test(tui): update status surface snapshots

2026-05-13 07:42:40 +00:00 · 2026-04-21 17:17:08 -07:00
880 changed files with 23733 additions and 68307 deletions
--- a/.bazelrc
+++ b/.bazelrc
@@ -29,13 +29,10 @@ common:linux --test_env=PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
 common:macos --test_env=PATH=/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin

 # Pass through some env vars Windows needs to use powershell?
+common:windows --test_env=PATH
 common:windows --test_env=SYSTEMROOT
 common:windows --test_env=COMSPEC
 common:windows --test_env=WINDIR
-# Rust's libtest harness runs test bodies on std-spawned threads. The default
-# 2 MiB stack can be too small for large async test futures on Windows CI; see
-# https://github.com/openai/codex/pull/19067 for the motivating failure.
-common --test_env=RUST_MIN_STACK=8388608 # 8 MiB

 common --test_output=errors
 common --bes_results_url=https://app.buildbuddy.io/invocation/
--- a/.codespellignore
+++ b/.codespellignore
@@ -1,6 +1,5 @@
 iTerm
 iTerm2
 psuedo
-SOM
 te
 TE
--- a/.codespellrc
+++ b/.codespellrc
@@ -1,6 +1,6 @@
 [codespell]
 # Ref: https://github.com/codespell-project/codespell#using-a-config-file
-skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl,frame*.txt,*.snap,*.snap.new
+skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl,frame*.txt,*.snap,*.snap.new,*meriyah.umd.min.js
 check-hidden = true
 ignore-regex = ^\s*"image/\S+": ".*|\b(afterAll)\b
 ignore-words-list = ratatui,ser,iTerm,iterm2,iterm,te,TE,PASE,SEH
--- a/.devcontainer/Dockerfile.secure
+++ b/.devcontainer/Dockerfile.secure
@@ -4,11 +4,9 @@ ARG TZ
 ARG DEBIAN_FRONTEND=noninteractive
 ARG NODE_MAJOR=22
 ARG RUST_TOOLCHAIN=1.92.0
-# Keep this in sync with .devcontainer/codex-install/package.json and pnpm-lock.yaml.
-ARG CODEX_NPM_VERSION=0.121.0
+ARG CODEX_NPM_VERSION=latest

 ENV TZ="$TZ"
-ENV COREPACK_ENABLE_DOWNLOAD_PROMPT=0

 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

@@ -45,18 +43,12 @@ RUN apt-get update \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

-COPY .devcontainer/codex-install/package.json \
-     .devcontainer/codex-install/pnpm-lock.yaml \
-     .devcontainer/codex-install/pnpm-workspace.yaml \
-     /opt/codex-install/
-
 RUN curl -fsSL "https://deb.nodesource.com/setup_${NODE_MAJOR}.x" | bash - \
    && apt-get update \
    && apt-get install -y --no-install-recommends nodejs \
-    && test "$(node -p "require('/opt/codex-install/package.json').dependencies['@openai/codex']")" = "${CODEX_NPM_VERSION}" \
-    && cd /opt/codex-install \
-    && corepack pnpm install --prod --frozen-lockfile \
-    && ln -s /opt/codex-install/node_modules/.bin/codex /usr/local/bin/codex \
+    && npm install -g corepack@latest "@openai/codex@${CODEX_NPM_VERSION}" \
+    && corepack enable \
+    && corepack prepare pnpm@10.28.2 --activate \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

--- a/.devcontainer/codex-install/package.json
+++ b/.devcontainer/codex-install/package.json
@@ -1,13 +0,0 @@
-{
-  "name": "codex-devcontainer-install",
-  "private": true,
-  "description": "Locked Codex CLI install boundary for the secure devcontainer.",
-  "dependencies": {
-    "@openai/codex": "0.121.0"
-  },
-  "engines": {
-    "node": ">=22",
-    "pnpm": ">=10.33.0"
-  },
-  "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319"
-}
--- a/.devcontainer/codex-install/pnpm-lock.yaml
+++ b/.devcontainer/codex-install/pnpm-lock.yaml
@@ -1,85 +0,0 @@
-lockfileVersion: '9.0'
-
-settings:
-  autoInstallPeers: true
-  excludeLinksFromLockfile: false
-
-importers:
-
-  .:
-    dependencies:
-      '@openai/codex':
-        specifier: 0.121.0
-        version: 0.121.0
-
-packages:
-
-  '@openai/codex@0.121.0':
-    resolution: {integrity: sha512-kCJ2NeATd4QBQRmqV04ymdN1ZU3MSwnJQDm/KzjpuzGvCuUVEn7no/T2mRyxQ2x77AACqriNOyPPoM/yufyvNg==}
-    engines: {node: '>=16'}
-    hasBin: true
-
-  '@openai/codex@0.121.0-darwin-arm64':
-    resolution: {integrity: sha512-ZyBqIB6Fb4I0hGb/h65Vu7ePYjHSmGiqqfm+/1djEuxDPkqjfi4wkxYxNYNY+6najyNGN4UijOSTTf19eDCrqw==}
-    engines: {node: '>=16'}
-    cpu: [arm64]
-    os: [darwin]
-
-  '@openai/codex@0.121.0-darwin-x64':
-    resolution: {integrity: sha512-1/OAtdkAZ5yPI3xqaEFlHuPziS1yCqL2gOZdswE7HTmmwpIxi6Z3FCo60JWDPluIp89z4tftdjq73/OCN0YVcw==}
-    engines: {node: '>=16'}
-    cpu: [x64]
-    os: [darwin]
-
-  '@openai/codex@0.121.0-linux-arm64':
-    resolution: {integrity: sha512-2UgMmdo237o7SCMsfb529cOSEM2HFUgN6OBkv5SBLwfNY1NO2Ex6JnUjlppEXlX6/4cXfZ5qjDghVz5j/+B9zw==}
-    engines: {node: '>=16'}
-    cpu: [arm64]
-    os: [linux]
-
-  '@openai/codex@0.121.0-linux-x64':
-    resolution: {integrity: sha512-vlpNJXIqss800J+32Vy7TUZzv31n61b45OLxmsVQGFkTNLJcjFrj9jDUC7I62eC4F16gLioilefNfv4CdJQOEw==}
-    engines: {node: '>=16'}
-    cpu: [x64]
-    os: [linux]
-
-  '@openai/codex@0.121.0-win32-arm64':
-    resolution: {integrity: sha512-m88q4f3XI5npn1t6OG0nWGHWWAjO5FgjRwxh4hdujbLO6t9CiCNfhfPZIOSsoATbrCNwLC+6S77m3cjbNToPNg==}
-    engines: {node: '>=16'}
-    cpu: [arm64]
-    os: [win32]
-
-  '@openai/codex@0.121.0-win32-x64':
-    resolution: {integrity: sha512-Fp0ecVOyM+VcBi/y4HVvRzhifO9YqRiHzhV3rhtAppC7flh22WPguLC4kmvXYAR0p3RPzbo35M2CedWnkOT+cw==}
-    engines: {node: '>=16'}
-    cpu: [x64]
-    os: [win32]
-
-snapshots:
-
-  '@openai/codex@0.121.0':
-    optionalDependencies:
-      '@openai/codex-darwin-arm64': '@openai/codex@0.121.0-darwin-arm64'
-      '@openai/codex-darwin-x64': '@openai/codex@0.121.0-darwin-x64'
-      '@openai/codex-linux-arm64': '@openai/codex@0.121.0-linux-arm64'
-      '@openai/codex-linux-x64': '@openai/codex@0.121.0-linux-x64'
-      '@openai/codex-win32-arm64': '@openai/codex@0.121.0-win32-arm64'
-      '@openai/codex-win32-x64': '@openai/codex@0.121.0-win32-x64'
-
-  '@openai/codex@0.121.0-darwin-arm64':
-    optional: true
-
-  '@openai/codex@0.121.0-darwin-x64':
-    optional: true
-
-  '@openai/codex@0.121.0-linux-arm64':
-    optional: true
-
-  '@openai/codex@0.121.0-linux-x64':
-    optional: true
-
-  '@openai/codex@0.121.0-win32-arm64':
-    optional: true
-
-  '@openai/codex@0.121.0-win32-x64':
-    optional: true
--- a/.devcontainer/codex-install/pnpm-workspace.yaml
+++ b/.devcontainer/codex-install/pnpm-workspace.yaml
@@ -1,12 +0,0 @@
-packages:
-  - "."
-
-minimumReleaseAge: 10080
-minimumReleaseAgeExclude: []
-
-blockExoticSubdeps: true
-strictDepBuilds: true
-trustPolicy: no-downgrade
-trustPolicyIgnoreAfter: 10080
-trustPolicyExclude: []
-allowBuilds: {}
--- a/.devcontainer/devcontainer.secure.json
+++ b/.devcontainer/devcontainer.secure.json
@@ -8,7 +8,7 @@
      "TZ": "${localEnv:TZ:UTC}",
      "NODE_MAJOR": "22",
      "RUST_TOOLCHAIN": "1.92.0",
-      "CODEX_NPM_VERSION": "0.121.0"
+      "CODEX_NPM_VERSION": "latest"
    }
  },
  "runArgs": [
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1 @@
 codex-rs/app-server-protocol/schema/** linguist-generated
-codex-rs/hooks/schema/generated/** linguist-generated
--- a/.github/actions/linux-code-sign/action.yml
+++ b/.github/actions/linux-code-sign/action.yml
@@ -7,9 +7,6 @@ inputs:
  artifacts-dir:
    description: Absolute path to the directory containing built binaries to sign.
    required: true
-  binaries:
-    description: Space-delimited binary basenames to sign.
-    default: "codex codex-responses-api-proxy"

 runs:
  using: composite
@@ -21,7 +18,6 @@ runs:
      shell: bash
      env:
        ARTIFACTS_DIR: ${{ inputs.artifacts-dir }}
-        BINARIES: ${{ inputs.binaries }}
        COSIGN_EXPERIMENTAL: "1"
        COSIGN_YES: "true"
        COSIGN_OIDC_CLIENT_ID: "sigstore"
@@ -35,7 +31,7 @@ runs:
          exit 1
        fi

-        for binary in ${BINARIES}; do
+        for binary in codex codex-responses-api-proxy; do
          artifact="${dest}/${binary}"
          if [[ ! -f "$artifact" ]]; then
            echo "Binary $artifact not found"
--- a/.github/actions/macos-code-sign/action.yml
+++ b/.github/actions/macos-code-sign/action.yml
@@ -4,9 +4,6 @@ inputs:
  target:
    description: Rust compilation target triple (e.g. aarch64-apple-darwin).
    required: true
-  binaries:
-    description: Space-delimited binary basenames to sign and notarize.
-    default: "codex codex-responses-api-proxy"
  sign-binaries:
    description: Whether to sign and notarize the macOS binaries.
    required: false
@@ -122,7 +119,6 @@ runs:
      shell: bash
      env:
        TARGET: ${{ inputs.target }}
-        BINARIES: ${{ inputs.binaries }}
      run: |
        set -euo pipefail

@@ -138,7 +134,7 @@ runs:

        entitlements_path="$GITHUB_ACTION_PATH/codex.entitlements.plist"

-        for binary in ${BINARIES}; do
+        for binary in codex codex-responses-api-proxy; do
          path="codex-rs/target/${TARGET}/release/${binary}"
          codesign --force --options runtime --timestamp --entitlements "$entitlements_path" --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
        done
@@ -148,7 +144,6 @@ runs:
      shell: bash
      env:
        TARGET: ${{ inputs.target }}
-        BINARIES: ${{ inputs.binaries }}
        APPLE_NOTARIZATION_KEY_P8: ${{ inputs.apple-notarization-key-p8 }}
        APPLE_NOTARIZATION_KEY_ID: ${{ inputs.apple-notarization-key-id }}
        APPLE_NOTARIZATION_ISSUER_ID: ${{ inputs.apple-notarization-issuer-id }}
@@ -187,9 +182,8 @@ runs:
          notarize_submission "$binary" "$archive_path" "$notary_key_path"
        }

-        for binary in ${BINARIES}; do
-          notarize_binary "${binary}"
-        done
+        notarize_binary "codex"
+        notarize_binary "codex-responses-api-proxy"

    - name: Sign and notarize macOS dmg
      if: ${{ inputs.sign-dmg == 'true' }}
--- a/.github/actions/prepare-bazel-ci/action.yml
+++ b/.github/actions/prepare-bazel-ci/action.yml
@@ -8,7 +8,7 @@ inputs:
    description: Logical namespace used to keep concurrent Bazel jobs from reserving the same repository cache key.
    required: true
  install-test-prereqs:
-    description: Install DotSlash for Bazel-backed test jobs.
+    description: Install Node.js and DotSlash for Bazel-backed test jobs.
    required: false
    default: "false"
 outputs:
--- a/.github/actions/run-argument-comment-lint/action.yml
+++ b/.github/actions/run-argument-comment-lint/action.yml
@@ -1,54 +0,0 @@
-name: Run argument comment lint
-description: Run argument-comment-lint on codex-rs via Bazel.
-
-inputs:
-  target:
-    description: Runner target passed to setup-bazel-ci.
-    required: true
-  buildbuddy-api-key:
-    description: BuildBuddy API key used by Bazel CI.
-    required: false
-    default: ""
-
-runs:
-  using: composite
-  steps:
-    - uses: ./.github/actions/setup-bazel-ci
-      with:
-        target: ${{ inputs.target }}
-        install-test-prereqs: true
-
-    - name: Install Linux sandbox build dependencies
-      if: ${{ runner.os == 'Linux' }}
-      shell: bash
-      run: |
-        sudo DEBIAN_FRONTEND=noninteractive apt-get update
-        sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev
-
-    - name: Run argument comment lint on codex-rs via Bazel
-      if: ${{ runner.os != 'Windows' }}
-      env:
-        BUILDBUDDY_API_KEY: ${{ inputs.buildbuddy-api-key }}
-      shell: bash
-      run: |
-        bazel_targets="$(./tools/argument-comment-lint/list-bazel-targets.sh)"
-        ./.github/scripts/run-bazel-ci.sh \
-          -- \
-          build \
-          --config=argument-comment-lint \
-          --keep_going \
-          --build_metadata=COMMIT_SHA=${GITHUB_SHA} \
-          -- \
-          ${bazel_targets}
-
-    - name: Run argument comment lint on codex-rs via Bazel
-      if: ${{ runner.os == 'Windows' }}
-      env:
-        BUILDBUDDY_API_KEY: ${{ inputs.buildbuddy-api-key }}
-      shell: bash
-      run: |
-        ./.github/scripts/run-argument-comment-lint-bazel.sh \
-          --config=argument-comment-lint \
-          --platforms=//:local_windows \
-          --keep_going \
-          --build_metadata=COMMIT_SHA=${GITHUB_SHA}
--- a/.github/actions/setup-bazel-ci/action.yml
+++ b/.github/actions/setup-bazel-ci/action.yml
@@ -5,7 +5,7 @@ inputs:
    description: Target triple used for cache namespacing.
    required: true
  install-test-prereqs:
-    description: Install DotSlash for Bazel-backed test jobs.
+    description: Install Node.js and DotSlash for Bazel-backed test jobs.
    required: false
    default: "false"
 outputs:
@@ -16,6 +16,12 @@ outputs:
 runs:
  using: composite
  steps:
+    - name: Set up Node.js for js_repl tests
+      if: inputs.install-test-prereqs == 'true'
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+      with:
+        node-version-file: codex-rs/node-version.txt
+
    # Some integration tests rely on DotSlash being installed.
    # See https://github.com/openai/codex/pull/7617.
    - name: Install DotSlash
@@ -116,11 +122,6 @@ runs:
          }
        }

-    - name: Compute cache-stable Windows Bazel PATH
-      if: runner.os == 'Windows'
-      shell: pwsh
-      run: ./.github/scripts/compute-bazel-windows-path.ps1
-
    - name: Enable Git long paths (Windows)
      if: runner.os == 'Windows'
      shell: pwsh
--- a/.github/actions/windows-code-sign/action.yml
+++ b/.github/actions/windows-code-sign/action.yml
@@ -4,9 +4,6 @@ inputs:
  target:
    description: Target triple for the artifacts to sign.
    required: true
-  binaries:
-    description: Space-delimited binary basenames to sign.
-    default: "codex codex-responses-api-proxy codex-windows-sandbox-setup codex-command-runner"
  client-id:
    description: Azure Trusted Signing client ID.
    required: true
@@ -36,23 +33,6 @@ runs:
        tenant-id: ${{ inputs.tenant-id }}
        subscription-id: ${{ inputs.subscription-id }}

