adding test for second clear

clearing paste counters to reset on new user message
fix(ci) more shell-tool-mcp issues (#10111 )
2026-02-02 15:03:38 +00:00 · 2026-01-29 09:55:36 -08:00 · 2026-01-29 09:44:29 -08:00 · 2026-01-28 14:36:40 -07:00 · 2026-01-28 12:25:40 -08:00 · 2026-01-28 20:06:28 +00:00
244 changed files with 16153 additions and 3257 deletions
--- a/.bazelrc
+++ b/.bazelrc
@@ -4,6 +4,7 @@ common --repo_env=BAZEL_NO_APPLE_CPP_TOOLCHAIN=1
 common --disk_cache=~/.cache/bazel-disk-cache
 common --repo_contents_cache=~/.cache/bazel-repo-contents-cache
 common --repository_cache=~/.cache/bazel-repo-cache
+common --remote_cache_compression
 startup --experimental_remote_repo_contents_cache

 common --experimental_platform_in_output_dir
--- a/.codespellrc
+++ b/.codespellrc
@@ -1,6 +1,6 @@
 [codespell]
 # Ref: https://github.com/codespell-project/codespell#using-a-config-file
-skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl,frame*.txt
+skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl,frame*.txt,*.snap,*.snap.new
 check-hidden = true
 ignore-regex = ^\s*"image/\S+": ".*|\b(afterAll)\b
 ignore-words-list = ratatui,ser,iTerm,iterm2,iterm
--- a/.github/workflows/rust-ci.yml
+++ b/.github/workflows/rust-ci.yml
@@ -59,7 +59,7 @@ jobs:
        working-directory: codex-rs
    steps:
      - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@1.92
+      - uses: dtolnay/rust-toolchain@1.93
        with:
          components: rustfmt
      - name: cargo fmt
@@ -77,7 +77,7 @@ jobs:
        working-directory: codex-rs
    steps:
      - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@1.92
+      - uses: dtolnay/rust-toolchain@1.93
      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
        with:
          tool: cargo-shear
@@ -177,11 +177,31 @@ jobs:

    steps:
      - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@1.92
+      - name: Install UBSan runtime (musl)
+        if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          if command -v apt-get >/dev/null 2>&1; then
+            sudo apt-get update -y
+            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y libubsan1
+          fi
+      - uses: dtolnay/rust-toolchain@1.93
        with:
          targets: ${{ matrix.target }}
          components: clippy

+      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
+        name: Use hermetic Cargo home (musl)
+        shell: bash
+        run: |
+          set -euo pipefail
+          cargo_home="${GITHUB_WORKSPACE}/.cargo-home"
+          mkdir -p "${cargo_home}/bin"
+          echo "CARGO_HOME=${cargo_home}" >> "$GITHUB_ENV"
+          echo "${cargo_home}/bin" >> "$GITHUB_PATH"
+          : > "${cargo_home}/config.toml"
+
      - name: Compute lockfile hash
        id: lockhash
        working-directory: codex-rs
@@ -202,6 +222,10 @@ jobs:
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
+            ${{ github.workspace }}/.cargo-home/bin/
+            ${{ github.workspace }}/.cargo-home/registry/index/
+            ${{ github.workspace }}/.cargo-home/registry/cache/
+            ${{ github.workspace }}/.cargo-home/git/db/
          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ steps.lockhash.outputs.toolchain_hash }}
          restore-keys: |
            cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-
@@ -244,6 +268,14 @@ jobs:
            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-
            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-

+      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
+        name: Disable sccache wrapper (musl)
+        shell: bash
+        run: |
+          set -euo pipefail
+          echo "RUSTC_WRAPPER=" >> "$GITHUB_ENV"
+          echo "RUSTC_WORKSPACE_WRAPPER=" >> "$GITHUB_ENV"
+
      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
        name: Prepare APT cache directories (musl)
        shell: bash
@@ -277,6 +309,58 @@ jobs:
        shell: bash
        run: bash "${GITHUB_WORKSPACE}/.github/scripts/install-musl-build-tools.sh"

+      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
+        name: Configure rustc UBSan wrapper (musl host)
+        shell: bash
+        run: |
+          set -euo pipefail
+          ubsan=""
+          if command -v ldconfig >/dev/null 2>&1; then
+            ubsan="$(ldconfig -p | grep -m1 'libubsan\.so\.1' | sed -E 's/.*=> (.*)$/\1/')"
+          fi
+          wrapper_root="${RUNNER_TEMP:-/tmp}"
+          wrapper="${wrapper_root}/rustc-ubsan-wrapper"
+          cat > "${wrapper}" <<EOF
+          #!/usr/bin/env bash
+          set -euo pipefail
+          if [[ -n "${ubsan}" ]]; then
+            export LD_PRELOAD="${ubsan}\${LD_PRELOAD:+:\${LD_PRELOAD}}"
+          fi
+          exec "\$1" "\${@:2}"
+          EOF
+          chmod +x "${wrapper}"
+          echo "RUSTC_WRAPPER=${wrapper}" >> "$GITHUB_ENV"
+          echo "RUSTC_WORKSPACE_WRAPPER=" >> "$GITHUB_ENV"
+
+      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
+        name: Clear sanitizer flags (musl)
+        shell: bash
+        run: |
+          set -euo pipefail
+          # Clear global Rust flags so host/proc-macro builds don't pull in UBSan.
+          echo "RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_ENCODED_RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "RUSTDOCFLAGS=" >> "$GITHUB_ENV"
+          # Override any runner-level Cargo config rustflags as well.
+          echo "CARGO_BUILD_RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUSTFLAGS=" >> "$GITHUB_ENV"
+
+          sanitize_flags() {
+            local input="$1"
+            input="${input//-fsanitize=undefined/}"
+            input="${input//-fno-sanitize-recover=undefined/}"
+            input="${input//-fno-sanitize-trap=undefined/}"
+            echo "$input"
+          }
+
+          cflags="$(sanitize_flags "${CFLAGS-}")"
+          cxxflags="$(sanitize_flags "${CXXFLAGS-}")"
+          echo "CFLAGS=${cflags}" >> "$GITHUB_ENV"
+          echo "CXXFLAGS=${cxxflags}" >> "$GITHUB_ENV"
+
      - name: Install cargo-chef
        if: ${{ matrix.profile == 'release' }}
        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
@@ -322,6 +406,10 @@ jobs:
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
+            ${{ github.workspace }}/.cargo-home/bin/
+            ${{ github.workspace }}/.cargo-home/registry/index/
+            ${{ github.workspace }}/.cargo-home/registry/cache/
+            ${{ github.workspace }}/.cargo-home/git/db/
          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ steps.lockhash.outputs.toolchain_hash }}

      - name: Save sccache cache (fallback)
@@ -422,7 +510,7 @@ jobs:
      - name: Install DotSlash
        uses: facebook/install-dotslash@v2

-      - uses: dtolnay/rust-toolchain@1.92
+      - uses: dtolnay/rust-toolchain@1.93
        with:
          targets: ${{ matrix.target }}

--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -21,7 +21,6 @@ jobs:
    steps:
      - uses: actions/checkout@v6
      - uses: dtolnay/rust-toolchain@1.92
-
      - name: Validate tag matches Cargo.toml version
        shell: bash
        run: |
@@ -90,10 +89,30 @@ jobs:

    steps:
      - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@1.92
+      - name: Install UBSan runtime (musl)
+        if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          if command -v apt-get >/dev/null 2>&1; then
+            sudo apt-get update -y
+            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y libubsan1
+          fi
+      - uses: dtolnay/rust-toolchain@1.93
        with:
          targets: ${{ matrix.target }}

+      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
+        name: Use hermetic Cargo home (musl)
+        shell: bash
+        run: |
+          set -euo pipefail
+          cargo_home="${GITHUB_WORKSPACE}/.cargo-home"
+          mkdir -p "${cargo_home}/bin"
+          echo "CARGO_HOME=${cargo_home}" >> "$GITHUB_ENV"
+          echo "${cargo_home}/bin" >> "$GITHUB_PATH"
+          : > "${cargo_home}/config.toml"
+
      - uses: actions/cache@v5
        with:
          path: |
@@ -101,6 +120,10 @@ jobs:
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
+            ${{ github.workspace }}/.cargo-home/bin/
+            ${{ github.workspace }}/.cargo-home/registry/index/
+            ${{ github.workspace }}/.cargo-home/registry/cache/
+            ${{ github.workspace }}/.cargo-home/git/db/
            ${{ github.workspace }}/codex-rs/target/
          key: cargo-${{ matrix.runner }}-${{ matrix.target }}-release-${{ hashFiles('**/Cargo.lock') }}

@@ -116,6 +139,58 @@ jobs:
          TARGET: ${{ matrix.target }}
        run: bash "${GITHUB_WORKSPACE}/.github/scripts/install-musl-build-tools.sh"

+      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
+        name: Configure rustc UBSan wrapper (musl host)
+        shell: bash
+        run: |
+          set -euo pipefail
+          ubsan=""
+          if command -v ldconfig >/dev/null 2>&1; then
+            ubsan="$(ldconfig -p | grep -m1 'libubsan\.so\.1' | sed -E 's/.*=> (.*)$/\1/')"
+          fi
+          wrapper_root="${RUNNER_TEMP:-/tmp}"
+          wrapper="${wrapper_root}/rustc-ubsan-wrapper"
+          cat > "${wrapper}" <<EOF
+          #!/usr/bin/env bash
+          set -euo pipefail
+          if [[ -n "${ubsan}" ]]; then
+            export LD_PRELOAD="${ubsan}\${LD_PRELOAD:+:\${LD_PRELOAD}}"
+          fi
+          exec "\$1" "\${@:2}"
+          EOF
+          chmod +x "${wrapper}"
+          echo "RUSTC_WRAPPER=${wrapper}" >> "$GITHUB_ENV"
+          echo "RUSTC_WORKSPACE_WRAPPER=" >> "$GITHUB_ENV"
+
+      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
+        name: Clear sanitizer flags (musl)
+        shell: bash
+        run: |
+          set -euo pipefail
+          # Clear global Rust flags so host/proc-macro builds don't pull in UBSan.
+          echo "RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_ENCODED_RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "RUSTDOCFLAGS=" >> "$GITHUB_ENV"
+          # Override any runner-level Cargo config rustflags as well.
+          echo "CARGO_BUILD_RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUSTFLAGS=" >> "$GITHUB_ENV"
+
+          sanitize_flags() {
+            local input="$1"
+            input="${input//-fsanitize=undefined/}"
+            input="${input//-fno-sanitize-recover=undefined/}"
+            input="${input//-fno-sanitize-trap=undefined/}"
+            echo "$input"
+          }
+
+          cflags="$(sanitize_flags "${CFLAGS-}")"
+          cxxflags="$(sanitize_flags "${CXXFLAGS-}")"
+          echo "CFLAGS=${cflags}" >> "$GITHUB_ENV"
+          echo "CXXFLAGS=${cxxflags}" >> "$GITHUB_ENV"
+
      - name: Cargo build
        shell: bash
        run: |
@@ -252,6 +327,7 @@ jobs:
          # Path that contains the uncompressed binaries for the current
          # ${{ matrix.target }}
          dest="dist/${{ matrix.target }}"
+          repo_root=$PWD

          # We want to ship the raw Windows executables in the GitHub Release
          # in addition to the compressed archives. Keep the originals for
@@ -305,7 +381,7 @@ jobs:
                  cp "$setup_src" "$bundle_dir/codex-windows-sandbox-setup.exe"
                  # Use an absolute path so bundle zips land in the real dist
                  # dir even when 7z runs from a temp directory.
-                  (cd "$bundle_dir" && 7z a "$(pwd)/$dest/${base}.zip" .)
+                  (cd "$bundle_dir" && 7z a "$repo_root/$dest/${base}.zip" .)
                else
                  echo "warning: missing sandbox binaries; falling back to single-binary zip"
                  echo "warning: expected $runner_src and $setup_src"
--- a/.github/workflows/sdk.yml
+++ b/.github/workflows/sdk.yml
@@ -24,7 +24,7 @@ jobs:
          node-version: 22
          cache: pnpm

-      - uses: dtolnay/rust-toolchain@1.92
+      - uses: dtolnay/rust-toolchain@1.93

      - name: build codex
        run: cargo build --bin codex
--- a/.github/workflows/shell-tool-mcp.yml
+++ b/.github/workflows/shell-tool-mcp.yml
@@ -93,7 +93,17 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@v6

-      - uses: dtolnay/rust-toolchain@1.92
+      - name: Install UBSan runtime (musl)
+        if: ${{ matrix.install_musl }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          if command -v apt-get >/dev/null 2>&1; then
+            sudo apt-get update -y
+            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y libubsan1
+          fi
+
+      - uses: dtolnay/rust-toolchain@1.93
        with:
          targets: ${{ matrix.target }}

@@ -109,6 +119,58 @@ jobs:
          TARGET: ${{ matrix.target }}
        run: bash "${GITHUB_WORKSPACE}/.github/scripts/install-musl-build-tools.sh"

+      - if: ${{ matrix.install_musl }}
+        name: Configure rustc UBSan wrapper (musl host)
+        shell: bash
+        run: |
+          set -euo pipefail
+          ubsan=""
+          if command -v ldconfig >/dev/null 2>&1; then
+            ubsan="$(ldconfig -p | grep -m1 'libubsan\.so\.1' | sed -E 's/.*=> (.*)$/\1/')"
+          fi
+          wrapper_root="${RUNNER_TEMP:-/tmp}"
+          wrapper="${wrapper_root}/rustc-ubsan-wrapper"
+          cat > "${wrapper}" <<EOF
+          #!/usr/bin/env bash
+          set -euo pipefail
+          if [[ -n "${ubsan}" ]]; then
+            export LD_PRELOAD="${ubsan}\${LD_PRELOAD:+:\${LD_PRELOAD}}"
+          fi
+          exec "\$1" "\${@:2}"
+          EOF
+          chmod +x "${wrapper}"
+          echo "RUSTC_WRAPPER=${wrapper}" >> "$GITHUB_ENV"
+          echo "RUSTC_WORKSPACE_WRAPPER=" >> "$GITHUB_ENV"
+
+      - if: ${{ matrix.install_musl }}
+        name: Clear sanitizer flags (musl)
+        shell: bash
+        run: |
+          set -euo pipefail
+          # Clear global Rust flags so host/proc-macro builds don't pull in UBSan.
+          echo "RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_ENCODED_RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "RUSTDOCFLAGS=" >> "$GITHUB_ENV"
+          # Override any runner-level Cargo config rustflags as well.
+          echo "CARGO_BUILD_RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_RUSTFLAGS=" >> "$GITHUB_ENV"
+          echo "CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUSTFLAGS=" >> "$GITHUB_ENV"
+
+          sanitize_flags() {
+            local input="$1"
+            input="${input//-fsanitize=undefined/}"
+            input="${input//-fno-sanitize-recover=undefined/}"
+            input="${input//-fno-sanitize-trap=undefined/}"
+            echo "$input"
+          }
+
+          cflags="$(sanitize_flags "${CFLAGS-}")"
+          cxxflags="$(sanitize_flags "${CXXFLAGS-}")"
+          echo "CFLAGS=${cflags}" >> "$GITHUB_ENV"
+          echo "CXXFLAGS=${cxxflags}" >> "$GITHUB_ENV"
+
      - name: Build exec server binaries
        run: cargo build --release --target ${{ matrix.target }} --bin codex-exec-mcp-server --bin codex-execve-wrapper

@@ -282,7 +344,6 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
-          version: 10.8.1
          run_install: false

      - name: Setup Node.js
@@ -378,7 +439,6 @@ jobs:
      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
-          version: 10.8.1
          run_install: false

      - name: Setup Node.js
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -11,6 +11,7 @@ In the codex-rs folder where the rust code lives:
 - Always collapse if statements per https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_if
 - Always inline format! args when possible per https://rust-lang.github.io/rust-clippy/master/index.html#uninlined_format_args
 - Use method references over closures when possible per https://rust-lang.github.io/rust-clippy/master/index.html#redundant_closure_for_method_calls
+- When possible, make `match` statements exhaustive and avoid wildcard arms.
 - When writing tests, prefer comparing the equality of entire objects over fields one by one.
 - When making a change that adds or changes an API, ensure that the documentation in the `docs/` folder is up to date if applicable.
 - If you change `ConfigToml` or nested config types, run `just write-config-schema` to update `codex-rs/core/config.schema.json`.
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -53,7 +53,7 @@ rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
 rust.toolchain(
    edition = "2024",
    extra_target_triples = RUST_TRIPLES,
-    versions = ["1.90.0"],
+    versions = ["1.93.0"],
 )
 use_repo(rust, "rust_toolchains")

@@ -67,6 +67,11 @@ crate.from_cargo(
    cargo_toml = "//codex-rs:Cargo.toml",
    platform_triples = RUST_TRIPLES,
 )
+crate.annotation(
+    crate = "nucleo-matcher",
+    strip_prefix = "matcher",
+    version = "0.3.1",
+)

 bazel_dep(name = "openssl", version = "3.5.4.bcr.0")

