt
+          Thinking
+          {dots}
         </Text>
       </Box>
       {awaitingConfirm && (

codex-cli/src/components/chat/terminal-chat-input.tsx

@@ -412,7 +412,7 @@ export default function TerminalChatInput({
         setInput("");
         openApprovalOverlay();
         return;
-      } else if (["exit", "q", ":q"].includes(inputValue)) {
+      } else if (inputValue === "exit") {
         setInput("");
         setTimeout(() => {
           app.exit();
@@ -881,30 +881,20 @@ function TerminalChatInputThinking({
   );
 
   return (
-    <Box width="100%" flexDirection="column" gap={1}>
-      <Box
-        flexDirection="row"
-        width="100%"
-        justifyContent="space-between"
-        paddingRight={1}
-      >
-        <Box gap={2}>
-          <Text>{frameWithSeconds}</Text>
-          <Text>
-            Thinking
-            {dots}
-          </Text>
-        </Box>
+    <Box flexDirection="column" gap={1}>
+      <Box gap={2}>
+        <Text>{frameWithSeconds}</Text>
         <Text>
-          <Text dimColor>press</Text> <Text bold>Esc</Text>{" "}
-          {awaitingConfirm ? (
-            <Text bold>again</Text>
-          ) : (
-            <Text dimColor>twice</Text>
-          )}{" "}
-          <Text dimColor>to interrupt</Text>
+          Thinking
+          {dots}
         </Text>
       </Box>
+      {awaitingConfirm && (
+        <Text dimColor>
+          Press <Text bold>Esc</Text> again to interrupt and enter a new
+          instruction
+        </Text>
+      )}
     </Box>
   );
 }

codex-cli/src/components/chat/terminal-header.tsx

@@ -73,7 +73,7 @@ const TerminalHeader: React.FC<TerminalHeaderProps> = ({
             </Text>
             <Text dimColor>
               <Text color="blueBright">↳</Text> approval:{" "}
-              <Text bold color={colorsByPolicy[approvalPolicy]}>
+              <Text bold color={colorsByPolicy[approvalPolicy]} dimColor>
                 {approvalPolicy}
               </Text>
             </Text>

codex-cli/src/text-buffer.ts

@@ -610,24 +610,6 @@ export default class TextBuffer {
     }
   }
 
-  /* ------------------------------------------------------------------
-   *  Document-level navigation helpers
-   * ---------------------------------------------------------------- */
-
-  /** Move caret to *absolute* beginning of the buffer (row-0, col-0). */
-  private moveToStartOfDocument(): void {
-    this.preferredCol = null;
-    this.cursorRow = 0;
-    this.cursorCol = 0;
-  }
-
-  /** Move caret to *absolute* end of the buffer (last row, last column). */
-  private moveToEndOfDocument(): void {
-    this.preferredCol = null;
-    this.cursorRow = this.lines.length - 1;
-    this.cursorCol = this.lineLen(this.cursorRow);
-  }
-
   /* =====================================================================
    *  Higher‑level helpers
    * =================================================================== */
@@ -798,18 +780,6 @@ export default class TextBuffer {
       key["rightArrow"]
     ) {
       this.move("wordRight");
-    }
-    // Many terminal/OS combinations (e.g. macOS Terminal.app & iTerm2 with
-    // the default key-bindings) translate ⌥← / ⌥→ into the classic readline
-    // shortcuts ESC-b / ESC-f rather than an ANSI arrow sequence that Ink
-    // would tag with `leftArrow` / `rightArrow`.  Ink parses those 2-byte
-    // escape sequences into `input === "b"|"f"` with `key.meta === true`.
-    // Handle this variant explicitly so that Option+Arrow performs word
-    // navigation consistently across environments.
-    else if (key["meta"] && (input === "b" || input === "B")) {
-      this.move("wordLeft");
-    } else if (key["meta"] && (input === "f" || input === "F")) {
-      this.move("wordRight");
     } else if (key["home"]) {
       this.move("home");
     } else if (key["end"]) {
@@ -853,11 +823,11 @@ export default class TextBuffer {
 
     // Emacs/readline-style shortcuts
     else if (key["ctrl"] && (input === "a" || input === "\x01")) {
-      // Ctrl+A → start of input (first row, first column)
-      this.moveToStartOfDocument();
+      // Ctrl+A or ⌥← → start of line
+      this.move("home");
     } else if (key["ctrl"] && (input === "e" || input === "\x05")) {
-      // Ctrl+E → end of input (last row, last column)
-      this.moveToEndOfDocument();
+      // Ctrl+E or ⌥→ → end of line
+      this.move("end");
     } else if (key["ctrl"] && (input === "b" || input === "\x02")) {
       // Ctrl+B → char left
       this.move("left");

codex-cli/src/utils/agent/agent-loop.ts

@@ -34,7 +34,7 @@ import OpenAI, { APIConnectionTimeoutError } from "openai";
 
 // Wait time before retrying after rate limit errors (ms).
 const RATE_LIMIT_RETRY_WAIT_MS = parseInt(
-  process.env["OPENAI_RATE_LIMIT_RETRY_WAIT_MS"] || "500",
+  process.env["OPENAI_RATE_LIMIT_RETRY_WAIT_MS"] || "2500",
   10,
 );
 
@@ -46,7 +46,6 @@ export type CommandConfirmation = {
 };
 
 const alreadyProcessedResponses = new Set();
-const alreadyStagedItemIds = new Set<string>();
 
 type AgentLoopParams = {
   model: string;
@@ -563,12 +562,6 @@ export class AgentLoop {
           return;
         }
 
-        // Skip items we've already processed to avoid staging duplicates
-        if (item.id && alreadyStagedItemIds.has(item.id)) {
-          return;
-        }
-        alreadyStagedItemIds.add(item.id);
-
         // Store the item so the final flush can still operate on a complete list.
         // We'll nil out entries once they're delivered.
         const idx = staged.push(item) - 1;
@@ -671,12 +664,12 @@ export class AgentLoop {
         let stream;
 
         // Retry loop for transient errors. Up to MAX_RETRIES attempts.
-        const MAX_RETRIES = 8;
+        const MAX_RETRIES = 5;
         for (let attempt = 1; attempt <= MAX_RETRIES; attempt++) {
           try {
             let reasoning: Reasoning | undefined;
             if (this.model.startsWith("o")) {
-              reasoning = { effort: this.config.reasoningEffort ?? "high" };
+              reasoning = { effort: "high" };
               if (this.model === "o3" || this.model === "o4-mini") {
                 reasoning.summary = "auto";
               }

codex-cli/src/utils/agent/handle-exec-command.ts

@@ -1,18 +1,17 @@
 import type { CommandConfirmation } from "./agent-loop.js";
-import type { ApplyPatchCommand, ApprovalPolicy } from "../../approvals.js";
+import type { AppConfig } from "../config.js";
 import type { ExecInput } from "./sandbox/interface.js";
+import type { ApplyPatchCommand, ApprovalPolicy } from "../../approvals.js";
 import type { ResponseInputItem } from "openai/resources/responses/responses.mjs";
 
-import { canAutoApprove } from "../../approvals.js";
-import { formatCommandForDisplay } from "../../format-command.js";
-import { FullAutoErrorMode } from "../auto-approval-mode.js";
-import { CODEX_UNSAFE_ALLOW_NO_SANDBOX, type AppConfig } from "../config.js";
 import { exec, execApplyPatch } from "./exec.js";
 import { ReviewDecision } from "./review.js";
-import { isLoggingEnabled, log } from "../logger/log.js";
+import { FullAutoErrorMode } from "../auto-approval-mode.js";
 import { SandboxType } from "./sandbox/interface.js";
-import { PATH_TO_SEATBELT_EXECUTABLE } from "./sandbox/macos-seatbelt.js";
-import fs from "fs/promises";
+import { canAutoApprove } from "../../approvals.js";
+import { formatCommandForDisplay } from "../../format-command.js";
+import { isLoggingEnabled, log } from "../logger/log.js";
+import { access } from "fs/promises";
 
 // ---------------------------------------------------------------------------
 // Session‑level cache of commands that the user has chosen to always approve.
@@ -218,7 +217,7 @@ async function execCommand(
   let { workdir } = execInput;
   if (workdir) {
     try {
-      await fs.access(workdir);
+      await access(workdir);
     } catch (e) {
       log(`EXEC workdir=${workdir} not found, use process.cwd() instead`);
       workdir = process.cwd();
@@ -271,45 +270,30 @@ async function execCommand(
   };
 }
 
-/** Return `true` if the `/usr/bin/sandbox-exec` is present and executable. */
-const isSandboxExecAvailable: Promise<boolean> = fs
-  .access(PATH_TO_SEATBELT_EXECUTABLE, fs.constants.X_OK)
-  .then(
-    () => true,
-    (err) => {
-      if (!["ENOENT", "ACCESS", "EPERM"].includes(err.code)) {
-        log(
-          `Unexpected error for \`stat ${PATH_TO_SEATBELT_EXECUTABLE}\`: ${err.message}`,
-        );
-      }
-      return false;
-    },
-  );
+const isInLinux = async (): Promise<boolean> => {
+  try {
+    await access("/proc/1/cgroup");
+    return true;
+  } catch {
+    return false;
+  }
+};
 
 async function getSandbox(runInSandbox: boolean): Promise<SandboxType> {
   if (runInSandbox) {
     if (process.platform === "darwin") {
-      // On macOS we rely on the system-provided `sandbox-exec` binary to
-      // enforce the Seatbelt profile.  However, starting with macOS 14 the
-      // executable may be removed from the default installation or the user
-      // might be running the CLI on a stripped-down environment (for
-      // instance, inside certain CI images).  Attempting to spawn a missing
-      // binary makes Node.js throw an *uncaught* `ENOENT` error further down
-      // the stack which crashes the whole CLI.
-      if (await isSandboxExecAvailable) {
-        return SandboxType.MACOS_SEATBELT;
-      } else {
-        throw new Error(
-          "Sandbox was mandated, but 'sandbox-exec' was not found in PATH!",
-        );
-      }
-    } else if (CODEX_UNSAFE_ALLOW_NO_SANDBOX) {
-      // Allow running without a sandbox if the user has explicitly marked the
-      // environment as already being sufficiently locked-down.
+      return SandboxType.MACOS_SEATBELT;
+    } else if (await isInLinux()) {
+      return SandboxType.NONE;
+    } else if (process.platform === "win32") {
+      // On Windows, we don't have a sandbox implementation yet, so we fall back to NONE
+      // instead of throwing an error, which would crash the application
+      log(
+        "WARNING: Sandbox was requested but is not available on Windows. Continuing without sandbox.",
+      );
       return SandboxType.NONE;
     }
-
-    // For all else, we hard fail if the user has requested a sandbox and none is available.
+    // For other platforms, still throw an error as before
     throw new Error("Sandbox was mandated, but no sandbox is available!");
   } else {
     return SandboxType.NONE;

codex-cli/src/utils/agent/sandbox/macos-seatbelt.ts

@@ -12,14 +12,6 @@ function getCommonRoots() {
   ];
 }
 
-/**
- * When working with `sandbox-exec`, only consider `sandbox-exec` in `/usr/bin`
- * to defend against an attacker trying to inject a malicious version on the
- * PATH. If /usr/bin/sandbox-exec has been tampered with, then the attacker
- * already has root access.
- */
-export const PATH_TO_SEATBELT_EXECUTABLE = "/usr/bin/sandbox-exec";
-
 export function execWithSeatbelt(
   cmd: Array<string>,
   opts: SpawnOptions,
@@ -65,7 +57,7 @@ export function execWithSeatbelt(
   );
 
   const fullCommand = [
-    PATH_TO_SEATBELT_EXECUTABLE,
+    "sandbox-exec",
     "-p",
     fullPolicy,
     ...policyTemplateParams,

codex-cli/src/utils/config.ts

@@ -7,42 +7,15 @@
 // compiled `dist/` output used by the published CLI.
 
 import type { FullAutoErrorMode } from "./auto-approval-mode.js";
-import type { ReasoningEffort } from "openai/resources.mjs";
 
 import { AutoApprovalMode } from "./auto-approval-mode.js";
 import { log } from "./logger/log.js";
 import { providers } from "./providers.js";
-import { config as loadDotenv } from "dotenv";
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
 import { load as loadYaml, dump as dumpYaml } from "js-yaml";
 import { homedir } from "os";
 import { dirname, join, extname, resolve as resolvePath } from "path";
 
-// ---------------------------------------------------------------------------
-// User‑wide environment config (~/.codex.env)
-// ---------------------------------------------------------------------------
-
-// Load a user‑level dotenv file **after** process.env and any project‑local
-// .env file (loaded via "dotenv/config" in cli.tsx) are in place.  We rely on
-// dotenv's default behaviour of *not* overriding existing variables so that
-// the precedence order becomes:
-//   1. Explicit environment variables
-//   2. Project‑local .env (handled in cli.tsx)
-//   3. User‑wide ~/.codex.env (loaded here)
-// This guarantees that users can still override the global key on a per‑project
-// basis while enjoying the convenience of a persistent default.
-
-// Skip when running inside Vitest to avoid interfering with the FS mocks used
-// by tests that stub out `fs` *after* importing this module.
-const USER_WIDE_CONFIG_PATH = join(homedir(), ".codex.env");
-
-const isVitest =
-  typeof (globalThis as { vitest?: unknown }).vitest !== "undefined";
-
-if (!isVitest) {
-  loadDotenv({ path: USER_WIDE_CONFIG_PATH });
-}
-
 export const DEFAULT_AGENTIC_MODEL = "o4-mini";
 export const DEFAULT_FULL_CONTEXT_MODEL = "gpt-4.1";
 export const DEFAULT_APPROVAL_MODE = AutoApprovalMode.SUGGEST;
@@ -63,17 +36,9 @@ export const OPENAI_TIMEOUT_MS =
   parseInt(process.env["OPENAI_TIMEOUT_MS"] || "0", 10) || undefined;
 export const OPENAI_BASE_URL = process.env["OPENAI_BASE_URL"] || "";
 export let OPENAI_API_KEY = process.env["OPENAI_API_KEY"] || "";
-
-export const DEFAULT_REASONING_EFFORT = "high";
 export const OPENAI_ORGANIZATION = process.env["OPENAI_ORGANIZATION"] || "";
 export const OPENAI_PROJECT = process.env["OPENAI_PROJECT"] || "";
 
-// Can be set `true` when Codex is running in an environment that is marked as already
-// considered sufficiently locked-down so that we allow running wihtout an explicit sandbox.
-export const CODEX_UNSAFE_ALLOW_NO_SANDBOX = Boolean(
-  process.env["CODEX_UNSAFE_ALLOW_NO_SANDBOX"] || "",
-);
-
 export function setApiKey(apiKey: string): void {
   OPENAI_API_KEY = apiKey;
 }
@@ -145,9 +110,6 @@ export type StoredConfig = {
     saveHistory?: boolean;
     sensitivePatterns?: Array<string>;
   };
-  /** User-defined safe commands */
-  safeCommands?: Array<string>;
-  reasoningEffort?: ReasoningEffort;
 };
 
 // Minimal config written on first run.  An *empty* model string ensures that
@@ -155,7 +117,7 @@ export type StoredConfig = {
 // propagating to existing users until they explicitly set a model.
 export const EMPTY_STORED_CONFIG: StoredConfig = { model: "" };
 
-// Pre‑stringified JSON variant so we don't stringify repeatedly.
+// Pre‑stringified JSON variant so we don’t stringify repeatedly.
 const EMPTY_CONFIG_JSON = JSON.stringify(EMPTY_STORED_CONFIG, null, 2) + "\n";
 
 export type MemoryConfig = {
@@ -171,7 +133,6 @@ export type AppConfig = {
   approvalMode?: AutoApprovalMode;
   fullAutoErrorMode?: FullAutoErrorMode;
   memory?: MemoryConfig;
-  reasoningEffort?: ReasoningEffort;
   /** Whether to enable desktop notifications for responses */
   notify?: boolean;
 
@@ -323,22 +284,6 @@ export const loadConfig = (
     }
   }
 
-  if (
-    storedConfig.disableResponseStorage !== undefined &&
-    typeof storedConfig.disableResponseStorage !== "boolean"
-  ) {
-    if (storedConfig.disableResponseStorage === "true") {
-      storedConfig.disableResponseStorage = true;
-    } else if (storedConfig.disableResponseStorage === "false") {
-      storedConfig.disableResponseStorage = false;
-    } else {
-      log(
-        `[codex] Warning: 'disableResponseStorage' in config is not a boolean (got '${storedConfig.disableResponseStorage}'). Ignoring this value.`,
-      );
-      delete storedConfig.disableResponseStorage;
-    }
-  }
-
   const instructionsFilePathResolved =
     instructionsPath ?? INSTRUCTIONS_FILEPATH;
   const userInstructions = existsSync(instructionsFilePathResolved)
@@ -388,8 +333,7 @@ export const loadConfig = (
     instructions: combinedInstructions,
     notify: storedConfig.notify === true,
     approvalMode: storedConfig.approvalMode,
-    disableResponseStorage: storedConfig.disableResponseStorage === true,
-    reasoningEffort: storedConfig.reasoningEffort,
+    disableResponseStorage: storedConfig.disableResponseStorage ?? false,
   };
 
   // -----------------------------------------------------------------------
@@ -504,8 +448,6 @@ export const saveConfig = (
     provider: config.provider,
     providers: config.providers,
     approvalMode: config.approvalMode,
-    disableResponseStorage: config.disableResponseStorage,
-    reasoningEffort: config.reasoningEffort,
   };
 
   // Add history settings if they exist

codex-cli/src/utils/get-diff.ts

@@ -1,26 +1,5 @@
 import { execSync } from "node:child_process";
 
-// The objects thrown by `child_process.execSync()` are `Error` instances that
-// include additional, undocumented properties such as `status` (exit code) and
-// `stdout` (captured standard output). Declare a minimal interface that captures
-// just the fields we need so that we can avoid the use of `any` while keeping
-// the checks type-safe.
-interface ExecSyncError extends Error {
-  // Exit status code. When a diff is produced, git exits with code 1 which we
-  // treat as a non-error signal.
-  status?: number;
-  // Captured stdout. We rely on this to obtain the diff output when git exits
-  // with status 1.
-  stdout?: string;
-}
-
-// Type-guard that narrows an unknown value to `ExecSyncError`.
-function isExecSyncError(err: unknown): err is ExecSyncError {
-  return (
-    typeof err === "object" && err != null && "status" in err && "stdout" in err
-  );
-}
-
 /**
  * Returns the current Git diff for the working directory. If the current
  * working directory is not inside a Git repository, `isGitRepo` will be
@@ -36,86 +15,13 @@ export function getGitDiff(): {
     execSync("git rev-parse --is-inside-work-tree", { stdio: "ignore" });
 
     // If the above call didn’t throw, we are inside a git repo. Retrieve the
-    // diff for tracked files **and** include any untracked files so that the
-    // `/diff` overlay shows a complete picture of the working tree state.
+    // diff including color codes so that the overlay can render them.
+    const output = execSync("git diff --color", {
+      encoding: "utf8",
+      maxBuffer: 10 * 1024 * 1024, // 10 MB ought to be enough for now
+    });
 