-    - name: Prepare file list
-      id: prepare
-      shell: bash
-      env:
-        TARGET: ${{ inputs.target }}
-        BINARIES: ${{ inputs.binaries }}
-      run: |
-        set -euo pipefail
-
-        {
-          echo "files<<EOF"
-          for binary in ${BINARIES}; do
-            echo "${GITHUB_WORKSPACE}/codex-rs/target/${TARGET}/release/${binary}.exe"
-          done
-          echo "EOF"
-        } >> "$GITHUB_OUTPUT"
-
    - name: Sign Windows binaries with Azure Trusted Signing
      uses: azure/trusted-signing-action@1d365fec12862c4aa68fcac418143d73f0cea293 # v0
      with:
@@ -70,4 +50,8 @@ runs:
        exclude-azure-developer-cli-credential: true
        exclude-interactive-browser-credential: true
        cache-dependencies: false
-        files: ${{ steps.prepare.outputs.files }}
+        files: |
+          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex.exe
+          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-responses-api-proxy.exe
+          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-windows-sandbox-setup.exe
+          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-command-runner.exe
--- a/.github/dotslash-config.json
+++ b/.github/dotslash-config.json
@@ -28,34 +28,6 @@
        }
      }
    },
-    "codex-app-server": {
-      "platforms": {
-        "macos-aarch64": {
-          "regex": "^codex-app-server-aarch64-apple-darwin\\.zst$",
-          "path": "codex-app-server"
-        },
-        "macos-x86_64": {
-          "regex": "^codex-app-server-x86_64-apple-darwin\\.zst$",
-          "path": "codex-app-server"
-        },
-        "linux-x86_64": {
-          "regex": "^codex-app-server-x86_64-unknown-linux-musl\\.zst$",
-          "path": "codex-app-server"
-        },
-        "linux-aarch64": {
-          "regex": "^codex-app-server-aarch64-unknown-linux-musl\\.zst$",
-          "path": "codex-app-server"
-        },
-        "windows-x86_64": {
-          "regex": "^codex-app-server-x86_64-pc-windows-msvc\\.exe\\.zst$",
-          "path": "codex-app-server.exe"
-        },
-        "windows-aarch64": {
-          "regex": "^codex-app-server-aarch64-pc-windows-msvc\\.exe\\.zst$",
-          "path": "codex-app-server.exe"
-        }
-      }
-    },
    "codex-responses-api-proxy": {
      "platforms": {
        "macos-aarch64": {
--- a/.github/scripts/compute-bazel-windows-path.ps1
+++ b/.github/scripts/compute-bazel-windows-path.ps1
@@ -1,105 +0,0 @@
-<#
-BuildBuddy cache keys include the action and test environment, so Bazel should
-not inherit the full hosted-runner PATH on Windows. That PATH includes volatile
-tool entries, such as Maven, that can change independently of this repo and
-cause avoidable cache misses.
-
-This script derives a smaller, cache-stable PATH that keeps the Windows
-toolchain entries Bazel-backed CI tasks need: MSVC and Windows SDK paths, Git,
-PowerShell, Node, Python, DotSlash, and the standard Windows system
-directories.
-`setup-bazel-ci` runs this after exporting the MSVC environment, and the script
-publishes the result via `GITHUB_ENV` as `CODEX_BAZEL_WINDOWS_PATH` so later
-steps can pass that explicit PATH to Bazel.
-#>
-
-$stablePathEntries = New-Object System.Collections.Generic.List[string]
-$seenEntries = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
-$windowsAppsPath = if ([string]::IsNullOrWhiteSpace($env:LOCALAPPDATA)) {
-  $null
-} else {
-  "$($env:LOCALAPPDATA)\Microsoft\WindowsApps"
-}
-$windowsDir = if ($env:WINDIR) {
-  $env:WINDIR
-} elseif ($env:SystemRoot) {
-  $env:SystemRoot
-} else {
-  $null
-}
-
-function Add-StablePathEntry {
-  param([string]$PathEntry)
-
-  if ([string]::IsNullOrWhiteSpace($PathEntry)) {
-    return
-  }
-
-  if ($seenEntries.Add($PathEntry)) {
-    [void]$stablePathEntries.Add($PathEntry)
-  }
-}
-
-foreach ($pathEntry in ($env:PATH -split ';')) {
-  if ([string]::IsNullOrWhiteSpace($pathEntry)) {
-    continue
-  }
-
-  if (
-    $pathEntry -like '*Microsoft Visual Studio*' -or
-    $pathEntry -like '*Windows Kits*' -or
-    $pathEntry -like '*Microsoft SDKs*' -or
-    $pathEntry -like 'C:\Program Files\Git\*' -or
-    $pathEntry -like 'C:\Program Files\PowerShell\*' -or
-    $pathEntry -like 'C:\hostedtoolcache\windows\node\*' -or
-    $pathEntry -like 'C:\hostedtoolcache\windows\Python\*' -or
-    $pathEntry -eq 'D:\a\_temp\install-dotslash\bin' -or
-    ($windowsDir -and ($pathEntry -eq $windowsDir -or $pathEntry -like "${windowsDir}\*"))
-  ) {
-    Add-StablePathEntry $pathEntry
-  }
-}
-
-$gitCommand = Get-Command git -ErrorAction SilentlyContinue
-if ($gitCommand) {
-  Add-StablePathEntry (Split-Path $gitCommand.Source -Parent)
-}
-
-$nodeCommand = Get-Command node -ErrorAction SilentlyContinue
-if ($nodeCommand) {
-  Add-StablePathEntry (Split-Path $nodeCommand.Source -Parent)
-}
-
-$python3Command = Get-Command python3 -ErrorAction SilentlyContinue
-if ($python3Command) {
-  Add-StablePathEntry (Split-Path $python3Command.Source -Parent)
-}
-
-$pythonCommand = Get-Command python -ErrorAction SilentlyContinue
-if ($pythonCommand) {
-  Add-StablePathEntry (Split-Path $pythonCommand.Source -Parent)
-}
-
-$pwshCommand = Get-Command pwsh -ErrorAction SilentlyContinue
-if ($pwshCommand) {
-  Add-StablePathEntry (Split-Path $pwshCommand.Source -Parent)
-}
-
-if ($windowsAppsPath) {
-  Add-StablePathEntry $windowsAppsPath
-}
-
-if ($stablePathEntries.Count -eq 0) {
-  throw 'Failed to derive cache-stable Windows PATH.'
-}
-
-if ([string]::IsNullOrWhiteSpace($env:GITHUB_ENV)) {
-  throw 'GITHUB_ENV must be set.'
-}
-
-$stablePath = $stablePathEntries -join ';'
-Write-Host 'Derived CODEX_BAZEL_WINDOWS_PATH entries:'
-foreach ($pathEntry in $stablePathEntries) {
-  Write-Host "  $pathEntry"
-}
-"CODEX_BAZEL_WINDOWS_PATH=$stablePath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
--- a/.github/scripts/run-argument-comment-lint-bazel.sh
+++ b/.github/scripts/run-argument-comment-lint-bazel.sh
@@ -2,6 +2,16 @@

 set -euo pipefail

+ci_config=ci-linux
+case "${RUNNER_OS:-}" in
+  macOS)
+    ci_config=ci-macos
+    ;;
+  Windows)
+    ci_config=ci-windows
+    ;;
+esac
+
 bazel_lint_args=("$@")
 if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
  has_host_platform_override=0
@@ -34,6 +44,29 @@ if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
  bazel_lint_args+=("--skip_incompatible_explicit_targets")
 fi

+bazel_startup_args=()
+if [[ -n "${BAZEL_OUTPUT_USER_ROOT:-}" ]]; then
+  bazel_startup_args+=("--output_user_root=${BAZEL_OUTPUT_USER_ROOT}")
+fi
+
+run_bazel() {
+  if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
+    MSYS2_ARG_CONV_EXCL='*' bazel "$@"
+    return
+  fi
+
+  bazel "$@"
+}
+
+run_bazel_with_startup_args() {
+  if [[ ${#bazel_startup_args[@]} -gt 0 ]]; then
+    run_bazel "${bazel_startup_args[@]}" "$@"
+    return
+  fi
+
+  run_bazel "$@"
+}
+
 read_query_labels() {
  local query="$1"
  local query_stdout
@@ -41,10 +74,12 @@ read_query_labels() {
  query_stdout="$(mktemp)"
  query_stderr="$(mktemp)"

-  if ! ./.github/scripts/run-bazel-query-ci.sh \
+  if ! run_bazel_with_startup_args \
+    --noexperimental_remote_repo_contents_cache \
+    query \
    --keep_going \
    --output=label \
-    -- "$query" >"$query_stdout" 2>"$query_stderr"; then
+    "$query" >"$query_stdout" 2>"$query_stderr"; then
    cat "$query_stderr" >&2
    rm -f "$query_stdout" "$query_stderr"
    exit 1
--- a/.github/scripts/run-bazel-ci.sh
+++ b/.github/scripts/run-bazel-ci.sh
@@ -4,6 +4,7 @@ set -euo pipefail

 print_failed_bazel_test_logs=0
 print_failed_bazel_action_summary=0
+use_node_test_env=0
 remote_download_toplevel=0
 windows_msvc_host_platform=0

@@ -17,6 +18,10 @@ while [[ $# -gt 0 ]]; do
      print_failed_bazel_action_summary=1
      shift
      ;;
+    --use-node-test-env)
+      use_node_test_env=1
+      shift
+      ;;
    --remote-download-toplevel)
      remote_download_toplevel=1
      shift
@@ -37,7 +42,7 @@ while [[ $# -gt 0 ]]; do
 done

 if [[ $# -eq 0 ]]; then
-  echo "Usage: $0 [--print-failed-test-logs] [--print-failed-action-summary] [--remote-download-toplevel] [--windows-msvc-host-platform] -- <bazel args> -- <targets>" >&2
+  echo "Usage: $0 [--print-failed-test-logs] [--print-failed-action-summary] [--use-node-test-env] [--remote-download-toplevel] [--windows-msvc-host-platform] -- <bazel args> -- <targets>" >&2
  exit 1
 fi

@@ -244,6 +249,16 @@ if [[ ${#bazel_args[@]} -eq 0 || ${#bazel_targets[@]} -eq 0 ]]; then
  exit 1
 fi

+if [[ $use_node_test_env -eq 1 ]]; then
+  # Bazel test sandboxes on macOS may resolve an older Homebrew `node`
+  # before the `actions/setup-node` runtime on PATH.
+  node_bin="$(which node)"
+  if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
+    node_bin="$(cygpath -w "${node_bin}")"
+  fi
+  bazel_args+=("--test_env=CODEX_JS_REPL_NODE_PATH=${node_bin}")
+fi
+
 post_config_bazel_args=()
 if [[ "${RUNNER_OS:-}" == "Windows" && $windows_msvc_host_platform -eq 1 ]]; then
  has_host_platform_override=0
@@ -291,6 +306,7 @@ if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
    INCLUDE
    LIB
    LIBPATH
+    PATH
    UCRTVersion
    UniversalCRTSdkDir
    VCINSTALLDIR
@@ -307,17 +323,6 @@ if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
      post_config_bazel_args+=("--action_env=${env_var}" "--host_action_env=${env_var}")
    fi
  done
-
-  if [[ -z "${CODEX_BAZEL_WINDOWS_PATH:-}" ]]; then
-    echo "CODEX_BAZEL_WINDOWS_PATH must be set for Windows Bazel CI." >&2
-    exit 1
-  fi
-
-  post_config_bazel_args+=(
-    "--action_env=PATH=${CODEX_BAZEL_WINDOWS_PATH}"
-    "--host_action_env=PATH=${CODEX_BAZEL_WINDOWS_PATH}"
-    "--test_env=PATH=${CODEX_BAZEL_WINDOWS_PATH}"
-  )
 fi

 bazel_console_log="$(mktemp)"
--- a/.github/scripts/run-bazel-query-ci.sh
+++ b/.github/scripts/run-bazel-query-ci.sh
@@ -1,75 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-# Run Bazel queries with the same CI startup settings as the main build/test
-# invocation so target-discovery queries can reuse the same Bazel server.
-
-query_args=()
-while [[ $# -gt 0 ]]; do
-  case "$1" in
-    --)
-      shift
-      break
-      ;;
-    *)
-      query_args+=("$1")
-      shift
-      ;;
-  esac
-done
-
-if [[ $# -ne 1 ]]; then
-  echo "Usage: $0 [<bazel query args>...] -- <query expression>" >&2
-  exit 1
-fi
-
-query_expression="$1"
-
-ci_config=ci-linux
-case "${RUNNER_OS:-}" in
-  macOS)
-    ci_config=ci-macos
-    ;;
-  Windows)
-    ci_config=ci-windows
-    ;;
-esac
-
-bazel_startup_args=()
-if [[ -n "${BAZEL_OUTPUT_USER_ROOT:-}" ]]; then
-  bazel_startup_args+=("--output_user_root=${BAZEL_OUTPUT_USER_ROOT}")
-fi
-
-run_bazel() {
-  if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
-    MSYS2_ARG_CONV_EXCL='*' bazel "$@"
-    return
-  fi
-
-  bazel "$@"
-}
-
-bazel_query_args=(--noexperimental_remote_repo_contents_cache query)
-if [[ -n "${BUILDBUDDY_API_KEY:-}" ]]; then
-  bazel_query_args+=(
-    "--config=${ci_config}"
-    "--remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}"
-  )
-fi
-
-if [[ -n "${BAZEL_REPO_CONTENTS_CACHE:-}" ]]; then
-  bazel_query_args+=("--repo_contents_cache=${BAZEL_REPO_CONTENTS_CACHE}")
-fi
-
-if [[ -n "${BAZEL_REPOSITORY_CACHE:-}" ]]; then
-  bazel_query_args+=("--repository_cache=${BAZEL_REPOSITORY_CACHE}")
-fi
-
-bazel_query_args+=("${query_args[@]}" "$query_expression")
-
-if (( ${#bazel_startup_args[@]} > 0 )); then
-  run_bazel "${bazel_startup_args[@]}" "${bazel_query_args[@]}"
-else
-  run_bazel "${bazel_query_args[@]}"
-fi
--- a/.github/workflows/Dockerfile.bazel
+++ b/.github/workflows/Dockerfile.bazel
@@ -8,9 +8,25 @@ FROM ubuntu:24.04

 RUN apt-get update && \
    apt-get install -y --no-install-recommends \
-    curl git python3 ca-certificates && \
+    curl git python3 ca-certificates xz-utils && \
    rm -rf /var/lib/apt/lists/*

+COPY codex-rs/node-version.txt /tmp/node-version.txt
+
+RUN set -eux; \
+    node_arch="$(dpkg --print-architecture)"; \
+    case "${node_arch}" in \
+      amd64) node_dist_arch="x64" ;; \
+      arm64) node_dist_arch="arm64" ;; \
+      *) echo "unsupported architecture: ${node_arch}"; exit 1 ;; \
+    esac; \
+    node_version="$(tr -d '[:space:]' </tmp/node-version.txt)"; \
+    curl -fsSLO "https://nodejs.org/dist/v${node_version}/node-v${node_version}-linux-${node_dist_arch}.tar.xz"; \
+    tar -xJf "node-v${node_version}-linux-${node_dist_arch}.tar.xz" -C /usr/local --strip-components=1; \
+    rm "node-v${node_version}-linux-${node_dist_arch}.tar.xz" /tmp/node-version.txt; \
+    node --version; \
+    npm --version
+
 # Install dotslash.
 RUN curl -LSfs "https://github.com/facebook/dotslash/releases/download/v0.5.8/dotslash-ubuntu-22.04.$(uname -m).tar.gz" | tar fxz - -C /usr/local/bin

--- a/.github/workflows/bazel.yml
+++ b/.github/workflows/bazel.yml
@@ -17,13 +17,6 @@ concurrency:
  cancel-in-progress: ${{ github.ref_name != 'main' }}
 jobs:
  test:
-    # Even though a no-cache-hit Windows build seems to exceed the 30-minute
-    # limit on occasion, the more common reason for exceeding the limit is a
-    # true test failure in a rust_test() marked "flaky" that gets run 3x.
-    # In that case, extra time generally does not give us more signal.
-    #
-    # Ultimately we need true distributed builds (e.g.,
-    # https://www.buildbuddy.io/docs/rbe-setup/) to speed things up.
    timeout-minutes: 30
    strategy:
      fail-fast: false
@@ -92,6 +85,7 @@ jobs:

          bazel_wrapper_args=(
            --print-failed-test-logs
+            --use-node-test-env
          )
          bazel_test_args=(
            test
--- a/.github/workflows/issue-deduplicator.yml
+++ b/.github/workflows/issue-deduplicator.yml
@@ -61,7 +61,7 @@ jobs:
      # .github/prompts/issue-deduplicator.txt file is obsolete and removed.
      - id: codex-all
        name: Find duplicates (pass 1, all issues)
-        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02 # v1.7
+        uses: openai/codex-action@0b91f4a2703c23df3102c3f0967d3c6db34eedef # v1
        with:
          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
          allow-users: "*"
@@ -195,7 +195,7 @@ jobs:

      - id: codex-open
        name: Find duplicates (pass 2, open issues)
-        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02 # v1.7
+        uses: openai/codex-action@0b91f4a2703c23df3102c3f0967d3c6db34eedef # v1
        with:
          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
          allow-users: "*"
--- a/.github/workflows/issue-labeler.yml
+++ b/.github/workflows/issue-labeler.yml
@@ -20,7 +20,7 @@ jobs:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - id: codex
-        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02 # v1.7
+        uses: openai/codex-action@0b91f4a2703c23df3102c3f0967d3c6db34eedef # v1
        with:
          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
          allow-users: "*"
--- a/.github/workflows/rust-ci-full.yml
+++ b/.github/workflows/rust-ci-full.yml
@@ -76,8 +76,6 @@ jobs:
      - name: Test argument comment lint package
        working-directory: tools/argument-comment-lint
        run: cargo test
-        env:
-          RUST_MIN_STACK: "8388608" # 8 MiB

  argument_comment_lint_prebuilt:
    name: Argument comment lint - ${{ matrix.name }}
@@ -560,6 +558,10 @@ jobs:

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - name: Set up Node.js for js_repl tests
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        with:
+          node-version-file: codex-rs/node-version.txt
      - name: Install Linux build dependencies
        if: ${{ runner.os == 'Linux' }}
        shell: bash
@@ -669,7 +671,6 @@ jobs:
        run: cargo nextest run --no-fail-fast --target ${{ matrix.target }} --cargo-profile ci-test --timings
        env:
          RUST_BACKTRACE: 1
-          RUST_MIN_STACK: "8388608" # 8 MiB
          NEXTEST_STATUS_LEVEL: leak

      - name: Upload Cargo timings (nextest)
--- a/.github/workflows/rust-ci.yml
+++ b/.github/workflows/rust-ci.yml
@@ -41,7 +41,6 @@ jobs:
          for f in "${files[@]}"; do
            [[ $f == codex-rs/* ]] && codex=true
            [[ $f == codex-rs/* || $f == tools/argument-comment-lint/* || $f == justfile ]] && argument_comment_lint=true
-            [[ $f == defs.bzl || $f == workspace_root_test_launcher.sh.tpl || $f == workspace_root_test_launcher.bat.tpl ]] && argument_comment_lint=true
            [[ $f == tools/argument-comment-lint/* || $f == .github/workflows/rust-ci.yml || $f == .github/workflows/rust-ci-full.yml ]] && argument_comment_lint_package=true
            [[ $f == .github/* ]] && workflows=true
          done
@@ -131,14 +130,13 @@ jobs:
      - name: Test argument comment lint package
        working-directory: tools/argument-comment-lint
        run: cargo test
-        env:
-          RUST_MIN_STACK: "8388608" # 8 MiB

  argument_comment_lint_prebuilt:
    name: Argument comment lint - ${{ matrix.name }}
    runs-on: ${{ matrix.runs_on || matrix.runner }}
    timeout-minutes: ${{ matrix.timeout_minutes }}
    needs: changed
+    if: ${{ needs.changed.outputs.argument_comment_lint == 'true' || needs.changed.outputs.workflows == 'true' }}
    strategy:
      fail-fast: false
      matrix:
@@ -156,28 +154,43 @@ jobs:
              group: codex-runners
              labels: codex-windows-x64
    steps:
-      - name: Check whether argument comment lint should run
-        id: argument_comment_lint_gate
-        shell: bash
-        env:
-          ARGUMENT_COMMENT_LINT: ${{ needs.changed.outputs.argument_comment_lint }}
-          WORKFLOWS: ${{ needs.changed.outputs.workflows }}
-        run: |
-          if [[ "$ARGUMENT_COMMENT_LINT" == "true" || "$WORKFLOWS" == "true" ]]; then
-            echo "run=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          echo "No argument-comment-lint relevant changes."
-          echo "run=false" >> "$GITHUB_OUTPUT"
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        if: ${{ steps.argument_comment_lint_gate.outputs.run == 'true' }}
-      - name: Run argument comment lint on codex-rs via Bazel
-        if: ${{ steps.argument_comment_lint_gate.outputs.run == 'true' }}
-        uses: ./.github/actions/run-argument-comment-lint
+      - uses: ./.github/actions/setup-bazel-ci
        with:
          target: ${{ runner.os }}
-          buildbuddy-api-key: ${{ secrets.BUILDBUDDY_API_KEY }}
+          install-test-prereqs: true
+      - name: Install Linux sandbox build dependencies
+        if: ${{ runner.os == 'Linux' }}
+        shell: bash
+        run: |
+          sudo DEBIAN_FRONTEND=noninteractive apt-get update
+          sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev
+      - name: Run argument comment lint on codex-rs via Bazel
+        if: ${{ runner.os != 'Windows' }}
+        env:
+          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
+        shell: bash
+        run: |
+          bazel_targets="$(./tools/argument-comment-lint/list-bazel-targets.sh)"
+          ./.github/scripts/run-bazel-ci.sh \
+            -- \
+            build \
+            --config=argument-comment-lint \
+            --keep_going \
+            --build_metadata=COMMIT_SHA=${GITHUB_SHA} \
+            -- \
+            ${bazel_targets}
+      - name: Run argument comment lint on codex-rs via Bazel
+        if: ${{ runner.os == 'Windows' }}
+        env:
+          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
+        shell: bash
+        run: |
+          ./.github/scripts/run-argument-comment-lint-bazel.sh \
+            --config=argument-comment-lint \
+            --platforms=//:local_windows \
+            --keep_going \
+            --build_metadata=COMMIT_SHA=${GITHUB_SHA}