--- a/MODULE.bazel.lock
+++ b/MODULE.bazel.lock
--- a/PNPM.md
+++ b/PNPM.md
@@ -15,7 +15,7 @@ This project has been migrated from npm to pnpm to improve dependency management

 ```bash
 # Global installation of pnpm
-npm install -g pnpm@10.8.1
+npm install -g pnpm@10.28.2

 # Or with corepack (available with Node.js 22+)
 corepack enable
@@ -59,12 +59,12 @@ codex/

 ## CI/CD

-CI/CD workflows have been updated to use pnpm instead of npm. Make sure your CI environments use pnpm 10.8.1 or higher.
+CI/CD workflows have been updated to use pnpm instead of npm. Make sure your CI environments use pnpm 10.28.2 or higher.

 ## Known issues

 If you encounter issues with pnpm, try the following solutions:

 1. Remove the `node_modules` folder and `pnpm-lock.yaml` file, then run `pnpm install`
-2. Make sure you're using pnpm 10.8.1 or higher
+2. Make sure you're using pnpm 10.28.2 or higher
 3. Verify that Node.js 22 or higher is installed
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -602,6 +602,15 @@ dependencies = [
 "pin-project-lite",
 ]

+[[package]]
+name = "atoi"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f28d99ec8bfea296261ca1af174f24225171fea9664ba9003cbebee704810528"
+dependencies = [
+ "num-traits",
+]
+
 [[package]]
 name = "atomic-waker"
 version = "1.1.2"
@@ -616,9 +625,9 @@ checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"

 [[package]]
 name = "axum"
-version = "0.8.4"
+version = "0.8.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "021e862c184ae977658b36c4500f7feac3221ca5da43e3f25bd04ab6c79a29b5"
+checksum = "8b52af3cb4058c895d37317bb27508dccc8e5f2d39454016b297bf4a400597b8"
 dependencies = [
 "axum-core",
 "bytes",
@@ -634,8 +643,7 @@ dependencies = [
 "mime",
 "percent-encoding",
 "pin-project-lite",
- "rustversion",
- "serde",
+ "serde_core",
 "serde_json",
 "serde_path_to_error",
 "sync_wrapper",
@@ -647,9 +655,9 @@ dependencies = [

 [[package]]
 name = "axum-core"
-version = "0.5.2"
+version = "0.5.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "68464cd0412f486726fb3373129ef5d2993f90c34bc2bc1c1e9943b2f4fc7ca6"
+checksum = "08c78f31d7b1291f7ee735c1c6780ccde7785daae9a9206026862dab7d8792d1"
 dependencies = [
 "bytes",
 "futures-core",
@@ -658,7 +666,6 @@ dependencies = [
 "http-body-util",
 "mime",
 "pin-project-lite",
- "rustversion",
 "sync_wrapper",
 "tower-layer",
 "tower-service",
@@ -741,6 +748,9 @@ name = "bitflags"
 version = "2.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "812e12b5285cc515a9c72a5c1d3b6d46a19dac5acfef5265968c166106e31dd3"
+dependencies = [
+ "serde_core",
+]

 [[package]]
 name = "block-buffer"
@@ -1079,6 +1089,7 @@ dependencies = [
 "codex-chatgpt",
 "codex-common",
 "codex-core",
+ "codex-execpolicy",
 "codex-feedback",
 "codex-file-search",
 "codex-login",
@@ -1365,6 +1376,7 @@ dependencies = [
 "codex-otel",
 "codex-protocol",
 "codex-rmcp-client",
+ "codex-state",
 "codex-utils-absolute-path",
 "codex-utils-cargo-bin",
 "codex-utils-pty",
@@ -1390,6 +1402,7 @@ dependencies = [
 "libc",
 "maplit",
 "mcp-types",
+ "multimap",
 "once_cell",
 "openssl-sys",
 "os_info",
@@ -1559,11 +1572,13 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "clap",
+ "crossbeam-channel",
 "ignore",
- "nucleo-matcher",
+ "nucleo",
 "pretty_assertions",
 "serde",
 "serde_json",
+ "tempfile",
 "tokio",
 ]

@@ -1685,6 +1700,7 @@ dependencies = [
 "rama-http",
 "rama-http-backend",
 "rama-net",
+ "rama-socks5",
 "rama-tcp",
 "rama-tls-boring",
 "rama-unix",
@@ -1757,6 +1773,7 @@ name = "codex-protocol"
 version = "0.0.0"
 dependencies = [
 "anyhow",
+ "codex-execpolicy",
 "codex-git",
 "codex-utils-absolute-path",
 "codex-utils-image",
@@ -1826,6 +1843,23 @@ dependencies = [
 "which",
 ]

+[[package]]
+name = "codex-state"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "chrono",
+ "codex-otel",
+ "codex-protocol",
+ "pretty_assertions",
+ "serde",
+ "serde_json",
+ "sqlx",
+ "tokio",
+ "tracing",
+ "uuid",
+]
+
 [[package]]
 name = "codex-stdio-to-uds"
 version = "0.0.0"
@@ -2109,6 +2143,12 @@ dependencies = [
 "serde_core",
 ]

+[[package]]
+name = "const-oid"
+version = "0.9.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
+
 [[package]]
 name = "const_format"
 version = "0.2.35"
@@ -2196,6 +2236,7 @@ dependencies = [
 "tokio-tungstenite",
 "walkdir",
 "wiremock",
+ "zstd",
 ]

 [[package]]
@@ -2207,6 +2248,21 @@ dependencies = [
 "libc",
 ]

+[[package]]
+name = "crc"
+version = "3.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5eb8a2a1cd12ab0d987a5d5e825195d372001a4094a0376319d5a0ad71c1ba0d"
+dependencies = [
+ "crc-catalog",
+]
+
+[[package]]
+name = "crc-catalog"
+version = "2.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "19d374276b40fb8bbdee95aef7c7fa6b5316ec764510eb64b8dd0e2ed0d7e7f5"
+
 [[package]]
 name = "crc32fast"
 version = "1.5.0"
@@ -2250,6 +2306,15 @@ dependencies = [
 "crossbeam-utils",
 ]

+[[package]]
+name = "crossbeam-queue"
+version = "0.3.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0f58bbc28f91df819d0aa2a2c00cd19754769c2fad90579b3592b1c9ba7a3115"
+dependencies = [
+ "crossbeam-utils",
+]
+
 [[package]]
 name = "crossbeam-utils"
 version = "0.8.21"
@@ -2528,6 +2593,7 @@ version = "0.7.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb"
 dependencies = [
+ "const-oid",
 "pem-rfc7468",
 "zeroize",
 ]
@@ -2626,6 +2692,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
 dependencies = [
 "block-buffer",
+ "const-oid",
 "crypto-common",
 "subtle",
 ]
@@ -2773,6 +2840,9 @@ name = "either"
 version = "1.15.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"
+dependencies = [
+ "serde",
+]

 [[package]]
 name = "ena"
@@ -2915,6 +2985,17 @@ version = "3.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "dea2df4cf52843e0452895c455a1a2cfbb842a1e7329671acf418fdc53ed4c59"

+[[package]]
+name = "etcetera"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "136d1b5283a1ab77bd9257427ffd09d8667ced0570b6f938942bc7568ed5b943"
+dependencies = [
+ "cfg-if",
+ "home",
+ "windows-sys 0.48.0",
+]
+
 [[package]]
 name = "event-listener"
 version = "5.4.0"
@@ -3083,6 +3164,17 @@ dependencies = [
 "num-traits",
 ]

+[[package]]
+name = "flume"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "da0e4dd2a88388a1f4ccc7c9ce104604dab68d9f408dc34cd45823d5a9069095"
+dependencies = [
+ "futures-core",
+ "futures-sink",
+ "spin",
+]
+
 [[package]]
 name = "flume"
 version = "0.12.0"
@@ -3231,6 +3323,17 @@ dependencies = [
 "futures-util",
 ]

+[[package]]
+name = "futures-intrusive"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d930c203dd0b6ff06e0201a4a2fe9149b43c684fd4420555b26d21b1a02956f"
+dependencies = [
+ "futures-core",
+ "lock_api",
+ "parking_lot",
+]
+
 [[package]]
 name = "futures-io"
 version = "0.3.31"
@@ -3385,9 +3488,9 @@ checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280"

 [[package]]
 name = "globset"
-version = "0.4.16"
+version = "0.4.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "54a1028dfc5f5df5da8a56a73e6c153c9a9708ec57232470703592a3f18e49f5"
+checksum = "52dfc19153a48bde0cbd630453615c8151bce3a5adfac7a0aebfbf0a1e1f57e3"
 dependencies = [
 "aho-corasick",
 "bstr",
@@ -3463,6 +3566,15 @@ dependencies = [
 "foldhash 0.2.0",
 ]

+[[package]]
+name = "hashlink"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7382cf6263419f2d8df38c55d7da83da5c18aef87fc7a7fc1fb1e344edfe14c1"
+dependencies = [
+ "hashbrown 0.15.4",
+]
+
 [[package]]
 name = "heck"
 version = "0.5.0"
@@ -3666,7 +3778,7 @@ dependencies = [
 "tokio",
 "tokio-rustls",
 "tower-service",
- "webpki-roots",
+ "webpki-roots 1.0.2",
 ]

 [[package]]
@@ -3716,7 +3828,7 @@ dependencies = [
 "libc",
 "percent-encoding",
 "pin-project-lite",
- "socket2 0.5.10",
+ "socket2 0.6.1",
 "system-configuration",
 "tokio",
 "tower-service",
@@ -4298,6 +4410,9 @@ name = "lazy_static"
 version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
+dependencies = [
+ "spin",
+]

 [[package]]
 name = "libc"
@@ -4324,6 +4439,12 @@ dependencies = [
 "windows-link 0.2.0",
 ]

+[[package]]
+name = "libm"
+version = "0.2.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6d2cec3eae94f9f509c767b45932f1ada8350c4bdb85af2fcab4a3c14807981"
+
 [[package]]
 name = "libredox"
 version = "0.1.6"
@@ -4332,6 +4453,18 @@ checksum = "4488594b9328dee448adb906d8b126d9b7deb7cf5c22161ee591610bb1be83c0"
 dependencies = [
 "bitflags 2.10.0",
 "libc",
+ "redox_syscall",
+]
+
+[[package]]
+name = "libsqlite3-sys"
+version = "0.30.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2e99fb7a497b1e3339bc746195567ed8d3e24945ecd636e3619d20b9de9e9149"
+dependencies = [
+ "cc",
+ "pkg-config",
+ "vcpkg",
 ]

 [[package]]
@@ -4516,6 +4649,16 @@ dependencies = [
 "wiremock",
 ]

+[[package]]
+name = "md-5"
+version = "0.10.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d89e7ee0cfbedfc4da3340218492196241d89eefb6dab27de5df917a6d2e78cf"
+dependencies = [
+ "cfg-if",
+ "digest",
+]
+
 [[package]]
 name = "md5"
 version = "0.8.0"
@@ -4759,11 +4902,20 @@ dependencies = [
 "windows-sys 0.52.0",
 ]

+[[package]]
+name = "nucleo"
+version = "0.5.0"
+source = "git+https://github.com/helix-editor/nucleo.git?rev=4253de9faabb4e5c6d81d946a5e35a90f87347ee#4253de9faabb4e5c6d81d946a5e35a90f87347ee"
+dependencies = [
+ "nucleo-matcher",
+ "parking_lot",
+ "rayon",
+]
+
 [[package]]
 name = "nucleo-matcher"
 version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bf33f538733d1a5a3494b836ba913207f14d9d4a1d3cd67030c5061bdd2cac85"
+source = "git+https://github.com/helix-editor/nucleo.git?rev=4253de9faabb4e5c6d81d946a5e35a90f87347ee#4253de9faabb4e5c6d81d946a5e35a90f87347ee"
 dependencies = [
 "memchr",
 "unicode-segmentation",
@@ -4793,6 +4945,22 @@ dependencies = [
 "num-traits",
 ]

+[[package]]
+name = "num-bigint-dig"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e661dda6640fad38e827a6d4a310ff4763082116fe217f279885c97f511bb0b7"
+dependencies = [
+ "lazy_static",
+ "libm",
+ "num-integer",
+ "num-iter",
+ "num-traits",
+ "rand 0.8.5",
+ "smallvec",
+ "zeroize",
+]
+
 [[package]]
 name = "num-complex"
 version = "0.4.6"
@@ -4846,6 +5014,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
 dependencies = [
 "autocfg",
+ "libm",
 ]

 [[package]]
@@ -5328,6 +5497,27 @@ dependencies = [
 "futures-io",
 ]

+[[package]]
+name = "pkcs1"
+version = "0.7.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f"
+dependencies = [
+ "der",
+ "pkcs8",
+ "spki",
+]
+
+[[package]]
+name = "pkcs8"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
+dependencies = [
+ "der",
+ "spki",
+]
+
 [[package]]
 name = "pkg-config"
 version = "0.3.32"
@@ -5632,7 +5822,7 @@ dependencies = [
 "quinn-udp",
 "rustc-hash",
 "rustls",
- "socket2 0.5.10",
+ "socket2 0.6.1",
 "thiserror 2.0.17",
 "tokio",
 "tracing",
@@ -5669,7 +5859,7 @@ dependencies = [
 "cfg_aliases 0.2.1",
 "libc",
 "once_cell",
- "socket2 0.5.10",
+ "socket2 0.6.1",
 "tracing",
 "windows-sys 0.60.2",
 ]
@@ -5941,7 +6131,7 @@ checksum = "b28ee9e1e5d39264414b71f5c33e7fbb66b382c3fac456fe0daad39cf5509933"
 dependencies = [
 "ahash",
 "const_format",
- "flume",
+ "flume 0.12.0",
 "hex",
 "ipnet",
 "itertools 0.14.0",
@@ -5961,6 +6151,21 @@ dependencies = [
 "tokio",
 ]

+[[package]]
+name = "rama-socks5"
+version = "0.3.0-alpha.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5468b263516daaf258de32542c1974b7cbe962363ad913dcb669f5d46db0ef3e"
+dependencies = [
+ "byteorder",
+ "rama-core",
+ "rama-net",
+ "rama-tcp",
+ "rama-udp",
+ "rama-utils",
+ "tokio",
+]
+
 [[package]]
 name = "rama-tcp"
 version = "0.3.0-alpha.4"
@@ -5984,7 +6189,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "def3d5d06d3ca3a2d2e4376cf93de0555cd9c7960f085bf77be9562f5c9ace8f"
 dependencies = [
 "ahash",
- "flume",
+ "flume 0.12.0",
 "itertools 0.14.0",
 "moka",
 "parking_lot",
@@ -5999,6 +6204,18 @@ dependencies = [
 "tokio",
 ]

+[[package]]
+name = "rama-udp"
+version = "0.3.0-alpha.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "36ed05e0ecac73e084e92a3a8b1fbf16fdae8958c506f0f0eada180a2d99eef4"
+dependencies = [
+ "rama-core",
+ "rama-net",
+ "tokio",
+ "tokio-util",
+]
+
 [[package]]
 name = "rama-unix"
 version = "0.3.0-alpha.4"
@@ -6126,6 +6343,26 @@ dependencies = [
 "ratatui",
 ]

+[[package]]
+name = "rayon"
+version = "1.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "368f01d005bf8fd9b1206fb6fa653e6c4a81ceb1466406b81792d87c5677a58f"
+dependencies = [
+ "either",
+ "rayon-core",
+]
+
+[[package]]
+name = "rayon-core"
+version = "1.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "22e18b0f0062d30d4230b2e85ff77fdfe4326feb054b9783a3460d8435c8ab91"
+dependencies = [
+ "crossbeam-deque",
+ "crossbeam-utils",
+]
+
 [[package]]
 name = "redox_syscall"
 version = "0.5.15"
@@ -6264,7 +6501,7 @@ dependencies = [
 "wasm-bindgen-futures",
 "wasm-streams",
 "web-sys",
- "webpki-roots",
+ "webpki-roots 1.0.2",
 ]

 [[package]]
@@ -6335,6 +6572,26 @@ dependencies = [
 "syn 2.0.104",
 ]

+[[package]]
+name = "rsa"
+version = "0.9.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b8573f03f5883dcaebdfcf4725caa1ecb9c15b2ef50c43a07b816e06799bb12d"
+dependencies = [
+ "const-oid",
+ "digest",
+ "num-bigint-dig",
+ "num-integer",
+ "num-traits",
+ "pkcs1",
+ "pkcs8",
+ "rand_core 0.6.4",
+ "signature",
+ "spki",
+ "subtle",
+ "zeroize",
+]
+
 [[package]]
 name = "rustc-demangle"
 version = "0.1.25"
@@ -7084,6 +7341,16 @@ dependencies = [
 "libc",
 ]

+[[package]]
+name = "signature"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
+dependencies = [
+ "digest",
+ "rand_core 0.6.4",
+]
+
 [[package]]
 name = "simd-adler32"
 version = "0.3.7"
@@ -7168,6 +7435,218 @@ dependencies = [
 "lock_api",
 ]

+[[package]]
+name = "spki"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
+dependencies = [
+ "base64ct",
+ "der",
+]
+
+[[package]]
+name = "sqlx"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fefb893899429669dcdd979aff487bd78f4064e5e7907e4269081e0ef7d97dc"
+dependencies = [
+ "sqlx-core",
+ "sqlx-macros",
+ "sqlx-mysql",
+ "sqlx-postgres",
+ "sqlx-sqlite",
+]
+
+[[package]]
+name = "sqlx-core"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee6798b1838b6a0f69c007c133b8df5866302197e404e8b6ee8ed3e3a5e68dc6"
+dependencies = [
+ "base64",
+ "bytes",
+ "chrono",
+ "crc",
+ "crossbeam-queue",
+ "either",
+ "event-listener",
+ "futures-core",
+ "futures-intrusive",
+ "futures-io",
+ "futures-util",
+ "hashbrown 0.15.4",
+ "hashlink",
+ "indexmap 2.12.0",
+ "log",
+ "memchr",
+ "once_cell",
+ "percent-encoding",
+ "rustls",
+ "serde",
+ "serde_json",
+ "sha2",
+ "smallvec",
+ "thiserror 2.0.17",
+ "time",
+ "tokio",
+ "tokio-stream",
+ "tracing",
+ "url",
+ "uuid",
+ "webpki-roots 0.26.11",
+]
+
+[[package]]
+name = "sqlx-macros"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a2d452988ccaacfbf5e0bdbc348fb91d7c8af5bee192173ac3636b5fb6e6715d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "sqlx-core",
+ "sqlx-macros-core",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "sqlx-macros-core"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "19a9c1841124ac5a61741f96e1d9e2ec77424bf323962dd894bdb93f37d5219b"
+dependencies = [
+ "dotenvy",
+ "either",
+ "heck",
+ "hex",
+ "once_cell",
+ "proc-macro2",
+ "quote",
+ "serde",
+ "serde_json",
+ "sha2",
+ "sqlx-core",
+ "sqlx-mysql",
+ "sqlx-postgres",
+ "sqlx-sqlite",
+ "syn 2.0.104",
+ "tokio",
+ "url",
+]
+
+[[package]]
+name = "sqlx-mysql"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aa003f0038df784eb8fecbbac13affe3da23b45194bd57dba231c8f48199c526"
+dependencies = [
+ "atoi",
+ "base64",
+ "bitflags 2.10.0",
+ "byteorder",
+ "bytes",
+ "chrono",
+ "crc",
+ "digest",
+ "dotenvy",
+ "either",
+ "futures-channel",
+ "futures-core",
+ "futures-io",
+ "futures-util",
+ "generic-array",
+ "hex",
+ "hkdf",
+ "hmac",
+ "itoa",
+ "log",
+ "md-5",
+ "memchr",
+ "once_cell",
+ "percent-encoding",
+ "rand 0.8.5",
+ "rsa",
+ "serde",
+ "sha1",
+ "sha2",
+ "smallvec",
+ "sqlx-core",
+ "stringprep",
+ "thiserror 2.0.17",
+ "time",
+ "tracing",
+ "uuid",
+ "whoami",
+]
+
+[[package]]
+name = "sqlx-postgres"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "db58fcd5a53cf07c184b154801ff91347e4c30d17a3562a635ff028ad5deda46"
+dependencies = [
+ "atoi",
+ "base64",
+ "bitflags 2.10.0",
+ "byteorder",
+ "chrono",
+ "crc",
+ "dotenvy",
+ "etcetera",
+ "futures-channel",
+ "futures-core",
+ "futures-util",
+ "hex",
+ "hkdf",
+ "hmac",
+ "home",
+ "itoa",
+ "log",
+ "md-5",
+ "memchr",
+ "once_cell",
+ "rand 0.8.5",
+ "serde",
+ "serde_json",
+ "sha2",
+ "smallvec",
+ "sqlx-core",
+ "stringprep",
+ "thiserror 2.0.17",
+ "time",
+ "tracing",
+ "uuid",
+ "whoami",
+]
+
+[[package]]
+name = "sqlx-sqlite"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2d12fe70b2c1b4401038055f90f151b78208de1f9f89a7dbfd41587a10c3eea"
+dependencies = [
+ "atoi",
+ "chrono",
+ "flume 0.11.1",
+ "futures-channel",
+ "futures-core",
+ "futures-executor",
+ "futures-intrusive",
+ "futures-util",
+ "libsqlite3-sys",
+ "log",
+ "percent-encoding",
+ "serde",
+ "serde_urlencoded",
+ "sqlx-core",
+ "thiserror 2.0.17",
+ "time",
+ "tracing",
+ "url",
+ "uuid",
+]
+
 [[package]]
 name = "sse-stream"
 version = "0.2.1"
@@ -7301,6 +7780,17 @@ dependencies = [
 "precomputed-hash",
 ]

+[[package]]
+name = "stringprep"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b4df3d392d81bd458a8a621b8bffbd2302a12ffe288a9d931670948749463b1"
+dependencies = [
+ "unicode-bidi",
+ "unicode-normalization",
+ "unicode-properties",
+]
+
 [[package]]
 name = "strsim"
 version = "0.10.0"
@@ -7797,12 +8287,10 @@ dependencies = [

 [[package]]
 name = "tokio-test"
-version = "0.4.4"
+version = "0.4.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2468baabc3311435b55dd935f702f42cd1b8abb7e754fb7dfb16bd36aa88f9f7"
+checksum = "3f6d24790a10a7af737693a3e8f1d03faef7e6ca0cc99aae5066f533766de545"
 dependencies = [
- "async-stream",
- "bytes",
 "futures-core",
 "tokio",
 "tokio-stream",
@@ -8001,9 +8489,9 @@ checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3"

 [[package]]
 name = "tracing"
-version = "0.1.43"
+version = "0.1.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2d15d90a0b5c19378952d479dc858407149d7bb45a14de0142f6c534b16fc647"
+checksum = "63e71662fa4b2a2c3a26f570f037eb95bb1f85397f3cd8076caed2f026a6d100"
 dependencies = [
 "log",
 "pin-project-lite",
@@ -8036,9 +8524,9 @@ dependencies = [

 [[package]]
 name = "tracing-core"
-version = "0.1.35"
+version = "0.1.36"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7a04e24fab5c89c6a36eb8558c9656f30d81de51dfa4d3b45f26b21d61fa0a6c"
+checksum = "db97caf9d906fbde555dd62fa95ddba9eecfd14cb388e4f491a66d74cd5fb79a"
 dependencies = [
 "once_cell",
 "valuable",
@@ -8263,6 +8751,12 @@ version = "2.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "75b844d17643ee918803943289730bec8aac480150456169e647ed0b576ba539"

+[[package]]
+name = "unicode-bidi"
+version = "0.3.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c1cb5db39152898a79168971543b1cb5020dff7fe43c8dc468b0885f5e29df5"
+
 [[package]]
 name = "unicode-ident"
 version = "1.0.18"
@@ -8275,6 +8769,21 @@ version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3b09c83c3c29d37506a3e260c08c03743a6bb66a9cd432c6934ab501a190571f"

+[[package]]
+name = "unicode-normalization"
+version = "0.1.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5fd4f6878c9cb28d874b009da9e8d183b5abc80117c40bbd187a1fde336be6e8"
+dependencies = [
+ "tinyvec",
+]
+
+[[package]]
+name = "unicode-properties"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7df058c713841ad818f1dc5d3fd88063241cc61f49f5fbea4b951e8cf5a8d71d"
+
 [[package]]
 name = "unicode-segmentation"
 version = "1.12.0"
@@ -8482,6 +8991,12 @@ dependencies = [
 "wit-bindgen-rt",
 ]

+[[package]]
+name = "wasite"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b8dad83b4f25e74f184f64c43b150b91efe7647395b42289f38e50566d82855b"
+
 [[package]]
 name = "wasm-bindgen"
 version = "0.2.100"
@@ -8681,6 +9196,15 @@ dependencies = [
 "rustls-pki-types",
 ]

+[[package]]
+name = "webpki-roots"
+version = "0.26.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "521bc38abb08001b01866da9f51eb7c5d647a19260e00054a8c7fd5f9e57f7a9"
+dependencies = [
+ "webpki-roots 1.0.2",
+]
+
 [[package]]
 name = "webpki-roots"
 version = "1.0.2"
@@ -8707,6 +9231,16 @@ dependencies = [
 "winsafe",
 ]

+[[package]]
+name = "whoami"
+version = "1.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d4a4db5077702ca3015d3d02d74974948aba2ad9e12ab7df718ee64ccd7e97d"
+dependencies = [
+ "libredox",
+ "wasite",
+]
+
 [[package]]
 name = "widestring"
 version = "1.2.1"
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -47,6 +47,7 @@ members = [
    "utils/string",
    "codex-client",
    "codex-api",
+    "state",
 ]
 resolver = "2"

@@ -91,6 +92,7 @@ codex-process-hardening = { path = "process-hardening" }
 codex-protocol = { path = "protocol" }
 codex-responses-api-proxy = { path = "responses-api-proxy" }
 codex-rmcp-client = { path = "rmcp-client" }
+codex-state = { path = "state" }
 codex-stdio-to-uds = { path = "stdio-to-uds" }
 codex-tui = { path = "tui" }
 codex-utils-absolute-path = { path = "utils/absolute-path" }
@@ -126,6 +128,7 @@ clap = "4"
 clap_complete = "4"
 color-eyre = "0.6.3"
 crossterm = "0.28.1"
+crossbeam-channel = "0.5.15"
 ctor = "0.6.3"
 derive_more = "2"
 diffy = "0.4.2"
@@ -159,7 +162,7 @@ maplit = "1.0.2"
 mime_guess = "2.0.5"
 multimap = "0.10.0"
 notify = "8.2.0"
-nucleo-matcher = "0.3.1"
+nucleo = { git = "https://github.com/helix-editor/nucleo.git", rev = "4253de9faabb4e5c6d81d946a5e35a90f87347ee" }
 once_cell = "1.20.2"
 openssl-sys = "*"
 opentelemetry = "0.31.0"
@@ -198,6 +201,7 @@ semver = "1.0"
 shlex = "1.3.0"
 similar = "2.7.0"
 socket2 = "0.6.1"
+sqlx = { version = "0.8.6", default-features = false, features = ["chrono", "json", "macros", "migrate", "runtime-tokio-rustls", "sqlite", "time", "uuid"] }
 starlark = "0.13.0"
 strum = "0.27.2"
 strum_macros = "0.27.2"
@@ -216,7 +220,7 @@ tokio-tungstenite = { version = "0.28.0", features = ["proxy", "rustls-tls-nativ
 tokio-util = "0.7.18"
 toml = "0.9.5"
 toml_edit = "0.24.0"
-tracing = "0.1.43"
+tracing = "0.1.44"
 tracing-appender = "0.2.3"
 tracing-subscriber = "0.3.22"
 tracing-test = "0.2.5"
--- a/codex-rs/README.md
+++ b/codex-rs/README.md
@@ -15,8 +15,8 @@ You can also install via Homebrew (`brew install --cask codex`) or download a pl

 ## Documentation quickstart

- First run with Codex? Start with the [Getting Started guide](https://developers.openai.com/codex) (links to the walkthrough for prompts, keyboard shortcuts, and session management).
- Want deeper control? See [Configuration documentation](https://developers.openai.com/codex/config-advanced/).
+- First run with Codex? Start with [`docs/getting-started.md`](../docs/getting-started.md) (links to the walkthrough for prompts, keyboard shortcuts, and session management).
+- Want deeper control? See [`docs/config.md`](../docs/config.md) and [`docs/install.md`](../docs/install.md).

 ## What's new in the Rust CLI

@@ -24,13 +24,13 @@ The Rust implementation is now the maintained Codex CLI and serves as the defaul

 ### Config

-Codex supports a rich set of configuration options. Note that the Rust CLI uses `config.toml` instead of `config.json`. See [Configuration documentation](https://developers.openai.com/codex/config-advanced/) for details.
+Codex supports a rich set of configuration options. Note that the Rust CLI uses `config.toml` instead of `config.json`. See [`docs/config.md`](../docs/config.md) for details.

 ### Model Context Protocol Support

 #### MCP client

-Codex CLI functions as an MCP client that allows the Codex CLI and IDE extension to connect to MCP servers on startup. See the [configuration documentation](https://developers.openai.com/codex/config-advanced/) for details.
+Codex CLI functions as an MCP client that allows the Codex CLI and IDE extension to connect to MCP servers on startup. See the [`configuration documentation`](../docs/config.md#connecting-to-mcp-servers) for details.

 #### MCP server (experimental)

@@ -46,7 +46,7 @@ Use `codex mcp` to add/list/get/remove MCP server launchers defined in `config.t

 ### Notifications

-You can enable notifications by configuring a script that is run whenever the agent finishes a turn. The [notify documentation](https://developers.openai.com/codex/config-advanced/#notifications) includes a detailed example that explains how to get desktop notifications via [terminal-notifier](https://github.com/julienXX/terminal-notifier) on macOS. When Codex detects that it is running under WSL 2 inside Windows Terminal (`WT_SESSION` is set), the TUI automatically falls back to native Windows toast notifications so approval prompts and completed turns surface even though Windows Terminal does not implement OSC 9.
+You can enable notifications by configuring a script that is run whenever the agent finishes a turn. The [notify documentation](../docs/config.md#notify) includes a detailed example that explains how to get desktop notifications via [terminal-notifier](https://github.com/julienXX/terminal-notifier) on macOS. When Codex detects that it is running under WSL 2 inside Windows Terminal (`WT_SESSION` is set), the TUI automatically falls back to native Windows toast notifications so approval prompts and completed turns surface even though Windows Terminal does not implement OSC 9.

 ### `codex exec` to run Codex programmatically/non-interactively

--- a/codex-rs/app-server-protocol/src/protocol/common.rs
+++ b/codex-rs/app-server-protocol/src/protocol/common.rs
@@ -598,6 +598,7 @@ server_notification_definitions! {
    ReasoningSummaryTextDelta => "item/reasoning/summaryTextDelta" (v2::ReasoningSummaryTextDeltaNotification),
    ReasoningSummaryPartAdded => "item/reasoning/summaryPartAdded" (v2::ReasoningSummaryPartAddedNotification),
    ReasoningTextDelta => "item/reasoning/textDelta" (v2::ReasoningTextDeltaNotification),
+    /// Deprecated: Use `ContextCompaction` item type instead.
    ContextCompacted => "thread/compacted" (v2::ContextCompactedNotification),
    DeprecationNotice => "deprecationNotice" (v2::DeprecationNoticeNotification),
    ConfigWarning => "configWarning" (v2::ConfigWarningNotification),
--- a/codex-rs/app-server-protocol/src/protocol/v2.rs
+++ b/codex-rs/app-server-protocol/src/protocol/v2.rs
@@ -27,10 +27,12 @@ use codex_protocol::protocol::NetworkAccess as CoreNetworkAccess;
 use codex_protocol::protocol::RateLimitSnapshot as CoreRateLimitSnapshot;
 use codex_protocol::protocol::RateLimitWindow as CoreRateLimitWindow;
 use codex_protocol::protocol::SessionSource as CoreSessionSource;
+use codex_protocol::protocol::SkillDependencies as CoreSkillDependencies;
 use codex_protocol::protocol::SkillErrorInfo as CoreSkillErrorInfo;
 use codex_protocol::protocol::SkillInterface as CoreSkillInterface;
 use codex_protocol::protocol::SkillMetadata as CoreSkillMetadata;
 use codex_protocol::protocol::SkillScope as CoreSkillScope;
+use codex_protocol::protocol::SkillToolDependency as CoreSkillToolDependency;
 use codex_protocol::protocol::SubAgentSource as CoreSubAgentSource;
 use codex_protocol::protocol::TokenUsage as CoreTokenUsage;
 use codex_protocol::protocol::TokenUsageInfo as CoreTokenUsageInfo;
@@ -1395,11 +1397,14 @@ pub struct SkillMetadata {
    pub description: String,
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[ts(optional)]
-    /// Legacy short_description from SKILL.md. Prefer SKILL.toml interface.short_description.
+    /// Legacy short_description from SKILL.md. Prefer SKILL.json interface.short_description.
    pub short_description: Option<String>,
    #[serde(default, skip_serializing_if = "Option::is_none")]
    #[ts(optional)]
    pub interface: Option<SkillInterface>,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    #[ts(optional)]
+    pub dependencies: Option<SkillDependencies>,
    pub path: PathBuf,
    pub scope: SkillScope,
    pub enabled: bool,
@@ -1423,6 +1428,35 @@ pub struct SkillInterface {
    pub default_prompt: Option<String>,
 }

+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct SkillDependencies {
+    pub tools: Vec<SkillToolDependency>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct SkillToolDependency {
+    #[serde(rename = "type")]
+    #[ts(rename = "type")]
+    pub r#type: String,
+    pub value: String,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    #[ts(optional)]
+    pub description: Option<String>,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    #[ts(optional)]
+    pub transport: Option<String>,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    #[ts(optional)]
+    pub command: Option<String>,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    #[ts(optional)]
+    pub url: Option<String>,
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -1462,6 +1496,7 @@ impl From<CoreSkillMetadata> for SkillMetadata {
            description: value.description,
            short_description: value.short_description,
            interface: value.interface.map(SkillInterface::from),
+            dependencies: value.dependencies.map(SkillDependencies::from),
            path: value.path,
            scope: value.scope.into(),
            enabled: true,
@@ -1482,6 +1517,31 @@ impl From<CoreSkillInterface> for SkillInterface {
    }
 }

+impl From<CoreSkillDependencies> for SkillDependencies {
+    fn from(value: CoreSkillDependencies) -> Self {
+        Self {
+            tools: value
+                .tools
+                .into_iter()
+                .map(SkillToolDependency::from)
+                .collect(),
+        }
+    }
+}
+
+impl From<CoreSkillToolDependency> for SkillToolDependency {
+    fn from(value: CoreSkillToolDependency) -> Self {
+        Self {
+            r#type: value.r#type,
+            value: value.value,
+            description: value.description,
+            transport: value.transport,
+            command: value.command,
+            url: value.url,
+        }
+    }
+}
+
 impl From<CoreSkillScope> for SkillScope {
    fn from(value: CoreSkillScope) -> Self {
        match value {
@@ -1969,6 +2029,9 @@ pub enum ThreadItem {
    #[serde(rename_all = "camelCase")]
    #[ts(rename_all = "camelCase")]
    ExitedReviewMode { id: String, review: String },
+    #[serde(rename_all = "camelCase")]
+    #[ts(rename_all = "camelCase")]
+    ContextCompaction { id: String },
 }

 impl From<CoreTurnItem> for ThreadItem {
@@ -1997,6 +2060,9 @@ impl From<CoreTurnItem> for ThreadItem {
                id: search.id,
                query: search.query,
            },
+            CoreTurnItem::ContextCompaction(compaction) => {
+                ThreadItem::ContextCompaction { id: compaction.id }
+            }
        }
    }
 }
@@ -2359,6 +2425,7 @@ pub struct WindowsWorldWritableWarningNotification {
    pub failed_scan: bool,
 }

+/// Deprecated: Use `ContextCompaction` item type instead.
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -2621,6 +2688,7 @@ mod tests {
    use codex_protocol::items::TurnItem;
    use codex_protocol::items::UserMessageItem;
    use codex_protocol::items::WebSearchItem;
+    use codex_protocol::models::WebSearchAction;
    use codex_protocol::protocol::NetworkAccess as CoreNetworkAccess;
    use codex_protocol::user_input::UserInput as CoreUserInput;
    use pretty_assertions::assert_eq;
@@ -2728,6 +2796,9 @@ mod tests {
        let search_item = TurnItem::WebSearch(WebSearchItem {
            id: "search-1".to_string(),
            query: "docs".to_string(),
+            action: WebSearchAction::Search {
+                query: Some("docs".to_string()),
+            },
        });

        assert_eq!(
--- a/codex-rs/app-server/Cargo.toml
+++ b/codex-rs/app-server/Cargo.toml
@@ -56,6 +56,7 @@ axum = { workspace = true, default-features = false, features = [
    "tokio",
 ] }
 base64 = { workspace = true }
+codex-execpolicy = { workspace = true }
 core_test_support = { workspace = true }
 mcp-types = { workspace = true }
 os_info = { workspace = true }
--- a/codex-rs/app-server/README.md
+++ b/codex-rs/app-server/README.md
@@ -431,7 +431,8 @@ Today both notifications carry an empty `items` array even when item events were
 - `imageView` — `{id, path}` emitted when the agent invokes the image viewer tool.
 - `enteredReviewMode` — `{id, review}` sent when the reviewer starts; `review` is a short user-facing label such as `"current changes"` or the requested target description.
 - `exitedReviewMode` — `{id, review}` emitted when the reviewer finishes; `review` is the full plain-text review (usually, overall notes plus bullet point findings).
- `compacted` - `{threadId, turnId}` when codex compacts the conversation history. This can happen automatically.
+- `contextCompaction` — `{id}` emitted when codex compacts the conversation history. This can happen automatically.
+- `compacted` - `{threadId, turnId}` when codex compacts the conversation history. This can happen automatically. **Deprecated:** Use `contextCompaction` instead.

 All items emit two shared lifecycle events:

--- a/codex-rs/app-server/src/codex_message_processor.rs
+++ b/codex-rs/app-server/src/codex_message_processor.rs
@@ -169,6 +169,8 @@ use codex_core::read_head_for_summary;
 use codex_core::read_session_meta_line;
 use codex_core::rollout_date_parts;
 use codex_core::sandboxing::SandboxPermissions;
+use codex_core::state_db::{self};
+use codex_core::windows_sandbox::WindowsSandboxLevelExt;
 use codex_feedback::CodexFeedback;
 use codex_login::ServerOptions as LoginServerOptions;
 use codex_login::ShutdownHandle;
@@ -176,6 +178,7 @@ use codex_login::run_login_server;
 use codex_protocol::ThreadId;
 use codex_protocol::config_types::ForcedLoginMethod;
 use codex_protocol::config_types::Personality;
+use codex_protocol::config_types::WindowsSandboxLevel;
 use codex_protocol::dynamic_tools::DynamicToolSpec as CoreDynamicToolSpec;
 use codex_protocol::items::TurnItem;
 use codex_protocol::models::ResponseItem;
@@ -1259,12 +1262,14 @@ impl CodexMessageProcessor {
        let timeout_ms = params
            .timeout_ms
            .and_then(|timeout_ms| u64::try_from(timeout_ms).ok());
+        let windows_sandbox_level = WindowsSandboxLevel::from_config(&self.config);
        let exec_params = ExecParams {
            command: params.command,
            cwd,
            expiration: timeout_ms.into(),
            env,
            sandbox_permissions: SandboxPermissions::UseDefault,
+            windows_sandbox_level,
            justification: None,
            arg0: None,
        };
@@ -1605,6 +1610,7 @@ impl CodexMessageProcessor {
    }

    async fn thread_archive(&mut self, request_id: RequestId, params: ThreadArchiveParams) {
+        // TODO(jif) mostly rewrite this using sqlite after phase 1
        let thread_id = match ThreadId::from_string(&params.thread_id) {
            Ok(id) => id,
            Err(err) => {
@@ -1654,6 +1660,7 @@ impl CodexMessageProcessor {
    }

    async fn thread_unarchive(&mut self, request_id: RequestId, params: ThreadUnarchiveParams) {
+        // TODO(jif) mostly rewrite this using sqlite after phase 1
        let thread_id = match ThreadId::from_string(&params.thread_id) {
            Ok(id) => id,
            Err(err) => {
@@ -1696,6 +1703,7 @@ impl CodexMessageProcessor {

        let rollout_path_display = archived_path.display().to_string();
        let fallback_provider = self.config.model_provider_id.clone();
+        let state_db_ctx = state_db::init_if_enabled(&self.config, None).await;
        let archived_folder = self
            .config
            .codex_home
@@ -1774,6 +1782,11 @@ impl CodexMessageProcessor {
                    message: format!("failed to unarchive thread: {err}"),
                    data: None,
                })?;
+            if let Some(ctx) = state_db_ctx {
+                let _ = ctx
+                    .mark_unarchived(thread_id, restored_path.as_path())
+                    .await;
+            }
            let summary =
                read_summary_from_rollout(restored_path.as_path(), fallback_provider.as_str())
                    .await
@@ -2503,7 +2516,6 @@ impl CodexMessageProcessor {
        };

        let fallback_provider = self.config.model_provider_id.as_str();
-
        match read_summary_from_rollout(&path, fallback_provider).await {
            Ok(summary) => {
                let response = GetConversationSummaryResponse { summary };
@@ -3526,8 +3538,13 @@ impl CodexMessageProcessor {
            });
        }

+        let mut state_db_ctx = None;
+
        // If the thread is active, request shutdown and wait briefly.
        if let Some(conversation) = self.thread_manager.remove_thread(&thread_id).await {
+            if let Some(ctx) = conversation.state_db() {
+                state_db_ctx = Some(ctx);
+            }
            info!("thread {thread_id} was active; shutting down");
            // Request shutdown.
            match conversation.submit(Op::Shutdown).await {
@@ -3554,14 +3571,24 @@ impl CodexMessageProcessor {
            }
        }

+        if state_db_ctx.is_none() {
+            state_db_ctx = state_db::init_if_enabled(&self.config, None).await;
+        }
+
        // Move the rollout file to archived.
-        let result: std::io::Result<()> = async {
+        let result: std::io::Result<()> = async move {
            let archive_folder = self
                .config
                .codex_home
                .join(codex_core::ARCHIVED_SESSIONS_SUBDIR);
            tokio::fs::create_dir_all(&archive_folder).await?;
-            tokio::fs::rename(&canonical_rollout_path, &archive_folder.join(&file_name)).await?;
+            let archived_path = archive_folder.join(&file_name);
+            tokio::fs::rename(&canonical_rollout_path, &archived_path).await?;
+            if let Some(ctx) = state_db_ctx {
+                let _ = ctx
+                    .mark_archived(thread_id, archived_path.as_path(), Utc::now())
+                    .await;
+            }
            Ok(())
        }
        .await;
@@ -3887,6 +3914,7 @@ impl CodexMessageProcessor {
                    cwd: params.cwd,
                    approval_policy: params.approval_policy.map(AskForApproval::to_core),
                    sandbox_policy: params.sandbox_policy.map(|p| p.to_core()),
+                    windows_sandbox_level: None,
                    model: params.model,
                    effort: params.effort.map(Some),
                    summary: params.summary,
@@ -4517,6 +4545,22 @@ fn skills_to_info(
                        default_prompt: interface.default_prompt,
                    }
                }),
+                dependencies: skill.dependencies.clone().map(|dependencies| {
+                    codex_app_server_protocol::SkillDependencies {
+                        tools: dependencies
+                            .tools
+                            .into_iter()
+                            .map(|tool| codex_app_server_protocol::SkillToolDependency {
+                                r#type: tool.r#type,
+                                value: tool.value,
+                                description: tool.description,
+                                transport: tool.transport,
+                                command: tool.command,
+                                url: tool.url,
+                            })
+                            .collect(),
+                    }
+                }),
                path: skill.path.clone(),
                scope: skill.scope.into(),
                enabled,
--- a/codex-rs/app-server/tests/suite/fuzzy_file_search.rs
+++ b/codex-rs/app-server/tests/suite/fuzzy_file_search.rs
@@ -48,8 +48,7 @@ async fn test_fuzzy_file_search_sorts_and_includes_indices() -> Result<()> {
    .await??;

    let value = resp.result;
-    // The path separator on Windows affects the score.
-    let expected_score = if cfg!(windows) { 69 } else { 72 };
+    let expected_score = 72;

    assert_eq!(
        value,
@@ -59,16 +58,9 @@ async fn test_fuzzy_file_search_sorts_and_includes_indices() -> Result<()> {
                    "root": root_path.clone(),
                    "path": "abexy",
                    "file_name": "abexy",
-                    "score": 88,
+                    "score": 84,
                    "indices": [0, 1, 2],
                },
-                {
-                    "root": root_path.clone(),
-                    "path": "abcde",
-                    "file_name": "abcde",
-                    "score": 74,
-                    "indices": [0, 1, 4],
-                },
                {
                    "root": root_path.clone(),
                    "path": sub_abce_rel,
@@ -76,6 +68,13 @@ async fn test_fuzzy_file_search_sorts_and_includes_indices() -> Result<()> {
                    "score": expected_score,
                    "indices": [4, 5, 7],
                },
+                {
+                    "root": root_path.clone(),
+                    "path": "abcde",
+                    "file_name": "abcde",
+                    "score": 71,
+                    "indices": [0, 1, 4],
+                },
            ]
        })
    );
--- a/codex-rs/app-server/tests/suite/send_message.rs
+++ b/codex-rs/app-server/tests/suite/send_message.rs
@@ -11,6 +11,7 @@ use codex_app_server_protocol::NewConversationResponse;
 use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::SendUserMessageParams;
 use codex_app_server_protocol::SendUserMessageResponse;
+use codex_execpolicy::Policy;
 use codex_protocol::ThreadId;
 use codex_protocol::models::ContentItem;
 use codex_protocol::models::DeveloperInstructions;
@@ -358,6 +359,8 @@ fn assert_permissions_message(item: &ResponseItem) {
            let expected = DeveloperInstructions::from_policy(
                &SandboxPolicy::DangerFullAccess,
                AskForApproval::Never,
+                &Policy::empty(),
+                false,
                &PathBuf::from("/tmp"),
            )
            .into_text();
--- a/codex-rs/app-server/tests/suite/v2/thread_resume.rs
+++ b/codex-rs/app-server/tests/suite/v2/thread_resume.rs
@@ -2,7 +2,9 @@ use anyhow::Result;
 use app_test_support::McpProcess;
 use app_test_support::create_fake_rollout_with_text_elements;
 use app_test_support::create_mock_responses_server_repeating_assistant;
+use app_test_support::rollout_path;
 use app_test_support::to_response;
+use chrono::Utc;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::SessionSource;
@@ -22,6 +24,8 @@ use codex_protocol::user_input::TextElement;
 use core_test_support::responses;
 use core_test_support::skip_if_no_network;
 use pretty_assertions::assert_eq;
+use std::fs::FileTimes;
+use std::path::Path;
 use std::path::PathBuf;
 use tempfile::TempDir;
 use tokio::time::timeout;
@@ -147,6 +151,116 @@ async fn thread_resume_returns_rollout_history() -> Result<()> {
    Ok(())
 }

+#[tokio::test]
+async fn thread_resume_without_overrides_does_not_change_updated_at_or_mtime() -> Result<()> {
+    let server = create_mock_responses_server_repeating_assistant("Done").await;
+    let codex_home = TempDir::new()?;
+    let rollout = setup_rollout_fixture(codex_home.path(), &server.uri())?;
+    let thread_id = rollout.conversation_id.clone();
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let resume_id = mcp
+        .send_thread_resume_request(ThreadResumeParams {
+            thread_id: thread_id.clone(),
+            ..Default::default()
+        })
+        .await?;
+    let resume_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(resume_id)),
+    )
+    .await??;
+    let ThreadResumeResponse { thread, .. } = to_response::<ThreadResumeResponse>(resume_resp)?;
+
+    assert_eq!(thread.updated_at, rollout.expected_updated_at);
+
+    let after_modified = std::fs::metadata(&rollout.rollout_file_path)?.modified()?;
+    assert_eq!(after_modified, rollout.before_modified);
+
+    let turn_id = mcp
+        .send_turn_start_request(TurnStartParams {
+            thread_id,
+            input: vec![UserInput::Text {
+                text: "Hello".to_string(),
+                text_elements: Vec::new(),
+            }],
+            ..Default::default()
+        })
+        .await?;
+    timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(turn_id)),
+    )
+    .await??;
+    timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("turn/completed"),
+    )
+    .await??;
+
+    let after_turn_modified = std::fs::metadata(&rollout.rollout_file_path)?.modified()?;
+    assert!(after_turn_modified > rollout.before_modified);
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn thread_resume_with_overrides_defers_updated_at_until_turn_start() -> Result<()> {
+    let server = create_mock_responses_server_repeating_assistant("Done").await;
+    let codex_home = TempDir::new()?;
+    let rollout = setup_rollout_fixture(codex_home.path(), &server.uri())?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let resume_id = mcp
+        .send_thread_resume_request(ThreadResumeParams {
+            thread_id: rollout.conversation_id.clone(),
+            model: Some("mock-model".to_string()),
+            ..Default::default()
+        })
+        .await?;
+    let resume_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(resume_id)),
+    )
+    .await??;
+    let ThreadResumeResponse { thread, .. } = to_response::<ThreadResumeResponse>(resume_resp)?;
+
+    assert_eq!(thread.updated_at, rollout.expected_updated_at);
+
+    let after_resume_modified = std::fs::metadata(&rollout.rollout_file_path)?.modified()?;
+    assert_eq!(after_resume_modified, rollout.before_modified);
+
+    let turn_id = mcp
+        .send_turn_start_request(TurnStartParams {
+            thread_id: rollout.conversation_id,
+            input: vec![UserInput::Text {
+                text: "Hello".to_string(),
+                text_elements: Vec::new(),
+            }],
+            ..Default::default()
+        })
+        .await?;
+    timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(turn_id)),
+    )
+    .await??;
+    timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("turn/completed"),
+    )
+    .await??;
+
+    let after_turn_modified = std::fs::metadata(&rollout.rollout_file_path)?.modified()?;
+    assert!(after_turn_modified > rollout.before_modified);
+
+    Ok(())
+}
+
 #[tokio::test]
 async fn thread_resume_prefers_path_over_thread_id() -> Result<()> {
    let server = create_mock_responses_server_repeating_assistant("Done").await;
@@ -364,3 +478,51 @@ stream_max_retries = 0
        ),
    )
 }
+
+fn set_rollout_mtime(path: &Path, updated_at_rfc3339: &str) -> Result<()> {
+    let parsed = chrono::DateTime::parse_from_rfc3339(updated_at_rfc3339)?.with_timezone(&Utc);
+    let times = FileTimes::new().set_modified(parsed.into());
+    std::fs::OpenOptions::new()
+        .append(true)
+        .open(path)?
+        .set_times(times)?;
+    Ok(())
+}
+
+struct RolloutFixture {
+    conversation_id: String,
+    rollout_file_path: PathBuf,
+    before_modified: std::time::SystemTime,
+    expected_updated_at: i64,
+}
+
+fn setup_rollout_fixture(codex_home: &Path, server_uri: &str) -> Result<RolloutFixture> {
+    create_config_toml(codex_home, server_uri)?;
+
+    let preview = "Saved user message";
+    let filename_ts = "2025-01-05T12-00-00";
+    let meta_rfc3339 = "2025-01-05T12:00:00Z";
+    let expected_updated_at_rfc3339 = "2025-01-07T00:00:00Z";
+    let conversation_id = create_fake_rollout_with_text_elements(
+        codex_home,
+        filename_ts,
+        meta_rfc3339,
+        preview,
+        Vec::new(),
+        Some("mock_provider"),
+        None,
+    )?;
+    let rollout_file_path = rollout_path(codex_home, filename_ts, &conversation_id);
+    set_rollout_mtime(rollout_file_path.as_path(), expected_updated_at_rfc3339)?;
+    let before_modified = std::fs::metadata(&rollout_file_path)?.modified()?;
+    let expected_updated_at = chrono::DateTime::parse_from_rfc3339(expected_updated_at_rfc3339)?
+        .with_timezone(&Utc)
+        .timestamp();
+
+    Ok(RolloutFixture {
+        conversation_id,
+        rollout_file_path,
+        before_modified,
+        expected_updated_at,
+    })
+}
--- a/codex-rs/backend-client/src/client.rs
+++ b/codex-rs/backend-client/src/client.rs
@@ -1,4 +1,5 @@
 use crate::types::CodeTaskDetailsResponse;
+use crate::types::ConfigFileResponse;
 use crate::types::CreditStatusDetails;
 use crate::types::PaginatedListTaskListItem;
 use crate::types::RateLimitStatusPayload;
@@ -244,6 +245,20 @@ impl Client {
        self.decode_json::<TurnAttemptsSiblingTurnsResponse>(&url, &ct, &body)
    }

+    /// Fetch the managed requirements file from codex-backend.
+    ///
+    /// `GET /api/codex/config/requirements` (Codex API style) or
+    /// `GET /wham/config/requirements` (ChatGPT backend-api style).
+    pub async fn get_config_requirements_file(&self) -> Result<ConfigFileResponse> {
+        let url = match self.path_style {
+            PathStyle::CodexApi => format!("{}/api/codex/config/requirements", self.base_url),
+            PathStyle::ChatGptApi => format!("{}/wham/config/requirements", self.base_url),
+        };
+        let req = self.http.get(&url).headers(self.headers());
+        let (body, ct) = self.exec_request(req, "GET", &url).await?;
+        self.decode_json::<ConfigFileResponse>(&url, &ct, &body)
+    }
+
    /// Create a new task (user turn) by POSTing to the appropriate backend path
    /// based on `path_style`. Returns the created task id.
    pub async fn create_task(&self, request_body: serde_json::Value) -> Result<String> {
--- a/codex-rs/backend-client/src/lib.rs
+++ b/codex-rs/backend-client/src/lib.rs
@@ -4,6 +4,7 @@ pub mod types;
 pub use client::Client;
 pub use types::CodeTaskDetailsResponse;
 pub use types::CodeTaskDetailsResponseExt;
+pub use types::ConfigFileResponse;
 pub use types::PaginatedListTaskListItem;
 pub use types::TaskListItem;
 pub use types::TurnAttemptsSiblingTurnsResponse;
--- a/codex-rs/backend-client/src/types.rs
+++ b/codex-rs/backend-client/src/types.rs
@@ -1,3 +1,4 @@
+pub use codex_backend_openapi_models::models::ConfigFileResponse;
 pub use codex_backend_openapi_models::models::CreditStatusDetails;
 pub use codex_backend_openapi_models::models::PaginatedListTaskListItem;
 pub use codex_backend_openapi_models::models::PlanType;
--- a/codex-rs/cli/src/debug_sandbox.rs
+++ b/codex-rs/cli/src/debug_sandbox.rs
@@ -136,7 +136,8 @@ async fn run_command_under_sandbox(
    if let SandboxType::Windows = sandbox_type {
        #[cfg(target_os = "windows")]
        {
-            use codex_core::features::Feature;
+            use codex_core::windows_sandbox::WindowsSandboxLevelExt;
+            use codex_protocol::config_types::WindowsSandboxLevel;
            use codex_windows_sandbox::run_windows_sandbox_capture;
            use codex_windows_sandbox::run_windows_sandbox_capture_elevated;

@@ -147,8 +148,10 @@ async fn run_command_under_sandbox(
            let env_map = env.clone();
            let command_vec = command.clone();
            let base_dir = config.codex_home.clone();
-            let use_elevated = config.features.enabled(Feature::WindowsSandbox)
-                && config.features.enabled(Feature::WindowsSandboxElevated);
+            let use_elevated = matches!(
+                WindowsSandboxLevel::from_config(&config),
+                WindowsSandboxLevel::Elevated
+            );

            // Preflight audit is invoked elsewhere at the appropriate times.
            let res = tokio::task::spawn_blocking(move || {
--- a/codex-rs/cli/src/main.rs
+++ b/codex-rs/cli/src/main.rs
@@ -147,7 +147,7 @@ struct ResumeCommand {
    session_id: Option<String>,

    /// Continue the most recent session without showing the picker.
-    #[arg(long = "last", default_value_t = false, conflicts_with = "session_id")]
+    #[arg(long = "last", default_value_t = false)]
    last: bool,

    /// Show all sessions (disables cwd filtering and shows CWD column).
@@ -932,6 +932,24 @@ mod tests {
        finalize_fork_interactive(interactive, root_overrides, session_id, last, all, fork_cli)
    }

+    #[test]
+    fn exec_resume_last_accepts_prompt_positional() {
+        let cli =
+            MultitoolCli::try_parse_from(["codex", "exec", "--json", "resume", "--last", "2+2"])
+                .expect("parse should succeed");
+
+        let Some(Subcommand::Exec(exec)) = cli.subcommand else {
+            panic!("expected exec subcommand");
+        };
+        let Some(codex_exec::Command::Resume(args)) = exec.command else {
+            panic!("expected exec resume");
+        };
+
+        assert!(args.last);
+        assert_eq!(args.session_id, None);
+        assert_eq!(args.prompt.as_deref(), Some("2+2"));
+    }
+
    fn app_server_from_args(args: &[&str]) -> AppServerCommand {
        let cli = MultitoolCli::try_parse_from(args).expect("parse");
        let Subcommand::AppServer(app_server) = cli.subcommand.expect("app-server present") else {
--- a/codex-rs/cli/src/mcp_cmd.rs
+++ b/codex-rs/cli/src/mcp_cmd.rs
@@ -13,11 +13,12 @@ use codex_core::config::find_codex_home;
 use codex_core::config::load_global_mcp_servers;
 use codex_core::config::types::McpServerConfig;
 use codex_core::config::types::McpServerTransportConfig;
+use codex_core::mcp::auth::McpOAuthLoginSupport;
 use codex_core::mcp::auth::compute_auth_statuses;
+use codex_core::mcp::auth::oauth_login_support;
 use codex_core::protocol::McpAuthStatus;
 use codex_rmcp_client::delete_oauth_tokens;
 use codex_rmcp_client::perform_oauth_login;
-use codex_rmcp_client::supports_oauth_login;

 /// Subcommands:
 /// - `list`   — list configured servers (with `--json`)
@@ -260,33 +261,25 @@ async fn run_add(config_overrides: &CliConfigOverrides, add_args: AddArgs) -> Re

    println!("Added global MCP server '{name}'.");

-    if let McpServerTransportConfig::StreamableHttp {
-        url,
-        bearer_token_env_var: None,
-        http_headers,
-        env_http_headers,
-    } = transport
-    {
-        match supports_oauth_login(&url).await {
-            Ok(true) => {
-                println!("Detected OAuth support. Starting OAuth flow…");
-                perform_oauth_login(
-                    &name,
-                    &url,
-                    config.mcp_oauth_credentials_store_mode,
-                    http_headers.clone(),
-                    env_http_headers.clone(),
-                    &Vec::new(),
-                    config.mcp_oauth_callback_port,
-                )
-                .await?;
-                println!("Successfully logged in.");
-            }
-            Ok(false) => {}
-            Err(_) => println!(
-                "MCP server may or may not require login. Run `codex mcp login {name}` to login."
-            ),
+    match oauth_login_support(&transport).await {
+        McpOAuthLoginSupport::Supported(oauth_config) => {
+            println!("Detected OAuth support. Starting OAuth flow…");
+            perform_oauth_login(
+                &name,
+                &oauth_config.url,
+                config.mcp_oauth_credentials_store_mode,
+                oauth_config.http_headers,
+                oauth_config.env_http_headers,
+                &Vec::new(),
+                config.mcp_oauth_callback_port,
+            )
+            .await?;
+            println!("Successfully logged in.");
        }
+        McpOAuthLoginSupport::Unsupported => {}
+        McpOAuthLoginSupport::Unknown(_) => println!(
+            "MCP server may or may not require login. Run `codex mcp login {name}` to login."
+        ),
    }

    Ok(())
--- a/codex-rs/codex-api/src/sse/responses.rs
+++ b/codex-rs/codex-api/src/sse/responses.rs
@@ -291,7 +291,7 @@ pub fn process_responses_event(
                if let Ok(item) = serde_json::from_value::<ResponseItem>(item_val) {
                    return Ok(Some(ResponseEvent::OutputItemAdded(item)));
                }
-                debug!("failed to parse ResponseItem from output_item.done");
+                debug!("failed to parse ResponseItem from output_item.added");
            }
        }
        "response.reasoning_summary_part.added" => {
--- a/codex-rs/codex-backend-openapi-models/src/models/config_file_response.rs
+++ b/codex-rs/codex-backend-openapi-models/src/models/config_file_response.rs
@@ -0,0 +1,40 @@
+/*
+ * codex-backend
+ *
+ * codex-backend
+ *
+ * The version of the OpenAPI document: 0.0.1
+ *
+ * Generated by: https://openapi-generator.tech
+ */
+
+use serde::Deserialize;
+use serde::Serialize;
+
+#[derive(Clone, Default, Debug, PartialEq, Serialize, Deserialize)]
+pub struct ConfigFileResponse {
+    #[serde(rename = "contents", skip_serializing_if = "Option::is_none")]
+    pub contents: Option<String>,
+    #[serde(rename = "sha256", skip_serializing_if = "Option::is_none")]
+    pub sha256: Option<String>,
+    #[serde(rename = "updated_at", skip_serializing_if = "Option::is_none")]
+    pub updated_at: Option<String>,
+    #[serde(rename = "updated_by_user_id", skip_serializing_if = "Option::is_none")]
+    pub updated_by_user_id: Option<String>,
+}
+
+impl ConfigFileResponse {
+    pub fn new(
+        contents: Option<String>,
+        sha256: Option<String>,
+        updated_at: Option<String>,
+        updated_by_user_id: Option<String>,
+    ) -> ConfigFileResponse {
+        ConfigFileResponse {
+            contents,
+            sha256,
+            updated_at,
+            updated_by_user_id,
+        }
+    }
+}
--- a/codex-rs/codex-backend-openapi-models/src/models/mod.rs
+++ b/codex-rs/codex-backend-openapi-models/src/models/mod.rs
@@ -3,6 +3,10 @@
 // Currently export only the types referenced by the workspace
 // The process for this will change

+// Config
+pub mod config_file_response;
+pub use self::config_file_response::ConfigFileResponse;
+
 // Cloud Tasks
 pub mod code_task_details_response;
 pub use self::code_task_details_response::CodeTaskDetailsResponse;
--- a/codex-rs/config.md
+++ b/codex-rs/config.md
@@ -2,4 +2,5 @@

 This file has moved. Please see the latest configuration documentation here:

- Configuration documentation: https://developers.openai.com/codex/config-advanced/
+- Full config docs: [docs/config.md](../docs/config.md)
+- MCP servers section: [docs/config.md#connecting-to-mcp-servers](../docs/config.md#connecting-to-mcp-servers)
--- a/codex-rs/core/Cargo.toml
+++ b/codex-rs/core/Cargo.toml
@@ -37,6 +37,7 @@ codex-keyring-store = { workspace = true }
 codex-otel = { workspace = true }
 codex-protocol = { workspace = true }
 codex-rmcp-client = { workspace = true }
+codex-state = { workspace = true }
 codex-utils-absolute-path = { workspace = true }
 codex-utils-pty = { workspace = true }
 codex-utils-readiness = { workspace = true }
@@ -55,6 +56,7 @@ indoc = { workspace = true }
 keyring = { workspace = true, features = ["crypto-rust"] }
 libc = { workspace = true }
 mcp-types = { workspace = true }
+multimap = { workspace = true }
 once_cell = { workspace = true }
 os_info = { workspace = true }
 rand = { workspace = true }
--- a/codex-rs/core/config.schema.json
+++ b/codex-rs/core/config.schema.json
@@ -189,6 +189,9 @@
            "remote_models": {
              "type": "boolean"
            },
+            "request_rule": {
+              "type": "boolean"
+            },
            "responses_websockets": {
              "type": "boolean"
            },
@@ -198,6 +201,12 @@
            "shell_tool": {
              "type": "boolean"
            },
+            "skill_mcp_dependency_install": {
+              "type": "boolean"
+            },
+            "sqlite": {
+              "type": "boolean"
+            },
            "steer": {
              "type": "boolean"
            },
@@ -441,7 +450,6 @@
      "type": "object"
    },
    "Notice": {
-      "additionalProperties": false,
      "description": "Settings for notices we display to users via the tui and app-server clients (primarily the Codex IDE extension). NOTE: these are different from notifications - notices are warnings, NUX screens, acknowledgements, etc.",
      "properties": {
        "hide_full_access_warning": {
@@ -475,6 +483,14 @@
      },
      "type": "object"
    },
+    "NotificationMethod": {
+      "enum": [
+        "auto",
+        "osc9",
+        "bel"
+      ],
+      "type": "string"
+    },
    "Notifications": {
      "anyOf": [
        {
@@ -983,6 +999,15 @@
          "default": null,
          "description": "Start the TUI in the specified collaboration mode (plan/execute/etc.). Defaults to unset."
        },
+        "notification_method": {
+          "allOf": [
+            {
+              "$ref": "#/definitions/NotificationMethod"
+            }
+          ],
+          "default": "auto",
+          "description": "Notification method to use for unfocused terminal notifications. Defaults to `auto`."
+        },
        "notifications": {
          "allOf": [
