codex: gate create-api-key guidance to legacy TUI

Co-authored-by: Codex <noreply@openai.com>

.github/dotslash-zsh-config.json

@@ -0,0 +1,23 @@
+{
+  "outputs": {
+    "codex-zsh": {
+      "platforms": {
+        "macos-aarch64": {
+          "name": "codex-zsh-aarch64-apple-darwin.tar.gz",
+          "format": "tar.gz",
+          "path": "codex-zsh/bin/zsh"
+        },
+        "linux-x86_64": {
+          "name": "codex-zsh-x86_64-unknown-linux-musl.tar.gz",
+          "format": "tar.gz",
+          "path": "codex-zsh/bin/zsh"
+        },
+        "linux-aarch64": {
+          "name": "codex-zsh-aarch64-unknown-linux-musl.tar.gz",
+          "format": "tar.gz",
+          "path": "codex-zsh/bin/zsh"
+        }
+      }
+    }
+  }
+}

.github/scripts/build-zsh-release-artifact.sh

@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if [[ "$#" -ne 1 ]]; then
+  echo "usage: $0 <archive-path>" >&2
+  exit 1
+fi
+
+archive_path="$1"
+workspace="${GITHUB_WORKSPACE:?missing GITHUB_WORKSPACE}"
+zsh_commit="${ZSH_COMMIT:?missing ZSH_COMMIT}"
+zsh_patch="${ZSH_PATCH:?missing ZSH_PATCH}"
+temp_root="${RUNNER_TEMP:-/tmp}"
+work_root="$(mktemp -d "${temp_root%/}/codex-zsh-release.XXXXXX")"
+trap 'rm -rf "$work_root"' EXIT
+
+source_root="${work_root}/zsh"
+package_root="${work_root}/codex-zsh"
+wrapper_path="${work_root}/exec-wrapper"
+stdout_path="${work_root}/stdout.txt"
+wrapper_log_path="${work_root}/wrapper.log"
+
+git clone https://git.code.sf.net/p/zsh/code "$source_root"
+cd "$source_root"
+git checkout "$zsh_commit"
+git apply "${workspace}/${zsh_patch}"
+./Util/preconfig
+./configure
+
+cores="$(command -v nproc >/dev/null 2>&1 && nproc || getconf _NPROCESSORS_ONLN)"
+make -j"${cores}"
+
+cat > "$wrapper_path" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+: "${CODEX_WRAPPER_LOG:?missing CODEX_WRAPPER_LOG}"
+printf '%s\n' "$@" > "$CODEX_WRAPPER_LOG"
+file="$1"
+shift
+if [[ "$#" -eq 0 ]]; then
+  exec "$file"
+fi
+arg0="$1"
+shift
+exec -a "$arg0" "$file" "$@"
+EOF
+chmod +x "$wrapper_path"
+
+CODEX_WRAPPER_LOG="$wrapper_log_path" \
+EXEC_WRAPPER="$wrapper_path" \
+"${source_root}/Src/zsh" -fc '/bin/echo smoke-zsh' > "$stdout_path"
+
+grep -Fx "smoke-zsh" "$stdout_path"
+grep -Fx "/bin/echo" "$wrapper_log_path"
+
+mkdir -p "$package_root/bin" "$(dirname "${workspace}/${archive_path}")"
+cp "${source_root}/Src/zsh" "$package_root/bin/zsh"
+chmod +x "$package_root/bin/zsh"
+
+(cd "$work_root" && tar -czf "${workspace}/${archive_path}" codex-zsh)

.github/workflows/ci.yml

@@ -15,7 +15,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v5
         with:
           run_install: false
 

.github/workflows/rust-ci.yml

@@ -547,7 +547,7 @@ jobs:
   tests:
     name: Tests — ${{ matrix.runner }} - ${{ matrix.target }}${{ matrix.remote_env == 'true' && ' (remote)' || '' }}
     runs-on: ${{ matrix.runs_on || matrix.runner }}
-    timeout-minutes: 30
+    timeout-minutes: ${{ matrix.runner == 'windows-arm64' && 35 || 30 }}
     needs: changed
     if: ${{ needs.changed.outputs.codex == 'true' || needs.changed.outputs.workflows == 'true' || github.event_name == 'push' }}
     defaults:

.github/workflows/rust-release-zsh.yml

@@ -0,0 +1,95 @@
+name: rust-release-zsh
+
+on:
+  workflow_call:
+
+env:
+  ZSH_COMMIT: 77045ef899e53b9598bebc5a41db93a548a40ca6
+  ZSH_PATCH: codex-rs/shell-escalation/patches/zsh-exec-wrapper.patch
+
+jobs:
+  linux:
+    name: Build zsh (Linux) - ${{ matrix.variant }} - ${{ matrix.target }}
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 30
+    container:
+      image: ${{ matrix.image }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-musl
+            variant: ubuntu-24.04
+            image: ubuntu:24.04
+            archive_name: codex-zsh-x86_64-unknown-linux-musl.tar.gz
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            variant: ubuntu-24.04
+            image: arm64v8/ubuntu:24.04
+            archive_name: codex-zsh-aarch64-unknown-linux-musl.tar.gz
+
+    steps:
+      - name: Install build prerequisites
+        shell: bash
+        run: |
+          set -euo pipefail
+          apt-get update
+          DEBIAN_FRONTEND=noninteractive apt-get install -y \
+            autoconf \
+            bison \
+            build-essential \
+            ca-certificates \
+            gettext \
+            git \
+            libncursesw5-dev
+
+      - uses: actions/checkout@v6
+
+      - name: Build, smoke-test, and stage zsh artifact
+        shell: bash
+        run: |
+          "${GITHUB_WORKSPACE}/.github/scripts/build-zsh-release-artifact.sh" \
+            "dist/zsh/${{ matrix.target }}/${{ matrix.archive_name }}"
+
+      - uses: actions/upload-artifact@v7
+        with:
+          name: codex-zsh-${{ matrix.target }}
+          path: dist/zsh/${{ matrix.target }}/*
+
+  darwin:
+    name: Build zsh (macOS) - ${{ matrix.variant }} - ${{ matrix.target }}
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 30
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: macos-15-xlarge
+            target: aarch64-apple-darwin
+            variant: macos-15
+            archive_name: codex-zsh-aarch64-apple-darwin.tar.gz
+
+    steps:
+      - name: Install build prerequisites
+        shell: bash
+        run: |
+          set -euo pipefail
+          if ! command -v autoconf >/dev/null 2>&1; then
+            brew install autoconf
+          fi
+
+      - uses: actions/checkout@v6
+
+      - name: Build, smoke-test, and stage zsh artifact
+        shell: bash
+        run: |
+          "${GITHUB_WORKSPACE}/.github/scripts/build-zsh-release-artifact.sh" \
+            "dist/zsh/${{ matrix.target }}/${{ matrix.archive_name }}"
+
+      - uses: actions/upload-artifact@v7
+        with:
+          name: codex-zsh-${{ matrix.target }}
+          path: dist/zsh/${{ matrix.target }}/*

.github/workflows/rust-release.yml

@@ -389,15 +389,6 @@ jobs:
       release-lto: ${{ contains(github.ref_name, '-alpha') && 'thin' || 'fat' }}
     secrets: inherit
 
-  shell-tool-mcp:
-    name: shell-tool-mcp
-    needs: tag-check
-    uses: ./.github/workflows/shell-tool-mcp.yml
-    with:
-      release-tag: ${{ github.ref_name }}
-      publish: true
-    secrets: inherit
-
   argument-comment-lint-release-assets:
     name: argument-comment-lint release assets
     needs: tag-check
@@ -405,12 +396,17 @@ jobs:
     with:
       publish: true
 
+  zsh-release-assets:
+    name: zsh release assets
+    needs: tag-check
+    uses: ./.github/workflows/rust-release-zsh.yml
+
   release:
     needs:
       - build
       - build-windows
-      - shell-tool-mcp
       - argument-comment-lint-release-assets
+      - zsh-release-assets
     name: release
     runs-on: ubuntu-latest
     permissions:
@@ -453,11 +449,8 @@ jobs:
       - name: List
         run: ls -R dist/
 
-      # This is a temporary fix: we should modify shell-tool-mcp.yml so these
-      # files do not end up in dist/ in the first place.
       - name: Delete entries from dist/ that should not go in the release
         run: |
-          rm -rf dist/shell-tool-mcp*
           rm -rf dist/windows-binaries*
           # cargo-timing.html appears under multiple target-specific directories.
           # If included in files: dist/**, release upload races on duplicate
@@ -499,7 +492,7 @@ jobs:
           fi
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v5
         with:
           run_install: false
 
@@ -547,6 +540,13 @@ jobs:
           tag: ${{ github.ref_name }}
           config: .github/dotslash-config.json
 
+      - uses: facebook/dotslash-publish-release@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag: ${{ github.ref_name }}
+          config: .github/dotslash-zsh-config.json
+
       - uses: facebook/dotslash-publish-release@v2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -693,7 +693,7 @@ jobs:
 
     steps:
       - name: Publish to WinGet
-        uses: vedantmgoyal9/winget-releaser@19e706d4c9121098010096f9c495a70a7518b30f
+        uses: vedantmgoyal9/winget-releaser@7bd472be23763def6e16bd06cc8b1cdfab0e2fd5
         with:
           identifier: OpenAI.Codex
           version: ${{ needs.release.outputs.version }}

.github/workflows/sdk.yml

@@ -23,7 +23,7 @@ jobs:
           sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v5
         with:
           run_install: false
 

.github/workflows/shell-tool-mcp-ci.yml

@@ -1,48 +0,0 @@
-name: shell-tool-mcp CI
-
-on:
-  push:
-    paths:
-      - "shell-tool-mcp/**"
-      - ".github/workflows/shell-tool-mcp-ci.yml"
-      - "pnpm-lock.yaml"
-      - "pnpm-workspace.yaml"
-  pull_request:
-    paths:
-      - "shell-tool-mcp/**"
-      - ".github/workflows/shell-tool-mcp-ci.yml"
-      - "pnpm-lock.yaml"
-      - "pnpm-workspace.yaml"
-
-env:
-  NODE_VERSION: 22
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          run_install: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: "pnpm"
-
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
-
-      - name: Format check
-        run: pnpm --filter @openai/codex-shell-tool-mcp run format
-
-      - name: Run tests
-        run: pnpm --filter @openai/codex-shell-tool-mcp test
-
-      - name: Build
-        run: pnpm --filter @openai/codex-shell-tool-mcp run build

.github/workflows/shell-tool-mcp.yml

@@ -1,553 +0,0 @@
-name: shell-tool-mcp
-
-on:
-  workflow_call:
-    inputs:
-      release-version:
-        description: Version to publish (x.y.z or x.y.z-alpha.N). Defaults to GITHUB_REF_NAME when it starts with rust-v.
-        required: false
-        type: string
-      release-tag:
-        description: Tag name to use when downloading release artifacts (defaults to rust-v<version>).
-        required: false
-        type: string
-      publish:
-        description: Whether to publish to npm when the version is releasable.
-        required: false
-        default: true
-        type: boolean
-
-env:
-  NODE_VERSION: 22
-
-jobs:
-  metadata:
-    runs-on: ubuntu-latest
-    outputs:
-      version: ${{ steps.compute.outputs.version }}
-      release_tag: ${{ steps.compute.outputs.release_tag }}
-      should_publish: ${{ steps.compute.outputs.should_publish }}
-      npm_tag: ${{ steps.compute.outputs.npm_tag }}
-    steps:
-      - name: Compute version and tags
-        id: compute
-        env:
-          RELEASE_TAG_INPUT: ${{ inputs.release-tag }}
-          RELEASE_VERSION_INPUT: ${{ inputs.release-version }}
-        run: |
-          set -euo pipefail
-
-          version="$RELEASE_VERSION_INPUT"
-          release_tag="$RELEASE_TAG_INPUT"
-
-          if [[ -z "$version" ]]; then
-            if [[ -n "$release_tag" && "$release_tag" =~ ^rust-v.+ ]]; then
-              version="${release_tag#rust-v}"
-            elif [[ "${GITHUB_REF_NAME:-}" =~ ^rust-v.+ ]]; then
-              version="${GITHUB_REF_NAME#rust-v}"
-              release_tag="${GITHUB_REF_NAME}"
-            else
-              echo "release-version is required when GITHUB_REF_NAME is not a rust-v tag."
-              exit 1
-            fi
-          fi
-
-          if [[ -z "$release_tag" ]]; then
-            release_tag="rust-v${version}"
-          fi
-
-          npm_tag=""
-          should_publish="false"
-          if [[ "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            should_publish="true"
-          elif [[ "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+-alpha\.[0-9]+$ ]]; then
-            should_publish="true"
-            npm_tag="alpha"
-          fi
-
-          echo "version=${version}" >> "$GITHUB_OUTPUT"
-          echo "release_tag=${release_tag}" >> "$GITHUB_OUTPUT"
-          echo "npm_tag=${npm_tag}" >> "$GITHUB_OUTPUT"
-          echo "should_publish=${should_publish}" >> "$GITHUB_OUTPUT"
-
-  bash-linux:
-    name: Build Bash (Linux) - ${{ matrix.variant }} - ${{ matrix.target }}
-    needs: metadata
-    runs-on: ${{ matrix.runner }}
-    timeout-minutes: 30
-    container:
-      image: ${{ matrix.image }}
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: ubuntu-24.04
-            image: ubuntu:24.04
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: ubuntu-22.04
-            image: ubuntu:22.04
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: debian-12
-            image: debian:12
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: debian-11
-            image: debian:11
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: centos-9
-            image: quay.io/centos/centos:stream9
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: ubuntu-24.04
-            image: arm64v8/ubuntu:24.04
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: ubuntu-22.04
-            image: arm64v8/ubuntu:22.04
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: ubuntu-20.04
-            image: arm64v8/ubuntu:20.04
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: debian-12
-            image: arm64v8/debian:12
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: debian-11
-            image: arm64v8/debian:11
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: centos-9
-            image: quay.io/centos/centos:stream9
-    steps:
-      - name: Install build prerequisites
-        shell: bash
-        run: |
-          set -euo pipefail
-          if command -v apt-get >/dev/null 2>&1; then
-            apt-get update
-            DEBIAN_FRONTEND=noninteractive apt-get install -y git build-essential bison autoconf gettext libncursesw5-dev
-          elif command -v dnf >/dev/null 2>&1; then
-            dnf install -y git gcc gcc-c++ make bison autoconf gettext ncurses-devel
-          elif command -v yum >/dev/null 2>&1; then
-            yum install -y git gcc gcc-c++ make bison autoconf gettext ncurses-devel
-          else
-            echo "Unsupported package manager in container"
-            exit 1
-          fi
-
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Build patched Bash
-        shell: bash
-        run: |
-          set -euo pipefail
-          git clone https://git.savannah.gnu.org/git/bash /tmp/bash
-          cd /tmp/bash
-          git checkout a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
-          git apply "${GITHUB_WORKSPACE}/shell-tool-mcp/patches/bash-exec-wrapper.patch"
-          ./configure --without-bash-malloc
-          cores="$(command -v nproc >/dev/null 2>&1 && nproc || getconf _NPROCESSORS_ONLN)"
-          make -j"${cores}"
-
-          dest="${GITHUB_WORKSPACE}/artifacts/vendor/${{ matrix.target }}/bash/${{ matrix.variant }}"
-          mkdir -p "$dest"
-          cp bash "$dest/bash"
-
-      - uses: actions/upload-artifact@v7
-        with:
-          name: shell-tool-mcp-bash-${{ matrix.target }}-${{ matrix.variant }}
-          path: artifacts/**
-          if-no-files-found: error
-
-  bash-darwin:
-    name: Build Bash (macOS) - ${{ matrix.variant }} - ${{ matrix.target }}
-    needs: metadata
-    runs-on: ${{ matrix.runner }}
-    timeout-minutes: 30
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: macos-15-xlarge
-            target: aarch64-apple-darwin
-            variant: macos-15
-          - runner: macos-14
-            target: aarch64-apple-darwin
-            variant: macos-14
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Build patched Bash
-        shell: bash
-        run: |
-          set -euo pipefail
-          git clone https://git.savannah.gnu.org/git/bash /tmp/bash
-          cd /tmp/bash
-          git checkout a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
-          git apply "${GITHUB_WORKSPACE}/shell-tool-mcp/patches/bash-exec-wrapper.patch"
-          ./configure --without-bash-malloc
-          cores="$(getconf _NPROCESSORS_ONLN)"
-          make -j"${cores}"
-
-          dest="${GITHUB_WORKSPACE}/artifacts/vendor/${{ matrix.target }}/bash/${{ matrix.variant }}"
-          mkdir -p "$dest"
-          cp bash "$dest/bash"
-
-      - uses: actions/upload-artifact@v7
-        with:
-          name: shell-tool-mcp-bash-${{ matrix.target }}-${{ matrix.variant }}
-          path: artifacts/**
-          if-no-files-found: error
-
-  zsh-linux:
-    name: Build zsh (Linux) - ${{ matrix.variant }} - ${{ matrix.target }}
-    needs: metadata
-    runs-on: ${{ matrix.runner }}
-    timeout-minutes: 30
-    container:
-      image: ${{ matrix.image }}
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: ubuntu-24.04
-            image: ubuntu:24.04
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: ubuntu-22.04
-            image: ubuntu:22.04
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: debian-12
-            image: debian:12
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: debian-11
-            image: debian:11
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: centos-9
-            image: quay.io/centos/centos:stream9
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: ubuntu-24.04
-            image: arm64v8/ubuntu:24.04
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: ubuntu-22.04
-            image: arm64v8/ubuntu:22.04
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: ubuntu-20.04
-            image: arm64v8/ubuntu:20.04
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: debian-12
-            image: arm64v8/debian:12
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: debian-11
-            image: arm64v8/debian:11
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: centos-9
-            image: quay.io/centos/centos:stream9
-    steps:
-      - name: Install build prerequisites
-        shell: bash
-        run: |
-          set -euo pipefail
-          if command -v apt-get >/dev/null 2>&1; then
-            apt-get update
-            DEBIAN_FRONTEND=noninteractive apt-get install -y git build-essential bison autoconf gettext libncursesw5-dev
-          elif command -v dnf >/dev/null 2>&1; then
-            dnf install -y git gcc gcc-c++ make bison autoconf gettext ncurses-devel
-          elif command -v yum >/dev/null 2>&1; then
-            yum install -y git gcc gcc-c++ make bison autoconf gettext ncurses-devel
-          else
-            echo "Unsupported package manager in container"
-            exit 1
-          fi
-
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Build patched zsh
-        shell: bash
-        run: |
-          set -euo pipefail
-          git clone https://git.code.sf.net/p/zsh/code /tmp/zsh
-          cd /tmp/zsh
-          git checkout 77045ef899e53b9598bebc5a41db93a548a40ca6
-          git apply "${GITHUB_WORKSPACE}/shell-tool-mcp/patches/zsh-exec-wrapper.patch"
-          ./Util/preconfig
-          ./configure
-          cores="$(command -v nproc >/dev/null 2>&1 && nproc || getconf _NPROCESSORS_ONLN)"
-          make -j"${cores}"
-
-          dest="${GITHUB_WORKSPACE}/artifacts/vendor/${{ matrix.target }}/zsh/${{ matrix.variant }}"
-          mkdir -p "$dest"
-          cp Src/zsh "$dest/zsh"
-
-      - name: Smoke test zsh exec wrapper
-        shell: bash
-        run: |
-          set -euo pipefail
-          tmpdir="$(mktemp -d)"
-          cat > "$tmpdir/exec-wrapper" <<'EOF'
-          #!/usr/bin/env bash
-          set -euo pipefail
-          : "${CODEX_WRAPPER_LOG:?missing CODEX_WRAPPER_LOG}"
-          printf '%s\n' "$@" > "$CODEX_WRAPPER_LOG"
-          file="$1"
-          shift
-          if [[ "$#" -eq 0 ]]; then
-            exec "$file"
-          fi
-          arg0="$1"
-          shift
-          exec -a "$arg0" "$file" "$@"
-          EOF
-          chmod +x "$tmpdir/exec-wrapper"
-
-          CODEX_WRAPPER_LOG="$tmpdir/wrapper.log" \
-          EXEC_WRAPPER="$tmpdir/exec-wrapper" \
-          /tmp/zsh/Src/zsh -fc '/bin/echo smoke-zsh' > "$tmpdir/stdout.txt"
-
-          grep -Fx "smoke-zsh" "$tmpdir/stdout.txt"
-          grep -Fx "/bin/echo" "$tmpdir/wrapper.log"
-
-      - uses: actions/upload-artifact@v7
-        with:
-          name: shell-tool-mcp-zsh-${{ matrix.target }}-${{ matrix.variant }}
-          path: artifacts/**
-          if-no-files-found: error
-
-  zsh-darwin:
-    name: Build zsh (macOS) - ${{ matrix.variant }} - ${{ matrix.target }}
-    needs: metadata
-    runs-on: ${{ matrix.runner }}
-    timeout-minutes: 30
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: macos-15-xlarge
-            target: aarch64-apple-darwin
-            variant: macos-15
-          - runner: macos-14
-            target: aarch64-apple-darwin
-            variant: macos-14
-    steps:
-      - name: Install build prerequisites
-        shell: bash
-        run: |
-          set -euo pipefail
-          if ! command -v autoconf >/dev/null 2>&1; then
-            brew install autoconf
-          fi
-
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Build patched zsh
-        shell: bash
-        run: |
-          set -euo pipefail
-          git clone https://git.code.sf.net/p/zsh/code /tmp/zsh
-          cd /tmp/zsh
-          git checkout 77045ef899e53b9598bebc5a41db93a548a40ca6
-          git apply "${GITHUB_WORKSPACE}/shell-tool-mcp/patches/zsh-exec-wrapper.patch"
-          ./Util/preconfig
-          ./configure
-          cores="$(getconf _NPROCESSORS_ONLN)"
-          make -j"${cores}"
-
-          dest="${GITHUB_WORKSPACE}/artifacts/vendor/${{ matrix.target }}/zsh/${{ matrix.variant }}"
-          mkdir -p "$dest"
-          cp Src/zsh "$dest/zsh"
-
-      - name: Smoke test zsh exec wrapper
-        shell: bash
-        run: |
-          set -euo pipefail
-          tmpdir="$(mktemp -d)"
-          cat > "$tmpdir/exec-wrapper" <<'EOF'
-          #!/usr/bin/env bash
-          set -euo pipefail
-          : "${CODEX_WRAPPER_LOG:?missing CODEX_WRAPPER_LOG}"
-          printf '%s\n' "$@" > "$CODEX_WRAPPER_LOG"
-          file="$1"
-          shift
-          if [[ "$#" -eq 0 ]]; then
-            exec "$file"
-          fi
-          arg0="$1"
-          shift
-          exec -a "$arg0" "$file" "$@"
-          EOF
-          chmod +x "$tmpdir/exec-wrapper"
-
-          CODEX_WRAPPER_LOG="$tmpdir/wrapper.log" \
-          EXEC_WRAPPER="$tmpdir/exec-wrapper" \
-          /tmp/zsh/Src/zsh -fc '/bin/echo smoke-zsh' > "$tmpdir/stdout.txt"
-
-          grep -Fx "smoke-zsh" "$tmpdir/stdout.txt"
-          grep -Fx "/bin/echo" "$tmpdir/wrapper.log"
-
-      - uses: actions/upload-artifact@v7
-        with:
-          name: shell-tool-mcp-zsh-${{ matrix.target }}-${{ matrix.variant }}
-          path: artifacts/**
-          if-no-files-found: error
-
-  package:
-    name: Package npm module
-    needs:
-      - metadata
-      - bash-linux
-      - bash-darwin
-      - zsh-linux
-      - zsh-darwin
-    runs-on: ubuntu-latest
-    env:
-      PACKAGE_VERSION: ${{ needs.metadata.outputs.version }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          run_install: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Install JavaScript dependencies
-        run: pnpm install --frozen-lockfile
-
-      - name: Build (shell-tool-mcp)
-        run: pnpm --filter @openai/codex-shell-tool-mcp run build
-
-      - name: Download build artifacts
-        uses: actions/download-artifact@v8
-        with:
-          path: artifacts
-
-      - name: Assemble staging directory
-        id: staging
-        shell: bash
-        run: |
-          set -euo pipefail
-          staging="${STAGING_DIR}"
-          mkdir -p "$staging" "$staging/vendor"
-          cp shell-tool-mcp/README.md "$staging/"
-          cp shell-tool-mcp/package.json "$staging/"
-
-          found_vendor="false"
-          shopt -s nullglob
-          for vendor_dir in artifacts/*/vendor; do
-            rsync -av "$vendor_dir/" "$staging/vendor/"
-            found_vendor="true"
-          done
-          if [[ "$found_vendor" == "false" ]]; then
-            echo "No vendor payloads were downloaded."
-            exit 1
-          fi
-
-          node - <<'NODE'
-            import fs from "node:fs";
-            import path from "node:path";
-
-            const stagingDir = process.env.STAGING_DIR;
-            const version = process.env.PACKAGE_VERSION;
-            const pkgPath = path.join(stagingDir, "package.json");
-            const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf8"));
-            pkg.version = version;
-            fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + "\n");
-          NODE
-
-          echo "dir=$staging" >> "$GITHUB_OUTPUT"
-        env:
-          STAGING_DIR: ${{ runner.temp }}/shell-tool-mcp
-
-      - name: Ensure binaries are executable
-        env:
-          STAGING_DIR: ${{ steps.staging.outputs.dir }}
-        run: |
-          set -euo pipefail
-          chmod +x \
-            "$STAGING_DIR"/vendor/*/bash/*/bash \
-            "$STAGING_DIR"/vendor/*/zsh/*/zsh
-
-      - name: Create npm tarball
-        shell: bash
-        env:
-          STAGING_DIR: ${{ steps.staging.outputs.dir }}
-        run: |
-          set -euo pipefail
-          mkdir -p dist/npm
-          pack_info=$(cd "$STAGING_DIR" && npm pack --ignore-scripts --json --pack-destination "${GITHUB_WORKSPACE}/dist/npm")
-          filename=$(PACK_INFO="$pack_info" node -e 'const data = JSON.parse(process.env.PACK_INFO); console.log(data[0].filename);')
-          mv "dist/npm/${filename}" "dist/npm/codex-shell-tool-mcp-npm-${PACKAGE_VERSION}.tgz"
-
-      - uses: actions/upload-artifact@v7
-        with:
-          name: codex-shell-tool-mcp-npm
-          path: dist/npm/codex-shell-tool-mcp-npm-${{ env.PACKAGE_VERSION }}.tgz
-          if-no-files-found: error
-
-  publish:
-    name: Publish npm package
-    needs:
-      - metadata
-      - package
-    if: ${{ inputs.publish && needs.metadata.outputs.should_publish == 'true' }}
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: read
-    steps:
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          registry-url: https://registry.npmjs.org
-          scope: "@openai"
-
-      # Trusted publishing requires npm CLI version 11.5.1 or later.
-      - name: Update npm
-        run: npm install -g npm@latest
-
-      - name: Download npm tarball
-        uses: actions/download-artifact@v8
-        with:
-          name: codex-shell-tool-mcp-npm
-          path: dist/npm
-
-      - name: Publish to npm
-        env:
-          NPM_TAG: ${{ needs.metadata.outputs.npm_tag }}
-          VERSION: ${{ needs.metadata.outputs.version }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          tag_args=()
-          if [[ -n "${NPM_TAG}" ]]; then
-            tag_args+=(--tag "${NPM_TAG}")
-          fi
-          npm publish "dist/npm/codex-shell-tool-mcp-npm-${VERSION}.tgz" "${tag_args[@]}"

AGENTS.md

@@ -40,6 +40,7 @@ In the codex-rs folder where the rust code lives:
     `codex-rs/tui/src/bottom_pane/mod.rs`, and similarly central orchestration modules.
   - When extracting code from a large module, move the related tests and module/type docs toward
     the new implementation so the invariants stay close to the code that owns them.
+- When running Rust commands (e.g. `just fix` or `cargo test`) be patient with the command and never try to kill them using the PID. Rust lock can make the execution slow, this is expected.
 
 Run `just fmt` (in `codex-rs` directory) automatically after you have finished making Rust code changes; do not ask for approval to run it. Additionally, run the tests:
 

MODULE.bazel.lock

@@ -614,14 +614,10 @@
       "anyhow_1.0.101": "{\"dependencies\":[{\"name\":\"backtrace\",\"optional\":true,\"req\":\"^0.3.51\"},{\"default_features\":false,\"kind\":\"dev\",\"name\":\"futures\",\"req\":\"^0.3\"},{\"kind\":\"dev\",\"name\":\"rustversion\",\"req\":\"^1.0.6\"},{\"features\":[\"full\"],\"kind\":\"dev\",\"name\":\"syn\",\"req\":\"^2.0\"},{\"kind\":\"dev\",\"name\":\"thiserror\",\"req\":\"^2\"},{\"features\":[\"diff\"],\"kind\":\"dev\",\"name\":\"trybuild\",\"req\":\"^1.0.108\"}],\"features\":{\"default\":[\"std\"],\"std\":[]}}",
       "arbitrary_1.4.2": "{\"dependencies\":[{\"name\":\"derive_arbitrary\",\"optional\":true,\"req\":\"~1.4.0\"},{\"kind\":\"dev\",\"name\":\"exhaustigen\",\"req\":\"^0.1.0\"}],\"features\":{\"derive\":[\"derive_arbitrary\"]}}",
       "arboard_3.6.1": "{\"dependencies\":[{\"features\":[\"std\"],\"name\":\"clipboard-win\",\"req\":\"^5.3.1\",\"target\":\"cfg(windows)\"},{\"kind\":\"dev\",\"name\":\"env_logger\",\"req\":\"^0.10.2\"},{\"default_features\":false,\"features\":[\"png\"],\"name\":\"image\",\"optional\":true,\"req\":\"^0.25\",\"target\":\"cfg(all(unix, not(any(target_os=\\\"macos\\\", target_os=\\\"android\\\", target_os=\\\"emscripten\\\"))))\"},{\"default_features\":false,\"features\":[\"tiff\"],\"name\":\"image\",\"optional\":true,\"req\":\"^0.25\",\"target\":\"cfg(target_os = \\\"macos\\\")\"},{\"default_features\":false,\"features\":[\"png\",\"bmp\"],\"name\":\"image\",\"optional\":true,\"req\":\"^0.25\",\"target\":\"cfg(windows)\"},{\"name\":\"log\",\"req\":\"^0.4\",\"target\":\"cfg(all(unix, not(any(target_os=\\\"macos\\\", target_os=\\\"android\\\", target_os=\\\"emscripten\\\"))))\"},{\"name\":\"log\",\"req\":\"^0.4\",\"target\":\"cfg(windows)\"},{\"name\":\"objc2\",\"req\":\"^0.6.0\",\"target\":\"cfg(target_os = \\\"macos\\\")\"},{\"default_features\":false,\"features\":[\"std\",\"objc2-core-graphics\",\"NSPasteboard\",\"NSPasteboardItem\",\"NSImage\"],\"name\":\"objc2-app-kit\",\"req\":\"^0.3.0\",\"target\":\"cfg(target_os = \\\"macos\\\")\"},{\"default_features\":false,\"features\":[\"std\",\"CFCGTypes\"],\"name\":\"objc2-core-foundation\",\"optional\":true,\"req\":\"^0.3.0\",\"target\":\"cfg(target_os = \\\"macos\\\")\"},{\"default_features\":false,\"features\":[\"std\",\"CGImage\",\"CGColorSpace\",\"CGDataProvider\"],\"name\":\"objc2-core-graphics\",\"optional\":true,\"req\":\"^0.3.0\",\"target\":\"cfg(target_os = \\\"macos\\\")\"},{\"default_features\":false,\"features\":[\"std\",\"NSArray\",\"NSString\",\"NSEnumerator\",\"NSGeometry\",\"NSValue\"],\"name\":\"objc2-foundation\",\"req\":\"^0.3.0\",\"target\":\"cfg(target_os = \\\"macos\\\")\"},{\"name\":\"parking_lot\",\"req\":\"^0.12\",\"target\":\"cfg(all(unix, not(any(target_os=\\\"macos\\\", target_os=\\\"android\\\", target_os=\\\"emscripten\\\"))))\"},{\"name\":\"percent-encoding\",\"req\":\"^2.3.1\",\"target\":\"cfg(all(unix, not(any(target_os=\\\"macos\\\", target_os=\\\"android\\\", target_os=\\\"emscripten\\\"))))\"},{\"features\":[\"Win32_Foundation\",\"Win32_Storage_FileSystem\",\"Win32_System_DataExchange\",\"Win32_System_Memory\",\"Win32_System_Ole\",\"Win32_UI_Shell\"],\"name\":\"windows-sys\",\"req\":\">=0.52.0, <0.61.0\",\"target\":\"cfg(windows)\"},{\"name\":\"wl-clipboard-rs\",\"optional\":true,\"req\":\"^0.9.0\",\"target\":\"cfg(all(unix, not(any(target_os=\\\"macos\\\", target_os=\\\"android\\\", target_os=\\\"emscripten\\\"))))\"},{\"name\":\"x11rb\",\"req\":\"^0.13\",\"target\":\"cfg(all(unix, not(any(target_os=\\\"macos\\\", target_os=\\\"android\\\", target_os=\\\"emscripten\\\"))))\"}],\"features\":{\"core-graphics\":[\"dep:objc2-core-graphics\"],\"default\":[\"image-data\"],\"image\":[\"dep:image\"],\"image-data\":[\"dep:objc2-core-graphics\",\"dep:objc2-core-foundation\",\"image\",\"windows-sys\",\"core-graphics\"],\"wayland-data-control\":[\"wl-clipboard-rs\"],\"windows-sys\":[\"windows-sys/Win32_Graphics_Gdi\"],\"wl-clipboard-rs\":[\"dep:wl-clipboard-rs\"]}}",
-      "arc-swap_1.8.2": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"adaptive-barrier\",\"req\":\"~1\"},{\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"~0.7\"},{\"kind\":\"dev\",\"name\":\"crossbeam-utils\",\"req\":\"~0.8\"},{\"kind\":\"dev\",\"name\":\"itertools\",\"req\":\"^0.14\"},{\"kind\":\"dev\",\"name\":\"num_cpus\",\"req\":\"~1\"},{\"kind\":\"dev\",\"name\":\"once_cell\",\"req\":\"~1\"},{\"kind\":\"dev\",\"name\":\"parking_lot\",\"req\":\"~0.12\"},{\"kind\":\"dev\",\"name\":\"proptest\",\"req\":\"^1\"},{\"name\":\"rustversion\",\"req\":\"^1\"},{\"features\":[\"rc\"],\"name\":\"serde\",\"optional\":true,\"req\":\"^1\"},{\"kind\":\"dev\",\"name\":\"serde_derive\",\"req\":\"^1.0.130\"},{\"kind\":\"dev\",\"name\":\"serde_test\",\"req\":\"^1.0.177\"}],\"features\":{\"experimental-strategies\":[],\"experimental-thread-local\":[],\"internal-test-strategies\":[],\"weak\":[]}}",
+      "arc-swap_1.9.0": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"adaptive-barrier\",\"req\":\"~1\"},{\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"~0.7\"},{\"kind\":\"dev\",\"name\":\"crossbeam-utils\",\"req\":\"~0.8\"},{\"kind\":\"dev\",\"name\":\"itertools\",\"req\":\"^0.14\"},{\"kind\":\"dev\",\"name\":\"num_cpus\",\"req\":\"~1\"},{\"kind\":\"dev\",\"name\":\"once_cell\",\"req\":\"~1\"},{\"kind\":\"dev\",\"name\":\"parking_lot\",\"req\":\"~0.12\"},{\"kind\":\"dev\",\"name\":\"proptest\",\"req\":\"^1\"},{\"name\":\"rustversion\",\"req\":\"^1\"},{\"features\":[\"rc\"],\"name\":\"serde\",\"optional\":true,\"req\":\"^1\"},{\"kind\":\"dev\",\"name\":\"serde_derive\",\"req\":\"^1.0.130\"},{\"kind\":\"dev\",\"name\":\"serde_test\",\"req\":\"^1.0.177\"}],\"features\":{\"experimental-strategies\":[],\"experimental-thread-local\":[],\"internal-test-strategies\":[],\"weak\":[]}}",
       "arrayvec_0.7.6": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"bencher\",\"req\":\"^0.1.4\"},{\"default_features\":false,\"name\":\"borsh\",\"optional\":true,\"req\":\"^1.2.0\"},{\"kind\":\"dev\",\"name\":\"matches\",\"req\":\"^0.1\"},{\"default_features\":false,\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0\"},{\"kind\":\"dev\",\"name\":\"serde_test\",\"req\":\"^1.0\"},{\"default_features\":false,\"name\":\"zeroize\",\"optional\":true,\"req\":\"^1.4\"}],\"features\":{\"default\":[\"std\"],\"std\":[]}}",
       "ascii-canvas_3.0.0": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"diff\",\"req\":\"^0.1\"},{\"name\":\"term\",\"req\":\"^0.7\"}],\"features\":{}}",
       "ascii_1.1.0": "{\"dependencies\":[{\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0.25\"},{\"name\":\"serde_test\",\"optional\":true,\"req\":\"^1.0\"}],\"features\":{\"alloc\":[],\"default\":[\"std\"],\"std\":[\"alloc\"]}}",
-      "askama_0.15.4": "{\"dependencies\":[{\"default_features\":false,\"name\":\"askama_macros\",\"optional\":true,\"req\":\"=0.15.4\"},{\"kind\":\"dev\",\"name\":\"assert_matches\",\"req\":\"^1.5.0\"},{\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"^0.8\"},{\"name\":\"itoa\",\"req\":\"^1.0.11\"},{\"default_features\":false,\"name\":\"percent-encoding\",\"optional\":true,\"req\":\"^2.1.0\"},{\"default_features\":false,\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0\"},{\"default_features\":false,\"name\":\"serde_json\",\"optional\":true,\"req\":\"^1.0\"}],\"features\":{\"alloc\":[\"askama_macros?/alloc\",\"serde?/alloc\",\"serde_json?/alloc\",\"percent-encoding?/alloc\"],\"code-in-doc\":[\"askama_macros?/code-in-doc\"],\"config\":[\"askama_macros?/config\"],\"default\":[\"config\",\"derive\",\"std\",\"urlencode\"],\"derive\":[\"dep:askama_macros\",\"dep:askama_macros\"],\"full\":[\"default\",\"code-in-doc\",\"serde_json\"],\"nightly-spans\":[\"askama_macros/nightly-spans\"],\"serde_json\":[\"std\",\"askama_macros?/serde_json\",\"dep:serde\",\"dep:serde_json\"],\"std\":[\"alloc\",\"askama_macros?/std\",\"serde?/std\",\"serde_json?/std\",\"percent-encoding?/std\"],\"urlencode\":[\"askama_macros?/urlencode\",\"dep:percent-encoding\"]}}",
-      "askama_derive_0.15.4": "{\"dependencies\":[{\"name\":\"basic-toml\",\"optional\":true,\"req\":\"^0.1.1\"},{\"kind\":\"dev\",\"name\":\"console\",\"req\":\"^0.16.0\"},{\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"^0.8\"},{\"name\":\"memchr\",\"req\":\"^2\"},{\"name\":\"parser\",\"package\":\"askama_parser\",\"req\":\"=0.15.4\"},{\"kind\":\"dev\",\"name\":\"prettyplease\",\"req\":\"^0.2.20\"},{\"default_features\":false,\"name\":\"proc-macro2\",\"req\":\"^1\"},{\"default_features\":false,\"name\":\"pulldown-cmark\",\"optional\":true,\"req\":\"^0.13.0\"},{\"default_features\":false,\"name\":\"quote\",\"req\":\"^1\"},{\"name\":\"rustc-hash\",\"req\":\"^2.0.0\"},{\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0\"},{\"name\":\"serde_derive\",\"optional\":true,\"req\":\"^1.0\"},{\"kind\":\"dev\",\"name\":\"similar\",\"req\":\"^2.6.0\"},{\"default_features\":false,\"features\":[\"clone-impls\",\"derive\",\"full\",\"parsing\",\"printing\"],\"name\":\"syn\",\"req\":\"^2.0.3\"}],\"features\":{\"alloc\":[],\"code-in-doc\":[\"dep:pulldown-cmark\"],\"config\":[\"external-sources\",\"dep:basic-toml\",\"dep:serde\",\"dep:serde_derive\",\"parser/config\"],\"default\":[\"alloc\",\"code-in-doc\",\"config\",\"external-sources\",\"proc-macro\",\"serde_json\",\"std\",\"urlencode\"],\"external-sources\":[],\"nightly-spans\":[],\"proc-macro\":[\"proc-macro2/proc-macro\"],\"serde_json\":[],\"std\":[\"alloc\"],\"urlencode\":[]}}",
-      "askama_macros_0.15.4": "{\"dependencies\":[{\"default_features\":false,\"features\":[\"external-sources\",\"proc-macro\"],\"name\":\"askama_derive\",\"package\":\"askama_derive\",\"req\":\"=0.15.4\"}],\"features\":{\"alloc\":[\"askama_derive/alloc\"],\"code-in-doc\":[\"askama_derive/code-in-doc\"],\"config\":[\"askama_derive/config\"],\"default\":[\"config\",\"derive\",\"std\",\"urlencode\"],\"derive\":[],\"full\":[\"default\",\"code-in-doc\",\"serde_json\"],\"nightly-spans\":[\"askama_derive/nightly-spans\"],\"serde_json\":[\"askama_derive/serde_json\"],\"std\":[\"askama_derive/std\"],\"urlencode\":[\"askama_derive/urlencode\"]}}",
-      "askama_parser_0.15.4": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"^0.8\"},{\"name\":\"rustc-hash\",\"req\":\"^2.0.0\"},{\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0\"},{\"name\":\"serde_derive\",\"optional\":true,\"req\":\"^1.0\"},{\"name\":\"unicode-ident\",\"req\":\"^1.0.12\"},{\"features\":[\"simd\"],\"name\":\"winnow\",\"req\":\"^0.7.0\"}],\"features\":{\"config\":[\"dep:serde\",\"dep:serde_derive\"]}}",
       "asn1-rs-derive_0.6.0": "{\"dependencies\":[{\"name\":\"proc-macro2\",\"req\":\"^1.0\"},{\"name\":\"quote\",\"req\":\"^1.0\"},{\"features\":[\"full\"],\"name\":\"syn\",\"req\":\"^2.0\"},{\"name\":\"synstructure\",\"req\":\"^0.13\"}],\"features\":{}}",
       "asn1-rs-impl_0.2.0": "{\"dependencies\":[{\"name\":\"proc-macro2\",\"req\":\"^1\"},{\"name\":\"quote\",\"req\":\"^1\"},{\"name\":\"syn\",\"req\":\"^2.0\"}],\"features\":{}}",
       "asn1-rs_0.7.1": "{\"dependencies\":[{\"name\":\"asn1-rs-derive\",\"req\":\"^0.6\"},{\"name\":\"asn1-rs-impl\",\"req\":\"^0.2\"},{\"name\":\"bitvec\",\"optional\":true,\"req\":\"^1.0\"},{\"name\":\"colored\",\"optional\":true,\"req\":\"^3.0\"},{\"kind\":\"dev\",\"name\":\"colored\",\"req\":\"^3.0\"},{\"name\":\"cookie-factory\",\"optional\":true,\"req\":\"^0.3.0\"},{\"name\":\"displaydoc\",\"req\":\"^0.2.2\"},{\"kind\":\"dev\",\"name\":\"hex-literal\",\"req\":\"^0.4\"},{\"default_features\":false,\"features\":[\"std\"],\"name\":\"nom\",\"req\":\"^7.0\"},{\"name\":\"num-bigint\",\"optional\":true,\"req\":\"^0.4\"},{\"name\":\"num-traits\",\"req\":\"^0.2.14\"},{\"kind\":\"dev\",\"name\":\"pem\",\"req\":\"^3.0\"},{\"name\":\"rusticata-macros\",\"req\":\"^4.0\"},{\"name\":\"thiserror\",\"req\":\"^2.0.0\"},{\"features\":[\"macros\",\"parsing\",\"formatting\"],\"name\":\"time\",\"optional\":true,\"req\":\"^0.3\"},{\"kind\":\"dev\",\"name\":\"trybuild\",\"req\":\"^1.0\"}],\"features\":{\"bigint\":[\"num-bigint\"],\"bits\":[\"bitvec\"],\"datetime\":[\"time\"],\"debug\":[\"std\",\"colored\"],\"default\":[\"std\"],\"serialize\":[\"cookie-factory\"],\"std\":[],\"trace\":[\"debug\"]}}",
@@ -971,6 +967,7 @@
       "jni_0.21.1": "{\"dependencies\":[{\"name\":\"cesu8\",\"req\":\"^1.1.0\"},{\"name\":\"cfg-if\",\"req\":\"^1.0.0\"},{\"name\":\"combine\",\"req\":\"^4.1.0\"},{\"name\":\"java-locator\",\"optional\":true,\"req\":\"^0.1\"},{\"name\":\"jni-sys\",\"req\":\"^0.3.0\"},{\"name\":\"libloading\",\"optional\":true,\"req\":\"^0.7\"},{\"name\":\"log\",\"req\":\"^0.4.4\"},{\"name\":\"thiserror\",\"req\":\"^1.0.20\"},{\"kind\":\"dev\",\"name\":\"assert_matches\",\"req\":\"^1.5.0\"},{\"kind\":\"dev\",\"name\":\"lazy_static\",\"req\":\"^1\"},{\"kind\":\"dev\",\"name\":\"rusty-fork\",\"req\":\"^0.3.0\"},{\"kind\":\"build\",\"name\":\"walkdir\",\"req\":\"^2\"},{\"features\":[\"Win32_Globalization\"],\"name\":\"windows-sys\",\"req\":\"^0.45.0\",\"target\":\"cfg(windows)\"},{\"kind\":\"dev\",\"name\":\"bytemuck\",\"req\":\"^1.13.0\",\"target\":\"cfg(windows)\"}],\"features\":{\"default\":[],\"invocation\":[\"java-locator\",\"libloading\"]}}",
       "jobserver_0.1.34": "{\"dependencies\":[{\"features\":[\"std\"],\"name\":\"getrandom\",\"req\":\"^0.3.2\",\"target\":\"cfg(windows)\"},{\"name\":\"libc\",\"req\":\"^0.2.171\",\"target\":\"cfg(unix)\"},{\"features\":[\"fs\"],\"kind\":\"dev\",\"name\":\"nix\",\"req\":\"^0.28.0\",\"target\":\"cfg(unix)\"},{\"kind\":\"dev\",\"name\":\"tempfile\",\"req\":\"^3.10.1\"}],\"features\":{}}",
       "js-sys_0.3.85": "{\"dependencies\":[{\"default_features\":false,\"name\":\"once_cell\",\"req\":\"^1.12\"},{\"default_features\":false,\"name\":\"wasm-bindgen\",\"req\":\"=0.2.108\"}],\"features\":{\"default\":[\"std\"],\"std\":[\"wasm-bindgen/std\"]}}",
+      "jsonwebtoken_9.3.1": "{\"dependencies\":[{\"name\":\"base64\",\"req\":\"^0.22\"},{\"default_features\":false,\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"^0.4\",\"target\":\"cfg(all(target_arch = \\\"wasm32\\\", not(any(target_os = \\\"emscripten\\\", target_os = \\\"wasi\\\"))))\"},{\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"^0.4\",\"target\":\"cfg(not(all(target_arch = \\\"wasm32\\\", not(any(target_os = \\\"emscripten\\\", target_os = \\\"wasi\\\")))))\"},{\"name\":\"js-sys\",\"req\":\"^0.3\",\"target\":\"cfg(target_arch = \\\"wasm32\\\")\"},{\"name\":\"pem\",\"optional\":true,\"req\":\"^3\"},{\"features\":[\"std\"],\"name\":\"ring\",\"req\":\"^0.17.4\",\"target\":\"cfg(not(target_arch = \\\"wasm32\\\"))\"},{\"features\":[\"std\",\"wasm32_unknown_unknown_js\"],\"name\":\"ring\",\"req\":\"^0.17.4\",\"target\":\"cfg(target_arch = \\\"wasm32\\\")\"},{\"features\":[\"derive\"],\"name\":\"serde\",\"req\":\"^1.0\"},{\"name\":\"serde_json\",\"req\":\"^1.0\"},{\"name\":\"simple_asn1\",\"optional\":true,\"req\":\"^0.6\"},{\"features\":[\"wasm-bindgen\"],\"kind\":\"dev\",\"name\":\"time\",\"req\":\"^0.3\",\"target\":\"cfg(all(target_arch = \\\"wasm32\\\", not(any(target_os = \\\"emscripten\\\", target_os = \\\"wasi\\\"))))\"},{\"kind\":\"dev\",\"name\":\"time\",\"req\":\"^0.3\",\"target\":\"cfg(not(all(target_arch = \\\"wasm32\\\", not(any(target_os = \\\"emscripten\\\", target_os = \\\"wasi\\\")))))\"},{\"kind\":\"dev\",\"name\":\"wasm-bindgen-test\",\"req\":\"^0.3.1\"}],\"features\":{\"default\":[\"use_pem\"],\"use_pem\":[\"pem\",\"simple_asn1\"]}}",
       "keyring_3.6.3": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"base64\",\"req\":\"^0.22\"},{\"name\":\"byteorder\",\"optional\":true,\"req\":\"^1.2\",\"target\":\"cfg(target_os = \\\"windows\\\")\"},{\"features\":[\"derive\",\"wrap_help\"],\"kind\":\"dev\",\"name\":\"clap\",\"req\":\"^4\"},{\"name\":\"dbus-secret-service\",\"optional\":true,\"req\":\"^4.0.0-rc.1\",\"target\":\"cfg(target_os = \\\"openbsd\\\")\"},{\"name\":\"dbus-secret-service\",\"optional\":true,\"req\":\"^4.0.0-rc.2\",\"target\":\"cfg(target_os = \\\"linux\\\")\"},{\"name\":\"dbus-secret-service\",\"optional\":true,\"req\":\"^4.0.1\",\"target\":\"cfg(target_os = \\\"freebsd\\\")\"},{\"kind\":\"dev\",\"name\":\"doc-comment\",\"req\":\"^0.3\"},{\"kind\":\"dev\",\"name\":\"env_logger\",\"req\":\"^0.11.5\"},{\"kind\":\"dev\",\"name\":\"fastrand\",\"req\":\"^2\"},{\"features\":[\"std\"],\"name\":\"linux-keyutils\",\"optional\":true,\"req\":\"^0.2\",\"target\":\"cfg(target_os = \\\"linux\\\")\"},{\"name\":\"log\",\"req\":\"^0.4.22\"},{\"name\":\"openssl\",\"optional\":true,\"req\":\"^0.10.66\"},{\"kind\":\"dev\",\"name\":\"rpassword\",\"req\":\"^7\"},{\"kind\":\"dev\",\"name\":\"rprompt\",\"req\":\"^2\"},{\"name\":\"secret-service\",\"optional\":true,\"req\":\"^4\",\"target\":\"cfg(target_os = \\\"freebsd\\\")\"},{\"name\":\"secret-service\",\"optional\":true,\"req\":\"^4\",\"target\":\"cfg(target_os = \\\"linux\\\")\"},{\"name\":\"secret-service\",\"optional\":true,\"req\":\"^4\",\"target\":\"cfg(target_os = \\\"openbsd\\\")\"},{\"name\":\"security-framework\",\"optional\":true,\"req\":\"^2\",\"target\":\"cfg(target_os = \\\"ios\\\")\"},{\"name\":\"security-framework\",\"optional\":true,\"req\":\"^3\",\"target\":\"cfg(target_os = \\\"macos\\\")\"},{\"kind\":\"dev\",\"name\":\"whoami\",\"req\":\"^1.5\"},{\"features\":[\"Win32_Foundation\",\"Win32_Security_Credentials\"],\"name\":\"windows-sys\",\"optional\":true,\"req\":\"^0.60\",\"target\":\"cfg(target_os = \\\"windows\\\")\"},{\"name\":\"zbus\",\"optional\":true,\"req\":\"^4\",\"target\":\"cfg(target_os = \\\"freebsd\\\")\"},{\"name\":\"zbus\",\"optional\":true,\"req\":\"^4\",\"target\":\"cfg(target_os = \\\"linux\\\")\"},{\"name\":\"zbus\",\"optional\":true,\"req\":\"^4\",\"target\":\"cfg(target_os = \\\"openbsd\\\")\"},{\"name\":\"zeroize\",\"req\":\"^1.8.1\",\"target\":\"cfg(target_os = \\\"windows\\\")\"}],\"features\":{\"apple-native\":[\"dep:security-framework\"],\"async-io\":[\"zbus?/async-io\"],\"async-secret-service\":[\"dep:secret-service\",\"dep:zbus\"],\"crypto-openssl\":[\"dbus-secret-service?/crypto-openssl\",\"secret-service?/crypto-openssl\"],\"crypto-rust\":[\"dbus-secret-service?/crypto-rust\",\"secret-service?/crypto-rust\"],\"linux-native\":[\"dep:linux-keyutils\"],\"linux-native-async-persistent\":[\"linux-native\",\"async-secret-service\"],\"linux-native-sync-persistent\":[\"linux-native\",\"sync-secret-service\"],\"sync-secret-service\":[\"dep:dbus-secret-service\"],\"tokio\":[\"zbus?/tokio\"],\"vendored\":[\"dbus-secret-service?/vendored\",\"openssl?/vendored\"],\"windows-native\":[\"dep:windows-sys\",\"dep:byteorder\"]}}",
       "kqueue-sys_1.0.4": "{\"dependencies\":[{\"name\":\"bitflags\",\"req\":\"^1.2.1\"},{\"name\":\"libc\",\"req\":\"^0.2.74\"}],\"features\":{}}",
       "kqueue_1.1.1": "{\"dependencies\":[{\"features\":[\"html_reports\"],\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"^0.5\"},{\"kind\":\"dev\",\"name\":\"dhat\",\"req\":\"^0.3.2\"},{\"name\":\"kqueue-sys\",\"req\":\"^1.0.4\"},{\"name\":\"libc\",\"req\":\"^0.2.17\"},{\"kind\":\"dev\",\"name\":\"tempfile\",\"req\":\"^3.1.0\"}],\"features\":{}}",
@@ -1281,6 +1278,7 @@
       "simd-adler32_0.3.8": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"adler\",\"req\":\"^1.0.2\"},{\"kind\":\"dev\",\"name\":\"adler32\",\"req\":\"^1.2.0\"},{\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"^0.3\"},{\"kind\":\"dev\",\"name\":\"rand\",\"req\":\"^0.8\"}],\"features\":{\"const-generics\":[],\"default\":[\"std\",\"const-generics\"],\"nightly\":[],\"std\":[]}}",
       "simdutf8_0.1.5": "{\"dependencies\":[],\"features\":{\"aarch64_neon\":[],\"aarch64_neon_prefetch\":[],\"default\":[\"std\"],\"hints\":[],\"public_imp\":[],\"std\":[]}}",
       "similar_2.7.0": "{\"dependencies\":[{\"default_features\":false,\"name\":\"bstr\",\"optional\":true,\"req\":\"^1.5.0\"},{\"kind\":\"dev\",\"name\":\"console\",\"req\":\"^0.15.0\"},{\"kind\":\"dev\",\"name\":\"insta\",\"req\":\"^1.10.0\"},{\"features\":[\"derive\"],\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0.130\"},{\"kind\":\"dev\",\"name\":\"serde_json\",\"req\":\"^1.0.68\"},{\"name\":\"unicode-segmentation\",\"optional\":true,\"req\":\"^1.7.1\"},{\"name\":\"web-time\",\"optional\":true,\"req\":\"^1.1\"}],\"features\":{\"bytes\":[\"bstr\",\"text\"],\"default\":[\"text\"],\"inline\":[\"text\"],\"text\":[],\"unicode\":[\"text\",\"unicode-segmentation\",\"bstr?/unicode\",\"bstr?/std\"],\"wasm32_web_time\":[\"web-time\"]}}",
+      "simple_asn1_0.6.4": "{\"dependencies\":[{\"default_features\":false,\"name\":\"num-bigint\",\"req\":\"^0.4\"},{\"default_features\":false,\"name\":\"num-traits\",\"req\":\"^0.2\"},{\"kind\":\"dev\",\"name\":\"quickcheck\",\"req\":\"^1.0.3\"},{\"kind\":\"dev\",\"name\":\"rand\",\"req\":\"^0.8.4\"},{\"default_features\":false,\"name\":\"thiserror\",\"req\":\"^2\"},{\"default_features\":false,\"features\":[\"formatting\",\"macros\",\"parsing\"],\"name\":\"time\",\"req\":\"^0.3.47\"},{\"default_features\":false,\"features\":[\"formatting\",\"macros\",\"parsing\",\"quickcheck\"],\"kind\":\"dev\",\"name\":\"time\",\"req\":\"^0.3\"}],\"features\":{}}",
       "siphasher_1.0.2": "{\"dependencies\":[{\"features\":[\"derive\"],\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0\"},{\"name\":\"serde_json\",\"optional\":true,\"req\":\"^1.0\"}],\"features\":{\"default\":[\"std\"],\"serde_no_std\":[\"serde/alloc\"],\"serde_std\":[\"std\",\"serde/std\"],\"std\":[]}}",
       "slab_0.4.12": "{\"dependencies\":[{\"default_features\":false,\"features\":[\"alloc\"],\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0.95\"},{\"features\":[\"derive\"],\"kind\":\"dev\",\"name\":\"serde\",\"req\":\"^1\"},{\"kind\":\"dev\",\"name\":\"serde_test\",\"req\":\"^1\"}],\"features\":{\"default\":[\"std\"],\"std\":[]}}",
       "smallvec_1.15.1": "{\"dependencies\":[{\"name\":\"arbitrary\",\"optional\":true,\"req\":\"^1\"},{\"default_features\":false,\"name\":\"bincode\",\"optional\":true,\"req\":\"^2\"},{\"kind\":\"dev\",\"name\":\"bincode1\",\"package\":\"bincode\",\"req\":\"^1.0.1\"},{\"kind\":\"dev\",\"name\":\"debugger_test\",\"req\":\"^0.1.0\"},{\"kind\":\"dev\",\"name\":\"debugger_test_parser\",\"req\":\"^0.1.0\"},{\"default_features\":false,\"name\":\"malloc_size_of\",\"optional\":true,\"req\":\"^0.1\"},{\"default_features\":false,\"name\":\"serde\",\"optional\":true,\"req\":\"^1\"},{\"default_features\":false,\"name\":\"unty\",\"optional\":true,\"req\":\"^0.0.4\"}],\"features\":{\"const_generics\":[],\"const_new\":[\"const_generics\"],\"debugger_visualizer\":[],\"drain_filter\":[],\"drain_keep_rest\":[\"drain_filter\"],\"impl_bincode\":[\"bincode\",\"unty\"],\"may_dangle\":[],\"specialization\":[],\"union\":[],\"write\":[]}}",

codex-rs/Cargo.lock

@@ -380,7 +380,7 @@ version = "1.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc"
 dependencies = [
- "windows-sys 0.60.2",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -391,7 +391,7 @@ checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d"
 dependencies = [
  "anstyle",
  "once_cell_polyfill",
- "windows-sys 0.60.2",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -410,6 +410,7 @@ dependencies = [
  "codex-app-server-protocol",
  "codex-core",
  "codex-features",
+ "codex-login",
  "codex-protocol",
  "codex-utils-cargo-bin",
  "core_test_support",
@@ -453,9 +454,9 @@ dependencies = [
 
 [[package]]
 name = "arc-swap"
-version = "1.8.2"
+version = "1.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f9f3647c145568cec02c42054e07bdf9a5a698e15b466fb2341bfc393cd24aa5"
+checksum = "a07d1f37ff60921c83bdfc7407723bdefe89b44b98a9b772f225c8f9d67141a6"
 dependencies = [
  "rustversion",
 ]
@@ -481,58 +482,6 @@ dependencies = [
  "term",
 ]
 