  # --- Gatherer job that you mark as the ONLY required status -----------------
  results:
--- a/.github/workflows/rust-release-windows.yml
+++ b/.github/workflows/rust-release-windows.yml
@@ -40,42 +40,28 @@ jobs:
          - runner: windows-x64
            target: x86_64-pc-windows-msvc
            bundle: primary
-            binaries: "codex codex-responses-api-proxy"
+            build_args: --bin codex --bin codex-responses-api-proxy
            runs_on:
              group: codex-runners
              labels: codex-windows-x64
          - runner: windows-arm64
            target: aarch64-pc-windows-msvc
            bundle: primary
-            binaries: "codex codex-responses-api-proxy"
+            build_args: --bin codex --bin codex-responses-api-proxy
            runs_on:
              group: codex-runners
              labels: codex-windows-arm64
          - runner: windows-x64
            target: x86_64-pc-windows-msvc
            bundle: helpers
-            binaries: "codex-windows-sandbox-setup codex-command-runner"
+            build_args: --bin codex-windows-sandbox-setup --bin codex-command-runner
            runs_on:
              group: codex-runners
              labels: codex-windows-x64
          - runner: windows-arm64
            target: aarch64-pc-windows-msvc
            bundle: helpers
-            binaries: "codex-windows-sandbox-setup codex-command-runner"
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-arm64
-          - runner: windows-x64
-            target: x86_64-pc-windows-msvc
-            bundle: app-server
-            binaries: "codex-app-server"
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-x64
-          - runner: windows-arm64
-            target: aarch64-pc-windows-msvc
-            bundle: app-server
-            binaries: "codex-app-server"
+            build_args: --bin codex-windows-sandbox-setup --bin codex-command-runner
            runs_on:
              group: codex-runners
              labels: codex-windows-arm64
@@ -103,11 +89,7 @@ jobs:
      - name: Cargo build (Windows binaries)
        shell: bash
        run: |
-          build_args=()
-          for binary in ${{ matrix.binaries }}; do
-            build_args+=(--bin "$binary")
-          done
-          cargo build --target ${{ matrix.target }} --release --timings "${build_args[@]}"
+          cargo build --target ${{ matrix.target }} --release --timings ${{ matrix.build_args }}

      - name: Upload Cargo timings
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
@@ -121,9 +103,13 @@ jobs:
        run: |
          output_dir="target/${{ matrix.target }}/release/staged-${{ matrix.bundle }}"
          mkdir -p "$output_dir"
-          for binary in ${{ matrix.binaries }}; do
-            cp "target/${{ matrix.target }}/release/${binary}.exe" "$output_dir/${binary}.exe"
-          done
+          if [[ "${{ matrix.bundle }}" == "primary" ]]; then
+            cp target/${{ matrix.target }}/release/codex.exe "$output_dir/codex.exe"
+            cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$output_dir/codex-responses-api-proxy.exe"
+          else
+            cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$output_dir/codex-windows-sandbox-setup.exe"
+            cp target/${{ matrix.target }}/release/codex-command-runner.exe "$output_dir/codex-command-runner.exe"
+          fi

      - name: Upload Windows binaries
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
@@ -144,8 +130,6 @@ jobs:
    defaults:
      run:
        working-directory: codex-rs
-    env:
-      WINDOWS_BINARIES: "codex codex-responses-api-proxy codex-windows-sandbox-setup codex-command-runner codex-app-server"

    strategy:
      fail-fast: false
@@ -177,25 +161,19 @@ jobs:
          name: windows-binaries-${{ matrix.target }}-helpers
          path: codex-rs/target/${{ matrix.target }}/release

-      - name: Download prebuilt Windows app-server binary
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
-        with:
-          name: windows-binaries-${{ matrix.target }}-app-server
-          path: codex-rs/target/${{ matrix.target }}/release
-
      - name: Verify binaries
        shell: bash
        run: |
          set -euo pipefail
-          for binary in ${WINDOWS_BINARIES}; do
-            ls -lh "target/${{ matrix.target }}/release/${binary}.exe"
-          done
+          ls -lh target/${{ matrix.target }}/release/codex.exe
+          ls -lh target/${{ matrix.target }}/release/codex-responses-api-proxy.exe
+          ls -lh target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe
+          ls -lh target/${{ matrix.target }}/release/codex-command-runner.exe

      - name: Sign Windows binaries with Azure Trusted Signing
        uses: ./.github/actions/windows-code-sign
        with:
          target: ${{ matrix.target }}
-          binaries: ${{ env.WINDOWS_BINARIES }}
          client-id: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TRUSTED_SIGNING_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID }}
@@ -209,10 +187,10 @@ jobs:
          dest="dist/${{ matrix.target }}"
          mkdir -p "$dest"

-          for binary in ${WINDOWS_BINARIES}; do
-            cp "target/${{ matrix.target }}/release/${binary}.exe" \
-              "$dest/${binary}-${{ matrix.target }}.exe"
-          done
+          cp target/${{ matrix.target }}/release/codex.exe "$dest/codex-${{ matrix.target }}.exe"
+          cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$dest/codex-responses-api-proxy-${{ matrix.target }}.exe"
+          cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
+          cp target/${{ matrix.target }}/release/codex-command-runner.exe "$dest/codex-command-runner-${{ matrix.target }}.exe"

      - name: Install DotSlash
        uses: facebook/install-dotslash@1e4e7b3e07eaca387acb98f1d4720e0bee8dbb6a # v2
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -47,7 +47,7 @@ jobs:

  build:
    needs: tag-check
-    name: Build - ${{ matrix.runner }} - ${{ matrix.target }} - ${{ matrix.bundle }}
+    name: Build - ${{ matrix.runner }} - ${{ matrix.target }}
    runs-on: ${{ matrix.runs_on || matrix.runner }}
    timeout-minutes: 60
    permissions:
@@ -67,53 +67,16 @@ jobs:
        include:
          - runner: macos-15-xlarge
            target: aarch64-apple-darwin
-            bundle: primary
-            artifact_name: aarch64-apple-darwin
-            binaries: "codex codex-responses-api-proxy"
-            build_dmg: "true"
-          - runner: macos-15-xlarge
-            target: aarch64-apple-darwin
-            bundle: app-server
-            artifact_name: aarch64-apple-darwin-app-server
-            binaries: "codex-app-server"
-            build_dmg: "false"
          - runner: macos-15-xlarge
            target: x86_64-apple-darwin
-            bundle: primary
-            artifact_name: x86_64-apple-darwin
-            binaries: "codex codex-responses-api-proxy"
-            build_dmg: "true"
-          - runner: macos-15-xlarge
-            target: x86_64-apple-darwin
-            bundle: app-server
-            artifact_name: x86_64-apple-darwin-app-server
-            binaries: "codex-app-server"
-            build_dmg: "false"
-          # Release artifacts intentionally ship MUSL-linked Linux binaries.
          - runner: ubuntu-24.04
            target: x86_64-unknown-linux-musl
-            bundle: primary
-            artifact_name: x86_64-unknown-linux-musl
-            binaries: "codex codex-responses-api-proxy"
-            build_dmg: "false"
          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            bundle: app-server
-            artifact_name: x86_64-unknown-linux-musl-app-server
-            binaries: "codex-app-server"
-            build_dmg: "false"
+            target: x86_64-unknown-linux-gnu
          - runner: ubuntu-24.04-arm
            target: aarch64-unknown-linux-musl
-            bundle: primary
-            artifact_name: aarch64-unknown-linux-musl
-            binaries: "codex codex-responses-api-proxy"
-            build_dmg: "false"
          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            bundle: app-server
-            artifact_name: aarch64-unknown-linux-musl-app-server
-            binaries: "codex-app-server"
-            build_dmg: "false"
+            target: aarch64-unknown-linux-gnu

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -256,17 +219,13 @@ jobs:
      - name: Cargo build
        shell: bash
        run: |
-          build_args=()
-          for binary in ${{ matrix.binaries }}; do
-            build_args+=(--bin "$binary")
-          done
          echo "CARGO_PROFILE_RELEASE_LTO: ${CARGO_PROFILE_RELEASE_LTO}"
-          cargo build --target ${{ matrix.target }} --release --timings "${build_args[@]}"
+          cargo build --target ${{ matrix.target }} --release --timings --bin codex --bin codex-responses-api-proxy

      - name: Upload Cargo timings
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
-          name: cargo-timings-rust-release-${{ matrix.target }}-${{ matrix.bundle }}
+          name: cargo-timings-rust-release-${{ matrix.target }}
          path: codex-rs/target/**/cargo-timings/cargo-timing.html
          if-no-files-found: warn

@@ -276,14 +235,12 @@ jobs:
        with:
          target: ${{ matrix.target }}
          artifacts-dir: ${{ github.workspace }}/codex-rs/target/${{ matrix.target }}/release
-          binaries: ${{ matrix.binaries }}

      - if: ${{ runner.os == 'macOS' }}
        name: MacOS code signing (binaries)
        uses: ./.github/actions/macos-code-sign
        with:
          target: ${{ matrix.target }}
-          binaries: ${{ matrix.binaries }}
          sign-binaries: "true"
          sign-dmg: "false"
          apple-certificate: ${{ secrets.APPLE_CERTIFICATE_P12 }}
@@ -292,7 +249,7 @@ jobs:
          apple-notarization-key-id: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }}
          apple-notarization-issuer-id: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}

-      - if: ${{ runner.os == 'macOS' && matrix.build_dmg == 'true' }}
+      - if: ${{ runner.os == 'macOS' }}
        name: Build macOS dmg
        shell: bash
        run: |
@@ -307,17 +264,23 @@ jobs:
          # The previous "MacOS code signing (binaries)" step signs + notarizes the
          # built artifacts in `${release_dir}`. This step packages *those same*
          # signed binaries into a dmg.
+          codex_binary_path="${release_dir}/codex"
+          proxy_binary_path="${release_dir}/codex-responses-api-proxy"
+
          rm -rf "$dmg_root"
          mkdir -p "$dmg_root"

-          for binary in ${{ matrix.binaries }}; do
-            binary_path="${release_dir}/${binary}"
-            if [[ ! -f "${binary_path}" ]]; then
-              echo "Binary ${binary_path} not found"
-              exit 1
-            fi
-            ditto "${binary_path}" "${dmg_root}/${binary}"
-          done
+          if [[ ! -f "$codex_binary_path" ]]; then
+            echo "Binary $codex_binary_path not found"
+            exit 1
+          fi
+          if [[ ! -f "$proxy_binary_path" ]]; then
+            echo "Binary $proxy_binary_path not found"
+            exit 1
+          fi
+
+          ditto "$codex_binary_path" "${dmg_root}/codex"
+          ditto "$proxy_binary_path" "${dmg_root}/codex-responses-api-proxy"

          rm -f "$dmg_path"
          hdiutil create \
@@ -332,7 +295,7 @@ jobs:
            exit 1
          fi

-      - if: ${{ runner.os == 'macOS' && matrix.build_dmg == 'true' }}
+      - if: ${{ runner.os == 'macOS' }}
        name: MacOS code signing (dmg)
        uses: ./.github/actions/macos-code-sign
        with:
@@ -351,15 +314,15 @@ jobs:
          dest="dist/${{ matrix.target }}"
          mkdir -p "$dest"

-          for binary in ${{ matrix.binaries }}; do
-            cp "target/${{ matrix.target }}/release/${binary}" "$dest/${binary}-${{ matrix.target }}"
-            if [[ "${{ matrix.target }}" == *linux* ]]; then
-              cp "target/${{ matrix.target }}/release/${binary}.sigstore" \
-                "$dest/${binary}-${{ matrix.target }}.sigstore"
-            fi
-          done
+          cp target/${{ matrix.target }}/release/codex "$dest/codex-${{ matrix.target }}"
+          cp target/${{ matrix.target }}/release/codex-responses-api-proxy "$dest/codex-responses-api-proxy-${{ matrix.target }}"

-          if [[ "${{ matrix.build_dmg }}" == "true" ]]; then
+          if [[ "${{ matrix.target }}" == *linux* ]]; then
+            cp target/${{ matrix.target }}/release/codex.sigstore "$dest/codex-${{ matrix.target }}.sigstore"
+            cp target/${{ matrix.target }}/release/codex-responses-api-proxy.sigstore "$dest/codex-responses-api-proxy-${{ matrix.target }}.sigstore"
+          fi
+
+          if [[ "${{ matrix.target }}" == *apple-darwin ]]; then
            cp target/${{ matrix.target }}/release/codex-${{ matrix.target }}.dmg "$dest/codex-${{ matrix.target }}.dmg"
          fi

@@ -401,7 +364,7 @@ jobs:

      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
-          name: ${{ matrix.artifact_name }}
+          name: ${{ matrix.target }}
          # Upload the per-binary .zst files as well as the new .tar.gz
          # equivalents we generated in the previous step.
          path: |
@@ -651,59 +614,11 @@ jobs:
            prefix="${NPM_TAG}-"
          fi

-          root_tarball="dist/npm/codex-npm-${VERSION}.tgz"
-          sdk_tarball="dist/npm/codex-sdk-npm-${VERSION}.tgz"
-          # Keep this list in sync with CODEX_PLATFORM_PACKAGES in
-          # codex-cli/scripts/build_npm_package.py. The root wrapper advances
-          # @openai/codex@latest as soon as it publishes, so every platform
-          # package it aliases must already exist in the registry first.
-          platform_tarballs=(
-            "dist/npm/codex-npm-linux-x64-${VERSION}.tgz"
-            "dist/npm/codex-npm-linux-arm64-${VERSION}.tgz"
-            "dist/npm/codex-npm-darwin-x64-${VERSION}.tgz"
-            "dist/npm/codex-npm-darwin-arm64-${VERSION}.tgz"
-            "dist/npm/codex-npm-win32-x64-${VERSION}.tgz"
-            "dist/npm/codex-npm-win32-arm64-${VERSION}.tgz"
-          )
-
-          for required_tarball in "${platform_tarballs[@]}" "${root_tarball}"; do
-            if [[ ! -f "${required_tarball}" ]]; then
-              echo "Missing npm tarball: ${required_tarball}"
-              exit 1
-            fi
-          done
-
          shopt -s nullglob
-          other_tarballs=()
-          for tarball in dist/npm/*-"${VERSION}".tgz; do
-            if [[ "${tarball}" == "${root_tarball}" || "${tarball}" == "${sdk_tarball}" ]]; then
-              continue
-            fi
-
-            is_platform_tarball=false
-            for platform_tarball in "${platform_tarballs[@]}"; do
-              if [[ "${tarball}" == "${platform_tarball}" ]]; then
-                is_platform_tarball=true
-                break
-              fi
-            done
-            if [[ "${is_platform_tarball}" == true ]]; then
-              continue
-            fi
-
-            other_tarballs+=("${tarball}")
-          done
-
-          # Publish the platform packages before the root CLI wrapper. The root
-          # wrapper advances @openai/codex@latest, so it should only publish
-          # after the optional dependency versions it references exist.
-          tarballs=(
-            "${platform_tarballs[@]}"
-            "${other_tarballs[@]}"
-            "${root_tarball}"
-          )
-          if [[ -f "${sdk_tarball}" ]]; then
-            tarballs+=("${sdk_tarball}")
+          tarballs=(dist/npm/*-"${VERSION}".tgz)
+          if [[ ${#tarballs[@]} -eq 0 ]]; then
+            echo "No npm tarballs found in dist/npm for version ${VERSION}"
+            exit 1
          fi

          for tarball in "${tarballs[@]}"; do
--- a/.gitignore
+++ b/.gitignore
@@ -52,7 +52,6 @@ yarn-error.log*
 # env
 .env*
 !.env.example
-.venv/

 # package
 *.tgz
@@ -92,3 +91,4 @@ CHANGELOG.ignore.md
 # Python bytecode files
 __pycache__/
 *.pyc
+
--- a/MODULE.bazel.lock
+++ b/MODULE.bazel.lock
--- a/3
+++ b/3
@@ -4,3 +4,6 @@ Copyright 2025 OpenAI
 This project includes code derived from [Ratatui](https://github.com/ratatui/ratatui), licensed under the MIT license.
 Copyright (c) 2016-2022 Florian Dehau
 Copyright (c) 2023-2025 The Ratatui Developers
+
+This project includes Meriyah parser assets from [meriyah](https://github.com/meriyah/meriyah), licensed under the ISC license.
+Copyright (c) 2019 and later, KFlash and others.
--- a/codex-cli/.dockerignore
+++ b/codex-cli/.dockerignore
@@ -0,0 +1 @@
+node_modules/
--- a/codex-cli/Dockerfile
+++ b/codex-cli/Dockerfile
@@ -0,0 +1,59 @@
+FROM node:24-slim
+
+ARG TZ
+ENV TZ="$TZ"
+
+# Install basic development tools, ca-certificates, and iptables/ipset, then clean up apt cache to reduce image size
+RUN apt-get update && apt-get install -y --no-install-recommends \
+  aggregate \
+  ca-certificates \
+  curl \
+  dnsutils \
+  fzf \
+  gh \
+  git \
+  gnupg2 \
+  iproute2 \
+  ipset \
+  iptables \
+  jq \
+  less \
+  man-db \
+  procps \
+  unzip \
+  ripgrep \
+  zsh \
+  && rm -rf /var/lib/apt/lists/*
+
+# Ensure default node user has access to /usr/local/share
+RUN mkdir -p /usr/local/share/npm-global && \
+  chown -R node:node /usr/local/share
+
+ARG USERNAME=node
+
+# Set up non-root user
+USER node
+
+# Install global packages
+ENV NPM_CONFIG_PREFIX=/usr/local/share/npm-global
+ENV PATH=$PATH:/usr/local/share/npm-global/bin
+
+# Install codex
+COPY dist/codex.tgz codex.tgz
+RUN npm install -g codex.tgz \
+  && npm cache clean --force \
+  && rm -rf /usr/local/share/npm-global/lib/node_modules/codex-cli/node_modules/.cache \
+  && rm -rf /usr/local/share/npm-global/lib/node_modules/codex-cli/tests \
+  && rm -rf /usr/local/share/npm-global/lib/node_modules/codex-cli/docs
+
+# Inside the container we consider the environment already sufficiently locked
+# down, therefore instruct Codex CLI to allow running without sandboxing.
+ENV CODEX_UNSAFE_ALLOW_NO_SANDBOX=1
+
+# Copy and set up firewall script as root.
+USER root
+COPY scripts/init_firewall.sh /usr/local/bin/
+RUN chmod 500 /usr/local/bin/init_firewall.sh
+
+# Drop back to non-root.
+USER node
--- a/codex-cli/package.json
+++ b/codex-cli/package.json
@@ -18,5 +18,5 @@
    "url": "git+https://github.com/openai/codex.git",
    "directory": "codex-cli"
  },
-  "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319"
+  "packageManager": "pnpm@10.29.3+sha512.498e1fb4cca5aa06c1dcf2611e6fafc50972ffe7189998c409e90de74566444298ffe43e6cd2acdc775ba1aa7cc5e092a8b7054c811ba8c5770f84693d33d2dc"
 }
--- a/codex-cli/scripts/build_container.sh
+++ b/codex-cli/scripts/build_container.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -euo pipefail
+
+SCRIPT_DIR=$(realpath "$(dirname "$0")")
+trap "popd >> /dev/null" EXIT
+pushd "$SCRIPT_DIR/.." >> /dev/null || {
+  echo "Error: Failed to change directory to $SCRIPT_DIR/.."
+  exit 1
+}
+pnpm install
+pnpm run build
+rm -rf ./dist/openai-codex-*.tgz
+pnpm pack --pack-destination ./dist
+mv ./dist/openai-codex-*.tgz ./dist/codex.tgz
+docker build -t codex -f "./Dockerfile" .
--- a/codex-rs/.cargo/audit.toml
+++ b/codex-rs/.cargo/audit.toml
@@ -6,4 +6,5 @@ ignore = [
    "RUSTSEC-2024-0436", # paste 1.0.15 via starlark/ratatui; upstream crate is unmaintained
    "RUSTSEC-2024-0320", # yaml-rust via syntect; remove when syntect drops or updates it
    "RUSTSEC-2025-0141", # bincode via syntect; remove when syntect drops or updates it
+    "RUSTSEC-2026-0097", # rand 0.8.5 via age/codex-secrets and zbus/keyring; remove when transitive deps move to rand >=0.9.3
 ]
--- a/codex-rs/.config/nextest.toml
+++ b/codex-rs/.config/nextest.toml
@@ -8,11 +8,6 @@ max-threads = 1
 [test-groups.app_server_integration]
 max-threads = 1

