docs: refresh codex-cli readme

chore: rework tools execution workflow (#5278 )
Re-work the tool execution flow. Read `orchestrator.rs` to understand the structure
2026-02-02 06:57:03 +00:00 · 2025-10-20 14:51:01 -07:00 · 2025-10-20 20:57:37 +01:00 · 2025-10-20 12:26:46 -07:00 · 2025-10-20 12:08:06 -07:00 · 2025-10-20 11:45:11 -07:00
291 changed files with 19910 additions and 6875 deletions
--- a/.github/ISSUE_TEMPLATE/2-bug-report.yml
+++ b/.github/ISSUE_TEMPLATE/2-bug-report.yml
@@ -20,6 +20,14 @@ body:
    attributes:
      label: What version of Codex is running?
      description: Copy the output of `codex --version`
+    validations:
+      required: true
+  - type: input
+    id: plan
+    attributes:
+      label: What subscription do you have?
+    validations:
+      required: true
  - type: input
    id: model
    attributes:
@@ -32,11 +40,18 @@ body:
      description: |
        For MacOS and Linux: copy the output of `uname -mprs`
        For Windows: copy the output of `"$([Environment]::OSVersion | ForEach-Object VersionString) $(if ([Environment]::Is64BitOperatingSystem) { "x64" } else { "x86" })"` in the PowerShell console
+  - type: textarea
+    id: actual
+    attributes:
+      label: What issue are you seeing?
+      description: Please include the full error messages and prompts with PII redacted. If possible, please provide text instead of a screenshot. 
+    validations:
+      required: true
  - type: textarea
    id: steps
    attributes:
      label: What steps can reproduce the bug?
-      description: Explain the bug and provide a code snippet that can reproduce it.
+      description: Explain the bug and provide a code snippet that can reproduce it. Please include session id, token limit usage, context window usage if applicable.
    validations:
      required: true
  - type: textarea
@@ -44,11 +59,6 @@ body:
    attributes:
      label: What is the expected behavior?
      description: If possible, please provide text instead of a screenshot.
-  - type: textarea
-    id: actual
-    attributes:
-      label: What do you see instead?
-      description: If possible, please provide text instead of a screenshot.
  - type: textarea
    id: notes
    attributes:
--- a/.github/ISSUE_TEMPLATE/5-vs-code-extension.yml
+++ b/.github/ISSUE_TEMPLATE/5-vs-code-extension.yml
@@ -14,11 +14,21 @@ body:
    id: version
    attributes:
      label: What version of the VS Code extension are you using?
+    validations:
+      required: true
+  - type: input
+    id: plan
+    attributes:
+      label: What subscription do you have?
+    validations:
+      required: true
  - type: input
    id: ide
    attributes:
      label: Which IDE are you using?
      description: Like `VS Code`, `Cursor`, `Windsurf`, etc.
+    validations:
+      required: true
  - type: input
    id: platform
    attributes:
@@ -26,11 +36,18 @@ body:
      description: |
        For MacOS and Linux: copy the output of `uname -mprs`
        For Windows: copy the output of `"$([Environment]::OSVersion | ForEach-Object VersionString) $(if ([Environment]::Is64BitOperatingSystem) { "x64" } else { "x86" })"` in the PowerShell console
+  - type: textarea
+    id: actual
+    attributes:
+      label: What issue are you seeing?
+      description: Please include the full error messages and prompts with PII redacted. If possible, please provide text instead of a screenshot. 
+    validations:
+      required: true
  - type: textarea
    id: steps
    attributes:
      label: What steps can reproduce the bug?
-      description: Explain the bug and provide a code snippet that can reproduce it.
+      description: Explain the bug and provide a code snippet that can reproduce it. Please include session id, token limit usage, context window usage if applicable.
    validations:
      required: true
  - type: textarea
@@ -38,11 +55,6 @@ body:
    attributes:
      label: What is the expected behavior?
      description: If possible, please provide text instead of a screenshot.
-  - type: textarea
-    id: actual
-    attributes:
-      label: What do you see instead?
-      description: If possible, please provide text instead of a screenshot.
  - type: textarea
    id: notes
    attributes:
--- a/.github/workflows/rust-ci.yml
+++ b/.github/workflows/rust-ci.yml
@@ -148,15 +148,26 @@ jobs:
          targets: ${{ matrix.target }}
          components: clippy

-      - uses: actions/cache@v4
+      # Explicit cache restore: split cargo home vs target, so we can
+      # avoid caching the large target dir on the gnu-dev job.
+      - name: Restore cargo home cache
+        id: cache_cargo_home_restore
+        uses: actions/cache/restore@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
-            ${{ github.workspace }}/codex-rs/target/
-          key: cargo-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}
+          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}
+
+      - name: Restore target cache (except gnu-dev)
+        id: cache_target_restore
+        if: ${{ !(matrix.target == 'x86_64-unknown-linux-gnu' && matrix.profile != 'release') }}
+        uses: actions/cache/restore@v4
+        with:
+          path: ${{ github.workspace }}/codex-rs/target/
+          key: cargo-target-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}

      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
        name: Install musl build tools
@@ -194,6 +205,31 @@ jobs:
        env:
          RUST_BACKTRACE: 1

+      # Save caches explicitly; make non-fatal so cache packaging
+      # never fails the overall job. Only save when key wasn't hit.
+      - name: Save cargo home cache
+        if: always() && !cancelled() && steps.cache_cargo_home_restore.outputs.cache-hit != 'true'
+        continue-on-error: true
+        uses: actions/cache/save@v4
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}
+
+      - name: Save target cache (except gnu-dev)
+        if: >-
+          always() && !cancelled() &&
+          (steps.cache_target_restore.outputs.cache-hit != 'true') &&
+          !(matrix.target == 'x86_64-unknown-linux-gnu' && matrix.profile != 'release')
+        continue-on-error: true
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ github.workspace }}/codex-rs/target/
+          key: cargo-target-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}
+
      # Fail the job if any of the previous steps failed.
      - name: verify all steps passed
        if: |
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -47,7 +47,7 @@ jobs:

  build:
    needs: tag-check
-    name: ${{ matrix.runner }} - ${{ matrix.target }}
+    name: Build - ${{ matrix.runner }} - ${{ matrix.target }}
    runs-on: ${{ matrix.runner }}
    timeout-minutes: 30
    defaults:
@@ -94,11 +94,181 @@ jobs:
      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
        name: Install musl build tools
        run: |
-          sudo apt install -y musl-tools pkg-config
+          sudo apt-get update
+          sudo apt-get install -y musl-tools pkg-config

      - name: Cargo build
        run: cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy

+      - if: ${{ matrix.runner == 'macos-14' }}
+        name: Configure Apple code signing
+        shell: bash
+        env:
+          KEYCHAIN_PASSWORD: actions
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE_P12 }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+        run: |
+          set -euo pipefail
+
+          if [[ -z "${APPLE_CERTIFICATE:-}" ]]; then
+            echo "APPLE_CERTIFICATE is required for macOS signing"
+            exit 1
+          fi
+
+          if [[ -z "${APPLE_CERTIFICATE_PASSWORD:-}" ]]; then
+            echo "APPLE_CERTIFICATE_PASSWORD is required for macOS signing"
+            exit 1
+          fi
+
+          cert_path="${RUNNER_TEMP}/apple_signing_certificate.p12"
+          echo "$APPLE_CERTIFICATE" | base64 -d > "$cert_path"
+
+          keychain_path="${RUNNER_TEMP}/codex-signing.keychain-db"
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
+          security set-keychain-settings -lut 21600 "$keychain_path"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
+
+          keychain_args=()
+          cleanup_keychain() {
+            if ((${#keychain_args[@]} > 0)); then
+              security list-keychains -s "${keychain_args[@]}" || true
+              security default-keychain -s "${keychain_args[0]}" || true
+            else
+              security list-keychains -s || true
+            fi
+            if [[ -f "$keychain_path" ]]; then
+              security delete-keychain "$keychain_path" || true
+            fi
+          }
+
+          while IFS= read -r keychain; do
+            [[ -n "$keychain" ]] && keychain_args+=("$keychain")
+          done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g')
+
+          if ((${#keychain_args[@]} > 0)); then
+            security list-keychains -s "$keychain_path" "${keychain_args[@]}"
+          else
+            security list-keychains -s "$keychain_path"
+          fi
+
+          security default-keychain -s "$keychain_path"
+          security import "$cert_path" -k "$keychain_path" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
+          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$keychain_path" > /dev/null
+
+          codesign_hashes=()
+          while IFS= read -r hash; do
+            [[ -n "$hash" ]] && codesign_hashes+=("$hash")
+          done < <(security find-identity -v -p codesigning "$keychain_path" \
+            | sed -n 's/.*\([0-9A-F]\{40\}\).*/\1/p' \
+            | sort -u)
+
+          if ((${#codesign_hashes[@]} == 0)); then
+            echo "No signing identities found in $keychain_path"
+            cleanup_keychain
+            rm -f "$cert_path"
+            exit 1
+          fi
+
+          if ((${#codesign_hashes[@]} > 1)); then
+            echo "Multiple signing identities found in $keychain_path:"
+            printf '  %s\n' "${codesign_hashes[@]}"
+            cleanup_keychain
+            rm -f "$cert_path"
+            exit 1
+          fi
+
+          APPLE_CODESIGN_IDENTITY="${codesign_hashes[0]}"
+
+          rm -f "$cert_path"
+
+          echo "APPLE_CODESIGN_IDENTITY=$APPLE_CODESIGN_IDENTITY" >> "$GITHUB_ENV"
+          echo "APPLE_CODESIGN_KEYCHAIN=$keychain_path" >> "$GITHUB_ENV"
+          echo "::add-mask::$APPLE_CODESIGN_IDENTITY"
+
+      - if: ${{ matrix.runner == 'macos-14' }}
+        name: Sign macOS binaries
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          if [[ -z "${APPLE_CODESIGN_IDENTITY:-}" ]]; then
+            echo "APPLE_CODESIGN_IDENTITY is required for macOS signing"
+            exit 1
+          fi
+
+          keychain_args=()
+          if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" && -f "${APPLE_CODESIGN_KEYCHAIN}" ]]; then
+            keychain_args+=(--keychain "${APPLE_CODESIGN_KEYCHAIN}")
+          fi
+
+          for binary in codex codex-responses-api-proxy; do
+            path="target/${{ matrix.target }}/release/${binary}"
+            codesign --force --options runtime --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
+          done
+
+      - if: ${{ matrix.runner == 'macos-14' }}
+        name: Notarize macOS binaries
+        shell: bash
+        env:
+          APPLE_NOTARIZATION_KEY_P8: ${{ secrets.APPLE_NOTARIZATION_KEY_P8 }}
+          APPLE_NOTARIZATION_KEY_ID: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }}
+          APPLE_NOTARIZATION_ISSUER_ID: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}
+        run: |
+          set -euo pipefail
+
+          for var in APPLE_NOTARIZATION_KEY_P8 APPLE_NOTARIZATION_KEY_ID APPLE_NOTARIZATION_ISSUER_ID; do
+            if [[ -z "${!var:-}" ]]; then
+              echo "$var is required for notarization"
+              exit 1
+            fi
+          done
+
+          notary_key_path="${RUNNER_TEMP}/notarytool.key.p8"
+          echo "$APPLE_NOTARIZATION_KEY_P8" | base64 -d > "$notary_key_path"
+          cleanup_notary() {
+            rm -f "$notary_key_path"
+          }
+          trap cleanup_notary EXIT
+
+          notarize_binary() {
+            local binary="$1"
+            local source_path="target/${{ matrix.target }}/release/${binary}"
+            local archive_path="${RUNNER_TEMP}/${binary}.zip"
+
+            if [[ ! -f "$source_path" ]]; then
+              echo "Binary $source_path not found"
+              exit 1
+            fi
+
+            rm -f "$archive_path"
+            ditto -c -k --keepParent "$source_path" "$archive_path"
+
+            submission_json=$(xcrun notarytool submit "$archive_path" \
+              --key "$notary_key_path" \
+              --key-id "$APPLE_NOTARIZATION_KEY_ID" \
+              --issuer "$APPLE_NOTARIZATION_ISSUER_ID" \
+              --output-format json \
+              --wait)
+
+            status=$(printf '%s\n' "$submission_json" | jq -r '.status // "Unknown"')
+            submission_id=$(printf '%s\n' "$submission_json" | jq -r '.id // ""')
+
+            if [[ -z "$submission_id" ]]; then
+              echo "Failed to retrieve submission ID for $binary"
+              exit 1
+            fi
+
+            echo "::notice title=Notarization::$binary submission ${submission_id} completed with status ${status}"
+
+            if [[ "$status" != "Accepted" ]]; then
+              echo "Notarization failed for ${binary} (submission ${submission_id}, status ${status})"
+              exit 1
+            fi
+          }
+
+          notarize_binary "codex"
+          notarize_binary "codex-responses-api-proxy"
+
      - name: Stage artifacts
        shell: bash
        run: |
@@ -157,6 +327,29 @@ jobs:
            zstd -T0 -19 --rm "$dest/$base"
          done

+      - name: Remove signing keychain
+        if: ${{ always() && matrix.runner == 'macos-14' }}
+        shell: bash
+        env:
+          APPLE_CODESIGN_KEYCHAIN: ${{ env.APPLE_CODESIGN_KEYCHAIN }}
+        run: |
+          set -euo pipefail
+          if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" ]]; then
+            keychain_args=()
+            while IFS= read -r keychain; do
+              [[ "$keychain" == "$APPLE_CODESIGN_KEYCHAIN" ]] && continue
+              [[ -n "$keychain" ]] && keychain_args+=("$keychain")
+            done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g')
+            if ((${#keychain_args[@]} > 0)); then
+              security list-keychains -s "${keychain_args[@]}"
+              security default-keychain -s "${keychain_args[0]}"
+            fi
+
+            if [[ -f "$APPLE_CODESIGN_KEYCHAIN" ]]; then
+              security delete-keychain "$APPLE_CODESIGN_KEYCHAIN"
+            fi
+          fi
+
      - uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.target }}
--- a/.gitignore
+++ b/.gitignore
@@ -30,6 +30,7 @@ result
 # cli tools
 CLAUDE.md
 .claude/
+AGENTS.override.md

 # caches
 .cache/
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -3,6 +3,7 @@
    "rust-analyzer.check.command": "clippy",
    "rust-analyzer.check.extraArgs": ["--all-features", "--tests"],
    "rust-analyzer.rustfmt.extraArgs": ["--config", "imports_granularity=Item"],
+    "rust-analyzer.cargo.targetDir": "${workspaceFolder}/codex-rs/target/rust-analyzer",
    "[rust]": {
        "editor.defaultFormatter": "rust-lang.rust-analyzer",
        "editor.formatOnSave": true,
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -11,7 +11,9 @@ In the codex-rs folder where the rust code lives:
 - Always collapse if statements per https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_if
 - Always inline format! args when possible per https://rust-lang.github.io/rust-clippy/master/index.html#uninlined_format_args
 - Use method references over closures when possible per https://rust-lang.github.io/rust-clippy/master/index.html#redundant_closure_for_method_calls
+- Do not use unsigned integer even if the number cannot be negative.
 - When writing tests, prefer comparing the equality of entire objects over fields one by one.
+- When making a change that adds or changes an API, ensure that the documentation in the `docs/` folder is up to date if applicable.

 Run `just fmt` (in `codex-rs` directory) automatically after making Rust code changes; do not ask for approval to run it. Before finalizing a change to `codex-rs`, run `just fix -p <project>` (in `codex-rs` directory) to fix any linter issues in the code. Prefer scoping with `-p` to avoid slow workspace‑wide Clippy builds; only run `just fix` without `-p` if you changed shared crates. Additionally, run the tests:

--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-<p align="center"><code>npm i -g @openai/codex</code><br />or <code>brew install codex</code></p>
+<p align="center"><code>npm i -g @openai/codex</code><br />or <code>brew install --cask codex</code></p>

 <p align="center"><strong>Codex CLI</strong> is a coding agent from OpenAI that runs locally on your computer.
 </br>
@@ -24,7 +24,7 @@ npm install -g @openai/codex
 Alternatively, if you use Homebrew:

 ```shell
-brew install codex
+brew install --cask codex
 ```

 Then simply run `codex` to get started:
@@ -75,6 +75,7 @@ Codex CLI supports a rich set of configuration options, with preferences stored
  - [CLI usage](./docs/getting-started.md#cli-usage)
  - [Running with a prompt as input](./docs/getting-started.md#running-with-a-prompt-as-input)
  - [Example prompts](./docs/getting-started.md#example-prompts)
+  - [Custom prompts](./docs/prompts.md)
  - [Memory with AGENTS.md](./docs/getting-started.md#memory-with-agentsmd)
  - [Configuration](./docs/config.md)
 - [**Sandbox & approvals**](./docs/sandbox.md)
--- a/cliff.toml
+++ b/cliff.toml
@@ -4,7 +4,7 @@
 header = """
 # Changelog

-You can install any of these versions: `npm install -g codex@version`
+You can install any of these versions: `npm install -g @openai/codex@<version>`
 """

 body = """
--- a/codex-cli/README.md
+++ b/codex-cli/README.md
@@ -3,8 +3,8 @@

 <p align="center"><code>npm i -g @openai/codex</code></p>

-> [!IMPORTANT]
-> This is the documentation for the _legacy_ TypeScript implementation of the Codex CLI. It has been superseded by the _Rust_ implementation. See the [README in the root of the Codex repository](https://github.com/openai/codex/blob/main/README.md) for details.
+> [!NOTE]
+> This README focuses on the native Rust CLI. For additional deep dives, see the [docs/](../docs) folder and the [root README](https://github.com/openai/codex/blob/main/README.md).

 ![Codex demo GIF using: codex "explain this codebase to me"](../.github/demo.gif)

@@ -94,37 +94,8 @@ export OPENAI_API_KEY="your-api-key-here"
 >
 > The CLI will automatically load variables from `.env` (via `dotenv/config`).

-<details>
-<summary><strong>Use <code>--provider</code> to use other models</strong></summary>
-
-> Codex also allows you to use other providers that support the OpenAI Chat Completions API. You can set the provider in the config file or use the `--provider` flag. The possible options for `--provider` are:
->
-> - openai (default)
-> - openrouter
-> - azure
-> - gemini
-> - ollama
-> - mistral
-> - deepseek
-> - xai
-> - groq
-> - arceeai
-> - any other provider that is compatible with the OpenAI API
->
-> If you use a provider other than OpenAI, you will need to set the API key for the provider in the config file or in the environment variable as:
->
-> ```shell
-> export <provider>_API_KEY="your-api-key-here"
-> ```
->
-> If you use a provider not listed above, you must also set the base URL for the provider:
->
-> ```shell
-> export <provider>_BASE_URL="https://your-provider-api-base-url"
-> ```
-
-</details>
-<br />
+> [!TIP]
+> The CLI ships with OpenAI and local OSS providers out of the box. To add additional providers, edit the `[model_providers]` table in `~/.codex/config.toml`. See [Configuration guide](#configuration-guide) for examples.

 Run interactively:

@@ -139,7 +110,7 @@ codex "explain this codebase to me"
 ```

 ```shell
-codex --approval-mode full-auto "create the fanciest todo-list app"
+codex --full-auto "create the fanciest todo-list app"
 ```

 That's it - Codex will scaffold a file, run it inside a sandbox, install any
@@ -165,67 +136,61 @@ And it's **fully open-source** so you can see and contribute to how it develops!

 ## Security model & permissions

-Codex lets you decide _how much autonomy_ the agent receives and auto-approval policy via the
-`--approval-mode` flag (or the interactive onboarding prompt):
+Codex lets you decide _how much autonomy_ the agent receives via the
+`--ask-for-approval` flag (or the interactive onboarding prompt). The default is `on-request`.

-| Mode                      | What the agent may do without asking                                                                | Still requires approval                                                                         |
-| ------------------------- | --------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
-| **Suggest** <br>(default) | <li>Read any file in the repo                                                                       | <li>**All** file writes/patches<li> **Any** arbitrary shell commands (aside from reading files) |
-| **Auto Edit**             | <li>Read **and** apply-patch writes to files                                                        | <li>**All** shell commands                                                                      |
-| **Full Auto**             | <li>Read/write files <li> Execute shell commands (network disabled, writes limited to your workdir) | -                                                                                               |
+| Mode (`--ask-for-approval …`) | Auto-approves                                                                                                                                  | Escalates to you when…                                                                                 |
+| ----------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ |
+| `untrusted`                  | Built-in "safe" commands that only read files (`ls`, `cat`, `sed`, etc.)                                                                        | The model proposes writing to disk or running any other command.                                       |
+| `on-failure`                 | All commands, executed inside the configured sandbox with network access disabled and writes limited to the allowed directories.               | A command fails in the sandbox and the model wants to retry it without sandboxing.                     |
+| `on-request` _(default)_     | Whatever the model deems safe; it typically asks you before launching riskier commands or writing files.                                       | The model decides it wants confirmation, or the sandbox refuses a command and the model asks to retry. |
+| `never`                      | Everything, with no escalation.                                                                                                                | Never; failures are returned straight to the model.                                                    |

-In **Full Auto** every command is run **network-disabled** and confined to the
-current working directory (plus temporary files) for defense-in-depth. Codex
-will also show a warning/confirmation if you start in **auto-edit** or
-**full-auto** while the directory is _not_ tracked by Git, so you always have a
-safety net.
-
-Coming soon: you'll be able to whitelist specific commands to auto-execute with
-the network enabled, once we're confident in additional safeguards.
+Use `codex --full-auto` as a shorthand for `--ask-for-approval on-failure --sandbox workspace-write`. For air-gapped or CI environments that provide their own isolation, `--dangerously-bypass-approvals-and-sandbox` disables both confirmation prompts and sandboxing—double-check before using it.

 ### Platform sandboxing details

 The hardening mechanism Codex uses depends on your OS:

 - **macOS 12+** - commands are wrapped with **Apple Seatbelt** (`sandbox-exec`).
-
  - Everything is placed in a read-only jail except for a small set of
    writable roots (`$PWD`, `$TMPDIR`, `~/.codex`, etc.).
-  - Outbound network is _fully blocked_ by default - even if a child process
+  - Outbound network is _fully blocked_ by default – even if a child process
    tries to `curl` somewhere it will fail.

- **Linux** - there is no sandboxing by default.
-  We recommend using Docker for sandboxing, where Codex launches itself inside a **minimal
-  container image** and mounts your repo _read/write_ at the same path. A
-  custom `iptables`/`ipset` firewall script denies all egress except the
-  OpenAI API. This gives you deterministic, reproducible runs without needing
-  root on the host. You can use the [`run_in_container.sh`](../codex-cli/scripts/run_in_container.sh) script to set up the sandbox.
+- **Linux** - commands run through the bundled `codex-linux-sandbox` helper. It combines **Landlock** filesystem rules with a **seccomp** filter, mirroring the macOS policy: commands start network-disabled and only the working directory (plus a few temp paths) are writable. You still get escape hatches via the `--sandbox` flag:
+  - `--sandbox read-only` is ideal for review-only sessions.
+  - `--sandbox danger-full-access` turns the sandbox off. Pair it with `--ask-for-approval untrusted` if you still want Codex to double-check risky commands.
+
+Containers (Docker/Podman) can still be useful when you want completely reproducible toolchains, GPU access, or custom OS packages. In that case launch the CLI inside your container and keep the built-in sandbox on; it will happily sandbox _inside_ the container.

 ---

 ## System requirements

-| Requirement                 | Details                                                         |
-| --------------------------- | --------------------------------------------------------------- |
-| Operating systems           | macOS 12+, Ubuntu 20.04+/Debian 10+, or Windows 11 **via WSL2** |
-| Node.js                     | **16 or newer** (Node 20 LTS recommended)                       |
-| Git (optional, recommended) | 2.23+ for built-in PR helpers                                   |
-| RAM                         | 4-GB minimum (8-GB recommended)                                 |
+| Requirement                 | Details                                                                 |
+| --------------------------- | ----------------------------------------------------------------------- |
+| Operating systems           | macOS 12+, Ubuntu 22.04+/Debian 12+, or Windows 11 via WSL2             |
+| Runtime dependencies        | None for the packaged binaries (install via npm, Homebrew, or releases) |
+| Git (optional, recommended) | 2.39+ for built-in PR helpers                                           |
+| RAM                         | 4-GB minimum (8-GB recommended)                                         |

-> Never run `sudo npm install -g`; fix npm permissions instead.
+> Never run `sudo npm install -g`; fix npm or use another package manager instead.

 ---

 ## CLI reference

-| Command                              | Purpose                             | Example                              |
-| ------------------------------------ | ----------------------------------- | ------------------------------------ |
-| `codex`                              | Interactive REPL                    | `codex`                              |
-| `codex "..."`                        | Initial prompt for interactive REPL | `codex "fix lint errors"`            |
-| `codex -q "..."`                     | Non-interactive "quiet mode"        | `codex -q --json "explain utils.ts"` |
-| `codex completion <bash\|zsh\|fish>` | Print shell completion script       | `codex completion bash`              |
+| Command                              | Purpose                                             | Example                                              |
+| ------------------------------------ | --------------------------------------------------- | ---------------------------------------------------- |
+| `codex`                              | Launch the interactive TUI                         | `codex`                                              |
+| `codex "..."`                        | Seed the interactive session with an opening task  | `codex "fix lint errors"`                            |
+| `codex exec "..."`                   | Run a non-interactive turn in the current repo     | `codex exec "count the total number of TODO comments"` |
+| `codex exec --json "..."`            | Stream machine-readable events as JSON Lines       | `codex exec --json --full-auto "update CHANGELOG"`   |
+| `codex exec resume --last "..."`     | Resume the most recent non-interactive session     | `codex exec resume --last "ship the follow-up fix"`  |
+| `codex completion <bash\|zsh\|fish>` | Print shell completion script for your shell       | `codex completion bash`                              |

-Key flags: `--model/-m`, `--approval-mode/-a`, `--quiet/-q`, and `--notify`.
+Helpful flags: `--model/-m`, `--ask-for-approval/-a`, `--sandbox/-s`, `--oss`, `--full-auto`, `--config/-c key=value`, and `--web-search`.

 ---

@@ -237,8 +202,6 @@ You can give Codex extra instructions and guidance using `AGENTS.md` files. Code
 2. `AGENTS.md` at repo root - shared project notes
 3. `AGENTS.md` in the current working directory - sub-folder/feature specifics

-Disable loading of these files with `--no-project-doc` or the environment variable `CODEX_DISABLE_PROJECT_DOC=1`.
-
 ---

 ## Non-interactive / CI mode
@@ -250,19 +213,21 @@ Run Codex head-less in pipelines. Example GitHub Action step:
  run: |
    npm install -g @openai/codex
    export OPENAI_API_KEY="${{ secrets.OPENAI_KEY }}"
-    codex -a auto-edit --quiet "update CHANGELOG for next release"
+    codex exec --json --full-auto "update CHANGELOG for next release" > codex.log
 ```

-Set `CODEX_QUIET_MODE=1` to silence interactive UI noise.
+`codex exec` streams its progress to stderr and writes the final assistant reply to stdout. Use `--json` when you need structured output, or `-o path/to/result.json` to capture just the closing message.

 ## Tracing / verbose logging

-Setting the environment variable `DEBUG=true` prints full API request and response details:
+Set `RUST_LOG` to control structured logging. The default filter is `codex_core=info,codex_tui=info,codex_rmcp_client=info`. To turn on verbose logs for troubleshooting:

 ```shell
-DEBUG=true codex
+RUST_LOG=codex_core=debug,codex_tui=debug codex
 ```

+Logs are written to `~/.codex/logs/codex-tui.log` in addition to stderr. You can use standard `env_logger` syntax (e.g., `RUST_LOG=info,reqwest=trace`).
+
 ---

 ## Recipes
@@ -302,28 +267,21 @@ pnpm add -g @openai/codex
 <summary><strong>Build from source</strong></summary>

 ```bash
-# Clone the repository and navigate to the CLI package
+# Clone the repository and navigate to the workspace root
 git clone https://github.com/openai/codex.git
-cd codex/codex-cli
+cd codex

-# Enable corepack
-corepack enable
+# Ensure you have the latest stable Rust toolchain
+rustup default stable

-# Install dependencies and build
-pnpm install
-pnpm build
+# (Optional) install just for handy automation
+cargo install just

-# Linux-only: download prebuilt sandboxing binaries (requires gh and zstd).
-./scripts/install_native_deps.sh
+# Build the interactive CLI
+cargo build -p codex-tui

-# Get the usage and the options
-node ./dist/cli.js --help
-
-# Run the locally-built CLI directly
-node ./dist/cli.js
-
-# Or link the command globally for convenience
-pnpm link
+# Run it directly from source
+cargo run -p codex-tui -- --help
 ```

 </details>
@@ -332,153 +290,93 @@ pnpm link

 ## Configuration guide

-Codex configuration files can be placed in the `~/.codex/` directory, supporting both YAML and JSON formats.
+Codex reads configuration from `~/.codex/config.toml` (or `$CODEX_HOME/config.toml`). TOML is the only supported format. Command-line flags (`--model`, `--ask-for-approval`, `--config key=value`, etc.) override whatever is set in the file.

 ### Basic configuration parameters

-| Parameter           | Type    | Default    | Description                      | Available Options                                                                              |
-| ------------------- | ------- | ---------- | -------------------------------- | ---------------------------------------------------------------------------------------------- |
-| `model`             | string  | `o4-mini`  | AI model to use                  | Any model name supporting OpenAI API                                                           |
-| `approvalMode`      | string  | `suggest`  | AI assistant's permission mode   | `suggest` (suggestions only)<br>`auto-edit` (automatic edits)<br>`full-auto` (fully automatic) |
-| `fullAutoErrorMode` | string  | `ask-user` | Error handling in full-auto mode | `ask-user` (prompt for user input)<br>`ignore-and-continue` (ignore and proceed)               |
-| `notify`            | boolean | `true`     | Enable desktop notifications     | `true`/`false`                                                                                 |
+| Key                | Type     | Default                                      | Description                                                                                       |
+| ------------------ | -------- | -------------------------------------------- | ------------------------------------------------------------------------------------------------- |
+| `model`            | string   | `gpt-5-codex` (macOS/Linux) / `gpt-5` (WSL)  | Selects the default model.                                                                        |
+| `model_provider`   | string   | `openai`                                     | Picks an entry from the `[model_providers]` table.                                                |
+| `approval_policy`  | string   | `on-request`                                 | Matches the CLI `--ask-for-approval` flag (`untrusted`, `on-failure`, `on-request`, `never`).      |
+| `sandbox_mode`     | string   | `workspace-write` on trusted repos, otherwise read-only | Controls how shell commands are sandboxed (`read-only`, `workspace-write`, `danger-full-access`). |
+| `notify`           | array    | _unset_                                      | Optional notifier command: e.g. `notify = ["terminal-notifier", "-message", "Codex done"]`.       |
+| `tui_notifications`| table    | `{"approvals": true, "turns": true}`         | Controls OSC 9 terminal notifications.                                                            |
+| `history.persistence` | string | `save-all`                                   | `save-all`, `commands-only`, or `none`.                                                           |
+| `hide_agent_reasoning` | bool | `false`                                      | Suppress reasoning summaries in the UI.                                                           |

-### Custom AI provider configuration
+Use `codex --config key=value` to experiment without editing the file. For example, `codex --config approval_policy="untrusted"`.

-In the `providers` object, you can configure multiple AI service providers. Each provider requires the following parameters:
+### Managing model providers

-| Parameter | Type   | Description                             | Example                       |
-| --------- | ------ | --------------------------------------- | ----------------------------- |
-| `name`    | string | Display name of the provider            | `"OpenAI"`                    |
-| `baseURL` | string | API service URL                         | `"https://api.openai.com/v1"` |
-| `envKey`  | string | Environment variable name (for API key) | `"OPENAI_API_KEY"`            |
+The CLI bundles two providers: `openai` (Responses API) and `oss` (local models via Ollama). You can add more by extending the `model_providers` map. Entries do **not** replace the defaults; they are merged in.

-### History configuration
+```toml
+model = "gpt-4o"
+model_provider = "openai-chat"

-In the `history` object, you can configure conversation history settings:
+[model_providers.openai-chat]
+name = "OpenAI (Chat Completions)"
+base_url = "https://api.openai.com/v1"
+wire_api = "chat"
+env_key = "OPENAI_API_KEY"

-| Parameter           | Type    | Description                                            | Example Value |
-| ------------------- | ------- | ------------------------------------------------------ | ------------- |
-| `maxSize`           | number  | Maximum number of history entries to save              | `1000`        |
-| `saveHistory`       | boolean | Whether to save history                                | `true`        |
-| `sensitivePatterns` | array   | Patterns of sensitive information to filter in history | `[]`          |
-
-### Configuration examples
-
-1. YAML format (save as `~/.codex/config.yaml`):
-
-```yaml
-model: o4-mini
-approvalMode: suggest
-fullAutoErrorMode: ask-user
-notify: true
+[model_providers.ollama]
+name = "Ollama"
+base_url = "http://localhost:11434/v1"
 ```

-2. JSON format (save as `~/.codex/config.json`):
+Set API keys by exporting the environment variable referenced by each provider (`env_key`). If you need to override headers or query parameters, add `http_headers`, `env_http_headers`, or `query_params` within the provider block. See [`docs/config.md`](../docs/config.md#model_providers) for more examples, including Azure and custom retries.

-```json
-{
-  "model": "o4-mini",
-  "approvalMode": "suggest",
-  "fullAutoErrorMode": "ask-user",
-  "notify": true
-}
+### History, profiles, and overrides
+
+- History is controlled via the `[history]` table. Example:
+
+  ```toml
+  [history]
+  persistence = "commands-only"
+  redact_patterns = ["api_key=*"]
+  ```
+
+- Use profiles to store alternative defaults:
+
+  ```toml
+  [profiles.ops]
+  model = "gpt-5"
+  approval_policy = "untrusted"
+  sandbox_mode = "read-only"
+  ```
+
+  Launch with `codex --profile ops`.
+
+- Override individual keys for a single run: `codex --config history.persistence="none"`.
+
+### MCP servers and instructions
+
+Add MCP integrations with `[mcp_servers.<id>]` blocks (stdio or streamable HTTP). Refer to [`docs/config.md#mcps`](../docs/config.md#mcp-integration) for the schema.
+
+For persistent guidance, create `AGENTS.md` files in `~/.codex`, your repo root, or subdirectories. Codex merges them from root to current directory before each turn.
+
+### Example `config.toml`
+
+```toml
+model = "gpt-5-codex"
+model_provider = "openai"
+approval_policy = "untrusted"
+sandbox_mode = "workspace-write"
+
+[history]
+persistence = "save-all"
+
+[model_providers.azure]
+name = "Azure"
+base_url = "https://YOUR_RESOURCE_NAME.openai.azure.com/openai"
+env_key = "AZURE_OPENAI_API_KEY"
+wire_api = "responses"
+query_params = { api-version = "2025-04-01-preview" }
 ```

-### Full configuration example
-
-Below is a comprehensive example of `config.json` with multiple custom providers:
-
-```json
-{
-  "model": "o4-mini",
-  "provider": "openai",
-  "providers": {
-    "openai": {
-      "name": "OpenAI",
-      "baseURL": "https://api.openai.com/v1",
-      "envKey": "OPENAI_API_KEY"
-    },
-    "azure": {
-      "name": "AzureOpenAI",
-      "baseURL": "https://YOUR_PROJECT_NAME.openai.azure.com/openai",
-      "envKey": "AZURE_OPENAI_API_KEY"
-    },
-    "openrouter": {
-      "name": "OpenRouter",
-      "baseURL": "https://openrouter.ai/api/v1",
-      "envKey": "OPENROUTER_API_KEY"
-    },
-    "gemini": {
-      "name": "Gemini",
-      "baseURL": "https://generativelanguage.googleapis.com/v1beta/openai",
-      "envKey": "GEMINI_API_KEY"
-    },
-    "ollama": {
-      "name": "Ollama",
-      "baseURL": "http://localhost:11434/v1",
-      "envKey": "OLLAMA_API_KEY"
-    },
-    "mistral": {
-      "name": "Mistral",
-      "baseURL": "https://api.mistral.ai/v1",
-      "envKey": "MISTRAL_API_KEY"
-    },
-    "deepseek": {
-      "name": "DeepSeek",
-      "baseURL": "https://api.deepseek.com",
-      "envKey": "DEEPSEEK_API_KEY"
-    },
-    "xai": {
-      "name": "xAI",
-      "baseURL": "https://api.x.ai/v1",
-      "envKey": "XAI_API_KEY"
-    },
-    "groq": {
-      "name": "Groq",
-      "baseURL": "https://api.groq.com/openai/v1",
-      "envKey": "GROQ_API_KEY"
-    },
-    "arceeai": {
-      "name": "ArceeAI",
-      "baseURL": "https://conductor.arcee.ai/v1",
-      "envKey": "ARCEEAI_API_KEY"
-    }
-  },
-  "history": {
-    "maxSize": 1000,
-    "saveHistory": true,
-    "sensitivePatterns": []
-  }
-}
-```
-
-### Custom instructions
-
-You can create a `~/.codex/AGENTS.md` file to define custom guidance for the agent:
-
-```markdown
- Always respond with emojis
- Only use git commands when explicitly requested
-```
-
-### Environment variables setup
-
-For each AI provider, you need to set the corresponding API key in your environment variables. For example:
-
-```bash
-# OpenAI
-export OPENAI_API_KEY="your-api-key-here"
-
-# Azure OpenAI
-export AZURE_OPENAI_API_KEY="your-azure-api-key-here"
-export AZURE_OPENAI_API_VERSION="2025-04-01-preview" (Optional)
-
-# OpenRouter
-export OPENROUTER_API_KEY="your-openrouter-key-here"
-
-# Similarly for other providers
-```
+Restart Codex (or run the next command with `--config`) after editing the file to pick up changes.

 ---

@@ -494,7 +392,7 @@ In 2021, OpenAI released Codex, an AI system designed to generate code from natu
 <details>
 <summary>Which models are supported?</summary>

-Any model available with [Responses API](https://platform.openai.com/docs/api-reference/responses). The default is `o4-mini`, but pass `--model gpt-4.1` or set `model: gpt-4.1` in your config file to override.
+Any model available via the [Responses API](https://platform.openai.com/docs/api-reference/responses). The default is `gpt-5-codex` (or `gpt-5` on Windows/WSL), but pass `--model` or set `model = "gpt-4.1"` in `config.toml` to override.

 </details>
 <details>
@@ -507,13 +405,13 @@ It's possible that your [API account needs to be verified](https://help.openai.c
 <details>
 <summary>How do I stop Codex from editing my files?</summary>

-Codex runs model-generated commands in a sandbox. If a proposed command or file change doesn't look right, you can simply type **n** to deny the command or give the model feedback.
+Run with `codex --ask-for-approval untrusted` or `codex --sandbox read-only` to force Codex to ask before making changes. In interactive sessions, you can also deny a specific command or patch by answering **n** when prompted.

 </details>
 <details>
 <summary>Does it work on Windows?</summary>

-Not directly. It requires [Windows Subsystem for Linux (WSL2)](https://learn.microsoft.com/en-us/windows/wsl/install) - Codex is regularly tested on macOS and Linux with Node 20+, and also supports Node 16.
+Not natively. Use [Windows Subsystem for Linux (WSL2)](https://learn.microsoft.com/en-us/windows/wsl/install) and install the Linux build inside your WSL environment. We regularly test on macOS and Linux.

 </details>

@@ -544,59 +442,25 @@ We're excited to launch a **$1 million initiative** supporting open source proje

 ## Contributing

-This project is under active development and the code will likely change pretty significantly. We'll update this message once that's complete!
+This project is under active development and we currently prioritize external contributions that address bugs or security issues. If you are proposing a new feature or behavior change, please open an issue first and get confirmation from the team before investing significant effort.

-More broadly we welcome contributions - whether you are opening your very first pull request or you're a seasoned maintainer. At the same time we care about reliability and long-term maintainability, so the bar for merging code is intentionally **high**. The guidelines below spell out what "high-quality" means in practice and should make the whole process transparent and friendly.
+We care deeply about reliability and long-term maintainability, so the bar for merging code is intentionally **high**. Use this README together with the canonical [contributor guide](../docs/contributing.md).

 ### Development workflow

- Create a _topic branch_ from `main` - e.g. `feat/interactive-prompt`.
- Keep your changes focused. Multiple unrelated fixes should be opened as separate PRs.
- Use `pnpm test:watch` during development for super-fast feedback.
- We use **Vitest** for unit tests, **ESLint** + **Prettier** for style, and **TypeScript** for type-checking.
- Before pushing, run the full test/type/lint suite:
-
-### Git hooks with Husky
-
-This project uses [Husky](https://typicode.github.io/husky/) to enforce code quality checks:
-
- **Pre-commit hook**: Automatically runs lint-staged to format and lint files before committing
- **Pre-push hook**: Runs tests and type checking before pushing to the remote
-
-These hooks help maintain code quality and prevent pushing code with failing tests. For more details, see [HUSKY.md](./HUSKY.md).
-
-```bash
-pnpm test && pnpm run lint && pnpm run typecheck
-```
-
- If you have **not** yet signed the Contributor License Agreement (CLA), add a PR comment containing the exact text
-
-  ```text
-  I have read the CLA Document and I hereby sign the CLA
-  ```
-
-  The CLA-Assistant bot will turn the PR status green once all authors have signed.
-
-```bash
-# Watch mode (tests rerun on change)
-pnpm test:watch
-
-# Type-check without emitting files
-pnpm typecheck
-
-# Automatically fix lint + prettier issues
-pnpm lint:fix
-pnpm format:fix
-```
+- Create a topic branch from `main` (for example `feat/improve-sandbox`).
+- Keep changes focused; unrelated fixes should land as separate PRs.
+- Install Rust 1.80+ and `just`. Most commands run from the repo root:
+  - `just fmt` formats all Rust code.
+  - `just fix -p codex-tui` runs `cargo clippy --fix` and `cargo fmt` for the TUI crate (swap the crate name as appropriate).
+  - `cargo test -p codex-tui` or other crate-specific test commands keep feedback fast.
+- If you touch shared crates (for example `codex-core` or `codex-common`), prefer `cargo test --all-features` after the targeted suite passes.

 ### Debugging

-To debug the CLI with a visual debugger, do the following in the `codex-cli` folder:
-
- Run `pnpm run build` to build the CLI, which will generate `cli.js.map` alongside `cli.js` in the `dist` folder.
- Run the CLI with `node --inspect-brk ./dist/cli.js` The program then waits until a debugger is attached before proceeding. Options:
-  - In VS Code, choose **Debug: Attach to Node Process** from the command palette and choose the option in the dropdown with debug port `9229` (likely the first option)
-  - Go to <chrome://inspect> in Chrome and find **localhost:9229** and click **trace**
+- Run `cargo run -p codex-tui --` to launch the CLI under your debugger of choice. `cargo run -p codex-cli --bin codex-linux-sandbox -- --help` is helpful when iterating on the sandbox helper.
+- Set `RUST_LOG=codex_core=debug,codex_tui=debug` to capture verbose logs (see [Tracing](#tracing--verbose-logging)).
+- Use `cargo test -p <crate> -- --nocapture` to see println!/tracing output from tests while iterating on new features.

 ### Writing high-impact code changes

@@ -607,10 +471,10 @@ To debug the CLI with a visual debugger, do the following in the `codex-cli` fol

 ### Opening a pull request

- Fill in the PR template (or include similar information) - **What? Why? How?**
- Run **all** checks locally (`npm test && npm run lint && npm run typecheck`). CI failures that could have been caught locally slow down the process.
+- Fill in the PR template (or include similar information) – **What? Why? How?**
+- Run **all** checks locally (`cargo test`, `cargo clippy --tests`, `cargo fmt -- --check`, plus any `just fix -p <crate>` you relied on). CI failures that could have been caught locally slow down the process.
 - Make sure your branch is up-to-date with `main` and that you have resolved merge conflicts.
- Mark the PR as **Ready for review** only when you believe it is in a merge-able state.
+- Mark the PR as **Ready for review** only when you believe it is in a mergeable state.

 ### Review process

@@ -655,29 +519,22 @@ The **DCO check** blocks merges until every commit in the PR carries the footer

 ### Releasing `codex`

-To publish a new version of the CLI you first need to stage the npm package. A
-helper script in `codex-cli/scripts/` does all the heavy lifting. Inside the
-`codex-cli` folder run:
+To stage npm artifacts for a release, run the helper from the repo root:

 ```bash
-# Classic, JS implementation that includes small, native binaries for Linux sandboxing.
-pnpm stage-release
-
-# Optionally specify the temp directory to reuse between runs.
-RELEASE_DIR=$(mktemp -d)
-pnpm stage-release --tmp "$RELEASE_DIR"
-
-# "Fat" package that additionally bundles the native Rust CLI binaries for
-# Linux. End-users can then opt-in at runtime by setting CODEX_RUST=1.
-pnpm stage-release --native
+./scripts/stage_npm_packages.py \
+  --release-version 0.6.0 \
+  --package codex
 ```

-Go to the folder where the release is staged and verify that it works as intended. If so, run the following from the temp folder:
+The script assembles native binaries, hydrates the `vendor/` tree, and writes tarballs to `dist/npm/`. Inspect the generated package contents (for example by extracting them or running `npm pack --dry-run`). When satisfied:

+```bash
+cd dist/npm
+npm publish codex-0.6.0.tgz
 ```
-cd "$RELEASE_DIR"
-npm publish
-```
+
+Add additional `--package` flags if you need to ship the responses proxy or SDK in the same release. See [`codex-cli/scripts/README.md`](./scripts/README.md) for details and troubleshooting tips.

 ### Alternative build options

--- a/codex-cli/bin/codex.js
+++ b/codex-cli/bin/codex.js
@@ -80,6 +80,32 @@ function getUpdatedPath(newDirs) {
  return updatedPath;
 }

+/**
+ * Use heuristics to detect the package manager that was used to install Codex
+ * in order to give the user a hint about how to update it.
+ */
+function detectPackageManager() {
+  const userAgent = process.env.npm_config_user_agent || "";
+  if (/\bbun\//.test(userAgent)) {
+    return "bun";
+  }
+
+  const execPath = process.env.npm_execpath || "";
+  if (execPath.includes("bun")) {
+    return "bun";
+  }
+
+  if (
+    process.env.BUN_INSTALL ||
+    process.env.BUN_INSTALL_GLOBAL_DIR ||
+    process.env.BUN_INSTALL_BIN_DIR
+  ) {
+    return "bun";
+  }
+
+  return userAgent ? "npm" : null;
+}
+
 const additionalDirs = [];
 const pathDir = path.join(archRoot, "path");
 if (existsSync(pathDir)) {
@@ -87,9 +113,16 @@ if (existsSync(pathDir)) {
 }
 const updatedPath = getUpdatedPath(additionalDirs);

+const env = { ...process.env, PATH: updatedPath };
+const packageManagerEnvVar =
+  detectPackageManager() === "bun"
+    ? "CODEX_MANAGED_BY_BUN"
+    : "CODEX_MANAGED_BY_NPM";
+env[packageManagerEnvVar] = "1";
+
 const child = spawn(binaryPath, process.argv.slice(2), {
  stdio: "inherit",
-  env: { ...process.env, PATH: updatedPath, CODEX_MANAGED_BY_NPM: "1" },
+  env,
 });

 child.on("error", (err) => {
--- a/codex-rs/.gitignore
+++ b/codex-rs/.gitignore
@@ -1,4 +1,5 @@
 /target/
+/target-*/

 # Recommended value of CARGO_TARGET_DIR when using Docker as explained in .devcontainer/README.md.
 /target-amd64/
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -861,9 +861,11 @@ name = "codex-app-server-protocol"
 version = "0.0.0"
 dependencies = [
 "anyhow",
+ "clap",
 "codex-protocol",
 "paste",
 "pretty_assertions",
+ "schemars 0.8.22",
 "serde",
 "serde_json",
 "strum_macros 0.27.2",
@@ -899,6 +901,16 @@ dependencies = [
 "tokio",
 ]

+[[package]]
+name = "codex-async-utils"
+version = "0.0.0"
+dependencies = [
+ "async-trait",
+ "pretty_assertions",
+ "tokio",
+ "tokio-util",
+]
+
 [[package]]
 name = "codex-backend-client"
 version = "0.0.0"
@@ -958,6 +970,7 @@ dependencies = [
 "codex-protocol-ts",
 "codex-responses-api-proxy",
 "codex-rmcp-client",
+ "codex-stdio-to-uds",
 "codex-tui",
 "ctor 0.5.0",
 "owo-colors",
@@ -1037,11 +1050,13 @@ dependencies = [
 "chrono",
 "codex-app-server-protocol",
 "codex-apply-patch",
+ "codex-async-utils",
 "codex-file-search",
 "codex-mcp-client",
 "codex-otel",
 "codex-protocol",
 "codex-rmcp-client",
+ "codex-utils-pty",
 "codex-utils-string",
 "core-foundation 0.9.4",
 "core_test_support",
@@ -1058,7 +1073,6 @@ dependencies = [
 "mcp-types",
 "openssl-sys",
 "os_info",
- "portable-pty",
 "predicates",
 "pretty_assertions",
 "rand 0.9.2",
@@ -1073,6 +1087,7 @@ dependencies = [
 "similar",
 "strum_macros 0.27.2",
 "tempfile",
+ "test-log",
 "thiserror 2.0.16",
 "time",
 "tokio",
@@ -1144,6 +1159,17 @@ dependencies = [
 "tempfile",
 ]

+[[package]]
+name = "codex-feedback"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "codex-protocol",
+ "pretty_assertions",
+ "sentry",
+ "tracing-subscriber",
+]
+
 [[package]]
 name = "codex-file-search"
 version = "0.0.0"
@@ -1308,6 +1334,7 @@ dependencies = [
 "icu_locale_core",
 "mcp-types",
 "mime_guess",
+ "schemars 0.8.22",
 "serde",
 "serde_json",
 "serde_with",
@@ -1352,7 +1379,9 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "axum",
+ "codex-protocol",
 "dirs",
+ "escargot",
 "futures",
 "keyring",
 "mcp-types",
@@ -1362,6 +1391,7 @@ dependencies = [
 "rmcp",
 "serde",
 "serde_json",
+ "serial_test",
 "sha2",
 "tempfile",
 "tiny_http",
@@ -1371,6 +1401,17 @@ dependencies = [
 "webbrowser",
 ]

+[[package]]
+name = "codex-stdio-to-uds"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "assert_cmd",
+ "pretty_assertions",
+ "tempfile",
+ "uds_windows",
+]
+
 [[package]]
 name = "codex-tui"
 version = "0.0.0"
@@ -1387,6 +1428,7 @@ dependencies = [
 "codex-arg0",
 "codex-common",
 "codex-core",
+ "codex-feedback",
 "codex-file-search",
 "codex-git-tooling",
 "codex-login",
@@ -1421,6 +1463,7 @@ dependencies = [
 "textwrap 0.16.2",
 "tokio",
 "tokio-stream",
+ "toml",
 "tracing",
 "tracing-appender",
 "tracing-subscriber",
@@ -1441,6 +1484,15 @@ dependencies = [
 "toml",
 ]

+[[package]]
+name = "codex-utils-pty"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "portable-pty",
+ "tokio",
+]
+
 [[package]]
 name = "codex-utils-readiness"
 version = "0.0.0"
@@ -1576,10 +1628,12 @@ dependencies = [
 "anyhow",
 "assert_cmd",
 "codex-core",
+ "notify",
 "regex-lite",
 "serde_json",
 "tempfile",
 "tokio",
+ "walkdir",
 "wiremock",
 ]

@@ -1820,6 +1874,16 @@ version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "092966b41edc516079bdf31ec78a2e0588d1d0c08f78b91d8307215928642b2b"

+[[package]]
+name = "debugid"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bef552e6f588e446098f6ba40d89ac146c8c7b64aade83c051ee00bb5d2bc18d"
+dependencies = [
+ "serde",
+ "uuid",
+]
+
 [[package]]
 name = "debugserver-types"
 version = "0.5.0"
@@ -2298,6 +2362,18 @@ dependencies = [
 "winapi",
 ]

+[[package]]
+name = "findshlibs"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "40b9e59cd0f7e0806cca4be089683ecb6434e602038df21fe6bf6711b2f07f64"
+dependencies = [
+ "cc",
+ "lazy_static",
+ "libc",
+ "winapi",
+]
+
 [[package]]
 name = "fixed_decimal"
 version = "0.7.0"
@@ -2370,6 +2446,15 @@ dependencies = [
 "percent-encoding",
 ]

+[[package]]
+name = "fsevent-sys"
+version = "4.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "76ee7a02da4d231650c7cea31349b889be2f45ddb3ef3032d2ec8185f6313fd2"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "futures"
 version = "0.3.31"
@@ -2657,6 +2742,17 @@ dependencies = [
 "windows-sys 0.59.0",
 ]

+[[package]]
+name = "hostname"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a56f203cd1c76362b69e3863fd987520ac36cf70a8c92627449b2f64a8cf7d65"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "windows-link 0.1.3",
+]
+
 [[package]]
 name = "http"
 version = "1.3.1"
@@ -3056,6 +3152,26 @@ version = "2.0.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f4c7245a08504955605670dbf141fceab975f15ca21570696aebe9d2e71576bd"

+[[package]]
+name = "inotify"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f37dccff2791ab604f9babef0ba14fbe0be30bd368dc541e2b08d07c8aa908f3"
+dependencies = [
+ "bitflags 2.9.1",
+ "inotify-sys",
+ "libc",
+]
+
+[[package]]
+name = "inotify-sys"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e05c02b5e89bff3b946cedeca278abc628fe811e604f027c45a8aa3cf793d0eb"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "inout"
 version = "0.1.4"
@@ -3256,6 +3372,26 @@ dependencies = [
 "zeroize",
 ]

+[[package]]
+name = "kqueue"
+version = "1.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eac30106d7dce88daf4a3fcb4879ea939476d5074a9b7ddd0fb97fa4bed5596a"
+dependencies = [
+ "kqueue-sys",
+ "libc",
+]
+
+[[package]]
+name = "kqueue-sys"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed9625ffda8729b85e45cf04090035ac368927b8cebc34898e7c120f52e4838b"
+dependencies = [
+ "bitflags 1.3.2",
+ "libc",
+]
+
 [[package]]
 name = "lalrpop"
 version = "0.19.12"
@@ -3455,6 +3591,7 @@ checksum = "47e1ffaa40ddd1f3ed91f717a33c8c0ee23fff369e3aa8772b9605cc1d22f4c3"
 name = "mcp-types"
 version = "0.0.0"
 dependencies = [
+ "schemars 0.8.22",
 "serde",
 "serde_json",
 "ts-rs",
@@ -3655,6 +3792,30 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "61807f77802ff30975e01f4f071c8ba10c022052f98b3294119f3e615d13e5be"

+[[package]]
+name = "notify"
+version = "8.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4d3d07927151ff8575b7087f245456e549fea62edf0ec4e565a5ee50c8402bc3"
+dependencies = [
+ "bitflags 2.9.1",
+ "fsevent-sys",
+ "inotify",
+ "kqueue",
+ "libc",
+ "log",
+ "mio",
+ "notify-types",
+ "walkdir",
+ "windows-sys 0.60.2",
+]
+
+[[package]]
+name = "notify-types"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5e0826a989adedc2a244799e823aece04662b66609d96af8dff7ac6df9a8925d"
+
 [[package]]
 name = "nu-ansi-term"
 version = "0.50.1"
@@ -4772,9 +4933,9 @@ dependencies = [

 [[package]]
 name = "rmcp"
-version = "0.8.0"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "583d060e99feb3a3683fb48a1e4bf5f8d4a50951f429726f330ee5ff548837f8"
+checksum = "6f35acda8f89fca5fd8c96cae3c6d5b4c38ea0072df4c8030915f3b5ff469c1c"
 dependencies = [
 "base64",
 "bytes",
@@ -4806,9 +4967,9 @@ dependencies = [

 [[package]]
 name = "rmcp-macros"
-version = "0.8.0"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "421d8b0ba302f479214889486f9550e63feca3af310f1190efcf6e2016802693"
+checksum = "c9f1d5220aaa23b79c3d02e18f7a554403b3ccea544bbb6c69d6bcb3e854a274"
 dependencies = [
 "darling 0.21.3",
 "proc-macro2",
@@ -4829,6 +4990,15 @@ version = "2.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d"

+[[package]]
+name = "rustc_version"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cfcb3a22ef46e85b45de6ee7e79d063319ebb6594faafcf1c225ea92ab6e9b92"
+dependencies = [
+ "semver",
+]
+
 [[package]]
 name = "rustix"
 version = "0.38.44"
@@ -5143,6 +5313,120 @@ dependencies = [
 "libc",
 ]

+[[package]]
+name = "semver"
+version = "1.0.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"
+
+[[package]]
+name = "sentry"
+version = "0.34.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5484316556650182f03b43d4c746ce0e3e48074a21e2f51244b648b6542e1066"
+dependencies = [
+ "httpdate",
+ "native-tls",
+ "reqwest",
+ "sentry-backtrace",
+ "sentry-contexts",
+ "sentry-core",
+ "sentry-debug-images",
+ "sentry-panic",
+ "sentry-tracing",
+ "tokio",
+ "ureq",
+]
+
+[[package]]
+name = "sentry-backtrace"
+version = "0.34.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "40aa225bb41e2ec9d7c90886834367f560efc1af028f1c5478a6cce6a59c463a"
+dependencies = [
+ "backtrace",
+ "once_cell",
+ "regex",
+ "sentry-core",
+]
+
+[[package]]
+name = "sentry-contexts"
+version = "0.34.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a8dd746da3d16cb8c39751619cefd4fcdbd6df9610f3310fd646b55f6e39910"
+dependencies = [
+ "hostname",
+ "libc",
+ "os_info",
+ "rustc_version",
+ "sentry-core",
+ "uname",
+]
+
+[[package]]
+name = "sentry-core"
+version = "0.34.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "161283cfe8e99c8f6f236a402b9ccf726b201f365988b5bb637ebca0abbd4a30"
+dependencies = [
+ "once_cell",
+ "rand 0.8.5",
+ "sentry-types",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "sentry-debug-images"
+version = "0.34.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8fc6b25e945fcaa5e97c43faee0267eebda9f18d4b09a251775d8fef1086238a"
+dependencies = [
+ "findshlibs",
+ "once_cell",
+ "sentry-core",
+]
+
+[[package]]
+name = "sentry-panic"
+version = "0.34.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bc74f229c7186dd971a9491ffcbe7883544aa064d1589bd30b83fb856cd22d63"
+dependencies = [
+ "sentry-backtrace",
+ "sentry-core",
+]
+
+[[package]]
+name = "sentry-tracing"
+version = "0.34.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cd3c5faf2103cd01eeda779ea439b68c4ee15adcdb16600836e97feafab362ec"
+dependencies = [
+ "sentry-backtrace",
+ "sentry-core",
+ "tracing-core",
+ "tracing-subscriber",
+]
+
+[[package]]
+name = "sentry-types"
+version = "0.34.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d68cdf6bc41b8ff3ae2a9c4671e97426dcdd154cc1d4b6b72813f285d6b163f"
+dependencies = [
+ "debugid",
+ "hex",
+ "rand 0.8.5",
+ "serde",
+ "serde_json",
+ "thiserror 1.0.69",
+ "time",
+ "url",
+ "uuid",
+]
+
 [[package]]
 name = "serde"
 version = "1.0.226"
@@ -5775,6 +6059,28 @@ version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8f50febec83f5ee1df3015341d8bd429f2d1cc62bcba7ea2076759d315084683"

+[[package]]
+name = "test-log"
+version = "0.2.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e33b98a582ea0be1168eba097538ee8dd4bbe0f2b01b22ac92ea30054e5be7b"
+dependencies = [
+ "env_logger",
+ "test-log-macros",
+ "tracing-subscriber",
+]
+
+[[package]]
+name = "test-log-macros"
+version = "0.2.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "451b374529930d7601b1eef8d32bc79ae870b6079b069401709c2a8bf9e75f36"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
 [[package]]
 name = "textwrap"
 version = "0.11.0"
@@ -6350,6 +6656,15 @@ dependencies = [
 "winapi",
 ]

+[[package]]
+name = "uname"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b72f89f0ca32e4db1c04e2a72f5345d59796d4866a1ee0609084569f73683dc8"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "unicase"
 version = "2.8.1"
@@ -6409,6 +6724,19 @@ version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"

+[[package]]
+name = "ureq"
+version = "2.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "02d1a66277ed75f640d608235660df48c8e3c19f3b4edb6a263315626cc3c01d"
+dependencies = [
+ "base64",
+ "log",
+ "native-tls",
+ "once_cell",
+ "url",
+]
+
 [[package]]
 name = "url"
 version = "2.5.4"
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -2,10 +2,12 @@
 members = [
    "backend-client",
    "ansi-escape",
+    "async-utils",
    "app-server",
    "app-server-protocol",
    "apply-patch",
    "arg0",
+    "feedback",
    "codex-backend-openapi-models",
    "cloud-tasks",
    "cloud-tasks-client",
@@ -27,11 +29,13 @@ members = [
    "protocol-ts",
    "rmcp-client",
    "responses-api-proxy",
+    "stdio-to-uds",
    "otel",
    "tui",
    "git-apply",
    "utils/json-to-toml",
    "utils/readiness",
+    "utils/pty",
    "utils/string",
 ]
 resolver = "2"
@@ -52,10 +56,12 @@ codex-app-server = { path = "app-server" }
 codex-app-server-protocol = { path = "app-server-protocol" }
 codex-apply-patch = { path = "apply-patch" }
 codex-arg0 = { path = "arg0" }
+codex-async-utils = { path = "async-utils" }
 codex-chatgpt = { path = "chatgpt" }
 codex-common = { path = "common" }
 codex-core = { path = "core" }
 codex-exec = { path = "exec" }
+codex-feedback = { path = "feedback" }
 codex-file-search = { path = "file-search" }
 codex-git-tooling = { path = "git-tooling" }
 codex-linux-sandbox = { path = "linux-sandbox" }
@@ -69,9 +75,11 @@ codex-protocol = { path = "protocol" }
 codex-protocol-ts = { path = "protocol-ts" }
 codex-responses-api-proxy = { path = "responses-api-proxy" }
 codex-rmcp-client = { path = "rmcp-client" }
+codex-stdio-to-uds = { path = "stdio-to-uds" }
 codex-tui = { path = "tui" }
 codex-utils-json-to-toml = { path = "utils/json-to-toml" }
 codex-utils-readiness = { path = "utils/readiness" }
+codex-utils-pty = { path = "utils/pty" }
 codex-utils-string = { path = "utils/string" }
 core_test_support = { path = "core/tests/common" }
 mcp-types = { path = "mcp-types" }
@@ -83,8 +91,8 @@ ansi-to-tui = "7.0.0"
 anyhow = "1"
 arboard = "3"
 askama = "0.12"
-assert_matches = "1.5.0"
 assert_cmd = "2"
+assert_matches = "1.5.0"
 async-channel = "2.3.1"
 async-stream = "0.3.6"
 async-trait = "0.1.89"
@@ -122,6 +130,7 @@ log = "0.4"
 maplit = "1.0.2"
 mime_guess = "2.0.5"
 multimap = "0.10.0"
+notify = "8.2.0"
 nucleo-matcher = "0.3.1"
 openssl-sys = "*"
 opentelemetry = "0.30.0"
@@ -146,6 +155,7 @@ reqwest = "0.12"
 rmcp = { version = "0.8.0", default-features = false }
 schemars = "0.8.22"
 seccompiler = "0.5.0"
+sentry = "0.34.0"
 serde = "1"
 serde_json = "1"
 serde_with = "3.14"
@@ -160,6 +170,7 @@ strum_macros = "0.27.2"
 supports-color = "3.0.2"
 sys-locale = "0.3.2"
 tempfile = "3.23.0"
+test-log = "0.2.18"
 textwrap = "0.16.2"
 thiserror = "2.0.16"
 time = "0.3"
@@ -179,6 +190,7 @@ tree-sitter = "0.25.10"
 tree-sitter-bash = "0.25"
 tree-sitter-highlight = "0.25.10"
 ts-rs = "11"
+uds_windows = "1.1.0"
 unicode-segmentation = "1.12.0"
 unicode-width = "0.2"
 url = "2"
--- a/codex-rs/README.md
+++ b/codex-rs/README.md
@@ -11,7 +11,12 @@ npm i -g @openai/codex
 codex
 ```