-[[package]]
-name = "askama"
-version = "0.15.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08e1676b346cadfec169374f949d7490fd80a24193d37d2afce0c047cf695e57"
-dependencies = [
- "askama_macros",
- "itoa",
- "percent-encoding",
- "serde",
- "serde_json",
-]
-
-[[package]]
-name = "askama_derive"
-version = "0.15.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7661ff56517787343f376f75db037426facd7c8d3049cef8911f1e75016f3a37"
-dependencies = [
- "askama_parser",
- "basic-toml",
- "memchr",
- "proc-macro2",
- "quote",
- "rustc-hash 2.1.1",
- "serde",
- "serde_derive",
- "syn 2.0.114",
-]
-
-[[package]]
-name = "askama_macros"
-version = "0.15.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "713ee4dbfd1eb719c2dab859465b01fa1d21cb566684614a713a6b7a99a4e47b"
-dependencies = [
- "askama_derive",
-]
-
-[[package]]
-name = "askama_parser"
-version = "0.15.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1d62d674238a526418b30c0def480d5beadb9d8964e7f38d635b03bf639c704c"
-dependencies = [
- "rustc-hash 2.1.1",
- "serde",
- "serde_derive",
- "unicode-ident",
- "winnow",
-]
-
 [[package]]
 name = "asn1-rs"
 version = "0.7.1"
@@ -1384,6 +1333,22 @@ version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e9b18233253483ce2f65329a24072ec414db782531bdbb7d0bbc4bd2ce6b7e21"
 
+[[package]]
+name = "codex-analytics"
+version = "0.0.0"
+dependencies = [
+ "codex-git-utils",
+ "codex-login",
+ "codex-plugin",
+ "codex-protocol",
+ "pretty_assertions",
+ "serde",
+ "serde_json",
+ "sha1",
+ "tokio",
+ "tracing",
+]
+
 [[package]]
 name = "codex-ansi-escape"
 version = "0.0.0"
@@ -1444,10 +1409,12 @@ dependencies = [
  "codex-features",
  "codex-feedback",
  "codex-file-search",
+ "codex-git-utils",
  "codex-login",
  "codex-otel",
  "codex-protocol",
  "codex-rmcp-client",
+ "codex-sandboxing",
  "codex-shell-command",
  "codex-state",
  "codex-utils-absolute-path",
@@ -1455,8 +1422,11 @@ dependencies = [
  "codex-utils-cli",
  "codex-utils-json-to-toml",
  "codex-utils-pty",
+ "constant_time_eq",
  "core_test_support",
  "futures",
+ "hmac",
+ "jsonwebtoken",
  "opentelemetry",
  "opentelemetry_sdk",
  "owo-colors",
@@ -1466,6 +1436,7 @@ dependencies = [
  "serde",
  "serde_json",
  "serial_test",
+ "sha2",
  "shlex",
  "tempfile",
  "time",
@@ -1488,7 +1459,6 @@ dependencies = [
  "codex-app-server-protocol",
  "codex-arg0",
  "codex-core",
- "codex-features",
  "codex-feedback",
  "codex-protocol",
  "futures",
@@ -1509,6 +1479,7 @@ dependencies = [
  "anyhow",
  "clap",
  "codex-experimental-api-macros",
+ "codex-git-utils",
  "codex-protocol",
  "codex-utils-absolute-path",
  "codex-utils-cargo-bin",
@@ -1573,6 +1544,7 @@ dependencies = [
  "anyhow",
  "codex-apply-patch",
  "codex-linux-sandbox",
+ "codex-sandboxing",
  "codex-shell-escalation",
  "codex-utils-home-dir",
  "dotenvy",
@@ -1580,27 +1552,6 @@ dependencies = [
  "tokio",
 ]
 
-[[package]]
-name = "codex-artifacts"
-version = "0.0.0"
-dependencies = [
- "codex-package-manager",
- "flate2",
- "pretty_assertions",
- "reqwest",
- "serde",
- "serde_json",
- "sha2",
- "tar",
- "tempfile",
- "thiserror 2.0.18",
- "tokio",
- "url",
- "which 8.0.0",
- "wiremock",
- "zip",
-]
-
 [[package]]
 name = "codex-async-utils"
 version = "0.0.0"
@@ -1643,7 +1594,8 @@ dependencies = [
  "clap",
  "codex-connectors",
  "codex-core",
- "codex-git",
+ "codex-git-utils",
+ "codex-login",
  "codex-utils-cargo-bin",
  "codex-utils-cli",
  "pretty_assertions",
@@ -1678,6 +1630,7 @@ dependencies = [
  "codex-protocol",
  "codex-responses-api-proxy",
  "codex-rmcp-client",
+ "codex-sandboxing",
  "codex-state",
  "codex-stdio-to-uds",
  "codex-terminal-detection",
@@ -1767,6 +1720,7 @@ dependencies = [
  "codex-client",
  "codex-cloud-tasks-client",
  "codex-core",
+ "codex-git-utils",
  "codex-login",
  "codex-tui",
  "codex-utils-cli",
@@ -1793,7 +1747,7 @@ dependencies = [
  "async-trait",
  "chrono",
  "codex-backend-client",
- "codex-git",
+ "codex-git-utils",
  "diffy",
  "serde",
  "serde_json",
@@ -1826,6 +1780,7 @@ dependencies = [
  "futures",
  "multimap",
  "pretty_assertions",
+ "schemars 0.8.22",
  "serde",
  "serde_json",
  "serde_path_to_error",
@@ -1855,7 +1810,6 @@ version = "0.0.0"
 dependencies = [
  "anyhow",
  "arc-swap",
- "askama",
  "assert_cmd",
  "assert_matches",
  "async-channel",
@@ -1865,42 +1819,48 @@ dependencies = [
  "chardetng",
  "chrono",
  "clap",
+ "codex-analytics",
  "codex-api",
  "codex-app-server-protocol",
  "codex-apply-patch",
  "codex-arg0",
- "codex-artifacts",
  "codex-async-utils",
  "codex-code-mode",
  "codex-config",
  "codex-connectors",
+ "codex-core-skills",
  "codex-exec-server",
  "codex-execpolicy",
  "codex-features",
- "codex-file-search",
- "codex-git",
+ "codex-git-utils",
  "codex-hooks",
+ "codex-instructions",
  "codex-login",
  "codex-network-proxy",
  "codex-otel",
+ "codex-plugin",
  "codex-protocol",
  "codex-rmcp-client",
+ "codex-rollout",
+ "codex-sandboxing",
  "codex-secrets",
  "codex-shell-command",
  "codex-shell-escalation",
- "codex-skills",
  "codex-state",
  "codex-terminal-detection",
- "codex-test-macros",
  "codex-utils-absolute-path",
  "codex-utils-cache",
  "codex-utils-cargo-bin",
  "codex-utils-home-dir",
  "codex-utils-image",
+ "codex-utils-output-truncation",
+ "codex-utils-path",
+ "codex-utils-plugins",
  "codex-utils-pty",
  "codex-utils-readiness",
  "codex-utils-stream-parser",
  "codex-utils-string",
+ "codex-utils-template",
  "codex-windows-sandbox",
  "core-foundation 0.9.4",
  "core_test_support",
@@ -1935,7 +1895,6 @@ dependencies = [
  "seccompiler",
  "serde",
  "serde_json",
- "serde_yaml",
  "serial_test",
  "sha1",
  "shlex",
@@ -1944,7 +1903,6 @@ dependencies = [
  "test-case",
  "test-log",
  "thiserror 2.0.18",
- "time",
  "tokio",
  "tokio-tungstenite",
  "tokio-util",
@@ -1965,6 +1923,35 @@ dependencies = [
  "zstd",
 ]
 
+[[package]]
+name = "codex-core-skills"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "codex-analytics",
+ "codex-app-server-protocol",
+ "codex-config",
+ "codex-instructions",
+ "codex-login",
+ "codex-otel",
+ "codex-protocol",
+ "codex-skills",
+ "codex-utils-absolute-path",
+ "codex-utils-plugins",
+ "dirs",
+ "dunce",
+ "pretty_assertions",
+ "serde",
+ "serde_json",
+ "serde_yaml",
+ "shlex",
+ "tempfile",
+ "tokio",
+ "toml 0.9.11+spec-1.1.0",
+ "tracing",
+ "zip",
+]
+
 [[package]]
 name = "codex-debug-client"
 version = "0.0.0"
@@ -1991,14 +1978,13 @@ dependencies = [
  "codex-cloud-requirements",
  "codex-core",
  "codex-feedback",
+ "codex-git-utils",
  "codex-otel",
  "codex-protocol",
  "codex-utils-absolute-path",
  "codex-utils-cargo-bin",
  "codex-utils-cli",
- "codex-utils-elapsed",
  "codex-utils-oss",
- "codex-utils-sandbox-summary",
  "core_test_support",
  "libc",
  "opentelemetry",
@@ -2006,10 +1992,8 @@ dependencies = [
  "owo-colors",
  "predicates",
  "pretty_assertions",
- "rmcp",
  "serde",
  "serde_json",
- "shlex",
  "supports-color 3.0.2",
  "tempfile",
  "tokio",
@@ -2027,6 +2011,7 @@ name = "codex-exec-server"
 version = "0.0.0"
 dependencies = [
  "anyhow",
+ "arc-swap",
  "async-trait",
  "base64 0.22.1",
  "clap",
@@ -2135,10 +2120,12 @@ dependencies = [
 ]
 
 [[package]]
-name = "codex-git"
+name = "codex-git-utils"
 version = "0.0.0"
 dependencies = [
  "assert_matches",
+ "codex-utils-absolute-path",
+ "futures",
  "once_cell",
  "pretty_assertions",
  "regex",
@@ -2146,6 +2133,7 @@ dependencies = [
  "serde",
  "tempfile",
  "thiserror 2.0.18",
+ "tokio",
  "ts-rs",
  "walkdir",
 ]
@@ -2168,6 +2156,15 @@ dependencies = [
  "tokio",
 ]
 
+[[package]]
+name = "codex-instructions"
+version = "0.0.0"
+dependencies = [
+ "codex-protocol",
+ "pretty_assertions",
+ "serde",
+]
+
 [[package]]
 name = "codex-keyring-store"
 version = "0.0.0"
@@ -2184,6 +2181,7 @@ dependencies = [
  "clap",
  "codex-core",
  "codex-protocol",
+ "codex-sandboxing",
  "codex-utils-absolute-path",
  "landlock",
  "libc",
@@ -2255,6 +2253,7 @@ dependencies = [
  "anyhow",
  "codex-arg0",
  "codex-core",
+ "codex-exec-server",
  "codex-features",
  "codex-protocol",
  "codex-shell-command",
@@ -2377,6 +2376,15 @@ dependencies = [
  "zip",
 ]
 
+[[package]]
+name = "codex-plugin"
+version = "0.0.0"
+dependencies = [
+ "codex-utils-absolute-path",
+ "codex-utils-plugins",
+ "thiserror 2.0.18",
+]
+
 [[package]]
 name = "codex-process-hardening"
 version = "0.0.0"
@@ -2391,9 +2399,10 @@ version = "0.0.0"
 dependencies = [
  "anyhow",
  "codex-execpolicy",
- "codex-git",
+ "codex-git-utils",
  "codex-utils-absolute-path",
  "codex-utils-image",
+ "codex-utils-string",
  "icu_decimal",
  "icu_locale_core",
  "icu_provider",
@@ -2462,6 +2471,48 @@ dependencies = [
  "which 8.0.0",
 ]
 
+[[package]]
+name = "codex-rollout"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "async-trait",
+ "chrono",
+ "codex-file-search",
+ "codex-git-utils",
+ "codex-login",
+ "codex-otel",
+ "codex-protocol",
+ "codex-state",
+ "codex-utils-path",
+ "codex-utils-string",
+ "pretty_assertions",
+ "serde",
+ "serde_json",
+ "tempfile",
+ "time",
+ "tokio",
+ "tracing",
+ "uuid",
+]
+
+[[package]]
+name = "codex-sandboxing"
+version = "0.0.0"
+dependencies = [
+ "codex-network-proxy",
+ "codex-protocol",
+ "codex-utils-absolute-path",
+ "dirs",
+ "dunce",
+ "libc",
+ "pretty_assertions",
+ "serde_json",
+ "tempfile",
+ "tracing",
+ "url",
+]
+
 [[package]]
 name = "codex-secrets"
 version = "0.0.0"
@@ -2469,6 +2520,7 @@ dependencies = [
  "age",
  "anyhow",
  "base64 0.22.1",
+ "codex-git-utils",
  "codex-keyring-store",
  "keyring",
  "pretty_assertions",
@@ -2539,6 +2591,7 @@ dependencies = [
  "anyhow",
  "chrono",
  "clap",
+ "codex-git-utils",
  "codex-protocol",
  "dirs",
  "log",
@@ -2573,15 +2626,6 @@ dependencies = [
  "tracing",
 ]
 
-[[package]]
-name = "codex-test-macros"
-version = "0.0.0"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.114",
-]
-
 [[package]]
 name = "codex-tui"
 version = "0.0.0"
@@ -2602,9 +2646,11 @@ dependencies = [
  "codex-client",
  "codex-cloud-requirements",
  "codex-core",
+ "codex-exec-server",
  "codex-features",
  "codex-feedback",
  "codex-file-search",
+ "codex-git-utils",
  "codex-login",
  "codex-otel",
  "codex-protocol",
@@ -2698,6 +2744,7 @@ dependencies = [
  "codex-features",
  "codex-feedback",
  "codex-file-search",
+ "codex-git-utils",
  "codex-login",
  "codex-otel",
  "codex-protocol",
@@ -2865,6 +2912,34 @@ dependencies = [
  "codex-ollama",
 ]
 
+[[package]]
+name = "codex-utils-output-truncation"
+version = "0.0.0"
+dependencies = [
+ "codex-protocol",
+ "codex-utils-string",
+ "pretty_assertions",
+]
+
+[[package]]
+name = "codex-utils-path"
+version = "0.0.0"
+dependencies = [
+ "codex-utils-absolute-path",
+ "dunce",
+ "pretty_assertions",
+ "tempfile",
+]
+
+[[package]]
+name = "codex-utils-plugins"
+version = "0.0.0"
+dependencies = [
+ "serde",
+ "serde_json",
+ "tempfile",
+]
+
 [[package]]
 name = "codex-utils-pty"
 version = "0.0.0"
@@ -2934,6 +3009,13 @@ dependencies = [
  "regex-lite",
 ]
 
+[[package]]
+name = "codex-utils-template"
+version = "0.0.0"
+dependencies = [
+ "pretty_assertions",
+]
+
 [[package]]
 name = "codex-v8-poc"
 version = "0.0.0"
@@ -3821,7 +3903,7 @@ dependencies = [
  "libc",
  "option-ext",
  "redox_users 0.5.2",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -4066,7 +4148,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
  "libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -5511,7 +5593,7 @@ checksum = "3640c1c38b8e4e43584d8df18be5fc6b0aa314ce6ebf51b53313d4306cca8e46"
 dependencies = [
  "hermit-abi",
  "libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -5631,6 +5713,21 @@ dependencies = [
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "jsonwebtoken"
+version = "9.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a87cc7a48537badeae96744432de36f4be2b4a34a05a5ef32e9dd8a1c169dde"
+dependencies = [
+ "base64 0.22.1",
+ "js-sys",
+ "pem",
+ "ring",
+ "serde",
+ "serde_json",
+ "simple_asn1",
+]
+
 [[package]]
 name = "keyring"
 version = "3.6.3"
@@ -6274,7 +6371,7 @@ version = "0.50.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
 dependencies = [
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -6918,7 +7015,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7d8fae84b431384b68627d0f9b3b1245fcf9f46f6c0e3dc902e9dce64edd1967"
 dependencies = [
  "libc",
- "windows-sys 0.45.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -8340,7 +8437,7 @@ dependencies = [
  "errno",
  "libc",
  "linux-raw-sys 0.11.0",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -9121,6 +9218,18 @@ version = "2.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bbbb5d9659141646ae647b42fe094daf6c6192d1620870b449d9557f748b2daa"
 
+[[package]]
+name = "simple_asn1"
+version = "0.6.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0d585997b0ac10be3c5ee635f1bab02d512760d14b7c468801ac8a01d9ae5f1d"
+dependencies = [
+ "num-bigint",
+ "num-traits",
+ "thiserror 2.0.18",
+ "time",
+]
+
 [[package]]
 name = "siphasher"
 version = "1.0.2"
@@ -9773,7 +9882,7 @@ dependencies = [
  "getrandom 0.3.4",
  "once_cell",
  "rustix 1.1.3",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -11219,7 +11328,7 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.48.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]

codex-rs/Cargo.toml

@@ -1,5 +1,6 @@
 [workspace]
 members = [
+    "analytics",
     "backend-client",
     "ansi-escape",
     "async-utils",
@@ -24,7 +25,9 @@ members = [
     "shell-escalation",
     "skills",
     "core",
+    "core-skills",
     "hooks",
+    "instructions",
     "secrets",
     "exec",
     "exec-server",
@@ -40,8 +43,10 @@ members = [
     "ollama",
     "process-hardening",
     "protocol",
+    "rollout",
     "rmcp-client",
     "responses-api-proxy",
+    "sandboxing",
     "stdio-to-uds",
     "otel",
     "tui",
@@ -49,7 +54,7 @@ members = [
     "v8-poc",
     "utils/absolute-path",
     "utils/cargo-bin",
-    "utils/git",
+    "git-utils",
     "utils/cache",
     "utils/image",
     "utils/json-to-toml",
@@ -64,16 +69,19 @@ members = [
     "utils/sleep-inhibitor",
     "utils/approval-presets",
     "utils/oss",
+    "utils/output-truncation",
+    "utils/path-utils",
+    "utils/plugins",
     "utils/fuzzy-match",
     "utils/stream-parser",
+    "utils/template",
     "codex-client",
     "codex-api",
     "state",
     "terminal-detection",
     "codex-experimental-api-macros",
-    "test-macros",
     "package-manager",
-    "artifacts",
+    "plugin",
 ]
 resolver = "2"
 
@@ -90,8 +98,8 @@ license = "Apache-2.0"
 # Internal
 app_test_support = { path = "app-server/tests/common" }
 codex-ansi-escape = { path = "ansi-escape" }
+codex-analytics = { path = "analytics" }
 codex-api = { path = "codex-api" }
-codex-artifacts = { path = "artifacts" }
 codex-code-mode = { path = "code-mode" }
 codex-package-manager = { path = "package-manager" }
 codex-app-server = { path = "app-server" }
@@ -109,6 +117,7 @@ codex-cloud-requirements = { path = "cloud-requirements" }
 codex-connectors = { path = "connectors" }
 codex-config = { path = "config" }
 codex-core = { path = "core" }
+codex-core-skills = { path = "core-skills" }
 codex-exec = { path = "exec" }
 codex-exec-server = { path = "exec-server" }
 codex-execpolicy = { path = "execpolicy" }
@@ -116,8 +125,9 @@ codex-experimental-api-macros = { path = "codex-experimental-api-macros" }
 codex-feedback = { path = "feedback" }
 codex-features = { path = "features" }
 codex-file-search = { path = "file-search" }
-codex-git = { path = "utils/git" }
+codex-git-utils = { path = "git-utils" }
 codex-hooks = { path = "hooks" }
+codex-instructions = { path = "instructions" }
 codex-keyring-store = { path = "keyring-store" }
 codex-linux-sandbox = { path = "linux-sandbox" }
 codex-lmstudio = { path = "lmstudio" }
@@ -126,17 +136,19 @@ codex-mcp-server = { path = "mcp-server" }
 codex-network-proxy = { path = "network-proxy" }
 codex-ollama = { path = "ollama" }
 codex-otel = { path = "otel" }
+codex-plugin = { path = "plugin" }
 codex-process-hardening = { path = "process-hardening" }
 codex-protocol = { path = "protocol" }
+codex-rollout = { path = "rollout" }
 codex-responses-api-proxy = { path = "responses-api-proxy" }
 codex-rmcp-client = { path = "rmcp-client" }
+codex-sandboxing = { path = "sandboxing" }
 codex-secrets = { path = "secrets" }
 codex-shell-command = { path = "shell-command" }
 codex-shell-escalation = { path = "shell-escalation" }
 codex-skills = { path = "skills" }
 codex-state = { path = "state" }
 codex-stdio-to-uds = { path = "stdio-to-uds" }
-codex-test-macros = { path = "test-macros" }
 codex-terminal-detection = { path = "terminal-detection" }
 codex-tui = { path = "tui" }
 codex-tui-app-server = { path = "tui_app_server" }
@@ -152,12 +164,16 @@ codex-utils-home-dir = { path = "utils/home-dir" }
 codex-utils-image = { path = "utils/image" }
 codex-utils-json-to-toml = { path = "utils/json-to-toml" }
 codex-utils-oss = { path = "utils/oss" }
+codex-utils-output-truncation = { path = "utils/output-truncation" }
+codex-utils-path = { path = "utils/path-utils" }
+codex-utils-plugins = { path = "utils/plugins" }
 codex-utils-pty = { path = "utils/pty" }
 codex-utils-readiness = { path = "utils/readiness" }
 codex-utils-rustls-provider = { path = "utils/rustls-provider" }
 codex-utils-sandbox-summary = { path = "utils/sandbox-summary" }
 codex-utils-sleep-inhibitor = { path = "utils/sleep-inhibitor" }
 codex-utils-stream-parser = { path = "utils/stream-parser" }
+codex-utils-template = { path = "utils/template" }
 codex-utils-string = { path = "utils/string" }
 codex-windows-sandbox = { path = "windows-sandbox-rs" }
 core_test_support = { path = "core/tests/common" }
@@ -169,7 +185,7 @@ allocative = "0.3.3"
 ansi-to-tui = "7.0.0"
 anyhow = "1"
 arboard = { version = "3", features = ["wayland-data-control"] }
-askama = "0.15.4"
+arc-swap = "1.9.0"
 assert_cmd = "2"
 assert_matches = "1.5.0"
 async-channel = "2.3.1"
@@ -184,6 +200,7 @@ chrono = "0.4.43"
 clap = "4"
 clap_complete = "4"
 color-eyre = "0.6.3"
+constant_time_eq = "0.3.1"
 crossbeam-channel = "0.5.15"
 crossterm = "0.28.1"
 csv = "1.3.1"
@@ -202,6 +219,7 @@ flate2 = "1.1.4"
 futures = { version = "0.3", default-features = false }
 gethostname = "1.1.0"
 globset = "0.4"
+hmac = "0.12.1"
 http = "1.3.1"
 icu_decimal = "2.1"
 icu_locale_core = "2.1"
@@ -214,6 +232,7 @@ indexmap = "2.12.0"
 insta = "1.46.3"
 inventory = "0.3.19"
 itertools = "0.14.0"
+jsonwebtoken = "9.3.1"
 keyring = { version = "3.6", default-features = false }
 landlock = "0.4.4"
 lazy_static = "1"
@@ -288,7 +307,7 @@ supports-color = "3.0.2"
 syntect = "5"
 sys-locale = "0.3.2"
 tempfile = "3.23.0"
-tar = "0.4.44"
+tar = "0.4.45"
 test-log = "0.2.19"
 textwrap = "0.16.2"
 thiserror = "2.0.17"
@@ -374,8 +393,9 @@ unwrap_used = "deny"
 ignored = [
     "icu_provider",
     "openssl-sys",
+    "codex-package-manager",
     "codex-utils-readiness",
-    "codex-secrets",
+    "codex-utils-template",
     "codex-v8-poc",
 ]
 

codex-rs/analytics/BUILD.bazel

@@ -1,6 +1,6 @@
 load("//:defs.bzl", "codex_rust_crate")
 
 codex_rust_crate(
-    name = "artifacts",
-    crate_name = "codex_artifacts",
+    name = "analytics",
+    crate_name = "codex_analytics",
 )

codex-rs/analytics/Cargo.toml

@@ -0,0 +1,30 @@
+[package]
+edition.workspace = true
+license.workspace = true
+name = "codex-analytics"
+version.workspace = true
+
+[lib]
+doctest = false
+name = "codex_analytics"
+path = "src/lib.rs"
+
+[lints]
+workspace = true
+
+[dependencies]
+codex-git-utils = { workspace = true }
+codex-login = { workspace = true }
+codex-plugin = { workspace = true }
+codex-protocol = { workspace = true }
+serde = { workspace = true, features = ["derive"] }
+sha1 = { workspace = true }
+tokio = { workspace = true, features = [
+    "macros",
+    "rt-multi-thread",
+] }
+tracing = { workspace = true, features = ["log"] }
+
+[dev-dependencies]
+pretty_assertions = { workspace = true }
+serde_json = { workspace = true }

codex-rs/analytics/src/analytics_client.rs

@@ -1,9 +1,9 @@
-use crate::AuthManager;
-use crate::config::Config;
-use crate::default_client::create_client;
-use crate::git_info::collect_git_info;
-use crate::git_info::get_git_repo_root;
-use crate::plugins::PluginTelemetryMetadata;
+use codex_git_utils::collect_git_info;
+use codex_git_utils::get_git_repo_root;
+use codex_login::AuthManager;
+use codex_login::default_client::create_client;
+use codex_login::default_client::originator;
+use codex_plugin::PluginTelemetryMetadata;
 use codex_protocol::protocol::SkillScope;
 use serde::Serialize;
 use sha1::Digest;
@@ -17,13 +17,13 @@ use std::time::Duration;
 use tokio::sync::mpsc;
 
 #[derive(Clone)]
-pub(crate) struct TrackEventsContext {
-    pub(crate) model_slug: String,
-    pub(crate) thread_id: String,
-    pub(crate) turn_id: String,
+pub struct TrackEventsContext {
+    pub model_slug: String,
+    pub thread_id: String,
+    pub turn_id: String,
 }
 
-pub(crate) fn build_track_events_context(
+pub fn build_track_events_context(
     model_slug: String,
     thread_id: String,
     turn_id: String,
@@ -36,24 +36,24 @@ pub(crate) fn build_track_events_context(
 }
 
 #[derive(Clone, Debug)]
-pub(crate) struct SkillInvocation {
-    pub(crate) skill_name: String,
-    pub(crate) skill_scope: SkillScope,
-    pub(crate) skill_path: PathBuf,
-    pub(crate) invocation_type: InvocationType,
+pub struct SkillInvocation {
+    pub skill_name: String,
+    pub skill_scope: SkillScope,
+    pub skill_path: PathBuf,
+    pub invocation_type: InvocationType,
 }
 
 #[derive(Clone, Copy, Debug, Serialize)]
 #[serde(rename_all = "lowercase")]
-pub(crate) enum InvocationType {
+pub enum InvocationType {
     Explicit,
     Implicit,
 }
 
-pub(crate) struct AppInvocation {
-    pub(crate) connector_id: Option<String>,
-    pub(crate) app_name: Option<String>,
-    pub(crate) invocation_type: Option<InvocationType>,
+pub struct AppInvocation {
+    pub connector_id: Option<String>,
+    pub app_name: Option<String>,
+    pub invocation_type: Option<InvocationType>,
 }
 
 #[derive(Clone)]
@@ -66,38 +66,38 @@ pub(crate) struct AnalyticsEventsQueue {
 #[derive(Clone)]
 pub struct AnalyticsEventsClient {
     queue: AnalyticsEventsQueue,
-    config: Arc<Config>,
+    analytics_enabled: Option<bool>,
 }
 
 impl AnalyticsEventsQueue {
-    pub(crate) fn new(auth_manager: Arc<AuthManager>) -> Self {
+    pub(crate) fn new(auth_manager: Arc<AuthManager>, base_url: String) -> Self {
         let (sender, mut receiver) = mpsc::channel(ANALYTICS_EVENTS_QUEUE_SIZE);
         tokio::spawn(async move {
             while let Some(job) = receiver.recv().await {
                 match job {
                     TrackEventsJob::SkillInvocations(job) => {
-                        send_track_skill_invocations(&auth_manager, job).await;
+                        send_track_skill_invocations(&auth_manager, &base_url, job).await;
                     }
                     TrackEventsJob::AppMentioned(job) => {
-                        send_track_app_mentioned(&auth_manager, job).await;
+                        send_track_app_mentioned(&auth_manager, &base_url, job).await;
                     }
                     TrackEventsJob::AppUsed(job) => {
-                        send_track_app_used(&auth_manager, job).await;
+                        send_track_app_used(&auth_manager, &base_url, job).await;
                     }
                     TrackEventsJob::PluginUsed(job) => {
-                        send_track_plugin_used(&auth_manager, job).await;
+                        send_track_plugin_used(&auth_manager, &base_url, job).await;
                     }
                     TrackEventsJob::PluginInstalled(job) => {
-                        send_track_plugin_installed(&auth_manager, job).await;
+                        send_track_plugin_installed(&auth_manager, &base_url, job).await;
                     }
                     TrackEventsJob::PluginUninstalled(job) => {
-                        send_track_plugin_uninstalled(&auth_manager, job).await;
+                        send_track_plugin_uninstalled(&auth_manager, &base_url, job).await;
                     }
                     TrackEventsJob::PluginEnabled(job) => {
-                        send_track_plugin_enabled(&auth_manager, job).await;
+                        send_track_plugin_enabled(&auth_manager, &base_url, job).await;
                     }
                     TrackEventsJob::PluginDisabled(job) => {
-                        send_track_plugin_disabled(&auth_manager, job).await;
+                        send_track_plugin_disabled(&auth_manager, &base_url, job).await;
                     }
                 }
             }
@@ -147,60 +147,51 @@ impl AnalyticsEventsQueue {
 }
 
 impl AnalyticsEventsClient {
-    pub fn new(config: Arc<Config>, auth_manager: Arc<AuthManager>) -> Self {
+    pub fn new(
+        auth_manager: Arc<AuthManager>,
+        base_url: String,
+        analytics_enabled: Option<bool>,
+    ) -> Self {
         Self {
-            queue: AnalyticsEventsQueue::new(Arc::clone(&auth_manager)),
-            config,
+            queue: AnalyticsEventsQueue::new(Arc::clone(&auth_manager), base_url),
+            analytics_enabled,
         }
     }
 
-    pub(crate) fn track_skill_invocations(
+    pub fn track_skill_invocations(
         &self,
         tracking: TrackEventsContext,
         invocations: Vec<SkillInvocation>,
     ) {
         track_skill_invocations(
             &self.queue,
-            Arc::clone(&self.config),
+            self.analytics_enabled,
             Some(tracking),
             invocations,
         );
     }
 
-    pub(crate) fn track_app_mentioned(
-        &self,
-        tracking: TrackEventsContext,
-        mentions: Vec<AppInvocation>,
-    ) {
+    pub fn track_app_mentioned(&self, tracking: TrackEventsContext, mentions: Vec<AppInvocation>) {
         track_app_mentioned(
             &self.queue,
-            Arc::clone(&self.config),
+            self.analytics_enabled,
             Some(tracking),
             mentions,
         );
     }
 
-    pub(crate) fn track_app_used(&self, tracking: TrackEventsContext, app: AppInvocation) {
-        track_app_used(&self.queue, Arc::clone(&self.config), Some(tracking), app);
+    pub fn track_app_used(&self, tracking: TrackEventsContext, app: AppInvocation) {
+        track_app_used(&self.queue, self.analytics_enabled, Some(tracking), app);
     }
 
-    pub(crate) fn track_plugin_used(
-        &self,
-        tracking: TrackEventsContext,
-        plugin: PluginTelemetryMetadata,
-    ) {
-        track_plugin_used(
-            &self.queue,
-            Arc::clone(&self.config),
-            Some(tracking),
-            plugin,
-        );
+    pub fn track_plugin_used(&self, tracking: TrackEventsContext, plugin: PluginTelemetryMetadata) {
+        track_plugin_used(&self.queue, self.analytics_enabled, Some(tracking), plugin);
     }
 
     pub fn track_plugin_installed(&self, plugin: PluginTelemetryMetadata) {
         track_plugin_management(
             &self.queue,
-            Arc::clone(&self.config),
+            self.analytics_enabled,
             PluginManagementEventType::Installed,
             plugin,
         );
@@ -209,7 +200,7 @@ impl AnalyticsEventsClient {
     pub fn track_plugin_uninstalled(&self, plugin: PluginTelemetryMetadata) {
         track_plugin_management(
             &self.queue,
-            Arc::clone(&self.config),
+            self.analytics_enabled,
             PluginManagementEventType::Uninstalled,
             plugin,
         );
@@ -218,7 +209,7 @@ impl AnalyticsEventsClient {
     pub fn track_plugin_enabled(&self, plugin: PluginTelemetryMetadata) {
         track_plugin_management(
             &self.queue,
-            Arc::clone(&self.config),
+            self.analytics_enabled,
             PluginManagementEventType::Enabled,
             plugin,
         );
@@ -227,7 +218,7 @@ impl AnalyticsEventsClient {
     pub fn track_plugin_disabled(&self, plugin: PluginTelemetryMetadata) {
         track_plugin_management(
             &self.queue,
-            Arc::clone(&self.config),
+            self.analytics_enabled,
             PluginManagementEventType::Disabled,
             plugin,
         );
@@ -246,31 +237,31 @@ enum TrackEventsJob {
 }
 
 struct TrackSkillInvocationsJob {
-    config: Arc<Config>,
+    analytics_enabled: Option<bool>,
     tracking: TrackEventsContext,
     invocations: Vec<SkillInvocation>,
 }
 
 struct TrackAppMentionedJob {
-    config: Arc<Config>,
+    analytics_enabled: Option<bool>,
     tracking: TrackEventsContext,
     mentions: Vec<AppInvocation>,
 }
 
 struct TrackAppUsedJob {
-    config: Arc<Config>,
+    analytics_enabled: Option<bool>,
     tracking: TrackEventsContext,
     app: AppInvocation,
 }
 
 struct TrackPluginUsedJob {
-    config: Arc<Config>,
+    analytics_enabled: Option<bool>,
     tracking: TrackEventsContext,
     plugin: PluginTelemetryMetadata,
 }
 
 struct TrackPluginManagementJob {
-    config: Arc<Config>,
+    analytics_enabled: Option<bool>,
     plugin: PluginTelemetryMetadata,
 }
 
@@ -379,11 +370,11 @@ struct CodexPluginUsedEventRequest {
 
 pub(crate) fn track_skill_invocations(
     queue: &AnalyticsEventsQueue,
-    config: Arc<Config>,
+    analytics_enabled: Option<bool>,
     tracking: Option<TrackEventsContext>,
     invocations: Vec<SkillInvocation>,
 ) {
-    if config.analytics_enabled == Some(false) {
+    if analytics_enabled == Some(false) {
         return;
     }
     let Some(tracking) = tracking else {
@@ -393,7 +384,7 @@ pub(crate) fn track_skill_invocations(
         return;
     }
     let job = TrackEventsJob::SkillInvocations(TrackSkillInvocationsJob {
-        config,
+        analytics_enabled,
         tracking,
         invocations,
     });
@@ -402,11 +393,11 @@ pub(crate) fn track_skill_invocations(
 
 pub(crate) fn track_app_mentioned(
     queue: &AnalyticsEventsQueue,
-    config: Arc<Config>,
+    analytics_enabled: Option<bool>,
     tracking: Option<TrackEventsContext>,
     mentions: Vec<AppInvocation>,
 ) {
-    if config.analytics_enabled == Some(false) {
+    if analytics_enabled == Some(false) {
         return;
     }
     let Some(tracking) = tracking else {
@@ -416,7 +407,7 @@ pub(crate) fn track_app_mentioned(
         return;
     }
     let job = TrackEventsJob::AppMentioned(TrackAppMentionedJob {
-        config,
+        analytics_enabled,
         tracking,
         mentions,
     });
@@ -425,11 +416,11 @@ pub(crate) fn track_app_mentioned(
 
 pub(crate) fn track_app_used(
     queue: &AnalyticsEventsQueue,
-    config: Arc<Config>,
+    analytics_enabled: Option<bool>,
     tracking: Option<TrackEventsContext>,
     app: AppInvocation,
 ) {
-    if config.analytics_enabled == Some(false) {
+    if analytics_enabled == Some(false) {
         return;
     }
     let Some(tracking) = tracking else {
@@ -439,7 +430,7 @@ pub(crate) fn track_app_used(
         return;
     }
     let job = TrackEventsJob::AppUsed(TrackAppUsedJob {
-        config,
+        analytics_enabled,
         tracking,
         app,
     });
@@ -448,11 +439,11 @@ pub(crate) fn track_app_used(
 
 pub(crate) fn track_plugin_used(
     queue: &AnalyticsEventsQueue,
-    config: Arc<Config>,
+    analytics_enabled: Option<bool>,
     tracking: Option<TrackEventsContext>,
     plugin: PluginTelemetryMetadata,
 ) {
-    if config.analytics_enabled == Some(false) {
+    if analytics_enabled == Some(false) {
         return;
     }
     let Some(tracking) = tracking else {
@@ -462,7 +453,7 @@ pub(crate) fn track_plugin_used(
         return;
     }
     let job = TrackEventsJob::PluginUsed(TrackPluginUsedJob {
-        config,
+        analytics_enabled,
         tracking,
         plugin,
     });
@@ -471,14 +462,17 @@ pub(crate) fn track_plugin_used(
 
 fn track_plugin_management(
     queue: &AnalyticsEventsQueue,
-    config: Arc<Config>,
+    analytics_enabled: Option<bool>,
     event_type: PluginManagementEventType,
     plugin: PluginTelemetryMetadata,
 ) {
-    if config.analytics_enabled == Some(false) {
+    if analytics_enabled == Some(false) {
         return;
     }
-    let job = TrackPluginManagementJob { config, plugin };
+    let job = TrackPluginManagementJob {
+        analytics_enabled,
+        plugin,
+    };
     let job = match event_type {
         PluginManagementEventType::Installed => TrackEventsJob::PluginInstalled(job),
         PluginManagementEventType::Uninstalled => TrackEventsJob::PluginUninstalled(job),
@@ -488,9 +482,13 @@ fn track_plugin_management(
     queue.try_send(job);
 }
 
-async fn send_track_skill_invocations(auth_manager: &AuthManager, job: TrackSkillInvocationsJob) {
+async fn send_track_skill_invocations(
+    auth_manager: &AuthManager,
+    base_url: &str,
+    job: TrackSkillInvocationsJob,
+) {
     let TrackSkillInvocationsJob {
-        config,
+        analytics_enabled,
         tracking,
         invocations,
     } = job;
@@ -525,7 +523,7 @@ async fn send_track_skill_invocations(auth_manager: &AuthManager, job: TrackSkil
                     thread_id: Some(tracking.thread_id.clone()),
                     invoke_type: Some(invocation.invocation_type),
                     model_slug: Some(tracking.model_slug.clone()),
-                    product_client_id: Some(crate::default_client::originator().value),
+                    product_client_id: Some(originator().value),
                     repo_url,
                     skill_scope: Some(skill_scope.to_string()),
                 },
@@ -533,12 +531,16 @@ async fn send_track_skill_invocations(auth_manager: &AuthManager, job: TrackSkil
         ));
     }
 
-    send_track_events(auth_manager, config, events).await;
+    send_track_events(auth_manager, analytics_enabled, base_url, events).await;
 }
 
-async fn send_track_app_mentioned(auth_manager: &AuthManager, job: TrackAppMentionedJob) {
+async fn send_track_app_mentioned(
+    auth_manager: &AuthManager,
+    base_url: &str,
+    job: TrackAppMentionedJob,
+) {
     let TrackAppMentionedJob {
-        config,
+        analytics_enabled,
         tracking,
         mentions,
     } = job;
@@ -553,12 +555,12 @@ async fn send_track_app_mentioned(auth_manager: &AuthManager, job: TrackAppMenti
         })
         .collect::<Vec<_>>();
 
-    send_track_events(auth_manager, config, events).await;
+    send_track_events(auth_manager, analytics_enabled, base_url, events).await;
 }
 
-async fn send_track_app_used(auth_manager: &AuthManager, job: TrackAppUsedJob) {
+async fn send_track_app_used(auth_manager: &AuthManager, base_url: &str, job: TrackAppUsedJob) {
     let TrackAppUsedJob {
-        config,
+        analytics_enabled,
         tracking,
         app,
     } = job;
@@ -568,12 +570,16 @@ async fn send_track_app_used(auth_manager: &AuthManager, job: TrackAppUsedJob) {
         event_params,
     })];
 
-    send_track_events(auth_manager, config, events).await;
+    send_track_events(auth_manager, analytics_enabled, base_url, events).await;
 }
 
-async fn send_track_plugin_used(auth_manager: &AuthManager, job: TrackPluginUsedJob) {
+async fn send_track_plugin_used(
+    auth_manager: &AuthManager,
+    base_url: &str,
+    job: TrackPluginUsedJob,
+) {
     let TrackPluginUsedJob {
-        config,
+        analytics_enabled,
         tracking,
         plugin,
     } = job;
@@ -582,31 +588,52 @@ async fn send_track_plugin_used(auth_manager: &AuthManager, job: TrackPluginUsed
         event_params: codex_plugin_used_metadata(&tracking, plugin),
     })];
 
-    send_track_events(auth_manager, config, events).await;
+    send_track_events(auth_manager, analytics_enabled, base_url, events).await;
 }
 
-async fn send_track_plugin_installed(auth_manager: &AuthManager, job: TrackPluginManagementJob) {
-    send_track_plugin_management_event(auth_manager, job, "codex_plugin_installed").await;
+async fn send_track_plugin_installed(
+    auth_manager: &AuthManager,
+    base_url: &str,
+    job: TrackPluginManagementJob,
+) {
+    send_track_plugin_management_event(auth_manager, base_url, job, "codex_plugin_installed").await;
 }
 
-async fn send_track_plugin_uninstalled(auth_manager: &AuthManager, job: TrackPluginManagementJob) {
-    send_track_plugin_management_event(auth_manager, job, "codex_plugin_uninstalled").await;
+async fn send_track_plugin_uninstalled(
+    auth_manager: &AuthManager,
+    base_url: &str,
+    job: TrackPluginManagementJob,
+) {
+    send_track_plugin_management_event(auth_manager, base_url, job, "codex_plugin_uninstalled")
+        .await;
 }
 
-async fn send_track_plugin_enabled(auth_manager: &AuthManager, job: TrackPluginManagementJob) {
-    send_track_plugin_management_event(auth_manager, job, "codex_plugin_enabled").await;
+async fn send_track_plugin_enabled(
+    auth_manager: &AuthManager,
+    base_url: &str,
+    job: TrackPluginManagementJob,
+) {
+    send_track_plugin_management_event(auth_manager, base_url, job, "codex_plugin_enabled").await;
 }
 
-async fn send_track_plugin_disabled(auth_manager: &AuthManager, job: TrackPluginManagementJob) {
-    send_track_plugin_management_event(auth_manager, job, "codex_plugin_disabled").await;
+async fn send_track_plugin_disabled(
+    auth_manager: &AuthManager,
+    base_url: &str,
+    job: TrackPluginManagementJob,
+) {
+    send_track_plugin_management_event(auth_manager, base_url, job, "codex_plugin_disabled").await;
 }
 
 async fn send_track_plugin_management_event(
     auth_manager: &AuthManager,
+    base_url: &str,
     job: TrackPluginManagementJob,
     event_type: &'static str,
 ) {
-    let TrackPluginManagementJob { config, plugin } = job;
+    let TrackPluginManagementJob {
+        analytics_enabled,
+        plugin,
+    } = job;
     let event_params = codex_plugin_metadata(plugin);
     let event = CodexPluginEventRequest {
         event_type,
@@ -620,7 +647,7 @@ async fn send_track_plugin_management_event(
         _ => unreachable!("unknown plugin management event type"),
     }];
 
-    send_track_events(auth_manager, config, events).await;
+    send_track_events(auth_manager, analytics_enabled, base_url, events).await;
 }
 
 fn codex_app_metadata(tracking: &TrackEventsContext, app: AppInvocation) -> CodexAppMetadata {
@@ -629,7 +656,7 @@ fn codex_app_metadata(tracking: &TrackEventsContext, app: AppInvocation) -> Code
         thread_id: Some(tracking.thread_id.clone()),
         turn_id: Some(tracking.turn_id.clone()),
         app_name: app.app_name,
-        product_client_id: Some(crate::default_client::originator().value),
+        product_client_id: Some(originator().value),
         invoke_type: app.invocation_type,
         model_slug: Some(tracking.model_slug.clone()),
     }
@@ -654,7 +681,7 @@ fn codex_plugin_metadata(plugin: PluginTelemetryMetadata) -> CodexPluginMetadata
                 .map(|connector_id| connector_id.0)
                 .collect()
         }),
-        product_client_id: Some(crate::default_client::originator().value),
+        product_client_id: Some(originator().value),
     }
 }
 
@@ -672,9 +699,13 @@ fn codex_plugin_used_metadata(
 
 async fn send_track_events(
     auth_manager: &AuthManager,
-    config: Arc<Config>,
+    analytics_enabled: Option<bool>,
+    base_url: &str,
     events: Vec<TrackEventRequest>,
 ) {
+    if analytics_enabled == Some(false) {
+        return;
+    }
     if events.is_empty() {
         return;
     }
@@ -692,7 +723,7 @@ async fn send_track_events(
         return;
     };
 
-    let base_url = config.chatgpt_base_url.trim_end_matches('/');
+    let base_url = base_url.trim_end_matches('/');
     let url = format!("{base_url}/codex/analytics-events/events");
     let payload = TrackEventsRequest { events };
 

codex-rs/analytics/src/analytics_client_tests.rs

@@ -11,10 +11,11 @@ use super::codex_app_metadata;
 use super::codex_plugin_metadata;
 use super::codex_plugin_used_metadata;
 use super::normalize_path_for_skill_id;
-use crate::plugins::AppConnectorId;
-use crate::plugins::PluginCapabilitySummary;
-use crate::plugins::PluginId;
-use crate::plugins::PluginTelemetryMetadata;
+use codex_login::default_client::originator;
+use codex_plugin::AppConnectorId;
+use codex_plugin::PluginCapabilitySummary;
+use codex_plugin::PluginId;
+use codex_plugin::PluginTelemetryMetadata;
 use pretty_assertions::assert_eq;
 use serde_json::json;
 use std::collections::HashSet;
@@ -109,7 +110,7 @@ fn app_mentioned_event_serializes_expected_shape() {
                 "thread_id": "thread-1",
                 "turn_id": "turn-1",
                 "app_name": "Calendar",
-                "product_client_id": crate::default_client::originator().value,
+                "product_client_id": originator().value,
                 "invoke_type": "explicit",
                 "model_slug": "gpt-5"
             }
@@ -147,7 +148,7 @@ fn app_used_event_serializes_expected_shape() {
                 "thread_id": "thread-2",
                 "turn_id": "turn-2",
                 "app_name": "Google Drive",
-                "product_client_id": crate::default_client::originator().value,
+                "product_client_id": originator().value,
                 "invoke_type": "implicit",
                 "model_slug": "gpt-5"
             }
@@ -210,7 +211,7 @@ fn plugin_used_event_serializes_expected_shape() {
                 "has_skills": true,
                 "mcp_server_count": 2,
                 "connector_ids": ["calendar", "drive"],
-                "product_client_id": crate::default_client::originator().value,
+                "product_client_id": originator().value,
                 "thread_id": "thread-3",
                 "turn_id": "turn-3",
                 "model_slug": "gpt-5"
@@ -239,7 +240,7 @@ fn plugin_management_event_serializes_expected_shape() {
                 "has_skills": true,
                 "mcp_server_count": 2,
                 "connector_ids": ["calendar", "drive"],
-                "product_client_id": crate::default_client::originator().value
+                "product_client_id": originator().value
             }
         })
     );

codex-rs/analytics/src/lib.rs

@@ -0,0 +1,8 @@
+mod analytics_client;
+
+pub use analytics_client::AnalyticsEventsClient;
+pub use analytics_client::AppInvocation;
+pub use analytics_client::InvocationType;
+pub use analytics_client::SkillInvocation;
+pub use analytics_client::TrackEventsContext;
+pub use analytics_client::build_track_events_context;

codex-rs/app-server-client/Cargo.toml

@@ -16,7 +16,6 @@ codex-app-server = { workspace = true }
 codex-app-server-protocol = { workspace = true }
 codex-arg0 = { workspace = true }
 codex-core = { workspace = true }
-codex-features = { workspace = true }
 codex-feedback = { workspace = true }
 codex-protocol = { workspace = true }
 futures = { workspace = true }

codex-rs/app-server-client/src/lib.rs

@@ -35,19 +35,14 @@ use codex_app_server_protocol::ConfigWarningNotification;
 use codex_app_server_protocol::InitializeCapabilities;
 use codex_app_server_protocol::InitializeParams;
 use codex_app_server_protocol::JSONRPCErrorError;
-use codex_app_server_protocol::JSONRPCNotification;
 use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::Result as JsonRpcResult;
 use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::ServerRequest;
 use codex_arg0::Arg0DispatchPaths;
-use codex_core::AuthManager;
-use codex_core::ThreadManager;
 use codex_core::config::Config;
 use codex_core::config_loader::CloudRequirementsLoader;
 use codex_core::config_loader::LoaderOverrides;
-use codex_core::models_manager::collaboration_mode_presets::CollaborationModesConfig;
-use codex_features::Feature;
 use codex_feedback::CodexFeedback;
 use codex_protocol::protocol::SessionSource;
 use serde::de::DeserializeOwned;
@@ -73,7 +68,6 @@ pub type RequestResult = std::result::Result<JsonRpcResult, JSONRPCErrorError>;
 pub enum AppServerEvent {
     Lagged { skipped: usize },
     ServerNotification(ServerNotification),
-    LegacyNotification(JSONRPCNotification),
     ServerRequest(ServerRequest),
     Disconnected { message: String },
 }
@@ -85,33 +79,134 @@ impl From<InProcessServerEvent> for AppServerEvent {
             InProcessServerEvent::ServerNotification(notification) => {
                 Self::ServerNotification(notification)
             }
-            InProcessServerEvent::LegacyNotification(notification) => {
-                Self::LegacyNotification(notification)
-            }
             InProcessServerEvent::ServerRequest(request) => Self::ServerRequest(request),
         }
     }
 }
 
 fn event_requires_delivery(event: &InProcessServerEvent) -> bool {
-    // These terminal events drive surface shutdown/completion state. Dropping
-    // them under backpressure can leave exec/TUI waiting forever even though
-    // the underlying turn has already ended.
+    // These transcript and terminal events must remain lossless. Dropping
+    // streamed assistant text or the authoritative completed item can leave
+    // the TUI with permanently corrupted markdown, while dropping completion
+    // notifications can leave surfaces waiting forever.
     match event {
-        InProcessServerEvent::ServerNotification(
-            codex_app_server_protocol::ServerNotification::TurnCompleted(_),
-        ) => true,
-        InProcessServerEvent::LegacyNotification(notification) => matches!(
-            notification
-                .method
-                .strip_prefix("codex/event/")
-                .unwrap_or(&notification.method),
-            "task_complete" | "turn_aborted" | "shutdown_complete"
-        ),
+        InProcessServerEvent::ServerNotification(notification) => {
+            server_notification_requires_delivery(notification)
+        }
         _ => false,
     }
 }
 
+/// Returns `true` for notifications that must survive backpressure.
+///
+/// Transcript events (`AgentMessageDelta`, `PlanDelta`, reasoning deltas) and
+/// the authoritative `ItemCompleted` / `TurnCompleted` form the lossless tier
+/// of the event stream. Dropping any of these corrupts the visible assistant
+/// output or leaves surfaces waiting for a completion signal that already
+/// fired. Everything else (`CommandExecutionOutputDelta`, progress, etc.) is
+/// best-effort and may be dropped with only cosmetic impact.
+///
+/// Both the in-process and remote transports delegate to this function so the
+/// classification stays in sync.
+pub(crate) fn server_notification_requires_delivery(notification: &ServerNotification) -> bool {
+    matches!(
+        notification,
+        ServerNotification::TurnCompleted(_)
+            | ServerNotification::ItemCompleted(_)
+            | ServerNotification::AgentMessageDelta(_)
+            | ServerNotification::PlanDelta(_)
+            | ServerNotification::ReasoningSummaryTextDelta(_)
+            | ServerNotification::ReasoningTextDelta(_)
+    )
+}
+
+/// Outcome of attempting to forward a single event to the consumer channel.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+enum ForwardEventResult {
+    /// The event was delivered (or intentionally dropped); the stream is healthy.
+    Continue,
+    /// The consumer channel is closed; the caller should stop producing events.
+    DisableStream,
+}
+
+/// Forwards a single in-process event to the consumer, respecting the
+/// lossless/best-effort split.
+///
+/// Lossless events (transcript deltas, item/turn completions) block until the
+/// consumer drains capacity. Best-effort events use `try_send` and increment
+/// `skipped_events` on failure. When a lag marker needs to be flushed before a
+/// lossless event, the flush itself blocks so the marker is never lost.
+///
+/// If a dropped event is a `ServerRequest`, `reject_server_request` is called
+/// so the server does not wait for a response that will never come.
+async fn forward_in_process_event<F>(
+    event_tx: &mpsc::Sender<InProcessServerEvent>,
+    skipped_events: &mut usize,
+    event: InProcessServerEvent,
+    mut reject_server_request: F,
+) -> ForwardEventResult
+where
+    F: FnMut(ServerRequest),
+{
+    if *skipped_events > 0 {
+        if event_requires_delivery(&event) {
+            // Surface lag before the lossless event, but do not let the lag marker itself cause
+            // us to drop the transcript/completion notification the caller is blocked on.
+            if event_tx
+                .send(InProcessServerEvent::Lagged {
+                    skipped: *skipped_events,
+                })
+                .await
+                .is_err()
+            {
+                return ForwardEventResult::DisableStream;
+            }
+            *skipped_events = 0;
+        } else {
+            match event_tx.try_send(InProcessServerEvent::Lagged {
+                skipped: *skipped_events,
+            }) {
+                Ok(()) => {
+                    *skipped_events = 0;
+                }
+                Err(mpsc::error::TrySendError::Full(_)) => {
+                    *skipped_events = skipped_events.saturating_add(1);
+                    warn!("dropping in-process app-server event because consumer queue is full");
+                    if let InProcessServerEvent::ServerRequest(request) = event {
+                        reject_server_request(request);
+                    }
+                    return ForwardEventResult::Continue;
+                }
+                Err(mpsc::error::TrySendError::Closed(_)) => {
+                    return ForwardEventResult::DisableStream;
+                }
+            }
+        }
+    }
+
+    if event_requires_delivery(&event) {
+        // Block until the consumer catches up for transcript/completion notifications; this
+        // preserves the visible assistant output even when the queue is otherwise saturated.
+        if event_tx.send(event).await.is_err() {
+            return ForwardEventResult::DisableStream;
+        }
+        return ForwardEventResult::Continue;
+    }
+
+    match event_tx.try_send(event) {
+        Ok(()) => ForwardEventResult::Continue,
+        Err(mpsc::error::TrySendError::Full(event)) => {
+            *skipped_events = skipped_events.saturating_add(1);
+            warn!("dropping in-process app-server event because consumer queue is full");
+            if let InProcessServerEvent::ServerRequest(request) = event {
+                reject_server_request(request);
+            }
+            ForwardEventResult::Continue
+        }
+        Err(mpsc::error::TrySendError::Closed(_)) => ForwardEventResult::DisableStream,
+    }
+}
+
 /// Layered error for [`InProcessAppServerClient::request_typed`].
 ///
 /// This keeps transport failures, server-side JSON-RPC failures, and response
@@ -159,16 +254,6 @@ impl Error for TypedRequestError {
     }
 }
 
-#[derive(Clone)]
-struct SharedCoreManagers {
-    // Temporary bootstrap escape hatch for embedders that still need direct
-    // core handles during the in-process app-server migration. Once TUI/exec
-    // stop depending on direct manager access, remove this wrapper and keep
-    // manager ownership entirely inside the app-server runtime.
-    auth_manager: Arc<AuthManager>,
-    thread_manager: Arc<ThreadManager>,
-}
-
 #[derive(Clone)]
 pub struct InProcessClientStartArgs {
     /// Resolved argv0 dispatch paths used by command execution internals.
@@ -202,30 +287,6 @@ pub struct InProcessClientStartArgs {
 }
 
 impl InProcessClientStartArgs {
-    fn shared_core_managers(&self) -> SharedCoreManagers {
-        let auth_manager = AuthManager::shared(
-            self.config.codex_home.clone(),
-            self.enable_codex_api_key_env,
-            self.config.cli_auth_credentials_store_mode,
-        );
-        let thread_manager = Arc::new(ThreadManager::new(
-            self.config.as_ref(),
-            auth_manager.clone(),
-            self.session_source.clone(),
-            CollaborationModesConfig {
-                default_mode_request_user_input: self
-                    .config
-                    .features
-                    .enabled(Feature::DefaultModeRequestUserInput),
-            },
-        ));
-
-        SharedCoreManagers {
-            auth_manager,
-            thread_manager,
-        }
-    }
-
     /// Builds initialize params from caller-provided metadata.
     pub fn initialize_params(&self) -> InitializeParams {
         let capabilities = InitializeCapabilities {
@@ -247,7 +308,7 @@ impl InProcessClientStartArgs {
         }
     }
 
-    fn into_runtime_start_args(self, shared_core: &SharedCoreManagers) -> InProcessStartArgs {
+    fn into_runtime_start_args(self) -> InProcessStartArgs {
         let initialize = self.initialize_params();
         InProcessStartArgs {
             arg0_paths: self.arg0_paths,
@@ -255,8 +316,6 @@ impl InProcessClientStartArgs {
             cli_overrides: self.cli_overrides,
             loader_overrides: self.loader_overrides,
             cloud_requirements: self.cloud_requirements,
-            auth_manager: Some(shared_core.auth_manager.clone()),
-            thread_manager: Some(shared_core.thread_manager.clone()),
             feedback: self.feedback,
             config_warnings: self.config_warnings,
             session_source: self.session_source,
@@ -310,8 +369,6 @@ pub struct InProcessAppServerClient {
     command_tx: mpsc::Sender<ClientCommand>,
     event_rx: mpsc::Receiver<InProcessServerEvent>,
     worker_handle: tokio::task::JoinHandle<()>,
-    auth_manager: Arc<AuthManager>,
-    thread_manager: Arc<ThreadManager>,
 }
 
 #[derive(Clone)]
@@ -338,9 +395,8 @@ impl InProcessAppServerClient {
     /// with overload error instead of being silently dropped.
     pub async fn start(args: InProcessClientStartArgs) -> IoResult<Self> {
         let channel_capacity = args.channel_capacity.max(1);
-        let shared_core = args.shared_core_managers();
         let mut handle =
-            codex_app_server::in_process::start(args.into_runtime_start_args(&shared_core)).await?;
+            codex_app_server::in_process::start(args.into_runtime_start_args()).await?;
         let request_sender = handle.sender();
         let (command_tx, mut command_rx) = mpsc::channel::<ClientCommand>(channel_capacity);
         let (event_tx, event_rx) = mpsc::channel::<InProcessServerEvent>(channel_capacity);
@@ -401,84 +457,46 @@ impl InProcessAppServerClient {
                         let Some(event) = event else {
                             break;
                         };
-
-                        if skipped_events > 0 {
-                            if event_requires_delivery(&event) {
-                                // Surface lag before the terminal event, but
-                                // do not let the lag marker itself cause us to
-                                // drop the completion/abort notification that
-                                // the caller is blocked on.
-                                if event_tx
-                                    .send(InProcessServerEvent::Lagged {
-                                        skipped: skipped_events,
-                                    })
-                                    .await
-                                    .is_err()
-                                {
-                                    event_stream_enabled = false;
-                                    continue;
-                                }
-                                skipped_events = 0;
-                            } else {
-                                match event_tx.try_send(InProcessServerEvent::Lagged {
-                                    skipped: skipped_events,
-                                }) {
-                                    Ok(()) => {
-                                        skipped_events = 0;
-                                    }
-                                    Err(mpsc::error::TrySendError::Full(_)) => {
-                                        skipped_events = skipped_events.saturating_add(1);
-                                        warn!(
-                                            "dropping in-process app-server event because consumer queue is full"
-                                        );
-                                        if let InProcessServerEvent::ServerRequest(request) = event {
-                                            let _ = request_sender.fail_server_request(
-                                                request.id().clone(),
-                                                JSONRPCErrorError {
-                                                    code: -32001,
-                                                    message: "in-process app-server event queue is full".to_string(),
-                                                    data: None,
-                                                },
-                                            );
-                                        }
-                                        continue;
-                                    }
-                                    Err(mpsc::error::TrySendError::Closed(_)) => {
-                                        event_stream_enabled = false;
-                                        continue;
-                                    }
-                                }
-                            }
-                        }
-
-                        if event_requires_delivery(&event) {
-                            // Block until the consumer catches up for
-                            // terminal notifications; this preserves the
-                            // completion signal even when the queue is
-                            // otherwise saturated.
-                            if event_tx.send(event).await.is_err() {
-                                event_stream_enabled = false;
+                        if let InProcessServerEvent::ServerRequest(
+                            ServerRequest::ChatgptAuthTokensRefresh { request_id, .. }
+                        ) = &event
+                        {
+                            let send_result = request_sender.fail_server_request(
+                                request_id.clone(),
+                                JSONRPCErrorError {
+                                    code: -32000,
+                                    message: "chatgpt auth token refresh is not supported for in-process app-server clients".to_string(),
+                                    data: None,
+                                },
+                            );
+                            if let Err(err) = send_result {
+                                warn!(
+                                    "failed to reject unsupported chatgpt auth token refresh request: {err}"
+                                );
                             }
                             continue;
                         }
 