-    // 1. Diff for tracked files (unchanged behaviour)
-    let trackedDiff = "";
-    try {
-      trackedDiff = execSync("git diff --color", {
-        encoding: "utf8",
-        maxBuffer: 10 * 1024 * 1024, // 10 MB ought to be enough for now
-      });
-    } catch (err) {
-      // Exit status 1 simply means that differences were found. Capture the
-      // diff from stdout in that case. Re-throw for any other status codes.
-      if (
-        isExecSyncError(err) &&
-        err.status === 1 &&
-        typeof err.stdout === "string"
-      ) {
-        trackedDiff = err.stdout;
-      } else {
-        throw err;
-      }
-    }
-
-    // 2. Determine untracked files.
-    //    We use `git ls-files --others --exclude-standard` which outputs paths
-    //    relative to the repository root, one per line. These are files that
-    //    are not tracked *and* are not ignored by .gitignore.
-    const untrackedOutput = execSync(
-      "git ls-files --others --exclude-standard",
-      {
-        encoding: "utf8",
-        maxBuffer: 10 * 1024 * 1024,
-      },
-    );
-
-    const untrackedFiles = untrackedOutput
-      .split("\n")
-      .map((p) => p.trim())
-      .filter(Boolean);
-
-    let untrackedDiff = "";
-
-    const nullDevice = process.platform === "win32" ? "NUL" : "/dev/null";
-
-    for (const file of untrackedFiles) {
-      try {
-        // `git diff --no-index` produces a diff even outside the index by
-        // comparing two paths. We compare the file against /dev/null so that
-        // the file is treated as "new".
-        //
-        // `git diff --color --no-index /dev/null <file>` exits with status 1
-        // when differences are found, so we capture stdout from the thrown
-        // error object instead of letting it propagate.
-        execSync(`git diff --color --no-index -- "${nullDevice}" "${file}"`, {
-          encoding: "utf8",
-          stdio: ["ignore", "pipe", "ignore"],
-          maxBuffer: 10 * 1024 * 1024,
-        });
-      } catch (err) {
-        if (
-          isExecSyncError(err) &&
-          // Exit status 1 simply means that the two inputs differ, which is
-          // exactly what we expect here. Any other status code indicates a
-          // real error (e.g. the file disappeared between the ls-files and
-          // diff calls), so re-throw those.
-          err.status === 1 &&
-          typeof err.stdout === "string"
-        ) {
-          untrackedDiff += err.stdout;
-        } else {
-          throw err;
-        }
-      }
-    }
-
-    // Concatenate tracked and untracked diffs.
-    const combinedDiff = `${trackedDiff}${untrackedDiff}`;
-
-    return { isGitRepo: true, diff: combinedDiff };
+    return { isGitRepo: true, diff: output };
   } catch {
     // Either git is not installed or we’re not inside a repository.
     return { isGitRepo: false, diff: "" };

codex-cli/src/utils/session.ts

@@ -1,4 +1,4 @@
-export const CLI_VERSION = "0.1.2504251709"; // Must be in sync with package.json.
+export const CLI_VERSION = "0.1.2504221401"; // Must be in sync with package.json.
 export const ORIGIN = "codex_cli_ts";
 
 export type TerminalChatSession = {

codex-cli/tests/agent-dedupe-items.test.ts

@@ -1,115 +0,0 @@
-import { describe, it, expect, vi } from "vitest";
-
-// ---------------------------------------------------------------------------
-// This regression test ensures that AgentLoop only surfaces each response item
-// once even when the same item appears multiple times in the OpenAI streaming
-// response (e.g. as an early `response.output_item.done` event *and* again in
-// the final `response.completed` payload).
-// ---------------------------------------------------------------------------
-
-// Fake OpenAI stream that emits the *same* message twice: first as an
-// incremental output event and then again in the turn completion payload.
-class FakeStream {
-  public controller = { abort: vi.fn() };
-
-  async *[Symbol.asyncIterator]() {
-    // 1) Early incremental item.
-    yield {
-      type: "response.output_item.done",
-      item: {
-        type: "message",
-        id: "call-dedupe-1",
-        role: "assistant",
-        content: [{ type: "input_text", text: "Hello!" }],
-      },
-    } as any;
-
-    // 2) Turn completion containing the *same* item again.
-    yield {
-      type: "response.completed",
-      response: {
-        id: "resp-dedupe-1",
-        status: "completed",
-        output: [
-          {
-            type: "message",
-            id: "call-dedupe-1",
-            role: "assistant",
-            content: [{ type: "input_text", text: "Hello!" }],
-          },
-        ],
-      },
-    } as any;
-  }
-}
-
-// Intercept the OpenAI SDK used inside AgentLoop so we can inject our fake
-// streaming implementation.
-vi.mock("openai", () => {
-  class FakeOpenAI {
-    public responses = {
-      create: async () => new FakeStream(),
-    };
-  }
-
-  class APIConnectionTimeoutError extends Error {}
-
-  return { __esModule: true, default: FakeOpenAI, APIConnectionTimeoutError };
-});
-
-// Stub approvals / formatting helpers – not relevant here.
-vi.mock("../src/approvals.js", () => ({
-  __esModule: true,
-  alwaysApprovedCommands: new Set<string>(),
-  canAutoApprove: () => ({ type: "auto-approve", runInSandbox: false }) as any,
-  isSafeCommand: () => null,
-}));
-
-vi.mock("../src/format-command.js", () => ({
-  __esModule: true,
-  formatCommandForDisplay: (cmd: Array<string>) => cmd.join(" "),
-}));
-
-vi.mock("../src/utils/agent/log.js", () => ({
-  __esModule: true,
-  log: () => {},
-  isLoggingEnabled: () => false,
-}));
-
-// After the dependency mocks we can import the module under test.
-import { AgentLoop } from "../src/utils/agent/agent-loop.js";
-
-describe("AgentLoop deduplicates output items", () => {
-  it("invokes onItem exactly once for duplicate items with the same id", async () => {
-    const received: Array<any> = [];
-
-    const agent = new AgentLoop({
-      model: "any",
-      instructions: "",
-      config: { model: "any", instructions: "", notify: false },
-      approvalPolicy: { mode: "auto" } as any,
-      additionalWritableRoots: [],
-      onItem: (item) => received.push(item),
-      onLoading: () => {},
-      getCommandConfirmation: async () => ({ review: "yes" }) as any,
-      onLastResponseId: () => {},
-    });
-
-    const userMsg = [
-      {
-        type: "message",
-        role: "user",
-        content: [{ type: "input_text", text: "hi" }],
-      },
-    ];
-
-    await agent.run(userMsg as any);
-
-    // Give the setTimeout(3ms) inside AgentLoop.stageItem a chance to fire.
-    await new Promise((r) => setTimeout(r, 20));
-
-    // Count how many times the duplicate item surfaced.
-    const appearances = received.filter((i) => i.id === "call-dedupe-1").length;
-    expect(appearances).toBe(1);
-  });
-});

codex-cli/tests/agent-rate-limit-error.test.ts

@@ -98,8 +98,10 @@ describe("AgentLoop – rate‑limit handling", () => {
       // is in progress.
       const runPromise = agent.run(userMsg as any);
 
-      // Should be done in at most 180 seconds.
-      await vi.advanceTimersByTimeAsync(180_000);
+      // The agent waits 15 000 ms between retries (rate‑limit back‑off) and does
+      // this four times (after attempts 1‑4). Fast‑forward a bit more to cover
+      // any additional small `setTimeout` calls inside the implementation.
+      await vi.advanceTimersByTimeAsync(61_000); // 4 * 15s + 1s safety margin
 
       // Ensure the promise settles without throwing.
       await expect(runPromise).resolves.not.toThrow();
@@ -108,8 +110,8 @@ describe("AgentLoop – rate‑limit handling", () => {
       await vi.advanceTimersByTimeAsync(20);
 
       // The OpenAI client should have been called the maximum number of retry
-      // attempts (8).
-      expect(openAiState.createSpy).toHaveBeenCalledTimes(8);
+      // attempts (5).
+      expect(openAiState.createSpy).toHaveBeenCalledTimes(5);
 
       // Finally, verify that the user sees a helpful system message.
       const sysMsg = received.find(

codex-cli/tests/agent-server-retry.test.ts

@@ -122,7 +122,7 @@ describe("AgentLoop – automatic retry on 5xx errors", () => {
     expect(assistant?.content?.[0]?.text).toBe("ok");
   });
 
-  it("fails after a few attempts and surfaces system message", async () => {
+  it("fails after 3 attempts and surfaces system message", async () => {
     openAiState.createSpy = vi.fn(async () => {
       const err: any = new Error("Internal Server Error");
       err.status = 502; // any 5xx
@@ -154,7 +154,7 @@ describe("AgentLoop – automatic retry on 5xx errors", () => {
 
     await new Promise((r) => setTimeout(r, 20));
 
-    expect(openAiState.createSpy).toHaveBeenCalledTimes(8);
+    expect(openAiState.createSpy).toHaveBeenCalledTimes(5);
 
     const sysMsg = received.find(
       (i) =>

codex-cli/tests/config_reasoning.test.ts

@@ -1,121 +0,0 @@
-import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
-import {
-  loadConfig,
-  DEFAULT_REASONING_EFFORT,
-  saveConfig,
-} from "../src/utils/config";
-import type { ReasoningEffort } from "openai/resources.mjs";
-import * as fs from "fs";
-
-// Mock the fs module
-vi.mock("fs", () => ({
-  existsSync: vi.fn(),
-  readFileSync: vi.fn(),
-  writeFileSync: vi.fn(),
-  mkdirSync: vi.fn(),
-}));
-
-// Mock path.dirname
-vi.mock("path", async () => {
-  const actual = await vi.importActual("path");
-  return {
-    ...actual,
-    dirname: vi.fn().mockReturnValue("/mock/dir"),
-  };
-});
-
-describe("Reasoning Effort Configuration", () => {
-  beforeEach(() => {
-    vi.resetAllMocks();
-  });
-
-  afterEach(() => {
-    vi.clearAllMocks();
-  });
-
-  it('should have "high" as the default reasoning effort', () => {
-    expect(DEFAULT_REASONING_EFFORT).toBe("high");
-  });
-
-  it("should use default reasoning effort when not specified in config", () => {
-    // Mock fs.existsSync to return true for config file
-    vi.mocked(fs.existsSync).mockImplementation(() => true);
-
-    // Mock fs.readFileSync to return a JSON with no reasoningEffort
-    vi.mocked(fs.readFileSync).mockImplementation(() =>
-      JSON.stringify({ model: "test-model" }),
-    );
-
-    const config = loadConfig("/mock/config.json", "/mock/instructions.md");
-
-    // Config should not have reasoningEffort explicitly set
-    expect(config.reasoningEffort).toBeUndefined();
-  });
-
-  it("should load reasoningEffort from config file", () => {
-    // Mock fs.existsSync to return true for config file
-    vi.mocked(fs.existsSync).mockImplementation(() => true);
-
-    // Mock fs.readFileSync to return a JSON with reasoningEffort
-    vi.mocked(fs.readFileSync).mockImplementation(() =>
-      JSON.stringify({
-        model: "test-model",
-        reasoningEffort: "low" as ReasoningEffort,
-      }),
-    );
-
-    const config = loadConfig("/mock/config.json", "/mock/instructions.md");
-
-    // Config should have the reasoningEffort from the file
-    expect(config.reasoningEffort).toBe("low");
-  });
-
-  it("should support all valid reasoning effort values", () => {
-    // Valid values for ReasoningEffort
-    const validEfforts: Array<ReasoningEffort> = ["low", "medium", "high"];
-
-    for (const effort of validEfforts) {
-      // Mock fs.existsSync to return true for config file
-      vi.mocked(fs.existsSync).mockImplementation(() => true);
-
-      // Mock fs.readFileSync to return a JSON with reasoningEffort
-      vi.mocked(fs.readFileSync).mockImplementation(() =>
-        JSON.stringify({
-          model: "test-model",
-          reasoningEffort: effort,
-        }),
-      );
-
-      const config = loadConfig("/mock/config.json", "/mock/instructions.md");
-
-      // Config should have the correct reasoningEffort
-      expect(config.reasoningEffort).toBe(effort);
-    }
-  });
-
-  it("should preserve reasoningEffort when saving configuration", () => {
-    // Setup
-    vi.mocked(fs.existsSync).mockReturnValue(false);
-
-    // Create config with reasoningEffort
-    const configToSave = {
-      model: "test-model",
-      instructions: "",
-      reasoningEffort: "medium" as ReasoningEffort,
-      notify: false,
-    };
-
-    // Act
-    saveConfig(configToSave, "/mock/config.json", "/mock/instructions.md");
-
-    // Assert
-    expect(fs.writeFileSync).toHaveBeenCalledWith(
-      "/mock/config.json",
-      expect.stringContaining('"model"'),
-      "utf-8",
-    );
-
-    // Note: Current implementation of saveConfig doesn't save reasoningEffort,
-    // this test would need to be updated if that functionality is added
-  });
-});

codex-cli/tests/disableResponseStorage.agentLoop.test.ts

@@ -1,93 +0,0 @@
-/**
- * codex-cli/tests/disableResponseStorage.agentLoop.test.ts
- *
- * Verifies AgentLoop's request-building logic for both values of
- * disableResponseStorage.
- */
-
-import { describe, it, expect, vi } from "vitest";
-import { AgentLoop } from "../src/utils/agent/agent-loop";
-import type { AppConfig } from "../src/utils/config";
-import { ReviewDecision } from "../src/utils/agent/review";
-
-/* ─────────── 1.  Spy + module mock ─────────────────────────────── */
-const createSpy = vi.fn().mockResolvedValue({
-  data: { id: "resp_123", status: "completed", output: [] },
-});
-
-vi.mock("openai", () => ({
-  default: class {
-    public responses = { create: createSpy };
-  },
-  APIConnectionTimeoutError: class extends Error {},
-}));
-
-/* ─────────── 2.  Parametrised tests ─────────────────────────────── */
-describe.each([
-  { flag: true, title: "omits previous_response_id & sets store:false" },
-  { flag: false, title: "sends previous_response_id & allows store:true" },
-])("AgentLoop with disableResponseStorage=%s", ({ flag, title }) => {
-  /* build a fresh config for each case */
-  const cfg: AppConfig = {
-    model: "o4-mini",
-    provider: "openai",
-    instructions: "",
-    disableResponseStorage: flag,
-    notify: false,
-  };
-
-  it(title, async () => {
-    /* reset spy per iteration */
-    createSpy.mockClear();
-
-    const loop = new AgentLoop({
-      model: cfg.model,
-      provider: cfg.provider,
-      config: cfg,
-      instructions: "",
-      approvalPolicy: "suggest",
-      disableResponseStorage: flag,
-      additionalWritableRoots: [],
-      onItem() {},
-      onLoading() {},
-      getCommandConfirmation: async () => ({ review: ReviewDecision.YES }),
-      onLastResponseId() {},
-    });
-
-    await loop.run([
-      {
-        type: "message",
-        role: "user",
-        content: [{ type: "input_text", text: "hello" }],
-      },
-    ]);
-
-    expect(createSpy).toHaveBeenCalledTimes(1);
-
-    const call = createSpy.mock.calls[0];
-    if (!call) {
-      throw new Error("Expected createSpy to have been called at least once");
-    }
-    const payload: any = call[0];
-
-    if (flag) {
-      /* behaviour when ZDR is *on* */
-      expect(payload).not.toHaveProperty("previous_response_id");
-      if (payload.input) {
-        payload.input.forEach((m: any) => {
-          expect(m.store === undefined ? false : m.store).toBe(false);
-        });
-      }
-    } else {
-      /* behaviour when ZDR is *off* */
-      expect(payload).toHaveProperty("previous_response_id");
-      if (payload.input) {
-        payload.input.forEach((m: any) => {
-          if ("store" in m) {
-            expect(m.store).not.toBe(false);
-          }
-        });
-      }
-    }
-  });
-});

codex-cli/tests/disableResponseStorage.test.ts

@@ -1,43 +0,0 @@
-/**
- * codex/codex-cli/tests/disableResponseStorage.test.ts
- */
-
-import { describe, it, expect, beforeAll, afterAll } from "vitest";
-import { mkdtempSync, rmSync, writeFileSync, mkdirSync } from "node:fs";
-import { join } from "node:path";
-import { tmpdir } from "node:os";
-
-import { loadConfig, saveConfig } from "../src/utils/config";
-import type { AppConfig } from "../src/utils/config";
-
-const sandboxHome: string = mkdtempSync(join(tmpdir(), "codex-home-"));
-const codexDir: string = join(sandboxHome, ".codex");
-const yamlPath: string = join(codexDir, "config.yaml");
-
-describe("disableResponseStorage persistence", () => {
-  beforeAll((): void => {
-    // mkdir -p ~/.codex inside the sandbox
-    rmSync(codexDir, { recursive: true, force: true });
-    mkdirSync(codexDir, { recursive: true });
-
-    // seed YAML with ZDR enabled
-    writeFileSync(yamlPath, "model: o4-mini\ndisableResponseStorage: true\n");
-  });
-
-  afterAll((): void => {
-    rmSync(sandboxHome, { recursive: true, force: true });
-  });
-
-  it("keeps disableResponseStorage=true across load/save cycle", async (): Promise<void> => {
-    // 1️⃣ explicitly load the sandbox file
-    const cfg1: AppConfig = loadConfig(yamlPath);
-    expect(cfg1.disableResponseStorage).toBe(true);
-
-    // 2️⃣ save right back to the same file
-    await saveConfig(cfg1, yamlPath);
-
-    // 3️⃣ reload and re-assert
-    const cfg2: AppConfig = loadConfig(yamlPath);
-    expect(cfg2.disableResponseStorage).toBe(true);
-  });
-});

codex-cli/tests/user-config-env.test.ts

@@ -1,62 +0,0 @@
-import { describe, it, expect, beforeEach, afterEach } from "vitest";
-import { mkdtempSync, writeFileSync, rmSync } from "fs";
-import { tmpdir } from "os";
-import { join } from "path";
-
-/**
- * Verifies that ~/.codex.env is parsed (lowest‑priority) when present.
- */
-
-describe("user‑wide ~/.codex.env support", () => {
-  const ORIGINAL_HOME = process.env["HOME"];
-  const ORIGINAL_API_KEY = process.env["OPENAI_API_KEY"];
-
-  let tempHome: string;
-
-  beforeEach(() => {
-    // Create an isolated fake $HOME directory.
-    tempHome = mkdtempSync(join(tmpdir(), "codex-home-"));
-    process.env["HOME"] = tempHome;
-
-    // Ensure the env var is unset so that the file value is picked up.
-    delete process.env["OPENAI_API_KEY"];
-
-    // Write ~/.codex.env with a dummy key.
-    writeFileSync(
-      join(tempHome, ".codex.env"),
-      "OPENAI_API_KEY=my-home-key\n",
-      {
-        encoding: "utf8",
-      },
-    );
-  });
-
-  afterEach(() => {
-    // Cleanup temp directory.
-    try {
-      rmSync(tempHome, { recursive: true, force: true });
-    } catch {
-      // ignore
-    }
-
-    // Restore original env.
-    if (ORIGINAL_HOME !== undefined) {
-      process.env["HOME"] = ORIGINAL_HOME;
-    } else {
-      delete process.env["HOME"];
-    }
-
-    if (ORIGINAL_API_KEY !== undefined) {
-      process.env["OPENAI_API_KEY"] = ORIGINAL_API_KEY;
-    } else {
-      delete process.env["OPENAI_API_KEY"];
-    }
-  });
-
-  it("loads the API key from ~/.codex.env when not set elsewhere", async () => {
-    // Import the config module AFTER setting up the fake env.
-    const { getApiKey } = await import("../src/utils/config.js");
-
-    expect(getApiKey("openai")).toBe("my-home-key");
-  });
-});

codex-rs/Cargo.lock

@@ -469,12 +469,13 @@ dependencies = [
 
 [[package]]
 name = "codex-cli"
-version = "0.0.2504292236"
+version = "0.1.0"
 dependencies = [
  "anyhow",
  "clap",
  "codex-core",
  "codex-exec",
+ "codex-interactive",
  "codex-repl",
  "codex-tui",
  "serde_json",
@@ -504,7 +505,6 @@ dependencies = [
  "mime_guess",
  "openssl-sys",
  "patch",
- "path-absolutize",
  "predicates",
  "rand",
  "reqwest",
@@ -524,14 +524,11 @@ dependencies = [
 