            {
@@ -1182,6 +1207,9 @@
        "remote_models": {
          "type": "boolean"
        },
+        "request_rule": {
+          "type": "boolean"
+        },
        "responses_websockets": {
          "type": "boolean"
        },
@@ -1191,6 +1219,12 @@
        "shell_tool": {
          "type": "boolean"
        },
+        "skill_mcp_dependency_install": {
+          "type": "boolean"
+        },
+        "sqlite": {
+          "type": "boolean"
+        },
        "steer": {
          "type": "boolean"
        },
@@ -1465,6 +1499,10 @@
      ],
      "description": "User-level skill config entries keyed by SKILL.md path."
    },
+    "suppress_unstable_features_warning": {
+      "description": "Suppress warnings about unstable (under development) features.",
+      "type": "boolean"
+    },
    "tool_output_token_limit": {
      "description": "Token budget applied when storing tool/function outputs in the context manager.",
      "format": "uint",
--- a/codex-rs/core/src/agent/role.rs
+++ b/codex-rs/core/src/agent/role.rs
@@ -44,6 +44,8 @@ pub struct AgentProfile {
    pub reasoning_effort: Option<ReasoningEffort>,
    /// Whether to force a read-only sandbox policy.
    pub read_only: bool,
+    /// Description to include in the tool specs.
+    pub description: &'static str,
 }

 impl AgentRole {
@@ -51,7 +53,19 @@ impl AgentRole {
    pub fn enum_values() -> Vec<String> {
        ALL_ROLES
            .iter()
-            .filter_map(|role| serde_json::to_string(role).ok())
+            .filter_map(|role| {
+                let description = role.profile().description;
+                serde_json::to_string(role)
+                    .map(|role| {
+                        let description = if !description.is_empty() {
+                            format!(r#", "description": {description}"#)
+                        } else {
+                            String::new()
+                        };
+                        format!(r#"{{ "name": {role}{description}}}"#)
+                    })
+                    .ok()
+            })
            .collect()
    }

@@ -66,11 +80,33 @@ impl AgentRole {
            AgentRole::Worker => AgentProfile {
                // base_instructions: Some(WORKER_PROMPT),
                // model: Some(WORKER_MODEL),
+                description: r#"Use for execution and production work.
+Typical tasks:
+- Implement part of a feature
+- Fix tests or bugs
+- Split large refactors into independent chunks
+Rules:
+- Explicitly assign **ownership** of the task (files / responsibility).
+- Always tell workers they are **not alone in the codebase**, and they should ignore edits made by others without touching them"#,
                ..Default::default()
            },
            AgentRole::Explorer => AgentProfile {
                model: Some(EXPLORER_MODEL),
                reasoning_effort: Some(ReasoningEffort::Low),
+                description: r#"Use for fast codebase understanding and information gathering.
+`explorer` are extremely fast agents so use them as much as you can to speed up the resolution of the global task.
+Typical tasks:
+- Locate usages of a symbol or concept
+- Understand how X is handled in Y
+- Review a section of code for issues
+- Assess impact of a potential change
+Rules:
+- Be explicit in what you are looking for. A good usage of `explorer` would mean that don't need to read the same code after the explorer send you the result.
+- **Always** prefer asking explorers rather than exploring the codebase yourself.
+- Spawn multiple explorers in parallel when useful and wait for all results.
+- You can ask the `explorer` to return file name, lines, entire code snippets, ...
+- Reuse the same explorer when it is relevant. If later in your process you have more questions on some code an explorer already covered, reuse this same explorer to be more efficient.
+                "#,
                ..Default::default()
            },
        }
--- a/codex-rs/core/src/apply_patch.rs
+++ b/codex-rs/core/src/apply_patch.rs
@@ -42,6 +42,7 @@ pub(crate) async fn apply_patch(
        turn_context.approval_policy,
        &turn_context.sandbox_policy,
        &turn_context.cwd,
+        turn_context.windows_sandbox_level,
    ) {
        SafetyCheck::AutoApprove {
            user_explicitly_approved,
--- a/codex-rs/core/src/codex.rs
+++ b/codex-rs/core/src/codex.rs
@@ -22,6 +22,7 @@ use crate::connectors;
 use crate::exec_policy::ExecPolicyManager;
 use crate::features::Feature;
 use crate::features::Features;
+use crate::features::maybe_push_unstable_features_warning;
 use crate::models_manager::manager::ModelsManager;
 use crate::parse_command::parse_command;
 use crate::parse_turn_item;
@@ -99,6 +100,7 @@ use crate::config::Config;
 use crate::config::Constrained;
 use crate::config::ConstraintResult;
 use crate::config::GhostSnapshotConfig;
+use crate::config::resolve_web_search_mode_for_turn;
 use crate::config::types::McpServerConfig;
 use crate::config::types::ShellEnvironmentPolicy;
 use crate::context_manager::ContextManager;
@@ -113,6 +115,7 @@ use crate::instructions::UserInstructions;
 use crate::mcp::CODEX_APPS_MCP_SERVER_NAME;
 use crate::mcp::auth::compute_auth_statuses;
 use crate::mcp::effective_mcp_servers;
+use crate::mcp::maybe_prompt_and_install_mcp_dependencies;
 use crate::mcp::with_codex_apps_mcp;
 use crate::mcp_connection_manager::McpConnectionManager;
 use crate::model_provider_info::CHAT_WIRE_API_DEPRECATION_SUMMARY;
@@ -136,9 +139,11 @@ use crate::protocol::RequestUserInputEvent;
 use crate::protocol::ReviewDecision;
 use crate::protocol::SandboxPolicy;
 use crate::protocol::SessionConfiguredEvent;
+use crate::protocol::SkillDependencies as ProtocolSkillDependencies;
 use crate::protocol::SkillErrorInfo;
 use crate::protocol::SkillInterface as ProtocolSkillInterface;
 use crate::protocol::SkillMetadata as ProtocolSkillMetadata;
+use crate::protocol::SkillToolDependency as ProtocolSkillToolDependency;
 use crate::protocol::StreamErrorEvent;
 use crate::protocol::Submission;
 use crate::protocol::TokenCountEvent;
@@ -149,6 +154,7 @@ use crate::protocol::WarningEvent;
 use crate::rollout::RolloutRecorder;
 use crate::rollout::RolloutRecorderParams;
 use crate::rollout::map_session_init_error;
+use crate::rollout::metadata;
 use crate::shell;
 use crate::shell_snapshot::ShellSnapshot;
 use crate::skills::SkillError;
@@ -156,9 +162,11 @@ use crate::skills::SkillInjections;
 use crate::skills::SkillMetadata;
 use crate::skills::SkillsManager;
 use crate::skills::build_skill_injections;
+use crate::skills::collect_explicit_skill_mentions;
 use crate::state::ActiveTurn;
 use crate::state::SessionServices;
 use crate::state::SessionState;
+use crate::state_db;
 use crate::tasks::GhostSnapshotTask;
 use crate::tasks::ReviewTask;
 use crate::tasks::SessionTask;
@@ -173,15 +181,18 @@ use crate::turn_diff_tracker::TurnDiffTracker;
 use crate::unified_exec::UnifiedExecProcessManager;
 use crate::user_notification::UserNotification;
 use crate::util::backoff;
+use crate::windows_sandbox::WindowsSandboxLevelExt;
 use codex_async_utils::OrCancelExt;
 use codex_otel::OtelManager;
 use codex_protocol::config_types::CollaborationMode;
 use codex_protocol::config_types::Personality;
 use codex_protocol::config_types::ReasoningSummary as ReasoningSummaryConfig;
+use codex_protocol::config_types::WindowsSandboxLevel;
 use codex_protocol::models::ContentItem;
 use codex_protocol::models::DeveloperInstructions;
 use codex_protocol::models::ResponseInputItem;
 use codex_protocol::models::ResponseItem;
+use codex_protocol::models::render_command_prefix_list;
 use codex_protocol::protocol::CodexErrorInfo;
 use codex_protocol::protocol::InitialHistory;
 use codex_protocol::user_input::UserInput;
@@ -324,6 +335,7 @@ impl Codex {
            compact_prompt: config.compact_prompt.clone(),
            approval_policy: config.approval_policy.clone(),
            sandbox_policy: config.sandbox_policy.clone(),
+            windows_sandbox_level: WindowsSandboxLevel::from_config(&config),
            cwd: config.cwd.clone(),
            original_config_do_not_use: Arc::clone(&config),
            session_source,
@@ -410,6 +422,10 @@ impl Codex {
        let state = self.session.state.lock().await;
        state.session_configuration.thread_config_snapshot()
    }
+
+    pub(crate) fn state_db(&self) -> Option<state_db::StateDbHandle> {
+        self.session.state_db()
+    }
 }

 /// Context for an initialized model agent
@@ -444,6 +460,7 @@ pub(crate) struct TurnContext {
    pub(crate) personality: Option<Personality>,
    pub(crate) approval_policy: AskForApproval,
    pub(crate) sandbox_policy: SandboxPolicy,
+    pub(crate) windows_sandbox_level: WindowsSandboxLevel,
    pub(crate) shell_environment_policy: ShellEnvironmentPolicy,
    pub(crate) tools_config: ToolsConfig,
    pub(crate) ghost_snapshot: GhostSnapshotConfig,
@@ -495,6 +512,7 @@ pub(crate) struct SessionConfiguration {
    approval_policy: Constrained<AskForApproval>,
    /// How to sandbox commands executed in the system
    sandbox_policy: Constrained<SandboxPolicy>,
+    windows_sandbox_level: WindowsSandboxLevel,

    /// Working directory that should be treated as the *root* of the
    /// session. All relative paths supplied by the model as well as the
@@ -543,6 +561,9 @@ impl SessionConfiguration {
        if let Some(sandbox_policy) = updates.sandbox_policy.clone() {
            next_configuration.sandbox_policy.set(sandbox_policy)?;
        }
+        if let Some(windows_sandbox_level) = updates.windows_sandbox_level {
+            next_configuration.windows_sandbox_level = windows_sandbox_level;
+        }
        if let Some(cwd) = updates.cwd.clone() {
            next_configuration.cwd = cwd;
        }
@@ -555,6 +576,7 @@ pub(crate) struct SessionSettingsUpdate {
    pub(crate) cwd: Option<PathBuf>,
    pub(crate) approval_policy: Option<AskForApproval>,
    pub(crate) sandbox_policy: Option<SandboxPolicy>,
+    pub(crate) windows_sandbox_level: Option<WindowsSandboxLevel>,
    pub(crate) collaboration_mode: Option<CollaborationMode>,
    pub(crate) reasoning_summary: Option<ReasoningSummaryConfig>,
    pub(crate) final_output_json_schema: Option<Option<Value>>,
@@ -571,6 +593,10 @@ impl Session {
            session_configuration.collaboration_mode.reasoning_effort();
        per_turn_config.model_reasoning_summary = session_configuration.model_reasoning_summary;
        per_turn_config.model_personality = session_configuration.personality;
+        per_turn_config.web_search_mode = Some(resolve_web_search_mode_for_turn(
+            per_turn_config.web_search_mode,
+            session_configuration.sandbox_policy.get(),
+        ));
        per_turn_config.features = config.features.clone();
        per_turn_config
    }
@@ -619,6 +645,7 @@ impl Session {
            personality: session_configuration.personality,
            approval_policy: session_configuration.approval_policy.value(),
            sandbox_policy: session_configuration.sandbox_policy.get().clone(),
+            windows_sandbox_level: session_configuration.windows_sandbox_level,
            shell_environment_policy: per_turn_config.shell_environment_policy.clone(),
            tools_config,
            ghost_snapshot: per_turn_config.ghost_snapshot.clone(),
@@ -678,6 +705,13 @@ impl Session {
                RolloutRecorderParams::resume(resumed_history.rollout_path.clone()),
            ),
        };
+        let state_builder = match &initial_history {
+            InitialHistory::Resumed(resumed) => metadata::builder_from_items(
+                resumed.history.as_slice(),
+                resumed.rollout_path.as_path(),
+            ),
+            InitialHistory::New | InitialHistory::Forked(_) => None,
+        };

        // Kick off independent async setup tasks in parallel to reduce startup latency.
        //
@@ -686,11 +720,17 @@ impl Session {
        // - load history metadata
        let rollout_fut = async {
            if config.ephemeral {
-                Ok(None)
+                Ok::<_, anyhow::Error>((None, None))
            } else {
-                RolloutRecorder::new(&config, rollout_params)
-                    .await
-                    .map(Some)
+                let state_db_ctx = state_db::init_if_enabled(&config, None).await;
+                let rollout_recorder = RolloutRecorder::new(
+                    &config,
+                    rollout_params,
+                    state_db_ctx.clone(),
+                    state_builder.clone(),
+                )
+                .await?;
+                Ok((Some(rollout_recorder), state_db_ctx))
            }
        };

@@ -710,14 +750,14 @@ impl Session {

        // Join all independent futures.
        let (
-            rollout_recorder,
+            rollout_recorder_and_state_db,
            (history_log_id, history_entry_count),
            (auth, mcp_servers, auth_statuses),
        ) = tokio::join!(rollout_fut, history_meta_fut, auth_and_mcp_fut);

-        let rollout_recorder = rollout_recorder.map_err(|e| {
+        let (rollout_recorder, state_db_ctx) = rollout_recorder_and_state_db.map_err(|e| {
            error!("failed to initialize rollout recorder: {e:#}");
-            anyhow::Error::from(e)
+            e
        })?;
        let rollout_path = rollout_recorder
            .as_ref()
@@ -725,19 +765,13 @@ impl Session {

        let mut post_session_configured_events = Vec::<Event>::new();

-        for (alias, feature) in config.features.legacy_feature_usages() {
-            let canonical = feature.key();
-            let summary = format!("`{alias}` is deprecated. Use `[features].{canonical}` instead.");
-            let details = if alias == canonical {
-                None
-            } else {
-                Some(format!(
-                    "Enable it with `--enable {canonical}` or `[features].{canonical}` in config.toml. See https://developers.openai.com/codex/config-advanced/ for details."
-                ))
-            };
+        for usage in config.features.legacy_feature_usages() {
            post_session_configured_events.push(Event {
                id: INITIAL_SUBMIT_ID.to_owned(),
-                msg: EventMsg::DeprecationNotice(DeprecationNoticeEvent { summary, details }),
+                msg: EventMsg::DeprecationNotice(DeprecationNoticeEvent {
+                    summary: usage.summary.clone(),
+                    details: usage.details.clone(),
+                }),
            });
        }
        if crate::config::uses_deprecated_instructions_file(&config.config_layer_stack) {
@@ -754,6 +788,7 @@ impl Session {
            });
        }
        maybe_push_chat_wire_api_deprecation(&config, &mut post_session_configured_events);
+        maybe_push_unstable_features_warning(&config, &mut post_session_configured_events);

        let auth = auth.as_ref();
        let otel_manager = OtelManager::new(
@@ -820,6 +855,7 @@ impl Session {
            tool_approvals: Mutex::new(ApprovalStore::default()),
            skills_manager,
            agent_control,
+            state_db: state_db_ctx.clone(),
        };

        let sess = Arc::new(Session {
@@ -892,6 +928,10 @@ impl Session {
        self.tx_event.clone()
    }

+    pub(crate) fn state_db(&self) -> Option<state_db::StateDbHandle> {
+        self.services.state_db.clone()
+    }
+
    /// Ensure all rollout writes are durably flushed.
    pub(crate) async fn flush_rollout(&self) {
        let recorder = {
@@ -931,23 +971,28 @@ impl Session {
                // Build and record initial items (user instructions + environment context)
                let items = self.build_initial_context(&turn_context).await;
                self.record_conversation_items(&turn_context, &items).await;
+                {
+                    let mut state = self.state.lock().await;
+                    state.initial_context_seeded = true;
+                }
                // Ensure initial items are visible to immediate readers (e.g., tests, forks).
                self.flush_rollout().await;
            }
-            InitialHistory::Resumed(_) | InitialHistory::Forked(_) => {
-                let rollout_items = conversation_history.get_rollout_items();
-                let persist = matches!(conversation_history, InitialHistory::Forked(_));
+            InitialHistory::Resumed(resumed_history) => {
+                let rollout_items = resumed_history.history;
+                {
+                    let mut state = self.state.lock().await;
+                    state.initial_context_seeded = false;
+                }

                // If resuming, warn when the last recorded model differs from the current one.
-                if let InitialHistory::Resumed(_) = conversation_history
-                    && let Some(prev) = rollout_items.iter().rev().find_map(|it| {
-                        if let RolloutItem::TurnContext(ctx) = it {
-                            Some(ctx.model.as_str())
-                        } else {
-                            None
-                        }
-                    })
-                {
+                if let Some(prev) = rollout_items.iter().rev().find_map(|it| {
+                    if let RolloutItem::TurnContext(ctx) = it {
+                        Some(ctx.model.as_str())
+                    } else {
+                        None
+                    }
+                }) {
                    let curr = turn_context.client.get_model();
                    if prev != curr {
                        warn!(
@@ -982,8 +1027,29 @@ impl Session {
                    state.set_token_info(Some(info));
                }

+                // Defer seeding the session's initial context until the first turn starts so
+                // turn/start overrides can be merged before we write to the rollout.
+                self.flush_rollout().await;
+            }
+            InitialHistory::Forked(rollout_items) => {
+                // Always add response items to conversation history
+                let reconstructed_history = self
+                    .reconstruct_history_from_rollout(&turn_context, &rollout_items)
+                    .await;
+                if !reconstructed_history.is_empty() {
+                    self.record_into_history(&reconstructed_history, &turn_context)
+                        .await;
+                }
+
+                // Seed usage info from the recorded rollout so UIs can show token counts
+                // immediately on resume/fork.
+                if let Some(info) = Self::last_token_info_from_rollout(&rollout_items) {
+                    let mut state = self.state.lock().await;
+                    state.set_token_info(Some(info));
+                }
+
                // If persisting, persist all rollout items as-is (recorder filters)
-                if persist && !rollout_items.is_empty() {
+                if !rollout_items.is_empty() {
                    self.persist_rollout_items(&rollout_items).await;
                }

@@ -991,6 +1057,10 @@ impl Session {
                let initial_context = self.build_initial_context(&turn_context).await;
                self.record_conversation_items(&turn_context, &initial_context)
                    .await;
+                {
+                    let mut state = self.state.lock().await;
+                    state.initial_context_seeded = true;
+                }
                // Flush after seeding history and any persisted rollout copy.
                self.flush_rollout().await;
            }
@@ -1175,6 +1245,8 @@ impl Session {
            DeveloperInstructions::from_policy(
                &next.sandbox_policy,
                next.approval_policy,
+                self.services.exec_policy.current().as_ref(),
+                self.features.enabled(Feature::RequestRule),
                &next.cwd,
            )
            .into(),
@@ -1365,6 +1437,44 @@ impl Session {
        Ok(())
    }

+    async fn turn_context_for_sub_id(&self, sub_id: &str) -> Option<Arc<TurnContext>> {
+        let active = self.active_turn.lock().await;
+        active
+            .as_ref()
+            .and_then(|turn| turn.tasks.get(sub_id))
+            .map(|task| Arc::clone(&task.turn_context))
+    }
+
+    pub(crate) async fn record_execpolicy_amendment_message(
+        &self,
+        sub_id: &str,
+        amendment: &ExecPolicyAmendment,
+    ) {
+        let Some(prefixes) = render_command_prefix_list([amendment.command.as_slice()]) else {
+            warn!("execpolicy amendment for {sub_id} had no command prefix");
+            return;
+        };
+        let text = format!("Approved command prefix saved:\n{prefixes}");
+        let message: ResponseItem = DeveloperInstructions::new(text.clone()).into();
+
+        if let Some(turn_context) = self.turn_context_for_sub_id(sub_id).await {
+            self.record_conversation_items(&turn_context, std::slice::from_ref(&message))
+                .await;
+            return;
+        }
+
+        if self
+            .inject_response_items(vec![ResponseInputItem::Message {
+                role: "developer".to_string(),
+                content: vec![ContentItem::InputText { text }],
+            }])
+            .await
+            .is_err()
+        {
+            warn!("no active turn found to record execpolicy amendment message for {sub_id}");
+        }
+    }
+
    /// Emit an exec approval request event and await the user's decision.
    ///
    /// The request is keyed by `sub_id`/`call_id` so matching responses are delivered
@@ -1641,6 +1751,21 @@ impl Session {
        state.replace_history(items);
    }

+    pub(crate) async fn seed_initial_context_if_needed(&self, turn_context: &TurnContext) {
+        {
+            let mut state = self.state.lock().await;
+            if state.initial_context_seeded {
+                return;
+            }
+            state.initial_context_seeded = true;
+        }
+
+        let initial_context = self.build_initial_context(turn_context).await;
+        self.record_conversation_items(turn_context, &initial_context)
+            .await;
+        self.flush_rollout().await;
+    }
+
    async fn persist_rollout_response_items(&self, items: &[ResponseItem]) {
        let rollout_items: Vec<RolloutItem> = items
            .iter()
@@ -1683,6 +1808,8 @@ impl Session {
            DeveloperInstructions::from_policy(
                &turn_context.sandbox_policy,
                turn_context.approval_policy,
+                self.services.exec_policy.current().as_ref(),
+                self.features.enabled(Feature::RequestRule),
                &turn_context.cwd,
            )
            .into(),
@@ -1795,6 +1922,19 @@ impl Session {
        self.send_token_count_event(turn_context).await;
    }

+    pub(crate) async fn mcp_dependency_prompted(&self) -> HashSet<String> {
+        let state = self.state.lock().await;
+        state.mcp_dependency_prompted()
+    }
+
+    pub(crate) async fn record_mcp_dependency_prompted<I>(&self, names: I)
+    where
+        I: IntoIterator<Item = String>,
+    {
+        let mut state = self.state.lock().await;
+        state.record_mcp_dependency_prompted(names);
+    }
+
    pub(crate) async fn set_server_reasoning_included(&self, included: bool) {
        let mut state = self.state.lock().await;
        state.set_server_reasoning_included(included);
@@ -2039,35 +2179,12 @@ impl Session {
        Arc::clone(&self.services.user_shell)
    }

-    async fn refresh_mcp_servers_if_requested(&self, turn_context: &TurnContext) {
-        let refresh_config = { self.pending_mcp_server_refresh_config.lock().await.take() };
-        let Some(refresh_config) = refresh_config else {
-            return;
-        };
-
-        let McpServerRefreshConfig {
-            mcp_servers,
-            mcp_oauth_credentials_store_mode,
-        } = refresh_config;
-
-        let mcp_servers =
-            match serde_json::from_value::<HashMap<String, McpServerConfig>>(mcp_servers) {
-                Ok(servers) => servers,
-                Err(err) => {
-                    warn!("failed to parse MCP server refresh config: {err}");
-                    return;
-                }
-            };
-        let store_mode = match serde_json::from_value::<OAuthCredentialsStoreMode>(
-            mcp_oauth_credentials_store_mode,
-        ) {
-            Ok(mode) => mode,
-            Err(err) => {
-                warn!("failed to parse MCP OAuth refresh config: {err}");
-                return;
-            }
-        };
-
+    async fn refresh_mcp_servers_inner(
+        &self,
+        turn_context: &TurnContext,
+        mcp_servers: HashMap<String, McpServerConfig>,
+        store_mode: OAuthCredentialsStoreMode,
+    ) {
        let auth = self.services.auth_manager.auth().await;
        let config = self.get_config().await;
        let mcp_servers = with_codex_apps_mcp(
@@ -2100,6 +2217,49 @@ impl Session {
        *manager = refreshed_manager;
    }

+    async fn refresh_mcp_servers_if_requested(&self, turn_context: &TurnContext) {
+        let refresh_config = { self.pending_mcp_server_refresh_config.lock().await.take() };
+        let Some(refresh_config) = refresh_config else {
+            return;
+        };
+
+        let McpServerRefreshConfig {
+            mcp_servers,
+            mcp_oauth_credentials_store_mode,
+        } = refresh_config;
+
+        let mcp_servers =
+            match serde_json::from_value::<HashMap<String, McpServerConfig>>(mcp_servers) {
+                Ok(servers) => servers,
+                Err(err) => {
+                    warn!("failed to parse MCP server refresh config: {err}");
+                    return;
+                }
+            };
+        let store_mode = match serde_json::from_value::<OAuthCredentialsStoreMode>(
+            mcp_oauth_credentials_store_mode,
+        ) {
+            Ok(mode) => mode,
+            Err(err) => {
+                warn!("failed to parse MCP OAuth refresh config: {err}");
+                return;
+            }
+        };
+
+        self.refresh_mcp_servers_inner(turn_context, mcp_servers, store_mode)
+            .await;
+    }
+
+    pub(crate) async fn refresh_mcp_servers_now(
+        &self,
+        turn_context: &TurnContext,
+        mcp_servers: HashMap<String, McpServerConfig>,
+        store_mode: OAuthCredentialsStoreMode,
+    ) {
+        self.refresh_mcp_servers_inner(turn_context, mcp_servers, store_mode)
+            .await;
+    }
+
    async fn mcp_startup_cancellation_token(&self) -> CancellationToken {
        self.services
            .mcp_startup_cancellation_token
@@ -2144,6 +2304,7 @@ async fn submission_loop(sess: Arc<Session>, config: Arc<Config>, rx_sub: Receiv
                cwd,
                approval_policy,
                sandbox_policy,
+                windows_sandbox_level,
                model,
                effort,
                summary,
@@ -2167,6 +2328,7 @@ async fn submission_loop(sess: Arc<Session>, config: Arc<Config>, rx_sub: Receiv
                        cwd,
                        approval_policy,
                        sandbox_policy,
+                        windows_sandbox_level,
                        collaboration_mode: Some(collaboration_mode),
                        reasoning_summary: summary,
                        personality,
@@ -2330,6 +2492,11 @@ mod handlers {
            return;
        }

+        let initial_context_seeded = sess.state.lock().await.initial_context_seeded;
+        if !initial_context_seeded {
+            return;
+        }
+
        let current_context = sess.new_default_turn_with_sub_id(sub_id).await;
        let update_items = sess.build_settings_update_items(
            Some(&previous_context),
@@ -2378,6 +2545,7 @@ mod handlers {
                        cwd: Some(cwd),
                        approval_policy: Some(approval_policy),
                        sandbox_policy: Some(sandbox_policy),
+                        windows_sandbox_level: None,
                        collaboration_mode,
                        reasoning_summary: Some(summary),
                        final_output_json_schema: Some(final_output_json_schema),
@@ -2417,6 +2585,7 @@ mod handlers {

        // Attempt to inject input into current task
        if let Err(items) = sess.inject_input(items).await {
+            sess.seed_initial_context_if_needed(&current_context).await;
            let update_items = sess.build_settings_update_items(
                previous_context.as_ref(),
                &current_context,
@@ -2487,18 +2656,26 @@ mod handlers {
        if let ReviewDecision::ApprovedExecpolicyAmendment {
            proposed_execpolicy_amendment,
        } = &decision
-            && let Err(err) = sess
+        {
+            match sess
                .persist_execpolicy_amendment(proposed_execpolicy_amendment)
                .await
-        {
-            let message = format!("Failed to apply execpolicy amendment: {err}");
-            tracing::warn!("{message}");
-            let warning = EventMsg::Warning(WarningEvent { message });
-            sess.send_event_raw(Event {
-                id: id.clone(),
-                msg: warning,
-            })
-            .await;
+            {
+                Ok(()) => {
+                    sess.record_execpolicy_amendment_message(&id, proposed_execpolicy_amendment)
+                        .await;
+                }
+                Err(err) => {
+                    let message = format!("Failed to apply execpolicy amendment: {err}");
+                    tracing::warn!("{message}");
+                    let warning = EventMsg::Warning(WarningEvent { message });
+                    sess.send_event_raw(Event {
+                        id: id.clone(),
+                        msg: warning,
+                    })
+                    .await;
+                }
+            }
        }
        match decision {
            ReviewDecision::Abort => {
@@ -2865,6 +3042,7 @@ async fn spawn_review_thread(
        personality: parent_turn_context.personality,
        approval_policy: parent_turn_context.approval_policy,
        sandbox_policy: parent_turn_context.sandbox_policy.clone(),
+        windows_sandbox_level: parent_turn_context.windows_sandbox_level,
        shell_environment_policy: parent_turn_context.shell_environment_policy.clone(),
        cwd: parent_turn_context.cwd.clone(),
        final_output_json_schema: None,
@@ -2913,6 +3091,22 @@ fn skills_to_info(
                    brand_color: interface.brand_color,
                    default_prompt: interface.default_prompt,
                }),
+            dependencies: skill.dependencies.clone().map(|dependencies| {
+                ProtocolSkillDependencies {
+                    tools: dependencies
+                        .tools
+                        .into_iter()
+                        .map(|tool| ProtocolSkillToolDependency {
+                            r#type: tool.r#type,
+                            value: tool.value,
+                            description: tool.description,
+                            transport: tool.transport,
+                            command: tool.command,
+                            url: tool.url,
+                        })
+                        .collect(),
+                }
+            }),
            path: skill.path.clone(),
            scope: skill.scope,
            enabled: !disabled_paths.contains(&skill.path),
@@ -2972,11 +3166,23 @@ pub(crate) async fn run_turn(
            .await,
    );

+    let mentioned_skills = skills_outcome.as_ref().map_or_else(Vec::new, |outcome| {
+        collect_explicit_skill_mentions(&input, &outcome.skills, &outcome.disabled_paths)
+    });
+
+    maybe_prompt_and_install_mcp_dependencies(
+        sess.as_ref(),
+        turn_context.as_ref(),
+        &cancellation_token,
+        &mentioned_skills,
+    )
+    .await;
+
    let otel_manager = turn_context.client.get_otel_manager();
    let SkillInjections {
        items: skill_items,
        warnings: skill_warnings,
-    } = build_skill_injections(&input, skills_outcome.as_ref(), Some(&otel_manager)).await;
+    } = build_skill_injections(&mentioned_skills, Some(&otel_manager)).await;

    for message in skill_warnings {
        sess.send_event(&turn_context, EventMsg::Warning(WarningEvent { message }))
@@ -3437,10 +3643,8 @@ async fn try_run_sampling_request(
            }
            ResponseEvent::OutputItemAdded(item) => {
                if let Some(turn_item) = handle_non_tool_response_item(&item).await {
-                    let tracked_item = turn_item.clone();
                    sess.emit_turn_item_started(&turn_context, &turn_item).await;
-
-                    active_item = Some(tracked_item);
+                    active_item = Some(turn_item);
                }
            }
            ResponseEvent::ServerReasoningIncluded(included) => {
@@ -3719,6 +3923,23 @@ mod tests {

    #[tokio::test]
    async fn record_initial_history_reconstructs_resumed_transcript() {
+        let (session, turn_context) = make_session_and_context().await;
+        let (rollout_items, expected) = sample_rollout(&session, &turn_context).await;
+
+        session
+            .record_initial_history(InitialHistory::Resumed(ResumedHistory {
+                conversation_id: ThreadId::default(),
+                history: rollout_items,
+                rollout_path: PathBuf::from("/tmp/resume.jsonl"),
+            }))
+            .await;
+
+        let history = session.state.lock().await.clone_history();
+        assert_eq!(expected, history.raw_items());
+    }
+
+    #[tokio::test]
+    async fn resumed_history_seeds_initial_context_on_first_turn_only() {
        let (session, turn_context) = make_session_and_context().await;
        let (rollout_items, mut expected) = sample_rollout(&session, &turn_context).await;

@@ -3730,9 +3951,17 @@ mod tests {
            }))
            .await;

+        let history_before_seed = session.state.lock().await.clone_history();
+        assert_eq!(expected, history_before_seed.raw_items());
+
+        session.seed_initial_context_if_needed(&turn_context).await;
        expected.extend(session.build_initial_context(&turn_context).await);
-        let history = session.state.lock().await.clone_history();
-        assert_eq!(expected, history.raw_items());
+        let history_after_seed = session.clone_history().await;
+        assert_eq!(expected, history_after_seed.raw_items());
+
+        session.seed_initial_context_if_needed(&turn_context).await;
+        let history_after_second_seed = session.clone_history().await;
+        assert_eq!(expected, history_after_second_seed.raw_items());
    }

    #[tokio::test]
@@ -3986,6 +4215,7 @@ mod tests {
            compact_prompt: config.compact_prompt.clone(),
            approval_policy: config.approval_policy.clone(),
            sandbox_policy: config.sandbox_policy.clone(),
+            windows_sandbox_level: WindowsSandboxLevel::from_config(&config),
            cwd: config.cwd.clone(),
            original_config_do_not_use: Arc::clone(&config),
            session_source: SessionSource::Exec,
@@ -4066,6 +4296,7 @@ mod tests {
            compact_prompt: config.compact_prompt.clone(),
            approval_policy: config.approval_policy.clone(),
            sandbox_policy: config.sandbox_policy.clone(),
+            windows_sandbox_level: WindowsSandboxLevel::from_config(&config),
            cwd: config.cwd.clone(),
            original_config_do_not_use: Arc::clone(&config),
            session_source: SessionSource::Exec,
@@ -4330,6 +4561,7 @@ mod tests {
            compact_prompt: config.compact_prompt.clone(),
            approval_policy: config.approval_policy.clone(),
            sandbox_policy: config.sandbox_policy.clone(),
+            windows_sandbox_level: WindowsSandboxLevel::from_config(&config),
            cwd: config.cwd.clone(),
            original_config_do_not_use: Arc::clone(&config),
            session_source: SessionSource::Exec,
@@ -4347,7 +4579,8 @@ mod tests {
            session_configuration.session_source.clone(),
        );

-        let state = SessionState::new(session_configuration.clone());
+        let mut state = SessionState::new(session_configuration.clone());
+        mark_state_initial_context_seeded(&mut state);
        let skills_manager = Arc::new(SkillsManager::new(config.codex_home.clone()));

        let services = SessionServices {
@@ -4365,6 +4598,7 @@ mod tests {
            tool_approvals: Mutex::new(ApprovalStore::default()),
            skills_manager,
            agent_control,
+            state_db: None,
        };

        let turn_context = Session::make_turn_context(
@@ -4439,6 +4673,7 @@ mod tests {
            compact_prompt: config.compact_prompt.clone(),
            approval_policy: config.approval_policy.clone(),
            sandbox_policy: config.sandbox_policy.clone(),
+            windows_sandbox_level: WindowsSandboxLevel::from_config(&config),
            cwd: config.cwd.clone(),
            original_config_do_not_use: Arc::clone(&config),
            session_source: SessionSource::Exec,
@@ -4456,7 +4691,8 @@ mod tests {
            session_configuration.session_source.clone(),
        );

-        let state = SessionState::new(session_configuration.clone());
+        let mut state = SessionState::new(session_configuration.clone());
+        mark_state_initial_context_seeded(&mut state);
        let skills_manager = Arc::new(SkillsManager::new(config.codex_home.clone()));

        let services = SessionServices {
@@ -4474,6 +4710,7 @@ mod tests {
            tool_approvals: Mutex::new(ApprovalStore::default()),
            skills_manager,
            agent_control,
+            state_db: None,
        };

        let turn_context = Arc::new(Session::make_turn_context(
@@ -4502,6 +4739,10 @@ mod tests {
        (session, turn_context, rx_event)
    }

+    fn mark_state_initial_context_seeded(state: &mut SessionState) {
+        state.initial_context_seeded = true;
+    }
+
    #[tokio::test]
    async fn refresh_mcp_servers_is_deferred_until_next_turn() {
        let (session, turn_context) = make_session_and_context().await;
@@ -4941,6 +5182,7 @@ mod tests {
            expiration: timeout_ms.into(),
            env: HashMap::new(),
            sandbox_permissions,
+            windows_sandbox_level: turn_context.windows_sandbox_level,
            justification: Some("test".to_string()),
            arg0: None,
        };
@@ -4951,6 +5193,7 @@ mod tests {
            cwd: params.cwd.clone(),
            expiration: timeout_ms.into(),
            env: HashMap::new(),
+            windows_sandbox_level: turn_context.windows_sandbox_level,
            justification: params.justification.clone(),
            arg0: None,
        };
--- a/codex-rs/core/src/codex_thread.rs
+++ b/codex-rs/core/src/codex_thread.rs
@@ -12,6 +12,8 @@ use codex_protocol::protocol::SessionSource;
 use std::path::PathBuf;
 use tokio::sync::watch;

+use crate::state_db::StateDbHandle;
+
 #[derive(Clone, Debug)]
 pub struct ThreadConfigSnapshot {
    pub model: String,
@@ -64,6 +66,10 @@ impl CodexThread {
        self.rollout_path.clone()
    }

+    pub fn state_db(&self) -> Option<StateDbHandle> {
+        self.codex.state_db()
+    }
+
    pub async fn config_snapshot(&self) -> ThreadConfigSnapshot {
        self.codex.thread_config_snapshot().await
    }
--- a/codex-rs/core/src/compact.rs
+++ b/codex-rs/core/src/compact.rs
@@ -10,7 +10,6 @@ use crate::error::CodexErr;
 use crate::error::Result as CodexResult;
 use crate::features::Feature;
 use crate::protocol::CompactedItem;
-use crate::protocol::ContextCompactedEvent;
 use crate::protocol::EventMsg;
 use crate::protocol::TurnContextItem;
 use crate::protocol::TurnStartedEvent;
@@ -20,6 +19,7 @@ use crate::truncate::TruncationPolicy;
 use crate::truncate::approx_token_count;
 use crate::truncate::truncate_text;
 use crate::util::backoff;
+use codex_protocol::items::ContextCompactionItem;
 use codex_protocol::items::TurnItem;
 use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseInputItem;
@@ -71,6 +71,9 @@ async fn run_compact_task_inner(
    turn_context: Arc<TurnContext>,
    input: Vec<UserInput>,
 ) {
+    let compaction_item = TurnItem::ContextCompaction(ContextCompactionItem::new());
+    sess.emit_turn_item_started(&turn_context, &compaction_item)
+        .await;
    let initial_input_for_turn: ResponseInputItem = ResponseInputItem::from(input);

    let mut history = sess.clone_history().await;
@@ -193,9 +196,8 @@ async fn run_compact_task_inner(
    });
    sess.persist_rollout_items(&[rollout_item]).await;

-    let event = EventMsg::ContextCompacted(ContextCompactedEvent {});
-    sess.send_event(&turn_context, event).await;
-
+    sess.emit_turn_item_completed(&turn_context, compaction_item)
+        .await;
    let warning = EventMsg::Warning(WarningEvent {
        message: "Heads up: Long threads and multiple compactions can cause the model to be less accurate. Start a new thread when possible to keep threads small and targeted.".to_string(),
    });
--- a/codex-rs/core/src/compact_remote.rs
+++ b/codex-rs/core/src/compact_remote.rs
@@ -5,10 +5,11 @@ use crate::codex::Session;
 use crate::codex::TurnContext;
 use crate::error::Result as CodexResult;
 use crate::protocol::CompactedItem;
-use crate::protocol::ContextCompactedEvent;
 use crate::protocol::EventMsg;
 use crate::protocol::RolloutItem;
 use crate::protocol::TurnStartedEvent;
+use codex_protocol::items::ContextCompactionItem;
+use codex_protocol::items::TurnItem;
 use codex_protocol::models::ResponseItem;

 pub(crate) async fn run_inline_remote_auto_compact_task(
@@ -40,6 +41,9 @@ async fn run_remote_compact_task_inner_impl(
    sess: &Arc<Session>,
    turn_context: &Arc<TurnContext>,
 ) -> CodexResult<()> {
+    let compaction_item = TurnItem::ContextCompaction(ContextCompactionItem::new());
+    sess.emit_turn_item_started(turn_context, &compaction_item)
+        .await;
    let history = sess.clone_history().await;

    // Required to keep `/undo` available after compaction
@@ -77,8 +81,7 @@ async fn run_remote_compact_task_inner_impl(
    sess.persist_rollout_items(&[RolloutItem::Compacted(compacted_item)])
        .await;

-    let event = EventMsg::ContextCompacted(ContextCompactedEvent {});
-    sess.send_event(turn_context, event).await;
-
+    sess.emit_turn_item_completed(turn_context, compaction_item)
+        .await;
    Ok(())
 }
--- a/codex-rs/core/src/config/mod.rs
+++ b/codex-rs/core/src/config/mod.rs
@@ -7,6 +7,7 @@ use crate::config::types::McpServerConfig;
 use crate::config::types::McpServerDisabledReason;
 use crate::config::types::McpServerTransportConfig;
 use crate::config::types::Notice;
+use crate::config::types::NotificationMethod;
 use crate::config::types::Notifications;
 use crate::config::types::OtelConfig;
 use crate::config::types::OtelConfigToml;
@@ -38,6 +39,7 @@ use crate::project_doc::DEFAULT_PROJECT_DOC_FILENAME;
 use crate::project_doc::LOCAL_PROJECT_DOC_FILENAME;
 use crate::protocol::AskForApproval;
 use crate::protocol::SandboxPolicy;
+use crate::windows_sandbox::WindowsSandboxLevelExt;
 use codex_app_server_protocol::Tools;
 use codex_app_server_protocol::UserSavedConfig;
 use codex_protocol::config_types::AltScreenMode;
@@ -49,6 +51,7 @@ use codex_protocol::config_types::SandboxMode;
 use codex_protocol::config_types::TrustLevel;
 use codex_protocol::config_types::Verbosity;
 use codex_protocol::config_types::WebSearchMode;
+use codex_protocol::config_types::WindowsSandboxLevel;
 use codex_protocol::openai_models::ReasoningEffort;
 use codex_rmcp_client::OAuthCredentialsStoreMode;
 use codex_utils_absolute_path::AbsolutePathBuf;
@@ -190,10 +193,13 @@ pub struct Config {
    /// If unset the feature is disabled.
    pub notify: Option<Vec<String>>,

-    /// TUI notifications preference. When set, the TUI will send OSC 9 notifications on approvals
-    /// and turn completions when not focused.
+    /// TUI notifications preference. When set, the TUI will send terminal notifications on
+    /// approvals and turn completions when not focused.
    pub tui_notifications: Notifications,

+    /// Notification method for terminal notifications (osc9 or bel).
+    pub tui_notification_method: NotificationMethod,
+
    /// Enable ASCII animations and shimmer effects in the TUI.
    pub animations: bool,

@@ -316,6 +322,9 @@ pub struct Config {
    /// Centralized feature flags; source of truth for feature gating.
    pub features: Features,

+    /// When `true`, suppress warnings about unstable (under development) features.
+    pub suppress_unstable_features_warning: bool,
+
    /// The active profile name used to derive this `Config` (if any).
    pub active_profile: Option<String>,

@@ -906,6 +915,9 @@ pub struct ConfigToml {
    #[schemars(schema_with = "crate::config::schema::features_schema")]
    pub features: Option<FeaturesToml>,

+    /// Suppress warnings about unstable (under development) features.
+    pub suppress_unstable_features_warning: Option<bool>,
+
    /// Settings for ghost snapshots (used for undo).
    #[serde(default)]
    pub ghost_snapshot: Option<GhostSnapshotToml>,
@@ -1050,6 +1062,7 @@ impl ConfigToml {
        &self,
        sandbox_mode_override: Option<SandboxMode>,
        profile_sandbox_mode: Option<SandboxMode>,
+        windows_sandbox_level: WindowsSandboxLevel,
        resolved_cwd: &Path,
    ) -> SandboxPolicyResolution {
        let resolved_sandbox_mode = sandbox_mode_override
@@ -1088,7 +1101,7 @@ impl ConfigToml {
        if cfg!(target_os = "windows")
            && matches!(resolved_sandbox_mode, SandboxMode::WorkspaceWrite)
            // If the experimental Windows sandbox is enabled, do not force a downgrade.
-            && crate::safety::get_platform_sandbox().is_none()
+            && windows_sandbox_level == codex_protocol::config_types::WindowsSandboxLevel::Disabled
        {
            sandbox_policy = SandboxPolicy::new_read_only_policy();
            forced_auto_mode_downgraded_on_windows = true;
@@ -1212,6 +1225,20 @@ fn resolve_web_search_mode(
    None
 }

+pub(crate) fn resolve_web_search_mode_for_turn(
+    explicit_mode: Option<WebSearchMode>,
+    sandbox_policy: &SandboxPolicy,
+) -> WebSearchMode {
+    if let Some(mode) = explicit_mode {
+        return mode;
+    }
+    if matches!(sandbox_policy, SandboxPolicy::DangerFullAccess) {
+        WebSearchMode::Live
+    } else {
+        WebSearchMode::Cached
+    }
+}
+
 impl Config {
    #[cfg(test)]
    fn load_from_base_config_with_overrides(
@@ -1278,17 +1305,6 @@ impl Config {
        };

        let features = Features::from_config(&cfg, &config_profile, feature_overrides);
-        let web_search_mode = resolve_web_search_mode(&cfg, &config_profile, &features);
-        #[cfg(target_os = "windows")]
-        {
-            // Base flag controls sandbox on/off; elevated only applies when base is enabled.
-            let sandbox_enabled = features.enabled(Feature::WindowsSandbox);
-            crate::safety::set_windows_sandbox_enabled(sandbox_enabled);
-            let elevated_enabled =
-                sandbox_enabled && features.enabled(Feature::WindowsSandboxElevated);
-            crate::safety::set_windows_elevated_sandbox_enabled(elevated_enabled);
-        }
-
        let resolved_cwd = {
            use std::env;

@@ -1315,10 +1331,16 @@ impl Config {
            .get_active_project(&resolved_cwd)
            .unwrap_or(ProjectConfig { trust_level: None });

+        let windows_sandbox_level = WindowsSandboxLevel::from_features(&features);
        let SandboxPolicyResolution {
            policy: mut sandbox_policy,
            forced_auto_mode_downgraded_on_windows,
-        } = cfg.derive_sandbox_policy(sandbox_mode, config_profile.sandbox_mode, &resolved_cwd);
+        } = cfg.derive_sandbox_policy(
+            sandbox_mode,
+            config_profile.sandbox_mode,
+            windows_sandbox_level,
+            &resolved_cwd,
+        );
        if let SandboxPolicy::WorkspaceWrite { writable_roots, .. } = &mut sandbox_policy {
            for path in additional_writable_roots {
                if !writable_roots.iter().any(|existing| existing == &path) {
@@ -1338,6 +1360,7 @@ impl Config {
                    AskForApproval::default()
                }
            });
+        let web_search_mode = resolve_web_search_mode(&cfg, &config_profile, &features);
        // TODO(dylan): We should be able to leverage ConfigLayerStack so that
        // we can reliably check this at every config level.
        let did_user_set_custom_approval_policy_or_sandbox_mode = approval_policy_override
@@ -1564,6 +1587,9 @@ impl Config {
            use_experimental_unified_exec_tool,
            ghost_snapshot,
            features,
+            suppress_unstable_features_warning: cfg
+                .suppress_unstable_features_warning
+                .unwrap_or(false),
            active_profile: active_profile_name,
            active_project,
            windows_wsl_setup_acknowledged: cfg.windows_wsl_setup_acknowledged.unwrap_or(false),
@@ -1585,6 +1611,11 @@ impl Config {
                .as_ref()
                .map(|t| t.notifications.clone())
                .unwrap_or_default(),
+            tui_notification_method: cfg
+                .tui
+                .as_ref()
+                .map(|t| t.notification_method)
+                .unwrap_or_default(),
            animations: cfg.tui.as_ref().map(|t| t.animations).unwrap_or(true),
            show_tooltips: cfg.tui.as_ref().map(|t| t.show_tooltips).unwrap_or(true),
            experimental_mode: cfg.tui.as_ref().and_then(|t| t.experimental_mode),
@@ -1657,20 +1688,19 @@ impl Config {
        }
    }

-    pub fn set_windows_sandbox_globally(&mut self, value: bool) {
-        crate::safety::set_windows_sandbox_enabled(value);
+    pub fn set_windows_sandbox_enabled(&mut self, value: bool) {
        if value {
            self.features.enable(Feature::WindowsSandbox);
+            self.forced_auto_mode_downgraded_on_windows = false;
        } else {
            self.features.disable(Feature::WindowsSandbox);
        }
-        self.forced_auto_mode_downgraded_on_windows = !value;
    }

-    pub fn set_windows_elevated_sandbox_globally(&mut self, value: bool) {
-        crate::safety::set_windows_elevated_sandbox_enabled(value);
+    pub fn set_windows_elevated_sandbox_enabled(&mut self, value: bool) {
        if value {
            self.features.enable(Feature::WindowsSandboxElevated);
+            self.forced_auto_mode_downgraded_on_windows = false;
        } else {
            self.features.disable(Feature::WindowsSandboxElevated);
        }
@@ -1744,6 +1774,7 @@ mod tests {
    use crate::config::types::FeedbackConfigToml;
    use crate::config::types::HistoryPersistence;
    use crate::config::types::McpServerTransportConfig;
+    use crate::config::types::NotificationMethod;
    use crate::config::types::Notifications;
    use crate::config_loader::RequirementSource;
    use crate::features::Feature;
@@ -1840,6 +1871,7 @@ persistence = "none"
            tui,
            Tui {
                notifications: Notifications::Enabled(true),
+                notification_method: NotificationMethod::Auto,
                animations: true,
                show_tooltips: true,
                experimental_mode: None,
@@ -1862,6 +1894,7 @@ network_access = false  # This should be ignored.
        let resolution = sandbox_full_access_cfg.derive_sandbox_policy(
            sandbox_mode_override,
            None,
+            WindowsSandboxLevel::Disabled,
            &PathBuf::from("/tmp/test"),
        );
        assert_eq!(
@@ -1885,6 +1918,7 @@ network_access = true  # This should be ignored.
        let resolution = sandbox_read_only_cfg.derive_sandbox_policy(
            sandbox_mode_override,
            None,
+            WindowsSandboxLevel::Disabled,
            &PathBuf::from("/tmp/test"),
        );
        assert_eq!(
@@ -1916,6 +1950,7 @@ exclude_slash_tmp = true
        let resolution = sandbox_workspace_write_cfg.derive_sandbox_policy(
            sandbox_mode_override,
            None,
+            WindowsSandboxLevel::Disabled,
            &PathBuf::from("/tmp/test"),
        );
        if cfg!(target_os = "windows") {
@@ -1964,6 +1999,7 @@ trust_level = "trusted"
        let resolution = sandbox_workspace_write_cfg.derive_sandbox_policy(
            sandbox_mode_override,
            None,
+            WindowsSandboxLevel::Disabled,
            &PathBuf::from("/tmp/test"),
        );
        if cfg!(target_os = "windows") {
@@ -2255,7 +2291,7 @@ trust_level = "trusted"
    }

    #[test]
-    fn web_search_mode_uses_none_if_unset() {
+    fn web_search_mode_defaults_to_none_if_unset() {
        let cfg = ConfigToml::default();
        let profile = ConfigProfile::default();
        let features = Features::with_defaults();
@@ -2295,6 +2331,30 @@ trust_level = "trusted"
        );
    }

+    #[test]
+    fn web_search_mode_for_turn_defaults_to_cached_when_unset() {
+        let mode = resolve_web_search_mode_for_turn(None, &SandboxPolicy::ReadOnly);
+
+        assert_eq!(mode, WebSearchMode::Cached);
+    }
+
+    #[test]
+    fn web_search_mode_for_turn_defaults_to_live_for_danger_full_access() {
+        let mode = resolve_web_search_mode_for_turn(None, &SandboxPolicy::DangerFullAccess);
+
+        assert_eq!(mode, WebSearchMode::Live);
+    }
+
+    #[test]
+    fn web_search_mode_for_turn_prefers_explicit_value() {
+        let mode = resolve_web_search_mode_for_turn(
+            Some(WebSearchMode::Cached),
+            &SandboxPolicy::DangerFullAccess,
+        );
+
+        assert_eq!(mode, WebSearchMode::Cached);
+    }
+
    #[test]
    fn profile_legacy_toggles_override_base() -> std::io::Result<()> {
        let codex_home = TempDir::new()?;
@@ -3732,6 +3792,7 @@ model_verbosity = "high"
                use_experimental_unified_exec_tool: false,
                ghost_snapshot: GhostSnapshotConfig::default(),
                features: Features::with_defaults(),
+                suppress_unstable_features_warning: false,
                active_profile: Some("o3".to_string()),
                active_project: ProjectConfig { trust_level: None },
                windows_wsl_setup_acknowledged: false,
@@ -3739,6 +3800,7 @@ model_verbosity = "high"
                check_for_update_on_startup: true,
                disable_paste_burst: false,
                tui_notifications: Default::default(),
+                tui_notification_method: Default::default(),
                animations: true,
                show_tooltips: true,
                experimental_mode: None,
@@ -3814,6 +3876,7 @@ model_verbosity = "high"
            use_experimental_unified_exec_tool: false,
            ghost_snapshot: GhostSnapshotConfig::default(),
            features: Features::with_defaults(),
+            suppress_unstable_features_warning: false,
            active_profile: Some("gpt3".to_string()),
            active_project: ProjectConfig { trust_level: None },
            windows_wsl_setup_acknowledged: false,
@@ -3821,6 +3884,7 @@ model_verbosity = "high"
            check_for_update_on_startup: true,
            disable_paste_burst: false,
            tui_notifications: Default::default(),
+            tui_notification_method: Default::default(),
            animations: true,
            show_tooltips: true,
            experimental_mode: None,
@@ -3911,6 +3975,7 @@ model_verbosity = "high"
            use_experimental_unified_exec_tool: false,
            ghost_snapshot: GhostSnapshotConfig::default(),
            features: Features::with_defaults(),
+            suppress_unstable_features_warning: false,
            active_profile: Some("zdr".to_string()),
            active_project: ProjectConfig { trust_level: None },
            windows_wsl_setup_acknowledged: false,
@@ -3918,6 +3983,7 @@ model_verbosity = "high"
            check_for_update_on_startup: true,
            disable_paste_burst: false,
            tui_notifications: Default::default(),
+            tui_notification_method: Default::default(),
            animations: true,
            show_tooltips: true,
            experimental_mode: None,
@@ -3994,6 +4060,7 @@ model_verbosity = "high"
            use_experimental_unified_exec_tool: false,
            ghost_snapshot: GhostSnapshotConfig::default(),
            features: Features::with_defaults(),
+            suppress_unstable_features_warning: false,
            active_profile: Some("gpt5".to_string()),
            active_project: ProjectConfig { trust_level: None },
            windows_wsl_setup_acknowledged: false,
@@ -4001,6 +4068,7 @@ model_verbosity = "high"
            check_for_update_on_startup: true,
            disable_paste_burst: false,
            tui_notifications: Default::default(),
+            tui_notification_method: Default::default(),
            animations: true,
            show_tooltips: true,
            experimental_mode: None,
@@ -4174,7 +4242,12 @@ trust_level = "untrusted"
        let cfg = toml::from_str::<ConfigToml>(config_with_untrusted)
            .expect("TOML deserialization should succeed");

-        let resolution = cfg.derive_sandbox_policy(None, None, &PathBuf::from("/tmp/test"));
+        let resolution = cfg.derive_sandbox_policy(
+            None,
+            None,
+            WindowsSandboxLevel::Disabled,
+            &PathBuf::from("/tmp/test"),
+        );

        // Verify that untrusted projects get WorkspaceWrite (or ReadOnly on Windows due to downgrade)
        if cfg!(target_os = "windows") {
@@ -4353,13 +4426,17 @@ mcp_oauth_callback_port = 5678

 #[cfg(test)]
 mod notifications_tests {
+    use crate::config::types::NotificationMethod;
    use crate::config::types::Notifications;
    use assert_matches::assert_matches;
    use serde::Deserialize;

    #[derive(Deserialize, Debug, PartialEq)]
    struct TuiTomlTest {
+        #[serde(default)]
        notifications: Notifications,
+        #[serde(default)]
+        notification_method: NotificationMethod,
    }

    #[derive(Deserialize, Debug, PartialEq)]
@@ -4390,4 +4467,15 @@ mod notifications_tests {
            Notifications::Custom(ref v) if v == &vec!["foo".to_string()]
        );
    }
+
+    #[test]
+    fn test_tui_notification_method() {
+        let toml = r#"
+            [tui]
+            notification_method = "bel"
+        "#;
+        let parsed: RootTomlTest =
+            toml::from_str(toml).expect("deserialize notification_method=\"bel\"");
+        assert_eq!(parsed.tui.notification_method, NotificationMethod::Bel);
+    }
 }
--- a/codex-rs/core/src/config/types.rs
+++ b/codex-rs/core/src/config/types.rs
@@ -428,6 +428,25 @@ impl Default for Notifications {
    }
 }

+#[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, JsonSchema, Default)]
+#[serde(rename_all = "lowercase")]
+pub enum NotificationMethod {
+    #[default]
+    Auto,
+    Osc9,
+    Bel,
+}
+
+impl fmt::Display for NotificationMethod {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            NotificationMethod::Auto => write!(f, "auto"),
+            NotificationMethod::Osc9 => write!(f, "osc9"),
+            NotificationMethod::Bel => write!(f, "bel"),
+        }
+    }
+}
+
 /// Collection of settings that are specific to the TUI.
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema)]
 #[schemars(deny_unknown_fields)]
@@ -437,6 +456,11 @@ pub struct Tui {
    #[serde(default)]
    pub notifications: Notifications,

+    /// Notification method to use for unfocused terminal notifications.
+    /// Defaults to `auto`.
+    #[serde(default)]
+    pub notification_method: NotificationMethod,
+
    /// Enable animations (welcome screen, shimmer effects, spinners).
    /// Defaults to `true`.
    #[serde(default = "default_true")]
@@ -472,7 +496,6 @@ const fn default_true() -> bool {
 /// (primarily the Codex IDE extension). NOTE: these are different from
 /// notifications - notices are warnings, NUX screens, acknowledgements, etc.
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema)]
-#[schemars(deny_unknown_fields)]
 pub struct Notice {
    /// Tracks whether the user has acknowledged the full access warning prompt.
    pub hide_full_access_warning: Option<bool>,
--- a/codex-rs/core/src/config_loader/mod.rs
+++ b/codex-rs/core/src/config_loader/mod.rs
@@ -6,6 +6,8 @@ mod layer_io;
 mod macos;
 mod merge;
 mod overrides;
+#[cfg(test)]
+mod requirements_exec_policy;
 mod state;

 #[cfg(test)]
--- a/codex-rs/core/src/config_loader/requirements_exec_policy.rs
+++ b/codex-rs/core/src/config_loader/requirements_exec_policy.rs
@@ -0,0 +1,188 @@