-[test-groups.core_apply_patch_cli_integration]
-max-threads = 1
-
-[test-groups.windows_sandbox_legacy_sessions]
-max-threads = 1

 [[profile.default.overrides]]
 # Do not add new tests here
@@ -32,15 +27,3 @@ test-group = 'app_server_protocol_codegen'
 # Keep the library unit tests parallel.
 filter = 'package(codex-app-server) & kind(test)'
 test-group = 'app_server_integration'
-
-[[profile.default.overrides]]
-# These tests exercise full Codex turns and apply_patch execution, and they are
-# sensitive to Windows runner process-startup stalls when many cases launch at once.
-filter = 'package(codex-core) & kind(test) & test(apply_patch_cli)'
-test-group = 'core_apply_patch_cli_integration'
-
-[[profile.default.overrides]]
-# These tests create restricted-token Windows child processes and private desktops.
-# Serialize them to avoid exhausting Windows session/global desktop resources in CI.
-filter = 'package(codex-windows-sandbox) & test(legacy_)'
-test-group = 'windows_sandbox_legacy_sessions'
--- a/codex-rs/BUILD.bazel
+++ b/codex-rs/BUILD.bazel
@@ -1,5 +1,6 @@
 exports_files([
    "clippy.toml",
+    "node-version.txt",
 ])

 filegroup(
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -749,48 +749,6 @@ version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"

-[[package]]
-name = "aws-config"
-version = "1.8.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "96571e6996817bf3d58f6b569e4b9fd2e9d2fcf9f7424eed07b2ce9bb87535e5"
-dependencies = [
- "aws-credential-types",
- "aws-runtime",
- "aws-sdk-sso",
- "aws-sdk-ssooidc",
- "aws-sdk-sts",
- "aws-smithy-async",
- "aws-smithy-http",
- "aws-smithy-json",
- "aws-smithy-runtime",
- "aws-smithy-runtime-api",
- "aws-smithy-types",
- "aws-types",
- "bytes",
- "fastrand",
- "hex",
- "http 1.4.0",
- "ring",
- "time",
- "tokio",
- "tracing",
- "url",
- "zeroize",
-]
-
-[[package]]
-name = "aws-credential-types"
-version = "1.2.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3cd362783681b15d136480ad555a099e82ecd8e2d10a841e14dfd0078d67fee3"
-dependencies = [
- "aws-smithy-async",
- "aws-smithy-runtime-api",
- "aws-smithy-types",
- "zeroize",
-]
-
 [[package]]
 name = "aws-lc-rs"
 version = "1.16.2"
@@ -814,302 +772,6 @@ dependencies = [
 "fs_extra",
 ]

-[[package]]
-name = "aws-runtime"
-version = "1.5.17"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d81b5b2898f6798ad58f484856768bca817e3cd9de0974c24ae0f1113fe88f1b"
-dependencies = [
- "aws-credential-types",
- "aws-sigv4",
- "aws-smithy-async",
- "aws-smithy-http",
- "aws-smithy-runtime",
- "aws-smithy-runtime-api",
- "aws-smithy-types",
- "aws-types",
- "bytes",
- "fastrand",
- "http 0.2.12",
- "http-body 0.4.6",
- "percent-encoding",
- "pin-project-lite",
- "tracing",
- "uuid",
-]
-
-[[package]]
-name = "aws-sdk-sso"
-version = "1.91.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8ee6402a36f27b52fe67661c6732d684b2635152b676aa2babbfb5204f99115d"
-dependencies = [
- "aws-credential-types",
- "aws-runtime",
- "aws-smithy-async",
- "aws-smithy-http",
- "aws-smithy-json",
- "aws-smithy-runtime",
- "aws-smithy-runtime-api",
- "aws-smithy-types",
- "aws-types",
- "bytes",
- "fastrand",
- "http 0.2.12",
- "regex-lite",
- "tracing",
-]
-
-[[package]]
-name = "aws-sdk-ssooidc"
-version = "1.93.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a45a7f750bbd170ee3677671ad782d90b894548f4e4ae168302c57ec9de5cb3e"
-dependencies = [
- "aws-credential-types",
- "aws-runtime",
- "aws-smithy-async",
- "aws-smithy-http",
- "aws-smithy-json",
- "aws-smithy-runtime",
- "aws-smithy-runtime-api",
- "aws-smithy-types",
- "aws-types",
- "bytes",
- "fastrand",
- "http 0.2.12",
- "regex-lite",
- "tracing",
-]
-
-[[package]]
-name = "aws-sdk-sts"
-version = "1.95.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "55542378e419558e6b1f398ca70adb0b2088077e79ad9f14eb09441f2f7b2164"
-dependencies = [
- "aws-credential-types",
- "aws-runtime",
- "aws-smithy-async",
- "aws-smithy-http",
- "aws-smithy-json",
- "aws-smithy-query",
- "aws-smithy-runtime",
- "aws-smithy-runtime-api",
- "aws-smithy-types",
- "aws-smithy-xml",
- "aws-types",
- "fastrand",
- "http 0.2.12",
- "regex-lite",
- "tracing",
-]
-
-[[package]]
-name = "aws-sigv4"
-version = "1.3.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "69e523e1c4e8e7e8ff219d732988e22bfeae8a1cafdbe6d9eca1546fa080be7c"
-dependencies = [
- "aws-credential-types",
- "aws-smithy-http",
- "aws-smithy-runtime-api",
- "aws-smithy-types",
- "bytes",
- "form_urlencoded",
- "hex",
- "hmac",
- "http 0.2.12",
- "http 1.4.0",
- "percent-encoding",
- "sha2",
- "time",
- "tracing",
-]
-
-[[package]]
-name = "aws-smithy-async"
-version = "1.2.14"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2ffcaf626bdda484571968400c326a244598634dc75fd451325a54ad1a59acfc"
-dependencies = [
- "futures-util",
- "pin-project-lite",
- "tokio",
-]
-
-[[package]]
-name = "aws-smithy-http"
-version = "0.62.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "826141069295752372f8203c17f28e30c464d22899a43a0c9fd9c458d469c88b"
-dependencies = [
- "aws-smithy-runtime-api",
- "aws-smithy-types",
- "bytes",
- "bytes-utils",
- "futures-core",
- "futures-util",
- "http 0.2.12",
- "http 1.4.0",
- "http-body 0.4.6",
- "percent-encoding",
- "pin-project-lite",
- "pin-utils",
- "tracing",
-]
-
-[[package]]
-name = "aws-smithy-http-client"
-version = "1.1.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a2f165a7feee6f263028b899d0a181987f4fa7179a6411a32a439fba7c5f769"
-dependencies = [
- "aws-smithy-async",
- "aws-smithy-runtime-api",
- "aws-smithy-types",
- "h2",
- "http 1.4.0",
- "hyper",
- "hyper-rustls",
- "hyper-util",
- "pin-project-lite",
- "rustls",
- "rustls-native-certs",
- "rustls-pki-types",
- "tokio",
- "tokio-rustls",
- "tower",
- "tracing",
-]
-
-[[package]]
-name = "aws-smithy-json"
-version = "0.61.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "49fa1213db31ac95288d981476f78d05d9cbb0353d22cdf3472cc05bb02f6551"
-dependencies = [
- "aws-smithy-types",
-]
-
-[[package]]
-name = "aws-smithy-observability"
-version = "0.1.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "17f616c3f2260612fe44cede278bafa18e73e6479c4e393e2c4518cf2a9a228a"
-dependencies = [
- "aws-smithy-runtime-api",
-]
-
-[[package]]
-name = "aws-smithy-query"
-version = "0.60.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ae5d689cf437eae90460e944a58b5668530d433b4ff85789e69d2f2a556e057d"
-dependencies = [
- "aws-smithy-types",
- "urlencoding",
-]
-
-[[package]]
-name = "aws-smithy-runtime"
-version = "1.9.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a392db6c583ea4a912538afb86b7be7c5d8887d91604f50eb55c262ee1b4a5f5"
-dependencies = [
- "aws-smithy-async",
- "aws-smithy-http",
- "aws-smithy-http-client",
- "aws-smithy-observability",
- "aws-smithy-runtime-api",
- "aws-smithy-types",
- "bytes",
- "fastrand",
- "http 0.2.12",
- "http 1.4.0",
- "http-body 0.4.6",
- "http-body 1.0.1",
- "pin-project-lite",
- "pin-utils",
- "tokio",
- "tracing",
-]
-
-[[package]]
-name = "aws-smithy-runtime-api"
-version = "1.12.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b71a13df6ada0aafbf21a73bdfcdf9324cfa9df77d96b8446045be3cde61b42e"
-dependencies = [
- "aws-smithy-async",
- "aws-smithy-runtime-api-macros",
- "aws-smithy-types",
- "bytes",
- "http 0.2.12",
- "http 1.4.0",
- "pin-project-lite",
- "tokio",
- "tracing",
- "zeroize",
-]
-
-[[package]]
-name = "aws-smithy-runtime-api-macros"
-version = "1.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8d7396fd9500589e62e460e987ecb671bad374934e55ec3b5f498cc7a8a8a7b7"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.114",
-]
-
-[[package]]
-name = "aws-smithy-types"
-version = "1.4.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d73dbfbaa8e4bc57b9045137680b958d274823509a360abfd8e1d514d40c95c"
-dependencies = [
- "base64-simd",
- "bytes",
- "bytes-utils",
- "http 0.2.12",
- "http 1.4.0",
- "http-body 0.4.6",
- "http-body 1.0.1",
- "http-body-util",
- "itoa",
- "num-integer",
- "pin-project-lite",
- "pin-utils",
- "ryu",
- "serde",
- "time",
-]
-
-[[package]]
-name = "aws-smithy-xml"
-version = "0.60.13"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "11b2f670422ff42bf7065031e72b45bc52a3508bd089f743ea90731ca2b6ea57"
-dependencies = [
- "xmlparser",
-]
-
-[[package]]
-name = "aws-types"
-version = "1.3.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1d980627d2dd7bfc32a3c025685a033eeab8d365cc840c631ef59d1b8f428164"
-dependencies = [
- "aws-credential-types",
- "aws-smithy-async",
- "aws-smithy-runtime-api",
- "aws-smithy-types",
- "rustc_version",
- "tracing",
-]
-
 [[package]]
 name = "axum"
 version = "0.8.8"
@@ -1122,7 +784,7 @@ dependencies = [
 "form_urlencoded",
 "futures-util",
 "http 1.4.0",
- "http-body 1.0.1",
+ "http-body",
 "http-body-util",
 "hyper",
 "hyper-util",
@@ -1155,7 +817,7 @@ dependencies = [
 "bytes",
 "futures-core",
 "http 1.4.0",
- "http-body 1.0.1",
+ "http-body",
 "http-body-util",
 "mime",
 "pin-project-lite",
@@ -1198,16 +860,6 @@ version = "0.22.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"

-[[package]]
-name = "base64-simd"
-version = "0.8.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "339abbe78e73178762e23bea9dfd08e697eb3f3301cd4be981c0f78ba5859195"
-dependencies = [
- "outref",
- "vsimd",
-]
-
 [[package]]
 name = "base64ct"
 version = "1.8.3"
@@ -1294,15 +946,6 @@ dependencies = [
 "serde_core",
 ]

-[[package]]
-name = "blake2"
-version = "0.10.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "46502ad458c9a52b69d4d4d32775c788b7a1b85e8bc9d482d92250fc0e3f8efe"
-dependencies = [
- "digest",
-]
-
 [[package]]
 name = "block-buffer"
 version = "0.10.4"
@@ -1407,16 +1050,6 @@ version = "1.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33"

-[[package]]
-name = "bytes-utils"
-version = "0.1.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7dafe3a8757b027e2be6e4e5601ed563c55989fcf1546e933c66c8eb3a058d35"
-dependencies = [
- "bytes",
- "either",
-]
-
 [[package]]
 name = "bytestring"
 version = "1.5.0"
@@ -1748,24 +1381,6 @@ dependencies = [
 "unicode-width 0.2.1",
 ]

-[[package]]
-name = "codex-agent-identity"
-version = "0.0.0"
-dependencies = [
- "anyhow",
- "base64 0.22.1",
- "chrono",
- "codex-protocol",
- "crypto_box",
- "ed25519-dalek",
- "pretty_assertions",
- "rand 0.9.3",
- "reqwest",
- "serde",
- "serde_json",
- "sha2",
-]
-
 [[package]]
 name = "codex-analytics"
 version = "0.0.0"
@@ -1773,7 +1388,6 @@ dependencies = [
 "codex-app-server-protocol",
 "codex-git-utils",
 "codex-login",
- "codex-model-provider",
 "codex-plugin",
 "codex-protocol",
 "codex-utils-absolute-path",
@@ -1841,7 +1455,6 @@ dependencies = [
 "chrono",
 "clap",
 "codex-analytics",
- "codex-api",
 "codex-app-server-protocol",
 "codex-arg0",
 "codex-backend-client",
@@ -1858,7 +1471,6 @@ dependencies = [
 "codex-git-utils",
 "codex-login",
 "codex-mcp",
- "codex-model-provider",
 "codex-model-provider-info",
 "codex-models-manager",
 "codex-otel",
@@ -1870,7 +1482,6 @@ dependencies = [
 "codex-state",
 "codex-thread-store",
 "codex-tools",
- "codex-uds",
 "codex-utils-absolute-path",
 "codex-utils-cargo-bin",
 "codex-utils-cli",
@@ -2028,31 +1639,14 @@ dependencies = [
 "tokio-util",
 ]

-[[package]]
-name = "codex-aws-auth"
-version = "0.0.0"
-dependencies = [
- "aws-config",
- "aws-credential-types",
- "aws-sigv4",
- "aws-types",
- "bytes",
- "http 1.4.0",
- "pretty_assertions",
- "thiserror 2.0.18",
- "tokio",
-]
-
 [[package]]
 name = "codex-backend-client"
 version = "0.0.0"
 dependencies = [
 "anyhow",
- "codex-api",
 "codex-backend-openapi-models",
 "codex-client",
 "codex-login",
- "codex-model-provider",
 "codex-protocol",
 "pretty_assertions",
 "reqwest",
@@ -2076,11 +1670,11 @@ dependencies = [
 "anyhow",
 "clap",
 "codex-app-server-protocol",
+ "codex-config",
 "codex-connectors",
 "codex-core",
 "codex-git-utils",
 "codex-login",
- "codex-model-provider",
 "codex-utils-cargo-bin",
 "codex-utils-cli",
 "pretty_assertions",
@@ -2108,7 +1702,6 @@ dependencies = [
 "codex-cloud-tasks",
 "codex-config",
 "codex-core",
- "codex-core-plugins",
 "codex-exec",
 "codex-exec-server",
 "codex-execpolicy",
@@ -2121,7 +1714,6 @@ dependencies = [
 "codex-protocol",
 "codex-responses-api-proxy",
 "codex-rmcp-client",
- "codex-rollout-trace",
 "codex-sandboxing",
 "codex-state",
 "codex-stdio-to-uds",
@@ -2209,6 +1801,7 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "async-trait",
+ "base64 0.22.1",
 "chrono",
 "clap",
 "codex-client",
@@ -2217,7 +1810,6 @@ dependencies = [
 "codex-core",
 "codex-git-utils",
 "codex-login",
- "codex-model-provider",
 "codex-tui",
 "codex-utils-cli",
 "crossterm",
@@ -2242,7 +1834,6 @@ dependencies = [
 "anyhow",
 "async-trait",
 "chrono",
- "codex-api",
 "codex-backend-client",
 "codex-git-utils",
 "serde",
@@ -2301,7 +1892,6 @@ dependencies = [
 "libc",
 "multimap",
 "pretty_assertions",
- "prost 0.14.3",
 "schemars 0.8.22",
 "serde",
 "serde_json",
@@ -2310,12 +1900,8 @@ dependencies = [
 "tempfile",
 "thiserror 2.0.18",
 "tokio",
- "tokio-stream",
 "toml 0.9.11+spec-1.1.0",
 "toml_edit 0.24.0+spec-1.1.0",
- "tonic",
- "tonic-prost",
- "tonic-prost-build",
 "tracing",
 "wildmatch",
 "winapi-util",
@@ -2375,7 +1961,6 @@ dependencies = [
 "codex-response-debug-context",
 "codex-rmcp-client",
 "codex-rollout",
- "codex-rollout-trace",
 "codex-sandboxing",
 "codex-secrets",
 "codex-shell-command",
@@ -2452,6 +2037,7 @@ dependencies = [
 "whoami",
 "windows-sys 0.52.0",
 "wiremock",
+ "zip 2.4.2",
 "zstd 0.13.3",
 ]

@@ -2459,7 +2045,6 @@ dependencies = [
 name = "codex-core-plugins"
 version = "0.0.0"
 dependencies = [
- "anyhow",
 "chrono",
 "codex-app-server-protocol",
 "codex-config",
@@ -2467,14 +2052,11 @@ dependencies = [
 "codex-exec-server",
 "codex-git-utils",
 "codex-login",
- "codex-model-provider",
- "codex-otel",
 "codex-plugin",
 "codex-protocol",
 "codex-utils-absolute-path",
 "codex-utils-plugins",
 "dirs",
- "libc",
 "pretty_assertions",
 "reqwest",
 "serde",
@@ -2485,8 +2067,6 @@ dependencies = [
 "toml 0.9.11+spec-1.1.0",
 "tracing",
 "url",
- "wiremock",
- "zip 2.4.2",
 ]

 [[package]]
@@ -2499,7 +2079,6 @@ dependencies = [
 "codex-config",
 "codex-exec-server",
 "codex-login",
- "codex-model-provider",
 "codex-otel",
 "codex-protocol",
 "codex-skills",
@@ -2536,7 +2115,6 @@ dependencies = [
 name = "codex-device-key"
 version = "0.0.0"
 dependencies = [
- "async-trait",
 "base64 0.22.1",
 "p256",
 "pretty_assertions",
@@ -2544,7 +2122,6 @@ dependencies = [
 "serde",
 "serde_json",
 "thiserror 2.0.18",
- "tokio",
 "url",
 ]

@@ -2600,9 +2177,7 @@ dependencies = [
 "arc-swap",
 "async-trait",
 "base64 0.22.1",
- "bytes",
 "codex-app-server-protocol",
- "codex-client",
 "codex-config",
 "codex-protocol",
 "codex-sandboxing",
@@ -2612,7 +2187,6 @@ dependencies = [
 "ctor 0.6.3",
 "futures",
 "pretty_assertions",
- "reqwest",
 "serde",
 "serde_json",
 "serial_test",
@@ -2621,7 +2195,6 @@ dependencies = [
 "thiserror 2.0.18",
 "tokio",
 "tokio-tungstenite",
- "tokio-util",
 "tracing",
 "uuid",
 ]
@@ -2821,7 +2394,6 @@ dependencies = [
 "async-trait",
 "base64 0.22.1",
 "chrono",
- "codex-agent-identity",
 "codex-app-server-protocol",
 "codex-client",
 "codex-config",
@@ -2860,16 +2432,15 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "async-channel",
- "codex-api",
 "codex-async-utils",
 "codex-config",
 "codex-exec-server",
 "codex-login",
- "codex-model-provider",
 "codex-otel",
 "codex-plugin",
 "codex-protocol",
 "codex-rmcp-client",
+ "codex-utils-absolute-path",
 "codex-utils-plugins",
 "futures",
 "pretty_assertions",
@@ -2924,23 +2495,12 @@ name = "codex-model-provider"
 version = "0.0.0"
 dependencies = [
 "async-trait",
- "codex-agent-identity",
 "codex-api",
- "codex-aws-auth",
- "codex-client",
- "codex-feedback",
 "codex-login",
 "codex-model-provider-info",
- "codex-models-manager",
- "codex-otel",
 "codex-protocol",
- "codex-response-debug-context",
 "http 1.4.0",
 "pretty_assertions",
- "serde_json",
- "tokio",
- "tracing",
- "wiremock",
 ]