 [[package]]
 name = "codex-exec"
-version = "0.0.2504292236"
+version = "0.1.0"
 dependencies = [
  "anyhow",
- "chrono",
  "clap",
  "codex-core",
- "owo-colors 4.2.0",
- "shlex",
  "tokio",
  "tracing",
  "tracing-subscriber",
@@ -557,9 +554,19 @@ dependencies = [
  "tempfile",
 ]
 
+[[package]]
+name = "codex-interactive"
+version = "0.1.0"
+dependencies = [
+ "anyhow",
+ "clap",
+ "codex-core",
+ "tokio",
+]
+
 [[package]]
 name = "codex-repl"
-version = "0.0.2504292236"
+version = "0.1.0"
 dependencies = [
  "anyhow",
  "clap",

codex-rs/Cargo.toml

@@ -7,15 +7,7 @@ members = [
     "core",
     "exec",
     "execpolicy",
+    "interactive",
     "repl",
     "tui",
 ]
-
-[workspace.package]
-version = "0.0.2504292236"
-
-[profile.release]
-lto = "fat"
-# Because we bundle some of these executables with the TypeScript CLI, we
-# remove everything to make the binary as small as possible.
-strip = "symbols"

codex-rs/README.md

@@ -17,6 +17,7 @@ Currently, the Rust implementation is materially behind the TypeScript implement
 This folder is the root of a Cargo workspace. It contains quite a bit of experimental code, but here are the key crates:
 
 - [`core/`](./core) contains the business logic for Codex. Ultimately, we hope this to be a library crate that is generally useful for building other Rust/native applications that use Codex.
+- [`interactive/`](./interactive) CLI with a UX comparable to the TypeScript Codex CLI.
 - [`exec/`](./exec) "headless" CLI for use in automation.
 - [`tui/`](./tui) CLI that launches a fullscreen TUI built with [Ratatui](https://ratatui.rs/).
 - [`repl/`](./repl) CLI that launches a lightweight REPL similar to the Python or Node.js REPL.

codex-rs/apply-patch/src/lib.rs

@@ -86,8 +86,6 @@ pub enum ApplyPatchFileChange {
     Update {
         unified_diff: String,
         move_path: Option<PathBuf>,
-        /// new_content that will result after the unified_diff is applied.
-        new_content: String,
     },
 }
 
@@ -128,10 +126,7 @@ pub fn maybe_parse_apply_patch_verified(argv: &[String]) -> MaybeApplyPatchVerif
                         move_path,
                         chunks,
                     } => {
-                        let ApplyPatchFileUpdate {
-                            unified_diff,
-                            content: contents,
-                        } = match unified_diff_from_chunks(&path, &chunks) {
+                        let unified_diff = match unified_diff_from_chunks(&path, &chunks) {
                             Ok(diff) => diff,
                             Err(e) => {
                                 return MaybeApplyPatchVerified::CorrectnessError(e);
@@ -142,7 +137,6 @@ pub fn maybe_parse_apply_patch_verified(argv: &[String]) -> MaybeApplyPatchVerif
                             ApplyPatchFileChange::Update {
                                 unified_diff,
                                 move_path,
-                                new_content: contents,
                             },
                         );
                     }
@@ -522,17 +516,10 @@ fn apply_replacements(
     lines
 }
 
-/// Intended result of a file update for apply_patch.
-#[derive(Debug, Eq, PartialEq)]
-pub struct ApplyPatchFileUpdate {
-    unified_diff: String,
-    content: String,
-}
-
 pub fn unified_diff_from_chunks(
     path: &Path,
     chunks: &[UpdateFileChunk],
-) -> std::result::Result<ApplyPatchFileUpdate, ApplyPatchError> {
+) -> std::result::Result<String, ApplyPatchError> {
     unified_diff_from_chunks_with_context(path, chunks, 1)
 }
 
@@ -540,17 +527,13 @@ pub fn unified_diff_from_chunks_with_context(
     path: &Path,
     chunks: &[UpdateFileChunk],
     context: usize,
-) -> std::result::Result<ApplyPatchFileUpdate, ApplyPatchError> {
+) -> std::result::Result<String, ApplyPatchError> {
     let AppliedPatch {
         original_contents,
         new_contents,
     } = derive_new_contents_from_chunks(path, chunks)?;
     let text_diff = TextDiff::from_lines(&original_contents, &new_contents);
-    let unified_diff = text_diff.unified_diff().context_radius(context).to_string();
-    Ok(ApplyPatchFileUpdate {
-        unified_diff,
-        content: new_contents,
-    })
+    Ok(text_diff.unified_diff().context_radius(context).to_string())
 }
 
 /// Print the summary of changes in git-style format.
@@ -915,11 +898,7 @@ PATCH"#,
 -qux
 +QUX
 "#;
-        let expected = ApplyPatchFileUpdate {
-            unified_diff: expected_diff.to_string(),
-            content: "foo\nBAR\nbaz\nQUX\n".to_string(),
-        };
-        assert_eq!(expected, diff);
+        assert_eq!(expected_diff, diff);
     }
 
     #[test]
@@ -951,11 +930,7 @@ PATCH"#,
 +FOO
  bar
 "#;
-        let expected = ApplyPatchFileUpdate {
-            unified_diff: expected_diff.to_string(),
-            content: "FOO\nbar\nbaz\n".to_string(),
-        };
-        assert_eq!(expected, diff);
+        assert_eq!(expected_diff, diff);
     }
 
     #[test]
@@ -988,11 +963,7 @@ PATCH"#,
 -baz
 +BAZ
 "#;
-        let expected = ApplyPatchFileUpdate {
-            unified_diff: expected_diff.to_string(),
-            content: "foo\nbar\nBAZ\n".to_string(),
-        };
-        assert_eq!(expected, diff);
+        assert_eq!(expected_diff, diff);
     }
 
     #[test]
@@ -1022,11 +993,7 @@ PATCH"#,
  baz
 +quux
 "#;
-        let expected = ApplyPatchFileUpdate {
-            unified_diff: expected_diff.to_string(),
-            content: "foo\nbar\nbaz\nquux\n".to_string(),
-        };
-        assert_eq!(expected, diff);
+        assert_eq!(expected_diff, diff);
     }
 
     #[test]
@@ -1065,7 +1032,7 @@ PATCH"#,
 
         let diff = unified_diff_from_chunks(&path, chunks).unwrap();
 
-        let expected_diff = r#"@@ -1,6 +1,7 @@
+        let expected = r#"@@ -1,6 +1,7 @@
  a
 -b
 +B
@@ -1077,11 +1044,6 @@ PATCH"#,
 +g
 "#;
 
-        let expected = ApplyPatchFileUpdate {
-            unified_diff: expected_diff.to_string(),
-            content: "a\nB\nc\nd\nE\nf\ng\n".to_string(),
-        };
-
         assert_eq!(expected, diff);
 
         let mut stdout = Vec::new();

codex-rs/cli/Cargo.toml

@@ -1,25 +1,18 @@
 [package]
 name = "codex-cli"
-version = { workspace = true }
+version = "0.1.0"
 edition = "2021"
 
 [[bin]]
 name = "codex"
 path = "src/main.rs"
 
-[[bin]]
-name = "codex-linux-sandbox"
-path = "src/linux-sandbox/main.rs"
-
-[lib]
-name = "codex_cli"
-path = "src/lib.rs"
-
 [dependencies]
 anyhow = "1"
 clap = { version = "4", features = ["derive"] }
 codex-core = { path = "../core" }
 codex-exec = { path = "../exec" }
+codex-interactive = { path = "../interactive" }
 codex-repl = { path = "../repl" }
 codex-tui = { path = "../tui" }
 serde_json = "1"

codex-rs/cli/src/landlock.rs

@@ -1,37 +0,0 @@
-//! `debug landlock` implementation for the Codex CLI.
-//!
-//! On Linux the command is executed inside a Landlock + seccomp sandbox by
-//! calling the low-level `exec_linux` helper from `codex_core::linux`.
-
-use codex_core::protocol::SandboxPolicy;
-use std::os::unix::process::ExitStatusExt;
-use std::process;
-use std::process::Command;
-use std::process::ExitStatus;
-
-/// Execute `command` in a Linux sandbox (Landlock + seccomp) the way Codex
-/// would.
-pub fn run_landlock(command: Vec<String>, sandbox_policy: SandboxPolicy) -> anyhow::Result<()> {
-    if command.is_empty() {
-        anyhow::bail!("command args are empty");
-    }
-
-    // Spawn a new thread and apply the sandbox policies there.
-    let handle = std::thread::spawn(move || -> anyhow::Result<ExitStatus> {
-        codex_core::linux::apply_sandbox_policy_to_current_thread(sandbox_policy)?;
-        let status = Command::new(&command[0]).args(&command[1..]).status()?;
-        Ok(status)
-    });
-    let status = handle
-        .join()
-        .map_err(|e| anyhow::anyhow!("Failed to join thread: {e:?}"))??;
-
-    // Use ExitStatus to derive the exit code.
-    if let Some(code) = status.code() {
-        process::exit(code);
-    } else if let Some(signal) = status.signal() {
-        process::exit(128 + signal);
-    } else {
-        process::exit(1);
-    }
-}

codex-rs/cli/src/lib.rs

@@ -1,47 +0,0 @@
-#[cfg(target_os = "linux")]
-pub mod landlock;
-pub mod proto;
-pub mod seatbelt;
-
-use clap::Parser;
-use codex_core::protocol::SandboxPolicy;
-use codex_core::SandboxPermissionOption;
-
-#[derive(Debug, Parser)]
-pub struct SeatbeltCommand {
-    /// Convenience alias for low-friction sandboxed automatic execution (network-disabled sandbox that can write to cwd and TMPDIR)
-    #[arg(long = "full-auto", default_value_t = false)]
-    pub full_auto: bool,
-
-    #[clap(flatten)]
-    pub sandbox: SandboxPermissionOption,
-
-    /// Full command args to run under seatbelt.
-    #[arg(trailing_var_arg = true)]
-    pub command: Vec<String>,
-}
-
-#[derive(Debug, Parser)]
-pub struct LandlockCommand {
-    /// Convenience alias for low-friction sandboxed automatic execution (network-disabled sandbox that can write to cwd and TMPDIR)
-    #[arg(long = "full-auto", default_value_t = false)]
-    pub full_auto: bool,
-
-    #[clap(flatten)]
-    pub sandbox: SandboxPermissionOption,
-
-    /// Full command args to run under landlock.
-    #[arg(trailing_var_arg = true)]
-    pub command: Vec<String>,
-}
-
-pub fn create_sandbox_policy(full_auto: bool, sandbox: SandboxPermissionOption) -> SandboxPolicy {
-    if full_auto {
-        SandboxPolicy::new_full_auto_policy()
-    } else {
-        match sandbox.permissions.map(Into::into) {
-            Some(sandbox_policy) => sandbox_policy,
-            None => SandboxPolicy::new_read_only_policy(),
-        }
-    }
-}

codex-rs/cli/src/linux-sandbox/main.rs

@@ -1,22 +0,0 @@
-#[cfg(not(target_os = "linux"))]
-fn main() -> anyhow::Result<()> {
-    eprintln!("codex-linux-sandbox is not supported on this platform.");
-    std::process::exit(1);
-}
-
-#[cfg(target_os = "linux")]
-fn main() -> anyhow::Result<()> {
-    use clap::Parser;
-    use codex_cli::create_sandbox_policy;
-    use codex_cli::landlock;
-    use codex_cli::LandlockCommand;
-
-    let LandlockCommand {
-        full_auto,
-        sandbox,
-        command,
-    } = LandlockCommand::parse();
-    let sandbox_policy = create_sandbox_policy(full_auto, sandbox);
-    landlock::run_landlock(command, sandbox_policy)?;
-    Ok(())
-}

codex-rs/cli/src/main.rs

@@ -1,10 +1,12 @@
+mod proto;
+mod seatbelt;
+
+use std::path::PathBuf;
+
+use clap::ArgAction;
 use clap::Parser;
-use codex_cli::create_sandbox_policy;
-use codex_cli::proto;
-use codex_cli::seatbelt;
-use codex_cli::LandlockCommand;
-use codex_cli::SeatbeltCommand;
 use codex_exec::Cli as ExecCli;
+use codex_interactive::Cli as InteractiveCli;
 use codex_repl::Cli as ReplCli;
 use codex_tui::Cli as TuiCli;
 
@@ -22,7 +24,7 @@ use crate::proto::ProtoCli;
 )]
 struct MultitoolCli {
     #[clap(flatten)]
-    interactive: TuiCli,
+    interactive: InteractiveCli,
 
     #[clap(subcommand)]
     subcommand: Option<Subcommand>,
@@ -34,6 +36,10 @@ enum Subcommand {
     #[clap(visible_alias = "e")]
     Exec(ExecCli),
 
+    /// Run the TUI.
+    #[clap(visible_alias = "t")]
+    Tui(TuiCli),
+
     /// Run the REPL.
     #[clap(visible_alias = "r")]
     Repl(ReplCli),
@@ -56,9 +62,17 @@ struct DebugArgs {
 enum DebugCommand {
     /// Run a command under Seatbelt (macOS only).
     Seatbelt(SeatbeltCommand),
+}
 
-    /// Run a command under Landlock+seccomp (Linux only).
-    Landlock(LandlockCommand),
+#[derive(Debug, Parser)]
+struct SeatbeltCommand {
+    /// Writable folder for sandbox in full-auto mode (can be specified multiple times).
+    #[arg(long = "writable-root", short = 'w', value_name = "DIR", action = ArgAction::Append, use_value_delimiter = false)]
+    writable_roots: Vec<PathBuf>,
+
+    /// Full command args to run under seatbelt.
+    #[arg(trailing_var_arg = true)]
+    command: Vec<String>,
 }
 
 #[derive(Debug, Parser)]
@@ -70,11 +84,14 @@ async fn main() -> anyhow::Result<()> {
 
     match cli.subcommand {
         None => {
-            codex_tui::run_main(cli.interactive)?;
+            codex_interactive::run_main(cli.interactive).await?;
         }
         Some(Subcommand::Exec(exec_cli)) => {
             codex_exec::run_main(exec_cli).await?;
         }
+        Some(Subcommand::Tui(tui_cli)) => {
+            codex_tui::run_main(tui_cli)?;
+        }
         Some(Subcommand::Repl(repl_cli)) => {
             codex_repl::run_main(repl_cli).await?;
         }
@@ -84,24 +101,9 @@ async fn main() -> anyhow::Result<()> {
         Some(Subcommand::Debug(debug_args)) => match debug_args.cmd {
             DebugCommand::Seatbelt(SeatbeltCommand {
                 command,
-                sandbox,
-                full_auto,
+                writable_roots,
             }) => {
-                let sandbox_policy = create_sandbox_policy(full_auto, sandbox);
-                seatbelt::run_seatbelt(command, sandbox_policy).await?;
-            }
-            #[cfg(target_os = "linux")]
-            DebugCommand::Landlock(LandlockCommand {
-                command,
-                sandbox,
-                full_auto,
-            }) => {
-                let sandbox_policy = create_sandbox_policy(full_auto, sandbox);
-                codex_cli::landlock::run_landlock(command, sandbox_policy)?;
-            }
-            #[cfg(not(target_os = "linux"))]
-            DebugCommand::Landlock(_) => {
-                anyhow::bail!("Landlock is only supported on Linux.");
+                seatbelt::run_seatbelt(command, writable_roots).await?;
             }
         },
     }

codex-rs/cli/src/seatbelt.rs

@@ -1,11 +1,11 @@
 use codex_core::exec::create_seatbelt_command;
-use codex_core::protocol::SandboxPolicy;
+use std::path::PathBuf;
 
-pub async fn run_seatbelt(
+pub(crate) async fn run_seatbelt(
     command: Vec<String>,
-    sandbox_policy: SandboxPolicy,
+    writable_roots: Vec<PathBuf>,
 ) -> anyhow::Result<()> {
-    let seatbelt_command = create_seatbelt_command(command, &sandbox_policy);
+    let seatbelt_command = create_seatbelt_command(command, &writable_roots);
     let status = tokio::process::Command::new(seatbelt_command[0].clone())
         .args(&seatbelt_command[1..])
         .spawn()

codex-rs/core/Cargo.toml

@@ -21,7 +21,6 @@ fs-err = "3.1.0"
 futures = "0.3"
 mime_guess = "2.0"
 patch = "0.7"
-path-absolutize = "3.1.1"
 rand = "0.9"
 reqwest = { version = "0.12", features = ["json", "stream"] }
 serde = { version = "1", features = ["derive"] }

codex-rs/core/src/approval_mode_cli_arg.rs

@@ -1,16 +1,12 @@
 //! Standard type to use with the `--approval-mode` CLI option.
 //! Available when the `cli` feature is enabled for the crate.
 