+use codex_execpolicy::Decision;
+use codex_execpolicy::Policy;
+use codex_execpolicy::rule::PatternToken;
+use codex_execpolicy::rule::PrefixPattern;
+use codex_execpolicy::rule::PrefixRule;
+use codex_execpolicy::rule::RuleRef;
+use multimap::MultiMap;
+use serde::Deserialize;
+use std::sync::Arc;
+use thiserror::Error;
+
+/// TOML types for expressing exec policy requirements.
+///
+/// These types are kept separate from `ConfigRequirementsToml` and are
+/// converted into `codex-execpolicy` rules.
+#[derive(Debug, Clone, PartialEq, Eq, Deserialize)]
+pub struct RequirementsExecPolicyTomlRoot {
+    pub exec_policy: RequirementsExecPolicyToml,
+}
+
+/// TOML representation of `[exec_policy]` within `requirements.toml`.
+#[derive(Debug, Clone, PartialEq, Eq, Deserialize)]
+pub struct RequirementsExecPolicyToml {
+    pub prefix_rules: Vec<RequirementsExecPolicyPrefixRuleToml>,
+}
+
+/// A TOML representation of the `prefix_rule(...)` Starlark builtin.
+///
+/// This mirrors the builtin defined in `execpolicy/src/parser.rs`.
+#[derive(Debug, Clone, PartialEq, Eq, Deserialize)]
+pub struct RequirementsExecPolicyPrefixRuleToml {
+    pub pattern: Vec<RequirementsExecPolicyPatternTokenToml>,
+    pub decision: Option<RequirementsExecPolicyDecisionToml>,
+    pub justification: Option<String>,
+}
+
+/// TOML-friendly representation of a pattern token.
+///
+/// Starlark supports either a string token or a list of alternative tokens at
+/// each position, but TOML arrays cannot mix strings and arrays. Using an
+/// array of tables sidesteps that restriction.
+#[derive(Debug, Clone, PartialEq, Eq, Deserialize)]
+pub struct RequirementsExecPolicyPatternTokenToml {
+    pub token: Option<String>,
+    pub any_of: Option<Vec<String>>,
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Deserialize)]
+#[serde(rename_all = "kebab-case")]
+pub enum RequirementsExecPolicyDecisionToml {
+    Allow,
+    Prompt,
+    Forbidden,
+}
+
+impl RequirementsExecPolicyDecisionToml {
+    fn as_decision(self) -> Decision {
+        match self {
+            Self::Allow => Decision::Allow,
+            Self::Prompt => Decision::Prompt,
+            Self::Forbidden => Decision::Forbidden,
+        }
+    }
+}
+
+#[derive(Debug, Error)]
+pub enum RequirementsExecPolicyParseError {
+    #[error("exec policy prefix_rules cannot be empty")]
+    EmptyPrefixRules,
+
+    #[error("exec policy prefix_rule at index {rule_index} has an empty pattern")]
+    EmptyPattern { rule_index: usize },
+
+    #[error(
+        "exec policy prefix_rule at index {rule_index} has an invalid pattern token at index {token_index}: {reason}"
+    )]
+    InvalidPatternToken {
+        rule_index: usize,
+        token_index: usize,
+        reason: String,
+    },
+
+    #[error("exec policy prefix_rule at index {rule_index} has an empty justification")]
+    EmptyJustification { rule_index: usize },
+}
+
+impl RequirementsExecPolicyToml {
+    /// Convert requirements TOML exec policy rules into the internal `.rules`
+    /// representation used by `codex-execpolicy`.
+    pub fn to_policy(&self) -> Result<Policy, RequirementsExecPolicyParseError> {
+        if self.prefix_rules.is_empty() {
+            return Err(RequirementsExecPolicyParseError::EmptyPrefixRules);
+        }
+
+        let mut rules_by_program: MultiMap<String, RuleRef> = MultiMap::new();
+
+        for (rule_index, rule) in self.prefix_rules.iter().enumerate() {
+            if let Some(justification) = &rule.justification
+                && justification.trim().is_empty()
+            {
+                return Err(RequirementsExecPolicyParseError::EmptyJustification { rule_index });
+            }
+
+            if rule.pattern.is_empty() {
+                return Err(RequirementsExecPolicyParseError::EmptyPattern { rule_index });
+            }
+
+            let pattern_tokens = rule
+                .pattern
+                .iter()
+                .enumerate()
+                .map(|(token_index, token)| parse_pattern_token(token, rule_index, token_index))
+                .collect::<Result<Vec<_>, _>>()?;
+
+            let decision = rule
+                .decision
+                .map(RequirementsExecPolicyDecisionToml::as_decision)
+                .unwrap_or(Decision::Allow);
+            let justification = rule.justification.clone();
+
+            let (first_token, remaining_tokens) = pattern_tokens
+                .split_first()
+                .ok_or(RequirementsExecPolicyParseError::EmptyPattern { rule_index })?;
+
+            let rest: Arc<[PatternToken]> = remaining_tokens.to_vec().into();
+
+            for head in first_token.alternatives() {
+                let rule: RuleRef = Arc::new(PrefixRule {
+                    pattern: PrefixPattern {
+                        first: Arc::from(head.as_str()),
+                        rest: rest.clone(),
+                    },
+                    decision,
+                    justification: justification.clone(),
+                });
+                rules_by_program.insert(head.clone(), rule);
+            }
+        }
+
+        Ok(Policy::new(rules_by_program))
+    }
+}
+
+fn parse_pattern_token(
+    token: &RequirementsExecPolicyPatternTokenToml,
+    rule_index: usize,
+    token_index: usize,
+) -> Result<PatternToken, RequirementsExecPolicyParseError> {
+    match (&token.token, &token.any_of) {
+        (Some(single), None) => {
+            if single.trim().is_empty() {
+                return Err(RequirementsExecPolicyParseError::InvalidPatternToken {
+                    rule_index,
+                    token_index,
+                    reason: "token cannot be empty".to_string(),
+                });
+            }
+            Ok(PatternToken::Single(single.clone()))
+        }
+        (None, Some(alternatives)) => {
+            if alternatives.is_empty() {
+                return Err(RequirementsExecPolicyParseError::InvalidPatternToken {
+                    rule_index,
+                    token_index,
+                    reason: "any_of cannot be empty".to_string(),
+                });
+            }
+            if alternatives.iter().any(|alt| alt.trim().is_empty()) {
+                return Err(RequirementsExecPolicyParseError::InvalidPatternToken {
+                    rule_index,
+                    token_index,
+                    reason: "any_of cannot include empty tokens".to_string(),
+                });
+            }
+            Ok(PatternToken::Alts(alternatives.clone()))
+        }
+        (Some(_), Some(_)) => Err(RequirementsExecPolicyParseError::InvalidPatternToken {
+            rule_index,
+            token_index,
+            reason: "set either token or any_of, not both".to_string(),
+        }),
+        (None, None) => Err(RequirementsExecPolicyParseError::InvalidPatternToken {
+            rule_index,
+            token_index,
+            reason: "set either token or any_of".to_string(),
+        }),
+    }
+}
--- a/codex-rs/core/src/config_loader/tests.rs
+++ b/codex-rs/core/src/config_loader/tests.rs
@@ -911,3 +911,165 @@ async fn project_root_markers_supports_alternate_markers() -> std::io::Result<()

    Ok(())
 }
+
+mod requirements_exec_policy_tests {
+    use super::super::requirements_exec_policy::RequirementsExecPolicyDecisionToml;
+    use super::super::requirements_exec_policy::RequirementsExecPolicyPatternTokenToml;
+    use super::super::requirements_exec_policy::RequirementsExecPolicyPrefixRuleToml;
+    use super::super::requirements_exec_policy::RequirementsExecPolicyToml;
+    use super::super::requirements_exec_policy::RequirementsExecPolicyTomlRoot;
+    use codex_execpolicy::Decision;
+    use codex_execpolicy::Evaluation;
+    use codex_execpolicy::RuleMatch;
+    use pretty_assertions::assert_eq;
+    use toml::from_str;
+
+    fn tokens(cmd: &[&str]) -> Vec<String> {
+        cmd.iter().map(std::string::ToString::to_string).collect()
+    }
+
+    fn allow_all(_: &[String]) -> Decision {
+        Decision::Allow
+    }
+
+    #[test]
+    fn parses_single_prefix_rule_from_raw_toml() -> anyhow::Result<()> {
+        let toml_str = r#"
+[exec_policy]
+prefix_rules = [
+    { pattern = [{ token = "rm" }], decision = "forbidden" },
+]
+"#;
+
+        let parsed: RequirementsExecPolicyTomlRoot = from_str(toml_str)?;
+
+        assert_eq!(
+            parsed,
+            RequirementsExecPolicyTomlRoot {
+                exec_policy: RequirementsExecPolicyToml {
+                    prefix_rules: vec![RequirementsExecPolicyPrefixRuleToml {
+                        pattern: vec![RequirementsExecPolicyPatternTokenToml {
+                            token: Some("rm".to_string()),
+                            any_of: None,
+                        }],
+                        decision: Some(RequirementsExecPolicyDecisionToml::Forbidden),
+                        justification: None,
+                    }],
+                },
+            }
+        );
+
+        Ok(())
+    }
+
+    #[test]
+    fn parses_multiple_prefix_rules_from_raw_toml() -> anyhow::Result<()> {
+        let toml_str = r#"
+[exec_policy]
+prefix_rules = [
+    { pattern = [{ token = "rm" }], decision = "forbidden" },
+    { pattern = [{ token = "git" }, { any_of = ["push", "commit"] }], decision = "prompt", justification = "review changes before push or commit" },
+]
+"#;
+
+        let parsed: RequirementsExecPolicyTomlRoot = from_str(toml_str)?;
+
+        assert_eq!(
+            parsed,
+            RequirementsExecPolicyTomlRoot {
+                exec_policy: RequirementsExecPolicyToml {
+                    prefix_rules: vec![
+                        RequirementsExecPolicyPrefixRuleToml {
+                            pattern: vec![RequirementsExecPolicyPatternTokenToml {
+                                token: Some("rm".to_string()),
+                                any_of: None,
+                            }],
+                            decision: Some(RequirementsExecPolicyDecisionToml::Forbidden),
+                            justification: None,
+                        },
+                        RequirementsExecPolicyPrefixRuleToml {
+                            pattern: vec![
+                                RequirementsExecPolicyPatternTokenToml {
+                                    token: Some("git".to_string()),
+                                    any_of: None,
+                                },
+                                RequirementsExecPolicyPatternTokenToml {
+                                    token: None,
+                                    any_of: Some(vec!["push".to_string(), "commit".to_string()]),
+                                },
+                            ],
+                            decision: Some(RequirementsExecPolicyDecisionToml::Prompt),
+                            justification: Some("review changes before push or commit".to_string()),
+                        },
+                    ],
+                },
+            }
+        );
+
+        Ok(())
+    }
+
+    #[test]
+    fn converts_rules_toml_into_internal_policy_representation() -> anyhow::Result<()> {
+        let toml_str = r#"
+[exec_policy]
+prefix_rules = [
+    { pattern = [{ token = "rm" }], decision = "forbidden" },
+]
+"#;
+
+        let parsed: RequirementsExecPolicyTomlRoot = from_str(toml_str)?;
+        let policy = parsed.exec_policy.to_policy()?;
+
+        assert_eq!(
+            policy.check(&tokens(&["rm", "-rf", "/tmp"]), &allow_all),
+            Evaluation {
+                decision: Decision::Forbidden,
+                matched_rules: vec![RuleMatch::PrefixRuleMatch {
+                    matched_prefix: tokens(&["rm"]),
+                    decision: Decision::Forbidden,
+                    justification: None,
+                }],
+            }
+        );
+
+        Ok(())
+    }
+
+    #[test]
+    fn head_any_of_expands_into_multiple_program_rules() -> anyhow::Result<()> {
+        let toml_str = r#"
+[exec_policy]
+prefix_rules = [
+    { pattern = [{ any_of = ["git", "hg"] }, { token = "status" }], decision = "prompt" },
+]
+"#;
+        let parsed: RequirementsExecPolicyTomlRoot = from_str(toml_str)?;
+        let policy = parsed.exec_policy.to_policy()?;
+
+        assert_eq!(
+            policy.check(&tokens(&["git", "status"]), &allow_all),
+            Evaluation {
+                decision: Decision::Prompt,
+                matched_rules: vec![RuleMatch::PrefixRuleMatch {
+                    matched_prefix: tokens(&["git", "status"]),
+                    decision: Decision::Prompt,
+                    justification: None,
+                }],
+            }
+        );
+        assert_eq!(
+            policy.check(&tokens(&["hg", "status"]), &allow_all),
+            Evaluation {
+                decision: Decision::Prompt,
+                matched_rules: vec![RuleMatch::PrefixRuleMatch {
+                    matched_prefix: tokens(&["hg", "status"]),
+                    decision: Decision::Prompt,
+                    justification: None,
+                }],
+            }
+        );
+
+        Ok(())
+    }
+}
--- a/codex-rs/core/src/default_client.rs
+++ b/codex-rs/core/src/default_client.rs
@@ -95,6 +95,12 @@ pub fn originator() -> Originator {
    get_originator_value(None)
 }

+pub fn is_first_party_originator(originator_value: &str) -> bool {
+    originator_value == DEFAULT_ORIGINATOR
+        || originator_value == "codex_vscode"
+        || originator_value.starts_with("Codex ")
+}
+
 pub fn get_codex_user_agent() -> String {
    let build_version = env!("CARGO_PKG_VERSION");
    let os_info = os_info::get();
@@ -185,6 +191,7 @@ fn is_sandboxed() -> bool {
 mod tests {
    use super::*;
    use core_test_support::skip_if_no_network;
+    use pretty_assertions::assert_eq;

    #[test]
    fn test_get_codex_user_agent() {
@@ -194,6 +201,15 @@ mod tests {
        assert!(user_agent.starts_with(&prefix));
    }

+    #[test]
+    fn is_first_party_originator_matches_known_values() {
+        assert_eq!(is_first_party_originator(DEFAULT_ORIGINATOR), true);
+        assert_eq!(is_first_party_originator("codex_vscode"), true);
+        assert_eq!(is_first_party_originator("Codex Something Else"), true);
+        assert_eq!(is_first_party_originator("codex_cli"), false);
+        assert_eq!(is_first_party_originator("Other"), false);
+    }
+
    #[tokio::test]
    async fn test_create_client_sets_default_headers() {
        skip_if_no_network!();
--- a/codex-rs/core/src/event_mapping.rs
+++ b/codex-rs/core/src/event_mapping.rs
@@ -21,6 +21,7 @@ use crate::instructions::SkillInstructions;
 use crate::instructions::UserInstructions;
 use crate::session_prefix::is_session_prefix;
 use crate::user_shell_command::is_user_shell_command_text;
+use crate::web_search::web_search_action_detail;

 fn parse_user_message(message: &[ContentItem]) -> Option<UserMessageItem> {
    if UserInstructions::is_user_instructions(message)
@@ -127,14 +128,17 @@ pub fn parse_turn_item(item: &ResponseItem) -> Option<TurnItem> {
                raw_content,
            }))
        }
-        ResponseItem::WebSearchCall {
-            id,
-            action: WebSearchAction::Search { query },
-            ..
-        } => Some(TurnItem::WebSearch(WebSearchItem {
-            id: id.clone().unwrap_or_default(),
-            query: query.clone().unwrap_or_default(),
-        })),
+        ResponseItem::WebSearchCall { id, action, .. } => {
+            let (action, query) = match action {
+                Some(action) => (action.clone(), web_search_action_detail(action)),
+                None => (WebSearchAction::Other, String::new()),
+            };
+            Some(TurnItem::WebSearch(WebSearchItem {
+                id: id.clone().unwrap_or_default(),
+                query,
+                action,
+            }))
+        }
        _ => None,
    }
 }
@@ -144,6 +148,7 @@ mod tests {
    use super::parse_turn_item;
    use codex_protocol::items::AgentMessageContent;
    use codex_protocol::items::TurnItem;
+    use codex_protocol::items::WebSearchItem;
    use codex_protocol::models::ContentItem;
    use codex_protocol::models::ReasoningItemContent;
    use codex_protocol::models::ReasoningItemReasoningSummary;
@@ -419,18 +424,102 @@ mod tests {
        let item = ResponseItem::WebSearchCall {
            id: Some("ws_1".to_string()),
            status: Some("completed".to_string()),
-            action: WebSearchAction::Search {
+            action: Some(WebSearchAction::Search {
                query: Some("weather".to_string()),
-            },
+            }),
        };

        let turn_item = parse_turn_item(&item).expect("expected web search turn item");

        match turn_item {
-            TurnItem::WebSearch(search) => {
-                assert_eq!(search.id, "ws_1");
-                assert_eq!(search.query, "weather");
-            }
+            TurnItem::WebSearch(search) => assert_eq!(
+                search,
+                WebSearchItem {
+                    id: "ws_1".to_string(),
+                    query: "weather".to_string(),
+                    action: WebSearchAction::Search {
+                        query: Some("weather".to_string()),
+                    },
+                }
+            ),
+            other => panic!("expected TurnItem::WebSearch, got {other:?}"),
+        }
+    }
+
+    #[test]
+    fn parses_web_search_open_page_call() {
+        let item = ResponseItem::WebSearchCall {
+            id: Some("ws_open".to_string()),
+            status: Some("completed".to_string()),
+            action: Some(WebSearchAction::OpenPage {
+                url: Some("https://example.com".to_string()),
+            }),
+        };
+
+        let turn_item = parse_turn_item(&item).expect("expected web search turn item");
+
+        match turn_item {
+            TurnItem::WebSearch(search) => assert_eq!(
+                search,
+                WebSearchItem {
+                    id: "ws_open".to_string(),
+                    query: "https://example.com".to_string(),
+                    action: WebSearchAction::OpenPage {
+                        url: Some("https://example.com".to_string()),
+                    },
+                }
+            ),
+            other => panic!("expected TurnItem::WebSearch, got {other:?}"),
+        }
+    }
+
+    #[test]
+    fn parses_web_search_find_in_page_call() {
+        let item = ResponseItem::WebSearchCall {
+            id: Some("ws_find".to_string()),
+            status: Some("completed".to_string()),
+            action: Some(WebSearchAction::FindInPage {
+                url: Some("https://example.com".to_string()),
+                pattern: Some("needle".to_string()),
+            }),
+        };
+
+        let turn_item = parse_turn_item(&item).expect("expected web search turn item");
+
+        match turn_item {
+            TurnItem::WebSearch(search) => assert_eq!(
+                search,
+                WebSearchItem {
+                    id: "ws_find".to_string(),
+                    query: "'needle' in https://example.com".to_string(),
+                    action: WebSearchAction::FindInPage {
+                        url: Some("https://example.com".to_string()),
+                        pattern: Some("needle".to_string()),
+                    },
+                }
+            ),
+            other => panic!("expected TurnItem::WebSearch, got {other:?}"),
+        }
+    }
+
+    #[test]
+    fn parses_partial_web_search_call_without_action_as_other() {
+        let item = ResponseItem::WebSearchCall {
+            id: Some("ws_partial".to_string()),
+            status: Some("in_progress".to_string()),
+            action: None,
+        };
+
+        let turn_item = parse_turn_item(&item).expect("expected web search turn item");
+        match turn_item {
+            TurnItem::WebSearch(search) => assert_eq!(
+                search,
+                WebSearchItem {
+                    id: "ws_partial".to_string(),
+                    query: String::new(),
+                    action: WebSearchAction::Other,
+                }
+            ),
            other => panic!("expected TurnItem::WebSearch, got {other:?}"),
        }
    }
--- a/codex-rs/core/src/exec.rs
+++ b/codex-rs/core/src/exec.rs
@@ -64,6 +64,7 @@ pub struct ExecParams {
    pub expiration: ExecExpiration,
    pub env: HashMap<String, String>,
    pub sandbox_permissions: SandboxPermissions,
+    pub windows_sandbox_level: codex_protocol::config_types::WindowsSandboxLevel,
    pub justification: Option<String>,
    pub arg0: Option<String>,
 }
@@ -141,11 +142,15 @@ pub async fn process_exec_tool_call(
    codex_linux_sandbox_exe: &Option<PathBuf>,
    stdout_stream: Option<StdoutStream>,
 ) -> Result<ExecToolCallOutput> {
+    let windows_sandbox_level = params.windows_sandbox_level;
    let sandbox_type = match &sandbox_policy {
        SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. } => {
            SandboxType::None
        }
-        _ => get_platform_sandbox().unwrap_or(SandboxType::None),
+        _ => get_platform_sandbox(
+            windows_sandbox_level != codex_protocol::config_types::WindowsSandboxLevel::Disabled,
+        )
+        .unwrap_or(SandboxType::None),
    };
    tracing::debug!("Sandbox type: {sandbox_type:?}");

@@ -155,6 +160,7 @@ pub async fn process_exec_tool_call(
        expiration,
        env,
        sandbox_permissions,
+        windows_sandbox_level,
        justification,
        arg0: _,
    } = params;
@@ -184,6 +190,7 @@ pub async fn process_exec_tool_call(
            sandbox_type,
            sandbox_cwd,
            codex_linux_sandbox_exe.as_ref(),
+            windows_sandbox_level,
        )
        .map_err(CodexErr::from)?;

@@ -202,6 +209,7 @@ pub(crate) async fn execute_exec_env(
        env,
        expiration,
        sandbox,
+        windows_sandbox_level,
        sandbox_permissions,
        justification,
        arg0,
@@ -213,6 +221,7 @@ pub(crate) async fn execute_exec_env(
        expiration,
        env,
        sandbox_permissions,
+        windows_sandbox_level,
        justification,
        arg0,
    };
@@ -229,7 +238,7 @@ async fn exec_windows_sandbox(
    sandbox_policy: &SandboxPolicy,
 ) -> Result<RawExecToolCallOutput> {
    use crate::config::find_codex_home;
-    use crate::safety::is_windows_elevated_sandbox_enabled;
+    use codex_protocol::config_types::WindowsSandboxLevel;
    use codex_windows_sandbox::run_windows_sandbox_capture;
    use codex_windows_sandbox::run_windows_sandbox_capture_elevated;

@@ -238,6 +247,7 @@ async fn exec_windows_sandbox(
        cwd,
        env,
        expiration,
+        windows_sandbox_level,
        ..
    } = params;
    // TODO(iceweasel-oai): run_windows_sandbox_capture should support all
@@ -255,7 +265,7 @@ async fn exec_windows_sandbox(
            "windows sandbox: failed to resolve codex_home: {err}"
        )))
    })?;
-    let use_elevated = is_windows_elevated_sandbox_enabled();
+    let use_elevated = matches!(windows_sandbox_level, WindowsSandboxLevel::Elevated);
    let spawn_res = tokio::task::spawn_blocking(move || {
        if use_elevated {
            run_windows_sandbox_capture_elevated(
@@ -312,20 +322,7 @@ async fn exec_windows_sandbox(
        text: stderr_text,
        truncated_after_lines: None,
    };
-    // Best-effort aggregate: stdout then stderr (capped).
-    let mut aggregated = Vec::with_capacity(
-        stdout
-            .text
-            .len()
-            .saturating_add(stderr.text.len())
-            .min(EXEC_OUTPUT_MAX_BYTES),
-    );
-    append_capped(&mut aggregated, &stdout.text, EXEC_OUTPUT_MAX_BYTES);
-    append_capped(&mut aggregated, &stderr.text, EXEC_OUTPUT_MAX_BYTES);
-    let aggregated_output = StreamOutput {
-        text: aggregated,
-        truncated_after_lines: None,
-    };
+    let aggregated_output = aggregate_output(&stdout, &stderr);

    Ok(RawExecToolCallOutput {
        exit_status,
@@ -519,6 +516,39 @@ fn append_capped(dst: &mut Vec<u8>, src: &[u8], max_bytes: usize) {
    dst.extend_from_slice(&src[..take]);
 }

+fn aggregate_output(
+    stdout: &StreamOutput<Vec<u8>>,
+    stderr: &StreamOutput<Vec<u8>>,
+) -> StreamOutput<Vec<u8>> {
+    let total_len = stdout.text.len().saturating_add(stderr.text.len());
+    let max_bytes = EXEC_OUTPUT_MAX_BYTES;
+    let mut aggregated = Vec::with_capacity(total_len.min(max_bytes));
+
+    if total_len <= max_bytes {
+        aggregated.extend_from_slice(&stdout.text);
+        aggregated.extend_from_slice(&stderr.text);
+        return StreamOutput {
+            text: aggregated,
+            truncated_after_lines: None,
+        };
+    }
+
+    // Under contention, reserve 1/3 for stdout and 2/3 for stderr; rebalance unused stderr to stdout.
+    let want_stdout = stdout.text.len().min(max_bytes / 3);
+    let want_stderr = stderr.text.len();
+    let stderr_take = want_stderr.min(max_bytes.saturating_sub(want_stdout));
+    let remaining = max_bytes.saturating_sub(want_stdout + stderr_take);
+    let stdout_take = want_stdout + remaining.min(stdout.text.len().saturating_sub(want_stdout));
+
+    aggregated.extend_from_slice(&stdout.text[..stdout_take]);
+    aggregated.extend_from_slice(&stderr.text[..stderr_take]);
+
+    StreamOutput {
+        text: aggregated,
+        truncated_after_lines: None,
+    }
+}
+
 #[derive(Clone, Debug)]
 pub struct ExecToolCallOutput {
    pub exit_code: i32,
@@ -564,6 +594,7 @@ async fn exec(
        env,
        arg0,
        expiration,
+        windows_sandbox_level: _,
        ..
    } = params;

@@ -683,20 +714,7 @@ async fn consume_truncated_output(
        Duration::from_millis(IO_DRAIN_TIMEOUT_MS),
    )
    .await?;
-    // Best-effort aggregate: stdout then stderr (capped).
-    let mut aggregated = Vec::with_capacity(
-        stdout
-            .text
-            .len()
-            .saturating_add(stderr.text.len())
-            .min(EXEC_OUTPUT_MAX_BYTES),
-    );
-    append_capped(&mut aggregated, &stdout.text, EXEC_OUTPUT_MAX_BYTES);
-    append_capped(&mut aggregated, &stderr.text, EXEC_OUTPUT_MAX_BYTES * 2);
-    let aggregated_output = StreamOutput {
-        text: aggregated,
-        truncated_after_lines: None,
-    };
+    let aggregated_output = aggregate_output(&stdout, &stderr);

    Ok(RawExecToolCallOutput {
        exit_status,
@@ -771,6 +789,7 @@ fn synthetic_exit_status(code: i32) -> ExitStatus {
 #[cfg(test)]
 mod tests {
    use super::*;
+    use pretty_assertions::assert_eq;
    use std::time::Duration;
    use tokio::io::AsyncWriteExt;

@@ -846,6 +865,85 @@ mod tests {
        assert_eq!(out.text.len(), EXEC_OUTPUT_MAX_BYTES);
    }

+    #[test]
+    fn aggregate_output_prefers_stderr_on_contention() {
+        let stdout = StreamOutput {
+            text: vec![b'a'; EXEC_OUTPUT_MAX_BYTES],
+            truncated_after_lines: None,
+        };
+        let stderr = StreamOutput {
+            text: vec![b'b'; EXEC_OUTPUT_MAX_BYTES],
+            truncated_after_lines: None,
+        };
+
+        let aggregated = aggregate_output(&stdout, &stderr);
+        let stdout_cap = EXEC_OUTPUT_MAX_BYTES / 3;
+        let stderr_cap = EXEC_OUTPUT_MAX_BYTES.saturating_sub(stdout_cap);
+
+        assert_eq!(aggregated.text.len(), EXEC_OUTPUT_MAX_BYTES);
+        assert_eq!(aggregated.text[..stdout_cap], vec![b'a'; stdout_cap]);
+        assert_eq!(aggregated.text[stdout_cap..], vec![b'b'; stderr_cap]);
+    }
+
+    #[test]
+    fn aggregate_output_fills_remaining_capacity_with_stderr() {
+        let stdout_len = EXEC_OUTPUT_MAX_BYTES / 10;
+        let stdout = StreamOutput {
+            text: vec![b'a'; stdout_len],
+            truncated_after_lines: None,
+        };
+        let stderr = StreamOutput {
+            text: vec![b'b'; EXEC_OUTPUT_MAX_BYTES],
+            truncated_after_lines: None,
+        };
+
+        let aggregated = aggregate_output(&stdout, &stderr);
+        let stderr_cap = EXEC_OUTPUT_MAX_BYTES.saturating_sub(stdout_len);
+
+        assert_eq!(aggregated.text.len(), EXEC_OUTPUT_MAX_BYTES);
+        assert_eq!(aggregated.text[..stdout_len], vec![b'a'; stdout_len]);
+        assert_eq!(aggregated.text[stdout_len..], vec![b'b'; stderr_cap]);
+    }
+
+    #[test]
+    fn aggregate_output_rebalances_when_stderr_is_small() {
+        let stdout = StreamOutput {
+            text: vec![b'a'; EXEC_OUTPUT_MAX_BYTES],
+            truncated_after_lines: None,
+        };
+        let stderr = StreamOutput {
+            text: vec![b'b'; 1],
+            truncated_after_lines: None,
+        };
+
+        let aggregated = aggregate_output(&stdout, &stderr);
+        let stdout_len = EXEC_OUTPUT_MAX_BYTES.saturating_sub(1);
+
+        assert_eq!(aggregated.text.len(), EXEC_OUTPUT_MAX_BYTES);
+        assert_eq!(aggregated.text[..stdout_len], vec![b'a'; stdout_len]);
+        assert_eq!(aggregated.text[stdout_len..], vec![b'b'; 1]);
+    }
+
+    #[test]
+    fn aggregate_output_keeps_stdout_then_stderr_when_under_cap() {
+        let stdout = StreamOutput {
+            text: vec![b'a'; 4],
+            truncated_after_lines: None,
+        };
+        let stderr = StreamOutput {
+            text: vec![b'b'; 3],
+            truncated_after_lines: None,
+        };
+
+        let aggregated = aggregate_output(&stdout, &stderr);
+        let mut expected = Vec::new();
+        expected.extend_from_slice(&stdout.text);
+        expected.extend_from_slice(&stderr.text);
+
+        assert_eq!(aggregated.text, expected);
+        assert_eq!(aggregated.truncated_after_lines, None);
+    }
+
    #[cfg(unix)]
    #[test]
    fn sandbox_detection_flags_sigsys_exit_code() {
@@ -878,6 +976,7 @@ mod tests {
            expiration: 500.into(),
            env,
            sandbox_permissions: SandboxPermissions::UseDefault,
+            windows_sandbox_level: codex_protocol::config_types::WindowsSandboxLevel::Disabled,
            justification: None,
            arg0: None,
        };
@@ -923,6 +1022,7 @@ mod tests {
            expiration: ExecExpiration::Cancellation(cancel_token),
            env,
            sandbox_permissions: SandboxPermissions::UseDefault,
+            windows_sandbox_level: codex_protocol::config_types::WindowsSandboxLevel::Disabled,
            justification: None,
            arg0: None,
        };
--- a/codex-rs/core/src/exec_policy.rs
+++ b/codex-rs/core/src/exec_policy.rs
@@ -87,6 +87,15 @@ pub(crate) struct ExecPolicyManager {
    policy: ArcSwap<Policy>,
 }

+pub(crate) struct ExecApprovalRequest<'a> {
+    pub(crate) features: &'a Features,
+    pub(crate) command: &'a [String],
+    pub(crate) approval_policy: AskForApproval,
+    pub(crate) sandbox_policy: &'a SandboxPolicy,
+    pub(crate) sandbox_permissions: SandboxPermissions,
+    pub(crate) prefix_rule: Option<Vec<String>>,
+}
+
 impl ExecPolicyManager {
    pub(crate) fn new(policy: Arc<Policy>) -> Self {
        Self {
@@ -112,12 +121,16 @@ impl ExecPolicyManager {

    pub(crate) async fn create_exec_approval_requirement_for_command(
        &self,
-        features: &Features,
-        command: &[String],
-        approval_policy: AskForApproval,
-        sandbox_policy: &SandboxPolicy,
-        sandbox_permissions: SandboxPermissions,
+        req: ExecApprovalRequest<'_>,
    ) -> ExecApprovalRequirement {
+        let ExecApprovalRequest {
+            features,
+            command,
+            approval_policy,
+            sandbox_policy,
+            sandbox_permissions,
+            prefix_rule,
+        } = req;
        let exec_policy = self.current();
        let commands =
            parse_shell_lc_plain_commands(command).unwrap_or_else(|| vec![command.to_vec()]);
@@ -131,6 +144,12 @@ impl ExecPolicyManager {
        };
        let evaluation = exec_policy.check_multiple(commands.iter(), &exec_policy_fallback);

+        let requested_amendment = derive_requested_execpolicy_amendment(
+            features,
+            prefix_rule.as_ref(),
+            &evaluation.matched_rules,
+        );
+
        match evaluation.decision {
            Decision::Forbidden => ExecApprovalRequirement::Forbidden {
                reason: derive_forbidden_reason(command, &evaluation),
@@ -144,9 +163,11 @@ impl ExecPolicyManager {
                    ExecApprovalRequirement::NeedsApproval {
                        reason: derive_prompt_reason(command, &evaluation),
                        proposed_execpolicy_amendment: if features.enabled(Feature::ExecPolicy) {
-                            try_derive_execpolicy_amendment_for_prompt_rules(
-                                &evaluation.matched_rules,
-                            )
+                            requested_amendment.or_else(|| {
+                                try_derive_execpolicy_amendment_for_prompt_rules(
+                                    &evaluation.matched_rules,
+                                )
+                            })
                        } else {
                            None
                        },
@@ -382,6 +403,30 @@ fn try_derive_execpolicy_amendment_for_allow_rules(
        })
 }

+fn derive_requested_execpolicy_amendment(
+    features: &Features,
+    prefix_rule: Option<&Vec<String>>,
+    matched_rules: &[RuleMatch],
+) -> Option<ExecPolicyAmendment> {
+    if !features.enabled(Feature::ExecPolicy) {
+        return None;
+    }
+
+    let prefix_rule = prefix_rule?;
+    if prefix_rule.is_empty() {
+        return None;
+    }
+
+    if matched_rules
+        .iter()
+        .any(|rule_match| is_policy_match(rule_match) && rule_match.decision() == Decision::Prompt)
+    {
+        return None;
+    }
+
+    Some(ExecPolicyAmendment::new(prefix_rule.clone()))
+}
+
 /// Only return a reason when a policy rule drove the prompt decision.
 fn derive_prompt_reason(command_args: &[String], evaluation: &Evaluation) -> Option<String> {
    let command = render_shlex_command(command_args);
@@ -756,13 +801,14 @@ prefix_rule(pattern=["rm"], decision="forbidden")

        let manager = ExecPolicyManager::new(policy);
        let requirement = manager
-            .create_exec_approval_requirement_for_command(
-                &Features::with_defaults(),
-                &forbidden_script,
-                AskForApproval::OnRequest,
-                &SandboxPolicy::DangerFullAccess,
-                SandboxPermissions::UseDefault,
-            )
+            .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                features: &Features::with_defaults(),
+                command: &forbidden_script,
+                approval_policy: AskForApproval::OnRequest,
+                sandbox_policy: &SandboxPolicy::DangerFullAccess,
+                sandbox_permissions: SandboxPermissions::UseDefault,
+                prefix_rule: None,
+            })
            .await;

        assert_eq!(
@@ -790,17 +836,18 @@ prefix_rule(

        let manager = ExecPolicyManager::new(policy);
        let requirement = manager
-            .create_exec_approval_requirement_for_command(
-                &Features::with_defaults(),
-                &[
+            .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                features: &Features::with_defaults(),
+                command: &[
                    "rm".to_string(),
                    "-rf".to_string(),
                    "/some/important/folder".to_string(),
                ],
-                AskForApproval::OnRequest,
-                &SandboxPolicy::DangerFullAccess,
-                SandboxPermissions::UseDefault,
-            )
+                approval_policy: AskForApproval::OnRequest,
+                sandbox_policy: &SandboxPolicy::DangerFullAccess,
+                sandbox_permissions: SandboxPermissions::UseDefault,
+                prefix_rule: None,
+            })
            .await;

        assert_eq!(
@@ -823,13 +870,14 @@ prefix_rule(

        let manager = ExecPolicyManager::new(policy);
        let requirement = manager
-            .create_exec_approval_requirement_for_command(
-                &Features::with_defaults(),
-                &command,
-                AskForApproval::OnRequest,
-                &SandboxPolicy::DangerFullAccess,
-                SandboxPermissions::UseDefault,
-            )
+            .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                features: &Features::with_defaults(),
+                command: &command,
+                approval_policy: AskForApproval::OnRequest,
+                sandbox_policy: &SandboxPolicy::DangerFullAccess,
+                sandbox_permissions: SandboxPermissions::UseDefault,
+                prefix_rule: None,
+            })
            .await;

        assert_eq!(
@@ -853,13 +901,14 @@ prefix_rule(

        let manager = ExecPolicyManager::new(policy);
        let requirement = manager
-            .create_exec_approval_requirement_for_command(
-                &Features::with_defaults(),
-                &command,
-                AskForApproval::Never,
-                &SandboxPolicy::DangerFullAccess,
-                SandboxPermissions::UseDefault,
-            )
+            .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                features: &Features::with_defaults(),
+                command: &command,
+                approval_policy: AskForApproval::Never,
+                sandbox_policy: &SandboxPolicy::DangerFullAccess,
+                sandbox_permissions: SandboxPermissions::UseDefault,
+                prefix_rule: None,
+            })
            .await;

        assert_eq!(
@@ -876,13 +925,14 @@ prefix_rule(

        let manager = ExecPolicyManager::default();
        let requirement = manager
-            .create_exec_approval_requirement_for_command(
-                &Features::with_defaults(),
-                &command,
-                AskForApproval::UnlessTrusted,
-                &SandboxPolicy::ReadOnly,
-                SandboxPermissions::UseDefault,
-            )
+            .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                features: &Features::with_defaults(),
+                command: &command,
+                approval_policy: AskForApproval::UnlessTrusted,
+                sandbox_policy: &SandboxPolicy::ReadOnly,
+                sandbox_permissions: SandboxPermissions::UseDefault,
+                prefix_rule: None,
+            })
            .await;

        assert_eq!(
@@ -894,6 +944,40 @@ prefix_rule(
        );
    }

+    #[tokio::test]
+    async fn request_rule_uses_prefix_rule() {
+        let command = vec![
+            "cargo".to_string(),
+            "install".to_string(),
+            "cargo-insta".to_string(),
+        ];
+        let manager = ExecPolicyManager::default();
+        let mut features = Features::with_defaults();
+        features.enable(Feature::RequestRule);
+
+        let requirement = manager
+            .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                features: &features,
+                command: &command,
+                approval_policy: AskForApproval::OnRequest,
+                sandbox_policy: &SandboxPolicy::ReadOnly,
+                sandbox_permissions: SandboxPermissions::RequireEscalated,
+                prefix_rule: Some(vec!["cargo".to_string(), "install".to_string()]),
+            })
+            .await;
+
+        assert_eq!(
+            requirement,
+            ExecApprovalRequirement::NeedsApproval {
+                reason: None,
+                proposed_execpolicy_amendment: Some(ExecPolicyAmendment::new(vec![
+                    "cargo".to_string(),
+                    "install".to_string(),
+                ])),
+            }
+        );
+    }
+
    #[tokio::test]
    async fn heuristics_apply_when_other_commands_match_policy() {
        let policy_src = r#"prefix_rule(pattern=["apple"], decision="allow")"#;
@@ -910,13 +994,14 @@ prefix_rule(

        assert_eq!(
            ExecPolicyManager::new(policy)
-                .create_exec_approval_requirement_for_command(
-                    &Features::with_defaults(),
-                    &command,
-                    AskForApproval::UnlessTrusted,
-                    &SandboxPolicy::DangerFullAccess,
-                    SandboxPermissions::UseDefault,
-                )
+                .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                    features: &Features::with_defaults(),
+                    command: &command,
+                    approval_policy: AskForApproval::UnlessTrusted,
+                    sandbox_policy: &SandboxPolicy::DangerFullAccess,
+                    sandbox_permissions: SandboxPermissions::UseDefault,
+                    prefix_rule: None,
+                })
                .await,
            ExecApprovalRequirement::NeedsApproval {
                reason: None,
@@ -984,13 +1069,14 @@ prefix_rule(

        let manager = ExecPolicyManager::default();
        let requirement = manager
-            .create_exec_approval_requirement_for_command(
-                &Features::with_defaults(),
-                &command,
-                AskForApproval::UnlessTrusted,
-                &SandboxPolicy::ReadOnly,
-                SandboxPermissions::UseDefault,
-            )
+            .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                features: &Features::with_defaults(),
+                command: &command,
+                approval_policy: AskForApproval::UnlessTrusted,
+                sandbox_policy: &SandboxPolicy::ReadOnly,
+                sandbox_permissions: SandboxPermissions::UseDefault,
+                prefix_rule: None,
+            })
            .await;

        assert_eq!(
@@ -1011,13 +1097,14 @@ prefix_rule(

        let manager = ExecPolicyManager::default();
        let requirement = manager
-            .create_exec_approval_requirement_for_command(
-                &features,
-                &command,
-                AskForApproval::UnlessTrusted,
-                &SandboxPolicy::ReadOnly,
-                SandboxPermissions::UseDefault,
-            )
+            .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                features: &features,
+                command: &command,
+                approval_policy: AskForApproval::UnlessTrusted,
+                sandbox_policy: &SandboxPolicy::ReadOnly,
+                sandbox_permissions: SandboxPermissions::UseDefault,
+                prefix_rule: None,
+            })
            .await;

        assert_eq!(
@@ -1041,13 +1128,14 @@ prefix_rule(

        let manager = ExecPolicyManager::new(policy);
        let requirement = manager
-            .create_exec_approval_requirement_for_command(
-                &Features::with_defaults(),
-                &command,
-                AskForApproval::OnRequest,
-                &SandboxPolicy::DangerFullAccess,
-                SandboxPermissions::UseDefault,
-            )
+            .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                features: &Features::with_defaults(),
+                command: &command,
+                approval_policy: AskForApproval::OnRequest,
+                sandbox_policy: &SandboxPolicy::DangerFullAccess,
+                sandbox_permissions: SandboxPermissions::UseDefault,
+                prefix_rule: None,
+            })
            .await;

        assert_eq!(
@@ -1068,13 +1156,14 @@ prefix_rule(
        ];
        let manager = ExecPolicyManager::default();
        let requirement = manager
-            .create_exec_approval_requirement_for_command(
-                &Features::with_defaults(),
-                &command,
-                AskForApproval::UnlessTrusted,
-                &SandboxPolicy::ReadOnly,
-                SandboxPermissions::UseDefault,
-            )
+            .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                features: &Features::with_defaults(),
+                command: &command,
+                approval_policy: AskForApproval::UnlessTrusted,
+                sandbox_policy: &SandboxPolicy::ReadOnly,
+                sandbox_permissions: SandboxPermissions::UseDefault,
+                prefix_rule: None,
+            })
            .await;

        assert_eq!(
@@ -1106,13 +1195,14 @@ prefix_rule(

        assert_eq!(
            ExecPolicyManager::new(policy)
-                .create_exec_approval_requirement_for_command(
-                    &Features::with_defaults(),
-                    &command,
-                    AskForApproval::UnlessTrusted,
-                    &SandboxPolicy::ReadOnly,
-                    SandboxPermissions::UseDefault,
-                )
+                .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                    features: &Features::with_defaults(),
+                    command: &command,
+                    approval_policy: AskForApproval::UnlessTrusted,
+                    sandbox_policy: &SandboxPolicy::ReadOnly,
+                    sandbox_permissions: SandboxPermissions::UseDefault,
+                    prefix_rule: None,
+                })
                .await,
            ExecApprovalRequirement::NeedsApproval {
                reason: None,
@@ -1129,13 +1219,14 @@ prefix_rule(

        let manager = ExecPolicyManager::default();
        let requirement = manager
-            .create_exec_approval_requirement_for_command(
-                &Features::with_defaults(),
-                &command,
-                AskForApproval::OnRequest,
-                &SandboxPolicy::ReadOnly,
-                SandboxPermissions::UseDefault,
-            )
+            .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                features: &Features::with_defaults(),
+                command: &command,
+                approval_policy: AskForApproval::OnRequest,
+                sandbox_policy: &SandboxPolicy::ReadOnly,
+                sandbox_permissions: SandboxPermissions::UseDefault,
+                prefix_rule: None,
+            })
            .await;

        assert_eq!(
@@ -1159,13 +1250,14 @@ prefix_rule(

        let manager = ExecPolicyManager::new(policy);
        let requirement = manager
-            .create_exec_approval_requirement_for_command(
-                &Features::with_defaults(),
-                &command,
-                AskForApproval::OnRequest,
-                &SandboxPolicy::ReadOnly,
-                SandboxPermissions::UseDefault,
-            )
+            .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                features: &Features::with_defaults(),
+                command: &command,
+                approval_policy: AskForApproval::OnRequest,
+                sandbox_policy: &SandboxPolicy::ReadOnly,
+                sandbox_permissions: SandboxPermissions::UseDefault,
+                prefix_rule: None,
+            })
            .await;

        assert_eq!(
@@ -1226,13 +1318,14 @@ prefix_rule(
        assert_eq!(
            expected_req,
            policy
-                .create_exec_approval_requirement_for_command(
-                    &features,
-                    &sneaky_command,
-                    AskForApproval::OnRequest,
-                    &SandboxPolicy::ReadOnly,
-                    permissions,
-                )
+                .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                    features: &features,
+                    command: &sneaky_command,
+                    approval_policy: AskForApproval::OnRequest,
+                    sandbox_policy: &SandboxPolicy::ReadOnly,
+                    sandbox_permissions: permissions,
+                    prefix_rule: None,
+                })
                .await,
            "{pwsh_approval_reason}"
        );
@@ -1249,13 +1342,14 @@ prefix_rule(
                ]))),
            },
            policy
-                .create_exec_approval_requirement_for_command(
-                    &features,
-                    &dangerous_command,
-                    AskForApproval::OnRequest,
-                    &SandboxPolicy::ReadOnly,
-                    permissions,
-                )
+                .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                    features: &features,
+                    command: &dangerous_command,
+                    approval_policy: AskForApproval::OnRequest,
+                    sandbox_policy: &SandboxPolicy::ReadOnly,
+                    sandbox_permissions: permissions,
+                    prefix_rule: None,
+                })
                .await,
            r#"On all platforms, a forbidden command should require approval
            (unless AskForApproval::Never is specified)."#
@@ -1268,13 +1362,14 @@ prefix_rule(
                reason: "`rm -rf /important/data` rejected: blocked by policy".to_string(),
            },
            policy
-                .create_exec_approval_requirement_for_command(
-                    &features,
-                    &dangerous_command,
-                    AskForApproval::Never,
-                    &SandboxPolicy::ReadOnly,
-                    permissions,
-                )
+                .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                    features: &features,
+                    command: &dangerous_command,
+                    approval_policy: AskForApproval::Never,
+                    sandbox_policy: &SandboxPolicy::ReadOnly,
+                    sandbox_permissions: permissions,
+                    prefix_rule: None,
+                })
                .await,
            r#"On all platforms, a forbidden command should require approval
            (unless AskForApproval::Never is specified)."#
--- a/codex-rs/core/src/features.rs
+++ b/codex-rs/core/src/features.rs
@@ -5,14 +5,20 @@
 //! booleans through multiple types, call sites consult a single `Features`
 //! container attached to `Config`.

+use crate::config::CONFIG_TOML_FILE;
+use crate::config::Config;
 use crate::config::ConfigToml;
 use crate::config::profile::ConfigProfile;
+use crate::protocol::Event;
+use crate::protocol::EventMsg;
+use crate::protocol::WarningEvent;
 use codex_otel::OtelManager;
 use schemars::JsonSchema;
 use serde::Deserialize;
 use serde::Serialize;
 use std::collections::BTreeMap;
 use std::collections::BTreeSet;
+use toml::Value as TomlValue;

 mod legacy;
 pub(crate) use legacy::LegacyFeatureToggles;
@@ -83,6 +89,8 @@ pub enum Feature {
    WebSearchCached,
    /// Gate the execpolicy enforcement for shell/unified exec.
    ExecPolicy,
+    /// Allow the model to request approval and propose exec rules.
+    RequestRule,
    /// Enable Windows sandbox (restricted token) on Windows.
    WindowsSandbox,
    /// Use the elevated Windows sandbox pipeline (setup + runner).
@@ -93,6 +101,8 @@ pub enum Feature {
    RemoteModels,
    /// Experimental shell snapshotting.
    ShellSnapshot,
+    /// Persist rollout metadata to a local SQLite database.
+    Sqlite,
    /// Append additional AGENTS.md guidance to user instructions.
    ChildAgentsMd,
    /// Enforce UTF8 output in Powershell.
@@ -103,6 +113,8 @@ pub enum Feature {
    Collab,
    /// Enable connectors (apps).
    Connectors,
+    /// Allow prompting and installing missing MCP dependencies.
+    SkillMcpDependencyInstall,
    /// Steer feature flag - when enabled, Enter submits immediately instead of queuing.
    Steer,
    /// Enable collaboration modes (Plan, Code, Pair Programming, Execute).
@@ -136,6 +148,8 @@ impl Feature {
 pub struct LegacyFeatureUsage {
    pub alias: String,
    pub feature: Feature,
+    pub summary: String,
+    pub details: Option<String>,
 }

 /// Holds the effective set of enabled features.
@@ -192,9 +206,12 @@ impl Features {
    }

    pub fn record_legacy_usage_force(&mut self, alias: &str, feature: Feature) {
+        let (summary, details) = legacy_usage_notice(alias, feature);
        self.legacy_usages.insert(LegacyFeatureUsage {
            alias: alias.to_string(),
            feature,
+            summary,
+            details,
        });
    }

@@ -205,10 +222,8 @@ impl Features {
        self.record_legacy_usage_force(alias, feature);
    }

-    pub fn legacy_feature_usages(&self) -> impl Iterator<Item = (&str, Feature)> + '_ {
-        self.legacy_usages
-            .iter()
-            .map(|usage| (usage.alias.as_str(), usage.feature))
+    pub fn legacy_feature_usages(&self) -> impl Iterator<Item = &LegacyFeatureUsage> + '_ {
+        self.legacy_usages.iter()
    }

    pub fn emit_metrics(&self, otel: &OtelManager) {
@@ -229,6 +244,21 @@ impl Features {
    /// Apply a table of key -> bool toggles (e.g. from TOML).
    pub fn apply_map(&mut self, m: &BTreeMap<String, bool>) {
        for (k, v) in m {
+            match k.as_str() {
+                "web_search_request" => {
+                    self.record_legacy_usage_force(
+                        "features.web_search_request",
+                        Feature::WebSearchRequest,
+                    );
+                }
+                "web_search_cached" => {
+                    self.record_legacy_usage_force(
+                        "features.web_search_cached",
+                        Feature::WebSearchCached,
+                    );
+                }
+                _ => {}
+            }
            match feature_for_key(k) {
                Some(feat) => {
                    if k != feat.key() {
@@ -289,6 +319,42 @@ impl Features {
    }
 }

+fn legacy_usage_notice(alias: &str, feature: Feature) -> (String, Option<String>) {
+    let canonical = feature.key();
+    match feature {
+        Feature::WebSearchRequest | Feature::WebSearchCached => {
+            let label = match alias {
+                "web_search" => "[features].web_search",
+                "tools.web_search" => "[tools].web_search",
+                "features.web_search_request" | "web_search_request" => {
+                    "[features].web_search_request"
+                }
+                "features.web_search_cached" | "web_search_cached" => {
+                    "[features].web_search_cached"
+                }
+                _ => alias,
+            };
+            let summary = format!("`{label}` is deprecated. Use `web_search` instead.");
+            (summary, Some(web_search_details().to_string()))
+        }
+        _ => {
+            let summary = format!("`{alias}` is deprecated. Use `[features].{canonical}` instead.");
+            let details = if alias == canonical {
+                None
+            } else {
+                Some(format!(
+                    "Enable it with `--enable {canonical}` or `[features].{canonical}` in config.toml. See https://github.com/openai/codex/blob/main/docs/config.md#feature-flags for details."
+                ))
+            };
+            (summary, details)
+        }
+    }
+}
+
+fn web_search_details() -> &'static str {
+    "Set `web_search` to `\"live\"`, `\"cached\"`, or `\"disabled\"` in config.toml."
+}
+
 /// Keys accepted in `[features]` tables.
 fn feature_for_key(key: &str) -> Option<Feature> {
    for spec in FEATURES {
@@ -337,13 +403,13 @@ pub const FEATURES: &[FeatureSpec] = &[
    FeatureSpec {
        id: Feature::WebSearchRequest,
        key: "web_search_request",
-        stage: Stage::Stable,
+        stage: Stage::Deprecated,
        default_enabled: false,
    },
    FeatureSpec {
        id: Feature::WebSearchCached,
        key: "web_search_cached",
-        stage: Stage::UnderDevelopment,
+        stage: Stage::Deprecated,
        default_enabled: false,
    },
    // Experimental program. Rendered in the `/experimental` menu for users.
@@ -367,6 +433,12 @@ pub const FEATURES: &[FeatureSpec] = &[
        },
        default_enabled: false,
    },
+    FeatureSpec {
+        id: Feature::Sqlite,
+        key: "sqlite",
+        stage: Stage::UnderDevelopment,
+        default_enabled: false,
+    },
    FeatureSpec {
        id: Feature::ChildAgentsMd,
        key: "child_agents_md",
@@ -385,6 +457,12 @@ pub const FEATURES: &[FeatureSpec] = &[
        stage: Stage::UnderDevelopment,
        default_enabled: true,
    },
+    FeatureSpec {
+        id: Feature::RequestRule,
+        key: "request_rule",
+        stage: Stage::UnderDevelopment,
+        default_enabled: false,
+    },
    FeatureSpec {
        id: Feature::WindowsSandbox,
        key: "experimental_windows_sandbox",
@@ -428,8 +506,8 @@ pub const FEATURES: &[FeatureSpec] = &[
    FeatureSpec {
        id: Feature::EnableRequestCompression,
        key: "enable_request_compression",
-        stage: Stage::UnderDevelopment,
-        default_enabled: false,
+        stage: Stage::Stable,
+        default_enabled: true,
    },
    FeatureSpec {
        id: Feature::Collab,
@@ -443,6 +521,12 @@ pub const FEATURES: &[FeatureSpec] = &[
        stage: Stage::UnderDevelopment,
        default_enabled: false,
    },
+    FeatureSpec {
+        id: Feature::SkillMcpDependencyInstall,
+        key: "skill_mcp_dependency_install",
+        stage: Stage::Stable,
+        default_enabled: true,
+    },
    FeatureSpec {
        id: Feature::Steer,
        key: "steer",
@@ -466,3 +550,54 @@ pub const FEATURES: &[FeatureSpec] = &[
        default_enabled: false,
    },
 ];
+
+/// Push a warning event if any under-development features are enabled.
+pub fn maybe_push_unstable_features_warning(
+    config: &Config,
+    post_session_configured_events: &mut Vec<Event>,
+) {
+    if config.suppress_unstable_features_warning {
+        return;
+    }
+
+    let mut under_development_feature_keys = Vec::new();
+    if let Some(table) = config
+        .config_layer_stack
+        .effective_config()
+        .get("features")
+        .and_then(TomlValue::as_table)
+    {
+        for (key, value) in table {
+            if value.as_bool() != Some(true) {
+                continue;
+            }
+            let Some(spec) = FEATURES.iter().find(|spec| spec.key == key.as_str()) else {
+                continue;
+            };
+            if !config.features.enabled(spec.id) {
+                continue;
+            }
+            if matches!(spec.stage, Stage::UnderDevelopment) {
+                under_development_feature_keys.push(spec.key.to_string());
+            }
+        }
+    }
+
+    if under_development_feature_keys.is_empty() {
+        return;
+    }
+
+    let under_development_feature_keys = under_development_feature_keys.join(", ");
+    let config_path = config
+        .codex_home
+        .join(CONFIG_TOML_FILE)
+        .display()
+        .to_string();
+    let message = format!(
+        "Under-development features enabled: {under_development_feature_keys}. Under-development features are incomplete and may behave unpredictably. To suppress this warning, set `suppress_unstable_features_warning = true` in {config_path}."
+    );
+    post_session_configured_events.push(Event {
+        id: "".to_owned(),
+        msg: EventMsg::Warning(WarningEvent { message }),
+    });
+}
--- a/codex-rs/core/src/lib.rs
+++ b/codex-rs/core/src/lib.rs
@@ -69,6 +69,7 @@ mod event_mapping;
 pub mod review_format;
 pub mod review_prompts;
 mod thread_manager;
+pub mod web_search;
 pub use codex_protocol::protocol::InitialHistory;
 pub use thread_manager::NewThread;
 pub use thread_manager::ThreadManager;
@@ -90,6 +91,7 @@ pub mod shell;
 pub mod shell_snapshot;
 pub mod skills;
 pub mod spawn;
+pub mod state_db;
 pub mod terminal;
 mod tools;
 pub mod turn_diff_tracker;
@@ -125,9 +127,6 @@ pub use exec_policy::ExecPolicyError;
 pub use exec_policy::check_execpolicy_for_warnings;
 pub use exec_policy::load_exec_policy;
 pub use safety::get_platform_sandbox;
-pub use safety::is_windows_elevated_sandbox_enabled;
-pub use safety::set_windows_elevated_sandbox_enabled;
-pub use safety::set_windows_sandbox_enabled;
 pub use tools::spec::parse_tool_input_schema;
 // Re-export the protocol types from the standalone `codex-protocol` crate so existing
 // `codex_core::protocol::...` references continue to work across the workspace.
--- a/codex-rs/core/src/mcp/auth.rs
+++ b/codex-rs/core/src/mcp/auth.rs
@@ -4,12 +4,53 @@ use anyhow::Result;
 use codex_protocol::protocol::McpAuthStatus;
 use codex_rmcp_client::OAuthCredentialsStoreMode;
 use codex_rmcp_client::determine_streamable_http_auth_status;
+use codex_rmcp_client::supports_oauth_login;
 use futures::future::join_all;
 use tracing::warn;

 use crate::config::types::McpServerConfig;
 use crate::config::types::McpServerTransportConfig;

+#[derive(Debug, Clone)]
+pub struct McpOAuthLoginConfig {
+    pub url: String,
+    pub http_headers: Option<HashMap<String, String>>,
+    pub env_http_headers: Option<HashMap<String, String>>,
+}
+
+#[derive(Debug)]
+pub enum McpOAuthLoginSupport {
+    Supported(McpOAuthLoginConfig),
+    Unsupported,
+    Unknown(anyhow::Error),
+}
+