-You can also install via Homebrew (`brew install codex`) or download a platform-specific release directly from our [GitHub Releases](https://github.com/openai/codex/releases).
+You can also install via Homebrew (`brew install --cask codex`) or download a platform-specific release directly from our [GitHub Releases](https://github.com/openai/codex/releases).
+
+## Documentation quickstart
+
+- First run with Codex? Follow the walkthrough in [`docs/getting-started.md`](../docs/getting-started.md) for prompts, keyboard shortcuts, and session management.
+- Already shipping with Codex and want deeper control? Jump to [`docs/advanced.md`](../docs/advanced.md) and the configuration reference at [`docs/config.md`](../docs/config.md).

 ## What's new in the Rust CLI

@@ -47,30 +52,6 @@ You can enable notifications by configuring a script that is run whenever the ag

 To run Codex non-interactively, run `codex exec PROMPT` (you can also pass the prompt via `stdin`) and Codex will work on your task until it decides that it is done and exits. Output is printed to the terminal directly. You can set the `RUST_LOG` environment variable to see more about what's going on.

-### Use `@` for file search
-
-Typing `@` triggers a fuzzy-filename search over the workspace root. Use up/down to select among the results and Tab or Enter to replace the `@` with the selected path. You can use Esc to cancel the search.
-
-### Esc–Esc to edit a previous message
-
-When the chat composer is empty, press Esc to prime “backtrack” mode. Press Esc again to open a transcript preview highlighting the last user message; press Esc repeatedly to step to older user messages. Press Enter to confirm and Codex will fork the conversation from that point, trim the visible transcript accordingly, and pre‑fill the composer with the selected user message so you can edit and resubmit it.
-
-In the transcript preview, the footer shows an `Esc edit prev` hint while editing is active.
-
-### `--cd`/`-C` flag
-
-Sometimes it is not convenient to `cd` to the directory you want Codex to use as the "working root" before running Codex. Fortunately, `codex` supports a `--cd` option so you can specify whatever folder you want. You can confirm that Codex is honoring `--cd` by double-checking the **workdir** it reports in the TUI at the start of a new session.
-
-### Shell completions
-
-Generate shell completion scripts via:
-
-```shell
-codex completion bash
-codex completion zsh
-codex completion fish
-```
-
 ### Experimenting with the Codex Sandbox

 To test to see what happens when a command is run under the sandbox provided by Codex, we provide the following subcommands in Codex CLI:
--- a/codex-rs/ansi-escape/src/lib.rs
+++ b/codex-rs/ansi-escape/src/lib.rs
@@ -3,11 +3,30 @@ use ansi_to_tui::IntoText;
 use ratatui::text::Line;
 use ratatui::text::Text;

+// Expand tabs in a best-effort way for transcript rendering.
+// Tabs can interact poorly with left-gutter prefixes in our TUI and CLI
+// transcript views (e.g., `nl` separates line numbers from content with a tab).
+// Replacing tabs with spaces avoids odd visual artifacts without changing
+// semantics for our use cases.
+fn expand_tabs(s: &str) -> std::borrow::Cow<'_, str> {
+    if s.contains('\t') {
+        // Keep it simple: replace each tab with 4 spaces.
+        // We do not try to align to tab stops since most usages (like `nl`)
+        // look acceptable with a fixed substitution and this avoids stateful math
+        // across spans.
+        std::borrow::Cow::Owned(s.replace('\t', "    "))
+    } else {
+        std::borrow::Cow::Borrowed(s)
+    }
+}
+
 /// This function should be used when the contents of `s` are expected to match
 /// a single line. If multiple lines are found, a warning is logged and only the
 /// first line is returned.
 pub fn ansi_escape_line(s: &str) -> Line<'static> {
-    let text = ansi_escape(s);
+    // Normalize tabs to spaces to avoid odd gutter collisions in transcript mode.
+    let s = expand_tabs(s);
+    let text = ansi_escape(&s);
    match text.lines.as_slice() {
        [] => "".into(),
        [only] => only.clone(),
--- a/codex-rs/app-server-protocol/Cargo.toml
+++ b/codex-rs/app-server-protocol/Cargo.toml
@@ -11,8 +11,11 @@ path = "src/lib.rs"
 workspace = true

 [dependencies]
+anyhow = { workspace = true }
+clap = { workspace = true, features = ["derive"] }
 codex-protocol = { workspace = true }
 paste = { workspace = true }
+schemars = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
 strum_macros = { workspace = true }
--- a/codex-rs/app-server-protocol/src/bin/export.rs
+++ b/codex-rs/app-server-protocol/src/bin/export.rs
@@ -0,0 +1,22 @@
+use anyhow::Result;
+use clap::Parser;
+use std::path::PathBuf;
+
+#[derive(Parser, Debug)]
+#[command(
+    about = "Generate TypeScript bindings and JSON Schemas for the Codex app-server protocol"
+)]
+struct Args {
+    /// Output directory where generated files will be written
+    #[arg(short = 'o', long = "out", value_name = "DIR")]
+    out_dir: PathBuf,
+
+    /// Optional Prettier executable path to format generated TypeScript files
+    #[arg(short = 'p', long = "prettier", value_name = "PRETTIER_BIN")]
+    prettier: Option<PathBuf>,
+}
+
+fn main() -> Result<()> {
+    let args = Args::parse();
+    codex_app_server_protocol::generate_types(&args.out_dir, args.prettier.as_deref())
+}
--- a/codex-rs/app-server-protocol/src/export.rs
+++ b/codex-rs/app-server-protocol/src/export.rs
@@ -0,0 +1,404 @@
+use crate::ClientNotification;
+use crate::ClientRequest;
+use crate::ServerNotification;
+use crate::ServerRequest;
+use crate::export_client_response_schemas;
+use crate::export_client_responses;
+use crate::export_server_response_schemas;
+use crate::export_server_responses;
+use anyhow::Context;
+use anyhow::Result;
+use anyhow::anyhow;
+use schemars::JsonSchema;
+use schemars::schema::RootSchema;
+use schemars::schema_for;
+use serde::Serialize;
+use serde_json::Map;
+use serde_json::Value;
+use std::collections::BTreeMap;
+use std::ffi::OsStr;
+use std::fs;
+use std::io::Read;
+use std::io::Write;
+use std::path::Path;
+use std::path::PathBuf;
+use std::process::Command;
+use ts_rs::TS;
+
+const HEADER: &str = "// GENERATED CODE! DO NOT MODIFY BY HAND!\n\n";
+
+macro_rules! for_each_schema_type {
+    ($macro:ident) => {
+        $macro!(crate::RequestId);
+        $macro!(crate::JSONRPCMessage);
+        $macro!(crate::JSONRPCRequest);
+        $macro!(crate::JSONRPCNotification);
+        $macro!(crate::JSONRPCResponse);
+        $macro!(crate::JSONRPCError);
+        $macro!(crate::JSONRPCErrorError);
+        $macro!(crate::AddConversationListenerParams);
+        $macro!(crate::AddConversationSubscriptionResponse);
+        $macro!(crate::ApplyPatchApprovalParams);
+        $macro!(crate::ApplyPatchApprovalResponse);
+        $macro!(crate::ArchiveConversationParams);
+        $macro!(crate::ArchiveConversationResponse);
+        $macro!(crate::AuthMode);
+        $macro!(crate::AuthStatusChangeNotification);
+        $macro!(crate::CancelLoginChatGptParams);
+        $macro!(crate::CancelLoginChatGptResponse);
+        $macro!(crate::ClientInfo);
+        $macro!(crate::ClientNotification);
+        $macro!(crate::ClientRequest);
+        $macro!(crate::ConversationSummary);
+        $macro!(crate::ExecCommandApprovalParams);
+        $macro!(crate::ExecCommandApprovalResponse);
+        $macro!(crate::ExecOneOffCommandParams);
+        $macro!(crate::ExecOneOffCommandResponse);
+        $macro!(crate::FuzzyFileSearchParams);
+        $macro!(crate::FuzzyFileSearchResponse);
+        $macro!(crate::FuzzyFileSearchResult);
+        $macro!(crate::GetAuthStatusParams);
+        $macro!(crate::GetAuthStatusResponse);
+        $macro!(crate::GetUserAgentResponse);
+        $macro!(crate::GetUserSavedConfigResponse);
+        $macro!(crate::GitDiffToRemoteParams);
+        $macro!(crate::GitDiffToRemoteResponse);
+        $macro!(crate::GitSha);
+        $macro!(crate::InitializeParams);
+        $macro!(crate::InitializeResponse);
+        $macro!(crate::InputItem);
+        $macro!(crate::InterruptConversationParams);
+        $macro!(crate::InterruptConversationResponse);
+        $macro!(crate::ListConversationsParams);
+        $macro!(crate::ListConversationsResponse);
+        $macro!(crate::LoginApiKeyParams);
+        $macro!(crate::LoginApiKeyResponse);
+        $macro!(crate::LoginChatGptCompleteNotification);
+        $macro!(crate::LoginChatGptResponse);
+        $macro!(crate::LogoutChatGptParams);
+        $macro!(crate::LogoutChatGptResponse);
+        $macro!(crate::NewConversationParams);
+        $macro!(crate::NewConversationResponse);
+        $macro!(crate::Profile);
+        $macro!(crate::RemoveConversationListenerParams);
+        $macro!(crate::RemoveConversationSubscriptionResponse);
+        $macro!(crate::ResumeConversationParams);
+        $macro!(crate::ResumeConversationResponse);
+        $macro!(crate::SandboxSettings);
+        $macro!(crate::SendUserMessageParams);
+        $macro!(crate::SendUserMessageResponse);
+        $macro!(crate::SendUserTurnParams);
+        $macro!(crate::SendUserTurnResponse);
+        $macro!(crate::ServerNotification);
+        $macro!(crate::ServerRequest);
+        $macro!(crate::SessionConfiguredNotification);
+        $macro!(crate::SetDefaultModelParams);
+        $macro!(crate::SetDefaultModelResponse);
+        $macro!(crate::Tools);
+        $macro!(crate::UserInfoResponse);
+        $macro!(crate::UserSavedConfig);
+        $macro!(codex_protocol::protocol::EventMsg);
+        $macro!(codex_protocol::protocol::FileChange);
+        $macro!(codex_protocol::parse_command::ParsedCommand);
+        $macro!(codex_protocol::protocol::SandboxPolicy);
+    };
+}
+
+pub fn generate_types(out_dir: &Path, prettier: Option<&Path>) -> Result<()> {
+    generate_ts(out_dir, prettier)?;
+    generate_json(out_dir)?;
+    Ok(())
+}
+
+pub fn generate_ts(out_dir: &Path, prettier: Option<&Path>) -> Result<()> {
+    ensure_dir(out_dir)?;
+
+    ClientRequest::export_all_to(out_dir)?;
+    export_client_responses(out_dir)?;
+    ClientNotification::export_all_to(out_dir)?;
+
+    ServerRequest::export_all_to(out_dir)?;
+    export_server_responses(out_dir)?;
+    ServerNotification::export_all_to(out_dir)?;
+
+    generate_index_ts(out_dir)?;
+
+    let ts_files = ts_files_in(out_dir)?;
+    for file in &ts_files {
+        prepend_header_if_missing(file)?;
+    }
+
+    if let Some(prettier_bin) = prettier
+        && !ts_files.is_empty()
+    {
+        let status = Command::new(prettier_bin)
+            .arg("--write")
+            .args(ts_files.iter().map(|p| p.as_os_str()))
+            .status()
+            .with_context(|| format!("Failed to invoke Prettier at {}", prettier_bin.display()))?;
+        if !status.success() {
+            return Err(anyhow!("Prettier failed with status {status}"));
+        }
+    }
+
+    Ok(())
+}
+
+pub fn generate_json(out_dir: &Path) -> Result<()> {
+    ensure_dir(out_dir)?;
+    let mut bundle: BTreeMap<String, RootSchema> = BTreeMap::new();
+
+    macro_rules! add_schema {
+        ($ty:path) => {{
+            let name = type_basename(stringify!($ty));
+            let schema = write_json_schema_with_return::<$ty>(out_dir, &name)?;
+            bundle.insert(name, schema);
+        }};
+    }
+
+    for_each_schema_type!(add_schema);
+
+    export_client_response_schemas(out_dir)?;
+    export_server_response_schemas(out_dir)?;
+
+    let mut definitions = Map::new();
+
+    const SPECIAL_DEFINITIONS: &[&str] = &[
+        "ClientNotification",
+        "ClientRequest",
+        "EventMsg",
+        "FileChange",
+        "InputItem",
+        "ParsedCommand",
+        "SandboxPolicy",
+        "ServerNotification",
+        "ServerRequest",
+    ];
+
+    for (name, schema) in bundle {
+        let mut schema_value = serde_json::to_value(schema)?;
+        if let Value::Object(ref mut obj) = schema_value {
+            if let Some(defs) = obj.remove("definitions")
+                && let Value::Object(defs_obj) = defs
+            {
+                for (def_name, def_schema) in defs_obj {
+                    if !SPECIAL_DEFINITIONS.contains(&def_name.as_str()) {
+                        definitions.insert(def_name, def_schema);
+                    }
+                }
+            }
+
+            if let Some(Value::Array(one_of)) = obj.get_mut("oneOf") {
+                for variant in one_of.iter_mut() {
+                    if let Some(variant_name) = variant_definition_name(&name, variant)
+                        && let Value::Object(variant_obj) = variant
+                    {
+                        variant_obj.insert("title".into(), Value::String(variant_name));
+                    }
+                }
+            }
+        }
+        definitions.insert(name, schema_value);
+    }
+
+    let mut root = Map::new();
+    root.insert(
+        "$schema".to_string(),
+        Value::String("http://json-schema.org/draft-07/schema#".into()),
+    );
+    root.insert(
+        "title".to_string(),
+        Value::String("CodexAppServerProtocol".into()),
+    );
+    root.insert("type".to_string(), Value::String("object".into()));
+    root.insert("definitions".to_string(), Value::Object(definitions));
+
+    write_pretty_json(
+        out_dir.join("codex_app_server_protocol.schemas.json"),
+        &Value::Object(root),
+    )?;
+
+    Ok(())
+}
+
+fn write_json_schema_with_return<T>(out_dir: &Path, name: &str) -> Result<RootSchema>
+where
+    T: JsonSchema,
+{
+    let file_stem = name.trim();
+    let schema = schema_for!(T);
+    write_pretty_json(out_dir.join(format!("{file_stem}.json")), &schema)
+        .with_context(|| format!("Failed to write JSON schema for {file_stem}"))?;
+    Ok(schema)
+}
+
+pub(crate) fn write_json_schema<T>(out_dir: &Path, name: &str) -> Result<()>
+where
+    T: JsonSchema,
+{
+    write_json_schema_with_return::<T>(out_dir, name).map(|_| ())
+}
+
+fn write_pretty_json(path: PathBuf, value: &impl Serialize) -> Result<()> {
+    let json = serde_json::to_vec_pretty(value)
+        .with_context(|| format!("Failed to serialize JSON schema to {}", path.display()))?;
+    fs::write(&path, json).with_context(|| format!("Failed to write {}", path.display()))?;
+    Ok(())
+}
+fn type_basename(type_path: &str) -> String {
+    type_path
+        .rsplit_once("::")
+        .map(|(_, name)| name)
+        .unwrap_or(type_path)
+        .trim()
+        .to_string()
+}
+
+fn variant_definition_name(base: &str, variant: &Value) -> Option<String> {
+    if let Some(props) = variant.get("properties").and_then(Value::as_object) {
+        if let Some(method_literal) = literal_from_property(props, "method") {
+            let pascal = to_pascal_case(method_literal);
+            return Some(match base {
+                "ClientRequest" | "ServerRequest" => format!("{pascal}Request"),
+                "ClientNotification" | "ServerNotification" => format!("{pascal}Notification"),
+                _ => format!("{pascal}{base}"),
+            });
+        }
+
+        if let Some(type_literal) = literal_from_property(props, "type") {
+            let pascal = to_pascal_case(type_literal);
+            return Some(match base {
+                "EventMsg" => format!("{pascal}EventMsg"),
+                _ => format!("{pascal}{base}"),
+            });
+        }
+
+        if let Some(mode_literal) = literal_from_property(props, "mode") {
+            let pascal = to_pascal_case(mode_literal);
+            return Some(match base {
+                "SandboxPolicy" => format!("{pascal}SandboxPolicy"),
+                _ => format!("{pascal}{base}"),
+            });
+        }
+
+        if props.len() == 1
+            && let Some(key) = props.keys().next()
+        {
+            let pascal = to_pascal_case(key);
+            return Some(format!("{pascal}{base}"));
+        }
+    }
+
+    if let Some(required) = variant.get("required").and_then(Value::as_array)
+        && required.len() == 1
+        && let Some(key) = required[0].as_str()
+    {
+        let pascal = to_pascal_case(key);
+        return Some(format!("{pascal}{base}"));
+    }
+
+    None
+}
+
+fn literal_from_property<'a>(props: &'a Map<String, Value>, key: &str) -> Option<&'a str> {
+    props
+        .get(key)
+        .and_then(|value| value.get("enum"))
+        .and_then(Value::as_array)
+        .and_then(|arr| arr.first())
+        .and_then(Value::as_str)
+}
+
+fn to_pascal_case(input: &str) -> String {
+    let mut result = String::new();
+    let mut capitalize_next = true;
+
+    for c in input.chars() {
+        if c == '_' || c == '-' {
+            capitalize_next = true;
+            continue;
+        }
+
+        if capitalize_next {
+            result.extend(c.to_uppercase());
+            capitalize_next = false;
+        } else {
+            result.push(c);
+        }
+    }
+
+    result
+}
+
+fn ensure_dir(dir: &Path) -> Result<()> {
+    fs::create_dir_all(dir)
+        .with_context(|| format!("Failed to create output directory {}", dir.display()))
+}
+
+fn prepend_header_if_missing(path: &Path) -> Result<()> {
+    let mut content = String::new();
+    {
+        let mut f = fs::File::open(path)
+            .with_context(|| format!("Failed to open {} for reading", path.display()))?;
+        f.read_to_string(&mut content)
+            .with_context(|| format!("Failed to read {}", path.display()))?;
+    }
+
+    if content.starts_with(HEADER) {
+        return Ok(());
+    }
+
+    let mut f = fs::File::create(path)
+        .with_context(|| format!("Failed to open {} for writing", path.display()))?;
+    f.write_all(HEADER.as_bytes())
+        .with_context(|| format!("Failed to write header to {}", path.display()))?;
+    f.write_all(content.as_bytes())
+        .with_context(|| format!("Failed to write content to {}", path.display()))?;
+    Ok(())
+}
+
+fn ts_files_in(dir: &Path) -> Result<Vec<PathBuf>> {
+    let mut files = Vec::new();
+    for entry in
+        fs::read_dir(dir).with_context(|| format!("Failed to read dir {}", dir.display()))?
+    {
+        let entry = entry?;
+        let path = entry.path();
+        if path.is_file() && path.extension() == Some(OsStr::new("ts")) {
+            files.push(path);
+        }
+    }
+    files.sort();
+    Ok(files)
+}
+
+fn generate_index_ts(out_dir: &Path) -> Result<PathBuf> {
+    let mut entries: Vec<String> = Vec::new();
+    let mut stems: Vec<String> = ts_files_in(out_dir)?
+        .into_iter()
+        .filter_map(|p| {
+            let stem = p.file_stem()?.to_string_lossy().into_owned();
+            if stem == "index" { None } else { Some(stem) }
+        })
+        .collect();
+    stems.sort();
+    stems.dedup();
+
+    for name in stems {
+        entries.push(format!("export type {{ {name} }} from \"./{name}\";\n"));
+    }
+
+    let mut content =
+        String::with_capacity(HEADER.len() + entries.iter().map(String::len).sum::<usize>());
+    content.push_str(HEADER);
+    for line in &entries {
+        content.push_str(line);
+    }
+
+    let index_path = out_dir.join("index.ts");
+    let mut f = fs::File::create(&index_path)
+        .with_context(|| format!("Failed to create {}", index_path.display()))?;
+    f.write_all(content.as_bytes())
+        .with_context(|| format!("Failed to write {}", index_path.display()))?;
+    Ok(index_path)
+}
--- a/codex-rs/app-server-protocol/src/jsonrpc_lite.rs
+++ b/codex-rs/app-server-protocol/src/jsonrpc_lite.rs
@@ -1,13 +1,14 @@
 //! We do not do true JSON-RPC 2.0, as we neither send nor expect the
 //! "jsonrpc": "2.0" field.

+use schemars::JsonSchema;
 use serde::Deserialize;
 use serde::Serialize;
 use ts_rs::TS;

 pub const JSONRPC_VERSION: &str = "2.0";

-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, Hash, Eq, TS)]
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, Hash, Eq, JsonSchema, TS)]
 #[serde(untagged)]
 pub enum RequestId {
    String(String),
@@ -18,7 +19,7 @@ pub enum RequestId {
 pub type Result = serde_json::Value;

 /// Refers to any valid JSON-RPC object that can be decoded off the wire, or encoded to be sent.
-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, TS)]
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema, TS)]
 #[serde(untagged)]
 pub enum JSONRPCMessage {
    Request(JSONRPCRequest),
@@ -28,7 +29,7 @@ pub enum JSONRPCMessage {
 }

 /// A request that expects a response.
-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, TS)]
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema, TS)]
 pub struct JSONRPCRequest {
    pub id: RequestId,
    pub method: String,
@@ -37,7 +38,7 @@ pub struct JSONRPCRequest {
 }

 /// A notification which does not expect a response.
-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, TS)]
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema, TS)]
 pub struct JSONRPCNotification {
    pub method: String,
    #[serde(default, skip_serializing_if = "Option::is_none")]
@@ -45,20 +46,20 @@ pub struct JSONRPCNotification {
 }

 /// A successful (non-error) response to a request.
-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, TS)]
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema, TS)]
 pub struct JSONRPCResponse {
    pub id: RequestId,
    pub result: Result,
 }

 /// A response to a request that indicates an error occurred.
-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, TS)]
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema, TS)]
 pub struct JSONRPCError {
    pub error: JSONRPCErrorError,
    pub id: RequestId,
 }

-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, TS)]
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema, TS)]
 pub struct JSONRPCErrorError {
    pub code: i64,
    #[serde(default, skip_serializing_if = "Option::is_none")]
--- a/codex-rs/app-server-protocol/src/lib.rs
+++ b/codex-rs/app-server-protocol/src/lib.rs
@@ -1,5 +1,9 @@
+mod export;
 mod jsonrpc_lite;
 mod protocol;

+pub use export::generate_json;
+pub use export::generate_ts;
+pub use export::generate_types;
 pub use jsonrpc_lite::*;
 pub use protocol::*;
--- a/codex-rs/app-server-protocol/src/protocol.rs
+++ b/codex-rs/app-server-protocol/src/protocol.rs
@@ -5,10 +5,12 @@ use crate::JSONRPCNotification;
 use crate::JSONRPCRequest;
 use crate::RequestId;
 use codex_protocol::ConversationId;
+use codex_protocol::config_types::ForcedLoginMethod;
 use codex_protocol::config_types::ReasoningEffort;
 use codex_protocol::config_types::ReasoningSummary;
 use codex_protocol::config_types::SandboxMode;
 use codex_protocol::config_types::Verbosity;
+use codex_protocol::parse_command::ParsedCommand;
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::FileChange;
@@ -16,13 +18,14 @@ use codex_protocol::protocol::ReviewDecision;
 use codex_protocol::protocol::SandboxPolicy;
 use codex_protocol::protocol::TurnAbortReason;
 use paste::paste;
+use schemars::JsonSchema;
 use serde::Deserialize;
 use serde::Serialize;
 use strum_macros::Display;
 use ts_rs::TS;
 use uuid::Uuid;

-#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema, TS)]
 #[ts(type = "string")]
 pub struct GitSha(pub String);

@@ -32,7 +35,7 @@ impl GitSha {
    }
 }

-#[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, Display, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, Display, JsonSchema, TS)]
 #[serde(rename_all = "lowercase")]
 pub enum AuthMode {
    ApiKey,
@@ -54,7 +57,7 @@ macro_rules! client_request_definitions {
        ),* $(,)?
    ) => {
        /// Request from the client to the server.
-        #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+        #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
        #[serde(tag = "method", rename_all = "camelCase")]
        pub enum ClientRequest {
            $(
@@ -76,6 +79,15 @@ macro_rules! client_request_definitions {
            )*
            Ok(())
        }
+
+        pub fn export_client_response_schemas(
+            out_dir: &::std::path::Path,
+        ) -> ::anyhow::Result<()> {
+            $(
+                crate::export::write_json_schema::<$response>(out_dir, stringify!($response))?;
+            )*
+            Ok(())
+        }
    };
 }

@@ -173,13 +185,13 @@ client_request_definitions! {
    },
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct InitializeParams {
    pub client_info: ClientInfo,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ClientInfo {
    pub name: String,
@@ -188,13 +200,13 @@ pub struct ClientInfo {
    pub version: String,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct InitializeResponse {
    pub user_agent: String,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct NewConversationParams {
    /// Optional override for the model name (e.g. "o3", "o4-mini").
@@ -237,7 +249,7 @@ pub struct NewConversationParams {
    pub include_apply_patch_tool: Option<bool>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct NewConversationResponse {
    pub conversation_id: ConversationId,
@@ -248,7 +260,7 @@ pub struct NewConversationResponse {
    pub rollout_path: PathBuf,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ResumeConversationResponse {
    pub conversation_id: ConversationId,
@@ -257,7 +269,7 @@ pub struct ResumeConversationResponse {
    pub initial_messages: Option<Vec<EventMsg>>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ListConversationsParams {
    /// Optional page size; defaults to a reasonable server-side value.
@@ -268,7 +280,7 @@ pub struct ListConversationsParams {
    pub cursor: Option<String>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ConversationSummary {
    pub conversation_id: ConversationId,
@@ -279,7 +291,7 @@ pub struct ConversationSummary {
    pub timestamp: Option<String>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ListConversationsResponse {
    pub items: Vec<ConversationSummary>,
@@ -289,7 +301,7 @@ pub struct ListConversationsResponse {
    pub next_cursor: Option<String>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ResumeConversationParams {
    /// Absolute path to the rollout JSONL file.
@@ -299,78 +311,81 @@ pub struct ResumeConversationParams {
    pub overrides: Option<NewConversationParams>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct AddConversationSubscriptionResponse {
+    #[schemars(with = "String")]
    pub subscription_id: Uuid,
 }

 /// The [`ConversationId`] must match the `rollout_path`.
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ArchiveConversationParams {
    pub conversation_id: ConversationId,
    pub rollout_path: PathBuf,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ArchiveConversationResponse {}

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct RemoveConversationSubscriptionResponse {}

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct LoginApiKeyParams {
    pub api_key: String,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct LoginApiKeyResponse {}

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct LoginChatGptResponse {
+    #[schemars(with = "String")]
    pub login_id: Uuid,
    /// URL the client should open in a browser to initiate the OAuth flow.
    pub auth_url: String,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct GitDiffToRemoteResponse {
    pub sha: GitSha,
    pub diff: String,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct CancelLoginChatGptParams {
+    #[schemars(with = "String")]
    pub login_id: Uuid,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct GitDiffToRemoteParams {
    pub cwd: PathBuf,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct CancelLoginChatGptResponse {}

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct LogoutChatGptParams {}

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct LogoutChatGptResponse {}

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct GetAuthStatusParams {
    /// If true, include the current auth token (if available) in the response.
@@ -381,7 +396,7 @@ pub struct GetAuthStatusParams {
    pub refresh_token: Option<bool>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ExecOneOffCommandParams {
    /// Command argv to execute.
@@ -397,7 +412,7 @@ pub struct ExecOneOffCommandParams {
    pub sandbox_policy: Option<SandboxPolicy>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ExecOneOffCommandResponse {
    pub exit_code: i32,
@@ -405,7 +420,7 @@ pub struct ExecOneOffCommandResponse {
    pub stderr: String,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct GetAuthStatusResponse {
    #[serde(skip_serializing_if = "Option::is_none")]
@@ -420,13 +435,13 @@ pub struct GetAuthStatusResponse {
    pub requires_openai_auth: Option<bool>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct GetUserAgentResponse {
    pub user_agent: String,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct UserInfoResponse {
    /// Note: `alleged_user_email` is not currently verified. We read it from
@@ -436,13 +451,13 @@ pub struct UserInfoResponse {
    pub alleged_user_email: Option<String>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct GetUserSavedConfigResponse {
    pub config: UserSavedConfig,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct SetDefaultModelParams {
    /// If set to None, this means `model` should be cleared in config.toml.
@@ -454,14 +469,14 @@ pub struct SetDefaultModelParams {
    pub reasoning_effort: Option<ReasoningEffort>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct SetDefaultModelResponse {}

 /// UserSavedConfig contains a subset of the config. It is meant to expose mcp
 /// client-configurable settings that can be specified in the NewConversation
 /// and SendUserTurn requests.
-#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, TS)]
+#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct UserSavedConfig {
    /// Approvals
@@ -472,6 +487,11 @@ pub struct UserSavedConfig {
    #[serde(skip_serializing_if = "Option::is_none")]
    pub sandbox_settings: Option<SandboxSettings>,

+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub forced_chatgpt_workspace_id: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub forced_login_method: Option<ForcedLoginMethod>,
+
    /// Model-specific configuration
    #[serde(skip_serializing_if = "Option::is_none")]
    pub model: Option<String>,
@@ -494,7 +514,7 @@ pub struct UserSavedConfig {
 }

 /// MCP representation of a [`codex_core::config_profile::ConfigProfile`].
-#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, TS)]
+#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct Profile {
    pub model: Option<String>,
@@ -508,7 +528,7 @@ pub struct Profile {
    pub chatgpt_base_url: Option<String>,
 }
 /// MCP representation of a [`codex_core::config::ToolsToml`].
-#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, TS)]
+#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct Tools {
    #[serde(skip_serializing_if = "Option::is_none")]
@@ -518,7 +538,7 @@ pub struct Tools {
 }

 /// MCP representation of a [`codex_core::config_types::SandboxWorkspaceWrite`].
-#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, TS)]
+#[derive(Deserialize, Debug, Clone, PartialEq, Serialize, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct SandboxSettings {
    #[serde(default)]
@@ -531,14 +551,14 @@ pub struct SandboxSettings {
    pub exclude_slash_tmp: Option<bool>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct SendUserMessageParams {
    pub conversation_id: ConversationId,
    pub items: Vec<InputItem>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct SendUserTurnParams {
    pub conversation_id: ConversationId,
@@ -552,39 +572,40 @@ pub struct SendUserTurnParams {
    pub summary: ReasoningSummary,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct SendUserTurnResponse {}

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct InterruptConversationParams {
    pub conversation_id: ConversationId,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct InterruptConversationResponse {
    pub abort_reason: TurnAbortReason,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct SendUserMessageResponse {}

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct AddConversationListenerParams {
    pub conversation_id: ConversationId,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct RemoveConversationListenerParams {
+    #[schemars(with = "String")]
    pub subscription_id: Uuid,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[serde(tag = "type", content = "data")]
 pub enum InputItem {
@@ -616,7 +637,7 @@ macro_rules! server_request_definitions {
    ) => {
        paste! {
            /// Request initiated from the server and sent to the client.
-            #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+            #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
            #[serde(tag = "method", rename_all = "camelCase")]
            pub enum ServerRequest {
                $(
@@ -629,7 +650,7 @@ macro_rules! server_request_definitions {
                )*
            }

-            #[derive(Debug, Clone, PartialEq)]
+            #[derive(Debug, Clone, PartialEq, JsonSchema)]
            pub enum ServerRequestPayload {
                $( $variant([<$variant Params>]), )*
            }
@@ -651,6 +672,15 @@ macro_rules! server_request_definitions {
            }
            Ok(())
        }
+
+        pub fn export_server_response_schemas(
+            out_dir: &::std::path::Path,
+        ) -> ::anyhow::Result<()> {
+            paste! {
+                $(crate::export::write_json_schema::<[<$variant Response>]>(out_dir, stringify!([<$variant Response>]))?;)*
+            }
+            Ok(())
+        }
    };
 }

@@ -669,7 +699,7 @@ server_request_definitions! {
    ExecCommandApproval,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ApplyPatchApprovalParams {
    pub conversation_id: ConversationId,
@@ -686,7 +716,7 @@ pub struct ApplyPatchApprovalParams {
    pub grant_root: Option<PathBuf>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct ExecCommandApprovalParams {
    pub conversation_id: ConversationId,
@@ -697,19 +727,20 @@ pub struct ExecCommandApprovalParams {
    pub cwd: PathBuf,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reason: Option<String>,
+    pub parsed_cmd: Vec<ParsedCommand>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 pub struct ExecCommandApprovalResponse {
    pub decision: ReviewDecision,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 pub struct ApplyPatchApprovalResponse {
    pub decision: ReviewDecision,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(rename_all = "camelCase")]
 pub struct FuzzyFileSearchParams {
@@ -721,7 +752,7 @@ pub struct FuzzyFileSearchParams {
 }

 /// Superset of [`codex_file_search::FileMatch`]
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 pub struct FuzzyFileSearchResult {
    pub root: String,
    pub path: String,
@@ -731,21 +762,22 @@ pub struct FuzzyFileSearchResult {
    pub indices: Option<Vec<u32>>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 pub struct FuzzyFileSearchResponse {
    pub files: Vec<FuzzyFileSearchResult>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct LoginChatGptCompleteNotification {
+    #[schemars(with = "String")]
    pub login_id: Uuid,
    pub success: bool,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub error: Option<String>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct SessionConfiguredNotification {
    /// Name left as session_id instead of conversation_id for backwards compatibility.
@@ -773,7 +805,7 @@ pub struct SessionConfiguredNotification {
    pub rollout_path: PathBuf,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, TS)]
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 pub struct AuthStatusChangeNotification {
    /// Current authentication method; omitted if signed out.
@@ -782,7 +814,7 @@ pub struct AuthStatusChangeNotification {
 }

 /// Notification sent from the server to the client.
-#[derive(Serialize, Deserialize, Debug, Clone, TS, Display)]
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS, Display)]
 #[serde(tag = "method", content = "params", rename_all = "camelCase")]
 #[strum(serialize_all = "camelCase")]
 pub enum ServerNotification {
@@ -815,7 +847,7 @@ impl TryFrom<JSONRPCNotification> for ServerNotification {
 }

 /// Notification sent from the client to the server.
-#[derive(Serialize, Deserialize, Debug, Clone, TS, Display)]
+#[derive(Serialize, Deserialize, Debug, Clone, JsonSchema, TS, Display)]
 #[serde(tag = "method", content = "params", rename_all = "camelCase")]
 #[strum(serialize_all = "camelCase")]
 pub enum ClientNotification {
@@ -904,6 +936,9 @@ mod tests {
            command: vec!["echo".to_string(), "hello".to_string()],
            cwd: PathBuf::from("/tmp"),
            reason: Some("because tests".to_string()),
+            parsed_cmd: vec![ParsedCommand::Unknown {
+                cmd: "echo hello".to_string(),
+            }],
        };
        let request = ServerRequest::ExecCommandApproval {
            request_id: RequestId::Integer(7),
@@ -920,6 +955,12 @@ mod tests {
                    "command": ["echo", "hello"],
                    "cwd": "/tmp",
                    "reason": "because tests",
+                    "parsedCmd": [
+                        {
+                            "type": "unknown",
+                            "cmd": "echo hello"
+                        }
+                    ]
                }
            }),
            serde_json::to_value(&request)?,
--- a/codex-rs/app-server/src/codex_message_processor.rs
+++ b/codex-rs/app-server/src/codex_message_processor.rs
@@ -84,6 +84,7 @@ use codex_login::ServerOptions as LoginServerOptions;
 use codex_login::ShutdownHandle;
 use codex_login::run_login_server;
 use codex_protocol::ConversationId;
+use codex_protocol::config_types::ForcedLoginMethod;
 use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::protocol::InputMessageKind;
@@ -243,6 +244,19 @@ impl CodexMessageProcessor {
    }

    async fn login_api_key(&mut self, request_id: RequestId, params: LoginApiKeyParams) {
+        if matches!(
+            self.config.forced_login_method,
+            Some(ForcedLoginMethod::Chatgpt)
+        ) {
+            let error = JSONRPCErrorError {
+                code: INVALID_REQUEST_ERROR_CODE,
+                message: "API key login is disabled. Use ChatGPT login instead.".to_string(),
+                data: None,
+            };
+            self.outgoing.send_error(request_id, error).await;
+            return;
+        }
+
        {
            let mut guard = self.active_login.lock().await;
            if let Some(active) = guard.take() {
@@ -278,9 +292,23 @@ impl CodexMessageProcessor {
    async fn login_chatgpt(&mut self, request_id: RequestId) {
        let config = self.config.as_ref();

+        if matches!(config.forced_login_method, Some(ForcedLoginMethod::Api)) {
+            let error = JSONRPCErrorError {
+                code: INVALID_REQUEST_ERROR_CODE,
+                message: "ChatGPT login is disabled. Use API key login instead.".to_string(),
+                data: None,
+            };
+            self.outgoing.send_error(request_id, error).await;
+            return;
+        }
+
        let opts = LoginServerOptions {
            open_browser: false,
-            ..LoginServerOptions::new(config.codex_home.clone(), CLIENT_ID.to_string())
+            ..LoginServerOptions::new(
+                config.codex_home.clone(),
+                CLIENT_ID.to_string(),
+                config.forced_chatgpt_workspace_id.clone(),
+            )
        };

        enum LoginChatGptReply {
@@ -603,6 +631,7 @@ impl CodexMessageProcessor {
            env,
            with_escalated_permissions: None,
            justification: None,
+            arg0: None,
        };

        let effective_policy = params
@@ -1284,6 +1313,7 @@ async fn apply_bespoke_event_handling(
            command,
            cwd,
            reason,
+            parsed_cmd,
        }) => {
            let params = ExecCommandApprovalParams {
                conversation_id,
@@ -1291,6 +1321,7 @@ async fn apply_bespoke_event_handling(
                command,
                cwd,
                reason,
+                parsed_cmd,
            };
            let rx = outgoing
                .send_request(ServerRequestPayload::ExecCommandApproval(params))
@@ -1351,6 +1382,7 @@ async fn derive_config_from_params(
        include_view_image_tool: None,
        show_raw_agent_reasoning: None,
        tools_web_search_request: None,
+        additional_writable_roots: Vec::new(),
    };

    let cli_overrides = cli_overrides
--- a/codex-rs/app-server/tests/suite/auth.rs
+++ b/codex-rs/app-server/tests/suite/auth.rs
@@ -5,6 +5,7 @@ use app_test_support::to_response;
 use codex_app_server_protocol::AuthMode;
 use codex_app_server_protocol::GetAuthStatusParams;
 use codex_app_server_protocol::GetAuthStatusResponse;
+use codex_app_server_protocol::JSONRPCError;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::LoginApiKeyParams;
 use codex_app_server_protocol::LoginApiKeyResponse;
@@ -57,6 +58,19 @@ sandbox_mode = "danger-full-access"
    )
 }

+fn create_config_toml_forced_login(codex_home: &Path, forced_method: &str) -> std::io::Result<()> {
+    let config_toml = codex_home.join("config.toml");
+    let contents = format!(
+        r#"
+model = "mock-model"
+approval_policy = "never"
+sandbox_mode = "danger-full-access"
+forced_login_method = "{forced_method}"
+"#
+    );
+    std::fs::write(config_toml, contents)
+}
+
 async fn login_with_api_key_via_request(mcp: &mut McpProcess, api_key: &str) {
    let request_id = mcp
        .send_login_api_key_request(LoginApiKeyParams {
@@ -221,3 +235,38 @@ async fn get_auth_status_with_api_key_no_include_token() {
    assert_eq!(status.auth_method, Some(AuthMode::ApiKey));
    assert!(status.auth_token.is_none(), "token must be omitted");
 }
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn login_api_key_rejected_when_forced_chatgpt() {
+    let codex_home = TempDir::new().unwrap_or_else(|e| panic!("create tempdir: {e}"));
+    create_config_toml_forced_login(codex_home.path(), "chatgpt")
+        .unwrap_or_else(|err| panic!("write config.toml: {err}"));
+
+    let mut mcp = McpProcess::new(codex_home.path())
+        .await
+        .expect("spawn mcp process");
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
+        .await
+        .expect("init timeout")
+        .expect("init failed");
+
+    let request_id = mcp
+        .send_login_api_key_request(LoginApiKeyParams {
+            api_key: "sk-test-key".to_string(),
+        })
+        .await
+        .expect("send loginApiKey");
+
+    let err: JSONRPCError = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_error_message(RequestId::Integer(request_id)),
+    )
+    .await
+    .expect("loginApiKey error timeout")
+    .expect("loginApiKey error");
+
+    assert_eq!(
+        err.error.message,
+        "API key login is disabled. Use ChatGPT login instead."
+    );
+}
--- a/codex-rs/app-server/tests/suite/codex_message_processor_flow.rs
+++ b/codex-rs/app-server/tests/suite/codex_message_processor_flow.rs
@@ -27,6 +27,7 @@ use codex_core::protocol_config_types::ReasoningEffort;
 use codex_core::protocol_config_types::ReasoningSummary;
 use codex_core::spawn::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;
 use codex_protocol::config_types::SandboxMode;
+use codex_protocol::parse_command::ParsedCommand;
 use codex_protocol::protocol::Event;
 use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::InputMessageKind;
@@ -311,6 +312,9 @@ async fn test_send_user_turn_changes_approval_policy_behavior() {
            ],
            cwd: working_directory.clone(),
            reason: None,
+            parsed_cmd: vec![ParsedCommand::Unknown {
+                cmd: "python3 -c 'print(42)'".to_string()
+            }],
        },
        params
    );
--- a/codex-rs/app-server/tests/suite/config.rs
+++ b/codex-rs/app-server/tests/suite/config.rs
@@ -11,6 +11,7 @@ use codex_app_server_protocol::SandboxSettings;
 use codex_app_server_protocol::Tools;
 use codex_app_server_protocol::UserSavedConfig;
 use codex_core::protocol::AskForApproval;
+use codex_protocol::config_types::ForcedLoginMethod;
 use codex_protocol::config_types::ReasoningEffort;
 use codex_protocol::config_types::ReasoningSummary;
 use codex_protocol::config_types::SandboxMode;
@@ -33,6 +34,8 @@ model_reasoning_summary = "detailed"
 model_reasoning_effort = "high"
 model_verbosity = "medium"
 profile = "test"
+forced_chatgpt_workspace_id = "12345678-0000-0000-0000-000000000000"
+forced_login_method = "chatgpt"

 [sandbox_workspace_write]
 writable_roots = ["/tmp"]
@@ -92,6 +95,8 @@ async fn get_config_toml_parses_all_fields() {
                exclude_tmpdir_env_var: Some(true),
                exclude_slash_tmp: Some(true),
            }),
+            forced_chatgpt_workspace_id: Some("12345678-0000-0000-0000-000000000000".into()),
+            forced_login_method: Some(ForcedLoginMethod::Chatgpt),
            model: Some("gpt-5-codex".into()),
            model_reasoning_effort: Some(ReasoningEffort::High),
            model_reasoning_summary: Some(ReasoningSummary::Detailed),
@@ -149,6 +154,8 @@ async fn get_config_toml_empty() {
            approval_policy: None,
            sandbox_mode: None,
            sandbox_settings: None,
+            forced_chatgpt_workspace_id: None,
+            forced_login_method: None,
            model: None,
            model_reasoning_effort: None,
            model_reasoning_summary: None,
--- a/codex-rs/app-server/tests/suite/login.rs
+++ b/codex-rs/app-server/tests/suite/login.rs
@@ -7,6 +7,7 @@ use codex_app_server_protocol::CancelLoginChatGptParams;
 use codex_app_server_protocol::CancelLoginChatGptResponse;
 use codex_app_server_protocol::GetAuthStatusParams;
 use codex_app_server_protocol::GetAuthStatusResponse;
+use codex_app_server_protocol::JSONRPCError;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::LoginChatGptResponse;
 use codex_app_server_protocol::LogoutChatGptResponse;
@@ -144,3 +145,97 @@ async fn login_and_cancel_chatgpt() {
        eprintln!("warning: did not observe login_chat_gpt_complete notification after cancel");
    }
 }
+
+fn create_config_toml_forced_login(codex_home: &Path, forced_method: &str) -> std::io::Result<()> {
+    let config_toml = codex_home.join("config.toml");
+    let contents = format!(
+        r#"
+model = "mock-model"
+approval_policy = "never"
+sandbox_mode = "danger-full-access"
+forced_login_method = "{forced_method}"
+"#
+    );
+    std::fs::write(config_toml, contents)
+}
+
+fn create_config_toml_forced_workspace(
+    codex_home: &Path,
+    workspace_id: &str,
+) -> std::io::Result<()> {
+    let config_toml = codex_home.join("config.toml");
+    let contents = format!(
+        r#"
+model = "mock-model"
+approval_policy = "never"
+sandbox_mode = "danger-full-access"
+forced_chatgpt_workspace_id = "{workspace_id}"
+"#
+    );
+    std::fs::write(config_toml, contents)
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn login_chatgpt_rejected_when_forced_api() {
+    let codex_home = TempDir::new().unwrap_or_else(|e| panic!("create tempdir: {e}"));
+    create_config_toml_forced_login(codex_home.path(), "api")
+        .unwrap_or_else(|err| panic!("write config.toml: {err}"));
+
+    let mut mcp = McpProcess::new(codex_home.path())
+        .await
+        .expect("spawn mcp process");
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
+        .await
+        .expect("init timeout")
+        .expect("init failed");
+
+    let request_id = mcp
+        .send_login_chat_gpt_request()
+        .await
+        .expect("send loginChatGpt");
+    let err: JSONRPCError = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_error_message(RequestId::Integer(request_id)),
+    )
+    .await
+    .expect("loginChatGpt error timeout")
+    .expect("loginChatGpt error");
+
+    assert_eq!(
+        err.error.message,
+        "ChatGPT login is disabled. Use API key login instead."
+    );
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn login_chatgpt_includes_forced_workspace_query_param() {
+    let codex_home = TempDir::new().unwrap_or_else(|e| panic!("create tempdir: {e}"));
+    create_config_toml_forced_workspace(codex_home.path(), "ws-forced")
+        .unwrap_or_else(|err| panic!("write config.toml: {err}"));
+
+    let mut mcp = McpProcess::new(codex_home.path())
+        .await
+        .expect("spawn mcp process");
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize())
+        .await
+        .expect("init timeout")
+        .expect("init failed");
+
+    let request_id = mcp
+        .send_login_chat_gpt_request()
+        .await
+        .expect("send loginChatGpt");
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
+    )
+    .await
+    .expect("loginChatGpt timeout")
+    .expect("loginChatGpt response");
+
+    let login: LoginChatGptResponse = to_response(resp).expect("deserialize login resp");
+    assert!(
+        login.auth_url.contains("allowed_workspace_id=ws-forced"),
+        "auth URL should include forced workspace"
+    );
+}
--- a/codex-rs/async-utils/Cargo.toml
+++ b/codex-rs/async-utils/Cargo.toml
@@ -0,0 +1,15 @@
+[package]
+edition.workspace = true
+name = "codex-async-utils"
+version.workspace = true
+
+[lints]
+workspace = true
+
+[dependencies]
+async-trait.workspace = true
+tokio = { workspace = true, features = ["macros", "rt", "rt-multi-thread", "time"] }
+tokio-util.workspace = true
+
+[dev-dependencies]
+pretty_assertions.workspace = true
--- a/codex-rs/async-utils/src/lib.rs
+++ b/codex-rs/async-utils/src/lib.rs
@@ -0,0 +1,86 @@
+use async_trait::async_trait;
+use std::future::Future;
+use tokio_util::sync::CancellationToken;
+
+#[derive(Debug, PartialEq, Eq)]
+pub enum CancelErr {
+    Cancelled,
+}
+
+#[async_trait]
+pub trait OrCancelExt: Sized {
+    type Output;
+
+    async fn or_cancel(self, token: &CancellationToken) -> Result<Self::Output, CancelErr>;
+}
+
+#[async_trait]
+impl<F> OrCancelExt for F
+where
+    F: Future + Send,
+    F::Output: Send,
+{
+    type Output = F::Output;
+
+    async fn or_cancel(self, token: &CancellationToken) -> Result<Self::Output, CancelErr> {
+        tokio::select! {
+            _ = token.cancelled() => Err(CancelErr::Cancelled),
+            res = self => Ok(res),
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use pretty_assertions::assert_eq;
+    use std::time::Duration;
+    use tokio::task;
+    use tokio::time::sleep;
+
+    #[tokio::test]
+    async fn returns_ok_when_future_completes_first() {
+        let token = CancellationToken::new();
+        let value = async { 42 };
+
+        let result = value.or_cancel(&token).await;
+
+        assert_eq!(Ok(42), result);
+    }
+
+    #[tokio::test]
+    async fn returns_err_when_token_cancelled_first() {
+        let token = CancellationToken::new();
+        let token_clone = token.clone();
+
+        let cancel_handle = task::spawn(async move {
+            sleep(Duration::from_millis(10)).await;
+            token_clone.cancel();
+        });
+
+        let result = async {
+            sleep(Duration::from_millis(100)).await;
+            7
+        }
+        .or_cancel(&token)
+        .await;
+
+        cancel_handle.await.expect("cancel task panicked");
+        assert_eq!(Err(CancelErr::Cancelled), result);
+    }
+
+    #[tokio::test]
+    async fn returns_err_when_token_already_cancelled() {
+        let token = CancellationToken::new();
+        token.cancel();
+
+        let result = async {
+            sleep(Duration::from_millis(50)).await;
+            5
+        }
+        .or_cancel(&token)
+        .await;
+
+        assert_eq!(Err(CancelErr::Cancelled), result);
+    }
+}
--- a/codex-rs/cli/Cargo.toml
+++ b/codex-rs/cli/Cargo.toml
@@ -19,8 +19,10 @@ anyhow = { workspace = true }
 clap = { workspace = true, features = ["derive"] }
 clap_complete = { workspace = true }
 codex-app-server = { workspace = true }
+codex-app-server-protocol = { workspace = true }
 codex-arg0 = { workspace = true }
 codex-chatgpt = { workspace = true }
+codex-cloud-tasks = { path = "../cloud-tasks" }
 codex-common = { workspace = true, features = ["cli"] }
 codex-core = { workspace = true }
 codex-exec = { workspace = true }
@@ -28,12 +30,11 @@ codex-login = { workspace = true }
 codex-mcp-server = { workspace = true }
 codex-process-hardening = { workspace = true }
 codex-protocol = { workspace = true }
-codex-app-server-protocol = { workspace = true }
 codex-protocol-ts = { workspace = true }
 codex-responses-api-proxy = { workspace = true }
-codex-tui = { workspace = true }
 codex-rmcp-client = { workspace = true }
-codex-cloud-tasks = { path = "../cloud-tasks" }
+codex-stdio-to-uds = { workspace = true }
+codex-tui = { workspace = true }
 ctor = { workspace = true }
 owo-colors = { workspace = true }
 serde_json = { workspace = true }
@@ -47,8 +48,8 @@ tokio = { workspace = true, features = [
 ] }