-use std::path::PathBuf;
-
-use clap::ArgAction;
-use clap::Parser;
 use clap::ValueEnum;
 
 use crate::protocol::AskForApproval;
-use crate::protocol::SandboxPermission;
+use crate::protocol::SandboxPolicy;
 
-#[derive(Clone, Copy, Debug, ValueEnum)]
+#[derive(Clone, Debug, ValueEnum)]
 #[value(rename_all = "kebab-case")]
 pub enum ApprovalModeCliArg {
     /// Run all commands without asking for user approval.
@@ -28,6 +24,19 @@ pub enum ApprovalModeCliArg {
     Never,
 }
 
+#[derive(Clone, Debug, ValueEnum)]
+#[value(rename_all = "kebab-case")]
+pub enum SandboxModeCliArg {
+    /// Network syscalls will be blocked
+    NetworkRestricted,
+    /// Filesystem writes will be restricted
+    FileWriteRestricted,
+    /// Network and filesystem writes will be restricted
+    NetworkAndFileWriteRestricted,
+    /// No restrictions; full "unsandboxed" mode
+    DangerousNoRestrictions,
+}
+
 impl From<ApprovalModeCliArg> for AskForApproval {
     fn from(value: ApprovalModeCliArg) -> Self {
         match value {
@@ -38,83 +47,15 @@ impl From<ApprovalModeCliArg> for AskForApproval {
     }
 }
 
-#[derive(Parser, Debug)]
-pub struct SandboxPermissionOption {
-    /// Specify this flag multiple times to specify the full set of permissions
-    /// to grant to Codex.
-    ///
-    /// ```shell
-    /// codex -s disk-full-read-access \
-    ///       -s disk-write-cwd \
-    ///       -s disk-write-platform-user-temp-folder \
-    ///       -s disk-write-platform-global-temp-folder
-    /// ```
-    ///
-    /// Note disk-write-folder takes a value:
-    ///
-    /// ```shell
-    ///     -s disk-write-folder=$HOME/.pyenv/shims
-    /// ```
-    ///
-    /// These permissions are quite broad and should be used with caution:
-    ///
-    /// ```shell
-    ///     -s disk-full-write-access
-    ///     -s network-full-access
-    /// ```
-    #[arg(long = "sandbox-permission", short = 's', action = ArgAction::Append, value_parser = parse_sandbox_permission)]
-    pub permissions: Option<Vec<SandboxPermission>>,
-}
-
-/// Custom value-parser so we can keep the CLI surface small *and*
-/// still handle the parameterised `disk-write-folder` case.
-fn parse_sandbox_permission(raw: &str) -> std::io::Result<SandboxPermission> {
-    let base_path = std::env::current_dir()?;
-    parse_sandbox_permission_with_base_path(raw, base_path)
-}
-
-pub(crate) fn parse_sandbox_permission_with_base_path(
-    raw: &str,
-    base_path: PathBuf,
-) -> std::io::Result<SandboxPermission> {
-    use SandboxPermission::*;
-
-    if let Some(path) = raw.strip_prefix("disk-write-folder=") {
-        return if path.is_empty() {
-            Err(std::io::Error::new(
-                std::io::ErrorKind::InvalidInput,
-                "--sandbox-permission disk-write-folder=<PATH> requires a non-empty PATH",
-            ))
-        } else {
-            use path_absolutize::*;
-
-            let file = PathBuf::from(path);
-            let absolute_path = if file.is_relative() {
-                file.absolutize_from(base_path)
-            } else {
-                file.absolutize()
+impl From<SandboxModeCliArg> for SandboxPolicy {
+    fn from(value: SandboxModeCliArg) -> Self {
+        match value {
+            SandboxModeCliArg::NetworkRestricted => SandboxPolicy::NetworkRestricted,
+            SandboxModeCliArg::FileWriteRestricted => SandboxPolicy::FileWriteRestricted,
+            SandboxModeCliArg::NetworkAndFileWriteRestricted => {
+                SandboxPolicy::NetworkAndFileWriteRestricted
             }
-            .map(|path| path.into_owned())?;
-            Ok(DiskWriteFolder {
-                folder: absolute_path,
-            })
-        };
-    }
-
-    match raw {
-        "disk-full-read-access" => Ok(DiskFullReadAccess),
-        "disk-write-platform-user-temp-folder" => Ok(DiskWritePlatformUserTempFolder),
-        "disk-write-platform-global-temp-folder" => Ok(DiskWritePlatformGlobalTempFolder),
-        "disk-write-cwd" => Ok(DiskWriteCwd),
-        "disk-full-write-access" => Ok(DiskFullWriteAccess),
-        "network-full-access" => Ok(NetworkFullAccess),
-        _ => Err(
-            std::io::Error::new(
-                std::io::ErrorKind::InvalidInput,
-                format!(
-                    "`{raw}` is not a recognised permission.\nRun with `--help` to see the accepted values."
-                ),
-            )
-        ),
+            SandboxModeCliArg::DangerousNoRestrictions => SandboxPolicy::DangerousNoRestrictions,
+        }
     }
 }

codex-rs/core/src/codex.rs

@@ -3,6 +3,8 @@ use std::collections::HashSet;
 use std::io::Write;
 use std::path::Path;
 use std::path::PathBuf;
+use std::process::Command;
+use std::process::Stdio;
 use std::sync::Arc;
 use std::sync::Mutex;
 
@@ -34,6 +36,7 @@ use crate::exec::process_exec_tool_call;
 use crate::exec::ExecParams;
 use crate::exec::ExecToolCallOutput;
 use crate::exec::SandboxType;
+use crate::flags::OPENAI_DEFAULT_MODEL;
 use crate::flags::OPENAI_STREAM_MAX_RETRIES;
 use crate::models::ContentItem;
 use crate::models::FunctionCallOutputPayload;
@@ -483,6 +486,7 @@ async fn submission_loop(
                 sandbox_policy,
                 disable_response_storage,
             } => {
+                let model = model.unwrap_or_else(|| OPENAI_DEFAULT_MODEL.to_string());
                 info!(model, "Configuring session");
                 let client = ModelClient::new(model.clone());
 
@@ -861,7 +865,7 @@ async fn handle_function_call(
                 assess_command_safety(
                     &params.command,
                     sess.approval_policy,
-                    &sess.sandbox_policy,
+                    sess.sandbox_policy,
                     &state.approved_commands,
                 )
             };
@@ -916,11 +920,14 @@ async fn handle_function_call(
             )
             .await;
 
+            let roots_snapshot = { sess.writable_roots.lock().unwrap().clone() };
+
             let output_result = process_exec_tool_call(
                 params.clone(),
                 sandbox_type,
+                &roots_snapshot,
                 sess.ctrl_c.clone(),
-                &sess.sandbox_policy,
+                sess.sandbox_policy,
             )
             .await;
 
@@ -1003,13 +1010,16 @@ async fn handle_function_call(
                             )
                             .await;
 
+                            let retry_roots = { sess.writable_roots.lock().unwrap().clone() };
+
                             // This is an escalated retry; the policy will not be
                             // examined and the sandbox has been set to `None`.
                             let retry_output_result = process_exec_tool_call(
                                 params.clone(),
                                 SandboxType::None,
+                                &retry_roots,
                                 sess.ctrl_c.clone(),
-                                &sess.sandbox_policy,
+                                sess.sandbox_policy,
                             )
                             .await;
 
@@ -1338,7 +1348,6 @@ fn convert_apply_patch_to_protocol(
             ApplyPatchFileChange::Update {
                 unified_diff,
                 move_path,
-                new_content: _new_content,
             } => FileChange::Update {
                 unified_diff: unified_diff.clone(),
                 move_path: move_path.clone(),
@@ -1393,10 +1402,28 @@ fn apply_changes_from_apply_patch(
                 deleted.push(path.clone());
             }
             ApplyPatchFileChange::Update {
-                unified_diff: _unified_diff,
+                unified_diff,
                 move_path,
-                new_content,
             } => {
+                // TODO(mbolin): `patch` is not guaranteed to be available.
+                // Allegedly macOS provides it, but minimal Linux installs
+                // might omit it.
+                Command::new("patch")
+                    .arg(path)
+                    .arg("-p0")
+                    .stdout(Stdio::null())
+                    .stderr(Stdio::null())
+                    .stdin(Stdio::piped())
+                    .spawn()
+                    .and_then(|mut child| {
+                        let mut stdin = child.stdin.take().unwrap();
+                        stdin.write_all(unified_diff.as_bytes())?;
+                        stdin.flush()?;
+                        // Drop stdin to send EOF.
+                        drop(stdin);
+                        child.wait()
+                    })
+                    .with_context(|| format!("Failed to apply patch to {}", path.display()))?;
                 if let Some(move_path) = move_path {
                     if let Some(parent) = move_path.parent() {
                         if !parent.as_os_str().is_empty() {
@@ -1408,14 +1435,11 @@ fn apply_changes_from_apply_patch(
                             })?;
                         }
                     }
-
                     std::fs::rename(path, move_path)
                         .with_context(|| format!("Failed to rename file {}", path.display()))?;
-                    std::fs::write(move_path, new_content)?;
                     modified.push(move_path.clone());
                     deleted.push(path.clone());
                 } else {
-                    std::fs::write(path, new_content)?;
                     modified.push(path.clone());
                 }
             }

codex-rs/core/src/codex_wrapper.rs

@@ -2,29 +2,39 @@ use std::sync::atomic::AtomicU64;
 use std::sync::Arc;
 
 use crate::config::Config;
+use crate::protocol::AskForApproval;
 use crate::protocol::Event;
 use crate::protocol::EventMsg;
 use crate::protocol::Op;
+use crate::protocol::SandboxPolicy;
 use crate::protocol::Submission;
 use crate::util::notify_on_sigint;
 use crate::Codex;
 use tokio::sync::Notify;
+use tracing::debug;
 
 /// Spawn a new [`Codex`] and initialise the session.
 ///
 /// Returns the wrapped [`Codex`] **and** the `SessionInitialized` event that
 /// is received as a response to the initial `ConfigureSession` submission so
 /// that callers can surface the information to the UI.
-pub async fn init_codex(config: Config) -> anyhow::Result<(CodexWrapper, Event, Arc<Notify>)> {
+pub async fn init_codex(
+    approval_policy: AskForApproval,
+    sandbox_policy: SandboxPolicy,
+    disable_response_storage: bool,
+    model_override: Option<String>,
+) -> anyhow::Result<(CodexWrapper, Event, Arc<Notify>)> {
     let ctrl_c = notify_on_sigint();
+    let config = Config::load().unwrap_or_default();
+    debug!("loaded config: {config:?}");
     let codex = CodexWrapper::new(Codex::spawn(ctrl_c.clone())?);
     let init_id = codex
         .submit(Op::ConfigureSession {
-            model: config.model.clone(),
-            instructions: config.instructions.clone(),
-            approval_policy: config.approval_policy,
-            sandbox_policy: config.sandbox_policy,
-            disable_response_storage: config.disable_response_storage,
+            model: model_override.or_else(|| config.model.clone()),
+            instructions: config.instructions,
+            approval_policy,
+            sandbox_policy,
+            disable_response_storage,
         })
         .await?;
 

codex-rs/core/src/config.rs

@@ -1,264 +1,42 @@
-use crate::approval_mode_cli_arg::parse_sandbox_permission_with_base_path;
-use crate::flags::OPENAI_DEFAULT_MODEL;
-use crate::protocol::AskForApproval;
-use crate::protocol::SandboxPermission;
-use crate::protocol::SandboxPolicy;
 use dirs::home_dir;
 use serde::Deserialize;
-use std::path::PathBuf;
 
-/// Embedded fallback instructions that mirror the TypeScript CLI’s default
-/// system prompt. These are compiled into the binary so a clean install behaves
-/// correctly even if the user has not created `~/.codex/instructions.md`.
+/// Embedded fallback instructions that mirror the TypeScript CLI’s default system prompt. These
+/// are compiled into the binary so a clean install behaves correctly even if the user has not
+/// created `~/.codex/instructions.md`.
 const EMBEDDED_INSTRUCTIONS: &str = include_str!("../prompt.md");
 
-/// Application configuration loaded from disk and merged with overrides.
-#[derive(Debug, Clone)]
+#[derive(Default, Deserialize, Debug, Clone)]
 pub struct Config {
-    /// Optional override of model selection.
-    pub model: String,
-
-    /// Approval policy for executing commands.
-    pub approval_policy: AskForApproval,
-
-    pub sandbox_policy: SandboxPolicy,
-
-    /// Disable server-side response storage (sends the full conversation
-    /// context with every request). Currently necessary for OpenAI customers
-    /// who have opted into Zero Data Retention (ZDR).
-    pub disable_response_storage: bool,
-
-    /// System instructions.
-    pub instructions: Option<String>,
-}
-
-/// Base config deserialized from ~/.codex/config.toml.
-#[derive(Deserialize, Debug, Clone, Default)]
-pub struct ConfigToml {
-    /// Optional override of model selection.
     pub model: Option<String>,
-
-    /// Default approval policy for executing commands.
-    pub approval_policy: Option<AskForApproval>,
-
-    // The `default` attribute ensures that the field is treated as `None` when
-    // the key is omitted from the TOML. Without it, Serde treats the field as
-    // required because we supply a custom deserializer.
-    #[serde(default, deserialize_with = "deserialize_sandbox_permissions")]
-    pub sandbox_permissions: Option<Vec<SandboxPermission>>,
-
-    /// Disable server-side response storage (sends the full conversation
-    /// context with every request). Currently necessary for OpenAI customers
-    /// who have opted into Zero Data Retention (ZDR).
-    pub disable_response_storage: Option<bool>,
-
-    /// System instructions.
     pub instructions: Option<String>,
 }
 
-impl ConfigToml {
-    /// Attempt to parse the file at `~/.codex/config.toml`. If it does not
-    /// exist, return a default config. Though if it exists and cannot be
-    /// parsed, report that to the user and force them to fix it.
-    fn load_from_toml() -> std::io::Result<Self> {
-        let config_toml_path = codex_dir()?.join("config.toml");
-        match std::fs::read_to_string(&config_toml_path) {
-            Ok(contents) => toml::from_str::<Self>(&contents).map_err(|e| {
-                tracing::error!("Failed to parse config.toml: {e}");
-                std::io::Error::new(std::io::ErrorKind::InvalidData, e)
-            }),
-            Err(e) if e.kind() == std::io::ErrorKind::NotFound => {
-                tracing::info!("config.toml not found, using defaults");
-                Ok(Self::default())
-            }
-            Err(e) => {
-                tracing::error!("Failed to read config.toml: {e}");
-                Err(e)
-            }
-        }
-    }
-}
-
-fn deserialize_sandbox_permissions<'de, D>(
-    deserializer: D,
-) -> Result<Option<Vec<SandboxPermission>>, D::Error>
-where
-    D: serde::Deserializer<'de>,
-{
-    let permissions: Option<Vec<String>> = Option::deserialize(deserializer)?;
-
-    match permissions {
-        Some(raw_permissions) => {
-            let base_path = codex_dir().map_err(serde::de::Error::custom)?;
-
-            let converted = raw_permissions
-                .into_iter()
-                .map(|raw| {
-                    parse_sandbox_permission_with_base_path(&raw, base_path.clone())
-                        .map_err(serde::de::Error::custom)
-                })
-                .collect::<Result<Vec<_>, D::Error>>()?;
-
-            Ok(Some(converted))
-        }
-        None => Ok(None),
-    }
-}
-
-/// Optional overrides for user configuration (e.g., from CLI flags).
-#[derive(Default, Debug, Clone)]
-pub struct ConfigOverrides {
-    pub model: Option<String>,
-    pub approval_policy: Option<AskForApproval>,
-    pub sandbox_policy: Option<SandboxPolicy>,
-    pub disable_response_storage: Option<bool>,
-}
-
 impl Config {
-    /// Load configuration, optionally applying overrides (CLI flags). Merges
-    /// ~/.codex/config.toml, ~/.codex/instructions.md, embedded defaults, and
-    /// any values provided in `overrides` (highest precedence).
-    pub fn load_with_overrides(overrides: ConfigOverrides) -> std::io::Result<Self> {
-        let cfg: ConfigToml = ConfigToml::load_from_toml()?;
-        tracing::warn!("Config parsed from config.toml: {cfg:?}");
-        Ok(Self::load_from_base_config_with_overrides(cfg, overrides))
-    }
+    /// Load ~/.codex/config.toml and ~/.codex/instructions.md (if present).
+    /// Returns `None` if neither file exists.
+    pub fn load() -> Option<Self> {
+        let mut cfg: Config = Self::load_from_toml().unwrap_or_default();
 
-    fn load_from_base_config_with_overrides(cfg: ConfigToml, overrides: ConfigOverrides) -> Self {
-        // Instructions: user-provided instructions.md > embedded default.
-        let instructions =
+        // Highest precedence → user‑provided ~/.codex/instructions.md (if present)
+        // Fallback           → embedded default instructions baked into the binary
+
+        cfg.instructions =
             Self::load_instructions().or_else(|| Some(EMBEDDED_INSTRUCTIONS.to_string()));
 
-        // Destructure ConfigOverrides fully to ensure all overrides are applied.
-        let ConfigOverrides {
-            model,
-            approval_policy,
-            sandbox_policy,
-            disable_response_storage,
-        } = overrides;
+        Some(cfg)
+    }
 