 [[package]]
@@ -2964,21 +2524,32 @@ dependencies = [
 name = "codex-models-manager"
 version = "0.0.0"
 dependencies = [
- "async-trait",
+ "base64 0.22.1",
 "chrono",
+ "codex-api",
 "codex-app-server-protocol",
 "codex-collaboration-mode-templates",
+ "codex-config",
+ "codex-feedback",
 "codex-login",
+ "codex-model-provider",
+ "codex-model-provider-info",
 "codex-otel",
 "codex-protocol",
+ "codex-response-debug-context",
+ "codex-utils-absolute-path",
 "codex-utils-output-truncation",
 "codex-utils-template",
+ "core_test_support",
+ "http 1.4.0",
 "pretty_assertions",
 "serde",
 "serde_json",
 "tempfile",
 "tokio",
 "tracing",
+ "tracing-subscriber",
+ "wiremock",
 ]

 [[package]]
@@ -3163,8 +2734,6 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "axum",
- "bytes",
- "codex-api",
 "codex-client",
 "codex-config",
 "codex-exec-server",
@@ -3224,14 +2793,11 @@ name = "codex-rollout-trace"
 version = "0.0.0"
 dependencies = [
 "anyhow",
- "codex-code-mode",
 "codex-protocol",
 "pretty_assertions",
 "serde",
 "serde_json",
 "tempfile",
- "tracing",
- "uuid",
 ]

 [[package]]
@@ -3398,7 +2964,6 @@ dependencies = [
 "tonic",
 "tonic-prost",
 "tonic-prost-build",
- "tracing",
 "uuid",
 ]

@@ -3438,7 +3003,6 @@ dependencies = [
 "codex-cloud-requirements",
 "codex-config",
 "codex-connectors",
- "codex-core-plugins",
 "codex-core-skills",
 "codex-exec-server",
 "codex-features",
@@ -4215,40 +3779,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a"
 dependencies = [
 "generic-array",
- "rand_core 0.6.4",
 "typenum",
 ]

-[[package]]
-name = "crypto_box"
-version = "0.9.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "16182b4f39a82ec8a6851155cc4c0cda3065bb1db33651726a29e1951de0f009"
-dependencies = [
- "aead",
- "blake2",
- "crypto_secretbox",
- "curve25519-dalek",
- "salsa20",
- "subtle",
- "zeroize",
-]
-
-[[package]]
-name = "crypto_secretbox"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b9d6cf87adf719ddf43a805e92c6870a531aedda35ff640442cbaf8674e141e1"
-dependencies = [
- "aead",
- "cipher",
- "generic-array",
- "poly1305",
- "salsa20",
- "subtle",
- "zeroize",
-]
-
 [[package]]
 name = "csv"
 version = "1.4.0"
@@ -4305,7 +3838,6 @@ dependencies = [
 "cfg-if",
 "cpufeatures",
 "curve25519-dalek-derive",
- "digest",
 "fiat-crypto",
 "rustc_version",
 "subtle",
@@ -4935,30 +4467,6 @@ dependencies = [
 "spki",
 ]

-[[package]]
-name = "ed25519"
-version = "2.2.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "115531babc129696a58c64a4fef0a8bf9e9698629fb97e9e40767d235cfbcd53"
-dependencies = [
- "pkcs8",
- "signature",
-]
-
-[[package]]
-name = "ed25519-dalek"
-version = "2.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "70e796c081cee67dc755e1a36a0a172b897fab85fc3f6bc48307991f64e4eca9"
-dependencies = [
- "curve25519-dalek",
- "ed25519",
- "serde",
- "sha2",
- "subtle",
- "zeroize",
-]
-
 [[package]]
 name = "either"
 version = "1.15.0"
@@ -6914,17 +6422,6 @@ dependencies = [
 "itoa",
 ]

-[[package]]
-name = "http-body"
-version = "0.4.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7ceab25649e9960c0311ea418d17bee82c0dcec1bd053b5f9a66e265a693bed2"
-dependencies = [
- "bytes",
- "http 0.2.12",
- "pin-project-lite",
-]
-
 [[package]]
 name = "http-body"
 version = "1.0.1"
@@ -6944,7 +6441,7 @@ dependencies = [
 "bytes",
 "futures-core",
 "http 1.4.0",
- "http-body 1.0.1",
+ "http-body",
 "pin-project-lite",
 ]

@@ -6978,7 +6475,7 @@ dependencies = [
 "futures-core",
 "h2",
 "http 1.4.0",
- "http-body 1.0.1",
+ "http-body",
 "httparse",
 "httpdate",
 "itoa",
@@ -7047,7 +6544,7 @@ dependencies = [
 "futures-channel",
 "futures-util",
 "http 1.4.0",
- "http-body 1.0.1",
+ "http-body",
 "hyper",
 "ipnet",
 "libc",
@@ -8668,7 +8165,7 @@ version = "5.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "51e219e79014df21a225b1860a479e2dcd7cbd9130f4defd4bd0e191ea31d67d"
 dependencies = [
- "base64 0.21.7",
+ "base64 0.22.1",
 "chrono",
 "getrandom 0.2.17",
 "http 1.4.0",
@@ -9136,15 +8633,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7d8fae84b431384b68627d0f9b3b1245fcf9f46f6c0e3dc902e9dce64edd1967"
 dependencies = [
 "libc",
- "windows-sys 0.45.0",
+ "windows-sys 0.61.2",
 ]

-[[package]]
-name = "outref"
-version = "0.5.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1a80800c0488c3a21695ea981a54918fbb37abf04f4d0720c453632255e2ff0e"
-
 [[package]]
 name = "owo-colors"
 version = "4.3.0"
@@ -10103,7 +9594,7 @@ dependencies = [
 "const_format",
 "fnv",
 "http 1.4.0",
- "http-body 1.0.1",
+ "http-body",
 "http-body-util",
 "itoa",
 "memchr",
@@ -10504,7 +9995,7 @@ dependencies = [
 "futures-util",
 "h2",
 "http 1.4.0",
- "http-body 1.0.1",
+ "http-body",
 "http-body-util",
 "hyper",
 "hyper-rustls",
@@ -10592,7 +10083,7 @@ dependencies = [
 "chrono",
 "futures",
 "http 1.4.0",
- "http-body 1.0.1",
+ "http-body",
 "http-body-util",
 "oauth2",
 "pastey",
@@ -10805,9 +10296,9 @@ dependencies = [

 [[package]]
 name = "rustls-webpki"
-version = "0.103.13"
+version = "0.103.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e"
+checksum = "8279bb85272c9f10811ae6a6c547ff594d6a7f3c6c6b02ee9726d1d0dcfcdd06"
 dependencies = [
 "aws-lc-rs",
 "ring",
@@ -11871,7 +11362,7 @@ checksum = "eb4dc4d33c68ec1f27d386b5610a351922656e1fdf5c05bbaad930cd1519479a"
 dependencies = [
 "bytes",
 "futures-util",
- "http-body 1.0.1",
+ "http-body",
 "http-body-util",
 "pin-project-lite",
 ]
@@ -12747,7 +12238,7 @@ dependencies = [
 "bytes",
 "h2",
 "http 1.4.0",
- "http-body 1.0.1",
+ "http-body",
 "http-body-util",
 "hyper",
 "hyper-timeout",
@@ -12834,7 +12325,7 @@ dependencies = [
 "bytes",
 "futures-util",
 "http 1.4.0",
- "http-body 1.0.1",
+ "http-body",
 "iri-string",
 "pin-project-lite",
 "tower",
@@ -13378,12 +12869,6 @@ version = "0.9.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"

-[[package]]
-name = "vsimd"
-version = "0.8.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c3082ca00d5a5ef149bb8b555a72ae84c9c59f7250f013ac822ac2e49b19c64"
-
 [[package]]
 name = "vt100"
 version = "0.16.2"
@@ -13770,7 +13255,7 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.48.0",
+ "windows-sys 0.61.2",
 ]

 [[package]]
@@ -14450,12 +13935,6 @@ dependencies = [
 "windows-sys 0.59.0",
 ]

-[[package]]
-name = "xmlparser"
-version = "0.13.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "66fee0b777b0f5ac1c69bb06d361268faafa61cd4682ae064a171c16c433e9e4"
-
 [[package]]
 name = "xz2"
 version = "0.1.7"
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -1,8 +1,6 @@
 [workspace]
 members = [
-    "aws-auth",
    "analytics",
-    "agent-identity",
    "backend-client",
    "ansi-escape",
    "async-utils",
@@ -101,7 +99,7 @@ members = [
 resolver = "2"

 [workspace.package]
-version = "0.126.0-alpha.3"
+version = "0.0.0"
 # Track the edition for all workspace crates in one place. Individual
 # crates can still override this value, but keeping it here means new
 # crates created with `cargo new -w ...` automatically inherit the 2024
@@ -113,10 +111,8 @@ license = "Apache-2.0"
 # Internal
 app_test_support = { path = "app-server/tests/common" }
 codex-analytics = { path = "analytics" }
-codex-agent-identity = { path = "agent-identity" }
 codex-ansi-escape = { path = "ansi-escape" }
 codex-api = { path = "codex-api" }
-codex-aws-auth = { path = "aws-auth" }
 codex-app-server = { path = "app-server" }
 codex-app-server-client = { path = "app-server-client" }
 codex-app-server-protocol = { path = "app-server-protocol" }
@@ -169,7 +165,6 @@ codex-responses-api-proxy = { path = "responses-api-proxy" }
 codex-response-debug-context = { path = "response-debug-context" }
 codex-rmcp-client = { path = "rmcp-client" }
 codex-rollout = { path = "rollout" }
-codex-rollout-trace = { path = "rollout-trace" }
 codex-sandboxing = { path = "sandboxing" }
 codex-secrets = { path = "secrets" }
 codex-shell-command = { path = "shell-command" }
@@ -223,10 +218,6 @@ async-channel = "2.3.1"
 async-io = "2.6.0"
 async-stream = "0.3.6"
 async-trait = "0.1.89"
-aws-config = "1"
-aws-credential-types = "1"
-aws-sigv4 = "1"
-aws-types = "1"
 axum = { version = "0.8", default-features = false }
 base64 = "0.22.1"
 bm25 = "2.3.2"
@@ -238,7 +229,6 @@ clap_complete = "4"
 color-eyre = "0.6.3"
 constant_time_eq = "0.3.1"
 crossbeam-channel = "0.5.15"
-crypto_box = { version = "0.9.1", features = ["seal"] }
 crossterm = "0.28.1"
 csv = "1.3.1"
 ctor = "0.6.3"
@@ -249,7 +239,6 @@ dirs = "6"
 dns-lookup = "3.0.1"
 dotenvy = "0.15.7"
 dunce = "1.0.4"
-ed25519-dalek = { version = "2.2.0", features = ["pkcs8"] }
 encoding_rs = "0.8.35"
 env-flags = "0.1.1"
 env_logger = "0.11.9"
--- a/codex-rs/README.md
+++ b/codex-rs/README.md
@@ -94,7 +94,7 @@ In `workspace-write`, Codex also includes `~/.codex/memories` in its writable ro

 This folder is the root of a Cargo workspace. It contains quite a bit of experimental code, but here are the key crates:

- [`core/`](./core) contains the business logic for Codex. Ultimately, we hope this becomes a library crate that is generally useful for building other Rust/native applications that use Codex.
+- [`core/`](./core) contains the business logic for Codex. Ultimately, we hope this to be a library crate that is generally useful for building other Rust/native applications that use Codex.
 - [`exec/`](./exec) "headless" CLI for use in automation.
 - [`tui/`](./tui) CLI that launches a fullscreen TUI built with [Ratatui](https://ratatui.rs/).
 - [`cli/`](./cli) CLI multitool that provides the aforementioned CLIs via subcommands.
--- a/codex-rs/agent-identity/BUILD.bazel
+++ b/codex-rs/agent-identity/BUILD.bazel
@@ -1,6 +0,0 @@
-load("//:defs.bzl", "codex_rust_crate")
-
-codex_rust_crate(
-    name = "agent-identity",
-    crate_name = "codex_agent_identity",
-)
--- a/codex-rs/agent-identity/Cargo.toml
+++ b/codex-rs/agent-identity/Cargo.toml
@@ -1,29 +0,0 @@
-[package]
-edition.workspace = true
-license.workspace = true
-name = "codex-agent-identity"
-version.workspace = true
-
-[lib]
-doctest = false
-name = "codex_agent_identity"
-path = "src/lib.rs"
-
-[lints]
-workspace = true
-
-[dependencies]
-anyhow = { workspace = true }
-base64 = { workspace = true }
-chrono = { workspace = true }
-codex-protocol = { workspace = true }
-crypto_box = { workspace = true }
-ed25519-dalek = { workspace = true }
-rand = { workspace = true }
-reqwest = { workspace = true, features = ["json"] }
-serde = { workspace = true, features = ["derive"] }
-serde_json = { workspace = true }
-sha2 = { workspace = true }
-
-[dev-dependencies]
-pretty_assertions = { workspace = true }
--- a/codex-rs/agent-identity/src/lib.rs
+++ b/codex-rs/agent-identity/src/lib.rs
@@ -1,414 +0,0 @@
-use std::collections::BTreeMap;
-use std::time::Duration;
-
-use anyhow::Context;
-use anyhow::Result;
-use base64::Engine as _;
-use base64::engine::general_purpose::STANDARD as BASE64_STANDARD;
-use base64::engine::general_purpose::URL_SAFE_NO_PAD;
-use chrono::SecondsFormat;
-use chrono::Utc;
-use codex_protocol::protocol::SessionSource;
-use crypto_box::SecretKey as Curve25519SecretKey;
-use ed25519_dalek::Signer as _;
-use ed25519_dalek::SigningKey;
-use ed25519_dalek::VerifyingKey;
-use ed25519_dalek::pkcs8::DecodePrivateKey;
-use ed25519_dalek::pkcs8::EncodePrivateKey;
-use rand::TryRngCore;
-use rand::rngs::OsRng;
-use serde::Deserialize;
-use serde::Serialize;
-use sha2::Digest as _;
-use sha2::Sha512;
-
-const AGENT_TASK_REGISTRATION_TIMEOUT: Duration = Duration::from_secs(30);
-
-/// Stored key material for a registered agent identity.
-#[derive(Clone, Copy, Debug, PartialEq, Eq)]
-pub struct AgentIdentityKey<'a> {
-    pub agent_runtime_id: &'a str,
-    pub private_key_pkcs8_base64: &'a str,
-}
-
-/// Task binding to use when constructing a task-scoped AgentAssertion.
-#[derive(Clone, Copy, Debug, PartialEq, Eq)]
-pub struct AgentTaskAuthorizationTarget<'a> {
-    pub agent_runtime_id: &'a str,
-    pub task_id: &'a str,
-}
-
-#[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq)]
-pub struct AgentBillOfMaterials {
-    pub agent_version: String,
-    pub agent_harness_id: String,
-    pub running_location: String,
-}
-
-pub struct GeneratedAgentKeyMaterial {
-    pub private_key_pkcs8_base64: String,
-    pub public_key_ssh: String,
-}
-
-#[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq)]
-struct AgentAssertionEnvelope {
-    agent_runtime_id: String,
-    task_id: String,
-    timestamp: String,
-    signature: String,
-}
-
-#[derive(Serialize)]
-struct RegisterTaskRequest {
-    timestamp: String,
-    signature: String,
-}
-
-#[derive(Deserialize)]
-struct RegisterTaskResponse {
-    #[serde(default)]
-    task_id: Option<String>,
-    #[serde(default, rename = "taskId")]
-    task_id_camel: Option<String>,
-    #[serde(default)]
-    encrypted_task_id: Option<String>,
-    #[serde(default, rename = "encryptedTaskId")]
-    encrypted_task_id_camel: Option<String>,
-}
-
-pub fn authorization_header_for_agent_task(
-    key: AgentIdentityKey<'_>,
-    target: AgentTaskAuthorizationTarget<'_>,
-) -> Result<String> {
-    anyhow::ensure!(
-        key.agent_runtime_id == target.agent_runtime_id,
-        "agent task runtime {} does not match stored agent identity {}",
-        target.agent_runtime_id,
-        key.agent_runtime_id
-    );
-
-    let timestamp = Utc::now().to_rfc3339_opts(SecondsFormat::Secs, true);
-    let envelope = AgentAssertionEnvelope {
-        agent_runtime_id: target.agent_runtime_id.to_string(),
-        task_id: target.task_id.to_string(),
-        timestamp: timestamp.clone(),
-        signature: sign_agent_assertion_payload(key, target.task_id, &timestamp)?,
-    };
-    let serialized_assertion = serialize_agent_assertion(&envelope)?;
-    Ok(format!("AgentAssertion {serialized_assertion}"))
-}
-
-pub fn sign_task_registration_payload(
-    key: AgentIdentityKey<'_>,
-    timestamp: &str,
-) -> Result<String> {
-    let signing_key = signing_key_from_private_key_pkcs8_base64(key.private_key_pkcs8_base64)?;
-    let payload = format!("{}:{timestamp}", key.agent_runtime_id);
-    Ok(BASE64_STANDARD.encode(signing_key.sign(payload.as_bytes()).to_bytes()))
-}
-
-pub async fn register_agent_task(
-    client: &reqwest::Client,
-    chatgpt_base_url: &str,
-    key: AgentIdentityKey<'_>,
-) -> Result<String> {
-    let timestamp = Utc::now().to_rfc3339_opts(SecondsFormat::Secs, true);
-    let request = RegisterTaskRequest {
-        signature: sign_task_registration_payload(key, &timestamp)?,
-        timestamp,
-    };
-
-    let response = client
-        .post(agent_task_registration_url(
-            chatgpt_base_url,
-            key.agent_runtime_id,
-        ))
-        .timeout(AGENT_TASK_REGISTRATION_TIMEOUT)
-        .json(&request)
-        .send()
-        .await
-        .context("failed to register agent task")?
-        .error_for_status()
-        .context("failed to register agent task")?
-        .json()
-        .await
-        .context("failed to decode agent task registration response")?;
-
-    task_id_from_register_task_response(key, response)
-}
-
-fn task_id_from_register_task_response(
-    key: AgentIdentityKey<'_>,
-    response: RegisterTaskResponse,
-) -> Result<String> {
-    if let Some(task_id) = response.task_id.or(response.task_id_camel) {
-        return Ok(task_id);
-    }
-    let encrypted_task_id = response
-        .encrypted_task_id
-        .or(response.encrypted_task_id_camel)
-        .context("agent task registration response omitted task id")?;
-    decrypt_task_id_response(key, &encrypted_task_id)
-}
-
-pub fn decrypt_task_id_response(
-    key: AgentIdentityKey<'_>,
-    encrypted_task_id: &str,
-) -> Result<String> {
-    let signing_key = signing_key_from_private_key_pkcs8_base64(key.private_key_pkcs8_base64)?;
-    let ciphertext = BASE64_STANDARD
-        .decode(encrypted_task_id)
-        .context("encrypted task id is not valid base64")?;
-    let plaintext = curve25519_secret_key_from_signing_key(&signing_key)
-        .unseal(&ciphertext)
-        .map_err(|_| anyhow::anyhow!("failed to decrypt encrypted task id"))?;
-    String::from_utf8(plaintext).context("decrypted task id is not valid UTF-8")
-}
-
-pub fn generate_agent_key_material() -> Result<GeneratedAgentKeyMaterial> {
-    let mut secret_key_bytes = [0u8; 32];
-    OsRng
-        .try_fill_bytes(&mut secret_key_bytes)
-        .context("failed to generate agent identity private key bytes")?;
-    let signing_key = SigningKey::from_bytes(&secret_key_bytes);
-    let private_key_pkcs8 = signing_key
-        .to_pkcs8_der()
-        .context("failed to encode agent identity private key as PKCS#8")?;
-
-    Ok(GeneratedAgentKeyMaterial {
-        private_key_pkcs8_base64: BASE64_STANDARD.encode(private_key_pkcs8.as_bytes()),
-        public_key_ssh: encode_ssh_ed25519_public_key(&signing_key.verifying_key()),
-    })
-}
-
-pub fn public_key_ssh_from_private_key_pkcs8_base64(
-    private_key_pkcs8_base64: &str,
-) -> Result<String> {
-    let signing_key = signing_key_from_private_key_pkcs8_base64(private_key_pkcs8_base64)?;
-    Ok(encode_ssh_ed25519_public_key(&signing_key.verifying_key()))
-}
-
-pub fn verifying_key_from_private_key_pkcs8_base64(
-    private_key_pkcs8_base64: &str,
-) -> Result<VerifyingKey> {
-    let signing_key = signing_key_from_private_key_pkcs8_base64(private_key_pkcs8_base64)?;
-    Ok(signing_key.verifying_key())
-}
-
-pub fn curve25519_secret_key_from_private_key_pkcs8_base64(
-    private_key_pkcs8_base64: &str,
-) -> Result<Curve25519SecretKey> {
-    let signing_key = signing_key_from_private_key_pkcs8_base64(private_key_pkcs8_base64)?;
-    Ok(curve25519_secret_key_from_signing_key(&signing_key))
-}
-
-pub fn agent_registration_url(chatgpt_base_url: &str) -> String {
-    let trimmed = chatgpt_base_url.trim_end_matches('/');
-    format!("{trimmed}/v1/agent/register")
-}
-
-pub fn agent_task_registration_url(chatgpt_base_url: &str, agent_runtime_id: &str) -> String {
-    let trimmed = chatgpt_base_url.trim_end_matches('/');
-    format!("{trimmed}/v1/agent/{agent_runtime_id}/task/register")
-}
-
-pub fn agent_identity_biscuit_url(chatgpt_base_url: &str) -> String {
-    let trimmed = chatgpt_base_url.trim_end_matches('/');
-    format!("{trimmed}/authenticate_app_v2")
-}
-
-pub fn agent_identity_request_id() -> Result<String> {
-    let mut request_id_bytes = [0u8; 16];
-    OsRng
-        .try_fill_bytes(&mut request_id_bytes)
-        .context("failed to generate agent identity request id")?;
-    Ok(format!(
-        "codex-agent-identity-{}",
-        URL_SAFE_NO_PAD.encode(request_id_bytes)
-    ))
-}
-
-pub fn normalize_chatgpt_base_url(chatgpt_base_url: &str) -> String {
-    let mut base_url = chatgpt_base_url.trim_end_matches('/').to_string();
-    for suffix in [
-        "/wham/remote/control/server/enroll",
-        "/wham/remote/control/server",
-    ] {
-        if let Some(stripped) = base_url.strip_suffix(suffix) {
-            base_url = stripped.to_string();
-            break;
-        }
-    }
-    if let Some(stripped) = base_url.strip_suffix("/codex") {
-        base_url = stripped.to_string();
-    }
-    if (base_url.starts_with("https://chatgpt.com")
-        || base_url.starts_with("https://chat.openai.com"))
-        && !base_url.contains("/backend-api")
-    {
-        base_url = format!("{base_url}/backend-api");
-    }
-    base_url
-}
-
-pub fn build_abom(session_source: SessionSource) -> AgentBillOfMaterials {
-    AgentBillOfMaterials {
-        agent_version: env!("CARGO_PKG_VERSION").to_string(),
-        agent_harness_id: match &session_source {
-            SessionSource::VSCode => "codex-app".to_string(),
-            SessionSource::Cli
-            | SessionSource::Exec
-            | SessionSource::Mcp
-            | SessionSource::Custom(_)
-            | SessionSource::SubAgent(_)
-            | SessionSource::Unknown => "codex-cli".to_string(),
-        },
-        running_location: format!("{}-{}", session_source, std::env::consts::OS),
-    }
-}
-
-pub fn encode_ssh_ed25519_public_key(verifying_key: &VerifyingKey) -> String {
-    let mut blob = Vec::with_capacity(4 + 11 + 4 + 32);
-    append_ssh_string(&mut blob, b"ssh-ed25519");
-    append_ssh_string(&mut blob, verifying_key.as_bytes());
-    format!("ssh-ed25519 {}", BASE64_STANDARD.encode(blob))
-}
-
-fn sign_agent_assertion_payload(
-    key: AgentIdentityKey<'_>,
-    task_id: &str,
-    timestamp: &str,
-) -> Result<String> {
-    let signing_key = signing_key_from_private_key_pkcs8_base64(key.private_key_pkcs8_base64)?;
-    let payload = format!("{}:{task_id}:{timestamp}", key.agent_runtime_id);
-    Ok(BASE64_STANDARD.encode(signing_key.sign(payload.as_bytes()).to_bytes()))
-}
-
-fn serialize_agent_assertion(envelope: &AgentAssertionEnvelope) -> Result<String> {
-    let payload = serde_json::to_vec(&BTreeMap::from([
-        ("agent_runtime_id", envelope.agent_runtime_id.as_str()),
-        ("signature", envelope.signature.as_str()),
-        ("task_id", envelope.task_id.as_str()),
-        ("timestamp", envelope.timestamp.as_str()),
-    ]))
-    .context("failed to serialize agent assertion envelope")?;
-    Ok(URL_SAFE_NO_PAD.encode(payload))
-}
-
-fn curve25519_secret_key_from_signing_key(signing_key: &SigningKey) -> Curve25519SecretKey {
-    let digest = Sha512::digest(signing_key.to_bytes());
-    let mut secret_key = [0u8; 32];
-    secret_key.copy_from_slice(&digest[..32]);
-    secret_key[0] &= 248;
-    secret_key[31] &= 127;
-    secret_key[31] |= 64;
-    Curve25519SecretKey::from(secret_key)
-}
-
-fn append_ssh_string(buf: &mut Vec<u8>, value: &[u8]) {
-    buf.extend_from_slice(&(value.len() as u32).to_be_bytes());
-    buf.extend_from_slice(value);
-}
-
-fn signing_key_from_private_key_pkcs8_base64(private_key_pkcs8_base64: &str) -> Result<SigningKey> {
-    let private_key = BASE64_STANDARD
-        .decode(private_key_pkcs8_base64)
-        .context("stored agent identity private key is not valid base64")?;
-    SigningKey::from_pkcs8_der(&private_key)
-        .context("stored agent identity private key is not valid PKCS#8")
-}
-
-#[cfg(test)]
-mod tests {
-    use base64::Engine as _;
-    use ed25519_dalek::Signature;
-    use ed25519_dalek::Verifier as _;
-    use pretty_assertions::assert_eq;
-
-    use super::*;
-
-    #[test]
-    fn authorization_header_for_agent_task_serializes_signed_agent_assertion() {
-        let signing_key = SigningKey::from_bytes(&[7u8; 32]);
-        let private_key = signing_key
-            .to_pkcs8_der()
-            .expect("encode test key material");
-        let key = AgentIdentityKey {
-            agent_runtime_id: "agent-123",
-            private_key_pkcs8_base64: &BASE64_STANDARD.encode(private_key.as_bytes()),
-        };
-        let target = AgentTaskAuthorizationTarget {
-            agent_runtime_id: "agent-123",
-            task_id: "task-123",
-        };
-
-        let header =
-            authorization_header_for_agent_task(key, target).expect("build agent assertion header");
-        let token = header
-            .strip_prefix("AgentAssertion ")
-            .expect("agent assertion scheme");
-        let payload = URL_SAFE_NO_PAD
-            .decode(token)
-            .expect("valid base64url payload");
-        let envelope: AgentAssertionEnvelope =
-            serde_json::from_slice(&payload).expect("valid assertion envelope");
-
-        assert_eq!(
-            envelope,
-            AgentAssertionEnvelope {
-                agent_runtime_id: "agent-123".to_string(),
-                task_id: "task-123".to_string(),
-                timestamp: envelope.timestamp.clone(),
-                signature: envelope.signature.clone(),
-            }
-        );
-        let signature_bytes = BASE64_STANDARD
-            .decode(&envelope.signature)
-            .expect("valid base64 signature");
-        let signature = Signature::from_slice(&signature_bytes).expect("valid signature bytes");
-        signing_key
-            .verifying_key()
-            .verify(
-                format!(
-                    "{}:{}:{}",
-                    envelope.agent_runtime_id, envelope.task_id, envelope.timestamp
-                )
-                .as_bytes(),
-                &signature,
-            )
-            .expect("signature should verify");
-    }
-
-    #[test]
-    fn authorization_header_for_agent_task_rejects_mismatched_runtime() {
-        let signing_key = SigningKey::from_bytes(&[7u8; 32]);
-        let private_key = signing_key
-            .to_pkcs8_der()
-            .expect("encode test key material");
-        let private_key_pkcs8_base64 = BASE64_STANDARD.encode(private_key.as_bytes());
-        let key = AgentIdentityKey {
-            agent_runtime_id: "agent-123",
-            private_key_pkcs8_base64: &private_key_pkcs8_base64,
-        };
-        let target = AgentTaskAuthorizationTarget {
-            agent_runtime_id: "agent-456",
-            task_id: "task-123",
-        };
-
-        let error = authorization_header_for_agent_task(key, target)
-            .expect_err("runtime mismatch should fail");
-
-        assert_eq!(
-            error.to_string(),
-            "agent task runtime agent-456 does not match stored agent identity agent-123"
-        );
-    }
-
-    #[test]
-    fn normalize_chatgpt_base_url_strips_codex_before_backend_api() {
-        assert_eq!(
-            normalize_chatgpt_base_url("https://chatgpt.com/codex"),
-            "https://chatgpt.com/backend-api"
-        );
-    }
-}
--- a/codex-rs/analytics/Cargo.toml
+++ b/codex-rs/analytics/Cargo.toml
@@ -16,7 +16,6 @@ workspace = true
 codex-app-server-protocol = { workspace = true }
 codex-git-utils = { workspace = true }
 codex-login = { workspace = true }
-codex-model-provider = { workspace = true }
 codex-plugin = { workspace = true }
 codex-protocol = { workspace = true }
 os_info = { workspace = true }
--- a/codex-rs/analytics/src/analytics_client_tests.rs
+++ b/codex-rs/analytics/src/analytics_client_tests.rs
@@ -65,7 +65,6 @@ use codex_app_server_protocol::InitializeCapabilities;
 use codex_app_server_protocol::InitializeParams;
 use codex_app_server_protocol::JSONRPCErrorError;
 use codex_app_server_protocol::NonSteerableTurnKind;
-use codex_app_server_protocol::PermissionProfile as AppServerPermissionProfile;
 use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::SandboxPolicy as AppServerSandboxPolicy;
 use codex_app_server_protocol::ServerNotification;
@@ -92,7 +91,6 @@ use codex_plugin::PluginTelemetryMetadata;
 use codex_protocol::approvals::NetworkApprovalProtocol;
 use codex_protocol::config_types::ApprovalsReviewer;
 use codex_protocol::config_types::ModeKind;
-use codex_protocol::models::PermissionProfile as CorePermissionProfile;
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::HookEventName;
 use codex_protocol::protocol::HookRunStatus;
@@ -154,16 +152,11 @@ fn sample_thread_start_response(thread_id: &str, ephemeral: bool, model: &str) -
            approval_policy: AppServerAskForApproval::OnFailure,
            approvals_reviewer: AppServerApprovalsReviewer::User,
            sandbox: AppServerSandboxPolicy::DangerFullAccess,
-            permission_profile: Some(sample_permission_profile()),
            reasoning_effort: None,
        },
    }
 }

-fn sample_permission_profile() -> AppServerPermissionProfile {
-    CorePermissionProfile::from_legacy_sandbox_policy(&SandboxPolicy::DangerFullAccess).into()
-}
-
 fn sample_app_server_client_metadata() -> CodexAppServerClientMetadata {
    CodexAppServerClientMetadata {
        product_client_id: DEFAULT_ORIGINATOR.to_string(),
@@ -210,7 +203,6 @@ fn sample_thread_resume_response_with_source(
            approval_policy: AppServerAskForApproval::OnFailure,
            approvals_reviewer: AppServerApprovalsReviewer::User,
            sandbox: AppServerSandboxPolicy::DangerFullAccess,
-            permission_profile: Some(sample_permission_profile()),
            reasoning_effort: None,
        },
    }
@@ -320,7 +312,7 @@ fn sample_turn_resolved_config(turn_id: &str) -> TurnResolvedConfigFact {
        reasoning_summary: None,
        service_tier: None,
        approval_policy: AskForApproval::OnRequest,
-        approvals_reviewer: ApprovalsReviewer::AutoReview,
+        approvals_reviewer: ApprovalsReviewer::GuardianSubagent,
        sandbox_network_access: true,
        collaboration_mode: ModeKind::Plan,
        personality: None,
@@ -1330,7 +1322,7 @@ fn subagent_thread_started_other_serializes_explicit_parent_thread_id() {
        },
    ));

-    let payload = serde_json::to_value(&event).expect("serialize auto-review subagent event");
+    let payload = serde_json::to_value(&event).expect("serialize guardian subagent event");
    assert_eq!(payload["event_params"]["subagent_source"], "guardian");
    assert_eq!(
        payload["event_params"]["parent_thread_id"],
@@ -1754,7 +1746,7 @@ fn turn_event_serializes_expected_shape() {
            reasoning_summary: Some("detailed".to_string()),
            service_tier: "flex".to_string(),
            approval_policy: "on-request".to_string(),
-            approvals_reviewer: "auto_review".to_string(),
+            approvals_reviewer: "guardian_subagent".to_string(),
            sandbox_network_access: true,
            collaboration_mode: Some("plan"),
            personality: Some("pragmatic".to_string()),
@@ -1815,7 +1807,7 @@ fn turn_event_serializes_expected_shape() {
                "reasoning_summary": "detailed",
                "service_tier": "flex",
                "approval_policy": "on-request",
-                "approvals_reviewer": "auto_review",
+                "approvals_reviewer": "guardian_subagent",
                "sandbox_network_access": true,
                "collaboration_mode": "plan",
                "personality": "pragmatic",
--- a/codex-rs/analytics/src/client.rs
+++ b/codex-rs/analytics/src/client.rs
@@ -1,6 +1,5 @@
 use crate::events::AppServerRpcTransport;
-use crate::events::GuardianReviewAnalyticsResult;
-use crate::events::GuardianReviewTrackContext;
+use crate::events::GuardianReviewEventParams;
 use crate::events::TrackEventRequest;
 use crate::events::TrackEventsRequest;
 use crate::events::current_runtime_metadata;
@@ -162,13 +161,9 @@ impl AnalyticsEventsClient {
        ));
    }

-    pub fn track_guardian_review(
-        &self,
-        tracking: &GuardianReviewTrackContext,
-        result: GuardianReviewAnalyticsResult,
-    ) {
+    pub fn track_guardian_review(&self, input: GuardianReviewEventParams) {
        self.record_fact(AnalyticsFact::Custom(CustomAnalyticsFact::GuardianReview(
-            Box::new(tracking.event_params(result)),
+            Box::new(input),
        )));
    }

@@ -312,9 +307,16 @@ async fn send_track_events(
    let Some(auth) = auth_manager.auth().await else {
        return;
    };
-    if !auth.uses_codex_backend() {
+    if !auth.is_chatgpt_auth() {
        return;
    }
+    let access_token = match auth.get_token() {
+        Ok(token) => token,
+        Err(_) => return,
+    };
+    let Some(account_id) = auth.get_account_id() else {
+        return;
+    };

    let base_url = base_url.trim_end_matches('/');
    let url = format!("{base_url}/codex/analytics-events/events");
@@ -323,7 +325,8 @@ async fn send_track_events(
    let response = create_client()
        .post(&url)
        .timeout(ANALYTICS_EVENTS_TIMEOUT)
-        .headers(codex_model_provider::auth_provider_from_auth(&auth).to_auth_headers())
+        .bearer_auth(&access_token)
+        .header("chatgpt-account-id", &account_id)
        .header("Content-Type", "application/json")
        .json(&payload)
        .send()
--- a/codex-rs/analytics/src/events.rs
+++ b/codex-rs/analytics/src/events.rs
@@ -1,5 +1,3 @@
-use std::time::Instant;
-
 use crate::facts::AppInvocation;
 use crate::facts::CodexCompactionEvent;
 use crate::facts::CompactionImplementation;
@@ -18,12 +16,11 @@ use crate::facts::TurnStatus;
 use crate::facts::TurnSteerRejectionReason;
 use crate::facts::TurnSteerResult;
 use crate::facts::TurnSubmissionType;
-use crate::now_unix_seconds;
 use codex_app_server_protocol::CodexErrorInfo;
 use codex_login::default_client::originator;
 use codex_plugin::PluginTelemetryMetadata;
 use codex_protocol::approvals::NetworkApprovalProtocol;
-use codex_protocol::models::AdditionalPermissionProfile;
+use codex_protocol::models::PermissionProfile;
 use codex_protocol::models::SandboxPermissions;
 use codex_protocol::protocol::GuardianAssessmentOutcome;
 use codex_protocol::protocol::GuardianCommandSource;
@@ -33,7 +30,6 @@ use codex_protocol::protocol::HookEventName;
 use codex_protocol::protocol::HookRunStatus;
 use codex_protocol::protocol::HookSource;
 use codex_protocol::protocol::SubAgentSource;
-use codex_protocol::protocol::TokenUsage;
 use serde::Serialize;

 #[derive(Clone, Copy, Debug, Serialize)]
@@ -180,17 +176,17 @@ pub enum GuardianApprovalRequestSource {
 pub enum GuardianReviewedAction {
    Shell {
        sandbox_permissions: SandboxPermissions,
-        additional_permissions: Option<AdditionalPermissionProfile>,
+        additional_permissions: Option<PermissionProfile>,
    },
    UnifiedExec {
        sandbox_permissions: SandboxPermissions,
-        additional_permissions: Option<AdditionalPermissionProfile>,
+        additional_permissions: Option<PermissionProfile>,
        tty: bool,
    },
    Execve {
        source: GuardianCommandSource,
        program: String,
-        additional_permissions: Option<AdditionalPermissionProfile>,
+        additional_permissions: Option<PermissionProfile>,
    },
    ApplyPatch {},
    NetworkAccess {
@@ -204,7 +200,6 @@ pub enum GuardianReviewedAction {
        connector_name: Option<String>,
        tool_title: Option<String>,
    },
-    RequestPermissions {},
 }

 #[derive(Clone, Serialize)]
@@ -240,142 +235,6 @@ pub struct GuardianReviewEventParams {
    pub total_tokens: Option<i64>,
 }