-                        match event_tx.try_send(event) {
-                            Ok(()) => {}
-                            Err(mpsc::error::TrySendError::Full(event)) => {
-                                skipped_events = skipped_events.saturating_add(1);
-                                warn!("dropping in-process app-server event because consumer queue is full");
-                                if let InProcessServerEvent::ServerRequest(request) = event {
-                                    let _ = request_sender.fail_server_request(
-                                        request.id().clone(),
-                                        JSONRPCErrorError {
-                                            code: -32001,
-                                            message: "in-process app-server event queue is full".to_string(),
-                                            data: None,
-                                        },
-                                    );
-                                }
-                            }
-                            Err(mpsc::error::TrySendError::Closed(_)) => {
+                        match forward_in_process_event(
+                            &event_tx,
+                            &mut skipped_events,
+                            event,
+                            |request| {
+                                let _ = request_sender.fail_server_request(
+                                    request.id().clone(),
+                                    JSONRPCErrorError {
+                                        code: -32001,
+                                        message: "in-process app-server event queue is full"
+                                            .to_string(),
+                                        data: None,
+                                    },
+                                );
+                            },
+                        )
+                        .await
+                        {
+                            ForwardEventResult::Continue => {}
+                            ForwardEventResult::DisableStream => {
                                 event_stream_enabled = false;
                             }
                         }
@@ -491,21 +509,9 @@ impl InProcessAppServerClient {
             command_tx,
             event_rx,
             worker_handle,
-            auth_manager: shared_core.auth_manager,
-            thread_manager: shared_core.thread_manager,
         })
     }
 
-    /// Temporary bootstrap escape hatch for embedders migrating toward RPC-only usage.
-    pub fn auth_manager(&self) -> Arc<AuthManager> {
-        self.auth_manager.clone()
-    }
-
-    /// Temporary bootstrap escape hatch for embedders migrating toward RPC-only usage.
-    pub fn thread_manager(&self) -> Arc<ThreadManager> {
-        self.thread_manager.clone()
-    }
-
     pub fn request_handle(&self) -> InProcessAppServerRequestHandle {
         InProcessAppServerRequestHandle {
             command_tx: self.command_tx.clone(),
@@ -664,8 +670,6 @@ impl InProcessAppServerClient {
             command_tx,
             event_rx,
             worker_handle,
-            auth_manager: _,
-            thread_manager: _,
         } = self;
         let mut worker_handle = worker_handle;
         // Drop the caller-facing receiver before asking the worker to shut
@@ -857,8 +861,6 @@ mod tests {
     use codex_app_server_protocol::ThreadStartResponse;
     use codex_app_server_protocol::ToolRequestUserInputParams;
     use codex_app_server_protocol::ToolRequestUserInputQuestion;
-    use codex_core::AuthManager;
-    use codex_core::ThreadManager;
     use codex_core::config::ConfigBuilder;
     use futures::SinkExt;
     use futures::StreamExt;
@@ -866,8 +868,11 @@ mod tests {
     use tokio::net::TcpListener;
     use tokio::time::Duration;
     use tokio::time::timeout;
-    use tokio_tungstenite::accept_async;
+    use tokio_tungstenite::accept_hdr_async;
     use tokio_tungstenite::tungstenite::Message;
+    use tokio_tungstenite::tungstenite::handshake::server::Request as WebSocketRequest;
+    use tokio_tungstenite::tungstenite::handshake::server::Response as WebSocketResponse;
+    use tokio_tungstenite::tungstenite::http::header::AUTHORIZATION;
 
     async fn build_test_config() -> Config {
         match ConfigBuilder::default().build().await {
@@ -906,6 +911,19 @@ mod tests {
     }
 
     async fn start_test_remote_server<F, Fut>(handler: F) -> String
+    where
+        F: FnOnce(tokio_tungstenite::WebSocketStream<tokio::net::TcpStream>) -> Fut
+            + Send
+            + 'static,
+        Fut: std::future::Future<Output = ()> + Send + 'static,
+    {
+        start_test_remote_server_with_auth(None, handler).await
+    }
+
+    async fn start_test_remote_server_with_auth<F, Fut>(
+        expected_auth_token: Option<String>,
+        handler: F,
+    ) -> String
     where
         F: FnOnce(tokio_tungstenite::WebSocketStream<tokio::net::TcpStream>) -> Fut
             + Send
@@ -918,9 +936,23 @@ mod tests {
         let addr = listener.local_addr().expect("listener address");
         tokio::spawn(async move {
             let (stream, _) = listener.accept().await.expect("accept should succeed");
-            let websocket = accept_async(stream)
-                .await
-                .expect("websocket upgrade should succeed");
+            let websocket = accept_hdr_async(
+                stream,
+                move |request: &WebSocketRequest, response: WebSocketResponse| {
+                    let provided_auth_token = request
+                        .headers()
+                        .get(AUTHORIZATION)
+                        .and_then(|value| value.to_str().ok())
+                        .map(str::to_owned);
+                    let expected_auth_token = expected_auth_token
+                        .as_ref()
+                        .map(|token| format!("Bearer {token}"));
+                    assert_eq!(provided_auth_token, expected_auth_token);
+                    Ok(response)
+                },
+            )
+            .await
+            .expect("websocket upgrade should succeed");
             handler(websocket).await;
         });
         format!("ws://{addr}")
@@ -985,9 +1017,57 @@ mod tests {
             .expect("message should send");
     }
 
+    fn command_execution_output_delta_notification(delta: &str) -> ServerNotification {
+        ServerNotification::CommandExecutionOutputDelta(
+            codex_app_server_protocol::CommandExecutionOutputDeltaNotification {
+                thread_id: "thread".to_string(),
+                turn_id: "turn".to_string(),
+                item_id: "item".to_string(),
+                delta: delta.to_string(),
+            },
+        )
+    }
+
+    fn agent_message_delta_notification(delta: &str) -> ServerNotification {
+        ServerNotification::AgentMessageDelta(
+            codex_app_server_protocol::AgentMessageDeltaNotification {
+                thread_id: "thread".to_string(),
+                turn_id: "turn".to_string(),
+                item_id: "item".to_string(),
+                delta: delta.to_string(),
+            },
+        )
+    }
+
+    fn item_completed_notification(text: &str) -> ServerNotification {
+        ServerNotification::ItemCompleted(codex_app_server_protocol::ItemCompletedNotification {
+            thread_id: "thread".to_string(),
+            turn_id: "turn".to_string(),
+            item: codex_app_server_protocol::ThreadItem::AgentMessage {
+                id: "item".to_string(),
+                text: text.to_string(),
+                phase: None,
+                memory_citation: None,
+            },
+        })
+    }
+
+    fn turn_completed_notification() -> ServerNotification {
+        ServerNotification::TurnCompleted(codex_app_server_protocol::TurnCompletedNotification {
+            thread_id: "thread".to_string(),
+            turn: codex_app_server_protocol::Turn {
+                id: "turn".to_string(),
+                items: Vec::new(),
+                status: codex_app_server_protocol::TurnStatus::Completed,
+                error: None,
+            },
+        })
+    }
+
     fn test_remote_connect_args(websocket_url: String) -> RemoteAppServerConnectArgs {
         RemoteAppServerConnectArgs {
             websocket_url,
+            auth_token: None,
             client_name: "codex-app-server-client-test".to_string(),
             client_version: "0.0.0-test".to_string(),
             experimental_api: true,
@@ -1052,7 +1132,7 @@ mod tests {
     }
 
     #[tokio::test]
-    async fn shared_thread_manager_tracks_threads_started_via_app_server() {
+    async fn threads_started_via_app_server_are_visible_through_typed_requests() {
         let client = start_test_client(SessionSource::Cli).await;
 
         let response: ThreadStartResponse = client
@@ -1065,17 +1145,19 @@ mod tests {
             })
             .await
             .expect("thread/start should succeed");
-        let created_thread_id = codex_protocol::ThreadId::from_string(&response.thread.id)
-            .expect("thread id should parse");
-        timeout(
-            Duration::from_secs(2),
-            client.thread_manager().get_thread(created_thread_id),
-        )
-        .await
-        .expect("timed out waiting for retained thread manager to observe started thread")
-        .expect("started thread should be visible through the shared thread manager");
-        let thread_ids = client.thread_manager().list_thread_ids().await;
-        assert!(thread_ids.contains(&created_thread_id));
+        let read = client
+            .request_typed::<codex_app_server_protocol::ThreadReadResponse>(
+                ClientRequest::ThreadRead {
+                    request_id: RequestId::Integer(4),
+                    params: codex_app_server_protocol::ThreadReadParams {
+                        thread_id: response.thread.id.clone(),
+                        include_turns: false,
+                    },
+                },
+            )
+            .await
+            .expect("thread/read should return the newly started thread");
+        assert_eq!(read.thread.id, response.thread.id);
 
         client.shutdown().await.expect("shutdown should complete");
     }
@@ -1093,6 +1175,94 @@ mod tests {
         client.shutdown().await.expect("shutdown should complete");
     }
 
+    #[tokio::test]
+    async fn forward_in_process_event_preserves_transcript_notifications_under_backpressure() {
+        let (event_tx, mut event_rx) = mpsc::channel(1);
+        event_tx
+            .send(InProcessServerEvent::ServerNotification(
+                command_execution_output_delta_notification("stdout-1"),
+            ))
+            .await
+            .expect("initial event should enqueue");
+
+        let mut skipped_events = 0usize;
+        let result = forward_in_process_event(
+            &event_tx,
+            &mut skipped_events,
+            InProcessServerEvent::ServerNotification(command_execution_output_delta_notification(
+                "stdout-2",
+            )),
+            |_| {},
+        )
+        .await;
+        assert_eq!(result, ForwardEventResult::Continue);
+        assert_eq!(skipped_events, 1);
+
+        let receive_task = tokio::spawn(async move {
+            let mut events = Vec::new();
+            for _ in 0..5 {
+                events.push(
+                    timeout(Duration::from_secs(2), event_rx.recv())
+                        .await
+                        .expect("event should arrive before timeout")
+                        .expect("event stream should stay open"),
+                );
+            }
+            events
+        });
+
+        for notification in [
+            agent_message_delta_notification("hello"),
+            item_completed_notification("hello"),
+            turn_completed_notification(),
+        ] {
+            let result = forward_in_process_event(
+                &event_tx,
+                &mut skipped_events,
+                InProcessServerEvent::ServerNotification(notification),
+                |_| {},
+            )
+            .await;
+            assert_eq!(result, ForwardEventResult::Continue);
+        }
+        assert_eq!(skipped_events, 0);
+
+        let events = receive_task
+            .await
+            .expect("receiver task should join successfully");
+        assert!(matches!(
+            &events[0],
+            InProcessServerEvent::ServerNotification(
+                ServerNotification::CommandExecutionOutputDelta(notification)
+            ) if notification.delta == "stdout-1"
+        ));
+        assert!(matches!(
+            &events[1],
+            InProcessServerEvent::Lagged { skipped: 1 }
+        ));
+        assert!(matches!(
+            &events[2],
+            InProcessServerEvent::ServerNotification(ServerNotification::AgentMessageDelta(
+                notification
+            )) if notification.delta == "hello"
+        ));
+        assert!(matches!(
+            &events[3],
+            InProcessServerEvent::ServerNotification(ServerNotification::ItemCompleted(
+                notification
+            )) if matches!(
+                &notification.item,
+                codex_app_server_protocol::ThreadItem::AgentMessage { text, .. } if text == "hello"
+            )
+        ));
+        assert!(matches!(
+            &events[4],
+            InProcessServerEvent::ServerNotification(ServerNotification::TurnCompleted(
+                notification
+            )) if notification.turn.status == codex_app_server_protocol::TurnStatus::Completed
+        ));
+    }
+
     #[tokio::test]
     async fn remote_typed_request_roundtrip_works() {
         let websocket_url = start_test_remote_server(|mut websocket| async move {
@@ -1114,6 +1284,7 @@ mod tests {
                 }),
             )
             .await;
+            websocket.close(None).await.expect("close should succeed");
         })
         .await;
         let client = RemoteAppServerClient::connect(test_remote_connect_args(websocket_url))
@@ -1134,6 +1305,59 @@ mod tests {
         client.shutdown().await.expect("shutdown should complete");
     }
 
+    #[tokio::test]
+    async fn remote_connect_includes_auth_header_when_configured() {
+        let auth_token = "remote-bearer-token".to_string();
+        let websocket_url = start_test_remote_server_with_auth(
+            Some(auth_token.clone()),
+            |mut websocket| async move {
+                expect_remote_initialize(&mut websocket).await;
+                websocket.close(None).await.expect("close should succeed");
+            },
+        )
+        .await;
+        let client = RemoteAppServerClient::connect(RemoteAppServerConnectArgs {
+            auth_token: Some(auth_token),
+            ..test_remote_connect_args(websocket_url)
+        })
+        .await
+        .expect("remote client should connect");
+
+        client.shutdown().await.expect("shutdown should complete");
+    }
+
+    #[tokio::test]
+    async fn remote_connect_rejects_non_loopback_ws_when_auth_configured() {
+        let result = RemoteAppServerClient::connect(RemoteAppServerConnectArgs {
+            websocket_url: "ws://example.com:4500".to_string(),
+            auth_token: Some("remote-bearer-token".to_string()),
+            ..test_remote_connect_args("ws://127.0.0.1:1".to_string())
+        })
+        .await;
+        let err = match result {
+            Ok(_) => panic!("non-loopback ws should be rejected before connect"),
+            Err(err) => err,
+        };
+        assert_eq!(err.kind(), ErrorKind::InvalidInput);
+        assert!(
+            err.to_string()
+                .contains("remote auth tokens require `wss://` or loopback `ws://` URLs")
+        );
+    }
+
+    #[test]
+    fn remote_auth_token_transport_policy_allows_wss_and_loopback_ws() {
+        assert!(crate::remote::websocket_url_supports_auth_token(
+            &url::Url::parse("wss://example.com:443").expect("wss URL should parse")
+        ));
+        assert!(crate::remote::websocket_url_supports_auth_token(
+            &url::Url::parse("ws://127.0.0.1:4500").expect("loopback ws URL should parse")
+        ));
+        assert!(!crate::remote::websocket_url_supports_auth_token(
+            &url::Url::parse("ws://example.com:4500").expect("non-loopback ws URL should parse")
+        ));
+    }
+
     #[tokio::test]
     async fn remote_duplicate_request_id_keeps_original_waiter() {
         let (first_request_seen_tx, first_request_seen_rx) = tokio::sync::oneshot::channel();
@@ -1257,6 +1481,108 @@ mod tests {
         client.shutdown().await.expect("shutdown should complete");
     }
 
+    #[tokio::test]
+    async fn remote_backpressure_preserves_transcript_notifications() {
+        let (done_tx, done_rx) = tokio::sync::oneshot::channel();
+        let websocket_url = start_test_remote_server(|mut websocket| async move {
+            expect_remote_initialize(&mut websocket).await;
+            for notification in [
+                command_execution_output_delta_notification("stdout-1"),
+                command_execution_output_delta_notification("stdout-2"),
+                agent_message_delta_notification("hello"),
+                item_completed_notification("hello"),
+                turn_completed_notification(),
+            ] {
+                write_websocket_message(
+                    &mut websocket,
+                    JSONRPCMessage::Notification(
+                        serde_json::from_value(
+                            serde_json::to_value(notification)
+                                .expect("notification should serialize"),
+                        )
+                        .expect("notification should convert to JSON-RPC"),
+                    ),
+                )
+                .await;
+            }
+            let _ = done_rx.await;
+        })
+        .await;
+        let mut client = RemoteAppServerClient::connect(RemoteAppServerConnectArgs {
+            websocket_url,
+            auth_token: None,
+            client_name: "codex-app-server-client-test".to_string(),
+            client_version: "0.0.0-test".to_string(),
+            experimental_api: true,
+            opt_out_notification_methods: Vec::new(),
+            channel_capacity: 1,
+        })
+        .await
+        .expect("remote client should connect");
+
+        let first_event = timeout(Duration::from_secs(2), client.next_event())
+            .await
+            .expect("first event should arrive before timeout")
+            .expect("event stream should stay open");
+        assert!(matches!(
+            first_event,
+            AppServerEvent::ServerNotification(ServerNotification::CommandExecutionOutputDelta(
+                notification
+            )) if notification.delta == "stdout-1"
+        ));
+
+        let mut remaining_events = Vec::new();
+        for _ in 0..4 {
+            remaining_events.push(
+                timeout(Duration::from_secs(2), client.next_event())
+                    .await
+                    .expect("event should arrive before timeout")
+                    .expect("event stream should stay open"),
+            );
+        }
+
+        let mut transcript_event_names = Vec::new();
+        for event in &remaining_events {
+            match event {
+                AppServerEvent::Lagged { skipped: 1 } => {}
+                AppServerEvent::ServerNotification(
+                    ServerNotification::CommandExecutionOutputDelta(notification),
+                ) if notification.delta == "stdout-2" => {}
+                AppServerEvent::ServerNotification(ServerNotification::AgentMessageDelta(
+                    notification,
+                )) if notification.delta == "hello" => {
+                    transcript_event_names.push("agent_message_delta");
+                }
+                AppServerEvent::ServerNotification(ServerNotification::ItemCompleted(
+                    notification,
+                )) if matches!(
+                    &notification.item,
+                    codex_app_server_protocol::ThreadItem::AgentMessage { text, .. } if text == "hello"
+                ) =>
+                {
+                    transcript_event_names.push("item_completed");
+                }
+                AppServerEvent::ServerNotification(ServerNotification::TurnCompleted(
+                    notification,
+                )) if notification.turn.status
+                    == codex_app_server_protocol::TurnStatus::Completed =>
+                {
+                    transcript_event_names.push("turn_completed");
+                }
+                _ => panic!("unexpected remaining event: {event:?}"),
+            }
+        }
+        assert_eq!(
+            transcript_event_names,
+            vec!["agent_message_delta", "item_completed", "turn_completed"]
+        );
+
+        done_tx
+            .send(())
+            .expect("server completion signal should send");
+        client.shutdown().await.expect("shutdown should complete");
+    }
+
     #[tokio::test]
     async fn remote_server_request_resolution_roundtrip_works() {
         let websocket_url = start_test_remote_server(|mut websocket| async move {
@@ -1472,22 +1798,6 @@ mod tests {
         let (command_tx, _command_rx) = mpsc::channel(1);
         let (event_tx, event_rx) = mpsc::channel(1);
         let worker_handle = tokio::spawn(async {});
-        let config = build_test_config().await;
-        let auth_manager = AuthManager::shared(
-            config.codex_home.clone(),
-            false,
-            config.cli_auth_credentials_store_mode,
-        );
-        let thread_manager = Arc::new(ThreadManager::new(
-            &config,
-            auth_manager.clone(),
-            SessionSource::Exec,
-            CollaborationModesConfig {
-                default_mode_request_user_input: config
-                    .features
-                    .enabled(Feature::DefaultModeRequestUserInput),
-            },
-        ));
         event_tx
             .send(InProcessServerEvent::Lagged { skipped: 3 })
             .await
@@ -1498,8 +1808,6 @@ mod tests {
             command_tx,
             event_rx,
             worker_handle,
-            auth_manager,
-            thread_manager,
         };
 
         let event = timeout(Duration::from_secs(2), client.next_event())
@@ -1514,7 +1822,7 @@ mod tests {
     }
 
     #[test]
-    fn event_requires_delivery_marks_terminal_events() {
+    fn event_requires_delivery_marks_transcript_and_terminal_events() {
         assert!(event_requires_delivery(
             &InProcessServerEvent::ServerNotification(
                 codex_app_server_protocol::ServerNotification::TurnCompleted(
@@ -1531,36 +1839,77 @@ mod tests {
             )
         ));
         assert!(event_requires_delivery(
-            &InProcessServerEvent::LegacyNotification(
-                codex_app_server_protocol::JSONRPCNotification {
-                    method: "codex/event/turn_aborted".to_string(),
-                    params: None,
-                }
+            &InProcessServerEvent::ServerNotification(
+                codex_app_server_protocol::ServerNotification::AgentMessageDelta(
+                    codex_app_server_protocol::AgentMessageDeltaNotification {
+                        thread_id: "thread".to_string(),
+                        turn_id: "turn".to_string(),
+                        item_id: "item".to_string(),
+                        delta: "hello".to_string(),
+                    }
+                )
+            )
+        ));
+        assert!(event_requires_delivery(
+            &InProcessServerEvent::ServerNotification(
+                codex_app_server_protocol::ServerNotification::ItemCompleted(
+                    codex_app_server_protocol::ItemCompletedNotification {
+                        thread_id: "thread".to_string(),
+                        turn_id: "turn".to_string(),
+                        item: codex_app_server_protocol::ThreadItem::AgentMessage {
+                            id: "item".to_string(),
+                            text: "hello".to_string(),
+                            phase: None,
+                            memory_citation: None,
+                        },
+                    }
+                )
             )
         ));
         assert!(!event_requires_delivery(&InProcessServerEvent::Lagged {
             skipped: 1
         }));
+        assert!(!event_requires_delivery(
+            &InProcessServerEvent::ServerNotification(
+                codex_app_server_protocol::ServerNotification::CommandExecutionOutputDelta(
+                    codex_app_server_protocol::CommandExecutionOutputDeltaNotification {
+                        thread_id: "thread".to_string(),
+                        turn_id: "turn".to_string(),
+                        item_id: "item".to_string(),
+                        delta: "stdout".to_string(),
+                    }
+                )
+            )
+        ));
     }
 
     #[tokio::test]
-    async fn accessors_expose_retained_shared_managers() {
-        let client = start_test_client(SessionSource::Cli).await;
+    async fn runtime_start_args_leave_manager_bootstrap_to_app_server() {
+        let config = Arc::new(build_test_config().await);
 
-        assert!(
-            Arc::ptr_eq(&client.auth_manager(), &client.auth_manager()),
-            "auth_manager accessor should clone the retained shared manager"
-        );
-        assert!(
-            Arc::ptr_eq(&client.thread_manager(), &client.thread_manager()),
-            "thread_manager accessor should clone the retained shared manager"
-        );
+        let runtime_args = InProcessClientStartArgs {
+            arg0_paths: Arg0DispatchPaths::default(),
+            config: config.clone(),
+            cli_overrides: Vec::new(),
+            loader_overrides: LoaderOverrides::default(),
+            cloud_requirements: CloudRequirementsLoader::default(),
+            feedback: CodexFeedback::new(),
+            config_warnings: Vec::new(),
+            session_source: SessionSource::Exec,
+            enable_codex_api_key_env: false,
+            client_name: "codex-app-server-client-test".to_string(),
+            client_version: "0.0.0-test".to_string(),
+            experimental_api: true,
+            opt_out_notification_methods: Vec::new(),
+            channel_capacity: DEFAULT_IN_PROCESS_CHANNEL_CAPACITY,
+        }
+        .into_runtime_start_args();
 
-        client.shutdown().await.expect("shutdown should complete");
+        assert_eq!(runtime_args.config, config);
     }
 
     #[tokio::test]
-    async fn shutdown_completes_promptly_with_retained_shared_managers() {
+    async fn shutdown_completes_promptly_without_retained_managers() {
         let client = start_test_client(SessionSource::Cli).await;
 
         timeout(Duration::from_secs(1), client.shutdown())

codex-rs/app-server-client/src/remote.rs

@@ -21,6 +21,7 @@ use crate::RequestResult;
 use crate::SHUTDOWN_TIMEOUT;
 use crate::TypedRequestError;
 use crate::request_method_name;
+use crate::server_notification_requires_delivery;
 use codex_app_server_protocol::ClientInfo;
 use codex_app_server_protocol::ClientNotification;
 use codex_app_server_protocol::ClientRequest;
@@ -47,6 +48,9 @@ use tokio_tungstenite::MaybeTlsStream;
 use tokio_tungstenite::WebSocketStream;
 use tokio_tungstenite::connect_async;
 use tokio_tungstenite::tungstenite::Message;
+use tokio_tungstenite::tungstenite::client::IntoClientRequest;
+use tokio_tungstenite::tungstenite::http::HeaderValue;
+use tokio_tungstenite::tungstenite::http::header::AUTHORIZATION;
 use tracing::warn;
 use url::Url;
 
@@ -56,6 +60,7 @@ const INITIALIZE_TIMEOUT: Duration = Duration::from_secs(10);
 #[derive(Debug, Clone)]
 pub struct RemoteAppServerConnectArgs {
     pub websocket_url: String,
+    pub auth_token: Option<String>,
     pub client_name: String,
     pub client_version: String,
     pub experimental_api: bool,
@@ -85,6 +90,16 @@ impl RemoteAppServerConnectArgs {
     }
 }
 
+pub(crate) fn websocket_url_supports_auth_token(url: &Url) -> bool {
+    match (url.scheme(), url.host()) {
+        ("wss", Some(_)) => true,
+        ("ws", Some(url::Host::Domain(domain))) => domain.eq_ignore_ascii_case("localhost"),
+        ("ws", Some(url::Host::Ipv4(addr))) => addr.is_loopback(),
+        ("ws", Some(url::Host::Ipv6(addr))) => addr.is_loopback(),
+        _ => false,
+    }
+}
+
 enum RemoteClientCommand {
     Request {
         request: Box<ClientRequest>,
@@ -131,7 +146,31 @@ impl RemoteAppServerClient {
                 format!("invalid websocket URL `{websocket_url}`: {err}"),
             )
         })?;
-        let stream = timeout(CONNECT_TIMEOUT, connect_async(url.as_str()))
+        if args.auth_token.is_some() && !websocket_url_supports_auth_token(&url) {
+            return Err(IoError::new(
+                ErrorKind::InvalidInput,
+                format!(
+                    "remote auth tokens require `wss://` or loopback `ws://` URLs; got `{websocket_url}`"
+                ),
+            ));
+        }
+        let mut request = url.as_str().into_client_request().map_err(|err| {
+            IoError::new(
+                ErrorKind::InvalidInput,
+                format!("invalid websocket URL `{websocket_url}`: {err}"),
+            )
+        })?;
+        if let Some(auth_token) = args.auth_token.as_deref() {
+            let header_value =
+                HeaderValue::from_str(&format!("Bearer {auth_token}")).map_err(|err| {
+                    IoError::new(
+                        ErrorKind::InvalidInput,
+                        format!("invalid remote authorization header value: {err}"),
+                    )
+                })?;
+            request.headers_mut().insert(AUTHORIZATION, header_value);
+        }
+        let stream = timeout(CONNECT_TIMEOUT, connect_async(request))
             .await
             .map_err(|_| {
                 IoError::new(
@@ -272,18 +311,19 @@ impl RemoteAppServerClient {
                                         }
                                     }
                                     Ok(JSONRPCMessage::Notification(notification)) => {
-                                        let event = app_server_event_from_notification(notification);
-                                        if let Err(err) = deliver_event(
-                                            &event_tx,
-                                            &mut skipped_events,
-                                            event,
-                                            &mut stream,
-                                        )
-                                        .await
-                                        {
-                                            warn!(%err, "failed to deliver remote app-server event");
-                                            break;
-                                        }
+                                        if let Some(event) =
+                                            app_server_event_from_notification(notification)
+                                            && let Err(err) = deliver_event(
+                                                &event_tx,
+                                                &mut skipped_events,
+                                                event,
+                                                &mut stream,
+                                            )
+                                            .await
+                                            {
+                                                warn!(%err, "failed to deliver remote app-server event");
+                                                break;
+                                            }
                                     }
                                     Ok(JSONRPCMessage::Request(request)) => {
                                         let request_id = request.id.clone();
@@ -673,7 +713,9 @@ async fn initialize_remote_connection(
                             )));
                         }
                         JSONRPCMessage::Notification(notification) => {
-                            pending_events.push(app_server_event_from_notification(notification));
+                            if let Some(event) = app_server_event_from_notification(notification) {
+                                pending_events.push(event);
+                            }
                         }
                         JSONRPCMessage::Request(request) => {
                             let request_id = request.id.clone();
@@ -756,10 +798,10 @@ async fn initialize_remote_connection(
     Ok(pending_events)
 }
 
-fn app_server_event_from_notification(notification: JSONRPCNotification) -> AppServerEvent {
-    match ServerNotification::try_from(notification.clone()) {
-        Ok(notification) => AppServerEvent::ServerNotification(notification),
-        Err(_) => AppServerEvent::LegacyNotification(notification),
+fn app_server_event_from_notification(notification: JSONRPCNotification) -> Option<AppServerEvent> {
+    match ServerNotification::try_from(notification) {
+        Ok(notification) => Some(AppServerEvent::ServerNotification(notification)),
+        Err(_) => None,
     }
 }
 
@@ -851,18 +893,11 @@ async fn reject_if_server_request_dropped(
 
 fn event_requires_delivery(event: &AppServerEvent) -> bool {
     match event {
-        AppServerEvent::ServerNotification(ServerNotification::TurnCompleted(_)) => true,
-        AppServerEvent::LegacyNotification(notification) => matches!(
-            notification
-                .method
-                .strip_prefix("codex/event/")
-                .unwrap_or(&notification.method),
-            "task_complete" | "turn_aborted" | "shutdown_complete"
-        ),
+        AppServerEvent::ServerNotification(notification) => {
+            server_notification_requires_delivery(notification)
+        }
         AppServerEvent::Disconnected { .. } => true,
-        AppServerEvent::Lagged { .. }
-        | AppServerEvent::ServerNotification(_)
-        | AppServerEvent::ServerRequest(_) => false,
+        AppServerEvent::Lagged { .. } | AppServerEvent::ServerRequest(_) => false,
     }
 }
 
@@ -909,3 +944,40 @@ async fn write_jsonrpc_message(
             ))
         })
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn event_requires_delivery_marks_transcript_and_disconnect_events() {
+        assert!(event_requires_delivery(
+            &AppServerEvent::ServerNotification(ServerNotification::AgentMessageDelta(
+                codex_app_server_protocol::AgentMessageDeltaNotification {
+                    thread_id: "thread".to_string(),
+                    turn_id: "turn".to_string(),
+                    item_id: "item".to_string(),
+                    delta: "hello".to_string(),
+                },
+            ),)
+        ));
+        assert!(event_requires_delivery(
+            &AppServerEvent::ServerNotification(ServerNotification::ItemCompleted(
+                codex_app_server_protocol::ItemCompletedNotification {
+                    thread_id: "thread".to_string(),
+                    turn_id: "turn".to_string(),
+                    item: codex_app_server_protocol::ThreadItem::Plan {
+                        id: "item".to_string(),
+                        text: "step".to_string(),
+                    },
+                }
+            ),)
+        ));
+        assert!(event_requires_delivery(&AppServerEvent::Disconnected {
+            message: "closed".to_string(),
+        }));
+        assert!(!event_requires_delivery(&AppServerEvent::Lagged {
+            skipped: 1
+        }));
+    }
+}

codex-rs/app-server-protocol/Cargo.toml

@@ -14,8 +14,9 @@ workspace = true
 [dependencies]
 anyhow = { workspace = true }
 clap = { workspace = true, features = ["derive"] }
-codex-protocol = { workspace = true }
 codex-experimental-api-macros = { workspace = true }
+codex-git-utils = { workspace = true }
+codex-protocol = { workspace = true }
 codex-utils-absolute-path = { workspace = true }
 schemars = { workspace = true }
 serde = { workspace = true, features = ["derive"] }

codex-rs/app-server-protocol/schema/json/ClientRequest.json

@@ -524,6 +524,21 @@
       ],
       "type": "object"
     },
+    "ExperimentalFeatureEnablementSetParams": {
+      "properties": {
+        "enablement": {
+          "additionalProperties": {
+            "type": "boolean"
+          },
+          "description": "Process-wide runtime feature enablement keyed by canonical feature name.\n\nOnly named features are updated. Omitted features are left unchanged. Send an empty map for a no-op.",
+          "type": "object"
+        }
+      },
+      "required": [
+        "enablement"
+      ],
+      "type": "object"
+    },
     "ExperimentalFeatureListParams": {
       "properties": {
         "cursor": {
@@ -781,6 +796,36 @@
       ],
       "type": "object"
     },
+    "FsUnwatchParams": {
+      "description": "Stop filesystem watch notifications for a prior `fs/watch`.",
+      "properties": {
+        "watchId": {
+          "description": "Watch identifier returned by `fs/watch`.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "watchId"
+      ],
+      "type": "object"
+    },
+    "FsWatchParams": {
+      "description": "Start filesystem watch notifications for an absolute path.",
+      "properties": {
+        "path": {
+          "allOf": [
+            {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            }
+          ],
+          "description": "Absolute file or directory path to watch."
+        }
+      },
+      "required": [
+        "path"
+      ],
+      "type": "object"
+    },
     "FsWriteFileParams": {
       "description": "Write a file on the host filesystem.",
       "properties": {
@@ -2343,13 +2388,27 @@
         "enabled": {
           "type": "boolean"
         },
+        "name": {
+          "description": "Name-based selector.",
+          "type": [
+            "string",
+            "null"
+          ]
+        },
         "path": {
-          "type": "string"
+          "anyOf": [
+            {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            {
+              "type": "null"
+            }
+          ],
+          "description": "Path-based selector."
         }
       },
       "required": [
-        "enabled",
-        "path"
+        "enabled"
       ],
       "type": "object"
     },
@@ -3986,6 +4045,54 @@
       "title": "Fs/copyRequest",
       "type": "object"
     },
+    {
+      "properties": {
+        "id": {
+          "$ref": "#/definitions/RequestId"
+        },
+        "method": {
+          "enum": [
+            "fs/watch"
+          ],
+          "title": "Fs/watchRequestMethod",
+          "type": "string"
+        },
+        "params": {
+          "$ref": "#/definitions/FsWatchParams"
+        }
+      },
+      "required": [
+        "id",
+        "method",
+        "params"
+      ],
+      "title": "Fs/watchRequest",
+      "type": "object"
+    },
+    {
+      "properties": {
+        "id": {
+          "$ref": "#/definitions/RequestId"
+        },
+        "method": {
+          "enum": [
+            "fs/unwatch"
+          ],
+          "title": "Fs/unwatchRequestMethod",
+          "type": "string"
+        },
+        "params": {
+          "$ref": "#/definitions/FsUnwatchParams"
+        }
+      },
+      "required": [
+        "id",
+        "method",
+        "params"
+      ],
+      "title": "Fs/unwatchRequest",
+      "type": "object"
+    },
     {
       "properties": {
         "id": {
@@ -4202,6 +4309,30 @@
       "title": "ExperimentalFeature/listRequest",
       "type": "object"
     },
+    {
+      "properties": {
+        "id": {
+          "$ref": "#/definitions/RequestId"
+        },
+        "method": {
+          "enum": [
+            "experimentalFeature/enablement/set"
+          ],
+          "title": "ExperimentalFeature/enablement/setRequestMethod",
+          "type": "string"
+        },
+        "params": {
+          "$ref": "#/definitions/ExperimentalFeatureEnablementSetParams"
+        }
+      },
+      "required": [
+        "id",
+        "method",
+        "params"
+      ],
+      "title": "ExperimentalFeature/enablement/setRequest",
+      "type": "object"
+    },
     {
       "properties": {
         "id": {

codex-rs/app-server-protocol/schema/json/ServerNotification.json

@@ -1,6 +1,10 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
   "definitions": {
+    "AbsolutePathBuf": {
+      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
+      "type": "string"
+    },
     "AccountLoginCompletedNotification": {
       "properties": {
         "error": {
@@ -998,6 +1002,27 @@
       ],
       "type": "object"
     },
+    "FsChangedNotification": {
+      "description": "Filesystem watch notification emitted for `fs/watch` subscribers.",
+      "properties": {
+        "changedPaths": {
+          "description": "File or directory paths associated with this event.",
+          "items": {
+            "$ref": "#/definitions/AbsolutePathBuf"
+          },
+          "type": "array"
+        },
+        "watchId": {
+          "description": "Watch identifier returned by `fs/watch`.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "changedPaths",
+        "watchId"
+      ],
+      "type": "object"
+    },
     "FuzzyFileSearchMatchType": {
       "enum": [
         "file",
@@ -1180,6 +1205,8 @@
     },
     "HookEventName": {
       "enum": [
+        "preToolUse",
+        "postToolUse",
         "sessionStart",
         "userPromptSubmit",
         "stop"
@@ -4393,6 +4420,26 @@
       "title": "App/list/updatedNotification",
       "type": "object"
     },
+    {
+      "properties": {
+        "method": {
+          "enum": [
+            "fs/changed"
+          ],
+          "title": "Fs/changedNotificationMethod",
+          "type": "string"
+        },
+        "params": {
+          "$ref": "#/definitions/FsChangedNotification"
+        }
+      },
+      "required": [
+        "method",
+        "params"
+      ],
+      "title": "Fs/changedNotification",
+      "type": "object"
+    },
     {
       "properties": {
         "method": {

codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json

@@ -1,6 +1,10 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
   "definitions": {
+    "AbsolutePathBuf": {
+      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
+      "type": "string"
+    },
     "AdditionalFileSystemPermissions": {
       "properties": {
         "read": {
@@ -883,6 +887,54 @@
           "title": "Fs/copyRequest",
           "type": "object"
         },
+        {
+          "properties": {
+            "id": {
+              "$ref": "#/definitions/v2/RequestId"
+            },
+            "method": {
+              "enum": [
+                "fs/watch"
+              ],
+              "title": "Fs/watchRequestMethod",
+              "type": "string"
+            },
+            "params": {
+              "$ref": "#/definitions/v2/FsWatchParams"
+            }
+          },
+          "required": [
+            "id",
+            "method",
+            "params"
+          ],
+          "title": "Fs/watchRequest",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "id": {
+              "$ref": "#/definitions/v2/RequestId"
+            },
+            "method": {
+              "enum": [
+                "fs/unwatch"
+              ],
+              "title": "Fs/unwatchRequestMethod",
+              "type": "string"
+            },
+            "params": {
+              "$ref": "#/definitions/v2/FsUnwatchParams"
+            }
+          },
+          "required": [
+            "id",
+            "method",
+            "params"
+          ],
+          "title": "Fs/unwatchRequest",
+          "type": "object"
+        },
         {
           "properties": {
             "id": {
@@ -1099,6 +1151,30 @@
           "title": "ExperimentalFeature/listRequest",
           "type": "object"
         },
+        {
+          "properties": {
+            "id": {
+              "$ref": "#/definitions/v2/RequestId"
+            },
+            "method": {
+              "enum": [
+                "experimentalFeature/enablement/set"
+              ],
+              "title": "ExperimentalFeature/enablement/setRequestMethod",
+              "type": "string"
+            },
+            "params": {
+              "$ref": "#/definitions/v2/ExperimentalFeatureEnablementSetParams"
+            }
+          },
+          "required": [
+            "id",
+            "method",
+            "params"
+          ],
+          "title": "ExperimentalFeature/enablement/setRequest",
+          "type": "object"
+        },
         {
           "properties": {
             "id": {
@@ -2257,6 +2333,14 @@
     "InitializeResponse": {
       "$schema": "http://json-schema.org/draft-07/schema#",
       "properties": {
+        "codexHome": {
+          "allOf": [
+            {
+              "$ref": "#/definitions/v2/AbsolutePathBuf"
+            }
+          ],
+          "description": "Absolute path to the server's $CODEX_HOME directory."
+        },
         "platformFamily": {
           "description": "Platform family for the running app-server target, for example `\"unix\"` or `\"windows\"`.",
           "type": "string"
@@ -2270,6 +2354,7 @@
         }
       },
       "required": [
+        "codexHome",
         "platformFamily",
         "platformOs",
         "userAgent"
@@ -4053,6 +4138,26 @@
           "title": "App/list/updatedNotification",
           "type": "object"
         },
+        {
+          "properties": {
+            "method": {
+              "enum": [
+                "fs/changed"
+              ],
+              "title": "Fs/changedNotificationMethod",
+              "type": "string"
+            },
+            "params": {
+              "$ref": "#/definitions/v2/FsChangedNotification"
+            }
+          },
+          "required": [
+            "method",
+            "params"
+          ],
+          "title": "Fs/changedNotification",
+          "type": "object"
+        },
         {
           "properties": {
             "method": {
@@ -7168,6 +7273,40 @@
         ],
         "type": "object"
       },
+      "ExperimentalFeatureEnablementSetParams": {
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "properties": {
+          "enablement": {
+            "additionalProperties": {
+              "type": "boolean"
+            },
+            "description": "Process-wide runtime feature enablement keyed by canonical feature name.\n\nOnly named features are updated. Omitted features are left unchanged. Send an empty map for a no-op.",
+            "type": "object"
+          }
+        },
+        "required": [
+          "enablement"
+        ],
+        "title": "ExperimentalFeatureEnablementSetParams",
+        "type": "object"
+      },
+      "ExperimentalFeatureEnablementSetResponse": {
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "properties": {
+          "enablement": {
+            "additionalProperties": {
+              "type": "boolean"
+            },
+            "description": "Feature enablement entries updated by this request.",
+            "type": "object"
+          }
+        },
+        "required": [
+          "enablement"
+        ],
+        "title": "ExperimentalFeatureEnablementSetResponse",
+        "type": "object"
+      },
       "ExperimentalFeatureListParams": {
         "$schema": "http://json-schema.org/draft-07/schema#",
         "properties": {
@@ -7444,6 +7583,29 @@
         ],
         "type": "string"
       },
+      "FsChangedNotification": {
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "description": "Filesystem watch notification emitted for `fs/watch` subscribers.",
+        "properties": {
+          "changedPaths": {
+            "description": "File or directory paths associated with this event.",
+            "items": {
+              "$ref": "#/definitions/v2/AbsolutePathBuf"
+            },
+            "type": "array"
+          },
+          "watchId": {
+            "description": "Watch identifier returned by `fs/watch`.",
+            "type": "string"
+          }
+        },
+        "required": [
+          "changedPaths",
+          "watchId"
+        ],
+        "title": "FsChangedNotification",
+        "type": "object"
+      },
       "FsCopyParams": {
         "$schema": "http://json-schema.org/draft-07/schema#",
         "description": "Copy a file or directory tree on the host filesystem.",
@@ -7698,6 +7860,70 @@
         "title": "FsRemoveResponse",
         "type": "object"
       },
+      "FsUnwatchParams": {
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "description": "Stop filesystem watch notifications for a prior `fs/watch`.",
+        "properties": {
+          "watchId": {
+            "description": "Watch identifier returned by `fs/watch`.",
+            "type": "string"
+          }
+        },
+        "required": [
+          "watchId"
+        ],
+        "title": "FsUnwatchParams",
+        "type": "object"
+      },
+      "FsUnwatchResponse": {
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "description": "Successful response for `fs/unwatch`.",
+        "title": "FsUnwatchResponse",
+        "type": "object"
+      },
+      "FsWatchParams": {
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "description": "Start filesystem watch notifications for an absolute path.",
+        "properties": {
+          "path": {
+            "allOf": [
+              {
+                "$ref": "#/definitions/v2/AbsolutePathBuf"
+              }
+            ],
+            "description": "Absolute file or directory path to watch."
+          }
+        },
+        "required": [
+          "path"
+        ],
+        "title": "FsWatchParams",
+        "type": "object"
+      },
+      "FsWatchResponse": {
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "description": "Created watch handle returned by `fs/watch`.",
+        "properties": {
+          "path": {
+            "allOf": [
+              {
+                "$ref": "#/definitions/v2/AbsolutePathBuf"
+              }
+            ],
+            "description": "Canonicalized path associated with the watch."
+          },
+          "watchId": {
+            "description": "Connection-scoped watch identifier used for `fs/unwatch` and `fs/changed`.",
+            "type": "string"
+          }
+        },
+        "required": [
+          "path",
+          "watchId"
+        ],
+        "title": "FsWatchResponse",
+        "type": "object"
+      },
       "FsWriteFileParams": {
         "$schema": "http://json-schema.org/draft-07/schema#",
         "description": "Write a file on the host filesystem.",
@@ -7994,6 +8220,8 @@
       },
       "HookEventName": {
         "enum": [
+          "preToolUse",
+          "postToolUse",
           "sessionStart",
           "userPromptSubmit",
           "stop"
@@ -8556,6 +8784,21 @@
         },
         "type": "object"
       },
+      "MarketplaceLoadErrorInfo": {
+        "properties": {
+          "marketplacePath": {
+            "$ref": "#/definitions/v2/AbsolutePathBuf"
+          },
+          "message": {
+            "type": "string"
+          }
+        },
+        "required": [
+          "marketplacePath",
+          "message"
+        ],
+        "type": "object"
+      },
       "McpAuthStatus": {
         "enum": [
           "unsupported",
@@ -9514,6 +9757,13 @@
             },
             "type": "array"
           },
+          "marketplaceLoadErrors": {
+            "default": [],
+            "items": {
+              "$ref": "#/definitions/v2/MarketplaceLoadErrorInfo"
+            },
+            "type": "array"
+          },
           "marketplaces": {
             "items": {
               "$ref": "#/definitions/v2/PluginMarketplaceEntry"
@@ -11352,6 +11602,9 @@
           "description": {
             "type": "string"
           },
+          "enabled": {
+            "type": "boolean"
+          },
           "interface": {
             "anyOf": [
               {
@@ -11377,6 +11630,7 @@
         },
         "required": [
           "description",
+          "enabled",
           "name",
           "path"
         ],
@@ -11433,13 +11687,27 @@
           "enabled": {
             "type": "boolean"
           },
+          "name": {
+            "description": "Name-based selector.",
+            "type": [
+              "string",
+              "null"
+            ]
+          },
           "path": {
-            "type": "string"
+            "anyOf": [
+              {
+                "$ref": "#/definitions/v2/AbsolutePathBuf"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "description": "Path-based selector."
           }
         },
         "required": [
-          "enabled",
-          "path"
+          "enabled"
         ],
         "title": "SkillsConfigWriteParams",
         "type": "object"

codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json

@@ -1417,6 +1417,54 @@
           "title": "Fs/copyRequest",
           "type": "object"
         },
+        {
+          "properties": {
+            "id": {
+              "$ref": "#/definitions/RequestId"
+            },
+            "method": {
+              "enum": [
+                "fs/watch"
+              ],
+              "title": "Fs/watchRequestMethod",
+              "type": "string"
+            },
+            "params": {
+              "$ref": "#/definitions/FsWatchParams"
+            }
+          },
+          "required": [
+            "id",
+            "method",
+            "params"
+          ],
+          "title": "Fs/watchRequest",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "id": {
+              "$ref": "#/definitions/RequestId"
+            },
+            "method": {
+              "enum": [
+                "fs/unwatch"
+              ],
+              "title": "Fs/unwatchRequestMethod",
+              "type": "string"
+            },
+            "params": {
+              "$ref": "#/definitions/FsUnwatchParams"
+            }
+          },
+          "required": [
+            "id",
+            "method",
+            "params"
+          ],
+          "title": "Fs/unwatchRequest",
+          "type": "object"
+        },
         {
           "properties": {
             "id": {
@@ -1633,6 +1681,30 @@
           "title": "ExperimentalFeature/listRequest",
           "type": "object"
         },
+        {
+          "properties": {
+            "id": {
+              "$ref": "#/definitions/RequestId"
+            },
+            "method": {
+              "enum": [
+                "experimentalFeature/enablement/set"
+              ],
+              "title": "ExperimentalFeature/enablement/setRequestMethod",
+              "type": "string"
+            },
+            "params": {
+              "$ref": "#/definitions/ExperimentalFeatureEnablementSetParams"
+            }
+          },
+          "required": [
+            "id",
+            "method",
+            "params"
+          ],
+          "title": "ExperimentalFeature/enablement/setRequest",
+          "type": "object"
+        },
         {
           "properties": {
             "id": {
@@ -3761,6 +3833,40 @@
       ],
       "type": "object"
     },
+    "ExperimentalFeatureEnablementSetParams": {
+      "$schema": "http://json-schema.org/draft-07/schema#",
+      "properties": {
+        "enablement": {
+          "additionalProperties": {
+            "type": "boolean"
+          },
+          "description": "Process-wide runtime feature enablement keyed by canonical feature name.\n\nOnly named features are updated. Omitted features are left unchanged. Send an empty map for a no-op.",
+          "type": "object"
+        }
+      },
+      "required": [
+        "enablement"
+      ],
+      "title": "ExperimentalFeatureEnablementSetParams",
+      "type": "object"
+    },
+    "ExperimentalFeatureEnablementSetResponse": {
+      "$schema": "http://json-schema.org/draft-07/schema#",
+      "properties": {
+        "enablement": {
+          "additionalProperties": {
+            "type": "boolean"
+          },
+          "description": "Feature enablement entries updated by this request.",
+          "type": "object"
+        }
+      },
+      "required": [
+        "enablement"
+      ],
+      "title": "ExperimentalFeatureEnablementSetResponse",
+      "type": "object"
+    },
     "ExperimentalFeatureListParams": {
       "$schema": "http://json-schema.org/draft-07/schema#",
       "properties": {
@@ -4037,6 +4143,29 @@
       ],
       "type": "string"
     },
+    "FsChangedNotification": {
+      "$schema": "http://json-schema.org/draft-07/schema#",
+      "description": "Filesystem watch notification emitted for `fs/watch` subscribers.",
+      "properties": {
+        "changedPaths": {
+          "description": "File or directory paths associated with this event.",
+          "items": {
+            "$ref": "#/definitions/AbsolutePathBuf"
+          },
+          "type": "array"
+        },
+        "watchId": {
+          "description": "Watch identifier returned by `fs/watch`.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "changedPaths",
+        "watchId"
+      ],
+      "title": "FsChangedNotification",
+      "type": "object"
+    },
     "FsCopyParams": {
       "$schema": "http://json-schema.org/draft-07/schema#",
       "description": "Copy a file or directory tree on the host filesystem.",
@@ -4291,6 +4420,70 @@
       "title": "FsRemoveResponse",
       "type": "object"
     },
+    "FsUnwatchParams": {
+      "$schema": "http://json-schema.org/draft-07/schema#",
+      "description": "Stop filesystem watch notifications for a prior `fs/watch`.",
+      "properties": {
+        "watchId": {
+          "description": "Watch identifier returned by `fs/watch`.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "watchId"
+      ],
+      "title": "FsUnwatchParams",
+      "type": "object"
+    },
+    "FsUnwatchResponse": {
+      "$schema": "http://json-schema.org/draft-07/schema#",
+      "description": "Successful response for `fs/unwatch`.",
+      "title": "FsUnwatchResponse",
+      "type": "object"
+    },
+    "FsWatchParams": {
+      "$schema": "http://json-schema.org/draft-07/schema#",
+      "description": "Start filesystem watch notifications for an absolute path.",
+      "properties": {
+        "path": {
+          "allOf": [
+            {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            }
+          ],
+          "description": "Absolute file or directory path to watch."
+        }
+      },
+      "required": [
+        "path"
+      ],
+      "title": "FsWatchParams",
+      "type": "object"
+    },
+    "FsWatchResponse": {
+      "$schema": "http://json-schema.org/draft-07/schema#",
+      "description": "Created watch handle returned by `fs/watch`.",
+      "properties": {
+        "path": {
+          "allOf": [
+            {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            }
+          ],
+          "description": "Canonicalized path associated with the watch."
+        },
+        "watchId": {
+          "description": "Connection-scoped watch identifier used for `fs/unwatch` and `fs/changed`.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "path",
+        "watchId"
+      ],
+      "title": "FsWatchResponse",
+      "type": "object"
+    },
     "FsWriteFileParams": {
       "$schema": "http://json-schema.org/draft-07/schema#",
       "description": "Write a file on the host filesystem.",
@@ -4698,6 +4891,8 @@
     },
     "HookEventName": {
       "enum": [
+        "preToolUse",
+        "postToolUse",
         "sessionStart",
         "userPromptSubmit",
         "stop"
@@ -5304,6 +5499,21 @@
       },
       "type": "object"
     },
+    "MarketplaceLoadErrorInfo": {
+      "properties": {
+        "marketplacePath": {
+          "$ref": "#/definitions/AbsolutePathBuf"
+        },
+        "message": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "marketplacePath",
+        "message"
+      ],
+      "type": "object"
+    },
     "McpAuthStatus": {
       "enum": [
         "unsupported",
@@ -6262,6 +6472,13 @@
           },
           "type": "array"
         },
+        "marketplaceLoadErrors": {
+          "default": [],
+          "items": {
+            "$ref": "#/definitions/MarketplaceLoadErrorInfo"
+          },
+          "type": "array"
+        },
         "marketplaces": {
           "items": {
             "$ref": "#/definitions/PluginMarketplaceEntry"
@@ -8517,6 +8734,26 @@
           "title": "App/list/updatedNotification",
           "type": "object"
         },
+        {
+          "properties": {
+            "method": {
+              "enum": [
+                "fs/changed"
+              ],
+              "title": "Fs/changedNotificationMethod",
+              "type": "string"
+            },
+            "params": {
+              "$ref": "#/definitions/FsChangedNotification"
+            }
+          },
+          "required": [
+            "method",
+            "params"
+          ],
+          "title": "Fs/changedNotification",
+          "type": "object"
+        },
         {
           "properties": {
             "method": {
@@ -9112,6 +9349,9 @@
         "description": {
           "type": "string"
         },
+        "enabled": {
+          "type": "boolean"
+        },
         "interface": {
           "anyOf": [
             {
@@ -9137,6 +9377,7 @@
       },
       "required": [
         "description",
+        "enabled",
         "name",
         "path"
       ],
@@ -9193,13 +9434,27 @@
         "enabled": {
           "type": "boolean"
         },
+        "name": {
+          "description": "Name-based selector.",
+          "type": [
+            "string",
+            "null"
+          ]
+        },
         "path": {
-          "type": "string"
+          "anyOf": [
+            {
+              "$ref": "#/definitions/AbsolutePathBuf"
+            },
+            {
+              "type": "null"
+            }
+          ],
+          "description": "Path-based selector."
         }
       },
       "required": [
-        "enabled",
-        "path"
+        "enabled"
       ],
       "title": "SkillsConfigWriteParams",
       "type": "object"

codex-rs/app-server-protocol/schema/json/v1/InitializeResponse.json

@@ -1,6 +1,20 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
+  "definitions": {
+    "AbsolutePathBuf": {
+      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
+      "type": "string"
+    }
+  },
   "properties": {
+    "codexHome": {
+      "allOf": [
+        {
+          "$ref": "#/definitions/AbsolutePathBuf"
+        }
+      ],
+      "description": "Absolute path to the server's $CODEX_HOME directory."
+    },
     "platformFamily": {
       "description": "Platform family for the running app-server target, for example `\"unix\"` or `\"windows\"`.",
       "type": "string"
@@ -14,6 +28,7 @@
     }
   },
   "required": [
+    "codexHome",
     "platformFamily",
     "platformOs",
     "userAgent"

codex-rs/app-server-protocol/schema/json/v2/ExperimentalFeatureEnablementSetParams.json

@@ -0,0 +1,17 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "properties": {
+    "enablement": {
+      "additionalProperties": {
+        "type": "boolean"
+      },
+      "description": "Process-wide runtime feature enablement keyed by canonical feature name.\n\nOnly named features are updated. Omitted features are left unchanged. Send an empty map for a no-op.",
+      "type": "object"
+    }
+  },
+  "required": [
+    "enablement"
+  ],
+  "title": "ExperimentalFeatureEnablementSetParams",
+  "type": "object"
+}

codex-rs/app-server-protocol/schema/json/v2/ExperimentalFeatureEnablementSetResponse.json

@@ -0,0 +1,17 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "properties": {
+    "enablement": {
+      "additionalProperties": {
+        "type": "boolean"
+      },
+      "description": "Feature enablement entries updated by this request.",
+      "type": "object"
+    }
+  },
+  "required": [
+    "enablement"
+  ],
+  "title": "ExperimentalFeatureEnablementSetResponse",
+  "type": "object"
+}

codex-rs/app-server-protocol/schema/json/v2/FsChangedNotification.json

@@ -0,0 +1,29 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "definitions": {
+    "AbsolutePathBuf": {
+      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
+      "type": "string"
+    }
+  },
+  "description": "Filesystem watch notification emitted for `fs/watch` subscribers.",
+  "properties": {
+    "changedPaths": {
+      "description": "File or directory paths associated with this event.",
+      "items": {
+        "$ref": "#/definitions/AbsolutePathBuf"
+      },
+      "type": "array"
+    },
+    "watchId": {
+      "description": "Watch identifier returned by `fs/watch`.",
+      "type": "string"
+    }
+  },
+  "required": [
+    "changedPaths",
+    "watchId"
+  ],
+  "title": "FsChangedNotification",
+  "type": "object"
+}

codex-rs/app-server-protocol/schema/json/v2/FsUnwatchParams.json

@@ -0,0 +1,15 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "description": "Stop filesystem watch notifications for a prior `fs/watch`.",
+  "properties": {
+    "watchId": {
+      "description": "Watch identifier returned by `fs/watch`.",
+      "type": "string"
+    }
+  },
+  "required": [
+    "watchId"
+  ],
+  "title": "FsUnwatchParams",
+  "type": "object"
+}

codex-rs/app-server-protocol/schema/json/v2/FsUnwatchResponse.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "description": "Successful response for `fs/unwatch`.",
+  "title": "FsUnwatchResponse",
+  "type": "object"
+}

codex-rs/app-server-protocol/schema/json/v2/FsWatchParams.json

@@ -0,0 +1,25 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "definitions": {
+    "AbsolutePathBuf": {
+      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
+      "type": "string"
+    }
+  },
+  "description": "Start filesystem watch notifications for an absolute path.",
+  "properties": {
+    "path": {
+      "allOf": [
+        {
+          "$ref": "#/definitions/AbsolutePathBuf"
+        }
+      ],
+      "description": "Absolute file or directory path to watch."
+    }
+  },
+  "required": [
+    "path"
+  ],
+  "title": "FsWatchParams",
+  "type": "object"
+}

codex-rs/app-server-protocol/schema/json/v2/FsWatchResponse.json

@@ -0,0 +1,30 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "definitions": {
+    "AbsolutePathBuf": {
+      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
+      "type": "string"
+    }
+  },
+  "description": "Created watch handle returned by `fs/watch`.",
+  "properties": {
+    "path": {
+      "allOf": [
+        {
+          "$ref": "#/definitions/AbsolutePathBuf"
+        }
+      ],
+      "description": "Canonicalized path associated with the watch."
+    },
+    "watchId": {
+      "description": "Connection-scoped watch identifier used for `fs/unwatch` and `fs/changed`.",
+      "type": "string"
+    }
+  },
+  "required": [
+    "path",
+    "watchId"
+  ],
+  "title": "FsWatchResponse",
+  "type": "object"
+}

codex-rs/app-server-protocol/schema/json/v2/HookCompletedNotification.json

@@ -3,6 +3,8 @@
   "definitions": {
     "HookEventName": {
       "enum": [
+        "preToolUse",
+        "postToolUse",
         "sessionStart",
         "userPromptSubmit",
         "stop"

codex-rs/app-server-protocol/schema/json/v2/HookStartedNotification.json

@@ -3,6 +3,8 @@
   "definitions": {
     "HookEventName": {
       "enum": [
+        "preToolUse",
+        "postToolUse",
         "sessionStart",
         "userPromptSubmit",
         "stop"

codex-rs/app-server-protocol/schema/json/v2/PluginListResponse.json

@@ -16,6 +16,21 @@
       },
       "type": "object"
     },
+    "MarketplaceLoadErrorInfo": {
+      "properties": {
+        "marketplacePath": {
+          "$ref": "#/definitions/AbsolutePathBuf"
+        },
+        "message": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "marketplacePath",
+        "message"
+      ],
+      "type": "object"
+    },
     "PluginAuthPolicy": {
       "enum": [
         "ON_INSTALL",
@@ -246,6 +261,13 @@
       },
       "type": "array"
     },
+    "marketplaceLoadErrors": {
+      "default": [],
+      "items": {
+        "$ref": "#/definitions/MarketplaceLoadErrorInfo"
+      },
+      "type": "array"
+    },
     "marketplaces": {
       "items": {
         "$ref": "#/definitions/PluginMarketplaceEntry"

codex-rs/app-server-protocol/schema/json/v2/PluginReadResponse.json

@@ -318,6 +318,9 @@
         "description": {
           "type": "string"
         },
+        "enabled": {
+          "type": "boolean"
+        },
         "interface": {
           "anyOf": [
             {
@@ -343,6 +346,7 @@
       },
       "required": [
         "description",
+        "enabled",
         "name",
         "path"
       ],

codex-rs/app-server-protocol/schema/json/v2/SkillsConfigWriteParams.json

@@ -1,16 +1,36 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
+  "definitions": {
+    "AbsolutePathBuf": {
+      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
+      "type": "string"
+    }
+  },
   "properties": {
     "enabled": {
       "type": "boolean"
     },
+    "name": {
+      "description": "Name-based selector.",
+      "type": [
+        "string",
+        "null"
+      ]
+    },
     "path": {
-      "type": "string"
+      "anyOf": [
+        {
+          "$ref": "#/definitions/AbsolutePathBuf"
+        },
+        {
+          "type": "null"
+        }
+      ],
+      "description": "Path-based selector."
     }
   },
   "required": [
-    "enabled",
-    "path"
+    "enabled"
   ],
   "title": "SkillsConfigWriteParams",
   "type": "object"

codex-rs/app-server-protocol/schema/typescript/InitializeResponse.ts

@@ -1,8 +1,13 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!
 