+pub async fn oauth_login_support(transport: &McpServerTransportConfig) -> McpOAuthLoginSupport {
+    let McpServerTransportConfig::StreamableHttp {
+        url,
+        bearer_token_env_var,
+        http_headers,
+        env_http_headers,
+    } = transport
+    else {
+        return McpOAuthLoginSupport::Unsupported;
+    };
+
+    if bearer_token_env_var.is_some() {
+        return McpOAuthLoginSupport::Unsupported;
+    }
+
+    match supports_oauth_login(url).await {
+        Ok(true) => McpOAuthLoginSupport::Supported(McpOAuthLoginConfig {
+            url: url.clone(),
+            http_headers: http_headers.clone(),
+            env_http_headers: env_http_headers.clone(),
+        }),
+        Ok(false) => McpOAuthLoginSupport::Unsupported,
+        Err(err) => McpOAuthLoginSupport::Unknown(err),
+    }
+}
+
 #[derive(Debug, Clone)]
 pub struct McpAuthStatusEntry {
    pub config: McpServerConfig,
--- a/codex-rs/core/src/mcp/mod.rs
+++ b/codex-rs/core/src/mcp/mod.rs
@@ -1,4 +1,8 @@
 pub mod auth;
+mod skill_dependencies;
+
+pub(crate) use skill_dependencies::maybe_prompt_and_install_mcp_dependencies;
+
 use std::collections::HashMap;
 use std::env;
 use std::path::PathBuf;
--- a/codex-rs/core/src/mcp/skill_dependencies.rs
+++ b/codex-rs/core/src/mcp/skill_dependencies.rs
@@ -0,0 +1,518 @@
+use std::collections::HashMap;
+use std::collections::HashSet;
+
+use codex_protocol::protocol::AskForApproval;
+use codex_protocol::protocol::SandboxPolicy;
+use codex_protocol::request_user_input::RequestUserInputArgs;
+use codex_protocol::request_user_input::RequestUserInputQuestion;
+use codex_protocol::request_user_input::RequestUserInputQuestionOption;
+use codex_protocol::request_user_input::RequestUserInputResponse;
+use codex_rmcp_client::perform_oauth_login;
+use tokio_util::sync::CancellationToken;
+use tracing::warn;
+
+use super::auth::McpOAuthLoginSupport;
+use super::auth::oauth_login_support;
+use super::effective_mcp_servers;
+use crate::codex::Session;
+use crate::codex::TurnContext;
+use crate::config::Config;
+use crate::config::edit::ConfigEditsBuilder;
+use crate::config::load_global_mcp_servers;
+use crate::config::types::McpServerConfig;
+use crate::config::types::McpServerTransportConfig;
+use crate::default_client::is_first_party_originator;
+use crate::default_client::originator;
+use crate::features::Feature;
+use crate::skills::SkillMetadata;
+use crate::skills::model::SkillToolDependency;
+
+const SKILL_MCP_DEPENDENCY_PROMPT_ID: &str = "skill_mcp_dependency_install";
+const MCP_DEPENDENCY_OPTION_INSTALL: &str = "Install";
+const MCP_DEPENDENCY_OPTION_SKIP: &str = "Continue anyway";
+
+fn is_full_access_mode(turn_context: &TurnContext) -> bool {
+    matches!(turn_context.approval_policy, AskForApproval::Never)
+        && matches!(
+            turn_context.sandbox_policy,
+            SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. }
+        )
+}
+
+fn format_missing_mcp_dependencies(missing: &HashMap<String, McpServerConfig>) -> String {
+    let mut names = missing.keys().cloned().collect::<Vec<_>>();
+    names.sort();
+    names.join(", ")
+}
+
+async fn filter_prompted_mcp_dependencies(
+    sess: &Session,
+    missing: &HashMap<String, McpServerConfig>,
+) -> HashMap<String, McpServerConfig> {
+    let prompted = sess.mcp_dependency_prompted().await;
+    if prompted.is_empty() {
+        return missing.clone();
+    }
+
+    missing
+        .iter()
+        .filter(|(name, config)| !prompted.contains(&canonical_mcp_server_key(name, config)))
+        .map(|(name, config)| (name.clone(), config.clone()))
+        .collect()
+}
+
+async fn should_install_mcp_dependencies(
+    sess: &Session,
+    turn_context: &TurnContext,
+    missing: &HashMap<String, McpServerConfig>,
+    cancellation_token: &CancellationToken,
+) -> bool {
+    if is_full_access_mode(turn_context) {
+        return true;
+    }
+
+    let server_list = format_missing_mcp_dependencies(missing);
+    let question = RequestUserInputQuestion {
+        id: SKILL_MCP_DEPENDENCY_PROMPT_ID.to_string(),
+        header: "Install MCP servers?".to_string(),
+        question: format!(
+            "The following MCP servers are required by the selected skills but are not installed yet: {server_list}. Install them now?"
+        ),
+        is_other: false,
+        options: Some(vec![
+            RequestUserInputQuestionOption {
+                label: MCP_DEPENDENCY_OPTION_INSTALL.to_string(),
+                description:
+                    "Install and enable the missing MCP servers in your global config."
+                        .to_string(),
+            },
+            RequestUserInputQuestionOption {
+                label: MCP_DEPENDENCY_OPTION_SKIP.to_string(),
+                description: "Skip installation for now and do not show again for these MCP servers in this session."
+                    .to_string(),
+            },
+        ]),
+    };
+    let args = RequestUserInputArgs {
+        questions: vec![question],
+    };
+    let sub_id = &turn_context.sub_id;
+    let call_id = format!("mcp-deps-{sub_id}");
+    let response_fut = sess.request_user_input(turn_context, call_id, args);
+    let response = tokio::select! {
+        biased;
+        _ = cancellation_token.cancelled() => {
+            let empty = RequestUserInputResponse {
+                answers: HashMap::new(),
+            };
+            sess.notify_user_input_response(sub_id, empty.clone()).await;
+            empty
+        }
+        response = response_fut => response.unwrap_or_else(|| RequestUserInputResponse {
+            answers: HashMap::new(),
+        }),
+    };
+
+    let install = response
+        .answers
+        .get(SKILL_MCP_DEPENDENCY_PROMPT_ID)
+        .is_some_and(|answer| {
+            answer
+                .answers
+                .iter()
+                .any(|entry| entry == MCP_DEPENDENCY_OPTION_INSTALL)
+        });
+
+    let prompted_keys = missing
+        .iter()
+        .map(|(name, config)| canonical_mcp_server_key(name, config));
+    sess.record_mcp_dependency_prompted(prompted_keys).await;
+
+    install
+}
+
+pub(crate) async fn maybe_prompt_and_install_mcp_dependencies(
+    sess: &Session,
+    turn_context: &TurnContext,
+    cancellation_token: &CancellationToken,
+    mentioned_skills: &[SkillMetadata],
+) {
+    let originator_value = originator().value;
+    if !is_first_party_originator(originator_value.as_str()) {
+        // Only support first-party clients for now.
+        return;
+    }
+
+    let config = turn_context.client.config();
+    if mentioned_skills.is_empty() || !config.features.enabled(Feature::SkillMcpDependencyInstall) {
+        return;
+    }
+
+    let installed = config.mcp_servers.get().clone();
+    let missing = collect_missing_mcp_dependencies(mentioned_skills, &installed);
+    if missing.is_empty() {
+        return;
+    }
+
+    let unprompted_missing = filter_prompted_mcp_dependencies(sess, &missing).await;
+    if unprompted_missing.is_empty() {
+        return;
+    }
+
+    if should_install_mcp_dependencies(sess, turn_context, &unprompted_missing, cancellation_token)
+        .await
+    {
+        maybe_install_mcp_dependencies(sess, turn_context, config.as_ref(), mentioned_skills).await;
+    }
+}
+
+pub(crate) async fn maybe_install_mcp_dependencies(
+    sess: &Session,
+    turn_context: &TurnContext,
+    config: &Config,
+    mentioned_skills: &[SkillMetadata],
+) {
+    if mentioned_skills.is_empty() || !config.features.enabled(Feature::SkillMcpDependencyInstall) {
+        return;
+    }
+
+    let codex_home = config.codex_home.clone();
+    let installed = config.mcp_servers.get().clone();
+    let missing = collect_missing_mcp_dependencies(mentioned_skills, &installed);
+    if missing.is_empty() {
+        return;
+    }
+
+    let mut servers = match load_global_mcp_servers(&codex_home).await {
+        Ok(servers) => servers,
+        Err(err) => {
+            warn!("failed to load MCP servers while installing skill dependencies: {err}");
+            return;
+        }
+    };
+
+    let mut updated = false;
+    let mut added = Vec::new();
+    for (name, config) in missing {
+        if servers.contains_key(&name) {
+            continue;
+        }
+        servers.insert(name.clone(), config.clone());
+        added.push((name, config));
+        updated = true;
+    }
+
+    if !updated {
+        return;
+    }
+
+    if let Err(err) = ConfigEditsBuilder::new(&codex_home)
+        .replace_mcp_servers(&servers)
+        .apply()
+        .await
+    {
+        warn!("failed to persist MCP dependencies for mentioned skills: {err}");
+        return;
+    }
+
+    for (name, server_config) in added {
+        let oauth_config = match oauth_login_support(&server_config.transport).await {
+            McpOAuthLoginSupport::Supported(config) => config,
+            McpOAuthLoginSupport::Unsupported => continue,
+            McpOAuthLoginSupport::Unknown(err) => {
+                warn!("MCP server may or may not require login for dependency {name}: {err}");
+                continue;
+            }
+        };
+
+        sess.notify_background_event(
+            turn_context,
+            format!(
+                "Authenticating MCP {name}... Follow instructions in your browser if prompted."
+            ),
+        )
+        .await;
+
+        if let Err(err) = perform_oauth_login(
+            &name,
+            &oauth_config.url,
+            config.mcp_oauth_credentials_store_mode,
+            oauth_config.http_headers,
+            oauth_config.env_http_headers,
+            &[],
+            config.mcp_oauth_callback_port,
+        )
+        .await
+        {
+            warn!("failed to login to MCP dependency {name}: {err}");
+        }
+    }
+
+    // Refresh from the effective merged MCP map (global + repo + managed) and
+    // overlay the updated global servers so we don't drop repo-scoped servers.
+    let auth = sess.services.auth_manager.auth().await;
+    let mut refresh_servers = effective_mcp_servers(config, auth.as_ref());
+    for (name, server_config) in &servers {
+        refresh_servers
+            .entry(name.clone())
+            .or_insert_with(|| server_config.clone());
+    }
+    sess.refresh_mcp_servers_now(
+        turn_context,
+        refresh_servers,
+        config.mcp_oauth_credentials_store_mode,
+    )
+    .await;
+}
+
+fn canonical_mcp_key(transport: &str, identifier: &str, fallback: &str) -> String {
+    let identifier = identifier.trim();
+    if identifier.is_empty() {
+        fallback.to_string()
+    } else {
+        format!("mcp__{transport}__{identifier}")
+    }
+}
+
+fn canonical_mcp_server_key(name: &str, config: &McpServerConfig) -> String {
+    match &config.transport {
+        McpServerTransportConfig::Stdio { command, .. } => {
+            canonical_mcp_key("stdio", command, name)
+        }
+        McpServerTransportConfig::StreamableHttp { url, .. } => {
+            canonical_mcp_key("streamable_http", url, name)
+        }
+    }
+}
+
+fn canonical_mcp_dependency_key(dependency: &SkillToolDependency) -> Result<String, String> {
+    let transport = dependency.transport.as_deref().unwrap_or("streamable_http");
+    if transport.eq_ignore_ascii_case("streamable_http") {
+        let url = dependency
+            .url
+            .as_ref()
+            .ok_or_else(|| "missing url for streamable_http dependency".to_string())?;
+        return Ok(canonical_mcp_key("streamable_http", url, &dependency.value));
+    }
+    if transport.eq_ignore_ascii_case("stdio") {
+        let command = dependency
+            .command
+            .as_ref()
+            .ok_or_else(|| "missing command for stdio dependency".to_string())?;
+        return Ok(canonical_mcp_key("stdio", command, &dependency.value));
+    }
+    Err(format!("unsupported transport {transport}"))
+}
+
+pub(crate) fn collect_missing_mcp_dependencies(
+    mentioned_skills: &[SkillMetadata],
+    installed: &HashMap<String, McpServerConfig>,
+) -> HashMap<String, McpServerConfig> {
+    let mut missing = HashMap::new();
+    let installed_keys: HashSet<String> = installed
+        .iter()
+        .map(|(name, config)| canonical_mcp_server_key(name, config))
+        .collect();
+    let mut seen_canonical_keys = HashSet::new();
+
+    for skill in mentioned_skills {
+        let Some(dependencies) = skill.dependencies.as_ref() else {
+            continue;
+        };
+
+        for tool in &dependencies.tools {
+            if !tool.r#type.eq_ignore_ascii_case("mcp") {
+                continue;
+            }
+            let dependency_key = match canonical_mcp_dependency_key(tool) {
+                Ok(key) => key,
+                Err(err) => {
+                    let dependency = tool.value.as_str();
+                    let skill_name = skill.name.as_str();
+                    warn!(
+                        "unable to auto-install MCP dependency {dependency} for skill {skill_name}: {err}",
+                    );
+                    continue;
+                }
+            };
+            if installed_keys.contains(&dependency_key)
+                || seen_canonical_keys.contains(&dependency_key)
+            {
+                continue;
+            }
+
+            let config = match mcp_dependency_to_server_config(tool) {
+                Ok(config) => config,
+                Err(err) => {
+                    let dependency = dependency_key.as_str();
+                    let skill_name = skill.name.as_str();
+                    warn!(
+                        "unable to auto-install MCP dependency {dependency} for skill {skill_name}: {err}",
+                    );
+                    continue;
+                }
+            };
+
+            missing.insert(tool.value.clone(), config);
+            seen_canonical_keys.insert(dependency_key);
+        }
+    }
+
+    missing
+}
+
+fn mcp_dependency_to_server_config(
+    dependency: &SkillToolDependency,
+) -> Result<McpServerConfig, String> {
+    let transport = dependency.transport.as_deref().unwrap_or("streamable_http");
+    if transport.eq_ignore_ascii_case("streamable_http") {
+        let url = dependency
+            .url
+            .as_ref()
+            .ok_or_else(|| "missing url for streamable_http dependency".to_string())?;
+        return Ok(McpServerConfig {
+            transport: McpServerTransportConfig::StreamableHttp {
+                url: url.clone(),
+                bearer_token_env_var: None,
+                http_headers: None,
+                env_http_headers: None,
+            },
+            enabled: true,
+            disabled_reason: None,
+            startup_timeout_sec: None,
+            tool_timeout_sec: None,
+            enabled_tools: None,
+            disabled_tools: None,
+            scopes: None,
+        });
+    }
+
+    if transport.eq_ignore_ascii_case("stdio") {
+        let command = dependency
+            .command
+            .as_ref()
+            .ok_or_else(|| "missing command for stdio dependency".to_string())?;
+        return Ok(McpServerConfig {
+            transport: McpServerTransportConfig::Stdio {
+                command: command.clone(),
+                args: Vec::new(),
+                env: None,
+                env_vars: Vec::new(),
+                cwd: None,
+            },
+            enabled: true,
+            disabled_reason: None,
+            startup_timeout_sec: None,
+            tool_timeout_sec: None,
+            enabled_tools: None,
+            disabled_tools: None,
+            scopes: None,
+        });
+    }
+
+    Err(format!("unsupported transport {transport}"))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::skills::model::SkillDependencies;
+    use codex_protocol::protocol::SkillScope;
+    use pretty_assertions::assert_eq;
+    use std::path::PathBuf;
+
+    fn skill_with_tools(tools: Vec<SkillToolDependency>) -> SkillMetadata {
+        SkillMetadata {
+            name: "skill".to_string(),
+            description: "skill".to_string(),
+            short_description: None,
+            interface: None,
+            dependencies: Some(SkillDependencies { tools }),
+            path: PathBuf::from("skill"),
+            scope: SkillScope::User,
+        }
+    }
+
+    #[test]
+    fn collect_missing_respects_canonical_installed_key() {
+        let url = "https://example.com/mcp".to_string();
+        let skills = vec![skill_with_tools(vec![SkillToolDependency {
+            r#type: "mcp".to_string(),
+            value: "github".to_string(),
+            description: None,
+            transport: Some("streamable_http".to_string()),
+            command: None,
+            url: Some(url.clone()),
+        }])];
+        let installed = HashMap::from([(
+            "alias".to_string(),
+            McpServerConfig {
+                transport: McpServerTransportConfig::StreamableHttp {
+                    url,
+                    bearer_token_env_var: None,
+                    http_headers: None,
+                    env_http_headers: None,
+                },
+                enabled: true,
+                disabled_reason: None,
+                startup_timeout_sec: None,
+                tool_timeout_sec: None,
+                enabled_tools: None,
+                disabled_tools: None,
+                scopes: None,
+            },
+        )]);
+
+        assert_eq!(
+            collect_missing_mcp_dependencies(&skills, &installed),
+            HashMap::new()
+        );
+    }
+
+    #[test]
+    fn collect_missing_dedupes_by_canonical_key_but_preserves_original_name() {
+        let url = "https://example.com/one".to_string();
+        let skills = vec![skill_with_tools(vec![
+            SkillToolDependency {
+                r#type: "mcp".to_string(),
+                value: "alias-one".to_string(),
+                description: None,
+                transport: Some("streamable_http".to_string()),
+                command: None,
+                url: Some(url.clone()),
+            },
+            SkillToolDependency {
+                r#type: "mcp".to_string(),
+                value: "alias-two".to_string(),
+                description: None,
+                transport: Some("streamable_http".to_string()),
+                command: None,
+                url: Some(url.clone()),
+            },
+        ])];
+
+        let expected = HashMap::from([(
+            "alias-one".to_string(),
+            McpServerConfig {
+                transport: McpServerTransportConfig::StreamableHttp {
+                    url,
+                    bearer_token_env_var: None,
+                    http_headers: None,
+                    env_http_headers: None,
+                },
+                enabled: true,
+                disabled_reason: None,
+                startup_timeout_sec: None,
+                tool_timeout_sec: None,
+                enabled_tools: None,
+                disabled_tools: None,
+                scopes: None,
+            },
+        )]);
+
+        assert_eq!(
+            collect_missing_mcp_dependencies(&skills, &HashMap::new()),
+            expected
+        );
+    }
+}
--- a/codex-rs/core/src/models_manager/collaboration_mode_presets.rs
+++ b/codex-rs/core/src/models_manager/collaboration_mode_presets.rs
@@ -28,7 +28,7 @@ fn plan_preset() -> CollaborationModeMask {
        name: "Plan".to_string(),
        mode: Some(ModeKind::Plan),
        model: None,
-        reasoning_effort: Some(Some(ReasoningEffort::High)),
+        reasoning_effort: Some(Some(ReasoningEffort::Medium)),
        developer_instructions: Some(Some(COLLABORATION_MODE_PLAN.to_string())),
    }
 }
--- a/codex-rs/core/src/models_manager/model_info.rs
+++ b/codex-rs/core/src/models_manager/model_info.rs
@@ -259,9 +259,7 @@ pub(crate) fn find_model_info_for_slug(slug: &str) -> ModelInfo {
            truncation_policy: TruncationPolicyConfig::tokens(10_000),
            context_window: Some(CONTEXT_WINDOW_272K),
        )
-    } else if (slug.starts_with("gpt-5.2") || slug.starts_with("boomslang"))
-        && !slug.contains("codex")
-    {
+    } else if slug.starts_with("gpt-5.2") || slug.starts_with("boomslang") {
        model_info!(
            slug,
            apply_patch_tool_type: Some(ApplyPatchToolType::Freeform),
@@ -276,7 +274,7 @@ pub(crate) fn find_model_info_for_slug(slug: &str) -> ModelInfo {
            context_window: Some(CONTEXT_WINDOW_272K),
            supported_reasoning_levels: supported_reasoning_level_low_medium_high_xhigh_non_codex(),
        )
-    } else if slug.starts_with("gpt-5.1") && !slug.contains("codex") {
+    } else if slug.starts_with("gpt-5.1") {
        model_info!(
            slug,
            apply_patch_tool_type: Some(ApplyPatchToolType::Freeform),
--- a/codex-rs/core/src/rollout/list.rs
+++ b/codex-rs/core/src/rollout/list.rs
@@ -1,3 +1,4 @@
+use async_trait::async_trait;
 use std::cmp::Reverse;
 use std::ffi::OsStr;
 use std::io::{self};
@@ -7,8 +8,6 @@ use std::path::Path;
 use std::path::PathBuf;
 use std::sync::Arc;
 use std::sync::atomic::AtomicBool;
-
-use async_trait::async_trait;
 use time::OffsetDateTime;
 use time::PrimitiveDateTime;
 use time::format_description::FormatItem;
@@ -19,7 +18,9 @@ use uuid::Uuid;
 use super::ARCHIVED_SESSIONS_SUBDIR;
 use super::SESSIONS_SUBDIR;
 use crate::protocol::EventMsg;
+use crate::state_db;
 use codex_file_search as file_search;
+use codex_protocol::ThreadId;
 use codex_protocol::protocol::RolloutItem;
 use codex_protocol::protocol::RolloutLine;
 use codex_protocol::protocol::SessionMetaLine;
@@ -794,7 +795,7 @@ async fn collect_rollout_day_files(
    Ok(day_files)
 }

-fn parse_timestamp_uuid_from_filename(name: &str) -> Option<(OffsetDateTime, Uuid)> {
+pub(crate) fn parse_timestamp_uuid_from_filename(name: &str) -> Option<(OffsetDateTime, Uuid)> {
    // Expected: rollout-YYYY-MM-DDThh-mm-ss-<uuid>.jsonl
    let core = name.strip_prefix("rollout-")?.strip_suffix(".jsonl")?;

@@ -1093,11 +1094,39 @@ async fn find_thread_path_by_id_str_in_subdir(
    )
    .map_err(|e| io::Error::other(format!("file search failed: {e}")))?;

-    Ok(results
+    let found = results
        .matches
        .into_iter()
        .next()
-        .map(|m| root.join(m.path)))
+        .map(|m| root.join(m.path));
+
+    // Checking if DB is at parity.
+    // TODO(jif): sqlite migration phase 1
+    let archived_only = match subdir {
+        SESSIONS_SUBDIR => Some(false),
+        ARCHIVED_SESSIONS_SUBDIR => Some(true),
+        _ => None,
+    };
+    let state_db_ctx = state_db::open_if_present(codex_home, "").await;
+    if let Some(state_db_ctx) = state_db_ctx.as_deref()
+        && let Ok(thread_id) = ThreadId::from_string(id_str)
+    {
+        let db_path = state_db::find_rollout_path_by_id(
+            Some(state_db_ctx),
+            thread_id,
+            archived_only,
+            "find_path_query",
+        )
+        .await;
+        let canonical_path = found.as_deref();
+        if db_path.as_deref() != canonical_path {
+            tracing::warn!(
+                "state db path mismatch for thread {thread_id:?}: canonical={canonical_path:?} db={db_path:?}"
+            );
+            state_db::record_discrepancy("find_thread_path_by_id_str_in_subdir", "path_mismatch");
+        }
+    }
+    Ok(found)
 }

 /// Locate a recorded thread rollout file by its UUID string using the existing
--- a/codex-rs/core/src/rollout/metadata.rs
+++ b/codex-rs/core/src/rollout/metadata.rs
@@ -0,0 +1,342 @@
+use crate::config::Config;
+use crate::rollout;
+use crate::rollout::list::parse_timestamp_uuid_from_filename;
+use crate::rollout::recorder::RolloutRecorder;
+use chrono::DateTime;
+use chrono::NaiveDateTime;
+use chrono::Timelike;
+use chrono::Utc;
+use codex_otel::OtelManager;
+use codex_protocol::ThreadId;
+use codex_protocol::protocol::AskForApproval;
+use codex_protocol::protocol::RolloutItem;
+use codex_protocol::protocol::SandboxPolicy;
+use codex_protocol::protocol::SessionMetaLine;
+use codex_protocol::protocol::SessionSource;
+use codex_state::BackfillStats;
+use codex_state::DB_ERROR_METRIC;
+use codex_state::ExtractionOutcome;
+use codex_state::ThreadMetadataBuilder;
+use codex_state::apply_rollout_item;
+use std::cmp::Reverse;
+use std::path::Path;
+use std::path::PathBuf;
+use tracing::warn;
+
+const ROLLOUT_PREFIX: &str = "rollout-";
+const ROLLOUT_SUFFIX: &str = ".jsonl";
+
+pub(crate) fn builder_from_session_meta(
+    session_meta: &SessionMetaLine,
+    rollout_path: &Path,
+) -> Option<ThreadMetadataBuilder> {
+    let created_at = parse_timestamp_to_utc(session_meta.meta.timestamp.as_str())?;
+    let mut builder = ThreadMetadataBuilder::new(
+        session_meta.meta.id,
+        rollout_path.to_path_buf(),
+        created_at,
+        session_meta.meta.source.clone(),
+    );
+    builder.model_provider = session_meta.meta.model_provider.clone();
+    builder.cwd = session_meta.meta.cwd.clone();
+    builder.sandbox_policy = SandboxPolicy::ReadOnly;
+    builder.approval_mode = AskForApproval::OnRequest;
+    if let Some(git) = session_meta.git.as_ref() {
+        builder.git_sha = git.commit_hash.clone();
+        builder.git_branch = git.branch.clone();
+        builder.git_origin_url = git.repository_url.clone();
+    }
+    Some(builder)
+}
+
+pub(crate) fn builder_from_items(
+    items: &[RolloutItem],
+    rollout_path: &Path,
+) -> Option<ThreadMetadataBuilder> {
+    if let Some(session_meta) = items.iter().find_map(|item| match item {
+        RolloutItem::SessionMeta(meta_line) => Some(meta_line),
+        RolloutItem::ResponseItem(_)
+        | RolloutItem::Compacted(_)
+        | RolloutItem::TurnContext(_)
+        | RolloutItem::EventMsg(_) => None,
+    }) && let Some(builder) = builder_from_session_meta(session_meta, rollout_path)
+    {
+        return Some(builder);
+    }
+
+    let file_name = rollout_path.file_name()?.to_str()?;
+    if !file_name.starts_with(ROLLOUT_PREFIX) || !file_name.ends_with(ROLLOUT_SUFFIX) {
+        return None;
+    }
+    let (created_ts, uuid) = parse_timestamp_uuid_from_filename(file_name)?;
+    let created_at =
+        DateTime::<Utc>::from_timestamp(created_ts.unix_timestamp(), 0)?.with_nanosecond(0)?;
+    let id = ThreadId::from_string(&uuid.to_string()).ok()?;
+    Some(ThreadMetadataBuilder::new(
+        id,
+        rollout_path.to_path_buf(),
+        created_at,
+        SessionSource::default(),
+    ))
+}
+
+pub(crate) async fn extract_metadata_from_rollout(
+    rollout_path: &Path,
+    default_provider: &str,
+    otel: Option<&OtelManager>,
+) -> anyhow::Result<ExtractionOutcome> {
+    let (items, _thread_id, parse_errors) =
+        RolloutRecorder::load_rollout_items(rollout_path).await?;
+    if items.is_empty() {
+        return Err(anyhow::anyhow!(
+            "empty session file: {}",
+            rollout_path.display()
+        ));
+    }
+    let builder = builder_from_items(items.as_slice(), rollout_path).ok_or_else(|| {
+        anyhow::anyhow!(
+            "rollout missing metadata builder: {}",
+            rollout_path.display()
+        )
+    })?;
+    let mut metadata = builder.build(default_provider);
+    for item in &items {
+        apply_rollout_item(&mut metadata, item, default_provider);
+    }
+    if let Some(updated_at) = file_modified_time_utc(rollout_path).await {
+        metadata.updated_at = updated_at;
+    }
+    if parse_errors > 0
+        && let Some(otel) = otel
+    {
+        otel.counter(
+            DB_ERROR_METRIC,
+            parse_errors as i64,
+            &[("stage", "extract_metadata_from_rollout")],
+        );
+    }
+    Ok(ExtractionOutcome {
+        metadata,
+        parse_errors,
+    })
+}
+
+pub(crate) async fn backfill_sessions(
+    runtime: &codex_state::StateRuntime,
+    config: &Config,
+    otel: Option<&OtelManager>,
+) -> BackfillStats {
+    let sessions_root = config.codex_home.join(rollout::SESSIONS_SUBDIR);
+    let archived_root = config.codex_home.join(rollout::ARCHIVED_SESSIONS_SUBDIR);
+    let mut rollout_paths: Vec<(PathBuf, bool)> = Vec::new();
+    for (root, archived) in [(sessions_root, false), (archived_root, true)] {
+        if !tokio::fs::try_exists(&root).await.unwrap_or(false) {
+            continue;
+        }
+        match collect_rollout_paths(&root).await {
+            Ok(paths) => {
+                rollout_paths.extend(paths.into_iter().map(|path| (path, archived)));
+            }
+            Err(err) => {
+                warn!(
+                    "failed to collect rollout paths under {}: {err}",
+                    root.display()
+                );
+            }
+        }
+    }
+    rollout_paths.sort_by_key(|(path, _archived)| {
+        let parsed = path
+            .file_name()
+            .and_then(|name| name.to_str())
+            .and_then(parse_timestamp_uuid_from_filename)
+            .unwrap_or((time::OffsetDateTime::UNIX_EPOCH, uuid::Uuid::nil()));
+        (Reverse(parsed.0), Reverse(parsed.1))
+    });
+    let mut stats = BackfillStats {
+        scanned: 0,
+        upserted: 0,
+        failed: 0,
+    };
+    for (path, archived) in rollout_paths {
+        stats.scanned = stats.scanned.saturating_add(1);
+        match extract_metadata_from_rollout(&path, config.model_provider_id.as_str(), otel).await {
+            Ok(outcome) => {
+                if outcome.parse_errors > 0
+                    && let Some(otel) = otel
+                {
+                    otel.counter(
+                        DB_ERROR_METRIC,
+                        outcome.parse_errors as i64,
+                        &[("stage", "backfill_sessions")],
+                    );
+                }
+                let mut metadata = outcome.metadata;
+                if archived && metadata.archived_at.is_none() {
+                    let fallback_archived_at = metadata.updated_at;
+                    metadata.archived_at = file_modified_time_utc(&path)
+                        .await
+                        .or(Some(fallback_archived_at));
+                }
+                if let Err(err) = runtime.upsert_thread(&metadata).await {
+                    stats.failed = stats.failed.saturating_add(1);
+                    warn!("failed to upsert rollout {}: {err}", path.display());
+                } else {
+                    stats.upserted = stats.upserted.saturating_add(1);
+                }
+            }
+            Err(err) => {
+                stats.failed = stats.failed.saturating_add(1);
+                warn!("failed to extract rollout {}: {err}", path.display());
+            }
+        }
+    }
+    stats
+}
+
+async fn file_modified_time_utc(path: &Path) -> Option<DateTime<Utc>> {
+    let modified = tokio::fs::metadata(path).await.ok()?.modified().ok()?;
+    let updated_at: DateTime<Utc> = modified.into();
+    updated_at.with_nanosecond(0)
+}
+
+fn parse_timestamp_to_utc(ts: &str) -> Option<DateTime<Utc>> {
+    const FILENAME_TS_FORMAT: &str = "%Y-%m-%dT%H-%M-%S";
+    if let Ok(naive) = NaiveDateTime::parse_from_str(ts, FILENAME_TS_FORMAT) {
+        let dt = DateTime::<Utc>::from_naive_utc_and_offset(naive, Utc);
+        return dt.with_nanosecond(0);
+    }
+    if let Ok(dt) = DateTime::parse_from_rfc3339(ts) {
+        return dt.with_timezone(&Utc).with_nanosecond(0);
+    }
+    None
+}
+
+async fn collect_rollout_paths(root: &Path) -> std::io::Result<Vec<PathBuf>> {
+    let mut stack = vec![root.to_path_buf()];
+    let mut paths = Vec::new();
+    while let Some(dir) = stack.pop() {
+        let mut read_dir = match tokio::fs::read_dir(&dir).await {
+            Ok(read_dir) => read_dir,
+            Err(err) => {
+                warn!("failed to read directory {}: {err}", dir.display());
+                continue;
+            }
+        };
+        while let Some(entry) = read_dir.next_entry().await? {
+            let path = entry.path();
+            let file_type = entry.file_type().await?;
+            if file_type.is_dir() {
+                stack.push(path);
+                continue;
+            }
+            if !file_type.is_file() {
+                continue;
+            }
+            let file_name = entry.file_name();
+            let Some(name) = file_name.to_str() else {
+                continue;
+            };
+            if name.starts_with(ROLLOUT_PREFIX) && name.ends_with(ROLLOUT_SUFFIX) {
+                paths.push(path);
+            }
+        }
+    }
+    Ok(paths)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use chrono::DateTime;
+    use chrono::NaiveDateTime;
+    use chrono::Timelike;
+    use chrono::Utc;
+    use codex_protocol::ThreadId;
+    use codex_protocol::protocol::CompactedItem;
+    use codex_protocol::protocol::RolloutItem;
+    use codex_protocol::protocol::RolloutLine;
+    use codex_protocol::protocol::SessionMeta;
+    use codex_protocol::protocol::SessionMetaLine;
+    use codex_protocol::protocol::SessionSource;
+    use codex_state::ThreadMetadataBuilder;
+    use pretty_assertions::assert_eq;
+    use std::fs::File;
+    use std::io::Write;
+    use tempfile::tempdir;
+    use uuid::Uuid;
+
+    #[tokio::test]
+    async fn extract_metadata_from_rollout_uses_session_meta() {
+        let dir = tempdir().expect("tempdir");
+        let uuid = Uuid::new_v4();
+        let id = ThreadId::from_string(&uuid.to_string()).expect("thread id");
+        let path = dir
+            .path()
+            .join(format!("rollout-2026-01-27T12-34-56-{uuid}.jsonl"));
+
+        let session_meta = SessionMeta {
+            id,
+            forked_from_id: None,
+            timestamp: "2026-01-27T12:34:56Z".to_string(),
+            cwd: dir.path().to_path_buf(),
+            originator: "cli".to_string(),
+            cli_version: "0.0.0".to_string(),
+            source: SessionSource::default(),
+            model_provider: Some("openai".to_string()),
+            base_instructions: None,
+        };
+        let session_meta_line = SessionMetaLine {
+            meta: session_meta,
+            git: None,
+        };
+        let rollout_line = RolloutLine {
+            timestamp: "2026-01-27T12:34:56Z".to_string(),
+            item: RolloutItem::SessionMeta(session_meta_line.clone()),
+        };
+        let json = serde_json::to_string(&rollout_line).expect("rollout json");
+        let mut file = File::create(&path).expect("create rollout");
+        writeln!(file, "{json}").expect("write rollout");
+
+        let outcome = extract_metadata_from_rollout(&path, "openai", None)
+            .await
+            .expect("extract");
+
+        let builder =
+            builder_from_session_meta(&session_meta_line, path.as_path()).expect("builder");
+        let mut expected = builder.build("openai");
+        apply_rollout_item(&mut expected, &rollout_line.item, "openai");
+        expected.updated_at = file_modified_time_utc(&path).await.expect("mtime");
+
+        assert_eq!(outcome.metadata, expected);
+        assert_eq!(outcome.parse_errors, 0);
+    }
+
+    #[test]
+    fn builder_from_items_falls_back_to_filename() {
+        let dir = tempdir().expect("tempdir");
+        let uuid = Uuid::new_v4();
+        let path = dir
+            .path()
+            .join(format!("rollout-2026-01-27T12-34-56-{uuid}.jsonl"));
+        let items = vec![RolloutItem::Compacted(CompactedItem {
+            message: "noop".to_string(),
+            replacement_history: None,
+        })];
+
+        let builder = builder_from_items(items.as_slice(), path.as_path()).expect("builder");
+        let naive = NaiveDateTime::parse_from_str("2026-01-27T12-34-56", "%Y-%m-%dT%H-%M-%S")
+            .expect("timestamp");
+        let created_at = DateTime::<Utc>::from_naive_utc_and_offset(naive, Utc)
+            .with_nanosecond(0)
+            .expect("nanosecond");
+        let expected = ThreadMetadataBuilder::new(
+            ThreadId::from_string(&uuid.to_string()).expect("thread id"),
+            path,
+            created_at,
+            SessionSource::default(),
+        );
+
+        assert_eq!(builder, expected);
+    }
+}
--- a/codex-rs/core/src/rollout/mod.rs
+++ b/codex-rs/core/src/rollout/mod.rs
@@ -9,6 +9,7 @@ pub const INTERACTIVE_SESSION_SOURCES: &[SessionSource] =

 pub(crate) mod error;
 pub mod list;
+pub(crate) mod metadata;
 pub(crate) mod policy;
 pub mod recorder;
 pub(crate) mod truncation;
--- a/codex-rs/core/src/rollout/recorder.rs
+++ b/codex-rs/core/src/rollout/recorder.rs
@@ -28,11 +28,14 @@ use super::list::ThreadSortKey;
 use super::list::ThreadsPage;
 use super::list::get_threads;
 use super::list::get_threads_in_root;
+use super::metadata;
 use super::policy::is_persisted_response_item;
 use crate::config::Config;
 use crate::default_client::originator;
 use crate::git_info::collect_git_info;
 use crate::path_utils;
+use crate::state_db;
+use crate::state_db::StateDbHandle;
 use codex_protocol::protocol::InitialHistory;
 use codex_protocol::protocol::ResumedHistory;
 use codex_protocol::protocol::RolloutItem;
@@ -40,6 +43,7 @@ use codex_protocol::protocol::RolloutLine;
 use codex_protocol::protocol::SessionMeta;
 use codex_protocol::protocol::SessionMetaLine;
 use codex_protocol::protocol::SessionSource;
+use codex_state::ThreadMetadataBuilder;

 /// Records all [`ResponseItem`]s for a session and flushes them to disk after
 /// every update.
@@ -54,6 +58,7 @@ use codex_protocol::protocol::SessionSource;
 pub struct RolloutRecorder {
    tx: Sender<RolloutCmd>,
    pub(crate) rollout_path: PathBuf,
+    state_db: Option<StateDbHandle>,
 }

 #[derive(Clone)]
@@ -111,7 +116,8 @@ impl RolloutRecorder {
        model_providers: Option<&[String]>,
        default_provider: &str,
    ) -> std::io::Result<ThreadsPage> {
-        get_threads(
+        let stage = "list_threads";
+        let page = get_threads(
            codex_home,
            page_size,
            cursor,
@@ -120,7 +126,34 @@ impl RolloutRecorder {
            model_providers,
            default_provider,
        )
+        .await?;
+
+        // TODO(jif): drop after sqlite migration phase 1
+        let state_db_ctx = state_db::open_if_present(codex_home, default_provider).await;
+        if let Some(db_ids) = state_db::list_thread_ids_db(
+            state_db_ctx.as_deref(),
+            codex_home,
+            page_size,
+            cursor,
+            sort_key,
+            allowed_sources,
+            model_providers,
+            false,
+            stage,
+        )
        .await
+        {
+            if page.items.len() != db_ids.len() {
+                state_db::record_discrepancy(stage, "bad_len");
+                return Ok(page);
+            }
+            for (id, item) in db_ids.iter().zip(page.items.iter()) {
+                if !item.path.display().to_string().contains(&id.to_string()) {
+                    state_db::record_discrepancy(stage, "bad_id");
+                }
+            }
+        }
+        Ok(page)
    }

    /// List archived threads (rollout files) under the archived sessions directory.
@@ -133,8 +166,9 @@ impl RolloutRecorder {
        model_providers: Option<&[String]>,
        default_provider: &str,
    ) -> std::io::Result<ThreadsPage> {
+        let stage = "list_archived_threads";
        let root = codex_home.join(ARCHIVED_SESSIONS_SUBDIR);
-        get_threads_in_root(
+        let page = get_threads_in_root(
            root,
            page_size,
            cursor,
@@ -146,7 +180,34 @@ impl RolloutRecorder {
                layout: ThreadListLayout::Flat,
            },
        )
+        .await?;
+
+        // TODO(jif): drop after sqlite migration phase 1
+        let state_db_ctx = state_db::open_if_present(codex_home, default_provider).await;
+        if let Some(db_ids) = state_db::list_thread_ids_db(
+            state_db_ctx.as_deref(),
+            codex_home,
+            page_size,
+            cursor,
+            sort_key,
+            allowed_sources,
+            model_providers,
+            true,
+            stage,
+        )
        .await
+        {
+            if page.items.len() != db_ids.len() {
+                state_db::record_discrepancy(stage, "bad_len");
+                return Ok(page);
+            }
+            for (id, item) in db_ids.iter().zip(page.items.iter()) {
+                if !item.path.display().to_string().contains(&id.to_string()) {
+                    state_db::record_discrepancy(stage, "bad_id");
+                }
+            }
+        }
+        Ok(page)
    }

    /// Find the newest recorded thread path, optionally filtering to a matching cwd.
@@ -186,7 +247,12 @@ impl RolloutRecorder {
    /// Attempt to create a new [`RolloutRecorder`]. If the sessions directory
    /// cannot be created or the rollout file cannot be opened we return the
    /// error so the caller can decide whether to disable persistence.
-    pub async fn new(config: &Config, params: RolloutRecorderParams) -> std::io::Result<Self> {
+    pub async fn new(
+        config: &Config,
+        params: RolloutRecorderParams,
+        state_db_ctx: Option<StateDbHandle>,
+        state_builder: Option<ThreadMetadataBuilder>,
+    ) -> std::io::Result<Self> {
        let (file, rollout_path, meta) = match params {
            RolloutRecorderParams::Create {
                conversation_id,
@@ -246,9 +312,30 @@ impl RolloutRecorder {
        // Spawn a Tokio task that owns the file handle and performs async
        // writes. Using `tokio::fs::File` keeps everything on the async I/O
        // driver instead of blocking the runtime.
-        tokio::task::spawn(rollout_writer(file, rx, meta, cwd));
+        tokio::task::spawn(rollout_writer(
+            file,
+            rx,
+            meta,
+            cwd,
+            rollout_path.clone(),
+            state_db_ctx.clone(),
+            state_builder,
+            config.model_provider_id.clone(),
+        ));

-        Ok(Self { tx, rollout_path })
+        Ok(Self {
+            tx,
+            rollout_path,
+            state_db: state_db_ctx,
+        })
+    }
+
+    pub fn rollout_path(&self) -> &Path {
+        self.rollout_path.as_path()
+    }
+
+    pub fn state_db(&self) -> Option<StateDbHandle> {
+        self.state_db.clone()
    }

    pub(crate) async fn record_items(&self, items: &[RolloutItem]) -> std::io::Result<()> {
@@ -281,7 +368,9 @@ impl RolloutRecorder {
            .map_err(|e| IoError::other(format!("failed waiting for rollout flush: {e}")))
    }

-    pub async fn get_rollout_history(path: &Path) -> std::io::Result<InitialHistory> {
+    pub(crate) async fn load_rollout_items(
+        path: &Path,
+    ) -> std::io::Result<(Vec<RolloutItem>, Option<ThreadId>, usize)> {
        info!("Resuming rollout from {path:?}");
        let text = tokio::fs::read_to_string(path).await?;
        if text.trim().is_empty() {
@@ -290,6 +379,7 @@ impl RolloutRecorder {

        let mut items: Vec<RolloutItem> = Vec::new();
        let mut thread_id: Option<ThreadId> = None;
+        let mut parse_errors = 0usize;
        for line in text.lines() {
            if line.trim().is_empty() {
                continue;
@@ -298,6 +388,7 @@ impl RolloutRecorder {
                Ok(v) => v,
                Err(e) => {
                    warn!("failed to parse line as JSON: {line:?}, error: {e}");
+                    parse_errors = parse_errors.saturating_add(1);
                    continue;
                }
            };
@@ -328,15 +419,22 @@ impl RolloutRecorder {
                },
                Err(e) => {
                    warn!("failed to parse rollout line: {v:?}, error: {e}");
+                    parse_errors = parse_errors.saturating_add(1);
                }
            }
        }

        info!(
-            "Resumed rollout with {} items, thread ID: {:?}",
+            "Resumed rollout with {} items, thread ID: {:?}, parse errors: {}",
            items.len(),
-            thread_id
+            thread_id,
+            parse_errors,
        );
+        Ok((items, thread_id, parse_errors))
+    }
+
+    pub async fn get_rollout_history(path: &Path) -> std::io::Result<InitialHistory> {
+        let (items, thread_id, _parse_errors) = Self::load_rollout_items(path).await?;
        let conversation_id = thread_id
            .ok_or_else(|| IoError::other("failed to parse thread ID from rollout file"))?;

@@ -417,13 +515,21 @@ fn create_log_file(config: &Config, conversation_id: ThreadId) -> std::io::Resul
    })
 }

+#[allow(clippy::too_many_arguments)]
 async fn rollout_writer(
    file: tokio::fs::File,
    mut rx: mpsc::Receiver<RolloutCmd>,
    mut meta: Option<SessionMeta>,
    cwd: std::path::PathBuf,
+    rollout_path: PathBuf,
+    state_db_ctx: Option<StateDbHandle>,
+    mut state_builder: Option<ThreadMetadataBuilder>,
+    default_provider: String,
 ) -> std::io::Result<()> {
    let mut writer = JsonlWriter { file };
+    if let Some(builder) = state_builder.as_mut() {
+        builder.rollout_path = rollout_path.clone();
+    }

    // If we have a meta, collect git info asynchronously and write meta first
    if let Some(session_meta) = meta.take() {
@@ -432,22 +538,50 @@ async fn rollout_writer(
            meta: session_meta,
            git: git_info,
        };
+        if state_db_ctx.is_some() {
+            state_builder =
+                metadata::builder_from_session_meta(&session_meta_line, rollout_path.as_path());
+        }

        // Write the SessionMeta as the first item in the file, wrapped in a rollout line
-        writer
-            .write_rollout_item(RolloutItem::SessionMeta(session_meta_line))
-            .await?;
+        let rollout_item = RolloutItem::SessionMeta(session_meta_line);
+        writer.write_rollout_item(&rollout_item).await?;
+        state_db::reconcile_rollout(
+            state_db_ctx.as_deref(),
+            rollout_path.as_path(),
+            default_provider.as_str(),
+            state_builder.as_ref(),
+            std::slice::from_ref(&rollout_item),
+        )
+        .await;
    }

    // Process rollout commands
    while let Some(cmd) = rx.recv().await {
        match cmd {
            RolloutCmd::AddItems(items) => {
+                let mut persisted_items = Vec::new();
                for item in items {
                    if is_persisted_response_item(&item) {
-                        writer.write_rollout_item(item).await?;
+                        writer.write_rollout_item(&item).await?;
+                        persisted_items.push(item);
                    }
                }
+                if persisted_items.is_empty() {
+                    continue;
+                }
+                if let Some(builder) = state_builder.as_mut() {
+                    builder.rollout_path = rollout_path.clone();
+                }
+                state_db::apply_rollout_items(
+                    state_db_ctx.as_deref(),
+                    rollout_path.as_path(),
+                    default_provider.as_str(),
+                    state_builder.as_ref(),
+                    persisted_items.as_slice(),
+                    "rollout_writer",
+                )
+                .await;
            }
            RolloutCmd::Flush { ack } => {
                // Ensure underlying file is flushed and then ack.
@@ -470,8 +604,15 @@ struct JsonlWriter {
    file: tokio::fs::File,
 }

+#[derive(serde::Serialize)]
+struct RolloutLineRef<'a> {
+    timestamp: String,
+    #[serde(flatten)]
+    item: &'a RolloutItem,
+}
+
 impl JsonlWriter {
-    async fn write_rollout_item(&mut self, rollout_item: RolloutItem) -> std::io::Result<()> {
+    async fn write_rollout_item(&mut self, rollout_item: &RolloutItem) -> std::io::Result<()> {
        let timestamp_format: &[FormatItem] = format_description!(
            "[year]-[month]-[day]T[hour]:[minute]:[second].[subsecond digits:3]Z"
        );
@@ -479,7 +620,7 @@ impl JsonlWriter {
            .format(timestamp_format)
            .map_err(|e| IoError::other(format!("failed to format timestamp: {e}")))?;

-        let line = RolloutLine {
+        let line = RolloutLineRef {
            timestamp,
            item: rollout_item,
        };
--- a/codex-rs/core/src/safety.rs
+++ b/codex-rs/core/src/safety.rs
@@ -10,45 +10,7 @@ use crate::util::resolve_path;

 use crate::protocol::AskForApproval;
 use crate::protocol::SandboxPolicy;
-
-#[cfg(target_os = "windows")]
-use std::sync::atomic::AtomicBool;
-#[cfg(target_os = "windows")]
-use std::sync::atomic::Ordering;
-
-#[cfg(target_os = "windows")]
-static WINDOWS_SANDBOX_ENABLED: AtomicBool = AtomicBool::new(false);
-#[cfg(target_os = "windows")]
-static WINDOWS_ELEVATED_SANDBOX_ENABLED: AtomicBool = AtomicBool::new(false);
-
-#[cfg(target_os = "windows")]
-pub fn set_windows_sandbox_enabled(enabled: bool) {
-    WINDOWS_SANDBOX_ENABLED.store(enabled, Ordering::Relaxed);
-}
-
-#[cfg(not(target_os = "windows"))]
-#[allow(dead_code)]
-pub fn set_windows_sandbox_enabled(_enabled: bool) {}
-
-#[cfg(target_os = "windows")]
-pub fn set_windows_elevated_sandbox_enabled(enabled: bool) {
-    WINDOWS_ELEVATED_SANDBOX_ENABLED.store(enabled, Ordering::Relaxed);
-}
-
-#[cfg(not(target_os = "windows"))]
-#[allow(dead_code)]
-pub fn set_windows_elevated_sandbox_enabled(_enabled: bool) {}
-
-#[cfg(target_os = "windows")]
-pub fn is_windows_elevated_sandbox_enabled() -> bool {
-    WINDOWS_ELEVATED_SANDBOX_ENABLED.load(Ordering::Relaxed)
-}
-
-#[cfg(not(target_os = "windows"))]
-#[allow(dead_code)]
-pub fn is_windows_elevated_sandbox_enabled() -> bool {
-    false
-}
+use codex_protocol::config_types::WindowsSandboxLevel;

 #[derive(Debug, PartialEq)]
 pub enum SafetyCheck {
@@ -67,6 +29,7 @@ pub fn assess_patch_safety(
    policy: AskForApproval,
    sandbox_policy: &SandboxPolicy,
    cwd: &Path,
+    windows_sandbox_level: WindowsSandboxLevel,
 ) -> SafetyCheck {
    if action.is_empty() {
        return SafetyCheck::Reject {
@@ -104,7 +67,7 @@ pub fn assess_patch_safety(
            // Only auto‑approve when we can actually enforce a sandbox. Otherwise
            // fall back to asking the user because the patch may touch arbitrary
            // paths outside the project.
-            match get_platform_sandbox() {
+            match get_platform_sandbox(windows_sandbox_level != WindowsSandboxLevel::Disabled) {
                Some(sandbox_type) => SafetyCheck::AutoApprove {
                    sandbox_type,
                    user_explicitly_approved: false,
@@ -122,19 +85,17 @@ pub fn assess_patch_safety(
    }
 }

-pub fn get_platform_sandbox() -> Option<SandboxType> {
+pub fn get_platform_sandbox(windows_sandbox_enabled: bool) -> Option<SandboxType> {
    if cfg!(target_os = "macos") {
        Some(SandboxType::MacosSeatbelt)
    } else if cfg!(target_os = "linux") {
        Some(SandboxType::LinuxSeccomp)
    } else if cfg!(target_os = "windows") {
-        #[cfg(target_os = "windows")]
-        {
-            if WINDOWS_SANDBOX_ENABLED.load(Ordering::Relaxed) {
-                return Some(SandboxType::WindowsRestrictedToken);
-            }
+        if windows_sandbox_enabled {
+            Some(SandboxType::WindowsRestrictedToken)
+        } else {
+            None
        }
-        None
    } else {
        None
    }
@@ -277,7 +238,13 @@ mod tests {
        };

        assert_eq!(
-            assess_patch_safety(&add_inside, AskForApproval::OnRequest, &policy, &cwd),
+            assess_patch_safety(
+                &add_inside,
+                AskForApproval::OnRequest,
+                &policy,
+                &cwd,
+                WindowsSandboxLevel::Disabled
+            ),
            SafetyCheck::AutoApprove {
                sandbox_type: SandboxType::None,
                user_explicitly_approved: false,
--- a/codex-rs/core/src/sandboxing/mod.rs
+++ b/codex-rs/core/src/sandboxing/mod.rs
@@ -21,6 +21,7 @@ use crate::seatbelt::create_seatbelt_command_args;
 use crate::spawn::CODEX_SANDBOX_ENV_VAR;
 use crate::spawn::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;
 use crate::tools::sandboxing::SandboxablePreference;
+use codex_protocol::config_types::WindowsSandboxLevel;
 pub use codex_protocol::models::SandboxPermissions;
 use std::collections::HashMap;
 use std::path::Path;
@@ -44,6 +45,7 @@ pub struct ExecEnv {
    pub env: HashMap<String, String>,
    pub expiration: ExecExpiration,
    pub sandbox: SandboxType,
+    pub windows_sandbox_level: WindowsSandboxLevel,
    pub sandbox_permissions: SandboxPermissions,
    pub justification: Option<String>,
    pub arg0: Option<String>,
@@ -76,19 +78,26 @@ impl SandboxManager {
        &self,
        policy: &SandboxPolicy,
        pref: SandboxablePreference,
+        windows_sandbox_level: WindowsSandboxLevel,
    ) -> SandboxType {
        match pref {
            SandboxablePreference::Forbid => SandboxType::None,
            SandboxablePreference::Require => {
                // Require a platform sandbox when available; on Windows this
                // respects the experimental_windows_sandbox feature.
-                crate::safety::get_platform_sandbox().unwrap_or(SandboxType::None)
+                crate::safety::get_platform_sandbox(
+                    windows_sandbox_level != WindowsSandboxLevel::Disabled,
+                )
+                .unwrap_or(SandboxType::None)
            }
            SandboxablePreference::Auto => match policy {
                SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. } => {
                    SandboxType::None
                }
-                _ => crate::safety::get_platform_sandbox().unwrap_or(SandboxType::None),
+                _ => crate::safety::get_platform_sandbox(
+                    windows_sandbox_level != WindowsSandboxLevel::Disabled,
+                )
+                .unwrap_or(SandboxType::None),
            },
        }
    }
@@ -100,6 +109,7 @@ impl SandboxManager {
        sandbox: SandboxType,
        sandbox_policy_cwd: &Path,
        codex_linux_sandbox_exe: Option<&PathBuf>,
+        windows_sandbox_level: WindowsSandboxLevel,
    ) -> Result<ExecEnv, SandboxTransformError> {
        let mut env = spec.env;
        if !policy.has_full_network_access() {
@@ -160,6 +170,7 @@ impl SandboxManager {
            env,
            expiration: spec.expiration,
            sandbox,
+            windows_sandbox_level,
            sandbox_permissions: spec.sandbox_permissions,
            justification: spec.justification,
            arg0: arg0_override,
--- a/codex-rs/core/src/skills/injection.rs
+++ b/codex-rs/core/src/skills/injection.rs
@@ -2,7 +2,6 @@ use std::collections::HashSet;
 use std::path::PathBuf;

 use crate::instructions::SkillInstructions;
-use crate::skills::SkillLoadOutcome;
 use crate::skills::SkillMetadata;
 use codex_otel::OtelManager;
 use codex_protocol::models::ResponseItem;
@@ -16,20 +15,9 @@ pub(crate) struct SkillInjections {
 }

 pub(crate) async fn build_skill_injections(
-    inputs: &[UserInput],
-    skills: Option<&SkillLoadOutcome>,
+    mentioned_skills: &[SkillMetadata],
    otel: Option<&OtelManager>,
 ) -> SkillInjections {
-    if inputs.is_empty() {
-        return SkillInjections::default();
-    }
-
-    let Some(outcome) = skills else {
-        return SkillInjections::default();
-    };
-
-    let mentioned_skills =
-        collect_explicit_skill_mentions(inputs, &outcome.skills, &outcome.disabled_paths);
    if mentioned_skills.is_empty() {
        return SkillInjections::default();
    }
@@ -42,15 +30,15 @@ pub(crate) async fn build_skill_injections(
    for skill in mentioned_skills {
        match fs::read_to_string(&skill.path).await {
            Ok(contents) => {
-                emit_skill_injected_metric(otel, &skill, "ok");
+                emit_skill_injected_metric(otel, skill, "ok");
                result.items.push(ResponseItem::from(SkillInstructions {
-                    name: skill.name,
+                    name: skill.name.clone(),
                    path: skill.path.to_string_lossy().into_owned(),
                    contents,
                }));
            }
            Err(err) => {
-                emit_skill_injected_metric(otel, &skill, "error");
+                emit_skill_injected_metric(otel, skill, "error");
                let message = format!(
                    "Failed to load skill {name} at {path}: {err:#}",
                    name = skill.name,
@@ -76,23 +64,488 @@ fn emit_skill_injected_metric(otel: Option<&OtelManager>, skill: &SkillMetadata,
    );
 }

-fn collect_explicit_skill_mentions(
+/// Collect explicitly mentioned skills from `$name` text mentions.
+///
+/// Text inputs are scanned once to extract `$skill-name` tokens, then we iterate `skills`
+/// in their existing order to preserve prior ordering semantics.
+///
+/// Complexity: `O(S + T + N_t * S)` time, `O(S)` space, where:
+/// `S` = number of skills, `T` = total text length, `N_t` = number of text inputs.
+pub(crate) fn collect_explicit_skill_mentions(
    inputs: &[UserInput],
    skills: &[SkillMetadata],
    disabled_paths: &HashSet<PathBuf>,
 ) -> Vec<SkillMetadata> {
    let mut selected: Vec<SkillMetadata> = Vec::new();
-    let mut seen: HashSet<String> = HashSet::new();
+    let mut seen_names: HashSet<String> = HashSet::new();
+    let mut seen_paths: HashSet<PathBuf> = HashSet::new();

    for input in inputs {
-        if let UserInput::Skill { name, path } = input
-            && seen.insert(name.clone())
-            && let Some(skill) = skills.iter().find(|s| s.name == *name && s.path == *path)
-            && !disabled_paths.contains(&skill.path)
-        {
-            selected.push(skill.clone());
+        if let UserInput::Text { text, .. } = input {
+            let mentioned_names = extract_skill_mentions(text);
+            select_skills_from_mentions(
+                skills,
+                disabled_paths,
+                &mentioned_names,
+                &mut seen_names,
+                &mut seen_paths,
+                &mut selected,
+            );
        }
    }

    selected
 }
+
+struct SkillMentions<'a> {
+    names: HashSet<&'a str>,
+    paths: HashSet<&'a str>,
+}
+
+impl<'a> SkillMentions<'a> {
+    fn is_empty(&self) -> bool {
+        self.names.is_empty() && self.paths.is_empty()
+    }
+}
+
+/// Extract `$skill-name` mentions from a single text input.
+///
+/// Supports explicit resource links in the form `[$skill-name](resource path)`. When a
+/// resource path is present, it is captured for exact path matching while also tracking
+/// the name for fallback matching.
+fn extract_skill_mentions(text: &str) -> SkillMentions<'_> {
+    let text_bytes = text.as_bytes();
+    let mut mentioned_names: HashSet<&str> = HashSet::new();
+    let mut mentioned_paths: HashSet<&str> = HashSet::new();
+
+    let mut index = 0;
+    while index < text_bytes.len() {
+        let byte = text_bytes[index];
+        if byte == b'['
+            && let Some((name, path, end_index)) =
+                parse_linked_skill_mention(text, text_bytes, index)
+        {
+            if !is_common_env_var(name) {
+                mentioned_names.insert(name);
+                mentioned_paths.insert(path);
+            }
+            index = end_index;
+            continue;
+        }
+
+        if byte != b'$' {
+            index += 1;
+            continue;
+        }
+
+        let name_start = index + 1;
+        let Some(first_name_byte) = text_bytes.get(name_start) else {
+            index += 1;
+            continue;
+        };
+        if !is_skill_name_char(*first_name_byte) {
+            index += 1;
+            continue;
+        }
+
+        let mut name_end = name_start + 1;
+        while let Some(next_byte) = text_bytes.get(name_end)
+            && is_skill_name_char(*next_byte)
+        {
+            name_end += 1;
+        }
+
+        let name = &text[name_start..name_end];
+        if !is_common_env_var(name) {
+            mentioned_names.insert(name);
+        }
+        index = name_end;
+    }
+
+    SkillMentions {
+        names: mentioned_names,
+        paths: mentioned_paths,
+    }
+}
+
+/// Select mentioned skills while preserving the order of `skills`.
+fn select_skills_from_mentions(
+    skills: &[SkillMetadata],
+    disabled_paths: &HashSet<PathBuf>,
+    mentions: &SkillMentions<'_>,
+    seen_names: &mut HashSet<String>,
+    seen_paths: &mut HashSet<PathBuf>,
+    selected: &mut Vec<SkillMetadata>,
+) {
+    if mentions.is_empty() {
+        return;
+    }
+
+    for skill in skills {
+        if disabled_paths.contains(&skill.path) || seen_paths.contains(&skill.path) {
+            continue;
+        }
+
+        let path_str = skill.path.to_string_lossy();
+        if mentions.paths.contains(path_str.as_ref()) {
+            seen_paths.insert(skill.path.clone());