-pub struct GuardianReviewTrackContext {
-    thread_id: String,
-    turn_id: String,
-    review_id: String,
-    target_item_id: Option<String>,
-    approval_request_source: GuardianApprovalRequestSource,
-    reviewed_action: GuardianReviewedAction,
-    review_timeout_ms: u64,
-    started_at: u64,
-    started_instant: Instant,
-}
-
-impl GuardianReviewTrackContext {
-    pub fn new(
-        thread_id: String,
-        turn_id: String,
-        review_id: String,
-        target_item_id: Option<String>,
-        approval_request_source: GuardianApprovalRequestSource,
-        reviewed_action: GuardianReviewedAction,
-        review_timeout_ms: u64,
-    ) -> Self {
-        Self {
-            thread_id,
-            turn_id,
-            review_id,
-            target_item_id,
-            approval_request_source,
-            reviewed_action,
-            review_timeout_ms,
-            started_at: now_unix_seconds(),
-            started_instant: Instant::now(),
-        }
-    }
-
-    pub(crate) fn event_params(
-        &self,
-        result: GuardianReviewAnalyticsResult,
-    ) -> GuardianReviewEventParams {
-        GuardianReviewEventParams {
-            thread_id: self.thread_id.clone(),
-            turn_id: self.turn_id.clone(),
-            review_id: self.review_id.clone(),
-            target_item_id: self.target_item_id.clone(),
-            approval_request_source: self.approval_request_source,
-            reviewed_action: self.reviewed_action.clone(),
-            reviewed_action_truncated: result.reviewed_action_truncated,
-            decision: result.decision,
-            terminal_status: result.terminal_status,
-            failure_reason: result.failure_reason,
-            risk_level: result.risk_level,
-            user_authorization: result.user_authorization,
-            outcome: result.outcome,
-            guardian_thread_id: result.guardian_thread_id,
-            guardian_session_kind: result.guardian_session_kind,
-            guardian_model: result.guardian_model,
-            guardian_reasoning_effort: result.guardian_reasoning_effort,
-            had_prior_review_context: result.had_prior_review_context,
-            review_timeout_ms: self.review_timeout_ms,
-            // TODO(rhan-oai): plumb nested Guardian review session tool-call counts.
-            tool_call_count: None,
-            time_to_first_token_ms: result.time_to_first_token_ms,
-            completion_latency_ms: Some(self.started_instant.elapsed().as_millis() as u64),
-            started_at: self.started_at,
-            completed_at: Some(now_unix_seconds()),
-            input_tokens: result.token_usage.as_ref().map(|usage| usage.input_tokens),
-            cached_input_tokens: result
-                .token_usage
-                .as_ref()
-                .map(|usage| usage.cached_input_tokens),
-            output_tokens: result.token_usage.as_ref().map(|usage| usage.output_tokens),
-            reasoning_output_tokens: result
-                .token_usage
-                .as_ref()
-                .map(|usage| usage.reasoning_output_tokens),
-            total_tokens: result.token_usage.as_ref().map(|usage| usage.total_tokens),
-        }
-    }
-}
-
-#[derive(Debug)]
-pub struct GuardianReviewAnalyticsResult {
-    pub decision: GuardianReviewDecision,
-    pub terminal_status: GuardianReviewTerminalStatus,
-    pub failure_reason: Option<GuardianReviewFailureReason>,
-    pub risk_level: Option<GuardianRiskLevel>,
-    pub user_authorization: Option<GuardianUserAuthorization>,
-    pub outcome: Option<GuardianAssessmentOutcome>,
-    pub guardian_thread_id: Option<String>,
-    pub guardian_session_kind: Option<GuardianReviewSessionKind>,
-    pub guardian_model: Option<String>,
-    pub guardian_reasoning_effort: Option<String>,
-    pub had_prior_review_context: Option<bool>,
-    pub reviewed_action_truncated: bool,
-    pub token_usage: Option<TokenUsage>,
-    pub time_to_first_token_ms: Option<u64>,
-}
-
-impl GuardianReviewAnalyticsResult {
-    pub fn without_session() -> Self {
-        Self {
-            decision: GuardianReviewDecision::Denied,
-            terminal_status: GuardianReviewTerminalStatus::FailedClosed,
-            failure_reason: None,
-            risk_level: None,
-            user_authorization: None,
-            outcome: None,
-            guardian_thread_id: None,
-            guardian_session_kind: None,
-            guardian_model: None,
-            guardian_reasoning_effort: None,
-            had_prior_review_context: None,
-            reviewed_action_truncated: false,
-            token_usage: None,
-            time_to_first_token_ms: None,
-        }
-    }
-
-    pub fn from_session(
-        guardian_thread_id: String,
-        guardian_session_kind: GuardianReviewSessionKind,
-        guardian_model: String,
-        guardian_reasoning_effort: Option<String>,
-        had_prior_review_context: bool,
-    ) -> Self {
-        Self {
-            guardian_thread_id: Some(guardian_thread_id),
-            guardian_session_kind: Some(guardian_session_kind),
-            guardian_model: Some(guardian_model),
-            guardian_reasoning_effort,
-            had_prior_review_context: Some(had_prior_review_context),
-            ..Self::without_session()
-        }
-    }
-}
-
 #[derive(Serialize)]
 pub(crate) struct GuardianReviewEventPayload {
    pub(crate) app_server_client: CodexAppServerClientMetadata,
--- a/codex-rs/analytics/src/lib.rs
+++ b/codex-rs/analytics/src/lib.rs
@@ -9,13 +9,11 @@ use std::time::UNIX_EPOCH;
 pub use client::AnalyticsEventsClient;
 pub use events::AppServerRpcTransport;
 pub use events::GuardianApprovalRequestSource;
-pub use events::GuardianReviewAnalyticsResult;
 pub use events::GuardianReviewDecision;
 pub use events::GuardianReviewEventParams;
 pub use events::GuardianReviewFailureReason;
 pub use events::GuardianReviewSessionKind;
 pub use events::GuardianReviewTerminalStatus;
-pub use events::GuardianReviewTrackContext;
 pub use events::GuardianReviewedAction;
 pub use facts::AnalyticsJsonRpcError;
 pub use facts::AppInvocation;
--- a/codex-rs/app-server-client/src/lib.rs
+++ b/codex-rs/app-server-client/src/lib.rs
@@ -42,8 +42,6 @@ use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::ServerRequest;
 use codex_arg0::Arg0DispatchPaths;
 use codex_config::NoopThreadConfigLoader;
-use codex_config::RemoteThreadConfigLoader;
-use codex_config::ThreadConfigLoader;
 use codex_core::config::Config;
 use codex_core::config_loader::CloudRequirementsLoader;
 use codex_core::config_loader::LoaderOverrides;
@@ -100,7 +98,7 @@ pub mod legacy_core {
    }

    pub mod plugins {
-        pub use codex_core::plugins::PluginsManager;
+        pub use codex_core::plugins::*;
    }

    pub mod review_format {
@@ -359,13 +357,6 @@ pub struct InProcessClientStartArgs {
    pub channel_capacity: usize,
 }

-fn configured_thread_config_loader(config: &Config) -> Arc<dyn ThreadConfigLoader> {
-    match config.experimental_thread_config_endpoint.as_deref() {
-        Some(endpoint) => Arc::new(RemoteThreadConfigLoader::new(endpoint)),
-        None => Arc::new(NoopThreadConfigLoader),
-    }
-}
-
 impl InProcessClientStartArgs {
    /// Builds initialize params from caller-provided metadata.
    pub fn initialize_params(&self) -> InitializeParams {
@@ -390,14 +381,13 @@ impl InProcessClientStartArgs {

    fn into_runtime_start_args(self) -> InProcessStartArgs {
        let initialize = self.initialize_params();
-        let thread_config_loader = configured_thread_config_loader(&self.config);
        InProcessStartArgs {
            arg0_paths: self.arg0_paths,
            config: self.config,
            cli_overrides: self.cli_overrides,
            loader_overrides: self.loader_overrides,
            cloud_requirements: self.cloud_requirements,
-            thread_config_loader,
+            thread_config_loader: Arc::new(NoopThreadConfigLoader),
            feedback: self.feedback,
            log_db: self.log_db,
            environment_manager: self.environment_manager,
@@ -2023,42 +2013,6 @@ mod tests {
        );
    }

-    #[tokio::test]
-    async fn runtime_start_args_use_remote_thread_config_loader_when_configured() {
-        let mut config = build_test_config().await;
-        config.experimental_thread_config_endpoint = Some("not-a-valid-endpoint".to_string());
-
-        let runtime_args = InProcessClientStartArgs {
-            arg0_paths: Arg0DispatchPaths::default(),
-            config: Arc::new(config),
-            cli_overrides: Vec::new(),
-            loader_overrides: LoaderOverrides::default(),
-            cloud_requirements: CloudRequirementsLoader::default(),
-            feedback: CodexFeedback::new(),
-            log_db: None,
-            environment_manager: Arc::new(EnvironmentManager::default_for_tests()),
-            config_warnings: Vec::new(),
-            session_source: SessionSource::Exec,
-            enable_codex_api_key_env: false,
-            client_name: "codex-app-server-client-test".to_string(),
-            client_version: "0.0.0-test".to_string(),
-            experimental_api: true,
-            opt_out_notification_methods: Vec::new(),
-            channel_capacity: DEFAULT_IN_PROCESS_CHANNEL_CAPACITY,
-        }
-        .into_runtime_start_args();
-
-        let err = runtime_args
-            .thread_config_loader
-            .load(Default::default())
-            .await
-            .expect_err("configured remote loader should try to connect");
-        assert_eq!(
-            err.code(),
-            codex_config::ThreadConfigLoadErrorCode::RequestFailed
-        );
-    }
-
    #[tokio::test]
    async fn shutdown_completes_promptly_without_retained_managers() {
        let client = start_test_client(SessionSource::Cli).await;
--- a/codex-rs/app-server-client/src/remote.rs
+++ b/codex-rs/app-server-client/src/remote.rs
@@ -20,6 +20,7 @@ use crate::RequestResult;
 use crate::SHUTDOWN_TIMEOUT;
 use crate::TypedRequestError;
 use crate::request_method_name;
+use crate::server_notification_requires_delivery;
 use codex_app_server_protocol::ClientInfo;
 use codex_app_server_protocol::ClientNotification;
 use codex_app_server_protocol::ClientRequest;
@@ -125,7 +126,7 @@ enum RemoteClientCommand {

 pub struct RemoteAppServerClient {
    command_tx: mpsc::Sender<RemoteClientCommand>,
-    event_rx: mpsc::UnboundedReceiver<AppServerEvent>,
+    event_rx: mpsc::Receiver<AppServerEvent>,
    pending_events: VecDeque<AppServerEvent>,
    worker_handle: tokio::task::JoinHandle<()>,
 }
@@ -194,10 +195,11 @@ impl RemoteAppServerClient {
        .await?;

        let (command_tx, mut command_rx) = mpsc::channel::<RemoteClientCommand>(channel_capacity);
-        let (event_tx, event_rx) = mpsc::unbounded_channel::<AppServerEvent>();
+        let (event_tx, event_rx) = mpsc::channel::<AppServerEvent>(channel_capacity);
        let worker_handle = tokio::spawn(async move {
            let mut pending_requests =
                HashMap::<RequestId, oneshot::Sender<IoResult<RequestResult>>>::new();
+            let mut skipped_events = 0usize;
            loop {
                tokio::select! {
                    command = command_rx.recv() => {
@@ -229,12 +231,15 @@ impl RemoteAppServerClient {
                                    }
                                    let _ = deliver_event(
                                        &event_tx,
+                                        &mut skipped_events,
                                        AppServerEvent::Disconnected {
                                            message: format!(
                                                "remote app server at `{websocket_url}` write failed: {err_message}"
                                            ),
                                        },
-                                    );
+                                        &mut stream,
+                                    )
+                                    .await;
                                    break;
                                }
                            }
@@ -311,8 +316,11 @@ impl RemoteAppServerClient {
                                            app_server_event_from_notification(notification)
                                            && let Err(err) = deliver_event(
                                                &event_tx,
+                                                &mut skipped_events,
                                                event,
+                                                &mut stream,
                                            )
+                                            .await
                                            {
                                                warn!(%err, "failed to deliver remote app-server event");
                                                break;
@@ -325,8 +333,11 @@ impl RemoteAppServerClient {
                                            Ok(request) => {
                                                if let Err(err) = deliver_event(
                                                    &event_tx,
+                                                    &mut skipped_events,
                                                    AppServerEvent::ServerRequest(request),
+                                                    &mut stream,
                                                )
+                                                .await
                                                {
                                                    warn!(%err, "failed to deliver remote app-server server request");
                                                    break;
@@ -353,12 +364,15 @@ impl RemoteAppServerClient {
                                                    let err_message = reject_err.to_string();
                                                    let _ = deliver_event(
                                                        &event_tx,
+                                                        &mut skipped_events,
                                                        AppServerEvent::Disconnected {
                                                            message: format!(
                                                                "remote app server at `{websocket_url}` write failed: {err_message}"
                                                            ),
                                                        },
-                                                    );
+                                                        &mut stream,
+                                                    )
+                                                    .await;
                                                    break;
                                                }
                                            }
@@ -367,12 +381,15 @@ impl RemoteAppServerClient {
                                    Err(err) => {
                                        let _ = deliver_event(
                                            &event_tx,
+                                            &mut skipped_events,
                                            AppServerEvent::Disconnected {
                                                message: format!(
                                                    "remote app server at `{websocket_url}` sent invalid JSON-RPC: {err}"
                                                ),
                                            },
-                                        );
+                                            &mut stream,
+                                        )
+                                        .await;
                                        break;
                                    }
                                }
@@ -385,12 +402,15 @@ impl RemoteAppServerClient {
                                    .unwrap_or_else(|| "connection closed".to_string());
                                let _ = deliver_event(
                                    &event_tx,
+                                    &mut skipped_events,
                                    AppServerEvent::Disconnected {
                                        message: format!(
                                            "remote app server at `{websocket_url}` disconnected: {reason}"
                                        ),
                                    },
-                                );
+                                    &mut stream,
+                                )
+                                .await;
                                break;
                            }
                            Some(Ok(Message::Binary(_)))
@@ -400,23 +420,29 @@ impl RemoteAppServerClient {
                            Some(Err(err)) => {
                                let _ = deliver_event(
                                    &event_tx,
+                                    &mut skipped_events,
                                    AppServerEvent::Disconnected {
                                        message: format!(
                                            "remote app server at `{websocket_url}` transport failed: {err}"
                                        ),
                                    },
-                                );
+                                    &mut stream,
+                                )
+                                .await;
                                break;
                            }
                            None => {
                                let _ = deliver_event(
                                    &event_tx,
+                                    &mut skipped_events,
                                    AppServerEvent::Disconnected {
                                        message: format!(
                                            "remote app server at `{websocket_url}` closed the connection"
                                        ),
                                    },
-                                );
+                                    &mut stream,
+                                )
+                                .await;
                                break;
                            }
                        }
@@ -586,9 +612,14 @@ impl RemoteAppServerClient {
            .send(RemoteClientCommand::Shutdown { response_tx })
            .await
            .is_ok()
-            && let Ok(Ok(close_result)) = timeout(SHUTDOWN_TIMEOUT, response_rx).await
+            && let Ok(command_result) = timeout(SHUTDOWN_TIMEOUT, response_rx).await
        {
-            close_result?;
+            command_result.map_err(|_| {
+                IoError::new(
+                    ErrorKind::BrokenPipe,
+                    "remote app-server shutdown channel is closed",
+                )
+            })??;
        }

        if let Err(_elapsed) = timeout(SHUTDOWN_TIMEOUT, &mut worker_handle).await {
@@ -775,16 +806,100 @@ fn app_server_event_from_notification(notification: JSONRPCNotification) -> Opti
    }
 }

-fn deliver_event(
-    event_tx: &mpsc::UnboundedSender<AppServerEvent>,
+async fn deliver_event(
+    event_tx: &mpsc::Sender<AppServerEvent>,
+    skipped_events: &mut usize,
    event: AppServerEvent,
+    stream: &mut WebSocketStream<MaybeTlsStream<TcpStream>>,
 ) -> IoResult<()> {
-    event_tx.send(event).map_err(|_| {
-        IoError::new(
+    if *skipped_events > 0 {
+        if event_requires_delivery(&event) {
+            if event_tx
+                .send(AppServerEvent::Lagged {
+                    skipped: *skipped_events,
+                })
+                .await
+                .is_err()
+            {
+                return Err(IoError::new(
+                    ErrorKind::BrokenPipe,
+                    "remote app-server event consumer channel is closed",
+                ));
+            }
+            *skipped_events = 0;
+        } else {
+            match event_tx.try_send(AppServerEvent::Lagged {
+                skipped: *skipped_events,
+            }) {
+                Ok(()) => *skipped_events = 0,
+                Err(mpsc::error::TrySendError::Full(_)) => {
+                    *skipped_events = (*skipped_events).saturating_add(1);
+                    reject_if_server_request_dropped(stream, &event).await?;
+                    return Ok(());
+                }
+                Err(mpsc::error::TrySendError::Closed(_)) => {
+                    return Err(IoError::new(
+                        ErrorKind::BrokenPipe,
+                        "remote app-server event consumer channel is closed",
+                    ));
+                }
+            }
+        }
+    }
+
+    if event_requires_delivery(&event) {
+        event_tx.send(event).await.map_err(|_| {
+            IoError::new(
+                ErrorKind::BrokenPipe,
+                "remote app-server event consumer channel is closed",
+            )
+        })?;
+        return Ok(());
+    }
+
+    match event_tx.try_send(event) {
+        Ok(()) => Ok(()),
+        Err(mpsc::error::TrySendError::Full(event)) => {
+            *skipped_events = (*skipped_events).saturating_add(1);
+            reject_if_server_request_dropped(stream, &event).await
+        }
+        Err(mpsc::error::TrySendError::Closed(_)) => Err(IoError::new(
            ErrorKind::BrokenPipe,
            "remote app-server event consumer channel is closed",
-        )
-    })
+        )),
+    }
+}
+
+async fn reject_if_server_request_dropped(
+    stream: &mut WebSocketStream<MaybeTlsStream<TcpStream>>,
+    event: &AppServerEvent,
+) -> IoResult<()> {
+    let AppServerEvent::ServerRequest(request) = event else {
+        return Ok(());
+    };
+    write_jsonrpc_message(
+        stream,
+        JSONRPCMessage::Error(JSONRPCError {
+            error: JSONRPCErrorError {
+                code: -32001,
+                message: "remote app-server event queue is full".to_string(),
+                data: None,
+            },
+            id: request.id().clone(),
+        }),
+        "<remote-app-server>",
+    )
+    .await
+}
+
+fn event_requires_delivery(event: &AppServerEvent) -> bool {
+    match event {
+        AppServerEvent::ServerNotification(notification) => {
+            server_notification_requires_delivery(notification)
+        }
+        AppServerEvent::Disconnected { .. } => true,
+        AppServerEvent::Lagged { .. } | AppServerEvent::ServerRequest(_) => false,
+    }
 }

 fn request_id_from_client_request(request: &ClientRequest) -> RequestId {
@@ -830,27 +945,40 @@ async fn write_jsonrpc_message(
            ))
        })
 }
+
 #[cfg(test)]
 mod tests {
    use super::*;