 [dev-dependencies]
-assert_matches = { workspace = true }
 assert_cmd = { workspace = true }
+assert_matches = { workspace = true }
 predicates = { workspace = true }
 pretty_assertions = { workspace = true }
 tempfile = { workspace = true }
--- a/codex-rs/cli/src/login.rs
+++ b/codex-rs/cli/src/login.rs
@@ -9,12 +9,20 @@ use codex_core::config::ConfigOverrides;
 use codex_login::ServerOptions;
 use codex_login::run_device_code_login;
 use codex_login::run_login_server;
+use codex_protocol::config_types::ForcedLoginMethod;
 use std::io::IsTerminal;
 use std::io::Read;
 use std::path::PathBuf;

-pub async fn login_with_chatgpt(codex_home: PathBuf) -> std::io::Result<()> {
-    let opts = ServerOptions::new(codex_home, CLIENT_ID.to_string());
+pub async fn login_with_chatgpt(
+    codex_home: PathBuf,
+    forced_chatgpt_workspace_id: Option<String>,
+) -> std::io::Result<()> {
+    let opts = ServerOptions::new(
+        codex_home,
+        CLIENT_ID.to_string(),
+        forced_chatgpt_workspace_id,
+    );
    let server = run_login_server(opts)?;

    eprintln!(
@@ -28,7 +36,14 @@ pub async fn login_with_chatgpt(codex_home: PathBuf) -> std::io::Result<()> {
 pub async fn run_login_with_chatgpt(cli_config_overrides: CliConfigOverrides) -> ! {
    let config = load_config_or_exit(cli_config_overrides).await;

-    match login_with_chatgpt(config.codex_home).await {
+    if matches!(config.forced_login_method, Some(ForcedLoginMethod::Api)) {
+        eprintln!("ChatGPT login is disabled. Use API key login instead.");
+        std::process::exit(1);
+    }
+
+    let forced_chatgpt_workspace_id = config.forced_chatgpt_workspace_id.clone();
+
+    match login_with_chatgpt(config.codex_home, forced_chatgpt_workspace_id).await {
        Ok(_) => {
            eprintln!("Successfully logged in");
            std::process::exit(0);
@@ -46,6 +61,11 @@ pub async fn run_login_with_api_key(
 ) -> ! {
    let config = load_config_or_exit(cli_config_overrides).await;

+    if matches!(config.forced_login_method, Some(ForcedLoginMethod::Chatgpt)) {
+        eprintln!("API key login is disabled. Use ChatGPT login instead.");
+        std::process::exit(1);
+    }
+
    match login_with_api_key(&config.codex_home, &api_key) {
        Ok(_) => {
            eprintln!("Successfully logged in");
@@ -92,9 +112,15 @@ pub async fn run_login_with_device_code(
    client_id: Option<String>,
 ) -> ! {
    let config = load_config_or_exit(cli_config_overrides).await;
+    if matches!(config.forced_login_method, Some(ForcedLoginMethod::Api)) {
+        eprintln!("ChatGPT login is disabled. Use API key login instead.");
+        std::process::exit(1);
+    }
+    let forced_chatgpt_workspace_id = config.forced_chatgpt_workspace_id.clone();
    let mut opts = ServerOptions::new(
        config.codex_home,
        client_id.unwrap_or(CLIENT_ID.to_string()),
+        forced_chatgpt_workspace_id,
    );
    if let Some(iss) = issuer_base_url {
        opts.issuer = iss;
--- a/codex-rs/cli/src/main.rs
+++ b/codex-rs/cli/src/main.rs
@@ -19,6 +19,7 @@ use codex_exec::Cli as ExecCli;
 use codex_responses_api_proxy::Args as ResponsesApiProxyArgs;
 use codex_tui::AppExitInfo;
 use codex_tui::Cli as TuiCli;
+use codex_tui::UpdateAction;
 use owo_colors::OwoColorize;
 use std::path::PathBuf;
 use supports_color::Stream;
@@ -26,6 +27,8 @@ use supports_color::Stream;
 mod mcp_cmd;

 use crate::mcp_cmd::McpCli;
+use codex_core::config::Config;
+use codex_core::config::ConfigOverrides;

 /// Codex CLI
 ///
@@ -39,12 +42,16 @@ use crate::mcp_cmd::McpCli;
    // The executable is sometimes invoked via a platform‑specific name like
    // `codex-x86_64-unknown-linux-musl`, but the help output should always use
    // the generic `codex` command name that users run.
-    bin_name = "codex"
+    bin_name = "codex",
+    override_usage = "codex [OPTIONS] [PROMPT]\n       codex [OPTIONS] <COMMAND> [ARGS]"
 )]
 struct MultitoolCli {
    #[clap(flatten)]
    pub config_overrides: CliConfigOverrides,

+    #[clap(flatten)]
+    pub feature_toggles: FeatureToggles,
+
    #[clap(flatten)]
    interactive: TuiCli,

@@ -97,6 +104,13 @@ enum Subcommand {
    /// Internal: run the responses API proxy.
    #[clap(hide = true)]
    ResponsesApiProxy(ResponsesApiProxyArgs),
+
+    /// Internal: relay stdio to a Unix domain socket.
+    #[clap(hide = true, name = "stdio-to-uds")]
+    StdioToUds(StdioToUdsCommand),
+
+    /// Inspect feature flags.
+    Features(FeaturesCli),
 }

 #[derive(Debug, Parser)]
@@ -157,9 +171,7 @@ struct LoginCommand {
    )]
    api_key: Option<String>,

-    /// EXPERIMENTAL: Use device code flow (not yet supported)
-    /// This feature is experimental and may changed in future releases.
-    #[arg(long = "experimental_use-device-code", hide = true)]
+    #[arg(long = "device-auth")]
    use_device_code: bool,

    /// EXPERIMENTAL: Use custom OAuth issuer base URL (advanced)
@@ -198,10 +210,18 @@ struct GenerateTsCommand {
    prettier: Option<PathBuf>,
 }

+#[derive(Debug, Parser)]
+struct StdioToUdsCommand {
+    /// Path to the Unix domain socket to connect to.
+    #[arg(value_name = "SOCKET_PATH")]
+    socket_path: PathBuf,
+}
+
 fn format_exit_messages(exit_info: AppExitInfo, color_enabled: bool) -> Vec<String> {
    let AppExitInfo {
        token_usage,
        conversation_id,
+        ..
    } = exit_info;

    if token_usage.is_zero() {
@@ -226,11 +246,79 @@ fn format_exit_messages(exit_info: AppExitInfo, color_enabled: bool) -> Vec<Stri
    lines
 }

-fn print_exit_messages(exit_info: AppExitInfo) {
+/// Handle the app exit and print the results. Optionally run the update action.
+fn handle_app_exit(exit_info: AppExitInfo) -> anyhow::Result<()> {
+    let update_action = exit_info.update_action;
    let color_enabled = supports_color::on(Stream::Stdout).is_some();
    for line in format_exit_messages(exit_info, color_enabled) {
        println!("{line}");
    }
+    if let Some(action) = update_action {
+        run_update_action(action)?;
+    }
+    Ok(())
+}
+
+/// Run the update action and print the result.
+fn run_update_action(action: UpdateAction) -> anyhow::Result<()> {
+    println!();
+    let (cmd, args) = action.command_args();
+    let cmd_str = action.command_str();
+    println!("Updating Codex via `{cmd_str}`...");
+    let status = std::process::Command::new(cmd).args(args).status()?;
+    if !status.success() {
+        anyhow::bail!("`{cmd_str}` failed with status {status}");
+    }
+    println!();
+    println!("🎉 Update ran successfully! Please restart Codex.");
+    Ok(())
+}
+
+#[derive(Debug, Default, Parser, Clone)]
+struct FeatureToggles {
+    /// Enable a feature (repeatable). Equivalent to `-c features.<name>=true`.
+    #[arg(long = "enable", value_name = "FEATURE", action = clap::ArgAction::Append, global = true)]
+    enable: Vec<String>,
+
+    /// Disable a feature (repeatable). Equivalent to `-c features.<name>=false`.
+    #[arg(long = "disable", value_name = "FEATURE", action = clap::ArgAction::Append, global = true)]
+    disable: Vec<String>,
+}
+
+impl FeatureToggles {
+    fn to_overrides(&self) -> Vec<String> {
+        let mut v = Vec::new();
+        for k in &self.enable {
+            v.push(format!("features.{k}=true"));
+        }
+        for k in &self.disable {
+            v.push(format!("features.{k}=false"));
+        }
+        v
+    }
+}
+
+#[derive(Debug, Parser)]
+struct FeaturesCli {
+    #[command(subcommand)]
+    sub: FeaturesSubcommand,
+}
+
+#[derive(Debug, Parser)]
+enum FeaturesSubcommand {
+    /// List known features with their stage and effective state.
+    List,
+}
+
+fn stage_str(stage: codex_core::features::Stage) -> &'static str {
+    use codex_core::features::Stage;
+    match stage {
+        Stage::Experimental => "experimental",
+        Stage::Beta => "beta",
+        Stage::Stable => "stable",
+        Stage::Deprecated => "deprecated",
+        Stage::Removed => "removed",
+    }
 }

 /// As early as possible in the process lifecycle, apply hardening measures. We
@@ -250,11 +338,17 @@ fn main() -> anyhow::Result<()> {

 async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()> {
    let MultitoolCli {
-        config_overrides: root_config_overrides,
+        config_overrides: mut root_config_overrides,
+        feature_toggles,
        mut interactive,
        subcommand,
    } = MultitoolCli::parse();

+    // Fold --enable/--disable into config overrides so they flow to all subcommands.
+    root_config_overrides
+        .raw_overrides
+        .extend(feature_toggles.to_overrides());
+
    match subcommand {
        None => {
            prepend_config_flags(
@@ -262,7 +356,7 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
                root_config_overrides.clone(),
            );
            let exit_info = codex_tui::run_main(interactive, codex_linux_sandbox_exe).await?;
-            print_exit_messages(exit_info);
+            handle_app_exit(exit_info)?;
        }
        Some(Subcommand::Exec(mut exec_cli)) => {
            prepend_config_flags(
@@ -295,7 +389,7 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
                config_overrides,
            );
            let exit_info = codex_tui::run_main(interactive, codex_linux_sandbox_exe).await?;
-            print_exit_messages(exit_info);
+            handle_app_exit(exit_info)?;
        }
        Some(Subcommand::Login(mut login_cli)) => {
            prepend_config_flags(
@@ -380,9 +474,38 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
            tokio::task::spawn_blocking(move || codex_responses_api_proxy::run_main(args))
                .await??;
        }
+        Some(Subcommand::StdioToUds(cmd)) => {
+            let socket_path = cmd.socket_path;
+            tokio::task::spawn_blocking(move || codex_stdio_to_uds::run(socket_path.as_path()))
+                .await??;
+        }
        Some(Subcommand::GenerateTs(gen_cli)) => {
            codex_protocol_ts::generate_ts(&gen_cli.out_dir, gen_cli.prettier.as_deref())?;
        }
+        Some(Subcommand::Features(FeaturesCli { sub })) => match sub {
+            FeaturesSubcommand::List => {
+                // Respect root-level `-c` overrides plus top-level flags like `--profile`.
+                let cli_kv_overrides = root_config_overrides
+                    .parse_overrides()
+                    .map_err(|e| anyhow::anyhow!(e))?;
+
+                // Thread through relevant top-level flags (at minimum, `--profile`).
+                // Also honor `--search` since it maps to a feature toggle.
+                let overrides = ConfigOverrides {
+                    config_profile: interactive.config_profile.clone(),
+                    tools_web_search_request: interactive.web_search.then_some(true),
+                    ..Default::default()
+                };
+
+                let config = Config::load_with_cli_overrides(cli_kv_overrides, overrides).await?;
+                for def in codex_core::features::FEATURES.iter() {
+                    let name = def.key;
+                    let stage = stage_str(def.stage);
+                    let enabled = config.features.enabled(def.id);
+                    println!("{name}\t{stage}\t{enabled}");
+                }
+            }
+        },
    }

    Ok(())
@@ -457,6 +580,9 @@ fn merge_resume_cli_flags(interactive: &mut TuiCli, resume_cli: TuiCli) {
    if !resume_cli.images.is_empty() {
        interactive.images = resume_cli.images;
    }
+    if !resume_cli.add_dir.is_empty() {
+        interactive.add_dir.extend(resume_cli.add_dir);
+    }
    if let Some(prompt) = resume_cli.prompt {
        interactive.prompt = Some(prompt);
    }
@@ -486,6 +612,7 @@ mod tests {
            interactive,
            config_overrides: root_overrides,
            subcommand,
+            feature_toggles: _,
        } = cli;

        let Subcommand::Resume(ResumeCommand {
@@ -511,6 +638,7 @@ mod tests {
            conversation_id: conversation
                .map(ConversationId::from_string)
                .map(Result::unwrap),
+            update_action: None,
        }
    }

@@ -519,6 +647,7 @@ mod tests {
        let exit_info = AppExitInfo {
            token_usage: TokenUsage::default(),
            conversation_id: None,
+            update_action: None,
        };
        let lines = format_exit_messages(exit_info, false);
        assert!(lines.is_empty());
--- a/codex-rs/cli/src/mcp_cmd.rs
+++ b/codex-rs/cli/src/mcp_cmd.rs
@@ -4,7 +4,9 @@ use anyhow::Context;
 use anyhow::Result;
 use anyhow::anyhow;
 use anyhow::bail;
+use clap::ArgGroup;
 use codex_common::CliConfigOverrides;
+use codex_common::format_env_display::format_env_display;
 use codex_core::config::Config;
 use codex_core::config::ConfigOverrides;
 use codex_core::config::find_codex_home;
@@ -12,8 +14,12 @@ use codex_core::config::load_global_mcp_servers;
 use codex_core::config::write_global_mcp_servers;
 use codex_core::config_types::McpServerConfig;
 use codex_core::config_types::McpServerTransportConfig;
+use codex_core::features::Feature;
+use codex_core::mcp::auth::compute_auth_statuses;
+use codex_core::protocol::McpAuthStatus;
 use codex_rmcp_client::delete_oauth_tokens;
 use codex_rmcp_client::perform_oauth_login;
+use codex_rmcp_client::supports_oauth_login;

 /// [experimental] Launch Codex as an MCP server or manage configured MCP servers.
 ///
@@ -77,13 +83,61 @@ pub struct AddArgs {
    /// Name for the MCP server configuration.
    pub name: String,

-    /// Environment variables to set when launching the server.
-    #[arg(long, value_parser = parse_env_pair, value_name = "KEY=VALUE")]
-    pub env: Vec<(String, String)>,
+    #[command(flatten)]
+    pub transport_args: AddMcpTransportArgs,
+}

+#[derive(Debug, clap::Args)]
+#[command(
+    group(
+        ArgGroup::new("transport")
+            .args(["command", "url"])
+            .required(true)
+            .multiple(false)
+    )
+)]
+pub struct AddMcpTransportArgs {
+    #[command(flatten)]
+    pub stdio: Option<AddMcpStdioArgs>,
+
+    #[command(flatten)]
+    pub streamable_http: Option<AddMcpStreamableHttpArgs>,
+}
+
+#[derive(Debug, clap::Args)]
+pub struct AddMcpStdioArgs {
    /// Command to launch the MCP server.
-    #[arg(trailing_var_arg = true, num_args = 1..)]
+    /// Use --url for a streamable HTTP server.
+    #[arg(
+            trailing_var_arg = true,
+            num_args = 0..,
+        )]
    pub command: Vec<String>,
+
+    /// Environment variables to set when launching the server.
+    /// Only valid with stdio servers.
+    #[arg(
+        long,
+        value_parser = parse_env_pair,
+        value_name = "KEY=VALUE",
+    )]
+    pub env: Vec<(String, String)>,
+}
+
+#[derive(Debug, clap::Args)]
+pub struct AddMcpStreamableHttpArgs {
+    /// URL for a streamable HTTP MCP server.
+    #[arg(long)]
+    pub url: String,
+
+    /// Optional environment variable to read for a bearer token.
+    /// Only valid with streamable HTTP servers.
+    #[arg(
+        long = "bearer-token-env-var",
+        value_name = "ENV_VAR",
+        requires = "url"
+    )]
+    pub bearer_token_env_var: Option<String>,
 }

 #[derive(Debug, clap::Parser)]
@@ -138,39 +192,65 @@ impl McpCli {

 async fn run_add(config_overrides: &CliConfigOverrides, add_args: AddArgs) -> Result<()> {
    // Validate any provided overrides even though they are not currently applied.
-    config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    let overrides = config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    let config = Config::load_with_cli_overrides(overrides, ConfigOverrides::default())
+        .await
+        .context("failed to load configuration")?;

-    let AddArgs { name, env, command } = add_args;
+    let AddArgs {
+        name,
+        transport_args,
+    } = add_args;

    validate_server_name(&name)?;

-    let mut command_parts = command.into_iter();
-    let command_bin = command_parts
-        .next()
-        .ok_or_else(|| anyhow!("command is required"))?;
-    let command_args: Vec<String> = command_parts.collect();
-
-    let env_map = if env.is_empty() {
-        None
-    } else {
-        let mut map = HashMap::new();
-        for (key, value) in env {
-            map.insert(key, value);
-        }
-        Some(map)
-    };
-
    let codex_home = find_codex_home().context("failed to resolve CODEX_HOME")?;
    let mut servers = load_global_mcp_servers(&codex_home)
        .await
        .with_context(|| format!("failed to load MCP servers from {}", codex_home.display()))?;

-    let new_entry = McpServerConfig {
-        transport: McpServerTransportConfig::Stdio {
-            command: command_bin,
-            args: command_args,
-            env: env_map,
+    let transport = match transport_args {
+        AddMcpTransportArgs {
+            stdio: Some(stdio), ..
+        } => {
+            let mut command_parts = stdio.command.into_iter();
+            let command_bin = command_parts
+                .next()
+                .ok_or_else(|| anyhow!("command is required"))?;
+            let command_args: Vec<String> = command_parts.collect();
+
+            let env_map = if stdio.env.is_empty() {
+                None
+            } else {
+                Some(stdio.env.into_iter().collect::<HashMap<_, _>>())
+            };
+            McpServerTransportConfig::Stdio {
+                command: command_bin,
+                args: command_args,
+                env: env_map,
+                env_vars: Vec::new(),
+                cwd: None,
+            }
+        }
+        AddMcpTransportArgs {
+            streamable_http:
+                Some(AddMcpStreamableHttpArgs {
+                    url,
+                    bearer_token_env_var,
+                }),
+            ..
+        } => McpServerTransportConfig::StreamableHttp {
+            url,
+            bearer_token_env_var,
+            http_headers: None,
+            env_http_headers: None,
        },
+        AddMcpTransportArgs { .. } => bail!("exactly one of --command or --url must be provided"),
+    };
+
+    let new_entry = McpServerConfig {
+        transport: transport.clone(),
+        enabled: true,
        startup_timeout_sec: None,
        tool_timeout_sec: None,
    };
@@ -182,6 +262,26 @@ async fn run_add(config_overrides: &CliConfigOverrides, add_args: AddArgs) -> Re

    println!("Added global MCP server '{name}'.");

+    if let McpServerTransportConfig::StreamableHttp {
+        url,
+        bearer_token_env_var: None,
+        http_headers,
+        env_http_headers,
+    } = transport
+        && matches!(supports_oauth_login(&url).await, Ok(true))
+    {
+        println!("Detected OAuth support. Starting OAuth flow…");
+        perform_oauth_login(
+            &name,
+            &url,
+            config.mcp_oauth_credentials_store_mode,
+            http_headers.clone(),
+            env_http_headers.clone(),
+        )
+        .await?;
+        println!("Successfully logged in.");
+    }
+
    Ok(())
 }

@@ -219,7 +319,7 @@ async fn run_login(config_overrides: &CliConfigOverrides, login_args: LoginArgs)
        .await
        .context("failed to load configuration")?;

-    if !config.use_experimental_use_rmcp_client {
+    if !config.features.enabled(Feature::RmcpClient) {
        bail!(
            "OAuth login is only supported when experimental_use_rmcp_client is true in config.toml."
        );
@@ -231,12 +331,24 @@ async fn run_login(config_overrides: &CliConfigOverrides, login_args: LoginArgs)
        bail!("No MCP server named '{name}' found.");
    };

-    let url = match &server.transport {
-        McpServerTransportConfig::StreamableHttp { url, .. } => url.clone(),
+    let (url, http_headers, env_http_headers) = match &server.transport {
+        McpServerTransportConfig::StreamableHttp {
+            url,
+            http_headers,
+            env_http_headers,
+            ..
+        } => (url.clone(), http_headers.clone(), env_http_headers.clone()),
        _ => bail!("OAuth login is only supported for streamable HTTP servers."),
    };

-    perform_oauth_login(&name, &url).await?;
+    perform_oauth_login(
+        &name,
+        &url,
+        config.mcp_oauth_credentials_store_mode,
+        http_headers,
+        env_http_headers,
+    )
+    .await?;
    println!("Successfully logged in to MCP server '{name}'.");
    Ok(())
 }
@@ -259,7 +371,7 @@ async fn run_logout(config_overrides: &CliConfigOverrides, logout_args: LogoutAr
        _ => bail!("OAuth logout is only supported for streamable_http transports."),
    };

-    match delete_oauth_tokens(&name, &url) {
+    match delete_oauth_tokens(&name, &url, config.mcp_oauth_credentials_store_mode) {
        Ok(true) => println!("Removed OAuth credentials for '{name}'."),
        Ok(false) => println!("No OAuth credentials stored for '{name}'."),
        Err(err) => return Err(anyhow!("failed to delete OAuth credentials: {err}")),
@@ -276,29 +388,54 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->

    let mut entries: Vec<_> = config.mcp_servers.iter().collect();
    entries.sort_by(|(a, _), (b, _)| a.cmp(b));
+    let auth_statuses = compute_auth_statuses(
+        config.mcp_servers.iter(),
+        config.mcp_oauth_credentials_store_mode,
+    )
+    .await;

    if list_args.json {
        let json_entries: Vec<_> = entries
            .into_iter()
            .map(|(name, cfg)| {
+                let auth_status = auth_statuses
+                    .get(name.as_str())
+                    .copied()
+                    .unwrap_or(McpAuthStatus::Unsupported);
                let transport = match &cfg.transport {
-                    McpServerTransportConfig::Stdio { command, args, env } => serde_json::json!({
+                    McpServerTransportConfig::Stdio {
+                        command,
+                        args,
+                        env,
+                        env_vars,
+                        cwd,
+                    } => serde_json::json!({
                        "type": "stdio",
                        "command": command,
                        "args": args,
                        "env": env,
+                        "env_vars": env_vars,
+                        "cwd": cwd,
                    }),
-                    McpServerTransportConfig::StreamableHttp { url, bearer_token } => {
+                    McpServerTransportConfig::StreamableHttp {
+                        url,
+                        bearer_token_env_var,
+                        http_headers,
+                        env_http_headers,
+                    } => {
                        serde_json::json!({
                            "type": "streamable_http",
                            "url": url,
-                            "bearer_token": bearer_token,
+                            "bearer_token_env_var": bearer_token_env_var,
+                            "http_headers": http_headers,
+                            "env_http_headers": env_http_headers,
                        })
                    }
                };

                serde_json::json!({
                    "name": name,
+                    "enabled": cfg.enabled,
                    "transport": transport,
                    "startup_timeout_sec": cfg
                        .startup_timeout_sec
@@ -306,6 +443,7 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->
                    "tool_timeout_sec": cfg
                        .tool_timeout_sec
                        .map(|timeout| timeout.as_secs_f64()),
+                    "auth_status": auth_status,
                })
            })
            .collect();
@@ -319,45 +457,85 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->
        return Ok(());
    }

-    let mut stdio_rows: Vec<[String; 4]> = Vec::new();
-    let mut http_rows: Vec<[String; 3]> = Vec::new();
+    let mut stdio_rows: Vec<[String; 7]> = Vec::new();
+    let mut http_rows: Vec<[String; 5]> = Vec::new();

    for (name, cfg) in entries {
        match &cfg.transport {
-            McpServerTransportConfig::Stdio { command, args, env } => {
+            McpServerTransportConfig::Stdio {
+                command,
+                args,
+                env,
+                env_vars,
+                cwd,
+            } => {
                let args_display = if args.is_empty() {
                    "-".to_string()
                } else {
                    args.join(" ")
                };
-                let env_display = match env.as_ref() {
-                    None => "-".to_string(),
-                    Some(map) if map.is_empty() => "-".to_string(),
-                    Some(map) => {
-                        let mut pairs: Vec<_> = map.iter().collect();
-                        pairs.sort_by(|(a, _), (b, _)| a.cmp(b));
-                        pairs
-                            .into_iter()
-                            .map(|(k, v)| format!("{k}={v}"))
-                            .collect::<Vec<_>>()
-                            .join(", ")
-                    }
-                };
-                stdio_rows.push([name.clone(), command.clone(), args_display, env_display]);
-            }
-            McpServerTransportConfig::StreamableHttp { url, bearer_token } => {
-                let has_bearer = if bearer_token.is_some() {
-                    "True"
+                let env_display = format_env_display(env.as_ref(), env_vars);
+                let cwd_display = cwd
+                    .as_ref()
+                    .map(|path| path.display().to_string())
+                    .filter(|value| !value.is_empty())
+                    .unwrap_or_else(|| "-".to_string());
+                let status = if cfg.enabled {
+                    "enabled".to_string()
                } else {
-                    "False"
+                    "disabled".to_string()
                };
-                http_rows.push([name.clone(), url.clone(), has_bearer.into()]);
+                let auth_status = auth_statuses
+                    .get(name.as_str())
+                    .copied()
+                    .unwrap_or(McpAuthStatus::Unsupported)
+                    .to_string();
+                stdio_rows.push([
+                    name.clone(),
+                    command.clone(),
+                    args_display,
+                    env_display,
+                    cwd_display,
+                    status,
+                    auth_status,
+                ]);
+            }
+            McpServerTransportConfig::StreamableHttp {
+                url,
+                bearer_token_env_var,
+                ..
+            } => {
+                let status = if cfg.enabled {
+                    "enabled".to_string()
+                } else {
+                    "disabled".to_string()
+                };
+                let auth_status = auth_statuses
+                    .get(name.as_str())
+                    .copied()
+                    .unwrap_or(McpAuthStatus::Unsupported)
+                    .to_string();
+                http_rows.push([
+                    name.clone(),
+                    url.clone(),
+                    bearer_token_env_var.clone().unwrap_or("-".to_string()),
+                    status,
+                    auth_status,
+                ]);
            }
        }
    }

    if !stdio_rows.is_empty() {
-        let mut widths = ["Name".len(), "Command".len(), "Args".len(), "Env".len()];
+        let mut widths = [
+            "Name".len(),
+            "Command".len(),
+            "Args".len(),
+            "Env".len(),
+            "Cwd".len(),
+            "Status".len(),
+            "Auth".len(),
+        ];
        for row in &stdio_rows {
            for (i, cell) in row.iter().enumerate() {
                widths[i] = widths[i].max(cell.len());
@@ -365,28 +543,40 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->
        }

        println!(
-            "{:<name_w$}  {:<cmd_w$}  {:<args_w$}  {:<env_w$}",
-            "Name",
-            "Command",
-            "Args",
-            "Env",
+            "{name:<name_w$}  {command:<cmd_w$}  {args:<args_w$}  {env:<env_w$}  {cwd:<cwd_w$}  {status:<status_w$}  {auth:<auth_w$}",
+            name = "Name",
+            command = "Command",
+            args = "Args",
+            env = "Env",
+            cwd = "Cwd",
+            status = "Status",
+            auth = "Auth",
            name_w = widths[0],
            cmd_w = widths[1],
            args_w = widths[2],
            env_w = widths[3],
+            cwd_w = widths[4],
+            status_w = widths[5],
+            auth_w = widths[6],
        );

        for row in &stdio_rows {
            println!(
-                "{:<name_w$}  {:<cmd_w$}  {:<args_w$}  {:<env_w$}",
-                row[0],
-                row[1],
-                row[2],
-                row[3],
+                "{name:<name_w$}  {command:<cmd_w$}  {args:<args_w$}  {env:<env_w$}  {cwd:<cwd_w$}  {status:<status_w$}  {auth:<auth_w$}",
+                name = row[0].as_str(),
+                command = row[1].as_str(),
+                args = row[2].as_str(),
+                env = row[3].as_str(),
+                cwd = row[4].as_str(),
+                status = row[5].as_str(),
+                auth = row[6].as_str(),
                name_w = widths[0],
                cmd_w = widths[1],
                args_w = widths[2],
                env_w = widths[3],
+                cwd_w = widths[4],
+                status_w = widths[5],
+                auth_w = widths[6],
            );
        }
    }
@@ -396,7 +586,13 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->
    }

    if !http_rows.is_empty() {
-        let mut widths = ["Name".len(), "Url".len(), "Has Bearer Token".len()];
+        let mut widths = [
+            "Name".len(),
+            "Url".len(),
+            "Bearer Token Env Var".len(),
+            "Status".len(),
+            "Auth".len(),
+        ];
        for row in &http_rows {
            for (i, cell) in row.iter().enumerate() {
                widths[i] = widths[i].max(cell.len());
@@ -404,24 +600,32 @@ async fn run_list(config_overrides: &CliConfigOverrides, list_args: ListArgs) ->
        }

        println!(
-            "{:<name_w$}  {:<url_w$}  {:<token_w$}",
-            "Name",
-            "Url",
-            "Has Bearer Token",
+            "{name:<name_w$}  {url:<url_w$}  {token:<token_w$}  {status:<status_w$}  {auth:<auth_w$}",
+            name = "Name",
+            url = "Url",
+            token = "Bearer Token Env Var",
+            status = "Status",
+            auth = "Auth",
            name_w = widths[0],
            url_w = widths[1],
            token_w = widths[2],
+            status_w = widths[3],
+            auth_w = widths[4],
        );

        for row in &http_rows {
            println!(
-                "{:<name_w$}  {:<url_w$}  {:<token_w$}",
-                row[0],
-                row[1],
-                row[2],
+                "{name:<name_w$}  {url:<url_w$}  {token:<token_w$}  {status:<status_w$}  {auth:<auth_w$}",
+                name = row[0].as_str(),
+                url = row[1].as_str(),
+                token = row[2].as_str(),
+                status = row[3].as_str(),
+                auth = row[4].as_str(),
                name_w = widths[0],
                url_w = widths[1],
                token_w = widths[2],
+                status_w = widths[3],
+                auth_w = widths[4],
            );
        }
    }
@@ -441,20 +645,36 @@ async fn run_get(config_overrides: &CliConfigOverrides, get_args: GetArgs) -> Re

    if get_args.json {
        let transport = match &server.transport {
-            McpServerTransportConfig::Stdio { command, args, env } => serde_json::json!({
+            McpServerTransportConfig::Stdio {
+                command,
+                args,
+                env,
+                env_vars,
+                cwd,
+            } => serde_json::json!({
                "type": "stdio",
                "command": command,
                "args": args,
                "env": env,
+                "env_vars": env_vars,
+                "cwd": cwd,
            }),
-            McpServerTransportConfig::StreamableHttp { url, bearer_token } => serde_json::json!({
+            McpServerTransportConfig::StreamableHttp {
+                url,
+                bearer_token_env_var,
+                http_headers,
+                env_http_headers,
+            } => serde_json::json!({
                "type": "streamable_http",
                "url": url,
-                "bearer_token": bearer_token,
+                "bearer_token_env_var": bearer_token_env_var,
+                "http_headers": http_headers,
+                "env_http_headers": env_http_headers,
            }),
        };
        let output = serde_json::to_string_pretty(&serde_json::json!({
            "name": get_args.name,
+            "enabled": server.enabled,
            "transport": transport,
            "startup_timeout_sec": server
                .startup_timeout_sec
@@ -468,8 +688,15 @@ async fn run_get(config_overrides: &CliConfigOverrides, get_args: GetArgs) -> Re
    }

    println!("{}", get_args.name);
+    println!("  enabled: {}", server.enabled);
    match &server.transport {
-        McpServerTransportConfig::Stdio { command, args, env } => {
+        McpServerTransportConfig::Stdio {
+            command,
+            args,
+            env,
+            env_vars,
+            cwd,
+        } => {
            println!("  transport: stdio");
            println!("  command: {command}");
            let args_display = if args.is_empty() {
@@ -478,10 +705,27 @@ async fn run_get(config_overrides: &CliConfigOverrides, get_args: GetArgs) -> Re
                args.join(" ")
            };
            println!("  args: {args_display}");
-            let env_display = match env.as_ref() {
-                None => "-".to_string(),
-                Some(map) if map.is_empty() => "-".to_string(),
-                Some(map) => {
+            let cwd_display = cwd
+                .as_ref()
+                .map(|path| path.display().to_string())
+                .filter(|value| !value.is_empty())
+                .unwrap_or_else(|| "-".to_string());
+            println!("  cwd: {cwd_display}");
+            let env_display = format_env_display(env.as_ref(), env_vars);
+            println!("  env: {env_display}");
+        }
+        McpServerTransportConfig::StreamableHttp {
+            url,
+            bearer_token_env_var,
+            http_headers,
+            env_http_headers,
+        } => {
+            println!("  transport: streamable_http");
+            println!("  url: {url}");
+            let env_var = bearer_token_env_var.as_deref().unwrap_or("-");
+            println!("  bearer_token_env_var: {env_var}");
+            let headers_display = match http_headers {
+                Some(map) if !map.is_empty() => {
                    let mut pairs: Vec<_> = map.iter().collect();
                    pairs.sort_by(|(a, _), (b, _)| a.cmp(b));
                    pairs
@@ -490,14 +734,22 @@ async fn run_get(config_overrides: &CliConfigOverrides, get_args: GetArgs) -> Re
                        .collect::<Vec<_>>()
                        .join(", ")
                }
+                _ => "-".to_string(),
            };
-            println!("  env: {env_display}");
-        }
-        McpServerTransportConfig::StreamableHttp { url, bearer_token } => {
-            println!("  transport: streamable_http");
-            println!("  url: {url}");
-            let bearer = bearer_token.as_deref().unwrap_or("-");
-            println!("  bearer_token: {bearer}");
+            println!("  http_headers: {headers_display}");
+            let env_headers_display = match env_http_headers {
+                Some(map) if !map.is_empty() => {
+                    let mut pairs: Vec<_> = map.iter().collect();
+                    pairs.sort_by(|(a, _), (b, _)| a.cmp(b));
+                    pairs
+                        .into_iter()
+                        .map(|(k, v)| format!("{k}={v}"))
+                        .collect::<Vec<_>>()
+                        .join(", ")
+                }
+                _ => "-".to_string(),
+            };
+            println!("  env_http_headers: {env_headers_display}");
        }
    }
    if let Some(timeout) = server.startup_timeout_sec {
--- a/codex-rs/cli/tests/mcp_add_remove.rs
+++ b/codex-rs/cli/tests/mcp_add_remove.rs
@@ -28,13 +28,22 @@ async fn add_and_remove_server_updates_global_config() -> Result<()> {
    assert_eq!(servers.len(), 1);
    let docs = servers.get("docs").expect("server should exist");
    match &docs.transport {
-        McpServerTransportConfig::Stdio { command, args, env } => {
+        McpServerTransportConfig::Stdio {
+            command,
+            args,
+            env,
+            env_vars,
+            cwd,
+        } => {
            assert_eq!(command, "echo");
            assert_eq!(args, &vec!["hello".to_string()]);
            assert!(env.is_none());
+            assert!(env_vars.is_empty());
+            assert!(cwd.is_none());
        }
        other => panic!("unexpected transport: {other:?}"),
    }
+    assert!(docs.enabled);

    let mut remove_cmd = codex_command(codex_home.path())?;
    remove_cmd
@@ -90,6 +99,130 @@ async fn add_with_env_preserves_key_order_and_values() -> Result<()> {
    assert_eq!(env.len(), 2);
    assert_eq!(env.get("FOO"), Some(&"bar".to_string()));
    assert_eq!(env.get("ALPHA"), Some(&"beta".to_string()));
+    assert!(envy.enabled);
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn add_streamable_http_without_manual_token() -> Result<()> {
+    let codex_home = TempDir::new()?;
+
+    let mut add_cmd = codex_command(codex_home.path())?;
+    add_cmd
+        .args(["mcp", "add", "github", "--url", "https://example.com/mcp"])
+        .assert()
+        .success();
+
+    let servers = load_global_mcp_servers(codex_home.path()).await?;
+    let github = servers.get("github").expect("github server should exist");
+    match &github.transport {
+        McpServerTransportConfig::StreamableHttp {
+            url,
+            bearer_token_env_var,
+            http_headers,
+            env_http_headers,
+        } => {
+            assert_eq!(url, "https://example.com/mcp");
+            assert!(bearer_token_env_var.is_none());
+            assert!(http_headers.is_none());
+            assert!(env_http_headers.is_none());
+        }
+        other => panic!("unexpected transport: {other:?}"),
+    }
+    assert!(github.enabled);
+
+    assert!(!codex_home.path().join(".credentials.json").exists());
+    assert!(!codex_home.path().join(".env").exists());
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn add_streamable_http_with_custom_env_var() -> Result<()> {
+    let codex_home = TempDir::new()?;
+
+    let mut add_cmd = codex_command(codex_home.path())?;
+    add_cmd
+        .args([
+            "mcp",
+            "add",
+            "issues",
+            "--url",
+            "https://example.com/issues",
+            "--bearer-token-env-var",
+            "GITHUB_TOKEN",
+        ])
+        .assert()
+        .success();
+
+    let servers = load_global_mcp_servers(codex_home.path()).await?;
+    let issues = servers.get("issues").expect("issues server should exist");
+    match &issues.transport {
+        McpServerTransportConfig::StreamableHttp {
+            url,
+            bearer_token_env_var,
+            http_headers,
+            env_http_headers,
+        } => {
+            assert_eq!(url, "https://example.com/issues");
+            assert_eq!(bearer_token_env_var.as_deref(), Some("GITHUB_TOKEN"));
+            assert!(http_headers.is_none());
+            assert!(env_http_headers.is_none());
+        }
+        other => panic!("unexpected transport: {other:?}"),
+    }
+    assert!(issues.enabled);
+    Ok(())
+}
+
+#[tokio::test]
+async fn add_streamable_http_rejects_removed_flag() -> Result<()> {
+    let codex_home = TempDir::new()?;
+
+    let mut add_cmd = codex_command(codex_home.path())?;
+    add_cmd
+        .args([
+            "mcp",
+            "add",
+            "github",
+            "--url",
+            "https://example.com/mcp",
+            "--with-bearer-token",
+        ])
+        .assert()
+        .failure()
+        .stderr(contains("--with-bearer-token"));
+
+    let servers = load_global_mcp_servers(codex_home.path()).await?;
+    assert!(servers.is_empty());
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn add_cant_add_command_and_url() -> Result<()> {
+    let codex_home = TempDir::new()?;
+
+    let mut add_cmd = codex_command(codex_home.path())?;
+    add_cmd
+        .args([
+            "mcp",
+            "add",
+            "github",
+            "--url",
+            "https://example.com/mcp",
+            "--command",
+            "--",
+            "echo",
+            "hello",
+        ])
+        .assert()
+        .failure()
+        .stderr(contains("unexpected argument '--command' found"));
+
+    let servers = load_global_mcp_servers(codex_home.path()).await?;
+    assert!(servers.is_empty());

    Ok(())
 }
--- a/codex-rs/cli/tests/mcp_list.rs
+++ b/codex-rs/cli/tests/mcp_list.rs
@@ -1,6 +1,10 @@
 use std::path::Path;

 use anyhow::Result;
+use codex_core::config::load_global_mcp_servers;
+use codex_core::config::write_global_mcp_servers;
+use codex_core::config_types::McpServerTransportConfig;
+use predicates::prelude::PredicateBooleanExt;
 use predicates::str::contains;
 use pretty_assertions::assert_eq;
 use serde_json::Value as JsonValue;
@@ -26,8 +30,8 @@ fn list_shows_empty_state() -> Result<()> {
    Ok(())
 }

-#[test]
-fn list_and_get_render_expected_output() -> Result<()> {
+#[tokio::test]
+async fn list_and_get_render_expected_output() -> Result<()> {
    let codex_home = TempDir::new()?;

    let mut add = codex_command(codex_home.path())?;
@@ -45,6 +49,18 @@ fn list_and_get_render_expected_output() -> Result<()> {
    .assert()
    .success();

+    let mut servers = load_global_mcp_servers(codex_home.path()).await?;
+    let docs_entry = servers
+        .get_mut("docs")
+        .expect("docs server should exist after add");
+    match &mut docs_entry.transport {
+        McpServerTransportConfig::Stdio { env_vars, .. } => {
+            *env_vars = vec!["APP_TOKEN".to_string(), "WORKSPACE_ID".to_string()];
+        }
+        other => panic!("unexpected transport: {other:?}"),
+    }
+    write_global_mcp_servers(codex_home.path(), &servers)?;
+
    let mut list_cmd = codex_command(codex_home.path())?;
    let list_output = list_cmd.args(["mcp", "list"]).output()?;
    assert!(list_output.status.success());
@@ -53,6 +69,12 @@ fn list_and_get_render_expected_output() -> Result<()> {
    assert!(stdout.contains("docs"));
    assert!(stdout.contains("docs-server"));
    assert!(stdout.contains("TOKEN=secret"));
+    assert!(stdout.contains("APP_TOKEN=$APP_TOKEN"));
+    assert!(stdout.contains("WORKSPACE_ID=$WORKSPACE_ID"));
+    assert!(stdout.contains("Status"));
+    assert!(stdout.contains("Auth"));
+    assert!(stdout.contains("enabled"));
+    assert!(stdout.contains("Unsupported"));

    let mut list_json_cmd = codex_command(codex_home.path())?;
    let json_output = list_json_cmd.args(["mcp", "list", "--json"]).output()?;
@@ -64,6 +86,7 @@ fn list_and_get_render_expected_output() -> Result<()> {
        json!([
          {
            "name": "docs",
+            "enabled": true,
            "transport": {
              "type": "stdio",
              "command": "docs-server",
@@ -73,10 +96,16 @@ fn list_and_get_render_expected_output() -> Result<()> {
              ],
              "env": {
                "TOKEN": "secret"
-              }
+              },
+              "env_vars": [
+                "APP_TOKEN",
+                "WORKSPACE_ID"
+              ],
+              "cwd": null
            },
            "startup_timeout_sec": null,
-            "tool_timeout_sec": null
+            "tool_timeout_sec": null,
+            "auth_status": "unsupported"
          }
        ]
        )
@@ -91,6 +120,9 @@ fn list_and_get_render_expected_output() -> Result<()> {
    assert!(stdout.contains("command: docs-server"));
    assert!(stdout.contains("args: --port 4000"));
    assert!(stdout.contains("env: TOKEN=secret"));
+    assert!(stdout.contains("APP_TOKEN=$APP_TOKEN"));
+    assert!(stdout.contains("WORKSPACE_ID=$WORKSPACE_ID"));
+    assert!(stdout.contains("enabled: true"));
    assert!(stdout.contains("remove: codex mcp remove docs"));

    let mut get_json_cmd = codex_command(codex_home.path())?;
@@ -98,7 +130,7 @@ fn list_and_get_render_expected_output() -> Result<()> {
        .args(["mcp", "get", "docs", "--json"])
        .assert()
        .success()
-        .stdout(contains("\"name\": \"docs\""));
+        .stdout(contains("\"name\": \"docs\"").and(contains("\"enabled\": true")));

    Ok(())
 }
--- a/codex-rs/clippy.toml
+++ b/codex-rs/clippy.toml
@@ -7,3 +7,7 @@ disallowed-methods = [
    { path = "ratatui::style::Stylize::black", reason = "Avoid hardcoding black; prefer default fg or dim/bold. Exception: Disable this rule if rendering over a hardcoded ANSI background." },
    { path = "ratatui::style::Stylize::yellow", reason = "Avoid yellow; prefer other colors in `tui/styles.md`." },
 ]
+
+# Increase the size threshold for result_large_err to accommodate
+# richer error variants.
+large-error-threshold = 256
--- a/codex-rs/cloud-tasks/src/cli.rs
+++ b/codex-rs/cloud-tasks/src/cli.rs
@@ -1,3 +1,4 @@
+use clap::Args;
 use clap::Parser;
 use codex_common::CliConfigOverrides;

@@ -6,4 +7,43 @@ use codex_common::CliConfigOverrides;
 pub struct Cli {
    #[clap(skip)]
    pub config_overrides: CliConfigOverrides,
+
+    #[command(subcommand)]
+    pub command: Option<Command>,
+}
+
+#[derive(Debug, clap::Subcommand)]
+pub enum Command {
+    /// Submit a new Codex Cloud task without launching the TUI.
+    Exec(ExecCommand),
+}
+
+#[derive(Debug, Args)]
+pub struct ExecCommand {
+    /// Task prompt to run in Codex Cloud.
+    #[arg(value_name = "QUERY")]
+    pub query: Option<String>,
+
+    /// Target environment identifier (see `codex cloud` to browse).
+    #[arg(long = "env", value_name = "ENV_ID")]
+    pub environment: String,
+
+    /// Number of assistant attempts (best-of-N).
+    #[arg(
+        long = "attempts",
+        default_value_t = 1usize,
+        value_parser = parse_attempts
+    )]
+    pub attempts: usize,
+}
+
+fn parse_attempts(input: &str) -> Result<usize, String> {
+    let value: usize = input
+        .parse()
+        .map_err(|_| "attempts must be an integer between 1 and 4".to_string())?;
+    if (1..=4).contains(&value) {
+        Ok(value)
+    } else {
+        Err("attempts must be between 1 and 4".to_string())
+    }
 }
--- a/codex-rs/cloud-tasks/src/lib.rs
+++ b/codex-rs/cloud-tasks/src/lib.rs
@@ -7,7 +7,9 @@ mod ui;
 pub mod util;
 pub use cli::Cli;

+use anyhow::anyhow;
 use std::io::IsTerminal;
+use std::io::Read;
 use std::path::PathBuf;
 use std::sync::Arc;
 use std::time::Duration;
@@ -23,6 +25,175 @@ struct ApplyJob {
    diff_override: Option<String>,
 }

+struct BackendContext {
+    backend: Arc<dyn codex_cloud_tasks_client::CloudBackend>,
+    base_url: String,
+}
+
+async fn init_backend(user_agent_suffix: &str) -> anyhow::Result<BackendContext> {
+    let use_mock = matches!(
+        std::env::var("CODEX_CLOUD_TASKS_MODE").ok().as_deref(),
+        Some("mock") | Some("MOCK")
+    );
+    let base_url = std::env::var("CODEX_CLOUD_TASKS_BASE_URL")
+        .unwrap_or_else(|_| "https://chatgpt.com/backend-api".to_string());
+
+    set_user_agent_suffix(user_agent_suffix);
+
+    if use_mock {
+        return Ok(BackendContext {
+            backend: Arc::new(codex_cloud_tasks_client::MockClient),
+            base_url,
+        });
+    }
+
+    let ua = codex_core::default_client::get_codex_user_agent();
+    let mut http = codex_cloud_tasks_client::HttpClient::new(base_url.clone())?.with_user_agent(ua);
+    let style = if base_url.contains("/backend-api") {
+        "wham"
+    } else {
+        "codex-api"
+    };
+    append_error_log(format!("startup: base_url={base_url} path_style={style}"));
+
+    let auth = match codex_core::config::find_codex_home()
+        .ok()
+        .map(|home| codex_login::AuthManager::new(home, false))
+        .and_then(|am| am.auth())
+    {
+        Some(auth) => auth,
+        None => {
+            eprintln!(
+                "Not signed in. Please run 'codex login' to sign in with ChatGPT, then re-run 'codex cloud'."
+            );
+            std::process::exit(1);
+        }
+    };
+
+    if let Some(acc) = auth.get_account_id() {
+        append_error_log(format!("auth: mode=ChatGPT account_id={acc}"));
+    }
+
+    let token = match auth.get_token().await {
+        Ok(t) if !t.is_empty() => t,
+        _ => {
+            eprintln!(
+                "Not signed in. Please run 'codex login' to sign in with ChatGPT, then re-run 'codex cloud'."
+            );
+            std::process::exit(1);
+        }
+    };
+
+    http = http.with_bearer_token(token.clone());
+    if let Some(acc) = auth
+        .get_account_id()
+        .or_else(|| util::extract_chatgpt_account_id(&token))
+    {
+        append_error_log(format!("auth: set ChatGPT-Account-Id header: {acc}"));
+        http = http.with_chatgpt_account_id(acc);
+    }
+
+    Ok(BackendContext {
+        backend: Arc::new(http),
+        base_url,
+    })
+}
+
+async fn run_exec_command(args: crate::cli::ExecCommand) -> anyhow::Result<()> {
+    let crate::cli::ExecCommand {
+        query,
+        environment,
+        attempts,
+    } = args;
+    let ctx = init_backend("codex_cloud_tasks_exec").await?;
+    let prompt = resolve_query_input(query)?;
+    let env_id = resolve_environment_id(&ctx, &environment).await?;
+    let created = codex_cloud_tasks_client::CloudBackend::create_task(
+        &*ctx.backend,
+        &env_id,
+        &prompt,
+        "main",
+        false,
+        attempts,
+    )
+    .await?;
+    let url = util::task_url(&ctx.base_url, &created.id.0);
+    println!("{url}");
+    Ok(())
+}
+
+async fn resolve_environment_id(ctx: &BackendContext, requested: &str) -> anyhow::Result<String> {
+    let trimmed = requested.trim();
+    if trimmed.is_empty() {
+        return Err(anyhow!("environment id must not be empty"));
+    }
+    let normalized = util::normalize_base_url(&ctx.base_url);
+    let headers = util::build_chatgpt_headers().await;
+    let environments = crate::env_detect::list_environments(&normalized, &headers).await?;
+    if environments.is_empty() {
+        return Err(anyhow!(
+            "no cloud environments are available for this workspace"
+        ));
+    }
+
+    if let Some(row) = environments.iter().find(|row| row.id == trimmed) {
+        return Ok(row.id.clone());
+    }
+
+    let label_matches = environments
+        .iter()
+        .filter(|row| {
+            row.label
+                .as_deref()
+                .map(|label| label.eq_ignore_ascii_case(trimmed))
+                .unwrap_or(false)
+        })
+        .collect::<Vec<_>>();
+    match label_matches.as_slice() {
+        [] => Err(anyhow!(
+            "environment '{trimmed}' not found; run `codex cloud` to list available environments"
+        )),
+        [single] => Ok(single.id.clone()),
+        [first, rest @ ..] => {
+            let first_id = &first.id;
+            if rest.iter().all(|row| row.id == *first_id) {
+                Ok(first_id.clone())
+            } else {
+                Err(anyhow!(
+                    "environment label '{trimmed}' is ambiguous; run `codex cloud` to pick the desired environment id"
+                ))
+            }
+        }
+    }
+}
+
+fn resolve_query_input(query_arg: Option<String>) -> anyhow::Result<String> {
+    match query_arg {
+        Some(q) if q != "-" => Ok(q),
+        maybe_dash => {
+            let force_stdin = matches!(maybe_dash.as_deref(), Some("-"));
+            if std::io::stdin().is_terminal() && !force_stdin {
+                return Err(anyhow!(
+                    "no query provided. Pass one as an argument or pipe it via stdin."
+                ));
+            }
+            if !force_stdin {
+                eprintln!("Reading query from stdin...");
+            }
+            let mut buffer = String::new();
+            std::io::stdin()
+                .read_to_string(&mut buffer)
+                .map_err(|e| anyhow!("failed to read query from stdin: {e}"))?;
+            if buffer.trim().is_empty() {
+                return Err(anyhow!(
+                    "no query provided via stdin (received empty input)."
+                ));
+            }
+            Ok(buffer)
+        }
+    }
+}
+
 fn level_from_status(status: codex_cloud_tasks_client::ApplyStatus) -> app::ApplyResultLevel {
    match status {
        codex_cloud_tasks_client::ApplyStatus::Success => app::ApplyResultLevel::Success,
@@ -148,7 +319,14 @@ fn spawn_apply(
 // (no standalone patch summarizer needed – UI displays raw diffs)