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { AbsolutePathBuf } from "./AbsolutePathBuf";
 
 export type InitializeResponse = { userAgent: string, 
+/**
+ * Absolute path to the server's $CODEX_HOME directory.
+ */
+codexHome: AbsolutePathBuf, 
 /**
  * Platform family for the running app-server target, for example
  * `"unix"` or `"windows"`.

codex-rs/app-server-protocol/schema/typescript/ServerNotification.ts

@@ -15,6 +15,7 @@ import type { ContextCompactedNotification } from "./v2/ContextCompactedNotifica
 import type { DeprecationNoticeNotification } from "./v2/DeprecationNoticeNotification";
 import type { ErrorNotification } from "./v2/ErrorNotification";
 import type { FileChangeOutputDeltaNotification } from "./v2/FileChangeOutputDeltaNotification";
+import type { FsChangedNotification } from "./v2/FsChangedNotification";
 import type { HookCompletedNotification } from "./v2/HookCompletedNotification";
 import type { HookStartedNotification } from "./v2/HookStartedNotification";
 import type { ItemCompletedNotification } from "./v2/ItemCompletedNotification";
@@ -56,4 +57,4 @@ import type { WindowsWorldWritableWarningNotification } from "./v2/WindowsWorldW
 /**
  * Notification sent from the server to the client.
  */
-export type ServerNotification = { "method": "error", "params": ErrorNotification } | { "method": "thread/started", "params": ThreadStartedNotification } | { "method": "thread/status/changed", "params": ThreadStatusChangedNotification } | { "method": "thread/archived", "params": ThreadArchivedNotification } | { "method": "thread/unarchived", "params": ThreadUnarchivedNotification } | { "method": "thread/closed", "params": ThreadClosedNotification } | { "method": "skills/changed", "params": SkillsChangedNotification } | { "method": "thread/name/updated", "params": ThreadNameUpdatedNotification } | { "method": "thread/tokenUsage/updated", "params": ThreadTokenUsageUpdatedNotification } | { "method": "turn/started", "params": TurnStartedNotification } | { "method": "hook/started", "params": HookStartedNotification } | { "method": "turn/completed", "params": TurnCompletedNotification } | { "method": "hook/completed", "params": HookCompletedNotification } | { "method": "turn/diff/updated", "params": TurnDiffUpdatedNotification } | { "method": "turn/plan/updated", "params": TurnPlanUpdatedNotification } | { "method": "item/started", "params": ItemStartedNotification } | { "method": "item/autoApprovalReview/started", "params": ItemGuardianApprovalReviewStartedNotification } | { "method": "item/autoApprovalReview/completed", "params": ItemGuardianApprovalReviewCompletedNotification } | { "method": "item/completed", "params": ItemCompletedNotification } | { "method": "rawResponseItem/completed", "params": RawResponseItemCompletedNotification } | { "method": "item/agentMessage/delta", "params": AgentMessageDeltaNotification } | { "method": "item/plan/delta", "params": PlanDeltaNotification } | { "method": "command/exec/outputDelta", "params": CommandExecOutputDeltaNotification } | { "method": "item/commandExecution/outputDelta", "params": CommandExecutionOutputDeltaNotification } | { "method": "item/commandExecution/terminalInteraction", "params": TerminalInteractionNotification } | { "method": "item/fileChange/outputDelta", "params": FileChangeOutputDeltaNotification } | { "method": "serverRequest/resolved", "params": ServerRequestResolvedNotification } | { "method": "item/mcpToolCall/progress", "params": McpToolCallProgressNotification } | { "method": "mcpServer/oauthLogin/completed", "params": McpServerOauthLoginCompletedNotification } | { "method": "mcpServer/startupStatus/updated", "params": McpServerStatusUpdatedNotification } | { "method": "account/updated", "params": AccountUpdatedNotification } | { "method": "account/rateLimits/updated", "params": AccountRateLimitsUpdatedNotification } | { "method": "app/list/updated", "params": AppListUpdatedNotification } | { "method": "item/reasoning/summaryTextDelta", "params": ReasoningSummaryTextDeltaNotification } | { "method": "item/reasoning/summaryPartAdded", "params": ReasoningSummaryPartAddedNotification } | { "method": "item/reasoning/textDelta", "params": ReasoningTextDeltaNotification } | { "method": "thread/compacted", "params": ContextCompactedNotification } | { "method": "model/rerouted", "params": ModelReroutedNotification } | { "method": "deprecationNotice", "params": DeprecationNoticeNotification } | { "method": "configWarning", "params": ConfigWarningNotification } | { "method": "fuzzyFileSearch/sessionUpdated", "params": FuzzyFileSearchSessionUpdatedNotification } | { "method": "fuzzyFileSearch/sessionCompleted", "params": FuzzyFileSearchSessionCompletedNotification } | { "method": "thread/realtime/started", "params": ThreadRealtimeStartedNotification } | { "method": "thread/realtime/itemAdded", "params": ThreadRealtimeItemAddedNotification } | { "method": "thread/realtime/transcriptUpdated", "params": ThreadRealtimeTranscriptUpdatedNotification } | { "method": "thread/realtime/outputAudio/delta", "params": ThreadRealtimeOutputAudioDeltaNotification } | { "method": "thread/realtime/error", "params": ThreadRealtimeErrorNotification } | { "method": "thread/realtime/closed", "params": ThreadRealtimeClosedNotification } | { "method": "windows/worldWritableWarning", "params": WindowsWorldWritableWarningNotification } | { "method": "windowsSandbox/setupCompleted", "params": WindowsSandboxSetupCompletedNotification } | { "method": "account/login/completed", "params": AccountLoginCompletedNotification };
+export type ServerNotification = { "method": "error", "params": ErrorNotification } | { "method": "thread/started", "params": ThreadStartedNotification } | { "method": "thread/status/changed", "params": ThreadStatusChangedNotification } | { "method": "thread/archived", "params": ThreadArchivedNotification } | { "method": "thread/unarchived", "params": ThreadUnarchivedNotification } | { "method": "thread/closed", "params": ThreadClosedNotification } | { "method": "skills/changed", "params": SkillsChangedNotification } | { "method": "thread/name/updated", "params": ThreadNameUpdatedNotification } | { "method": "thread/tokenUsage/updated", "params": ThreadTokenUsageUpdatedNotification } | { "method": "turn/started", "params": TurnStartedNotification } | { "method": "hook/started", "params": HookStartedNotification } | { "method": "turn/completed", "params": TurnCompletedNotification } | { "method": "hook/completed", "params": HookCompletedNotification } | { "method": "turn/diff/updated", "params": TurnDiffUpdatedNotification } | { "method": "turn/plan/updated", "params": TurnPlanUpdatedNotification } | { "method": "item/started", "params": ItemStartedNotification } | { "method": "item/autoApprovalReview/started", "params": ItemGuardianApprovalReviewStartedNotification } | { "method": "item/autoApprovalReview/completed", "params": ItemGuardianApprovalReviewCompletedNotification } | { "method": "item/completed", "params": ItemCompletedNotification } | { "method": "rawResponseItem/completed", "params": RawResponseItemCompletedNotification } | { "method": "item/agentMessage/delta", "params": AgentMessageDeltaNotification } | { "method": "item/plan/delta", "params": PlanDeltaNotification } | { "method": "command/exec/outputDelta", "params": CommandExecOutputDeltaNotification } | { "method": "item/commandExecution/outputDelta", "params": CommandExecutionOutputDeltaNotification } | { "method": "item/commandExecution/terminalInteraction", "params": TerminalInteractionNotification } | { "method": "item/fileChange/outputDelta", "params": FileChangeOutputDeltaNotification } | { "method": "serverRequest/resolved", "params": ServerRequestResolvedNotification } | { "method": "item/mcpToolCall/progress", "params": McpToolCallProgressNotification } | { "method": "mcpServer/oauthLogin/completed", "params": McpServerOauthLoginCompletedNotification } | { "method": "mcpServer/startupStatus/updated", "params": McpServerStatusUpdatedNotification } | { "method": "account/updated", "params": AccountUpdatedNotification } | { "method": "account/rateLimits/updated", "params": AccountRateLimitsUpdatedNotification } | { "method": "app/list/updated", "params": AppListUpdatedNotification } | { "method": "fs/changed", "params": FsChangedNotification } | { "method": "item/reasoning/summaryTextDelta", "params": ReasoningSummaryTextDeltaNotification } | { "method": "item/reasoning/summaryPartAdded", "params": ReasoningSummaryPartAddedNotification } | { "method": "item/reasoning/textDelta", "params": ReasoningTextDeltaNotification } | { "method": "thread/compacted", "params": ContextCompactedNotification } | { "method": "model/rerouted", "params": ModelReroutedNotification } | { "method": "deprecationNotice", "params": DeprecationNoticeNotification } | { "method": "configWarning", "params": ConfigWarningNotification } | { "method": "fuzzyFileSearch/sessionUpdated", "params": FuzzyFileSearchSessionUpdatedNotification } | { "method": "fuzzyFileSearch/sessionCompleted", "params": FuzzyFileSearchSessionCompletedNotification } | { "method": "thread/realtime/started", "params": ThreadRealtimeStartedNotification } | { "method": "thread/realtime/itemAdded", "params": ThreadRealtimeItemAddedNotification } | { "method": "thread/realtime/transcriptUpdated", "params": ThreadRealtimeTranscriptUpdatedNotification } | { "method": "thread/realtime/outputAudio/delta", "params": ThreadRealtimeOutputAudioDeltaNotification } | { "method": "thread/realtime/error", "params": ThreadRealtimeErrorNotification } | { "method": "thread/realtime/closed", "params": ThreadRealtimeClosedNotification } | { "method": "windows/worldWritableWarning", "params": WindowsWorldWritableWarningNotification } | { "method": "windowsSandbox/setupCompleted", "params": WindowsSandboxSetupCompletedNotification } | { "method": "account/login/completed", "params": AccountLoginCompletedNotification };

codex-rs/app-server-protocol/schema/typescript/v2/ExperimentalFeatureEnablementSetParams.ts

@@ -0,0 +1,12 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type ExperimentalFeatureEnablementSetParams = { 
+/**
+ * Process-wide runtime feature enablement keyed by canonical feature name.
+ *
+ * Only named features are updated. Omitted features are left unchanged.
+ * Send an empty map for a no-op.
+ */
+enablement: { [key in string]?: boolean }, };

codex-rs/app-server-protocol/schema/typescript/v2/ExperimentalFeatureEnablementSetResponse.ts

@@ -0,0 +1,9 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type ExperimentalFeatureEnablementSetResponse = { 
+/**
+ * Feature enablement entries updated by this request.
+ */
+enablement: { [key in string]?: boolean }, };

codex-rs/app-server-protocol/schema/typescript/v2/FsChangedNotification.ts

@@ -0,0 +1,17 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { AbsolutePathBuf } from "../AbsolutePathBuf";
+
+/**
+ * Filesystem watch notification emitted for `fs/watch` subscribers.
+ */
+export type FsChangedNotification = { 
+/**
+ * Watch identifier returned by `fs/watch`.
+ */
+watchId: string, 
+/**
+ * File or directory paths associated with this event.
+ */
+changedPaths: Array<AbsolutePathBuf>, };

codex-rs/app-server-protocol/schema/typescript/v2/FsUnwatchParams.ts

@@ -0,0 +1,12 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+/**
+ * Stop filesystem watch notifications for a prior `fs/watch`.
+ */
+export type FsUnwatchParams = { 
+/**
+ * Watch identifier returned by `fs/watch`.
+ */
+watchId: string, };

codex-rs/app-server-protocol/schema/typescript/v2/FsUnwatchResponse.ts

@@ -0,0 +1,8 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+/**
+ * Successful response for `fs/unwatch`.
+ */
+export type FsUnwatchResponse = Record<string, never>;

codex-rs/app-server-protocol/schema/typescript/v2/FsWatchParams.ts

@@ -0,0 +1,13 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { AbsolutePathBuf } from "../AbsolutePathBuf";
+
+/**
+ * Start filesystem watch notifications for an absolute path.
+ */
+export type FsWatchParams = { 
+/**
+ * Absolute file or directory path to watch.
+ */
+path: AbsolutePathBuf, };

codex-rs/app-server-protocol/schema/typescript/v2/FsWatchResponse.ts

@@ -0,0 +1,17 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { AbsolutePathBuf } from "../AbsolutePathBuf";
+
+/**
+ * Created watch handle returned by `fs/watch`.
+ */
+export type FsWatchResponse = { 
+/**
+ * Connection-scoped watch identifier used for `fs/unwatch` and `fs/changed`.
+ */
+watchId: string, 
+/**
+ * Canonicalized path associated with the watch.
+ */
+path: AbsolutePathBuf, };

codex-rs/app-server-protocol/schema/typescript/v2/HookEventName.ts

@@ -2,4 +2,4 @@
 
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 
-export type HookEventName = "sessionStart" | "userPromptSubmit" | "stop";
+export type HookEventName = "preToolUse" | "postToolUse" | "sessionStart" | "userPromptSubmit" | "stop";

codex-rs/app-server-protocol/schema/typescript/v2/MarketplaceLoadErrorInfo.ts

@@ -0,0 +1,6 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { AbsolutePathBuf } from "../AbsolutePathBuf";
+
+export type MarketplaceLoadErrorInfo = { marketplacePath: AbsolutePathBuf, message: string, };

codex-rs/app-server-protocol/schema/typescript/v2/PluginListResponse.ts

@@ -1,6 +1,7 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!
 
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { MarketplaceLoadErrorInfo } from "./MarketplaceLoadErrorInfo";
 import type { PluginMarketplaceEntry } from "./PluginMarketplaceEntry";
 
-export type PluginListResponse = { marketplaces: Array<PluginMarketplaceEntry>, remoteSyncError: string | null, featuredPluginIds: Array<string>, };
+export type PluginListResponse = { marketplaces: Array<PluginMarketplaceEntry>, marketplaceLoadErrors: Array<MarketplaceLoadErrorInfo>, remoteSyncError: string | null, featuredPluginIds: Array<string>, };

codex-rs/app-server-protocol/schema/typescript/v2/SkillSummary.ts

@@ -3,4 +3,4 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { SkillInterface } from "./SkillInterface";
 
-export type SkillSummary = { name: string, description: string, shortDescription: string | null, interface: SkillInterface | null, path: string, };
+export type SkillSummary = { name: string, description: string, shortDescription: string | null, interface: SkillInterface | null, path: string, enabled: boolean, };

codex-rs/app-server-protocol/schema/typescript/v2/SkillsConfigWriteParams.ts

@@ -1,5 +1,14 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!
 
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 
-export type SkillsConfigWriteParams = { path: string, enabled: boolean, };
+export type SkillsConfigWriteParams = { 
+/**
+ * Path-based selector.
+ */
+path?: AbsolutePathBuf | null, 
+/**
+ * Name-based selector.
+ */
+name?: string | null, enabled: boolean, };

codex-rs/app-server-protocol/schema/typescript/v2/index.ts

@@ -81,6 +81,8 @@ export type { DynamicToolSpec } from "./DynamicToolSpec";
 export type { ErrorNotification } from "./ErrorNotification";
 export type { ExecPolicyAmendment } from "./ExecPolicyAmendment";
 export type { ExperimentalFeature } from "./ExperimentalFeature";
+export type { ExperimentalFeatureEnablementSetParams } from "./ExperimentalFeatureEnablementSetParams";
+export type { ExperimentalFeatureEnablementSetResponse } from "./ExperimentalFeatureEnablementSetResponse";
 export type { ExperimentalFeatureListParams } from "./ExperimentalFeatureListParams";
 export type { ExperimentalFeatureListResponse } from "./ExperimentalFeatureListResponse";
 export type { ExperimentalFeatureStage } from "./ExperimentalFeatureStage";
@@ -97,6 +99,7 @@ export type { FileChangeOutputDeltaNotification } from "./FileChangeOutputDeltaN
 export type { FileChangeRequestApprovalParams } from "./FileChangeRequestApprovalParams";
 export type { FileChangeRequestApprovalResponse } from "./FileChangeRequestApprovalResponse";
 export type { FileUpdateChange } from "./FileUpdateChange";
+export type { FsChangedNotification } from "./FsChangedNotification";
 export type { FsCopyParams } from "./FsCopyParams";
 export type { FsCopyResponse } from "./FsCopyResponse";
 export type { FsCreateDirectoryParams } from "./FsCreateDirectoryParams";
@@ -110,6 +113,10 @@ export type { FsReadFileParams } from "./FsReadFileParams";
 export type { FsReadFileResponse } from "./FsReadFileResponse";
 export type { FsRemoveParams } from "./FsRemoveParams";
 export type { FsRemoveResponse } from "./FsRemoveResponse";
+export type { FsUnwatchParams } from "./FsUnwatchParams";
+export type { FsUnwatchResponse } from "./FsUnwatchResponse";
+export type { FsWatchParams } from "./FsWatchParams";
+export type { FsWatchResponse } from "./FsWatchResponse";
 export type { FsWriteFileParams } from "./FsWriteFileParams";
 export type { FsWriteFileResponse } from "./FsWriteFileResponse";
 export type { GetAccountParams } from "./GetAccountParams";
@@ -141,6 +148,7 @@ export type { LoginAccountParams } from "./LoginAccountParams";
 export type { LoginAccountResponse } from "./LoginAccountResponse";
 export type { LogoutAccountResponse } from "./LogoutAccountResponse";
 export type { MarketplaceInterface } from "./MarketplaceInterface";
+export type { MarketplaceLoadErrorInfo } from "./MarketplaceLoadErrorInfo";
 export type { McpAuthStatus } from "./McpAuthStatus";
 export type { McpElicitationArrayType } from "./McpElicitationArrayType";
 export type { McpElicitationBooleanSchema } from "./McpElicitationBooleanSchema";

codex-rs/app-server-protocol/src/lib.rs

@@ -4,6 +4,7 @@ mod jsonrpc_lite;
 mod protocol;
 mod schema_fixtures;
 
+pub use codex_git_utils::GitSha;
 pub use experimental_api::*;
 pub use export::GenerateTsOptions;
 pub use export::generate_internal_json_schema;

codex-rs/app-server-protocol/src/protocol/common.rs

@@ -14,16 +14,6 @@ use serde::Serialize;
 use strum_macros::Display;
 use ts_rs::TS;
 
-#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema, TS)]
-#[ts(type = "string")]
-pub struct GitSha(pub String);
-
-impl GitSha {
-    pub fn new(sha: &str) -> Self {
-        Self(sha.to_string())
-    }
-}
-
 /// Authentication mode for OpenAI-backed providers.
 #[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, Display, JsonSchema, TS)]
 #[serde(rename_all = "lowercase")]
@@ -336,6 +326,14 @@ client_request_definitions! {
         params: v2::FsCopyParams,
         response: v2::FsCopyResponse,
     },
+    FsWatch => "fs/watch" {
+        params: v2::FsWatchParams,
+        response: v2::FsWatchResponse,
+    },
+    FsUnwatch => "fs/unwatch" {
+        params: v2::FsUnwatchParams,
+        response: v2::FsUnwatchResponse,
+    },
     SkillsConfigWrite => "skills/config/write" {
         params: v2::SkillsConfigWriteParams,
         response: v2::SkillsConfigWriteResponse,
@@ -394,6 +392,10 @@ client_request_definitions! {
         params: v2::ExperimentalFeatureListParams,
         response: v2::ExperimentalFeatureListResponse,
     },
+    ExperimentalFeatureEnablementSet => "experimentalFeature/enablement/set" {
+        params: v2::ExperimentalFeatureEnablementSetParams,
+        response: v2::ExperimentalFeatureEnablementSetResponse,
+    },
     #[experimental("collaborationMode/list")]
     /// Lists collaboration mode presets.
     CollaborationModeList => "collaborationMode/list" {
@@ -909,6 +911,7 @@ server_notification_definitions! {
     AccountUpdated => "account/updated" (v2::AccountUpdatedNotification),
     AccountRateLimitsUpdated => "account/rateLimits/updated" (v2::AccountRateLimitsUpdatedNotification),
     AppListUpdated => "app/list/updated" (v2::AppListUpdatedNotification),
+    FsChanged => "fs/changed" (v2::FsChangedNotification),
     ReasoningSummaryTextDelta => "item/reasoning/summaryTextDelta" (v2::ReasoningSummaryTextDeltaNotification),
     ReasoningSummaryPartAdded => "item/reasoning/summaryPartAdded" (v2::ReasoningSummaryPartAddedNotification),
     ReasoningTextDelta => "item/reasoning/textDelta" (v2::ReasoningTextDeltaNotification),
@@ -1488,6 +1491,27 @@ mod tests {
         Ok(())
     }
 
+    #[test]
+    fn serialize_fs_watch() -> Result<()> {
+        let request = ClientRequest::FsWatch {
+            request_id: RequestId::Integer(10),
+            params: v2::FsWatchParams {
+                path: absolute_path("tmp/repo/.git"),
+            },
+        };
+        assert_eq!(
+            json!({
+                "method": "fs/watch",
+                "id": 10,
+                "params": {
+                    "path": absolute_path_string("tmp/repo/.git")
+                }
+            }),
+            serde_json::to_value(&request)?,
+        );
+        Ok(())
+    }
+
     #[test]
     fn serialize_list_experimental_features() -> Result<()> {
         let request = ClientRequest::ExperimentalFeatureList {

codex-rs/app-server-protocol/src/protocol/thread_history.rs

@@ -74,6 +74,8 @@ pub struct ThreadHistoryBuilder {
     turns: Vec<Turn>,
     current_turn: Option<PendingTurn>,
     next_item_index: i64,
+    current_rollout_index: usize,
+    next_rollout_index: usize,
 }
 
 impl Default for ThreadHistoryBuilder {
@@ -88,6 +90,8 @@ impl ThreadHistoryBuilder {
             turns: Vec::new(),
             current_turn: None,
             next_item_index: 1,
+            current_rollout_index: 0,
+            next_rollout_index: 0,
         }
     }
 
@@ -111,6 +115,19 @@ impl ThreadHistoryBuilder {
         self.current_turn.is_some()
     }
 
+    pub fn active_turn_id_if_explicit(&self) -> Option<String> {
+        self.current_turn
+            .as_ref()
+            .filter(|turn| turn.opened_explicitly)
+            .map(|turn| turn.id.clone())
+    }
+
+    pub fn active_turn_start_index(&self) -> Option<usize> {
+        self.current_turn
+            .as_ref()
+            .map(|turn| turn.rollout_start_index)
+    }
+
     /// Shared reducer for persisted rollout replay and in-memory current-turn
     /// tracking used by running thread resume/rejoin.
     ///
@@ -182,6 +199,8 @@ impl ThreadHistoryBuilder {
     }
 
     pub fn handle_rollout_item(&mut self, item: &RolloutItem) {
+        self.current_rollout_index = self.next_rollout_index;
+        self.next_rollout_index += 1;
         match item {
             RolloutItem::EventMsg(event) => self.handle_event(event),
             RolloutItem::Compacted(payload) => self.handle_compacted(payload),
@@ -974,6 +993,7 @@ impl ThreadHistoryBuilder {
             status: TurnStatus::Completed,
             opened_explicitly: false,
             saw_compaction: false,
+            rollout_start_index: self.current_rollout_index,
         }
     }
 
@@ -1137,6 +1157,8 @@ struct PendingTurn {
     /// True when this turn includes a persisted `RolloutItem::Compacted`, which
     /// should keep the turn from being dropped even without normal items.
     saw_compaction: bool,
+    /// Index of the rollout item that opened this turn during replay.
+    rollout_start_index: usize,
 }
 
 impl PendingTurn {

codex-rs/app-server-protocol/src/protocol/v1.rs

@@ -1,6 +1,7 @@
 use std::collections::HashMap;
 use std::path::PathBuf;
 
+use codex_git_utils::GitSha;
 use codex_protocol::ThreadId;
 use codex_protocol::config_types::ForcedLoginMethod;
 use codex_protocol::config_types::ReasoningSummary;
@@ -21,7 +22,6 @@ use serde::Serialize;
 use ts_rs::TS;
 
 use crate::protocol::common::AuthMode;
-use crate::protocol::common::GitSha;
 
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Default, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
@@ -56,6 +56,8 @@ pub struct InitializeCapabilities {
 #[serde(rename_all = "camelCase")]
 pub struct InitializeResponse {
     pub user_agent: String,
+    /// Absolute path to the server's $CODEX_HOME directory.
+    pub codex_home: AbsolutePathBuf,
     /// Platform family for the running app-server target, for example
     /// `"unix"` or `"windows"`.
     pub platform_family: String,

codex-rs/app-server-protocol/src/protocol/v2.rs

@@ -377,7 +377,7 @@ v2_enum_from_core!(
 
 v2_enum_from_core!(
     pub enum HookEventName from CoreHookEventName {
-        SessionStart, UserPromptSubmit, Stop
+        PreToolUse, PostToolUse, SessionStart, UserPromptSubmit, Stop
     }
 );
 
@@ -1926,6 +1926,25 @@ pub struct ExperimentalFeatureListResponse {
     pub next_cursor: Option<String>,
 }
 
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, Default, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ExperimentalFeatureEnablementSetParams {
+    /// Process-wide runtime feature enablement keyed by canonical feature name.
+    ///
+    /// Only named features are updated. Omitted features are left unchanged.
+    /// Send an empty map for a no-op.
+    pub enablement: std::collections::BTreeMap<String, bool>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct ExperimentalFeatureEnablementSetResponse {
+    /// Feature enablement entries updated by this request.
+    pub enablement: std::collections::BTreeMap<String, bool>,
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -2301,6 +2320,52 @@ pub struct FsCopyParams {
 #[ts(export_to = "v2/")]
 pub struct FsCopyResponse {}
 
+/// Start filesystem watch notifications for an absolute path.
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct FsWatchParams {
+    /// Absolute file or directory path to watch.
+    pub path: AbsolutePathBuf,
+}
+
+/// Created watch handle returned by `fs/watch`.
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct FsWatchResponse {
+    /// Connection-scoped watch identifier used for `fs/unwatch` and `fs/changed`.
+    pub watch_id: String,
+    /// Canonicalized path associated with the watch.
+    pub path: AbsolutePathBuf,
+}
+
+/// Stop filesystem watch notifications for a prior `fs/watch`.
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct FsUnwatchParams {
+    /// Watch identifier returned by `fs/watch`.
+    pub watch_id: String,
+}
+
+/// Successful response for `fs/unwatch`.
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct FsUnwatchResponse {}
+
+/// Filesystem watch notification emitted for `fs/watch` subscribers.
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct FsChangedNotification {
+    /// Watch identifier returned by `fs/watch`.
+    pub watch_id: String,
+    /// File or directory paths associated with this event.
+    pub changed_paths: Vec<AbsolutePathBuf>,
+}
+
 /// PTY size in character cells for `command/exec` PTY sessions.
 #[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
@@ -3146,11 +3211,21 @@ pub struct PluginListParams {
 #[ts(export_to = "v2/")]
 pub struct PluginListResponse {
     pub marketplaces: Vec<PluginMarketplaceEntry>,
+    #[serde(default)]
+    pub marketplace_load_errors: Vec<MarketplaceLoadErrorInfo>,
     pub remote_sync_error: Option<String>,
     #[serde(default)]
     pub featured_plugin_ids: Vec<String>,
 }
 
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct MarketplaceLoadErrorInfo {
+    pub marketplace_path: AbsolutePathBuf,
+    pub message: String,
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -3340,6 +3415,7 @@ pub struct SkillSummary {
     pub short_description: Option<String>,
     pub interface: Option<SkillInterface>,
     pub path: PathBuf,
+    pub enabled: bool,
 }
 
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -3378,7 +3454,12 @@ pub enum PluginSource {
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
 pub struct SkillsConfigWriteParams {
-    pub path: PathBuf,
+    /// Path-based selector.
+    #[ts(optional = nullable)]
+    pub path: Option<AbsolutePathBuf>,
+    /// Name-based selector.
+    #[ts(optional = nullable)]
+    pub name: Option<String>,
     pub enabled: bool,
 }
 
@@ -6481,6 +6562,33 @@ mod tests {
         assert_eq!(decoded, response);
     }
 
+    #[test]
+    fn fs_changed_notification_round_trips() {
+        let notification = FsChangedNotification {
+            watch_id: "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1".to_string(),
+            changed_paths: vec![
+                absolute_path("tmp/repo/.git/HEAD"),
+                absolute_path("tmp/repo/.git/FETCH_HEAD"),
+            ],
+        };
+
+        let value = serde_json::to_value(&notification).expect("serialize fs/changed notification");
+        assert_eq!(
+            value,
+            json!({
+                "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1",
+                "changedPaths": [
+                    absolute_path_string("tmp/repo/.git/HEAD"),
+                    absolute_path_string("tmp/repo/.git/FETCH_HEAD"),
+                ],
+            })
+        );
+
+        let decoded = serde_json::from_value::<FsChangedNotification>(value)
+            .expect("deserialize fs/changed notification");
+        assert_eq!(decoded, notification);
+    }
+
     #[test]
     fn command_exec_params_default_optional_streaming_flags() {
         let params = serde_json::from_value::<CommandExecParams>(json!({

codex-rs/app-server/Cargo.toml

@@ -34,6 +34,7 @@ codex-cloud-requirements = { workspace = true }
 codex-core = { workspace = true }
 codex-exec-server = { workspace = true }
 codex-features = { workspace = true }
+codex-git-utils = { workspace = true }
 codex-otel = { workspace = true }
 codex-shell-command = { workspace = true }
 codex-utils-cli = { workspace = true }
@@ -46,15 +47,20 @@ codex-protocol = { workspace = true }
 codex-app-server-protocol = { workspace = true }
 codex-feedback = { workspace = true }
 codex-rmcp-client = { workspace = true }
+codex-sandboxing = { workspace = true }
 codex-state = { workspace = true }
 codex-utils-absolute-path = { workspace = true }
 codex-utils-json-to-toml = { workspace = true }
 chrono = { workspace = true }
 clap = { workspace = true, features = ["derive"] }
+constant_time_eq = { workspace = true }
 futures = { workspace = true }
+hmac = { workspace = true }
+jsonwebtoken = { workspace = true }
 owo-colors = { workspace = true, features = ["supports-colors"] }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
+sha2 = { workspace = true }
 tempfile = { workspace = true }
 time = { workspace = true }
 toml = { workspace = true }

codex-rs/app-server/README.md

@@ -34,6 +34,15 @@ When running with `--listen ws://IP:PORT`, the same listener also serves basic H
 
 Websocket transport is currently experimental and unsupported. Do not rely on it for production workloads.
 
+Security note:
+
+- Loopback websocket listeners (`ws://127.0.0.1:PORT`) remain appropriate for localhost and SSH port-forwarding workflows.
+- Non-loopback websocket listeners currently allow unauthenticated connections by default during rollout. If you expose one remotely, configure websocket auth explicitly now.
+- Supported auth modes are app-server flags:
+  - `--ws-auth capability-token --ws-token-file /absolute/path`
+  - `--ws-auth signed-bearer-token --ws-shared-secret-file /absolute/path` for HMAC-signed JWT/JWS bearer tokens, with optional `--ws-issuer`, `--ws-audience`, `--ws-max-clock-skew-seconds`
+- Clients present the credential as `Authorization: Bearer <token>` during the websocket handshake. Auth is enforced before JSON-RPC `initialize`.
+
 Tracing/log output:
 
 - `RUST_LOG` controls log filtering/verbosity.
@@ -75,7 +84,7 @@ Use the thread APIs to create, list, or archive conversations. Drive a conversat
 
 ## Initialization
 
-Clients must send a single `initialize` request per transport connection before invoking any other method on that connection, then acknowledge with an `initialized` notification. The server returns the user agent string it will present to upstream services plus `platformFamily` and `platformOs` strings describing the app-server runtime target; subsequent requests issued before initialization receive a `"Not initialized"` error, and repeated `initialize` calls on the same connection receive an `"Already initialized"` error.
+Clients must send a single `initialize` request per transport connection before invoking any other method on that connection, then acknowledge with an `initialized` notification. The server returns the user agent string it will present to upstream services, `codexHome` for the server's Codex home directory, and `platformFamily` and `platformOs` strings describing the app-server runtime target; subsequent requests issued before initialization receive a `"Not initialized"` error, and repeated `initialize` calls on the same connection receive an `"Already initialized"` error.
 
 `initialize.params.capabilities` also supports per-connection notification opt-out via `optOutNotificationMethods`, which is a list of exact method names to suppress for that connection. Matching is exact (no wildcards/prefixes). Unknown method names are accepted and ignored.
 
@@ -125,7 +134,7 @@ Example with notification opt-out:
 
 - `thread/start` — create a new thread; emits `thread/started` (including the current `thread.status`) and auto-subscribes you to turn/item events for that thread.
 - `thread/resume` — reopen an existing thread by id so subsequent `turn/start` calls append to it.
-- `thread/fork` — fork an existing thread into a new thread id by copying the stored history; accepts `ephemeral: true` for an in-memory temporary fork, emits `thread/started` (including the current `thread.status`), and auto-subscribes you to turn/item events for the new thread.
+- `thread/fork` — fork an existing thread into a new thread id by copying the stored history; if the source thread is currently mid-turn, the fork records the same interruption marker as `turn/interrupt` instead of inheriting an unmarked partial turn suffix. Accepts `ephemeral: true` for an in-memory temporary fork, emits `thread/started` (including the current `thread.status`), and auto-subscribes you to turn/item events for the new thread.
 - `thread/list` — page through stored rollouts; supports cursor-based pagination and optional `modelProviders`, `sourceKinds`, `archived`, `cwd`, and `searchTerm` filters. Each returned `thread` includes `status` (`ThreadStatus`), defaulting to `notLoaded` when the thread is not currently loaded.
 - `thread/loaded/list` — list the thread ids currently loaded in memory.
 - `thread/read` — read a stored thread by id without resuming it; optionally include turns via `includeTurns`. The returned `thread` includes `status` (`ThreadStatus`), defaulting to `notLoaded` when the thread is not currently loaded.
@@ -159,15 +168,19 @@ Example with notification opt-out:
 - `fs/readDirectory` — list direct child entries for an absolute directory path; each entry contains `fileName`, `isDirectory`, and `isFile`, and `fileName` is just the child name, not a path.
 - `fs/remove` — remove an absolute file or directory tree; `recursive` and `force` default to `true`.
 - `fs/copy` — copy between absolute paths; directory copies require `recursive: true`.
+- `fs/watch` — subscribe this connection to filesystem change notifications for an absolute file or directory path; returns a `watchId` and canonicalized `path`.
+- `fs/unwatch` — stop sending notifications for a prior `fs/watch`; returns `{}`.
+- `fs/changed` — notification emitted when watched paths change, including the `watchId` and `changedPaths`.
 - `model/list` — list available models (set `includeHidden: true` to include entries with `hidden: true`), with reasoning effort options, optional legacy `upgrade` model ids, optional `upgradeInfo` metadata (`model`, `upgradeCopy`, `modelLink`, `migrationMarkdown`), and optional `availabilityNux` metadata.
 - `experimentalFeature/list` — list feature flags with stage metadata (`beta`, `underDevelopment`, `stable`, etc.), enabled/default-enabled state, and cursor pagination. For non-beta flags, `displayName`/`description`/`announcement` are `null`.
+- `experimentalFeature/enablement/set` — patch the in-memory process-wide runtime feature enablement for the currently supported feature keys (`apps`, `plugins`). For each feature, precedence is: cloud requirements > --enable <feature_name> > config.toml > experimentalFeature/enablement/set (new) > code default.
 - `collaborationMode/list` — list available collaboration mode presets (experimental, no pagination). This response omits built-in developer instructions; clients should either pass `settings.developer_instructions: null` when setting a mode to use Codex's built-in instructions, or provide their own instructions explicitly.
 - `skills/list` — list skills for one or more `cwd` values (optional `forceReload`).
-- `plugin/list` — list discovered plugin marketplaces and plugin state, including effective marketplace install/auth policy metadata and best-effort `featuredPluginIds` for the official curated marketplace. `interface.category` uses the marketplace category when present; otherwise it falls back to the plugin manifest category. Pass `forceRemoteSync: true` to refresh curated plugin state before listing (**under development; do not call from production clients yet**).
-- `plugin/read` — read one plugin by `marketplacePath` plus `pluginName`, returning marketplace info, a list-style `summary`, manifest descriptions/interface metadata, and bundled skills/apps/MCP server names. Plugin app summaries also include `needsAuth` when the server can determine connector accessibility (**under development; do not call from production clients yet**).
+- `plugin/list` — list discovered plugin marketplaces and plugin state, including effective marketplace install/auth policy metadata, fail-open `marketplaceLoadErrors` entries for marketplace files that could not be parsed or loaded, and best-effort `featuredPluginIds` for the official curated marketplace. `interface.category` uses the marketplace category when present; otherwise it falls back to the plugin manifest category. Pass `forceRemoteSync: true` to refresh curated plugin state before listing (**under development; do not call from production clients yet**).
+- `plugin/read` — read one plugin by `marketplacePath` plus `pluginName`, returning marketplace info, a list-style `summary`, manifest descriptions/interface metadata, and bundled skills/apps/MCP server names. Returned plugin skills include their current `enabled` state after local config filtering. Plugin app summaries also include `needsAuth` when the server can determine connector accessibility (**under development; do not call from production clients yet**).
 - `skills/changed` — notification emitted when watched local skill files change.
 - `app/list` — list available apps.
-- `skills/config/write` — write user-level skill config by path.
+- `skills/config/write` — write user-level skill config by name or absolute path.
 - `plugin/install` — install a plugin from a discovered marketplace entry, rejecting marketplace entries marked unavailable for install, install MCPs if any, and return the effective plugin auth policy plus any apps that still need auth (**under development; do not call from production clients yet**).
 - `plugin/uninstall` — uninstall a plugin by id by removing its cached files and clearing its user-level config entry (**under development; do not call from production clients yet**).
 - `mcpServer/oauth/login` — start an OAuth login for a configured MCP server; returns an `authorization_url` and later emits `mcpServer/oauthLogin/completed` once the browser flow finishes.
@@ -240,7 +253,7 @@ Example:
 { "id": 11, "result": { "thread": { "id": "thr_123", … } } }
 ```
 
-To branch from a stored session, call `thread/fork` with the `thread.id`. This creates a new thread id and emits a `thread/started` notification for it. Pass `ephemeral: true` when the fork should stay in-memory only:
+To branch from a stored session, call `thread/fork` with the `thread.id`. This creates a new thread id and emits a `thread/started` notification for it. If the source thread is actively running, the fork snapshots it as if the current turn had been interrupted first. Pass `ephemeral: true` when the fork should stay in-memory only:
 
 ```json
 { "method": "thread/fork", "id": 12, "params": { "threadId": "thr_123", "ephemeral": true } }
@@ -795,6 +808,28 @@ All filesystem paths in this section must be absolute.
 - `fs/readFile` always returns base64 bytes via `dataBase64`, and `fs/writeFile` always expects base64 bytes in `dataBase64`.
 - `fs/copy` handles both file copies and directory-tree copies; it requires `recursive: true` when `sourcePath` is a directory. Recursive copies traverse regular files, directories, and symlinks; other entry types are skipped.
 
+### Example: Filesystem watch
+
+`fs/watch` accepts absolute file or directory paths. Watching a file emits `fs/changed` for that file path, including updates delivered via replace or rename operations.
+
+```json
+{ "method": "fs/watch", "id": 44, "params": {
+    "path": "/Users/me/project/.git/HEAD"
+} }
+{ "id": 44, "result": {
+    "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1",
+    "path": "/Users/me/project/.git/HEAD"
+} }
+{ "method": "fs/changed", "params": {
+    "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1",
+    "changedPaths": ["/Users/me/project/.git/HEAD"]
+} }
+{ "method": "fs/unwatch", "id": 45, "params": {
+    "watchId": "0195ec6b-1d6f-7c2e-8c7a-56f2c4a8b9d1"
+} }
+{ "id": 45, "result": {} }
+```
+
 ## Events
 
 Event notifications are the server-initiated event stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading stdout for `thread/started`, `thread/archived`, `thread/unarchived`, `thread/closed`, `turn/*`, and `item/*` notifications.
@@ -977,6 +1012,11 @@ Order of messages:
 
 `turnId` is best-effort. When the elicitation is correlated with an active turn, the request includes that turn id; otherwise it is `null`.
 
+For MCP tool approval elicitations, form request `meta` includes
+`codex_approval_kind: "mcp_tool_call"` and may include `persist: "session"`,
+`persist: "always"`, or `persist: ["session", "always"]` to advertise whether
+the client can offer session-scoped and/or persistent approval choices.
+
 ### Permission requests
 
 The built-in `request_permissions` tool sends an `item/permissions/requestApproval` JSON-RPC request to the client with the requested permission profile. This v2 payload mirrors the standalone tool's narrower permission shape, so it can request network access and additional filesystem access but does not include the broader `macos` branch used by command-execution `additionalPermissions`.
@@ -1145,14 +1185,29 @@ The server also emits `skills/changed` notifications when watched local skill fi
 }
 ```
 
-To enable or disable a skill by path:
+To enable or disable a skill by absolute path:
 
 ```json
 {
   "method": "skills/config/write",
   "id": 26,
   "params": {
-    "path": "/Users/me/.codex/skills/skill-creator/SKILL.md",
+    "path": "/Users/alice/.codex/skills/skill-creator/SKILL.md",
+    "name": null,
+    "enabled": false
+  }
+}
+```
+
+To enable or disable a skill by name:
+
+```json
+{
+  "method": "skills/config/write",
+  "id": 27,
+  "params": {
+    "path": null,
+    "name": "github:yeet",
     "enabled": false
   }
 }

codex-rs/app-server/src/bespoke_event_handling.rs

@@ -110,7 +110,6 @@ use codex_core::ThreadManager;
 use codex_core::find_thread_name_by_id;
 use codex_core::review_format::format_review_findings_block;
 use codex_core::review_prompts;
-use codex_core::sandboxing::intersect_permission_profiles;
 use codex_protocol::ThreadId;
 use codex_protocol::dynamic_tools::DynamicToolCallOutputContentItem as CoreDynamicToolCallOutputContentItem;
 use codex_protocol::dynamic_tools::DynamicToolResponse as CoreDynamicToolResponse;
@@ -136,6 +135,7 @@ use codex_protocol::request_permissions::RequestPermissionProfile as CoreRequest
 use codex_protocol::request_permissions::RequestPermissionsResponse as CoreRequestPermissionsResponse;
 use codex_protocol::request_user_input::RequestUserInputAnswer as CoreRequestUserInputAnswer;
 use codex_protocol::request_user_input::RequestUserInputResponse as CoreRequestUserInputResponse;
+use codex_sandboxing::policy_transforms::intersect_permission_profiles;
 use codex_shell_command::parse_command::shlex_join;
 use std::collections::HashMap;
 use std::convert::TryFrom;

codex-rs/app-server/src/codex_message_processor.rs

@@ -1,6 +1,7 @@
 use crate::bespoke_event_handling::apply_bespoke_event_handling;
 use crate::command_exec::CommandExecManager;
 use crate::command_exec::StartCommandExecParams;
+use crate::config_api::apply_runtime_feature_enablement;
 use crate::error_code::INPUT_TOO_LARGE_ERROR_CODE;
 use crate::error_code::INTERNAL_ERROR_CODE;
 use crate::error_code::INVALID_PARAMS_ERROR_CODE;
@@ -12,7 +13,6 @@ use crate::models::supported_models;
 use crate::outgoing_message::ConnectionId;
 use crate::outgoing_message::ConnectionRequestId;
 use crate::outgoing_message::OutgoingMessageSender;
-use crate::outgoing_message::OutgoingNotification;
 use crate::outgoing_message::RequestContext;
 use crate::outgoing_message::ThreadScopedOutgoingMessageSender;
 use crate::thread_status::ThreadWatchManager;
@@ -183,6 +183,7 @@ use codex_core::AuthManager;
 use codex_core::CodexAuth;
 use codex_core::CodexThread;
 use codex_core::Cursor as RolloutCursor;
+use codex_core::ForkSnapshot;
 use codex_core::NewThread;
 use codex_core::RolloutRecorder;
 use codex_core::SessionMeta;
@@ -202,6 +203,8 @@ use codex_core::config::types::McpServerTransportConfig;
 use codex_core::config_loader::CloudRequirementsLoadError;
 use codex_core::config_loader::CloudRequirementsLoadErrorCode;
 use codex_core::config_loader::CloudRequirementsLoader;
+use codex_core::config_loader::LoaderOverrides;
+use codex_core::config_loader::load_config_layers_state;
 use codex_core::default_client::set_default_client_residency_requirement;
 use codex_core::error::CodexErr;
 use codex_core::error::Result as CodexResult;
@@ -213,7 +216,6 @@ use codex_core::find_archived_thread_path_by_id_str;
 use codex_core::find_thread_name_by_id;
 use codex_core::find_thread_names_by_ids;
 use codex_core::find_thread_path_by_id_str;
-use codex_core::git_info::git_diff_to_remote;
 use codex_core::mcp::auth::discover_supported_scopes;
 use codex_core::mcp::auth::resolve_oauth_scopes;
 use codex_core::mcp::collect_mcp_snapshot;
@@ -243,6 +245,7 @@ use codex_features::FEATURES;
 use codex_features::Feature;
 use codex_features::Stage;
 use codex_feedback::CodexFeedback;
+use codex_git_utils::git_diff_to_remote;
 use codex_login::ServerOptions as LoginServerOptions;
 use codex_login::ShutdownHandle;
 use codex_login::auth::login_with_chatgpt_auth_tokens;
@@ -281,8 +284,10 @@ use codex_state::StateRuntime;
 use codex_state::ThreadMetadata;
 use codex_state::ThreadMetadataBuilder;
 use codex_state::log_db::LogDbLayer;
+use codex_utils_absolute_path::AbsolutePathBuf;
 use codex_utils_json_to_toml::json_to_toml;
 use codex_utils_pty::DEFAULT_OUTPUT_BYTES_CAP;
+use std::collections::BTreeMap;
 use std::collections::HashMap;
 use std::collections::HashSet;
 use std::ffi::OsStr;
@@ -371,7 +376,8 @@ pub(crate) struct CodexMessageProcessor {
     outgoing: Arc<OutgoingMessageSender>,
     arg0_paths: Arg0DispatchPaths,
     config: Arc<Config>,
-    cli_overrides: Vec<(String, TomlValue)>,
+    cli_overrides: Arc<RwLock<Vec<(String, TomlValue)>>>,
+    runtime_feature_enablement: Arc<RwLock<BTreeMap<String, bool>>>,
     cloud_requirements: Arc<RwLock<CloudRequirementsLoader>>,
     active_login: Arc<Mutex<Option<ActiveLogin>>>,
     pending_thread_unloads: Arc<Mutex<HashSet<ThreadId>>>,
@@ -409,13 +415,21 @@ enum EnsureConversationListenerResult {
     ConnectionClosed,
 }
 
+#[derive(Clone, Copy, Debug, Eq, PartialEq)]
+enum RefreshTokenRequestOutcome {
+    NotAttemptedOrSucceeded,
+    FailedTransiently,
+    FailedPermanently,
+}
+
 pub(crate) struct CodexMessageProcessorArgs {
     pub(crate) auth_manager: Arc<AuthManager>,
     pub(crate) thread_manager: Arc<ThreadManager>,
     pub(crate) outgoing: Arc<OutgoingMessageSender>,
     pub(crate) arg0_paths: Arg0DispatchPaths,
     pub(crate) config: Arc<Config>,
-    pub(crate) cli_overrides: Vec<(String, TomlValue)>,
+    pub(crate) cli_overrides: Arc<RwLock<Vec<(String, TomlValue)>>>,
+    pub(crate) runtime_feature_enablement: Arc<RwLock<BTreeMap<String, bool>>>,
     pub(crate) cloud_requirements: Arc<RwLock<CloudRequirementsLoader>>,
     pub(crate) feedback: CodexFeedback,
     pub(crate) log_db: Option<LogDbLayer>,
@@ -479,6 +493,7 @@ impl CodexMessageProcessor {
             arg0_paths,
             config,
             cli_overrides,
+            runtime_feature_enablement,
             cloud_requirements,
             feedback,
             log_db,
@@ -490,6 +505,7 @@ impl CodexMessageProcessor {
             arg0_paths,
             config,
             cli_overrides,
+            runtime_feature_enablement,
             cloud_requirements,
             active_login: Arc::new(Mutex::new(None)),
             pending_thread_unloads: Arc::new(Mutex::new(HashSet::new())),
@@ -510,7 +526,7 @@ impl CodexMessageProcessor {
     ) -> Result<Config, JSONRPCErrorError> {
         let cloud_requirements = self.current_cloud_requirements();
         let mut config = codex_core::config::ConfigBuilder::default()
-            .cli_overrides(self.cli_overrides.clone())
+            .cli_overrides(self.current_cli_overrides())
             .fallback_cwd(fallback_cwd)
             .cloud_requirements(cloud_requirements)
             .build()
@@ -520,6 +536,8 @@ impl CodexMessageProcessor {
                 message: format!("failed to reload config: {err}"),
                 data: None,
             })?;
+        apply_runtime_feature_enablement(&mut config, &self.current_runtime_feature_enablement());
+        config.codex_self_exe = self.arg0_paths.codex_self_exe.clone();
         config.codex_linux_sandbox_exe = self.arg0_paths.codex_linux_sandbox_exe.clone();
         config.main_execve_wrapper_exe = self.arg0_paths.main_execve_wrapper_exe.clone();
         Ok(config)
@@ -532,6 +550,20 @@ impl CodexMessageProcessor {
             .unwrap_or_default()
     }
 
+    fn current_cli_overrides(&self) -> Vec<(String, TomlValue)> {
+        self.cli_overrides
+            .read()
+            .map(|guard| guard.clone())
+            .unwrap_or_default()
+    }
+
+    fn current_runtime_feature_enablement(&self) -> BTreeMap<String, bool> {
+        self.runtime_feature_enablement
+            .read()
+            .map(|guard| guard.clone())
+            .unwrap_or_default()
+    }
+
     /// If a client sends `developer_instructions: null` during a mode switch,
     /// use the built-in instructions for that mode.
     fn normalize_turn_start_collaboration_mode(
@@ -877,7 +909,8 @@ impl CodexMessageProcessor {
             }
             ClientRequest::ConfigRead { .. }
             | ClientRequest::ConfigValueWrite { .. }
-            | ClientRequest::ConfigBatchWrite { .. } => {
+            | ClientRequest::ConfigBatchWrite { .. }
+            | ClientRequest::ExperimentalFeatureEnablementSet { .. } => {
                 warn!("Config request reached CodexMessageProcessor unexpectedly");
             }
             ClientRequest::FsReadFile { .. }
@@ -886,7 +919,9 @@ impl CodexMessageProcessor {
             | ClientRequest::FsGetMetadata { .. }
             | ClientRequest::FsReadDirectory { .. }
             | ClientRequest::FsRemove { .. }
-            | ClientRequest::FsCopy { .. } => {
+            | ClientRequest::FsCopy { .. }
+            | ClientRequest::FsWatch { .. }
+            | ClientRequest::FsUnwatch { .. } => {
                 warn!("Filesystem request reached CodexMessageProcessor unexpectedly");
             }
             ClientRequest::ConfigRequirementsRead { .. } => {
@@ -1076,7 +1111,7 @@ impl CodexMessageProcessor {
                     let cloud_requirements = self.cloud_requirements.clone();
                     let chatgpt_base_url = self.config.chatgpt_base_url.clone();
                     let codex_home = self.config.codex_home.clone();
-                    let cli_overrides = self.cli_overrides.clone();
+                    let cli_overrides = self.current_cli_overrides();
                     let auth_url = server.auth_url.clone();
                     tokio::spawn(async move {
                         let (success, error_msg) = match tokio::time::timeout(
@@ -1264,11 +1299,9 @@ impl CodexMessageProcessor {
             self.config.chatgpt_base_url.clone(),
             self.config.codex_home.clone(),
         );
-        sync_default_client_residency_requirement(
-            &self.cli_overrides,
-            self.cloud_requirements.as_ref(),
-        )
-        .await;
+        let cli_overrides = self.current_cli_overrides();
+        sync_default_client_residency_requirement(&cli_overrides, self.cloud_requirements.as_ref())
+            .await;
 
         self.outgoing
             .send_response(request_id, LoginAccountResponse::ChatgptAuthTokens {})
@@ -1338,13 +1371,19 @@ impl CodexMessageProcessor {
         }
     }
 
-    async fn refresh_token_if_requested(&self, do_refresh: bool) {
+    async fn refresh_token_if_requested(&self, do_refresh: bool) -> RefreshTokenRequestOutcome {
         if self.auth_manager.is_external_auth_active() {
-            return;
+            return RefreshTokenRequestOutcome::NotAttemptedOrSucceeded;
         }
         if do_refresh && let Err(err) = self.auth_manager.refresh_token().await {
-            tracing::warn!("failed to refresh token while getting account: {err}");
+            let failed_reason = err.failed_reason();
+            if failed_reason.is_none() {
+                tracing::warn!("failed to refresh token while getting account: {err}");
+                return RefreshTokenRequestOutcome::FailedTransiently;
+            }
+            return RefreshTokenRequestOutcome::FailedPermanently;
         }
+        RefreshTokenRequestOutcome::NotAttemptedOrSucceeded
     }
 
     async fn get_auth_status(&self, request_id: ConnectionRequestId, params: GetAuthStatusParams) {
@@ -1365,20 +1404,32 @@ impl CodexMessageProcessor {
                 requires_openai_auth: Some(false),
             }
         } else {
-            match self.auth_manager.auth().await {
+            let auth = if do_refresh {
+                self.auth_manager.auth_cached()
+            } else {
+                self.auth_manager.auth().await
+            };
+            match auth {
                 Some(auth) => {
+                    let permanent_refresh_failure =
+                        self.auth_manager.refresh_failure_for_auth(&auth).is_some();
                     let auth_mode = auth.api_auth_mode();
-                    let (reported_auth_method, token_opt) = match auth.get_token() {
-                        Ok(token) if !token.is_empty() => {
-                            let tok = if include_token { Some(token) } else { None };
-                            (Some(auth_mode), tok)
-                        }
-                        Ok(_) => (None, None),
-                        Err(err) => {
-                            tracing::warn!("failed to get token for auth status: {err}");
-                            (None, None)
-                        }
-                    };
+                    let (reported_auth_method, token_opt) =
+                        if include_token && permanent_refresh_failure {
+                            (Some(auth_mode), None)
+                        } else {
+                            match auth.get_token() {
+                                Ok(token) if !token.is_empty() => {
+                                    let tok = if include_token { Some(token) } else { None };
+                                    (Some(auth_mode), tok)
+                                }
+                                Ok(_) => (None, None),
+                                Err(err) => {
+                                    tracing::warn!("failed to get token for auth status: {err}");
+                                    (None, None)
+                                }
+                            }
+                        };
                     GetAuthStatusResponse {
                         auth_method: reported_auth_method,
                         auth_token: token_opt,
@@ -1603,7 +1654,7 @@ impl CodexMessageProcessor {
             return;
         }
 
-        let cwd = cwd.unwrap_or_else(|| self.config.cwd.clone());
+        let cwd = cwd.unwrap_or_else(|| self.config.cwd.to_path_buf());
         let mut env = create_env(
             &self.config.permissions.shell_environment_policy,
             /*thread_id*/ None,
@@ -1870,8 +1921,8 @@ impl CodexMessageProcessor {
             personality,
         );
         typesafe_overrides.ephemeral = ephemeral;
-        let cli_overrides = self.cli_overrides.clone();
         let cloud_requirements = self.current_cloud_requirements();
+        let cli_overrides = self.current_cli_overrides();
         let listener_task_context = ListenerTaskContext {
             thread_manager: Arc::clone(&self.thread_manager),
             thread_state_manager: self.thread_state_manager.clone(),
@@ -1881,10 +1932,12 @@ impl CodexMessageProcessor {
             codex_home: self.config.codex_home.clone(),
         };
         let request_trace = request_context.request_trace();
+        let runtime_feature_enablement = self.current_runtime_feature_enablement();
         let thread_start_task = async move {
             Self::thread_start_task(
                 listener_task_context,
                 cli_overrides,
+                runtime_feature_enablement,
                 cloud_requirements,
                 request_id,
                 config,
@@ -1911,6 +1964,13 @@ impl CodexMessageProcessor {
         }
     }
 
+    pub(crate) async fn cancel_active_login(&self) {
+        let mut guard = self.active_login.lock().await;
+        if let Some(active_login) = guard.take() {
+            drop(active_login);
+        }
+    }
+
     pub(crate) async fn clear_all_thread_listeners(&self) {
         self.thread_state_manager.clear_all_listeners().await;
     }
@@ -1950,6 +2010,7 @@ impl CodexMessageProcessor {
     async fn thread_start_task(
         listener_task_context: ListenerTaskContext,
         cli_overrides: Vec<(String, TomlValue)>,
+        runtime_feature_enablement: BTreeMap<String, bool>,
         cloud_requirements: CloudRequirementsLoader,
         request_id: ConnectionRequestId,
         config_overrides: Option<HashMap<String, serde_json::Value>>,
@@ -1966,6 +2027,7 @@ impl CodexMessageProcessor {
             typesafe_overrides,
             &cloud_requirements,
             &listener_task_context.codex_home,
+            &runtime_feature_enablement,
         )
         .await
         {
@@ -3468,13 +3530,16 @@ impl CodexMessageProcessor {
 