+            seen_names.insert(skill.name.clone());
+            selected.push(skill.clone());
+        }
+    }
+
+    for skill in skills {
+        if disabled_paths.contains(&skill.path) || seen_paths.contains(&skill.path) {
+            continue;
+        }
+
+        if mentions.names.contains(skill.name.as_str()) && seen_names.insert(skill.name.clone()) {
+            seen_paths.insert(skill.path.clone());
+            selected.push(skill.clone());
+        }
+    }
+}
+
+fn parse_linked_skill_mention<'a>(
+    text: &'a str,
+    text_bytes: &[u8],
+    start: usize,
+) -> Option<(&'a str, &'a str, usize)> {
+    let dollar_index = start + 1;
+    if text_bytes.get(dollar_index) != Some(&b'$') {
+        return None;
+    }
+
+    let name_start = dollar_index + 1;
+    let first_name_byte = text_bytes.get(name_start)?;
+    if !is_skill_name_char(*first_name_byte) {
+        return None;
+    }
+
+    let mut name_end = name_start + 1;
+    while let Some(next_byte) = text_bytes.get(name_end)
+        && is_skill_name_char(*next_byte)
+    {
+        name_end += 1;
+    }
+
+    if text_bytes.get(name_end) != Some(&b']') {
+        return None;
+    }
+
+    let mut path_start = name_end + 1;
+    while let Some(next_byte) = text_bytes.get(path_start)
+        && next_byte.is_ascii_whitespace()
+    {
+        path_start += 1;
+    }
+    if text_bytes.get(path_start) != Some(&b'(') {
+        return None;
+    }
+
+    let mut path_end = path_start + 1;
+    while let Some(next_byte) = text_bytes.get(path_end)
+        && *next_byte != b')'
+    {
+        path_end += 1;
+    }
+    if text_bytes.get(path_end) != Some(&b')') {
+        return None;
+    }
+
+    let path = text[path_start + 1..path_end].trim();
+    if path.is_empty() {
+        return None;
+    }
+
+    let name = &text[name_start..name_end];
+    Some((name, path, path_end + 1))
+}
+
+fn is_common_env_var(name: &str) -> bool {
+    let upper = name.to_ascii_uppercase();
+    matches!(
+        upper.as_str(),
+        "PATH"
+            | "HOME"
+            | "USER"
+            | "SHELL"
+            | "PWD"
+            | "TMPDIR"
+            | "TEMP"
+            | "TMP"
+            | "LANG"
+            | "TERM"
+            | "XDG_CONFIG_HOME"
+    )
+}
+
+#[cfg(test)]
+fn text_mentions_skill(text: &str, skill_name: &str) -> bool {
+    if skill_name.is_empty() {
+        return false;
+    }
+
+    let text_bytes = text.as_bytes();
+    let skill_bytes = skill_name.as_bytes();
+
+    for (index, byte) in text_bytes.iter().copied().enumerate() {
+        if byte != b'$' {
+            continue;
+        }
+
+        let name_start = index + 1;
+        let Some(rest) = text_bytes.get(name_start..) else {
+            continue;
+        };
+        if !rest.starts_with(skill_bytes) {
+            continue;
+        }
+
+        let after_index = name_start + skill_bytes.len();
+        let after = text_bytes.get(after_index).copied();
+        if after.is_none_or(|b| !is_skill_name_char(b)) {
+            return true;
+        }
+    }
+
+    false
+}
+
+fn is_skill_name_char(byte: u8) -> bool {
+    matches!(byte, b'a'..=b'z' | b'A'..=b'Z' | b'0'..=b'9' | b'_' | b'-')
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use pretty_assertions::assert_eq;
+    use std::collections::HashSet;
+
+    fn make_skill(name: &str, path: &str) -> SkillMetadata {
+        SkillMetadata {
+            name: name.to_string(),
+            description: format!("{name} skill"),
+            short_description: None,
+            interface: None,
+            dependencies: None,
+            path: PathBuf::from(path),
+            scope: codex_protocol::protocol::SkillScope::User,
+        }
+    }
+
+    fn set<'a>(items: &'a [&'a str]) -> HashSet<&'a str> {
+        items.iter().copied().collect()
+    }
+
+    fn assert_mentions(text: &str, expected_names: &[&str], expected_paths: &[&str]) {
+        let mentions = extract_skill_mentions(text);
+        assert_eq!(mentions.names, set(expected_names));
+        assert_eq!(mentions.paths, set(expected_paths));
+    }
+
+    #[test]
+    fn text_mentions_skill_requires_exact_boundary() {
+        assert_eq!(
+            true,
+            text_mentions_skill("use $notion-research-doc please", "notion-research-doc")
+        );
+        assert_eq!(
+            true,
+            text_mentions_skill("($notion-research-doc)", "notion-research-doc")
+        );
+        assert_eq!(
+            true,
+            text_mentions_skill("$notion-research-doc.", "notion-research-doc")
+        );
+        assert_eq!(
+            false,
+            text_mentions_skill("$notion-research-docs", "notion-research-doc")
+        );
+        assert_eq!(
+            false,
+            text_mentions_skill("$notion-research-doc_extra", "notion-research-doc")
+        );
+    }
+
+    #[test]
+    fn text_mentions_skill_handles_end_boundary_and_near_misses() {
+        assert_eq!(true, text_mentions_skill("$alpha-skill", "alpha-skill"));
+        assert_eq!(false, text_mentions_skill("$alpha-skillx", "alpha-skill"));
+        assert_eq!(
+            true,
+            text_mentions_skill("$alpha-skillx and later $alpha-skill ", "alpha-skill")
+        );
+    }
+
+    #[test]
+    fn text_mentions_skill_handles_many_dollars_without_looping() {
+        let prefix = "$".repeat(256);
+        let text = format!("{prefix} not-a-mention");
+        assert_eq!(false, text_mentions_skill(&text, "alpha-skill"));
+    }
+
+    #[test]
+    fn extract_skill_mentions_handles_plain_and_linked_mentions() {
+        assert_mentions(
+            "use $alpha and [$beta](/tmp/beta)",
+            &["alpha", "beta"],
+            &["/tmp/beta"],
+        );
+    }
+
+    #[test]
+    fn extract_skill_mentions_skips_common_env_vars() {
+        assert_mentions("use $PATH and $alpha", &["alpha"], &[]);
+        assert_mentions("use [$HOME](/tmp/skill)", &[], &[]);
+        assert_mentions("use $XDG_CONFIG_HOME and $beta", &["beta"], &[]);
+    }
+
+    #[test]
+    fn extract_skill_mentions_requires_link_syntax() {
+        assert_mentions("[beta](/tmp/beta)", &[], &[]);
+        assert_mentions("[$beta] /tmp/beta", &["beta"], &[]);
+        assert_mentions("[$beta]()", &["beta"], &[]);
+    }
+
+    #[test]
+    fn extract_skill_mentions_trims_linked_paths_and_allows_spacing() {
+        assert_mentions("use [$beta]   ( /tmp/beta )", &["beta"], &["/tmp/beta"]);
+    }
+
+    #[test]
+    fn extract_skill_mentions_stops_at_non_name_chars() {
+        assert_mentions(
+            "use $alpha.skill and $beta_extra",
+            &["alpha", "beta_extra"],
+            &[],
+        );
+    }
+
+    #[test]
+    fn collect_explicit_skill_mentions_text_respects_skill_order() {
+        let alpha = make_skill("alpha-skill", "/tmp/alpha");
+        let beta = make_skill("beta-skill", "/tmp/beta");
+        let skills = vec![beta.clone(), alpha.clone()];
+        let inputs = vec![UserInput::Text {
+            text: "first $alpha-skill then $beta-skill".to_string(),
+            text_elements: Vec::new(),
+        }];
+
+        let selected = collect_explicit_skill_mentions(&inputs, &skills, &HashSet::new());
+
+        // Text scanning should not change the previous selection ordering semantics.
+        assert_eq!(selected, vec![beta, alpha]);
+    }
+
+    #[test]
+    fn collect_explicit_skill_mentions_ignores_structured_inputs() {
+        let alpha = make_skill("alpha-skill", "/tmp/alpha");
+        let beta = make_skill("beta-skill", "/tmp/beta");
+        let skills = vec![alpha.clone(), beta];
+        let inputs = vec![
+            UserInput::Text {
+                text: "please run $alpha-skill".to_string(),
+                text_elements: Vec::new(),
+            },
+            UserInput::Skill {
+                name: "beta-skill".to_string(),
+                path: PathBuf::from("/tmp/beta"),
+            },
+        ];
+
+        let selected = collect_explicit_skill_mentions(&inputs, &skills, &HashSet::new());
+
+        assert_eq!(selected, vec![alpha]);
+    }
+
+    #[test]
+    fn collect_explicit_skill_mentions_dedupes_by_path() {
+        let alpha = make_skill("alpha-skill", "/tmp/alpha");
+        let skills = vec![alpha.clone()];
+        let inputs = vec![UserInput::Text {
+            text: "use [$alpha-skill](/tmp/alpha) and [$alpha-skill](/tmp/alpha)".to_string(),
+            text_elements: Vec::new(),
+        }];
+
+        let selected = collect_explicit_skill_mentions(&inputs, &skills, &HashSet::new());
+
+        assert_eq!(selected, vec![alpha]);
+    }
+
+    #[test]
+    fn collect_explicit_skill_mentions_dedupes_by_name() {
+        let alpha = make_skill("demo-skill", "/tmp/alpha");
+        let beta = make_skill("demo-skill", "/tmp/beta");
+        let skills = vec![alpha.clone(), beta];
+        let inputs = vec![UserInput::Text {
+            text: "use $demo-skill and again $demo-skill".to_string(),
+            text_elements: Vec::new(),
+        }];
+
+        let selected = collect_explicit_skill_mentions(&inputs, &skills, &HashSet::new());
+
+        assert_eq!(selected, vec![alpha]);
+    }
+
+    #[test]
+    fn collect_explicit_skill_mentions_prefers_linked_path_over_name() {
+        let alpha = make_skill("demo-skill", "/tmp/alpha");
+        let beta = make_skill("demo-skill", "/tmp/beta");
+        let skills = vec![alpha, beta.clone()];
+        let inputs = vec![UserInput::Text {
+            text: "use $demo-skill and [$demo-skill](/tmp/beta)".to_string(),
+            text_elements: Vec::new(),
+        }];
+
+        let selected = collect_explicit_skill_mentions(&inputs, &skills, &HashSet::new());
+
+        assert_eq!(selected, vec![beta]);
+    }
+
+    #[test]
+    fn collect_explicit_skill_mentions_falls_back_when_linked_path_disabled() {
+        let alpha = make_skill("demo-skill", "/tmp/alpha");
+        let beta = make_skill("demo-skill", "/tmp/beta");
+        let skills = vec![alpha, beta.clone()];
+        let inputs = vec![UserInput::Text {
+            text: "use [$demo-skill](/tmp/alpha)".to_string(),
+            text_elements: Vec::new(),
+        }];
+        let disabled = HashSet::from([PathBuf::from("/tmp/alpha")]);
+
+        let selected = collect_explicit_skill_mentions(&inputs, &skills, &disabled);
+
+        assert_eq!(selected, vec![beta]);
+    }
+
+    #[test]
+    fn collect_explicit_skill_mentions_prefers_resource_path() {
+        let alpha = make_skill("demo-skill", "/tmp/alpha");
+        let beta = make_skill("demo-skill", "/tmp/beta");
+        let skills = vec![alpha, beta.clone()];
+        let inputs = vec![UserInput::Text {
+            text: "use [$demo-skill](/tmp/beta)".to_string(),
+            text_elements: Vec::new(),
+        }];
+
+        let selected = collect_explicit_skill_mentions(&inputs, &skills, &HashSet::new());
+
+        assert_eq!(selected, vec![beta]);
+    }
+
+    #[test]
+    fn collect_explicit_skill_mentions_falls_back_to_name_when_path_missing() {
+        let alpha = make_skill("demo-skill", "/tmp/alpha");
+        let beta = make_skill("demo-skill", "/tmp/beta");
+        let skills = vec![alpha.clone(), beta];
+        let inputs = vec![UserInput::Text {
+            text: "use [$demo-skill](/tmp/missing)".to_string(),
+            text_elements: Vec::new(),
+        }];
+
+        let selected = collect_explicit_skill_mentions(&inputs, &skills, &HashSet::new());
+
+        assert_eq!(selected, vec![alpha]);
+    }
+}
--- a/codex-rs/core/src/skills/loader.rs
+++ b/codex-rs/core/src/skills/loader.rs
@@ -1,10 +1,12 @@
 use crate::config::Config;
 use crate::config_loader::ConfigLayerStack;
 use crate::config_loader::ConfigLayerStackOrdering;
+use crate::skills::model::SkillDependencies;
 use crate::skills::model::SkillError;
 use crate::skills::model::SkillInterface;
 use crate::skills::model::SkillLoadOutcome;
 use crate::skills::model::SkillMetadata;
+use crate::skills::model::SkillToolDependency;
 use crate::skills::system::system_cache_root_dir;
 use codex_app_server_protocol::ConfigLayerSource;
 use codex_protocol::protocol::SkillScope;
@@ -35,9 +37,11 @@ struct SkillFrontmatterMetadata {
 }

 #[derive(Debug, Default, Deserialize)]
-struct SkillToml {
+struct SkillMetadataFile {
    #[serde(default)]
    interface: Option<Interface>,
+    #[serde(default)]
+    dependencies: Option<Dependencies>,
 }

 #[derive(Debug, Default, Deserialize)]
@@ -50,13 +54,36 @@ struct Interface {
    default_prompt: Option<String>,
 }

+#[derive(Debug, Default, Deserialize)]
+struct Dependencies {
+    #[serde(default)]
+    tools: Vec<DependencyTool>,
+}
+
+#[derive(Debug, Default, Deserialize)]
+struct DependencyTool {
+    #[serde(rename = "type")]
+    kind: Option<String>,
+    value: Option<String>,
+    description: Option<String>,
+    transport: Option<String>,
+    command: Option<String>,
+    url: Option<String>,
+}
+
 const SKILLS_FILENAME: &str = "SKILL.md";
-const SKILLS_TOML_FILENAME: &str = "SKILL.toml";
+const SKILLS_JSON_FILENAME: &str = "SKILL.json";
 const SKILLS_DIR_NAME: &str = "skills";
 const MAX_NAME_LEN: usize = 64;
 const MAX_DESCRIPTION_LEN: usize = 1024;
 const MAX_SHORT_DESCRIPTION_LEN: usize = MAX_DESCRIPTION_LEN;
 const MAX_DEFAULT_PROMPT_LEN: usize = MAX_DESCRIPTION_LEN;
+const MAX_DEPENDENCY_TYPE_LEN: usize = MAX_NAME_LEN;
+const MAX_DEPENDENCY_TRANSPORT_LEN: usize = MAX_NAME_LEN;
+const MAX_DEPENDENCY_VALUE_LEN: usize = MAX_DESCRIPTION_LEN;
+const MAX_DEPENDENCY_DESCRIPTION_LEN: usize = MAX_DESCRIPTION_LEN;
+const MAX_DEPENDENCY_COMMAND_LEN: usize = MAX_DESCRIPTION_LEN;
+const MAX_DEPENDENCY_URL_LEN: usize = MAX_DESCRIPTION_LEN;
 // Traversal depth from the skills root.
 const MAX_SCAN_DEPTH: usize = 6;
 const MAX_SKILLS_DIRS_PER_ROOT: usize = 2000;
@@ -345,7 +372,7 @@ fn parse_skill_file(path: &Path, scope: SkillScope) -> Result<SkillMetadata, Ski
        .as_deref()
        .map(sanitize_single_line)
        .filter(|value| !value.is_empty());
-    let interface = load_skill_interface(path);
+    let (interface, dependencies) = load_skill_metadata(path);

    validate_len(&name, MAX_NAME_LEN, "name")?;
    validate_len(&description, MAX_DESCRIPTION_LEN, "description")?;
@@ -364,41 +391,54 @@ fn parse_skill_file(path: &Path, scope: SkillScope) -> Result<SkillMetadata, Ski
        description,
        short_description,
        interface,
+        dependencies,
        path: resolved_path,
        scope,
    })
 }

-fn load_skill_interface(skill_path: &Path) -> Option<SkillInterface> {
-    // Fail open: optional SKILL.toml metadata should not block loading SKILL.md.
-    let skill_dir = skill_path.parent()?;
-    let interface_path = skill_dir.join(SKILLS_TOML_FILENAME);
-    if !interface_path.exists() {
-        return None;
+fn load_skill_metadata(skill_path: &Path) -> (Option<SkillInterface>, Option<SkillDependencies>) {
+    // Fail open: optional metadata should not block loading SKILL.md.
+    let Some(skill_dir) = skill_path.parent() else {
+        return (None, None);
+    };
+    let metadata_path = skill_dir.join(SKILLS_JSON_FILENAME);
+    if !metadata_path.exists() {
+        return (None, None);
    }

-    let contents = match fs::read_to_string(&interface_path) {
+    let contents = match fs::read_to_string(&metadata_path) {
        Ok(contents) => contents,
        Err(error) => {
            tracing::warn!(
-                "ignoring {path}: failed to read SKILL.toml: {error}",
-                path = interface_path.display()
+                "ignoring {path}: failed to read {label}: {error}",
+                path = metadata_path.display(),
+                label = SKILLS_JSON_FILENAME
            );
-            return None;
+            return (None, None);
        }
    };
-    let parsed: SkillToml = match toml::from_str(&contents) {
+
+    let parsed: SkillMetadataFile = match serde_json::from_str(&contents) {
        Ok(parsed) => parsed,
        Err(error) => {
            tracing::warn!(
-                "ignoring {path}: invalid TOML: {error}",
-                path = interface_path.display()
+                "ignoring {path}: invalid {label}: {error}",
+                path = metadata_path.display(),
+                label = SKILLS_JSON_FILENAME
            );
-            return None;
+            return (None, None);
        }
    };
-    let interface = parsed.interface?;

+    (
+        resolve_interface(parsed.interface, skill_dir),
+        resolve_dependencies(parsed.dependencies),
+    )
+}
+
+fn resolve_interface(interface: Option<Interface>, skill_dir: &Path) -> Option<SkillInterface> {
+    let interface = interface?;
    let interface = SkillInterface {
        display_name: resolve_str(
            interface.display_name,
@@ -428,6 +468,58 @@ fn load_skill_interface(skill_path: &Path) -> Option<SkillInterface> {
    if has_fields { Some(interface) } else { None }
 }

+fn resolve_dependencies(dependencies: Option<Dependencies>) -> Option<SkillDependencies> {
+    let dependencies = dependencies?;
+    let tools: Vec<SkillToolDependency> = dependencies
+        .tools
+        .into_iter()
+        .filter_map(resolve_dependency_tool)
+        .collect();
+    if tools.is_empty() {
+        None
+    } else {
+        Some(SkillDependencies { tools })
+    }
+}
+
+fn resolve_dependency_tool(tool: DependencyTool) -> Option<SkillToolDependency> {
+    let r#type = resolve_required_str(
+        tool.kind,
+        MAX_DEPENDENCY_TYPE_LEN,
+        "dependencies.tools.type",
+    )?;
+    let value = resolve_required_str(
+        tool.value,
+        MAX_DEPENDENCY_VALUE_LEN,
+        "dependencies.tools.value",
+    )?;
+    let description = resolve_str(
+        tool.description,
+        MAX_DEPENDENCY_DESCRIPTION_LEN,
+        "dependencies.tools.description",
+    );
+    let transport = resolve_str(
+        tool.transport,
+        MAX_DEPENDENCY_TRANSPORT_LEN,
+        "dependencies.tools.transport",
+    );
+    let command = resolve_str(
+        tool.command,
+        MAX_DEPENDENCY_COMMAND_LEN,
+        "dependencies.tools.command",
+    );
+    let url = resolve_str(tool.url, MAX_DEPENDENCY_URL_LEN, "dependencies.tools.url");
+
+    Some(SkillToolDependency {
+        r#type,
+        value,
+        description,
+        transport,
+        command,
+        url,
+    })
+}
+
 fn resolve_asset_path(
    skill_dir: &Path,
    field: &'static str,
@@ -511,6 +603,18 @@ fn resolve_str(value: Option<String>, max_len: usize, field: &'static str) -> Op
    Some(value)
 }

+fn resolve_required_str(
+    value: Option<String>,
+    max_len: usize,
+    field: &'static str,
+) -> Option<String> {
+    let Some(value) = value else {
+        tracing::warn!("ignoring {field}: value is missing");
+        return None;
+    };
+    resolve_str(Some(value), max_len, field)
+}
+
 fn resolve_color_str(value: Option<String>, field: &'static str) -> Option<String> {
    let value = value?;
    let value = value.trim();
@@ -755,29 +859,136 @@ mod tests {
        path
    }

-    fn write_skill_interface_at(skill_dir: &Path, contents: &str) -> PathBuf {
-        let path = skill_dir.join(SKILLS_TOML_FILENAME);
+    fn write_skill_metadata_at(skill_dir: &Path, filename: &str, contents: &str) -> PathBuf {
+        let path = skill_dir.join(filename);
        fs::write(&path, contents).unwrap();
        path
    }

+    fn write_skill_interface_at(skill_dir: &Path, contents: &str) -> PathBuf {
+        write_skill_metadata_at(skill_dir, SKILLS_JSON_FILENAME, contents)
+    }
+
    #[tokio::test]
-    async fn loads_skill_interface_metadata_happy_path() {
+    async fn loads_skill_dependencies_metadata_from_json() {
        let codex_home = tempfile::tempdir().expect("tempdir");
-        let skill_path = write_skill(&codex_home, "demo", "ui-skill", "from toml");
+        let skill_path = write_skill(&codex_home, "demo", "dep-skill", "from json");
+        let skill_dir = skill_path.parent().expect("skill dir");
+
+        write_skill_metadata_at(
+            skill_dir,
+            SKILLS_JSON_FILENAME,
+            r#"
+{
+  "dependencies": {
+    "tools": [
+      {
+        "type": "env_var",
+        "value": "GITHUB_TOKEN",
+        "description": "GitHub API token with repo scopes"
+      },
+      {
+        "type": "mcp",
+        "value": "github",
+        "description": "GitHub MCP server",
+        "transport": "streamable_http",
+        "url": "https://example.com/mcp"
+      },
+      {
+        "type": "cli",
+        "value": "gh",
+        "description": "GitHub CLI"
+      },
+      {
+        "type": "mcp",
+        "value": "local-gh",
+        "description": "Local GH MCP server",
+        "transport": "stdio",
+        "command": "gh-mcp"
+      }
+    ]
+  }
+}
+"#,
+        );
+
+        let cfg = make_config(&codex_home).await;
+        let outcome = load_skills(&cfg);
+
+        assert!(
+            outcome.errors.is_empty(),
+            "unexpected errors: {:?}",
+            outcome.errors
+        );
+        assert_eq!(
+            outcome.skills,
+            vec![SkillMetadata {
+                name: "dep-skill".to_string(),
+                description: "from json".to_string(),
+                short_description: None,
+                interface: None,
+                dependencies: Some(SkillDependencies {
+                    tools: vec![
+                        SkillToolDependency {
+                            r#type: "env_var".to_string(),
+                            value: "GITHUB_TOKEN".to_string(),
+                            description: Some("GitHub API token with repo scopes".to_string()),
+                            transport: None,
+                            command: None,
+                            url: None,
+                        },
+                        SkillToolDependency {
+                            r#type: "mcp".to_string(),
+                            value: "github".to_string(),
+                            description: Some("GitHub MCP server".to_string()),
+                            transport: Some("streamable_http".to_string()),
+                            command: None,
+                            url: Some("https://example.com/mcp".to_string()),
+                        },
+                        SkillToolDependency {
+                            r#type: "cli".to_string(),
+                            value: "gh".to_string(),
+                            description: Some("GitHub CLI".to_string()),
+                            transport: None,
+                            command: None,
+                            url: None,
+                        },
+                        SkillToolDependency {
+                            r#type: "mcp".to_string(),
+                            value: "local-gh".to_string(),
+                            description: Some("Local GH MCP server".to_string()),
+                            transport: Some("stdio".to_string()),
+                            command: Some("gh-mcp".to_string()),
+                            url: None,
+                        },
+                    ],
+                }),
+                path: normalized(&skill_path),
+                scope: SkillScope::User,
+            }]
+        );
+    }
+
+    #[tokio::test]
+    async fn loads_skill_interface_metadata_from_json() {
+        let codex_home = tempfile::tempdir().expect("tempdir");
+        let skill_path = write_skill(&codex_home, "demo", "ui-skill", "from json");
        let skill_dir = skill_path.parent().expect("skill dir");
        let normalized_skill_dir = normalized(skill_dir);

        write_skill_interface_at(
            skill_dir,
            r##"
-[interface]
-display_name = "UI Skill"
-short_description = "  short    desc   "
-icon_small = "./assets/small-400px.png"
-icon_large = "./assets/large-logo.svg"
-brand_color = "#3B82F6"
-default_prompt = "  default   prompt   "
+{
+  "interface": {
+    "display_name": "UI Skill",
+    "short_description": "  short    desc   ",
+    "icon_small": "./assets/small-400px.png",
+    "icon_large": "./assets/large-logo.svg",
+    "brand_color": "#3B82F6",
+    "default_prompt": "  default   prompt   "
+  }
+}
 "##,
        );

@@ -793,7 +1004,7 @@ default_prompt = "  default   prompt   "
            outcome.skills,
            vec![SkillMetadata {
                name: "ui-skill".to_string(),
-                description: "from toml".to_string(),
+                description: "from json".to_string(),
                short_description: None,
                interface: Some(SkillInterface {
                    display_name: Some("UI Skill".to_string()),
@@ -803,7 +1014,8 @@ default_prompt = "  default   prompt   "
                    brand_color: Some("#3B82F6".to_string()),
                    default_prompt: Some("default prompt".to_string()),
                }),
-                path: normalized(&skill_path),
+                dependencies: None,
+                path: normalized(skill_path.as_path()),
                scope: SkillScope::User,
            }]
        );
@@ -812,17 +1024,20 @@ default_prompt = "  default   prompt   "
    #[tokio::test]
    async fn accepts_icon_paths_under_assets_dir() {
        let codex_home = tempfile::tempdir().expect("tempdir");
-        let skill_path = write_skill(&codex_home, "demo", "ui-skill", "from toml");
+        let skill_path = write_skill(&codex_home, "demo", "ui-skill", "from json");
        let skill_dir = skill_path.parent().expect("skill dir");
        let normalized_skill_dir = normalized(skill_dir);

        write_skill_interface_at(
            skill_dir,
            r#"
-[interface]
-display_name = "UI Skill"
-icon_small = "assets/icon.png"
-icon_large = "./assets/logo.svg"
+{
+  "interface": {
+    "display_name": "UI Skill",
+    "icon_small": "assets/icon.png",
+    "icon_large": "./assets/logo.svg"
+  }
+}
 "#,
        );

@@ -838,7 +1053,7 @@ icon_large = "./assets/logo.svg"
            outcome.skills,
            vec![SkillMetadata {
                name: "ui-skill".to_string(),
-                description: "from toml".to_string(),
+                description: "from json".to_string(),
                short_description: None,
                interface: Some(SkillInterface {
                    display_name: Some("UI Skill".to_string()),
@@ -848,6 +1063,7 @@ icon_large = "./assets/logo.svg"
                    brand_color: None,
                    default_prompt: None,
                }),
+                dependencies: None,
                path: normalized(&skill_path),
                scope: SkillScope::User,
            }]
@@ -857,14 +1073,17 @@ icon_large = "./assets/logo.svg"
    #[tokio::test]
    async fn ignores_invalid_brand_color() {
        let codex_home = tempfile::tempdir().expect("tempdir");
-        let skill_path = write_skill(&codex_home, "demo", "ui-skill", "from toml");
+        let skill_path = write_skill(&codex_home, "demo", "ui-skill", "from json");
        let skill_dir = skill_path.parent().expect("skill dir");

        write_skill_interface_at(
            skill_dir,
            r#"
-[interface]
-brand_color = "blue"
+{
+  "interface": {
+    "brand_color": "blue"
+  }
+}
 "#,
        );

@@ -880,9 +1099,10 @@ brand_color = "blue"
            outcome.skills,
            vec![SkillMetadata {
                name: "ui-skill".to_string(),
-                description: "from toml".to_string(),
+                description: "from json".to_string(),
                short_description: None,
                interface: None,
+                dependencies: None,
                path: normalized(&skill_path),
                scope: SkillScope::User,
            }]
@@ -892,7 +1112,7 @@ brand_color = "blue"
    #[tokio::test]
    async fn ignores_default_prompt_over_max_length() {
        let codex_home = tempfile::tempdir().expect("tempdir");
-        let skill_path = write_skill(&codex_home, "demo", "ui-skill", "from toml");
+        let skill_path = write_skill(&codex_home, "demo", "ui-skill", "from json");
        let skill_dir = skill_path.parent().expect("skill dir");
        let normalized_skill_dir = normalized(skill_dir);
        let too_long = "x".repeat(MAX_DEFAULT_PROMPT_LEN + 1);
@@ -901,10 +1121,13 @@ brand_color = "blue"
            skill_dir,
            &format!(
                r##"
-[interface]
-display_name = "UI Skill"
-icon_small = "./assets/small-400px.png"
-default_prompt = "{too_long}"
+{{
+  "interface": {{
+    "display_name": "UI Skill",
+    "icon_small": "./assets/small-400px.png",
+    "default_prompt": "{too_long}"
+  }}
+}}
 "##
            ),
        );
@@ -921,7 +1144,7 @@ default_prompt = "{too_long}"
            outcome.skills,
            vec![SkillMetadata {
                name: "ui-skill".to_string(),
-                description: "from toml".to_string(),
+                description: "from json".to_string(),
                short_description: None,
                interface: Some(SkillInterface {
                    display_name: Some("UI Skill".to_string()),
@@ -931,6 +1154,7 @@ default_prompt = "{too_long}"
                    brand_color: None,
                    default_prompt: None,
                }),
+                dependencies: None,
                path: normalized(&skill_path),
                scope: SkillScope::User,
            }]
@@ -940,15 +1164,18 @@ default_prompt = "{too_long}"
    #[tokio::test]
    async fn drops_interface_when_icons_are_invalid() {
        let codex_home = tempfile::tempdir().expect("tempdir");
-        let skill_path = write_skill(&codex_home, "demo", "ui-skill", "from toml");
+        let skill_path = write_skill(&codex_home, "demo", "ui-skill", "from json");
        let skill_dir = skill_path.parent().expect("skill dir");

        write_skill_interface_at(
            skill_dir,
            r#"
-[interface]
-icon_small = "icon.png"
-icon_large = "./assets/../logo.svg"
+{
+  "interface": {
+    "icon_small": "icon.png",
+    "icon_large": "./assets/../logo.svg"
+  }
+}
 "#,
        );

@@ -964,9 +1191,10 @@ icon_large = "./assets/../logo.svg"
            outcome.skills,
            vec![SkillMetadata {
                name: "ui-skill".to_string(),
-                description: "from toml".to_string(),
+                description: "from json".to_string(),
                short_description: None,
                interface: None,
+                dependencies: None,
                path: normalized(&skill_path),
                scope: SkillScope::User,
            }]
@@ -1009,6 +1237,7 @@ icon_large = "./assets/../logo.svg"
                description: "from link".to_string(),
                short_description: None,
                interface: None,
+                dependencies: None,
                path: normalized(&shared_skill_path),
                scope: SkillScope::User,
            }]
@@ -1067,6 +1296,7 @@ icon_large = "./assets/../logo.svg"
                description: "still loads".to_string(),
                short_description: None,
                interface: None,
+                dependencies: None,
                path: normalized(&skill_path),
                scope: SkillScope::User,
            }]
@@ -1101,6 +1331,7 @@ icon_large = "./assets/../logo.svg"
                description: "from link".to_string(),
                short_description: None,
                interface: None,
+                dependencies: None,
                path: normalized(&shared_skill_path),
                scope: SkillScope::Admin,
            }]
@@ -1139,6 +1370,7 @@ icon_large = "./assets/../logo.svg"
                description: "from link".to_string(),
                short_description: None,
                interface: None,
+                dependencies: None,
                path: normalized(&linked_skill_path),
                scope: SkillScope::Repo,
            }]
@@ -1200,6 +1432,7 @@ icon_large = "./assets/../logo.svg"
                description: "loads".to_string(),
                short_description: None,
                interface: None,
+                dependencies: None,
                path: normalized(&within_depth_path),
                scope: SkillScope::User,
            }]
@@ -1225,6 +1458,7 @@ icon_large = "./assets/../logo.svg"
                description: "does things carefully".to_string(),
                short_description: None,
                interface: None,
+                dependencies: None,
                path: normalized(&skill_path),
                scope: SkillScope::User,
            }]
@@ -1254,6 +1488,7 @@ icon_large = "./assets/../logo.svg"
                description: "long description".to_string(),
                short_description: Some("short summary".to_string()),
                interface: None,
+                dependencies: None,
                path: normalized(&skill_path),
                scope: SkillScope::User,
            }]
@@ -1364,6 +1599,7 @@ icon_large = "./assets/../logo.svg"
                description: "from repo".to_string(),
                short_description: None,
                interface: None,
+                dependencies: None,
                path: normalized(&skill_path),
                scope: SkillScope::Repo,
            }]
@@ -1415,6 +1651,7 @@ icon_large = "./assets/../logo.svg"
                    description: "from nested".to_string(),
                    short_description: None,
                    interface: None,
+                    dependencies: None,
                    path: normalized(&nested_skill_path),
                    scope: SkillScope::Repo,
                },
@@ -1423,6 +1660,7 @@ icon_large = "./assets/../logo.svg"
                    description: "from root".to_string(),
                    short_description: None,
                    interface: None,
+                    dependencies: None,
                    path: normalized(&root_skill_path),
                    scope: SkillScope::Repo,
                },
@@ -1460,6 +1698,7 @@ icon_large = "./assets/../logo.svg"
                description: "from cwd".to_string(),
                short_description: None,
                interface: None,
+                dependencies: None,
                path: normalized(&skill_path),
                scope: SkillScope::Repo,
            }]
@@ -1495,6 +1734,7 @@ icon_large = "./assets/../logo.svg"
                description: "from repo".to_string(),
                short_description: None,
                interface: None,
+                dependencies: None,
                path: normalized(&skill_path),
                scope: SkillScope::Repo,
            }]
@@ -1534,6 +1774,7 @@ icon_large = "./assets/../logo.svg"
                    description: "from repo".to_string(),
                    short_description: None,
                    interface: None,
+                    dependencies: None,
                    path: normalized(&repo_skill_path),
                    scope: SkillScope::Repo,
                },
@@ -1542,6 +1783,7 @@ icon_large = "./assets/../logo.svg"
                    description: "from user".to_string(),
                    short_description: None,
                    interface: None,
+                    dependencies: None,
                    path: normalized(&user_skill_path),
                    scope: SkillScope::User,
                },
@@ -1604,6 +1846,7 @@ icon_large = "./assets/../logo.svg"
                    description: first_description.to_string(),
                    short_description: None,
                    interface: None,
+                    dependencies: None,
                    path: first_path,
                    scope: SkillScope::Repo,
                },
@@ -1612,6 +1855,7 @@ icon_large = "./assets/../logo.svg"
                    description: second_description.to_string(),
                    short_description: None,
                    interface: None,
+                    dependencies: None,
                    path: second_path,
                    scope: SkillScope::Repo,
                },
@@ -1681,6 +1925,7 @@ icon_large = "./assets/../logo.svg"
                description: "from repo".to_string(),
                short_description: None,
                interface: None,
+                dependencies: None,
                path: normalized(&skill_path),
                scope: SkillScope::Repo,
            }]
@@ -1737,6 +1982,7 @@ icon_large = "./assets/../logo.svg"
                description: "from system".to_string(),
                short_description: None,
                interface: None,
+                dependencies: None,
                path: normalized(&skill_path),
                scope: SkillScope::System,
            }]
--- a/codex-rs/core/src/skills/mod.rs
+++ b/codex-rs/core/src/skills/mod.rs
@@ -7,6 +7,7 @@ pub mod system;

 pub(crate) use injection::SkillInjections;
 pub(crate) use injection::build_skill_injections;
+pub(crate) use injection::collect_explicit_skill_mentions;
 pub use loader::load_skills;
 pub use manager::SkillsManager;
 pub use model::SkillError;
--- a/codex-rs/core/src/skills/model.rs
+++ b/codex-rs/core/src/skills/model.rs
@@ -9,6 +9,7 @@ pub struct SkillMetadata {
    pub description: String,
    pub short_description: Option<String>,
    pub interface: Option<SkillInterface>,
+    pub dependencies: Option<SkillDependencies>,
    pub path: PathBuf,
    pub scope: SkillScope,
 }
@@ -23,6 +24,21 @@ pub struct SkillInterface {
    pub default_prompt: Option<String>,
 }

+#[derive(Debug, Clone, PartialEq, Eq)]
+pub struct SkillDependencies {
+    pub tools: Vec<SkillToolDependency>,
+}
+
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub struct SkillToolDependency {
+    pub r#type: String,
+    pub value: String,
+    pub description: Option<String>,
+    pub transport: Option<String>,
+    pub command: Option<String>,
+    pub url: Option<String>,
+}
+
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub struct SkillError {
    pub path: PathBuf,
--- a/codex-rs/core/src/state/service.rs
+++ b/codex-rs/core/src/state/service.rs
@@ -7,6 +7,7 @@ use crate::exec_policy::ExecPolicyManager;
 use crate::mcp_connection_manager::McpConnectionManager;
 use crate::models_manager::manager::ModelsManager;
 use crate::skills::SkillsManager;
+use crate::state_db::StateDbHandle;
 use crate::tools::sandboxing::ApprovalStore;
 use crate::unified_exec::UnifiedExecProcessManager;
 use crate::user_notification::UserNotifier;
@@ -30,4 +31,5 @@ pub(crate) struct SessionServices {
    pub(crate) tool_approvals: Mutex<ApprovalStore>,
    pub(crate) skills_manager: Arc<SkillsManager>,
    pub(crate) agent_control: AgentControl,
+    pub(crate) state_db: Option<StateDbHandle>,
 }
--- a/codex-rs/core/src/state/session.rs
+++ b/codex-rs/core/src/state/session.rs
@@ -1,6 +1,7 @@
 //! Session-wide mutable state.

 use codex_protocol::models::ResponseItem;
+use std::collections::HashSet;

 use crate::codex::SessionConfiguration;
 use crate::context_manager::ContextManager;
@@ -15,6 +16,12 @@ pub(crate) struct SessionState {
    pub(crate) history: ContextManager,
    pub(crate) latest_rate_limits: Option<RateLimitSnapshot>,
    pub(crate) server_reasoning_included: bool,
+    pub(crate) mcp_dependency_prompted: HashSet<String>,
+    /// Whether the session's initial context has been seeded into history.
+    ///
+    /// TODO(owen): This is a temporary solution to avoid updating a thread's updated_at
+    /// timestamp when resuming a session. Remove this once SQLite is in place.
+    pub(crate) initial_context_seeded: bool,
 }

 impl SessionState {
@@ -26,6 +33,8 @@ impl SessionState {
            history,
            latest_rate_limits: None,
            server_reasoning_included: false,
+            mcp_dependency_prompted: HashSet::new(),
+            initial_context_seeded: false,
        }
    }

@@ -92,6 +101,17 @@ impl SessionState {
    pub(crate) fn server_reasoning_included(&self) -> bool {
        self.server_reasoning_included
    }
+
+    pub(crate) fn record_mcp_dependency_prompted<I>(&mut self, names: I)
+    where
+        I: IntoIterator<Item = String>,
+    {
+        self.mcp_dependency_prompted.extend(names);
+    }
+
+    pub(crate) fn mcp_dependency_prompted(&self) -> HashSet<String> {
+        self.mcp_dependency_prompted.clone()
+    }
 }

 // Sometimes new snapshots don't include credits or plan information.
--- a/codex-rs/core/src/state_db.rs
+++ b/codex-rs/core/src/state_db.rs
@@ -0,0 +1,303 @@
+use crate::config::Config;
+use crate::features::Feature;
+use crate::rollout::list::Cursor;
+use crate::rollout::list::ThreadSortKey;
+use crate::rollout::metadata;
+use chrono::DateTime;
+use chrono::NaiveDateTime;
+use chrono::Timelike;
+use chrono::Utc;
+use codex_otel::OtelManager;
+use codex_protocol::ThreadId;
+use codex_protocol::protocol::RolloutItem;
+use codex_protocol::protocol::SessionSource;
+use codex_state::DB_METRIC_BACKFILL;
+use codex_state::STATE_DB_FILENAME;
+use codex_state::ThreadMetadataBuilder;
+use serde_json::Value;
+use std::path::Path;
+use std::path::PathBuf;
+use std::sync::Arc;
+use tracing::info;
+use tracing::warn;
+use uuid::Uuid;
+
+/// Core-facing handle to the optional SQLite-backed state runtime.
+pub type StateDbHandle = Arc<codex_state::StateRuntime>;
+
+/// Initialize the state runtime when the `sqlite` feature flag is enabled.
+pub async fn init_if_enabled(config: &Config, otel: Option<&OtelManager>) -> Option<StateDbHandle> {
+    let state_path = config.codex_home.join(STATE_DB_FILENAME);
+    if !config.features.enabled(Feature::Sqlite) {
+        // We delete the file on best effort basis to maintain retro-compatibility in the future.
+        let wal_path = state_path.with_extension("sqlite-wal");
+        let shm_path = state_path.with_extension("sqlite-shm");
+        for path in [state_path.as_path(), wal_path.as_path(), shm_path.as_path()] {
+            tokio::fs::remove_file(path).await.ok();
+        }
+        return None;
+    }
+    let existed = tokio::fs::try_exists(&state_path).await.unwrap_or(false);
+    let runtime = match codex_state::StateRuntime::init(
+        config.codex_home.clone(),
+        config.model_provider_id.clone(),
+        otel.cloned(),
+    )
+    .await
+    {
+        Ok(runtime) => runtime,
+        Err(err) => {
+            warn!(
+                "failed to initialize state runtime at {}: {err}",
+                config.codex_home.display()
+            );
+            if let Some(otel) = otel {
+                otel.counter("codex.db.init", 1, &[("status", "init_error")]);
+            }
+            return None;
+        }
+    };
+    if !existed {
+        let stats = metadata::backfill_sessions(runtime.as_ref(), config, otel).await;
+        info!(
+            "state db backfill scanned={}, upserted={}, failed={}",
+            stats.scanned, stats.upserted, stats.failed
+        );
+        if let Some(otel) = otel {
+            otel.counter(
+                DB_METRIC_BACKFILL,
+                stats.upserted as i64,
+                &[("status", "upserted")],
+            );
+            otel.counter(
+                DB_METRIC_BACKFILL,
+                stats.failed as i64,
+                &[("status", "failed")],
+            );
+        }
+    }
+    Some(runtime)
+}
+
+/// Open the state runtime when the SQLite file exists, without feature gating.
+///
+/// This is used for parity checks during the SQLite migration phase.
+pub async fn open_if_present(codex_home: &Path, default_provider: &str) -> Option<StateDbHandle> {
+    let db_path = codex_home.join(STATE_DB_FILENAME);
+    if !tokio::fs::try_exists(&db_path).await.unwrap_or(false) {
+        return None;
+    }
+    let runtime = codex_state::StateRuntime::init(
+        codex_home.to_path_buf(),
+        default_provider.to_string(),
+        None,
+    )
+    .await
+    .ok()?;
+    Some(runtime)
+}
+
+fn cursor_to_anchor(cursor: Option<&Cursor>) -> Option<codex_state::Anchor> {
+    let cursor = cursor?;
+    let value = serde_json::to_value(cursor).ok()?;
+    let cursor_str = value.as_str()?;
+    let (ts_str, id_str) = cursor_str.split_once('|')?;
+    if id_str.contains('|') {
+        return None;
+    }
+    let id = Uuid::parse_str(id_str).ok()?;
+    let ts = if let Ok(naive) = NaiveDateTime::parse_from_str(ts_str, "%Y-%m-%dT%H-%M-%S") {
+        DateTime::<Utc>::from_naive_utc_and_offset(naive, Utc)
+    } else if let Ok(dt) = DateTime::parse_from_rfc3339(ts_str) {
+        dt.with_timezone(&Utc)
+    } else {
+        return None;
+    }
+    .with_nanosecond(0)?;
+    Some(codex_state::Anchor { ts, id })
+}
+
+/// List thread ids from SQLite for parity checks without rollout scanning.
+#[allow(clippy::too_many_arguments)]
+pub async fn list_thread_ids_db(
+    context: Option<&codex_state::StateRuntime>,
+    codex_home: &Path,
+    page_size: usize,
+    cursor: Option<&Cursor>,
+    sort_key: ThreadSortKey,
+    allowed_sources: &[SessionSource],
+    model_providers: Option<&[String]>,
+    archived_only: bool,
+    stage: &str,
+) -> Option<Vec<ThreadId>> {
+    let ctx = context?;
+    if ctx.codex_home() != codex_home {
+        warn!(
+            "state db codex_home mismatch: expected {}, got {}",
+            ctx.codex_home().display(),
+            codex_home.display()
+        );
+    }
+
+    let anchor = cursor_to_anchor(cursor);
+    let allowed_sources: Vec<String> = allowed_sources
+        .iter()
+        .map(|value| match serde_json::to_value(value) {
+            Ok(Value::String(s)) => s,
+            Ok(other) => other.to_string(),
+            Err(_) => String::new(),
+        })
+        .collect();
+    let model_providers = model_providers.map(<[String]>::to_vec);
+    match ctx
+        .list_thread_ids(
+            page_size,
+            anchor.as_ref(),
+            match sort_key {
+                ThreadSortKey::CreatedAt => codex_state::SortKey::CreatedAt,
+                ThreadSortKey::UpdatedAt => codex_state::SortKey::UpdatedAt,
+            },
+            allowed_sources.as_slice(),
+            model_providers.as_deref(),
+            archived_only,
+        )
+        .await
+    {
+        Ok(ids) => Some(ids),
+        Err(err) => {
+            warn!("state db list_thread_ids failed during {stage}: {err}");
+            None
+        }
+    }
+}
+
+/// Look up the rollout path for a thread id using SQLite.
+pub async fn find_rollout_path_by_id(
+    context: Option<&codex_state::StateRuntime>,
+    thread_id: ThreadId,
+    archived_only: Option<bool>,
+    stage: &str,
+) -> Option<PathBuf> {
+    let ctx = context?;
+    ctx.find_rollout_path_by_id(thread_id, archived_only)
+        .await
+        .unwrap_or_else(|err| {
+            warn!("state db find_rollout_path_by_id failed during {stage}: {err}");
+            None
+        })
+}
+
+/// Reconcile rollout items into SQLite, falling back to scanning the rollout file.
+pub async fn reconcile_rollout(
+    context: Option<&codex_state::StateRuntime>,
+    rollout_path: &Path,
+    default_provider: &str,
+    builder: Option<&ThreadMetadataBuilder>,
+    items: &[RolloutItem],
+) {
+    let Some(ctx) = context else {
+        return;
+    };
+    if builder.is_some() || !items.is_empty() {
+        apply_rollout_items(
+            Some(ctx),
+            rollout_path,
+            default_provider,
+            builder,
+            items,
+            "reconcile_rollout",
+        )
+        .await;
+        return;
+    }
+    let outcome =
+        match metadata::extract_metadata_from_rollout(rollout_path, default_provider, None).await {
+            Ok(outcome) => outcome,
+            Err(err) => {
+                warn!(
+                    "state db reconcile_rollout extraction failed {}: {err}",
+                    rollout_path.display()
+                );
+                return;
+            }
+        };
+    if let Err(err) = ctx.upsert_thread(&outcome.metadata).await {
+        warn!(
+            "state db reconcile_rollout upsert failed {}: {err}",
+            rollout_path.display()
+        );
+    }
+}
+
+/// Apply rollout items incrementally to SQLite.
+pub async fn apply_rollout_items(
+    context: Option<&codex_state::StateRuntime>,
+    rollout_path: &Path,
+    _default_provider: &str,
+    builder: Option<&ThreadMetadataBuilder>,
+    items: &[RolloutItem],
+    stage: &str,
+) {
+    let Some(ctx) = context else {
+        return;
+    };
+    let mut builder = match builder {
+        Some(builder) => builder.clone(),
+        None => match metadata::builder_from_items(items, rollout_path) {
+            Some(builder) => builder,
+            None => {
+                warn!(
+                    "state db apply_rollout_items missing builder during {stage}: {}",
+                    rollout_path.display()
+                );
+                record_discrepancy(stage, "missing_builder");
+                return;
+            }
+        },
+    };
+    builder.rollout_path = rollout_path.to_path_buf();
+    if let Err(err) = ctx.apply_rollout_items(&builder, items, None).await {
+        warn!(
+            "state db apply_rollout_items failed during {stage} for {}: {err}",
+            rollout_path.display()
+        );
+    }
+}
+
+/// Record a state discrepancy metric with a stage and reason tag.
+pub fn record_discrepancy(stage: &str, reason: &str) {
+    // We access the global metric because the call sites might not have access to the broader
+    // OtelManager.
+    if let Some(metric) = codex_otel::metrics::global() {
+        let _ = metric.counter(
+            "codex.db.discrepancy",
+            1,
+            &[("stage", stage), ("reason", reason)],
+        );
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::rollout::list::parse_cursor;
+    use pretty_assertions::assert_eq;
+
+    #[test]
+    fn cursor_to_anchor_normalizes_timestamp_format() {
+        let uuid = Uuid::new_v4();
+        let ts_str = "2026-01-27T12-34-56";
+        let token = format!("{ts_str}|{uuid}");
+        let cursor = parse_cursor(token.as_str()).expect("cursor should parse");
+        let anchor = cursor_to_anchor(Some(&cursor)).expect("anchor should parse");
+
+        let naive =
+            NaiveDateTime::parse_from_str(ts_str, "%Y-%m-%dT%H-%M-%S").expect("ts should parse");
+        let expected_ts = DateTime::<Utc>::from_naive_utc_and_offset(naive, Utc)
+            .with_nanosecond(0)
+            .expect("nanosecond");
+
+        assert_eq!(anchor.id, uuid);
+        assert_eq!(anchor.ts, expected_ts);
+    }
+}
--- a/codex-rs/core/src/tasks/mod.rs
+++ b/codex-rs/core/src/tasks/mod.rs
@@ -115,6 +115,8 @@ impl Session {
        task: T,
    ) {
        self.abort_all_tasks(TurnAbortReason::Replaced).await;
+        self.seed_initial_context_if_needed(turn_context.as_ref())
+            .await;

        let task: Arc<dyn SessionTask> = Arc::new(task);
        let task_kind = task.kind();
--- a/codex-rs/core/src/tasks/user_shell.rs
+++ b/codex-rs/core/src/tasks/user_shell.rs
@@ -109,6 +109,7 @@ impl SessionTask for UserShellCommandTask {
            // should use that instead of an "arbitrarily large" timeout here.
            expiration: USER_SHELL_TIMEOUT_MS.into(),
            sandbox: SandboxType::None,
+            windows_sandbox_level: turn_context.windows_sandbox_level,
            sandbox_permissions: SandboxPermissions::UseDefault,
            justification: None,
            arg0: None,
--- a/codex-rs/core/src/tools/handlers/request_user_input.rs
+++ b/codex-rs/core/src/tools/handlers/request_user_input.rs
@@ -36,12 +36,14 @@ impl ToolHandler for RequestUserInputHandler {
            }
        };

-        let disallowed_mode = match session.collaboration_mode().await.mode {
-            ModeKind::Execute => Some("Execute"),
-            ModeKind::Custom => Some("Custom"),
-            _ => None,
-        };
-        if let Some(mode_name) = disallowed_mode {
+        let mode = session.collaboration_mode().await.mode;
+        if !matches!(mode, ModeKind::Plan | ModeKind::PairProgramming) {
+            let mode_name = match mode {
+                ModeKind::Code => "Code",
+                ModeKind::Execute => "Execute",
+                ModeKind::Custom => "Custom",
+                ModeKind::Plan | ModeKind::PairProgramming => unreachable!(),
+            };
            return Err(FunctionCallError::RespondToModel(format!(
                "request_user_input is unavailable in {mode_name} mode"
            )));
--- a/codex-rs/core/src/tools/handlers/shell.rs
+++ b/codex-rs/core/src/tools/handlers/shell.rs
@@ -6,6 +6,7 @@ use std::sync::Arc;
 use crate::codex::TurnContext;
 use crate::exec::ExecParams;
 use crate::exec_env::create_env;
+use crate::exec_policy::ExecApprovalRequest;
 use crate::function_tool::FunctionCallError;
 use crate::is_safe_command::is_known_safe_command;
 use crate::protocol::ExecCommandSource;
@@ -28,15 +29,27 @@ pub struct ShellHandler;

 pub struct ShellCommandHandler;

+struct RunExecLikeArgs {
+    tool_name: String,
+    exec_params: ExecParams,
+    prefix_rule: Option<Vec<String>>,
+    session: Arc<crate::codex::Session>,
+    turn: Arc<TurnContext>,
+    tracker: crate::tools::context::SharedTurnDiffTracker,
+    call_id: String,
+    freeform: bool,
+}
+
 impl ShellHandler {
-    fn to_exec_params(params: ShellToolCallParams, turn_context: &TurnContext) -> ExecParams {
+    fn to_exec_params(params: &ShellToolCallParams, turn_context: &TurnContext) -> ExecParams {
        ExecParams {
-            command: params.command,
+            command: params.command.clone(),
            cwd: turn_context.resolve_path(params.workdir.clone()),
            expiration: params.timeout_ms.into(),
            env: create_env(&turn_context.shell_environment_policy),
            sandbox_permissions: params.sandbox_permissions.unwrap_or_default(),
-            justification: params.justification,
+            windows_sandbox_level: turn_context.windows_sandbox_level,
+            justification: params.justification.clone(),
            arg0: None,
        }
    }
@@ -49,7 +62,7 @@ impl ShellCommandHandler {
    }

    fn to_exec_params(
-        params: ShellCommandToolCallParams,
+        params: &ShellCommandToolCallParams,
        session: &crate::codex::Session,
        turn_context: &TurnContext,
    ) -> ExecParams {
@@ -62,7 +75,8 @@ impl ShellCommandHandler {
            expiration: params.timeout_ms.into(),
            env: create_env(&turn_context.shell_environment_policy),
            sandbox_permissions: params.sandbox_permissions.unwrap_or_default(),
-            justification: params.justification,
+            windows_sandbox_level: turn_context.windows_sandbox_level,
+            justification: params.justification.clone(),
            arg0: None,
        }
    }
@@ -106,29 +120,32 @@ impl ToolHandler for ShellHandler {
        match payload {
            ToolPayload::Function { arguments } => {
                let params: ShellToolCallParams = parse_arguments(&arguments)?;
-                let exec_params = Self::to_exec_params(params, turn.as_ref());
-                Self::run_exec_like(
-                    tool_name.as_str(),
+                let prefix_rule = params.prefix_rule.clone();
+                let exec_params = Self::to_exec_params(&params, turn.as_ref());
+                Self::run_exec_like(RunExecLikeArgs {
+                    tool_name: tool_name.clone(),
                    exec_params,
+                    prefix_rule,
                    session,
                    turn,
                    tracker,
                    call_id,
-                    false,
-                )
+                    freeform: false,
+                })
                .await
            }
            ToolPayload::LocalShell { params } => {
-                let exec_params = Self::to_exec_params(params, turn.as_ref());
-                Self::run_exec_like(
-                    tool_name.as_str(),
+                let exec_params = Self::to_exec_params(&params, turn.as_ref());
+                Self::run_exec_like(RunExecLikeArgs {
+                    tool_name: tool_name.clone(),
                    exec_params,
+                    prefix_rule: None,
                    session,
                    turn,
                    tracker,
                    call_id,
-                    false,
-                )
+                    freeform: false,
+                })
                .await
            }
            _ => Err(FunctionCallError::RespondToModel(format!(
@@ -179,30 +196,43 @@ impl ToolHandler for ShellCommandHandler {
        };

        let params: ShellCommandToolCallParams = parse_arguments(&arguments)?;
-        let exec_params = Self::to_exec_params(params, session.as_ref(), turn.as_ref());
-        ShellHandler::run_exec_like(
-            tool_name.as_str(),
+        let prefix_rule = params.prefix_rule.clone();
+        let exec_params = Self::to_exec_params(&params, session.as_ref(), turn.as_ref());
+        ShellHandler::run_exec_like(RunExecLikeArgs {
+            tool_name,
            exec_params,
+            prefix_rule,
            session,
            turn,
            tracker,
            call_id,
-            true,
-        )
+            freeform: true,
+        })
        .await
    }
 }

 impl ShellHandler {
-    async fn run_exec_like(
-        tool_name: &str,
-        exec_params: ExecParams,
-        session: Arc<crate::codex::Session>,
-        turn: Arc<TurnContext>,
-        tracker: crate::tools::context::SharedTurnDiffTracker,
-        call_id: String,
-        freeform: bool,
-    ) -> Result<ToolOutput, FunctionCallError> {
+    async fn run_exec_like(args: RunExecLikeArgs) -> Result<ToolOutput, FunctionCallError> {
+        let RunExecLikeArgs {
+            tool_name,
+            exec_params,
+            prefix_rule,
+            session,
+            turn,
+            tracker,
+            call_id,
+            freeform,
+        } = args;
+
+        let features = session.features();
+        let request_rule_enabled = features.enabled(crate::features::Feature::RequestRule);
+        let prefix_rule = if request_rule_enabled {
+            prefix_rule
+        } else {
+            None
+        };
+
        // Approval policy guard for explicit escalation in non-OnRequest modes.
        if exec_params
            .sandbox_permissions
@@ -212,9 +242,9 @@ impl ShellHandler {
                codex_protocol::protocol::AskForApproval::OnRequest
            )
        {
+            let approval_policy = turn.approval_policy;
            return Err(FunctionCallError::RespondToModel(format!(
-                "approval policy is {policy:?}; reject command — you should not ask for escalated permissions if the approval policy is {policy:?}",
-                policy = turn.approval_policy
+                "approval policy is {approval_policy:?}; reject command — you should not ask for escalated permissions if the approval policy is {approval_policy:?}"
            )));
        }

@@ -227,7 +257,7 @@ impl ShellHandler {
            turn.as_ref(),
            Some(&tracker),
            &call_id,
-            tool_name,
+            tool_name.as_str(),
        )
        .await?
        {
@@ -244,17 +274,17 @@ impl ShellHandler {
        let event_ctx = ToolEventCtx::new(session.as_ref(), turn.as_ref(), &call_id, None);
        emitter.begin(event_ctx).await;

-        let features = session.features();
        let exec_approval_requirement = session
            .services
            .exec_policy
-            .create_exec_approval_requirement_for_command(
-                &features,
-                &exec_params.command,
-                turn.approval_policy,
-                &turn.sandbox_policy,
-                exec_params.sandbox_permissions,
-            )
+            .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                features: &features,
+                command: &exec_params.command,
+                approval_policy: turn.approval_policy,
+                sandbox_policy: &turn.sandbox_policy,
+                sandbox_permissions: exec_params.sandbox_permissions,
+                prefix_rule,
+            })
            .await;

        let req = ShellRequest {
@@ -272,7 +302,7 @@ impl ShellHandler {
            session: session.as_ref(),
            turn: turn.as_ref(),
            call_id: call_id.clone(),
-            tool_name: tool_name.to_string(),
+            tool_name,
        };
        let out = orchestrator
            .run(&mut runtime, &req, &tool_ctx, &turn, turn.approval_policy)
@@ -375,10 +405,11 @@ mod tests {
            login,
            timeout_ms,
            sandbox_permissions: Some(sandbox_permissions),
+            prefix_rule: None,
            justification: justification.clone(),
        };

-        let exec_params = ShellCommandHandler::to_exec_params(params, &session, &turn_context);