 /// Entry point for the `codex cloud` subcommand.
-pub async fn run_main(_cli: Cli, _codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()> {
+pub async fn run_main(cli: Cli, _codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()> {
+    if let Some(command) = cli.command {
+        return match command {
+            crate::cli::Command::Exec(args) => run_exec_command(args).await,
+        };
+    }
+    let Cli { .. } = cli;
+
    // Very minimal logging setup; mirrors other crates' pattern.
    let default_level = "error";
    let _ = tracing_subscriber::fmt()
@@ -162,72 +340,8 @@ pub async fn run_main(_cli: Cli, _codex_linux_sandbox_exe: Option<PathBuf>) -> a
        .try_init();

    info!("Launching Cloud Tasks list UI");
-    set_user_agent_suffix("codex_cloud_tasks_tui");
-
-    // Default to online unless explicitly configured to use mock.
-    let use_mock = matches!(
-        std::env::var("CODEX_CLOUD_TASKS_MODE").ok().as_deref(),
-        Some("mock") | Some("MOCK")
-    );
-
-    let backend: Arc<dyn codex_cloud_tasks_client::CloudBackend> = if use_mock {
-        Arc::new(codex_cloud_tasks_client::MockClient)
-    } else {
-        // Build an HTTP client against the configured (or default) base URL.
-        let base_url = std::env::var("CODEX_CLOUD_TASKS_BASE_URL")
-            .unwrap_or_else(|_| "https://chatgpt.com/backend-api".to_string());
-        let ua = codex_core::default_client::get_codex_user_agent();
-        let mut http =
-            codex_cloud_tasks_client::HttpClient::new(base_url.clone())?.with_user_agent(ua);
-        // Log which base URL and path style we're going to use.
-        let style = if base_url.contains("/backend-api") {
-            "wham"
-        } else {
-            "codex-api"
-        };
-        append_error_log(format!("startup: base_url={base_url} path_style={style}"));
-
-        // Require ChatGPT login (SWIC). Exit with a clear message if missing.
-        let _token = match codex_core::config::find_codex_home()
-            .ok()
-            .map(|home| codex_login::AuthManager::new(home, false))
-            .and_then(|am| am.auth())
-        {
-            Some(auth) => {
-                // Log account context for debugging workspace selection.
-                if let Some(acc) = auth.get_account_id() {
-                    append_error_log(format!("auth: mode=ChatGPT account_id={acc}"));
-                }
-                match auth.get_token().await {
-                    Ok(t) if !t.is_empty() => {
-                        // Attach token and ChatGPT-Account-Id header if available
-                        http = http.with_bearer_token(t.clone());
-                        if let Some(acc) = auth
-                            .get_account_id()
-                            .or_else(|| util::extract_chatgpt_account_id(&t))
-                        {
-                            append_error_log(format!("auth: set ChatGPT-Account-Id header: {acc}"));
-                            http = http.with_chatgpt_account_id(acc);
-                        }
-                        t
-                    }
-                    _ => {
-                        eprintln!(
-                            "Not signed in. Please run 'codex login' to sign in with ChatGPT, then re-run 'codex cloud'."
-                        );
-                        std::process::exit(1);
-                    }
-                }
-            }
-            None => {
-                eprintln!(
-                    "Not signed in. Please run 'codex login' to sign in with ChatGPT, then re-run 'codex cloud'."
-                );
-                std::process::exit(1);
-            }
-        };
-        Arc::new(http)
-    };
+    let BackendContext { backend, .. } = init_backend("codex_cloud_tasks_tui").await?;
+    let backend = backend;

    // Terminal setup
    use crossterm::ExecutableCommand;
--- a/codex-rs/cloud-tasks/src/util.rs
+++ b/codex-rs/cloud-tasks/src/util.rs
@@ -91,3 +91,18 @@ pub async fn build_chatgpt_headers() -> HeaderMap {
    }
    headers
 }
+
+/// Construct a browser-friendly task URL for the given backend base URL.
+pub fn task_url(base_url: &str, task_id: &str) -> String {
+    let normalized = normalize_base_url(base_url);
+    if let Some(root) = normalized.strip_suffix("/backend-api") {
+        return format!("{root}/codex/tasks/{task_id}");
+    }
+    if let Some(root) = normalized.strip_suffix("/api/codex") {
+        return format!("{root}/codex/tasks/{task_id}");
+    }
+    if normalized.ends_with("/codex") {
+        return format!("{normalized}/tasks/{task_id}");
+    }
+    format!("{normalized}/codex/tasks/{task_id}")
+}
--- a/codex-rs/common/src/format_env_display.rs
+++ b/codex-rs/common/src/format_env_display.rs
@@ -0,0 +1,66 @@
+use std::collections::HashMap;
+
+pub fn format_env_display(env: Option<&HashMap<String, String>>, env_vars: &[String]) -> String {
+    let mut parts: Vec<String> = Vec::new();
+
+    if let Some(map) = env {
+        let mut pairs: Vec<_> = map.iter().collect();
+        pairs.sort_by(|(a, _), (b, _)| a.cmp(b));
+        parts.extend(
+            pairs
+                .into_iter()
+                .map(|(key, value)| format!("{key}={value}")),
+        );
+    }
+
+    if !env_vars.is_empty() {
+        parts.extend(env_vars.iter().map(|var| format!("{var}=${var}")));
+    }
+
+    if parts.is_empty() {
+        "-".to_string()
+    } else {
+        parts.join(", ")
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn returns_dash_when_empty() {
+        assert_eq!(format_env_display(None, &[]), "-");
+
+        let empty_map = HashMap::new();
+        assert_eq!(format_env_display(Some(&empty_map), &[]), "-");
+    }
+
+    #[test]
+    fn formats_sorted_env_pairs() {
+        let mut env = HashMap::new();
+        env.insert("B".to_string(), "two".to_string());
+        env.insert("A".to_string(), "one".to_string());
+
+        assert_eq!(format_env_display(Some(&env), &[]), "A=one, B=two");
+    }
+
+    #[test]
+    fn formats_env_vars_with_dollar_prefix() {
+        let vars = vec!["TOKEN".to_string(), "PATH".to_string()];
+
+        assert_eq!(format_env_display(None, &vars), "TOKEN=$TOKEN, PATH=$PATH");
+    }
+
+    #[test]
+    fn combines_env_pairs_and_vars() {
+        let mut env = HashMap::new();
+        env.insert("HOME".to_string(), "/tmp".to_string());
+        let vars = vec!["TOKEN".to_string()];
+
+        assert_eq!(
+            format_env_display(Some(&env), &vars),
+            "HOME=/tmp, TOKEN=$TOKEN"
+        );
+    }
+}
--- a/codex-rs/common/src/lib.rs
+++ b/codex-rs/common/src/lib.rs
@@ -13,6 +13,9 @@ mod sandbox_mode_cli_arg;
 #[cfg(feature = "cli")]
 pub use sandbox_mode_cli_arg::SandboxModeCliArg;

+#[cfg(feature = "cli")]
+pub mod format_env_display;
+
 #[cfg(any(feature = "cli", test))]
 mod config_override;

--- a/codex-rs/config.md
+++ b/codex-rs/config.md
@@ -3,4 +3,4 @@
 This file has moved. Please see the latest configuration documentation here:

 - Full config docs: [docs/config.md](../docs/config.md)
- MCP servers section: [docs/config.md#mcp_servers](../docs/config.md#mcp_servers) 
+- MCP servers section: [docs/config.md#connecting-to-mcp-servers](../docs/config.md#connecting-to-mcp-servers)
--- a/codex-rs/core/Cargo.toml
+++ b/codex-rs/core/Cargo.toml
@@ -26,7 +26,9 @@ codex-mcp-client = { workspace = true }
 codex-otel = { workspace = true, features = ["otel"] }
 codex-protocol = { workspace = true }
 codex-rmcp-client = { workspace = true }
+codex-async-utils = { workspace = true }
 codex-utils-string = { workspace = true }
+codex-utils-pty = { workspace = true }
 dirs = { workspace = true }
 dunce = { workspace = true }
 env-flags = { workspace = true }
@@ -36,7 +38,6 @@ indexmap = { workspace = true }
 libc = { workspace = true }
 mcp-types = { workspace = true }
 os_info = { workspace = true }
-portable-pty = { workspace = true }
 rand = { workspace = true }
 regex-lite = { workspace = true }
 reqwest = { workspace = true, features = ["json", "stream"] }
@@ -47,6 +48,7 @@ shlex = { workspace = true }
 similar = { workspace = true }
 strum_macros = { workspace = true }
 tempfile = { workspace = true }
+test-log = { workspace = true }
 thiserror = { workspace = true }
 time = { workspace = true, features = [
    "formatting",
--- a/codex-rs/core/README.md
+++ b/codex-rs/core/README.md
@@ -4,7 +4,7 @@ This crate implements the business logic for Codex. It is designed to be used by

 ## Dependencies

-Note that `codex-core` makes some assumptions about certain helper utilities being available in the environment. Currently, this
+Note that `codex-core` makes some assumptions about certain helper utilities being available in the environment. Currently, this support matrix is:

 ### macOS

--- a/codex-rs/core/src/auth.rs
+++ b/codex-rs/core/src/auth.rs
@@ -2,6 +2,8 @@ use chrono::DateTime;
 use chrono::Utc;
 use serde::Deserialize;
 use serde::Serialize;
+#[cfg(test)]
+use serial_test::serial;
 use std::env;
 use std::fs::File;
 use std::fs::OpenOptions;
@@ -16,7 +18,9 @@ use std::sync::Mutex;
 use std::time::Duration;

 use codex_app_server_protocol::AuthMode;
+use codex_protocol::config_types::ForcedLoginMethod;

+use crate::config::Config;
 use crate::token_data::PlanType;
 use crate::token_data::TokenData;
 use crate::token_data::parse_id_token;
@@ -135,6 +139,10 @@ impl CodexAuth {
        self.get_current_token_data().and_then(|t| t.account_id)
    }

+    pub fn get_account_email(&self) -> Option<String> {
+        self.get_current_token_data().and_then(|t| t.id_token.email)
+    }
+
    pub(crate) fn get_plan_type(&self) -> Option<PlanType> {
        self.get_current_token_data()
            .and_then(|t| t.id_token.chatgpt_plan_type)
@@ -229,6 +237,74 @@ pub fn login_with_api_key(codex_home: &Path, api_key: &str) -> std::io::Result<(
    write_auth_json(&get_auth_file(codex_home), &auth_dot_json)
 }

+pub async fn enforce_login_restrictions(config: &Config) -> std::io::Result<()> {
+    let Some(auth) = load_auth(&config.codex_home, true)? else {
+        return Ok(());
+    };
+
+    if let Some(required_method) = config.forced_login_method {
+        let method_violation = match (required_method, auth.mode) {
+            (ForcedLoginMethod::Api, AuthMode::ApiKey) => None,
+            (ForcedLoginMethod::Chatgpt, AuthMode::ChatGPT) => None,
+            (ForcedLoginMethod::Api, AuthMode::ChatGPT) => Some(
+                "API key login is required, but ChatGPT is currently being used. Logging out."
+                    .to_string(),
+            ),
+            (ForcedLoginMethod::Chatgpt, AuthMode::ApiKey) => Some(
+                "ChatGPT login is required, but an API key is currently being used. Logging out."
+                    .to_string(),
+            ),
+        };
+
+        if let Some(message) = method_violation {
+            return logout_with_message(&config.codex_home, message);
+        }
+    }
+
+    if let Some(expected_account_id) = config.forced_chatgpt_workspace_id.as_deref() {
+        if auth.mode != AuthMode::ChatGPT {
+            return Ok(());
+        }
+
+        let token_data = match auth.get_token_data().await {
+            Ok(data) => data,
+            Err(err) => {
+                return logout_with_message(
+                    &config.codex_home,
+                    format!(
+                        "Failed to load ChatGPT credentials while enforcing workspace restrictions: {err}. Logging out."
+                    ),
+                );
+            }
+        };
+
+        // workspace is the external identifier for account id.
+        let chatgpt_account_id = token_data.id_token.chatgpt_account_id.as_deref();
+        if chatgpt_account_id != Some(expected_account_id) {
+            let message = match chatgpt_account_id {
+                Some(actual) => format!(
+                    "Login is restricted to workspace {expected_account_id}, but current credentials belong to {actual}. Logging out."
+                ),
+                None => format!(
+                    "Login is restricted to workspace {expected_account_id}, but current credentials lack a workspace identifier. Logging out."
+                ),
+            };
+            return logout_with_message(&config.codex_home, message);
+        }
+    }
+
+    Ok(())
+}
+
+fn logout_with_message(codex_home: &Path, message: String) -> std::io::Result<()> {
+    match logout(codex_home) {
+        Ok(_) => Err(std::io::Error::other(message)),
+        Err(err) => Err(std::io::Error::other(format!(
+            "{message}. Failed to remove auth.json: {err}"
+        ))),
+    }
+}
+
 fn load_auth(
    codex_home: &Path,
    enable_codex_api_key_env: bool,
@@ -245,9 +321,8 @@ fn load_auth(
    let client = crate::default_client::create_client();
    let auth_dot_json = match try_read_auth_json(&auth_file) {
        Ok(auth) => auth,
-        Err(e) => {
-            return Err(e);
-        }
+        Err(err) if err.kind() == std::io::ErrorKind::NotFound => return Ok(None),
+        Err(err) => return Err(err),
    };

    let AuthDotJson {
@@ -399,17 +474,19 @@ struct CachedAuth {
 #[cfg(test)]
 mod tests {
    use super::*;
+    use crate::config::Config;
+    use crate::config::ConfigOverrides;
+    use crate::config::ConfigToml;
    use crate::token_data::IdTokenInfo;
    use crate::token_data::KnownPlan;
    use crate::token_data::PlanType;
    use base64::Engine;
+    use codex_protocol::config_types::ForcedLoginMethod;
    use pretty_assertions::assert_eq;
    use serde::Serialize;
    use serde_json::json;
    use tempfile::tempdir;

-    const LAST_REFRESH: &str = "2025-08-06T20:41:36.232376Z";
-
    #[tokio::test]
    async fn roundtrip_auth_dot_json() {
        let codex_home = tempdir().unwrap();
@@ -417,6 +494,7 @@ mod tests {
            AuthFileParams {
                openai_api_key: None,
                chatgpt_plan_type: "pro".to_string(),
+                chatgpt_account_id: None,
            },
            codex_home.path(),
        )
@@ -456,6 +534,13 @@ mod tests {
        assert!(auth.tokens.is_none(), "tokens should be cleared");
    }

+    #[test]
+    fn missing_auth_json_returns_none() {
+        let dir = tempdir().unwrap();
+        let auth = CodexAuth::from_codex_home(dir.path()).expect("call should succeed");
+        assert_eq!(auth, None);
+    }
+
    #[tokio::test]
    async fn pro_account_with_no_api_key_uses_chatgpt_auth() {
        let codex_home = tempdir().unwrap();
@@ -463,6 +548,7 @@ mod tests {
            AuthFileParams {
                openai_api_key: None,
                chatgpt_plan_type: "pro".to_string(),
+                chatgpt_account_id: None,
            },
            codex_home.path(),
        )
@@ -480,6 +566,10 @@ mod tests {

        let guard = auth_dot_json.lock().unwrap();
        let auth_dot_json = guard.as_ref().expect("AuthDotJson should exist");
+        let last_refresh = auth_dot_json
+            .last_refresh
+            .expect("last_refresh should be recorded");
+
        assert_eq!(
            &AuthDotJson {
                openai_api_key: None,
@@ -487,20 +577,17 @@ mod tests {
                    id_token: IdTokenInfo {
                        email: Some("user@example.com".to_string()),
                        chatgpt_plan_type: Some(PlanType::Known(KnownPlan::Pro)),
+                        chatgpt_account_id: None,
                        raw_jwt: fake_jwt,
                    },
                    access_token: "test-access-token".to_string(),
                    refresh_token: "test-refresh-token".to_string(),
                    account_id: None,
                }),
-                last_refresh: Some(
-                    DateTime::parse_from_rfc3339(LAST_REFRESH)
-                        .unwrap()
-                        .with_timezone(&Utc)
-                ),
+                last_refresh: Some(last_refresh),
            },
            auth_dot_json
-        )
+        );
    }

    #[tokio::test]
@@ -539,6 +626,7 @@ mod tests {
    struct AuthFileParams {
        openai_api_key: Option<String>,
        chatgpt_plan_type: String,
+        chatgpt_account_id: Option<String>,
    }

    fn write_auth_file(params: AuthFileParams, codex_home: &Path) -> std::io::Result<String> {
@@ -553,15 +641,21 @@ mod tests {
            alg: "none",
            typ: "JWT",
        };
+        let mut auth_payload = serde_json::json!({
+            "chatgpt_plan_type": params.chatgpt_plan_type,
+            "chatgpt_user_id": "user-12345",
+            "user_id": "user-12345",
+        });
+
+        if let Some(chatgpt_account_id) = params.chatgpt_account_id {
+            let org_value = serde_json::Value::String(chatgpt_account_id);
+            auth_payload["chatgpt_account_id"] = org_value;
+        }
+
        let payload = serde_json::json!({
            "email": "user@example.com",
            "email_verified": true,
-            "https://api.openai.com/auth": {
-                "chatgpt_account_id": "bc3618e3-489d-4d49-9362-1561dc53ba53",
-                "chatgpt_plan_type": params.chatgpt_plan_type,
-                "chatgpt_user_id": "user-12345",
-                "user_id": "user-12345",
-            }
+            "https://api.openai.com/auth": auth_payload,
        });
        let b64 = |b: &[u8]| base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(b);
        let header_b64 = b64(&serde_json::to_vec(&header)?);
@@ -576,12 +670,159 @@ mod tests {
                "access_token": "test-access-token",
                "refresh_token": "test-refresh-token"
            },
-            "last_refresh": LAST_REFRESH,
+            "last_refresh": Utc::now(),
        });
        let auth_json = serde_json::to_string_pretty(&auth_json_data)?;
        std::fs::write(auth_file, auth_json)?;
        Ok(fake_jwt)
    }
+
+    fn build_config(
+        codex_home: &Path,
+        forced_login_method: Option<ForcedLoginMethod>,
+        forced_chatgpt_workspace_id: Option<String>,
+    ) -> Config {
+        let mut config = Config::load_from_base_config_with_overrides(
+            ConfigToml::default(),
+            ConfigOverrides::default(),
+            codex_home.to_path_buf(),
+        )
+        .expect("config should load");
+        config.forced_login_method = forced_login_method;
+        config.forced_chatgpt_workspace_id = forced_chatgpt_workspace_id;
+        config
+    }
+
+    /// Use sparingly.
+    /// TODO (gpeal): replace this with an injectable env var provider.
+    #[cfg(test)]
+    struct EnvVarGuard {
+        key: &'static str,
+        original: Option<std::ffi::OsString>,
+    }
+
+    #[cfg(test)]
+    impl EnvVarGuard {
+        fn set(key: &'static str, value: &str) -> Self {
+            let original = env::var_os(key);
+            unsafe {
+                env::set_var(key, value);
+            }
+            Self { key, original }
+        }
+    }
+
+    #[cfg(test)]
+    impl Drop for EnvVarGuard {
+        fn drop(&mut self) {
+            unsafe {
+                match &self.original {
+                    Some(value) => env::set_var(self.key, value),
+                    None => env::remove_var(self.key),
+                }
+            }
+        }
+    }
+
+    #[tokio::test]
+    async fn enforce_login_restrictions_logs_out_for_method_mismatch() {
+        let codex_home = tempdir().unwrap();
+        login_with_api_key(codex_home.path(), "sk-test").expect("seed api key");
+
+        let config = build_config(codex_home.path(), Some(ForcedLoginMethod::Chatgpt), None);
+
+        let err = super::enforce_login_restrictions(&config)
+            .await
+            .expect_err("expected method mismatch to error");
+        assert!(err.to_string().contains("ChatGPT login is required"));
+        assert!(
+            !codex_home.path().join("auth.json").exists(),
+            "auth.json should be removed on mismatch"
+        );
+    }
+
+    #[tokio::test]
+    async fn enforce_login_restrictions_logs_out_for_workspace_mismatch() {
+        let codex_home = tempdir().unwrap();
+        let _jwt = write_auth_file(
+            AuthFileParams {
+                openai_api_key: None,
+                chatgpt_plan_type: "pro".to_string(),
+                chatgpt_account_id: Some("org_another_org".to_string()),
+            },
+            codex_home.path(),
+        )
+        .expect("failed to write auth file");
+
+        let config = build_config(codex_home.path(), None, Some("org_mine".to_string()));
+
+        let err = super::enforce_login_restrictions(&config)
+            .await
+            .expect_err("expected workspace mismatch to error");
+        assert!(err.to_string().contains("workspace org_mine"));
+        assert!(
+            !codex_home.path().join("auth.json").exists(),
+            "auth.json should be removed on mismatch"
+        );
+    }
+
+    #[tokio::test]
+    async fn enforce_login_restrictions_allows_matching_workspace() {
+        let codex_home = tempdir().unwrap();
+        let _jwt = write_auth_file(
+            AuthFileParams {
+                openai_api_key: None,
+                chatgpt_plan_type: "pro".to_string(),
+                chatgpt_account_id: Some("org_mine".to_string()),
+            },
+            codex_home.path(),
+        )
+        .expect("failed to write auth file");
+
+        let config = build_config(codex_home.path(), None, Some("org_mine".to_string()));
+
+        super::enforce_login_restrictions(&config)
+            .await
+            .expect("matching workspace should succeed");
+        assert!(
+            codex_home.path().join("auth.json").exists(),
+            "auth.json should remain when restrictions pass"
+        );
+    }
+
+    #[tokio::test]
+    async fn enforce_login_restrictions_allows_api_key_if_login_method_not_set_but_forced_chatgpt_workspace_id_is_set()
+     {
+        let codex_home = tempdir().unwrap();
+        login_with_api_key(codex_home.path(), "sk-test").expect("seed api key");
+
+        let config = build_config(codex_home.path(), None, Some("org_mine".to_string()));
+
+        super::enforce_login_restrictions(&config)
+            .await
+            .expect("matching workspace should succeed");
+        assert!(
+            codex_home.path().join("auth.json").exists(),
+            "auth.json should remain when restrictions pass"
+        );
+    }
+
+    #[tokio::test]
+    #[serial(codex_api_key)]
+    async fn enforce_login_restrictions_blocks_env_api_key_when_chatgpt_required() {
+        let _guard = EnvVarGuard::set(CODEX_API_KEY_ENV_VAR, "sk-env");
+        let codex_home = tempdir().unwrap();
+
+        let config = build_config(codex_home.path(), Some(ForcedLoginMethod::Chatgpt), None);
+
+        let err = super::enforce_login_restrictions(&config)
+            .await
+            .expect_err("environment API key should not satisfy forced ChatGPT login");
+        assert!(
+            err.to_string()
+                .contains("ChatGPT login is required, but an API key is currently being used.")
+        );
+    }
 }

 /// Central manager providing a single source of truth for auth.json derived
--- a/codex-rs/core/src/chat_completions.rs
+++ b/codex-rs/core/src/chat_completions.rs
@@ -5,11 +5,13 @@ use crate::client_common::Prompt;
 use crate::client_common::ResponseEvent;
 use crate::client_common::ResponseStream;
 use crate::error::CodexErr;
+use crate::error::ConnectionFailedError;
+use crate::error::ResponseStreamFailed;
 use crate::error::Result;
 use crate::error::RetryLimitReachedError;
 use crate::error::UnexpectedResponseError;
 use crate::model_family::ModelFamily;
-use crate::openai_tools::create_tools_json_for_chat_completions_api;
+use crate::tools::spec::create_tools_json_for_chat_completions_api;
 use crate::util::backoff;
 use bytes::Bytes;
 use codex_otel::otel_event_manager::OtelEventManager;
@@ -309,7 +311,12 @@ pub(crate) async fn stream_chat_completions(
        match res {
            Ok(resp) if resp.status().is_success() => {
                let (tx_event, rx_event) = mpsc::channel::<Result<ResponseEvent>>(1600);
-                let stream = resp.bytes_stream().map_err(CodexErr::Reqwest);
+                let stream = resp.bytes_stream().map_err(|e| {
+                    CodexErr::ResponseStreamFailed(ResponseStreamFailed {
+                        source: e,
+                        request_id: None,
+                    })
+                });
                tokio::spawn(process_chat_sse(
                    stream,
                    tx_event,
@@ -349,7 +356,9 @@ pub(crate) async fn stream_chat_completions(
            }
            Err(e) => {
                if attempt > max_retries {
-                    return Err(e.into());
+                    return Err(CodexErr::ConnectionFailed(ConnectionFailedError {
+                        source: e,
+                    }));
                }
                let delay = backoff(attempt);
                tokio::time::sleep(delay).await;
@@ -389,10 +398,12 @@ async fn process_chat_sse<S>(
    let mut reasoning_text = String::new();

    loop {
-        let sse = match otel_event_manager
-            .log_sse_event(|| timeout(idle_timeout, stream.next()))
-            .await
-        {
+        let start = std::time::Instant::now();
+        let response = timeout(idle_timeout, stream.next()).await;
+        let duration = start.elapsed();
+        otel_event_manager.log_sse_event(&response, duration);
+
+        let sse = match response {
            Ok(Some(Ok(ev))) => ev,
            Ok(Some(Err(e))) => {
                let _ = tx_event
--- a/codex-rs/core/src/client.rs
+++ b/codex-rs/core/src/client.rs
@@ -5,6 +5,8 @@ use std::time::Duration;

 use crate::AuthManager;
 use crate::auth::CodexAuth;
+use crate::error::ConnectionFailedError;
+use crate::error::ResponseStreamFailed;
 use crate::error::RetryLimitReachedError;
 use crate::error::UnexpectedResponseError;
 use bytes::Bytes;
@@ -43,12 +45,15 @@ use crate::model_family::ModelFamily;
 use crate::model_provider_info::ModelProviderInfo;
 use crate::model_provider_info::WireApi;
 use crate::openai_model_info::get_model_info;
-use crate::openai_tools::create_tools_json_for_responses_api;
 use crate::protocol::RateLimitSnapshot;
 use crate::protocol::RateLimitWindow;
 use crate::protocol::TokenUsage;
+use crate::state::TaskKind;
 use crate::token_data::PlanType;
+use crate::tools::spec::create_tools_json_for_responses_api;
 use crate::util::backoff;
+use chrono::DateTime;
+use chrono::Utc;
 use codex_otel::otel_event_manager::OtelEventManager;
 use codex_protocol::config_types::ReasoningEffort as ReasoningEffortConfig;
 use codex_protocol::config_types::ReasoningSummary as ReasoningSummaryConfig;
@@ -68,7 +73,7 @@ struct Error {

    // Optional fields available on "usage_limit_reached" and "usage_not_included" errors
    plan_type: Option<PlanType>,
-    resets_in_seconds: Option<u64>,
+    resets_at: Option<i64>,
 }

 #[derive(Debug, Clone)]
@@ -107,10 +112,12 @@ impl ModelClient {
        }
    }

-    pub fn get_model_context_window(&self) -> Option<u64> {
+    pub fn get_model_context_window(&self) -> Option<i64> {
+        let pct = self.config.model_family.effective_context_window_percent;
        self.config
            .model_context_window
            .or_else(|| get_model_info(&self.config.model_family).map(|info| info.context_window))
+            .map(|w| w.saturating_mul(pct) / 100)
    }

    pub fn get_auto_compact_token_limit(&self) -> Option<i64> {
@@ -123,8 +130,16 @@ impl ModelClient {
    /// the provider config.  Public callers always invoke `stream()` – the
    /// specialised helpers are private to avoid accidental misuse.
    pub async fn stream(&self, prompt: &Prompt) -> Result<ResponseStream> {
+        self.stream_with_task_kind(prompt, TaskKind::Regular).await
+    }
+
+    pub(crate) async fn stream_with_task_kind(
+        &self,
+        prompt: &Prompt,
+        task_kind: TaskKind,
+    ) -> Result<ResponseStream> {
        match self.provider.wire_api {
-            WireApi::Responses => self.stream_responses(prompt).await,
+            WireApi::Responses => self.stream_responses(prompt, task_kind).await,
            WireApi::Chat => {
                // Create the raw streaming connection first.
                let response_stream = stream_chat_completions(
@@ -165,7 +180,11 @@ impl ModelClient {
    }

    /// Implementation for the OpenAI *Responses* experimental API.
-    async fn stream_responses(&self, prompt: &Prompt) -> Result<ResponseStream> {
+    async fn stream_responses(
+        &self,
+        prompt: &Prompt,
+        task_kind: TaskKind,
+    ) -> Result<ResponseStream> {
        if let Some(path) = &*CODEX_RS_SSE_FIXTURE {
            // short circuit for tests
            warn!(path, "Streaming from fixture");
@@ -244,7 +263,7 @@ impl ModelClient {
        let max_attempts = self.provider.request_max_retries();
        for attempt in 0..=max_attempts {
            match self
-                .attempt_stream_responses(attempt, &payload_json, &auth_manager)
+                .attempt_stream_responses(attempt, &payload_json, &auth_manager, task_kind)
                .await
            {
                Ok(stream) => {
@@ -272,6 +291,7 @@ impl ModelClient {
        attempt: u64,
        payload_json: &Value,
        auth_manager: &Option<Arc<AuthManager>>,
+        task_kind: TaskKind,
    ) -> std::result::Result<ResponseStream, StreamAttemptError> {
        // Always fetch the latest auth in case a prior attempt refreshed the token.
        let auth = auth_manager.as_ref().and_then(|m| m.auth());
@@ -294,6 +314,7 @@ impl ModelClient {
            .header("conversation_id", self.conversation_id.to_string())
            .header("session_id", self.conversation_id.to_string())
            .header(reqwest::header::ACCEPT, "text/event-stream")
+            .header("Codex-Task-Type", task_kind.header_value())
            .json(payload_json);

        if let Some(auth) = auth.as_ref()
@@ -336,7 +357,12 @@ impl ModelClient {
                }

                // spawn task to process SSE
-                let stream = resp.bytes_stream().map_err(CodexErr::Reqwest);
+                let stream = resp.bytes_stream().map_err(move |e| {
+                    CodexErr::ResponseStreamFailed(ResponseStreamFailed {
+                        source: e,
+                        request_id: request_id.clone(),
+                    })
+                });
                tokio::spawn(process_sse(
                    stream,
                    tx_event,
@@ -397,10 +423,12 @@ impl ModelClient {
                            let plan_type = error
                                .plan_type
                                .or_else(|| auth.as_ref().and_then(CodexAuth::get_plan_type));
-                            let resets_in_seconds = error.resets_in_seconds;
+                            let resets_at = error
+                                .resets_at
+                                .and_then(|seconds| DateTime::<Utc>::from_timestamp(seconds, 0));
                            let codex_err = CodexErr::UsageLimitReached(UsageLimitReachedError {
                                plan_type,
-                                resets_in_seconds,
+                                resets_at,
                                rate_limits: rate_limit_snapshot,
                            });
                            return Err(StreamAttemptError::Fatal(codex_err));
@@ -416,7 +444,9 @@ impl ModelClient {
                    request_id,
                })
            }
-            Err(e) => Err(StreamAttemptError::RetryableTransportError(e.into())),
+            Err(e) => Err(StreamAttemptError::RetryableTransportError(
+                CodexErr::ConnectionFailed(ConnectionFailedError { source: e }),
+            )),
        }
    }

@@ -514,11 +544,11 @@ struct ResponseCompleted {

 #[derive(Debug, Deserialize)]
 struct ResponseCompletedUsage {
-    input_tokens: u64,
+    input_tokens: i64,
    input_tokens_details: Option<ResponseCompletedInputTokensDetails>,
-    output_tokens: u64,
+    output_tokens: i64,
    output_tokens_details: Option<ResponseCompletedOutputTokensDetails>,
-    total_tokens: u64,
+    total_tokens: i64,
 }

 impl From<ResponseCompletedUsage> for TokenUsage {
@@ -541,12 +571,12 @@ impl From<ResponseCompletedUsage> for TokenUsage {

 #[derive(Debug, Deserialize)]
 struct ResponseCompletedInputTokensDetails {
-    cached_tokens: u64,
+    cached_tokens: i64,
 }

 #[derive(Debug, Deserialize)]
 struct ResponseCompletedOutputTokensDetails {
-    reasoning_tokens: u64,
+    reasoning_tokens: i64,
 }

 fn attach_item_ids(payload_json: &mut Value, original_items: &[ResponseItem]) {
@@ -581,14 +611,14 @@ fn parse_rate_limit_snapshot(headers: &HeaderMap) -> Option<RateLimitSnapshot> {
        headers,
        "x-codex-primary-used-percent",
        "x-codex-primary-window-minutes",
-        "x-codex-primary-reset-after-seconds",
+        "x-codex-primary-reset-at",
    );

    let secondary = parse_rate_limit_window(
        headers,
        "x-codex-secondary-used-percent",
        "x-codex-secondary-window-minutes",
-        "x-codex-secondary-reset-after-seconds",
+        "x-codex-secondary-reset-at",
    );

    Some(RateLimitSnapshot { primary, secondary })
@@ -603,17 +633,17 @@ fn parse_rate_limit_window(
    let used_percent: Option<f64> = parse_header_f64(headers, used_percent_header);

    used_percent.and_then(|used_percent| {
-        let window_minutes = parse_header_u64(headers, window_minutes_header);
-        let resets_in_seconds = parse_header_u64(headers, resets_header);
+        let window_minutes = parse_header_i64(headers, window_minutes_header);
+        let resets_at = parse_header_i64(headers, resets_header);

        let has_data = used_percent != 0.0
            || window_minutes.is_some_and(|minutes| minutes != 0)
-            || resets_in_seconds.is_some_and(|seconds| seconds != 0);
+            || resets_at.is_some();

        has_data.then_some(RateLimitWindow {
            used_percent,
            window_minutes,
-            resets_in_seconds,
+            resets_at,
        })
    })
 }
@@ -625,8 +655,8 @@ fn parse_header_f64(headers: &HeaderMap, name: &str) -> Option<f64> {
        .filter(|v| v.is_finite())
 }

-fn parse_header_u64(headers: &HeaderMap, name: &str) -> Option<u64> {
-    parse_header_str(headers, name)?.parse::<u64>().ok()
+fn parse_header_i64(headers: &HeaderMap, name: &str) -> Option<i64> {
+    parse_header_str(headers, name)?.parse::<i64>().ok()
 }

 fn parse_header_str<'a>(headers: &'a HeaderMap, name: &str) -> Option<&'a str> {
@@ -649,10 +679,12 @@ async fn process_sse<S>(
    let mut response_error: Option<CodexErr> = None;

    loop {
-        let sse = match otel_event_manager
-            .log_sse_event(|| timeout(idle_timeout, stream.next()))
-            .await
-        {
+        let start = std::time::Instant::now();
+        let response = timeout(idle_timeout, stream.next()).await;
+        let duration = start.elapsed();
+        otel_event_manager.log_sse_event(&response, duration);
+
+        let sse = match response {
            Ok(Some(Ok(sse))) => sse,
            Ok(Some(Err(e))) => {
                debug!("SSE Error: {e:#}");
@@ -1013,6 +1045,7 @@ mod tests {
            "test",
            "test",
            None,
+            Some("test@test.com".to_string()),
            Some(AuthMode::ChatGPT),
            false,
            "test".to_string(),
@@ -1363,7 +1396,7 @@ mod tests {
            message: Some("Rate limit reached for gpt-5 in organization org- on tokens per min (TPM): Limit 1, Used 1, Requested 19304. Please try again in 28ms. Visit https://platform.openai.com/account/rate-limits to learn more.".to_string()),
            code: Some("rate_limit_exceeded".to_string()),
            plan_type: None,
-            resets_in_seconds: None
+            resets_at: None
        };

        let delay = try_parse_retry_after(&err);
@@ -1377,20 +1410,20 @@ mod tests {
            message: Some("Rate limit reached for gpt-5 in organization <ORG> on tokens per min (TPM): Limit 30000, Used 6899, Requested 24050. Please try again in 1.898s. Visit https://platform.openai.com/account/rate-limits to learn more.".to_string()),
            code: Some("rate_limit_exceeded".to_string()),
            plan_type: None,
-            resets_in_seconds: None
+            resets_at: None
        };
        let delay = try_parse_retry_after(&err);
        assert_eq!(delay, Some(Duration::from_secs_f64(1.898)));
    }

    #[test]
-    fn error_response_deserializes_old_schema_known_plan_type_and_serializes_back() {
+    fn error_response_deserializes_schema_known_plan_type_and_serializes_back() {
        use crate::token_data::KnownPlan;
        use crate::token_data::PlanType;

-        let json = r#"{"error":{"type":"usage_limit_reached","plan_type":"pro","resets_in_seconds":3600}}"#;
-        let resp: ErrorResponse =
-            serde_json::from_str(json).expect("should deserialize old schema");
+        let json =
+            r#"{"error":{"type":"usage_limit_reached","plan_type":"pro","resets_at":1704067200}}"#;
+        let resp: ErrorResponse = serde_json::from_str(json).expect("should deserialize schema");

        assert_matches!(resp.error.plan_type, Some(PlanType::Known(KnownPlan::Pro)));

@@ -1399,13 +1432,12 @@ mod tests {
    }

    #[test]
-    fn error_response_deserializes_old_schema_unknown_plan_type_and_serializes_back() {
+    fn error_response_deserializes_schema_unknown_plan_type_and_serializes_back() {
        use crate::token_data::PlanType;

        let json =
-            r#"{"error":{"type":"usage_limit_reached","plan_type":"vip","resets_in_seconds":60}}"#;
-        let resp: ErrorResponse =
-            serde_json::from_str(json).expect("should deserialize old schema");
+            r#"{"error":{"type":"usage_limit_reached","plan_type":"vip","resets_at":1704067260}}"#;
+        let resp: ErrorResponse = serde_json::from_str(json).expect("should deserialize schema");

        assert_matches!(resp.error.plan_type, Some(PlanType::Unknown(ref s)) if s == "vip");

--- a/codex-rs/core/src/client_common.rs
+++ b/codex-rs/core/src/client_common.rs
@@ -281,7 +281,7 @@ pub(crate) struct ResponsesApiRequest<'a> {
 }

 pub(crate) mod tools {
-    use crate::openai_tools::JsonSchema;
+    use crate::tools::spec::JsonSchema;
    use serde::Deserialize;
    use serde::Serialize;

--- a/codex-rs/core/src/codex.rs
+++ b/codex-rs/core/src/codex.rs
--- a/codex-rs/core/src/codex/compact.rs
+++ b/codex-rs/core/src/codex/compact.rs
@@ -16,6 +16,7 @@ use crate::protocol::InputItem;
 use crate::protocol::InputMessageKind;
 use crate::protocol::TaskStartedEvent;
 use crate::protocol::TurnContextItem;
+use crate::state::TaskKind;
 use crate::truncate::truncate_middle;
 use crate::util::backoff;
 use askama::Template;
@@ -70,14 +71,10 @@ async fn run_compact_task_inner(
    input: Vec<InputItem>,
 ) {
    let initial_input_for_turn: ResponseInputItem = ResponseInputItem::from(input);
-    let turn_input = sess
+    let mut turn_input = sess
        .turn_input_with_history(vec![initial_input_for_turn.clone().into()])
        .await;
-
-    let prompt = Prompt {
-        input: turn_input,
-        ..Default::default()
-    };
+    let mut truncated_count = 0usize;

    let max_retries = turn_context.client.get_provider().stream_max_retries();
    let mut retries = 0;
@@ -93,17 +90,36 @@ async fn run_compact_task_inner(
    sess.persist_rollout_items(&[rollout_item]).await;

    loop {
+        let prompt = Prompt {
+            input: turn_input.clone(),
+            ..Default::default()
+        };
        let attempt_result =
            drain_to_completed(&sess, turn_context.as_ref(), &sub_id, &prompt).await;

        match attempt_result {
            Ok(()) => {
+                if truncated_count > 0 {
+                    sess.notify_background_event(
+                        &sub_id,
+                        format!(
+                            "Trimmed {truncated_count} older conversation item(s) before compacting so the prompt fits the model context window."
+                        ),
+                    )
+                    .await;
+                }
                break;
            }
            Err(CodexErr::Interrupted) => {
                return;
            }
            Err(e @ CodexErr::ContextWindowExceeded) => {
+                if turn_input.len() > 1 {
+                    turn_input.remove(0);
+                    truncated_count += 1;
+                    retries = 0;
+                    continue;
+                }
                sess.set_total_tokens_full(&sub_id, turn_context.as_ref())
                    .await;
                let event = Event {
@@ -121,9 +137,7 @@ async fn run_compact_task_inner(
                    let delay = backoff(retries);
                    sess.notify_stream_error(
                        &sub_id,
-                        format!(
-                            "stream error: {e}; retrying {retries}/{max_retries} in {delay:?}…"
-                        ),
+                        format!("Re-connecting... {retries}/{max_retries}"),
                    )
                    .await;
                    tokio::time::sleep(delay).await;
@@ -245,7 +259,11 @@ async fn drain_to_completed(
    sub_id: &str,
    prompt: &Prompt,
 ) -> CodexResult<()> {
-    let mut stream = turn_context.client.clone().stream(prompt).await?;
+    let mut stream = turn_context
+        .client
+        .clone()
+        .stream_with_task_kind(prompt, TaskKind::Compact)
+        .await?;
    loop {
        let maybe_event = stream.next().await;
        let Some(event) = maybe_event else {
--- a/codex-rs/core/src/command_safety/is_safe_command.rs
+++ b/codex-rs/core/src/command_safety/is_safe_command.rs
@@ -1,15 +1,25 @@
 use crate::bash::parse_bash_lc_plain_commands;

 pub fn is_known_safe_command(command: &[String]) -> bool {
+    let command: Vec<String> = command
+        .iter()
+        .map(|s| {
+            if s == "zsh" {
+                "bash".to_string()
+            } else {
+                s.clone()
+            }
+        })
+        .collect();
    #[cfg(target_os = "windows")]
    {
        use super::windows_safe_commands::is_safe_command_windows;
-        if is_safe_command_windows(command) {
+        if is_safe_command_windows(&command) {
            return true;
        }
    }

-    if is_safe_to_call_with_exec(command) {
+    if is_safe_to_call_with_exec(&command) {
        return true;
    }

@@ -19,7 +29,7 @@ pub fn is_known_safe_command(command: &[String]) -> bool {
    // introduce side effects ( "&&", "||", ";", and "|" ). If every
    // individual command in the script is itself a known‑safe command, then
    // the composite expression is considered safe.
-    if let Some(all_commands) = parse_bash_lc_plain_commands(command)
+    if let Some(all_commands) = parse_bash_lc_plain_commands(&command)
        && !all_commands.is_empty()
        && all_commands
            .iter()
@@ -31,9 +41,14 @@ pub fn is_known_safe_command(command: &[String]) -> bool {
 }

 fn is_safe_to_call_with_exec(command: &[String]) -> bool {
-    let cmd0 = command.first().map(String::as_str);
+    let Some(cmd0) = command.first().map(String::as_str) else {
+        return false;
+    };

-    match cmd0 {
+    match std::path::Path::new(&cmd0)
+        .file_name()
+        .and_then(|osstr| osstr.to_str())
+    {
        #[rustfmt::skip]
        Some(
            "cat" |
@@ -103,13 +118,12 @@ fn is_safe_to_call_with_exec(command: &[String]) -> bool {
        // Rust
        Some("cargo") if command.get(1).map(String::as_str) == Some("check") => true,

-        // Special-case `sed -n {N|M,N}p FILE`
+        // Special-case `sed -n {N|M,N}p`
        Some("sed")
            if {
-                command.len() == 4
+                command.len() <= 4
                    && command.get(1).map(String::as_str) == Some("-n")
                    && is_valid_sed_n_arg(command.get(2).map(String::as_str))
-                    && command.get(3).map(String::is_empty) == Some(false)
            } =>
        {
            true
--- a/codex-rs/core/src/config.rs
+++ b/codex-rs/core/src/config.rs
--- a/codex-rs/core/src/config_profile.rs
+++ b/codex-rs/core/src/config_profile.rs
@@ -20,6 +20,18 @@ pub struct ConfigProfile {
    pub model_verbosity: Option<Verbosity>,
    pub chatgpt_base_url: Option<String>,
    pub experimental_instructions_file: Option<PathBuf>,
+    pub include_plan_tool: Option<bool>,
+    pub include_apply_patch_tool: Option<bool>,
+    pub include_view_image_tool: Option<bool>,
+    pub experimental_use_unified_exec_tool: Option<bool>,
+    pub experimental_use_exec_command_tool: Option<bool>,
+    pub experimental_use_rmcp_client: Option<bool>,
+    pub experimental_use_freeform_apply_patch: Option<bool>,
+    pub tools_web_search: Option<bool>,
+    pub tools_view_image: Option<bool>,
+    /// Optional feature toggles scoped to this profile.
+    #[serde(default)]
+    pub features: Option<crate::features::FeaturesToml>,
 }

 impl From<ConfigProfile> for codex_app_server_protocol::Profile {
--- a/codex-rs/core/src/config_types.rs
+++ b/codex-rs/core/src/config_types.rs
@@ -20,6 +20,10 @@ pub struct McpServerConfig {
    #[serde(flatten)]
    pub transport: McpServerTransportConfig,

+    /// When `false`, Codex skips initializing this MCP server.
+    #[serde(default = "default_enabled")]
+    pub enabled: bool,
+
    /// Startup timeout in seconds for initializing MCP server & initially listing tools.
    #[serde(
        default,
@@ -40,21 +44,34 @@ impl<'de> Deserialize<'de> for McpServerConfig {
    {
        #[derive(Deserialize)]
        struct RawMcpServerConfig {
+            // stdio
            command: Option<String>,
            #[serde(default)]
            args: Option<Vec<String>>,
            #[serde(default)]
            env: Option<HashMap<String, String>>,
+            #[serde(default)]
+            env_vars: Option<Vec<String>>,
+            #[serde(default)]
+            cwd: Option<PathBuf>,
+            http_headers: Option<HashMap<String, String>>,
+            #[serde(default)]
+            env_http_headers: Option<HashMap<String, String>>,

+            // streamable_http
            url: Option<String>,
            bearer_token: Option<String>,
+            bearer_token_env_var: Option<String>,

+            // shared
            #[serde(default)]
            startup_timeout_sec: Option<f64>,
            #[serde(default)]
            startup_timeout_ms: Option<u64>,
            #[serde(default, with = "option_duration_secs")]
            tool_timeout_sec: Option<Duration>,
+            #[serde(default)]
+            enabled: Option<bool>,
        }

        let raw = RawMcpServerConfig::deserialize(deserializer)?;
@@ -85,30 +102,58 @@ impl<'de> Deserialize<'de> for McpServerConfig {
                command: Some(command),
                args,
                env,
+                env_vars,
+                cwd,
                url,
-                bearer_token,
+                bearer_token_env_var,
+                http_headers,
+                env_http_headers,
                ..
            } => {
                throw_if_set("stdio", "url", url.as_ref())?;
-                throw_if_set("stdio", "bearer_token", bearer_token.as_ref())?;
+                throw_if_set(
+                    "stdio",
+                    "bearer_token_env_var",
+                    bearer_token_env_var.as_ref(),
+                )?;
+                throw_if_set("stdio", "http_headers", http_headers.as_ref())?;
+                throw_if_set("stdio", "env_http_headers", env_http_headers.as_ref())?;
                McpServerTransportConfig::Stdio {
                    command,
                    args: args.unwrap_or_default(),
                    env,
+                    env_vars: env_vars.unwrap_or_default(),
+                    cwd,
                }
            }
            RawMcpServerConfig {
                url: Some(url),
                bearer_token,
+                bearer_token_env_var,
                command,
                args,
                env,
-                ..
+                env_vars,
+                cwd,
+                http_headers,
+                env_http_headers,
+                startup_timeout_sec: _,
+                tool_timeout_sec: _,
+                startup_timeout_ms: _,
+                enabled: _,
            } => {
                throw_if_set("streamable_http", "command", command.as_ref())?;
                throw_if_set("streamable_http", "args", args.as_ref())?;
                throw_if_set("streamable_http", "env", env.as_ref())?;
-                McpServerTransportConfig::StreamableHttp { url, bearer_token }
+                throw_if_set("streamable_http", "env_vars", env_vars.as_ref())?;
+                throw_if_set("streamable_http", "cwd", cwd.as_ref())?;
+                throw_if_set("streamable_http", "bearer_token", bearer_token.as_ref())?;
+                McpServerTransportConfig::StreamableHttp {
+                    url,
+                    bearer_token_env_var,
+                    http_headers,
+                    env_http_headers,
+                }
            }
            _ => return Err(SerdeError::custom("invalid transport")),
        };
@@ -117,10 +162,15 @@ impl<'de> Deserialize<'de> for McpServerConfig {
            transport,
            startup_timeout_sec,
            tool_timeout_sec: raw.tool_timeout_sec,
+            enabled: raw.enabled.unwrap_or_else(default_enabled),
        })
    }
 }

+const fn default_enabled() -> bool {
+    true
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq)]
 #[serde(untagged, deny_unknown_fields, rename_all = "snake_case")]
 pub enum McpServerTransportConfig {
@@ -131,15 +181,25 @@ pub enum McpServerTransportConfig {
        args: Vec<String>,
        #[serde(default, skip_serializing_if = "Option::is_none")]
        env: Option<HashMap<String, String>>,
+        #[serde(default, skip_serializing_if = "Vec::is_empty")]
+        env_vars: Vec<String>,
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        cwd: Option<PathBuf>,
    },
    /// https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#streamable-http
    StreamableHttp {
        url: String,
-        /// A plain text bearer token to use for authentication.
-        /// This bearer token will be included in the HTTP request header as an `Authorization: Bearer <token>` header.
-        /// This should be used with caution because it lives on disk in clear text.
+        /// Name of the environment variable to read for an HTTP bearer token.
+        /// When set, requests will include the token via `Authorization: Bearer <token>`.
+        /// The actual secret value must be provided via the environment.
        #[serde(default, skip_serializing_if = "Option::is_none")]
-        bearer_token: Option<String>,
+        bearer_token_env_var: Option<String>,
+        /// Additional HTTP headers to include in requests to this server.
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        http_headers: Option<HashMap<String, String>>,
+        /// HTTP headers where the value is sourced from an environment variable.
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        env_http_headers: Option<HashMap<String, String>>,
    },
 }

@@ -301,6 +361,20 @@ pub struct Tui {
    pub notifications: Notifications,
 }

+/// Settings for notices we display to users via the tui and app-server clients
+/// (primarily the Codex IDE extension). NOTE: these are different from
+/// notifications - notices are warnings, NUX screens, acknowledgements, etc.
+#[derive(Deserialize, Debug, Clone, PartialEq, Default)]
+pub struct Notice {
+    /// Tracks whether the user has acknowledged the full access warning prompt.
+    pub hide_full_access_warning: Option<bool>,
+}
+
+impl Notice {
+    /// used by set_hide_full_access_warning until we refactor config updates
+    pub(crate) const TABLE_KEY: &'static str = "notice";
+}
+
 #[derive(Deserialize, Debug, Clone, PartialEq, Default)]
 pub struct SandboxWorkspaceWrite {
    #[serde(default)]
@@ -447,9 +521,12 @@ mod tests {
            McpServerTransportConfig::Stdio {
                command: "echo".to_string(),
                args: vec![],
-                env: None
+                env: None,
+                env_vars: Vec::new(),
+                cwd: None,
            }
        );
+        assert!(cfg.enabled);
    }

    #[test]
@@ -467,9 +544,12 @@ mod tests {
            McpServerTransportConfig::Stdio {
                command: "echo".to_string(),
                args: vec!["hello".to_string(), "world".to_string()],
-                env: None
+                env: None,
+                env_vars: Vec::new(),
+                cwd: None,
            }
        );
+        assert!(cfg.enabled);
    }

    #[test]
@@ -488,9 +568,69 @@ mod tests {
            McpServerTransportConfig::Stdio {
                command: "echo".to_string(),
                args: vec!["hello".to_string(), "world".to_string()],
-                env: Some(HashMap::from([("FOO".to_string(), "BAR".to_string())]))
+                env: Some(HashMap::from([("FOO".to_string(), "BAR".to_string())])),
+                env_vars: Vec::new(),
+                cwd: None,
            }
        );
+        assert!(cfg.enabled);
+    }
+
+    #[test]
+    fn deserialize_stdio_command_server_config_with_env_vars() {
+        let cfg: McpServerConfig = toml::from_str(
+            r#"
+            command = "echo"
+            env_vars = ["FOO", "BAR"]
+        "#,
+        )
+        .expect("should deserialize command config with env_vars");
+
+        assert_eq!(
+            cfg.transport,
+            McpServerTransportConfig::Stdio {
+                command: "echo".to_string(),
+                args: vec![],
+                env: None,
+                env_vars: vec!["FOO".to_string(), "BAR".to_string()],
+                cwd: None,
+            }
+        );
+    }
+
+    #[test]
+    fn deserialize_stdio_command_server_config_with_cwd() {
+        let cfg: McpServerConfig = toml::from_str(
+            r#"
+            command = "echo"
+            cwd = "/tmp"
+        "#,
+        )
+        .expect("should deserialize command config with cwd");
+
+        assert_eq!(
+            cfg.transport,
+            McpServerTransportConfig::Stdio {
+                command: "echo".to_string(),
+                args: vec![],
+                env: None,
+                env_vars: Vec::new(),
+                cwd: Some(PathBuf::from("/tmp")),
+            }
+        );
+    }
+
+    #[test]
+    fn deserialize_disabled_server_config() {
+        let cfg: McpServerConfig = toml::from_str(
+            r#"
+            command = "echo"
+            enabled = false
+        "#,
+        )
+        .expect("should deserialize disabled server config");
+
+        assert!(!cfg.enabled);
    }

    #[test]
@@ -506,17 +646,20 @@ mod tests {
            cfg.transport,
            McpServerTransportConfig::StreamableHttp {
                url: "https://example.com/mcp".to_string(),
-                bearer_token: None
+                bearer_token_env_var: None,
+                http_headers: None,
+                env_http_headers: None,
            }
        );
+        assert!(cfg.enabled);
    }

    #[test]
-    fn deserialize_streamable_http_server_config_with_bearer_token() {
+    fn deserialize_streamable_http_server_config_with_env_var() {
        let cfg: McpServerConfig = toml::from_str(
            r#"
            url = "https://example.com/mcp"
-            bearer_token = "secret"
+            bearer_token_env_var = "GITHUB_TOKEN"
        "#,
        )
        .expect("should deserialize http config");
@@ -525,7 +668,35 @@ mod tests {
            cfg.transport,
            McpServerTransportConfig::StreamableHttp {
                url: "https://example.com/mcp".to_string(),
-                bearer_token: Some("secret".to_string())
+                bearer_token_env_var: Some("GITHUB_TOKEN".to_string()),
+                http_headers: None,
+                env_http_headers: None,
+            }
+        );
+        assert!(cfg.enabled);
+    }
+
+    #[test]
+    fn deserialize_streamable_http_server_config_with_headers() {
+        let cfg: McpServerConfig = toml::from_str(
+            r#"
+            url = "https://example.com/mcp"
+            http_headers = { "X-Foo" = "bar" }
+            env_http_headers = { "X-Token" = "TOKEN_ENV" }
+        "#,
+        )
+        .expect("should deserialize http config with headers");
+
+        assert_eq!(
+            cfg.transport,
+            McpServerTransportConfig::StreamableHttp {
+                url: "https://example.com/mcp".to_string(),
+                bearer_token_env_var: None,
+                http_headers: Some(HashMap::from([("X-Foo".to_string(), "bar".to_string())])),
+                env_http_headers: Some(HashMap::from([(
+                    "X-Token".to_string(),
+                    "TOKEN_ENV".to_string()
+                )])),
            }
        );
    }
@@ -553,13 +724,37 @@ mod tests {
    }