-        let sandbox_policy = match sandbox_policy {
-            Some(sandbox_policy) => sandbox_policy,
-            None => {
-                // Derive a SandboxPolicy from the permissions in the config.
-                match cfg.sandbox_permissions {
-                    // Note this means the user can explicitly set permissions
-                    // to the empty list in the config file, granting it no
-                    // permissions whatsoever.
-                    Some(permissions) => SandboxPolicy::from(permissions),
-                    // Default to read only rather than completely locked down.
-                    None => SandboxPolicy::new_read_only_policy(),
-                }
-            }
-        };
-
-        Self {
-            model: model.or(cfg.model).unwrap_or_else(default_model),
-            approval_policy: approval_policy
-                .or(cfg.approval_policy)
-                .unwrap_or_else(AskForApproval::default),
-            sandbox_policy,
-            disable_response_storage: disable_response_storage
-                .or(cfg.disable_response_storage)
-                .unwrap_or(false),
-            instructions,
-        }
+    fn load_from_toml() -> Option<Self> {
+        let mut p = home_dir()?;
+        p.push(".codex/config.toml");
+        let contents = std::fs::read_to_string(&p).ok()?;
+        toml::from_str(&contents).ok()
     }
 
     fn load_instructions() -> Option<String> {
-        let mut p = codex_dir().ok()?;
-        p.push("instructions.md");
+        let mut p = home_dir()?;
+        p.push(".codex/instructions.md");
         std::fs::read_to_string(&p).ok()
     }
-
-    /// Meant to be used exclusively for tests: `load_with_overrides()` should
-    /// be used in all other cases.
-    pub fn load_default_config_for_test() -> Self {
-        Self::load_from_base_config_with_overrides(
-            ConfigToml::default(),
-            ConfigOverrides::default(),
-        )
-    }
-}
-
-fn default_model() -> String {
-    OPENAI_DEFAULT_MODEL.to_string()
-}
-
-/// Returns the path to the Codex configuration directory, which is `~/.codex`.
-/// Does not verify that the directory exists.
-pub fn codex_dir() -> std::io::Result<PathBuf> {
-    let mut p = home_dir().ok_or_else(|| {
-        std::io::Error::new(
-            std::io::ErrorKind::NotFound,
-            "Could not find home directory",
-        )
-    })?;
-    p.push(".codex");
-    Ok(p)
-}
-
-/// Returns the path to the folder where Codex logs are stored. Does not verify
-/// that the directory exists.
-pub fn log_dir() -> std::io::Result<PathBuf> {
-    let mut p = codex_dir()?;
-    p.push("log");
-    Ok(p)
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    /// Verify that the `sandbox_permissions` field on `ConfigToml` correctly
-    /// differentiates between a value that is completely absent in the
-    /// provided TOML (i.e. `None`) and one that is explicitly specified as an
-    /// empty array (i.e. `Some(vec![])`). This ensures that downstream logic
-    /// that treats these two cases differently (default read-only policy vs a
-    /// fully locked-down sandbox) continues to function.
-    #[test]
-    fn test_sandbox_permissions_none_vs_empty_vec() {
-        // Case 1: `sandbox_permissions` key is *absent* from the TOML source.
-        let toml_source_without_key = "";
-        let cfg_without_key: ConfigToml = toml::from_str(toml_source_without_key)
-            .expect("TOML deserialization without key should succeed");
-        assert!(cfg_without_key.sandbox_permissions.is_none());
-
-        // Case 2: `sandbox_permissions` is present but set to an *empty array*.
-        let toml_source_with_empty = "sandbox_permissions = []";
-        let cfg_with_empty: ConfigToml = toml::from_str(toml_source_with_empty)
-            .expect("TOML deserialization with empty array should succeed");
-        assert_eq!(Some(vec![]), cfg_with_empty.sandbox_permissions);
-
-        // Case 3: `sandbox_permissions` contains a non-empty list of valid values.
-        let toml_source_with_values = r#"
-            sandbox_permissions = ["disk-full-read-access", "network-full-access"]
-        "#;
-        let cfg_with_values: ConfigToml = toml::from_str(toml_source_with_values)
-            .expect("TOML deserialization with valid permissions should succeed");
-
-        assert_eq!(
-            Some(vec![
-                SandboxPermission::DiskFullReadAccess,
-                SandboxPermission::NetworkFullAccess
-            ]),
-            cfg_with_values.sandbox_permissions
-        );
-    }
-
-    /// Deserializing a TOML string containing an *invalid* permission should
-    /// fail with a helpful error rather than silently defaulting or
-    /// succeeding.
-    #[test]
-    fn test_sandbox_permissions_illegal_value() {
-        let toml_bad = r#"sandbox_permissions = ["not-a-real-permission"]"#;
-
-        let err = toml::from_str::<ConfigToml>(toml_bad)
-            .expect_err("Deserialization should fail for invalid permission");
-
-        // Make sure the error message contains the invalid value so users have
-        // useful feedback.
-        let msg = err.to_string();
-        assert!(msg.contains("not-a-real-permission"));
-    }
 }

codex-rs/core/src/exec.rs

@@ -1,6 +1,7 @@
 use std::io;
 #[cfg(target_family = "unix")]
 use std::os::unix::process::ExitStatusExt;
+use std::path::PathBuf;
 use std::process::ExitStatus;
 use std::process::Stdio;
 use std::sync::Arc;
@@ -32,13 +33,7 @@ const DEFAULT_TIMEOUT_MS: u64 = 10_000;
 const SIGKILL_CODE: i32 = 9;
 const TIMEOUT_CODE: i32 = 64;
 
-const MACOS_SEATBELT_BASE_POLICY: &str = include_str!("seatbelt_base_policy.sbpl");
-
-/// When working with `sandbox-exec`, only consider `sandbox-exec` in `/usr/bin`
-/// to defend against an attacker trying to inject a malicious version on the
-/// PATH. If /usr/bin/sandbox-exec has been tampered with, then the attacker
-/// already has root access.
-const MACOS_PATH_TO_SEATBELT_EXECUTABLE: &str = "/usr/bin/sandbox-exec";
+const MACOS_SEATBELT_READONLY_POLICY: &str = include_str!("seatbelt_readonly_policy.sbpl");
 
 #[derive(Deserialize, Debug, Clone)]
 pub struct ExecParams {
@@ -66,17 +61,19 @@ pub enum SandboxType {
 #[cfg(target_os = "linux")]
 async fn exec_linux(
     params: ExecParams,
+    writable_roots: &[PathBuf],
     ctrl_c: Arc<Notify>,
-    sandbox_policy: &SandboxPolicy,
+    sandbox_policy: SandboxPolicy,
 ) -> Result<RawExecToolCallOutput> {
-    crate::linux::exec_linux(params, ctrl_c, sandbox_policy).await
+    crate::linux::exec_linux(params, writable_roots, ctrl_c, sandbox_policy).await
 }
 
 #[cfg(not(target_os = "linux"))]
 async fn exec_linux(
     _params: ExecParams,
+    _writable_roots: &[PathBuf],
     _ctrl_c: Arc<Notify>,
-    _sandbox_policy: &SandboxPolicy,
+    _sandbox_policy: SandboxPolicy,
 ) -> Result<RawExecToolCallOutput> {
     Err(CodexErr::Io(io::Error::new(
         io::ErrorKind::InvalidInput,
@@ -87,8 +84,9 @@ async fn exec_linux(
 pub async fn process_exec_tool_call(
     params: ExecParams,
     sandbox_type: SandboxType,
+    writable_roots: &[PathBuf],
     ctrl_c: Arc<Notify>,
-    sandbox_policy: &SandboxPolicy,
+    sandbox_policy: SandboxPolicy,
 ) -> Result<ExecToolCallOutput> {
     let start = Instant::now();
 
@@ -100,7 +98,7 @@ pub async fn process_exec_tool_call(
                 workdir,
                 timeout_ms,
             } = params;
-            let seatbelt_command = create_seatbelt_command(command, sandbox_policy);
+            let seatbelt_command = create_seatbelt_command(command, writable_roots);
             exec(
                 ExecParams {
                     command: seatbelt_command,
@@ -111,7 +109,9 @@ pub async fn process_exec_tool_call(
             )
             .await
         }
-        SandboxType::LinuxSeccomp => exec_linux(params, ctrl_c, sandbox_policy).await,
+        SandboxType::LinuxSeccomp => {
+            exec_linux(params, writable_roots, ctrl_c, sandbox_policy).await
+        }
     };
     let duration = start.elapsed();
     match raw_output_result {
@@ -154,63 +154,31 @@ pub async fn process_exec_tool_call(
     }
 }
 
-pub fn create_seatbelt_command(
-    command: Vec<String>,
-    sandbox_policy: &SandboxPolicy,
-) -> Vec<String> {
-    let (file_write_policy, extra_cli_args) = {
-        if sandbox_policy.has_full_disk_write_access() {
-            // Allegedly, this is more permissive than `(allow file-write*)`.
-            (
-                r#"(allow file-write* (regex #"^/"))"#.to_string(),
-                Vec::<String>::new(),
-            )
-        } else {
-            let writable_roots = sandbox_policy.get_writable_roots();
-            let (writable_folder_policies, cli_args): (Vec<String>, Vec<String>) = writable_roots
-                .iter()
-                .enumerate()
-                .map(|(index, root)| {
-                    let param_name = format!("WRITABLE_ROOT_{index}");
-                    let policy: String = format!("(subpath (param \"{param_name}\"))");
-                    let cli_arg = format!("-D{param_name}={}", root.to_string_lossy());
-                    (policy, cli_arg)
-                })
-                .unzip();
-            if writable_folder_policies.is_empty() {
-                ("".to_string(), Vec::<String>::new())
-            } else {
-                let file_write_policy = format!(
-                    "(allow file-write*\n{}\n)",
-                    writable_folder_policies.join(" ")
-                );
-                (file_write_policy, cli_args)
-            }
-        }
-    };
+pub fn create_seatbelt_command(command: Vec<String>, writable_roots: &[PathBuf]) -> Vec<String> {
+    let (policies, cli_args): (Vec<String>, Vec<String>) = writable_roots
+        .iter()
+        .enumerate()
+        .map(|(index, root)| {
+            let param_name = format!("WRITABLE_ROOT_{index}");
+            let policy: String = format!("(subpath (param \"{param_name}\"))");
+            let cli_arg = format!("-D{param_name}={}", root.to_string_lossy());
+            (policy, cli_arg)
+        })
+        .unzip();
 
-    let file_read_policy = if sandbox_policy.has_full_disk_read_access() {
-        "; allow read-only file operations\n(allow file-read*)"
+    let full_policy = if policies.is_empty() {
+        MACOS_SEATBELT_READONLY_POLICY.to_string()
     } else {
-        ""
+        let scoped_write_policy = format!("(allow file-write*\n{}\n)", policies.join(" "));
+        format!("{MACOS_SEATBELT_READONLY_POLICY}\n{scoped_write_policy}")
     };
 
-    // TODO(mbolin): apply_patch calls must also honor the SandboxPolicy.
-    let network_policy = if sandbox_policy.has_full_network_access() {
-        "(allow network-outbound)\n(allow network-inbound)\n(allow system-socket)"
-    } else {
-        ""
-    };
-
-    let full_policy = format!(
-        "{MACOS_SEATBELT_BASE_POLICY}\n{file_read_policy}\n{file_write_policy}\n{network_policy}"
-    );
     let mut seatbelt_command: Vec<String> = vec![
-        MACOS_PATH_TO_SEATBELT_EXECUTABLE.to_string(),
+        "sandbox-exec".to_string(),
         "-p".to_string(),
-        full_policy,
+        full_policy.to_string(),
     ];
-    seatbelt_command.extend(extra_cli_args);
+    seatbelt_command.extend(cli_args);
     seatbelt_command.push("--".to_string());
     seatbelt_command.extend(command);
     seatbelt_command

codex-rs/core/src/lib.rs

@@ -14,7 +14,7 @@ pub mod exec;
 mod flags;
 mod is_safe_command;
 #[cfg(target_os = "linux")]
-pub mod linux;
+mod linux;
 mod models;
 pub mod protocol;
 mod safety;
@@ -28,4 +28,4 @@ mod approval_mode_cli_arg;
 #[cfg(feature = "cli")]
 pub use approval_mode_cli_arg::ApprovalModeCliArg;
 #[cfg(feature = "cli")]
-pub use approval_mode_cli_arg::SandboxPermissionOption;
+pub use approval_mode_cli_arg::SandboxModeCliArg;

codex-rs/core/src/linux.rs

@@ -32,13 +32,14 @@ use tokio::sync::Notify;
 
 pub async fn exec_linux(
     params: ExecParams,
+    writable_roots: &[PathBuf],
     ctrl_c: Arc<Notify>,
-    sandbox_policy: &SandboxPolicy,
+    sandbox_policy: SandboxPolicy,
 ) -> Result<RawExecToolCallOutput> {
     // Allow READ on /
     // Allow WRITE on /dev/null
     let ctrl_c_copy = ctrl_c.clone();
-    let sandbox_policy = sandbox_policy.clone();
+    let writable_roots_copy = writable_roots.to_vec();
 
     // Isolate thread to run the sandbox from
     let tool_call_output = std::thread::spawn(move || {
@@ -48,7 +49,14 @@ pub async fn exec_linux(
             .expect("Failed to create runtime");
 
         rt.block_on(async {
-            apply_sandbox_policy_to_current_thread(sandbox_policy)?;
+            if sandbox_policy.is_network_restricted() {
+                install_network_seccomp_filter_on_current_thread()?;
+            }
+
+            if sandbox_policy.is_file_write_restricted() {
+                install_filesystem_landlock_rules_on_current_thread(writable_roots_copy)?;
+            }
+
             exec(params, ctrl_c_copy).await
         })
     })
@@ -64,30 +72,6 @@ pub async fn exec_linux(
     }
 }
 
-/// Apply sandbox policies inside this thread so only the child inherits
-/// them, not the entire CLI process.
-pub fn apply_sandbox_policy_to_current_thread(sandbox_policy: SandboxPolicy) -> Result<()> {
-    if !sandbox_policy.has_full_network_access() {
-        install_network_seccomp_filter_on_current_thread()?;
-    }
-
-    if !sandbox_policy.has_full_disk_write_access() {
-        let writable_roots = sandbox_policy.get_writable_roots();
-        install_filesystem_landlock_rules_on_current_thread(writable_roots)?;
-    }
-
-    // TODO(ragona): Add appropriate restrictions if
-    // `sandbox_policy.has_full_disk_read_access()` is `false`.
-
-    Ok(())
-}
-
-/// Installs Landlock file-system rules on the current thread allowing read
-/// access to the entire file-system while restricting write access to
-/// `/dev/null` and the provided list of `writable_roots`.
-///
-/// # Errors
-/// Returns [`CodexErr::Sandbox`] variants when the ruleset fails to apply.
 fn install_filesystem_landlock_rules_on_current_thread(writable_roots: Vec<PathBuf>) -> Result<()> {
     let abi = ABI::V5;
     let access_rw = AccessFs::from_all(abi);
@@ -114,8 +98,6 @@ fn install_filesystem_landlock_rules_on_current_thread(writable_roots: Vec<PathB
     Ok(())
 }
 
-/// Installs a seccomp filter that blocks outbound network access except for
-/// AF_UNIX domain sockets.
 fn install_network_seccomp_filter_on_current_thread() -> std::result::Result<(), SandboxErr> {
     // Build rule map.
     let mut rules: BTreeMap<i64, Vec<SeccompRule>> = BTreeMap::new();
@@ -192,14 +174,15 @@ mod tests_linux {
             workdir: None,
             timeout_ms: Some(timeout_ms),
         };
-
-        let sandbox_policy =
-            SandboxPolicy::new_read_only_policy_with_writable_roots(writable_roots);
-        let ctrl_c = Arc::new(Notify::new());
-        let res =
-            process_exec_tool_call(params, SandboxType::LinuxSeccomp, ctrl_c, &sandbox_policy)
-                .await
-                .unwrap();
+        let res = process_exec_tool_call(
+            params,
+            SandboxType::LinuxSeccomp,
+            writable_roots,
+            Arc::new(Notify::new()),
+            SandboxPolicy::NetworkAndFileWriteRestricted,
+        )
+        .await
+        .unwrap();
 
         if res.exit_code != 0 {
             println!("stdout:\n{}", res.stdout);
@@ -242,9 +225,7 @@ mod tests_linux {
                 &format!("echo blah > {}", file_path.to_string_lossy()),
             ],
             &[tmpdir.path().to_path_buf()],
-            // We have seen timeouts when running this test in CI on GitHub,
-            // so we are using a generous timeout until we can diagnose further.
-            1_000,
+            500,
         )
         .await;
     }
@@ -268,11 +249,14 @@ mod tests_linux {
             timeout_ms: Some(2_000),
         };
 
-        let sandbox_policy = SandboxPolicy::new_read_only_policy();
-        let ctrl_c = Arc::new(Notify::new());
-        let result =
-            process_exec_tool_call(params, SandboxType::LinuxSeccomp, ctrl_c, &sandbox_policy)
-                .await;
+        let result = process_exec_tool_call(
+            params,
+            SandboxType::LinuxSeccomp,
+            &[],
+            Arc::new(Notify::new()),
+            SandboxPolicy::NetworkRestricted,
+        )
+        .await;
 
         let (exit_code, stdout, stderr) = match result {
             Ok(output) => (output.exit_code, output.stdout, output.stderr),

codex-rs/core/src/protocol.rs

@@ -26,7 +26,7 @@ pub enum Op {
     /// Configure the model session.
     ConfigureSession {
         /// If not specified, server will use its default model.
-        model: String,
+        model: Option<String>,
         /// Model instructions
         instructions: Option<String>,
         /// When to escalate for approval for execution
@@ -66,13 +66,11 @@ pub enum Op {
 }
 
 /// Determines how liberally commands are auto‑approved by the system.
-#[derive(Debug, Clone, Copy, Default, PartialEq, Eq, Hash, Serialize, Deserialize)]
-#[serde(rename_all = "kebab-case")]
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
 pub enum AskForApproval {
     /// Under this policy, only “known safe” commands—as determined by
     /// `is_safe_command()`—that **only read files** are auto‑approved.
     /// Everything else will ask the user to approve.
-    #[default]
     UnlessAllowListed,
 
     /// In addition to everything allowed by **`Suggest`**, commands that
@@ -93,159 +91,42 @@ pub enum AskForApproval {
 }
 
 /// Determines execution restrictions for model shell commands
-#[derive(Debug, Clone, PartialEq, Eq, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct SandboxPolicy {
-    permissions: Vec<SandboxPermission>,
-}
-
-impl From<Vec<SandboxPermission>> for SandboxPolicy {
-    fn from(permissions: Vec<SandboxPermission>) -> Self {
-        Self { permissions }
-    }
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
+pub enum SandboxPolicy {
+    /// Network syscalls will be blocked
+    NetworkRestricted,
+    /// Filesystem writes will be restricted
+    FileWriteRestricted,
+    /// Network and filesystem writes will be restricted
+    NetworkAndFileWriteRestricted,
+    /// No restrictions; full "unsandboxed" mode
+    DangerousNoRestrictions,
 }
 
 impl SandboxPolicy {
-    pub fn new_read_only_policy() -> Self {
-        Self {
-            permissions: vec![SandboxPermission::DiskFullReadAccess],
+    pub fn is_dangerous(&self) -> bool {
+        match self {
+            SandboxPolicy::NetworkRestricted => false,
+            SandboxPolicy::FileWriteRestricted => false,
+            SandboxPolicy::NetworkAndFileWriteRestricted => false,
+            SandboxPolicy::DangerousNoRestrictions => true,
         }
     }
 
-    pub fn new_read_only_policy_with_writable_roots(writable_roots: &[PathBuf]) -> Self {
-        let mut permissions = Self::new_read_only_policy().permissions;
-        permissions.extend(writable_roots.iter().map(|folder| {
-            SandboxPermission::DiskWriteFolder {
-                folder: folder.clone(),
-            }
-        }));
-        Self { permissions }
+    pub fn is_network_restricted(&self) -> bool {
+        matches!(
+            self,
+            SandboxPolicy::NetworkRestricted | SandboxPolicy::NetworkAndFileWriteRestricted
+        )
     }
 