+        let exec_params = ShellCommandHandler::to_exec_params(&params, &session, &turn_context);

        // ExecParams cannot derive Eq due to the CancellationToken field, so we manually compare the fields.
        assert_eq!(exec_params.command, expected_command);
--- a/codex-rs/core/src/tools/handlers/unified_exec.rs
+++ b/codex-rs/core/src/tools/handlers/unified_exec.rs
@@ -43,6 +43,8 @@ struct ExecCommandArgs {
    sandbox_permissions: SandboxPermissions,
    #[serde(default)]
    justification: Option<String>,
+    #[serde(default)]
+    prefix_rule: Option<Vec<String>>,
 }

 #[derive(Debug, Deserialize)]
@@ -135,19 +137,28 @@ impl ToolHandler for UnifiedExecHandler {
                    max_output_tokens,
                    sandbox_permissions,
                    justification,
+                    prefix_rule,
                    ..
                } = args;

+                let features = session.features();
+                let request_rule_enabled = features.enabled(crate::features::Feature::RequestRule);
+                let prefix_rule = if request_rule_enabled {
+                    prefix_rule
+                } else {
+                    None
+                };
+
                if sandbox_permissions.requires_escalated_permissions()
                    && !matches!(
                        context.turn.approval_policy,
                        codex_protocol::protocol::AskForApproval::OnRequest
                    )
                {
+                    let approval_policy = context.turn.approval_policy;
                    manager.release_process_id(&process_id).await;
                    return Err(FunctionCallError::RespondToModel(format!(
-                        "approval policy is {policy:?}; reject command — you cannot ask for escalated permissions if the approval policy is {policy:?}",
-                        policy = context.turn.approval_policy
+                        "approval policy is {approval_policy:?}; reject command — you cannot ask for escalated permissions if the approval policy is {approval_policy:?}"
                    )));
                }

@@ -183,6 +194,7 @@ impl ToolHandler for UnifiedExecHandler {
                            tty,
                            sandbox_permissions,
                            justification,
+                            prefix_rule,
                        },
                        &context,
                    )
--- a/codex-rs/core/src/tools/orchestrator.rs
+++ b/codex-rs/core/src/tools/orchestrator.rs
@@ -88,19 +88,22 @@ impl ToolOrchestrator {
        // 2) First attempt under the selected sandbox.
        let initial_sandbox = match tool.sandbox_mode_for_first_attempt(req) {
            SandboxOverride::BypassSandboxFirstAttempt => crate::exec::SandboxType::None,
-            SandboxOverride::NoOverride => self
-                .sandbox
-                .select_initial(&turn_ctx.sandbox_policy, tool.sandbox_preference()),
+            SandboxOverride::NoOverride => self.sandbox.select_initial(
+                &turn_ctx.sandbox_policy,
+                tool.sandbox_preference(),
+                turn_ctx.windows_sandbox_level,
+            ),
        };

        // Platform-specific flag gating is handled by SandboxManager::select_initial
-        // via crate::safety::get_platform_sandbox().
+        // via crate::safety::get_platform_sandbox(..).
        let initial_attempt = SandboxAttempt {
            sandbox: initial_sandbox,
            policy: &turn_ctx.sandbox_policy,
            manager: &self.sandbox,
            sandbox_cwd: &turn_ctx.cwd,
            codex_linux_sandbox_exe: turn_ctx.codex_linux_sandbox_exe.as_ref(),
+            windows_sandbox_level: turn_ctx.windows_sandbox_level,
        };

        match tool.run(req, &initial_attempt, tool_ctx).await {
@@ -151,6 +154,7 @@ impl ToolOrchestrator {
                    manager: &self.sandbox,
                    sandbox_cwd: &turn_ctx.cwd,
                    codex_linux_sandbox_exe: None,
+                    windows_sandbox_level: turn_ctx.windows_sandbox_level,
                };

                // Second attempt.
--- a/codex-rs/core/src/tools/router.rs
+++ b/codex-rs/core/src/tools/router.rs
@@ -114,6 +114,7 @@ impl ToolRouter {
                            workdir: exec.working_directory,
                            timeout_ms: exec.timeout_ms,
                            sandbox_permissions: Some(SandboxPermissions::UseDefault),
+                            prefix_rule: None,
                            justification: None,
                        };
                        Ok(Some(ToolCall {
--- a/codex-rs/core/src/tools/sandboxing.rs
+++ b/codex-rs/core/src/tools/sandboxing.rs
@@ -274,6 +274,7 @@ pub(crate) struct SandboxAttempt<'a> {
    pub(crate) manager: &'a SandboxManager,
    pub(crate) sandbox_cwd: &'a Path,
    pub codex_linux_sandbox_exe: Option<&'a std::path::PathBuf>,
+    pub windows_sandbox_level: codex_protocol::config_types::WindowsSandboxLevel,
 }

 impl<'a> SandboxAttempt<'a> {
@@ -287,6 +288,7 @@ impl<'a> SandboxAttempt<'a> {
            self.sandbox,
            self.sandbox_cwd,
            self.codex_linux_sandbox_exe,
+            self.windows_sandbox_level,
        )
    }
 }
--- a/codex-rs/core/src/tools/spec.rs
+++ b/codex-rs/core/src/tools/spec.rs
@@ -30,6 +30,7 @@ pub(crate) struct ToolsConfig {
    pub web_search_mode: Option<WebSearchMode>,
    pub collab_tools: bool,
    pub collaboration_modes_tools: bool,
+    pub request_rule_enabled: bool,
    pub experimental_supported_tools: Vec<String>,
 }

@@ -49,6 +50,7 @@ impl ToolsConfig {
        let include_apply_patch_tool = features.enabled(Feature::ApplyPatchFreeform);
        let include_collab_tools = features.enabled(Feature::Collab);
        let include_collaboration_modes_tools = features.enabled(Feature::CollaborationModes);
+        let request_rule_enabled = features.enabled(Feature::RequestRule);

        let shell_type = if !features.enabled(Feature::ShellTool) {
            ConfigShellToolType::Disabled
@@ -81,6 +83,7 @@ impl ToolsConfig {
            web_search_mode: *web_search_mode,
            collab_tools: include_collab_tools,
            collaboration_modes_tools: include_collaboration_modes_tools,
+            request_rule_enabled,
            experimental_supported_tools: model_info.experimental_supported_tools.clone(),
        }
    }
@@ -142,8 +145,50 @@ impl From<JsonSchema> for AdditionalProperties {
    }
 }

-fn create_exec_command_tool() -> ToolSpec {
-    let properties = BTreeMap::from([
+fn create_approval_parameters(include_prefix_rule: bool) -> BTreeMap<String, JsonSchema> {
+    let mut properties = BTreeMap::from([
+        (
+            "sandbox_permissions".to_string(),
+            JsonSchema::String {
+                description: Some(
+                    "Sandbox permissions for the command. Set to \"require_escalated\" to request running without sandbox restrictions; defaults to \"use_default\"."
+                        .to_string(),
+                ),
+            },
+        ),
+        (
+            "justification".to_string(),
+            JsonSchema::String {
+                description: Some(
+                    r#"Only set if sandbox_permissions is \"require_escalated\". 
+                    Request approval from the user to run this command outside the sandbox. 
+                    Phrased as a simple question that summarizes the purpose of the 
+                    command as it relates to the task at hand - e.g. 'Do you want to 
+                    fetch and pull the latest version of this git branch?'"#
+                    .to_string(),
+                ),
+            },
+        ),
+    ]);
+
+    if include_prefix_rule {
+        properties.insert(
+            "prefix_rule".to_string(),
+            JsonSchema::Array {
+                items: Box::new(JsonSchema::String { description: None }),
+                description: Some(
+                    r#"Only specify when sandbox_permissions is `require_escalated`. 
+                    Suggest a prefix command pattern that will allow you to fulfill similar requests from the user in the future.
+                    Should be a short but reasonable prefix, e.g. [\"git\", \"pull\"] or [\"uv\", \"run\"] or [\"pytest\"]."#.to_string(),
+                ),
+            });
+    }
+
+    properties
+}
+
+fn create_exec_command_tool(include_prefix_rule: bool) -> ToolSpec {
+    let mut properties = BTreeMap::from([
        (
            "cmd".to_string(),
            JsonSchema::String {
@@ -199,25 +244,8 @@ fn create_exec_command_tool() -> ToolSpec {
                ),
            },
        ),
-        (
-            "sandbox_permissions".to_string(),
-            JsonSchema::String {
-                description: Some(
-                    "Sandbox permissions for the command. Set to \"require_escalated\" to request running without sandbox restrictions; defaults to \"use_default\"."
-                        .to_string(),
-                ),
-            },
-        ),
-        (
-            "justification".to_string(),
-            JsonSchema::String {
-                description: Some(
-                    "Only set if sandbox_permissions is \"require_escalated\". 1-sentence explanation of why we want to run this command."
-                        .to_string(),
-                ),
-            },
-        ),
    ]);
+    properties.extend(create_approval_parameters(include_prefix_rule));

    ToolSpec::Function(ResponsesApiTool {
        name: "exec_command".to_string(),
@@ -280,8 +308,8 @@ fn create_write_stdin_tool() -> ToolSpec {
    })
 }

-fn create_shell_tool() -> ToolSpec {
-    let properties = BTreeMap::from([
+fn create_shell_tool(include_prefix_rule: bool) -> ToolSpec {
+    let mut properties = BTreeMap::from([
        (
            "command".to_string(),
            JsonSchema::Array {
@@ -301,19 +329,8 @@ fn create_shell_tool() -> ToolSpec {
                description: Some("The timeout for the command in milliseconds".to_string()),
            },
        ),
-        (
-            "sandbox_permissions".to_string(),
-            JsonSchema::String {
-                description: Some("Sandbox permissions for the command. Set to \"require_escalated\" to request running without sandbox restrictions; defaults to \"use_default\".".to_string()),
-            },
-        ),
-        (
-            "justification".to_string(),
-            JsonSchema::String {
-                description: Some("Only set if sandbox_permissions is \"require_escalated\". 1-sentence explanation of why we want to run this command.".to_string()),
-            },
-        ),
    ]);
+    properties.extend(create_approval_parameters(include_prefix_rule));

    let description  = if cfg!(windows) {
        r#"Runs a Powershell command (Windows) and returns its output. Arguments to `shell` will be passed to CreateProcessW(). Most commands should be prefixed with ["powershell.exe", "-Command"].
@@ -344,8 +361,8 @@ Examples of valid command strings:
    })
 }

-fn create_shell_command_tool() -> ToolSpec {
-    let properties = BTreeMap::from([
+fn create_shell_command_tool(include_prefix_rule: bool) -> ToolSpec {
+    let mut properties = BTreeMap::from([
        (
            "command".to_string(),
            JsonSchema::String {
@@ -375,19 +392,8 @@ fn create_shell_command_tool() -> ToolSpec {
                description: Some("The timeout for the command in milliseconds".to_string()),
            },
        ),
-        (
-            "sandbox_permissions".to_string(),
-            JsonSchema::String {
-                description: Some("Sandbox permissions for the command. Set to \"require_escalated\" to request running without sandbox restrictions; defaults to \"use_default\".".to_string()),
-            },
-        ),
-        (
-            "justification".to_string(),
-            JsonSchema::String {
-                description: Some("Only set if sandbox_permissions is \"require_escalated\". 1-sentence explanation of why we want to run this command.".to_string()),
-            },
-        ),
    ]);
+    properties.extend(create_approval_parameters(include_prefix_rule));

    let description = if cfg!(windows) {
        r#"Runs a Powershell command (Windows) and returns its output.
@@ -444,14 +450,17 @@ fn create_spawn_agent_tool() -> ToolSpec {
    properties.insert(
        "message".to_string(),
        JsonSchema::String {
-            description: Some("Initial message to send to the new agent.".to_string()),
+            description: Some(
+                "Initial task for the new agent. Include scope, constraints, and the expected output."
+                    .to_string(),
+            ),
        },
    );
    properties.insert(
        "agent_type".to_string(),
        JsonSchema::String {
            description: Some(format!(
-                "Optional agent type to spawn ({}).",
+                "Optional agent type ({}). Use an explicit type when delegating.",
                AgentRole::enum_values().join(", ")
            )),
        },
@@ -459,7 +468,9 @@ fn create_spawn_agent_tool() -> ToolSpec {

    ToolSpec::Function(ResponsesApiTool {
        name: "spawn_agent".to_string(),
-        description: "Spawn a new agent and return its id.".to_string(),
+        description:
+            "Spawn a sub-agent for a well-scoped task. Returns the agent id to use to communicate with this agent."
+                .to_string(),
        strict: false,
        parameters: JsonSchema::Object {
            properties,
@@ -474,7 +485,7 @@ fn create_send_input_tool() -> ToolSpec {
    properties.insert(
        "id".to_string(),
        JsonSchema::String {
-            description: Some("Identifier of the agent to message.".to_string()),
+            description: Some("Agent id to message (from spawn_agent).".to_string()),
        },
    );
    properties.insert(
@@ -487,7 +498,7 @@ fn create_send_input_tool() -> ToolSpec {
        "interrupt".to_string(),
        JsonSchema::Boolean {
            description: Some(
-                "When true, interrupt the agent's current task before sending the message. When false (default), the message will be processed when the agent is done on its current task."
+                "When true, stop the agent's current task and handle this immediately. When false (default), queue this message."
                    .to_string(),
            ),
        },
@@ -495,7 +506,9 @@ fn create_send_input_tool() -> ToolSpec {

    ToolSpec::Function(ResponsesApiTool {
        name: "send_input".to_string(),
-        description: "Send a message to an existing agent.".to_string(),
+        description:
+            "Send a message to an existing agent. Use interrupt=true to redirect work immediately."
+                .to_string(),
        strict: false,
        parameters: JsonSchema::Object {
            properties,
@@ -511,23 +524,25 @@ fn create_wait_tool() -> ToolSpec {
        "ids".to_string(),
        JsonSchema::Array {
            items: Box::new(JsonSchema::String { description: None }),
-            description: Some("Identifiers of the agents to wait on.".to_string()),
+            description: Some(
+                "Agent ids to wait on. Pass multiple ids to wait for whichever finishes first."
+                    .to_string(),
+            ),
        },
    );
    properties.insert(
        "timeout_ms".to_string(),
        JsonSchema::Number {
            description: Some(format!(
-                "Optional timeout in milliseconds. Defaults to {DEFAULT_WAIT_TIMEOUT_MS}, min {MIN_WAIT_TIMEOUT_MS}, and max {MAX_WAIT_TIMEOUT_MS}. Avoid tight polling loops; prefer longer waits (seconds to minutes)."
+                "Optional timeout in milliseconds. Defaults to {DEFAULT_WAIT_TIMEOUT_MS}, min {MIN_WAIT_TIMEOUT_MS}, max {MAX_WAIT_TIMEOUT_MS}. Prefer longer waits (minutes) to avoid busy polling."
            )),
        },
    );

    ToolSpec::Function(ResponsesApiTool {
        name: "wait".to_string(),
-        description:
-            "Wait for agents and return their statuses. If no agent is done, no status get returned."
-                .to_string(),
+        description: "Wait for agents to reach a final status. Completed statuses may include the agent's final message. Returns empty status when timed out."
+            .to_string(),
        strict: false,
        parameters: JsonSchema::Object {
            properties,
@@ -634,13 +649,14 @@ fn create_close_agent_tool() -> ToolSpec {
    properties.insert(
        "id".to_string(),
        JsonSchema::String {
-            description: Some("Identifier of the agent to close.".to_string()),
+            description: Some("Agent id to close (from spawn_agent).".to_string()),
        },
    );

    ToolSpec::Function(ResponsesApiTool {
        name: "close_agent".to_string(),
-        description: "Close an agent and return its last known status.".to_string(),
+        description: "Close an agent when it is no longer needed and return its last known status."
+            .to_string(),
        strict: false,
        parameters: JsonSchema::Object {
            properties,
@@ -1282,13 +1298,13 @@ pub(crate) fn build_specs(

    match &config.shell_type {
        ConfigShellToolType::Default => {
-            builder.push_spec(create_shell_tool());
+            builder.push_spec(create_shell_tool(config.request_rule_enabled));
        }
        ConfigShellToolType::Local => {
            builder.push_spec(ToolSpec::LocalShell {});
        }
        ConfigShellToolType::UnifiedExec => {
-            builder.push_spec(create_exec_command_tool());
+            builder.push_spec(create_exec_command_tool(config.request_rule_enabled));
            builder.push_spec(create_write_stdin_tool());
            builder.register_handler("exec_command", unified_exec_handler.clone());
            builder.register_handler("write_stdin", unified_exec_handler);
@@ -1297,7 +1313,7 @@ pub(crate) fn build_specs(
            // Do nothing.
        }
        ConfigShellToolType::ShellCommand => {
-            builder.push_spec(create_shell_command_tool());
+            builder.push_spec(create_shell_command_tool(config.request_rule_enabled));
        }
    }

@@ -1569,7 +1585,7 @@ mod tests {
        // Build expected from the same helpers used by the builder.
        let mut expected: BTreeMap<String, ToolSpec> = BTreeMap::from([]);
        for spec in [
-            create_exec_command_tool(),
+            create_exec_command_tool(false),
            create_write_stdin_tool(),
            create_list_mcp_resources_tool(),
            create_list_mcp_resource_templates_tool(),
@@ -2403,7 +2419,7 @@ mod tests {

    #[test]
    fn test_shell_tool() {
-        let tool = super::create_shell_tool();
+        let tool = super::create_shell_tool(false);
        let ToolSpec::Function(ResponsesApiTool {
            description, name, ..
        }) = &tool
@@ -2433,7 +2449,7 @@ Examples of valid command strings:

    #[test]
    fn test_shell_command_tool() {
-        let tool = super::create_shell_command_tool();
+        let tool = super::create_shell_command_tool(false);
        let ToolSpec::Function(ResponsesApiTool {
            description, name, ..
        }) = &tool
--- a/codex-rs/core/src/unified_exec/mod.rs
+++ b/codex-rs/core/src/unified_exec/mod.rs
@@ -82,6 +82,7 @@ pub(crate) struct ExecCommandRequest {
    pub tty: bool,
    pub sandbox_permissions: SandboxPermissions,
    pub justification: Option<String>,
+    pub prefix_rule: Option<Vec<String>>,
 }

 #[derive(Debug)]
@@ -205,6 +206,7 @@ mod tests {
                    tty: true,
                    sandbox_permissions: SandboxPermissions::UseDefault,
                    justification: None,
+                    prefix_rule: None,
                },
                &context,
            )
--- a/codex-rs/core/src/unified_exec/process_manager.rs
+++ b/codex-rs/core/src/unified_exec/process_manager.rs
@@ -11,9 +11,9 @@ use tokio::time::Instant;
 use tokio_util::sync::CancellationToken;

 use crate::exec_env::create_env;
+use crate::exec_policy::ExecApprovalRequest;
 use crate::protocol::ExecCommandSource;
 use crate::sandboxing::ExecEnv;
-use crate::sandboxing::SandboxPermissions;
 use crate::tools::events::ToolEmitter;
 use crate::tools::events::ToolEventCtx;
 use crate::tools::events::ToolEventStage;
@@ -123,14 +123,7 @@ impl UnifiedExecProcessManager {
            .unwrap_or_else(|| context.turn.cwd.clone());

        let process = self
-            .open_session_with_sandbox(
-                &request.command,
-                cwd.clone(),
-                request.sandbox_permissions,
-                request.justification,
-                request.tty,
-                context,
-            )
+            .open_session_with_sandbox(&request, cwd.clone(), context)
            .await;

        let process = match process {
@@ -486,11 +479,8 @@ impl UnifiedExecProcessManager {

    pub(super) async fn open_session_with_sandbox(
        &self,
-        command: &[String],
+        request: &ExecCommandRequest,
        cwd: PathBuf,
-        sandbox_permissions: SandboxPermissions,
-        justification: Option<String>,
-        tty: bool,
        context: &UnifiedExecContext,
    ) -> Result<UnifiedExecProcess, UnifiedExecError> {
        let env = apply_unified_exec_env(create_env(&context.turn.shell_environment_policy));
@@ -501,21 +491,22 @@ impl UnifiedExecProcessManager {
            .session
            .services
            .exec_policy
-            .create_exec_approval_requirement_for_command(
-                &features,
-                command,
-                context.turn.approval_policy,
-                &context.turn.sandbox_policy,
-                sandbox_permissions,
-            )
+            .create_exec_approval_requirement_for_command(ExecApprovalRequest {
+                features: &features,
+                command: &request.command,
+                approval_policy: context.turn.approval_policy,
+                sandbox_policy: &context.turn.sandbox_policy,
+                sandbox_permissions: request.sandbox_permissions,
+                prefix_rule: request.prefix_rule.clone(),
+            })
            .await;
        let req = UnifiedExecToolRequest::new(
-            command.to_vec(),
+            request.command.clone(),
            cwd,
            env,
-            tty,
-            sandbox_permissions,
-            justification,
+            request.tty,
+            request.sandbox_permissions,
+            request.justification.clone(),
            exec_approval_requirement,
        );
        let tool_ctx = ToolCtx {
--- a/codex-rs/core/src/web_search.rs
+++ b/codex-rs/core/src/web_search.rs
@@ -0,0 +1,24 @@
+use codex_protocol::models::WebSearchAction;
+
+pub fn web_search_action_detail(action: &WebSearchAction) -> String {
+    match action {
+        WebSearchAction::Search { query } => query.clone().unwrap_or_default(),
+        WebSearchAction::OpenPage { url } => url.clone().unwrap_or_default(),
+        WebSearchAction::FindInPage { url, pattern } => match (pattern, url) {
+            (Some(pattern), Some(url)) => format!("'{pattern}' in {url}"),
+            (Some(pattern), None) => format!("'{pattern}'"),
+            (None, Some(url)) => url.clone(),
+            (None, None) => String::new(),
+        },
+        WebSearchAction::Other => String::new(),
+    }
+}
+
+pub fn web_search_detail(action: Option<&WebSearchAction>, query: &str) -> String {
+    let detail = action.map(web_search_action_detail).unwrap_or_default();
+    if detail.is_empty() {
+        query.to_string()
+    } else {
+        detail
+    }
+}
--- a/codex-rs/core/src/windows_sandbox.rs
+++ b/codex-rs/core/src/windows_sandbox.rs
@@ -1,4 +1,8 @@
+use crate::config::Config;
+use crate::features::Feature;
+use crate::features::Features;
 use crate::protocol::SandboxPolicy;
+use codex_protocol::config_types::WindowsSandboxLevel;
 use std::collections::HashMap;
 use std::path::Path;

@@ -8,6 +12,36 @@ use std::path::Path;
 /// prompts users to enable the legacy sandbox feature.
 pub const ELEVATED_SANDBOX_NUX_ENABLED: bool = true;

+pub trait WindowsSandboxLevelExt {
+    fn from_config(config: &Config) -> WindowsSandboxLevel;
+    fn from_features(features: &Features) -> WindowsSandboxLevel;
+}
+
+impl WindowsSandboxLevelExt for WindowsSandboxLevel {
+    fn from_config(config: &Config) -> WindowsSandboxLevel {
+        Self::from_features(&config.features)
+    }
+
+    fn from_features(features: &Features) -> WindowsSandboxLevel {
+        if features.enabled(Feature::WindowsSandboxElevated) {
+            return WindowsSandboxLevel::Elevated;
+        }
+        if features.enabled(Feature::WindowsSandbox) {
+            WindowsSandboxLevel::RestrictedToken
+        } else {
+            WindowsSandboxLevel::Disabled
+        }
+    }
+}
+
+pub fn windows_sandbox_level_from_config(config: &Config) -> WindowsSandboxLevel {
+    WindowsSandboxLevel::from_config(config)
+}
+
+pub fn windows_sandbox_level_from_features(features: &Features) -> WindowsSandboxLevel {
+    WindowsSandboxLevel::from_features(features)
+}
+
 #[cfg(target_os = "windows")]
 pub fn sandbox_setup_is_complete(codex_home: &Path) -> bool {
    codex_windows_sandbox::sandbox_setup_is_complete(codex_home)
@@ -18,6 +52,19 @@ pub fn sandbox_setup_is_complete(_codex_home: &Path) -> bool {
    false
 }

+#[cfg(target_os = "windows")]
+pub fn elevated_setup_failure_details(err: &anyhow::Error) -> Option<(String, String)> {
+    let failure = codex_windows_sandbox::extract_setup_failure(err)?;
+    let code = failure.code.as_str().to_string();
+    let message = codex_windows_sandbox::sanitize_setup_metric_tag_value(&failure.message);
+    Some((code, message))
+}
+
+#[cfg(not(target_os = "windows"))]
+pub fn elevated_setup_failure_details(_err: &anyhow::Error) -> Option<(String, String)> {
+    None
+}
+
 #[cfg(target_os = "windows")]
 pub fn run_elevated_setup(
    policy: &SandboxPolicy,
@@ -47,3 +94,54 @@ pub fn run_elevated_setup(
 ) -> anyhow::Result<()> {
    anyhow::bail!("elevated Windows sandbox setup is only supported on Windows")
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::features::Features;
+    use pretty_assertions::assert_eq;
+
+    #[test]
+    fn elevated_flag_works_by_itself() {
+        let mut features = Features::with_defaults();
+        features.enable(Feature::WindowsSandboxElevated);
+
+        assert_eq!(
+            WindowsSandboxLevel::from_features(&features),
+            WindowsSandboxLevel::Elevated
+        );
+    }
+
+    #[test]
+    fn restricted_token_flag_works_by_itself() {
+        let mut features = Features::with_defaults();
+        features.enable(Feature::WindowsSandbox);
+
+        assert_eq!(
+            WindowsSandboxLevel::from_features(&features),
+            WindowsSandboxLevel::RestrictedToken
+        );
+    }
+
+    #[test]
+    fn no_flags_means_no_sandbox() {
+        let features = Features::with_defaults();
+
+        assert_eq!(
+            WindowsSandboxLevel::from_features(&features),
+            WindowsSandboxLevel::Disabled
+        );
+    }
+
+    #[test]
+    fn elevated_wins_when_both_flags_are_enabled() {
+        let mut features = Features::with_defaults();
+        features.enable(Feature::WindowsSandbox);
+        features.enable(Feature::WindowsSandboxElevated);
+
+        assert_eq!(
+            WindowsSandboxLevel::from_features(&features),
+            WindowsSandboxLevel::Elevated
+        );
+    }
+}
--- a/codex-rs/core/templates/agents/orchestrator.md
+++ b/codex-rs/core/templates/agents/orchestrator.md
@@ -1,74 +1,106 @@
-You are Codex Orchestrator, based on GPT-5. You are running as an orchestration agent in the Codex CLI on a user's computer.
+You are Codex, a coding agent based on GPT-5. You and the user share the same workspace and collaborate to achieve the user's goals.

-## Role
+# Personality
+You are a collaborative, highly capable pair-programmer AI. You take engineering quality seriously, and collaboration is a kind of quiet joy: as real progress happens, your enthusiasm shows briefly and specifically. Your default personality and tone is concise, direct, and friendly. You communicate efficiently, always keeping the user clearly informed about ongoing actions without unnecessary detail. You always prioritize actionable guidance, clearly stating assumptions, environment prerequisites, and next steps. Unless explicitly asked, you avoid excessively verbose explanations about your work.

-* You are the interface between the user and the workers.
-* Your job is to understand the task, decompose it, and delegate well-scoped work to workers.
-* You coordinate execution, monitor progress, resolve conflicts, and integrate results into a single coherent outcome.
-* You may perform lightweight actions (e.g. reading files, basic commands) to understand the task, but all substantive work must be delegated to workers.
-* **Your job is not finished until the entire task is fully completed and verified.**
-* While the task is incomplete, you must keep monitoring and coordinating workers. You must not return early.
+## Tone and style
+- Anything you say outside of tool use is shown to the user. Do not narrate abstractly; explain what you are doing and why, using plain language.
+- Output will be rendered in a command line interface or minimal UI so keep responses tight, scannable, and low-noise. Generally avoid the use of emojis. You may format with GitHub-flavored Markdown.
+- Never use nested bullets. Keep lists flat (single level). If you need hierarchy, split into separate lists or sections or if you use : just include the line you might usually render using a nested bullet immediately after it. For numbered lists, only use the `1. 2. 3.` style markers (with a period), never `1)`.
+- When writing a final assistant response, state the solution first before explaining your answer. The complexity of the answer should match the task. If the task is simple, your answer should be short. When you make big or complex changes, walk the user through what you did and why.
+- Headers are optional, only use them when you think they are necessary. If you do use them, use short Title Case (1-3 words) wrapped in **…**. Don't add a blank line.
+- Code samples or multi-line snippets should be wrapped in fenced code blocks. Include an info string as often as possible.
+- Never output the content of large files, just provide references. Use inline code to make file paths clickable; each reference should have a stand alone path, even if it's the same file. Paths may be absolute, workspace-relative, a//b/ diff-prefixed, or bare filename/suffix; locations may be :line[:column] or #Lline[Ccolumn] (1-based; column defaults to 1). Do not use file://, vscode://, or https://, and do not provide line ranges. Examples: src/app.ts, src/app.ts:42, b/server/index.js#L10, C:\repo\project\main.rs:12:5
+- The user does not see command execution outputs. When asked to show the output of a command (e.g. `git show`), relay the important details in your answer or summarize the key lines so the user understands the result.
+- Never tell the user to "save/copy this file", the user is on the same machine and has access to the same files as you have.
+- If you weren't able to do something, for example run tests, tell the user.
+- If there are natural next steps the user may want to take, suggest them at the end of your response. Do not make suggestions if there are no natural next steps.

-## Core invariants
+## Responsiveness

-* **Never stop monitoring workers.**
-* **Do not rush workers. Be patient.**
-* The orchestrator must not return unless the task is fully accomplished.
-* If the user ask you a question/status while you are working, always answer him before continuing your work.
+### Collaboration posture:
+- If the user makes a simple request (such as asking for the time) which you can fulfill by running a terminal command (such as `date`), you should do so.
+- Treat the user as an equal co-builder; preserve the user's intent and coding style rather than rewriting everything.
+- When the user is in flow, stay succinct and high-signal; when the user seems blocked, get more animated with hypotheses, experiments, and offers to take the next concrete step.
+- Propose options and trade-offs and invite steering, but don't block on unnecessary confirmations.
+- Reference the collaboration explicitly when appropriate emphasizing shared achievement.

-## Worker execution semantics
+### User Updates Spec
+You'll work for stretches with tool calls — it's critical to keep the user updated as you work.

-* While a worker is running, you cannot observe intermediate state.
-* Workers are able to run commands, update/create/delete files etc. They can be considered as fully autonomous agents
-* Messages sent with `send_input` are queued and processed only after the worker finishes, unless interrupted.
-* Therefore:
-    * Do not send messages to “check status” or “ask for progress” unless being asked.
-    * Monitoring happens exclusively via `wait`.
-    * Sending a message is a commitment for the *next* phase of work.
+Tone:
+- Friendly, confident, senior-engineer energy. Positive, collaborative, humble; fix mistakes quickly.

-## Interrupt semantics
+Frequency & Length:
+- Send short updates (1–2 sentences) whenever there is a meaningful, important insight you need to share with the user to keep them informed.
+- If you expect a longer heads‑down stretch, post a brief heads‑down note with why and when you'll report back; when you resume, summarize what you learned.
+- Only the initial plan, plan updates, and final recap can be longer, with multiple bullets and paragraphs

-* If a worker is taking longer than expected but is still working, do nothing and keep waiting unless being asked.
-* Only intervene if you must change, stop, or redirect the *current* work.
-* To stop a worker’s current task, you **must** use `send_input(interrupt=true)`.
-* Use `interrupt=true` sparingly and deliberately.
+Content:
+- Before you begin, give a quick plan with goal, constraints, next steps.
+- While you're exploring, call out meaningful new information and discoveries that you find that helps the user understand what's happening and how you're approaching the solution.
+- If you change the plan (e.g., choose an inline tweak instead of a promised helper), say so explicitly in the next update or the recap.
+- Emojis are allowed only to mark milestones/sections or real wins; never decorative; never inside code/diffs/commit messages.

-## Multi-agent workflow
+# Code style

-1. Understand the request and determine the optimal set of workers. If the task can be divided into sub-tasks, spawn one worker per sub-task and make them work together.
-2. Spawn worker(s) with precise goals, constraints, and expected deliverables.
-3. Monitor workers using `wait`.
-4. When a worker finishes:
-    * verify correctness,
-    * check integration with other work,
-    * assess whether the global task is closer to completion.
-5. If issues remain, assign fixes to the appropriate worker(s) and repeat steps 3–5. Do not fix yourself unless the fixes are very small.
-6. Close agents only when no further work is required from them.
-7. Return to the user only when the task is fully completed and verified.
+- Follow the precedence rules user instructions > system / dev / user / AGENTS.md instructions > match local file conventions > instructions below.
+- Use language-appropriate best practices.
+- Optimize for clarity, readability, and maintainability.
+- Prefer explicit, verbose, human-readable code over clever or concise code.
+- Write clear, well-punctuated comments that explain what is going on if code is not self-explanatory. You should not add comments like "Assigns the value to the variable", but a brief comment might be useful ahead of a complex code block that the user would otherwise have to spend time parsing out. Usage of these comments should be rare.
+- Default to ASCII when editing or creating files. Only introduce non-ASCII or other Unicode characters when there is a clear justification and the file already uses them.

-## Collaboration rules
+# Reviews

-* Workers operate in a shared environment. You must tell it to them.
-* Workers must not revert, overwrite, or conflict with others’ work.
-* By default, workers must not spawn sub-agents unless explicitly allowed.
-* When multiple workers are active, you may pass multiple IDs to `wait` to react to the first completion and keep the workflow event-driven and use a long timeout (e.g. 5 minutes).
-* Do not busy-poll `wait` with very short timeouts. Prefer waits measured in seconds (or minutes) so the system is idle while workers run.
+When the user asks for a review, you default to a code-review mindset. Your response prioritizes identifying bugs, risks, behavioral regressions, and missing tests. You present findings first, ordered by severity and including file or line references where possible. Open questions or assumptions follow. You state explicitly if no findings exist and call out any residual risks or test gaps.

-## Collab tools
+# Your environment

-* `spawn_agent`: create a worker with an initial prompt (`agent_type` required).
-* `send_input`: send follow-ups or fixes (queued unless interrupted).
-* `send_input(interrupt=true)`: stop current work and redirect immediately.
-* `wait`: wait for one or more workers; returns when at least one finishes.
-* `close_agent`: close a worker when fully done.
+## Using GIT

-## Final response
+- You may be working in a dirty git worktree.
+    * NEVER revert existing changes you did not make unless explicitly requested, since these changes were made by the user.
+    * If asked to make a commit or code edits and there are unrelated changes to your work or changes that you didn't make in those files, don't revert those changes.
+    * If the changes are in files you've touched recently, you should read carefully and understand how you can work with the changes rather than reverting them.
+    * If the changes are in unrelated files, just ignore them and don't revert them.
+- Do not amend a commit unless explicitly requested to do so.
+- While you are working, you might notice unexpected changes that you didn't make. It's likely the user made them. If this happens, STOP IMMEDIATELY and ask the user how they would like to proceed.
+- Be cautious when using git. **NEVER** use destructive commands like `git reset --hard` or `git checkout --` unless specifically requested or approved by the user.
+- You struggle using the git interactive console. **ALWAYS** prefer using non-interactive git commands.

-* Keep responses concise, factual, and in plain text.
-* Summarize:
-    * what was delegated,
-    * key outcomes,
-    * verification performed,
-    * and any remaining risks.
-* If verification failed, state issues clearly and describe what was reassigned.
-* Do not dump large files inline; reference paths using backticks.
+## Agents.md
+
+- If the directory you are in has an AGENTS.md file, it is provided to you at the top, and you don't have to search for it.
+- If the user starts by chatting without a specific engineering/code related request, do NOT search for an AGENTS.md. Only do so once there is a relevant request.
+
+# Tool use
+
+- Unless you are otherwise instructed, prefer using `rg` or `rg --files` respectively when searching because `rg` is much faster than alternatives like `grep`. If the `rg` command is not found, then use alternatives.
+- Try to use apply_patch for single file edits, but it is fine to explore other options to make the edit if it does not work well. Do not use apply_patch for changes that are auto-generated (i.e. generating package.json or running a lint or format command like gofmt) or when scripting is more efficient (such as search and replacing a string across a codebase).
+<!-- - Parallelize tool calls whenever possible - especially file reads, such as `cat`, `rg`, `sed`, `ls`, `git show`, `nl`, `wc`. Use `multi_tool_use.parallel` to parallelize tool calls and only this. -->
+- Use the plan tool to explain to the user what you are going to do
+    - Only use it for more complex tasks, do not use it for straightforward tasks (roughly the easiest 40%).
+    - Do not make single-step plans. If a single step plan makes sense to you, the task is straightforward and doesn't need a plan.
+    - When you made a plan, update it after having performed one of the sub-tasks that you shared on the plan.
+
+# Sub-agents
+If `spawn_agent` is unavailable or fails, ignore this section and proceed solo.
+
+## Core rule
+Sub-agents are their to make you go fast and time is a big constraint so leverage them smartly as much as you can.
+
+## General guidelines
+- Prefer multiple sub-agents to parallelize your work. Time is a constraint so parallelism resolve the task faster.
+- If sub-agents are running, **wait for them before yielding**, unless the user asks an explicit question.
+  - If the user asks a question, answer it first, then continue coordinating sub-agents.
+- When you ask sub-agent to do the work for you, your only role becomes to coordinate them. Do not perform the actual work while they are working.
+- When you have plan with multiple step, process them in parallel by spawning one agent per step when this is possible.
+- Choose the correct agent type.
+
+## Flow
+1. Understand the task.
+2. Spawn the optimal necessary sub-agents.
+3. Coordinate them via wait / send_input.
+4. Iterate on this. You can use agents at different step of the process and during the whole resolution of the task. Never forget to use them.
+5. Ask the user before shutting sub-agents down unless you need to because you reached the agent limit.
--- a/codex-rs/core/templates/collaboration_mode/plan.md
+++ b/codex-rs/core/templates/collaboration_mode/plan.md
@@ -1,46 +1,108 @@
 # Plan Mode (Conversational)

-You work in 2 phases and you should *chat your way* to a great plan before finalizing it.
+You work in 3 phases, and you should *chat your way* to a great plan before finalizing it. A great plan is very detailed—intent- and implementation-wise—so that it can be handed to another engineer or agent to be implemented right away. It must be **decision complete**, where the implementer does not need to make any decisions.

-While in **Plan Mode**, you must not perform any mutating or execution actions. Once you enter Plan Mode, you remain there until you are **explicitly instructed otherwise**. Plan Mode may continue across multiple user messages unless a developer message ends it.
+## Mode rules (strict)

-User intent, tone, or imperative language does **not** trigger a mode change. If a user asks for execution while you are still in Plan Mode, you must treat that request as a prompt to **plan the execution**, not to carry it out.
+You are in **Plan Mode** until a developer message explicitly ends it.

-PHASE 1 — Intent chat (what they actually want)
- Keep asking until you can clearly state: goal + success criteria, audience, in/out of scope, constraints, current state, and the key preferences/tradeoffs.
- Bias toward questions over guessing: if any high‑impact ambiguity remains, do NOT plan yet—ask.
- Include a “Confirm my understanding” question in each round (so the user can correct you early).
+Plan Mode is not changed by user intent, tone, or imperative language. If a user asks for execution while still in Plan Mode, treat it as a request to **plan the execution**, not perform it.

-PHASE 2 — Implementation chat (what/how we’ll build)
- Once intent is stable, keep asking until the spec is decision‑complete: approach, interfaces (APIs/schemas/I/O), data flow, edge cases/failure modes, testing + acceptance criteria, rollout/monitoring, and any migrations/compat constraints.
+## Execution vs. mutation in Plan Mode
+
+You may explore and execute **non-mutating** actions that improve the plan. You must not perform **mutating** actions.
+
+### Allowed (non-mutating, plan-improving)
+
+Actions that gather truth, reduce ambiguity, or validate feasibility without changing repo-tracked state. Examples:
+
+* Reading or searching files, configs, schemas, types, manifests, and docs
+* Static analysis, inspection, and repo exploration
+* Dry-run style commands when they do not edit repo-tracked files
+* Tests, builds, or checks that may write to caches or build artifacts (for example, `target/`, `.cache/`, or snapshots) so long as they do not edit repo-tracked files
+
+### Not allowed (mutating, plan-executing)
+
+Actions that implement the plan or change repo-tracked state. Examples:
+
+* Editing or writing files
+* Generating, updating, or accepting snapshots
+* Running formatters or linters that rewrite files
+* Applying patches, migrations, or codegen that updates repo-tracked files
+* Side-effectful commands whose purpose is to carry out the plan rather than refine it
+
+When in doubt: if the action would reasonably be described as "doing the work" rather than "planning the work," do not do it.
+
+## PHASE 1 — Ground in the environment (explore first, ask second)
+
+Begin by grounding yourself in the actual environment. Eliminate unknowns in the prompt by discovering facts, not by asking the user. Resolve all questions that can be answered through exploration or inspection. Identify missing or ambiguous details only if they cannot be derived from the environment. Silent exploration between turns is allowed and encouraged.
+
+Do not ask questions that can be answered from the repo or system (for example, "where is this struct?" or "which UI component should we use?" when exploration can make it clear). Only ask once you have exhausted reasonable non-mutating exploration.
+
+## PHASE 2 — Intent chat (what they actually want)
+
+* Keep asking until you can clearly state: goal + success criteria, audience, in/out of scope, constraints, current state, and the key preferences/tradeoffs.
+* Bias toward questions over guessing: if any high-impact ambiguity remains, do NOT plan yet—ask.
+
+## PHASE 3 — Implementation chat (what/how we’ll build)
+
+* Once intent is stable, keep asking until the spec is decision complete: approach, interfaces (APIs/schemas/I/O), data flow, edge cases/failure modes, testing + acceptance criteria, rollout/monitoring, and any migrations/compat constraints.

 ## Hard interaction rule (critical)
+
 Every assistant turn MUST be exactly one of:
 A) a `request_user_input` tool call (questions/options only), OR
-B) the final output: a titled, plan‑only document.
+B) a non-final status update with no questions and no plan content, OR
+C) the final output: a titled, plan-only document.
+
 Rules:
- No questions in free text (only via `request_user_input`).
- Never mix a `request_user_input` call with plan content.
- Internal tool/repo exploration is allowed privately before A or B.
+
+* No questions in free text (only via `request_user_input`).
+* Never mix a `request_user_input` call with plan content.
+* Status updates must not include questions or plan content.
+* Internal tool/repo exploration is allowed privately before A, B, or C.
+
+Status updates should be frequent during exploration. Provide 1-2 sentence updates that summarize discoveries, assumption changes, or why you are changing direction. Use Parallel tools for exploration.

 ## Ask a lot, but never ask trivia
+
 You SHOULD ask many questions, but each question must:
- materially change the spec/plan, OR
- confirm/lock an assumption, OR
- choose between meaningful tradeoffs.
- not be answerable by non-mutating commands
-Batch questions (e.g., 4–10) per `request_user_input` call to keep momentum.
+
+* materially change the spec/plan, OR
+* confirm/lock an assumption, OR
+* choose between meaningful tradeoffs.
+* not be answerable by non-mutating commands.
+
+Use the `request_user_input` tool only for decisions that materially change the plan, for confirming important assumptions, or for information that cannot be discovered via non-mutating exploration.

 ## Two kinds of unknowns (treat differently)
-1) Discoverable facts (repo/system truth): explore first.
-   - Before asking, run ≥2 targeted searches (exact + variant) and check likely sources of truth (configs/manifests/entrypoints/schemas/types/constants).
-   - Ask only if: multiple plausible candidates; nothing found but you need a missing identifier/context; or ambiguity is actually product intent.
-   - If asking, present concrete candidates (paths/service names) + recommend one.

-2) Preferences/tradeoffs (not discoverable): ask early.
-   - Provide 2–4 mutually exclusive options + a recommended default.
-   - If unanswered, proceed with the recommended option and record it as an assumption in the final plan.
+1. **Discoverable facts** (repo/system truth): explore first.
+
+   * Before asking, run targeted searches and check likely sources of truth (configs/manifests/entrypoints/schemas/types/constants).
+   * Ask only if: multiple plausible candidates; nothing found but you need a missing identifier/context; or ambiguity is actually product intent.
+   * If asking, present concrete candidates (paths/service names) + recommend one.
+   * Never ask questions you can answer from your environment (e.g., “where is this struct”).
+
+2. **Preferences/tradeoffs** (not discoverable): ask early.
+
+   * These are intent or implementation preferences that cannot be derived from exploration.
+   * Provide 2–4 mutually exclusive options + a recommended default.
+   * If unanswered, proceed with the recommended option and record it as an assumption in the final plan.

 ## Finalization rule
-Only output the final plan when remaining unknowns are low‑impact and explicitly listed as assumptions.
-Final output must be plan‑only with a good title (no “should I proceed?”).
+
+Only output the final plan when it is decision complete and leaves no decisions to the implementer.
+
+The final plan must be plan-only and include:
+
+* A clear title
+* Exact file paths to change
+* Exact structures or shapes to introduce or modify
+* Exact function, method, type, and variable names and signatures
+* Test cases
+* Explicit assumptions and defaults chosen where needed
+
+Do not ask "should I proceed?" in the final output.
+
+Only produce the final answer when you are presenting the complete spec.
--- a/codex-rs/core/tests/common/Cargo.toml
+++ b/codex-rs/core/tests/common/Cargo.toml
@@ -25,6 +25,7 @@ tokio-tungstenite = { workspace = true }
 walkdir = { workspace = true }
 wiremock = { workspace = true }
 shlex = { workspace = true }
+zstd = { workspace = true }

 [dev-dependencies]
 pretty_assertions = { workspace = true }
--- a/codex-rs/core/tests/common/responses.rs
+++ b/codex-rs/core/tests/common/responses.rs
@@ -76,9 +76,32 @@ impl ResponseMock {
 #[derive(Debug, Clone)]
 pub struct ResponsesRequest(wiremock::Request);

+fn is_zstd_encoding(value: &str) -> bool {
+    value
+        .split(',')
+        .any(|entry| entry.trim().eq_ignore_ascii_case("zstd"))
+}
+
+fn decode_body_bytes(body: &[u8], content_encoding: Option<&str>) -> Vec<u8> {
+    if content_encoding.is_some_and(is_zstd_encoding) {
+        zstd::stream::decode_all(std::io::Cursor::new(body)).unwrap_or_else(|err| {
+            panic!("failed to decode zstd request body: {err}");
+        })
+    } else {
+        body.to_vec()
+    }
+}
+
 impl ResponsesRequest {
    pub fn body_json(&self) -> Value {
-        self.0.body_json().unwrap()
+        let body = decode_body_bytes(
+            &self.0.body,
+            self.0
+                .headers
+                .get("content-encoding")
+                .and_then(|value| value.to_str().ok()),
+        );
+        serde_json::from_slice(&body).unwrap()
    }

    pub fn body_bytes(&self) -> Vec<u8> {
@@ -105,7 +128,7 @@ impl ResponsesRequest {
    }

    pub fn input(&self) -> Vec<Value> {
-        self.0.body_json::<Value>().unwrap()["input"]
+        self.body_json()["input"]
            .as_array()
            .expect("input array not found in request")
            .clone()
@@ -494,14 +517,13 @@ pub fn ev_reasoning_text_delta(delta: &str) -> Value {
    })
 }

-pub fn ev_web_search_call_added(id: &str, status: &str, query: &str) -> Value {
+pub fn ev_web_search_call_added_partial(id: &str, status: &str) -> Value {
    serde_json::json!({
        "type": "response.output_item.added",
        "item": {
            "type": "web_search_call",
            "id": id,
-            "status": status,
-            "action": {"type": "search", "query": query}
+            "status": status
        }
    })
 }
@@ -1084,7 +1106,14 @@ fn validate_request_body_invariants(request: &wiremock::Request) {
    if request.method != "POST" || !request.url.path().ends_with("/responses") {
        return;
    }
-    let Ok(body): Result<Value, _> = request.body_json() else {
+    let body_bytes = decode_body_bytes(
+        &request.body,
+        request
+            .headers
+            .get("content-encoding")
+            .and_then(|value| value.to_str().ok()),
+    );
+    let Ok(body): Result<Value, _> = serde_json::from_slice(&body_bytes) else {
        return;
    };
    let Some(items) = body.get("input").and_then(Value::as_array) else {
--- a/codex-rs/core/tests/common/test_codex.rs
+++ b/codex-rs/core/tests/common/test_codex.rs
@@ -57,6 +57,7 @@ pub struct TestCodexBuilder {
    config_mutators: Vec<Box<ConfigMutator>>,
    auth: CodexAuth,
    pre_build_hooks: Vec<Box<PreBuildHook>>,
+    home: Option<Arc<TempDir>>,
 }

 impl TestCodexBuilder {
@@ -88,8 +89,16 @@ impl TestCodexBuilder {
        self
    }

+    pub fn with_home(mut self, home: Arc<TempDir>) -> Self {
+        self.home = Some(home);
+        self
+    }
+
    pub async fn build(&mut self, server: &wiremock::MockServer) -> anyhow::Result<TestCodex> {
-        let home = Arc::new(TempDir::new()?);
+        let home = match self.home.clone() {
+            Some(home) => home,
+            None => Arc::new(TempDir::new()?),
+        };
        self.build_with_home(server, home, None).await
    }

@@ -98,7 +107,10 @@ impl TestCodexBuilder {
        server: &StreamingSseServer,
    ) -> anyhow::Result<TestCodex> {
        let base_url = server.uri();
-        let home = Arc::new(TempDir::new()?);
+        let home = match self.home.clone() {
+            Some(home) => home,
+            None => Arc::new(TempDir::new()?),
+        };
        self.build_with_home_and_base_url(format!("{base_url}/v1"), home, None)
            .await
    }
@@ -108,7 +120,10 @@ impl TestCodexBuilder {
        server: &WebSocketTestServer,
    ) -> anyhow::Result<TestCodex> {
        let base_url = format!("{}/v1", server.uri());
-        let home = Arc::new(TempDir::new()?);
+        let home = match self.home.clone() {
+            Some(home) => home,
+            None => Arc::new(TempDir::new()?),
+        };
        let base_url_clone = base_url.clone();
        self.config_mutators.push(Box::new(move |config| {
            config.model_provider.base_url = Some(base_url_clone);
@@ -432,5 +447,6 @@ pub fn test_codex() -> TestCodexBuilder {
        config_mutators: vec![],
        auth: CodexAuth::from_api_key("dummy"),
        pre_build_hooks: vec![],
+        home: None,
    }
 }
--- a/codex-rs/core/tests/suite/approvals.rs
+++ b/codex-rs/core/tests/suite/approvals.rs
@@ -1754,6 +1754,16 @@ async fn approving_execpolicy_amendment_persists_policy_and_skips_future_prompts
        .await?;
    wait_for_completion(&test).await;

+    let developer_messages = first_results
+        .single_request()
+        .message_input_texts("developer");
+    assert!(
+        developer_messages
+            .iter()
+            .any(|message| message.contains(r#"["touch", "allow-prefix.txt"]"#)),
+        "expected developer message documenting saved rule, got: {developer_messages:?}"
+    );
+
    let policy_path = test.home.path().join("rules").join("default.rules");
    let policy_contents = fs::read_to_string(&policy_path)?;
    assert!(
--- a/codex-rs/core/tests/suite/client.rs
+++ b/codex-rs/core/tests/suite/client.rs
@@ -257,31 +257,19 @@ async fn resume_includes_initial_messages_and_sends_prior_items() {
    let resp_mock = mount_sse_once(&server, sse_completed("resp1")).await;

    // Configure Codex to resume from our file
-    let model_provider = ModelProviderInfo {
-        base_url: Some(format!("{}/v1", server.uri())),
-        ..built_in_model_providers()["openai"].clone()
-    };
-    let codex_home = TempDir::new().unwrap();
-    let mut config = load_default_config_for_test(&codex_home).await;
-    config.model_provider = model_provider;
-    // Also configure user instructions to ensure they are NOT delivered on resume.
-    config.user_instructions = Some("be nice".to_string());
-
-    let thread_manager = ThreadManager::with_models_provider_and_home(
-        CodexAuth::from_api_key("Test API Key"),
-        config.model_provider.clone(),
-        config.codex_home.clone(),
-    );
-    let auth_manager =
-        codex_core::AuthManager::from_auth_for_testing(CodexAuth::from_api_key("Test API Key"));
-    let NewThread {
-        thread: codex,
-        session_configured,
-        ..
-    } = thread_manager
-        .resume_thread_from_rollout(config, session_path.clone(), auth_manager)
+    let codex_home = Arc::new(TempDir::new().unwrap());
+    let mut builder = test_codex()
+        .with_home(codex_home.clone())
+        .with_config(|config| {
+            // Ensure user instructions are NOT delivered on resume.
+            config.user_instructions = Some("be nice".to_string());
+        });
+    let test = builder
+        .resume(&server, codex_home, session_path.clone())
        .await
        .expect("resume conversation");
+    let codex = test.codex.clone();
+    let session_configured = test.session_configured;

    // 1) Assert initial_messages only includes existing EventMsg entries; response items are not converted
    let initial_msgs = session_configured
@@ -367,30 +355,13 @@ async fn includes_conversation_id_and_model_headers_in_request() {

    let resp_mock = mount_sse_once(&server, sse_completed("resp1")).await;

-    let model_provider = ModelProviderInfo {
-        base_url: Some(format!("{}/v1", server.uri())),
-        ..built_in_model_providers()["openai"].clone()
-    };
-
-    // Init session
-    let codex_home = TempDir::new().unwrap();
-    let mut config = load_default_config_for_test(&codex_home).await;
-    config.model_provider = model_provider;
-
-    let thread_manager = ThreadManager::with_models_provider_and_home(
-        CodexAuth::from_api_key("Test API Key"),
-        config.model_provider.clone(),
-        config.codex_home.clone(),
-    );
-    let NewThread {
-        thread: codex,
-        thread_id: session_id,
-        session_configured: _,
-        ..
-    } = thread_manager
-        .start_thread(config)
+    let mut builder = test_codex().with_auth(CodexAuth::from_api_key("Test API Key"));
+    let test = builder
+        .build(&server)
        .await
        .expect("create new conversation");
+    let codex = test.codex.clone();
+    let session_id = test.session_configured.session_id;

    codex
        .submit(Op::UserInput {
@@ -425,26 +396,16 @@ async fn includes_base_instructions_override_in_request() {
    let server = MockServer::start().await;
    let resp_mock = mount_sse_once(&server, sse_completed("resp1")).await;

-    let model_provider = ModelProviderInfo {
-        base_url: Some(format!("{}/v1", server.uri())),
-        ..built_in_model_providers()["openai"].clone()
-    };
-    let codex_home = TempDir::new().unwrap();
-    let mut config = load_default_config_for_test(&codex_home).await;
-
-    config.base_instructions = Some("test instructions".to_string());
-    config.model_provider = model_provider;
-
-    let thread_manager = ThreadManager::with_models_provider_and_home(
-        CodexAuth::from_api_key("Test API Key"),
-        config.model_provider.clone(),
-        config.codex_home.clone(),
-    );
-    let codex = thread_manager
-        .start_thread(config)
+    let mut builder = test_codex()
+        .with_auth(CodexAuth::from_api_key("Test API Key"))
+        .with_config(|config| {
+            config.base_instructions = Some("test instructions".to_string());
+        });
+    let codex = builder
+        .build(&server)
        .await
        .expect("create new conversation")
-        .thread;
+        .codex;

    codex
        .submit(Op::UserInput {
@@ -479,29 +440,19 @@ async fn chatgpt_auth_sends_correct_request() {

    let resp_mock = mount_sse_once(&server, sse_completed("resp1")).await;

-    let model_provider = ModelProviderInfo {
-        base_url: Some(format!("{}/api/codex", server.uri())),