    #[test]
-    fn deserialize_rejects_bearer_token_for_stdio_transport() {
+    fn deserialize_rejects_headers_for_stdio() {
        toml::from_str::<McpServerConfig>(
            r#"
            command = "echo"
+            http_headers = { "X-Foo" = "bar" }
+        "#,
+        )
+        .expect_err("should reject http_headers for stdio transport");
+
+        toml::from_str::<McpServerConfig>(
+            r#"
+            command = "echo"
+            env_http_headers = { "X-Foo" = "BAR_ENV" }
+        "#,
+        )
+        .expect_err("should reject env_http_headers for stdio transport");
+    }
+
+    #[test]
+    fn deserialize_rejects_inline_bearer_token_field() {
+        let err = toml::from_str::<McpServerConfig>(
+            r#"
+            url = "https://example.com"
            bearer_token = "secret"
        "#,
        )
-        .expect_err("should reject bearer token for stdio transport");
+        .expect_err("should reject bearer_token field");
+
+        assert!(
+            err.to_string().contains("bearer_token is not supported"),
+            "unexpected error: {err}"
+        );
    }
 }
--- a/codex-rs/core/src/environment_context.rs
+++ b/codex-rs/core/src/environment_context.rs
@@ -93,6 +93,25 @@ impl EnvironmentContext {
            && self.network_access == *network_access
            && self.writable_roots == *writable_roots
    }
+
+    pub fn diff(before: &TurnContext, after: &TurnContext) -> Self {
+        let cwd = if before.cwd != after.cwd {
+            Some(after.cwd.clone())
+        } else {
+            None
+        };
+        let approval_policy = if before.approval_policy != after.approval_policy {
+            Some(after.approval_policy)
+        } else {
+            None
+        };
+        let sandbox_policy = if before.sandbox_policy != after.sandbox_policy {
+            Some(after.sandbox_policy.clone())
+        } else {
+            None
+        };
+        EnvironmentContext::new(cwd, approval_policy, sandbox_policy, None)
+    }
 }

 impl From<&TurnContext> for EnvironmentContext {
--- a/codex-rs/core/src/error.rs
+++ b/codex-rs/core/src/error.rs
@@ -1,6 +1,10 @@
 use crate::exec::ExecToolCallOutput;
 use crate::token_data::KnownPlan;
 use crate::token_data::PlanType;
+use crate::truncate::truncate_middle;
+use chrono::DateTime;
+use chrono::Utc;
+use codex_async_utils::CancelErr;
 use codex_protocol::ConversationId;
 use codex_protocol::protocol::RateLimitSnapshot;
 use reqwest::StatusCode;
@@ -12,6 +16,9 @@ use tokio::task::JoinError;

 pub type Result<T> = std::result::Result<T, CodexErr>;

+/// Limit UI error messages to a reasonable size while keeping useful context.
+const ERROR_MESSAGE_UI_MAX_BYTES: usize = 2 * 1024; // 4 KiB
+
 #[derive(Error, Debug)]
 pub enum SandboxErr {
    /// Error from sandbox execution
@@ -46,6 +53,9 @@ pub enum SandboxErr {

 #[derive(Error, Debug)]
 pub enum CodexErr {
+    #[error("turn aborted")]
+    TurnAborted,
+
    /// Returned by ResponsesClient when the SSE stream disconnects or errors out **after** the HTTP
    /// handshake has succeeded but **before** it finished emitting `response.completed`.
    ///
@@ -87,6 +97,12 @@ pub enum CodexErr {
    #[error("{0}")]
    UsageLimitReached(UsageLimitReachedError),

+    #[error("{0}")]
+    ResponseStreamFailed(ResponseStreamFailed),
+
+    #[error("{0}")]
+    ConnectionFailed(ConnectionFailedError),
+
    #[error(
        "To use Codex with your ChatGPT plan, upgrade to Plus: https://openai.com/chatgpt/pricing."
    )]
@@ -122,9 +138,6 @@ pub enum CodexErr {
    #[error(transparent)]
    Io(#[from] io::Error),

-    #[error(transparent)]
-    Reqwest(#[from] reqwest::Error),
-
    #[error(transparent)]
    Json(#[from] serde_json::Error),

@@ -143,6 +156,43 @@ pub enum CodexErr {
    EnvVar(EnvVarError),
 }

+impl From<CancelErr> for CodexErr {
+    fn from(_: CancelErr) -> Self {
+        CodexErr::TurnAborted
+    }
+}
+
+#[derive(Debug)]
+pub struct ConnectionFailedError {
+    pub source: reqwest::Error,
+}
+
+impl std::fmt::Display for ConnectionFailedError {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "Connection failed: {}", self.source)
+    }
+}
+
+#[derive(Debug)]
+pub struct ResponseStreamFailed {
+    pub source: reqwest::Error,
+    pub request_id: Option<String>,
+}
+
+impl std::fmt::Display for ResponseStreamFailed {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(
+            f,
+            "Error while reading the server response: {}{}",
+            self.source,
+            self.request_id
+                .as_ref()
+                .map(|id| format!(", request id: {id}"))
+                .unwrap_or_default()
+        )
+    }
+}
+
 #[derive(Debug)]
 pub struct UnexpectedResponseError {
    pub status: StatusCode,
@@ -189,7 +239,7 @@ impl std::fmt::Display for RetryLimitReachedError {
 #[derive(Debug)]
 pub struct UsageLimitReachedError {
    pub(crate) plan_type: Option<PlanType>,
-    pub(crate) resets_in_seconds: Option<u64>,
+    pub(crate) resets_at: Option<DateTime<Utc>>,
    pub(crate) rate_limits: Option<RateLimitSnapshot>,
 }

@@ -198,12 +248,12 @@ impl std::fmt::Display for UsageLimitReachedError {
        let message = match self.plan_type.as_ref() {
            Some(PlanType::Known(KnownPlan::Plus)) => format!(
                "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing){}",
-                retry_suffix_after_or(self.resets_in_seconds)
+                retry_suffix_after_or(self.resets_at.as_ref())
            ),
            Some(PlanType::Known(KnownPlan::Team)) | Some(PlanType::Known(KnownPlan::Business)) => {
                format!(
                    "You've hit your usage limit. To get more access now, send a request to your admin{}",
-                    retry_suffix_after_or(self.resets_in_seconds)
+                    retry_suffix_after_or(self.resets_at.as_ref())
                )
            }
            Some(PlanType::Known(KnownPlan::Free)) => {
@@ -214,11 +264,11 @@ impl std::fmt::Display for UsageLimitReachedError {
            | Some(PlanType::Known(KnownPlan::Enterprise))
            | Some(PlanType::Known(KnownPlan::Edu)) => format!(
                "You've hit your usage limit.{}",
-                retry_suffix(self.resets_in_seconds)
+                retry_suffix(self.resets_at.as_ref())
            ),
            Some(PlanType::Unknown(_)) | None => format!(
                "You've hit your usage limit.{}",
-                retry_suffix(self.resets_in_seconds)
+                retry_suffix(self.resets_at.as_ref())
            ),
        };

@@ -226,8 +276,8 @@ impl std::fmt::Display for UsageLimitReachedError {
    }
 }

-fn retry_suffix(resets_in_seconds: Option<u64>) -> String {
-    if let Some(secs) = resets_in_seconds {
+fn retry_suffix(resets_at: Option<&DateTime<Utc>>) -> String {
+    if let Some(secs) = remaining_seconds(resets_at) {
        let reset_duration = format_reset_duration(secs);
        format!(" Try again in {reset_duration}.")
    } else {
@@ -235,8 +285,8 @@ fn retry_suffix(resets_in_seconds: Option<u64>) -> String {
    }
 }

-fn retry_suffix_after_or(resets_in_seconds: Option<u64>) -> String {
-    if let Some(secs) = resets_in_seconds {
+fn retry_suffix_after_or(resets_at: Option<&DateTime<Utc>>) -> String {
+    if let Some(secs) = remaining_seconds(resets_at) {
        let reset_duration = format_reset_duration(secs);
        format!(" or try again in {reset_duration}.")
    } else {
@@ -244,6 +294,29 @@ fn retry_suffix_after_or(resets_in_seconds: Option<u64>) -> String {
    }
 }

+fn remaining_seconds(resets_at: Option<&DateTime<Utc>>) -> Option<u64> {
+    let resets_at = resets_at.cloned()?;
+    let now = now_for_retry();
+    let secs = resets_at.signed_duration_since(now).num_seconds();
+    Some(if secs <= 0 { 0 } else { secs as u64 })
+}
+
+#[cfg(test)]
+thread_local! {
+    static NOW_OVERRIDE: std::cell::RefCell<Option<DateTime<Utc>>> =
+        const { std::cell::RefCell::new(None) };
+}
+
+fn now_for_retry() -> DateTime<Utc> {
+    #[cfg(test)]
+    {
+        if let Some(now) = NOW_OVERRIDE.with(|cell| *cell.borrow()) {
+            return now;
+        }
+    }
+    Utc::now()
+}
+
 fn format_reset_duration(total_secs: u64) -> String {
    let days = total_secs / 86_400;
    let hours = (total_secs % 86_400) / 3_600;
@@ -304,42 +377,86 @@ impl CodexErr {
 }

 pub fn get_error_message_ui(e: &CodexErr) -> String {
-    match e {
-        CodexErr::Sandbox(SandboxErr::Denied { output }) => output.stderr.text.clone(),
+    let message = match e {
+        CodexErr::Sandbox(SandboxErr::Denied { output }) => {
+            let aggregated = output.aggregated_output.text.trim();
+            if !aggregated.is_empty() {
+                output.aggregated_output.text.clone()
+            } else {
+                let stderr = output.stderr.text.trim();
+                let stdout = output.stdout.text.trim();
+                match (stderr.is_empty(), stdout.is_empty()) {
+                    (false, false) => format!("{stderr}\n{stdout}"),
+                    (false, true) => output.stderr.text.clone(),
+                    (true, false) => output.stdout.text.clone(),
+                    (true, true) => format!(
+                        "command failed inside sandbox with exit code {}",
+                        output.exit_code
+                    ),
+                }
+            }
+        }
        // Timeouts are not sandbox errors from a UX perspective; present them plainly
-        CodexErr::Sandbox(SandboxErr::Timeout { output }) => format!(
-            "error: command timed out after {} ms",
-            output.duration.as_millis()
-        ),
+        CodexErr::Sandbox(SandboxErr::Timeout { output }) => {
+            format!(
+                "error: command timed out after {} ms",
+                output.duration.as_millis()
+            )
+        }
        _ => e.to_string(),
-    }
+    };
+
+    truncate_middle(&message, ERROR_MESSAGE_UI_MAX_BYTES).0
 }

 #[cfg(test)]
 mod tests {
    use super::*;
+    use crate::exec::StreamOutput;
+    use chrono::DateTime;
+    use chrono::Duration as ChronoDuration;
+    use chrono::TimeZone;
+    use chrono::Utc;
    use codex_protocol::protocol::RateLimitWindow;
+    use pretty_assertions::assert_eq;

    fn rate_limit_snapshot() -> RateLimitSnapshot {
+        let primary_reset_at = Utc
+            .with_ymd_and_hms(2024, 1, 1, 1, 0, 0)
+            .unwrap()
+            .timestamp();
+        let secondary_reset_at = Utc
+            .with_ymd_and_hms(2024, 1, 1, 2, 0, 0)
+            .unwrap()
+            .timestamp();
        RateLimitSnapshot {
            primary: Some(RateLimitWindow {
                used_percent: 50.0,
                window_minutes: Some(60),
-                resets_in_seconds: Some(3600),
+                resets_at: Some(primary_reset_at),
            }),
            secondary: Some(RateLimitWindow {
                used_percent: 30.0,
                window_minutes: Some(120),
-                resets_in_seconds: Some(7200),
+                resets_at: Some(secondary_reset_at),
            }),
        }
    }

+    fn with_now_override<T>(now: DateTime<Utc>, f: impl FnOnce() -> T) -> T {
+        NOW_OVERRIDE.with(|cell| {
+            *cell.borrow_mut() = Some(now);
+            let result = f();
+            *cell.borrow_mut() = None;
+            result
+        })
+    }
+
    #[test]
    fn usage_limit_reached_error_formats_plus_plan() {
        let err = UsageLimitReachedError {
            plan_type: Some(PlanType::Known(KnownPlan::Plus)),
-            resets_in_seconds: None,
+            resets_at: None,
            rate_limits: Some(rate_limit_snapshot()),
        };
        assert_eq!(
@@ -348,11 +465,78 @@ mod tests {
        );
    }

+    #[test]
+    fn sandbox_denied_uses_aggregated_output_when_stderr_empty() {
+        let output = ExecToolCallOutput {
+            exit_code: 77,
+            stdout: StreamOutput::new(String::new()),
+            stderr: StreamOutput::new(String::new()),
+            aggregated_output: StreamOutput::new("aggregate detail".to_string()),
+            duration: Duration::from_millis(10),
+            timed_out: false,
+        };
+        let err = CodexErr::Sandbox(SandboxErr::Denied {
+            output: Box::new(output),
+        });
+        assert_eq!(get_error_message_ui(&err), "aggregate detail");
+    }
+
+    #[test]
+    fn sandbox_denied_reports_both_streams_when_available() {
+        let output = ExecToolCallOutput {
+            exit_code: 9,
+            stdout: StreamOutput::new("stdout detail".to_string()),
+            stderr: StreamOutput::new("stderr detail".to_string()),
+            aggregated_output: StreamOutput::new(String::new()),
+            duration: Duration::from_millis(10),
+            timed_out: false,
+        };
+        let err = CodexErr::Sandbox(SandboxErr::Denied {
+            output: Box::new(output),
+        });
+        assert_eq!(get_error_message_ui(&err), "stderr detail\nstdout detail");
+    }
+
+    #[test]
+    fn sandbox_denied_reports_stdout_when_no_stderr() {
+        let output = ExecToolCallOutput {
+            exit_code: 11,
+            stdout: StreamOutput::new("stdout only".to_string()),
+            stderr: StreamOutput::new(String::new()),
+            aggregated_output: StreamOutput::new(String::new()),
+            duration: Duration::from_millis(8),
+            timed_out: false,
+        };
+        let err = CodexErr::Sandbox(SandboxErr::Denied {
+            output: Box::new(output),
+        });
+        assert_eq!(get_error_message_ui(&err), "stdout only");
+    }
+
+    #[test]
+    fn sandbox_denied_reports_exit_code_when_no_output_available() {
+        let output = ExecToolCallOutput {
+            exit_code: 13,
+            stdout: StreamOutput::new(String::new()),
+            stderr: StreamOutput::new(String::new()),
+            aggregated_output: StreamOutput::new(String::new()),
+            duration: Duration::from_millis(5),
+            timed_out: false,
+        };
+        let err = CodexErr::Sandbox(SandboxErr::Denied {
+            output: Box::new(output),
+        });
+        assert_eq!(
+            get_error_message_ui(&err),
+            "command failed inside sandbox with exit code 13"
+        );
+    }
+
    #[test]
    fn usage_limit_reached_error_formats_free_plan() {
        let err = UsageLimitReachedError {
            plan_type: Some(PlanType::Known(KnownPlan::Free)),
-            resets_in_seconds: Some(3600),
+            resets_at: None,
            rate_limits: Some(rate_limit_snapshot()),
        };
        assert_eq!(
@@ -365,7 +549,7 @@ mod tests {
    fn usage_limit_reached_error_formats_default_when_none() {
        let err = UsageLimitReachedError {
            plan_type: None,
-            resets_in_seconds: None,
+            resets_at: None,
            rate_limits: Some(rate_limit_snapshot()),
        };
        assert_eq!(
@@ -376,22 +560,26 @@ mod tests {

    #[test]
    fn usage_limit_reached_error_formats_team_plan() {
-        let err = UsageLimitReachedError {
-            plan_type: Some(PlanType::Known(KnownPlan::Team)),
-            resets_in_seconds: Some(3600),
-            rate_limits: Some(rate_limit_snapshot()),
-        };
-        assert_eq!(
-            err.to_string(),
-            "You've hit your usage limit. To get more access now, send a request to your admin or try again in 1 hour."
-        );
+        let base = Utc.with_ymd_and_hms(2024, 1, 1, 0, 0, 0).unwrap();
+        let resets_at = base + ChronoDuration::hours(1);
+        with_now_override(base, move || {
+            let err = UsageLimitReachedError {
+                plan_type: Some(PlanType::Known(KnownPlan::Team)),
+                resets_at: Some(resets_at),
+                rate_limits: Some(rate_limit_snapshot()),
+            };
+            assert_eq!(
+                err.to_string(),
+                "You've hit your usage limit. To get more access now, send a request to your admin or try again in 1 hour."
+            );
+        });
    }

    #[test]
    fn usage_limit_reached_error_formats_business_plan_without_reset() {
        let err = UsageLimitReachedError {
            plan_type: Some(PlanType::Known(KnownPlan::Business)),
-            resets_in_seconds: None,
+            resets_at: None,
            rate_limits: Some(rate_limit_snapshot()),
        };
        assert_eq!(
@@ -404,7 +592,7 @@ mod tests {
    fn usage_limit_reached_error_formats_default_for_other_plans() {
        let err = UsageLimitReachedError {
            plan_type: Some(PlanType::Known(KnownPlan::Pro)),
-            resets_in_seconds: None,
+            resets_at: None,
            rate_limits: Some(rate_limit_snapshot()),
        };
        assert_eq!(
@@ -415,53 +603,70 @@ mod tests {

    #[test]
    fn usage_limit_reached_includes_minutes_when_available() {
-        let err = UsageLimitReachedError {
-            plan_type: None,
-            resets_in_seconds: Some(5 * 60),
-            rate_limits: Some(rate_limit_snapshot()),
-        };
-        assert_eq!(
-            err.to_string(),
-            "You've hit your usage limit. Try again in 5 minutes."
-        );
+        let base = Utc.with_ymd_and_hms(2024, 1, 1, 0, 0, 0).unwrap();
+        let resets_at = base + ChronoDuration::minutes(5);
+        with_now_override(base, move || {
+            let err = UsageLimitReachedError {
+                plan_type: None,
+                resets_at: Some(resets_at),
+                rate_limits: Some(rate_limit_snapshot()),
+            };
+            assert_eq!(
+                err.to_string(),
+                "You've hit your usage limit. Try again in 5 minutes."
+            );
+        });
    }

    #[test]
    fn usage_limit_reached_includes_hours_and_minutes() {
-        let err = UsageLimitReachedError {
-            plan_type: Some(PlanType::Known(KnownPlan::Plus)),
-            resets_in_seconds: Some(3 * 3600 + 32 * 60),
-            rate_limits: Some(rate_limit_snapshot()),
-        };
-        assert_eq!(
-            err.to_string(),
-            "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing) or try again in 3 hours 32 minutes."
-        );
+        let base = Utc.with_ymd_and_hms(2024, 1, 1, 0, 0, 0).unwrap();
+        let resets_at = base + ChronoDuration::hours(3) + ChronoDuration::minutes(32);
+        with_now_override(base, move || {
+            let err = UsageLimitReachedError {
+                plan_type: Some(PlanType::Known(KnownPlan::Plus)),
+                resets_at: Some(resets_at),
+                rate_limits: Some(rate_limit_snapshot()),
+            };
+            assert_eq!(
+                err.to_string(),
+                "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing) or try again in 3 hours 32 minutes."
+            );
+        });
    }

    #[test]
    fn usage_limit_reached_includes_days_hours_minutes() {
-        let err = UsageLimitReachedError {
-            plan_type: None,
-            resets_in_seconds: Some(2 * 86_400 + 3 * 3600 + 5 * 60),
-            rate_limits: Some(rate_limit_snapshot()),
-        };
-        assert_eq!(
-            err.to_string(),
-            "You've hit your usage limit. Try again in 2 days 3 hours 5 minutes."
-        );
+        let base = Utc.with_ymd_and_hms(2024, 1, 1, 0, 0, 0).unwrap();
+        let resets_at =
+            base + ChronoDuration::days(2) + ChronoDuration::hours(3) + ChronoDuration::minutes(5);
+        with_now_override(base, move || {
+            let err = UsageLimitReachedError {
+                plan_type: None,
+                resets_at: Some(resets_at),
+                rate_limits: Some(rate_limit_snapshot()),
+            };
+            assert_eq!(
+                err.to_string(),
+                "You've hit your usage limit. Try again in 2 days 3 hours 5 minutes."
+            );
+        });
    }

    #[test]
    fn usage_limit_reached_less_than_minute() {
-        let err = UsageLimitReachedError {
-            plan_type: None,
-            resets_in_seconds: Some(30),
-            rate_limits: Some(rate_limit_snapshot()),
-        };
-        assert_eq!(
-            err.to_string(),
-            "You've hit your usage limit. Try again in less than a minute."
-        );
+        let base = Utc.with_ymd_and_hms(2024, 1, 1, 0, 0, 0).unwrap();
+        let resets_at = base + ChronoDuration::seconds(30);
+        with_now_override(base, move || {
+            let err = UsageLimitReachedError {
+                plan_type: None,
+                resets_at: Some(resets_at),
+                rate_limits: Some(rate_limit_snapshot()),
+            };
+            assert_eq!(
+                err.to_string(),
+                "You've hit your usage limit. Try again in less than a minute."
+            );
+        });
    }
 }
--- a/codex-rs/core/src/exec.rs
+++ b/codex-rs/core/src/exec.rs
@@ -18,13 +18,14 @@ use tokio::process::Child;
 use crate::error::CodexErr;
 use crate::error::Result;
 use crate::error::SandboxErr;
-use crate::landlock::spawn_command_under_linux_sandbox;
 use crate::protocol::Event;
 use crate::protocol::EventMsg;
 use crate::protocol::ExecCommandOutputDeltaEvent;
 use crate::protocol::ExecOutputStream;
 use crate::protocol::SandboxPolicy;
-use crate::seatbelt::spawn_command_under_seatbelt;
+use crate::sandboxing::CommandSpec;
+use crate::sandboxing::ExecEnv;
+use crate::sandboxing::SandboxManager;
 use crate::spawn::StdioPolicy;
 use crate::spawn::spawn_child_async;

@@ -53,6 +54,7 @@ pub struct ExecParams {
    pub env: HashMap<String, String>,
    pub with_escalated_permissions: Option<bool>,
    pub justification: Option<String>,
+    pub arg0: Option<String>,
 }

 impl ExecParams {
@@ -87,57 +89,85 @@ pub async fn process_exec_tool_call(
    codex_linux_sandbox_exe: &Option<PathBuf>,
    stdout_stream: Option<StdoutStream>,
 ) -> Result<ExecToolCallOutput> {
-    let start = Instant::now();
+    let ExecParams {
+        command,
+        cwd,
+        timeout_ms,
+        env,
+        with_escalated_permissions,
+        justification,
+        arg0: _,
+    } = params;

-    let timeout_duration = params.timeout_duration();
+    let (program, args) = command.split_first().ok_or_else(|| {
+        CodexErr::Io(io::Error::new(
+            io::ErrorKind::InvalidInput,
+            "command args are empty",
+        ))
+    })?;

-    let raw_output_result: std::result::Result<RawExecToolCallOutput, CodexErr> = match sandbox_type
-    {
-        SandboxType::None => exec(params, sandbox_policy, stdout_stream.clone()).await,
-        SandboxType::MacosSeatbelt => {
-            let ExecParams {
-                command,
-                cwd: command_cwd,
-                env,
-                ..
-            } = params;
-            let child = spawn_command_under_seatbelt(
-                command,
-                command_cwd,
-                sandbox_policy,
-                sandbox_cwd,
-                StdioPolicy::RedirectForShellTool,
-                env,
-            )
-            .await?;
-            consume_truncated_output(child, timeout_duration, stdout_stream.clone()).await
-        }
-        SandboxType::LinuxSeccomp => {
-            let ExecParams {
-                command,
-                cwd: command_cwd,
-                env,
-                ..
-            } = params;
-
-            let codex_linux_sandbox_exe = codex_linux_sandbox_exe
-                .as_ref()
-                .ok_or(CodexErr::LandlockSandboxExecutableNotProvided)?;
-            let child = spawn_command_under_linux_sandbox(
-                codex_linux_sandbox_exe,
-                command,
-                command_cwd,
-                sandbox_policy,
-                sandbox_cwd,
-                StdioPolicy::RedirectForShellTool,
-                env,
-            )
-            .await?;
-
-            consume_truncated_output(child, timeout_duration, stdout_stream).await
-        }
+    let spec = CommandSpec {
+        program: program.clone(),
+        args: args.to_vec(),
+        cwd,
+        env,
+        timeout_ms,
+        with_escalated_permissions,
+        justification,
    };
+
+    let manager = SandboxManager::new();
+    let exec_env = manager
+        .transform(
+            &spec,
+            sandbox_policy,
+            sandbox_type,
+            sandbox_cwd,
+            codex_linux_sandbox_exe.as_ref(),
+        )
+        .map_err(CodexErr::from)?;
+
+    // Route through the sandboxing module for a single, unified execution path.
+    crate::sandboxing::execute_env(&exec_env, sandbox_policy, stdout_stream).await
+}
+
+pub(crate) async fn execute_exec_env(
+    env: ExecEnv,
+    sandbox_policy: &SandboxPolicy,
+    stdout_stream: Option<StdoutStream>,
+) -> Result<ExecToolCallOutput> {
+    let ExecEnv {
+        command,
+        cwd,
+        env,
+        timeout_ms,
+        sandbox,
+        with_escalated_permissions,
+        justification,
+        arg0,
+    } = env;
+
+    let params = ExecParams {
+        command,
+        cwd,
+        timeout_ms,
+        env,
+        with_escalated_permissions,
+        justification,
+        arg0,
+    };
+
+    let start = Instant::now();
+    let raw_output_result = exec(params, sandbox_policy, stdout_stream).await;
    let duration = start.elapsed();
+    finalize_exec_result(raw_output_result, sandbox, duration)
+}
+
+fn finalize_exec_result(
+    raw_output_result: std::result::Result<RawExecToolCallOutput, CodexErr>,
+    sandbox_type: SandboxType,
+    duration: Duration,
+) -> Result<ExecToolCallOutput> {
    match raw_output_result {
        Ok(raw_output) => {
            #[allow(unused_mut)]
@@ -177,7 +207,7 @@ pub async fn process_exec_tool_call(
                }));
            }

-            if exit_code != 0 && is_likely_sandbox_denied(sandbox_type, exit_code) {
+            if is_likely_sandbox_denied(sandbox_type, &exec_output) {
                return Err(CodexErr::Sandbox(SandboxErr::Denied {
                    output: Box::new(exec_output),
                }));
@@ -192,31 +222,89 @@ pub async fn process_exec_tool_call(
    }
 }

+pub(crate) mod errors {
+    use super::CodexErr;
+    use crate::sandboxing::SandboxTransformError;
+
+    impl From<SandboxTransformError> for CodexErr {
+        fn from(err: SandboxTransformError) -> Self {
+            match err {
+                SandboxTransformError::MissingLinuxSandboxExecutable => {
+                    CodexErr::LandlockSandboxExecutableNotProvided
+                }
+            }
+        }
+    }
+}
+
 /// We don't have a fully deterministic way to tell if our command failed
 /// because of the sandbox - a command in the user's zshrc file might hit an
 /// error, but the command itself might fail or succeed for other reasons.
-/// For now, we conservatively check for 'command not found' (exit code 127),
-/// and can add additional cases as necessary.
-fn is_likely_sandbox_denied(sandbox_type: SandboxType, exit_code: i32) -> bool {
-    if sandbox_type == SandboxType::None {
+/// For now, we conservatively check for well known command failure exit codes and
+/// also look for common sandbox denial keywords in the command output.
+pub(crate) fn is_likely_sandbox_denied(
+    sandbox_type: SandboxType,
+    exec_output: &ExecToolCallOutput,
+) -> bool {
+    if sandbox_type == SandboxType::None || exec_output.exit_code == 0 {
        return false;
    }

    // Quick rejects: well-known non-sandbox shell exit codes
-    // 127: command not found, 2: misuse of shell builtins
-    if exit_code == 127 {
+    // 2: misuse of shell builtins
+    // 126: permission denied
+    // 127: command not found
+    const SANDBOX_DENIED_KEYWORDS: [&str; 7] = [
+        "operation not permitted",
+        "permission denied",
+        "read-only file system",
+        "seccomp",
+        "sandbox",
+        "landlock",
+        "failed to write file",
+    ];
+
+    let has_sandbox_keyword = [
+        &exec_output.stderr.text,
+        &exec_output.stdout.text,
+        &exec_output.aggregated_output.text,
+    ]
+    .into_iter()
+    .any(|section| {
+        let lower = section.to_lowercase();
+        SANDBOX_DENIED_KEYWORDS
+            .iter()
+            .any(|needle| lower.contains(needle))
+    });
+
+    if has_sandbox_keyword {
+        return true;
+    }
+
+    const QUICK_REJECT_EXIT_CODES: [i32; 3] = [2, 126, 127];
+    if QUICK_REJECT_EXIT_CODES.contains(&exec_output.exit_code) {
        return false;
    }

-    // For all other cases, we assume the sandbox is the cause
-    true
+    #[cfg(unix)]
+    {
+        const SIGSYS_CODE: i32 = libc::SIGSYS;
+        if sandbox_type == SandboxType::LinuxSeccomp
+            && exec_output.exit_code == EXIT_CODE_SIGNAL_BASE + SIGSYS_CODE
+        {
+            return true;
+        }
+    }
+
+    false
 }

-#[derive(Debug)]
-pub struct StreamOutput<T> {
+#[derive(Debug, Clone)]
+pub struct StreamOutput<T: Clone> {
    pub text: T,
    pub truncated_after_lines: Option<u32>,
 }
+
 #[derive(Debug)]
 struct RawExecToolCallOutput {
    pub exit_status: ExitStatus,
@@ -249,7 +337,7 @@ fn append_all(dst: &mut Vec<u8>, src: &[u8]) {
    dst.extend_from_slice(src);
 }

-#[derive(Debug)]
+#[derive(Clone, Debug)]
 pub struct ExecToolCallOutput {
    pub exit_code: i32,
    pub stdout: StreamOutput<String>,
@@ -266,7 +354,11 @@ async fn exec(
 ) -> Result<RawExecToolCallOutput> {
    let timeout = params.timeout_duration();
    let ExecParams {
-        command, cwd, env, ..
+        command,
+        cwd,
+        env,
+        arg0,
+        ..
    } = params;