-    pub fn new_full_auto_policy() -> Self {
-        Self {
-            permissions: vec![
-                SandboxPermission::DiskFullReadAccess,
-                SandboxPermission::DiskWritePlatformUserTempFolder,
-                SandboxPermission::DiskWriteCwd,
-            ],
-        }
-    }
-
-    pub fn has_full_disk_read_access(&self) -> bool {
-        self.permissions
-            .iter()
-            .any(|perm| matches!(perm, SandboxPermission::DiskFullReadAccess))
-    }
-
-    pub fn has_full_disk_write_access(&self) -> bool {
-        self.permissions
-            .iter()
-            .any(|perm| matches!(perm, SandboxPermission::DiskFullWriteAccess))
-    }
-
-    pub fn has_full_network_access(&self) -> bool {
-        self.permissions
-            .iter()
-            .any(|perm| matches!(perm, SandboxPermission::NetworkFullAccess))
-    }
-
-    pub fn get_writable_roots(&self) -> Vec<PathBuf> {
-        let mut writable_roots = Vec::<PathBuf>::new();
-        for perm in &self.permissions {
-            use SandboxPermission::*;
-            match perm {
-                DiskWritePlatformUserTempFolder => {
-                    if cfg!(target_os = "macos") {
-                        if let Some(tempdir) = std::env::var_os("TMPDIR") {
-                            // Likely something that starts with /var/folders/...
-                            let tmpdir_path = PathBuf::from(&tempdir);
-                            if tmpdir_path.is_absolute() {
-                                writable_roots.push(tmpdir_path.clone());
-                                match tmpdir_path.canonicalize() {
-                                    Ok(canonicalized) => {
-                                        // Likely something that starts with /private/var/folders/...
-                                        if canonicalized != tmpdir_path {
-                                            writable_roots.push(canonicalized);
-                                        }
-                                    }
-                                    Err(e) => {
-                                        tracing::error!("Failed to canonicalize TMPDIR: {e}");
-                                    }
-                                }
-                            } else {
-                                tracing::error!("TMPDIR is not an absolute path: {tempdir:?}");
-                            }
-                        }
-                    }
-
-                    // For Linux, should this be XDG_RUNTIME_DIR, /run/user/<uid>, or something else?
-                }
-                DiskWritePlatformGlobalTempFolder => {
-                    if cfg!(unix) {
-                        writable_roots.push(PathBuf::from("/tmp"));
-                    }
-                }
-                DiskWriteCwd => match std::env::current_dir() {
-                    Ok(cwd) => writable_roots.push(cwd),
-                    Err(err) => {
-                        tracing::error!("Failed to get current working directory: {err}");
-                    }
-                },
-                DiskWriteFolder { folder } => {
-                    writable_roots.push(folder.clone());
-                }
-                DiskFullReadAccess | NetworkFullAccess => {}
-                DiskFullWriteAccess => {
-                    // Currently, we expect callers to only invoke this method
-                    // after verifying has_full_disk_write_access() is false.
-                }
-            }
-        }
-        writable_roots
-    }
-
-    pub fn is_unrestricted(&self) -> bool {
-        self.has_full_disk_read_access()
-            && self.has_full_disk_write_access()
-            && self.has_full_network_access()
+    pub fn is_file_write_restricted(&self) -> bool {
+        matches!(
+            self,
+            SandboxPolicy::FileWriteRestricted | SandboxPolicy::NetworkAndFileWriteRestricted
+        )
     }
 }
-
-/// Permissions that should be granted to the sandbox in which the agent
-/// operates.
-#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
-#[serde(rename_all = "kebab-case")]
-pub enum SandboxPermission {
-    /// Is allowed to read all files on disk.
-    DiskFullReadAccess,
-
-    /// Is allowed to write to the operating system's temp dir that
-    /// is restricted to the user the agent is running as. For
-    /// example, on macOS, this is generally something under
-    /// `/var/folders` as opposed to `/tmp`.
-    DiskWritePlatformUserTempFolder,
-
-    /// Is allowed to write to the operating system's shared temp
-    /// dir. On UNIX, this is generally `/tmp`.
-    DiskWritePlatformGlobalTempFolder,
-
-    /// Is allowed to write to the current working directory (in practice, this
-    /// is the `cwd` where `codex` was spawned).
-    DiskWriteCwd,
-
-    /// Is allowed to the specified folder. `PathBuf` must be an
-    /// absolute path, though it is up to the caller to canonicalize
-    /// it if the path contains symlinks.
-    DiskWriteFolder { folder: PathBuf },
-
-    /// Is allowed to write to any file on disk.
-    DiskFullWriteAccess,
-
-    /// Can make arbitrary network requests.
-    NetworkFullAccess,
-}
-
 /// User input
 #[non_exhaustive]
 #[derive(Debug, Clone, Deserialize, Serialize)]

codex-rs/core/src/safety.rs

@@ -65,7 +65,7 @@ pub fn assess_patch_safety(
 pub fn assess_command_safety(
     command: &[String],
     approval_policy: AskForApproval,
-    sandbox_policy: &SandboxPolicy,
+    sandbox_policy: SandboxPolicy,
     approved: &HashSet<Vec<String>>,
 ) -> SafetyCheck {
     let approve_without_sandbox = || SafetyCheck::AutoApprove {
@@ -81,10 +81,11 @@ pub fn assess_command_safety(
     }
 
     // Command was not known-safe or allow-listed
-    if sandbox_policy.is_unrestricted() {
-        approve_without_sandbox()
-    } else {
-        match get_platform_sandbox() {
+    match sandbox_policy {
+        // Only the dangerous sandbox policy will run arbitrary commands outside a sandbox
+        SandboxPolicy::DangerousNoRestrictions => approve_without_sandbox(),
+        // All other policies try to run the command in a sandbox if it is available
+        _ => match get_platform_sandbox() {
             // We have a sandbox, so we can approve the command in all modes
             Some(sandbox_type) => SafetyCheck::AutoApprove { sandbox_type },
             None => {
@@ -98,7 +99,7 @@ pub fn assess_command_safety(
                     _ => SafetyCheck::AskUser,
                 }
             }
-        }
+        },
     }
 }
 

codex-rs/core/src/seatbelt_readonly_policy.sbpl

@@ -6,6 +6,9 @@
 ; start with closed-by-default
 (deny default)
 
+; allow read-only file operations
+(allow file-read*)
+
 ; child processes inherit the policy of their parent
 (allow process-exec)
 (allow process-fork)

codex-rs/core/tests/live_agent.rs

@@ -17,7 +17,7 @@
 
 use std::time::Duration;
 
-use codex_core::config::Config;
+use codex_core::protocol::AskForApproval;
 use codex_core::protocol::EventMsg;
 use codex_core::protocol::InputItem;
 use codex_core::protocol::Op;
@@ -47,15 +47,14 @@ async fn spawn_codex() -> Codex {
 
     let agent = Codex::spawn(std::sync::Arc::new(Notify::new())).unwrap();
 
-    let config = Config::load_default_config_for_test();
     agent
         .submit(Submission {
             id: "init".into(),
             op: Op::ConfigureSession {
-                model: config.model,
+                model: None,
                 instructions: None,
-                approval_policy: config.approval_policy,
-                sandbox_policy: SandboxPolicy::new_read_only_policy(),
+                approval_policy: AskForApproval::OnFailure,
+                sandbox_policy: SandboxPolicy::NetworkAndFileWriteRestricted,
                 disable_response_storage: false,
             },
         })

codex-rs/core/tests/previous_response_id.rs

@@ -1,6 +1,6 @@
 use std::time::Duration;
 
-use codex_core::config::Config;
+use codex_core::protocol::AskForApproval;
 use codex_core::protocol::InputItem;
 use codex_core::protocol::Op;
 use codex_core::protocol::SandboxPolicy;
@@ -87,15 +87,14 @@ async fn keeps_previous_response_id_between_tasks() {
     let codex = Codex::spawn(std::sync::Arc::new(tokio::sync::Notify::new())).unwrap();
 
     // Init session
-    let config = Config::load_default_config_for_test();
     codex
         .submit(Submission {
             id: "init".into(),
             op: Op::ConfigureSession {
-                model: config.model,
+                model: None,
                 instructions: None,
-                approval_policy: config.approval_policy,
-                sandbox_policy: SandboxPolicy::new_read_only_policy(),
+                approval_policy: AskForApproval::OnFailure,
+                sandbox_policy: SandboxPolicy::NetworkAndFileWriteRestricted,
                 disable_response_storage: false,
             },
         })

codex-rs/core/tests/stream_no_completed.rs

@@ -3,7 +3,7 @@
 
 use std::time::Duration;
 
-use codex_core::config::Config;
+use codex_core::protocol::AskForApproval;
 use codex_core::protocol::InputItem;
 use codex_core::protocol::Op;
 use codex_core::protocol::SandboxPolicy;
@@ -70,15 +70,14 @@ async fn retries_on_early_close() {
 
     let codex = Codex::spawn(std::sync::Arc::new(tokio::sync::Notify::new())).unwrap();
 
-    let config = Config::load_default_config_for_test();
     codex
         .submit(Submission {
             id: "init".into(),
             op: Op::ConfigureSession {
-                model: config.model,
+                model: None,
                 instructions: None,
-                approval_policy: config.approval_policy,
-                sandbox_policy: SandboxPolicy::new_read_only_policy(),
+                approval_policy: AskForApproval::OnFailure,
+                sandbox_policy: SandboxPolicy::NetworkAndFileWriteRestricted,
                 disable_response_storage: false,
             },
         })

codex-rs/exec/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "codex-exec"
-version = { workspace = true }
+version = "0.1.0"
 edition = "2021"
 
 [[bin]]
@@ -13,11 +13,8 @@ path = "src/lib.rs"
 
 [dependencies]
 anyhow = "1"
-chrono = "0.4.40"
 clap = { version = "4", features = ["derive"] }
-codex-core = { path = "../core", features = ["cli"] }
-owo-colors = "4.2.0"
-shlex = "1.3.0"
+codex-core = { path = "../core" }
 tokio = { version = "1", features = [
     "io-std",
     "macros",

codex-rs/exec/src/cli.rs

@@ -1,6 +1,4 @@
 use clap::Parser;
-use clap::ValueEnum;
-use codex_core::SandboxPermissionOption;
 use std::path::PathBuf;
 
 #[derive(Parser, Debug)]
@@ -14,13 +12,6 @@ pub struct Cli {
     #[arg(long, short = 'm')]
     pub model: Option<String>,
 
-    /// Convenience alias for low-friction sandboxed automatic execution (network-disabled sandbox that can write to cwd and TMPDIR)
-    #[arg(long = "full-auto", default_value_t = false)]
-    pub full_auto: bool,
-
-    #[clap(flatten)]
-    pub sandbox: SandboxPermissionOption,
-
     /// Allow running Codex outside a Git repository.
     #[arg(long = "skip-git-repo-check", default_value_t = false)]
     pub skip_git_repo_check: bool,
@@ -29,19 +20,6 @@ pub struct Cli {
     #[arg(long = "disable-response-storage", default_value_t = false)]
     pub disable_response_storage: bool,
 
-    /// Specifies color settings for use in the output.
-    #[arg(long = "color", value_enum, default_value_t = Color::Auto)]
-    pub color: Color,
-
     /// Initial instructions for the agent.
-    pub prompt: String,
-}
-
-#[derive(Debug, Clone, Copy, Default, PartialEq, Eq, ValueEnum)]
-#[value(rename_all = "kebab-case")]
-pub enum Color {
-    Always,
-    Never,
-    #[default]
-    Auto,
+    pub prompt: Option<String>,
 }

codex-rs/exec/src/event_processor.rs

@@ -1,307 +0,0 @@
-use chrono::Utc;
-use codex_core::protocol::Event;
-use codex_core::protocol::EventMsg;
-use codex_core::protocol::FileChange;
-use owo_colors::OwoColorize;
-use owo_colors::Style;
-use shlex::try_join;
-use std::collections::HashMap;
-
-/// This should be configurable. When used in CI, users may not want to impose
-/// a limit so they can see the full transcript.
-const MAX_OUTPUT_LINES_FOR_EXEC_TOOL_CALL: usize = 20;
-
-pub(crate) struct EventProcessor {
-    call_id_to_command: HashMap<String, ExecCommandBegin>,
-    call_id_to_patch: HashMap<String, PatchApplyBegin>,
-
-    // To ensure that --color=never is respected, ANSI escapes _must_ be added
-    // using .style() with one of these fields. If you need a new style, add a
-    // new field here.
-    bold: Style,
-    dimmed: Style,
-
-    magenta: Style,
-    red: Style,
-    green: Style,
-}
-
-impl EventProcessor {
-    pub(crate) fn create_with_ansi(with_ansi: bool) -> Self {
-        let call_id_to_command = HashMap::new();
-        let call_id_to_patch = HashMap::new();
-
-        if with_ansi {
-            Self {
-                call_id_to_command,
-                call_id_to_patch,
-                bold: Style::new().bold(),
-                dimmed: Style::new().dimmed(),
-                magenta: Style::new().magenta(),
-                red: Style::new().red(),
-                green: Style::new().green(),
-            }
-        } else {
-            Self {
-                call_id_to_command,
-                call_id_to_patch,
-                bold: Style::new(),
-                dimmed: Style::new(),
-                magenta: Style::new(),
-                red: Style::new(),
-                green: Style::new(),
-            }
-        }
-    }
-}
-
-struct ExecCommandBegin {
-    command: Vec<String>,
-    start_time: chrono::DateTime<Utc>,
-}
-
-struct PatchApplyBegin {
-    start_time: chrono::DateTime<Utc>,
-    auto_approved: bool,
-}
-
-macro_rules! ts_println {
-    ($($arg:tt)*) => {{
-        let now = Utc::now();
-        let formatted = now.format("%Y-%m-%dT%H:%M:%S").to_string();
-        print!("[{}] ", formatted);
-        println!($($arg)*);
-    }};
-}
-
-impl EventProcessor {
-    pub(crate) fn process_event(&mut self, event: Event) {
-        let Event { id, msg } = event;
-        match msg {
-            EventMsg::Error { message } => {
-                let prefix = "ERROR:".style(self.red);
-                ts_println!("{prefix} {message}");
-            }
-            EventMsg::BackgroundEvent { message } => {
-                ts_println!("{}", message.style(self.dimmed));
-            }
-            EventMsg::TaskStarted => {
-                let msg = format!("Task started: {id}");
-                ts_println!("{}", msg.style(self.dimmed));
-            }
-            EventMsg::TaskComplete => {
-                let msg = format!("Task complete: {id}");
-                ts_println!("{}", msg.style(self.bold));
-            }
-            EventMsg::AgentMessage { message } => {
-                let prefix = "Agent message:".style(self.bold);
-                ts_println!("{prefix} {message}");
-            }
-            EventMsg::ExecCommandBegin {
-                call_id,
-                command,
-                cwd,
-            } => {
-                self.call_id_to_command.insert(
-                    call_id.clone(),
-                    ExecCommandBegin {
-                        command: command.clone(),
-                        start_time: Utc::now(),
-                    },
-                );
-                ts_println!(
-                    "{} {} in {}",
-                    "exec".style(self.magenta),
-                    escape_command(&command).style(self.bold),
-                    cwd,
-                );
-            }
-            EventMsg::ExecCommandEnd {
-                call_id,
-                stdout,
-                stderr,
-                exit_code,
-            } => {
-                let exec_command = self.call_id_to_command.remove(&call_id);
-                let (duration, call) = if let Some(ExecCommandBegin {
-                    command,
-                    start_time,
-                }) = exec_command
-                {
-                    (
-                        format_duration(start_time),
-                        format!("{}", escape_command(&command).style(self.bold)),
-                    )
-                } else {
-                    ("".to_string(), format!("exec('{call_id}')"))
-                };
-
-                let output = if exit_code == 0 { stdout } else { stderr };
-                let truncated_output = output
-                    .lines()
-                    .take(MAX_OUTPUT_LINES_FOR_EXEC_TOOL_CALL)
-                    .collect::<Vec<_>>()
-                    .join("\n");
-                match exit_code {
-                    0 => {
-                        let title = format!("{call} succeded{duration}:");
-                        ts_println!("{}", title.style(self.green));
-                    }
-                    _ => {
-                        let title = format!("{call} exited {exit_code}{duration}:");
-                        ts_println!("{}", title.style(self.red));
-                    }
-                }
-                println!("{}", truncated_output.style(self.dimmed));
-            }
-            EventMsg::PatchApplyBegin {
-                call_id,
-                auto_approved,
-                changes,
-            } => {
-                // Store metadata so we can calculate duration later when we
-                // receive the corresponding PatchApplyEnd event.
-                self.call_id_to_patch.insert(
-                    call_id.clone(),
-                    PatchApplyBegin {
-                        start_time: Utc::now(),
-                        auto_approved,
-                    },
-                );
-
-                ts_println!(
-                    "{} auto_approved={}:",
-                    "apply_patch".style(self.magenta),
-                    auto_approved,
-                );
-
-                // Pretty-print the patch summary with colored diff markers so
-                // it’s easy to scan in the terminal output.
-                for (path, change) in changes.iter() {
-                    match change {
-                        FileChange::Add { content } => {
-                            let header = format!(
-                                "{} {}",
-                                format_file_change(change),
-                                path.to_string_lossy()
-                            );
-                            println!("{}", header.style(self.magenta));
-                            for line in content.lines() {
-                                println!("{}", line.style(self.green));
-                            }
-                        }
-                        FileChange::Delete => {
-                            let header = format!(
-                                "{} {}",
-                                format_file_change(change),
-                                path.to_string_lossy()
-                            );
-                            println!("{}", header.style(self.magenta));
-                        }
-                        FileChange::Update {
-                            unified_diff,
-                            move_path,
-                        } => {
-                            let header = if let Some(dest) = move_path {
-                                format!(
-                                    "{} {} -> {}",
-                                    format_file_change(change),
-                                    path.to_string_lossy(),
-                                    dest.to_string_lossy()
-                                )
-                            } else {
-                                format!("{} {}", format_file_change(change), path.to_string_lossy())
-                            };
-                            println!("{}", header.style(self.magenta));
-
-                            // Colorize diff lines. We keep file header lines
-                            // (--- / +++) without extra coloring so they are
-                            // still readable.
-                            for diff_line in unified_diff.lines() {
-                                if diff_line.starts_with('+') && !diff_line.starts_with("+++") {
-                                    println!("{}", diff_line.style(self.green));
-                                } else if diff_line.starts_with('-')
-                                    && !diff_line.starts_with("---")
-                                {
-                                    println!("{}", diff_line.style(self.red));
-                                } else {
-                                    println!("{diff_line}");
-                                }
-                            }
-                        }
-                    }
-                }
-            }
-            EventMsg::PatchApplyEnd {
-                call_id,
-                stdout,
-                stderr,
-                success,
-            } => {
-                let patch_begin = self.call_id_to_patch.remove(&call_id);
-
-                // Compute duration and summary label similar to exec commands.
-                let (duration, label) = if let Some(PatchApplyBegin {
-                    start_time,
-                    auto_approved,
-                }) = patch_begin
-                {
-                    (
-                        format_duration(start_time),
-                        format!("apply_patch(auto_approved={})", auto_approved),
-                    )
-                } else {
-                    (String::new(), format!("apply_patch('{call_id}')"))
-                };
-
-                let (exit_code, output, title_style) = if success {
-                    (0, stdout, self.green)
-                } else {
-                    (1, stderr, self.red)
-                };
-
-                let title = format!("{label} exited {exit_code}{duration}:");
-                ts_println!("{}", title.style(title_style));
-                for line in output.lines() {
-                    println!("{}", line.style(self.dimmed));
-                }
-            }
-            EventMsg::ExecApprovalRequest { .. } => {
-                // Should we exit?
-            }
-            EventMsg::ApplyPatchApprovalRequest { .. } => {
-                // Should we exit?
-            }
-            _ => {
-                // Ignore event.
-            }
-        }
-    }
-}
-
-fn escape_command(command: &[String]) -> String {
-    try_join(command.iter().map(|s| s.as_str())).unwrap_or_else(|_| command.join(" "))
-}
-
-fn format_file_change(change: &FileChange) -> &'static str {
-    match change {
-        FileChange::Add { .. } => "A",
-        FileChange::Delete => "D",
-        FileChange::Update {
-            move_path: Some(_), ..
-        } => "R",
-        FileChange::Update {
-            move_path: None, ..
-        } => "M",
-    }
-}
-
-fn format_duration(start_time: chrono::DateTime<Utc>) -> String {
-    let elapsed = Utc::now().signed_duration_since(start_time);
-    let millis = elapsed.num_milliseconds();
-    if millis < 1000 {
-        format!(" in {}ms", millis)
-    } else {
-        format!(" in {:.2}s", millis as f64 / 1000.0)
-    }
-}

codex-rs/exec/src/lib.rs

@@ -1,89 +1,63 @@
 mod cli;
-mod event_processor;
-
-use std::io::IsTerminal;
 use std::sync::Arc;
 
 pub use cli::Cli;
 use codex_core::codex_wrapper;
-use codex_core::config::Config;
-use codex_core::config::ConfigOverrides;
 use codex_core::protocol::AskForApproval;
 use codex_core::protocol::Event;
 use codex_core::protocol::EventMsg;
+use codex_core::protocol::FileChange;
 use codex_core::protocol::InputItem;
 use codex_core::protocol::Op;
 use codex_core::protocol::SandboxPolicy;
 use codex_core::util::is_inside_git_repo;
-use event_processor::EventProcessor;
-use owo_colors::OwoColorize;
-use owo_colors::Style;
 use tracing::debug;
 use tracing::error;
 use tracing::info;
 use tracing_subscriber::EnvFilter;
 
 pub async fn run_main(cli: Cli) -> anyhow::Result<()> {
-    let Cli {
-        images,
-        model,
-        full_auto,
-        sandbox,
-        skip_git_repo_check,
-        disable_response_storage,
-        color,
-        prompt,
-    } = cli;
-
-    let (stdout_with_ansi, stderr_with_ansi) = match color {
-        cli::Color::Always => (true, true),
-        cli::Color::Never => (false, false),
-        cli::Color::Auto => (
-            std::io::stdout().is_terminal(),
-            std::io::stderr().is_terminal(),
-        ),
-    };
-
-    assert_api_key(stderr_with_ansi);
-
-    if !skip_git_repo_check && !is_inside_git_repo() {
-        eprintln!("Not inside a Git repo and --skip-git-repo-check was not specified.");
-        std::process::exit(1);
-    }
-
     // TODO(mbolin): Take a more thoughtful approach to logging.
     let default_level = "error";
+    let allow_ansi = true;
     let _ = tracing_subscriber::fmt()
         .with_env_filter(
             EnvFilter::try_from_default_env()
                 .or_else(|_| EnvFilter::try_new(default_level))
                 .unwrap(),
         )
-        .with_ansi(stderr_with_ansi)
+        .with_ansi(allow_ansi)
         .with_writer(std::io::stderr)
         .try_init();
 