         // Derive a Config using the same logic as new conversation, honoring overrides if provided.
         let cloud_requirements = self.current_cloud_requirements();
+        let cli_overrides = self.current_cli_overrides();
+        let runtime_feature_enablement = self.current_runtime_feature_enablement();
         let config = match derive_config_for_cwd(
-            &self.cli_overrides,
+            &cli_overrides,
             request_overrides,
             typesafe_overrides,
             history_cwd,
             &cloud_requirements,
             &self.config.codex_home,
+            &runtime_feature_enablement,
         )
         .await
         {
@@ -4010,13 +4075,16 @@ impl CodexMessageProcessor {
         typesafe_overrides.ephemeral = ephemeral.then_some(true);
         // Derive a Config using the same logic as new conversation, honoring overrides if provided.
         let cloud_requirements = self.current_cloud_requirements();
+        let cli_overrides = self.current_cli_overrides();
+        let runtime_feature_enablement = self.current_runtime_feature_enablement();
         let config = match derive_config_for_cwd(
-            &self.cli_overrides,
+            &cli_overrides,
             request_overrides,
             typesafe_overrides,
             history_cwd,
             &cloud_requirements,
             &self.config.codex_home,
+            &runtime_feature_enablement,
         )
         .await
         {
@@ -4039,7 +4107,7 @@ impl CodexMessageProcessor {
         } = match self
             .thread_manager
             .fork_thread(
-                usize::MAX,
+                ForkSnapshot::Interrupted,
                 config,
                 rollout_path.clone(),
                 persist_extended_history,
@@ -5405,7 +5473,7 @@ impl CodexMessageProcessor {
             per_cwd_extra_user_roots,
         } = params;
         let cwds = if cwds.is_empty() {
-            vec![self.config.cwd.clone()]
+            vec![self.config.cwd.to_path_buf()]
         } else {
             cwds
         };
@@ -5450,13 +5518,63 @@ impl CodexMessageProcessor {
             }
         };
         let skills_manager = self.thread_manager.skills_manager();
+        let plugins_manager = self.thread_manager.plugins_manager();
+        let cli_overrides = self.current_cli_overrides();
         let mut data = Vec::new();
         for cwd in cwds {
             let extra_roots = extra_roots_by_cwd
                 .get(&cwd)
                 .map_or(&[][..], std::vec::Vec::as_slice);
+            let cwd_abs = match AbsolutePathBuf::try_from(cwd.as_path()) {
+                Ok(path) => path,
+                Err(err) => {
+                    let error_path = cwd.clone();
+                    data.push(codex_app_server_protocol::SkillsListEntry {
+                        cwd,
+                        skills: Vec::new(),
+                        errors: errors_to_info(&[codex_core::skills::SkillError {
+                            path: error_path,
+                            message: err.to_string(),
+                        }]),
+                    });
+                    continue;
+                }
+            };
+            let config_layer_stack = match load_config_layers_state(
+                &self.config.codex_home,
+                Some(cwd_abs),
+                &cli_overrides,
+                LoaderOverrides::default(),
+                CloudRequirementsLoader::default(),
+            )
+            .await
+            {
+                Ok(config_layer_stack) => config_layer_stack,
+                Err(err) => {
+                    let error_path = cwd.clone();
+                    data.push(codex_app_server_protocol::SkillsListEntry {
+                        cwd,
+                        skills: Vec::new(),
+                        errors: errors_to_info(&[codex_core::skills::SkillError {
+                            path: error_path,
+                            message: err.to_string(),
+                        }]),
+                    });
+                    continue;
+                }
+            };
+            let effective_skill_roots = plugins_manager.effective_skill_roots_for_layer_stack(
+                &config_layer_stack,
+                config.features.enabled(Feature::Plugins),
+            );
+            let skills_input = codex_core::skills::SkillsLoadInput::new(
+                cwd.clone(),
+                effective_skill_roots,
+                config_layer_stack,
+                config.bundled_skills_enabled(),
+            );
             let outcome = skills_manager
-                .skills_for_cwd_with_extra_user_roots(&cwd, &config, force_reload, extra_roots)
+                .skills_for_cwd_with_extra_user_roots(&skills_input, force_reload, extra_roots)
                 .await;
             let errors = errors_to_info(&outcome.errors);
             let skills = skills_to_info(&outcome.skills, &outcome.disabled_paths);
@@ -5523,11 +5641,18 @@ impl CodexMessageProcessor {
 
         let config_for_marketplace_listing = config.clone();
         let plugins_manager_for_marketplace_listing = plugins_manager.clone();
-        let data = match tokio::task::spawn_blocking(move || {
-            let marketplaces = plugins_manager_for_marketplace_listing
+        let (data, marketplace_load_errors) = match tokio::task::spawn_blocking(move || {
+            let outcome = plugins_manager_for_marketplace_listing
                 .list_marketplaces_for_config(&config_for_marketplace_listing, &roots)?;
-            Ok::<Vec<PluginMarketplaceEntry>, MarketplaceError>(
-                marketplaces
+            Ok::<
+                (
+                    Vec<PluginMarketplaceEntry>,
+                    Vec<codex_app_server_protocol::MarketplaceLoadErrorInfo>,
+                ),
+                MarketplaceError,
+            >((
+                outcome
+                    .marketplaces
                     .into_iter()
                     .map(|marketplace| PluginMarketplaceEntry {
                         name: marketplace.name,
@@ -5551,11 +5676,19 @@ impl CodexMessageProcessor {
                             .collect(),
                     })
                     .collect(),
-            )
+                outcome
+                    .errors
+                    .into_iter()
+                    .map(|err| codex_app_server_protocol::MarketplaceLoadErrorInfo {
+                        marketplace_path: err.path,
+                        message: err.message,
+                    })
+                    .collect(),
+            ))
         })
         .await
         {
-            Ok(Ok(data)) => data,
+            Ok(Ok(outcome)) => outcome,
             Ok(Err(err)) => {
                 self.send_marketplace_error(request_id, err, "list marketplace plugins")
                     .await;
@@ -5597,6 +5730,7 @@ impl CodexMessageProcessor {
                 request_id,
                 PluginListResponse {
                     marketplaces: data,
+                    marketplace_load_errors,
                     remote_sync_error,
                     featured_plugin_ids,
                 },
@@ -5672,7 +5806,7 @@ impl CodexMessageProcessor {
                 interface: outcome.plugin.interface.map(plugin_interface_to_info),
             },
             description: outcome.plugin.description,
-            skills: plugin_skills_to_info(&visible_skills),
+            skills: plugin_skills_to_info(&visible_skills, &outcome.plugin.disabled_skill_paths),
             apps: app_summaries,
             mcp_servers: outcome.plugin.mcp_server_names,
         };
@@ -5687,8 +5821,30 @@ impl CodexMessageProcessor {
         request_id: ConnectionRequestId,
         params: SkillsConfigWriteParams,
     ) {
-        let SkillsConfigWriteParams { path, enabled } = params;
-        let edits = vec![ConfigEdit::SetSkillConfig { path, enabled }];
+        let SkillsConfigWriteParams {
+            path,
+            name,
+            enabled,
+        } = params;
+        let edit = match (path, name) {
+            (Some(path), None) => ConfigEdit::SetSkillConfig {
+                path: path.into_path_buf(),
+                enabled,
+            },
+            (None, Some(name)) if !name.trim().is_empty() => {
+                ConfigEdit::SetSkillConfigByName { name, enabled }
+            }
+            _ => {
+                let error = JSONRPCErrorError {
+                    code: INVALID_PARAMS_ERROR_CODE,
+                    message: "skills/config/write requires exactly one of path or name".to_string(),
+                    data: None,
+                };
+                self.outgoing.send_error(request_id, error).await;
+                return;
+            }
+        };
+        let edits = vec![edit];
         let result = ConfigEditsBuilder::new(&self.config.codex_home)
             .with_edits(edits)
             .apply()
@@ -5696,6 +5852,7 @@ impl CodexMessageProcessor {
 
         match result {
             Ok(()) => {
+                self.thread_manager.plugins_manager().clear_cache();
                 self.thread_manager.skills_manager().clear_cache();
                 self.outgoing
                     .send_response(
@@ -6485,7 +6642,7 @@ impl CodexMessageProcessor {
         } = self
             .thread_manager
             .fork_thread(
-                usize::MAX,
+                ForkSnapshot::Interrupted,
                 config,
                 rollout_path,
                 /*persist_extended_history*/ false,
@@ -6807,43 +6964,9 @@ impl CodexMessageProcessor {
                             }
                         };
 
-                        // For now, we send a notification for every event,
-                        // Legacy `codex/event/*` notifications are still
-                        // produced here because the in-process app-server lane
-                        // (`codex exec` and other in-process consumers) still
-                        // depends on them. External transports now drop
-                        // `OutgoingMessage::Notification` in `transport.rs`,
-                        // so stdio/websocket clients only observe the typed
-                        // `ServerNotification` translations emitted below.
-                        //
-                        // TODO: remove this raw legacy-notification emission
-                        // entirely once the remaining in-process consumers are
-                        // migrated off `codex/event/*`.
-                        let event_formatted = match &event.msg {
-                            EventMsg::TurnStarted(_) => "task_started",
-                            EventMsg::TurnComplete(_) => "task_complete",
-                            _ => &event.msg.to_string(),
-                        };
-                        let request_event_name = format!("codex/event/{event_formatted}");
-                        tracing::trace!(
-                            conversation_id = %conversation_id,
-                            "app-server event: {request_event_name}"
-                        );
-                        let mut params = match serde_json::to_value(event.clone()) {
-                            Ok(serde_json::Value::Object(map)) => map,
-                            Ok(_) => {
-                                error!("event did not serialize to an object");
-                                continue;
-                            }
-                            Err(err) => {
-                                error!("failed to serialize event: {err}");
-                                continue;
-                            }
-                        };
-                        params.insert(
-                            "conversationId".to_string(),
-                            conversation_id.to_string().into(),
-                        );
+                        // Track the event before emitting any typed
+                        // translations so thread-local state such as raw event
+                        // opt-in stays synchronized with the conversation.
                         let raw_events_enabled = {
                             let mut thread_state = thread_state.lock().await;
                             thread_state.track_current_turn_event(&event.msg);
@@ -6856,18 +6979,6 @@ impl CodexMessageProcessor {
                             continue;
                         }
 
-                        if !subscribed_connection_ids.is_empty() {
-                            outgoing_for_task
-                                .send_notification_to_connections(
-                                    &subscribed_connection_ids,
-                                    OutgoingNotification {
-                                        method: request_event_name,
-                                        params: Some(params.into()),
-                                    },
-                                )
-                                .await;
-                        }
-
                         let thread_outgoing = ThreadScopedOutgoingMessageSender::new(
                             outgoing_for_task.clone(),
                             subscribed_connection_ids,
@@ -7202,12 +7313,13 @@ impl CodexMessageProcessor {
             WindowsSandboxSetupMode::Unelevated => CoreWindowsSandboxSetupMode::Unelevated,
         };
         let config = Arc::clone(&self.config);
-        let cli_overrides = self.cli_overrides.clone();
         let cloud_requirements = self.current_cloud_requirements();
         let command_cwd = params
             .cwd
             .map(PathBuf::from)
-            .unwrap_or_else(|| config.cwd.clone());
+            .unwrap_or_else(|| config.cwd.to_path_buf());
+        let cli_overrides = self.current_cli_overrides();
+        let runtime_feature_enablement = self.current_runtime_feature_enablement();
         let outgoing = Arc::clone(&self.outgoing);
         let connection_id = request_id.connection_id;
 
@@ -7222,6 +7334,7 @@ impl CodexMessageProcessor {
                 Some(command_cwd.clone()),
                 &cloud_requirements,
                 &config.codex_home,
+                &runtime_feature_enablement,
             )
             .await;
             let setup_result = match derived_config {
@@ -7229,7 +7342,7 @@ impl CodexMessageProcessor {
                     let setup_request = WindowsSandboxSetupRequest {
                         mode,
                         policy: config.permissions.sandbox_policy.get().clone(),
-                        policy_cwd: config.cwd.clone(),
+                        policy_cwd: config.cwd.to_path_buf(),
                         command_cwd,
                         env_map: std::env::vars().collect(),
                         codex_home: config.codex_home.clone(),
@@ -7669,7 +7782,10 @@ fn skills_to_info(
         .collect()
 }
 
-fn plugin_skills_to_info(skills: &[codex_core::skills::SkillMetadata]) -> Vec<SkillSummary> {
+fn plugin_skills_to_info(
+    skills: &[codex_core::skills::SkillMetadata],
+    disabled_skill_paths: &std::collections::HashSet<PathBuf>,
+) -> Vec<SkillSummary> {
     skills
         .iter()
         .map(|skill| SkillSummary {
@@ -7687,6 +7803,7 @@ fn plugin_skills_to_info(skills: &[codex_core::skills::SkillMetadata]) -> Vec<Sk
                 }
             }),
             path: skill.path_to_skills_md.clone(),
+            enabled: !disabled_skill_paths.contains(&skill.path_to_skills_md),
         })
         .collect()
 }
@@ -7847,6 +7964,7 @@ async fn derive_config_from_params(
     typesafe_overrides: ConfigOverrides,
     cloud_requirements: &CloudRequirementsLoader,
     codex_home: &Path,
+    runtime_feature_enablement: &BTreeMap<String, bool>,
 ) -> std::io::Result<Config> {
     let merged_cli_overrides = cli_overrides
         .iter()
@@ -7859,13 +7977,15 @@ async fn derive_config_from_params(
         )
         .collect::<Vec<_>>();
 
-    codex_core::config::ConfigBuilder::default()
+    let mut config = codex_core::config::ConfigBuilder::default()
         .codex_home(codex_home.to_path_buf())
         .cli_overrides(merged_cli_overrides)
         .harness_overrides(typesafe_overrides)
         .cloud_requirements(cloud_requirements.clone())
         .build()
-        .await
+        .await?;
+    apply_runtime_feature_enablement(&mut config, runtime_feature_enablement);
+    Ok(config)
 }
 
 async fn derive_config_for_cwd(
@@ -7875,6 +7995,7 @@ async fn derive_config_for_cwd(
     cwd: Option<PathBuf>,
     cloud_requirements: &CloudRequirementsLoader,
     codex_home: &Path,
+    runtime_feature_enablement: &BTreeMap<String, bool>,
 ) -> std::io::Result<Config> {
     let merged_cli_overrides = cli_overrides
         .iter()
@@ -7887,14 +8008,16 @@ async fn derive_config_for_cwd(
         )
         .collect::<Vec<_>>();
 
-    codex_core::config::ConfigBuilder::default()
+    let mut config = codex_core::config::ConfigBuilder::default()
         .codex_home(codex_home.to_path_buf())
         .cli_overrides(merged_cli_overrides)
         .harness_overrides(typesafe_overrides)
         .fallback_cwd(cwd)
         .cloud_requirements(cloud_requirements.clone())
         .build()
-        .await
+        .await?;
+    apply_runtime_feature_enablement(&mut config, runtime_feature_enablement);
+    Ok(config)
 }
 
 async fn read_history_cwd_from_state_db(
@@ -8207,7 +8330,7 @@ fn extract_conversation_summary(
 
 fn map_git_info(git_info: &CoreGitInfo) -> ConversationGitInfo {
     ConversationGitInfo {
-        sha: git_info.commit_hash.clone(),
+        sha: git_info.commit_hash.as_ref().map(|sha| sha.0.clone()),
         branch: git_info.branch.clone(),
         origin_url: git_info.repository_url.clone(),
     }
@@ -8890,6 +9013,7 @@ mod tests {
                     request_id: sent_request_id,
                     ..
                 }),
+            ..
         } = request_message
         else {
             panic!("expected tool request to be sent to the subscribed connection");

codex-rs/app-server/src/codex_message_processor/plugin_mcp_oauth.rs

@@ -9,7 +9,7 @@ use codex_core::mcp::auth::McpOAuthLoginSupport;
 use codex_core::mcp::auth::oauth_login_support;
 use codex_core::mcp::auth::resolve_oauth_scopes;
 use codex_core::mcp::auth::should_retry_without_scopes;
-use codex_rmcp_client::perform_oauth_login;
+use codex_rmcp_client::perform_oauth_login_silent;
 use tracing::warn;
 
 use super::CodexMessageProcessor;
@@ -45,7 +45,7 @@ impl CodexMessageProcessor {
             let notification_name = name.clone();
 
             tokio::spawn(async move {
-                let first_attempt = perform_oauth_login(
+                let first_attempt = perform_oauth_login_silent(
                     &name,
                     &oauth_config.url,
                     store_mode,
@@ -60,7 +60,7 @@ impl CodexMessageProcessor {
 
                 let final_result = match first_attempt {
                     Err(err) if should_retry_without_scopes(&resolved_scopes, &err) => {
-                        perform_oauth_login(
+                        perform_oauth_login_silent(
                             &name,
                             &oauth_config.url,
                             store_mode,

codex-rs/app-server/src/command_exec.rs

@@ -23,8 +23,8 @@ use codex_core::config::StartedNetworkProxy;
 use codex_core::exec::DEFAULT_EXEC_COMMAND_TIMEOUT_MS;
 use codex_core::exec::ExecExpiration;
 use codex_core::exec::IO_DRAIN_TIMEOUT_MS;
-use codex_core::exec::SandboxType;
 use codex_core::sandboxing::ExecRequest;
+use codex_sandboxing::SandboxType;
 use codex_utils_pty::DEFAULT_OUTPUT_BYTES_CAP;
 use codex_utils_pty::ProcessHandle;
 use codex_utils_pty::SpawnedProcess;
@@ -42,6 +42,7 @@ use crate::outgoing_message::ConnectionRequestId;
 use crate::outgoing_message::OutgoingMessageSender;
 
 const EXEC_TIMEOUT_EXIT_CODE: i32 = 124;
+const OUTPUT_CHUNK_SIZE_HINT: usize = 64 * 1024;
 
 #[derive(Clone)]
 pub(crate) struct CommandExecManager {
@@ -577,13 +578,19 @@ fn spawn_process_output(params: SpawnProcessOutputParams) -> tokio::task::JoinHa
         let mut buffer: Vec<u8> = Vec::new();
         let mut observed_num_bytes = 0usize;
         loop {
-            let chunk = tokio::select! {
+            let mut chunk = tokio::select! {
                 chunk = output_rx.recv() => match chunk {
                     Some(chunk) => chunk,
                     None => break,
                 },
                 _ = stdio_timeout_rx.wait_for(|&v| v) => break,
             };
+            // Individual chunks are at most 8KiB, so overshooting a bit is acceptable.
+            while chunk.len() < OUTPUT_CHUNK_SIZE_HINT
+                && let Ok(next_chunk) = output_rx.try_recv()
+            {
+                chunk.extend_from_slice(&next_chunk);
+            }
             let capped_chunk = match output_bytes_cap {
                 Some(output_bytes_cap) => {
                     let capped_chunk_len = output_bytes_cap
@@ -597,8 +604,8 @@ fn spawn_process_output(params: SpawnProcessOutputParams) -> tokio::task::JoinHa
             let cap_reached = Some(observed_num_bytes) == output_bytes_cap;
             if let (true, Some(process_id)) = (stream_output, process_id.as_ref()) {
                 outgoing
-                    .send_server_notification_to_connections(
-                        &[connection_id],
+                    .send_server_notification_to_connection_and_wait(
+                        connection_id,
                         ServerNotification::CommandExecOutputDelta(
                             CommandExecOutputDeltaNotification {
                                 process_id: process_id.clone(),
@@ -727,23 +734,21 @@ mod tests {
             access: ReadOnlyAccess::FullAccess,
             network_access: false,
         };
-        ExecRequest {
-            command: vec!["cmd".to_string()],
-            cwd: PathBuf::from("."),
-            env: HashMap::new(),
-            network: None,
-            expiration: ExecExpiration::DefaultTimeout,
-            capture_policy: codex_core::exec::ExecCapturePolicy::ShellTool,
-            sandbox: SandboxType::WindowsRestrictedToken,
-            windows_sandbox_level: WindowsSandboxLevel::Disabled,
-            windows_sandbox_private_desktop: false,
-            sandbox_permissions: codex_core::sandboxing::SandboxPermissions::UseDefault,
-            sandbox_policy: sandbox_policy.clone(),
-            file_system_sandbox_policy: FileSystemSandboxPolicy::from(&sandbox_policy),
-            network_sandbox_policy: NetworkSandboxPolicy::from(&sandbox_policy),
-            justification: None,
-            arg0: None,
-        }
+        ExecRequest::new(
+            vec!["cmd".to_string()],
+            PathBuf::from("."),
+            HashMap::new(),
+            /*network*/ None,
+            ExecExpiration::DefaultTimeout,
+            codex_core::exec::ExecCapturePolicy::ShellTool,
+            SandboxType::WindowsRestrictedToken,
+            WindowsSandboxLevel::Disabled,
+            /*windows_sandbox_private_desktop*/ false,
+            sandbox_policy.clone(),
+            FileSystemSandboxPolicy::from(&sandbox_policy),
+            NetworkSandboxPolicy::from(&sandbox_policy),
+            /*arg0*/ None,
+        )
     }
 
     #[tokio::test]
@@ -809,6 +814,7 @@ mod tests {
         let OutgoingEnvelope::ToConnection {
             connection_id,
             message,
+            ..
         } = envelope
         else {
             panic!("expected connection-scoped outgoing message");
@@ -840,23 +846,21 @@ mod tests {
                 outgoing: Arc::new(OutgoingMessageSender::new(tx)),
                 request_id: request_id.clone(),
                 process_id: Some("proc-100".to_string()),
-                exec_request: ExecRequest {
-                    command: vec!["sh".to_string(), "-lc".to_string(), "sleep 30".to_string()],
-                    cwd: PathBuf::from("."),
-                    env: HashMap::new(),
-                    network: None,
-                    expiration: ExecExpiration::Cancellation(CancellationToken::new()),
-                    capture_policy: codex_core::exec::ExecCapturePolicy::ShellTool,
-                    sandbox: SandboxType::None,
-                    windows_sandbox_level: WindowsSandboxLevel::Disabled,
-                    windows_sandbox_private_desktop: false,
-                    sandbox_permissions: codex_core::sandboxing::SandboxPermissions::UseDefault,
-                    sandbox_policy: sandbox_policy.clone(),
-                    file_system_sandbox_policy: FileSystemSandboxPolicy::from(&sandbox_policy),
-                    network_sandbox_policy: NetworkSandboxPolicy::from(&sandbox_policy),
-                    justification: None,
-                    arg0: None,
-                },
+                exec_request: ExecRequest::new(
+                    vec!["sh".to_string(), "-lc".to_string(), "sleep 30".to_string()],
+                    PathBuf::from("."),
+                    HashMap::new(),
+                    /*network*/ None,
+                    ExecExpiration::Cancellation(CancellationToken::new()),
+                    codex_core::exec::ExecCapturePolicy::ShellTool,
+                    SandboxType::None,
+                    WindowsSandboxLevel::Disabled,
+                    /*windows_sandbox_private_desktop*/ false,
+                    sandbox_policy.clone(),
+                    FileSystemSandboxPolicy::from(&sandbox_policy),
+                    NetworkSandboxPolicy::from(&sandbox_policy),
+                    /*arg0*/ None,
+                ),
                 started_network_proxy: None,
                 tty: false,
                 stream_stdin: false,
@@ -891,6 +895,7 @@ mod tests {
         let OutgoingEnvelope::ToConnection {
             connection_id,
             message,
+            ..
         } = envelope
         else {
             panic!("expected connection-scoped outgoing message");

codex-rs/app-server/src/config_api.rs

@@ -9,11 +9,14 @@ use codex_app_server_protocol::ConfigRequirementsReadResponse;
 use codex_app_server_protocol::ConfigValueWriteParams;
 use codex_app_server_protocol::ConfigWriteErrorCode;
 use codex_app_server_protocol::ConfigWriteResponse;
+use codex_app_server_protocol::ExperimentalFeatureEnablementSetParams;
+use codex_app_server_protocol::ExperimentalFeatureEnablementSetResponse;
 use codex_app_server_protocol::JSONRPCErrorError;
 use codex_app_server_protocol::NetworkRequirements;
 use codex_app_server_protocol::SandboxMode;
 use codex_core::AnalyticsEventsClient;
 use codex_core::ThreadManager;
+use codex_core::config::Config;
 use codex_core::config::ConfigService;
 use codex_core::config::ConfigServiceError;
 use codex_core::config_loader::CloudRequirementsLoader;
@@ -24,15 +27,27 @@ use codex_core::config_loader::SandboxModeRequirement as CoreSandboxModeRequirem
 use codex_core::plugins::PluginId;
 use codex_core::plugins::collect_plugin_enabled_candidates;
 use codex_core::plugins::installed_plugin_telemetry_metadata;
+use codex_features::canonical_feature_for_key;
+use codex_features::feature_for_key;
 use codex_protocol::config_types::WebSearchMode;
 use codex_protocol::protocol::Op;
 use serde_json::json;
+use std::collections::BTreeMap;
+use std::collections::BTreeSet;
 use std::path::PathBuf;
 use std::sync::Arc;
 use std::sync::RwLock;
 use toml::Value as TomlValue;
 use tracing::warn;
 
+const SUPPORTED_EXPERIMENTAL_FEATURE_ENABLEMENT: &[&str] = &[
+    "apps",
+    "plugins",
+    "tool_search",
+    "tool_suggest",
+    "tool_call_mcp_elicitation",
+];
+
 #[async_trait]
 pub(crate) trait UserConfigReloader: Send + Sync {
     async fn reload_user_config(&self);
@@ -56,7 +71,8 @@ impl UserConfigReloader for ThreadManager {
 #[derive(Clone)]
 pub(crate) struct ConfigApi {
     codex_home: PathBuf,
-    cli_overrides: Vec<(String, TomlValue)>,
+    cli_overrides: Arc<RwLock<Vec<(String, TomlValue)>>>,
+    runtime_feature_enablement: Arc<RwLock<BTreeMap<String, bool>>>,
     loader_overrides: LoaderOverrides,
     cloud_requirements: Arc<RwLock<CloudRequirementsLoader>>,
     user_config_reloader: Arc<dyn UserConfigReloader>,
@@ -66,7 +82,8 @@ pub(crate) struct ConfigApi {
 impl ConfigApi {
     pub(crate) fn new(
         codex_home: PathBuf,
-        cli_overrides: Vec<(String, TomlValue)>,
+        cli_overrides: Arc<RwLock<Vec<(String, TomlValue)>>>,
+        runtime_feature_enablement: Arc<RwLock<BTreeMap<String, bool>>>,
         loader_overrides: LoaderOverrides,
         cloud_requirements: Arc<RwLock<CloudRequirementsLoader>>,
         user_config_reloader: Arc<dyn UserConfigReloader>,
@@ -75,6 +92,7 @@ impl ConfigApi {
         Self {
             codex_home,
             cli_overrides,
+            runtime_feature_enablement,
             loader_overrides,
             cloud_requirements,
             user_config_reloader,
@@ -83,24 +101,87 @@ impl ConfigApi {
     }
 
     fn config_service(&self) -> ConfigService {
-        let cloud_requirements = self
-            .cloud_requirements
-            .read()
-            .map(|guard| guard.clone())
-            .unwrap_or_default();
         ConfigService::new(
             self.codex_home.clone(),
-            self.cli_overrides.clone(),
+            self.current_cli_overrides(),
             self.loader_overrides.clone(),
-            cloud_requirements,
+            self.current_cloud_requirements(),
         )
     }
 
+    fn current_cli_overrides(&self) -> Vec<(String, TomlValue)> {
+        self.cli_overrides
+            .read()
+            .map(|guard| guard.clone())
+            .unwrap_or_default()
+    }
+
+    fn current_runtime_feature_enablement(&self) -> BTreeMap<String, bool> {
+        self.runtime_feature_enablement
+            .read()
+            .map(|guard| guard.clone())
+            .unwrap_or_default()
+    }
+
+    fn current_cloud_requirements(&self) -> CloudRequirementsLoader {
+        self.cloud_requirements
+            .read()
+            .map(|guard| guard.clone())
+            .unwrap_or_default()
+    }
+
+    pub(crate) async fn load_latest_config(
+        &self,
+        fallback_cwd: Option<PathBuf>,
+    ) -> Result<Config, JSONRPCErrorError> {
+        let mut config = codex_core::config::ConfigBuilder::default()
+            .codex_home(self.codex_home.clone())
+            .cli_overrides(self.current_cli_overrides())
+            .loader_overrides(self.loader_overrides.clone())
+            .fallback_cwd(fallback_cwd)
+            .cloud_requirements(self.current_cloud_requirements())
+            .build()
+            .await
+            .map_err(|err| JSONRPCErrorError {
+                code: INTERNAL_ERROR_CODE,
+                message: format!("failed to resolve feature override precedence: {err}"),
+                data: None,
+            })?;
+        apply_runtime_feature_enablement(&mut config, &self.current_runtime_feature_enablement());
+        Ok(config)
+    }
+
     pub(crate) async fn read(
         &self,
         params: ConfigReadParams,
     ) -> Result<ConfigReadResponse, JSONRPCErrorError> {
-        self.config_service().read(params).await.map_err(map_error)
+        let fallback_cwd = params.cwd.as_ref().map(PathBuf::from);
+        let mut response = self
+            .config_service()
+            .read(params)
+            .await
+            .map_err(map_error)?;
+        let config = self.load_latest_config(fallback_cwd).await?;
+        for feature_key in SUPPORTED_EXPERIMENTAL_FEATURE_ENABLEMENT {
+            let Some(feature) = feature_for_key(feature_key) else {
+                continue;
+            };
+            let features = response
+                .config
+                .additional
+                .entry("features".to_string())
+                .or_insert_with(|| json!({}));
+            if !features.is_object() {
+                *features = json!({});
+            }
+            if let Some(features) = features.as_object_mut() {
+                features.insert(
+                    (*feature_key).to_string(),
+                    json!(config.features.enabled(feature)),
+                );
+            }
+        }
+        Ok(response)
     }
 
     pub(crate) async fn config_requirements_read(
@@ -154,6 +235,68 @@ impl ConfigApi {
         Ok(response)
     }
 
+    pub(crate) async fn set_experimental_feature_enablement(
+        &self,
+        params: ExperimentalFeatureEnablementSetParams,
+    ) -> Result<ExperimentalFeatureEnablementSetResponse, JSONRPCErrorError> {
+        let ExperimentalFeatureEnablementSetParams { enablement } = params;
+        for key in enablement.keys() {
+            if canonical_feature_for_key(key).is_some() {
+                if SUPPORTED_EXPERIMENTAL_FEATURE_ENABLEMENT.contains(&key.as_str()) {
+                    continue;
+                }
+
+                return Err(JSONRPCErrorError {
+                    code: INVALID_REQUEST_ERROR_CODE,
+                    message: format!(
+                        "unsupported feature enablement `{key}`: currently supported features are {}",
+                        SUPPORTED_EXPERIMENTAL_FEATURE_ENABLEMENT.join(", ")
+                    ),
+                    data: None,
+                });
+            }
+
+            let message = if let Some(feature) = feature_for_key(key) {
+                format!(
+                    "invalid feature enablement `{key}`: use canonical feature key `{}`",
+                    feature.key()
+                )
+            } else {
+                format!("invalid feature enablement `{key}`")
+            };
+            return Err(JSONRPCErrorError {
+                code: INVALID_REQUEST_ERROR_CODE,
+                message,
+                data: None,
+            });
+        }
+
+        if enablement.is_empty() {
+            return Ok(ExperimentalFeatureEnablementSetResponse { enablement });
+        }
+
+        {
+            let mut runtime_feature_enablement =
+                self.runtime_feature_enablement
+                    .write()
+                    .map_err(|_| JSONRPCErrorError {
+                        code: INTERNAL_ERROR_CODE,
+                        message: "failed to update feature enablement".to_string(),
+                        data: None,
+                    })?;
+            runtime_feature_enablement.extend(
+                enablement
+                    .iter()
+                    .map(|(name, enabled)| (name.clone(), *enabled)),
+            );
+        }
+
+        self.load_latest_config(/*fallback_cwd*/ None).await?;
+        self.user_config_reloader.reload_user_config().await;
+
+        Ok(ExperimentalFeatureEnablementSetResponse { enablement })
+    }
+
     fn emit_plugin_toggle_events(&self, pending_changes: std::collections::BTreeMap<String, bool>) {
         for (plugin_id, enabled) in pending_changes {
             let Ok(plugin_id) = PluginId::parse(&plugin_id) else {
@@ -170,6 +313,49 @@ impl ConfigApi {
     }
 }
 
+pub(crate) fn protected_feature_keys(
+    config_layer_stack: &codex_core::config_loader::ConfigLayerStack,
+) -> BTreeSet<String> {
+    let mut protected_features = config_layer_stack
+        .effective_config()
+        .get("features")
+        .and_then(toml::Value::as_table)
+        .map(|features| features.keys().cloned().collect::<BTreeSet<_>>())
+        .unwrap_or_default();
+
+    if let Some(feature_requirements) = config_layer_stack
+        .requirements_toml()
+        .feature_requirements
+        .as_ref()
+    {
+        protected_features.extend(feature_requirements.entries.keys().cloned());
+    }
+
+    protected_features
+}
+
+pub(crate) fn apply_runtime_feature_enablement(
+    config: &mut Config,
+    runtime_feature_enablement: &BTreeMap<String, bool>,
+) {
+    let protected_features = protected_feature_keys(&config.config_layer_stack);
+    for (name, enabled) in runtime_feature_enablement {
+        if protected_features.contains(name) {
+            continue;
+        }
+        let Some(feature) = feature_for_key(name) else {
+            continue;
+        };
+        if let Err(err) = config.features.set_enabled(feature, *enabled) {
+            warn!(
+                feature = name,
+                error = %err,
+                "failed to apply runtime feature enablement"
+            );
+        }
+    }
+}
+
 fn map_requirements_toml_to_api(requirements: ConfigRequirementsToml) -> ConfigRequirements {
     ConfigRequirements {
         allowed_approval_policies: requirements.allowed_approval_policies.map(|policies| {
@@ -264,7 +450,10 @@ fn config_write_error(code: ConfigWriteErrorCode, message: impl Into<String>) ->
 mod tests {
     use super::*;
     use codex_core::AnalyticsEventsClient;
+    use codex_core::AuthManager;
+    use codex_core::CodexAuth;
     use codex_core::config_loader::NetworkRequirementsToml as CoreNetworkRequirementsToml;
+    use codex_features::Feature;
     use codex_protocol::protocol::AskForApproval as CoreAskForApproval;
     use pretty_assertions::assert_eq;
     use serde_json::json;
@@ -392,6 +581,66 @@ mod tests {
         );
     }
 
+    #[tokio::test]
+    async fn apply_runtime_feature_enablement_keeps_cli_overrides_above_config_and_runtime() {
+        let codex_home = TempDir::new().expect("create temp dir");
+        std::fs::write(
+            codex_home.path().join("config.toml"),
+            "[features]\napps = false\n",
+        )
+        .expect("write config");
+
+        let mut config = codex_core::config::ConfigBuilder::default()
+            .codex_home(codex_home.path().to_path_buf())
+            .fallback_cwd(Some(codex_home.path().to_path_buf()))
+            .cli_overrides(vec![(
+                "features.apps".to_string(),
+                TomlValue::Boolean(true),
+            )])
+            .build()
+            .await
+            .expect("load config");
+
+        apply_runtime_feature_enablement(
+            &mut config,
+            &BTreeMap::from([("apps".to_string(), false)]),
+        );
+
+        assert!(config.features.enabled(Feature::Apps));
+    }
+
+    #[tokio::test]
+    async fn apply_runtime_feature_enablement_keeps_cloud_pins_above_cli_and_runtime() {
+        let codex_home = TempDir::new().expect("create temp dir");
+
+        let mut config = codex_core::config::ConfigBuilder::default()
+            .codex_home(codex_home.path().to_path_buf())
+            .cli_overrides(vec![(
+                "features.apps".to_string(),
+                TomlValue::Boolean(true),
+            )])
+            .cloud_requirements(CloudRequirementsLoader::new(async {
+                Ok(Some(ConfigRequirementsToml {
+                    feature_requirements: Some(
+                        codex_core::config_loader::FeatureRequirementsToml {
+                            entries: BTreeMap::from([("apps".to_string(), false)]),
+                        },
+                    ),
+                    ..Default::default()
+                }))
+            }))
+            .build()
+            .await
+            .expect("load config");
+
+        apply_runtime_feature_enablement(
+            &mut config,
+            &BTreeMap::from([("apps".to_string(), true)]),
+        );
+
+        assert!(!config.features.enabled(Feature::Apps));
+    }
+
     #[tokio::test]
     async fn batch_write_reloads_user_config_when_requested() {
         let codex_home = TempDir::new().expect("create temp dir");
@@ -404,17 +653,21 @@ mod tests {
                 .await
                 .expect("load analytics config"),
         );
+        let auth_manager = AuthManager::from_auth_for_testing(CodexAuth::from_api_key("test"));
         let config_api = ConfigApi::new(
             codex_home.path().to_path_buf(),
-            Vec::new(),
+            Arc::new(RwLock::new(Vec::new())),
+            Arc::new(RwLock::new(BTreeMap::new())),
             LoaderOverrides::default(),
             Arc::new(RwLock::new(CloudRequirementsLoader::default())),
             reloader.clone(),
             AnalyticsEventsClient::new(
-                analytics_config,
-                codex_core::test_support::auth_manager_from_auth(
-                    codex_core::CodexAuth::from_api_key("test"),
-                ),
+                auth_manager,
+                analytics_config
+                    .chatgpt_base_url
+                    .trim_end_matches('/')
+                    .to_string(),
+                analytics_config.analytics_enabled,
             ),
         );
 

codex-rs/app-server/src/fs_api.rs

@@ -159,7 +159,7 @@ impl FsApi {
     }
 }
 
-fn invalid_request(message: impl Into<String>) -> JSONRPCErrorError {
+pub(crate) fn invalid_request(message: impl Into<String>) -> JSONRPCErrorError {
     JSONRPCErrorError {
         code: INVALID_REQUEST_ERROR_CODE,
         message: message.into(),
@@ -167,7 +167,7 @@ fn invalid_request(message: impl Into<String>) -> JSONRPCErrorError {
     }
 }
 
-fn map_fs_error(err: io::Error) -> JSONRPCErrorError {
+pub(crate) fn map_fs_error(err: io::Error) -> JSONRPCErrorError {
     if err.kind() == io::ErrorKind::InvalidInput {
         invalid_request(err.to_string())
     } else {

codex-rs/app-server/src/fs_watch.rs

@@ -0,0 +1,379 @@
+use crate::outgoing_message::ConnectionId;
+use crate::outgoing_message::OutgoingMessageSender;
+use codex_app_server_protocol::FsChangedNotification;
+use codex_app_server_protocol::FsUnwatchParams;
+use codex_app_server_protocol::FsUnwatchResponse;
+use codex_app_server_protocol::FsWatchParams;
+use codex_app_server_protocol::FsWatchResponse;
+use codex_app_server_protocol::JSONRPCErrorError;
+use codex_app_server_protocol::ServerNotification;
+use codex_core::file_watcher::FileWatcher;
+use codex_core::file_watcher::FileWatcherEvent;
+use codex_core::file_watcher::FileWatcherSubscriber;
+use codex_core::file_watcher::Receiver;
+use codex_core::file_watcher::WatchPath;
+use codex_core::file_watcher::WatchRegistration;
+use codex_utils_absolute_path::AbsolutePathBuf;
+use std::collections::HashMap;
+use std::collections::HashSet;
+use std::hash::Hash;
+use std::path::PathBuf;
+use std::sync::Arc;
+use std::time::Duration;
+use tokio::sync::Mutex as AsyncMutex;
+#[cfg(test)]
+use tokio::sync::mpsc;
+use tokio::sync::oneshot;
+use tokio::time::Instant;
+use tracing::warn;
+use uuid::Uuid;
+
+const FS_CHANGED_NOTIFICATION_DEBOUNCE: Duration = Duration::from_millis(200);
+
+struct DebouncedReceiver {
+    rx: Receiver,
+    interval: Duration,
+    changed_paths: HashSet<PathBuf>,
+    next_allowance: Option<Instant>,
+}
+
+impl DebouncedReceiver {
+    fn new(rx: Receiver, interval: Duration) -> Self {
+        Self {
+            rx,
+            interval,
+            changed_paths: HashSet::new(),
+            next_allowance: None,
+        }
+    }
+
+    async fn recv(&mut self) -> Option<FileWatcherEvent> {
+        while self.changed_paths.is_empty() {
+            self.changed_paths.extend(self.rx.recv().await?.paths);
+        }
+        let next_allowance = *self
+            .next_allowance
+            .get_or_insert_with(|| Instant::now() + self.interval);
+
+        loop {
+            tokio::select! {
+                event = self.rx.recv() => self.changed_paths.extend(event?.paths),
+                _ = tokio::time::sleep_until(next_allowance) => break,
+            }
+        }
+
+        Some(FileWatcherEvent {
+            paths: self.changed_paths.drain().collect(),
+        })
+    }
+}
+
+#[derive(Clone)]
+pub(crate) struct FsWatchManager {
+    outgoing: Arc<OutgoingMessageSender>,
+    file_watcher: Arc<FileWatcher>,
+    state: Arc<AsyncMutex<FsWatchState>>,
+}
+
+#[derive(Default)]
+struct FsWatchState {
+    entries: HashMap<WatchKey, WatchEntry>,
+}
+
+struct WatchEntry {
+    terminate_tx: oneshot::Sender<oneshot::Sender<()>>,
+    _subscriber: FileWatcherSubscriber,
+    _registration: WatchRegistration,
+}
+
+#[derive(Clone, Debug, Eq, Hash, PartialEq)]
+struct WatchKey {
+    connection_id: ConnectionId,
+    watch_id: String,
+}
+
+impl FsWatchManager {
+    pub(crate) fn new(outgoing: Arc<OutgoingMessageSender>) -> Self {
+        let file_watcher = match FileWatcher::new() {
+            Ok(file_watcher) => Arc::new(file_watcher),
+            Err(err) => {
+                warn!("filesystem watch manager falling back to noop core watcher: {err}");
+                Arc::new(FileWatcher::noop())
+            }
+        };
+        Self::new_with_file_watcher(outgoing, file_watcher)
+    }
+
+    fn new_with_file_watcher(
+        outgoing: Arc<OutgoingMessageSender>,
+        file_watcher: Arc<FileWatcher>,
+    ) -> Self {
+        Self {
+            outgoing,
+            file_watcher,
+            state: Arc::new(AsyncMutex::new(FsWatchState::default())),
+        }
+    }
+
+    pub(crate) async fn watch(
+        &self,
+        connection_id: ConnectionId,
+        params: FsWatchParams,
+    ) -> Result<FsWatchResponse, JSONRPCErrorError> {
+        let watch_id = Uuid::now_v7().to_string();
+        let outgoing = self.outgoing.clone();
+        let (subscriber, rx) = self.file_watcher.add_subscriber();
+        let watch_root = params.path.to_path_buf().clone();
+        let registration = subscriber.register_paths(vec![WatchPath {
+            path: params.path.to_path_buf(),
+            recursive: false,
+        }]);
+        let (terminate_tx, terminate_rx) = oneshot::channel();
+
+        self.state.lock().await.entries.insert(
+            WatchKey {
+                connection_id,
+                watch_id: watch_id.clone(),
+            },
+            WatchEntry {
+                terminate_tx,
+                _subscriber: subscriber,
+                _registration: registration,
+            },
+        );
+
+        let task_watch_id = watch_id.clone();
+        tokio::spawn(async move {
+            let mut rx = DebouncedReceiver::new(rx, FS_CHANGED_NOTIFICATION_DEBOUNCE);
+            tokio::pin!(terminate_rx);
+            loop {
+                let event = tokio::select! {
+                    biased;
+                    _ = &mut terminate_rx => break,
+                    event = rx.recv() => match event {
+                        Some(event) => event,
+                        None => break,
+                    },
+                };
+                let mut changed_paths = event
+                    .paths
+                    .into_iter()
+                    .filter_map(|path| {
+                        match AbsolutePathBuf::resolve_path_against_base(&path, &watch_root) {
+                            Ok(path) => Some(path),
+                            Err(err) => {
+                                warn!(
+                                    "failed to normalize watch event path ({}) for {}: {err}",
+                                    path.display(),
+                                    watch_root.display()
+                                );
+                                None
+                            }
+                        }
+                    })
+                    .collect::<Vec<_>>();
+                changed_paths.sort_by(|left, right| left.as_path().cmp(right.as_path()));
+                if !changed_paths.is_empty() {
+                    outgoing
+                        .send_server_notification_to_connection_and_wait(
+                            connection_id,
+                            ServerNotification::FsChanged(FsChangedNotification {
+                                watch_id: task_watch_id.clone(),
+                                changed_paths,
+                            }),
+                        )
+                        .await;
+                }
+            }
+        });
+
+        Ok(FsWatchResponse {
+            watch_id,
+            path: params.path,
+        })
+    }
+
+    pub(crate) async fn unwatch(
+        &self,
+        connection_id: ConnectionId,
+        params: FsUnwatchParams,
+    ) -> Result<FsUnwatchResponse, JSONRPCErrorError> {
+        let watch_key = WatchKey {
+            connection_id,
+            watch_id: params.watch_id,
+        };
+        let entry = self.state.lock().await.entries.remove(&watch_key);
+        if let Some(entry) = entry {
+            // Wait for the oneshot to be destroyed by the task to ensure that no notifications
+            // are send after the unwatch response.
+            let (done_tx, done_rx) = oneshot::channel();
+            let _ = entry.terminate_tx.send(done_tx);
+            let _ = done_rx.await;
+        }
+        Ok(FsUnwatchResponse {})
+    }
+
+    pub(crate) async fn connection_closed(&self, connection_id: ConnectionId) {
+        let mut state = self.state.lock().await;
+        state
+            .entries
+            .extract_if(|key, _| key.connection_id == connection_id)
+            .count();
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use codex_utils_absolute_path::AbsolutePathBuf;
+    use pretty_assertions::assert_eq;
+    use tempfile::TempDir;
+    use uuid::Version;
+
+    fn absolute_path(path: PathBuf) -> AbsolutePathBuf {
+        assert!(
+            path.is_absolute(),
+            "path must be absolute: {}",
+            path.display()
+        );
+        AbsolutePathBuf::try_from(path).expect("path should be absolute")
+    }
+
+    fn manager_with_noop_watcher() -> FsWatchManager {
+        const OUTGOING_BUFFER: usize = 1;
+        let (tx, _rx) = mpsc::channel(OUTGOING_BUFFER);
+        FsWatchManager::new_with_file_watcher(
+            Arc::new(OutgoingMessageSender::new(tx)),
+            Arc::new(FileWatcher::noop()),
+        )
+    }
+
+    #[tokio::test]
+    async fn watch_returns_a_v7_id_and_tracks_the_owner_scoped_entry() {
+        let temp_dir = TempDir::new().expect("temp dir");
+        let head_path = temp_dir.path().join("HEAD");
+        std::fs::write(&head_path, "ref: refs/heads/main\n").expect("write HEAD");
+
+        let manager = manager_with_noop_watcher();
+        let path = absolute_path(head_path);
+        let response = manager
+            .watch(ConnectionId(1), FsWatchParams { path: path.clone() })
+            .await
+            .expect("watch should succeed");
+
+        assert_eq!(response.path, path);
+        let watch_id = Uuid::parse_str(&response.watch_id).expect("watch id should be a UUID");
+        assert_eq!(watch_id.get_version(), Some(Version::SortRand));
+
+        let state = manager.state.lock().await;
+        assert_eq!(
+            state.entries.keys().cloned().collect::<HashSet<_>>(),
+            HashSet::from([WatchKey {
+                connection_id: ConnectionId(1),
+                watch_id: response.watch_id,
+            }])
+        );
+    }
+
+    #[tokio::test]
+    async fn unwatch_is_scoped_to_the_connection_that_created_the_watch() {
+        let temp_dir = TempDir::new().expect("temp dir");
+        let head_path = temp_dir.path().join("HEAD");
+        std::fs::write(&head_path, "ref: refs/heads/main\n").expect("write HEAD");
+
+        let manager = manager_with_noop_watcher();
+        let response = manager
+            .watch(
+                ConnectionId(1),
+                FsWatchParams {
+                    path: absolute_path(head_path),
+                },
+            )
+            .await
+            .expect("watch should succeed");
+        let watch_key = WatchKey {
+            connection_id: ConnectionId(1),
+            watch_id: response.watch_id.clone(),
+        };
+
+        manager
+            .unwatch(
+                ConnectionId(2),
+                FsUnwatchParams {
+                    watch_id: response.watch_id.clone(),
+                },
+            )
+            .await
+            .expect("foreign unwatch should be a no-op");
+        assert!(manager.state.lock().await.entries.contains_key(&watch_key));
+
+        manager
+            .unwatch(
+                ConnectionId(1),
+                FsUnwatchParams {
+                    watch_id: response.watch_id,
+                },
+            )
+            .await
+            .expect("owner unwatch should succeed");
+        assert!(!manager.state.lock().await.entries.contains_key(&watch_key));
+    }
+
+    #[tokio::test]
+    async fn connection_closed_removes_only_that_connections_watches() {
+        let temp_dir = TempDir::new().expect("temp dir");
+        let head_path = temp_dir.path().join("HEAD");
+        let fetch_head_path = temp_dir.path().join("FETCH_HEAD");
+        let packed_refs_path = temp_dir.path().join("packed-refs");
+        std::fs::write(&head_path, "ref: refs/heads/main\n").expect("write HEAD");
+        std::fs::write(&fetch_head_path, "old-fetch\n").expect("write FETCH_HEAD");
+        std::fs::write(&packed_refs_path, "refs\n").expect("write packed-refs");
+
+        let manager = manager_with_noop_watcher();
+        let response_1 = manager
+            .watch(
+                ConnectionId(1),
+                FsWatchParams {
+                    path: absolute_path(head_path),
+                },
+            )
+            .await
+            .expect("first watch should succeed");
+        let response_2 = manager
+            .watch(
+                ConnectionId(1),
+                FsWatchParams {
+                    path: absolute_path(fetch_head_path),
+                },
+            )
+            .await
+            .expect("second watch should succeed");
+        let response_3 = manager
+            .watch(
+                ConnectionId(2),
+                FsWatchParams {
+                    path: absolute_path(packed_refs_path),
+                },
+            )
+            .await
+            .expect("third watch should succeed");
+
+        manager.connection_closed(ConnectionId(1)).await;
+
+        assert_eq!(
+            manager
+                .state
+                .lock()
+                .await
+                .entries
+                .keys()
+                .cloned()
+                .collect::<HashSet<_>>(),
+            HashSet::from([WatchKey {
+                connection_id: ConnectionId(2),
+                watch_id: response_3.watch_id,
+            }])
+        );
+        assert_ne!(response_1.watch_id, response_2.watch_id);
+    }
+}

codex-rs/app-server/src/in_process.rs

@@ -60,6 +60,7 @@ use crate::outgoing_message::ConnectionId;
 use crate::outgoing_message::OutgoingEnvelope;
 use crate::outgoing_message::OutgoingMessage;
 use crate::outgoing_message::OutgoingMessageSender;
+use crate::outgoing_message::QueuedOutgoingMessage;
 use crate::transport::CHANNEL_CAPACITY;
 use crate::transport::OutboundConnectionState;
 use crate::transport::route_outgoing_envelope;
@@ -68,17 +69,15 @@ use codex_app_server_protocol::ClientRequest;
 use codex_app_server_protocol::ConfigWarningNotification;
 use codex_app_server_protocol::InitializeParams;
 use codex_app_server_protocol::JSONRPCErrorError;
-use codex_app_server_protocol::JSONRPCNotification;
 use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::Result;
 use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::ServerRequest;
 use codex_arg0::Arg0DispatchPaths;
-use codex_core::AuthManager;
-use codex_core::ThreadManager;
 use codex_core::config::Config;
 use codex_core::config_loader::CloudRequirementsLoader;
 use codex_core::config_loader::LoaderOverrides;
+use codex_exec_server::EnvironmentManager;
 use codex_feedback::CodexFeedback;
 use codex_protocol::protocol::SessionSource;
 use tokio::sync::mpsc;
@@ -98,16 +97,6 @@ fn server_notification_requires_delivery(notification: &ServerNotification) -> b
     matches!(notification, ServerNotification::TurnCompleted(_))
 }
 
-fn legacy_notification_requires_delivery(notification: &JSONRPCNotification) -> bool {
-    matches!(
-        notification
-            .method
-            .strip_prefix("codex/event/")
-            .unwrap_or(&notification.method),
-        "task_complete" | "turn_aborted" | "shutdown_complete"
-    )
-}
-
 /// Input needed to start an in-process app-server runtime.
 ///
 /// These fields mirror the pieces of ambient process state that stdio and
@@ -124,10 +113,6 @@ pub struct InProcessStartArgs {
     pub loader_overrides: LoaderOverrides,
     /// Preloaded cloud requirements provider.
     pub cloud_requirements: CloudRequirementsLoader,
-    /// Optional prebuilt auth manager reused by an embedding caller.
-    pub auth_manager: Option<Arc<AuthManager>>,
-    /// Optional prebuilt thread manager reused by an embedding caller.
-    pub thread_manager: Option<Arc<ThreadManager>>,
     /// Feedback sink used by app-server/core telemetry and logs.
     pub feedback: CodexFeedback,
     /// Startup warnings emitted after initialize succeeds.
@@ -144,11 +129,6 @@ pub struct InProcessStartArgs {
 
 /// Event emitted from the app-server to the in-process client.
 ///
-/// The stream carries three event families because CLI surfaces are mid-migration
-/// from the legacy `codex_protocol::Event` model to the typed app-server
-/// notification model. Once all surfaces consume only [`ServerNotification`],
-/// [`LegacyNotification`](Self::LegacyNotification) can be removed.
-///
 /// [`Lagged`](Self::Lagged) is a transport health marker, not an application
 /// event — it signals that the consumer fell behind and some events were dropped.
 #[derive(Debug, Clone)]
@@ -157,8 +137,6 @@ pub enum InProcessServerEvent {
     ServerRequest(ServerRequest),
     /// App-server notification directed to the embedded client.
     ServerNotification(ServerNotification),
-    /// Legacy JSON-RPC notification from core event bridge.
-    LegacyNotification(JSONRPCNotification),
     /// Indicates one or more events were dropped due to backpressure.
     Lagged { skipped: usize },
 }
@@ -377,7 +355,7 @@ fn start_uninitialized(args: InProcessStartArgs) -> InProcessClientHandle {
         let (outgoing_tx, mut outgoing_rx) = mpsc::channel::<OutgoingEnvelope>(channel_capacity);
         let outgoing_message_sender = Arc::new(OutgoingMessageSender::new(outgoing_tx));
 
-        let (writer_tx, mut writer_rx) = mpsc::channel::<OutgoingMessage>(channel_capacity);
+        let (writer_tx, mut writer_rx) = mpsc::channel::<QueuedOutgoingMessage>(channel_capacity);
         let outbound_initialized = Arc::new(AtomicBool::new(false));
         let outbound_experimental_api_enabled = Arc::new(AtomicBool::new(false));
         let outbound_opted_out_notification_methods = Arc::new(RwLock::new(HashSet::new()));
@@ -390,7 +368,6 @@ fn start_uninitialized(args: InProcessStartArgs) -> InProcessClientHandle {
                 Arc::clone(&outbound_initialized),
                 Arc::clone(&outbound_experimental_api_enabled),
                 Arc::clone(&outbound_opted_out_notification_methods),
-                /*allow_legacy_notifications*/ true,
                 /*disconnect_sender*/ None,
             ),
         );
@@ -407,11 +384,10 @@ fn start_uninitialized(args: InProcessStartArgs) -> InProcessClientHandle {
                 outgoing: Arc::clone(&processor_outgoing),
                 arg0_paths: args.arg0_paths,
                 config: args.config,
+                environment_manager: Arc::new(EnvironmentManager::from_env()),
                 cli_overrides: args.cli_overrides,
                 loader_overrides: args.loader_overrides,
                 cloud_requirements: args.cloud_requirements,
-                auth_manager: args.auth_manager,
-                thread_manager: args.thread_manager,
                 feedback: args.feedback,
                 log_db: None,
                 config_warnings: args.config_warnings,
@@ -484,6 +460,7 @@ fn start_uninitialized(args: InProcessStartArgs) -> InProcessClientHandle {
             }
 
             processor.clear_runtime_references();
+            processor.cancel_active_login().await;
             processor.connection_closed(IN_PROCESS_CONNECTION_ID).await;
             processor.clear_all_thread_listeners().await;
             processor.drain_background_tasks().await;
@@ -574,10 +551,11 @@ fn start_uninitialized(args: InProcessStartArgs) -> InProcessClientHandle {
                         }
                     }
                 }
-                outgoing_message = writer_rx.recv() => {
-                    let Some(outgoing_message) = outgoing_message else {
+                queued_message = writer_rx.recv() => {
+                    let Some(queued_message) = queued_message else {
                         break;
                     };
+                    let outgoing_message = queued_message.message;
                     match outgoing_message {
                         OutgoingMessage::Response(response) => {
                             if let Some(response_tx) = pending_request_responses.remove(&response.id) {
@@ -655,32 +633,9 @@ fn start_uninitialized(args: InProcessStartArgs) -> InProcessClientHandle {
                                 }
                             }
                         }
-                        OutgoingMessage::Notification(notification) => {
-                            let notification = JSONRPCNotification {
-                                method: notification.method,
-                                params: notification.params,
-                            };
-                            if legacy_notification_requires_delivery(&notification) {
-                                if event_tx
-                                    .send(InProcessServerEvent::LegacyNotification(notification))
-                                    .await
-                                    .is_err()
-                                {
-                                    break;
-                                }
-                            } else if let Err(send_error) =
-                                event_tx.try_send(InProcessServerEvent::LegacyNotification(notification))
-                            {
-                                match send_error {
-                                    mpsc::error::TrySendError::Full(_) => {
-                                        warn!("dropping in-process legacy notification (queue full)");
-                                    }
-                                    mpsc::error::TrySendError::Closed(_) => {
-                                        break;
-                                    }
-                                }
-                            }
-                        }
+                    }
+                    if let Some(write_complete_tx) = queued_message.write_complete_tx {
+                        let _ = write_complete_tx.send(());
                     }
                 }
             }
@@ -759,8 +714,6 @@ mod tests {
             cli_overrides: Vec::new(),
             loader_overrides: LoaderOverrides::default(),
             cloud_requirements: CloudRequirementsLoader::default(),
-            auth_manager: None,
-            thread_manager: None,
             feedback: CodexFeedback::new(),
             config_warnings: Vec::new(),
             session_source,
@@ -858,7 +811,7 @@ mod tests {
     }
 
     #[test]
-    fn guaranteed_delivery_helpers_cover_terminal_notifications() {
+    fn guaranteed_delivery_helpers_cover_terminal_server_notifications() {
         assert!(server_notification_requires_delivery(
             &ServerNotification::TurnCompleted(TurnCompletedNotification {
                 thread_id: "thread-1".to_string(),
@@ -870,30 +823,5 @@ mod tests {
                 },
             })
         ));
-
-        assert!(legacy_notification_requires_delivery(
-            &JSONRPCNotification {
-                method: "codex/event/task_complete".to_string(),
-                params: None,
-            }
-        ));
-        assert!(legacy_notification_requires_delivery(
-            &JSONRPCNotification {
-                method: "codex/event/turn_aborted".to_string(),
-                params: None,
-            }
-        ));
-        assert!(legacy_notification_requires_delivery(
-            &JSONRPCNotification {
-                method: "codex/event/shutdown_complete".to_string(),
-                params: None,
-            }
-        ));
-        assert!(!legacy_notification_requires_delivery(
-            &JSONRPCNotification {
-                method: "codex/event/item_started".to_string(),
-                params: None,
-            }
-        ));
     }
 }

codex-rs/app-server/src/lib.rs

@@ -22,10 +22,12 @@ use crate::message_processor::MessageProcessorArgs;
 use crate::outgoing_message::ConnectionId;
 use crate::outgoing_message::OutgoingEnvelope;
 use crate::outgoing_message::OutgoingMessageSender;
+use crate::outgoing_message::QueuedOutgoingMessage;
 use crate::transport::CHANNEL_CAPACITY;
 use crate::transport::ConnectionState;
 use crate::transport::OutboundConnectionState;
 use crate::transport::TransportEvent;
+use crate::transport::auth::policy_from_settings;
 use crate::transport::route_outgoing_envelope;
 use crate::transport::start_stdio_connection;
 use crate::transport::start_websocket_acceptor;
@@ -38,6 +40,7 @@ use codex_core::ExecPolicyError;
 use codex_core::check_execpolicy_for_warnings;
 use codex_core::config_loader::ConfigLoadError;
 use codex_core::config_loader::TextRange as CoreTextRange;
+use codex_exec_server::EnvironmentManager;
 use codex_feedback::CodexFeedback;
 use codex_protocol::protocol::SessionSource;
 use codex_state::log_db;
@@ -66,6 +69,7 @@ mod error_code;
 mod external_agent_config_api;
 mod filters;
 mod fs_api;
+mod fs_watch;
 mod fuzzy_file_search;
 pub mod in_process;
 mod message_processor;
@@ -79,6 +83,9 @@ mod transport;
 pub use crate::error_code::INPUT_TOO_LARGE_ERROR_CODE;
 pub use crate::error_code::INVALID_PARAMS_ERROR_CODE;
 pub use crate::transport::AppServerTransport;
+pub use crate::transport::auth::AppServerWebsocketAuthArgs;
+pub use crate::transport::auth::AppServerWebsocketAuthSettings;
+pub use crate::transport::auth::WebsocketAuthCliMode;
 
 const LOG_FORMAT_ENV_VAR: &str = "LOG_FORMAT";
 