    let (program, args) = command.split_first().ok_or_else(|| {
@@ -275,11 +367,11 @@ async fn exec(
            "command args are empty",
        ))
    })?;
-    let arg0 = None;
+    let arg0_ref = arg0.as_deref();
    let child = spawn_child_async(
        PathBuf::from(program),
        args.into(),
-        arg0,
+        arg0_ref,
        cwd,
        sandbox_policy,
        StdioPolicy::RedirectForShellTool,
@@ -436,3 +528,77 @@ fn synthetic_exit_status(code: i32) -> ExitStatus {
    #[expect(clippy::unwrap_used)]
    std::process::ExitStatus::from_raw(code.try_into().unwrap())
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::time::Duration;
+
+    fn make_exec_output(
+        exit_code: i32,
+        stdout: &str,
+        stderr: &str,
+        aggregated: &str,
+    ) -> ExecToolCallOutput {
+        ExecToolCallOutput {
+            exit_code,
+            stdout: StreamOutput::new(stdout.to_string()),
+            stderr: StreamOutput::new(stderr.to_string()),
+            aggregated_output: StreamOutput::new(aggregated.to_string()),
+            duration: Duration::from_millis(1),
+            timed_out: false,
+        }
+    }
+
+    #[test]
+    fn sandbox_detection_requires_keywords() {
+        let output = make_exec_output(1, "", "", "");
+        assert!(!is_likely_sandbox_denied(
+            SandboxType::LinuxSeccomp,
+            &output
+        ));
+    }
+
+    #[test]
+    fn sandbox_detection_identifies_keyword_in_stderr() {
+        let output = make_exec_output(1, "", "Operation not permitted", "");
+        assert!(is_likely_sandbox_denied(SandboxType::LinuxSeccomp, &output));
+    }
+
+    #[test]
+    fn sandbox_detection_respects_quick_reject_exit_codes() {
+        let output = make_exec_output(127, "", "command not found", "");
+        assert!(!is_likely_sandbox_denied(
+            SandboxType::LinuxSeccomp,
+            &output
+        ));
+    }
+
+    #[test]
+    fn sandbox_detection_ignores_non_sandbox_mode() {
+        let output = make_exec_output(1, "", "Operation not permitted", "");
+        assert!(!is_likely_sandbox_denied(SandboxType::None, &output));
+    }
+
+    #[test]
+    fn sandbox_detection_uses_aggregated_output() {
+        let output = make_exec_output(
+            101,
+            "",
+            "",
+            "cargo failed: Read-only file system when writing target",
+        );
+        assert!(is_likely_sandbox_denied(
+            SandboxType::MacosSeatbelt,
+            &output
+        ));
+    }
+
+    #[cfg(unix)]
+    #[test]
+    fn sandbox_detection_flags_sigsys_exit_code() {
+        let exit_code = EXIT_CODE_SIGNAL_BASE + libc::SIGSYS;
+        let output = make_exec_output(exit_code, "", "", "");
+        assert!(is_likely_sandbox_denied(SandboxType::LinuxSeccomp, &output));
+    }
+}
--- a/codex-rs/core/src/exec_command/exec_command_params.rs
+++ b/codex-rs/core/src/exec_command/exec_command_params.rs
@@ -1,57 +0,0 @@
-use serde::Deserialize;
-use serde::Serialize;
-
-use crate::exec_command::session_id::SessionId;
-
-#[derive(Debug, Clone, Deserialize)]
-pub struct ExecCommandParams {
-    pub(crate) cmd: String,
-
-    #[serde(default = "default_yield_time")]
-    pub(crate) yield_time_ms: u64,
-
-    #[serde(default = "max_output_tokens")]
-    pub(crate) max_output_tokens: u64,
-
-    #[serde(default = "default_shell")]
-    pub(crate) shell: String,
-
-    #[serde(default = "default_login")]
-    pub(crate) login: bool,
-}
-
-fn default_yield_time() -> u64 {
-    10_000
-}
-
-fn max_output_tokens() -> u64 {
-    10_000
-}
-
-fn default_login() -> bool {
-    true
-}
-
-fn default_shell() -> String {
-    "/bin/bash".to_string()
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-pub struct WriteStdinParams {
-    pub(crate) session_id: SessionId,
-    pub(crate) chars: String,
-
-    #[serde(default = "write_stdin_default_yield_time_ms")]
-    pub(crate) yield_time_ms: u64,
-
-    #[serde(default = "write_stdin_default_max_output_tokens")]
-    pub(crate) max_output_tokens: u64,
-}
-
-fn write_stdin_default_yield_time_ms() -> u64 {
-    250
-}
-
-fn write_stdin_default_max_output_tokens() -> u64 {
-    10_000
-}
--- a/codex-rs/core/src/exec_command/exec_command_session.rs
+++ b/codex-rs/core/src/exec_command/exec_command_session.rs
@@ -1,96 +0,0 @@
-use std::sync::Mutex as StdMutex;
-
-use tokio::sync::broadcast;
-use tokio::sync::mpsc;
-use tokio::task::JoinHandle;
-
-#[derive(Debug)]
-pub(crate) struct ExecCommandSession {
-    /// Queue for writing bytes to the process stdin (PTY master write side).
-    writer_tx: mpsc::Sender<Vec<u8>>,
-    /// Broadcast stream of output chunks read from the PTY. New subscribers
-    /// receive only chunks emitted after they subscribe.
-    output_tx: broadcast::Sender<Vec<u8>>,
-
-    /// Child killer handle for termination on drop (can signal independently
-    /// of a thread blocked in `.wait()`).
-    killer: StdMutex<Option<Box<dyn portable_pty::ChildKiller + Send + Sync>>>,
-
-    /// JoinHandle for the blocking PTY reader task.
-    reader_handle: StdMutex<Option<JoinHandle<()>>>,
-
-    /// JoinHandle for the stdin writer task.
-    writer_handle: StdMutex<Option<JoinHandle<()>>>,
-
-    /// JoinHandle for the child wait task.
-    wait_handle: StdMutex<Option<JoinHandle<()>>>,
-
-    /// Tracks whether the underlying process has exited.
-    exit_status: std::sync::Arc<std::sync::atomic::AtomicBool>,
-}
-
-impl ExecCommandSession {
-    pub(crate) fn new(
-        writer_tx: mpsc::Sender<Vec<u8>>,
-        output_tx: broadcast::Sender<Vec<u8>>,
-        killer: Box<dyn portable_pty::ChildKiller + Send + Sync>,
-        reader_handle: JoinHandle<()>,
-        writer_handle: JoinHandle<()>,
-        wait_handle: JoinHandle<()>,
-        exit_status: std::sync::Arc<std::sync::atomic::AtomicBool>,
-    ) -> (Self, broadcast::Receiver<Vec<u8>>) {
-        let initial_output_rx = output_tx.subscribe();
-        (
-            Self {
-                writer_tx,
-                output_tx,
-                killer: StdMutex::new(Some(killer)),
-                reader_handle: StdMutex::new(Some(reader_handle)),
-                writer_handle: StdMutex::new(Some(writer_handle)),
-                wait_handle: StdMutex::new(Some(wait_handle)),
-                exit_status,
-            },
-            initial_output_rx,
-        )
-    }
-
-    pub(crate) fn writer_sender(&self) -> mpsc::Sender<Vec<u8>> {
-        self.writer_tx.clone()
-    }
-
-    pub(crate) fn output_receiver(&self) -> broadcast::Receiver<Vec<u8>> {
-        self.output_tx.subscribe()
-    }
-
-    pub(crate) fn has_exited(&self) -> bool {
-        self.exit_status.load(std::sync::atomic::Ordering::SeqCst)
-    }
-}
-
-impl Drop for ExecCommandSession {
-    fn drop(&mut self) {
-        // Best-effort: terminate child first so blocking tasks can complete.
-        if let Ok(mut killer_opt) = self.killer.lock()
-            && let Some(mut killer) = killer_opt.take()
-        {
-            let _ = killer.kill();
-        }
-
-        // Abort background tasks; they may already have exited after kill.
-        if let Ok(mut h) = self.reader_handle.lock()
-            && let Some(handle) = h.take()
-        {
-            handle.abort();
-        }
-        if let Ok(mut h) = self.writer_handle.lock()
-            && let Some(handle) = h.take()
-        {
-            handle.abort();
-        }
-        if let Ok(mut h) = self.wait_handle.lock()
-            && let Some(handle) = h.take()
-        {
-            handle.abort();
-        }
-    }
-}
--- a/codex-rs/core/src/exec_command/mod.rs
+++ b/codex-rs/core/src/exec_command/mod.rs
@@ -1,14 +0,0 @@
-mod exec_command_params;
-mod exec_command_session;
-mod responses_api;
-mod session_id;
-mod session_manager;
-
-pub use exec_command_params::ExecCommandParams;
-pub use exec_command_params::WriteStdinParams;
-pub(crate) use exec_command_session::ExecCommandSession;
-pub use responses_api::EXEC_COMMAND_TOOL_NAME;
-pub use responses_api::WRITE_STDIN_TOOL_NAME;
-pub use responses_api::create_exec_command_tool_for_responses_api;
-pub use responses_api::create_write_stdin_tool_for_responses_api;
-pub use session_manager::SessionManager as ExecSessionManager;
--- a/codex-rs/core/src/exec_command/responses_api.rs
+++ b/codex-rs/core/src/exec_command/responses_api.rs
@@ -1,98 +0,0 @@
-use std::collections::BTreeMap;
-
-use crate::client_common::tools::ResponsesApiTool;
-use crate::openai_tools::JsonSchema;
-
-pub const EXEC_COMMAND_TOOL_NAME: &str = "exec_command";
-pub const WRITE_STDIN_TOOL_NAME: &str = "write_stdin";
-
-pub fn create_exec_command_tool_for_responses_api() -> ResponsesApiTool {
-    let mut properties = BTreeMap::<String, JsonSchema>::new();
-    properties.insert(
-        "cmd".to_string(),
-        JsonSchema::String {
-            description: Some("The shell command to execute.".to_string()),
-        },
-    );
-    properties.insert(
-        "yield_time_ms".to_string(),
-        JsonSchema::Number {
-            description: Some("The maximum time in milliseconds to wait for output.".to_string()),
-        },
-    );
-    properties.insert(
-        "max_output_tokens".to_string(),
-        JsonSchema::Number {
-            description: Some("The maximum number of tokens to output.".to_string()),
-        },
-    );
-    properties.insert(
-        "shell".to_string(),
-        JsonSchema::String {
-            description: Some("The shell to use. Defaults to \"/bin/bash\".".to_string()),
-        },
-    );
-    properties.insert(
-        "login".to_string(),
-        JsonSchema::Boolean {
-            description: Some(
-                "Whether to run the command as a login shell. Defaults to true.".to_string(),
-            ),
-        },
-    );
-
-    ResponsesApiTool {
-        name: EXEC_COMMAND_TOOL_NAME.to_owned(),
-        description: r#"Execute shell commands on the local machine with streaming output."#
-            .to_string(),
-        strict: false,
-        parameters: JsonSchema::Object {
-            properties,
-            required: Some(vec!["cmd".to_string()]),
-            additional_properties: Some(false.into()),
-        },
-    }
-}
-
-pub fn create_write_stdin_tool_for_responses_api() -> ResponsesApiTool {
-    let mut properties = BTreeMap::<String, JsonSchema>::new();
-    properties.insert(
-        "session_id".to_string(),
-        JsonSchema::Number {
-            description: Some("The ID of the exec_command session.".to_string()),
-        },
-    );
-    properties.insert(
-        "chars".to_string(),
-        JsonSchema::String {
-            description: Some("The characters to write to stdin.".to_string()),
-        },
-    );
-    properties.insert(
-        "yield_time_ms".to_string(),
-        JsonSchema::Number {
-            description: Some(
-                "The maximum time in milliseconds to wait for output after writing.".to_string(),
-            ),
-        },
-    );
-    properties.insert(
-        "max_output_tokens".to_string(),
-        JsonSchema::Number {
-            description: Some("The maximum number of tokens to output.".to_string()),
-        },
-    );
-
-    ResponsesApiTool {
-        name: WRITE_STDIN_TOOL_NAME.to_owned(),
-        description: r#"Write characters to an exec session's stdin. Returns all stdout+stderr received within yield_time_ms.
-Can write control characters (\u0003 for Ctrl-C), or an empty string to just poll stdout+stderr."#
-            .to_string(),
-        strict: false,
-        parameters: JsonSchema::Object {
-            properties,
-            required: Some(vec!["session_id".to_string(), "chars".to_string()]),
-            additional_properties: Some(false.into()),
-        },
-    }
-}
--- a/codex-rs/core/src/exec_command/session_id.rs
+++ b/codex-rs/core/src/exec_command/session_id.rs
@@ -1,5 +0,0 @@
-use serde::Deserialize;
-use serde::Serialize;
-
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
-pub(crate) struct SessionId(pub u32);
--- a/codex-rs/core/src/exec_command/session_manager.rs
+++ b/codex-rs/core/src/exec_command/session_manager.rs
@@ -1,506 +0,0 @@
-use std::collections::HashMap;
-use std::io::ErrorKind;
-use std::io::Read;
-use std::sync::Arc;
-use std::sync::Mutex as StdMutex;
-use std::sync::atomic::AtomicBool;
-use std::sync::atomic::AtomicU32;
-
-use portable_pty::CommandBuilder;
-use portable_pty::PtySize;
-use portable_pty::native_pty_system;
-use tokio::sync::Mutex;
-use tokio::sync::mpsc;
-use tokio::sync::oneshot;
-use tokio::time::Duration;
-use tokio::time::Instant;
-use tokio::time::timeout;
-
-use crate::exec_command::exec_command_params::ExecCommandParams;
-use crate::exec_command::exec_command_params::WriteStdinParams;
-use crate::exec_command::exec_command_session::ExecCommandSession;
-use crate::exec_command::session_id::SessionId;
-use crate::truncate::truncate_middle;
-
-#[derive(Debug, Default)]
-pub struct SessionManager {
-    next_session_id: AtomicU32,
-    sessions: Mutex<HashMap<SessionId, ExecCommandSession>>,
-}
-
-#[derive(Debug)]
-pub struct ExecCommandOutput {
-    wall_time: Duration,
-    exit_status: ExitStatus,
-    original_token_count: Option<u64>,
-    output: String,
-}
-
-impl ExecCommandOutput {
-    pub(crate) fn to_text_output(&self) -> String {
-        let wall_time_secs = self.wall_time.as_secs_f32();
-        let termination_status = match self.exit_status {
-            ExitStatus::Exited(code) => format!("Process exited with code {code}"),
-            ExitStatus::Ongoing(session_id) => {
-                format!("Process running with session ID {}", session_id.0)
-            }
-        };
-        let truncation_status = match self.original_token_count {
-            Some(tokens) => {
-                format!("\nWarning: truncated output (original token count: {tokens})")
-            }
-            None => "".to_string(),
-        };
-        format!(
-            r#"Wall time: {wall_time_secs:.3} seconds
-{termination_status}{truncation_status}
-Output:
-{output}"#,
-            output = self.output
-        )
-    }
-}
-
-#[derive(Debug)]
-pub enum ExitStatus {
-    Exited(i32),
-    Ongoing(SessionId),
-}
-
-impl SessionManager {
-    /// Processes the request and is required to send a response via `outgoing`.
-    pub async fn handle_exec_command_request(
-        &self,
-        params: ExecCommandParams,
-    ) -> Result<ExecCommandOutput, String> {
-        // Allocate a session id.
-        let session_id = SessionId(
-            self.next_session_id
-                .fetch_add(1, std::sync::atomic::Ordering::SeqCst),
-        );
-
-        let (session, mut output_rx, mut exit_rx) = create_exec_command_session(params.clone())
-            .await
-            .map_err(|err| {
-                format!(
-                    "failed to create exec command session for session id {}: {err}",
-                    session_id.0
-                )
-            })?;
-
-        // Insert into session map.
-        self.sessions.lock().await.insert(session_id, session);
-
-        // Collect output until either timeout expires or process exits.
-        // Do not cap during collection; truncate at the end if needed.
-        // Use a modest initial capacity to avoid large preallocation.
-        let cap_bytes_u64 = params.max_output_tokens.saturating_mul(4);
-        let cap_bytes: usize = cap_bytes_u64.min(usize::MAX as u64) as usize;
-        let mut collected: Vec<u8> = Vec::with_capacity(4096);
-
-        let start_time = Instant::now();
-        let deadline = start_time + Duration::from_millis(params.yield_time_ms);
-        let mut exit_code: Option<i32> = None;
-
-        loop {
-            if Instant::now() >= deadline {
-                break;
-            }
-            let remaining = deadline.saturating_duration_since(Instant::now());
-            tokio::select! {
-                biased;
-                exit = &mut exit_rx => {
-                    exit_code = exit.ok();
-                    // Small grace period to pull remaining buffered output
-                    let grace_deadline = Instant::now() + Duration::from_millis(25);
-                    while Instant::now() < grace_deadline {
-                        match timeout(Duration::from_millis(1), output_rx.recv()).await {
-                            Ok(Ok(chunk)) => {
-                                collected.extend_from_slice(&chunk);
-                            }
-                            Ok(Err(tokio::sync::broadcast::error::RecvError::Lagged(_))) => {
-                                // Skip missed messages; keep trying within grace period.
-                                continue;
-                            }
-                            Ok(Err(tokio::sync::broadcast::error::RecvError::Closed)) => break,
-                            Err(_) => break,
-                        }
-                    }
-                    break;
-                }
-                chunk = timeout(remaining, output_rx.recv()) => {
-                    match chunk {
-                        Ok(Ok(chunk)) => {
-                            collected.extend_from_slice(&chunk);
-                        }
-                        Ok(Err(tokio::sync::broadcast::error::RecvError::Lagged(_))) => {
-                            // Skip missed messages; continue collecting fresh output.
-                        }
-                        Ok(Err(tokio::sync::broadcast::error::RecvError::Closed)) => { break; }
-                        Err(_) => { break; }
-                    }
-                }
-            }
-        }
-
-        let output = String::from_utf8_lossy(&collected).to_string();
-
-        let exit_status = if let Some(code) = exit_code {
-            ExitStatus::Exited(code)
-        } else {
-            ExitStatus::Ongoing(session_id)
-        };
-
-        // If output exceeds cap, truncate the middle and record original token estimate.
-        let (output, original_token_count) = truncate_middle(&output, cap_bytes);
-        Ok(ExecCommandOutput {
-            wall_time: Instant::now().duration_since(start_time),
-            exit_status,
-            original_token_count,
-            output,
-        })
-    }
-
-    /// Write characters to a session's stdin and collect combined output for up to `yield_time_ms`.
-    pub async fn handle_write_stdin_request(
-        &self,
-        params: WriteStdinParams,
-    ) -> Result<ExecCommandOutput, String> {
-        let WriteStdinParams {
-            session_id,
-            chars,
-            yield_time_ms,
-            max_output_tokens,
-        } = params;
-
-        // Grab handles without holding the sessions lock across await points.
-        let (writer_tx, mut output_rx) = {
-            let sessions = self.sessions.lock().await;
-            match sessions.get(&session_id) {
-                Some(session) => (session.writer_sender(), session.output_receiver()),
-                None => {
-                    return Err(format!("unknown session id {}", session_id.0));
-                }
-            }
-        };
-
-        // Write stdin if provided.
-        if !chars.is_empty() && writer_tx.send(chars.into_bytes()).await.is_err() {
-            return Err("failed to write to stdin".to_string());
-        }
-
-        // Collect output up to yield_time_ms, truncating to max_output_tokens bytes.
-        let mut collected: Vec<u8> = Vec::with_capacity(4096);
-        let start_time = Instant::now();
-        let deadline = start_time + Duration::from_millis(yield_time_ms);
-        loop {
-            let now = Instant::now();
-            if now >= deadline {
-                break;
-            }
-            let remaining = deadline - now;
-            match timeout(remaining, output_rx.recv()).await {
-                Ok(Ok(chunk)) => {
-                    // Collect all output within the time budget; truncate at the end.
-                    collected.extend_from_slice(&chunk);
-                }
-                Ok(Err(tokio::sync::broadcast::error::RecvError::Lagged(_))) => {
-                    // Skip missed messages; continue collecting fresh output.
-                }
-                Ok(Err(tokio::sync::broadcast::error::RecvError::Closed)) => break,
-                Err(_) => break, // timeout
-            }
-        }
-
-        // Return structured output, truncating middle if over cap.
-        let output = String::from_utf8_lossy(&collected).to_string();
-        let cap_bytes_u64 = max_output_tokens.saturating_mul(4);
-        let cap_bytes: usize = cap_bytes_u64.min(usize::MAX as u64) as usize;
-        let (output, original_token_count) = truncate_middle(&output, cap_bytes);
-        Ok(ExecCommandOutput {
-            wall_time: Instant::now().duration_since(start_time),
-            exit_status: ExitStatus::Ongoing(session_id),
-            original_token_count,
-            output,
-        })
-    }
-}
-
-/// Spawn PTY and child process per spawn_exec_command_session logic.
-async fn create_exec_command_session(
-    params: ExecCommandParams,
-) -> anyhow::Result<(
-    ExecCommandSession,
-    tokio::sync::broadcast::Receiver<Vec<u8>>,
-    oneshot::Receiver<i32>,
-)> {
-    let ExecCommandParams {
-        cmd,
-        yield_time_ms: _,
-        max_output_tokens: _,
-        shell,
-        login,
-    } = params;
-
-    // Use the native pty implementation for the system
-    let pty_system = native_pty_system();
-
-    // Create a new pty
-    let pair = pty_system.openpty(PtySize {
-        rows: 24,
-        cols: 80,
-        pixel_width: 0,
-        pixel_height: 0,
-    })?;
-
-    // Spawn a shell into the pty
-    let mut command_builder = CommandBuilder::new(shell);
-    let shell_mode_opt = if login { "-lc" } else { "-c" };
-    command_builder.arg(shell_mode_opt);
-    command_builder.arg(cmd);
-
-    let mut child = pair.slave.spawn_command(command_builder)?;
-    // Obtain a killer that can signal the process independently of `.wait()`.
-    let killer = child.clone_killer();
-
-    // Channel to forward write requests to the PTY writer.
-    let (writer_tx, mut writer_rx) = mpsc::channel::<Vec<u8>>(128);
-    // Broadcast for streaming PTY output to readers: subscribers receive from subscription time.
-    let (output_tx, _) = tokio::sync::broadcast::channel::<Vec<u8>>(256);
-    // Reader task: drain PTY and forward chunks to output channel.
-    let mut reader = pair.master.try_clone_reader()?;
-    let output_tx_clone = output_tx.clone();
-    let reader_handle = tokio::task::spawn_blocking(move || {
-        let mut buf = [0u8; 8192];
-        loop {
-            match reader.read(&mut buf) {
-                Ok(0) => break, // EOF
-                Ok(n) => {
-                    // Forward to broadcast; best-effort if there are subscribers.
-                    let _ = output_tx_clone.send(buf[..n].to_vec());
-                }
-                Err(ref e) if e.kind() == ErrorKind::Interrupted => {
-                    // Retry on EINTR
-                    continue;
-                }
-                Err(ref e) if e.kind() == ErrorKind::WouldBlock => {
-                    // We're in a blocking thread; back off briefly and retry.
-                    std::thread::sleep(Duration::from_millis(5));
-                    continue;
-                }
-                Err(_) => break,
-            }
-        }
-    });
-
-    // Writer task: apply stdin writes to the PTY writer.
-    let writer = pair.master.take_writer()?;
-    let writer = Arc::new(StdMutex::new(writer));
-    let writer_handle = tokio::spawn({
-        let writer = writer.clone();
-        async move {
-            while let Some(bytes) = writer_rx.recv().await {
-                let writer = writer.clone();
-                // Perform blocking write on a blocking thread.
-                let _ = tokio::task::spawn_blocking(move || {
-                    if let Ok(mut guard) = writer.lock() {
-                        use std::io::Write;
-                        let _ = guard.write_all(&bytes);
-                        let _ = guard.flush();
-                    }
-                })
-                .await;
-            }
-        }
-    });
-
-    // Keep the child alive until it exits, then signal exit code.
-    let (exit_tx, exit_rx) = oneshot::channel::<i32>();
-    let exit_status = Arc::new(AtomicBool::new(false));
-    let wait_exit_status = exit_status.clone();
-    let wait_handle = tokio::task::spawn_blocking(move || {
-        let code = match child.wait() {
-            Ok(status) => status.exit_code() as i32,
-            Err(_) => -1,
-        };
-        wait_exit_status.store(true, std::sync::atomic::Ordering::SeqCst);
-        let _ = exit_tx.send(code);
-    });
-
-    // Create and store the session with channels.
-    let (session, initial_output_rx) = ExecCommandSession::new(
-        writer_tx,
-        output_tx,
-        killer,
-        reader_handle,
-        writer_handle,
-        wait_handle,
-        exit_status,
-    );
-    Ok((session, initial_output_rx, exit_rx))
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::exec_command::session_id::SessionId;
-
-    /// Test that verifies that [`SessionManager::handle_exec_command_request()`]
-    /// and [`SessionManager::handle_write_stdin_request()`] work as expected
-    /// in the presence of a process that never terminates (but produces
-    /// output continuously).
-    #[cfg(unix)]
-    #[allow(clippy::print_stderr)]
-    #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
-    async fn session_manager_streams_and_truncates_from_now() {
-        use crate::exec_command::exec_command_params::ExecCommandParams;
-        use crate::exec_command::exec_command_params::WriteStdinParams;
-        use tokio::time::sleep;
-
-        let session_manager = SessionManager::default();
-        // Long-running loop that prints an increasing counter every ~100ms.
-        // Use Python for a portable, reliable sleep across shells/PTYs.
-        let cmd = r#"python3 - <<'PY'
-import sys, time
-count = 0
-while True:
-    print(count)
-    sys.stdout.flush()
-    count += 100
-    time.sleep(0.1)
-PY"#
-        .to_string();
-
-        // Start the session and collect ~3s of output.
-        let params = ExecCommandParams {
-            cmd,
-            yield_time_ms: 3_000,
-            max_output_tokens: 1_000, // large enough to avoid truncation here
-            shell: "/bin/bash".to_string(),
-            login: false,
-        };
-        let initial_output = match session_manager
-            .handle_exec_command_request(params.clone())
-            .await
-        {
-            Ok(v) => v,
-            Err(e) => {
-                // PTY may be restricted in some sandboxes; skip in that case.
-                if e.contains("openpty") || e.contains("Operation not permitted") {
-                    eprintln!("skipping test due to restricted PTY: {e}");
-                    return;
-                }
-                panic!("exec request failed unexpectedly: {e}");
-            }
-        };
-        eprintln!("initial output: {initial_output:?}");
-
-        // Should be ongoing (we launched a never-ending loop).
-        let session_id = match initial_output.exit_status {
-            ExitStatus::Ongoing(id) => id,
-            _ => panic!("expected ongoing session"),
-        };
-
-        // Parse the numeric lines and get the max observed value in the first window.
-        let first_nums = extract_monotonic_numbers(&initial_output.output);
-        assert!(
-            !first_nums.is_empty(),
-            "expected some output from first window"
-        );
-        let first_max = *first_nums.iter().max().unwrap();
-
-        // Wait ~4s so counters progress while we're not reading.
-        sleep(Duration::from_millis(4_000)).await;
-
-        // Now read ~3s of output "from now" only.
-        // Use a small token cap so truncation occurs and we test middle truncation.
-        let write_params = WriteStdinParams {
-            session_id,
-            chars: String::new(),
-            yield_time_ms: 3_000,
-            max_output_tokens: 16, // 16 tokens ~= 64 bytes -> likely truncation
-        };
-        let second = session_manager
-            .handle_write_stdin_request(write_params)
-            .await
-            .expect("write stdin should succeed");
-
-        // Verify truncation metadata and size bound (cap is tokens*4 bytes).
-        assert!(second.original_token_count.is_some());
-        let cap_bytes = (16u64 * 4) as usize;
-        assert!(second.output.len() <= cap_bytes);
-        // New middle marker should be present.
-        assert!(
-            second.output.contains("tokens truncated") && second.output.contains('…'),
-            "expected truncation marker in output, got: {}",
-            second.output
-        );
-
-        // Minimal freshness check: the earliest number we see in the second window
-        // should be significantly larger than the last from the first window.
-        let second_nums = extract_monotonic_numbers(&second.output);
-        assert!(
-            !second_nums.is_empty(),
-            "expected some numeric output from second window"
-        );
-        let second_min = *second_nums.iter().min().unwrap();
-
-        // We slept 4 seconds (~40 ticks at 100ms/tick, each +100), so expect
-        // an increase of roughly 4000 or more. Allow a generous margin.
-        assert!(
-            second_min >= first_max + 2000,
-            "second_min={second_min} first_max={first_max}",
-        );
-    }
-
-    #[cfg(unix)]
-    fn extract_monotonic_numbers(s: &str) -> Vec<i64> {
-        s.lines()
-            .filter_map(|line| {
-                if !line.is_empty()
-                    && line.chars().all(|c| c.is_ascii_digit())
-                    && let Ok(n) = line.parse::<i64>()
-                {
-                    // Our generator increments by 100; ignore spurious fragments.
-                    if n % 100 == 0 {
-                        return Some(n);
-                    }
-                }
-                None
-            })
-            .collect()
-    }
-
-    #[test]
-    fn to_text_output_exited_no_truncation() {
-        let out = ExecCommandOutput {
-            wall_time: Duration::from_millis(1234),
-            exit_status: ExitStatus::Exited(0),
-            original_token_count: None,
-            output: "hello".to_string(),
-        };
-        let text = out.to_text_output();
-        let expected = r#"Wall time: 1.234 seconds
-Process exited with code 0
-Output:
-hello"#;
-        assert_eq!(expected, text);
-    }
-
-    #[test]
-    fn to_text_output_ongoing_with_truncation() {
-        let out = ExecCommandOutput {
-            wall_time: Duration::from_millis(500),
-            exit_status: ExitStatus::Ongoing(SessionId(42)),
-            original_token_count: Some(1000),
-            output: "abc".to_string(),
-        };
-        let text = out.to_text_output();
-        let expected = r#"Wall time: 0.500 seconds
-Process running with session ID 42
-Warning: truncated output (original token count: 1000)
-Output:
-abc"#;
-        assert_eq!(expected, text);
-    }
-}
--- a/codex-rs/core/src/executor/backends.rs
+++ b/codex-rs/core/src/executor/backends.rs
@@ -1,101 +0,0 @@
-use std::collections::HashMap;
-use std::env;
-
-use async_trait::async_trait;
-
-use crate::CODEX_APPLY_PATCH_ARG1;
-use crate::apply_patch::ApplyPatchExec;
-use crate::exec::ExecParams;
-use crate::function_tool::FunctionCallError;
-
-pub(crate) enum ExecutionMode {
-    Shell,
-    ApplyPatch(ApplyPatchExec),
-}
-
-#[async_trait]
-/// Backend-specific hooks that prepare and post-process execution requests for a
-/// given [`ExecutionMode`].
-pub(crate) trait ExecutionBackend: Send + Sync {
-    fn prepare(
-        &self,
-        params: ExecParams,
-        // Required for downcasting the apply_patch.
-        mode: &ExecutionMode,
-    ) -> Result<ExecParams, FunctionCallError>;
-
-    fn stream_stdout(&self, _mode: &ExecutionMode) -> bool {
-        true
-    }
-}
-
-static SHELL_BACKEND: ShellBackend = ShellBackend;
-static APPLY_PATCH_BACKEND: ApplyPatchBackend = ApplyPatchBackend;
-
-pub(crate) fn backend_for_mode(mode: &ExecutionMode) -> &'static dyn ExecutionBackend {
-    match mode {
-        ExecutionMode::Shell => &SHELL_BACKEND,
-        ExecutionMode::ApplyPatch(_) => &APPLY_PATCH_BACKEND,
-    }
-}
-
-struct ShellBackend;
-
-#[async_trait]
-impl ExecutionBackend for ShellBackend {
-    fn prepare(
-        &self,
-        params: ExecParams,
-        mode: &ExecutionMode,
-    ) -> Result<ExecParams, FunctionCallError> {
-        match mode {
-            ExecutionMode::Shell => Ok(params),
-            _ => Err(FunctionCallError::RespondToModel(
-                "shell backend invoked with non-shell mode".to_string(),
-            )),
-        }
-    }
-}
-
-struct ApplyPatchBackend;
-
-#[async_trait]
-impl ExecutionBackend for ApplyPatchBackend {
-    fn prepare(
-        &self,
-        params: ExecParams,
-        mode: &ExecutionMode,
-    ) -> Result<ExecParams, FunctionCallError> {
-        match mode {
-            ExecutionMode::ApplyPatch(exec) => {
-                let path_to_codex = env::current_exe()
-                    .ok()
-                    .map(|p| p.to_string_lossy().to_string())
-                    .ok_or_else(|| {
-                        FunctionCallError::RespondToModel(
-                            "failed to determine path to codex executable".to_string(),
-                        )
-                    })?;
-
-                let patch = exec.action.patch.clone();
-                Ok(ExecParams {
-                    command: vec![path_to_codex, CODEX_APPLY_PATCH_ARG1.to_string(), patch],
-                    cwd: exec.action.cwd.clone(),
-                    timeout_ms: params.timeout_ms,
-                    // Run apply_patch with a minimal environment for determinism and to
-                    // avoid leaking host environment variables into the patch process.
-                    env: HashMap::new(),
-                    with_escalated_permissions: params.with_escalated_permissions,
-                    justification: params.justification,
-                })
-            }
-            ExecutionMode::Shell => Err(FunctionCallError::RespondToModel(
-                "apply_patch backend invoked without patch context".to_string(),
-            )),
-        }
-    }
-
-    fn stream_stdout(&self, _mode: &ExecutionMode) -> bool {
-        false
-    }
-}
--- a/codex-rs/core/src/executor/cache.rs
+++ b/codex-rs/core/src/executor/cache.rs
@@ -1,51 +0,0 @@
-use std::collections::HashSet;
-use std::sync::Arc;
-use std::sync::Mutex;
-
-#[derive(Clone, Debug, Default)]
-/// Thread-safe store of user approvals so repeated commands can reuse
-/// previously granted trust.
-pub(crate) struct ApprovalCache {
-    inner: Arc<Mutex<HashSet<Vec<String>>>>,
-}
-
-impl ApprovalCache {
-    pub(crate) fn insert(&self, command: Vec<String>) {
-        if command.is_empty() {
-            return;
-        }
-        if let Ok(mut guard) = self.inner.lock() {
-            guard.insert(command);
-        }
-    }
-
-    pub(crate) fn snapshot(&self) -> HashSet<Vec<String>> {
-        self.inner.lock().map(|g| g.clone()).unwrap_or_default()
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use pretty_assertions::assert_eq;
-
-    #[test]
-    fn insert_ignores_empty_and_dedupes() {
-        let cache = ApprovalCache::default();
-
-        // Empty should be ignored
-        cache.insert(vec![]);
-        assert!(cache.snapshot().is_empty());
-
-        // Insert a command and verify snapshot contains it
-        let cmd = vec!["foo".to_string(), "bar".to_string()];
-        cache.insert(cmd.clone());
-        let snap1 = cache.snapshot();
-        assert!(snap1.contains(&cmd));
-
-        // Reinserting should not create duplicates
-        cache.insert(cmd);
-        let snap2 = cache.snapshot();
-        assert_eq!(snap1, snap2);
-    }
-}
--- a/codex-rs/core/src/executor/mod.rs
+++ b/codex-rs/core/src/executor/mod.rs
@@ -1,64 +0,0 @@
-mod backends;
-mod cache;
-mod runner;
-mod sandbox;
-
-pub(crate) use backends::ExecutionMode;
-pub(crate) use runner::ExecutionRequest;
-pub(crate) use runner::Executor;
-pub(crate) use runner::ExecutorConfig;
-pub(crate) use runner::normalize_exec_result;
-
-pub(crate) mod linkers {
-    use crate::exec::ExecParams;
-    use crate::exec::StdoutStream;
-    use crate::executor::backends::ExecutionMode;
-    use crate::executor::runner::ExecutionRequest;
-    use crate::tools::context::ExecCommandContext;
-
-    pub struct PreparedExec {
-        pub(crate) context: ExecCommandContext,
-        pub(crate) request: ExecutionRequest,
-    }
-
-    impl PreparedExec {
-        pub fn new(
-            context: ExecCommandContext,
-            params: ExecParams,
-            approval_command: Vec<String>,
-            mode: ExecutionMode,
-            stdout_stream: Option<StdoutStream>,
-            use_shell_profile: bool,
-        ) -> Self {
-            let request = ExecutionRequest {
-                params,
-                approval_command,
-                mode,
-                stdout_stream,
-                use_shell_profile,
-            };
-
-            Self { context, request }
-        }
-    }
-}
-
-pub mod errors {
-    use crate::error::CodexErr;
-    use crate::function_tool::FunctionCallError;
-    use thiserror::Error;
-
-    #[derive(Debug, Error)]
-    pub enum ExecError {
-        #[error(transparent)]
-        Function(#[from] FunctionCallError),
-        #[error(transparent)]
-        Codex(#[from] CodexErr),
-    }
-
-    impl ExecError {
-        pub(crate) fn rejection(msg: impl Into<String>) -> Self {
-            FunctionCallError::RespondToModel(msg.into()).into()
-        }
-    }
-}
--- a/codex-rs/core/src/executor/runner.rs
+++ b/codex-rs/core/src/executor/runner.rs
@@ -1,409 +0,0 @@
-use std::path::PathBuf;
-use std::sync::Arc;
-use std::sync::RwLock;
-use std::time::Duration;
-
-use super::backends::ExecutionMode;
-use super::backends::backend_for_mode;
-use super::cache::ApprovalCache;
-use crate::codex::Session;
-use crate::error::CodexErr;
-use crate::error::SandboxErr;
-use crate::error::get_error_message_ui;
-use crate::exec::ExecParams;
-use crate::exec::ExecToolCallOutput;
-use crate::exec::SandboxType;
-use crate::exec::StdoutStream;
-use crate::exec::StreamOutput;
-use crate::exec::process_exec_tool_call;
-use crate::executor::errors::ExecError;
-use crate::executor::sandbox::select_sandbox;
-use crate::function_tool::FunctionCallError;
-use crate::protocol::AskForApproval;
-use crate::protocol::ReviewDecision;
-use crate::protocol::SandboxPolicy;
-use crate::shell;
-use crate::tools::context::ExecCommandContext;
-use codex_otel::otel_event_manager::ToolDecisionSource;
-
-#[derive(Clone, Debug)]
-pub(crate) struct ExecutorConfig {
-    pub(crate) sandbox_policy: SandboxPolicy,
-    pub(crate) sandbox_cwd: PathBuf,
-    codex_linux_sandbox_exe: Option<PathBuf>,
-}
-
-impl ExecutorConfig {
-    pub(crate) fn new(
-        sandbox_policy: SandboxPolicy,
-        sandbox_cwd: PathBuf,
-        codex_linux_sandbox_exe: Option<PathBuf>,
-    ) -> Self {
-        Self {
-            sandbox_policy,
-            sandbox_cwd,
-            codex_linux_sandbox_exe,
-        }
-    }
-}
-
-/// Coordinates sandbox selection, backend-specific preparation, and command
-/// execution for tool calls requested by the model.
-pub(crate) struct Executor {
-    approval_cache: ApprovalCache,
-    config: Arc<RwLock<ExecutorConfig>>,
-}
-
-impl Executor {
-    pub(crate) fn new(config: ExecutorConfig) -> Self {
-        Self {
-            approval_cache: ApprovalCache::default(),
-            config: Arc::new(RwLock::new(config)),
-        }
-    }
-
-    /// Updates the sandbox policy and working directory used for future
-    /// executions without recreating the executor.
-    pub(crate) fn update_environment(&self, sandbox_policy: SandboxPolicy, sandbox_cwd: PathBuf) {
-        if let Ok(mut cfg) = self.config.write() {
-            cfg.sandbox_policy = sandbox_policy;
-            cfg.sandbox_cwd = sandbox_cwd;
-        }
-    }
-
-    /// Runs a prepared execution request end-to-end: prepares parameters, decides on
-    /// sandbox placement (prompting the user when necessary), launches the command,
-    /// and lets the backend post-process the final output.
-    pub(crate) async fn run(
-        &self,
-        mut request: ExecutionRequest,
-        session: &Session,
-        approval_policy: AskForApproval,
-        context: &ExecCommandContext,
-    ) -> Result<ExecToolCallOutput, ExecError> {
-        if matches!(request.mode, ExecutionMode::Shell) {
-            request.params =
-                maybe_translate_shell_command(request.params, session, request.use_shell_profile);
-        }
-
-        // Step 1: Normalise parameters via the selected backend.
-        let backend = backend_for_mode(&request.mode);
-        let stdout_stream = if backend.stream_stdout(&request.mode) {
-            request.stdout_stream.clone()
-        } else {
-            None
-        };
-        request.params = backend
-            .prepare(request.params, &request.mode)
-            .map_err(ExecError::from)?;
-
-        // Step 2: Snapshot sandbox configuration so it stays stable for this run.
-        let config = self
-            .config
-            .read()
-            .map_err(|_| ExecError::rejection("executor config poisoned"))?
-            .clone();
-
-        // Step 3: Decide sandbox placement, prompting for approval when needed.
-        let sandbox_decision = select_sandbox(
-            &request,
-            approval_policy,
-            self.approval_cache.snapshot(),
-            &config,
-            session,
-            &context.sub_id,
-            &context.call_id,
-            &context.otel_event_manager,
-        )
-        .await?;
-        if sandbox_decision.record_session_approval {
-            self.approval_cache.insert(request.approval_command.clone());
-        }
-
-        // Step 4: Launch the command within the chosen sandbox.
-        let first_attempt = self
-            .spawn(
-                request.params.clone(),
-                sandbox_decision.initial_sandbox,
-                &config,
-                stdout_stream.clone(),
-            )
-            .await;
-
-        // Step 5: Handle sandbox outcomes, optionally escalating to an unsandboxed retry.
-        match first_attempt {
-            Ok(output) => Ok(output),
-            Err(CodexErr::Sandbox(SandboxErr::Timeout { output })) => {
-                Err(CodexErr::Sandbox(SandboxErr::Timeout { output }).into())
-            }
-            Err(CodexErr::Sandbox(error)) => {
-                if sandbox_decision.escalate_on_failure {
-                    self.retry_without_sandbox(
-                        &request,
-                        &config,
-                        session,
-                        context,
-                        stdout_stream,
-                        error,
-                    )
-                    .await
-                } else {
-                    let message = sandbox_failure_message(error);
-                    Err(ExecError::rejection(message))
-                }
-            }
-            Err(err) => Err(err.into()),
-        }
-    }
-
-    /// Fallback path invoked when a sandboxed run is denied so the user can
-    /// approve rerunning without isolation.
-    async fn retry_without_sandbox(
-        &self,
-        request: &ExecutionRequest,
-        config: &ExecutorConfig,
-        session: &Session,
-        context: &ExecCommandContext,
-        stdout_stream: Option<StdoutStream>,
-        sandbox_error: SandboxErr,
-    ) -> Result<ExecToolCallOutput, ExecError> {
-        session
-            .notify_background_event(
-                &context.sub_id,
-                format!("Execution failed: {sandbox_error}"),
-            )
-            .await;
-        let decision = session
-            .request_command_approval(
-                context.sub_id.to_string(),
-                context.call_id.to_string(),
-                request.approval_command.clone(),
-                request.params.cwd.clone(),
-                Some("command failed; retry without sandbox?".to_string()),
-            )
-            .await;
-
-        context.otel_event_manager.tool_decision(
-            &context.tool_name,
-            &context.call_id,
-            decision,
-            ToolDecisionSource::User,
-        );
-        match decision {
-            ReviewDecision::Approved | ReviewDecision::ApprovedForSession => {
-                if matches!(decision, ReviewDecision::ApprovedForSession) {
-                    self.approval_cache.insert(request.approval_command.clone());
-                }
-                session
-                    .notify_background_event(&context.sub_id, "retrying command without sandbox")
-                    .await;
-
-                let retry_output = self
-                    .spawn(
-                        request.params.clone(),
-                        SandboxType::None,
-                        config,
-                        stdout_stream,
-                    )
-                    .await?;
-
-                Ok(retry_output)
-            }
-            ReviewDecision::Denied | ReviewDecision::Abort => {
-                Err(ExecError::rejection("exec command rejected by user"))
-            }
-        }
-    }
-
-    async fn spawn(
-        &self,
-        params: ExecParams,
-        sandbox: SandboxType,
-        config: &ExecutorConfig,
-        stdout_stream: Option<StdoutStream>,
-    ) -> Result<ExecToolCallOutput, CodexErr> {
-        process_exec_tool_call(
-            params,
-            sandbox,
-            &config.sandbox_policy,
-            &config.sandbox_cwd,
-            &config.codex_linux_sandbox_exe,
-            stdout_stream,
-        )
-        .await
-    }
-}
-
-fn maybe_translate_shell_command(
-    params: ExecParams,
-    session: &Session,
-    use_shell_profile: bool,
-) -> ExecParams {
-    let should_translate =
-        matches!(session.user_shell(), shell::Shell::PowerShell(_)) || use_shell_profile;
-
-    if should_translate
-        && let Some(command) = session
-            .user_shell()
-            .format_default_shell_invocation(params.command.clone())
-    {
-        return ExecParams { command, ..params };
-    }
-
-    params
-}
-
-fn sandbox_failure_message(error: SandboxErr) -> String {
-    let codex_error = CodexErr::Sandbox(error);
-    let friendly = get_error_message_ui(&codex_error);
-    format!("failed in sandbox: {friendly}")
-}
-
-pub(crate) struct ExecutionRequest {
-    pub params: ExecParams,
-    pub approval_command: Vec<String>,
-    pub mode: ExecutionMode,
-    pub stdout_stream: Option<StdoutStream>,
-    pub use_shell_profile: bool,
-}
-
-pub(crate) struct NormalizedExecOutput<'a> {
-    borrowed: Option<&'a ExecToolCallOutput>,
-    synthetic: Option<ExecToolCallOutput>,
-}
-
-impl<'a> NormalizedExecOutput<'a> {
-    pub(crate) fn event_output(&'a self) -> &'a ExecToolCallOutput {
-        match (self.borrowed, self.synthetic.as_ref()) {
-            (Some(output), _) => output,
-            (None, Some(output)) => output,
-            (None, None) => unreachable!("normalized exec output missing data"),
-        }
-    }
-}
-
-/// Converts a raw execution result into a uniform view that always exposes an
-/// [`ExecToolCallOutput`], synthesizing error output when the command fails
-/// before producing a response.
-pub(crate) fn normalize_exec_result(
-    result: &Result<ExecToolCallOutput, ExecError>,
-) -> NormalizedExecOutput<'_> {
-    match result {
-        Ok(output) => NormalizedExecOutput {
-            borrowed: Some(output),
-            synthetic: None,
-        },
-        Err(ExecError::Codex(CodexErr::Sandbox(SandboxErr::Timeout { output }))) => {
-            NormalizedExecOutput {
-                borrowed: Some(output.as_ref()),
-                synthetic: None,
-            }
-        }
-        Err(err) => {
-            let message = match err {
-                ExecError::Function(FunctionCallError::RespondToModel(msg)) => msg.clone(),
-                ExecError::Codex(e) => get_error_message_ui(e),
-                err => err.to_string(),
-            };
-            let synthetic = ExecToolCallOutput {
-                exit_code: -1,
-                stdout: StreamOutput::new(String::new()),
-                stderr: StreamOutput::new(message.clone()),
-                aggregated_output: StreamOutput::new(message),
-                duration: Duration::default(),
-                timed_out: false,
-            };
-            NormalizedExecOutput {
-                borrowed: None,
-                synthetic: Some(synthetic),
-            }
-        }
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::error::CodexErr;
-    use crate::error::EnvVarError;
-    use crate::error::SandboxErr;
-    use crate::exec::StreamOutput;
-    use pretty_assertions::assert_eq;
-
-    fn make_output(text: &str) -> ExecToolCallOutput {
-        ExecToolCallOutput {
-            exit_code: 1,
-            stdout: StreamOutput::new(String::new()),
-            stderr: StreamOutput::new(String::new()),
-            aggregated_output: StreamOutput::new(text.to_string()),
-            duration: Duration::from_millis(123),
-            timed_out: false,
-        }
-    }
-
-    #[test]
-    fn normalize_success_borrows() {
-        let out = make_output("ok");
-        let result: Result<ExecToolCallOutput, ExecError> = Ok(out);
-        let normalized = normalize_exec_result(&result);
-        assert_eq!(normalized.event_output().aggregated_output.text, "ok");
-    }
-
-    #[test]
-    fn normalize_timeout_borrows_embedded_output() {
-        let out = make_output("timed out payload");
-        let err = CodexErr::Sandbox(SandboxErr::Timeout {
-            output: Box::new(out),
-        });
-        let result: Result<ExecToolCallOutput, ExecError> = Err(ExecError::Codex(err));
-        let normalized = normalize_exec_result(&result);
-        assert_eq!(
-            normalized.event_output().aggregated_output.text,
-            "timed out payload"
-        );
-    }
-
-    #[test]
-    fn sandbox_failure_message_uses_denied_stderr() {
-        let output = ExecToolCallOutput {
-            exit_code: 101,
-            stdout: StreamOutput::new(String::new()),
-            stderr: StreamOutput::new("sandbox stderr".to_string()),
-            aggregated_output: StreamOutput::new(String::new()),
-            duration: Duration::from_millis(10),
-            timed_out: false,
-        };
-        let err = SandboxErr::Denied {
-            output: Box::new(output),
-        };
-        let message = sandbox_failure_message(err);
-        assert_eq!(message, "failed in sandbox: sandbox stderr");
-    }
-
-    #[test]
-    fn normalize_function_error_synthesizes_payload() {
-        let err = FunctionCallError::RespondToModel("boom".to_string());
-        let result: Result<ExecToolCallOutput, ExecError> = Err(ExecError::Function(err));
-        let normalized = normalize_exec_result(&result);
-        assert_eq!(normalized.event_output().aggregated_output.text, "boom");
-    }
-
-    #[test]
-    fn normalize_codex_error_synthesizes_user_message() {
-        // Use a simple EnvVar error which formats to a clear message
-        let e = CodexErr::EnvVar(EnvVarError {
-            var: "FOO".to_string(),
-            instructions: Some("set it".to_string()),
-        });
-        let result: Result<ExecToolCallOutput, ExecError> = Err(ExecError::Codex(e));
-        let normalized = normalize_exec_result(&result);
-        assert!(
-            normalized
-                .event_output()
-                .aggregated_output
-                .text
-                .contains("Missing environment variable: `FOO`"),
-            "expected synthesized user-friendly message"
-        );
-    }
-}
--- a/codex-rs/core/src/executor/sandbox.rs
+++ b/codex-rs/core/src/executor/sandbox.rs
@@ -1,405 +0,0 @@
-use crate::apply_patch::ApplyPatchExec;
-use crate::codex::Session;
-use crate::exec::SandboxType;
-use crate::executor::ExecutionMode;
-use crate::executor::ExecutionRequest;
-use crate::executor::ExecutorConfig;
-use crate::executor::errors::ExecError;
-use crate::safety::SafetyCheck;
-use crate::safety::assess_command_safety;
-use crate::safety::assess_patch_safety;
-use codex_otel::otel_event_manager::OtelEventManager;
-use codex_otel::otel_event_manager::ToolDecisionSource;
-use codex_protocol::protocol::AskForApproval;
-use codex_protocol::protocol::ReviewDecision;
-use std::collections::HashSet;
-
-/// Sandbox placement options selected for an execution run, including whether
-/// to escalate after failures and whether approvals should persist.
-pub(crate) struct SandboxDecision {
-    pub(crate) initial_sandbox: SandboxType,
-    pub(crate) escalate_on_failure: bool,
-    pub(crate) record_session_approval: bool,
-}
-
-impl SandboxDecision {
-    fn auto(sandbox: SandboxType, escalate_on_failure: bool) -> Self {
-        Self {
-            initial_sandbox: sandbox,
-            escalate_on_failure,
-            record_session_approval: false,
-        }
-    }
-
-    fn user_override(record_session_approval: bool) -> Self {
-        Self {
-            initial_sandbox: SandboxType::None,
-            escalate_on_failure: false,
-            record_session_approval,
-        }
-    }
-}
-
-fn should_escalate_on_failure(approval: AskForApproval, sandbox: SandboxType) -> bool {
-    matches!(
-        (approval, sandbox),
-        (
-            AskForApproval::UnlessTrusted | AskForApproval::OnFailure,
-            SandboxType::MacosSeatbelt | SandboxType::LinuxSeccomp
-        )
-    )
-}
-
-/// Determines how a command should be sandboxed, prompting the user when
-/// policy requires explicit approval.
-#[allow(clippy::too_many_arguments)]
-pub async fn select_sandbox(
-    request: &ExecutionRequest,
-    approval_policy: AskForApproval,
-    approval_cache: HashSet<Vec<String>>,
-    config: &ExecutorConfig,
-    session: &Session,
-    sub_id: &str,
-    call_id: &str,
-    otel_event_manager: &OtelEventManager,
-) -> Result<SandboxDecision, ExecError> {
-    match &request.mode {
-        ExecutionMode::Shell => {
-            select_shell_sandbox(
-                request,
-                approval_policy,
-                approval_cache,
-                config,
-                session,
-                sub_id,
-                call_id,
-                otel_event_manager,
-            )
-            .await
-        }
-        ExecutionMode::ApplyPatch(exec) => {
-            select_apply_patch_sandbox(exec, approval_policy, config)
-        }
-    }
-}
-
-#[allow(clippy::too_many_arguments)]
-async fn select_shell_sandbox(
-    request: &ExecutionRequest,
-    approval_policy: AskForApproval,
-    approved_snapshot: HashSet<Vec<String>>,
-    config: &ExecutorConfig,
-    session: &Session,
-    sub_id: &str,
-    call_id: &str,
-    otel_event_manager: &OtelEventManager,
-) -> Result<SandboxDecision, ExecError> {
-    let command_for_safety = if request.approval_command.is_empty() {
-        request.params.command.clone()
-    } else {
-        request.approval_command.clone()
-    };
-
-    let safety = assess_command_safety(
-        &command_for_safety,
-        approval_policy,
-        &config.sandbox_policy,
-        &approved_snapshot,
-        request.params.with_escalated_permissions.unwrap_or(false),
-    );
-
-    match safety {
-        SafetyCheck::AutoApprove {
-            sandbox_type,
-            user_explicitly_approved,
-        } => {
-            let mut decision = SandboxDecision::auto(
-                sandbox_type,
-                should_escalate_on_failure(approval_policy, sandbox_type),
-            );
-            if user_explicitly_approved {
-                decision.record_session_approval = true;
-            }
-            let (decision_for_event, source) = if user_explicitly_approved {
-                (ReviewDecision::ApprovedForSession, ToolDecisionSource::User)
-            } else {
-                (ReviewDecision::Approved, ToolDecisionSource::Config)
-            };
-            otel_event_manager.tool_decision("local_shell", call_id, decision_for_event, source);
-            Ok(decision)
-        }
-        SafetyCheck::AskUser => {
-            let decision = session
-                .request_command_approval(
-                    sub_id.to_string(),
-                    call_id.to_string(),
-                    request.approval_command.clone(),
-                    request.params.cwd.clone(),
-                    request.params.justification.clone(),
-                )
-                .await;
-
-            otel_event_manager.tool_decision(
-                "local_shell",
-                call_id,
-                decision,
-                ToolDecisionSource::User,
-            );
-            match decision {
-                ReviewDecision::Approved => Ok(SandboxDecision::user_override(false)),
-                ReviewDecision::ApprovedForSession => Ok(SandboxDecision::user_override(true)),
-                ReviewDecision::Denied | ReviewDecision::Abort => {
-                    Err(ExecError::rejection("exec command rejected by user"))
-                }
-            }
-        }
-        SafetyCheck::Reject { reason } => Err(ExecError::rejection(format!(
-            "exec command rejected: {reason}"
-        ))),
-    }
-}
-
-fn select_apply_patch_sandbox(
-    exec: &ApplyPatchExec,
-    approval_policy: AskForApproval,
-    config: &ExecutorConfig,
-) -> Result<SandboxDecision, ExecError> {
-    if exec.user_explicitly_approved_this_action {
-        return Ok(SandboxDecision::user_override(false));
-    }
-
-    match assess_patch_safety(
-        &exec.action,
-        approval_policy,
-        &config.sandbox_policy,
-        &config.sandbox_cwd,
-    ) {
-        SafetyCheck::AutoApprove { sandbox_type, .. } => Ok(SandboxDecision::auto(
-            sandbox_type,
-            should_escalate_on_failure(approval_policy, sandbox_type),
-        )),
-        SafetyCheck::AskUser => Err(ExecError::rejection(
-            "patch requires approval but none was recorded",
-        )),
-        SafetyCheck::Reject { reason } => {
-            Err(ExecError::rejection(format!("patch rejected: {reason}")))
-        }
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::codex::make_session_and_context;
-    use crate::exec::ExecParams;
-    use crate::function_tool::FunctionCallError;
-    use crate::protocol::SandboxPolicy;
-    use codex_apply_patch::ApplyPatchAction;
-    use pretty_assertions::assert_eq;
-
-    #[tokio::test]
-    async fn select_apply_patch_user_override_when_explicit() {
-        let (session, ctx) = make_session_and_context();
-        let tmp = tempfile::tempdir().expect("tmp");
-        let p = tmp.path().join("a.txt");
-        let action = ApplyPatchAction::new_add_for_test(&p, "hello".to_string());
-        let exec = ApplyPatchExec {
-            action,
-            user_explicitly_approved_this_action: true,
-        };
-        let cfg = ExecutorConfig::new(SandboxPolicy::ReadOnly, std::env::temp_dir(), None);
-        let request = ExecutionRequest {
-            params: ExecParams {
-                command: vec!["apply_patch".into()],
-                cwd: std::env::temp_dir(),
-                timeout_ms: None,
-                env: std::collections::HashMap::new(),
-                with_escalated_permissions: None,
-                justification: None,
-            },
-            approval_command: vec!["apply_patch".into()],
-            mode: ExecutionMode::ApplyPatch(exec),
-            stdout_stream: None,
-            use_shell_profile: false,
-        };
-        let otel_event_manager = ctx.client.get_otel_event_manager();
-        let decision = select_sandbox(
-            &request,
-            AskForApproval::OnRequest,
-            Default::default(),
-            &cfg,
-            &session,
-            "sub",
-            "call",
-            &otel_event_manager,
-        )
-        .await
-        .expect("ok");
-        // Explicit user override runs without sandbox
-        assert_eq!(decision.initial_sandbox, SandboxType::None);
-        assert_eq!(decision.escalate_on_failure, false);
-    }
-
-    #[tokio::test]
-    async fn select_apply_patch_autoapprove_in_danger() {
-        let (session, ctx) = make_session_and_context();
-        let tmp = tempfile::tempdir().expect("tmp");
-        let p = tmp.path().join("a.txt");
-        let action = ApplyPatchAction::new_add_for_test(&p, "hello".to_string());
-        let exec = ApplyPatchExec {
-            action,
-            user_explicitly_approved_this_action: false,
-        };
-        let cfg = ExecutorConfig::new(SandboxPolicy::DangerFullAccess, std::env::temp_dir(), None);
-        let request = ExecutionRequest {
-            params: ExecParams {
-                command: vec!["apply_patch".into()],
-                cwd: std::env::temp_dir(),
-                timeout_ms: None,
-                env: std::collections::HashMap::new(),
-                with_escalated_permissions: None,
-                justification: None,
-            },
-            approval_command: vec!["apply_patch".into()],
-            mode: ExecutionMode::ApplyPatch(exec),
-            stdout_stream: None,
-            use_shell_profile: false,
-        };
-        let otel_event_manager = ctx.client.get_otel_event_manager();
-        let decision = select_sandbox(
-            &request,
-            AskForApproval::OnRequest,
-            Default::default(),
-            &cfg,
-            &session,
-            "sub",
-            "call",
-            &otel_event_manager,
-        )
-        .await
-        .expect("ok");
-        // On platforms with a sandbox, DangerFullAccess still prefers it
-        let expected = crate::safety::get_platform_sandbox().unwrap_or(SandboxType::None);
-        assert_eq!(decision.initial_sandbox, expected);
-        assert_eq!(decision.escalate_on_failure, false);
-    }
-
-    #[tokio::test]
-    async fn select_apply_patch_requires_approval_on_unless_trusted() {
-        let (session, ctx) = make_session_and_context();
-        let tempdir = tempfile::tempdir().expect("tmpdir");
-        let p = tempdir.path().join("a.txt");
-        let action = ApplyPatchAction::new_add_for_test(&p, "hello".to_string());
-        let exec = ApplyPatchExec {
-            action,
-            user_explicitly_approved_this_action: false,
-        };
-        let cfg = ExecutorConfig::new(SandboxPolicy::ReadOnly, std::env::temp_dir(), None);
-        let request = ExecutionRequest {
-            params: ExecParams {
-                command: vec!["apply_patch".into()],
-                cwd: std::env::temp_dir(),
-                timeout_ms: None,
-                env: std::collections::HashMap::new(),
-                with_escalated_permissions: None,
-                justification: None,
-            },
-            approval_command: vec!["apply_patch".into()],
-            mode: ExecutionMode::ApplyPatch(exec),
-            stdout_stream: None,
-            use_shell_profile: false,
-        };
-        let otel_event_manager = ctx.client.get_otel_event_manager();
-        let result = select_sandbox(
-            &request,
-            AskForApproval::UnlessTrusted,
-            Default::default(),
-            &cfg,
-            &session,
-            "sub",
-            "call",
-            &otel_event_manager,
-        )
-        .await;
-        match result {
-            Ok(_) => panic!("expected error"),
-            Err(ExecError::Function(FunctionCallError::RespondToModel(msg))) => {
-                assert!(msg.contains("requires approval"))
-            }
-            Err(other) => panic!("unexpected error: {other:?}"),
-        }
-    }
-
-    #[tokio::test]
-    async fn select_shell_autoapprove_in_danger_mode() {
-        let (session, ctx) = make_session_and_context();
-        let cfg = ExecutorConfig::new(SandboxPolicy::DangerFullAccess, std::env::temp_dir(), None);
-        let request = ExecutionRequest {
-            params: ExecParams {
-                command: vec!["some-unknown".into()],
-                cwd: std::env::temp_dir(),
-                timeout_ms: None,
-                env: std::collections::HashMap::new(),
-                with_escalated_permissions: None,
-                justification: None,
-            },
-            approval_command: vec!["some-unknown".into()],
-            mode: ExecutionMode::Shell,
-            stdout_stream: None,
-            use_shell_profile: false,
-        };
-        let otel_event_manager = ctx.client.get_otel_event_manager();
-        let decision = select_sandbox(
-            &request,
-            AskForApproval::OnRequest,
-            Default::default(),
-            &cfg,
-            &session,
-            "sub",
-            "call",
-            &otel_event_manager,
-        )
-        .await
-        .expect("ok");
-        assert_eq!(decision.initial_sandbox, SandboxType::None);
-        assert_eq!(decision.escalate_on_failure, false);
-    }
-
-    #[cfg(any(target_os = "macos", target_os = "linux"))]
-    #[tokio::test]
-    async fn select_shell_escalates_on_failure_with_platform_sandbox() {
-        let (session, ctx) = make_session_and_context();
-        let cfg = ExecutorConfig::new(SandboxPolicy::ReadOnly, std::env::temp_dir(), None);
-        let request = ExecutionRequest {
-            params: ExecParams {
-                // Unknown command => untrusted but not flagged dangerous
-                command: vec!["some-unknown".into()],
-                cwd: std::env::temp_dir(),
-                timeout_ms: None,
-                env: std::collections::HashMap::new(),
-                with_escalated_permissions: None,
-                justification: None,
-            },
-            approval_command: vec!["some-unknown".into()],
-            mode: ExecutionMode::Shell,
-            stdout_stream: None,
-            use_shell_profile: false,
-        };
-        let otel_event_manager = ctx.client.get_otel_event_manager();
-        let decision = select_sandbox(
-            &request,
-            AskForApproval::OnFailure,
-            Default::default(),
-            &cfg,
-            &session,
-            "sub",
-            "call",
-            &otel_event_manager,
-        )
-        .await
-        .expect("ok");
-        // On macOS/Linux we should have a platform sandbox and escalate on failure
-        assert_ne!(decision.initial_sandbox, SandboxType::None);
-        assert_eq!(decision.escalate_on_failure, true);
-    }
-}
--- a/codex-rs/core/src/features.rs
+++ b/codex-rs/core/src/features.rs
@@ -0,0 +1,258 @@
+//! Centralized feature flags and metadata.
+//!
+//! This module defines a small set of toggles that gate experimental and
+//! optional behavior across the codebase. Instead of wiring individual
+//! booleans through multiple types, call sites consult a single `Features`
+//! container attached to `Config`.
+
+use crate::config::ConfigToml;
+use crate::config_profile::ConfigProfile;
+use serde::Deserialize;
+use std::collections::BTreeMap;
+use std::collections::BTreeSet;
+
+mod legacy;
+pub(crate) use legacy::LegacyFeatureToggles;
+
+/// High-level lifecycle stage for a feature.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum Stage {
+    Experimental,
+    Beta,
+    Stable,
+    Deprecated,
+    Removed,
+}
+
+/// Unique features toggled via configuration.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
+pub enum Feature {
+    /// Use the single unified PTY-backed exec tool.
+    UnifiedExec,
+    /// Use the streamable exec-command/write-stdin tool pair.
+    StreamableShell,
+    /// Use the official Rust MCP client (rmcp).
+    RmcpClient,
+    /// Include the plan tool.
+    PlanTool,
+    /// Include the freeform apply_patch tool.
+    ApplyPatchFreeform,
+    /// Include the view_image tool.
+    ViewImageTool,
+    /// Allow the model to request web searches.
+    WebSearchRequest,
+    /// Automatically approve all approval requests from the harness.
+    ApproveAll,
+}
+
+impl Feature {
+    pub fn key(self) -> &'static str {
+        self.info().key
+    }
+
+    pub fn stage(self) -> Stage {
+        self.info().stage
+    }
+
+    pub fn default_enabled(self) -> bool {
+        self.info().default_enabled
+    }
+
+    fn info(self) -> &'static FeatureSpec {
+        FEATURES
+            .iter()
+            .find(|spec| spec.id == self)
+            .unwrap_or_else(|| unreachable!("missing FeatureSpec for {:?}", self))
+    }
+}
+
+/// Holds the effective set of enabled features.
+#[derive(Debug, Clone, Default, PartialEq)]
+pub struct Features {
+    enabled: BTreeSet<Feature>,
+}
+
+#[derive(Debug, Clone, Default)]
+pub struct FeatureOverrides {
+    pub include_plan_tool: Option<bool>,
+    pub include_apply_patch_tool: Option<bool>,
+    pub include_view_image_tool: Option<bool>,
+    pub web_search_request: Option<bool>,
+}
+
+impl FeatureOverrides {
+    fn apply(self, features: &mut Features) {
+        LegacyFeatureToggles {
+            include_plan_tool: self.include_plan_tool,
+            include_apply_patch_tool: self.include_apply_patch_tool,
+            include_view_image_tool: self.include_view_image_tool,
+            tools_web_search: self.web_search_request,
+            ..Default::default()
+        }
+        .apply(features);
+    }
+}
+
+impl Features {
+    /// Starts with built-in defaults.
+    pub fn with_defaults() -> Self {
+        let mut set = BTreeSet::new();
+        for spec in FEATURES {
+            if spec.default_enabled {
+                set.insert(spec.id);
+            }
+        }
+        Self { enabled: set }
+    }
+
+    pub fn enabled(&self, f: Feature) -> bool {
+        self.enabled.contains(&f)
+    }
+
+    pub fn enable(&mut self, f: Feature) {
+        self.enabled.insert(f);
+    }
+
+    pub fn disable(&mut self, f: Feature) {
+        self.enabled.remove(&f);
+    }
+
+    /// Apply a table of key -> bool toggles (e.g. from TOML).
+    pub fn apply_map(&mut self, m: &BTreeMap<String, bool>) {
+        for (k, v) in m {
+            match feature_for_key(k) {
+                Some(feat) => {
+                    if *v {
+                        self.enable(feat);
+                    } else {
+                        self.disable(feat);
+                    }
+                }
+                None => {
+                    tracing::warn!("unknown feature key in config: {k}");
+                }
+            }
+        }
+    }
+
+    pub fn from_config(
+        cfg: &ConfigToml,
+        config_profile: &ConfigProfile,
+        overrides: FeatureOverrides,
+    ) -> Self {
+        let mut features = Features::with_defaults();
+
+        let base_legacy = LegacyFeatureToggles {
+            experimental_use_freeform_apply_patch: cfg.experimental_use_freeform_apply_patch,
+            experimental_use_exec_command_tool: cfg.experimental_use_exec_command_tool,
+            experimental_use_unified_exec_tool: cfg.experimental_use_unified_exec_tool,
+            experimental_use_rmcp_client: cfg.experimental_use_rmcp_client,
+            tools_web_search: cfg.tools.as_ref().and_then(|t| t.web_search),
+            tools_view_image: cfg.tools.as_ref().and_then(|t| t.view_image),
+            ..Default::default()
+        };
+        base_legacy.apply(&mut features);
+
+        if let Some(base_features) = cfg.features.as_ref() {
+            features.apply_map(&base_features.entries);
+        }
+
+        let profile_legacy = LegacyFeatureToggles {
+            include_plan_tool: config_profile.include_plan_tool,
+            include_apply_patch_tool: config_profile.include_apply_patch_tool,
+            include_view_image_tool: config_profile.include_view_image_tool,
+            experimental_use_freeform_apply_patch: config_profile
+                .experimental_use_freeform_apply_patch,
+            experimental_use_exec_command_tool: config_profile.experimental_use_exec_command_tool,
+            experimental_use_unified_exec_tool: config_profile.experimental_use_unified_exec_tool,
+            experimental_use_rmcp_client: config_profile.experimental_use_rmcp_client,
+            tools_web_search: config_profile.tools_web_search,
+            tools_view_image: config_profile.tools_view_image,
+        };
+        profile_legacy.apply(&mut features);
+        if let Some(profile_features) = config_profile.features.as_ref() {
+            features.apply_map(&profile_features.entries);
+        }
+
+        overrides.apply(&mut features);
+
+        features
+    }
+}
+
+/// Keys accepted in `[features]` tables.
+fn feature_for_key(key: &str) -> Option<Feature> {
+    for spec in FEATURES {
+        if spec.key == key {
+            return Some(spec.id);
+        }
+    }
+    legacy::feature_for_key(key)
+}
+
+/// Deserializable features table for TOML.
+#[derive(Deserialize, Debug, Clone, Default, PartialEq)]
+pub struct FeaturesToml {
+    #[serde(flatten)]
+    pub entries: BTreeMap<String, bool>,
+}
+
+/// Single, easy-to-read registry of all feature definitions.
+#[derive(Debug, Clone, Copy)]
+pub struct FeatureSpec {
+    pub id: Feature,
+    pub key: &'static str,
+    pub stage: Stage,
+    pub default_enabled: bool,
+}
+
+pub const FEATURES: &[FeatureSpec] = &[
+    FeatureSpec {
+        id: Feature::UnifiedExec,
+        key: "unified_exec",
+        stage: Stage::Experimental,
+        default_enabled: false,
+    },
+    FeatureSpec {
+        id: Feature::StreamableShell,
+        key: "streamable_shell",
+        stage: Stage::Experimental,
+        default_enabled: false,
+    },
+    FeatureSpec {
+        id: Feature::RmcpClient,
+        key: "rmcp_client",
+        stage: Stage::Experimental,
+        default_enabled: false,
+    },
+    FeatureSpec {
+        id: Feature::PlanTool,
+        key: "plan_tool",
+        stage: Stage::Stable,
+        default_enabled: false,
+    },
+    FeatureSpec {
+        id: Feature::ApplyPatchFreeform,
+        key: "apply_patch_freeform",
+        stage: Stage::Beta,
+        default_enabled: false,
+    },
+    FeatureSpec {
+        id: Feature::ViewImageTool,
+        key: "view_image_tool",
+        stage: Stage::Stable,
+        default_enabled: true,
+    },
+    FeatureSpec {
+        id: Feature::WebSearchRequest,
+        key: "web_search_request",
+        stage: Stage::Stable,
+        default_enabled: false,
+    },
+    FeatureSpec {
+        id: Feature::ApproveAll,
+        key: "approve_all",
+        stage: Stage::Experimental,
+        default_enabled: false,
+    },
+];
--- a/codex-rs/core/src/features/legacy.rs
+++ b/codex-rs/core/src/features/legacy.rs
@@ -0,0 +1,158 @@
+use super::Feature;
+use super::Features;
+use tracing::info;
+
+#[derive(Clone, Copy)]
+struct Alias {
+    legacy_key: &'static str,
+    feature: Feature,
+}
+
+const ALIASES: &[Alias] = &[
+    Alias {
+        legacy_key: "experimental_use_unified_exec_tool",
+        feature: Feature::UnifiedExec,
+    },
+    Alias {
+        legacy_key: "experimental_use_exec_command_tool",
+        feature: Feature::StreamableShell,
+    },
+    Alias {
+        legacy_key: "experimental_use_rmcp_client",
+        feature: Feature::RmcpClient,
+    },
+    Alias {
+        legacy_key: "experimental_use_freeform_apply_patch",
+        feature: Feature::ApplyPatchFreeform,
+    },
+    Alias {
+        legacy_key: "include_apply_patch_tool",
+        feature: Feature::ApplyPatchFreeform,
+    },
+    Alias {
+        legacy_key: "include_plan_tool",
+        feature: Feature::PlanTool,
+    },
+    Alias {
+        legacy_key: "include_view_image_tool",
+        feature: Feature::ViewImageTool,
+    },
+    Alias {
+        legacy_key: "web_search",
+        feature: Feature::WebSearchRequest,
+    },
+];
+
+pub(crate) fn feature_for_key(key: &str) -> Option<Feature> {
+    ALIASES
+        .iter()
+        .find(|alias| alias.legacy_key == key)
+        .map(|alias| {
+            log_alias(alias.legacy_key, alias.feature);
+            alias.feature
+        })
+}
+
+#[derive(Debug, Default)]
+pub struct LegacyFeatureToggles {
+    pub include_plan_tool: Option<bool>,
+    pub include_apply_patch_tool: Option<bool>,
+    pub include_view_image_tool: Option<bool>,
+    pub experimental_use_freeform_apply_patch: Option<bool>,
+    pub experimental_use_exec_command_tool: Option<bool>,
+    pub experimental_use_unified_exec_tool: Option<bool>,
+    pub experimental_use_rmcp_client: Option<bool>,
+    pub tools_web_search: Option<bool>,
+    pub tools_view_image: Option<bool>,
+}
+
+impl LegacyFeatureToggles {
+    pub fn apply(self, features: &mut Features) {
+        set_if_some(
+            features,
+            Feature::PlanTool,
+            self.include_plan_tool,
+            "include_plan_tool",
+        );
+        set_if_some(
+            features,
+            Feature::ApplyPatchFreeform,
+            self.include_apply_patch_tool,
+            "include_apply_patch_tool",
+        );
+        set_if_some(
+            features,
+            Feature::ApplyPatchFreeform,
+            self.experimental_use_freeform_apply_patch,
+            "experimental_use_freeform_apply_patch",
+        );
+        set_if_some(
+            features,
+            Feature::StreamableShell,
+            self.experimental_use_exec_command_tool,
+            "experimental_use_exec_command_tool",
+        );
+        set_if_some(
+            features,
+            Feature::UnifiedExec,
+            self.experimental_use_unified_exec_tool,
+            "experimental_use_unified_exec_tool",
+        );
+        set_if_some(
+            features,
+            Feature::RmcpClient,
+            self.experimental_use_rmcp_client,
+            "experimental_use_rmcp_client",
+        );
+        set_if_some(
+            features,
+            Feature::WebSearchRequest,
+            self.tools_web_search,
+            "tools.web_search",
+        );
+        set_if_some(
+            features,
+            Feature::ViewImageTool,
+            self.include_view_image_tool,
+            "include_view_image_tool",
+        );
+        set_if_some(
+            features,
+            Feature::ViewImageTool,
+            self.tools_view_image,
+            "tools.view_image",
+        );
+    }
+}
+
+fn set_if_some(
+    features: &mut Features,
+    feature: Feature,
+    maybe_value: Option<bool>,
+    alias_key: &'static str,
+) {
+    if let Some(enabled) = maybe_value {
+        set_feature(features, feature, enabled);
+        log_alias(alias_key, feature);
+    }
+}
+
+fn set_feature(features: &mut Features, feature: Feature, enabled: bool) {
+    if enabled {
+        features.enable(feature);
+    } else {
+        features.disable(feature);
+    }
+}
+
+fn log_alias(alias: &str, feature: Feature) {
+    let canonical = feature.key();
+    if alias == canonical {
+        return;
+    }
+    info!(
+        %alias,
+        canonical,
+        "legacy feature toggle detected; prefer `[features].{canonical}`"
+    );
+}
--- a/codex-rs/core/src/function_tool.rs
+++ b/codex-rs/core/src/function_tool.rs
@@ -4,6 +4,9 @@ use thiserror::Error;
 pub enum FunctionCallError {
    #[error("{0}")]
    RespondToModel(String),
+    #[error("{0}")]
+    #[allow(dead_code)] // TODO(jif) fix in a follow-up PR
+    Denied(String),
    #[error("LocalShellCall without call_id or id")]
    MissingLocalShellCallId,
    #[error("Fatal error: {0}")]
--- a/codex-rs/core/src/landlock.rs
+++ b/codex-rs/core/src/landlock.rs
@@ -40,7 +40,7 @@ where
 }

 /// Converts the sandbox policy into the CLI invocation for `codex-linux-sandbox`.
-fn create_linux_sandbox_command_args(
+pub(crate) fn create_linux_sandbox_command_args(
    command: Vec<String>,
    sandbox_policy: &SandboxPolicy,
    sandbox_policy_cwd: &Path,
@@ -56,7 +56,9 @@ fn create_linux_sandbox_command_args(
        serde_json::to_string(sandbox_policy).expect("Failed to serialize SandboxPolicy to JSON");

    let mut linux_cmd: Vec<String> = vec![
+        "--sandbox-policy-cwd".to_string(),
        sandbox_policy_cwd,
+        "--sandbox-policy".to_string(),
        sandbox_policy_json,
        // Separator so that command arguments starting with `-` are not parsed as
        // options of the helper itself.
--- a/codex-rs/core/src/lib.rs
+++ b/codex-rs/core/src/lib.rs
@@ -13,7 +13,6 @@ mod client;
 mod client_common;
 pub mod codex;
 mod codex_conversation;
-pub mod token_data;
 pub use codex_conversation::CodexConversation;
 mod command_safety;
 pub mod config;
@@ -26,17 +25,19 @@ pub mod custom_prompts;
 mod environment_context;
 pub mod error;
 pub mod exec;
-mod exec_command;
 pub mod exec_env;
-pub mod executor;
+pub mod features;
 mod flags;
 pub mod git_info;
 pub mod landlock;
+pub mod mcp;
 mod mcp_connection_manager;
 mod mcp_tool_call;
 mod message_history;
 mod model_provider_info;
 pub mod parse_command;
+pub mod sandboxing;
+pub mod token_data;
 mod truncate;
 mod unified_exec;
 mod user_instructions;
@@ -57,7 +58,6 @@ pub use auth::CodexAuth;
 pub mod default_client;
 pub mod model_family;
 mod openai_model_info;
-mod openai_tools;
 pub mod project_doc;
 mod rollout;
 pub(crate) mod safety;
@@ -105,5 +105,4 @@ pub use codex_protocol::models::LocalShellExecAction;
 pub use codex_protocol::models::LocalShellStatus;
 pub use codex_protocol::models::ReasoningItemContent;
 pub use codex_protocol::models::ResponseItem;
-
 pub mod otel_init;
--- a/codex-rs/core/src/mcp/auth.rs
+++ b/codex-rs/core/src/mcp/auth.rs
@@ -0,0 +1,62 @@
+use std::collections::HashMap;
+
+use anyhow::Result;
+use codex_protocol::protocol::McpAuthStatus;
+use codex_rmcp_client::OAuthCredentialsStoreMode;
+use codex_rmcp_client::determine_streamable_http_auth_status;
+use futures::future::join_all;
+use tracing::warn;
+
+use crate::config_types::McpServerConfig;
+use crate::config_types::McpServerTransportConfig;
+
+pub async fn compute_auth_statuses<'a, I>(
+    servers: I,
+    store_mode: OAuthCredentialsStoreMode,
+) -> HashMap<String, McpAuthStatus>
+where
+    I: IntoIterator<Item = (&'a String, &'a McpServerConfig)>,
+{
+    let futures = servers.into_iter().map(|(name, config)| {
+        let name = name.clone();
+        let config = config.clone();
+        async move {
+            let status = match compute_auth_status(&name, &config, store_mode).await {
+                Ok(status) => status,
+                Err(error) => {
+                    warn!("failed to determine auth status for MCP server `{name}`: {error:?}");
+                    McpAuthStatus::Unsupported
+                }
+            };
+            (name, status)
+        }
+    });
+
+    join_all(futures).await.into_iter().collect()
+}
+
+async fn compute_auth_status(
+    server_name: &str,
+    config: &McpServerConfig,
+    store_mode: OAuthCredentialsStoreMode,
+) -> Result<McpAuthStatus> {
+    match &config.transport {
+        McpServerTransportConfig::Stdio { .. } => Ok(McpAuthStatus::Unsupported),
+        McpServerTransportConfig::StreamableHttp {
+            url,
+            bearer_token_env_var,
+            http_headers,
+            env_http_headers,
+        } => {
+            determine_streamable_http_auth_status(
+                server_name,
+                url,
+                bearer_token_env_var.as_deref(),
+                http_headers.clone(),
+                env_http_headers.clone(),
+                store_mode,
+            )
+            .await
+        }
+    }
+}
--- a/codex-rs/core/src/mcp/mod.rs
+++ b/codex-rs/core/src/mcp/mod.rs
@@ -0,0 +1 @@
+pub mod auth;
--- a/codex-rs/core/src/mcp_connection_manager.rs
+++ b/codex-rs/core/src/mcp_connection_manager.rs
@@ -8,7 +8,9 @@

 use std::collections::HashMap;
 use std::collections::HashSet;
+use std::env;
 use std::ffi::OsString;
+use std::path::PathBuf;
 use std::sync::Arc;
 use std::time::Duration;