-    let sandbox_policy = if full_auto {
-        Some(SandboxPolicy::new_full_auto_policy())
-    } else {
-        sandbox.permissions.clone().map(Into::into)
-    };
-
-    // Load configuration and determine approval policy
-    let overrides = ConfigOverrides {
+    let Cli {
+        images,
         model,
-        // This CLI is intended to be headless and has no affordances for asking
-        // the user for approval.
-        approval_policy: Some(AskForApproval::Never),
+        skip_git_repo_check,
+        disable_response_storage,
+        prompt,
+        ..
+    } = cli;
+
+    if !skip_git_repo_check && !is_inside_git_repo() {
+        eprintln!("Not inside a Git repo and --skip-git-repo-check was not specified.");
+        std::process::exit(1);
+    } else if images.is_empty() && prompt.is_none() {
+        eprintln!("No images or prompt specified.");
+        std::process::exit(1);
+    }
+
+    // TODO(mbolin): We are reworking the CLI args right now, so this will
+    // likely come from a new --execution-policy arg.
+    let approval_policy = AskForApproval::Never;
+    let sandbox_policy = SandboxPolicy::NetworkAndFileWriteRestricted;
+    let (codex_wrapper, event, ctrl_c) = codex_wrapper::init_codex(
+        approval_policy,
         sandbox_policy,
-        disable_response_storage: if disable_response_storage {
-            Some(true)
-        } else {
-            None
-        },
-    };
-    let config = Config::load_with_overrides(overrides)?;
-    let (codex_wrapper, event, ctrl_c) = codex_wrapper::init_codex(config).await?;
+        disable_response_storage,
+        model,
+    )
+    .await?;
     let codex = Arc::new(codex_wrapper);
     info!("Codex initialized with event: {event:?}");
 
@@ -109,6 +83,7 @@ pub async fn run_main(cli: Cli) -> anyhow::Result<()> {
                     res = codex.next_event() => match res {
                         Ok(event) => {
                             debug!("Received event: {event:?}");
+                            process_event(&event);
                             if let Err(e) = tx.send(event) {
                                 error!("Error sending event: {e:?}");
                                 break;
@@ -124,8 +99,8 @@ pub async fn run_main(cli: Cli) -> anyhow::Result<()> {
         });
     }
 
-    // Send images first, if any.
     if !images.is_empty() {
+        // Send images first.
         let items: Vec<InputItem> = images
             .into_iter()
             .map(|path| InputItem::LocalImage { path })
@@ -139,56 +114,101 @@ pub async fn run_main(cli: Cli) -> anyhow::Result<()> {
         }
     }
 
-    // Send the prompt.
-    let items: Vec<InputItem> = vec![InputItem::Text { text: prompt }];
-    let initial_prompt_task_id = codex.submit(Op::UserInput { items }).await?;
-    info!("Sent prompt with event ID: {initial_prompt_task_id}");
-
-    // Run the loop until the task is complete.
-    let mut event_processor = EventProcessor::create_with_ansi(stdout_with_ansi);
-    while let Some(event) = rx.recv().await {
-        let last_event =
-            event.id == initial_prompt_task_id && matches!(event.msg, EventMsg::TaskComplete);
-        event_processor.process_event(event);
-        if last_event {
-            break;
+    if let Some(prompt) = prompt {
+        // Send the prompt.
+        let items: Vec<InputItem> = vec![InputItem::Text { text: prompt }];
+        let initial_prompt_task_id = codex.submit(Op::UserInput { items }).await?;
+        info!("Sent prompt with event ID: {initial_prompt_task_id}");
+        while let Some(event) = rx.recv().await {
+            if event.id == initial_prompt_task_id && matches!(event.msg, EventMsg::TaskComplete) {
+                break;
+            }
         }
     }
 
     Ok(())
 }
 
-/// If a valid API key is not present in the environment, print an error to
-/// stderr and exits with 1; otherwise, does nothing.
-fn assert_api_key(stderr_with_ansi: bool) {
-    if !has_api_key() {
-        let (msg_style, var_style, url_style) = if stderr_with_ansi {
-            (
-                Style::new().red(),
-                Style::new().bold(),
-                Style::new().bold().underline(),
-            )
-        } else {
-            (Style::new(), Style::new(), Style::new())
-        };
-
-        eprintln!(
-            "\n{msg}\n\nSet the environment variable {var} and re-run this command.\nYou can create a key here: {url}\n",
-            msg = "Missing OpenAI API key.".style(msg_style),
-            var = "OPENAI_API_KEY".style(var_style),
-            url = "https://platform.openai.com/account/api-keys".style(url_style),
-        );
-        std::process::exit(1);
+fn process_event(event: &Event) {
+    let Event { id, msg } = event;
+    match msg {
+        EventMsg::Error { message } => {
+            println!("Error: {message}");
+        }
+        EventMsg::BackgroundEvent { .. } => {
+            // Ignore these for now.
+        }
+        EventMsg::TaskStarted => {
+            println!("Task started: {id}");
+        }
+        EventMsg::TaskComplete => {
+            println!("Task complete: {id}");
+        }
+        EventMsg::AgentMessage { message } => {
+            println!("Agent message: {message}");
+        }
+        EventMsg::ExecCommandBegin {
+            call_id,
+            command,
+            cwd,
+        } => {
+            println!("exec('{call_id}'): {:?} in {cwd}", command);
+        }
+        EventMsg::ExecCommandEnd {
+            call_id,
+            stdout,
+            stderr,
+            exit_code,
+        } => {
+            let output = if *exit_code == 0 { stdout } else { stderr };
+            let truncated_output = output.lines().take(5).collect::<Vec<_>>().join("\n");
+            println!("exec('{call_id}') exited {exit_code}:\n{truncated_output}");
+        }
+        EventMsg::PatchApplyBegin {
+            call_id,
+            auto_approved,
+            changes,
+        } => {
+            let changes = changes
+                .iter()
+                .map(|(path, change)| {
+                    format!("{} {}", format_file_change(change), path.to_string_lossy())
+                })
+                .collect::<Vec<_>>()
+                .join("\n");
+            println!("apply_patch('{call_id}') auto_approved={auto_approved}:\n{changes}");
+        }
+        EventMsg::PatchApplyEnd {
+            call_id,
+            stdout,
+            stderr,
+            success,
+        } => {
+            let (exit_code, output) = if *success { (0, stdout) } else { (1, stderr) };
+            let truncated_output = output.lines().take(5).collect::<Vec<_>>().join("\n");
+            println!("apply_patch('{call_id}') exited {exit_code}:\n{truncated_output}");
+        }
+        EventMsg::ExecApprovalRequest { .. } => {
+            // Should we exit?
+        }
+        EventMsg::ApplyPatchApprovalRequest { .. } => {
+            // Should we exit?
+        }
+        _ => {
+            // Ignore event.
+        }
     }
 }
 
-/// Returns `true` if a recognized API key is present in the environment.
-///
-/// At present we only support `OPENAI_API_KEY`, mirroring the behavior of the
-/// Node-based `codex-cli`. Additional providers can be added here when the
-/// Rust implementation gains first-class support for them.
-fn has_api_key() -> bool {
-    std::env::var("OPENAI_API_KEY")
-        .map(|s| !s.trim().is_empty())
-        .unwrap_or(false)
+fn format_file_change(change: &FileChange) -> &'static str {
+    match change {
+        FileChange::Add { .. } => "A",
+        FileChange::Delete => "D",
+        FileChange::Update {
+            move_path: Some(_), ..
+        } => "R",
+        FileChange::Update {
+            move_path: None, ..
+        } => "M",
+    }
 }

codex-rs/interactive/Cargo.toml

@@ -0,0 +1,24 @@
+[package]
+name = "codex-interactive"
+version = "0.1.0"
+edition = "2021"
+
+[[bin]]
+name = "codex-interactive"
+path = "src/main.rs"
+
+[lib]
+name = "codex_interactive"
+path = "src/lib.rs"
+
+[dependencies]
+anyhow = "1"
+clap = { version = "4", features = ["derive"] }
+codex-core = { path = "../core", features = ["cli"] }
+tokio = { version = "1", features = [
+    "io-std",
+    "macros",
+    "process",
+    "rt-multi-thread",
+    "signal",
+] }

codex-rs/interactive/src/cli.rs

@@ -0,0 +1,33 @@
+use clap::Parser;
+use codex_core::ApprovalModeCliArg;
+use codex_core::SandboxModeCliArg;
+use std::path::PathBuf;
+
+#[derive(Parser, Debug)]
+#[command(version)]
+pub struct Cli {
+    /// Optional image(s) to attach to the initial prompt.
+    #[arg(long = "image", short = 'i', value_name = "FILE", value_delimiter = ',', num_args = 1..)]
+    pub images: Vec<PathBuf>,
+
+    /// Model the agent should use.
+    #[arg(long, short = 'm')]
+    pub model: Option<String>,
+
+    /// Configure when the model requires human approval before executing a command.
+    #[arg(long = "ask-for-approval", short = 'a', value_enum, default_value_t = ApprovalModeCliArg::OnFailure)]
+    pub approval_policy: ApprovalModeCliArg,
+
+    /// Configure the process restrictions when a command is executed.
+    ///
+    /// Uses OS-specific sandboxing tools; Seatbelt on OSX, landlock+seccomp on Linux.
+    #[arg(long = "sandbox", short = 's', value_enum, default_value_t = SandboxModeCliArg::NetworkAndFileWriteRestricted)]
+    pub sandbox_policy: SandboxModeCliArg,
+
+    /// Allow running Codex outside a Git repository.
+    #[arg(long = "skip-git-repo-check", default_value_t = false)]
+    pub skip_git_repo_check: bool,
+
+    /// Initial instructions for the agent.
+    pub prompt: Option<String>,
+}

codex-rs/interactive/src/lib.rs

@@ -0,0 +1,7 @@
+mod cli;
+pub use cli::Cli;
+
+pub async fn run_main(_cli: Cli) -> anyhow::Result<()> {
+    eprintln!("Interactive mode is not implemented yet.");
+    std::process::exit(1);
+}

codex-rs/interactive/src/main.rs

@@ -0,0 +1,11 @@
+use clap::Parser;
+use codex_interactive::run_main;
+use codex_interactive::Cli;
+
+#[tokio::main]
+async fn main() -> anyhow::Result<()> {
+    let cli = Cli::parse();
+    run_main(cli).await?;
+
+    Ok(())
+}

codex-rs/repl/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "codex-repl"
-version = { workspace = true }
+version = "0.1.0"
 edition = "2021"
 
 [[bin]]

codex-rs/repl/src/cli.rs

@@ -1,7 +1,7 @@
 use clap::ArgAction;
 use clap::Parser;
 use codex_core::ApprovalModeCliArg;
-use codex_core::SandboxPermissionOption;
+use codex_core::SandboxModeCliArg;
 use std::path::PathBuf;
 
 /// Command‑line arguments.
@@ -34,15 +34,14 @@ pub struct Cli {
     pub no_ansi: bool,
 
     /// Configure when the model requires human approval before executing a command.
-    #[arg(long = "ask-for-approval", short = 'a')]
-    pub approval_policy: Option<ApprovalModeCliArg>,
+    #[arg(long = "ask-for-approval", short = 'a', value_enum, default_value_t = ApprovalModeCliArg::OnFailure)]
+    pub approval_policy: ApprovalModeCliArg,
 
-    /// Convenience alias for low-friction sandboxed automatic execution (-a on-failure, network-disabled sandbox that can write to cwd and TMPDIR)
-    #[arg(long = "full-auto", default_value_t = false)]
-    pub full_auto: bool,
-
-    #[clap(flatten)]
-    pub sandbox: SandboxPermissionOption,
+    /// Configure the process restrictions when a command is executed.
+    ///
+    /// Uses OS-specific sandboxing tools; Seatbelt on OSX, landlock+seccomp on Linux.
+    #[arg(long = "sandbox", short = 's', value_enum, default_value_t = SandboxModeCliArg::NetworkAndFileWriteRestricted)]
+    pub sandbox_policy: SandboxModeCliArg,
 
     /// Allow running Codex outside a Git repository.  By default the CLI
     /// aborts early when the current working directory is **not** inside a

codex-rs/repl/src/lib.rs

@@ -4,11 +4,8 @@ use std::io::Write;
 use std::sync::Arc;
 
 use codex_core::config::Config;
-use codex_core::config::ConfigOverrides;
 use codex_core::protocol;
-use codex_core::protocol::AskForApproval;
 use codex_core::protocol::FileChange;
-use codex_core::protocol::SandboxPolicy;
 use codex_core::util::is_inside_git_repo;
 use codex_core::util::notify_on_sigint;
 use codex_core::Codex;
@@ -78,33 +75,12 @@ pub async fn run_main(cli: Cli) -> anyhow::Result<()> {
     // Initialize logging before any other work so early errors are captured.
     init_logger(cli.verbose, !cli.no_ansi);
 
-    let (sandbox_policy, approval_policy) = if cli.full_auto {
-        (
-            Some(SandboxPolicy::new_full_auto_policy()),
-            Some(AskForApproval::OnFailure),
-        )
-    } else {
-        let sandbox_policy = cli.sandbox.permissions.clone().map(Into::into);
-        (sandbox_policy, cli.approval_policy.map(Into::into))
-    };
-
-    // Load config file and apply CLI overrides (model & approval policy)
-    let overrides = ConfigOverrides {
-        model: cli.model.clone(),
-        approval_policy,
-        sandbox_policy,
-        disable_response_storage: if cli.disable_response_storage {
-            Some(true)
-        } else {
-            None
-        },
-    };
-    let config = Config::load_with_overrides(overrides)?;
+    let config = Config::load().unwrap_or_default();
 
     codex_main(cli, config, ctrl_c).await
 }
 
-async fn codex_main(cli: Cli, cfg: Config, ctrl_c: Arc<Notify>) -> anyhow::Result<()> {
+async fn codex_main(mut cli: Cli, cfg: Config, ctrl_c: Arc<Notify>) -> anyhow::Result<()> {
     let mut builder = Codex::builder();
     if let Some(path) = cli.record_submissions {
         builder = builder.record_submissions(path);
@@ -117,11 +93,11 @@ async fn codex_main(cli: Cli, cfg: Config, ctrl_c: Arc<Notify>) -> anyhow::Resul
     let init = protocol::Submission {
         id: init_id.clone(),
         op: protocol::Op::ConfigureSession {
-            model: cfg.model,
+            model: cli.model.or(cfg.model),
             instructions: cfg.instructions,
-            approval_policy: cfg.approval_policy,
-            sandbox_policy: cfg.sandbox_policy,
-            disable_response_storage: cfg.disable_response_storage,
+            approval_policy: cli.approval_policy.into(),
+            sandbox_policy: cli.sandbox_policy.into(),
+            disable_response_storage: cli.disable_response_storage,
         },
     };
 
@@ -157,8 +133,8 @@ async fn codex_main(cli: Cli, cfg: Config, ctrl_c: Arc<Notify>) -> anyhow::Resul
     // run loop
     let mut reader = InputReader::new(ctrl_c.clone());
     loop {
-        let text = match &cli.prompt {
-            Some(input) => input.clone(),
+        let text = match cli.prompt.take() {
+            Some(input) => input,
             None => match reader.request_input().await? {
                 Some(input) => input,
                 None => {

codex-rs/tui/src/app.rs

@@ -4,9 +4,10 @@ use crate::git_warning_screen::GitWarningOutcome;
 use crate::git_warning_screen::GitWarningScreen;
 use crate::scroll_event_helper::ScrollEventHelper;
 use crate::tui;
-use codex_core::config::Config;
+use codex_core::protocol::AskForApproval;
 use codex_core::protocol::Event;
 use codex_core::protocol::Op;
+use codex_core::protocol::SandboxPolicy;
 use color_eyre::eyre::Result;
 use crossterm::event::KeyCode;
 use crossterm::event::KeyEvent;
@@ -33,10 +34,13 @@ pub(crate) struct App<'a> {
 
 impl App<'_> {
     pub(crate) fn new(
-        config: Config,
+        approval_policy: AskForApproval,
+        sandbox_policy: SandboxPolicy,
         initial_prompt: Option<String>,
         show_git_warning: bool,
         initial_images: Vec<std::path::PathBuf>,
+        model: Option<String>,
+        disable_response_storage: bool,
     ) -> Self {
         let (app_event_tx, app_event_rx) = channel();
         let scroll_event_helper = ScrollEventHelper::new(app_event_tx.clone());
@@ -76,10 +80,13 @@ impl App<'_> {
         }
 
         let chat_widget = ChatWidget::new(
-            config,
+            approval_policy,
+            sandbox_policy,
             app_event_tx.clone(),
             initial_prompt.clone(),
             initial_images,
+            model,
+            disable_response_storage,
         );
 
         let app_state = if show_git_warning {

codex-rs/tui/src/chatwidget.rs

@@ -3,11 +3,12 @@ use std::sync::mpsc::Sender;
 use std::sync::Arc;
 
 use codex_core::codex_wrapper::init_codex;
-use codex_core::config::Config;
+use codex_core::protocol::AskForApproval;
 use codex_core::protocol::Event;
 use codex_core::protocol::EventMsg;
 use codex_core::protocol::InputItem;
 use codex_core::protocol::Op;
+use codex_core::protocol::SandboxPolicy;
 use crossterm::event::KeyEvent;
 use ratatui::buffer::Buffer;
 use ratatui::layout::Constraint;
@@ -33,7 +34,7 @@ pub(crate) struct ChatWidget<'a> {
     conversation_history: ConversationHistoryWidget,
     bottom_pane: BottomPane<'a>,
     input_focus: InputFocus,
-    config: Config,
+    approval_policy: AskForApproval,
     cwd: std::path::PathBuf,
 }
 