@@ -103,9 +110,7 @@ enum OutboundControlEvent {
     /// Register a new writer for an opened connection.
     Opened {
         connection_id: ConnectionId,
-        writer: mpsc::Sender<crate::outgoing_message::OutgoingMessage>,
-        // Allow codex/event/* notifications to be emitted.
-        allow_legacy_notifications: bool,
+        writer: mpsc::Sender<QueuedOutgoingMessage>,
         disconnect_sender: Option<CancellationToken>,
         initialized: Arc<AtomicBool>,
         experimental_api_enabled: Arc<AtomicBool>,
@@ -337,6 +342,7 @@ pub async fn run_main(
         default_analytics_enabled,
         AppServerTransport::Stdio,
         SessionSource::VSCode,
+        AppServerWebsocketAuthSettings::default(),
     )
     .await
 }
@@ -348,44 +354,15 @@ pub async fn run_main_with_transport(
     default_analytics_enabled: bool,
     transport: AppServerTransport,
     session_source: SessionSource,
+    auth: AppServerWebsocketAuthSettings,
 ) -> IoResult<()> {
+    let environment_manager = Arc::new(EnvironmentManager::from_env());
     let (transport_event_tx, mut transport_event_rx) =
         mpsc::channel::<TransportEvent>(CHANNEL_CAPACITY);
     let (outgoing_tx, mut outgoing_rx) = mpsc::channel::<OutgoingEnvelope>(CHANNEL_CAPACITY);
     let (outbound_control_tx, mut outbound_control_rx) =
         mpsc::channel::<OutboundControlEvent>(CHANNEL_CAPACITY);
 
-    enum TransportRuntime {
-        Stdio,
-        WebSocket {
-            accept_handle: JoinHandle<()>,
-            shutdown_token: CancellationToken,
-        },
-    }
-
-    let mut stdio_handles = Vec::<JoinHandle<()>>::new();
-    let transport_runtime = match transport {
-        AppServerTransport::Stdio => {
-            start_stdio_connection(transport_event_tx.clone(), &mut stdio_handles).await?;
-            TransportRuntime::Stdio
-        }
-        AppServerTransport::WebSocket { bind_address } => {
-            let shutdown_token = CancellationToken::new();
-            let accept_handle = start_websocket_acceptor(
-                bind_address,
-                transport_event_tx.clone(),
-                shutdown_token.clone(),
-            )
-            .await?;
-            TransportRuntime::WebSocket {
-                accept_handle,
-                shutdown_token,
-            }
-        }
-    };
-    let single_client_mode = matches!(&transport_runtime, TransportRuntime::Stdio);
-    let shutdown_when_no_connections = single_client_mode;
-    let graceful_signal_restart_enabled = !single_client_mode;
     // Parse CLI overrides once and derive the base Config eagerly so later
     // components do not need to work with raw TOML values.
     let cli_kv_overrides = cli_config_overrides.parse_overrides().map_err(|e| {
@@ -549,6 +526,30 @@ pub async fn run_main_with_transport(
         }
     }
 
+    let transport_shutdown_token = CancellationToken::new();
+    let mut transport_accept_handles = Vec::<JoinHandle<()>>::new();
+
+    let single_client_mode = matches!(&transport, AppServerTransport::Stdio);
+    let shutdown_when_no_connections = single_client_mode;
+    let graceful_signal_restart_enabled = !single_client_mode;
+
+    match transport {
+        AppServerTransport::Stdio => {
+            start_stdio_connection(transport_event_tx.clone(), &mut transport_accept_handles)
+                .await?;
+        }
+        AppServerTransport::WebSocket { bind_address } => {
+            let accept_handle = start_websocket_acceptor(
+                bind_address,
+                transport_event_tx.clone(),
+                transport_shutdown_token.clone(),
+                policy_from_settings(&auth)?,
+            )
+            .await?;
+            transport_accept_handles.push(accept_handle);
+        }
+    }
+
     let outbound_handle = tokio::spawn(async move {
         let mut outbound_connections = HashMap::<ConnectionId, OutboundConnectionState>::new();
         loop {
@@ -562,7 +563,6 @@ pub async fn run_main_with_transport(
                             OutboundControlEvent::Opened {
                                 connection_id,
                                 writer,
-                                allow_legacy_notifications,
                                 disconnect_sender,
                                 initialized,
                                 experimental_api_enabled,
@@ -575,7 +575,6 @@ pub async fn run_main_with_transport(
                                         initialized,
                                         experimental_api_enabled,
                                         opted_out_notification_methods,
-                                        allow_legacy_notifications,
                                         disconnect_sender,
                                     ),
                                 );
@@ -615,11 +614,10 @@ pub async fn run_main_with_transport(
             outgoing: outgoing_message_sender,
             arg0_paths,
             config: Arc::new(config),
+            environment_manager,
             cli_overrides,
             loader_overrides,
             cloud_requirements: cloud_requirements.clone(),
-            auth_manager: None,
-            thread_manager: None,
             feedback: feedback.clone(),
             log_db,
             config_warnings,
@@ -629,10 +627,7 @@ pub async fn run_main_with_transport(
         let mut thread_created_rx = processor.thread_created_receiver();
         let mut running_turn_count_rx = processor.subscribe_running_assistant_turn_count();
         let mut connections = HashMap::<ConnectionId, ConnectionState>::new();
-        let websocket_accept_shutdown = match &transport_runtime {
-            TransportRuntime::WebSocket { shutdown_token, .. } => Some(shutdown_token.clone()),
-            TransportRuntime::Stdio => None,
-        };
+        let transport_shutdown_token = transport_shutdown_token.clone();
         async move {
             let mut listen_for_threads = true;
             let mut shutdown_state = ShutdownState::default();
@@ -645,9 +640,7 @@ pub async fn run_main_with_transport(
                     shutdown_state.update(running_turn_count, connections.len()),
                     ShutdownAction::Finish
                 ) {
-                    if let Some(shutdown_token) = &websocket_accept_shutdown {
-                        shutdown_token.cancel();
-                    }
+                    transport_shutdown_token.cancel();
                     let _ = outbound_control_tx
                         .send(OutboundControlEvent::DisconnectAll)
                         .await;
@@ -675,7 +668,6 @@ pub async fn run_main_with_transport(
                             TransportEvent::ConnectionOpened {
                                 connection_id,
                                 writer,
-                                allow_legacy_notifications,
                                 disconnect_sender,
                             } => {
                                 let outbound_initialized = Arc::new(AtomicBool::new(false));
@@ -687,7 +679,6 @@ pub async fn run_main_with_transport(
                                     .send(OutboundControlEvent::Opened {
                                         connection_id,
                                         writer,
-                                        allow_legacy_notifications,
                                         disconnect_sender,
                                         initialized: Arc::clone(&outbound_initialized),
                                         experimental_api_enabled: Arc::clone(
@@ -843,16 +834,8 @@ pub async fn run_main_with_transport(
     let _ = processor_handle.await;
     let _ = outbound_handle.await;
 
-    if let TransportRuntime::WebSocket {
-        accept_handle,
-        shutdown_token,
-    } = transport_runtime
-    {
-        shutdown_token.cancel();
-        let _ = accept_handle.await;
-    }
-
-    for handle in stdio_handles {
+    transport_shutdown_token.cancel();
+    for handle in transport_accept_handles {
         let _ = handle.await;
     }
 

codex-rs/app-server/src/main.rs

@@ -1,5 +1,6 @@
 use clap::Parser;
 use codex_app_server::AppServerTransport;
+use codex_app_server::AppServerWebsocketAuthArgs;
 use codex_app_server::run_main_with_transport;
 use codex_arg0::Arg0DispatchPaths;
 use codex_arg0::arg0_dispatch_or_else;
@@ -31,6 +32,9 @@ struct AppServerArgs {
         value_parser = SessionSource::from_startup_arg
     )]
     session_source: SessionSource,
+
+    #[command(flatten)]
+    auth: AppServerWebsocketAuthArgs,
 }
 
 fn main() -> anyhow::Result<()> {
@@ -43,6 +47,7 @@ fn main() -> anyhow::Result<()> {
         };
         let transport = args.listen;
         let session_source = args.session_source;
+        let auth = args.auth.try_into_settings()?;
 
         run_main_with_transport(
             arg0_paths,
@@ -51,6 +56,7 @@ fn main() -> anyhow::Result<()> {
             /*default_analytics_enabled*/ false,
             transport,
             session_source,
+            auth,
         )
         .await?;
         Ok(())

codex-rs/app-server/src/message_processor.rs

@@ -1,3 +1,4 @@
+use std::collections::BTreeMap;
 use std::collections::HashSet;
 use std::future::Future;
 use std::sync::Arc;
@@ -8,15 +9,18 @@ use std::sync::atomic::Ordering;
 use crate::codex_message_processor::CodexMessageProcessor;
 use crate::codex_message_processor::CodexMessageProcessorArgs;
 use crate::config_api::ConfigApi;
+use crate::error_code::INTERNAL_ERROR_CODE;
 use crate::error_code::INVALID_REQUEST_ERROR_CODE;
 use crate::external_agent_config_api::ExternalAgentConfigApi;
 use crate::fs_api::FsApi;
+use crate::fs_watch::FsWatchManager;
 use crate::outgoing_message::ConnectionId;
 use crate::outgoing_message::ConnectionRequestId;
 use crate::outgoing_message::OutgoingMessageSender;
 use crate::outgoing_message::RequestContext;
 use crate::transport::AppServerTransport;
 use async_trait::async_trait;
+use codex_app_server_protocol::AppListUpdatedNotification;
 use codex_app_server_protocol::ChatgptAuthTokensRefreshParams;
 use codex_app_server_protocol::ChatgptAuthTokensRefreshReason;
 use codex_app_server_protocol::ChatgptAuthTokensRefreshResponse;
@@ -28,6 +32,7 @@ use codex_app_server_protocol::ConfigReadParams;
 use codex_app_server_protocol::ConfigValueWriteParams;
 use codex_app_server_protocol::ConfigWarningNotification;
 use codex_app_server_protocol::ExperimentalApi;
+use codex_app_server_protocol::ExperimentalFeatureEnablementSetParams;
 use codex_app_server_protocol::ExternalAgentConfigDetectParams;
 use codex_app_server_protocol::ExternalAgentConfigImportParams;
 use codex_app_server_protocol::FsCopyParams;
@@ -36,6 +41,8 @@ use codex_app_server_protocol::FsGetMetadataParams;
 use codex_app_server_protocol::FsReadDirectoryParams;
 use codex_app_server_protocol::FsReadFileParams;
 use codex_app_server_protocol::FsRemoveParams;
+use codex_app_server_protocol::FsUnwatchParams;
+use codex_app_server_protocol::FsWatchParams;
 use codex_app_server_protocol::FsWriteFileParams;
 use codex_app_server_protocol::InitializeResponse;
 use codex_app_server_protocol::JSONRPCError;
@@ -47,6 +54,7 @@ use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::ServerRequestPayload;
 use codex_app_server_protocol::experimental_required_message;
 use codex_arg0::Arg0DispatchPaths;
+use codex_chatgpt::connectors;
 use codex_core::AnalyticsEventsClient;
 use codex_core::AuthManager;
 use codex_core::ThreadManager;
@@ -60,6 +68,7 @@ use codex_core::default_client::get_codex_user_agent;
 use codex_core::default_client::set_default_client_residency_requirement;
 use codex_core::default_client::set_default_originator;
 use codex_core::models_manager::collaboration_mode_presets::CollaborationModesConfig;
+use codex_exec_server::EnvironmentManager;
 use codex_features::Feature;
 use codex_feedback::CodexFeedback;
 use codex_login::auth::ExternalAuthRefreshContext;
@@ -152,6 +161,7 @@ pub(crate) struct MessageProcessor {
     external_agent_config_api: ExternalAgentConfigApi,
     fs_api: FsApi,
     auth_manager: Arc<AuthManager>,
+    fs_watch_manager: FsWatchManager,
     config: Arc<Config>,
     config_warnings: Arc<Vec<ConfigWarningNotification>>,
 }
@@ -169,11 +179,10 @@ pub(crate) struct MessageProcessorArgs {
     pub(crate) outgoing: Arc<OutgoingMessageSender>,
     pub(crate) arg0_paths: Arg0DispatchPaths,
     pub(crate) config: Arc<Config>,
+    pub(crate) environment_manager: Arc<EnvironmentManager>,
     pub(crate) cli_overrides: Vec<(String, TomlValue)>,
     pub(crate) loader_overrides: LoaderOverrides,
     pub(crate) cloud_requirements: CloudRequirementsLoader,
-    pub(crate) auth_manager: Option<Arc<AuthManager>>,
-    pub(crate) thread_manager: Option<Arc<ThreadManager>>,
     pub(crate) feedback: CodexFeedback,
     pub(crate) log_db: Option<LogDbLayer>,
     pub(crate) config_warnings: Vec<ConfigWarningNotification>,
@@ -189,49 +198,47 @@ impl MessageProcessor {
             outgoing,
             arg0_paths,
             config,
+            environment_manager,
             cli_overrides,
             loader_overrides,
             cloud_requirements,
-            auth_manager,
-            thread_manager,
             feedback,
             log_db,
             config_warnings,
             session_source,
             enable_codex_api_key_env,
         } = args;
-        let (auth_manager, thread_manager) = match (auth_manager, thread_manager) {
-            (Some(auth_manager), Some(thread_manager)) => (auth_manager, thread_manager),
-            (None, None) => {
-                let auth_manager = AuthManager::shared(
-                    config.codex_home.clone(),
-                    enable_codex_api_key_env,
-                    config.cli_auth_credentials_store_mode,
-                );
-                let thread_manager = Arc::new(ThreadManager::new(
-                    config.as_ref(),
-                    auth_manager.clone(),
-                    session_source,
-                    CollaborationModesConfig {
-                        default_mode_request_user_input: config
-                            .features
-                            .enabled(Feature::DefaultModeRequestUserInput),
-                    },
-                ));
-                (auth_manager, thread_manager)
-            }
-            _ => panic!("MessageProcessorArgs must provide both auth_manager and thread_manager"),
-        };
+        let auth_manager = AuthManager::shared(
+            config.codex_home.clone(),
+            enable_codex_api_key_env,
+            config.cli_auth_credentials_store_mode,
+        );
+        let thread_manager = Arc::new(ThreadManager::new(
+            config.as_ref(),
+            auth_manager.clone(),
+            session_source,
+            CollaborationModesConfig {
+                default_mode_request_user_input: config
+                    .features
+                    .enabled(Feature::DefaultModeRequestUserInput),
+            },
+            environment_manager,
+        ));
         auth_manager.set_forced_chatgpt_workspace_id(config.forced_chatgpt_workspace_id.clone());
         auth_manager.set_external_auth_refresher(Arc::new(ExternalAuthRefreshBridge {
             outgoing: outgoing.clone(),
         }));
-        let analytics_events_client =
-            AnalyticsEventsClient::new(Arc::clone(&config), Arc::clone(&auth_manager));
+        let analytics_events_client = AnalyticsEventsClient::new(
+            Arc::clone(&auth_manager),
+            config.chatgpt_base_url.trim_end_matches('/').to_string(),
+            config.analytics_enabled,
+        );
         thread_manager
             .plugins_manager()
             .set_analytics_events_client(analytics_events_client.clone());
 
+        let cli_overrides = Arc::new(RwLock::new(cli_overrides));
+        let runtime_feature_enablement = Arc::new(RwLock::new(BTreeMap::new()));
         let cloud_requirements = Arc::new(RwLock::new(cloud_requirements));
         let codex_message_processor = CodexMessageProcessor::new(CodexMessageProcessorArgs {
             auth_manager: auth_manager.clone(),
@@ -240,6 +247,7 @@ impl MessageProcessor {
             arg0_paths,
             config: Arc::clone(&config),
             cli_overrides: cli_overrides.clone(),
+            runtime_feature_enablement: runtime_feature_enablement.clone(),
             cloud_requirements: cloud_requirements.clone(),
             feedback,
             log_db,
@@ -252,6 +260,7 @@ impl MessageProcessor {
         let config_api = ConfigApi::new(
             config.codex_home.clone(),
             cli_overrides,
+            runtime_feature_enablement,
             loader_overrides,
             cloud_requirements,
             thread_manager,
@@ -259,6 +268,7 @@ impl MessageProcessor {
         );
         let external_agent_config_api = ExternalAgentConfigApi::new(config.codex_home.clone());
         let fs_api = FsApi::default();
+        let fs_watch_manager = FsWatchManager::new(outgoing.clone());
 
         Self {
             outgoing,
@@ -267,6 +277,7 @@ impl MessageProcessor {
             external_agent_config_api,
             fs_api,
             auth_manager,
+            fs_watch_manager,
             config,
             config_warnings: Arc::new(config_warnings),
         }
@@ -462,6 +473,10 @@ impl MessageProcessor {
         self.codex_message_processor.drain_background_tasks().await;
     }
 
+    pub(crate) async fn cancel_active_login(&self) {
+        self.codex_message_processor.cancel_active_login().await;
+    }
+
     pub(crate) async fn clear_all_thread_listeners(&self) {
         self.codex_message_processor
             .clear_all_thread_listeners()
@@ -474,6 +489,7 @@ impl MessageProcessor {
 
     pub(crate) async fn connection_closed(&mut self, connection_id: ConnectionId) {
         self.outgoing.connection_closed(connection_id).await;
+        self.fs_watch_manager.connection_closed(connection_id).await;
         self.codex_message_processor
             .connection_closed(connection_id)
             .await;
@@ -590,8 +606,21 @@ impl MessageProcessor {
                 }
 
                 let user_agent = get_codex_user_agent();
+                let codex_home = match self.config.codex_home.clone().try_into() {
+                    Ok(codex_home) => codex_home,
+                    Err(err) => {
+                        let error = JSONRPCErrorError {
+                            code: INTERNAL_ERROR_CODE,
+                            message: format!("Invalid CODEX_HOME: {err}"),
+                            data: None,
+                        };
+                        self.outgoing.send_error(connection_request_id, error).await;
+                        return;
+                    }
+                };
                 let response = InitializeResponse {
                     user_agent,
+                    codex_home,
                     platform_family: std::env::consts::FAMILY.to_string(),
                     platform_os: std::env::consts::OS.to_string(),
                 };
@@ -686,6 +715,16 @@ impl MessageProcessor {
                 )
                 .await;
             }
+            ClientRequest::ExperimentalFeatureEnablementSet { request_id, params } => {
+                self.handle_experimental_feature_enablement_set(
+                    ConnectionRequestId {
+                        connection_id,
+                        request_id,
+                    },
+                    params,
+                )
+                .await;
+            }
             ClientRequest::ConfigRequirementsRead {
                 request_id,
                 params: _,
@@ -766,6 +805,28 @@ impl MessageProcessor {
                 )
                 .await;
             }
+            ClientRequest::FsWatch { request_id, params } => {
+                self.handle_fs_watch(
+                    ConnectionRequestId {
+                        connection_id,
+                        request_id,
+                    },
+                    connection_id,
+                    params,
+                )
+                .await;
+            }
+            ClientRequest::FsUnwatch { request_id, params } => {
+                self.handle_fs_unwatch(
+                    ConnectionRequestId {
+                        connection_id,
+                        request_id,
+                    },
+                    connection_id,
+                    params,
+                )
+                .await;
+            }
             other => {
                 // Box the delegated future so this wrapper's async state machine does not
                 // inline the full `CodexMessageProcessor::process_request` future, which
@@ -812,7 +873,104 @@ impl MessageProcessor {
         request_id: ConnectionRequestId,
         params: ConfigBatchWriteParams,
     ) {
-        match self.config_api.batch_write(params).await {
+        self.handle_config_mutation_result(request_id, self.config_api.batch_write(params).await)
+            .await;
+    }
+
+    async fn handle_experimental_feature_enablement_set(
+        &self,
+        request_id: ConnectionRequestId,
+        params: ExperimentalFeatureEnablementSetParams,
+    ) {
+        let should_refresh_apps_list = params.enablement.get("apps").copied() == Some(true);
+        match self
+            .config_api
+            .set_experimental_feature_enablement(params)
+            .await
+        {
+            Ok(response) => {
+                self.codex_message_processor.clear_plugin_related_caches();
+                self.codex_message_processor
+                    .maybe_start_plugin_startup_tasks_for_latest_config()
+                    .await;
+                self.outgoing.send_response(request_id, response).await;
+                if should_refresh_apps_list {
+                    self.refresh_apps_list_after_experimental_feature_enablement_set()
+                        .await;
+                }
+            }
+            Err(error) => self.outgoing.send_error(request_id, error).await,
+        }
+    }
+
+    async fn refresh_apps_list_after_experimental_feature_enablement_set(&self) {
+        let config = match self
+            .config_api
+            .load_latest_config(/*fallback_cwd*/ None)
+            .await
+        {
+            Ok(config) => config,
+            Err(error) => {
+                tracing::warn!(
+                    "failed to load config for apps list refresh after experimental feature enablement: {}",
+                    error.message
+                );
+                return;
+            }
+        };
+        if !config.features.apps_enabled(Some(&self.auth_manager)).await {
+            return;
+        }
+
+        let outgoing = Arc::clone(&self.outgoing);
+        tokio::spawn(async move {
+            let (all_connectors_result, accessible_connectors_result) = tokio::join!(
+                connectors::list_all_connectors_with_options(&config, /*force_refetch*/ true),
+                connectors::list_accessible_connectors_from_mcp_tools_with_options(
+                    &config, /*force_refetch*/ true,
+                ),
+            );
+            let all_connectors = match all_connectors_result {
+                Ok(connectors) => connectors,
+                Err(err) => {
+                    tracing::warn!(
+                        "failed to force-refresh directory apps after experimental feature enablement: {err:#}"
+                    );
+                    return;
+                }
+            };
+            let accessible_connectors = match accessible_connectors_result {
+                Ok(connectors) => connectors,
+                Err(err) => {
+                    tracing::warn!(
+                        "failed to force-refresh accessible apps after experimental feature enablement: {err:#}"
+                    );
+                    return;
+                }
+            };
+
+            let data = connectors::with_app_enabled_state(
+                connectors::merge_connectors_with_accessible(
+                    all_connectors,
+                    accessible_connectors,
+                    /*all_connectors_loaded*/ true,
+                ),
+                &config,
+            );
+            outgoing
+                .send_server_notification(ServerNotification::AppListUpdated(
+                    AppListUpdatedNotification { data },
+                ))
+                .await;
+        });
+    }
+
+    async fn handle_config_mutation_result<T: serde::Serialize>(
+        &self,
+        request_id: ConnectionRequestId,
+        result: std::result::Result<T, JSONRPCErrorError>,
+    ) {
+        match result {
             Ok(response) => {
                 self.codex_message_processor.clear_plugin_related_caches();
                 self.codex_message_processor
@@ -917,6 +1075,30 @@ impl MessageProcessor {
             Err(error) => self.outgoing.send_error(request_id, error).await,
         }
     }
+
+    async fn handle_fs_watch(
+        &self,
+        request_id: ConnectionRequestId,
+        connection_id: ConnectionId,
+        params: FsWatchParams,
+    ) {
+        match self.fs_watch_manager.watch(connection_id, params).await {
+            Ok(response) => self.outgoing.send_response(request_id, response).await,
+            Err(error) => self.outgoing.send_error(request_id, error).await,
+        }
+    }
+
+    async fn handle_fs_unwatch(
+        &self,
+        request_id: ConnectionRequestId,
+        connection_id: ConnectionId,
+        params: FsUnwatchParams,
+    ) {
+        match self.fs_watch_manager.unwatch(connection_id, params).await {
+            Ok(response) => self.outgoing.send_response(request_id, response).await,
+            Err(error) => self.outgoing.send_error(request_id, error).await,
+        }
+    }
 }
 
 #[cfg(test)]

codex-rs/app-server/src/message_processor/tracing_tests.rs

@@ -24,6 +24,7 @@ use codex_core::config::Config;
 use codex_core::config::ConfigBuilder;
 use codex_core::config_loader::CloudRequirementsLoader;
 use codex_core::config_loader::LoaderOverrides;
+use codex_exec_server::EnvironmentManager;
 use codex_feedback::CodexFeedback;
 use codex_protocol::protocol::SessionSource;
 use codex_protocol::protocol::W3cTraceContext;
@@ -236,11 +237,10 @@ fn build_test_processor(
         outgoing,
         arg0_paths: Arg0DispatchPaths::default(),
         config,
+        environment_manager: Arc::new(EnvironmentManager::new(/*exec_server_url*/ None)),
         cli_overrides: Vec::new(),
         loader_overrides: LoaderOverrides::default(),
         cloud_requirements: CloudRequirementsLoader::default(),
-        auth_manager: None,
-        thread_manager: None,
         feedback: CodexFeedback::new(),
         log_db: None,
         config_warnings: Vec::new(),
@@ -392,6 +392,7 @@ async fn read_response<T: serde::de::DeserializeOwned>(
         let crate::outgoing_message::OutgoingEnvelope::ToConnection {
             connection_id,
             message,
+            ..
         } = envelope
         else {
             continue;
@@ -422,6 +423,7 @@ async fn read_thread_started_notification(
             crate::outgoing_message::OutgoingEnvelope::ToConnection {
                 connection_id,
                 message,
+                ..
             } => {
                 if connection_id != TEST_CONNECTION_ID {
                     continue;

codex-rs/app-server/src/outgoing_message.rs

@@ -81,17 +81,33 @@ impl RequestContext {
     }
 }
 
-#[derive(Debug, Clone)]
+#[derive(Debug)]
 pub(crate) enum OutgoingEnvelope {
     ToConnection {
         connection_id: ConnectionId,
         message: OutgoingMessage,
+        write_complete_tx: Option<oneshot::Sender<()>>,
     },
     Broadcast {
         message: OutgoingMessage,
     },
 }
 
+#[derive(Debug)]
+pub(crate) struct QueuedOutgoingMessage {
+    pub(crate) message: OutgoingMessage,
+    pub(crate) write_complete_tx: Option<oneshot::Sender<()>>,
+}
+
+impl QueuedOutgoingMessage {
+    pub(crate) fn new(message: OutgoingMessage) -> Self {
+        Self {
+            message,
+            write_complete_tx: None,
+        }
+    }
+}
+
 /// Sends messages to the client and manages request callbacks.
 pub(crate) struct OutgoingMessageSender {
     next_server_request_id: AtomicI64,
@@ -299,6 +315,7 @@ impl OutgoingMessageSender {
                         .send(OutgoingEnvelope::ToConnection {
                             connection_id: *connection_id,
                             message: outgoing_message.clone(),
+                            write_complete_tx: None,
                         })
                         .await
                     {
@@ -333,6 +350,7 @@ impl OutgoingMessageSender {
                 .send(OutgoingEnvelope::ToConnection {
                     connection_id,
                     message: OutgoingMessage::Request(request),
+                    write_complete_tx: None,
                 })
                 .await
             {
@@ -519,6 +537,7 @@ impl OutgoingMessageSender {
                 .send(OutgoingEnvelope::ToConnection {
                     connection_id: *connection_id,
                     message: outgoing_message.clone(),
+                    write_complete_tx: None,
                 })
                 .await
             {
@@ -527,36 +546,26 @@ impl OutgoingMessageSender {
         }
     }
 
-    pub(crate) async fn send_notification_to_connections(
+    pub(crate) async fn send_server_notification_to_connection_and_wait(
         &self,
-        connection_ids: &[ConnectionId],
-        notification: OutgoingNotification,
+        connection_id: ConnectionId,
+        notification: ServerNotification,
     ) {
-        let outgoing_message = OutgoingMessage::Notification(notification);
-        if connection_ids.is_empty() {
-            if let Err(err) = self
-                .sender
-                .send(OutgoingEnvelope::Broadcast {
-                    message: outgoing_message,
-                })
-                .await
-            {
-                warn!("failed to send notification to client: {err:?}");
-            }
-            return;
-        }
-        for connection_id in connection_ids {
-            if let Err(err) = self
-                .sender
-                .send(OutgoingEnvelope::ToConnection {
-                    connection_id: *connection_id,
-                    message: outgoing_message.clone(),
-                })
-                .await
-            {
-                warn!("failed to send notification to client: {err:?}");
-            }
+        tracing::trace!("app-server event: {notification}");
+        let outgoing_message = OutgoingMessage::AppServerNotification(notification);
+        let (write_complete_tx, write_complete_rx) = oneshot::channel();
+        if let Err(err) = self
+            .sender
+            .send(OutgoingEnvelope::ToConnection {
+                connection_id,
+                message: outgoing_message,
+                write_complete_tx: Some(write_complete_tx),
+            })
+            .await
+        {
+            warn!("failed to send server notification to client: {err:?}");
         }
+        let _ = write_complete_rx.await;
     }
 
     pub(crate) async fn send_error(
@@ -598,6 +607,7 @@ impl OutgoingMessageSender {
         let send_fut = self.sender.send(OutgoingEnvelope::ToConnection {
             connection_id,
             message,
+            write_complete_tx: None,
         });
         let send_result = if let Some(request_context) = request_context {
             send_fut.instrument(request_context.span()).await
@@ -616,7 +626,6 @@ impl OutgoingMessageSender {
 #[serde(untagged)]
 pub(crate) enum OutgoingMessage {
     Request(ServerRequest),
-    Notification(OutgoingNotification),
     /// AppServerNotification is specific to the case where this is run as an
     /// "app server" as opposed to an MCP server.
     AppServerNotification(ServerNotification),
@@ -624,13 +633,6 @@ pub(crate) enum OutgoingMessage {
     Error(OutgoingError),
 }
 
-#[derive(Debug, Clone, PartialEq, Serialize)]
-pub(crate) struct OutgoingNotification {
-    pub method: String,
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub params: Option<serde_json::Value>,
-}
-
 #[derive(Debug, Clone, PartialEq, Serialize)]
 pub(crate) struct OutgoingResponse {
     pub id: RequestId,
@@ -858,6 +860,7 @@ mod tests {
             OutgoingEnvelope::ToConnection {
                 connection_id,
                 message,
+                ..
             } => {
                 assert_eq!(connection_id, ConnectionId(42));
                 let OutgoingMessage::Response(response) = message else {
@@ -920,6 +923,7 @@ mod tests {
             OutgoingEnvelope::ToConnection {
                 connection_id,
                 message,
+                ..
             } => {
                 assert_eq!(connection_id, ConnectionId(9));
                 let OutgoingMessage::Error(outgoing_error) = message else {
@@ -932,6 +936,50 @@ mod tests {
         }
     }
 
+    #[tokio::test]
+    async fn send_server_notification_to_connection_and_wait_tracks_write_completion() {
+        let (tx, mut rx) = mpsc::channel::<OutgoingEnvelope>(4);
+        let outgoing = OutgoingMessageSender::new(tx);
+        let send_task = tokio::spawn(async move {
+            outgoing
+                .send_server_notification_to_connection_and_wait(
+                    ConnectionId(42),
+                    ServerNotification::ModelRerouted(ModelReroutedNotification {
+                        thread_id: "thread-1".to_string(),
+                        turn_id: "turn-1".to_string(),
+                        from_model: "gpt-5.3-codex".to_string(),
+                        to_model: "gpt-5.2".to_string(),
+                        reason: ModelRerouteReason::HighRiskCyberActivity,
+                    }),
+                )
+                .await
+        });
+
+        let envelope = timeout(Duration::from_secs(1), rx.recv())
+            .await
+            .expect("should receive envelope before timeout")
+            .expect("channel should contain one message");
+        let OutgoingEnvelope::ToConnection {
+            connection_id,
+            message,
+            write_complete_tx,
+        } = envelope
+        else {
+            panic!("expected targeted server notification envelope");
+        };
+        assert_eq!(connection_id, ConnectionId(42));
+        assert!(matches!(message, OutgoingMessage::AppServerNotification(_)));
+        write_complete_tx
+            .expect("write completion sender should be attached")
+            .send(())
+            .expect("receiver should still be waiting");
+
+        timeout(Duration::from_secs(1), send_task)
+            .await
+            .expect("send task should finish after write completion is signaled")
+            .expect("send task should not panic");
+    }
+
     #[tokio::test]
     async fn connection_closed_clears_registered_request_contexts() {
         let (tx, _rx) = mpsc::channel::<OutgoingEnvelope>(4);

codex-rs/app-server/src/transport/auth.rs

@@ -0,0 +1,583 @@
+use anyhow::Context;
+use axum::http::HeaderMap;
+use axum::http::StatusCode;
+use axum::http::header::AUTHORIZATION;
+use clap::Args;
+use clap::ValueEnum;
+use codex_utils_absolute_path::AbsolutePathBuf;
+use constant_time_eq::constant_time_eq_32;
+use jsonwebtoken::Algorithm;
+use jsonwebtoken::DecodingKey;
+use jsonwebtoken::Validation;
+use jsonwebtoken::decode;
+use serde::Deserialize;
+use sha2::Digest;
+use sha2::Sha256;
+use std::io;
+use std::io::ErrorKind;
+use std::net::SocketAddr;
+use std::path::Path;
+use std::path::PathBuf;
+use time::OffsetDateTime;
+
+const DEFAULT_MAX_CLOCK_SKEW_SECONDS: u64 = 30;
+const MIN_SIGNED_BEARER_SECRET_BYTES: usize = 32;
+const INVALID_AUTHORIZATION_HEADER_MESSAGE: &str = "invalid authorization header";
+
+#[derive(Debug, Clone, Default, PartialEq, Eq, Args)]
+pub struct AppServerWebsocketAuthArgs {
+    /// Websocket auth mode for non-loopback listeners.
+    #[arg(long = "ws-auth", value_name = "MODE", value_enum)]
+    pub ws_auth: Option<WebsocketAuthCliMode>,
+
+    /// Absolute path to the capability-token file.
+    #[arg(long = "ws-token-file", value_name = "PATH")]
+    pub ws_token_file: Option<PathBuf>,
+
+    /// Absolute path to the shared secret file for signed JWT bearer tokens.
+    #[arg(long = "ws-shared-secret-file", value_name = "PATH")]
+    pub ws_shared_secret_file: Option<PathBuf>,
+
+    /// Expected issuer for signed JWT bearer tokens.
+    #[arg(long = "ws-issuer", value_name = "ISSUER")]
+    pub ws_issuer: Option<String>,
+
+    /// Expected audience for signed JWT bearer tokens.
+    #[arg(long = "ws-audience", value_name = "AUDIENCE")]
+    pub ws_audience: Option<String>,
+
+    /// Maximum clock skew when validating signed JWT bearer tokens.
+    #[arg(long = "ws-max-clock-skew-seconds", value_name = "SECONDS")]
+    pub ws_max_clock_skew_seconds: Option<u64>,
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, ValueEnum)]
+pub enum WebsocketAuthCliMode {
+    CapabilityToken,
+    SignedBearerToken,
+}
+
+#[derive(Debug, Clone, Default, PartialEq, Eq)]
+pub struct AppServerWebsocketAuthSettings {
+    pub config: Option<AppServerWebsocketAuthConfig>,
+}
+
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum AppServerWebsocketAuthConfig {
+    CapabilityToken {
+        token_file: AbsolutePathBuf,
+    },
+    SignedBearerToken {
+        shared_secret_file: AbsolutePathBuf,
+        issuer: Option<String>,
+        audience: Option<String>,
+        max_clock_skew_seconds: u64,
+    },
+}
+
+#[derive(Clone, Debug, Default)]
+pub(crate) struct WebsocketAuthPolicy {
+    pub(crate) mode: Option<WebsocketAuthMode>,
+}
+
+#[derive(Clone, Debug)]
+pub(crate) enum WebsocketAuthMode {
+    CapabilityToken {
+        token_sha256: [u8; 32],
+    },
+    SignedBearerToken {
+        shared_secret: Vec<u8>,
+        issuer: Option<String>,
+        audience: Option<String>,
+        max_clock_skew_seconds: i64,
+    },
+}
+
+#[derive(Debug)]
+pub(crate) struct WebsocketAuthError {
+    status_code: StatusCode,
+    message: &'static str,
+}
+
+#[derive(Deserialize)]
+struct JwtClaims {
+    exp: i64,
+    nbf: Option<i64>,
+    iss: Option<String>,
+    aud: Option<JwtAudienceClaim>,
+}
+
+#[derive(Deserialize)]
+#[serde(untagged)]
+enum JwtAudienceClaim {
+    Single(String),
+    Multiple(Vec<String>),
+}
+
+impl WebsocketAuthError {
+    pub(crate) fn status_code(&self) -> StatusCode {
+        self.status_code
+    }
+
+    pub(crate) fn message(&self) -> &'static str {
+        self.message
+    }
+}
+
+impl AppServerWebsocketAuthArgs {
+    pub fn try_into_settings(self) -> anyhow::Result<AppServerWebsocketAuthSettings> {
+        let normalize = |value: Option<String>| {
+            value.and_then(|value| {
+                let trimmed = value.trim();
+                (!trimmed.is_empty()).then(|| trimmed.to_string())
+            })
+        };
+
+        let config = match self.ws_auth {
+            Some(WebsocketAuthCliMode::CapabilityToken) => {
+                if self.ws_shared_secret_file.is_some()
+                    || self.ws_issuer.is_some()
+                    || self.ws_audience.is_some()
+                    || self.ws_max_clock_skew_seconds.is_some()
+                {
+                    anyhow::bail!(
+                        "`--ws-shared-secret-file`, `--ws-issuer`, `--ws-audience`, and `--ws-max-clock-skew-seconds` require `--ws-auth signed-bearer-token`"
+                    );
+                }
+                let token_file = self.ws_token_file.context(
+                    "`--ws-token-file` is required when `--ws-auth capability-token` is set",
+                )?;
+                Some(AppServerWebsocketAuthConfig::CapabilityToken {
+                    token_file: absolute_path_arg("--ws-token-file", token_file)?,
+                })
+            }
+            Some(WebsocketAuthCliMode::SignedBearerToken) => {
+                if self.ws_token_file.is_some() {
+                    anyhow::bail!(
+                        "`--ws-token-file` requires `--ws-auth capability-token`, not `signed-bearer-token`"
+                    );
+                }
+                let shared_secret_file = self.ws_shared_secret_file.context(
+                    "`--ws-shared-secret-file` is required when `--ws-auth signed-bearer-token` is set",
+                )?;
+                Some(AppServerWebsocketAuthConfig::SignedBearerToken {
+                    shared_secret_file: absolute_path_arg(
+                        "--ws-shared-secret-file",
+                        shared_secret_file,
+                    )?,
+                    issuer: normalize(self.ws_issuer),
+                    audience: normalize(self.ws_audience),
+                    max_clock_skew_seconds: self
+                        .ws_max_clock_skew_seconds
+                        .unwrap_or(DEFAULT_MAX_CLOCK_SKEW_SECONDS),
+                })
+            }
+            None => {
+                if self.ws_token_file.is_some()
+                    || self.ws_shared_secret_file.is_some()
+                    || self.ws_issuer.is_some()
+                    || self.ws_audience.is_some()
+                    || self.ws_max_clock_skew_seconds.is_some()
+                {
+                    anyhow::bail!(
+                        "websocket auth flags require `--ws-auth capability-token` or `--ws-auth signed-bearer-token`"
+                    );
+                }
+                None
+            }
+        };
+
+        Ok(AppServerWebsocketAuthSettings { config })
+    }
+}
+
+pub(crate) fn policy_from_settings(
+    settings: &AppServerWebsocketAuthSettings,
+) -> io::Result<WebsocketAuthPolicy> {
+    let mode = match settings.config.as_ref() {
+        Some(AppServerWebsocketAuthConfig::CapabilityToken { token_file }) => {
+            let token = read_trimmed_secret(token_file.as_ref())?;
+            Some(WebsocketAuthMode::CapabilityToken {
+                token_sha256: sha256_digest(token.as_bytes()),
+            })
+        }
+        Some(AppServerWebsocketAuthConfig::SignedBearerToken {
+            shared_secret_file,
+            issuer,
+            audience,
+            max_clock_skew_seconds,
+        }) => {
+            let shared_secret = read_trimmed_secret(shared_secret_file.as_ref())?.into_bytes();
+            validate_signed_bearer_secret(shared_secret_file.as_ref(), &shared_secret)?;
+            let max_clock_skew_seconds = i64::try_from(*max_clock_skew_seconds).map_err(|_| {
+                io::Error::new(
+                    ErrorKind::InvalidInput,
+                    "websocket auth clock skew must fit in a signed 64-bit integer",
+                )
+            })?;
+            Some(WebsocketAuthMode::SignedBearerToken {
+                shared_secret,
+                issuer: issuer.clone(),
+                audience: audience.clone(),
+                max_clock_skew_seconds,
+            })
+        }
+        None => None,
+    };
+
+    Ok(WebsocketAuthPolicy { mode })
+}
+
+pub(crate) fn should_warn_about_unauthenticated_non_loopback_listener(
+    bind_address: SocketAddr,
+    policy: &WebsocketAuthPolicy,
+) -> bool {
+    !bind_address.ip().is_loopback() && policy.mode.is_none()
+}
+
+pub(crate) fn authorize_upgrade(
+    headers: &HeaderMap,
+    policy: &WebsocketAuthPolicy,
+) -> Result<(), WebsocketAuthError> {
+    let Some(mode) = policy.mode.as_ref() else {
+        return Ok(());
+    };
+
+    let token = bearer_token_from_headers(headers)?;
+    match mode {
+        WebsocketAuthMode::CapabilityToken { token_sha256 } => {
+            let actual_sha256 = sha256_digest(token.as_bytes());
+            if constant_time_eq_32(token_sha256, &actual_sha256) {
+                Ok(())
+            } else {
+                Err(unauthorized("invalid websocket bearer token"))
+            }
+        }
+        WebsocketAuthMode::SignedBearerToken {
+            shared_secret,
+            issuer,
+            audience,
+            max_clock_skew_seconds,
+        } => verify_signed_bearer_token(
+            token,
+            shared_secret,
+            issuer.as_deref(),
+            audience.as_deref(),
+            *max_clock_skew_seconds,
+        ),
+    }
+}
+
+fn verify_signed_bearer_token(
+    token: &str,
+    shared_secret: &[u8],
+    issuer: Option<&str>,
+    audience: Option<&str>,
+    max_clock_skew_seconds: i64,
+) -> Result<(), WebsocketAuthError> {
+    let claims = decode_jwt_claims(token, shared_secret)?;
+    validate_jwt_claims(&claims, issuer, audience, max_clock_skew_seconds)
+}
+
+fn decode_jwt_claims(token: &str, shared_secret: &[u8]) -> Result<JwtClaims, WebsocketAuthError> {
+    let mut validation = Validation::new(Algorithm::HS256);
+    validation.required_spec_claims.clear();
+    validation.validate_exp = false;
+    validation.validate_nbf = false;
+    validation.validate_aud = false;
+
+    decode::<JwtClaims>(token, &DecodingKey::from_secret(shared_secret), &validation)
+        .map(|token_data| token_data.claims)
+        .map_err(|_| unauthorized("invalid websocket jwt"))
+}
+
+fn validate_jwt_claims(
+    claims: &JwtClaims,
+    issuer: Option<&str>,
+    audience: Option<&str>,
+    max_clock_skew_seconds: i64,
+) -> Result<(), WebsocketAuthError> {
+    let now = OffsetDateTime::now_utc().unix_timestamp();
+    if now > claims.exp.saturating_add(max_clock_skew_seconds) {
+        return Err(unauthorized("expired websocket jwt"));
+    }
+    if let Some(nbf) = claims.nbf
+        && now < nbf.saturating_sub(max_clock_skew_seconds)
+    {
+        return Err(unauthorized("websocket jwt is not valid yet"));
+    }
+    if let Some(expected_issuer) = issuer
+        && claims.iss.as_deref() != Some(expected_issuer)
+    {
+        return Err(unauthorized("websocket jwt issuer mismatch"));
+    }
+    if let Some(expected_audience) = audience
+        && !audience_matches(claims.aud.as_ref(), expected_audience)
+    {
+        return Err(unauthorized("websocket jwt audience mismatch"));
+    }
+
+    Ok(())
+}
+
+fn audience_matches(audience: Option<&JwtAudienceClaim>, expected_audience: &str) -> bool {
+    match audience {
+        Some(JwtAudienceClaim::Single(actual)) => actual == expected_audience,
+        Some(JwtAudienceClaim::Multiple(actual)) => {
+            actual.iter().any(|audience| audience == expected_audience)
+        }
+        None => false,
+    }
+}
+
+fn bearer_token_from_headers(headers: &HeaderMap) -> Result<&str, WebsocketAuthError> {
+    let raw_header = headers
+        .get(AUTHORIZATION)
+        .ok_or_else(|| unauthorized("missing websocket bearer token"))?;
+    let header = raw_header
+        .to_str()
+        .map_err(|_| unauthorized(INVALID_AUTHORIZATION_HEADER_MESSAGE))?;
+    let Some((scheme, token)) = header.split_once(' ') else {
+        return Err(unauthorized(INVALID_AUTHORIZATION_HEADER_MESSAGE));
+    };
+    if !scheme.eq_ignore_ascii_case("Bearer") {
+        return Err(unauthorized(INVALID_AUTHORIZATION_HEADER_MESSAGE));
+    }
+    let token = token.trim();
+    if token.is_empty() {
+        return Err(unauthorized(INVALID_AUTHORIZATION_HEADER_MESSAGE));
+    }
+    Ok(token)
+}
+
+fn validate_signed_bearer_secret(path: &Path, shared_secret: &[u8]) -> io::Result<()> {
+    if shared_secret.len() < MIN_SIGNED_BEARER_SECRET_BYTES {
+        return Err(io::Error::new(
+            ErrorKind::InvalidInput,
+            format!(
+                "signed websocket bearer secret {} must be at least {MIN_SIGNED_BEARER_SECRET_BYTES} bytes",
+                path.display()
+            ),
+        ));
+    }
+    Ok(())
+}
+
+fn read_trimmed_secret(path: &std::path::Path) -> io::Result<String> {
+    let raw = std::fs::read_to_string(path).map_err(|err| {
+        io::Error::new(
+            err.kind(),
+            format!(
+                "failed to read websocket auth secret {}: {err}",
+                path.display()
+            ),
+        )
+    })?;
+    let trimmed = raw.trim();
+    if trimmed.is_empty() {
+        return Err(io::Error::new(
+            ErrorKind::InvalidInput,
+            format!("websocket auth secret {} must not be empty", path.display()),
+        ));
+    }
+    Ok(trimmed.to_string())
+}
+
+fn absolute_path_arg(flag_name: &str, path: PathBuf) -> anyhow::Result<AbsolutePathBuf> {
+    AbsolutePathBuf::try_from(path).with_context(|| format!("{flag_name} must be an absolute path"))
+}
+
+fn sha256_digest(input: &[u8]) -> [u8; 32] {
+    let mut digest = [0u8; 32];
+    digest.copy_from_slice(&Sha256::digest(input));
+    digest
+}
+
+fn unauthorized(message: &'static str) -> WebsocketAuthError {
+    WebsocketAuthError {
+        status_code: StatusCode::UNAUTHORIZED,
+        message,
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use base64::Engine;
+    use base64::engine::general_purpose::URL_SAFE_NO_PAD;
+    use hmac::Hmac;
+    use hmac::Mac;
+    use serde_json::json;
+
+    type HmacSha256 = Hmac<Sha256>;
+
+    fn signed_token(shared_secret: &[u8], claims: serde_json::Value) -> String {
+        let header = URL_SAFE_NO_PAD.encode(br#"{"alg":"HS256","typ":"JWT"}"#);
+        let claims_segment = URL_SAFE_NO_PAD.encode(serde_json::to_vec(&claims).unwrap());
+        let payload = format!("{header}.{claims_segment}");
+        let mut mac = HmacSha256::new_from_slice(shared_secret).unwrap();
+        mac.update(payload.as_bytes());
+        let signature = URL_SAFE_NO_PAD.encode(mac.finalize().into_bytes());
+        format!("{payload}.{signature}")
+    }
+
+    #[test]
+    fn warns_about_unauthenticated_non_loopback_listener() {
+        let policy = WebsocketAuthPolicy::default();
+        assert!(should_warn_about_unauthenticated_non_loopback_listener(
+            "0.0.0.0:8765".parse().unwrap(),
+            &policy,
+        ));
+        assert!(!should_warn_about_unauthenticated_non_loopback_listener(
+            "127.0.0.1:8765".parse().unwrap(),
+            &policy,
+        ));
+        assert!(!should_warn_about_unauthenticated_non_loopback_listener(
+            "0.0.0.0:8765".parse().unwrap(),
+            &WebsocketAuthPolicy {
+                mode: Some(WebsocketAuthMode::CapabilityToken {
+                    token_sha256: [0u8; 32],
+                }),
+            },
+        ));
+    }
+
+    #[test]
+    fn capability_token_args_require_token_file() {
+        let err = AppServerWebsocketAuthArgs {
+            ws_auth: Some(WebsocketAuthCliMode::CapabilityToken),
+            ..Default::default()
+        }
+        .try_into_settings()
+        .expect_err("capability-token mode should require a token file");
+        assert!(
+            err.to_string().contains("--ws-token-file"),
+            "unexpected error: {err}"
+        );
+    }
+
+    #[test]
+    fn signed_bearer_args_require_mode_when_mode_specific_flags_are_set() {
+        let err = AppServerWebsocketAuthArgs {
+            ws_shared_secret_file: Some(PathBuf::from("/tmp/secret")),
+            ..Default::default()
+        }
+        .try_into_settings()
+        .expect_err("mode-specific flags should require --ws-auth");
+        assert!(
+            err.to_string().contains("websocket auth flags require"),
+            "unexpected error: {err}"
+        );
+    }
+
+    #[test]
+    fn signed_bearer_args_default_clock_skew_and_trim_optional_claims() {
+        let settings = AppServerWebsocketAuthArgs {
+            ws_auth: Some(WebsocketAuthCliMode::SignedBearerToken),
+            ws_shared_secret_file: Some(PathBuf::from("/tmp/secret")),
+            ws_issuer: Some(" issuer ".to_string()),
+            ws_audience: Some("   ".to_string()),
+            ..Default::default()
+        }
+        .try_into_settings()
+        .expect("signed bearer args should parse");
+
+        assert_eq!(
+            settings,
+            AppServerWebsocketAuthSettings {
+                config: Some(AppServerWebsocketAuthConfig::SignedBearerToken {
+                    shared_secret_file: AbsolutePathBuf::from_absolute_path("/tmp/secret")
+                        .expect("absolute path"),
+                    issuer: Some("issuer".to_string()),
+                    audience: None,
+                    max_clock_skew_seconds: DEFAULT_MAX_CLOCK_SKEW_SECONDS,
+                }),
+            }
+        );
+    }
+
+    #[test]
+    fn signed_bearer_token_verification_rejects_tampering() {
+        let shared_secret = b"0123456789abcdef0123456789abcdef";
+        let token = signed_token(
+            shared_secret,
+            json!({
+                "exp": OffsetDateTime::now_utc().unix_timestamp() + 60,
+            }),
+        );
+        let tampered = token.replace(".eyJleHAi", ".eyJleHBi");
+        let err = verify_signed_bearer_token(&tampered, shared_secret, None, None, 30)
+            .expect_err("tampered jwt should fail");
+        assert_eq!(err.status_code(), StatusCode::UNAUTHORIZED);
+    }
+
+    #[test]
+    fn signed_bearer_token_verification_accepts_valid_token() {
+        let shared_secret = b"0123456789abcdef0123456789abcdef";
+        let token = signed_token(
+            shared_secret,
+            json!({
+                "exp": OffsetDateTime::now_utc().unix_timestamp() + 60,
+                "iss": "issuer",
+                "aud": "audience",
+            }),
+        );
+        verify_signed_bearer_token(&token, shared_secret, Some("issuer"), Some("audience"), 30)
+            .expect("valid signed token should verify");
+    }
+
+    #[test]
+    fn signed_bearer_token_verification_accepts_multiple_audiences() {
+        let shared_secret = b"0123456789abcdef0123456789abcdef";
+        let token = signed_token(
+            shared_secret,
+            json!({
+                "exp": OffsetDateTime::now_utc().unix_timestamp() + 60,
+                "aud": ["other-audience", "audience"],
+            }),
+        );
+        verify_signed_bearer_token(&token, shared_secret, None, Some("audience"), 30)
+            .expect("jwt audience arrays should verify");
+    }
+
+    #[test]
+    fn signed_bearer_token_verification_rejects_alg_none_tokens() {
+        let claims_segment = URL_SAFE_NO_PAD.encode(
+            serde_json::to_vec(&json!({
+                "exp": OffsetDateTime::now_utc().unix_timestamp() + 60,
+            }))
+            .unwrap(),
+        );
+        let header_segment = URL_SAFE_NO_PAD.encode(br#"{"alg":"none","typ":"JWT"}"#);
+        let token = format!("{header_segment}.{claims_segment}.");
+        let err =
+            verify_signed_bearer_token(&token, b"0123456789abcdef0123456789abcdef", None, None, 30)
+                .expect_err("alg=none jwt should be rejected");
+        assert_eq!(err.status_code(), StatusCode::UNAUTHORIZED);
+    }
+
+    #[test]
+    fn signed_bearer_token_verification_rejects_missing_exp() {
+        let shared_secret = b"0123456789abcdef0123456789abcdef";
+        let token = signed_token(
+            shared_secret,
+            json!({
+                "iss": "issuer",
+            }),
+        );
+        let err = verify_signed_bearer_token(&token, shared_secret, None, None, 30)
+            .expect_err("jwt without exp should be rejected");
+        assert_eq!(err.status_code(), StatusCode::UNAUTHORIZED);
+    }
+
+    #[test]
+    fn validate_signed_bearer_secret_rejects_short_secret() {
+        let err = validate_signed_bearer_secret(Path::new("/tmp/secret"), b"too-short")
+            .expect_err("short shared secret should be rejected");
+        assert_eq!(err.kind(), ErrorKind::InvalidInput);
+        assert!(
+            err.to_string().contains("must be at least 32 bytes"),
+            "unexpected error: {err}"
+        );
+    }
+}

codex-rs/app-server/src/transport/mod.rs

@@ -1,55 +1,26 @@
+pub(crate) mod auth;
+
 use crate::error_code::OVERLOADED_ERROR_CODE;
 use crate::message_processor::ConnectionSessionState;
 use crate::outgoing_message::ConnectionId;
 use crate::outgoing_message::OutgoingEnvelope;
 use crate::outgoing_message::OutgoingError;
 use crate::outgoing_message::OutgoingMessage;
-use axum::Router;
-use axum::body::Body;
-use axum::extract::ConnectInfo;
-use axum::extract::State;
-use axum::extract::ws::Message as WebSocketMessage;
-use axum::extract::ws::WebSocket;
-use axum::extract::ws::WebSocketUpgrade;
-use axum::http::Request;
-use axum::http::StatusCode;
-use axum::http::header::ORIGIN;
-use axum::middleware;
-use axum::middleware::Next;
-use axum::response::IntoResponse;
-use axum::response::Response;
-use axum::routing::any;
-use axum::routing::get;
+use crate::outgoing_message::QueuedOutgoingMessage;
 use codex_app_server_protocol::JSONRPCErrorError;
 use codex_app_server_protocol::JSONRPCMessage;
 use codex_app_server_protocol::ServerRequest;
-use futures::SinkExt;
-use futures::StreamExt;
-use owo_colors::OwoColorize;
-use owo_colors::Stream;
-use owo_colors::Style;
 use std::collections::HashMap;
 use std::collections::HashSet;
-use std::io::ErrorKind;
-use std::io::Result as IoResult;
 use std::net::SocketAddr;
 use std::str::FromStr;
 use std::sync::Arc;
 use std::sync::RwLock;
 use std::sync::atomic::AtomicBool;
-use std::sync::atomic::AtomicU64;
 use std::sync::atomic::Ordering;
-use tokio::io::AsyncBufReadExt;
-use tokio::io::AsyncWriteExt;
-use tokio::io::BufReader;
-use tokio::io::{self};
-use tokio::net::TcpListener;
 use tokio::sync::mpsc;
-use tokio::task::JoinHandle;
 use tokio_util::sync::CancellationToken;
-use tracing::debug;
 use tracing::error;
-use tracing::info;
 use tracing::warn;
 
 /// Size of the bounded channels used to communicate between tasks. The value
@@ -57,73 +28,11 @@ use tracing::warn;
 /// plenty for an interactive CLI.
 pub(crate) const CHANNEL_CAPACITY: usize = 128;
 
-fn colorize(text: &str, style: Style) -> String {
-    text.if_supports_color(Stream::Stderr, |value| value.style(style))
-        .to_string()
-}
+mod stdio;
+mod websocket;
 
-#[allow(clippy::print_stderr)]
-fn print_websocket_startup_banner(addr: SocketAddr) {
-    let title = colorize("codex app-server (WebSockets)", Style::new().bold().cyan());
-    let listening_label = colorize("listening on:", Style::new().dimmed());
-    let listen_url = colorize(&format!("ws://{addr}"), Style::new().green());
-    let ready_label = colorize("readyz:", Style::new().dimmed());
-    let ready_url = colorize(&format!("http://{addr}/readyz"), Style::new().green());
-    let health_label = colorize("healthz:", Style::new().dimmed());
-    let health_url = colorize(&format!("http://{addr}/healthz"), Style::new().green());
-    let note_label = colorize("note:", Style::new().dimmed());
-    eprintln!("{title}");
-    eprintln!("  {listening_label} {listen_url}");
-    eprintln!("  {ready_label} {ready_url}");
-    eprintln!("  {health_label} {health_url}");
-    if addr.ip().is_loopback() {
-        eprintln!(
-            "  {note_label} binds localhost only (use SSH port-forwarding for remote access)"
-        );
-    } else {
-        eprintln!(
-            "  {note_label} this is a raw WS server; consider running behind TLS/auth for real remote use"
-        );
-    }
-}
-
-#[derive(Clone)]
-struct WebSocketListenerState {
-    transport_event_tx: mpsc::Sender<TransportEvent>,
-    connection_counter: Arc<AtomicU64>,
-}
-
-async fn health_check_handler() -> StatusCode {
-    StatusCode::OK
-}
-
-async fn reject_requests_with_origin_header(
-    request: Request<Body>,
-    next: Next,
-) -> Result<Response, StatusCode> {
-    if request.headers().contains_key(ORIGIN) {
-        warn!(
-            method = %request.method(),
-            uri = %request.uri(),
-            "rejecting websocket listener request with Origin header"
-        );
-        Err(StatusCode::FORBIDDEN)
-    } else {
-        Ok(next.run(request).await)
-    }
-}
-
-async fn websocket_upgrade_handler(
-    websocket: WebSocketUpgrade,
-    ConnectInfo(peer_addr): ConnectInfo<SocketAddr>,
-    State(state): State<WebSocketListenerState>,
-) -> impl IntoResponse {
-    let connection_id = ConnectionId(state.connection_counter.fetch_add(1, Ordering::Relaxed));
-    info!(%peer_addr, "websocket client connected");
-    websocket.on_upgrade(move |stream| async move {
-        run_websocket_connection(connection_id, stream, state.transport_event_tx).await;
-    })
-}
+pub(crate) use stdio::start_stdio_connection;
+pub(crate) use websocket::start_websocket_acceptor;
 
 #[derive(Clone, Copy, Debug, Eq, PartialEq)]
 pub enum AppServerTransport {
@@ -187,8 +96,7 @@ impl FromStr for AppServerTransport {
 pub(crate) enum TransportEvent {
     ConnectionOpened {
         connection_id: ConnectionId,
-        writer: mpsc::Sender<OutgoingMessage>,
-        allow_legacy_notifications: bool,
+        writer: mpsc::Sender<QueuedOutgoingMessage>,
         disconnect_sender: Option<CancellationToken>,
     },
     ConnectionClosed {
@@ -226,25 +134,22 @@ pub(crate) struct OutboundConnectionState {
     pub(crate) initialized: Arc<AtomicBool>,
     pub(crate) experimental_api_enabled: Arc<AtomicBool>,
     pub(crate) opted_out_notification_methods: Arc<RwLock<HashSet<String>>>,
-    pub(crate) allow_legacy_notifications: bool,
-    pub(crate) writer: mpsc::Sender<OutgoingMessage>,
+    pub(crate) writer: mpsc::Sender<QueuedOutgoingMessage>,
     disconnect_sender: Option<CancellationToken>,
 }
 
 impl OutboundConnectionState {
     pub(crate) fn new(
-        writer: mpsc::Sender<OutgoingMessage>,
+        writer: mpsc::Sender<QueuedOutgoingMessage>,
         initialized: Arc<AtomicBool>,
         experimental_api_enabled: Arc<AtomicBool>,
         opted_out_notification_methods: Arc<RwLock<HashSet<String>>>,
-        allow_legacy_notifications: bool,
         disconnect_sender: Option<CancellationToken>,
     ) -> Self {
         Self {
             initialized,
             experimental_api_enabled,
             opted_out_notification_methods,
-            allow_legacy_notifications,
             writer,
             disconnect_sender,
         }
@@ -261,253 +166,9 @@ impl OutboundConnectionState {
     }
 }
 