@@ -16,9 +18,18 @@ use anyhow::Context;
 use anyhow::Result;
 use anyhow::anyhow;
 use codex_mcp_client::McpClient;
+use codex_rmcp_client::OAuthCredentialsStoreMode;
 use codex_rmcp_client::RmcpClient;
 use mcp_types::ClientCapabilities;
 use mcp_types::Implementation;
+use mcp_types::ListResourceTemplatesRequestParams;
+use mcp_types::ListResourceTemplatesResult;
+use mcp_types::ListResourcesRequestParams;
+use mcp_types::ListResourcesResult;
+use mcp_types::ReadResourceRequestParams;
+use mcp_types::ReadResourceResult;
+use mcp_types::Resource;
+use mcp_types::ResourceTemplate;
 use mcp_types::Tool;

 use serde_json::json;
@@ -54,8 +65,8 @@ fn qualify_tools(tools: Vec<ToolInfo>) -> HashMap<String, ToolInfo> {
    let mut qualified_tools = HashMap::new();
    for tool in tools {
        let mut qualified_name = format!(
-            "{}{}{}",
-            tool.server_name, MCP_TOOL_NAME_DELIMITER, tool.tool_name
+            "mcp{}{}{}{}",
+            MCP_TOOL_NAME_DELIMITER, tool.server_name, MCP_TOOL_NAME_DELIMITER, tool.tool_name
        );
        if qualified_name.len() > MAX_TOOL_NAME_LENGTH {
            let mut hasher = Sha1::new();
@@ -100,34 +111,51 @@ enum McpClientAdapter {
 }

 impl McpClientAdapter {
+    #[allow(clippy::too_many_arguments)]
    async fn new_stdio_client(
        use_rmcp_client: bool,
        program: OsString,
        args: Vec<OsString>,
        env: Option<HashMap<String, String>>,
+        env_vars: Vec<String>,
+        cwd: Option<PathBuf>,
        params: mcp_types::InitializeRequestParams,
        startup_timeout: Duration,
    ) -> Result<Self> {
        if use_rmcp_client {
-            let client = Arc::new(RmcpClient::new_stdio_client(program, args, env).await?);
+            let client =
+                Arc::new(RmcpClient::new_stdio_client(program, args, env, &env_vars, cwd).await?);
            client.initialize(params, Some(startup_timeout)).await?;
            Ok(McpClientAdapter::Rmcp(client))
        } else {
-            let client = Arc::new(McpClient::new_stdio_client(program, args, env).await?);
+            let client =
+                Arc::new(McpClient::new_stdio_client(program, args, env, &env_vars, cwd).await?);
            client.initialize(params, Some(startup_timeout)).await?;
            Ok(McpClientAdapter::Legacy(client))
        }
    }

+    #[allow(clippy::too_many_arguments)]
    async fn new_streamable_http_client(
        server_name: String,
        url: String,
        bearer_token: Option<String>,
+        http_headers: Option<HashMap<String, String>>,
+        env_http_headers: Option<HashMap<String, String>>,
        params: mcp_types::InitializeRequestParams,
        startup_timeout: Duration,
+        store_mode: OAuthCredentialsStoreMode,
    ) -> Result<Self> {
        let client = Arc::new(
-            RmcpClient::new_streamable_http_client(&server_name, &url, bearer_token).await?,
+            RmcpClient::new_streamable_http_client(
+                &server_name,
+                &url,
+                bearer_token,
+                http_headers,
+                env_http_headers,
+                store_mode,
+            )
+            .await?,
        );
        client.initialize(params, Some(startup_timeout)).await?;
        Ok(McpClientAdapter::Rmcp(client))
@@ -144,6 +172,47 @@ impl McpClientAdapter {
        }
    }

+    async fn list_resources(
+        &self,
+        params: Option<mcp_types::ListResourcesRequestParams>,
+        timeout: Option<Duration>,
+    ) -> Result<mcp_types::ListResourcesResult> {
+        match self {
+            McpClientAdapter::Legacy(_) => Ok(ListResourcesResult {
+                next_cursor: None,
+                resources: Vec::new(),
+            }),
+            McpClientAdapter::Rmcp(client) => client.list_resources(params, timeout).await,
+        }
+    }
+
+    async fn read_resource(
+        &self,
+        params: mcp_types::ReadResourceRequestParams,
+        timeout: Option<Duration>,
+    ) -> Result<mcp_types::ReadResourceResult> {
+        match self {
+            McpClientAdapter::Legacy(_) => Err(anyhow!(
+                "resources/read is not supported by legacy MCP clients"
+            )),
+            McpClientAdapter::Rmcp(client) => client.read_resource(params, timeout).await,
+        }
+    }
+
+    async fn list_resource_templates(
+        &self,
+        params: Option<mcp_types::ListResourceTemplatesRequestParams>,
+        timeout: Option<Duration>,
+    ) -> Result<mcp_types::ListResourceTemplatesResult> {
+        match self {
+            McpClientAdapter::Legacy(_) => Ok(ListResourceTemplatesResult {
+                next_cursor: None,
+                resource_templates: Vec::new(),
+            }),
+            McpClientAdapter::Rmcp(client) => client.list_resource_templates(params, timeout).await,
+        }
+    }
+
    async fn call_tool(
        &self,
        name: String,
@@ -182,6 +251,7 @@ impl McpConnectionManager {
    pub async fn new(
        mcp_servers: HashMap<String, McpServerConfig>,
        use_rmcp_client: bool,
+        store_mode: OAuthCredentialsStoreMode,
    ) -> Result<(Self, ClientStartErrors)> {
        // Early exit if no servers are configured.
        if mcp_servers.is_empty() {
@@ -202,9 +272,21 @@ impl McpConnectionManager {
                continue;
            }

+            if !cfg.enabled {
+                continue;
+            }
+
            let startup_timeout = cfg.startup_timeout_sec.unwrap_or(DEFAULT_STARTUP_TIMEOUT);
            let tool_timeout = cfg.tool_timeout_sec.unwrap_or(DEFAULT_TOOL_TIMEOUT);

+            let resolved_bearer_token = match &cfg.transport {
+                McpServerTransportConfig::StreamableHttp {
+                    bearer_token_env_var,
+                    ..
+                } => resolve_bearer_token(&server_name, bearer_token_env_var.as_deref()),
+                _ => Ok(None),
+            };
+
            join_set.spawn(async move {
                let McpServerConfig { transport, .. } = cfg;
                let params = mcp_types::InitializeRequestParams {
@@ -229,7 +311,13 @@ impl McpConnectionManager {
                };

                let client = match transport {
-                    McpServerTransportConfig::Stdio { command, args, env } => {
+                    McpServerTransportConfig::Stdio {
+                        command,
+                        args,
+                        env,
+                        env_vars,
+                        cwd,
+                    } => {
                        let command_os: OsString = command.into();
                        let args_os: Vec<OsString> = args.into_iter().map(Into::into).collect();
                        McpClientAdapter::new_stdio_client(
@@ -237,18 +325,28 @@ impl McpConnectionManager {
                            command_os,
                            args_os,
                            env,
+                            env_vars,
+                            cwd,
                            params,
                            startup_timeout,
                        )
                        .await
                    }
-                    McpServerTransportConfig::StreamableHttp { url, bearer_token } => {
+                    McpServerTransportConfig::StreamableHttp {
+                        url,
+                        http_headers,
+                        env_http_headers,
+                        ..
+                    } => {
                        McpClientAdapter::new_streamable_http_client(
                            server_name.clone(),
                            url,
-                            bearer_token,
+                            resolved_bearer_token.unwrap_or_default(),
+                            http_headers,
+                            env_http_headers,
                            params,
                            startup_timeout,
+                            store_mode,
                        )
                        .await
                    }
@@ -300,7 +398,7 @@ impl McpConnectionManager {
        Ok((Self { clients, tools }, errors))
    }

-    /// Returns a single map that contains **all** tools. Each key is the
+    /// Returns a single map that contains all tools. Each key is the
    /// fully-qualified name for the tool.
    pub fn list_all_tools(&self) -> HashMap<String, Tool> {
        self.tools
@@ -309,6 +407,133 @@ impl McpConnectionManager {
            .collect()
    }

+    /// Returns a single map that contains all resources. Each key is the
+    /// server name and the value is a vector of resources.
+    pub async fn list_all_resources(&self) -> HashMap<String, Vec<Resource>> {
+        let mut join_set = JoinSet::new();
+
+        for (server_name, managed_client) in &self.clients {
+            let server_name_cloned = server_name.clone();
+            let client_clone = managed_client.client.clone();
+            let timeout = managed_client.tool_timeout;
+
+            join_set.spawn(async move {
+                let mut collected: Vec<Resource> = Vec::new();
+                let mut cursor: Option<String> = None;
+
+                loop {
+                    let params = cursor.as_ref().map(|next| ListResourcesRequestParams {
+                        cursor: Some(next.clone()),
+                    });
+                    let response = match client_clone.list_resources(params, timeout).await {
+                        Ok(result) => result,
+                        Err(err) => return (server_name_cloned, Err(err)),
+                    };
+
+                    collected.extend(response.resources);
+
+                    match response.next_cursor {
+                        Some(next) => {
+                            if cursor.as_ref() == Some(&next) {
+                                return (
+                                    server_name_cloned,
+                                    Err(anyhow!("resources/list returned duplicate cursor")),
+                                );
+                            }
+                            cursor = Some(next);
+                        }
+                        None => return (server_name_cloned, Ok(collected)),
+                    }
+                }
+            });
+        }
+
+        let mut aggregated: HashMap<String, Vec<Resource>> = HashMap::new();
+
+        while let Some(join_res) = join_set.join_next().await {
+            match join_res {
+                Ok((server_name, Ok(resources))) => {
+                    aggregated.insert(server_name, resources);
+                }
+                Ok((server_name, Err(err))) => {
+                    warn!("Failed to list resources for MCP server '{server_name}': {err:#}");
+                }
+                Err(err) => {
+                    warn!("Task panic when listing resources for MCP server: {err:#}");
+                }
+            }
+        }
+
+        aggregated
+    }
+
+    /// Returns a single map that contains all resource templates. Each key is the
+    /// server name and the value is a vector of resource templates.
+    pub async fn list_all_resource_templates(&self) -> HashMap<String, Vec<ResourceTemplate>> {
+        let mut join_set = JoinSet::new();
+
+        for (server_name, managed_client) in &self.clients {
+            let server_name_cloned = server_name.clone();
+            let client_clone = managed_client.client.clone();
+            let timeout = managed_client.tool_timeout;
+
+            join_set.spawn(async move {
+                let mut collected: Vec<ResourceTemplate> = Vec::new();
+                let mut cursor: Option<String> = None;
+
+                loop {
+                    let params = cursor
+                        .as_ref()
+                        .map(|next| ListResourceTemplatesRequestParams {
+                            cursor: Some(next.clone()),
+                        });
+                    let response = match client_clone.list_resource_templates(params, timeout).await
+                    {
+                        Ok(result) => result,
+                        Err(err) => return (server_name_cloned, Err(err)),
+                    };
+
+                    collected.extend(response.resource_templates);
+
+                    match response.next_cursor {
+                        Some(next) => {
+                            if cursor.as_ref() == Some(&next) {
+                                return (
+                                    server_name_cloned,
+                                    Err(anyhow!(
+                                        "resources/templates/list returned duplicate cursor"
+                                    )),
+                                );
+                            }
+                            cursor = Some(next);
+                        }
+                        None => return (server_name_cloned, Ok(collected)),
+                    }
+                }
+            });
+        }
+
+        let mut aggregated: HashMap<String, Vec<ResourceTemplate>> = HashMap::new();
+
+        while let Some(join_res) = join_set.join_next().await {
+            match join_res {
+                Ok((server_name, Ok(templates))) => {
+                    aggregated.insert(server_name, templates);
+                }
+                Ok((server_name, Err(err))) => {
+                    warn!(
+                        "Failed to list resource templates for MCP server '{server_name}': {err:#}"
+                    );
+                }
+                Err(err) => {
+                    warn!("Task panic when listing resource templates for MCP server: {err:#}");
+                }
+            }
+        }
+
+        aggregated
+    }
+
    /// Invoke the tool indicated by the (server, tool) pair.
    pub async fn call_tool(
        &self,
@@ -320,7 +545,7 @@ impl McpConnectionManager {
            .clients
            .get(server)
            .ok_or_else(|| anyhow!("unknown MCP server '{server}'"))?;
-        let client = managed.client.clone();
+        let client = &managed.client;
        let timeout = managed.tool_timeout;

        client
@@ -329,6 +554,64 @@ impl McpConnectionManager {
            .with_context(|| format!("tool call failed for `{server}/{tool}`"))
    }

+    /// List resources from the specified server.
+    pub async fn list_resources(
+        &self,
+        server: &str,
+        params: Option<ListResourcesRequestParams>,
+    ) -> Result<ListResourcesResult> {
+        let managed = self
+            .clients
+            .get(server)
+            .ok_or_else(|| anyhow!("unknown MCP server '{server}'"))?;
+        let client = managed.client.clone();
+        let timeout = managed.tool_timeout;
+
+        client
+            .list_resources(params, timeout)
+            .await
+            .with_context(|| format!("resources/list failed for `{server}`"))
+    }
+
+    /// List resource templates from the specified server.
+    pub async fn list_resource_templates(
+        &self,
+        server: &str,
+        params: Option<ListResourceTemplatesRequestParams>,
+    ) -> Result<ListResourceTemplatesResult> {
+        let managed = self
+            .clients
+            .get(server)
+            .ok_or_else(|| anyhow!("unknown MCP server '{server}'"))?;
+        let client = managed.client.clone();
+        let timeout = managed.tool_timeout;
+
+        client
+            .list_resource_templates(params, timeout)
+            .await
+            .with_context(|| format!("resources/templates/list failed for `{server}`"))
+    }
+
+    /// Read a resource from the specified server.
+    pub async fn read_resource(
+        &self,
+        server: &str,
+        params: ReadResourceRequestParams,
+    ) -> Result<ReadResourceResult> {
+        let managed = self
+            .clients
+            .get(server)
+            .ok_or_else(|| anyhow!("unknown MCP server '{server}'"))?;
+        let client = managed.client.clone();
+        let timeout = managed.tool_timeout;
+        let uri = params.uri.clone();
+
+        client
+            .read_resource(params, timeout)
+            .await
+            .with_context(|| format!("resources/read failed for `{server}` ({uri})"))
+    }
+
    pub fn parse_tool_name(&self, tool_name: &str) -> Option<(String, String)> {
        self.tools
            .get(tool_name)
@@ -336,8 +619,35 @@ impl McpConnectionManager {
    }
 }

+fn resolve_bearer_token(
+    server_name: &str,
+    bearer_token_env_var: Option<&str>,
+) -> Result<Option<String>> {
+    let Some(env_var) = bearer_token_env_var else {
+        return Ok(None);
+    };
+
+    match env::var(env_var) {
+        Ok(value) => {
+            if value.is_empty() {
+                Err(anyhow!(
+                    "Environment variable {env_var} for MCP server '{server_name}' is empty"
+                ))
+            } else {
+                Ok(Some(value))
+            }
+        }
+        Err(env::VarError::NotPresent) => Err(anyhow!(
+            "Environment variable {env_var} for MCP server '{server_name}' is not set"
+        )),
+        Err(env::VarError::NotUnicode(_)) => Err(anyhow!(
+            "Environment variable {env_var} for MCP server '{server_name}' contains invalid Unicode"
+        )),
+    }
+}
+
 /// Query every server for its available tools and return a single map that
-/// contains **all** tools. Each key is the fully-qualified name for the tool.
+/// contains all tools. Each key is the fully-qualified name for the tool.
 async fn list_all_tools(clients: &HashMap<String, ManagedClient>) -> Result<Vec<ToolInfo>> {
    let mut join_set = JoinSet::new();

@@ -431,8 +741,8 @@ mod tests {
        let qualified_tools = qualify_tools(tools);

        assert_eq!(qualified_tools.len(), 2);
-        assert!(qualified_tools.contains_key("server1__tool1"));
-        assert!(qualified_tools.contains_key("server1__tool2"));
+        assert!(qualified_tools.contains_key("mcp__server1__tool1"));
+        assert!(qualified_tools.contains_key("mcp__server1__tool2"));
    }

    #[test]
@@ -446,7 +756,7 @@ mod tests {

        // Only the first tool should remain, the second is skipped
        assert_eq!(qualified_tools.len(), 1);
-        assert!(qualified_tools.contains_key("server1__duplicate_tool"));
+        assert!(qualified_tools.contains_key("mcp__server1__duplicate_tool"));
    }

    #[test]
@@ -474,13 +784,13 @@ mod tests {
        assert_eq!(keys[0].len(), 64);
        assert_eq!(
            keys[0],
-            "my_server__extremely_lena02e507efc5a9de88637e436690364fd4219e4ef"
+            "mcp__my_server__extremel119a2b97664e41363932dc84de21e2ff1b93b3e9"
        );

        assert_eq!(keys[1].len(), 64);
        assert_eq!(
            keys[1],
-            "my_server__yet_another_e1c3987bd9c50b826cbe1687966f79f0c602d19ca"
+            "mcp__my_server__yet_anot419a82a89325c1b477274a41f8c65ea5f3a7f341"
        );
    }
 }
--- a/codex-rs/core/src/mcp_tool_call.rs
+++ b/codex-rs/core/src/mcp_tool_call.rs
@@ -58,7 +58,10 @@ pub(crate) async fn handle_mcp_tool_call(
    let result = sess
        .call_tool(&server, &tool_name, arguments_value.clone())
        .await
-        .map_err(|e| format!("tool call error: {e}"));
+        .map_err(|e| format!("tool call error: {e:?}"));
+    if let Err(e) = &result {
+        tracing::warn!("MCP tool call error: {e:?}");
+    }
    let tool_call_end_event = EventMsg::McpToolCallEnd(McpToolCallEndEvent {
        call_id: call_id.clone(),
        invocation,
--- a/codex-rs/core/src/model_family.rs
+++ b/codex-rs/core/src/model_family.rs
@@ -48,6 +48,12 @@ pub struct ModelFamily {

    /// Names of beta tools that should be exposed to this model family.
    pub experimental_supported_tools: Vec<String>,
+
+    /// Percentage of the context window considered usable for inputs, after
+    /// reserving headroom for system prompts, tool overhead, and model output.
+    /// This is applied when computing the effective context window seen by
+    /// consumers.
+    pub effective_context_window_percent: i64,
 }

 macro_rules! model_family {
@@ -66,6 +72,7 @@ macro_rules! model_family {
            apply_patch_tool_type: None,
            base_instructions: BASE_INSTRUCTIONS.to_string(),
            experimental_supported_tools: Vec::new(),
+            effective_context_window_percent: 95,
        };
        // apply overrides
        $(
@@ -119,9 +126,10 @@ pub fn find_family_for_model(mut slug: &str) -> Option<ModelFamily> {
            reasoning_summary_format: ReasoningSummaryFormat::Experimental,
            base_instructions: GPT_5_CODEX_INSTRUCTIONS.to_string(),
            experimental_supported_tools: vec![
-                "read_file".to_string(),
+                "grep_files".to_string(),
                "list_dir".to_string(),
-                "test_sync_tool".to_string()
+                "read_file".to_string(),
+                "test_sync_tool".to_string(),
            ],
            supports_parallel_tool_calls: true,
        )
@@ -134,7 +142,11 @@ pub fn find_family_for_model(mut slug: &str) -> Option<ModelFamily> {
            reasoning_summary_format: ReasoningSummaryFormat::Experimental,
            base_instructions: GPT_5_CODEX_INSTRUCTIONS.to_string(),
            apply_patch_tool_type: Some(ApplyPatchToolType::Freeform),
-            experimental_supported_tools: vec!["read_file".to_string(), "list_dir".to_string()],
+            experimental_supported_tools: vec![
+                "grep_files".to_string(),
+                "list_dir".to_string(),
+                "read_file".to_string(),
+            ],
            supports_parallel_tool_calls: true,
        )

@@ -170,5 +182,6 @@ pub fn derive_default_model_family(model: &str) -> ModelFamily {
        apply_patch_tool_type: None,
        base_instructions: BASE_INSTRUCTIONS.to_string(),
        experimental_supported_tools: Vec::new(),
+        effective_context_window_percent: 95,
    }
 }
--- a/codex-rs/core/src/openai_model_info.rs
+++ b/codex-rs/core/src/openai_model_info.rs
@@ -1,5 +1,9 @@
 use crate::model_family::ModelFamily;

+// Shared constants for commonly used window/token sizes.
+pub(crate) const CONTEXT_WINDOW_272K: i64 = 272_000;
+pub(crate) const MAX_OUTPUT_TOKENS_128K: i64 = 128_000;
+
 /// Metadata about a model, particularly OpenAI models.
 /// We may want to consider including details like the pricing for
 /// input tokens, output tokens, etc., though users will need to be able to
@@ -8,10 +12,10 @@ use crate::model_family::ModelFamily;
 #[derive(Debug)]
 pub(crate) struct ModelInfo {
    /// Size of the context window in tokens. This is the maximum size of the input context.
-    pub(crate) context_window: u64,
+    pub(crate) context_window: i64,

    /// Maximum number of output tokens that can be generated for the model.
-    pub(crate) max_output_tokens: u64,
+    pub(crate) max_output_tokens: i64,

    /// Token threshold where we should automatically compact conversation history. This considers
    /// input tokens + output tokens of this turn.
@@ -19,13 +23,17 @@ pub(crate) struct ModelInfo {
 }

 impl ModelInfo {
-    const fn new(context_window: u64, max_output_tokens: u64) -> Self {
+    const fn new(context_window: i64, max_output_tokens: i64) -> Self {
        Self {
            context_window,
            max_output_tokens,
-            auto_compact_token_limit: None,
+            auto_compact_token_limit: Some(Self::default_auto_compact_limit(context_window)),
        }
    }
+
+    const fn default_auto_compact_limit(context_window: i64) -> i64 {
+        (context_window * 9) / 10
+    }
 }

 pub(crate) fn get_model_info(model_family: &ModelFamily) -> Option<ModelInfo> {
@@ -62,15 +70,17 @@ pub(crate) fn get_model_info(model_family: &ModelFamily) -> Option<ModelInfo> {
        // https://platform.openai.com/docs/models/gpt-3.5-turbo
        "gpt-3.5-turbo" => Some(ModelInfo::new(16_385, 4_096)),

-        _ if slug.starts_with("gpt-5-codex") => Some(ModelInfo {
-            context_window: 272_000,
-            max_output_tokens: 128_000,
-            auto_compact_token_limit: Some(350_000),
-        }),
+        _ if slug.starts_with("gpt-5-codex") => {
+            Some(ModelInfo::new(CONTEXT_WINDOW_272K, MAX_OUTPUT_TOKENS_128K))
+        }

-        _ if slug.starts_with("gpt-5") => Some(ModelInfo::new(272_000, 128_000)),
+        _ if slug.starts_with("gpt-5") => {
+            Some(ModelInfo::new(CONTEXT_WINDOW_272K, MAX_OUTPUT_TOKENS_128K))
+        }

-        _ if slug.starts_with("codex-") => Some(ModelInfo::new(272_000, 128_000)),
+        _ if slug.starts_with("codex-") => {
+            Some(ModelInfo::new(CONTEXT_WINDOW_272K, MAX_OUTPUT_TOKENS_128K))
+        }

        _ => None,
    }
--- a/codex-rs/core/src/openai_tools.rs
+++ b/codex-rs/core/src/openai_tools.rs
@@ -1 +0,0 @@
-pub use crate::tools::spec::*;
--- a/codex-rs/core/src/parse_command.rs
+++ b/codex-rs/core/src/parse_command.rs
@@ -1,43 +1,9 @@
 use crate::bash::try_parse_bash;
 use crate::bash::try_parse_word_only_commands_sequence;
-use serde::Deserialize;
-use serde::Serialize;
+use codex_protocol::parse_command::ParsedCommand;
 use shlex::split as shlex_split;
 use shlex::try_join as shlex_try_join;
-
-#[derive(Debug, Clone, PartialEq, Eq, Deserialize, Serialize)]
-pub enum ParsedCommand {
-    Read {
-        cmd: String,
-        name: String,
-    },
-    ListFiles {
-        cmd: String,
-        path: Option<String>,
-    },
-    Search {
-        cmd: String,
-        query: Option<String>,
-        path: Option<String>,
-    },
-    Unknown {
-        cmd: String,
-    },
-}
-
-// Convert core's parsed command enum into the protocol's simplified type so
-// events can carry the canonical representation across process boundaries.
-impl From<ParsedCommand> for codex_protocol::parse_command::ParsedCommand {
-    fn from(v: ParsedCommand) -> Self {
-        use codex_protocol::parse_command::ParsedCommand as P;
-        match v {
-            ParsedCommand::Read { cmd, name } => P::Read { cmd, name },
-            ParsedCommand::ListFiles { cmd, path } => P::ListFiles { cmd, path },
-            ParsedCommand::Search { cmd, query, path } => P::Search { cmd, query, path },
-            ParsedCommand::Unknown { cmd } => P::Unknown { cmd },
-        }
-    }
-}
+use std::path::PathBuf;

 fn shlex_join(tokens: &[String]) -> String {
    shlex_try_join(tokens.iter().map(String::as_str))
@@ -72,6 +38,7 @@ pub fn parse_command(command: &[String]) -> Vec<ParsedCommand> {
 /// Tests are at the top to encourage using TDD + Codex to fix the implementation.
 mod tests {
    use super::*;
+    use std::path::PathBuf;
    use std::string::ToString;

    fn shlex_split_safe(s: &str) -> Vec<String> {
@@ -221,6 +188,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: inner.to_string(),
                name: "README.md".to_string(),
+                path: PathBuf::from("webview/README.md"),
            }],
        );
    }
@@ -232,6 +200,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: "cat foo.txt".to_string(),
                name: "foo.txt".to_string(),
+                path: PathBuf::from("foo/foo.txt"),
            }],
        );
    }
@@ -254,6 +223,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: "cat foo.txt".to_string(),
                name: "foo.txt".to_string(),
+                path: PathBuf::from("foo/foo.txt"),
            }],
        );
    }
@@ -278,6 +248,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: inner.to_string(),
                name: "Cargo.toml".to_string(),
+                path: PathBuf::from("Cargo.toml"),
            }],
        );
    }
@@ -290,6 +261,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: inner.to_string(),
                name: "Cargo.toml".to_string(),
+                path: PathBuf::from("tui/Cargo.toml"),
            }],
        );
    }
@@ -302,6 +274,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: inner.to_string(),
                name: "README.md".to_string(),
+                path: PathBuf::from("README.md"),
            }],
        );
    }
@@ -315,6 +288,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: inner.to_string(),
                name: "README.md".to_string(),
+                path: PathBuf::from("README.md"),
            }]
        );
    }
@@ -484,6 +458,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: inner.to_string(),
                name: "parse_command.rs".to_string(),
+                path: PathBuf::from("core/src/parse_command.rs"),
            }],
        );
    }
@@ -496,6 +471,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: inner.to_string(),
                name: "history_cell.rs".to_string(),
+                path: PathBuf::from("tui/src/history_cell.rs"),
            }],
        );
    }
@@ -509,6 +485,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: "cat -- ansi-escape/Cargo.toml".to_string(),
                name: "Cargo.toml".to_string(),
+                path: PathBuf::from("ansi-escape/Cargo.toml"),
            }],
        );
    }
@@ -538,6 +515,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: "sed -n '260,640p' exec/src/event_processor_with_human_output.rs".to_string(),
                name: "event_processor_with_human_output.rs".to_string(),
+                path: PathBuf::from("exec/src/event_processor_with_human_output.rs"),
            }],
        );
    }
@@ -697,6 +675,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: r#"cat "pkg\\src\\main.rs""#.to_string(),
                name: "main.rs".to_string(),
+                path: PathBuf::from(r#"pkg\src\main.rs"#),
            }],
        );
    }
@@ -708,6 +687,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: "head -n50 Cargo.toml".to_string(),
                name: "Cargo.toml".to_string(),
+                path: PathBuf::from("Cargo.toml"),
            }],
        );
    }
@@ -738,6 +718,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: "tail -n+10 README.md".to_string(),
                name: "README.md".to_string(),
+                path: PathBuf::from("README.md"),
            }],
        );
    }
@@ -774,6 +755,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: "cat -- ./-strange-file-name".to_string(),
                name: "-strange-file-name".to_string(),
+                path: PathBuf::from("./-strange-file-name"),
            }],
        );

@@ -783,6 +765,7 @@ mod tests {
            vec![ParsedCommand::Read {
                cmd: "sed -n '12,20p' Cargo.toml".to_string(),
                name: "Cargo.toml".to_string(),
+                path: PathBuf::from("Cargo.toml"),
            }],
        );
    }
@@ -875,11 +858,39 @@ pub fn parse_command_impl(command: &[String]) -> Vec<ParsedCommand> {
    // Preserve left-to-right execution order for all commands, including bash -c/-lc
    // so summaries reflect the order they will run.

-    // Map each pipeline segment to its parsed summary.
-    let mut commands: Vec<ParsedCommand> = parts
-        .iter()
-        .map(|tokens| summarize_main_tokens(tokens))
-        .collect();
+    // Map each pipeline segment to its parsed summary, tracking `cd` to compute paths.
+    let mut commands: Vec<ParsedCommand> = Vec::new();
+    let mut cwd: Option<String> = None;
+    for tokens in &parts {
+        if let Some((head, tail)) = tokens.split_first()
+            && head == "cd"
+        {
+            if let Some(dir) = tail.first() {
+                cwd = Some(match &cwd {
+                    Some(base) => join_paths(base, dir),
+                    None => dir.clone(),
+                });
+            }
+            continue;
+        }
+        let parsed = summarize_main_tokens(tokens);
+        let parsed = match parsed {
+            ParsedCommand::Read { cmd, name, path } => {
+                if let Some(base) = &cwd {
+                    let full = join_paths(base, &path.to_string_lossy());
+                    ParsedCommand::Read {
+                        cmd,
+                        name,
+                        path: PathBuf::from(full),
+                    }
+                } else {
+                    ParsedCommand::Read { cmd, name, path }
+                }
+            }
+            other => other,
+        };
+        commands.push(parsed);
+    }

    while let Some(next) = simplify_once(&commands) {
        commands = next;
@@ -1164,10 +1175,39 @@ fn parse_bash_lc_commands(original: &[String]) -> Option<Vec<ParsedCommand>> {
                cmd: script.clone(),
            }]);
        }
-        let mut commands: Vec<ParsedCommand> = filtered_commands
-            .into_iter()
-            .map(|tokens| summarize_main_tokens(&tokens))
-            .collect();
+        // Build parsed commands, tracking `cd` segments to compute effective file paths.
+        let mut commands: Vec<ParsedCommand> = Vec::new();
+        let mut cwd: Option<String> = None;
+        for tokens in filtered_commands.into_iter() {
+            if let Some((head, tail)) = tokens.split_first()
+                && head == "cd"
+            {
+                if let Some(dir) = tail.first() {
+                    cwd = Some(match &cwd {
+                        Some(base) => join_paths(base, dir),
+                        None => dir.clone(),
+                    });
+                }
+                continue;
+            }
+            let parsed = summarize_main_tokens(&tokens);
+            let parsed = match parsed {
+                ParsedCommand::Read { cmd, name, path } => {
+                    if let Some(base) = &cwd {
+                        let full = join_paths(base, &path.to_string_lossy());
+                        ParsedCommand::Read {
+                            cmd,
+                            name,
+                            path: PathBuf::from(full),
+                        }
+                    } else {
+                        ParsedCommand::Read { cmd, name, path }
+                    }
+                }
+                other => other,
+            };
+            commands.push(parsed);
+        }
        if commands.len() > 1 {
            commands.retain(|pc| !matches!(pc, ParsedCommand::Unknown { cmd } if cmd == "true"));
            // Apply the same simplifications used for non-bash parsing, e.g., drop leading `cd`.
@@ -1187,7 +1227,7 @@ fn parse_bash_lc_commands(original: &[String]) -> Option<Vec<ParsedCommand>> {
            commands = commands
                .into_iter()
                .map(|pc| match pc {
-                    ParsedCommand::Read { name, cmd, .. } => {
+                    ParsedCommand::Read { name, cmd, path } => {
                        if had_connectors {
                            let has_pipe = script_tokens.iter().any(|t| t == "|");
                            let has_sed_n = script_tokens.windows(2).any(|w| {
@@ -1198,14 +1238,16 @@ fn parse_bash_lc_commands(original: &[String]) -> Option<Vec<ParsedCommand>> {
                                ParsedCommand::Read {
                                    cmd: script.clone(),
                                    name,
+                                    path,
                                }
                            } else {
-                                ParsedCommand::Read { cmd, name }
+                                ParsedCommand::Read { cmd, name, path }
                            }
                        } else {
                            ParsedCommand::Read {
                                cmd: shlex_join(&script_tokens),
                                name,
+                                path,
                            }
                        }
                    }
@@ -1370,10 +1412,12 @@ fn summarize_main_tokens(main_cmd: &[String]) -> ParsedCommand {
                tail
            };
            if effective_tail.len() == 1 {
-                let name = short_display_path(&effective_tail[0]);
+                let path = effective_tail[0].clone();
+                let name = short_display_path(&path);
                ParsedCommand::Read {
                    cmd: shlex_join(main_cmd),
                    name,
+                    path: PathBuf::from(path),
                }
            } else {
                ParsedCommand::Unknown {
@@ -1408,10 +1452,12 @@ fn summarize_main_tokens(main_cmd: &[String]) -> ParsedCommand {
                    i += 1;
                }
                if let Some(p) = candidates.into_iter().find(|p| !p.starts_with('-')) {
-                    let name = short_display_path(p);
+                    let path = p.clone();
+                    let name = short_display_path(&path);
                    return ParsedCommand::Read {
                        cmd: shlex_join(main_cmd),
                        name,
+                        path: PathBuf::from(path),
                    };
                }
            }
@@ -1450,10 +1496,12 @@ fn summarize_main_tokens(main_cmd: &[String]) -> ParsedCommand {
                    i += 1;
                }
                if let Some(p) = candidates.into_iter().find(|p| !p.starts_with('-')) {
-                    let name = short_display_path(p);
+                    let path = p.clone();
+                    let name = short_display_path(&path);
                    return ParsedCommand::Read {
                        cmd: shlex_join(main_cmd),
                        name,
+                        path: PathBuf::from(path),
                    };
                }
            }
@@ -1465,10 +1513,12 @@ fn summarize_main_tokens(main_cmd: &[String]) -> ParsedCommand {
            // Avoid treating option values as paths (e.g., nl -s "  ").
            let candidates = skip_flag_values(tail, &["-s", "-w", "-v", "-i", "-b"]);
            if let Some(p) = candidates.into_iter().find(|p| !p.starts_with('-')) {
-                let name = short_display_path(p);
+                let path = p.clone();
+                let name = short_display_path(&path);
                ParsedCommand::Read {
                    cmd: shlex_join(main_cmd),
                    name,
+                    path: PathBuf::from(path),
                }
            } else {
                ParsedCommand::Unknown {
@@ -1483,10 +1533,12 @@ fn summarize_main_tokens(main_cmd: &[String]) -> ParsedCommand {
                && is_valid_sed_n_arg(tail.get(1).map(String::as_str)) =>
        {
            if let Some(path) = tail.get(2) {
-                let name = short_display_path(path);
+                let path = path.clone();
+                let name = short_display_path(&path);
                ParsedCommand::Read {
                    cmd: shlex_join(main_cmd),
                    name,
+                    path: PathBuf::from(path),
                }
            } else {
                ParsedCommand::Unknown {
@@ -1500,3 +1552,30 @@ fn summarize_main_tokens(main_cmd: &[String]) -> ParsedCommand {
        },
    }
 }
+
+fn is_abs_like(path: &str) -> bool {
+    if std::path::Path::new(path).is_absolute() {
+        return true;
+    }
+    let mut chars = path.chars();
+    match (chars.next(), chars.next(), chars.next()) {
+        // Windows drive path like C:\
+        (Some(d), Some(':'), Some('\\')) if d.is_ascii_alphabetic() => return true,
+        // UNC path like \\server\share
+        (Some('\\'), Some('\\'), _) => return true,
+        _ => {}
+    }
+    false
+}
+
+fn join_paths(base: &str, rel: &str) -> String {
+    if is_abs_like(rel) {
+        return rel.to_string();
+    }
+    if base.is_empty() {
+        return rel.to_string();
+    }
+    let mut buf = PathBuf::from(base);
+    buf.push(rel);
+    buf.to_string_lossy().to_string()
+}
--- a/codex-rs/core/src/project_doc.rs
+++ b/codex-rs/core/src/project_doc.rs
@@ -21,6 +21,8 @@ use tracing::error;

 /// Default filename scanned for project-level docs.
 pub const DEFAULT_PROJECT_DOC_FILENAME: &str = "AGENTS.md";
+/// Preferred local override for project-level docs.
+pub const LOCAL_PROJECT_DOC_FILENAME: &str = "AGENTS.override.md";

 /// When both `Config::instructions` and the project doc are present, they will
 /// be concatenated with the following separator.
@@ -178,7 +180,8 @@ pub fn discover_project_doc_paths(config: &Config) -> std::io::Result<Vec<PathBu

 fn candidate_filenames<'a>(config: &'a Config) -> Vec<&'a str> {
    let mut names: Vec<&'a str> =
-        Vec::with_capacity(1 + config.project_doc_fallback_filenames.len());
+        Vec::with_capacity(2 + config.project_doc_fallback_filenames.len());
+    names.push(LOCAL_PROJECT_DOC_FILENAME);
    names.push(DEFAULT_PROJECT_DOC_FILENAME);
    for candidate in &config.project_doc_fallback_filenames {
        let candidate = candidate.as_str();
@@ -381,6 +384,29 @@ mod tests {
        assert_eq!(res, "root doc\n\ncrate doc");
    }

+    /// AGENTS.override.md is preferred over AGENTS.md when both are present.
+    #[tokio::test]
+    async fn agents_local_md_preferred() {
+        let tmp = tempfile::tempdir().expect("tempdir");
+        fs::write(tmp.path().join(DEFAULT_PROJECT_DOC_FILENAME), "versioned").unwrap();
+        fs::write(tmp.path().join(LOCAL_PROJECT_DOC_FILENAME), "local").unwrap();
+
+        let cfg = make_config(&tmp, 4096, None);
+
+        let res = get_user_instructions(&cfg)
+            .await
+            .expect("local doc expected");
+
+        assert_eq!(res, "local");
+
+        let discovery = discover_project_doc_paths(&cfg).expect("discover paths");
+        assert_eq!(discovery.len(), 1);
+        assert_eq!(
+            discovery[0].file_name().unwrap().to_string_lossy(),
+            LOCAL_PROJECT_DOC_FILENAME
+        );
+    }
+
    /// When AGENTS.md is absent but a configured fallback exists, the fallback is used.
    #[tokio::test]
    async fn uses_configured_fallback_when_agents_missing() {
--- a/codex-rs/core/src/safety.rs
+++ b/codex-rs/core/src/safety.rs
@@ -1,4 +1,3 @@
-use std::collections::HashSet;
 use std::path::Component;
 use std::path::Path;
 use std::path::PathBuf;
@@ -8,8 +7,6 @@ use codex_apply_patch::ApplyPatchFileChange;

 use crate::exec::SandboxType;

-use crate::command_safety::is_dangerous_command::command_might_be_dangerous;
-use crate::command_safety::is_safe_command::is_known_safe_command;
 use crate::protocol::AskForApproval;
 use crate::protocol::SandboxPolicy;

@@ -48,30 +45,29 @@ pub fn assess_patch_safety(
        }
    }

-    // Even though the patch *appears* to be constrained to writable paths, it
-    // is possible that paths in the patch are hard links to files outside the
-    // writable roots, so we should still run `apply_patch` in a sandbox in that
-    // case.
+    // Even though the patch appears to be constrained to writable paths, it is
+    // possible that paths in the patch are hard links to files outside the
+    // writable roots, so we should still run `apply_patch` in a sandbox in that case.
    if is_write_patch_constrained_to_writable_paths(action, sandbox_policy, cwd)
        || policy == AskForApproval::OnFailure
    {
-        // Only auto‑approve when we can actually enforce a sandbox. Otherwise
-        // fall back to asking the user because the patch may touch arbitrary
-        // paths outside the project.
-        match get_platform_sandbox() {
-            Some(sandbox_type) => SafetyCheck::AutoApprove {
-                sandbox_type,
+        if matches!(sandbox_policy, SandboxPolicy::DangerFullAccess) {
+            // DangerFullAccess is intended to bypass sandboxing entirely.
+            SafetyCheck::AutoApprove {
+                sandbox_type: SandboxType::None,
                user_explicitly_approved: false,
-            },
-            None if sandbox_policy == &SandboxPolicy::DangerFullAccess => {
-                // If the user has explicitly requested DangerFullAccess, then
-                // we can auto-approve even without a sandbox.
-                SafetyCheck::AutoApprove {
-                    sandbox_type: SandboxType::None,
-                    user_explicitly_approved: false,
-                }
            }
-            None => SafetyCheck::AskUser,
+        } else {
+            // Only auto‑approve when we can actually enforce a sandbox. Otherwise
+            // fall back to asking the user because the patch may touch arbitrary
+            // paths outside the project.
+            match get_platform_sandbox() {
+                Some(sandbox_type) => SafetyCheck::AutoApprove {
+                    sandbox_type,
+                    user_explicitly_approved: false,
+                },
+                None => SafetyCheck::AskUser,
+            }
        }
    } else if policy == AskForApproval::Never {
        SafetyCheck::Reject {
@@ -83,124 +79,6 @@ pub fn assess_patch_safety(
    }
 }

-/// For a command to be run _without_ a sandbox, one of the following must be
-/// true:
-///
-/// - the user has explicitly approved the command
-/// - the command is on the "known safe" list
-/// - `DangerFullAccess` was specified and `UnlessTrusted` was not
-pub fn assess_command_safety(
-    command: &[String],
-    approval_policy: AskForApproval,
-    sandbox_policy: &SandboxPolicy,
-    approved: &HashSet<Vec<String>>,
-    with_escalated_permissions: bool,
-) -> SafetyCheck {
-    // Some commands look dangerous. Even if they are run inside a sandbox,
-    // unless the user has explicitly approved them, we should ask,
-    // or reject if the approval_policy tells us not to ask.
-    if command_might_be_dangerous(command) && !approved.contains(command) {
-        if approval_policy == AskForApproval::Never {
-            return SafetyCheck::Reject {
-                reason: "dangerous command detected; rejected by user approval settings"
-                    .to_string(),
-            };
-        }
-
-        return SafetyCheck::AskUser;
-    }
-
-    // A command is "trusted" because either:
-    // - it belongs to a set of commands we consider "safe" by default, or
-    // - the user has explicitly approved the command for this session
-    //
-    // Currently, whether a command is "trusted" is a simple boolean, but we
-    // should include more metadata on this command test to indicate whether it
-    // should be run inside a sandbox or not. (This could be something the user
-    // defines as part of `execpolicy`.)
-    //
-    // For example, when `is_known_safe_command(command)` returns `true`, it
-    // would probably be fine to run the command in a sandbox, but when
-    // `approved.contains(command)` is `true`, the user may have approved it for
-    // the session _because_ they know it needs to run outside a sandbox.
-
-    if is_known_safe_command(command) || approved.contains(command) {
-        let user_explicitly_approved = approved.contains(command);
-        return SafetyCheck::AutoApprove {
-            sandbox_type: SandboxType::None,
-            user_explicitly_approved,
-        };
-    }
-
-    assess_safety_for_untrusted_command(approval_policy, sandbox_policy, with_escalated_permissions)
-}
-
-pub(crate) fn assess_safety_for_untrusted_command(
-    approval_policy: AskForApproval,
-    sandbox_policy: &SandboxPolicy,
-    with_escalated_permissions: bool,
-) -> SafetyCheck {
-    use AskForApproval::*;
-    use SandboxPolicy::*;
-
-    match (approval_policy, sandbox_policy) {
-        (UnlessTrusted, _) => {
-            // Even though the user may have opted into DangerFullAccess,
-            // they also requested that we ask for approval for untrusted
-            // commands.
-            SafetyCheck::AskUser
-        }
-        (OnFailure, DangerFullAccess)
-        | (Never, DangerFullAccess)
-        | (OnRequest, DangerFullAccess) => SafetyCheck::AutoApprove {
-            sandbox_type: SandboxType::None,
-            user_explicitly_approved: false,
-        },
-        (OnRequest, ReadOnly) | (OnRequest, WorkspaceWrite { .. }) => {
-            if with_escalated_permissions {
-                SafetyCheck::AskUser
-            } else {
-                match get_platform_sandbox() {
-                    Some(sandbox_type) => SafetyCheck::AutoApprove {
-                        sandbox_type,
-                        user_explicitly_approved: false,
-                    },
-                    // Fall back to asking since the command is untrusted and
-                    // we do not have a sandbox available
-                    None => SafetyCheck::AskUser,
-                }
-            }
-        }
-        (Never, ReadOnly)
-        | (Never, WorkspaceWrite { .. })
-        | (OnFailure, ReadOnly)
-        | (OnFailure, WorkspaceWrite { .. }) => {
-            match get_platform_sandbox() {
-                Some(sandbox_type) => SafetyCheck::AutoApprove {
-                    sandbox_type,
-                    user_explicitly_approved: false,
-                },
-                None => {
-                    if matches!(approval_policy, OnFailure) {
-                        // Since the command is not trusted, even though the
-                        // user has requested to only ask for approval on
-                        // failure, we will ask the user because no sandbox is
-                        // available.
-                        SafetyCheck::AskUser
-                    } else {
-                        // We are in non-interactive mode and lack approval, so
-                        // all we can do is reject the command.
-                        SafetyCheck::Reject {
-                            reason: "auto-rejected because command is not on trusted list"
-                                .to_string(),
-                        }
-                    }
-                }
-            }
-        }
-    }
-}
-
 pub fn get_platform_sandbox() -> Option<SandboxType> {
    if cfg!(target_os = "macos") {
        Some(SandboxType::MacosSeatbelt)
@@ -339,101 +217,4 @@ mod tests {
            &cwd,
        ));
    }
-
-    #[test]
-    fn test_request_escalated_privileges() {
-        // Should not be a trusted command
-        let command = vec!["git commit".to_string()];
-        let approval_policy = AskForApproval::OnRequest;
-        let sandbox_policy = SandboxPolicy::ReadOnly;
-        let approved: HashSet<Vec<String>> = HashSet::new();
-        let request_escalated_privileges = true;
-
-        let safety_check = assess_command_safety(
-            &command,
-            approval_policy,
-            &sandbox_policy,
-            &approved,
-            request_escalated_privileges,
-        );
-
-        assert_eq!(safety_check, SafetyCheck::AskUser);
-    }
-
-    #[test]
-    fn dangerous_command_allowed_if_explicitly_approved() {
-        let command = vec!["git".to_string(), "reset".to_string(), "--hard".to_string()];
-        let approval_policy = AskForApproval::OnRequest;
-        let sandbox_policy = SandboxPolicy::ReadOnly;
-        let mut approved: HashSet<Vec<String>> = HashSet::new();
-        approved.insert(command.clone());
-        let request_escalated_privileges = false;
-
-        let safety_check = assess_command_safety(
-            &command,
-            approval_policy,
-            &sandbox_policy,
-            &approved,
-            request_escalated_privileges,
-        );
-
-        assert_eq!(
-            safety_check,
-            SafetyCheck::AutoApprove {
-                sandbox_type: SandboxType::None,
-                user_explicitly_approved: true,
-            }
-        );
-    }
-
-    #[test]
-    fn dangerous_command_not_allowed_if_not_explicitly_approved() {
-        let command = vec!["git".to_string(), "reset".to_string(), "--hard".to_string()];
-        let approval_policy = AskForApproval::Never;
-        let sandbox_policy = SandboxPolicy::ReadOnly;
-        let approved: HashSet<Vec<String>> = HashSet::new();
-        let request_escalated_privileges = false;
-
-        let safety_check = assess_command_safety(
-            &command,
-            approval_policy,
-            &sandbox_policy,
-            &approved,
-            request_escalated_privileges,
-        );
-
-        assert_eq!(
-            safety_check,
-            SafetyCheck::Reject {
-                reason: "dangerous command detected; rejected by user approval settings"
-                    .to_string(),
-            }
-        );
-    }
-
-    #[test]
-    fn test_request_escalated_privileges_no_sandbox_fallback() {
-        let command = vec!["git".to_string(), "commit".to_string()];
-        let approval_policy = AskForApproval::OnRequest;
-        let sandbox_policy = SandboxPolicy::ReadOnly;
-        let approved: HashSet<Vec<String>> = HashSet::new();
-        let request_escalated_privileges = false;
-
-        let safety_check = assess_command_safety(
-            &command,
-            approval_policy,
-            &sandbox_policy,
-            &approved,
-            request_escalated_privileges,
-        );
-
-        let expected = match get_platform_sandbox() {
-            Some(sandbox_type) => SafetyCheck::AutoApprove {
-                sandbox_type,
-                user_explicitly_approved: false,
-            },
-            None => SafetyCheck::AskUser,
-        };
-        assert_eq!(safety_check, expected);
-    }
 }
--- a/codex-rs/core/src/sandboxing/mod.rs
+++ b/codex-rs/core/src/sandboxing/mod.rs
@@ -0,0 +1,170 @@
+/*
+Module: sandboxing
+
+Build platform wrappers and produce ExecEnv for execution. Owns low‑level
+sandbox placement and transformation of portable CommandSpec into a
+ready‑to‑spawn environment.
+*/
+use crate::exec::ExecToolCallOutput;
+use crate::exec::SandboxType;
+use crate::exec::StdoutStream;
+use crate::exec::execute_exec_env;
+use crate::landlock::create_linux_sandbox_command_args;
+use crate::protocol::SandboxPolicy;
+use crate::seatbelt::MACOS_PATH_TO_SEATBELT_EXECUTABLE;
+use crate::seatbelt::create_seatbelt_command_args;
+use crate::spawn::CODEX_SANDBOX_ENV_VAR;
+use crate::spawn::CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR;
+use crate::tools::sandboxing::SandboxablePreference;
+use std::collections::HashMap;
+use std::path::Path;
+use std::path::PathBuf;
+
+#[derive(Clone, Debug)]
+pub struct CommandSpec {
+    pub program: String,
+    pub args: Vec<String>,
+    pub cwd: PathBuf,
+    pub env: HashMap<String, String>,
+    pub timeout_ms: Option<u64>,
+    pub with_escalated_permissions: Option<bool>,
+    pub justification: Option<String>,
+}
+
+#[derive(Clone, Debug)]
+pub struct ExecEnv {
+    pub command: Vec<String>,
+    pub cwd: PathBuf,
+    pub env: HashMap<String, String>,
+    pub timeout_ms: Option<u64>,
+    pub sandbox: SandboxType,
+    pub with_escalated_permissions: Option<bool>,
+    pub justification: Option<String>,
+    pub arg0: Option<String>,
+}
+
+pub enum SandboxPreference {
+    Auto,
+    Require,
+    Forbid,
+}
+
+#[derive(Debug, thiserror::Error)]
+pub(crate) enum SandboxTransformError {
+    #[error("missing codex-linux-sandbox executable path")]
+    MissingLinuxSandboxExecutable,
+}
+
+#[derive(Default)]
+pub struct SandboxManager;
+
+impl SandboxManager {
+    pub fn new() -> Self {
+        Self
+    }
+
+    pub(crate) fn select_initial(
+        &self,
+        policy: &SandboxPolicy,
+        pref: SandboxablePreference,
+    ) -> SandboxType {
+        match pref {
+            SandboxablePreference::Forbid => SandboxType::None,
+            SandboxablePreference::Require => {
+                #[cfg(target_os = "macos")]
+                {
+                    return SandboxType::MacosSeatbelt;
+                }
+                #[cfg(target_os = "linux")]
+                {
+                    return SandboxType::LinuxSeccomp;
+                }
+                #[allow(unreachable_code)]
+                SandboxType::None
+            }
+            SandboxablePreference::Auto => match policy {
+                SandboxPolicy::DangerFullAccess => SandboxType::None,
+                #[cfg(target_os = "macos")]
+                _ => SandboxType::MacosSeatbelt,
+                #[cfg(target_os = "linux")]
+                _ => SandboxType::LinuxSeccomp,
+                #[cfg(not(any(target_os = "macos", target_os = "linux")))]
+                _ => SandboxType::None,
+            },
+        }
+    }
+
+    pub(crate) fn transform(
+        &self,
+        spec: &CommandSpec,
+        policy: &SandboxPolicy,
+        sandbox: SandboxType,
+        sandbox_policy_cwd: &Path,
+        codex_linux_sandbox_exe: Option<&PathBuf>,
+    ) -> Result<ExecEnv, SandboxTransformError> {
+        let mut env = spec.env.clone();
+        if !policy.has_full_network_access() {
+            env.insert(
+                CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR.to_string(),
+                "1".to_string(),
+            );
+        }
+
+        let mut command = Vec::with_capacity(1 + spec.args.len());
+        command.push(spec.program.clone());
+        command.extend(spec.args.iter().cloned());
+
+        let (command, sandbox_env, arg0_override) = match sandbox {
+            SandboxType::None => (command, HashMap::new(), None),
+            SandboxType::MacosSeatbelt => {
+                let mut seatbelt_env = HashMap::new();
+                seatbelt_env.insert(CODEX_SANDBOX_ENV_VAR.to_string(), "seatbelt".to_string());
+                let mut args =
+                    create_seatbelt_command_args(command.clone(), policy, sandbox_policy_cwd);
+                let mut full_command = Vec::with_capacity(1 + args.len());
+                full_command.push(MACOS_PATH_TO_SEATBELT_EXECUTABLE.to_string());
+                full_command.append(&mut args);
+                (full_command, seatbelt_env, None)
+            }
+            SandboxType::LinuxSeccomp => {
+                let exe = codex_linux_sandbox_exe
+                    .ok_or(SandboxTransformError::MissingLinuxSandboxExecutable)?;
+                let mut args =
+                    create_linux_sandbox_command_args(command.clone(), policy, sandbox_policy_cwd);
+                let mut full_command = Vec::with_capacity(1 + args.len());
+                full_command.push(exe.to_string_lossy().to_string());
+                full_command.append(&mut args);
+                (
+                    full_command,
+                    HashMap::new(),
+                    Some("codex-linux-sandbox".to_string()),
+                )
+            }
+        };
+
+        env.extend(sandbox_env);
+
+        Ok(ExecEnv {
+            command,
+            cwd: spec.cwd.clone(),
+            env,
+            timeout_ms: spec.timeout_ms,
+            sandbox,
+            with_escalated_permissions: spec.with_escalated_permissions,
+            justification: spec.justification.clone(),
+            arg0: arg0_override,
+        })
+    }
+
+    pub fn denied(&self, sandbox: SandboxType, out: &ExecToolCallOutput) -> bool {
+        crate::exec::is_likely_sandbox_denied(sandbox, out)
+    }
+}
+
+pub async fn execute_env(
+    env: &ExecEnv,
+    policy: &SandboxPolicy,
+    stdout_stream: Option<StdoutStream>,
+) -> crate::error::Result<ExecToolCallOutput> {
+    execute_exec_env(env.clone(), policy, stdout_stream).await
+}
--- a/codex-rs/core/src/seatbelt.rs
+++ b/codex-rs/core/src/seatbelt.rs
@@ -14,7 +14,7 @@ const MACOS_SEATBELT_BASE_POLICY: &str = include_str!("seatbelt_base_policy.sbpl
 /// to defend against an attacker trying to inject a malicious version on the
 /// PATH. If /usr/bin/sandbox-exec has been tampered with, then the attacker
 /// already has root access.
-const MACOS_PATH_TO_SEATBELT_EXECUTABLE: &str = "/usr/bin/sandbox-exec";
+pub(crate) const MACOS_PATH_TO_SEATBELT_EXECUTABLE: &str = "/usr/bin/sandbox-exec";

 pub async fn spawn_command_under_seatbelt(
    command: Vec<String>,
@@ -39,7 +39,7 @@ pub async fn spawn_command_under_seatbelt(
    .await
 }