@@ -45,10 +46,13 @@ enum InputFocus {
 
 impl ChatWidget<'_> {
     pub(crate) fn new(
-        config: Config,
+        approval_policy: AskForApproval,
+        sandbox_policy: SandboxPolicy,
         app_event_tx: Sender<AppEvent>,
         initial_prompt: Option<String>,
         initial_images: Vec<std::path::PathBuf>,
+        model: Option<String>,
+        disable_response_storage: bool,
     ) -> Self {
         let (codex_op_tx, mut codex_op_rx) = unbounded_channel::<Op>();
 
@@ -59,12 +63,19 @@ impl ChatWidget<'_> {
 
         let app_event_tx_clone = app_event_tx.clone();
         // Create the Codex asynchronously so the UI loads as quickly as possible.
-        let config_for_agent_loop = config.clone();
         tokio::spawn(async move {
-            let (codex, session_event, _ctrl_c) = match init_codex(config_for_agent_loop).await {
+            // Initialize session; storage enabled by default
+            let (codex, session_event, _ctrl_c) = match init_codex(
+                approval_policy,
+                sandbox_policy,
+                disable_response_storage,
+                model,
+            )
+            .await
+            {
                 Ok(vals) => vals,
                 Err(e) => {
-                    // TODO: surface this error to the user.
+                    // TODO(mbolin): This error needs to be surfaced to the user.
                     tracing::error!("failed to initialize codex: {e}");
                     return;
                 }
@@ -104,7 +115,7 @@ impl ChatWidget<'_> {
                 has_input_focus: true,
             }),
             input_focus: InputFocus::BottomPane,
-            config,
+            approval_policy,
             cwd: cwd.clone(),
         };
 
@@ -232,8 +243,11 @@ impl ChatWidget<'_> {
         match msg {
             EventMsg::SessionConfigured { model } => {
                 // Record session information at the top of the conversation.
-                self.conversation_history
-                    .add_session_info(&self.config, model, self.cwd.clone());
+                self.conversation_history.add_session_info(
+                    model,
+                    self.cwd.clone(),
+                    self.approval_policy,
+                );
                 self.request_redraw()?;
             }
             EventMsg::AgentMessage { message } => {

codex-rs/tui/src/cli.rs

@@ -1,6 +1,6 @@
 use clap::Parser;
 use codex_core::ApprovalModeCliArg;
-use codex_core::SandboxPermissionOption;
+use codex_core::SandboxModeCliArg;
 use std::path::PathBuf;
 
 #[derive(Parser, Debug)]
@@ -18,15 +18,14 @@ pub struct Cli {
     pub model: Option<String>,
 
     /// Configure when the model requires human approval before executing a command.
-    #[arg(long = "ask-for-approval", short = 'a')]
-    pub approval_policy: Option<ApprovalModeCliArg>,
+    #[arg(long = "ask-for-approval", short = 'a', value_enum, default_value_t = ApprovalModeCliArg::OnFailure)]
+    pub approval_policy: ApprovalModeCliArg,
 
-    /// Convenience alias for low-friction sandboxed automatic execution (-a on-failure, network-disabled sandbox that can write to cwd and TMPDIR)
-    #[arg(long = "full-auto", default_value_t = false)]
-    pub full_auto: bool,
-
-    #[clap(flatten)]
-    pub sandbox: SandboxPermissionOption,
+    /// Configure the process restrictions when a command is executed.
+    ///
+    /// Uses OS-specific sandboxing tools; Seatbelt on OSX, landlock+seccomp on Linux.
+    #[arg(long = "sandbox", short = 's', value_enum, default_value_t = SandboxModeCliArg::NetworkAndFileWriteRestricted)]
+    pub sandbox_policy: SandboxModeCliArg,
 
     /// Allow running Codex outside a Git repository.
     #[arg(long = "skip-git-repo-check", default_value_t = false)]
@@ -35,4 +34,12 @@ pub struct Cli {
     /// Disable server‑side response storage (sends the full conversation context with every request)
     #[arg(long = "disable-response-storage", default_value_t = false)]
     pub disable_response_storage: bool,
+
+    /// Convenience alias for low-friction sandboxed automatic execution (-a on-failure, -s network-and-file-write-restricted)
+    #[arg(long = "full-auto", default_value_t = true)]
+    pub full_auto: bool,
+
+    /// Convenience alias for supervised sandboxed execution (-a unless-allow-listed, -s network-and-file-write-restricted)
+    #[arg(long = "suggest", default_value_t = false)]
+    pub suggest: bool,
 }

codex-rs/tui/src/conversation_history_widget.rs

@@ -1,7 +1,6 @@
 use crate::history_cell::CommandOutput;
 use crate::history_cell::HistoryCell;
 use crate::history_cell::PatchEventType;
-use codex_core::config::Config;
 use codex_core::protocol::FileChange;
 use crossterm::event::KeyCode;
 use crossterm::event::KeyEvent;
@@ -48,11 +47,11 @@ impl ConversationHistoryWidget {
                 self.scroll_down(1);
                 true
             }
-            KeyCode::PageUp | KeyCode::Char('b') => {
+            KeyCode::PageUp | KeyCode::Char('b') | KeyCode::Char('u') | KeyCode::Char('U') => {
                 self.scroll_page_up();
                 true
             }
-            KeyCode::PageDown | KeyCode::Char(' ') => {
+            KeyCode::PageDown | KeyCode::Char(' ') | KeyCode::Char('d') | KeyCode::Char('D') => {
                 self.scroll_page_down();
                 true
             }
@@ -182,10 +181,13 @@ impl ConversationHistoryWidget {
         self.add_to_history(HistoryCell::new_patch_event(event_type, changes));
     }
 
-    /// Note `model` could differ from `config.model` if the agent decided to
-    /// use a different model than the one requested by the user.
-    pub fn add_session_info(&mut self, config: &Config, model: String, cwd: PathBuf) {
-        self.add_to_history(HistoryCell::new_session_info(config, model, cwd));
+    pub fn add_session_info(
+        &mut self,
+        model: String,
+        cwd: std::path::PathBuf,
+        approval_policy: codex_core::protocol::AskForApproval,
+    ) {
+        self.add_to_history(HistoryCell::new_session_info(model, cwd, approval_policy));
     }
 
     pub fn add_active_exec_command(&mut self, call_id: String, command: Vec<String>) {
@@ -238,7 +240,7 @@ impl WidgetRef for ConversationHistoryWidget {
     fn render_ref(&self, area: Rect, buf: &mut Buffer) {
         let (title, border_style) = if self.has_input_focus {
             (
-                "Messages (↑/↓ or j/k = line,  b/space = page)",
+                "Messages (↑/↓ or j/k = line,  b/u = PgUp, space/d = PgDn)",
                 Style::default().fg(Color::LightYellow),
             )
         } else {

codex-rs/tui/src/history_cell.rs

@@ -1,5 +1,4 @@
 use codex_ansi_escape::ansi_escape_line;
-use codex_core::config::Config;
 use codex_core::protocol::FileChange;
 use ratatui::prelude::*;
 use ratatui::style::Color;
@@ -145,9 +144,9 @@ impl HistoryCell {
     }
 
     pub(crate) fn new_session_info(
-        config: &Config,
         model: String,
         cwd: std::path::PathBuf,
+        approval_policy: codex_core::protocol::AskForApproval,
     ) -> Self {
         let mut lines: Vec<Line<'static>> = Vec::new();
 
@@ -159,11 +158,7 @@ impl HistoryCell {
         ]));
         lines.push(Line::from(vec![
             "↳ approval: ".bold(),
-            format!("{:?}", config.approval_policy).into(),
-        ]));
-        lines.push(Line::from(vec![
-            "↳ sandbox: ".bold(),
-            format!("{:?}", config.sandbox_policy).into(),
+            format!("{:?}", approval_policy).into(),
         ]));
         lines.push(Line::from(""));
 

codex-rs/tui/src/lib.rs

@@ -4,10 +4,6 @@
 #![deny(clippy::print_stdout, clippy::print_stderr)]
 
 use app::App;
-use codex_core::config::Config;
-use codex_core::config::ConfigOverrides;
-use codex_core::protocol::AskForApproval;
-use codex_core::protocol::SandboxPolicy;
 use codex_core::util::is_inside_git_repo;
 use log_layer::TuiLogLayer;
 use std::fs::OpenOptions;
@@ -35,63 +31,19 @@ pub use cli::Cli;
 pub fn run_main(cli: Cli) -> std::io::Result<()> {
     assert_env_var_set();
 
-    let (sandbox_policy, approval_policy) = if cli.full_auto {
-        (
-            Some(SandboxPolicy::new_full_auto_policy()),
-            Some(AskForApproval::OnFailure),
-        )
-    } else {
-        let sandbox_policy = cli.sandbox.permissions.clone().map(Into::into);
-        (sandbox_policy, cli.approval_policy.map(Into::into))
-    };
-
-    let config = {
-        // Load configuration and support CLI overrides.
-        let overrides = ConfigOverrides {
-            model: cli.model.clone(),
-            approval_policy,
-            sandbox_policy,
-            disable_response_storage: if cli.disable_response_storage {
-                Some(true)
-            } else {
-                None
-            },
-        };
-        #[allow(clippy::print_stderr)]
-        match Config::load_with_overrides(overrides) {
-            Ok(config) => config,
-            Err(err) => {
-                eprintln!("Error loading configuration: {err}");
-                std::process::exit(1);
-            }
-        }
-    };
-
-    let log_dir = codex_core::config::log_dir()?;
-    std::fs::create_dir_all(&log_dir)?;
     // Open (or create) your log file, appending to it.
-    let mut log_file_opts = OpenOptions::new();
-    log_file_opts.create(true).append(true);
-
-    // Ensure the file is only readable and writable by the current user.
-    // Doing the equivalent to `chmod 600` on Windows is quite a bit more code
-    // and requires the Windows API crates, so we can reconsider that when
-    // Codex CLI is officially supported on Windows.
-    #[cfg(unix)]
-    {
-        use std::os::unix::fs::OpenOptionsExt;
-        log_file_opts.mode(0o600);
-    }
-
-    let log_file = log_file_opts.open(log_dir.join("codex-tui.log"))?;
+    let file = OpenOptions::new()
+        .create(true)
+        .append(true)
+        .open("/tmp/codex-rs.log")?;
 
     // Wrap file in non‑blocking writer.
-    let (non_blocking, _guard) = non_blocking(log_file);
+    let (non_blocking, _guard) = non_blocking(file);
 
-    // use RUST_LOG env var, default to info for codex crates.
+    // use RUST_LOG env var, default to trace for codex crates.
     let env_filter = || {
         EnvFilter::try_from_default_env()
-            .unwrap_or_else(|_| EnvFilter::new("codex_core=info,codex_tui=info"))
+            .unwrap_or_else(|_| EnvFilter::new("codex=trace,codex_tui=trace"))
     };
 
     // Build layered subscriber:
@@ -115,7 +67,7 @@ pub fn run_main(cli: Cli) -> std::io::Result<()> {
     // `--allow-no-git-exec` flag.
     let show_git_warning = !cli.skip_git_repo_check && !is_inside_git_repo();
 
-    try_run_ratatui_app(cli, config, show_git_warning, log_rx);
+    try_run_ratatui_app(cli, show_git_warning, log_rx);
     Ok(())
 }
 
@@ -125,18 +77,16 @@ pub fn run_main(cli: Cli) -> std::io::Result<()> {
 )]
 fn try_run_ratatui_app(
     cli: Cli,
-    config: Config,
     show_git_warning: bool,
     log_rx: tokio::sync::mpsc::UnboundedReceiver<String>,
 ) {
-    if let Err(report) = run_ratatui_app(cli, config, show_git_warning, log_rx) {
+    if let Err(report) = run_ratatui_app(cli, show_git_warning, log_rx) {
         eprintln!("Error: {report:?}");
     }
 }
 
 fn run_ratatui_app(
     cli: Cli,
-    config: Config,
     show_git_warning: bool,
     mut log_rx: tokio::sync::mpsc::UnboundedReceiver<String>,
 ) -> color_eyre::Result<()> {
@@ -151,8 +101,28 @@ fn run_ratatui_app(
     let mut terminal = tui::init()?;
     terminal.clear()?;
 
-    let Cli { prompt, images, .. } = cli;
-    let mut app = App::new(config.clone(), prompt, show_git_warning, images);
+    let Cli {
+        prompt,
+        images,
+        approval_policy,
+        sandbox_policy: sandbox,
+        model,
+        disable_response_storage,
+        ..
+    } = cli;
+
+    let approval_policy = approval_policy.into();
+    let sandbox_policy = sandbox.into();
+
+    let mut app = App::new(
+        approval_policy,
+        sandbox_policy,
+        prompt,
+        show_git_warning,
+        images,
+        model,
+        disable_response_storage,
+    );
 
     // Bridge log receiver into the AppEvent channel so latest log lines update the UI.
     {

scripts/release_codex.py

@@ -1,152 +0,0 @@
-#!/usr/bin/env python3
-"""
-Automate the release procedure documented in `../README.md → Releasing codex`.
-
-Run this script from the repository *root*:
-
-```bash
-python release_codex.py
-```
-
-It performs the same steps that the README lists manually:
-
-1. Create and switch to a `bump-version-<timestamp>` branch.
-2. Bump the timestamp-based version in `codex-cli/package.json` **and**
-   `codex-cli/src/utils/session.ts`.
-3. Commit with a DCO sign-off.
-4. Copy the top-level `README.md` into `codex-cli/` (npm consumers see it).
-5. Run `pnpm release` (copies README again, builds, publishes to npm).
-6. Push the branch so you can open a PR that merges the version bump.
-
-The current directory can live anywhere; all paths are resolved relative to
-this file so moving it elsewhere (e.g. into `scripts/`) still works.
-"""
-
-from __future__ import annotations
-
-import datetime as _dt
-import json as _json
-import os
-import re
-import shutil
-import subprocess as _sp
-import sys
-from pathlib import Path
-
-# ---------------------------------------------------------------------------
-# Paths
-# ---------------------------------------------------------------------------
-
-#   repo-root/
-#   ├── codex-cli/
-#   ├── scripts/       <-- you are here
-#   └── README.md
-
-REPO_ROOT = Path(__file__).resolve().parent.parent
-CODEX_CLI = REPO_ROOT / "codex-cli"
-PKG_JSON = CODEX_CLI / "package.json"
-SESSION_TS = CODEX_CLI / "src" / "utils" / "session.ts"
-README_SRC = REPO_ROOT / "README.md"
-README_DST = CODEX_CLI / "README.md"
-
-
-# ---------------------------------------------------------------------------
-# Helpers
-# ---------------------------------------------------------------------------
-
-
-def sh(cmd: list[str] | str, *, cwd: Path | None = None) -> None:
-    """Run *cmd* printing it first and exit on non-zero status."""
-
-    if isinstance(cmd, list):
-        printable = " ".join(cmd)
-    else:
-        printable = cmd
-
-    print("+", printable)
-
-    _sp.run(cmd, cwd=cwd, shell=isinstance(cmd, str), check=True)
-
-
-def _new_version() -> str:
-    """Return a new timestamp version string such as `0.1.2504301234`."""
-
-    return "0.1." + _dt.datetime.utcnow().strftime("%y%m%d%H%M")
-
-
-def bump_version() -> str:
-    """Update package.json and session.ts, returning the new version."""
-
-    new_ver = _new_version()
-
-    # ---- package.json
-    data = _json.loads(PKG_JSON.read_text())
-    old_ver = data.get("version", "<unknown>")
-    data["version"] = new_ver
-    PKG_JSON.write_text(_json.dumps(data, indent=2) + "\n")
-
-    # ---- session.ts
-    pattern = r'CLI_VERSION = "0\\.1\\.\\d{10}"'
-    repl = f'CLI_VERSION = "{new_ver}"'
-    _text = SESSION_TS.read_text()
-    if re.search(pattern, _text):
-        SESSION_TS.write_text(re.sub(pattern, repl, _text))
-    else:
-        print(
-            "WARNING: CLI_VERSION constant not found – file format may have changed",
-            file=sys.stderr,
-        )
-
-    print(f"Version bump: {old_ver} → {new_ver}")
-    return new_ver
-
-
-# ---------------------------------------------------------------------------
-# Main
-# ---------------------------------------------------------------------------
-
-
-def main() -> None:  # noqa: C901 – readable top-level flow is desired
-    # Ensure we can locate required files.
-    for p in (CODEX_CLI, PKG_JSON, SESSION_TS, README_SRC):
-        if not p.exists():
-            sys.exit(f"Required path missing: {p.relative_to(REPO_ROOT)}")
-
-    os.chdir(REPO_ROOT)
-
-    # ------------------------------- create release branch
-    branch = "bump-version-" + _dt.datetime.utcnow().strftime("%Y%m%d-%H%M")
-    sh(["git", "checkout", "-b", branch])
-
-    # ------------------------------- bump version + commit
-    new_ver = bump_version()
-    sh(
-        [
-            "git",
-            "add",
-            str(PKG_JSON.relative_to(REPO_ROOT)),
-            str(SESSION_TS.relative_to(REPO_ROOT)),
-        ]
-    )
-    sh(["git", "commit", "-s", "-m", f"chore(release): codex-cli v{new_ver}"])
-
-    # ------------------------------- copy README (shown on npmjs.com)
-    shutil.copyfile(README_SRC, README_DST)
-
-    # ------------------------------- build + publish via pnpm script
-    sh(["pnpm", "install"], cwd=CODEX_CLI)
-    sh(["pnpm", "release"], cwd=CODEX_CLI)
-
-    # ------------------------------- push branch
-    sh(["git", "push", "-u", "origin", branch])
-
-    print("\n✅  Release script finished!")
-    print(f"   • npm publish run by pnpm script (branch: {branch})")
-    print("   • Open a PR to merge the version bump once CI passes.")
-
-
-if __name__ == "__main__":
-    try:
-        main()
-    except KeyboardInterrupt:
-        sys.exit("\nCancelled by user")