-pub(crate) async fn start_stdio_connection(
-    transport_event_tx: mpsc::Sender<TransportEvent>,
-    stdio_handles: &mut Vec<JoinHandle<()>>,
-) -> IoResult<()> {
-    let connection_id = ConnectionId(0);
-    let (writer_tx, mut writer_rx) = mpsc::channel::<OutgoingMessage>(CHANNEL_CAPACITY);
-    let writer_tx_for_reader = writer_tx.clone();
-    transport_event_tx
-        .send(TransportEvent::ConnectionOpened {
-            connection_id,
-            writer: writer_tx,
-            allow_legacy_notifications: false,
-            disconnect_sender: None,
-        })
-        .await
-        .map_err(|_| std::io::Error::new(ErrorKind::BrokenPipe, "processor unavailable"))?;
-
-    let transport_event_tx_for_reader = transport_event_tx.clone();
-    stdio_handles.push(tokio::spawn(async move {
-        let stdin = io::stdin();
-        let reader = BufReader::new(stdin);
-        let mut lines = reader.lines();
-
-        loop {
-            match lines.next_line().await {
-                Ok(Some(line)) => {
-                    if !forward_incoming_message(
-                        &transport_event_tx_for_reader,
-                        &writer_tx_for_reader,
-                        connection_id,
-                        &line,
-                    )
-                    .await
-                    {
-                        break;
-                    }
-                }
-                Ok(None) => break,
-                Err(err) => {
-                    error!("Failed reading stdin: {err}");
-                    break;
-                }
-            }
-        }
-
-        let _ = transport_event_tx_for_reader
-            .send(TransportEvent::ConnectionClosed { connection_id })
-            .await;
-        debug!("stdin reader finished (EOF)");
-    }));
-
-    stdio_handles.push(tokio::spawn(async move {
-        let mut stdout = io::stdout();
-        while let Some(outgoing_message) = writer_rx.recv().await {
-            let Some(mut json) = serialize_outgoing_message(outgoing_message) else {
-                continue;
-            };
-            json.push('\n');
-            if let Err(err) = stdout.write_all(json.as_bytes()).await {
-                error!("Failed to write to stdout: {err}");
-                break;
-            }
-        }
-        info!("stdout writer exited (channel closed)");
-    }));
-
-    Ok(())
-}
-
-pub(crate) async fn start_websocket_acceptor(
-    bind_address: SocketAddr,
-    transport_event_tx: mpsc::Sender<TransportEvent>,
-    shutdown_token: CancellationToken,
-) -> IoResult<JoinHandle<()>> {
-    let listener = TcpListener::bind(bind_address).await?;
-    let local_addr = listener.local_addr()?;
-    print_websocket_startup_banner(local_addr);
-    info!("app-server websocket listening on ws://{local_addr}");
-
-    let router = Router::new()
-        .route("/readyz", get(health_check_handler))
-        .route("/healthz", get(health_check_handler))
-        .fallback(any(websocket_upgrade_handler))
-        .layer(middleware::from_fn(reject_requests_with_origin_header))
-        .with_state(WebSocketListenerState {
-            transport_event_tx,
-            connection_counter: Arc::new(AtomicU64::new(1)),
-        });
-    let server = axum::serve(
-        listener,
-        router.into_make_service_with_connect_info::<SocketAddr>(),
-    )
-    .with_graceful_shutdown(async move {
-        shutdown_token.cancelled().await;
-    });
-    Ok(tokio::spawn(async move {
-        if let Err(err) = server.await {
-            error!("websocket acceptor failed: {err}");
-        }
-        info!("websocket acceptor shutting down");
-    }))
-}
-
-async fn run_websocket_connection(
-    connection_id: ConnectionId,
-    websocket_stream: WebSocket,
-    transport_event_tx: mpsc::Sender<TransportEvent>,
-) {
-    let (writer_tx, writer_rx) = mpsc::channel::<OutgoingMessage>(CHANNEL_CAPACITY);
-    let writer_tx_for_reader = writer_tx.clone();
-    let disconnect_token = CancellationToken::new();
-    if transport_event_tx
-        .send(TransportEvent::ConnectionOpened {
-            connection_id,
-            writer: writer_tx,
-            allow_legacy_notifications: false,
-            disconnect_sender: Some(disconnect_token.clone()),
-        })
-        .await
-        .is_err()
-    {
-        return;
-    }
-
-    let (websocket_writer, websocket_reader) = websocket_stream.split();
-    let (writer_control_tx, writer_control_rx) =
-        mpsc::channel::<WebSocketMessage>(CHANNEL_CAPACITY);
-    let mut outbound_task = tokio::spawn(run_websocket_outbound_loop(
-        websocket_writer,
-        writer_rx,
-        writer_control_rx,
-        disconnect_token.clone(),
-    ));
-    let mut inbound_task = tokio::spawn(run_websocket_inbound_loop(
-        websocket_reader,
-        transport_event_tx.clone(),
-        writer_tx_for_reader,
-        writer_control_tx,
-        connection_id,
-        disconnect_token.clone(),
-    ));
-
-    tokio::select! {
-        _ = &mut outbound_task => {
-            disconnect_token.cancel();
-            inbound_task.abort();
-        }
-        _ = &mut inbound_task => {
-            disconnect_token.cancel();
-            outbound_task.abort();
-        }
-    }
-
-    let _ = transport_event_tx
-        .send(TransportEvent::ConnectionClosed { connection_id })
-        .await;
-}
-
-async fn run_websocket_outbound_loop(
-    mut websocket_writer: futures::stream::SplitSink<WebSocket, WebSocketMessage>,
-    mut writer_rx: mpsc::Receiver<OutgoingMessage>,
-    mut writer_control_rx: mpsc::Receiver<WebSocketMessage>,
-    disconnect_token: CancellationToken,
-) {
-    loop {
-        tokio::select! {
-            _ = disconnect_token.cancelled() => {
-                break;
-            }
-            message = writer_control_rx.recv() => {
-                let Some(message) = message else {
-                    break;
-                };
-                if websocket_writer.send(message).await.is_err() {
-                    break;
-                }
-            }
-            outgoing_message = writer_rx.recv() => {
-                let Some(outgoing_message) = outgoing_message else {
-                    break;
-                };
-                let Some(json) = serialize_outgoing_message(outgoing_message) else {
-                    continue;
-                };
-                if websocket_writer.send(WebSocketMessage::Text(json.into())).await.is_err() {
-                    break;
-                }
-            }
-        }
-    }
-}
-
-async fn run_websocket_inbound_loop(
-    mut websocket_reader: futures::stream::SplitStream<WebSocket>,
-    transport_event_tx: mpsc::Sender<TransportEvent>,
-    writer_tx_for_reader: mpsc::Sender<OutgoingMessage>,
-    writer_control_tx: mpsc::Sender<WebSocketMessage>,
-    connection_id: ConnectionId,
-    disconnect_token: CancellationToken,
-) {
-    loop {
-        tokio::select! {
-            _ = disconnect_token.cancelled() => {
-                break;
-            }
-            incoming_message = websocket_reader.next() => {
-                match incoming_message {
-                    Some(Ok(WebSocketMessage::Text(text))) => {
-                        if !forward_incoming_message(
-                            &transport_event_tx,
-                            &writer_tx_for_reader,
-                            connection_id,
-                            text.as_ref(),
-                        )
-                        .await
-                        {
-                            break;
-                        }
-                    }
-                    Some(Ok(WebSocketMessage::Ping(payload))) => {
-                        match writer_control_tx.try_send(WebSocketMessage::Pong(payload)) {
-                            Ok(()) => {}
-                            Err(tokio::sync::mpsc::error::TrySendError::Closed(_)) => break,
-                            Err(tokio::sync::mpsc::error::TrySendError::Full(_)) => {
-                                warn!("websocket control queue full while replying to ping; closing connection");
-                                break;
-                            }
-                        }
-                    }
-                    Some(Ok(WebSocketMessage::Pong(_))) => {}
-                    Some(Ok(WebSocketMessage::Close(_))) | None => break,
-                    Some(Ok(WebSocketMessage::Binary(_))) => {
-                        warn!("dropping unsupported binary websocket message");
-                    }
-                    Some(Err(err)) => {
-                        warn!("websocket receive error: {err}");
-                        break;
-                    }
-                }
-            }
-        }
-    }
-}
-
 async fn forward_incoming_message(
     transport_event_tx: &mpsc::Sender<TransportEvent>,
-    writer: &mpsc::Sender<OutgoingMessage>,
+    writer: &mpsc::Sender<QueuedOutgoingMessage>,
     connection_id: ConnectionId,
     payload: &str,
 ) -> bool {
@@ -524,7 +185,7 @@ async fn forward_incoming_message(
 
 async fn enqueue_incoming_message(
     transport_event_tx: &mpsc::Sender<TransportEvent>,
-    writer: &mpsc::Sender<OutgoingMessage>,
+    writer: &mpsc::Sender<QueuedOutgoingMessage>,
     connection_id: ConnectionId,
     message: JSONRPCMessage,
 ) -> bool {
@@ -547,7 +208,7 @@ async fn enqueue_incoming_message(
                     data: None,
                 },
             });
-            match writer.try_send(overload_error) {
+            match writer.try_send(QueuedOutgoingMessage::new(overload_error)) {
                 Ok(()) => true,
                 Err(mpsc::error::TrySendError::Closed(_)) => false,
                 Err(mpsc::error::TrySendError::Full(_overload_error)) => {
@@ -584,16 +245,6 @@ fn should_skip_notification_for_connection(
     connection_state: &OutboundConnectionState,
     message: &OutgoingMessage,
 ) -> bool {
-    if !connection_state.allow_legacy_notifications
-        && matches!(message, OutgoingMessage::Notification(_))
-    {
-        // Raw legacy `codex/event/*` notifications are still emitted upstream
-        // for in-process compatibility, but they are no longer part of the
-        // external app-server contract. Keep dropping them here until the
-        // producer path can be deleted entirely.
-        return true;
-    }
-
     let Ok(opted_out_notification_methods) = connection_state.opted_out_notification_methods.read()
     else {
         warn!("failed to read outbound opted-out notifications");
@@ -604,9 +255,6 @@ fn should_skip_notification_for_connection(
             let method = notification.to_string();
             opted_out_notification_methods.contains(method.as_str())
         }
-        OutgoingMessage::Notification(notification) => {
-            opted_out_notification_methods.contains(notification.method.as_str())
-        }
         _ => false,
     }
 }
@@ -626,6 +274,7 @@ async fn send_message_to_connection(
     connections: &mut HashMap<ConnectionId, OutboundConnectionState>,
     connection_id: ConnectionId,
     message: OutgoingMessage,
+    write_complete_tx: Option<tokio::sync::oneshot::Sender<()>>,
 ) -> bool {
     let Some(connection_state) = connections.get(&connection_id) else {
         warn!("dropping message for disconnected connection: {connection_id:?}");
@@ -637,8 +286,12 @@ async fn send_message_to_connection(
     }
 
     let writer = connection_state.writer.clone();
+    let queued_message = QueuedOutgoingMessage {
+        message,
+        write_complete_tx,
+    };
     if connection_state.can_disconnect() {
-        match writer.try_send(message) {
+        match writer.try_send(queued_message) {
             Ok(()) => false,
             Err(mpsc::error::TrySendError::Full(_)) => {
                 warn!(
@@ -650,7 +303,7 @@ async fn send_message_to_connection(
                 disconnect_connection(connections, connection_id)
             }
         }
-    } else if writer.send(message).await.is_err() {
+    } else if writer.send(queued_message).await.is_err() {
         disconnect_connection(connections, connection_id)
     } else {
         false
@@ -689,8 +342,11 @@ pub(crate) async fn route_outgoing_envelope(
         OutgoingEnvelope::ToConnection {
             connection_id,
             message,
+            write_complete_tx,
         } => {
-            let _ = send_message_to_connection(connections, connection_id, message).await;
+            let _ =
+                send_message_to_connection(connections, connection_id, message, write_complete_tx)
+                    .await;
         }
         OutgoingEnvelope::Broadcast { message } => {
             let target_connections: Vec<ConnectionId> = connections
@@ -707,8 +363,13 @@ pub(crate) async fn route_outgoing_envelope(
                 .collect();
 
             for connection_id in target_connections {
-                let _ =
-                    send_message_to_connection(connections, connection_id, message.clone()).await;
+                let _ = send_message_to_connection(
+                    connections,
+                    connection_id,
+                    message.clone(),
+                    /*write_complete_tx*/ None,
+                )
+                .await;
             }
         }
     }
@@ -719,6 +380,8 @@ mod tests {
     use super::*;
     use crate::error_code::OVERLOADED_ERROR_CODE;
     use codex_app_server_protocol::CommandExecutionRequestApprovalSkillMetadata;
+    use codex_app_server_protocol::ConfigWarningNotification;
+    use codex_app_server_protocol::ServerNotification;
     use codex_utils_absolute_path::AbsolutePathBuf;
     use pretty_assertions::assert_eq;
     use serde_json::json;
@@ -817,7 +480,8 @@ mod tests {
             .recv()
             .await
             .expect("request should receive overload error");
-        let overload_json = serde_json::to_value(overload).expect("serialize overload error");
+        let overload_json =
+            serde_json::to_value(overload.message).expect("serialize overload error");
         assert_eq!(
             overload_json,
             json!({
@@ -921,11 +585,15 @@ mod tests {
             .expect("transport queue should accept first message");
 
         writer_tx
-            .send(OutgoingMessage::Notification(
-                crate::outgoing_message::OutgoingNotification {
-                    method: "queued".to_string(),
-                    params: None,
-                },
+            .send(QueuedOutgoingMessage::new(
+                OutgoingMessage::AppServerNotification(ServerNotification::ConfigWarning(
+                    ConfigWarningNotification {
+                        summary: "queued".to_string(),
+                        details: None,
+                        path: None,
+                        range: None,
+                    },
+                )),
             ))
             .await
             .expect("writer queue should accept first message");
@@ -949,8 +617,18 @@ mod tests {
             .recv()
             .await
             .expect("writer queue should still contain original message");
-        let queued_json = serde_json::to_value(queued_outgoing).expect("serialize queued message");
-        assert_eq!(queued_json, json!({ "method": "queued" }));
+        let queued_json =
+            serde_json::to_value(queued_outgoing.message).expect("serialize queued message");
+        assert_eq!(
+            queued_json,
+            json!({
+                "method": "configWarning",
+                "params": {
+                    "summary": "queued",
+                    "details": null,
+                },
+            })
+        );
     }
 
     #[tokio::test]
@@ -958,9 +636,8 @@ mod tests {
         let connection_id = ConnectionId(7);
         let (writer_tx, mut writer_rx) = mpsc::channel(1);
         let initialized = Arc::new(AtomicBool::new(true));
-        let opted_out_notification_methods = Arc::new(RwLock::new(HashSet::from([
-            "codex/event/task_started".to_string(),
-        ])));
+        let opted_out_notification_methods =
+            Arc::new(RwLock::new(HashSet::from(["configWarning".to_string()])));
 
         let mut connections = HashMap::new();
         connections.insert(
@@ -970,7 +647,6 @@ mod tests {
                 initialized,
                 Arc::new(AtomicBool::new(true)),
                 opted_out_notification_methods,
-                false,
                 None,
             ),
         );
@@ -979,12 +655,15 @@ mod tests {
             &mut connections,
             OutgoingEnvelope::ToConnection {
                 connection_id,
-                message: OutgoingMessage::Notification(
-                    crate::outgoing_message::OutgoingNotification {
-                        method: "codex/event/task_started".to_string(),
-                        params: None,
+                message: OutgoingMessage::AppServerNotification(ServerNotification::ConfigWarning(
+                    ConfigWarningNotification {
+                        summary: "task_started".to_string(),
+                        details: None,
+                        path: None,
+                        range: None,
                     },
-                ),
+                )),
+                write_complete_tx: None,
             },
         )
         .await;
@@ -996,7 +675,7 @@ mod tests {
     }
 
     #[tokio::test]
-    async fn to_connection_legacy_notifications_are_dropped_for_external_clients() {
+    async fn to_connection_notifications_are_dropped_for_opted_out_clients() {
         let connection_id = ConnectionId(10);
         let (writer_tx, mut writer_rx) = mpsc::channel(1);
 
@@ -1007,8 +686,7 @@ mod tests {
                 writer_tx,
                 Arc::new(AtomicBool::new(true)),
                 Arc::new(AtomicBool::new(true)),
-                Arc::new(RwLock::new(HashSet::new())),
-                false,
+                Arc::new(RwLock::new(HashSet::from(["configWarning".to_string()]))),
                 None,
             ),
         );
@@ -1017,24 +695,27 @@ mod tests {
             &mut connections,
             OutgoingEnvelope::ToConnection {
                 connection_id,
-                message: OutgoingMessage::Notification(
-                    crate::outgoing_message::OutgoingNotification {
-                        method: "codex/event/task_started".to_string(),
-                        params: None,
+                message: OutgoingMessage::AppServerNotification(ServerNotification::ConfigWarning(
+                    ConfigWarningNotification {
+                        summary: "task_started".to_string(),
+                        details: None,
+                        path: None,
+                        range: None,
                     },
-                ),
+                )),
+                write_complete_tx: None,
             },
         )
         .await;
 
         assert!(
             writer_rx.try_recv().is_err(),
-            "legacy notifications should not reach external clients"
+            "opted-out notifications should not reach clients"
         );
     }
 
     #[tokio::test]
-    async fn to_connection_legacy_notifications_are_preserved_for_in_process_clients() {
+    async fn to_connection_notifications_are_preserved_for_non_opted_out_clients() {
         let connection_id = ConnectionId(11);
         let (writer_tx, mut writer_rx) = mpsc::channel(1);
 
@@ -1046,7 +727,6 @@ mod tests {
                 Arc::new(AtomicBool::new(true)),
                 Arc::new(AtomicBool::new(true)),
                 Arc::new(RwLock::new(HashSet::new())),
-                true,
                 None,
             ),
         );
@@ -1055,12 +735,15 @@ mod tests {
             &mut connections,
             OutgoingEnvelope::ToConnection {
                 connection_id,
-                message: OutgoingMessage::Notification(
-                    crate::outgoing_message::OutgoingNotification {
-                        method: "codex/event/task_started".to_string(),
-                        params: None,
+                message: OutgoingMessage::AppServerNotification(ServerNotification::ConfigWarning(
+                    ConfigWarningNotification {
+                        summary: "task_started".to_string(),
+                        details: None,
+                        path: None,
+                        range: None,
                     },
-                ),
+                )),
+                write_complete_tx: None,
             },
         )
         .await;
@@ -1068,13 +751,12 @@ mod tests {
         let message = writer_rx
             .recv()
             .await
-            .expect("legacy notification should reach in-process clients");
+            .expect("notification should reach non-opted-out clients");
         assert!(matches!(
-            message,
-            OutgoingMessage::Notification(crate::outgoing_message::OutgoingNotification {
-                method,
-                params: None,
-            }) if method == "codex/event/task_started"
+            message.message,
+            OutgoingMessage::AppServerNotification(ServerNotification::ConfigWarning(
+                ConfigWarningNotification { summary, .. }
+            )) if summary == "task_started"
         ));
     }
 
@@ -1091,7 +773,6 @@ mod tests {
                 Arc::new(AtomicBool::new(true)),
                 Arc::new(AtomicBool::new(false)),
                 Arc::new(RwLock::new(HashSet::new())),
-                false,
                 None,
             ),
         );
@@ -1132,6 +813,7 @@ mod tests {
                         available_decisions: None,
                     },
                 }),
+                write_complete_tx: None,
             },
         )
         .await;
@@ -1140,7 +822,7 @@ mod tests {
             .recv()
             .await
             .expect("request should be delivered to the connection");
-        let json = serde_json::to_value(message).expect("request should serialize");
+        let json = serde_json::to_value(message.message).expect("request should serialize");
         assert_eq!(json["params"].get("additionalPermissions"), None);
         assert_eq!(json["params"].get("skillMetadata"), None);
     }
@@ -1158,7 +840,6 @@ mod tests {
                 Arc::new(AtomicBool::new(true)),
                 Arc::new(AtomicBool::new(true)),
                 Arc::new(RwLock::new(HashSet::new())),
-                false,
                 None,
             ),
         );
@@ -1199,6 +880,7 @@ mod tests {
                         available_decisions: None,
                     },
                 }),
+                write_complete_tx: None,
             },
         )
         .await;
@@ -1207,7 +889,7 @@ mod tests {
             .recv()
             .await
             .expect("request should be delivered to the connection");
-        let json = serde_json::to_value(message).expect("request should serialize");
+        let json = serde_json::to_value(message.message).expect("request should serialize");
         let allowed_path = absolute_path("/tmp/allowed").to_string_lossy().into_owned();
         assert_eq!(
             json["params"]["additionalPermissions"],
@@ -1246,7 +928,6 @@ mod tests {
                 Arc::new(AtomicBool::new(true)),
                 Arc::new(AtomicBool::new(true)),
                 Arc::new(RwLock::new(HashSet::new())),
-                false,
                 Some(fast_disconnect_token.clone()),
             ),
         );
@@ -1257,25 +938,30 @@ mod tests {
                 Arc::new(AtomicBool::new(true)),
                 Arc::new(AtomicBool::new(true)),
                 Arc::new(RwLock::new(HashSet::new())),
-                false,
                 Some(slow_disconnect_token.clone()),
             ),
         );
 
-        let queued_message =
-            OutgoingMessage::Notification(crate::outgoing_message::OutgoingNotification {
-                method: "codex/event/already-buffered".to_string(),
-                params: None,
-            });
+        let queued_message = OutgoingMessage::AppServerNotification(
+            ServerNotification::ConfigWarning(ConfigWarningNotification {
+                summary: "already-buffered".to_string(),
+                details: None,
+                path: None,
+                range: None,
+            }),
+        );
         slow_writer_tx
-            .try_send(queued_message)
+            .try_send(QueuedOutgoingMessage::new(queued_message))
             .expect("channel should have room");
 
-        let broadcast_message =
-            OutgoingMessage::Notification(crate::outgoing_message::OutgoingNotification {
-                method: "codex/event/test".to_string(),
-                params: None,
-            });
+        let broadcast_message = OutgoingMessage::AppServerNotification(
+            ServerNotification::ConfigWarning(ConfigWarningNotification {
+                summary: "test".to_string(),
+                details: None,
+                path: None,
+                range: None,
+            }),
+        );
         timeout(
             Duration::from_millis(100),
             route_outgoing_envelope(
@@ -1286,24 +972,28 @@ mod tests {
             ),
         )
         .await
-        .expect("broadcast should return even when legacy notifications are dropped");
-        assert!(connections.contains_key(&slow_connection_id));
-        assert!(!slow_disconnect_token.is_cancelled());
+        .expect("broadcast should return even when one connection is slow");
+        assert!(!connections.contains_key(&slow_connection_id));
+        assert!(slow_disconnect_token.is_cancelled());
         assert!(!fast_disconnect_token.is_cancelled());
-        assert!(
-            fast_writer_rx.try_recv().is_err(),
-            "broadcast legacy notification should be dropped for fast connections"
-        );
+        let fast_message = fast_writer_rx
+            .try_recv()
+            .expect("fast connection should receive the broadcast notification");
+        assert!(matches!(
+            fast_message.message,
+            OutgoingMessage::AppServerNotification(ServerNotification::ConfigWarning(
+                ConfigWarningNotification { summary, .. }
+            )) if summary == "test"
+        ));
 
         let slow_message = slow_writer_rx
             .try_recv()
             .expect("slow connection should retain its original buffered message");
         assert!(matches!(
-            slow_message,
-            OutgoingMessage::Notification(crate::outgoing_message::OutgoingNotification {
-                method,
-                params: None,
-            }) if method == "codex/event/already-buffered"
+            slow_message.message,
+            OutgoingMessage::AppServerNotification(ServerNotification::ConfigWarning(
+                ConfigWarningNotification { summary, .. }
+            )) if summary == "already-buffered"
         ));
     }
 
@@ -1312,11 +1002,15 @@ mod tests {
         let connection_id = ConnectionId(3);
         let (writer_tx, mut writer_rx) = mpsc::channel(1);
         writer_tx
-            .send(OutgoingMessage::Notification(
-                crate::outgoing_message::OutgoingNotification {
-                    method: "queued".to_string(),
-                    params: None,
-                },
+            .send(QueuedOutgoingMessage::new(
+                OutgoingMessage::AppServerNotification(ServerNotification::ConfigWarning(
+                    ConfigWarningNotification {
+                        summary: "queued".to_string(),
+                        details: None,
+                        path: None,
+                        range: None,
+                    },
+                )),
             ))
             .await
             .expect("channel should accept the first queued message");
@@ -1329,7 +1023,6 @@ mod tests {
                 Arc::new(AtomicBool::new(true)),
                 Arc::new(AtomicBool::new(true)),
                 Arc::new(RwLock::new(HashSet::new())),
-                false,
                 None,
             ),
         );
@@ -1339,12 +1032,15 @@ mod tests {
                 &mut connections,
                 OutgoingEnvelope::ToConnection {
                     connection_id,
-                    message: OutgoingMessage::Notification(
-                        crate::outgoing_message::OutgoingNotification {
-                            method: "second".to_string(),
-                            params: None,
-                        },
+                    message: OutgoingMessage::AppServerNotification(
+                        ServerNotification::ConfigWarning(ConfigWarningNotification {
+                            summary: "second".to_string(),
+                            details: None,
+                            path: None,
+                            range: None,
+                        }),
                     ),
+                    write_complete_tx: None,
                 },
             )
             .await
@@ -1356,20 +1052,23 @@ mod tests {
             .expect("first queued message should exist");
         timeout(Duration::from_millis(100), route_task)
             .await
-            .expect("routing should finish immediately when legacy notifications are dropped")
+            .expect("routing should finish after the first queued message is drained")
             .expect("routing task should succeed");
 
         assert!(matches!(
-            first,
-            OutgoingMessage::Notification(crate::outgoing_message::OutgoingNotification {
-                method,
-                params: None,
-            }) if method == "queued"
+            first.message,
+            OutgoingMessage::AppServerNotification(ServerNotification::ConfigWarning(
+                ConfigWarningNotification { summary, .. }
+            )) if summary == "queued"
         ));
+        let second = writer_rx
+            .try_recv()
+            .expect("second notification should be delivered once the queue has room");
         assert!(matches!(
-            writer_rx.try_recv(),
-            Err(tokio::sync::mpsc::error::TryRecvError::Empty)
-                | Err(tokio::sync::mpsc::error::TryRecvError::Disconnected)
+            second.message,
+            OutgoingMessage::AppServerNotification(ServerNotification::ConfigWarning(
+                ConfigWarningNotification { summary, .. }
+            )) if summary == "second"
         ));
     }
 }

codex-rs/app-server/src/transport/stdio.rs

@@ -0,0 +1,88 @@
+use super::CHANNEL_CAPACITY;
+use super::TransportEvent;
+use super::forward_incoming_message;
+use super::serialize_outgoing_message;
+use crate::outgoing_message::ConnectionId;
+use crate::outgoing_message::QueuedOutgoingMessage;
+use std::io::ErrorKind;
+use std::io::Result as IoResult;
+use tokio::io;
+use tokio::io::AsyncBufReadExt;
+use tokio::io::AsyncWriteExt;
+use tokio::io::BufReader;
+use tokio::sync::mpsc;
+use tokio::task::JoinHandle;
+use tracing::debug;
+use tracing::error;
+use tracing::info;
+
+pub(crate) async fn start_stdio_connection(
+    transport_event_tx: mpsc::Sender<TransportEvent>,
+    stdio_handles: &mut Vec<JoinHandle<()>>,
+) -> IoResult<()> {
+    let connection_id = ConnectionId(0);
+    let (writer_tx, mut writer_rx) = mpsc::channel::<QueuedOutgoingMessage>(CHANNEL_CAPACITY);
+    let writer_tx_for_reader = writer_tx.clone();
+    transport_event_tx
+        .send(TransportEvent::ConnectionOpened {
+            connection_id,
+            writer: writer_tx,
+            disconnect_sender: None,
+        })
+        .await
+        .map_err(|_| std::io::Error::new(ErrorKind::BrokenPipe, "processor unavailable"))?;
+
+    let transport_event_tx_for_reader = transport_event_tx.clone();
+    stdio_handles.push(tokio::spawn(async move {
+        let stdin = io::stdin();
+        let reader = BufReader::new(stdin);
+        let mut lines = reader.lines();
+
+        loop {
+            match lines.next_line().await {
+                Ok(Some(line)) => {
+                    if !forward_incoming_message(
+                        &transport_event_tx_for_reader,
+                        &writer_tx_for_reader,
+                        connection_id,
+                        &line,
+                    )
+                    .await
+                    {
+                        break;
+                    }
+                }
+                Ok(None) => break,
+                Err(err) => {
+                    error!("Failed reading stdin: {err}");
+                    break;
+                }
+            }
+        }
+
+        let _ = transport_event_tx_for_reader
+            .send(TransportEvent::ConnectionClosed { connection_id })
+            .await;
+        debug!("stdin reader finished (EOF)");
+    }));
+
+    stdio_handles.push(tokio::spawn(async move {
+        let mut stdout = io::stdout();
+        while let Some(queued_message) = writer_rx.recv().await {
+            let Some(mut json) = serialize_outgoing_message(queued_message.message) else {
+                continue;
+            };
+            json.push('\n');
+            if let Err(err) = stdout.write_all(json.as_bytes()).await {
+                error!("Failed to write to stdout: {err}");
+                break;
+            }
+            if let Some(write_complete_tx) = queued_message.write_complete_tx {
+                let _ = write_complete_tx.send(());
+            }
+        }
+        info!("stdout writer exited (channel closed)");
+    }));
+
+    Ok(())
+}

codex-rs/app-server/src/transport/websocket.rs

@@ -0,0 +1,308 @@
+use super::CHANNEL_CAPACITY;
+use super::TransportEvent;
+use super::auth::WebsocketAuthPolicy;
+use super::auth::authorize_upgrade;
+use super::auth::should_warn_about_unauthenticated_non_loopback_listener;
+use super::forward_incoming_message;
+use super::serialize_outgoing_message;
+use crate::outgoing_message::ConnectionId;
+use crate::outgoing_message::QueuedOutgoingMessage;
+use axum::Router;
+use axum::body::Body;
+use axum::extract::ConnectInfo;
+use axum::extract::State;
+use axum::extract::ws::Message as WebSocketMessage;
+use axum::extract::ws::WebSocket;
+use axum::extract::ws::WebSocketUpgrade;
+use axum::http::HeaderMap;
+use axum::http::Request;
+use axum::http::StatusCode;
+use axum::http::header::ORIGIN;
+use axum::middleware;
+use axum::middleware::Next;
+use axum::response::IntoResponse;
+use axum::response::Response;
+use axum::routing::any;
+use axum::routing::get;
+use futures::SinkExt;
+use futures::StreamExt;
+use owo_colors::OwoColorize;
+use owo_colors::Stream;
+use owo_colors::Style;
+use std::io::Result as IoResult;
+use std::net::SocketAddr;
+use std::sync::Arc;
+use std::sync::atomic::AtomicU64;
+use std::sync::atomic::Ordering;
+use tokio::net::TcpListener;
+use tokio::sync::mpsc;
+use tokio::task::JoinHandle;
+use tokio_util::sync::CancellationToken;
+use tracing::error;
+use tracing::info;
+use tracing::warn;
+
+fn colorize(text: &str, style: Style) -> String {
+    text.if_supports_color(Stream::Stderr, |value| value.style(style))
+        .to_string()
+}
+
+#[allow(clippy::print_stderr)]
+fn print_websocket_startup_banner(addr: SocketAddr) {
+    let title = colorize("codex app-server (WebSockets)", Style::new().bold().cyan());
+    let listening_label = colorize("listening on:", Style::new().dimmed());
+    let listen_url = colorize(&format!("ws://{addr}"), Style::new().green());
+    let ready_label = colorize("readyz:", Style::new().dimmed());
+    let ready_url = colorize(&format!("http://{addr}/readyz"), Style::new().green());
+    let health_label = colorize("healthz:", Style::new().dimmed());
+    let health_url = colorize(&format!("http://{addr}/healthz"), Style::new().green());
+    let note_label = colorize("note:", Style::new().dimmed());
+    eprintln!("{title}");
+    eprintln!("  {listening_label} {listen_url}");
+    eprintln!("  {ready_label} {ready_url}");
+    eprintln!("  {health_label} {health_url}");
+    if addr.ip().is_loopback() {
+        eprintln!(
+            "  {note_label} binds localhost only (use SSH port-forwarding for remote access)"
+        );
+    } else {
+        eprintln!(
+            "  {note_label} websocket auth is opt-in in this build; configure `--ws-auth ...` before real remote use"
+        );
+    }
+}
+
+#[derive(Clone)]
+struct WebSocketListenerState {
+    transport_event_tx: mpsc::Sender<TransportEvent>,
+    connection_counter: Arc<AtomicU64>,
+    auth_policy: Arc<WebsocketAuthPolicy>,
+}
+
+async fn health_check_handler() -> StatusCode {
+    StatusCode::OK
+}
+
+async fn reject_requests_with_origin_header(
+    request: Request<Body>,
+    next: Next,
+) -> Result<Response, StatusCode> {
+    if request.headers().contains_key(ORIGIN) {
+        warn!(
+            method = %request.method(),
+            uri = %request.uri(),
+            "rejecting websocket listener request with Origin header"
+        );
+        Err(StatusCode::FORBIDDEN)
+    } else {
+        Ok(next.run(request).await)
+    }
+}
+
+async fn websocket_upgrade_handler(
+    websocket: WebSocketUpgrade,
+    ConnectInfo(peer_addr): ConnectInfo<SocketAddr>,
+    State(state): State<WebSocketListenerState>,
+    headers: HeaderMap,
+) -> impl IntoResponse {
+    if let Err(err) = authorize_upgrade(&headers, state.auth_policy.as_ref()) {
+        warn!(
+            %peer_addr,
+            message = err.message(),
+            "rejecting websocket client during upgrade"
+        );
+        return (err.status_code(), err.message()).into_response();
+    }
+    let connection_id = ConnectionId(state.connection_counter.fetch_add(1, Ordering::Relaxed));
+    info!(%peer_addr, "websocket client connected");
+    websocket
+        .on_upgrade(move |stream| async move {
+            run_websocket_connection(connection_id, stream, state.transport_event_tx).await;
+        })
+        .into_response()
+}
+
+pub(crate) async fn start_websocket_acceptor(
+    bind_address: SocketAddr,
+    transport_event_tx: mpsc::Sender<TransportEvent>,
+    shutdown_token: CancellationToken,
+    auth_policy: WebsocketAuthPolicy,
+) -> IoResult<JoinHandle<()>> {
+    if should_warn_about_unauthenticated_non_loopback_listener(bind_address, &auth_policy) {
+        warn!(
+            %bind_address,
+            "starting non-loopback websocket listener without auth; websocket auth is opt-in for now and will become the default in a future release"
+        );
+    }
+    let listener = TcpListener::bind(bind_address).await?;
+    let local_addr = listener.local_addr()?;
+    print_websocket_startup_banner(local_addr);
+    info!("app-server websocket listening on ws://{local_addr}");
+
+    let router = Router::new()
+        .route("/readyz", get(health_check_handler))
+        .route("/healthz", get(health_check_handler))
+        .fallback(any(websocket_upgrade_handler))
+        .layer(middleware::from_fn(reject_requests_with_origin_header))
+        .with_state(WebSocketListenerState {
+            transport_event_tx,
+            connection_counter: Arc::new(AtomicU64::new(1)),
+            auth_policy: Arc::new(auth_policy),
+        });
+    let server = axum::serve(
+        listener,
+        router.into_make_service_with_connect_info::<SocketAddr>(),
+    )
+    .with_graceful_shutdown(async move {
+        shutdown_token.cancelled().await;
+    });
+    Ok(tokio::spawn(async move {
+        if let Err(err) = server.await {
+            error!("websocket acceptor failed: {err}");
+        }
+        info!("websocket acceptor shutting down");
+    }))
+}
+
+async fn run_websocket_connection(
+    connection_id: ConnectionId,
+    websocket_stream: WebSocket,
+    transport_event_tx: mpsc::Sender<TransportEvent>,
+) {
+    let (writer_tx, writer_rx) = mpsc::channel::<QueuedOutgoingMessage>(CHANNEL_CAPACITY);
+    let writer_tx_for_reader = writer_tx.clone();
+    let disconnect_token = CancellationToken::new();
+    if transport_event_tx
+        .send(TransportEvent::ConnectionOpened {
+            connection_id,
+            writer: writer_tx,
+            disconnect_sender: Some(disconnect_token.clone()),
+        })
+        .await
+        .is_err()
+    {
+        return;
+    }
+
+    let (websocket_writer, websocket_reader) = websocket_stream.split();
+    let (writer_control_tx, writer_control_rx) =
+        mpsc::channel::<WebSocketMessage>(CHANNEL_CAPACITY);
+    let mut outbound_task = tokio::spawn(run_websocket_outbound_loop(
+        websocket_writer,
+        writer_rx,
+        writer_control_rx,
+        disconnect_token.clone(),
+    ));
+    let mut inbound_task = tokio::spawn(run_websocket_inbound_loop(
+        websocket_reader,
+        transport_event_tx.clone(),
+        writer_tx_for_reader,
+        writer_control_tx,
+        connection_id,
+        disconnect_token.clone(),
+    ));
+
+    tokio::select! {
+        _ = &mut outbound_task => {
+            disconnect_token.cancel();
+            inbound_task.abort();
+        }
+        _ = &mut inbound_task => {
+            disconnect_token.cancel();
+            outbound_task.abort();
+        }
+    }
+
+    let _ = transport_event_tx
+        .send(TransportEvent::ConnectionClosed { connection_id })
+        .await;
+}
+
+async fn run_websocket_outbound_loop(
+    mut websocket_writer: futures::stream::SplitSink<WebSocket, WebSocketMessage>,
+    mut writer_rx: mpsc::Receiver<QueuedOutgoingMessage>,
+    mut writer_control_rx: mpsc::Receiver<WebSocketMessage>,
+    disconnect_token: CancellationToken,
+) {
+    loop {
+        tokio::select! {
+            _ = disconnect_token.cancelled() => {
+                break;
+            }
+            message = writer_control_rx.recv() => {
+                let Some(message) = message else {
+                    break;
+                };
+                if websocket_writer.send(message).await.is_err() {
+                    break;
+                }
+            }
+            queued_message = writer_rx.recv() => {
+                let Some(queued_message) = queued_message else {
+                    break;
+                };
+                let Some(json) = serialize_outgoing_message(queued_message.message) else {
+                    continue;
+                };
+                if websocket_writer.send(WebSocketMessage::Text(json.into())).await.is_err() {
+                    break;
+                }
+                if let Some(write_complete_tx) = queued_message.write_complete_tx {
+                    let _ = write_complete_tx.send(());
+                }
+            }
+        }
+    }
+}
+
+async fn run_websocket_inbound_loop(
+    mut websocket_reader: futures::stream::SplitStream<WebSocket>,
+    transport_event_tx: mpsc::Sender<TransportEvent>,
+    writer_tx_for_reader: mpsc::Sender<QueuedOutgoingMessage>,
+    writer_control_tx: mpsc::Sender<WebSocketMessage>,
+    connection_id: ConnectionId,
+    disconnect_token: CancellationToken,
+) {
+    loop {
+        tokio::select! {
+            _ = disconnect_token.cancelled() => {
+                break;
+            }
+            incoming_message = websocket_reader.next() => {
+                match incoming_message {
+                    Some(Ok(WebSocketMessage::Text(text))) => {
+                        if !forward_incoming_message(
+                            &transport_event_tx,
+                            &writer_tx_for_reader,
+                            connection_id,
+                            text.as_ref(),
+                        )
+                        .await
+                        {
+                            break;
+                        }
+                    }
+                    Some(Ok(WebSocketMessage::Ping(payload))) => {
+                        match writer_control_tx.try_send(WebSocketMessage::Pong(payload)) {
+                            Ok(()) => {}
+                            Err(tokio::sync::mpsc::error::TrySendError::Closed(_)) => break,
+                            Err(tokio::sync::mpsc::error::TrySendError::Full(_)) => {
+                                warn!("websocket control queue full while replying to ping; closing connection");
+                                break;
+                            }
+                        }
+                    }
+                    Some(Ok(WebSocketMessage::Pong(_))) => {}
+                    Some(Ok(WebSocketMessage::Close(_))) | None => break,
+                    Some(Ok(WebSocketMessage::Binary(_))) => {
+                        warn!("dropping unsupported binary websocket message");
+                    }
+                    Some(Err(err)) => {
+                        warn!("websocket receive error: {err}");
+                        break;
+                    }
+                }
+            }
+        }
+    }
+}

codex-rs/app-server/tests/common/Cargo.toml

@@ -14,6 +14,7 @@ chrono = { workspace = true }
 codex-app-server-protocol = { workspace = true }
 codex-core = { workspace = true }
 codex-features = { workspace = true }
+codex-login = { workspace = true }
 codex-protocol = { workspace = true }
 codex-utils-cargo-bin = { workspace = true }
 serde = { workspace = true }

codex-rs/app-server/tests/common/auth_fixtures.rs

@@ -10,8 +10,8 @@ use codex_app_server_protocol::AuthMode;
 use codex_core::auth::AuthCredentialsStoreMode;
 use codex_core::auth::AuthDotJson;
 use codex_core::auth::save_auth;
-use codex_core::token_data::TokenData;
-use codex_core::token_data::parse_chatgpt_jwt_claims;
+use codex_login::token_data::TokenData;
+use codex_login::token_data::parse_chatgpt_jwt_claims;
 use serde_json::json;
 
 /// Builder for writing a fake ChatGPT auth.json in tests.

codex-rs/app-server/tests/common/mcp_process.rs

@@ -31,6 +31,8 @@ use codex_app_server_protocol::FsGetMetadataParams;
 use codex_app_server_protocol::FsReadDirectoryParams;
 use codex_app_server_protocol::FsReadFileParams;
 use codex_app_server_protocol::FsRemoveParams;
+use codex_app_server_protocol::FsUnwatchParams;
+use codex_app_server_protocol::FsWatchParams;
 use codex_app_server_protocol::FsWriteFileParams;
 use codex_app_server_protocol::GetAccountParams;
 use codex_app_server_protocol::GetAuthStatusParams;
@@ -463,6 +465,16 @@ impl McpProcess {
         self.send_request("experimentalFeature/list", params).await
     }
 
+    /// Send an `experimentalFeature/enablement/set` JSON-RPC request.
+    pub async fn send_experimental_feature_enablement_set_request(
+        &mut self,
+        params: codex_app_server_protocol::ExperimentalFeatureEnablementSetParams,
+    ) -> anyhow::Result<i64> {
+        let params = Some(serde_json::to_value(params)?);
+        self.send_request("experimentalFeature/enablement/set", params)
+            .await
+    }
+
     /// Send an `app/list` JSON-RPC request.
     pub async fn send_apps_list_request(&mut self, params: AppsListParams) -> anyhow::Result<i64> {
         let params = Some(serde_json::to_value(params)?);
@@ -790,6 +802,19 @@ impl McpProcess {
         self.send_request("fs/copy", params).await
     }
 
+    pub async fn send_fs_watch_request(&mut self, params: FsWatchParams) -> anyhow::Result<i64> {
+        let params = Some(serde_json::to_value(params)?);
+        self.send_request("fs/watch", params).await
+    }
+
+    pub async fn send_fs_unwatch_request(
+        &mut self,
+        params: FsUnwatchParams,
+    ) -> anyhow::Result<i64> {
+        let params = Some(serde_json::to_value(params)?);
+        self.send_request("fs/unwatch", params).await
+    }
+
     /// Send an `account/logout` JSON-RPC request.
     pub async fn send_logout_account_request(&mut self) -> anyhow::Result<i64> {
         self.send_request("account/logout", /*params*/ None).await

codex-rs/app-server/tests/suite/auth.rs

@@ -1,6 +1,10 @@
 use anyhow::Result;
+use app_test_support::ChatGptAuthFixture;
 use app_test_support::McpProcess;
 use app_test_support::to_response;
+use app_test_support::write_chatgpt_auth;
+use chrono::Duration;
+use chrono::Utc;
 use codex_app_server_protocol::AuthMode;
 use codex_app_server_protocol::GetAuthStatusParams;
 use codex_app_server_protocol::GetAuthStatusResponse;
@@ -8,10 +12,17 @@ use codex_app_server_protocol::JSONRPCError;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::LoginAccountResponse;
 use codex_app_server_protocol::RequestId;
+use codex_core::auth::AuthCredentialsStoreMode;
+use codex_core::auth::REFRESH_TOKEN_URL_OVERRIDE_ENV_VAR;
 use pretty_assertions::assert_eq;
 use std::path::Path;
 use tempfile::TempDir;
 use tokio::time::timeout;
+use wiremock::Mock;
+use wiremock::MockServer;
+use wiremock::ResponseTemplate;
+use wiremock::matchers::method;
+use wiremock::matchers::path;
 
 const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
 
@@ -207,6 +218,288 @@ async fn get_auth_status_with_api_key_no_include_token() -> Result<()> {
     Ok(())
 }
 
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn get_auth_status_with_api_key_refresh_requested() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_config_toml(codex_home.path())?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    login_with_api_key_via_request(&mut mcp, "sk-test-key").await?;
+
+    let request_id = mcp
+        .send_get_auth_status_request(GetAuthStatusParams {
+            include_token: Some(true),
+            refresh_token: Some(true),
+        })
+        .await?;
+
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
+    )
+    .await??;
+    let status: GetAuthStatusResponse = to_response(resp)?;
+    assert_eq!(
+        status,
+        GetAuthStatusResponse {
+            auth_method: Some(AuthMode::ApiKey),
+            auth_token: Some("sk-test-key".to_string()),
+            requires_openai_auth: Some(true),
+        }
+    );
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn get_auth_status_omits_token_after_permanent_refresh_failure() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_config_toml(codex_home.path())?;
+    write_chatgpt_auth(
+        codex_home.path(),
+        ChatGptAuthFixture::new("stale-access-token")
+            .refresh_token("stale-refresh-token")
+            .account_id("acct_123")
+            .email("user@example.com")
+            .plan_type("pro"),
+        AuthCredentialsStoreMode::File,
+    )?;
+
+    let server = MockServer::start().await;
+    Mock::given(method("POST"))
+        .and(path("/oauth/token"))
+        .respond_with(ResponseTemplate::new(401).set_body_json(serde_json::json!({
+            "error": {
+                "code": "refresh_token_reused"
+            }
+        })))
+        .expect(1)
+        .mount(&server)
+        .await;
+
+    let refresh_url = format!("{}/oauth/token", server.uri());
+    let mut mcp = McpProcess::new_with_env(
+        codex_home.path(),
+        &[
+            ("OPENAI_API_KEY", None),
+            (
+                REFRESH_TOKEN_URL_OVERRIDE_ENV_VAR,
+                Some(refresh_url.as_str()),
+            ),
+        ],
+    )
+    .await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let request_id = mcp
+        .send_get_auth_status_request(GetAuthStatusParams {
+            include_token: Some(true),
+            refresh_token: Some(true),
+        })
+        .await?;
+
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
+    )
+    .await??;
+    let status: GetAuthStatusResponse = to_response(resp)?;
+    assert_eq!(
+        status,
+        GetAuthStatusResponse {
+            auth_method: Some(AuthMode::Chatgpt),
+            auth_token: None,
+            requires_openai_auth: Some(true),
+        }
+    );
+
+    let second_request_id = mcp
+        .send_get_auth_status_request(GetAuthStatusParams {
+            include_token: Some(true),
+            refresh_token: Some(true),
+        })
+        .await?;
+
+    let second_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(second_request_id)),
+    )
+    .await??;
+    let second_status: GetAuthStatusResponse = to_response(second_resp)?;
+    assert_eq!(second_status, status);
+
+    server.verify().await;
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn get_auth_status_omits_token_after_proactive_refresh_failure() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_config_toml(codex_home.path())?;
+    write_chatgpt_auth(
+        codex_home.path(),
+        ChatGptAuthFixture::new("stale-access-token")
+            .refresh_token("stale-refresh-token")
+            .account_id("acct_123")
+            .email("user@example.com")
+            .plan_type("pro")
+            .last_refresh(Some(Utc::now() - Duration::days(9))),
+        AuthCredentialsStoreMode::File,
+    )?;
+
+    let server = MockServer::start().await;
+    Mock::given(method("POST"))
+        .and(path("/oauth/token"))
+        .respond_with(ResponseTemplate::new(401).set_body_json(serde_json::json!({
+            "error": {
+                "code": "refresh_token_reused"
+            }
+        })))
+        .expect(2)
+        .mount(&server)
+        .await;
+
+    let refresh_url = format!("{}/oauth/token", server.uri());
+    let mut mcp = McpProcess::new_with_env(
+        codex_home.path(),
+        &[
+            ("OPENAI_API_KEY", None),
+            (
+                REFRESH_TOKEN_URL_OVERRIDE_ENV_VAR,
+                Some(refresh_url.as_str()),
+            ),
+        ],
+    )
+    .await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let request_id = mcp
+        .send_get_auth_status_request(GetAuthStatusParams {
+            include_token: Some(true),
+            refresh_token: Some(false),
+        })
+        .await?;
+
+    let resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
+    )
+    .await??;
+    let status: GetAuthStatusResponse = to_response(resp)?;
+    assert_eq!(
+        status,
+        GetAuthStatusResponse {
+            auth_method: Some(AuthMode::Chatgpt),
+            auth_token: None,
+            requires_openai_auth: Some(true),
+        }
+    );
+
+    server.verify().await;
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn get_auth_status_returns_token_after_proactive_refresh_recovery() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    create_config_toml(codex_home.path())?;
+    write_chatgpt_auth(
+        codex_home.path(),
+        ChatGptAuthFixture::new("stale-access-token")
+            .refresh_token("stale-refresh-token")
+            .account_id("acct_123")
+            .email("user@example.com")
+            .plan_type("pro")
+            .last_refresh(Some(Utc::now() - Duration::days(9))),
+        AuthCredentialsStoreMode::File,
+    )?;
+
+    let server = MockServer::start().await;
+    Mock::given(method("POST"))
+        .and(path("/oauth/token"))
+        .respond_with(ResponseTemplate::new(401).set_body_json(serde_json::json!({
+            "error": {
+                "code": "refresh_token_reused"
+            }
+        })))
+        .expect(2)
+        .mount(&server)
+        .await;
+
+    let refresh_url = format!("{}/oauth/token", server.uri());
+    let mut mcp = McpProcess::new_with_env(
+        codex_home.path(),
+        &[
+            ("OPENAI_API_KEY", None),
+            (
+                REFRESH_TOKEN_URL_OVERRIDE_ENV_VAR,
+                Some(refresh_url.as_str()),
+            ),
+        ],
+    )
+    .await?;
+    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
+
+    let failed_request_id = mcp
+        .send_get_auth_status_request(GetAuthStatusParams {
+            include_token: Some(true),
+            refresh_token: Some(true),
+        })
+        .await?;
+
+    let failed_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(failed_request_id)),
+    )
+    .await??;
+    let failed_status: GetAuthStatusResponse = to_response(failed_resp)?;
+    assert_eq!(
+        failed_status,
+        GetAuthStatusResponse {
+            auth_method: Some(AuthMode::Chatgpt),
+            auth_token: None,
+            requires_openai_auth: Some(true),
+        }
+    );
+
+    write_chatgpt_auth(
+        codex_home.path(),
+        ChatGptAuthFixture::new("recovered-access-token")
+            .refresh_token("recovered-refresh-token")
+            .account_id("acct_123")
+            .email("user@example.com")
+            .plan_type("pro")
+            .last_refresh(Some(Utc::now())),
+        AuthCredentialsStoreMode::File,
+    )?;
+
+    let recovered_request_id = mcp
+        .send_get_auth_status_request(GetAuthStatusParams {
+            include_token: Some(true),
+            refresh_token: Some(false),
+        })
+        .await?;
+
+    let recovered_resp: JSONRPCResponse = timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(recovered_request_id)),
+    )
+    .await??;
+    let recovered_status: GetAuthStatusResponse = to_response(recovered_resp)?;
+    assert_eq!(
+        recovered_status,
+        GetAuthStatusResponse {
+            auth_method: Some(AuthMode::Chatgpt),
+            auth_token: Some("recovered-access-token".to_string()),
+            requires_openai_auth: Some(true),
+        }
+    );
+
+    server.verify().await;
+    Ok(())
+}
+
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
 async fn login_api_key_rejected_when_forced_chatgpt() -> Result<()> {
     let codex_home = TempDir::new()?;

codex-rs/app-server/tests/suite/bash

@@ -1,75 +0,0 @@
-#!/usr/bin/env dotslash
-
-// This is an instance of the fork of Bash that we bundle with
-// https://www.npmjs.com/package/@openai/codex-shell-tool-mcp.
-// Fetching the prebuilt version via DotSlash makes it easier to write
-// integration tests for shell execution flows.
-//
-// TODO(mbolin): Currently, we use a .tgz artifact that includes binaries for
-// multiple platforms, but we could save a bit of space by making arch-specific
-// artifacts available in the GitHub releases and referencing those here.
-{
-  "name": "codex-bash",
-  "platforms": {
-    // macOS 13 builds (and therefore x86_64) were dropped in
-    // https://github.com/openai/codex/pull/7295, so we only provide an
-    // Apple Silicon build for now.
-    "macos-aarch64": {
-      "size": 37003612,
-      "hash": "blake3",
-      "digest": "d9cd5928c993b65c340507931c61c02bd6e9179933f8bf26a548482bb5fa53bb",
-      "format": "tar.gz",
-      "path": "package/vendor/aarch64-apple-darwin/bash/macos-15/bash",
-      "providers": [
-        {
-          "url": "https://github.com/openai/codex/releases/download/rust-v0.65.0/codex-shell-tool-mcp-npm-0.65.0.tgz"
-        },
-        {
-          "type": "github-release",
-          "repo": "openai/codex",
-          "tag": "rust-v0.65.0",
-          "name": "codex-shell-tool-mcp-npm-0.65.0.tgz"
-        }
-      ]
-    },
-    // Note the `musl` parts of the Linux paths are misleading: the Bash
-    // binaries are actually linked against `glibc`, but the
-    // `codex-execve-wrapper` that invokes them is linked against `musl`.
-    "linux-x86_64": {
-      "size": 37003612,
-      "hash": "blake3",
-      "digest": "d9cd5928c993b65c340507931c61c02bd6e9179933f8bf26a548482bb5fa53bb",
-      "format": "tar.gz",
-      "path": "package/vendor/x86_64-unknown-linux-musl/bash/ubuntu-24.04/bash",
-      "providers": [
-        {
-          "url": "https://github.com/openai/codex/releases/download/rust-v0.65.0/codex-shell-tool-mcp-npm-0.65.0.tgz"
-        },
-        {
-          "type": "github-release",
-          "repo": "openai/codex",
-          "tag": "rust-v0.65.0",
-          "name": "codex-shell-tool-mcp-npm-0.65.0.tgz"
-        }
-      ]
-    },
-    "linux-aarch64": {
-      "size": 37003612,
-      "hash": "blake3",
-      "digest": "d9cd5928c993b65c340507931c61c02bd6e9179933f8bf26a548482bb5fa53bb",
-      "format": "tar.gz",
-      "path": "package/vendor/aarch64-unknown-linux-musl/bash/ubuntu-24.04/bash",
-      "providers": [
-        {
-          "url": "https://github.com/openai/codex/releases/download/rust-v0.65.0/codex-shell-tool-mcp-npm-0.65.0.tgz"
-        },
-        {
-          "type": "github-release",
-          "repo": "openai/codex",
-          "tag": "rust-v0.65.0",
-          "name": "codex-shell-tool-mcp-npm-0.65.0.tgz"
-        }
-      ]
-    },
-  }
-}

codex-rs/app-server/tests/suite/v2/app_list.rs

@@ -1,4 +1,5 @@
 use std::borrow::Cow;
+use std::collections::BTreeMap;
 use std::collections::HashMap;
 use std::sync::Arc;
 use std::sync::Mutex as StdMutex;
@@ -27,6 +28,7 @@ use codex_app_server_protocol::AppScreenshot;
 use codex_app_server_protocol::AppsListParams;
 use codex_app_server_protocol::AppsListResponse;
 use codex_app_server_protocol::AuthMode;
+use codex_app_server_protocol::ExperimentalFeatureEnablementSetParams;
 use codex_app_server_protocol::JSONRPCError;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::RequestId;
@@ -1201,6 +1203,108 @@ async fn list_apps_force_refetch_patches_updates_from_cached_snapshots() -> Resu
     Ok(())
 }
 
+#[tokio::test]
+async fn experimental_feature_enablement_set_refreshes_apps_list_when_apps_turn_on() -> Result<()> {
+    let initial_connectors = vec![AppInfo {
+        id: "alpha".to_string(),
+        name: "Alpha".to_string(),
+        description: Some("Alpha v1".to_string()),
+        logo_url: None,
+        logo_url_dark: None,
+        distribution_channel: None,
+        branding: None,
+        app_metadata: None,
+        labels: None,
+        install_url: None,
+        is_accessible: false,
+        is_enabled: true,
+        plugin_display_names: Vec::new(),
+    }];
+    let (server_url, server_handle, server_control) = start_apps_server_with_delays_and_control(
+        initial_connectors,
+        Vec::new(),
+        Duration::ZERO,
+        Duration::ZERO,
+    )
+    .await?;
+
+    let codex_home = TempDir::new()?;
+    write_connectors_config(codex_home.path(), &server_url)?;
+    write_chatgpt_auth(
+        codex_home.path(),
+        ChatGptAuthFixture::new("chatgpt-token")
+            .account_id("account-123")
+            .chatgpt_user_id("user-enable-refresh")
+            .chatgpt_account_id("account-123"),
+        AuthCredentialsStoreMode::File,
+    )?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;
+
+    let disable_request = mcp
+        .send_experimental_feature_enablement_set_request(ExperimentalFeatureEnablementSetParams {
+            enablement: BTreeMap::from([("apps".to_string(), false)]),
+        })
+        .await?;
+    let _disable_response: JSONRPCResponse = timeout(
+        DEFAULT_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(disable_request)),
+    )
+    .await??;
+
+    server_control.set_connectors(vec![AppInfo {
+        id: "alpha".to_string(),
+        name: "Alpha".to_string(),
+        description: Some("Alpha v2".to_string()),
+        logo_url: None,
+        logo_url_dark: None,
+        distribution_channel: None,
+        branding: None,
+        app_metadata: None,
+        labels: None,
+        install_url: None,
+        is_accessible: false,
+        is_enabled: true,
+        plugin_display_names: Vec::new(),
+    }]);
+    server_control.set_tools(vec![connector_tool("alpha", "Alpha App")?]);
+
+    let enable_request = mcp
+        .send_experimental_feature_enablement_set_request(ExperimentalFeatureEnablementSetParams {
+            enablement: BTreeMap::from([("apps".to_string(), true)]),
+        })
+        .await?;
+    let _enable_response: JSONRPCResponse = timeout(
+        DEFAULT_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(enable_request)),
+    )
+    .await??;
+
+    let update = read_app_list_updated_notification(&mut mcp).await?;
+    assert_eq!(
+        update.data,
+        vec![AppInfo {
+            id: "alpha".to_string(),
+            name: "Alpha".to_string(),
+            description: Some("Alpha v2".to_string()),
+            logo_url: None,
+            logo_url_dark: None,
+            distribution_channel: None,
+            branding: None,
+            app_metadata: None,
+            labels: None,
+            install_url: Some("https://chatgpt.com/apps/alpha/alpha".to_string()),
+            is_accessible: true,
+            is_enabled: true,
+            plugin_display_names: Vec::new(),
+        }]
+    );
+
+    server_handle.abort();
+    Ok(())
+}
+
 async fn read_app_list_updated_notification(
     mcp: &mut McpProcess,
 ) -> Result<AppListUpdatedNotification> {

codex-rs/app-server/tests/suite/v2/connection_handling_websocket.rs

@@ -2,6 +2,8 @@ use anyhow::Context;
 use anyhow::Result;
 use anyhow::bail;
 use app_test_support::create_mock_responses_server_sequence_unchecked;
+use base64::Engine;
+use base64::engine::general_purpose::URL_SAFE_NO_PAD;
 use codex_app_server_protocol::ClientInfo;
 use codex_app_server_protocol::InitializeParams;
 use codex_app_server_protocol::JSONRPCError;
@@ -12,12 +14,16 @@ use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::RequestId;
 use futures::SinkExt;
 use futures::StreamExt;
+use hmac::Hmac;
+use hmac::Mac;
 use reqwest::StatusCode;
 use serde_json::json;
+use sha2::Sha256;
 use std::net::SocketAddr;
 use std::path::Path;
 use std::process::Stdio;
 use tempfile::TempDir;
+use time::OffsetDateTime;
 use tokio::io::AsyncBufReadExt;
 use tokio::io::BufReader;
 use tokio::process::Child;
@@ -29,15 +35,17 @@ use tokio::time::timeout;
 use tokio_tungstenite::MaybeTlsStream;
 use tokio_tungstenite::WebSocketStream;
 use tokio_tungstenite::connect_async;
-use tokio_tungstenite::tungstenite::Error as WebSocketError;
+use tokio_tungstenite::tungstenite::Error as WsError;
 use tokio_tungstenite::tungstenite::Message as WebSocketMessage;
 use tokio_tungstenite::tungstenite::client::IntoClientRequest;
 use tokio_tungstenite::tungstenite::http::HeaderValue;
+use tokio_tungstenite::tungstenite::http::header::AUTHORIZATION;
 use tokio_tungstenite::tungstenite::http::header::ORIGIN;
 