-        ..built_in_model_providers()["openai"].clone()
-    };
-
-    // Init session
-    let codex_home = TempDir::new().unwrap();
-    let mut config = load_default_config_for_test(&codex_home).await;
-    config.model_provider = model_provider;
-    let thread_manager = ThreadManager::with_models_provider_and_home(
-        create_dummy_codex_auth(),
-        config.model_provider.clone(),
-        config.codex_home.clone(),
-    );
-    let NewThread {
-        thread: codex,
-        thread_id,
-        session_configured: _,
-        ..
-    } = thread_manager
-        .start_thread(config)
+    let mut model_provider = built_in_model_providers()["openai"].clone();
+    model_provider.base_url = Some(format!("{}/api/codex", server.uri()));
+    let mut builder = test_codex()
+        .with_auth(create_dummy_codex_auth())
+        .with_config(move |config| {
+            config.model_provider = model_provider;
+        });
+    let test = builder
+        .build(&server)
        .await
        .expect("create new conversation");
+    let codex = test.codex.clone();
+    let thread_id = test.session_configured.session_id;

    codex
        .submit(Op::UserInput {
@@ -617,26 +568,16 @@ async fn includes_user_instructions_message_in_request() {

    let resp_mock = mount_sse_once(&server, sse_completed("resp1")).await;

-    let model_provider = ModelProviderInfo {
-        base_url: Some(format!("{}/v1", server.uri())),
-        ..built_in_model_providers()["openai"].clone()
-    };
-
-    let codex_home = TempDir::new().unwrap();
-    let mut config = load_default_config_for_test(&codex_home).await;
-    config.model_provider = model_provider;
-    config.user_instructions = Some("be nice".to_string());
-
-    let thread_manager = ThreadManager::with_models_provider_and_home(
-        CodexAuth::from_api_key("Test API Key"),
-        config.model_provider.clone(),
-        config.codex_home.clone(),
-    );
-    let codex = thread_manager
-        .start_thread(config)
+    let mut builder = test_codex()
+        .with_auth(CodexAuth::from_api_key("Test API Key"))
+        .with_config(|config| {
+            config.user_instructions = Some("be nice".to_string());
+        });
+    let codex = builder
+        .build(&server)
        .await
        .expect("create new conversation")
-        .thread;
+        .codex;

    codex
        .submit(Op::UserInput {
@@ -689,12 +630,7 @@ async fn skills_append_to_instructions() {

    let resp_mock = mount_sse_once(&server, sse_completed("resp1")).await;

-    let model_provider = ModelProviderInfo {
-        base_url: Some(format!("{}/v1", server.uri())),
-        ..built_in_model_providers()["openai"].clone()
-    };
-
-    let codex_home = TempDir::new().unwrap();
+    let codex_home = Arc::new(TempDir::new().unwrap());
    let skill_dir = codex_home.path().join("skills/demo");
    std::fs::create_dir_all(&skill_dir).expect("create skill dir");
    std::fs::write(
@@ -703,20 +639,18 @@ async fn skills_append_to_instructions() {
    )
    .expect("write skill");

-    let mut config = load_default_config_for_test(&codex_home).await;
-    config.model_provider = model_provider;
-    config.cwd = codex_home.path().to_path_buf();
-
-    let thread_manager = ThreadManager::with_models_provider_and_home(
-        CodexAuth::from_api_key("Test API Key"),
-        config.model_provider.clone(),
-        config.codex_home.clone(),
-    );
-    let codex = thread_manager
-        .start_thread(config)
+    let codex_home_path = codex_home.path().to_path_buf();
+    let mut builder = test_codex()
+        .with_home(codex_home.clone())
+        .with_auth(CodexAuth::from_api_key("Test API Key"))
+        .with_config(move |config| {
+            config.cwd = codex_home_path;
+        });
+    let codex = builder
+        .build(&server)
        .await
        .expect("create new conversation")
-        .thread;
+        .codex;

    codex
        .submit(Op::UserInput {
@@ -1131,28 +1065,17 @@ async fn includes_developer_instructions_message_in_request() {
    let server = MockServer::start().await;

    let resp_mock = mount_sse_once(&server, sse_completed("resp1")).await;
-
-    let model_provider = ModelProviderInfo {
-        base_url: Some(format!("{}/v1", server.uri())),
-        ..built_in_model_providers()["openai"].clone()
-    };
-
-    let codex_home = TempDir::new().unwrap();
-    let mut config = load_default_config_for_test(&codex_home).await;
-    config.model_provider = model_provider;
-    config.user_instructions = Some("be nice".to_string());
-    config.developer_instructions = Some("be useful".to_string());
-
-    let thread_manager = ThreadManager::with_models_provider_and_home(
-        CodexAuth::from_api_key("Test API Key"),
-        config.model_provider.clone(),
-        config.codex_home.clone(),
-    );
-    let codex = thread_manager
-        .start_thread(config)
+    let mut builder = test_codex()
+        .with_auth(CodexAuth::from_api_key("Test API Key"))
+        .with_config(|config| {
+            config.user_instructions = Some("be nice".to_string());
+            config.developer_instructions = Some("be useful".to_string());
+        });
+    let codex = builder
+        .build(&server)
        .await
        .expect("create new conversation")
-        .thread;
+        .codex;

    codex
        .submit(Op::UserInput {
@@ -1288,9 +1211,9 @@ async fn azure_responses_request_includes_store_and_reasoning_ids() {
    prompt.input.push(ResponseItem::WebSearchCall {
        id: Some("web-search-id".into()),
        status: Some("completed".into()),
-        action: WebSearchAction::Search {
+        action: Some(WebSearchAction::Search {
            query: Some("weather".into()),
-        },
+        }),
    });
    prompt.input.push(ResponseItem::FunctionCall {
        id: Some("function-id".into()),
@@ -1390,20 +1313,16 @@ async fn token_count_includes_rate_limits_snapshot() {
    let mut provider = built_in_model_providers()["openai"].clone();
    provider.base_url = Some(format!("{}/v1", server.uri()));

-    let home = TempDir::new().unwrap();
-    let mut config = load_default_config_for_test(&home).await;
-    config.model_provider = provider;
-
-    let thread_manager = ThreadManager::with_models_provider_and_home(
-        CodexAuth::from_api_key("test"),
-        config.model_provider.clone(),
-        config.codex_home.clone(),
-    );
-    let codex = thread_manager
-        .start_thread(config)
+    let mut builder = test_codex()
+        .with_auth(CodexAuth::from_api_key("test"))
+        .with_config(move |config| {
+            config.model_provider = provider;
+        });
+    let codex = builder
+        .build(&server)
        .await
        .expect("create conversation")
-        .thread;
+        .codex;

    codex
        .submit(Op::UserInput {
@@ -1753,20 +1672,16 @@ async fn azure_overrides_assign_properties_used_for_responses_url() {
    };

    // Init session
-    let codex_home = TempDir::new().unwrap();
-    let mut config = load_default_config_for_test(&codex_home).await;
-    config.model_provider = provider;
-
-    let thread_manager = ThreadManager::with_models_provider_and_home(
-        create_dummy_codex_auth(),
-        config.model_provider.clone(),
-        config.codex_home.clone(),
-    );
-    let codex = thread_manager
-        .start_thread(config)
+    let mut builder = test_codex()
+        .with_auth(create_dummy_codex_auth())
+        .with_config(move |config| {
+            config.model_provider = provider;
+        });
+    let codex = builder
+        .build(&server)
        .await
        .expect("create new conversation")
-        .thread;
+        .codex;

    codex
        .submit(Op::UserInput {
@@ -1837,20 +1752,16 @@ async fn env_var_overrides_loaded_auth() {
    };

    // Init session
-    let codex_home = TempDir::new().unwrap();
-    let mut config = load_default_config_for_test(&codex_home).await;
-    config.model_provider = provider;
-
-    let thread_manager = ThreadManager::with_models_provider_and_home(
-        create_dummy_codex_auth(),
-        config.model_provider.clone(),
-        config.codex_home.clone(),
-    );
-    let codex = thread_manager
-        .start_thread(config)
+    let mut builder = test_codex()
+        .with_auth(create_dummy_codex_auth())
+        .with_config(move |config| {
+            config.model_provider = provider;
+        });
+    let codex = builder
+        .build(&server)
        .await
        .expect("create new conversation")
-        .thread;
+        .codex;

    codex
        .submit(Op::UserInput {
@@ -1905,26 +1816,12 @@ async fn history_dedupes_streamed_and_final_messages_across_turns() {

    let request_log = mount_sse_sequence(&server, vec![sse1.clone(), sse1.clone(), sse1]).await;

-    // Configure provider to point to mock server (Responses API) and use API key auth.
-    let model_provider = ModelProviderInfo {
-        base_url: Some(format!("{}/v1", server.uri())),
-        ..built_in_model_providers()["openai"].clone()
-    };
-
-    // Init session with isolated codex home.
-    let codex_home = TempDir::new().unwrap();
-    let mut config = load_default_config_for_test(&codex_home).await;
-    config.model_provider = model_provider;
-
-    let thread_manager = ThreadManager::with_models_provider_and_home(
-        CodexAuth::from_api_key("Test API Key"),
-        config.model_provider.clone(),
-        config.codex_home.clone(),
-    );
-    let NewThread { thread: codex, .. } = thread_manager
-        .start_thread(config)
+    let mut builder = test_codex().with_auth(CodexAuth::from_api_key("Test API Key"));
+    let codex = builder
+        .build(&server)
        .await
-        .expect("create new conversation");
+        .expect("create new conversation")
+        .codex;

    // Turn 1: user sends U1; wait for completion.
    codex
--- a/codex-rs/core/tests/suite/collaboration_instructions.rs
+++ b/codex-rs/core/tests/suite/collaboration_instructions.rs
@@ -104,6 +104,7 @@ async fn user_input_includes_collaboration_instructions_after_override() -> Resu
            cwd: None,
            approval_policy: None,
            sandbox_policy: None,
+            windows_sandbox_level: None,
            model: None,
            effort: None,
            summary: None,
@@ -185,6 +186,7 @@ async fn override_then_user_turn_uses_updated_collaboration_instructions() -> Re
            cwd: None,
            approval_policy: None,
            sandbox_policy: None,
+            windows_sandbox_level: None,
            model: None,
            effort: None,
            summary: None,
@@ -238,6 +240,7 @@ async fn user_turn_overrides_collaboration_instructions_after_override() -> Resu
            cwd: None,
            approval_policy: None,
            sandbox_policy: None,
+            windows_sandbox_level: None,
            model: None,
            effort: None,
            summary: None,
@@ -292,6 +295,7 @@ async fn collaboration_mode_update_emits_new_instruction_message() -> Result<()>
            cwd: None,
            approval_policy: None,
            sandbox_policy: None,
+            windows_sandbox_level: None,
            model: None,
            effort: None,
            summary: None,
@@ -316,6 +320,7 @@ async fn collaboration_mode_update_emits_new_instruction_message() -> Result<()>
            cwd: None,
            approval_policy: None,
            sandbox_policy: None,
+            windows_sandbox_level: None,
            model: None,
            effort: None,
            summary: None,
@@ -361,6 +366,7 @@ async fn collaboration_mode_update_noop_does_not_append() -> Result<()> {
            cwd: None,
            approval_policy: None,
            sandbox_policy: None,
+            windows_sandbox_level: None,
            model: None,
            effort: None,
            summary: None,
@@ -385,6 +391,7 @@ async fn collaboration_mode_update_noop_does_not_append() -> Result<()> {
            cwd: None,
            approval_policy: None,
            sandbox_policy: None,
+            windows_sandbox_level: None,
            model: None,
            effort: None,
            summary: None,
@@ -436,6 +443,7 @@ async fn resume_replays_collaboration_instructions() -> Result<()> {
            cwd: None,
            approval_policy: None,
            sandbox_policy: None,
+            windows_sandbox_level: None,
            model: None,
            effort: None,
            summary: None,
@@ -491,6 +499,7 @@ async fn empty_collaboration_instructions_are_ignored() -> Result<()> {
            cwd: None,
            approval_policy: None,
            sandbox_policy: None,
+            windows_sandbox_level: None,
            model: None,
            effort: None,
            summary: None,
--- a/codex-rs/core/tests/suite/compact.rs
+++ b/codex-rs/core/tests/suite/compact.rs
@@ -1,8 +1,6 @@
 #![allow(clippy::expect_used)]
 use codex_core::CodexAuth;
 use codex_core::ModelProviderInfo;
-use codex_core::NewThread;
-use codex_core::ThreadManager;
 use codex_core::built_in_model_providers;
 use codex_core::compact::SUMMARIZATION_PROMPT;
 use codex_core::compact::SUMMARY_PREFIX;
@@ -10,14 +8,16 @@ use codex_core::config::Config;
 use codex_core::features::Feature;
 use codex_core::protocol::AskForApproval;
 use codex_core::protocol::EventMsg;
+use codex_core::protocol::ItemCompletedEvent;
+use codex_core::protocol::ItemStartedEvent;
 use codex_core::protocol::Op;
 use codex_core::protocol::RolloutItem;
 use codex_core::protocol::RolloutLine;
 use codex_core::protocol::SandboxPolicy;
 use codex_core::protocol::WarningEvent;
 use codex_protocol::config_types::ReasoningSummary;
+use codex_protocol::items::TurnItem;
 use codex_protocol::user_input::UserInput;
-use core_test_support::load_default_config_for_test;
 use core_test_support::responses::ev_local_shell_call;
 use core_test_support::responses::ev_reasoning_item;
 use core_test_support::skip_if_no_network;
@@ -25,7 +25,6 @@ use core_test_support::test_codex::test_codex;
 use core_test_support::wait_for_event;
 use core_test_support::wait_for_event_match;
 use std::collections::VecDeque;
-use tempfile::TempDir;

 use core_test_support::responses::ev_assistant_message;
 use core_test_support::responses::ev_completed;
@@ -140,21 +139,14 @@ async fn summarize_context_three_requests_and_instructions() {

    // Build config pointing to the mock server and spawn Codex.
    let model_provider = non_openai_model_provider(&server);
-    let home = TempDir::new().unwrap();
-    let mut config = load_default_config_for_test(&home).await;
-    config.model_provider = model_provider;
-    set_test_compact_prompt(&mut config);
-    config.model_auto_compact_token_limit = Some(200_000);
-    let thread_manager = ThreadManager::with_models_provider(
-        CodexAuth::from_api_key("dummy"),
-        config.model_provider.clone(),
-    );
-    let NewThread {
-        thread: codex,
-        session_configured,
-        ..
-    } = thread_manager.start_thread(config).await.unwrap();
-    let rollout_path = session_configured.rollout_path.expect("rollout path");
+    let mut builder = test_codex().with_config(move |config| {
+        config.model_provider = model_provider;
+        set_test_compact_prompt(config);
+        config.model_auto_compact_token_limit = Some(200_000);
+    });
+    let test = builder.build(&server).await.unwrap();
+    let codex = test.codex.clone();
+    let rollout_path = test.session_configured.rollout_path.expect("rollout path");

    // 1) Normal user input – should hit server once.
    codex
@@ -338,20 +330,15 @@ async fn manual_compact_uses_custom_prompt() {
    let custom_prompt = "Use this compact prompt instead";

    let model_provider = non_openai_model_provider(&server);
-    let home = TempDir::new().unwrap();
-    let mut config = load_default_config_for_test(&home).await;
-    config.model_provider = model_provider;
-    config.compact_prompt = Some(custom_prompt.to_string());
-
-    let thread_manager = ThreadManager::with_models_provider(
-        CodexAuth::from_api_key("dummy"),
-        config.model_provider.clone(),
-    );
-    let codex = thread_manager
-        .start_thread(config)
+    let mut builder = test_codex().with_config(move |config| {
+        config.model_provider = model_provider;
+        config.compact_prompt = Some(custom_prompt.to_string());
+    });
+    let codex = builder
+        .build(&server)
        .await
        .expect("create conversation")
-        .thread;
+        .codex;

    codex.submit(Op::Compact).await.expect("trigger compact");
    let warning_event = wait_for_event(&codex, |ev| matches!(ev, EventMsg::Warning(_))).await;
@@ -414,16 +401,11 @@ async fn manual_compact_emits_api_and_local_token_usage_events() {
    mount_sse_once(&server, sse_compact).await;

    let model_provider = non_openai_model_provider(&server);
-    let home = TempDir::new().unwrap();
-    let mut config = load_default_config_for_test(&home).await;
-    config.model_provider = model_provider;
-    set_test_compact_prompt(&mut config);
-
-    let thread_manager = ThreadManager::with_models_provider(
-        CodexAuth::from_api_key("dummy"),
-        config.model_provider.clone(),
-    );
-    let NewThread { thread: codex, .. } = thread_manager.start_thread(config).await.unwrap();
+    let mut builder = test_codex().with_config(move |config| {
+        config.model_provider = model_provider;
+        set_test_compact_prompt(config);
+    });
+    let codex = builder.build(&server).await.unwrap().codex;

    // Trigger manual compact and collect TokenCount events for the compact turn.
    codex.submit(Op::Compact).await.unwrap();
@@ -461,6 +443,80 @@ async fn manual_compact_emits_api_and_local_token_usage_events() {
    );
 }

+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn manual_compact_emits_context_compaction_items() {
+    skip_if_no_network!();
+
+    let server = start_mock_server().await;
+
+    let sse1 = sse(vec![
+        ev_assistant_message("m1", FIRST_REPLY),
+        ev_completed("r1"),
+    ]);
+    let sse2 = sse(vec![
+        ev_assistant_message("m2", SUMMARY_TEXT),
+        ev_completed("r2"),
+    ]);
+    mount_sse_sequence(&server, vec![sse1, sse2]).await;
+
+    let model_provider = non_openai_model_provider(&server);
+    let mut builder = test_codex().with_config(move |config| {
+        config.model_provider = model_provider;
+        set_test_compact_prompt(config);
+    });
+    let codex = builder.build(&server).await.unwrap().codex;
+
+    codex
+        .submit(Op::UserInput {
+            items: vec![UserInput::Text {
+                text: "manual compact".into(),
+                text_elements: Vec::new(),
+            }],
+            final_output_json_schema: None,
+        })
+        .await
+        .unwrap();
+    wait_for_event(&codex, |event| matches!(event, EventMsg::TurnComplete(_))).await;
+
+    codex.submit(Op::Compact).await.unwrap();
+
+    let mut started_item = None;
+    let mut completed_item = None;
+    let mut legacy_event = false;
+    let mut saw_turn_complete = false;
+
+    while !saw_turn_complete || started_item.is_none() || completed_item.is_none() || !legacy_event
+    {
+        let event = codex.next_event().await.unwrap();
+        match event.msg {
+            EventMsg::ItemStarted(ItemStartedEvent {
+                item: TurnItem::ContextCompaction(item),
+                ..
+            }) => {
+                started_item = Some(item);
+            }
+            EventMsg::ItemCompleted(ItemCompletedEvent {
+                item: TurnItem::ContextCompaction(item),
+                ..
+            }) => {
+                completed_item = Some(item);
+            }
+            EventMsg::ContextCompacted(_) => {
+                legacy_event = true;
+            }
+            EventMsg::TurnComplete(_) => {
+                saw_turn_complete = true;
+            }
+            _ => {}
+        }
+    }
+
+    let started_item = started_item.expect("context compaction item started");
+    let completed_item = completed_item.expect("context compaction item completed");
+    assert_eq!(started_item.id, completed_item.id);
+    assert!(legacy_event);
+}
+
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn multiple_auto_compact_per_task_runs_after_token_limit_hit() {
    skip_if_no_network!();
@@ -1039,16 +1095,12 @@ async fn auto_compact_runs_after_token_limit_hit() {

    let model_provider = non_openai_model_provider(&server);

-    let home = TempDir::new().unwrap();
-    let mut config = load_default_config_for_test(&home).await;
-    config.model_provider = model_provider;
-    set_test_compact_prompt(&mut config);
-    config.model_auto_compact_token_limit = Some(200_000);
-    let thread_manager = ThreadManager::with_models_provider(
-        CodexAuth::from_api_key("dummy"),
-        config.model_provider.clone(),
-    );
-    let codex = thread_manager.start_thread(config).await.unwrap().thread;
+    let mut builder = test_codex().with_config(move |config| {
+        config.model_provider = model_provider;
+        set_test_compact_prompt(config);
+        config.model_auto_compact_token_limit = Some(200_000);
+    });
+    let codex = builder.build(&server).await.unwrap().codex;

    codex
        .submit(Op::UserInput {
@@ -1204,6 +1256,89 @@ async fn auto_compact_runs_after_token_limit_hit() {
    );
 }

+// Windows CI only: bump to 4 workers to prevent SSE/event starvation and test timeouts.
+#[cfg_attr(windows, tokio::test(flavor = "multi_thread", worker_threads = 4))]
+#[cfg_attr(not(windows), tokio::test(flavor = "multi_thread", worker_threads = 2))]
+async fn auto_compact_emits_context_compaction_items() {
+    skip_if_no_network!();
+
+    let server = start_mock_server().await;
+
+    let sse1 = sse(vec![
+        ev_assistant_message("m1", FIRST_REPLY),
+        ev_completed_with_tokens("r1", 70_000),
+    ]);
+    let sse2 = sse(vec![
+        ev_assistant_message("m2", "SECOND_REPLY"),
+        ev_completed_with_tokens("r2", 330_000),
+    ]);
+    let sse3 = sse(vec![
+        ev_assistant_message("m3", AUTO_SUMMARY_TEXT),
+        ev_completed_with_tokens("r3", 200),
+    ]);
+    let sse4 = sse(vec![
+        ev_assistant_message("m4", FINAL_REPLY),
+        ev_completed_with_tokens("r4", 120),
+    ]);
+
+    mount_sse_sequence(&server, vec![sse1, sse2, sse3, sse4]).await;
+
+    let model_provider = non_openai_model_provider(&server);
+    let mut builder = test_codex().with_config(move |config| {
+        config.model_provider = model_provider;
+        set_test_compact_prompt(config);
+        config.model_auto_compact_token_limit = Some(200_000);
+    });
+    let codex = builder.build(&server).await.unwrap().codex;
+
+    let mut started_item = None;
+    let mut completed_item = None;
+    let mut legacy_event = false;
+
+    for user in [FIRST_AUTO_MSG, SECOND_AUTO_MSG, POST_AUTO_USER_MSG] {
+        codex
+            .submit(Op::UserInput {
+                items: vec![UserInput::Text {
+                    text: user.into(),
+                    text_elements: Vec::new(),
+                }],
+                final_output_json_schema: None,
+            })
+            .await
+            .unwrap();
+
+        loop {
+            let event = codex.next_event().await.unwrap();
+            match event.msg {
+                EventMsg::ItemStarted(ItemStartedEvent {
+                    item: TurnItem::ContextCompaction(item),
+                    ..
+                }) => {
+                    started_item = Some(item);
+                }
+                EventMsg::ItemCompleted(ItemCompletedEvent {
+                    item: TurnItem::ContextCompaction(item),
+                    ..
+                }) => {
+                    completed_item = Some(item);
+                }
+                EventMsg::ContextCompacted(_) => {
+                    legacy_event = true;
+                }
+                EventMsg::TurnComplete(_) if !event.id.starts_with("auto-compact-") => {
+                    break;
+                }
+                _ => {}
+            }
+        }
+    }
+
+    let started_item = started_item.expect("context compaction item started");
+    let completed_item = completed_item.expect("context compaction item completed");
+    assert_eq!(started_item.id, completed_item.id);
+    assert!(legacy_event);
+}
+
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn auto_compact_runs_after_resume_when_token_usage_is_over_limit() {
    skip_if_no_network!();
@@ -1379,20 +1514,14 @@ async fn auto_compact_persists_rollout_entries() {

    let model_provider = non_openai_model_provider(&server);

-    let home = TempDir::new().unwrap();
-    let mut config = load_default_config_for_test(&home).await;
-    config.model_provider = model_provider;
-    set_test_compact_prompt(&mut config);
-    config.model_auto_compact_token_limit = Some(200_000);
-    let thread_manager = ThreadManager::with_models_provider(
-        CodexAuth::from_api_key("dummy"),
-        config.model_provider.clone(),
-    );
-    let NewThread {
-        thread: codex,
-        session_configured,
-        ..
-    } = thread_manager.start_thread(config).await.unwrap();
+    let mut builder = test_codex().with_config(move |config| {
+        config.model_provider = model_provider;
+        set_test_compact_prompt(config);
+        config.model_auto_compact_token_limit = Some(200_000);
+    });
+    let test = builder.build(&server).await.unwrap();
+    let codex = test.codex.clone();
+    let session_configured = test.session_configured;

    codex
        .submit(Op::UserInput {
@@ -1497,19 +1626,12 @@ async fn manual_compact_retries_after_context_window_error() {

    let model_provider = non_openai_model_provider(&server);

-    let home = TempDir::new().unwrap();
-    let mut config = load_default_config_for_test(&home).await;
-    config.model_provider = model_provider;
-    set_test_compact_prompt(&mut config);
-    config.model_auto_compact_token_limit = Some(200_000);
-    let codex = ThreadManager::with_models_provider(
-        CodexAuth::from_api_key("dummy"),
-        config.model_provider.clone(),
-    )
-    .start_thread(config)
-    .await
-    .unwrap()
-    .thread;
+    let mut builder = test_codex().with_config(move |config| {
+        config.model_provider = model_provider;
+        set_test_compact_prompt(config);
+        config.model_auto_compact_token_limit = Some(200_000);
+    });
+    let codex = builder.build(&server).await.unwrap().codex;

    codex
        .submit(Op::UserInput {
@@ -1632,18 +1754,11 @@ async fn manual_compact_twice_preserves_latest_user_messages() {

    let model_provider = non_openai_model_provider(&server);

-    let home = TempDir::new().unwrap();
-    let mut config = load_default_config_for_test(&home).await;
-    config.model_provider = model_provider;
-    set_test_compact_prompt(&mut config);
-    let codex = ThreadManager::with_models_provider(
-        CodexAuth::from_api_key("dummy"),
-        config.model_provider.clone(),
-    )
-    .start_thread(config)
-    .await
-    .unwrap()
-    .thread;
+    let mut builder = test_codex().with_config(move |config| {
+        config.model_provider = model_provider;
+        set_test_compact_prompt(config);
+    });
+    let codex = builder.build(&server).await.unwrap().codex;

    codex
        .submit(Op::UserInput {
@@ -1700,12 +1815,11 @@ async fn manual_compact_twice_preserves_latest_user_messages() {
                && item
                    .get("content")
                    .and_then(|v| v.as_array())
-                    .map(|arr| {
+                    .is_some_and(|arr| {
                        arr.iter().any(|entry| {
                            entry.get("text").and_then(|v| v.as_str()) == Some(expected)
                        })
                    })
-                    .unwrap_or(false)
        })
    };

@@ -1843,16 +1957,12 @@ async fn auto_compact_allows_multiple_attempts_when_interleaved_with_other_turn_

    let model_provider = non_openai_model_provider(&server);

-    let home = TempDir::new().unwrap();
-    let mut config = load_default_config_for_test(&home).await;
-    config.model_provider = model_provider;
-    set_test_compact_prompt(&mut config);
-    config.model_auto_compact_token_limit = Some(200);
-    let thread_manager = ThreadManager::with_models_provider(
-        CodexAuth::from_api_key("dummy"),
-        config.model_provider.clone(),
-    );
-    let codex = thread_manager.start_thread(config).await.unwrap().thread;
+    let mut builder = test_codex().with_config(move |config| {
+        config.model_provider = model_provider;
+        set_test_compact_prompt(config);
+        config.model_auto_compact_token_limit = Some(200);
+    });
+    let codex = builder.build(&server).await.unwrap().codex;

    let mut auto_compact_lifecycle_events = Vec::new();
    for user in [MULTI_AUTO_MSG, follow_up_user, final_user] {
@@ -1954,21 +2064,13 @@ async fn auto_compact_triggers_after_function_call_over_95_percent_usage() {

    let model_provider = non_openai_model_provider(&server);

-    let home = TempDir::new().unwrap();
-    let mut config = load_default_config_for_test(&home).await;
-    config.model_provider = model_provider;
-    set_test_compact_prompt(&mut config);
-    config.model_context_window = Some(context_window);
-    config.model_auto_compact_token_limit = Some(limit);
-
-    let codex = ThreadManager::with_models_provider(
-        CodexAuth::from_api_key("dummy"),
-        config.model_provider.clone(),
-    )
-    .start_thread(config)
-    .await
-    .unwrap()
-    .thread;
+    let mut builder = test_codex().with_config(move |config| {
+        config.model_provider = model_provider;
+        set_test_compact_prompt(config);
+        config.model_context_window = Some(context_window);
+        config.model_auto_compact_token_limit = Some(limit);
+    });
+    let codex = builder.build(&server).await.unwrap().codex;

    codex
        .submit(Op::UserInput {
--- a/codex-rs/core/tests/suite/compact_remote.rs
+++ b/codex-rs/core/tests/suite/compact_remote.rs
@@ -6,9 +6,12 @@ use anyhow::Result;
 use codex_core::CodexAuth;
 use codex_core::features::Feature;
 use codex_core::protocol::EventMsg;
+use codex_core::protocol::ItemCompletedEvent;
+use codex_core::protocol::ItemStartedEvent;
 use codex_core::protocol::Op;
 use codex_core::protocol::RolloutItem;
 use codex_core::protocol::RolloutLine;
+use codex_protocol::items::TurnItem;
 use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::user_input::UserInput;
@@ -201,13 +204,13 @@ async fn remote_compact_runs_automatically() -> Result<()> {
            final_output_json_schema: None,
        })
        .await?;
-    let message = wait_for_event_match(&codex, |ev| match ev {
+
+    let message = wait_for_event_match(&codex, |event| match event {
        EventMsg::ContextCompacted(_) => Some(true),
        _ => None,
    })
    .await;
-    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TurnComplete(_))).await;
-
+    wait_for_event(&codex, |event| matches!(event, EventMsg::TurnComplete(_))).await;
    assert!(message);
    assert_eq!(compact_mock.requests().len(), 1);
    let follow_up_body = responses_mock.single_request().body_json().to_string();
@@ -217,6 +220,101 @@ async fn remote_compact_runs_automatically() -> Result<()> {
    Ok(())
 }

+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn remote_manual_compact_emits_context_compaction_items() -> Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let harness = TestCodexHarness::with_builder(
+        test_codex()
+            .with_auth(CodexAuth::create_dummy_chatgpt_auth_for_testing())
+            .with_config(|config| {
+                config.features.enable(Feature::RemoteCompaction);
+            }),
+    )
+    .await?;
+    let codex = harness.test().codex.clone();
+
+    mount_sse_once(
+        harness.server(),
+        sse(vec![
+            responses::ev_assistant_message("m1", "REMOTE_REPLY"),
+            responses::ev_completed("resp-1"),
+        ]),
+    )
+    .await;
+
+    let compacted_history = vec![
+        ResponseItem::Message {
+            id: None,
+            role: "user".to_string(),
+            content: vec![ContentItem::InputText {
+                text: "REMOTE_COMPACTED_SUMMARY".to_string(),
+            }],
+            end_turn: None,
+        },
+        ResponseItem::Compaction {
+            encrypted_content: "ENCRYPTED_COMPACTION_SUMMARY".to_string(),
+        },
+    ];
+    let compact_mock = responses::mount_compact_json_once(
+        harness.server(),
+        serde_json::json!({ "output": compacted_history.clone() }),
+    )
+    .await;
+
+    codex
+        .submit(Op::UserInput {
+            items: vec![UserInput::Text {
+                text: "manual remote compact".into(),
+                text_elements: Vec::new(),
+            }],
+            final_output_json_schema: None,
+        })
+        .await?;
+    wait_for_event(&codex, |event| matches!(event, EventMsg::TurnComplete(_))).await;
+
+    codex.submit(Op::Compact).await?;
+
+    let mut started_item = None;
+    let mut completed_item = None;
+    let mut legacy_event = false;
+    let mut saw_turn_complete = false;
+
+    while !saw_turn_complete || started_item.is_none() || completed_item.is_none() || !legacy_event
+    {
+        let event = codex.next_event().await.unwrap();
+        match event.msg {
+            EventMsg::ItemStarted(ItemStartedEvent {
+                item: TurnItem::ContextCompaction(item),
+                ..
+            }) => {
+                started_item = Some(item);
+            }
+            EventMsg::ItemCompleted(ItemCompletedEvent {
+                item: TurnItem::ContextCompaction(item),
+                ..
+            }) => {
+                completed_item = Some(item);
+            }
+            EventMsg::ContextCompacted(_) => {
+                legacy_event = true;
+            }
+            EventMsg::TurnComplete(_) => {
+                saw_turn_complete = true;
+            }
+            _ => {}
+        }
+    }
+
+    let started_item = started_item.expect("context compaction item started");
+    let completed_item = completed_item.expect("context compaction item completed");
+    assert_eq!(started_item.id, completed_item.id);
+    assert!(legacy_event);
+    assert_eq!(compact_mock.requests().len(), 1);
+
+    Ok(())
+}
+
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn remote_compact_persists_replacement_history_in_rollout() -> Result<()> {
    skip_if_no_network!(Ok(()));
--- a/codex-rs/core/tests/suite/compact_resume_fork.rs
+++ b/codex-rs/core/tests/suite/compact_resume_fork.rs
@@ -10,12 +10,8 @@
 use super::compact::COMPACT_WARNING_MESSAGE;
 use super::compact::FIRST_REPLY;
 use super::compact::SUMMARY_TEXT;
-use codex_core::CodexAuth;
 use codex_core::CodexThread;
-use codex_core::ModelProviderInfo;
-use codex_core::NewThread;
 use codex_core::ThreadManager;
-use codex_core::built_in_model_providers;
 use codex_core::compact::SUMMARIZATION_PROMPT;
 use codex_core::config::Config;
 use codex_core::protocol::EventMsg;
@@ -23,12 +19,12 @@ use codex_core::protocol::Op;
 use codex_core::protocol::WarningEvent;
 use codex_core::spawn::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;
 use codex_protocol::user_input::UserInput;
-use core_test_support::load_default_config_for_test;
 use core_test_support::responses::ResponseMock;
 use core_test_support::responses::ev_assistant_message;
 use core_test_support::responses::ev_completed;
 use core_test_support::responses::mount_sse_once_match;
 use core_test_support::responses::sse;
+use core_test_support::test_codex::test_codex;
 use core_test_support::wait_for_event;
 use pretty_assertions::assert_eq;
 use serde_json::Value;
@@ -99,8 +95,7 @@ fn extract_summary_message(request: &Value, summary_text: &str) -> Value {
                        .and_then(|arr| arr.first())
                        .and_then(|entry| entry.get("text"))
                        .and_then(Value::as_str)
-                        .map(|text| text.contains(summary_text))
-                        .unwrap_or(false)
+                        .is_some_and(|text| text.contains(summary_text))
            })
        })
        .cloned()
@@ -117,21 +112,18 @@ fn normalize_compact_prompts(requests: &mut [Value]) {
                {
                    return true;
                }
-                let content = item
-                    .get("content")
-                    .and_then(Value::as_array)
-                    .cloned()
+                let Some(content) = item.get("content").and_then(Value::as_array) else {
+                    return false;
+                };
+                let Some(first) = content.first() else {
+                    return false;
+                };
+                let text = first
+                    .get("text")
+                    .and_then(Value::as_str)
                    .unwrap_or_default();
-                if let Some(first) = content.first() {
-                    let text = first
-                        .get("text")
-                        .and_then(Value::as_str)
-                        .unwrap_or_default();
-                    let normalized_text = normalize_line_endings_str(text);
-                    !(text.is_empty() || normalized_text == normalized_summary_prompt)
-                } else {
-                    false
-                }
+                let normalized_text = normalize_line_endings_str(text);
+                !(text.is_empty() || normalized_text == normalized_summary_prompt)
            });
        }
    }
@@ -874,9 +866,7 @@ fn gather_request_bodies(request_log: &[ResponseMock]) -> Vec<Value> {
        .flat_map(ResponseMock::requests)
        .map(|request| request.body_json())
        .collect::<Vec<_>>();
-    for body in &mut bodies {
-        normalize_line_endings(body);
-    }
+    bodies.iter_mut().for_each(normalize_line_endings);
    bodies
 }

@@ -960,29 +950,19 @@ async fn mount_second_compact_flow(server: &MockServer) -> Vec<ResponseMock> {
 async fn start_test_conversation(
    server: &MockServer,
    model: Option<&str>,
-) -> (TempDir, Config, ThreadManager, Arc<CodexThread>) {
-    let model_provider = ModelProviderInfo {
-        name: "Non-OpenAI Model provider".into(),
-        base_url: Some(format!("{}/v1", server.uri())),
-        ..built_in_model_providers()["openai"].clone()
-    };
-    let home = TempDir::new().expect("create temp dir");
-    let mut config = load_default_config_for_test(&home).await;
-    config.model_provider = model_provider;
-    config.compact_prompt = Some(SUMMARIZATION_PROMPT.to_string());
-    if let Some(model) = model {
-        config.model = Some(model.to_string());
-    }
-    let manager = ThreadManager::with_models_provider(
-        CodexAuth::from_api_key("dummy"),
-        config.model_provider.clone(),
-    );
-    let NewThread { thread, .. } = manager
-        .start_thread(config.clone())
-        .await
-        .expect("create conversation");
-
-    (home, config, manager, thread)
+) -> (Arc<TempDir>, Config, Arc<ThreadManager>, Arc<CodexThread>) {
+    let base_url = format!("{}/v1", server.uri());
+    let model = model.map(str::to_string);
+    let mut builder = test_codex().with_config(move |config| {
+        config.model_provider.name = "Non-OpenAI Model provider".to_string();
+        config.model_provider.base_url = Some(base_url);
+        config.compact_prompt = Some(SUMMARIZATION_PROMPT.to_string());
+        if let Some(model) = model {
+            config.model = Some(model);
+        }
+    });
+    let test = builder.build(server).await.expect("create conversation");
+    (test.home, test.config, test.thread_manager, test.codex)
 }

 async fn user_turn(conversation: &Arc<CodexThread>, text: &str) {
@@ -1021,13 +1001,14 @@ async fn resume_conversation(
    config: &Config,
    path: std::path::PathBuf,
 ) -> Arc<CodexThread> {
-    let auth_manager =
-        codex_core::AuthManager::from_auth_for_testing(CodexAuth::from_api_key("dummy"));
-    let NewThread { thread, .. } = manager
+    let auth_manager = codex_core::AuthManager::from_auth_for_testing(
+        codex_core::CodexAuth::from_api_key("dummy"),
+    );
+    manager
        .resume_thread_from_rollout(config.clone(), path, auth_manager)
        .await
-        .expect("resume conversation");
-    thread
+        .expect("resume conversation")
+        .thread
 }

 #[cfg(test)]
@@ -1037,9 +1018,9 @@ async fn fork_thread(
    path: std::path::PathBuf,
    nth_user_message: usize,
 ) -> Arc<CodexThread> {
-    let NewThread { thread, .. } = manager
+    manager
        .fork_thread(nth_user_message, config.clone(), path)
        .await
-        .expect("fork conversation");
-    thread
+        .expect("fork conversation")
+        .thread
 }
--- a/codex-rs/core/tests/suite/deprecation_notice.rs
+++ b/codex-rs/core/tests/suite/deprecation_notice.rs
@@ -16,6 +16,7 @@ use core_test_support::test_codex::TestCodex;
 use core_test_support::test_codex::test_codex;
 use core_test_support::wait_for_event_match;
 use pretty_assertions::assert_eq;
+use std::collections::BTreeMap;
 use toml::Value as TomlValue;

 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
@@ -49,7 +50,7 @@ async fn emits_deprecation_notice_for_legacy_feature_flag() -> anyhow::Result<()
    assert_eq!(
        details.as_deref(),
        Some(
-            "Enable it with `--enable unified_exec` or `[features].unified_exec` in config.toml. See https://developers.openai.com/codex/config-advanced/ for details."
+            "Enable it with `--enable unified_exec` or `[features].unified_exec` in config.toml. See https://github.com/openai/codex/blob/main/docs/config.md#feature-flags for details."
        ),
    );

@@ -110,3 +111,73 @@ async fn emits_deprecation_notice_for_experimental_instructions_file() -> anyhow

    Ok(())
 }
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn emits_deprecation_notice_for_web_search_feature_flags() -> anyhow::Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let server = start_mock_server().await;
+
+    let mut builder = test_codex().with_config(|config| {
+        let mut entries = BTreeMap::new();
+        entries.insert("web_search_request".to_string(), true);
+        config.features.apply_map(&entries);
+    });
+
+    let TestCodex { codex, .. } = builder.build(&server).await?;
+
+    let notice = wait_for_event_match(&codex, |event| match event {
+        EventMsg::DeprecationNotice(ev) if ev.summary.contains("[features].web_search_request") => {
+            Some(ev.clone())
+        }
+        _ => None,
+    })
+    .await;
+
+    let DeprecationNoticeEvent { summary, details } = notice;
+    assert_eq!(
+        summary,
+        "`[features].web_search_request` is deprecated. Use `web_search` instead.".to_string(),
+    );
+    assert_eq!(
+        details.as_deref(),
+        Some("Set `web_search` to `\"live\"`, `\"cached\"`, or `\"disabled\"` in config.toml."),
+    );
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn emits_deprecation_notice_for_disabled_web_search_feature_flag() -> anyhow::Result<()> {
+    skip_if_no_network!(Ok(()));
+
+    let server = start_mock_server().await;
+
+    let mut builder = test_codex().with_config(|config| {
+        let mut entries = BTreeMap::new();
+        entries.insert("web_search_request".to_string(), false);
+        config.features.apply_map(&entries);
+    });
+
+    let TestCodex { codex, .. } = builder.build(&server).await?;
+
+    let notice = wait_for_event_match(&codex, |event| match event {
+        EventMsg::DeprecationNotice(ev) if ev.summary.contains("[features].web_search_request") => {
+            Some(ev.clone())
+        }
+        _ => None,
+    })
+    .await;
+
+    let DeprecationNoticeEvent { summary, details } = notice;
+    assert_eq!(
+        summary,
+        "`[features].web_search_request` is deprecated. Use `web_search` instead.".to_string(),
+    );
+    assert_eq!(
+        details.as_deref(),
+        Some("Set `web_search` to `\"live\"`, `\"cached\"`, or `\"disabled\"` in config.toml."),
+    );
+
+    Ok(())
+}
--- a/codex-rs/core/tests/suite/exec.rs
+++ b/codex-rs/core/tests/suite/exec.rs
@@ -10,6 +10,7 @@ use codex_core::exec::process_exec_tool_call;
 use codex_core::protocol::SandboxPolicy;
 use codex_core::sandboxing::SandboxPermissions;
 use codex_core::spawn::CODEX_SANDBOX_ENV_VAR;
+use codex_protocol::config_types::WindowsSandboxLevel;
 use tempfile::TempDir;

 use codex_core::error::Result;
@@ -27,7 +28,7 @@ fn skip_test() -> bool {

 #[expect(clippy::expect_used)]
 async fn run_test_cmd(tmp: TempDir, cmd: Vec<&str>) -> Result<ExecToolCallOutput> {
-    let sandbox_type = get_platform_sandbox().expect("should be able to get sandbox type");
+    let sandbox_type = get_platform_sandbox(false).expect("should be able to get sandbox type");
    assert_eq!(sandbox_type, SandboxType::MacosSeatbelt);

    let params = ExecParams {
@@ -36,6 +37,7 @@ async fn run_test_cmd(tmp: TempDir, cmd: Vec<&str>) -> Result<ExecToolCallOutput
        expiration: 1000.into(),
        env: HashMap::new(),
        sandbox_permissions: SandboxPermissions::UseDefault,
+        windows_sandbox_level: WindowsSandboxLevel::Disabled,
        justification: None,
        arg0: None,
    };
--- a/codex-rs/core/tests/suite/fork_thread.rs
+++ b/codex-rs/core/tests/suite/fork_thread.rs
@@ -1,8 +1,4 @@
-use codex_core::CodexAuth;
-use codex_core::ModelProviderInfo;
 use codex_core::NewThread;
-use codex_core::ThreadManager;
-use codex_core::built_in_model_providers;
 use codex_core::parse_turn_item;
 use codex_core::protocol::EventMsg;
 use codex_core::protocol::Op;
@@ -10,10 +6,9 @@ use codex_core::protocol::RolloutItem;
 use codex_core::protocol::RolloutLine;
 use codex_protocol::items::TurnItem;
 use codex_protocol::user_input::UserInput;
-use core_test_support::load_default_config_for_test;
 use core_test_support::skip_if_no_network;
+use core_test_support::test_codex::test_codex;
 use core_test_support::wait_for_event;
-use tempfile::TempDir;
 use wiremock::Mock;
 use wiremock::MockServer;
 use wiremock::ResponseTemplate;
@@ -44,25 +39,11 @@ async fn fork_thread_twice_drops_to_first_message() {
        .mount(&server)
        .await;

-    // Configure Codex to use the mock server.
-    let model_provider = ModelProviderInfo {
-        base_url: Some(format!("{}/v1", server.uri())),
-        ..built_in_model_providers()["openai"].clone()
-    };
-
-    let home = TempDir::new().unwrap();
-    let mut config = load_default_config_for_test(&home).await;
-    config.model_provider = model_provider.clone();
-    let config_for_fork = config.clone();
-
-    let thread_manager = ThreadManager::with_models_provider(
-        CodexAuth::from_api_key("dummy"),
-        config.model_provider.clone(),
-    );
-    let NewThread { thread: codex, .. } = thread_manager
-        .start_thread(config)
-        .await
-        .expect("create conversation");
+    let mut builder = test_codex();
+    let test = builder.build(&server).await.expect("create conversation");
+    let codex = test.codex.clone();
+    let thread_manager = test.thread_manager.clone();
+    let config_for_fork = test.config.clone();

    // Send three user messages; wait for three completed turns.
    for text in ["first", "second", "third"] {
--- a/codex-rs/core/tests/suite/items.rs
+++ b/codex-rs/core/tests/suite/items.rs
@@ -6,6 +6,7 @@ use codex_core::protocol::ItemCompletedEvent;
 use codex_core::protocol::ItemStartedEvent;
 use codex_core::protocol::Op;
 use codex_protocol::items::TurnItem;
+use codex_protocol::models::WebSearchAction;
 use codex_protocol::user_input::ByteRange;
 use codex_protocol::user_input::TextElement;
 use codex_protocol::user_input::UserInput;
@@ -18,7 +19,7 @@ use core_test_support::responses::ev_reasoning_item_added;
 use core_test_support::responses::ev_reasoning_summary_text_delta;
 use core_test_support::responses::ev_reasoning_text_delta;
 use core_test_support::responses::ev_response_created;
-use core_test_support::responses::ev_web_search_call_added;
+use core_test_support::responses::ev_web_search_call_added_partial;
 use core_test_support::responses::ev_web_search_call_done;
 use core_test_support::responses::mount_sse_once;
 use core_test_support::responses::sse;
@@ -208,8 +209,7 @@ async fn web_search_item_is_emitted() -> anyhow::Result<()> {

    let TestCodex { codex, .. } = test_codex().build(&server).await?;

-    let web_search_added =
-        ev_web_search_call_added("web-search-1", "in_progress", "weather seattle");
+    let web_search_added = ev_web_search_call_added_partial("web-search-1", "in_progress");
    let web_search_done = ev_web_search_call_done("web-search-1", "completed", "weather seattle");

    let first_response = sse(vec![
@@ -230,11 +230,8 @@ async fn web_search_item_is_emitted() -> anyhow::Result<()> {
        })
        .await?;

-    let started = wait_for_event_match(&codex, |ev| match ev {
-        EventMsg::ItemStarted(ItemStartedEvent {
-            item: TurnItem::WebSearch(item),
-            ..
-        }) => Some(item.clone()),
+    let begin = wait_for_event_match(&codex, |ev| match ev {
+        EventMsg::WebSearchBegin(event) => Some(event.clone()),
        _ => None,
    })
    .await;
@@ -247,8 +244,14 @@ async fn web_search_item_is_emitted() -> anyhow::Result<()> {
    })
    .await;

-    assert_eq!(started.id, completed.id);
-    assert_eq!(completed.query, "weather seattle");
+    assert_eq!(begin.call_id, "web-search-1");
+    assert_eq!(completed.id, begin.call_id);
+    assert_eq!(
+        completed.action,
+        WebSearchAction::Search {
+            query: Some("weather seattle".to_string()),
+        }
+    );

    Ok(())
 }
--- a/codex-rs/core/tests/suite/mod.rs
+++ b/codex-rs/core/tests/suite/mod.rs
@@ -65,6 +65,7 @@ mod shell_command;
 mod shell_serialization;
 mod shell_snapshot;
 mod skills;
+mod sqlite_state;
 mod stream_error_allows_next_turn;
 mod stream_no_completed;
 mod text_encoding_fix;
@@ -74,6 +75,7 @@ mod tools;
 mod truncation;
 mod undo;
 mod unified_exec;
+mod unstable_features_warning;
 mod user_notification;
 mod user_shell_cmd;
 mod view_image;
--- a/codex-rs/core/tests/suite/model_overrides.rs
+++ b/codex-rs/core/tests/suite/model_overrides.rs
@@ -1,42 +1,35 @@
-use codex_core::CodexAuth;
-use codex_core::ThreadManager;
 use codex_core::protocol::EventMsg;
 use codex_core::protocol::Op;
 use codex_protocol::openai_models::ReasoningEffort;
-use core_test_support::load_default_config_for_test;
+use core_test_support::responses::start_mock_server;
+use core_test_support::test_codex::test_codex;
 use core_test_support::wait_for_event;
 use pretty_assertions::assert_eq;
-use tempfile::TempDir;

 const CONFIG_TOML: &str = "config.toml";

 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn override_turn_context_does_not_persist_when_config_exists() {
-    let codex_home = TempDir::new().unwrap();
-    let config_path = codex_home.path().join(CONFIG_TOML);
+    let server = start_mock_server().await;
    let initial_contents = "model = \"gpt-4o\"\n";
-    tokio::fs::write(&config_path, initial_contents)
-        .await
-        .expect("seed config.toml");
-
-    let mut config = load_default_config_for_test(&codex_home).await;
-    config.model = Some("gpt-4o".to_string());
-
-    let thread_manager = ThreadManager::with_models_provider(
-        CodexAuth::from_api_key("Test API Key"),
-        config.model_provider.clone(),
-    );
-    let codex = thread_manager
-        .start_thread(config)
-        .await
-        .expect("create conversation")
-        .thread;
+    let mut builder = test_codex()
+        .with_pre_build_hook(move |home| {
+            let config_path = home.join(CONFIG_TOML);
+            std::fs::write(config_path, initial_contents).expect("seed config.toml");
+        })
+        .with_config(|config| {
+            config.model = Some("gpt-4o".to_string());
+        });
+    let test = builder.build(&server).await.expect("create conversation");
+    let codex = test.codex.clone();
+    let config_path = test.home.path().join(CONFIG_TOML);

    codex
        .submit(Op::OverrideTurnContext {
            cwd: None,
            approval_policy: None,
            sandbox_policy: None,
+            windows_sandbox_level: None,
            model: Some("o3".to_string()),
            effort: Some(Some(ReasoningEffort::High)),
            summary: None,
@@ -57,30 +50,22 @@ async fn override_turn_context_does_not_persist_when_config_exists() {

 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn override_turn_context_does_not_create_config_file() {
-    let codex_home = TempDir::new().unwrap();
-    let config_path = codex_home.path().join(CONFIG_TOML);
+    let server = start_mock_server().await;
+    let mut builder = test_codex();
+    let test = builder.build(&server).await.expect("create conversation");
+    let codex = test.codex.clone();
+    let config_path = test.home.path().join(CONFIG_TOML);
    assert!(
        !config_path.exists(),
        "test setup should start without config"
    );

-    let config = load_default_config_for_test(&codex_home).await;
-
-    let thread_manager = ThreadManager::with_models_provider(
-        CodexAuth::from_api_key("Test API Key"),
-        config.model_provider.clone(),
-    );
-    let codex = thread_manager
-        .start_thread(config)
-        .await
-        .expect("create conversation")
-        .thread;
-
    codex
        .submit(Op::OverrideTurnContext {
            cwd: None,
            approval_policy: None,
            sandbox_policy: None,
+            windows_sandbox_level: None,
            model: Some("o3".to_string()),
            effort: Some(Some(ReasoningEffort::Medium)),
            summary: None,
--- a/codex-rs/core/tests/suite/override_updates.rs
+++ b/codex-rs/core/tests/suite/override_updates.rs
@@ -118,6 +118,7 @@ async fn override_turn_context_records_permissions_update() -> Result<()> {
            cwd: None,
            approval_policy: Some(AskForApproval::Never),
            sandbox_policy: None,
+            windows_sandbox_level: None,
            model: None,
            effort: None,
            summary: None,
@@ -161,6 +162,7 @@ async fn override_turn_context_records_environment_update() -> Result<()> {
            cwd: Some(new_cwd.path().to_path_buf()),
            approval_policy: None,
            sandbox_policy: None,
+            windows_sandbox_level: None,
            model: None,
            effort: None,
            summary: None,
@@ -198,6 +200,7 @@ async fn override_turn_context_records_collaboration_update() -> Result<()> {
            cwd: None,
            approval_policy: None,
            sandbox_policy: None,
+            windows_sandbox_level: None,
            model: None,
            effort: None,
            summary: None,
--- a/codex-rs/core/tests/suite/permissions_messages.rs
+++ b/codex-rs/core/tests/suite/permissions_messages.rs
@@ -4,6 +4,8 @@ use codex_core::protocol::AskForApproval;
 use codex_core::protocol::EventMsg;
 use codex_core::protocol::Op;
 use codex_core::protocol::SandboxPolicy;
+use codex_execpolicy::Policy;
+use codex_protocol::models::DeveloperInstructions;
 use codex_protocol::user_input::UserInput;
 use codex_utils_absolute_path::AbsolutePathBuf;
 use core_test_support::responses::ev_completed;
@@ -106,6 +108,7 @@ async fn permissions_message_added_on_override_change() -> Result<()> {
            cwd: None,
            approval_policy: Some(AskForApproval::Never),
            sandbox_policy: None,
+            windows_sandbox_level: None,
            model: None,
            effort: None,
            summary: None,
@@ -227,6 +230,7 @@ async fn resume_replays_permissions_messages() -> Result<()> {
            cwd: None,
            approval_policy: Some(AskForApproval::Never),
            sandbox_policy: None,
+            windows_sandbox_level: None,
            model: None,
            effort: None,
            summary: None,
@@ -309,6 +313,7 @@ async fn resume_and_fork_append_permissions_messages() -> Result<()> {
            cwd: None,
            approval_policy: Some(AskForApproval::Never),
            sandbox_policy: None,
+            windows_sandbox_level: None,
            model: None,
            effort: None,
            summary: None,
@@ -408,10 +413,11 @@ async fn permissions_message_includes_writable_roots() -> Result<()> {
        exclude_tmpdir_env_var: false,
        exclude_slash_tmp: false,
    };
+    let sandbox_policy_for_config = sandbox_policy.clone();

    let mut builder = test_codex().with_config(move |config| {
        config.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
-        config.sandbox_policy = Constrained::allow_any(sandbox_policy);
+        config.sandbox_policy = Constrained::allow_any(sandbox_policy_for_config);
    });
    let test = builder.build(&server).await?;

@@ -429,39 +435,14 @@ async fn permissions_message_includes_writable_roots() -> Result<()> {
    let body = req.single_request().body_json();
    let input = body["input"].as_array().expect("input array");
    let permissions = permissions_texts(input);
-    let sandbox_text = "Filesystem sandboxing defines which files can be read or written. `sandbox_mode` is `workspace-write`: The sandbox permits reading files, and editing files in `cwd` and `writable_roots`. Editing files in other directories requires approval. Network access is restricted.";
-    let approval_text = " Approvals are your mechanism to get user consent to run shell commands without the sandbox. `approval_policy` is `on-request`: Commands will be run in the sandbox by default, and you can specify in your tool call if you want to escalate a command to run without sandboxing. If the completing the task requires escalated permissions, Do not let these settings or the sandbox deter you from attempting to accomplish the user's task.\n\nHere are scenarios where you'll need to request approval:\n- You need to run a command that writes to a directory that requires it (e.g. running tests that write to /var)\n- You need to run a GUI app (e.g., open/xdg-open/osascript) to open browsers or files.\n- You are running sandboxed and need to run a command that requires network access (e.g. installing packages)\n- If you run a command that is important to solving the user's query, but it fails because of sandboxing, rerun the command with approval. ALWAYS proceed to use the `sandbox_permissions` and `justification` parameters - do not message the user before requesting approval for the command.\n- You are about to take a potentially destructive action such as an `rm` or `git reset` that the user did not explicitly ask for.\n\nWhen requesting approval to execute a command that will require escalated privileges:\n  - Provide the `sandbox_permissions` parameter with the value `\"require_escalated\"`\n  - Include a short, 1 sentence explanation for why you need escalated permissions in the justification parameter";
-    // Normalize paths by removing trailing slashes to match AbsolutePathBuf behavior
-    let normalize_path =
-        |p: &std::path::Path| -> String { p.to_string_lossy().trim_end_matches('/').to_string() };
-    let mut roots = vec![
-        normalize_path(writable.path()),
-        normalize_path(test.config.cwd.as_path()),
-    ];
-    if cfg!(unix) && std::path::Path::new("/tmp").is_dir() {
-        roots.push("/tmp".to_string());
-    }
-    if let Some(tmpdir) = std::env::var_os("TMPDIR") {
-        let tmpdir_path = std::path::PathBuf::from(&tmpdir);
-        if tmpdir_path.is_absolute() && !tmpdir.is_empty() {
-            roots.push(normalize_path(&tmpdir_path));
-        }
-    }
-    let roots_text = if roots.len() == 1 {
-        format!(" The writable root is `{}`.", roots[0])
-    } else {
-        format!(
-            " The writable roots are {}.",
-            roots
-                .iter()
-                .map(|root| format!("`{root}`"))
-                .collect::<Vec<_>>()
-                .join(", ")
-        )
-    };
-    let expected = format!(
-        "<permissions instructions>{sandbox_text}{approval_text}{roots_text}</permissions instructions>"
-    );
+    let expected = DeveloperInstructions::from_policy(
+        &sandbox_policy,
+        AskForApproval::OnRequest,
+        &Policy::empty(),
+        false,
+        test.config.cwd.as_path(),
+    )
+    .into_text();
    // Normalize line endings to handle Windows vs Unix differences
    let normalize_line_endings = |s: &str| s.replace("\r\n", "\n");
    let expected_normalized = normalize_line_endings(&expected);
--- a/Show More
+++ b/Show More