-fn create_seatbelt_command_args(
+pub(crate) fn create_seatbelt_command_args(
    command: Vec<String>,
    sandbox_policy: &SandboxPolicy,
    sandbox_policy_cwd: &Path,
--- a/codex-rs/core/src/shell.rs
+++ b/codex-rs/core/src/shell.rs
@@ -347,6 +347,7 @@ mod tests {
                    )]),
                    with_escalated_permissions: None,
                    justification: None,
+                    arg0: None,
                },
                SandboxType::None,
                &SandboxPolicy::DangerFullAccess,
@@ -455,6 +456,7 @@ mod macos_tests {
                    )]),
                    with_escalated_permissions: None,
                    justification: None,
+                    arg0: None,
                },
                SandboxType::None,
                &SandboxPolicy::DangerFullAccess,
--- a/codex-rs/core/src/state/service.rs
+++ b/codex-rs/core/src/state/service.rs
@@ -1,18 +1,22 @@
+use std::sync::Arc;
+
+use crate::AuthManager;
 use crate::RolloutRecorder;
-use crate::exec_command::ExecSessionManager;
-use crate::executor::Executor;
 use crate::mcp_connection_manager::McpConnectionManager;
+use crate::tools::sandboxing::ApprovalStore;
 use crate::unified_exec::UnifiedExecSessionManager;
 use crate::user_notification::UserNotifier;
+use codex_otel::otel_event_manager::OtelEventManager;
 use tokio::sync::Mutex;

 pub(crate) struct SessionServices {
    pub(crate) mcp_connection_manager: McpConnectionManager,
-    pub(crate) session_manager: ExecSessionManager,
    pub(crate) unified_exec_manager: UnifiedExecSessionManager,
    pub(crate) notifier: UserNotifier,
    pub(crate) rollout: Mutex<Option<RolloutRecorder>>,
    pub(crate) user_shell: crate::shell::Shell,
    pub(crate) show_raw_agent_reasoning: bool,
-    pub(crate) executor: Executor,
+    pub(crate) auth_manager: Arc<AuthManager>,
+    pub(crate) otel_event_manager: OtelEventManager,
+    pub(crate) tool_approvals: Mutex<ApprovalStore>,
 }
--- a/codex-rs/core/src/state/session.rs
+++ b/codex-rs/core/src/state/session.rs
@@ -2,14 +2,15 @@

 use codex_protocol::models::ResponseItem;

+use crate::codex::SessionConfiguration;
 use crate::conversation_history::ConversationHistory;
 use crate::protocol::RateLimitSnapshot;
 use crate::protocol::TokenUsage;
 use crate::protocol::TokenUsageInfo;

 /// Persistent, session-scoped state previously stored directly on `Session`.
-#[derive(Default)]
 pub(crate) struct SessionState {
+    pub(crate) session_configuration: SessionConfiguration,
    pub(crate) history: ConversationHistory,
    pub(crate) token_info: Option<TokenUsageInfo>,
    pub(crate) latest_rate_limits: Option<RateLimitSnapshot>,
@@ -17,10 +18,12 @@ pub(crate) struct SessionState {

 impl SessionState {
    /// Create a new session state mirroring previous `State::default()` semantics.
-    pub(crate) fn new() -> Self {
+    pub(crate) fn new(session_configuration: SessionConfiguration) -> Self {
        Self {
+            session_configuration,
            history: ConversationHistory::new(),
-            ..Default::default()
+            token_info: None,
+            latest_rate_limits: None,
        }
    }

@@ -45,7 +48,7 @@ impl SessionState {
    pub(crate) fn update_token_info_from_usage(
        &mut self,
        usage: &TokenUsage,
-        model_context_window: Option<u64>,
+        model_context_window: Option<i64>,
    ) {
        self.token_info = TokenUsageInfo::new_or_append(
            &self.token_info,
@@ -64,7 +67,7 @@ impl SessionState {
        (self.token_info.clone(), self.latest_rate_limits.clone())
    }

-    pub(crate) fn set_token_usage_full(&mut self, context_window: u64) {
+    pub(crate) fn set_token_usage_full(&mut self, context_window: i64) {
        match &mut self.token_info {
            Some(info) => info.fill_to_context_window(context_window),
            None => {
--- a/codex-rs/core/src/state/turn.rs
+++ b/codex-rs/core/src/state/turn.rs
@@ -4,7 +4,9 @@ use indexmap::IndexMap;
 use std::collections::HashMap;
 use std::sync::Arc;
 use tokio::sync::Mutex;
-use tokio::task::AbortHandle;
+use tokio::sync::Notify;
+use tokio_util::sync::CancellationToken;
+use tokio_util::task::AbortOnDropHandle;

 use codex_protocol::models::ResponseInputItem;
 use tokio::sync::oneshot;
@@ -34,11 +36,23 @@ pub(crate) enum TaskKind {
    Compact,
 }

+impl TaskKind {
+    pub(crate) fn header_value(self) -> &'static str {
+        match self {
+            TaskKind::Regular => "standard",
+            TaskKind::Review => "review",
+            TaskKind::Compact => "compact",
+        }
+    }
+}
+
 #[derive(Clone)]
 pub(crate) struct RunningTask {
-    pub(crate) handle: AbortHandle,
+    pub(crate) done: Arc<Notify>,
    pub(crate) kind: TaskKind,
    pub(crate) task: Arc<dyn SessionTask>,
+    pub(crate) cancellation_token: CancellationToken,
+    pub(crate) handle: Arc<AbortOnDropHandle<()>>,
 }

 impl ActiveTurn {
@@ -105,11 +119,16 @@ impl ActiveTurn {
        let mut ts = self.turn_state.lock().await;
        ts.clear_pending();
    }
+}

-    /// Best-effort, non-blocking variant for synchronous contexts (Drop/interrupt).
-    pub(crate) fn try_clear_pending_sync(&self) {
-        if let Ok(mut ts) = self.turn_state.try_lock() {
-            ts.clear_pending();
-        }
+#[cfg(test)]
+mod tests {
+    use super::TaskKind;
+
+    #[test]
+    fn header_value_matches_expected_labels() {
+        assert_eq!(TaskKind::Regular.header_value(), "standard");
+        assert_eq!(TaskKind::Review.header_value(), "review");
+        assert_eq!(TaskKind::Compact.header_value(), "compact");
    }
 }
--- a/codex-rs/core/src/tasks/compact.rs
+++ b/codex-rs/core/src/tasks/compact.rs
@@ -1,6 +1,7 @@
 use std::sync::Arc;

 use async_trait::async_trait;
+use tokio_util::sync::CancellationToken;

 use crate::codex::TurnContext;
 use crate::codex::compact;
@@ -25,6 +26,7 @@ impl SessionTask for CompactTask {
        ctx: Arc<TurnContext>,
        sub_id: String,
        input: Vec<InputItem>,
+        _cancellation_token: CancellationToken,
    ) -> Option<String> {
        compact::run_compact_task(session.clone_session(), ctx, sub_id, input).await
    }
--- a/codex-rs/core/src/tasks/mod.rs
+++ b/codex-rs/core/src/tasks/mod.rs
@@ -3,9 +3,15 @@ mod regular;
 mod review;

 use std::sync::Arc;
+use std::time::Duration;

 use async_trait::async_trait;
+use tokio::select;
+use tokio::sync::Notify;
+use tokio_util::sync::CancellationToken;
+use tokio_util::task::AbortOnDropHandle;
 use tracing::trace;
+use tracing::warn;

 use crate::codex::Session;
 use crate::codex::TurnContext;
@@ -23,6 +29,8 @@ pub(crate) use compact::CompactTask;
 pub(crate) use regular::RegularTask;
 pub(crate) use review::ReviewTask;

+const GRACEFULL_INTERRUPTION_TIMEOUT_MS: u64 = 100;
+
 /// Thin wrapper that exposes the parts of [`Session`] task runners need.
 #[derive(Clone)]
 pub(crate) struct SessionTaskContext {
@@ -49,6 +57,7 @@ pub(crate) trait SessionTask: Send + Sync + 'static {
        ctx: Arc<TurnContext>,
        sub_id: String,
        input: Vec<InputItem>,
+        cancellation_token: CancellationToken,
    ) -> Option<String>;

    async fn abort(&self, session: Arc<SessionTaskContext>, sub_id: &str) {
@@ -69,26 +78,42 @@ impl Session {
        let task: Arc<dyn SessionTask> = Arc::new(task);
        let task_kind = task.kind();

+        let cancellation_token = CancellationToken::new();
+        let done = Arc::new(Notify::new());
+
+        let done_clone = Arc::clone(&done);
        let handle = {
            let session_ctx = Arc::new(SessionTaskContext::new(Arc::clone(self)));
            let ctx = Arc::clone(&turn_context);
            let task_for_run = Arc::clone(&task);
            let sub_clone = sub_id.clone();
+            let task_cancellation_token = cancellation_token.child_token();
            tokio::spawn(async move {
                let last_agent_message = task_for_run
-                    .run(Arc::clone(&session_ctx), ctx, sub_clone.clone(), input)
+                    .run(
+                        Arc::clone(&session_ctx),
+                        ctx,
+                        sub_clone.clone(),
+                        input,
+                        task_cancellation_token.child_token(),
+                    )
                    .await;
-                // Emit completion uniformly from spawn site so all tasks share the same lifecycle.
-                let sess = session_ctx.clone_session();
-                sess.on_task_finished(sub_clone, last_agent_message).await;
+
+                if !task_cancellation_token.is_cancelled() {
+                    // Emit completion uniformly from spawn site so all tasks share the same lifecycle.
+                    let sess = session_ctx.clone_session();
+                    sess.on_task_finished(sub_clone, last_agent_message).await;
+                }
+                done_clone.notify_waiters();
            })
-            .abort_handle()
        };

        let running_task = RunningTask {
-            handle,
+            done,
+            handle: Arc::new(AbortOnDropHandle::new(handle)),
            kind: task_kind,
            task,
+            cancellation_token,
        };
        self.register_new_active_task(sub_id, running_task).await;
    }
@@ -143,14 +168,24 @@ impl Session {
        task: RunningTask,
        reason: TurnAbortReason,
    ) {
-        if task.handle.is_finished() {
+        if task.cancellation_token.is_cancelled() {
            return;
        }

        trace!(task_kind = ?task.kind, sub_id, "aborting running task");
+        task.cancellation_token.cancel();
        let session_task = task.task;
-        let handle = task.handle;
-        handle.abort();
+
+        select! {
+            _ = task.done.notified() => {
+            },
+            _ = tokio::time::sleep(Duration::from_millis(GRACEFULL_INTERRUPTION_TIMEOUT_MS)) => {
+                warn!("task {sub_id} didn't complete gracefully after {}ms", GRACEFULL_INTERRUPTION_TIMEOUT_MS);
+            }
+        }
+
+        task.handle.abort();
+
        let session_ctx = Arc::new(SessionTaskContext::new(Arc::clone(self)));
        session_task.abort(session_ctx, &sub_id).await;

--- a/codex-rs/core/src/tasks/regular.rs
+++ b/codex-rs/core/src/tasks/regular.rs
@@ -1,6 +1,7 @@
 use std::sync::Arc;

 use async_trait::async_trait;
+use tokio_util::sync::CancellationToken;

 use crate::codex::TurnContext;
 use crate::codex::run_task;
@@ -25,8 +26,17 @@ impl SessionTask for RegularTask {
        ctx: Arc<TurnContext>,
        sub_id: String,
        input: Vec<InputItem>,
+        cancellation_token: CancellationToken,
    ) -> Option<String> {
        let sess = session.clone_session();
-        run_task(sess, ctx, sub_id, input).await
+        run_task(
+            sess,
+            ctx,
+            sub_id,
+            input,
+            TaskKind::Regular,
+            cancellation_token,
+        )
+        .await
    }
 }
--- a/codex-rs/core/src/tasks/review.rs
+++ b/codex-rs/core/src/tasks/review.rs
@@ -1,6 +1,7 @@
 use std::sync::Arc;

 use async_trait::async_trait;
+use tokio_util::sync::CancellationToken;

 use crate::codex::TurnContext;
 use crate::codex::exit_review_mode;
@@ -26,9 +27,18 @@ impl SessionTask for ReviewTask {
        ctx: Arc<TurnContext>,
        sub_id: String,
        input: Vec<InputItem>,
+        cancellation_token: CancellationToken,
    ) -> Option<String> {
        let sess = session.clone_session();
-        run_task(sess, ctx, sub_id, input).await
+        run_task(
+            sess,
+            ctx,
+            sub_id,
+            input,
+            TaskKind::Review,
+            cancellation_token,
+        )
+        .await
    }

    async fn abort(&self, session: Arc<SessionTaskContext>, sub_id: &str) {
--- a/codex-rs/core/src/token_data.rs
+++ b/codex-rs/core/src/token_data.rs
@@ -28,6 +28,8 @@ pub struct IdTokenInfo {
    /// (e.g., "free", "plus", "pro", "business", "enterprise", "edu").
    /// (Note: values may vary by backend.)
    pub(crate) chatgpt_plan_type: Option<PlanType>,
+    /// Organization/workspace identifier associated with the token, if present.
+    pub chatgpt_account_id: Option<String>,
    pub raw_jwt: String,
 }

@@ -71,6 +73,8 @@ struct IdClaims {
 struct AuthClaims {
    #[serde(default)]
    chatgpt_plan_type: Option<PlanType>,
+    #[serde(default)]
+    chatgpt_account_id: Option<String>,
 }

 #[derive(Debug, Error)]
@@ -94,11 +98,20 @@ pub fn parse_id_token(id_token: &str) -> Result<IdTokenInfo, IdTokenInfoError> {
    let payload_bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(payload_b64)?;
    let claims: IdClaims = serde_json::from_slice(&payload_bytes)?;

-    Ok(IdTokenInfo {
-        email: claims.email,
-        chatgpt_plan_type: claims.auth.and_then(|a| a.chatgpt_plan_type),
-        raw_jwt: id_token.to_string(),
-    })
+    match claims.auth {
+        Some(auth) => Ok(IdTokenInfo {
+            email: claims.email,
+            raw_jwt: id_token.to_string(),
+            chatgpt_plan_type: auth.chatgpt_plan_type,
+            chatgpt_account_id: auth.chatgpt_account_id,
+        }),
+        None => Ok(IdTokenInfo {
+            email: claims.email,
+            raw_jwt: id_token.to_string(),
+            chatgpt_plan_type: None,
+            chatgpt_account_id: None,
+        }),
+    }
 }

 fn deserialize_id_token<'de, D>(deserializer: D) -> Result<IdTokenInfo, D::Error>
--- a/codex-rs/core/src/tools/context.rs
+++ b/codex-rs/core/src/tools/context.rs
@@ -232,6 +232,7 @@ mod tests {
 }

 #[derive(Clone, Debug)]
+#[allow(dead_code)]
 pub(crate) struct ExecCommandContext {
    pub(crate) sub_id: String,
    pub(crate) call_id: String,
@@ -243,6 +244,7 @@ pub(crate) struct ExecCommandContext {
 }

 #[derive(Clone, Debug)]
+#[allow(dead_code)]
 pub(crate) struct ApplyPatchCommandContext {
    pub(crate) user_explicitly_approved_this_action: bool,
    pub(crate) changes: HashMap<PathBuf, FileChange>,
--- a/codex-rs/core/src/tools/events.rs
+++ b/codex-rs/core/src/tools/events.rs
@@ -0,0 +1,235 @@
+use crate::codex::Session;
+use crate::exec::ExecToolCallOutput;
+use crate::parse_command::parse_command;
+use crate::protocol::Event;
+use crate::protocol::EventMsg;
+use crate::protocol::ExecCommandBeginEvent;
+use crate::protocol::ExecCommandEndEvent;
+use crate::protocol::FileChange;
+use crate::protocol::PatchApplyBeginEvent;
+use crate::protocol::PatchApplyEndEvent;
+use crate::protocol::TurnDiffEvent;
+use crate::tools::context::SharedTurnDiffTracker;
+use std::collections::HashMap;
+use std::path::PathBuf;
+use std::time::Duration;
+
+use super::format_exec_output;
+use super::format_exec_output_str;
+
+#[derive(Clone, Copy)]
+pub(crate) struct ToolEventCtx<'a> {
+    pub session: &'a Session,
+    pub sub_id: &'a str,
+    pub call_id: &'a str,
+    pub turn_diff_tracker: Option<&'a SharedTurnDiffTracker>,
+}
+
+impl<'a> ToolEventCtx<'a> {
+    pub fn new(
+        session: &'a Session,
+        sub_id: &'a str,
+        call_id: &'a str,
+        turn_diff_tracker: Option<&'a SharedTurnDiffTracker>,
+    ) -> Self {
+        Self {
+            session,
+            sub_id,
+            call_id,
+            turn_diff_tracker,
+        }
+    }
+}
+
+pub(crate) enum ToolEventStage {
+    Begin,
+    Success(ExecToolCallOutput),
+    Failure(ToolEventFailure),
+}
+
+pub(crate) enum ToolEventFailure {
+    Output(ExecToolCallOutput),
+    Message(String),
+}
+// Concrete, allocation-free emitter: avoid trait objects and boxed futures.
+pub(crate) enum ToolEmitter {
+    Shell {
+        command: Vec<String>,
+        cwd: PathBuf,
+    },
+    ApplyPatch {
+        changes: HashMap<PathBuf, FileChange>,
+        auto_approved: bool,
+    },
+}
+
+impl ToolEmitter {
+    pub fn shell(command: Vec<String>, cwd: PathBuf) -> Self {
+        Self::Shell { command, cwd }
+    }
+
+    pub fn apply_patch(changes: HashMap<PathBuf, FileChange>, auto_approved: bool) -> Self {
+        Self::ApplyPatch {
+            changes,
+            auto_approved,
+        }
+    }
+
+    pub async fn emit(&self, ctx: ToolEventCtx<'_>, stage: ToolEventStage) {
+        match (self, stage) {
+            (Self::Shell { command, cwd }, ToolEventStage::Begin) => {
+                ctx.session
+                    .send_event(Event {
+                        id: ctx.sub_id.to_string(),
+                        msg: EventMsg::ExecCommandBegin(ExecCommandBeginEvent {
+                            call_id: ctx.call_id.to_string(),
+                            command: command.clone(),
+                            cwd: cwd.clone(),
+                            parsed_cmd: parse_command(command),
+                        }),
+                    })
+                    .await;
+            }
+            (Self::Shell { .. }, ToolEventStage::Success(output)) => {
+                emit_exec_end(
+                    ctx,
+                    output.stdout.text.clone(),
+                    output.stderr.text.clone(),
+                    output.aggregated_output.text.clone(),
+                    output.exit_code,
+                    output.duration,
+                    format_exec_output_str(&output),
+                )
+                .await;
+            }
+            (Self::Shell { .. }, ToolEventStage::Failure(ToolEventFailure::Output(output))) => {
+                emit_exec_end(
+                    ctx,
+                    output.stdout.text.clone(),
+                    output.stderr.text.clone(),
+                    output.aggregated_output.text.clone(),
+                    output.exit_code,
+                    output.duration,
+                    format_exec_output_str(&output),
+                )
+                .await;
+            }
+            (Self::Shell { .. }, ToolEventStage::Failure(ToolEventFailure::Message(message))) => {
+                emit_exec_end(
+                    ctx,
+                    String::new(),
+                    (*message).to_string(),
+                    (*message).to_string(),
+                    -1,
+                    Duration::ZERO,
+                    format_exec_output(&message),
+                )
+                .await;
+            }
+
+            (
+                Self::ApplyPatch {
+                    changes,
+                    auto_approved,
+                },
+                ToolEventStage::Begin,
+            ) => {
+                if let Some(tracker) = ctx.turn_diff_tracker {
+                    let mut guard = tracker.lock().await;
+                    guard.on_patch_begin(changes);
+                }
+                ctx.session
+                    .send_event(Event {
+                        id: ctx.sub_id.to_string(),
+                        msg: EventMsg::PatchApplyBegin(PatchApplyBeginEvent {
+                            call_id: ctx.call_id.to_string(),
+                            auto_approved: *auto_approved,
+                            changes: changes.clone(),
+                        }),
+                    })
+                    .await;
+            }
+            (Self::ApplyPatch { .. }, ToolEventStage::Success(output)) => {
+                emit_patch_end(
+                    ctx,
+                    output.stdout.text.clone(),
+                    output.stderr.text.clone(),
+                    output.exit_code == 0,
+                )
+                .await;
+            }
+            (
+                Self::ApplyPatch { .. },
+                ToolEventStage::Failure(ToolEventFailure::Output(output)),
+            ) => {
+                emit_patch_end(
+                    ctx,
+                    output.stdout.text.clone(),
+                    output.stderr.text.clone(),
+                    output.exit_code == 0,
+                )
+                .await;
+            }
+            (
+                Self::ApplyPatch { .. },
+                ToolEventStage::Failure(ToolEventFailure::Message(message)),
+            ) => {
+                emit_patch_end(ctx, String::new(), (*message).to_string(), false).await;
+            }
+        }
+    }
+}
+
+async fn emit_exec_end(
+    ctx: ToolEventCtx<'_>,
+    stdout: String,
+    stderr: String,
+    aggregated_output: String,
+    exit_code: i32,
+    duration: Duration,
+    formatted_output: String,
+) {
+    ctx.session
+        .send_event(Event {
+            id: ctx.sub_id.to_string(),
+            msg: EventMsg::ExecCommandEnd(ExecCommandEndEvent {
+                call_id: ctx.call_id.to_string(),
+                stdout,
+                stderr,
+                aggregated_output,
+                exit_code,
+                duration,
+                formatted_output,
+            }),
+        })
+        .await;
+}
+
+async fn emit_patch_end(ctx: ToolEventCtx<'_>, stdout: String, stderr: String, success: bool) {
+    ctx.session
+        .send_event(Event {
+            id: ctx.sub_id.to_string(),
+            msg: EventMsg::PatchApplyEnd(PatchApplyEndEvent {
+                call_id: ctx.call_id.to_string(),
+                stdout,
+                stderr,
+                success,
+            }),
+        })
+        .await;
+
+    if let Some(tracker) = ctx.turn_diff_tracker {
+        let unified_diff = {
+            let mut guard = tracker.lock().await;
+            guard.get_unified_diff()
+        };
+        if let Ok(Some(unified_diff)) = unified_diff {
+            ctx.session
+                .send_event(Event {
+                    id: ctx.sub_id.to_string(),
+                    msg: EventMsg::TurnDiff(TurnDiffEvent { unified_diff }),
+                })
+                .await;
+        }
+    }
+}
--- a/codex-rs/core/src/tools/handlers/apply_patch.rs
+++ b/codex-rs/core/src/tools/handlers/apply_patch.rs
@@ -8,7 +8,6 @@ use crate::client_common::tools::ResponsesApiTool;
 use crate::client_common::tools::ToolSpec;
 use crate::exec::ExecParams;
 use crate::function_tool::FunctionCallError;
-use crate::openai_tools::JsonSchema;
 use crate::tools::context::ToolInvocation;
 use crate::tools::context::ToolOutput;
 use crate::tools::context::ToolPayload;
@@ -16,6 +15,7 @@ use crate::tools::handle_container_exec_with_params;
 use crate::tools::registry::ToolHandler;
 use crate::tools::registry::ToolKind;
 use crate::tools::spec::ApplyPatchToolArgs;
+use crate::tools::spec::JsonSchema;
 use async_trait::async_trait;
 use serde::Deserialize;
 use serde::Serialize;
@@ -72,6 +72,7 @@ impl ToolHandler for ApplyPatchHandler {
            env: HashMap::new(),
            with_escalated_permissions: None,
            justification: None,
+            arg0: None,
        };

        let content = handle_container_exec_with_params(
--- a/codex-rs/core/src/tools/handlers/exec_stream.rs
+++ b/codex-rs/core/src/tools/handlers/exec_stream.rs
@@ -1,68 +0,0 @@
-use async_trait::async_trait;
-
-use crate::exec_command::EXEC_COMMAND_TOOL_NAME;
-use crate::exec_command::ExecCommandParams;
-use crate::exec_command::WRITE_STDIN_TOOL_NAME;
-use crate::exec_command::WriteStdinParams;
-use crate::function_tool::FunctionCallError;
-use crate::tools::context::ToolInvocation;
-use crate::tools::context::ToolOutput;
-use crate::tools::context::ToolPayload;
-use crate::tools::registry::ToolHandler;
-use crate::tools::registry::ToolKind;
-
-pub struct ExecStreamHandler;
-
-#[async_trait]
-impl ToolHandler for ExecStreamHandler {
-    fn kind(&self) -> ToolKind {
-        ToolKind::Function
-    }
-
-    async fn handle(&self, invocation: ToolInvocation) -> Result<ToolOutput, FunctionCallError> {
-        let ToolInvocation {
-            session,
-            tool_name,
-            payload,
-            ..
-        } = invocation;
-
-        let arguments = match payload {
-            ToolPayload::Function { arguments } => arguments,
-            _ => {
-                return Err(FunctionCallError::RespondToModel(
-                    "exec_stream handler received unsupported payload".to_string(),
-                ));
-            }
-        };
-
-        let content = match tool_name.as_str() {
-            EXEC_COMMAND_TOOL_NAME => {
-                let params: ExecCommandParams = serde_json::from_str(&arguments).map_err(|e| {
-                    FunctionCallError::RespondToModel(format!(
-                        "failed to parse function arguments: {e:?}"
-                    ))
-                })?;
-                session.handle_exec_command_tool(params).await?
-            }
-            WRITE_STDIN_TOOL_NAME => {
-                let params: WriteStdinParams = serde_json::from_str(&arguments).map_err(|e| {
-                    FunctionCallError::RespondToModel(format!(
-                        "failed to parse function arguments: {e:?}"
-                    ))
-                })?;
-                session.handle_write_stdin_tool(params).await?
-            }
-            _ => {
-                return Err(FunctionCallError::RespondToModel(format!(
-                    "exec_stream handler does not support tool {tool_name}"
-                )));
-            }
-        };
-
-        Ok(ToolOutput::Function {
-            content,
-            success: Some(true),
-        })
-    }
-}
--- a/codex-rs/core/src/tools/handlers/grep_files.rs
+++ b/codex-rs/core/src/tools/handlers/grep_files.rs
@@ -0,0 +1,272 @@
+use std::path::Path;
+use std::time::Duration;
+
+use async_trait::async_trait;
+use serde::Deserialize;
+use tokio::process::Command;
+use tokio::time::timeout;
+
+use crate::function_tool::FunctionCallError;
+use crate::tools::context::ToolInvocation;
+use crate::tools::context::ToolOutput;
+use crate::tools::context::ToolPayload;
+use crate::tools::registry::ToolHandler;
+use crate::tools::registry::ToolKind;
+
+pub struct GrepFilesHandler;
+
+const DEFAULT_LIMIT: usize = 100;
+const MAX_LIMIT: usize = 2000;
+const COMMAND_TIMEOUT: Duration = Duration::from_secs(30);
+
+fn default_limit() -> usize {
+    DEFAULT_LIMIT
+}
+
+#[derive(Deserialize)]
+struct GrepFilesArgs {
+    pattern: String,
+    #[serde(default)]
+    include: Option<String>,
+    #[serde(default)]
+    path: Option<String>,
+    #[serde(default = "default_limit")]
+    limit: usize,
+}
+
+#[async_trait]
+impl ToolHandler for GrepFilesHandler {
+    fn kind(&self) -> ToolKind {
+        ToolKind::Function
+    }
+
+    async fn handle(&self, invocation: ToolInvocation) -> Result<ToolOutput, FunctionCallError> {
+        let ToolInvocation { payload, turn, .. } = invocation;
+
+        let arguments = match payload {
+            ToolPayload::Function { arguments } => arguments,
+            _ => {
+                return Err(FunctionCallError::RespondToModel(
+                    "grep_files handler received unsupported payload".to_string(),
+                ));
+            }
+        };
+
+        let args: GrepFilesArgs = serde_json::from_str(&arguments).map_err(|err| {
+            FunctionCallError::RespondToModel(format!(
+                "failed to parse function arguments: {err:?}"
+            ))
+        })?;
+
+        let pattern = args.pattern.trim();
+        if pattern.is_empty() {
+            return Err(FunctionCallError::RespondToModel(
+                "pattern must not be empty".to_string(),
+            ));
+        }
+
+        if args.limit == 0 {
+            return Err(FunctionCallError::RespondToModel(
+                "limit must be greater than zero".to_string(),
+            ));
+        }
+
+        let limit = args.limit.min(MAX_LIMIT);
+        let search_path = turn.resolve_path(args.path.clone());
+
+        verify_path_exists(&search_path).await?;
+
+        let include = args.include.as_deref().map(str::trim).and_then(|val| {
+            if val.is_empty() {
+                None
+            } else {
+                Some(val.to_string())
+            }
+        });
+
+        let search_results =
+            run_rg_search(pattern, include.as_deref(), &search_path, limit, &turn.cwd).await?;
+
+        if search_results.is_empty() {
+            Ok(ToolOutput::Function {
+                content: "No matches found.".to_string(),
+                success: Some(false),
+            })
+        } else {
+            Ok(ToolOutput::Function {
+                content: search_results.join("\n"),
+                success: Some(true),
+            })
+        }
+    }
+}
+
+async fn verify_path_exists(path: &Path) -> Result<(), FunctionCallError> {
+    tokio::fs::metadata(path).await.map_err(|err| {
+        FunctionCallError::RespondToModel(format!("unable to access `{}`: {err}", path.display()))
+    })?;
+    Ok(())
+}
+
+async fn run_rg_search(
+    pattern: &str,
+    include: Option<&str>,
+    search_path: &Path,
+    limit: usize,
+    cwd: &Path,
+) -> Result<Vec<String>, FunctionCallError> {
+    let mut command = Command::new("rg");
+    command
+        .current_dir(cwd)
+        .arg("--files-with-matches")
+        .arg("--sortr=modified")
+        .arg("--regexp")
+        .arg(pattern)
+        .arg("--no-messages");
+
+    if let Some(glob) = include {
+        command.arg("--glob").arg(glob);
+    }
+
+    command.arg("--").arg(search_path);
+
+    let output = timeout(COMMAND_TIMEOUT, command.output())
+        .await
+        .map_err(|_| {
+            FunctionCallError::RespondToModel("rg timed out after 30 seconds".to_string())
+        })?
+        .map_err(|err| {
+            FunctionCallError::RespondToModel(format!(
+                "failed to launch rg: {err}. Ensure ripgrep is installed and on PATH."
+            ))
+        })?;
+
+    match output.status.code() {
+        Some(0) => Ok(parse_results(&output.stdout, limit)),
+        Some(1) => Ok(Vec::new()),
+        _ => {
+            let stderr = String::from_utf8_lossy(&output.stderr);
+            Err(FunctionCallError::RespondToModel(format!(
+                "rg failed: {stderr}"
+            )))
+        }
+    }
+}
+
+fn parse_results(stdout: &[u8], limit: usize) -> Vec<String> {
+    let mut results = Vec::new();
+    for line in stdout.split(|byte| *byte == b'\n') {
+        if line.is_empty() {
+            continue;
+        }
+        if let Ok(text) = std::str::from_utf8(line) {
+            if text.is_empty() {
+                continue;
+            }
+            results.push(text.to_string());
+            if results.len() == limit {
+                break;
+            }
+        }
+    }
+    results
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::process::Command as StdCommand;
+    use tempfile::tempdir;
+
+    #[test]
+    fn parses_basic_results() {
+        let stdout = b"/tmp/file_a.rs\n/tmp/file_b.rs\n";
+        let parsed = parse_results(stdout, 10);
+        assert_eq!(
+            parsed,
+            vec!["/tmp/file_a.rs".to_string(), "/tmp/file_b.rs".to_string()]
+        );
+    }
+
+    #[test]
+    fn parse_truncates_after_limit() {
+        let stdout = b"/tmp/file_a.rs\n/tmp/file_b.rs\n/tmp/file_c.rs\n";
+        let parsed = parse_results(stdout, 2);
+        assert_eq!(
+            parsed,
+            vec!["/tmp/file_a.rs".to_string(), "/tmp/file_b.rs".to_string()]
+        );
+    }
+
+    #[tokio::test]
+    async fn run_search_returns_results() -> anyhow::Result<()> {
+        if !rg_available() {
+            return Ok(());
+        }
+        let temp = tempdir().expect("create temp dir");
+        let dir = temp.path();
+        std::fs::write(dir.join("match_one.txt"), "alpha beta gamma").unwrap();
+        std::fs::write(dir.join("match_two.txt"), "alpha delta").unwrap();
+        std::fs::write(dir.join("other.txt"), "omega").unwrap();
+
+        let results = run_rg_search("alpha", None, dir, 10, dir).await?;
+        assert_eq!(results.len(), 2);
+        assert!(results.iter().any(|path| path.ends_with("match_one.txt")));
+        assert!(results.iter().any(|path| path.ends_with("match_two.txt")));
+        Ok(())
+    }
+
+    #[tokio::test]
+    async fn run_search_with_glob_filter() -> anyhow::Result<()> {
+        if !rg_available() {
+            return Ok(());
+        }
+        let temp = tempdir().expect("create temp dir");
+        let dir = temp.path();
+        std::fs::write(dir.join("match_one.rs"), "alpha beta gamma").unwrap();
+        std::fs::write(dir.join("match_two.txt"), "alpha delta").unwrap();
+
+        let results = run_rg_search("alpha", Some("*.rs"), dir, 10, dir).await?;
+        assert_eq!(results.len(), 1);
+        assert!(results.iter().all(|path| path.ends_with("match_one.rs")));
+        Ok(())
+    }
+
+    #[tokio::test]
+    async fn run_search_respects_limit() -> anyhow::Result<()> {
+        if !rg_available() {
+            return Ok(());
+        }
+        let temp = tempdir().expect("create temp dir");
+        let dir = temp.path();
+        std::fs::write(dir.join("one.txt"), "alpha one").unwrap();
+        std::fs::write(dir.join("two.txt"), "alpha two").unwrap();
+        std::fs::write(dir.join("three.txt"), "alpha three").unwrap();
+
+        let results = run_rg_search("alpha", None, dir, 2, dir).await?;
+        assert_eq!(results.len(), 2);
+        Ok(())
+    }
+
+    #[tokio::test]
+    async fn run_search_handles_no_matches() -> anyhow::Result<()> {
+        if !rg_available() {
+            return Ok(());
+        }
+        let temp = tempdir().expect("create temp dir");
+        let dir = temp.path();
+        std::fs::write(dir.join("one.txt"), "omega").unwrap();
+
+        let results = run_rg_search("alpha", None, dir, 5, dir).await?;
+        assert!(results.is_empty());
+        Ok(())
+    }
+
+    fn rg_available() -> bool {
+        StdCommand::new("rg")
+            .arg("--version")
+            .output()
+            .map(|output| output.status.success())
+            .unwrap_or(false)
+    }
+}
--- a/codex-rs/core/src/tools/handlers/mcp_resource.rs
+++ b/codex-rs/core/src/tools/handlers/mcp_resource.rs
@@ -0,0 +1,773 @@
+use std::collections::HashMap;
+use std::sync::Arc;
+use std::time::Duration;
+use std::time::Instant;
+
+use async_trait::async_trait;
+use mcp_types::CallToolResult;
+use mcp_types::ContentBlock;
+use mcp_types::ListResourceTemplatesRequestParams;
+use mcp_types::ListResourceTemplatesResult;
+use mcp_types::ListResourcesRequestParams;
+use mcp_types::ListResourcesResult;
+use mcp_types::ReadResourceRequestParams;
+use mcp_types::ReadResourceResult;
+use mcp_types::Resource;
+use mcp_types::ResourceTemplate;
+use mcp_types::TextContent;
+use serde::Deserialize;
+use serde::Serialize;
+use serde::de::DeserializeOwned;
+use serde_json::Value;
+
+use crate::codex::Session;
+use crate::function_tool::FunctionCallError;
+use crate::protocol::Event;
+use crate::protocol::EventMsg;
+use crate::protocol::McpInvocation;
+use crate::protocol::McpToolCallBeginEvent;
+use crate::protocol::McpToolCallEndEvent;
+use crate::tools::context::ToolInvocation;
+use crate::tools::context::ToolOutput;
+use crate::tools::context::ToolPayload;
+use crate::tools::registry::ToolHandler;
+use crate::tools::registry::ToolKind;
+
+pub struct McpResourceHandler;
+
+#[derive(Debug, Deserialize, Default)]
+struct ListResourcesArgs {
+    /// Lists all resources from all servers if not specified.
+    #[serde(default)]
+    server: Option<String>,
+    #[serde(default)]
+    cursor: Option<String>,
+}
+
+#[derive(Debug, Deserialize, Default)]
+struct ListResourceTemplatesArgs {
+    /// Lists all resource templates from all servers if not specified.
+    #[serde(default)]
+    server: Option<String>,
+    #[serde(default)]
+    cursor: Option<String>,
+}
+
+#[derive(Debug, Deserialize)]
+struct ReadResourceArgs {
+    server: String,
+    uri: String,
+}
+
+#[derive(Debug, Serialize)]
+struct ResourceWithServer {
+    server: String,
+    #[serde(flatten)]
+    resource: Resource,
+}
+
+impl ResourceWithServer {
+    fn new(server: String, resource: Resource) -> Self {
+        Self { server, resource }
+    }
+}
+
+#[derive(Debug, Serialize)]
+struct ResourceTemplateWithServer {
+    server: String,
+    #[serde(flatten)]
+    template: ResourceTemplate,
+}
+
+impl ResourceTemplateWithServer {
+    fn new(server: String, template: ResourceTemplate) -> Self {
+        Self { server, template }
+    }
+}
+
+#[derive(Debug, Serialize)]
+#[serde(rename_all = "camelCase")]
+struct ListResourcesPayload {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    server: Option<String>,
+    resources: Vec<ResourceWithServer>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    next_cursor: Option<String>,
+}
+
+impl ListResourcesPayload {
+    fn from_single_server(server: String, result: ListResourcesResult) -> Self {
+        let resources = result
+            .resources
+            .into_iter()
+            .map(|resource| ResourceWithServer::new(server.clone(), resource))
+            .collect();
+        Self {
+            server: Some(server),
+            resources,
+            next_cursor: result.next_cursor,
+        }
+    }
+
+    fn from_all_servers(resources_by_server: HashMap<String, Vec<Resource>>) -> Self {
+        let mut entries: Vec<(String, Vec<Resource>)> = resources_by_server.into_iter().collect();
+        entries.sort_by(|a, b| a.0.cmp(&b.0));
+
+        let mut resources = Vec::new();
+        for (server, server_resources) in entries {
+            for resource in server_resources {
+                resources.push(ResourceWithServer::new(server.clone(), resource));
+            }
+        }
+
+        Self {
+            server: None,
+            resources,
+            next_cursor: None,
+        }
+    }
+}
+
+#[derive(Debug, Serialize)]
+#[serde(rename_all = "camelCase")]
+struct ListResourceTemplatesPayload {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    server: Option<String>,
+    resource_templates: Vec<ResourceTemplateWithServer>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    next_cursor: Option<String>,
+}
+
+impl ListResourceTemplatesPayload {
+    fn from_single_server(server: String, result: ListResourceTemplatesResult) -> Self {
+        let resource_templates = result
+            .resource_templates
+            .into_iter()
+            .map(|template| ResourceTemplateWithServer::new(server.clone(), template))
+            .collect();
+        Self {
+            server: Some(server),
+            resource_templates,
+            next_cursor: result.next_cursor,
+        }
+    }
+
+    fn from_all_servers(templates_by_server: HashMap<String, Vec<ResourceTemplate>>) -> Self {
+        let mut entries: Vec<(String, Vec<ResourceTemplate>)> =
+            templates_by_server.into_iter().collect();
+        entries.sort_by(|a, b| a.0.cmp(&b.0));
+
+        let mut resource_templates = Vec::new();
+        for (server, server_templates) in entries {
+            for template in server_templates {
+                resource_templates.push(ResourceTemplateWithServer::new(server.clone(), template));
+            }
+        }
+
+        Self {
+            server: None,
+            resource_templates,
+            next_cursor: None,
+        }
+    }
+}
+
+#[derive(Debug, Serialize)]
+struct ReadResourcePayload {
+    server: String,
+    uri: String,
+    #[serde(flatten)]
+    result: ReadResourceResult,
+}
+
+#[async_trait]
+impl ToolHandler for McpResourceHandler {
+    fn kind(&self) -> ToolKind {
+        ToolKind::Function
+    }
+
+    async fn handle(&self, invocation: ToolInvocation) -> Result<ToolOutput, FunctionCallError> {
+        let ToolInvocation {
+            session,
+            sub_id,
+            call_id,
+            tool_name,
+            payload,
+            ..
+        } = invocation;
+
+        let arguments = match payload {
+            ToolPayload::Function { arguments } => arguments,
+            _ => {
+                return Err(FunctionCallError::RespondToModel(
+                    "mcp_resource handler received unsupported payload".to_string(),
+                ));
+            }
+        };
+
+        let arguments_value = parse_arguments(arguments.as_str())?;
+
+        match tool_name.as_str() {
+            "list_mcp_resources" => {
+                handle_list_resources(
+                    Arc::clone(&session),
+                    sub_id.clone(),
+                    call_id.clone(),
+                    arguments_value.clone(),
+                )
+                .await
+            }
+            "list_mcp_resource_templates" => {
+                handle_list_resource_templates(
+                    Arc::clone(&session),
+                    sub_id.clone(),
+                    call_id.clone(),
+                    arguments_value.clone(),
+                )
+                .await
+            }
+            "read_mcp_resource" => {
+                handle_read_resource(Arc::clone(&session), sub_id, call_id, arguments_value).await
+            }
+            other => Err(FunctionCallError::RespondToModel(format!(
+                "unsupported MCP resource tool: {other}"
+            ))),
+        }
+    }
+}
+
+async fn handle_list_resources(
+    session: Arc<Session>,
+    sub_id: String,
+    call_id: String,
+    arguments: Option<Value>,
+) -> Result<ToolOutput, FunctionCallError> {
+    let args: ListResourcesArgs = parse_args_with_default(arguments.clone())?;
+    let ListResourcesArgs { server, cursor } = args;
+    let server = normalize_optional_string(server);
+    let cursor = normalize_optional_string(cursor);
+
+    let invocation = McpInvocation {
+        server: server.clone().unwrap_or_else(|| "codex".to_string()),
+        tool: "list_mcp_resources".to_string(),
+        arguments: arguments.clone(),
+    };
+
+    emit_tool_call_begin(&session, &sub_id, &call_id, invocation.clone()).await;
+    let start = Instant::now();
+
+    let payload_result: Result<ListResourcesPayload, FunctionCallError> = async {
+        if let Some(server_name) = server.clone() {
+            let params = cursor.clone().map(|value| ListResourcesRequestParams {
+                cursor: Some(value),
+            });
+            let result = session
+                .list_resources(&server_name, params)
+                .await
+                .map_err(|err| {
+                    FunctionCallError::RespondToModel(format!("resources/list failed: {err:#}"))
+                })?;
+            Ok(ListResourcesPayload::from_single_server(
+                server_name,
+                result,
+            ))
+        } else {
+            if cursor.is_some() {
+                return Err(FunctionCallError::RespondToModel(
+                    "cursor can only be used when a server is specified".to_string(),
+                ));
+            }
+
+            let resources = session
+                .services
+                .mcp_connection_manager
+                .list_all_resources()
+                .await;
+            Ok(ListResourcesPayload::from_all_servers(resources))
+        }
+    }
+    .await;
+
+    match payload_result {
+        Ok(payload) => match serialize_function_output(payload) {
+            Ok(output) => {
+                let ToolOutput::Function { content, success } = &output else {
+                    unreachable!("MCP resource handler should return function output");
+                };
+                let duration = start.elapsed();
+                emit_tool_call_end(
+                    &session,
+                    &sub_id,
+                    &call_id,
+                    invocation,
+                    duration,
+                    Ok(call_tool_result_from_content(content, *success)),
+                )
+                .await;
+                Ok(output)
+            }
+            Err(err) => {
+                let duration = start.elapsed();
+                let message = err.to_string();
+                emit_tool_call_end(
+                    &session,
+                    &sub_id,
+                    &call_id,
+                    invocation,
+                    duration,
+                    Err(message.clone()),
+                )
+                .await;
+                Err(err)
+            }
+        },
+        Err(err) => {
+            let duration = start.elapsed();
+            let message = err.to_string();
+            emit_tool_call_end(
+                &session,
+                &sub_id,
+                &call_id,
+                invocation,
+                duration,
+                Err(message.clone()),
+            )
+            .await;
+            Err(err)
+        }
+    }
+}
+
+async fn handle_list_resource_templates(
+    session: Arc<Session>,
+    sub_id: String,
+    call_id: String,
+    arguments: Option<Value>,
+) -> Result<ToolOutput, FunctionCallError> {
+    let args: ListResourceTemplatesArgs = parse_args_with_default(arguments.clone())?;
+    let ListResourceTemplatesArgs { server, cursor } = args;
+    let server = normalize_optional_string(server);
+    let cursor = normalize_optional_string(cursor);
+
+    let invocation = McpInvocation {
+        server: server.clone().unwrap_or_else(|| "codex".to_string()),
+        tool: "list_mcp_resource_templates".to_string(),
+        arguments: arguments.clone(),
+    };
+
+    emit_tool_call_begin(&session, &sub_id, &call_id, invocation.clone()).await;
+    let start = Instant::now();
+
+    let payload_result: Result<ListResourceTemplatesPayload, FunctionCallError> = async {
+        if let Some(server_name) = server.clone() {
+            let params = cursor
+                .clone()
+                .map(|value| ListResourceTemplatesRequestParams {
+                    cursor: Some(value),
+                });
+            let result = session
+                .list_resource_templates(&server_name, params)
+                .await
+                .map_err(|err| {
+                    FunctionCallError::RespondToModel(format!(
+                        "resources/templates/list failed: {err:#}"
+                    ))
+                })?;
+            Ok(ListResourceTemplatesPayload::from_single_server(
+                server_name,
+                result,
+            ))
+        } else {
+            if cursor.is_some() {
+                return Err(FunctionCallError::RespondToModel(
+                    "cursor can only be used when a server is specified".to_string(),
+                ));
+            }
+
+            let templates = session
+                .services
+                .mcp_connection_manager
+                .list_all_resource_templates()
+                .await;
+            Ok(ListResourceTemplatesPayload::from_all_servers(templates))
+        }
+    }
+    .await;
+
+    match payload_result {
+        Ok(payload) => match serialize_function_output(payload) {
+            Ok(output) => {
+                let ToolOutput::Function { content, success } = &output else {
+                    unreachable!("MCP resource handler should return function output");
+                };
+                let duration = start.elapsed();
+                emit_tool_call_end(
+                    &session,
+                    &sub_id,
+                    &call_id,
+                    invocation,
+                    duration,
+                    Ok(call_tool_result_from_content(content, *success)),
+                )
+                .await;
+                Ok(output)
+            }
+            Err(err) => {
+                let duration = start.elapsed();
+                let message = err.to_string();
+                emit_tool_call_end(
+                    &session,
+                    &sub_id,
+                    &call_id,
+                    invocation,
+                    duration,
+                    Err(message.clone()),
+                )
+                .await;
+                Err(err)
+            }
+        },
+        Err(err) => {
+            let duration = start.elapsed();
+            let message = err.to_string();
+            emit_tool_call_end(
+                &session,
+                &sub_id,
+                &call_id,
+                invocation,
+                duration,
+                Err(message.clone()),
+            )
+            .await;
+            Err(err)
+        }
+    }
+}
+
+async fn handle_read_resource(
+    session: Arc<Session>,
+    sub_id: String,
+    call_id: String,
+    arguments: Option<Value>,
+) -> Result<ToolOutput, FunctionCallError> {
+    let args: ReadResourceArgs = parse_args(arguments.clone())?;
+    let ReadResourceArgs { server, uri } = args;
+    let server = normalize_required_string("server", server)?;
+    let uri = normalize_required_string("uri", uri)?;
+
+    let invocation = McpInvocation {
+        server: server.clone(),
+        tool: "read_mcp_resource".to_string(),
+        arguments: arguments.clone(),
+    };
+
+    emit_tool_call_begin(&session, &sub_id, &call_id, invocation.clone()).await;
+    let start = Instant::now();
+
+    let payload_result: Result<ReadResourcePayload, FunctionCallError> = async {
+        let result = session
+            .read_resource(&server, ReadResourceRequestParams { uri: uri.clone() })
+            .await
+            .map_err(|err| {
+                FunctionCallError::RespondToModel(format!("resources/read failed: {err:#}"))
+            })?;
+
+        Ok(ReadResourcePayload {
+            server,
+            uri,
+            result,
+        })
+    }
+    .await;
+
+    match payload_result {
+        Ok(payload) => match serialize_function_output(payload) {
+            Ok(output) => {
+                let ToolOutput::Function { content, success } = &output else {
+                    unreachable!("MCP resource handler should return function output");
+                };
+                let duration = start.elapsed();
+                emit_tool_call_end(
+                    &session,
+                    &sub_id,
+                    &call_id,
+                    invocation,
+                    duration,
+                    Ok(call_tool_result_from_content(content, *success)),
+                )
+                .await;
+                Ok(output)
+            }
+            Err(err) => {
+                let duration = start.elapsed();
+                let message = err.to_string();
+                emit_tool_call_end(
+                    &session,
+                    &sub_id,
+                    &call_id,
+                    invocation,
+                    duration,
+                    Err(message.clone()),
+                )
+                .await;
+                Err(err)
+            }
+        },
+        Err(err) => {
+            let duration = start.elapsed();
+            let message = err.to_string();
+            emit_tool_call_end(
+                &session,
+                &sub_id,
+                &call_id,
+                invocation,
+                duration,
+                Err(message.clone()),
+            )
+            .await;
+            Err(err)
+        }
+    }
+}
+
+fn call_tool_result_from_content(content: &str, success: Option<bool>) -> CallToolResult {
+    CallToolResult {
+        content: vec![ContentBlock::TextContent(TextContent {
+            annotations: None,
+            text: content.to_string(),
+            r#type: "text".to_string(),
+        })],
+        is_error: success.map(|value| !value),
+        structured_content: None,
+    }
+}
+
+async fn emit_tool_call_begin(
+    session: &Arc<Session>,
+    sub_id: &str,
+    call_id: &str,
+    invocation: McpInvocation,
+) {
+    session
+        .send_event(Event {
+            id: sub_id.to_string(),
+            msg: EventMsg::McpToolCallBegin(McpToolCallBeginEvent {
+                call_id: call_id.to_string(),
+                invocation,
+            }),
+        })
+        .await;
+}
+
+async fn emit_tool_call_end(
+    session: &Arc<Session>,
+    sub_id: &str,
+    call_id: &str,
+    invocation: McpInvocation,
+    duration: Duration,
+    result: Result<CallToolResult, String>,
+) {
+    session
+        .send_event(Event {
+            id: sub_id.to_string(),
+            msg: EventMsg::McpToolCallEnd(McpToolCallEndEvent {
+                call_id: call_id.to_string(),
+                invocation,
+                duration,
+                result,
+            }),
+        })
+        .await;
+}
+
+fn normalize_optional_string(input: Option<String>) -> Option<String> {
+    input.and_then(|value| {
+        let trimmed = value.trim().to_string();
+        if trimmed.is_empty() {
+            None
+        } else {
+            Some(trimmed)
+        }
+    })
+}
+
+fn normalize_required_string(field: &str, value: String) -> Result<String, FunctionCallError> {
+    match normalize_optional_string(Some(value)) {
+        Some(normalized) => Ok(normalized),
+        None => Err(FunctionCallError::RespondToModel(format!(
+            "{field} must be provided"
+        ))),
+    }
+}
+
+fn serialize_function_output<T>(payload: T) -> Result<ToolOutput, FunctionCallError>
+where
+    T: Serialize,
+{
+    let content = serde_json::to_string(&payload).map_err(|err| {
+        FunctionCallError::RespondToModel(format!(
+            "failed to serialize MCP resource response: {err}"
+        ))
+    })?;
+
+    Ok(ToolOutput::Function {
+        content,
+        success: Some(true),
+    })
+}
+
+fn parse_arguments(raw_args: &str) -> Result<Option<Value>, FunctionCallError> {
+    if raw_args.trim().is_empty() {
+        Ok(None)
+    } else {
+        serde_json::from_str(raw_args).map(Some).map_err(|err| {
+            FunctionCallError::RespondToModel(format!("failed to parse function arguments: {err}"))
+        })
+    }
+}
+
+fn parse_args<T>(arguments: Option<Value>) -> Result<T, FunctionCallError>
+where
+    T: DeserializeOwned,
+{
+    match arguments {
+        Some(value) => serde_json::from_value(value).map_err(|err| {
+            FunctionCallError::RespondToModel(format!("failed to parse function arguments: {err}"))
+        }),
+        None => Err(FunctionCallError::RespondToModel(
+            "failed to parse function arguments: expected value".to_string(),
+        )),
+    }
+}
+
+fn parse_args_with_default<T>(arguments: Option<Value>) -> Result<T, FunctionCallError>
+where
+    T: DeserializeOwned + Default,
+{
+    match arguments {
+        Some(value) => parse_args(Some(value)),
+        None => Ok(T::default()),
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use mcp_types::ListResourcesResult;
+    use mcp_types::ResourceTemplate;
+    use pretty_assertions::assert_eq;
+    use serde_json::json;
+
+    fn resource(uri: &str, name: &str) -> Resource {
+        Resource {
+            annotations: None,
+            description: None,
+            mime_type: None,
+            name: name.to_string(),
+            size: None,
+            title: None,
+            uri: uri.to_string(),
+        }
+    }
+
+    fn template(uri_template: &str, name: &str) -> ResourceTemplate {
+        ResourceTemplate {
+            annotations: None,
+            description: None,
+            mime_type: None,
+            name: name.to_string(),
+            title: None,
+            uri_template: uri_template.to_string(),
+        }
+    }
+
+    #[test]
+    fn resource_with_server_serializes_server_field() {
+        let entry = ResourceWithServer::new("test".to_string(), resource("memo://id", "memo"));
+        let value = serde_json::to_value(&entry).expect("serialize resource");
+
+        assert_eq!(value["server"], json!("test"));
+        assert_eq!(value["uri"], json!("memo://id"));
+        assert_eq!(value["name"], json!("memo"));
+    }
+
+    #[test]
+    fn list_resources_payload_from_single_server_copies_next_cursor() {
+        let result = ListResourcesResult {
+            next_cursor: Some("cursor-1".to_string()),
+            resources: vec![resource("memo://id", "memo")],
+        };
+        let payload = ListResourcesPayload::from_single_server("srv".to_string(), result);
+        let value = serde_json::to_value(&payload).expect("serialize payload");
+
+        assert_eq!(value["server"], json!("srv"));
+        assert_eq!(value["nextCursor"], json!("cursor-1"));
+        let resources = value["resources"].as_array().expect("resources array");
+        assert_eq!(resources.len(), 1);
+        assert_eq!(resources[0]["server"], json!("srv"));
+    }
+
+    #[test]
+    fn list_resources_payload_from_all_servers_is_sorted() {
+        let mut map = HashMap::new();
+        map.insert("beta".to_string(), vec![resource("memo://b-1", "b-1")]);
+        map.insert(
+            "alpha".to_string(),
+            vec![resource("memo://a-1", "a-1"), resource("memo://a-2", "a-2")],
+        );
+
+        let payload = ListResourcesPayload::from_all_servers(map);
+        let value = serde_json::to_value(&payload).expect("serialize payload");
+        let uris: Vec<String> = value["resources"]
+            .as_array()
+            .expect("resources array")
+            .iter()
+            .map(|entry| entry["uri"].as_str().unwrap().to_string())
+            .collect();
+
+        assert_eq!(
+            uris,
+            vec![
+                "memo://a-1".to_string(),
+                "memo://a-2".to_string(),
+                "memo://b-1".to_string()
+            ]
+        );
+    }
+
+    #[test]
+    fn call_tool_result_from_content_marks_success() {
+        let result = call_tool_result_from_content("{}", Some(true));
+        assert_eq!(result.is_error, Some(false));
+        assert_eq!(result.content.len(), 1);
+    }
+
+    #[test]
+    fn parse_arguments_handles_empty_and_json() {
+        assert!(
+            parse_arguments(" \n\t").unwrap().is_none(),
+            "expected None for empty arguments"
+        );
+
+        let value = parse_arguments(r#"{"server":"figma"}"#)
+            .expect("parse json")
+            .expect("value present");
+        assert_eq!(value["server"], json!("figma"));
+    }
+
+    #[test]
+    fn template_with_server_serializes_server_field() {
+        let entry =
+            ResourceTemplateWithServer::new("srv".to_string(), template("memo://{id}", "memo"));
+        let value = serde_json::to_value(&entry).expect("serialize template");
+
+        assert_eq!(
+            value,
+            json!({
+                "server": "srv",
+                "uriTemplate": "memo://{id}",
+                "name": "memo"
+            })
+        );
+    }
+}
--- a/Show More
+++ b/Show More