-pub(super) const DEFAULT_READ_TIMEOUT: Duration = Duration::from_secs(5);
+pub(super) const DEFAULT_READ_TIMEOUT: Duration = Duration::from_secs(10);
 
 pub(super) type WsClient = WebSocketStream<MaybeTlsStream<tokio::net::TcpStream>>;
+type HmacSha256 = Hmac<Sha256>;
 
 #[tokio::test]
 async fn websocket_transport_routes_per_connection_handshake_and_responses() -> Result<()> {
@@ -112,46 +120,26 @@ async fn websocket_transport_serves_health_endpoints_on_same_listener() -> Resul
 }
 
 #[tokio::test]
-async fn websocket_transport_rejects_requests_with_origin_header() -> Result<()> {
+async fn websocket_transport_rejects_browser_origin_without_auth() -> Result<()> {
     let server = create_mock_responses_server_sequence_unchecked(Vec::new()).await;
     let codex_home = TempDir::new()?;
     create_config_toml(codex_home.path(), &server.uri(), "never")?;
 
     let (mut process, bind_addr) = spawn_websocket_server(codex_home.path()).await?;
-    let client = reqwest::Client::new();
 
-    let deadline = Instant::now() + Duration::from_secs(10);
-    let healthz = loop {
-        match client
-            .get(format!("http://{bind_addr}/healthz"))
-            .header(ORIGIN.as_str(), "https://example.com")
-            .send()
-            .await
-            .with_context(|| format!("failed to GET http://{bind_addr}/healthz with Origin header"))
-        {
-            Ok(response) => break response,
-            Err(err) => {
-                if Instant::now() >= deadline {
-                    bail!("failed to GET http://{bind_addr}/healthz with Origin header: {err}");
-                }
-                sleep(Duration::from_millis(50)).await;
-            }
-        }
-    };
-    assert_eq!(healthz.status(), StatusCode::FORBIDDEN);
+    let mut ws = connect_websocket(bind_addr).await?;
+    send_initialize_request(&mut ws, 1, "ws_loopback_client").await?;
+    let init = read_response_for_id(&mut ws, 1).await?;
+    assert_eq!(init.id, RequestId::Integer(1));
+    drop(ws);
 
-    let url = format!("ws://{bind_addr}");
-    let mut request = url.into_client_request()?;
-    request
-        .headers_mut()
-        .insert(ORIGIN, HeaderValue::from_static("https://example.com"));
-    match connect_async(request).await {
-        Err(WebSocketError::Http(response)) => {
-            assert_eq!(response.status(), StatusCode::FORBIDDEN);
-        }
-        Ok(_) => bail!("expected websocket handshake with Origin header to be rejected"),
-        Err(err) => bail!("expected HTTP rejection for Origin header, got {err}"),
-    }
+    assert_websocket_connect_rejected_with_headers(
+        bind_addr,
+        None,
+        Some("https://evil.example"),
+        StatusCode::FORBIDDEN,
+    )
+    .await?;
 
     process
         .kill()
@@ -160,12 +148,205 @@ async fn websocket_transport_rejects_requests_with_origin_header() -> Result<()>
     Ok(())
 }
 
+#[tokio::test]
+async fn websocket_transport_rejects_missing_and_invalid_capability_tokens() -> Result<()> {
+    let server = create_mock_responses_server_sequence_unchecked(Vec::new()).await;
+    let codex_home = TempDir::new()?;
+    let token_file = codex_home.path().join("app-server-token");
+    std::fs::write(&token_file, "super-secret-token\n")?;
+    create_config_toml(codex_home.path(), &server.uri(), "never")?;
+    let auth_args = vec![
+        "--ws-auth".to_string(),
+        "capability-token".to_string(),
+        "--ws-token-file".to_string(),
+        token_file.display().to_string(),
+    ];
+
+    let (mut process, bind_addr) =
+        spawn_websocket_server_with_args(codex_home.path(), "ws://127.0.0.1:0", &auth_args).await?;
+
+    assert_websocket_connect_rejected(bind_addr, None).await?;
+    assert_websocket_connect_rejected(bind_addr, Some("wrong-token")).await?;
+
+    let mut ws = connect_websocket_with_bearer(bind_addr, Some("super-secret-token")).await?;
+    send_initialize_request(&mut ws, 1, "ws_auth_client").await?;
+    let init = read_response_for_id(&mut ws, 1).await?;
+    assert_eq!(init.id, RequestId::Integer(1));
+
+    process
+        .kill()
+        .await
+        .context("failed to stop websocket app-server process")?;
+    Ok(())
+}
+
+#[tokio::test]
+async fn websocket_transport_verifies_signed_short_lived_bearer_tokens() -> Result<()> {
+    let server = create_mock_responses_server_sequence_unchecked(Vec::new()).await;
+    let codex_home = TempDir::new()?;
+    let shared_secret_file = codex_home.path().join("app-server-signing-secret");
+    let shared_secret = "0123456789abcdef0123456789abcdef";
+    std::fs::write(&shared_secret_file, format!("{shared_secret}\n"))?;
+    create_config_toml(codex_home.path(), &server.uri(), "never")?;
+    let auth_args = vec![
+        "--ws-auth".to_string(),
+        "signed-bearer-token".to_string(),
+        "--ws-shared-secret-file".to_string(),
+        shared_secret_file.display().to_string(),
+        "--ws-issuer".to_string(),
+        "codex-enroller".to_string(),
+        "--ws-audience".to_string(),
+        "codex-app-server".to_string(),
+        "--ws-max-clock-skew-seconds".to_string(),
+        "1".to_string(),
+    ];
+
+    let (mut process, bind_addr) =
+        spawn_websocket_server_with_args(codex_home.path(), "ws://127.0.0.1:0", &auth_args).await?;
+    let expired_token = signed_bearer_token(
+        shared_secret.as_bytes(),
+        json!({
+            "exp": OffsetDateTime::now_utc().unix_timestamp() - 30,
+            "iss": "codex-enroller",
+            "aud": "codex-app-server",
+        }),
+    )?;
+    assert_websocket_connect_rejected(bind_addr, Some(expired_token.as_str())).await?;
+
+    let malformed_token = "not-a-jwt";
+    assert_websocket_connect_rejected(bind_addr, Some(malformed_token)).await?;
+
+    let not_yet_valid_token = signed_bearer_token(
+        shared_secret.as_bytes(),
+        json!({
+            "exp": OffsetDateTime::now_utc().unix_timestamp() + 60,
+            "nbf": OffsetDateTime::now_utc().unix_timestamp() + 30,
+            "iss": "codex-enroller",
+            "aud": "codex-app-server",
+        }),
+    )?;
+    assert_websocket_connect_rejected(bind_addr, Some(not_yet_valid_token.as_str())).await?;
+
+    let wrong_issuer_token = signed_bearer_token(
+        shared_secret.as_bytes(),
+        json!({
+            "exp": OffsetDateTime::now_utc().unix_timestamp() + 60,
+            "iss": "someone-else",
+            "aud": "codex-app-server",
+        }),
+    )?;
+    assert_websocket_connect_rejected(bind_addr, Some(wrong_issuer_token.as_str())).await?;
+
+    let wrong_audience_token = signed_bearer_token(
+        shared_secret.as_bytes(),
+        json!({
+            "exp": OffsetDateTime::now_utc().unix_timestamp() + 60,
+            "iss": "codex-enroller",
+            "aud": "wrong-audience",
+        }),
+    )?;
+    assert_websocket_connect_rejected(bind_addr, Some(wrong_audience_token.as_str())).await?;
+
+    let wrong_signature_token = signed_bearer_token(
+        b"fedcba9876543210fedcba9876543210",
+        json!({
+            "exp": OffsetDateTime::now_utc().unix_timestamp() + 60,
+            "iss": "codex-enroller",
+            "aud": "codex-app-server",
+        }),
+    )?;
+    assert_websocket_connect_rejected(bind_addr, Some(wrong_signature_token.as_str())).await?;
+
+    let valid_token = signed_bearer_token(
+        shared_secret.as_bytes(),
+        json!({
+            "exp": OffsetDateTime::now_utc().unix_timestamp() + 60,
+            "iss": "codex-enroller",
+            "aud": "codex-app-server",
+        }),
+    )?;
+    let mut ws = connect_websocket_with_bearer(bind_addr, Some(valid_token.as_str())).await?;
+    send_initialize_request(&mut ws, 1, "ws_signed_auth_client").await?;
+    let init = read_response_for_id(&mut ws, 1).await?;
+    assert_eq!(init.id, RequestId::Integer(1));
+
+    process
+        .kill()
+        .await
+        .context("failed to stop websocket app-server process")?;
+    Ok(())
+}
+
+#[tokio::test]
+async fn websocket_transport_rejects_short_signed_bearer_secret_configuration() -> Result<()> {
+    let server = create_mock_responses_server_sequence_unchecked(Vec::new()).await;
+    let codex_home = TempDir::new()?;
+    let shared_secret_file = codex_home.path().join("app-server-signing-secret");
+    std::fs::write(&shared_secret_file, "too-short\n")?;
+    create_config_toml(codex_home.path(), &server.uri(), "never")?;
+
+    let output = run_websocket_server_to_completion_with_args(
+        codex_home.path(),
+        "ws://127.0.0.1:0",
+        &[
+            "--ws-auth".to_string(),
+            "signed-bearer-token".to_string(),
+            "--ws-shared-secret-file".to_string(),
+            shared_secret_file.display().to_string(),
+        ],
+    )
+    .await?;
+    assert!(
+        !output.status.success(),
+        "short shared secret should fail websocket server startup"
+    );
+    let stderr = String::from_utf8(output.stderr).context("stderr should be valid utf-8")?;
+    assert!(
+        stderr.contains("must be at least 32 bytes"),
+        "unexpected stderr: {stderr}"
+    );
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn websocket_transport_allows_unauthenticated_non_loopback_startup_by_default() -> Result<()>
+{
+    let server = create_mock_responses_server_sequence_unchecked(Vec::new()).await;
+    let codex_home = TempDir::new()?;
+    create_config_toml(codex_home.path(), &server.uri(), "never")?;
+
+    let (mut process, bind_addr) =
+        spawn_websocket_server_with_args(codex_home.path(), "ws://0.0.0.0:0", &[]).await?;
+
+    let mut ws = connect_websocket(bind_addr).await?;
+    send_initialize_request(&mut ws, 1, "ws_non_loopback_default_client").await?;
+    let init = read_response_for_id(&mut ws, 1).await?;
+    assert_eq!(init.id, RequestId::Integer(1));
+
+    process
+        .kill()
+        .await
+        .context("failed to stop websocket app-server process")?;
+
+    Ok(())
+}
+
 pub(super) async fn spawn_websocket_server(codex_home: &Path) -> Result<(Child, SocketAddr)> {
+    spawn_websocket_server_with_args(codex_home, "ws://127.0.0.1:0", &[]).await
+}
+
+pub(super) async fn spawn_websocket_server_with_args(
+    codex_home: &Path,
+    listen_url: &str,
+    extra_args: &[String],
+) -> Result<(Child, SocketAddr)> {
     let program = codex_utils_cargo_bin::cargo_bin("codex-app-server")
         .context("should find app-server binary")?;
     let mut cmd = Command::new(program);
     cmd.arg("--listen")
-        .arg("ws://127.0.0.1:0")
+        .arg(listen_url)
+        .args(extra_args)
         .stdin(Stdio::null())
         .stdout(Stdio::null())
         .stderr(Stdio::piped())
@@ -230,10 +411,18 @@ pub(super) async fn spawn_websocket_server(codex_home: &Path) -> Result<(Child,
 }
 
 pub(super) async fn connect_websocket(bind_addr: SocketAddr) -> Result<WsClient> {
-    let url = format!("ws://{bind_addr}");
+    connect_websocket_with_bearer(bind_addr, None).await
+}
+
+pub(super) async fn connect_websocket_with_bearer(
+    bind_addr: SocketAddr,
+    bearer_token: Option<&str>,
+) -> Result<WsClient> {
+    let url = format!("ws://{}", connectable_bind_addr(bind_addr));
+    let request = websocket_request(url.as_str(), bearer_token, None)?;
     let deadline = Instant::now() + Duration::from_secs(10);
     loop {
-        match connect_async(&url).await {
+        match connect_async(request.clone()).await {
             Ok((stream, _response)) => return Ok(stream),
             Err(err) => {
                 if Instant::now() >= deadline {
@@ -245,23 +434,83 @@ pub(super) async fn connect_websocket(bind_addr: SocketAddr) -> Result<WsClient>
     }
 }
 
+async fn assert_websocket_connect_rejected(
+    bind_addr: SocketAddr,
+    bearer_token: Option<&str>,
+) -> Result<()> {
+    assert_websocket_connect_rejected_with_headers(
+        bind_addr,
+        bearer_token,
+        None,
+        StatusCode::UNAUTHORIZED,
+    )
+    .await
+}
+
+async fn assert_websocket_connect_rejected_with_headers(
+    bind_addr: SocketAddr,
+    bearer_token: Option<&str>,
+    origin: Option<&str>,
+    expected_status: StatusCode,
+) -> Result<()> {
+    let url = format!("ws://{}", connectable_bind_addr(bind_addr));
+    let request = websocket_request(url.as_str(), bearer_token, origin)?;
+
+    match connect_async(request).await {
+        Ok((_stream, response)) => {
+            bail!(
+                "expected websocket handshake rejection, got {}",
+                response.status()
+            )
+        }
+        Err(WsError::Http(response)) => {
+            assert_eq!(response.status(), expected_status);
+            Ok(())
+        }
+        Err(err) => bail!("expected http rejection during websocket handshake: {err}"),
+    }
+}
+
+async fn run_websocket_server_to_completion_with_args(
+    codex_home: &Path,
+    listen_url: &str,
+    extra_args: &[String],
+) -> Result<std::process::Output> {
+    let program = codex_utils_cargo_bin::cargo_bin("codex-app-server")
+        .context("should find app-server binary")?;
+    let mut cmd = Command::new(program);
+    cmd.arg("--listen")
+        .arg(listen_url)
+        .args(extra_args)
+        .stdin(Stdio::null())
+        .stdout(Stdio::null())
+        .stderr(Stdio::piped())
+        .env("CODEX_HOME", codex_home)
+        .env("RUST_LOG", "debug");
+    timeout(Duration::from_secs(10), cmd.output())
+        .await
+        .context("timed out waiting for websocket app-server to exit")?
+        .context("failed to run websocket app-server")
+}
+
 async fn http_get(
     client: &reqwest::Client,
     bind_addr: SocketAddr,
     path: &str,
 ) -> Result<reqwest::Response> {
+    let connectable_bind_addr = connectable_bind_addr(bind_addr);
     let deadline = Instant::now() + Duration::from_secs(10);
     loop {
         match client
-            .get(format!("http://{bind_addr}{path}"))
+            .get(format!("http://{connectable_bind_addr}{path}"))
             .send()
             .await
-            .with_context(|| format!("failed to GET http://{bind_addr}{path}"))
+            .with_context(|| format!("failed to GET http://{connectable_bind_addr}{path}"))
         {
             Ok(response) => return Ok(response),
             Err(err) => {
                 if Instant::now() >= deadline {
-                    bail!("failed to GET http://{bind_addr}{path}: {err}");
+                    bail!("failed to GET http://{connectable_bind_addr}{path}: {err}");
                 }
                 sleep(Duration::from_millis(50)).await;
             }
@@ -269,6 +518,30 @@ async fn http_get(
     }
 }
 
+fn websocket_request(
+    url: &str,
+    bearer_token: Option<&str>,
+    origin: Option<&str>,
+) -> Result<tokio_tungstenite::tungstenite::http::Request<()>> {
+    let mut request = url
+        .into_client_request()
+        .context("failed to create websocket request")?;
+    if let Some(bearer_token) = bearer_token {
+        request.headers_mut().insert(
+            AUTHORIZATION,
+            HeaderValue::from_str(&format!("Bearer {bearer_token}"))
+                .context("invalid bearer token header")?,
+        );
+    }
+    if let Some(origin) = origin {
+        request.headers_mut().insert(
+            ORIGIN,
+            HeaderValue::from_str(origin).context("invalid origin header")?,
+        );
+    }
+    Ok(request)
+}
+
 pub(super) async fn send_initialize_request(
     stream: &mut WsClient,
     id: i64,
@@ -459,3 +732,25 @@ stream_max_retries = 0
         ),
     )
 }
+
+fn connectable_bind_addr(bind_addr: SocketAddr) -> SocketAddr {
+    match bind_addr {
+        SocketAddr::V4(addr) if addr.ip().is_unspecified() => {
+            SocketAddr::from(([127, 0, 0, 1], addr.port()))
+        }
+        SocketAddr::V6(addr) if addr.ip().is_unspecified() => {
+            SocketAddr::from(([0, 0, 0, 0, 0, 0, 0, 1], addr.port()))
+        }
+        _ => bind_addr,
+    }
+}
+
+fn signed_bearer_token(shared_secret: &[u8], claims: serde_json::Value) -> Result<String> {
+    let header_segment = URL_SAFE_NO_PAD.encode(br#"{"alg":"HS256","typ":"JWT"}"#);
+    let claims_segment = URL_SAFE_NO_PAD.encode(serde_json::to_vec(&claims)?);
+    let payload = format!("{header_segment}.{claims_segment}");
+    let mut mac = HmacSha256::new_from_slice(shared_secret).context("failed to create hmac")?;
+    mac.update(payload.as_bytes());
+    let signature = URL_SAFE_NO_PAD.encode(mac.finalize().into_bytes());
+    Ok(format!("{payload}.{signature}"))
+}

codex-rs/app-server/tests/suite/v2/experimental_feature_list.rs

@@ -3,16 +3,24 @@ use std::time::Duration;
 use anyhow::Result;
 use app_test_support::McpProcess;
 use app_test_support::to_response;
+use codex_app_server_protocol::ConfigReadParams;
+use codex_app_server_protocol::ConfigReadResponse;
 use codex_app_server_protocol::ExperimentalFeature;
+use codex_app_server_protocol::ExperimentalFeatureEnablementSetParams;
+use codex_app_server_protocol::ExperimentalFeatureEnablementSetResponse;
 use codex_app_server_protocol::ExperimentalFeatureListParams;
 use codex_app_server_protocol::ExperimentalFeatureListResponse;
 use codex_app_server_protocol::ExperimentalFeatureStage;
+use codex_app_server_protocol::JSONRPCError;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::RequestId;
 use codex_core::config::ConfigBuilder;
 use codex_features::FEATURES;
 use codex_features::Stage;
 use pretty_assertions::assert_eq;
+use serde::de::DeserializeOwned;
+use serde_json::json;
+use std::collections::BTreeMap;
 use tempfile::TempDir;
 use tokio::time::timeout;
 
@@ -34,13 +42,7 @@ async fn experimental_feature_list_returns_feature_metadata_with_stage() -> Resu
         .send_experimental_feature_list_request(ExperimentalFeatureListParams::default())
         .await?;
 
-    let response: JSONRPCResponse = timeout(
-        DEFAULT_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
-    )
-    .await??;
-
-    let actual = to_response::<ExperimentalFeatureListResponse>(response)?;
+    let actual = read_response::<ExperimentalFeatureListResponse>(&mut mcp, request_id).await?;
     let expected_data = FEATURES
         .iter()
         .map(|spec| {
@@ -82,3 +84,240 @@ async fn experimental_feature_list_returns_feature_metadata_with_stage() -> Resu
     assert_eq!(actual, expected);
     Ok(())
 }
+
+#[tokio::test]
+async fn experimental_feature_enablement_set_applies_to_global_and_thread_config_reads()
+-> Result<()> {
+    let codex_home = TempDir::new()?;
+    let project_cwd = codex_home.path().join("project");
+    std::fs::create_dir_all(&project_cwd)?;
+
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;
+
+    let actual =
+        set_experimental_feature_enablement(&mut mcp, BTreeMap::from([("apps".to_string(), true)]))
+            .await?;
+    assert_eq!(
+        actual,
+        ExperimentalFeatureEnablementSetResponse {
+            enablement: BTreeMap::from([("apps".to_string(), true)]),
+        }
+    );
+
+    for cwd in [None, Some(project_cwd.display().to_string())] {
+        let ConfigReadResponse { config, .. } = read_config(&mut mcp, cwd).await?;
+
+        assert_eq!(
+            config
+                .additional
+                .get("features")
+                .and_then(|features| features.get("apps")),
+            Some(&json!(true))
+        );
+    }
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn experimental_feature_enablement_set_does_not_override_user_config() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    std::fs::write(
+        codex_home.path().join("config.toml"),
+        "[features]\napps = false\n",
+    )?;
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;
+
+    let actual =
+        set_experimental_feature_enablement(&mut mcp, BTreeMap::from([("apps".to_string(), true)]))
+            .await?;
+    assert_eq!(
+        actual,
+        ExperimentalFeatureEnablementSetResponse {
+            enablement: BTreeMap::from([("apps".to_string(), true)]),
+        }
+    );
+
+    let ConfigReadResponse { config, .. } = read_config(&mut mcp, /*cwd*/ None).await?;
+
+    assert_eq!(
+        config
+            .additional
+            .get("features")
+            .and_then(|features| features.get("apps")),
+        Some(&json!(false))
+    );
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn experimental_feature_enablement_set_only_updates_named_features() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;
+
+    set_experimental_feature_enablement(&mut mcp, BTreeMap::from([("apps".to_string(), true)]))
+        .await?;
+    let actual = set_experimental_feature_enablement(
+        &mut mcp,
+        BTreeMap::from([
+            ("plugins".to_string(), true),
+            ("tool_search".to_string(), true),
+            ("tool_suggest".to_string(), true),
+            ("tool_call_mcp_elicitation".to_string(), false),
+        ]),
+    )
+    .await?;
+
+    assert_eq!(
+        actual,
+        ExperimentalFeatureEnablementSetResponse {
+            enablement: BTreeMap::from([
+                ("plugins".to_string(), true),
+                ("tool_search".to_string(), true),
+                ("tool_suggest".to_string(), true),
+                ("tool_call_mcp_elicitation".to_string(), false),
+            ]),
+        }
+    );
+
+    let ConfigReadResponse { config, .. } = read_config(&mut mcp, /*cwd*/ None).await?;
+
+    assert_eq!(
+        config
+            .additional
+            .get("features")
+            .and_then(|features| features.get("apps")),
+        Some(&json!(true))
+    );
+    assert_eq!(
+        config
+            .additional
+            .get("features")
+            .and_then(|features| features.get("plugins")),
+        Some(&json!(true))
+    );
+    assert_eq!(
+        config
+            .additional
+            .get("features")
+            .and_then(|features| features.get("tool_search")),
+        Some(&json!(true))
+    );
+    assert_eq!(
+        config
+            .additional
+            .get("features")
+            .and_then(|features| features.get("tool_suggest")),
+        Some(&json!(true))
+    );
+    assert_eq!(
+        config
+            .additional
+            .get("features")
+            .and_then(|features| features.get("tool_call_mcp_elicitation")),
+        Some(&json!(false))
+    );
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn experimental_feature_enablement_set_empty_map_is_no_op() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;
+
+    set_experimental_feature_enablement(&mut mcp, BTreeMap::from([("apps".to_string(), true)]))
+        .await?;
+    let actual = set_experimental_feature_enablement(&mut mcp, BTreeMap::new()).await?;
+
+    assert_eq!(
+        actual,
+        ExperimentalFeatureEnablementSetResponse {
+            enablement: BTreeMap::new(),
+        }
+    );
+
+    let ConfigReadResponse { config, .. } = read_config(&mut mcp, /*cwd*/ None).await?;
+
+    assert_eq!(
+        config
+            .additional
+            .get("features")
+            .and_then(|features| features.get("apps")),
+        Some(&json!(true))
+    );
+
+    Ok(())
+}
+
+#[tokio::test]
+async fn experimental_feature_enablement_set_rejects_non_allowlisted_feature() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    let mut mcp = McpProcess::new(codex_home.path()).await?;
+    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;
+
+    let request_id = mcp
+        .send_experimental_feature_enablement_set_request(ExperimentalFeatureEnablementSetParams {
+            enablement: BTreeMap::from([("personality".to_string(), true)]),
+        })
+        .await?;
+    let JSONRPCError { error, .. } = timeout(
+        DEFAULT_TIMEOUT,
+        mcp.read_stream_until_error_message(RequestId::Integer(request_id)),
+    )
+    .await??;
+
+    assert_eq!(error.code, -32600);
+    assert!(
+        error
+            .message
+            .contains("unsupported feature enablement `personality`"),
+        "{}",
+        error.message
+    );
+    assert!(
+        error
+            .message
+            .contains("apps, plugins, tool_search, tool_suggest, tool_call_mcp_elicitation"),
+        "{}",
+        error.message
+    );
+
+    Ok(())
+}
+
+async fn set_experimental_feature_enablement(
+    mcp: &mut McpProcess,
+    enablement: BTreeMap<String, bool>,
+) -> Result<ExperimentalFeatureEnablementSetResponse> {
+    let request_id = mcp
+        .send_experimental_feature_enablement_set_request(ExperimentalFeatureEnablementSetParams {
+            enablement,
+        })
+        .await?;
+    read_response(mcp, request_id).await
+}
+
+async fn read_config(mcp: &mut McpProcess, cwd: Option<String>) -> Result<ConfigReadResponse> {
+    let request_id = mcp
+        .send_config_read_request(ConfigReadParams {
+            include_layers: false,
+            cwd,
+        })
+        .await?;
+    read_response(mcp, request_id).await
+}
+
+async fn read_response<T: DeserializeOwned>(mcp: &mut McpProcess, request_id: i64) -> Result<T> {
+    let response: JSONRPCResponse = timeout(
+        DEFAULT_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
+    )
+    .await??;
+    to_response(response)
+}

codex-rs/app-server/tests/suite/v2/fs.rs

@@ -4,11 +4,15 @@ use app_test_support::McpProcess;
 use app_test_support::to_response;
 use base64::Engine;
 use base64::engine::general_purpose::STANDARD;
+use codex_app_server_protocol::FsChangedNotification;
 use codex_app_server_protocol::FsCopyParams;
 use codex_app_server_protocol::FsGetMetadataResponse;
 use codex_app_server_protocol::FsReadDirectoryEntry;
 use codex_app_server_protocol::FsReadFileResponse;
+use codex_app_server_protocol::FsUnwatchParams;
+use codex_app_server_protocol::FsWatchResponse;
 use codex_app_server_protocol::FsWriteFileParams;
+use codex_app_server_protocol::JSONRPCNotification;
 use codex_app_server_protocol::RequestId;
 use codex_utils_absolute_path::AbsolutePathBuf;
 use pretty_assertions::assert_eq;
@@ -17,6 +21,8 @@ use std::path::PathBuf;
 use tempfile::TempDir;
 use tokio::time::Duration;
 use tokio::time::timeout;
+use uuid::Uuid;
+use uuid::Version;
 
 #[cfg(unix)]
 use std::os::unix::fs::symlink;
@@ -611,3 +617,195 @@ async fn fs_copy_rejects_standalone_fifo_source() -> Result<()> {
 
     Ok(())
 }
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn fs_watch_directory_reports_changed_child_paths_and_unwatch_stops_notifications()
+-> Result<()> {
+    let codex_home = TempDir::new()?;
+    let git_dir = codex_home.path().join("repo").join(".git");
+    let fetch_head = git_dir.join("FETCH_HEAD");
+    std::fs::create_dir_all(&git_dir)?;
+    std::fs::write(&fetch_head, "old\n")?;
+
+    let mut mcp = initialized_mcp(&codex_home).await?;
+    let watch_request_id = mcp
+        .send_fs_watch_request(codex_app_server_protocol::FsWatchParams {
+            path: absolute_path(git_dir.clone()),
+        })
+        .await?;
+    let watch_response: FsWatchResponse = to_response(
+        timeout(
+            DEFAULT_READ_TIMEOUT,
+            mcp.read_stream_until_response_message(RequestId::Integer(watch_request_id)),
+        )
+        .await??,
+    )?;
+    assert_eq!(watch_response.path, absolute_path(git_dir.clone()));
+    let watch_id = Uuid::parse_str(&watch_response.watch_id)?;
+    assert_eq!(watch_id.get_version(), Some(Version::SortRand));
+
+    std::fs::write(&fetch_head, "updated\n")?;
+
+    // Kernel file watching is not reliable in every sandboxed test environment.
+    // Keep validating notification shape when the backend does emit, but do not
+    // fail the whole suite if no OS event arrives.
+    if let Some(changed) = maybe_fs_changed_notification(&mut mcp).await? {
+        assert_eq!(changed.watch_id, watch_response.watch_id.clone());
+        assert_eq!(
+            changed.changed_paths,
+            vec![absolute_path(fetch_head.clone())]
+        );
+    }
+    while timeout(
+        Duration::from_millis(200),
+        mcp.read_stream_until_notification_message("fs/changed"),
+    )
+    .await
+    .is_ok()
+    {}
+
+    let unwatch_request_id = mcp
+        .send_fs_unwatch_request(FsUnwatchParams {
+            watch_id: watch_response.watch_id,
+        })
+        .await?;
+    timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(unwatch_request_id)),
+    )
+    .await??;
+
+    std::fs::write(git_dir.join("packed-refs"), "refs\n")?;
+    let maybe_notification = timeout(
+        Duration::from_millis(1500),
+        mcp.read_stream_until_notification_message("fs/changed"),
+    )
+    .await;
+    assert!(
+        maybe_notification.is_err(),
+        "fs/unwatch should stop future change notifications"
+    );
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn fs_watch_file_reports_atomic_replace_events() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    let git_dir = codex_home.path().join("repo").join(".git");
+    let head_path = git_dir.join("HEAD");
+    std::fs::create_dir_all(&git_dir)?;
+    std::fs::write(&head_path, "ref: refs/heads/main\n")?;
+
+    let mut mcp = initialized_mcp(&codex_home).await?;
+    let watch_request_id = mcp
+        .send_fs_watch_request(codex_app_server_protocol::FsWatchParams {
+            path: absolute_path(head_path.clone()),
+        })
+        .await?;
+    let watch_response: FsWatchResponse = to_response(
+        timeout(
+            DEFAULT_READ_TIMEOUT,
+            mcp.read_stream_until_response_message(RequestId::Integer(watch_request_id)),
+        )
+        .await??,
+    )?;
+    assert_eq!(watch_response.path, absolute_path(head_path.clone()));
+
+    replace_file_atomically(&head_path, "ref: refs/heads/feature\n")?;
+
+    if let Some(changed) = maybe_fs_changed_notification(&mut mcp).await? {
+        assert_eq!(
+            changed,
+            FsChangedNotification {
+                watch_id: watch_response.watch_id,
+                changed_paths: vec![absolute_path(head_path.clone())],
+            }
+        );
+    }
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn fs_watch_allows_missing_file_targets() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    let git_dir = codex_home.path().join("repo").join(".git");
+    let fetch_head = git_dir.join("FETCH_HEAD");
+    std::fs::create_dir_all(&git_dir)?;
+
+    let mut mcp = initialized_mcp(&codex_home).await?;
+    let watch_request_id = mcp
+        .send_fs_watch_request(codex_app_server_protocol::FsWatchParams {
+            path: absolute_path(fetch_head.clone()),
+        })
+        .await?;
+    let watch_response: FsWatchResponse = to_response(
+        timeout(
+            DEFAULT_READ_TIMEOUT,
+            mcp.read_stream_until_response_message(RequestId::Integer(watch_request_id)),
+        )
+        .await??,
+    )?;
+    assert_eq!(watch_response.path, absolute_path(fetch_head.clone()));
+
+    replace_file_atomically(&fetch_head, "origin/main\n")?;
+
+    if let Some(changed) = maybe_fs_changed_notification(&mut mcp).await? {
+        assert_eq!(
+            changed,
+            FsChangedNotification {
+                watch_id: watch_response.watch_id,
+                changed_paths: vec![absolute_path(fetch_head.clone())],
+            }
+        );
+    }
+
+    Ok(())
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn fs_watch_rejects_relative_paths() -> Result<()> {
+    let codex_home = TempDir::new()?;
+    let mut mcp = initialized_mcp(&codex_home).await?;
+
+    let watch_id = mcp
+        .send_raw_request("fs/watch", Some(json!({ "path": "relative-path" })))
+        .await?;
+    expect_error_message(
+        &mut mcp,
+        watch_id,
+        "Invalid request: AbsolutePathBuf deserialized without a base path",
+    )
+    .await?;
+
+    Ok(())
+}
+
+fn fs_changed_notification(notification: JSONRPCNotification) -> Result<FsChangedNotification> {
+    let params = notification
+        .params
+        .context("fs/changed notification should include params")?;
+    Ok(serde_json::from_value::<FsChangedNotification>(params)?)
+}
+
+async fn maybe_fs_changed_notification(
+    mcp: &mut McpProcess,
+) -> Result<Option<FsChangedNotification>> {
+    match timeout(
+        DEFAULT_READ_TIMEOUT,
+        mcp.read_stream_until_notification_message("fs/changed"),
+    )
+    .await
+    {
+        Ok(notification) => Ok(Some(fs_changed_notification(notification?)?)),
+        Err(_) => Ok(None),
+    }
+}
+
+fn replace_file_atomically(path: &PathBuf, contents: &str) -> Result<()> {
+    let temp_path = path.with_extension("lock");
+    std::fs::write(&temp_path, contents)?;
+    std::fs::rename(temp_path, path)?;
+    Ok(())
+}

codex-rs/app-server/tests/suite/v2/initialize.rs

@@ -14,6 +14,7 @@ use codex_app_server_protocol::ThreadStartResponse;
 use codex_app_server_protocol::TurnStartParams;
 use codex_app_server_protocol::TurnStartResponse;
 use codex_app_server_protocol::UserInput as V2UserInput;
+use codex_utils_absolute_path::AbsolutePathBuf;
 use codex_utils_cargo_bin::cargo_bin;
 use core_test_support::fs_wait;
 use pretty_assertions::assert_eq;
@@ -30,6 +31,7 @@ async fn initialize_uses_client_info_name_as_originator() -> Result<()> {
     let responses = Vec::new();
     let server = create_mock_responses_server_sequence_unchecked(responses).await;
     let codex_home = TempDir::new()?;
+    let expected_codex_home = AbsolutePathBuf::try_from(codex_home.path().canonicalize()?)?;
     create_config_toml(codex_home.path(), &server.uri(), "never")?;
     let mut mcp = McpProcess::new(codex_home.path()).await?;
 
@@ -48,11 +50,13 @@ async fn initialize_uses_client_info_name_as_originator() -> Result<()> {
     };
     let InitializeResponse {
         user_agent,
+        codex_home: response_codex_home,
         platform_family,
         platform_os,
     } = to_response::<InitializeResponse>(response)?;
 
     assert!(user_agent.starts_with("codex_vscode/"));
+    assert_eq!(response_codex_home, expected_codex_home);
     assert_eq!(platform_family, std::env::consts::FAMILY);
     assert_eq!(platform_os, std::env::consts::OS);
     Ok(())
@@ -63,6 +67,7 @@ async fn initialize_respects_originator_override_env_var() -> Result<()> {
     let responses = Vec::new();
     let server = create_mock_responses_server_sequence_unchecked(responses).await;
     let codex_home = TempDir::new()?;
+    let expected_codex_home = AbsolutePathBuf::try_from(codex_home.path().canonicalize()?)?;
     create_config_toml(codex_home.path(), &server.uri(), "never")?;
     let mut mcp = McpProcess::new_with_env(
         codex_home.path(),
@@ -88,11 +93,13 @@ async fn initialize_respects_originator_override_env_var() -> Result<()> {
     };
     let InitializeResponse {
         user_agent,
+        codex_home: response_codex_home,
         platform_family,
         platform_os,
     } = to_response::<InitializeResponse>(response)?;
 
     assert!(user_agent.starts_with("codex_originator_via_env_var/"));
+    assert_eq!(response_codex_home, expected_codex_home);
     assert_eq!(platform_family, std::env::consts::FAMILY);
     assert_eq!(platform_os, std::env::consts::OS);
     Ok(())

codex-rs/app-server/tests/suite/v2/plugin_list.rs

@@ -11,6 +11,9 @@ use codex_app_server_protocol::PluginAuthPolicy;
 use codex_app_server_protocol::PluginInstallPolicy;
 use codex_app_server_protocol::PluginListParams;
 use codex_app_server_protocol::PluginListResponse;
+use codex_app_server_protocol::PluginMarketplaceEntry;
+use codex_app_server_protocol::PluginSource;
+use codex_app_server_protocol::PluginSummary;
 use codex_app_server_protocol::RequestId;
 use codex_core::auth::AuthCredentialsStoreMode;
 use codex_core::config::set_project_trust_level;
@@ -41,16 +44,15 @@ plugins = true
 }
 
 #[tokio::test]
-async fn plugin_list_skips_invalid_marketplace_file() -> Result<()> {
+async fn plugin_list_skips_invalid_marketplace_file_and_reports_error() -> Result<()> {
     let codex_home = TempDir::new()?;
     let repo_root = TempDir::new()?;
     std::fs::create_dir_all(repo_root.path().join(".git"))?;
     std::fs::create_dir_all(repo_root.path().join(".agents/plugins"))?;
     write_plugins_enabled_config(codex_home.path())?;
-    std::fs::write(
-        repo_root.path().join(".agents/plugins/marketplace.json"),
-        "{not json",
-    )?;
+    let marketplace_path =
+        AbsolutePathBuf::try_from(repo_root.path().join(".agents/plugins/marketplace.json"))?;
+    std::fs::write(marketplace_path.as_path(), "{not json")?;
 
     let home = codex_home.path().to_string_lossy().into_owned();
     let mut mcp = McpProcess::new_with_env(
@@ -78,15 +80,24 @@ async fn plugin_list_skips_invalid_marketplace_file() -> Result<()> {
     let response: PluginListResponse = to_response(response)?;
 
     assert!(
-        response.marketplaces.iter().all(|marketplace| {
-            marketplace.path
-                != AbsolutePathBuf::try_from(
-                    repo_root.path().join(".agents/plugins/marketplace.json"),
-                )
-                .expect("absolute marketplace path")
-        }),
+        response
+            .marketplaces
+            .iter()
+            .all(|marketplace| { marketplace.path != marketplace_path }),
         "invalid marketplace should be skipped"
     );
+    assert_eq!(response.marketplace_load_errors.len(), 1);
+    assert_eq!(
+        response.marketplace_load_errors[0].marketplace_path,
+        marketplace_path
+    );
+    assert!(
+        response.marketplace_load_errors[0]
+            .message
+            .contains("invalid marketplace file"),
+        "unexpected error: {:?}",
+        response.marketplace_load_errors
+    );
     Ok(())
 }
 
@@ -116,6 +127,124 @@ async fn plugin_list_rejects_relative_cwds() -> Result<()> {
     Ok(())
 }
 
+#[tokio::test]
+async fn plugin_list_keeps_valid_marketplaces_when_another_marketplace_fails_to_load() -> Result<()>
+{
+    let codex_home = TempDir::new()?;
+    let valid_repo_root = TempDir::new()?;
+    let invalid_repo_root = TempDir::new()?;
+    std::fs::create_dir_all(valid_repo_root.path().join(".git"))?;
+    std::fs::create_dir_all(valid_repo_root.path().join(".agents/plugins"))?;
+    std::fs::create_dir_all(
+        valid_repo_root
+            .path()
+            .join("plugins/valid-plugin/.codex-plugin"),
+    )?;
+    std::fs::create_dir_all(invalid_repo_root.path().join(".git"))?;
+    std::fs::create_dir_all(invalid_repo_root.path().join(".agents/plugins"))?;
+    write_plugins_enabled_config(codex_home.path())?;
+
+    let valid_marketplace_path = AbsolutePathBuf::try_from(
+        valid_repo_root
+            .path()
+            .join(".agents/plugins/marketplace.json"),
+    )?;
+    let invalid_marketplace_path = AbsolutePathBuf::try_from(
+        invalid_repo_root
+            .path()
+            .join(".agents/plugins/marketplace.json"),
+    )?;
+    let valid_plugin_path =
+        AbsolutePathBuf::try_from(valid_repo_root.path().join("plugins/valid-plugin"))?;
+
+    std::fs::write(
+        valid_marketplace_path.as_path(),
+        r#"{
+  "name": "valid-marketplace",
+  "plugins": [
+    {
+      "name": "valid-plugin",
+      "source": {
+        "source": "local",
+        "path": "./plugins/valid-plugin"
+      }
+    }
+  ]
+}"#,
+    )?;
+    std::fs::write(
+        valid_repo_root
+            .path()
+            .join("plugins/valid-plugin/.codex-plugin/plugin.json"),
+        r#"{"name":"valid-plugin"}"#,
+    )?;
+    std::fs::write(invalid_marketplace_path.as_path(), "{not json")?;
+
+    let home = codex_home.path().to_string_lossy().into_owned();
+    let mut mcp = McpProcess::new_with_env(
+        codex_home.path(),
+        &[
+            ("HOME", Some(home.as_str())),
+            ("USERPROFILE", Some(home.as_str())),
+        ],
+    )
+    .await?;
+    timeout(DEFAULT_TIMEOUT, mcp.initialize()).await??;
+
+    let request_id = mcp
+        .send_plugin_list_request(PluginListParams {
+            cwds: Some(vec![
+                AbsolutePathBuf::try_from(valid_repo_root.path())?,
+                AbsolutePathBuf::try_from(invalid_repo_root.path())?,
+            ]),
+            force_remote_sync: false,
+        })
+        .await?;
+
+    let response: JSONRPCResponse = timeout(
+        DEFAULT_TIMEOUT,
+        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
+    )
+    .await??;
+    let response: PluginListResponse = to_response(response)?;
+
+    assert_eq!(
+        response.marketplaces,
+        vec![PluginMarketplaceEntry {
+            name: "valid-marketplace".to_string(),
+            path: valid_marketplace_path,
+            interface: None,
+            plugins: vec![PluginSummary {
+                id: "valid-plugin@valid-marketplace".to_string(),
+                name: "valid-plugin".to_string(),
+                source: PluginSource::Local {
+                    path: valid_plugin_path,
+                },
+                installed: false,
+                enabled: false,
+                install_policy: PluginInstallPolicy::Available,
+                auth_policy: PluginAuthPolicy::OnInstall,
+                interface: None,
+            }],
+        }]
+    );
+    assert_eq!(response.marketplace_load_errors.len(), 1);
+    assert_eq!(
+        response.marketplace_load_errors[0].marketplace_path,
+        invalid_marketplace_path
+    );
+    assert!(
+        response.marketplace_load_errors[0]
+            .message
+            .contains("invalid marketplace file"),
+        "unexpected error: {:?}",
+        response.marketplace_load_errors
+    );
+    assert_eq!(response.remote_sync_error, None);
+    assert!(response.featured_plugin_ids.is_empty());
+    Ok(())
+}
+
 #[tokio::test]
 async fn plugin_list_accepts_omitted_cwds() -> Result<()> {
     let codex_home = TempDir::new()?;

codex-rs/app-server/tests/suite/v2/plugin_read.rs

@@ -162,6 +162,10 @@ description: Visible only for ChatGPT
         r#"[features]
 plugins = true
 
+[[skills.config]]
+name = "demo-plugin:thread-summarizer"
+enabled = false
+
 [plugins."demo-plugin@codex-curated"]
 enabled = true
 "#,
@@ -244,6 +248,7 @@ enabled = true
         response.plugin.skills[0].description,
         "Summarize email threads"
     );
+    assert!(!response.plugin.skills[0].enabled);
     assert_eq!(response.plugin.apps.len(), 1);
     assert_eq!(response.plugin.apps[0].id, "gmail");
     assert_eq!(response.plugin.apps[0].name, "gmail");

codex-rs/app-server/tests/suite/v2/thread_fork.rs

@@ -123,7 +123,7 @@ async fn thread_fork_creates_new_thread_and_emits_started() -> Result<()> {
         "expected forked thread to include one turn"
     );
     let turn = &thread.turns[0];
-    assert_eq!(turn.status, TurnStatus::Completed);
+    assert_eq!(turn.status, TurnStatus::Interrupted);
     assert_eq!(turn.items.len(), 1, "expected user message item");
     match &turn.items[0] {
         ThreadItem::UserMessage { content, .. } => {

codex-rs/app-server/tests/suite/v2/thread_list.rs

@@ -23,6 +23,7 @@ use codex_app_server_protocol::TurnStartParams;
 use codex_app_server_protocol::TurnStartResponse;
 use codex_app_server_protocol::UserInput;
 use codex_core::ARCHIVED_SESSIONS_SUBDIR;
+use codex_git_utils::GitSha;
 use codex_protocol::ThreadId;
 use codex_protocol::protocol::GitInfo as CoreGitInfo;
 use codex_protocol::protocol::RolloutItem;
@@ -959,7 +960,7 @@ async fn thread_list_includes_git_info() -> Result<()> {
     create_minimal_config(codex_home.path())?;
 
     let git_info = CoreGitInfo {
-        commit_hash: Some("abc123".to_string()),
+        commit_hash: Some(GitSha::new("abc123")),
         branch: Some("main".to_string()),
         repository_url: Some("https://example.com/repo.git".to_string()),
     };

codex-rs/app-server/tests/suite/v2/thread_metadata_update.rs

@@ -20,6 +20,7 @@ use codex_app_server_protocol::ThreadStartResponse;
 use codex_app_server_protocol::ThreadStatus;
 use codex_core::ARCHIVED_SESSIONS_SUBDIR;
 use codex_core::state_db::reconcile_rollout;
+use codex_git_utils::GitSha;
 use codex_protocol::ThreadId;
 use codex_protocol::protocol::GitInfo as RolloutGitInfo;
 use codex_state::StateRuntime;
@@ -378,7 +379,7 @@ async fn thread_metadata_update_can_clear_stored_git_fields() -> Result<()> {
         "Thread preview",
         Some("mock_provider"),
         Some(RolloutGitInfo {
-            commit_hash: Some("abc123".to_string()),
+            commit_hash: Some(GitSha::new("abc123")),
             branch: Some("feature/sidebar-pr".to_string()),
             repository_url: Some("git@example.com:openai/codex.git".to_string()),
         }),

codex-rs/app-server/tests/suite/v2/thread_start.rs

@@ -585,9 +585,10 @@ request_max_retries = 0
 stream_max_retries = 0
 
 [mcp_servers.required_broken]
-command = "codex-definitely-not-a-real-binary"
+{required_broken_transport}
 required = true
-"#
+"#,
+            required_broken_transport = broken_mcp_transport_toml()
         ),
     )
 }
@@ -615,8 +616,21 @@ request_max_retries = 0
 stream_max_retries = 0
 
 [mcp_servers.optional_broken]
-command = "codex-definitely-not-a-real-binary"
-"#
+{optional_broken_transport}
+"#,
+            optional_broken_transport = broken_mcp_transport_toml()
         ),
     )
 }
+
+#[cfg(target_os = "windows")]
+fn broken_mcp_transport_toml() -> &'static str {
+    r#"command = "cmd"
+args = ["/C", "exit 1"]"#
+}
+
+#[cfg(not(target_os = "windows"))]
+fn broken_mcp_transport_toml() -> &'static str {
+    r#"command = "/bin/sh"
+args = ["-c", "exit 1"]"#
+}

codex-rs/app-server/tests/suite/zsh

@@ -1,13 +1,14 @@
 #!/usr/bin/env dotslash
 
-// This is the patched zsh fork built by
-// `.github/workflows/shell-tool-mcp.yml` for the shell-tool-mcp package.
+// This is the patched zsh fork corresponding to
+// `codex-rs/shell-escalation/patches/zsh-exec-wrapper.patch`.
 // Fetching the prebuilt version via DotSlash makes it easier to write
 // integration tests that exercise the zsh fork behavior in app-server tests.
 //
-// TODO(mbolin): Currently, we use a .tgz artifact that includes binaries for
-// multiple platforms, but we could save a bit of space by making arch-specific
-// artifacts available in the GitHub releases and referencing those here.
+// This checked-in fixture is still pinned to the latest released bundle that
+// contains this binary. New releases publish standalone `codex-zsh-*.tar.gz`
+// assets plus a generated `codex-zsh` DotSlash release asset, so this file can
+// be retargeted when a newer fork build needs to be exercised in tests.
 {
   "name": "codex-zsh",
   "platforms": {

codex-rs/arg0/Cargo.toml

@@ -15,6 +15,7 @@ workspace = true
 anyhow = { workspace = true }
 codex-apply-patch = { workspace = true }
 codex-linux-sandbox = { workspace = true }
+codex-sandboxing = { workspace = true }
 codex-shell-escalation = { workspace = true }
 codex-utils-home-dir = { workspace = true }
 dotenvy = { workspace = true }

codex-rs/arg0/src/lib.rs

@@ -4,12 +4,12 @@ use std::path::Path;
 use std::path::PathBuf;
 
 use codex_apply_patch::CODEX_CORE_APPLY_PATCH_ARG1;
+use codex_sandboxing::landlock::CODEX_LINUX_SANDBOX_ARG0;
 use codex_utils_home_dir::find_codex_home;
 #[cfg(unix)]
 use std::os::unix::fs::symlink;
 use tempfile::TempDir;
 
-const LINUX_SANDBOX_ARG0: &str = "codex-linux-sandbox";
 const APPLY_PATCH_ARG0: &str = "apply_patch";
 const MISSPELLED_APPLY_PATCH_ARG0: &str = "applypatch";
 #[cfg(unix)]
@@ -19,6 +19,12 @@ const TOKIO_WORKER_STACK_SIZE_BYTES: usize = 16 * 1024 * 1024;
 
 #[derive(Clone, Debug, Default, Eq, PartialEq)]
 pub struct Arg0DispatchPaths {
+    /// Stable path to the current Codex executable for child re-execs.
+    ///
+    /// Prefer this over [`std::env::current_exe()`] in code that may run under
+    /// a test harness, where `current_exe()` can point at the harness binary
+    /// instead of the real Codex CLI.
+    pub codex_self_exe: Option<PathBuf>,
     pub codex_linux_sandbox_exe: Option<PathBuf>,
     pub main_execve_wrapper_exe: Option<PathBuf>,
 }
@@ -79,7 +85,7 @@ pub fn arg0_dispatch() -> Option<Arg0PathEntryGuard> {
         }
     }
 
-    if exe_name == LINUX_SANDBOX_ARG0 {
+    if exe_name == CODEX_LINUX_SANDBOX_ARG0 {
         // Safety: [`run_main`] never returns.
         codex_linux_sandbox::run_main();
     } else if exe_name == APPLY_PATCH_ARG0 || exe_name == MISSPELLED_APPLY_PATCH_ARG0 {
@@ -133,8 +139,10 @@ pub fn arg0_dispatch() -> Option<Arg0PathEntryGuard> {
 ///
 /// 1.  Load `.env` values from `~/.codex/.env` before creating any threads.
 /// 2.  Construct a Tokio multi-thread runtime.
-/// 3.  Derive the path to the current executable (so children can re-invoke the
-///     sandbox) when running on Linux.
+/// 3.  Capture the current executable path and derive the
+///     `codex-linux-sandbox` helper path (falling back to the current
+///     executable if needed) so children can re-invoke the sandbox when running
+///     on Linux.
 /// 4.  Execute the provided async `main_fn` inside that runtime, forwarding any
 ///     error. Note that `main_fn` receives [`Arg0DispatchPaths`], which
 ///     contains the helper executable paths needed to construct
@@ -150,7 +158,7 @@ where
     // Retain the TempDir so it exists for the lifetime of the invocation of
     // this executable. Admittedly, we could invoke `keep()` on it, but it
     // would be nice to avoid leaving temporary directories behind, if possible.
-    let path_entry = arg0_dispatch();
+    let path_entry_guard = arg0_dispatch();
 
     // Regular invocation – create a Tokio runtime and execute the provided
     // async entry-point.
@@ -158,16 +166,13 @@ where
     runtime.block_on(async move {
         let current_exe = std::env::current_exe().ok();
         let paths = Arg0DispatchPaths {
+            codex_self_exe: current_exe.clone(),
             codex_linux_sandbox_exe: if cfg!(target_os = "linux") {
-                current_exe.or_else(|| {
-                    path_entry
-                        .as_ref()
-                        .and_then(|path_entry| path_entry.paths().codex_linux_sandbox_exe.clone())
-                })
+                linux_sandbox_exe_path(path_entry_guard.as_ref(), current_exe)
             } else {
                 None
             },
-            main_execve_wrapper_exe: path_entry
+            main_execve_wrapper_exe: path_entry_guard
                 .as_ref()
                 .and_then(|path_entry| path_entry.paths().main_execve_wrapper_exe.clone()),
         };
@@ -176,6 +181,18 @@ where
     })
 }
 
+fn linux_sandbox_exe_path(
+    path_entry_guard: Option<&Arg0PathEntryGuard>,
+    current_exe: Option<PathBuf>,
+) -> Option<PathBuf> {
+    // Prefer the `codex-linux-sandbox` alias when available so callers can
+    // re-exec through a path whose basename still triggers arg0 dispatch on
+    // bubblewrap builds that do not support `--argv0`.
+    path_entry_guard
+        .and_then(|path_entry| path_entry.paths().codex_linux_sandbox_exe.clone())
+        .or(current_exe)
+}
+
 fn build_runtime() -> anyhow::Result<tokio::runtime::Runtime> {
     let mut builder = tokio::runtime::Builder::new_multi_thread();
     builder.enable_all();
@@ -276,7 +293,7 @@ pub fn prepend_path_entry_for_codex_aliases() -> std::io::Result<Arg0PathEntryGu
         APPLY_PATCH_ARG0,
         MISSPELLED_APPLY_PATCH_ARG0,
         #[cfg(target_os = "linux")]
-        LINUX_SANDBOX_ARG0,
+        CODEX_LINUX_SANDBOX_ARG0,
         #[cfg(unix)]
         EXECVE_WRAPPER_ARG0,
     ] {
@@ -309,14 +326,16 @@ pub fn prepend_path_entry_for_codex_aliases() -> std::io::Result<Arg0PathEntryGu
     #[cfg(windows)]
     const PATH_SEPARATOR: &str = ";";
 
-    let path_element = path.display();
-    let updated_path_env_var = match std::env::var("PATH") {
-        Ok(existing_path) => {
-            format!("{path_element}{PATH_SEPARATOR}{existing_path}")
-        }
-        Err(_) => {
-            format!("{path_element}")
+    let updated_path_env_var = match std::env::var_os("PATH") {
+        Some(existing_path) => {
+            let mut path_env_var =
+                std::ffi::OsString::with_capacity(path.as_os_str().len() + 1 + existing_path.len());
+            path_env_var.push(path);
+            path_env_var.push(PATH_SEPARATOR);
+            path_env_var.push(existing_path);
+            path_env_var
         }
+        None => path.as_os_str().to_owned(),
     };
 
     unsafe {
@@ -324,10 +343,11 @@ pub fn prepend_path_entry_for_codex_aliases() -> std::io::Result<Arg0PathEntryGu
     }
 
     let paths = Arg0DispatchPaths {
+        codex_self_exe: std::env::current_exe().ok(),
         codex_linux_sandbox_exe: {
             #[cfg(target_os = "linux")]
             {
-                Some(path.join(LINUX_SANDBOX_ARG0))
+                Some(path.join(CODEX_LINUX_SANDBOX_ARG0))
             }
             #[cfg(not(target_os = "linux"))]
             {
@@ -395,11 +415,16 @@ fn try_lock_dir(dir: &Path) -> std::io::Result<Option<File>> {
 
 #[cfg(test)]
 mod tests {
+    use super::Arg0DispatchPaths;
+    use super::Arg0PathEntryGuard;
     use super::LOCK_FILENAME;
     use super::janitor_cleanup;
+    use super::linux_sandbox_exe_path;
     use std::fs;
     use std::fs::File;
     use std::path::Path;
+    use std::path::PathBuf;
+    use tempfile::TempDir;
 
     fn create_lock(dir: &Path) -> std::io::Result<File> {
         let lock_path = dir.join(LOCK_FILENAME);
@@ -411,6 +436,28 @@ mod tests {
             .open(lock_path)
     }
 
+    #[test]
+    fn linux_sandbox_exe_path_prefers_codex_linux_sandbox_alias() -> std::io::Result<()> {
+        let temp_dir = TempDir::new()?;
+        let lock_file = create_lock(temp_dir.path())?;
+        let alias_path = temp_dir.path().join("codex-linux-sandbox");
+        let path_entry = Arg0PathEntryGuard::new(
+            temp_dir,
+            lock_file,
+            Arg0DispatchPaths {
+                codex_self_exe: Some(PathBuf::from("/usr/bin/codex")),
+                codex_linux_sandbox_exe: Some(alias_path.clone()),
+                main_execve_wrapper_exe: None,
+            },
+        );
+
+        assert_eq!(
+            linux_sandbox_exe_path(Some(&path_entry), Some(PathBuf::from("/usr/bin/codex"))),
+            Some(alias_path),
+        );
+        Ok(())
+    }
+
     #[test]
     fn janitor_skips_dirs_without_lock_file() -> std::io::Result<()> {
         let root = tempfile::tempdir()?;

codex-rs/artifacts/Cargo.toml

@@ -1,28 +0,0 @@
-[package]
-name = "codex-artifacts"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
-
-[dependencies]
-codex-package-manager = { workspace = true }
-reqwest = { workspace = true }
-serde = { workspace = true, features = ["derive"] }
-serde_json = { workspace = true }
-tempfile = { workspace = true }
-thiserror = { workspace = true }
-tokio = { workspace = true, features = ["fs", "io-util", "process", "time"] }
-url = { workspace = true }
-which = { workspace = true }
-
-[lints]
-workspace = true
-
-[dev-dependencies]
-flate2 = { workspace = true }
-pretty_assertions = { workspace = true }
-sha2 = { workspace = true }
-tar = { workspace = true }
-tokio = { workspace = true, features = ["fs", "io-util", "macros", "process", "rt", "rt-multi-thread", "time"] }
-wiremock = { workspace = true }
-zip = { workspace = true }

codex-rs/artifacts/README.md

@@ -1,36 +0,0 @@
-# codex-artifacts
-
-Runtime and process-management helpers for Codex artifact generation.
-
-This crate has two main responsibilities:
-
-- locating, validating, and optionally downloading the pinned artifact runtime
-- spawning the artifact build or render command against that runtime
-
-## Module layout
-
-- `src/client.rs`
-  Runs build and render commands once a runtime has been resolved.
-- `src/runtime/manager.rs`
-  Defines the release locator and the package-manager-backed runtime installer.
-- `src/runtime/installed.rs`
-  Loads an extracted runtime from disk and validates its manifest and entrypoints.
-- `src/runtime/js_runtime.rs`
-  Chooses the JavaScript executable to use for artifact execution.
-- `src/runtime/manifest.rs`
-  Manifest types for release metadata and extracted runtimes.
-- `src/runtime/error.rs`
-  Public runtime-loading and installation errors.
-- `src/tests.rs`
-  Crate-level tests that exercise the public API and integration seams.
-
-## Public API
-
-- `ArtifactRuntimeManager`
-  Resolves or installs a runtime package into `~/.codex/packages/artifacts/...`.
-- `load_cached_runtime`
-  Reads a previously installed runtime from a caller-provided cache root without attempting a download.
-- `is_js_runtime_available`
-  Checks whether artifact execution is possible with either a cached runtime or a host JS runtime.
-- `ArtifactsClient`
-  Executes artifact build or render requests using either a managed or preinstalled runtime.