-    #[tokio::test]
-    async fn shutdown_tolerates_worker_exit_after_command_is_queued() {
-        let (command_tx, mut command_rx) = mpsc::channel(1);
-        let (_event_tx, event_rx) = mpsc::unbounded_channel::<AppServerEvent>();
-        let worker_handle = tokio::spawn(async move {
-            let _ = command_rx.recv().await;
-        });
-        let client = RemoteAppServerClient {
-            command_tx,
-            event_rx,
-            pending_events: VecDeque::new(),
-            worker_handle,
-        };
-
-        client
-            .shutdown()
-            .await
-            .expect("shutdown should complete when worker exits first");
+    #[test]
+    fn event_requires_delivery_marks_transcript_and_disconnect_events() {
+        assert!(event_requires_delivery(
+            &AppServerEvent::ServerNotification(ServerNotification::AgentMessageDelta(
+                codex_app_server_protocol::AgentMessageDeltaNotification {
+                    thread_id: "thread".to_string(),
+                    turn_id: "turn".to_string(),
+                    item_id: "item".to_string(),
+                    delta: "hello".to_string(),
+                },
+            ),)
+        ));
+        assert!(event_requires_delivery(
+            &AppServerEvent::ServerNotification(ServerNotification::ItemCompleted(
+                codex_app_server_protocol::ItemCompletedNotification {
+                    thread_id: "thread".to_string(),
+                    turn_id: "turn".to_string(),
+                    item: codex_app_server_protocol::ThreadItem::Plan {
+                        id: "item".to_string(),
+                        text: "step".to_string(),
+                    },
+                }
+            ),)
+        ));
+        assert!(event_requires_delivery(&AppServerEvent::Disconnected {
+            message: "closed".to_string(),
+        }));
+        assert!(!event_requires_delivery(&AppServerEvent::Lagged {
+            skipped: 1
+        }));
    }
 }
--- a/codex-rs/app-server-protocol/schema/json/ClientRequest.json
+++ b/codex-rs/app-server-protocol/schema/json/ClientRequest.json
@@ -13,10 +13,9 @@
      "type": "string"
    },
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
      "enum": [
        "user",
-        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
@@ -218,17 +217,6 @@
            "null"
          ]
        },
-        "permissionProfile": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PermissionProfile"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Optional full permissions profile for this command.\n\nDefaults to the user's configured permissions when omitted. Cannot be combined with `sandboxPolicy`."
-        },
        "processId": {
          "description": "Optional client-supplied, connection-scoped process id.\n\nRequired for `tty`, `streamStdin`, `streamStdoutStderr`, and follow-up `command/exec/write`, `command/exec/resize`, and `command/exec/terminate` calls. When omitted, buffered execution gets an internal id that is not exposed to the client.",
          "type": [
@@ -245,7 +233,7 @@
              "type": "null"
            }
          ],
-          "description": "Optional sandbox policy for this command.\n\nUses the same shape as thread/turn execution sandbox configuration and defaults to the user's configured policy when omitted. Cannot be combined with `permissionProfile`."
+          "description": "Optional sandbox policy for this command.\n\nUses the same shape as thread/turn execution sandbox configuration and defaults to the user's configured policy when omitted."
        },
        "size": {
          "anyOf": [
@@ -909,217 +897,6 @@
      ],
      "type": "object"
    },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
    "FsCopyParams": {
      "description": "Copy a file or directory tree on the host filesystem.",
      "properties": {
@@ -1721,17 +1498,6 @@
      ],
      "type": "object"
    },
-    "MarketplaceUpgradeParams": {
-      "properties": {
-        "marketplaceName": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "type": "object"
-    },
    "McpResourceReadParams": {
      "properties": {
        "server": {
@@ -1891,135 +1657,6 @@
      ],
      "type": "string"
    },
-    "PermissionProfile": {
-      "oneOf": [
-        {
-          "description": "Codex owns sandbox construction for this profile.",
-          "properties": {
-            "fileSystem": {
-              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
-            },
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "managed"
-              ],
-              "title": "ManagedPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "fileSystem",
-            "network",
-            "type"
-          ],
-          "title": "ManagedPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Do not apply an outer sandbox.",
-          "properties": {
-            "type": {
-              "enum": [
-                "disabled"
-              ],
-              "title": "DisabledPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DisabledPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Filesystem isolation is enforced by an external caller.",
-          "properties": {
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "external"
-              ],
-              "title": "ExternalPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "network",
-            "type"
-          ],
-          "title": "ExternalPermissionProfile",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileFileSystemPermissions": {
-      "oneOf": [
-        {
-          "properties": {
-            "entries": {
-              "items": {
-                "$ref": "#/definitions/FileSystemSandboxEntry"
-              },
-              "type": "array"
-            },
-            "globScanMaxDepth": {
-              "format": "uint",
-              "minimum": 1.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "restricted"
-              ],
-              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "entries",
-            "type"
-          ],
-          "title": "RestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "unrestricted"
-              ],
-              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        }
-      },
-      "required": [
-        "enabled"
-      ],
-      "type": "object"
-    },
    "Personality": {
      "enum": [
        "none",
@@ -2126,6 +1763,53 @@
      ],
      "type": "object"
    },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "RealtimeOutputModality": {
      "enum": [
        "text",
@@ -3009,6 +2693,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "networkAccess": {
              "default": false,
              "type": "boolean"
@@ -3065,6 +2759,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -3238,21 +2942,6 @@
      ],
      "type": "object"
    },
-    "ThreadApproveGuardianDeniedActionParams": {
-      "properties": {
-        "event": {
-          "description": "Serialized `codex_protocol::protocol::GuardianAssessmentEvent`."
-        },
-        "threadId": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "event",
-        "threadId"
-      ],
-      "type": "object"
-    },
    "ThreadArchiveParams": {
      "properties": {
        "threadId": {
@@ -3327,10 +3016,6 @@
        "ephemeral": {
          "type": "boolean"
        },
-        "excludeTurns": {
-          "description": "When true, return only thread metadata and live fork state without populating `thread.turns`. This is useful when the client plans to call `thread/turns/list` immediately after forking.",
-          "type": "boolean"
-        },
        "model": {
          "description": "Configuration overrides for the forked thread, if any.",
          "type": [
@@ -3344,17 +3029,6 @@
            "null"
          ]
        },
-        "permissionProfile": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PermissionProfile"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Full permissions override for the forked thread. Cannot be combined with `sandbox`."
-        },
        "sandbox": {
          "anyOf": [
            {
@@ -3391,15 +3065,6 @@
      ],
      "type": "object"
    },
-    "ThreadGoalStatus": {
-      "enum": [
-        "active",
-        "paused",
-        "budgetLimited",
-        "complete"
-      ],
-      "type": "string"
-    },
    "ThreadInjectItemsParams": {
      "properties": {
        "items": {
@@ -3417,19 +3082,6 @@
      ],
      "type": "object"
    },
-    "ThreadListCwdFilter": {
-      "anyOf": [
-        {
-          "type": "string"
-        },
-        {
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        }
-      ]
-    },
    "ThreadListParams": {
      "properties": {
        "archived": {
@@ -3447,15 +3099,11 @@
          ]
        },
        "cwd": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/ThreadListCwdFilter"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Optional cwd filter or filters; when set, only threads whose session cwd exactly matches one of these paths are returned."
+          "description": "Optional cwd filter; when set, only threads whose session cwd exactly matches this path are returned.",
+          "type": [
+            "string",
+            "null"
+          ]
        },
        "limit": {
          "description": "Optional page size; defaults to a reasonable server-side value.",
@@ -3514,10 +3162,6 @@
            "array",
            "null"
          ]
-        },
-        "useStateDbOnly": {
-          "description": "If true, return from the state DB without scanning JSONL rollouts to repair thread metadata. Omitted or false preserves scan-and-repair behavior.",
-          "type": "boolean"
        }
      },
      "type": "object"
@@ -3743,10 +3387,6 @@
            "null"
          ]
        },
-        "excludeTurns": {
-          "description": "When true, return only thread metadata and live-resume state without populating `thread.turns`. This is useful when the client plans to call `thread/turns/list` immediately after resuming.",
-          "type": "boolean"
-        },
        "model": {
          "description": "Configuration overrides for the resumed thread, if any.",
          "type": [
@@ -3760,17 +3400,6 @@
            "null"
          ]
        },
-        "permissionProfile": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PermissionProfile"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Full permissions override for the resumed thread. Cannot be combined with `sandbox`."
-        },
        "personality": {
          "anyOf": [
            {
@@ -3954,17 +3583,6 @@
            "null"
          ]
        },
-        "permissionProfile": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PermissionProfile"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Full permissions override for this thread. Cannot be combined with `sandbox`."
-        },
        "personality": {
          "anyOf": [
            {
@@ -4088,21 +3706,6 @@
      ],
      "type": "object"
    },
-    "TurnEnvironmentParams": {
-      "properties": {
-        "cwd": {
-          "$ref": "#/definitions/AbsolutePathBuf"
-        },
-        "environmentId": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "cwd",
-        "environmentId"
-      ],
-      "type": "object"
-    },
    "TurnInterruptParams": {
      "properties": {
        "threadId": {
@@ -4176,17 +3779,6 @@
        "outputSchema": {
          "description": "Optional JSON Schema used to constrain the final assistant message for this turn."
        },
-        "permissionProfile": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PermissionProfile"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Override the full permissions profile for this turn and subsequent turns. Cannot be combined with `sandboxPolicy`."
-        },
        "personality": {
          "anyOf": [
            {
@@ -4687,30 +4279,6 @@
      "title": "Thread/shellCommandRequest",
      "type": "object"
    },
-    {
-      "properties": {
-        "id": {
-          "$ref": "#/definitions/RequestId"
-        },
-        "method": {
-          "enum": [
-            "thread/approveGuardianDeniedAction"
-          ],
-          "title": "Thread/approveGuardianDeniedActionRequestMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/ThreadApproveGuardianDeniedActionParams"
-        }
-      },
-      "required": [
-        "id",
-        "method",
-        "params"
-      ],
-      "title": "Thread/approveGuardianDeniedActionRequest",
-      "type": "object"
-    },
    {
      "properties": {
        "id": {
@@ -4928,30 +4496,6 @@
      "title": "Marketplace/removeRequest",
      "type": "object"
    },
-    {
-      "properties": {
-        "id": {
-          "$ref": "#/definitions/RequestId"
-        },
-        "method": {
-          "enum": [
-            "marketplace/upgrade"
-          ],
-          "title": "Marketplace/upgradeRequestMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/MarketplaceUpgradeParams"
-        }
-      },
-      "required": [
-        "id",
-        "method",
-        "params"
-      ],
-      "title": "Marketplace/upgradeRequest",
-      "type": "object"
-    },
    {
      "properties": {
        "id": {
--- a/codex-rs/app-server-protocol/schema/json/CommandExecutionRequestApprovalParams.json
+++ b/codex-rs/app-server-protocol/schema/json/CommandExecutionRequestApprovalParams.json
@@ -25,7 +25,6 @@
          ]
        },
        "read": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -35,7 +34,6 @@
          ]
        },
        "write": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -78,8 +76,7 @@
            {
              "type": "null"
            }
-          ],
-          "description": "Partial overlay used for per-command permission requests."
+          ]
        }
      },
      "type": "object"
--- a/codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalParams.json
+++ b/codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalParams.json
@@ -25,7 +25,6 @@
          ]
        },
        "read": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -35,7 +34,6 @@
          ]
        },
        "write": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
--- a/codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalResponse.json
@@ -25,7 +25,6 @@
          ]
        },
        "read": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -35,7 +34,6 @@
          ]
        },
        "write": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -313,13 +311,6 @@
        }
      ],
      "default": "turn"
-    },
-    "strictAutoReview": {
-      "description": "Review every subsequent command in this turn before normal sandboxed execution.",
-      "type": [
-        "boolean",
-        "null"
-      ]
    }
  },
  "required": [
--- a/codex-rs/app-server-protocol/schema/json/ServerNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/ServerNotification.json
@@ -84,7 +84,6 @@
          ]
        },
        "read": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -94,7 +93,6 @@
          ]
        },
        "write": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -438,13 +436,6 @@
            "chatgptAuthTokens"
          ],
          "type": "string"
-        },
-        {
-          "description": "Programmatic Codex auth backed by a registered Agent Identity.",
-          "enum": [
-            "agentIdentity"
-          ],
-          "type": "string"
        }
      ]
    },
@@ -482,7 +473,6 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
-            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -1707,23 +1697,6 @@
      ],
      "type": "string"
    },
-    "GuardianWarningNotification": {
-      "properties": {
-        "message": {
-          "description": "Concise guardian warning message for the user.",
-          "type": "string"
-        },
-        "threadId": {
-          "description": "Thread target for the guardian warning.",
-          "type": "string"
-        }
-      },
-      "required": [
-        "message",
-        "threadId"
-      ],
-      "type": "object"
-    },
    "HookCompletedNotification": {
      "properties": {
        "run": {
@@ -2263,34 +2236,6 @@
      ],
      "type": "object"
    },
-    "ModelVerification": {
-      "enum": [
-        "trustedAccessForCyber"
-      ],
-      "type": "string"
-    },
-    "ModelVerificationNotification": {
-      "properties": {
-        "threadId": {
-          "type": "string"
-        },
-        "turnId": {
-          "type": "string"
-        },
-        "verifications": {
-          "items": {
-            "$ref": "#/definitions/ModelVerification"
-          },
-          "type": "array"
-        }
-      },
-      "required": [
-        "threadId",
-        "turnId",
-        "verifications"
-      ],
-      "type": "object"
-    },
    "NetworkApprovalProtocol": {
      "enum": [
        "http",
@@ -3028,93 +2973,6 @@
      ],
      "type": "object"
    },
-    "ThreadGoal": {
-      "properties": {
-        "createdAt": {
-          "format": "int64",
-          "type": "integer"
-        },
-        "objective": {
-          "type": "string"
-        },
-        "status": {
-          "$ref": "#/definitions/ThreadGoalStatus"
-        },
-        "threadId": {
-          "type": "string"
-        },
-        "timeUsedSeconds": {
-          "format": "int64",
-          "type": "integer"
-        },
-        "tokenBudget": {
-          "format": "int64",
-          "type": [
-            "integer",
-            "null"
-          ]
-        },
-        "tokensUsed": {
-          "format": "int64",
-          "type": "integer"
-        },
-        "updatedAt": {
-          "format": "int64",
-          "type": "integer"
-        }
-      },
-      "required": [
-        "createdAt",
-        "objective",
-        "status",
-        "threadId",
-        "timeUsedSeconds",
-        "tokensUsed",
-        "updatedAt"
-      ],
-      "type": "object"
-    },
-    "ThreadGoalClearedNotification": {
-      "properties": {
-        "threadId": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "threadId"
-      ],
-      "type": "object"
-    },
-    "ThreadGoalStatus": {
-      "enum": [
-        "active",
-        "paused",
-        "budgetLimited",
-        "complete"
-      ],
-      "type": "string"
-    },
-    "ThreadGoalUpdatedNotification": {
-      "properties": {
-        "goal": {
-          "$ref": "#/definitions/ThreadGoal"
-        },
-        "threadId": {
-          "type": "string"
-        },
-        "turnId": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "goal",
-        "threadId"
-      ],
-      "type": "object"
-    },
    "ThreadId": {
      "type": "string"
    },
@@ -4814,46 +4672,6 @@
      "title": "Thread/name/updatedNotification",
      "type": "object"
    },
-    {
-      "properties": {
-        "method": {
-          "enum": [
-            "thread/goal/updated"
-          ],
-          "title": "Thread/goal/updatedNotificationMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/ThreadGoalUpdatedNotification"
-        }
-      },
-      "required": [
-        "method",
-        "params"
-      ],
-      "title": "Thread/goal/updatedNotification",
-      "type": "object"
-    },
-    {
-      "properties": {
-        "method": {
-          "enum": [
-            "thread/goal/cleared"
-          ],
-          "title": "Thread/goal/clearedNotificationMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/ThreadGoalClearedNotification"
-        }
-      },
-      "required": [
-        "method",
-        "params"
-      ],
-      "title": "Thread/goal/clearedNotification",
-      "type": "object"
-    },
    {
      "properties": {
        "method": {
@@ -5497,26 +5315,6 @@
      "title": "Model/reroutedNotification",
      "type": "object"
    },
-    {
-      "properties": {
-        "method": {
-          "enum": [
-            "model/verification"
-          ],
-          "title": "Model/verificationNotificationMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/ModelVerificationNotification"
-        }
-      },
-      "required": [
-        "method",
-        "params"
-      ],
-      "title": "Model/verificationNotification",
-      "type": "object"
-    },
    {
      "properties": {
        "method": {
@@ -5537,26 +5335,6 @@
      "title": "WarningNotification",
      "type": "object"
    },
-    {
-      "properties": {
-        "method": {
-          "enum": [
-            "guardianWarning"
-          ],
-          "title": "GuardianWarningNotificationMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/GuardianWarningNotification"
-        }
-      },
-      "required": [
-        "method",
-        "params"
-      ],
-      "title": "GuardianWarningNotification",
-      "type": "object"
-    },
    {
      "properties": {
        "method": {
--- a/codex-rs/app-server-protocol/schema/json/ServerRequest.json
+++ b/codex-rs/app-server-protocol/schema/json/ServerRequest.json
@@ -25,7 +25,6 @@
          ]
        },
        "read": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -35,7 +34,6 @@
          ]
        },
        "write": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -78,8 +76,7 @@
            {
              "type": "null"
            }
-          ],
-          "description": "Partial overlay used for per-command permission requests."
+          ]
        }
      },
      "type": "object"
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json
--- a/codex-rs/app-server-protocol/schema/json/v2/AccountUpdatedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/AccountUpdatedNotification.json
@@ -24,13 +24,6 @@
            "chatgptAuthTokens"
          ],
          "type": "string"
-        },
-        {
-          "description": "Programmatic Codex auth backed by a registered Agent Identity.",
-          "enum": [
-            "agentIdentity"
-          ],
-          "type": "string"
        }
      ]
    },
--- a/codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json
@@ -27,217 +27,6 @@
      ],
      "type": "object"
    },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
    "NetworkAccess": {
      "enum": [
        "restricted",
@@ -245,135 +34,53 @@
      ],
      "type": "string"
    },
-    "PermissionProfile": {
-      "oneOf": [
-        {
-          "description": "Codex owns sandbox construction for this profile.",
-          "properties": {
-            "fileSystem": {
-              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
-            },
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "managed"
-              ],
-              "title": "ManagedPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "fileSystem",
-            "network",
-            "type"
-          ],
-          "title": "ManagedPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Do not apply an outer sandbox.",
-          "properties": {
-            "type": {
-              "enum": [
-                "disabled"
-              ],
-              "title": "DisabledPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DisabledPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Filesystem isolation is enforced by an external caller.",
-          "properties": {
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "external"
-              ],
-              "title": "ExternalPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "network",
-            "type"
-          ],
-          "title": "ExternalPermissionProfile",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileFileSystemPermissions": {
+    "ReadOnlyAccess": {
      "oneOf": [
        {
          "properties": {
-            "entries": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
              "items": {
-                "$ref": "#/definitions/FileSystemSandboxEntry"
+                "$ref": "#/definitions/AbsolutePathBuf"
              },
              "type": "array"
            },
-            "globScanMaxDepth": {
-              "format": "uint",
-              "minimum": 1.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
            "type": {
              "enum": [
                "restricted"
              ],
-              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "title": "RestrictedReadOnlyAccessType",
              "type": "string"
            }
          },
          "required": [
-            "entries",
            "type"
          ],
-          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "title": "RestrictedReadOnlyAccess",
          "type": "object"
        },
        {
          "properties": {
            "type": {
              "enum": [
-                "unrestricted"
+                "fullAccess"
              ],
-              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "title": "FullAccessReadOnlyAccessType",
              "type": "string"
            }
          },
          "required": [
            "type"
          ],
-          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "title": "FullAccessReadOnlyAccess",
          "type": "object"
        }
      ]
    },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        }
-      },
-      "required": [
-        "enabled"
-      ],
-      "type": "object"
-    },
    "SandboxPolicy": {
      "oneOf": [
        {
@@ -394,6 +101,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "networkAccess": {
              "default": false,
              "type": "boolean"
@@ -450,6 +167,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -520,17 +247,6 @@
        "null"
      ]
    },
-    "permissionProfile": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/PermissionProfile"
-        },
-        {
-          "type": "null"
-        }
-      ],
-      "description": "Optional full permissions profile for this command.\n\nDefaults to the user's configured permissions when omitted. Cannot be combined with `sandboxPolicy`."
-    },
    "processId": {
      "description": "Optional client-supplied, connection-scoped process id.\n\nRequired for `tty`, `streamStdin`, `streamStdoutStderr`, and follow-up `command/exec/write`, `command/exec/resize`, and `command/exec/terminate` calls. When omitted, buffered execution gets an internal id that is not exposed to the client.",
      "type": [
@@ -547,7 +263,7 @@
          "type": "null"
        }
      ],
-      "description": "Optional sandbox policy for this command.\n\nUses the same shape as thread/turn execution sandbox configuration and defaults to the user's configured policy when omitted. Cannot be combined with `permissionProfile`."
+      "description": "Optional sandbox policy for this command.\n\nUses the same shape as thread/turn execution sandbox configuration and defaults to the user's configured policy when omitted."
    },
    "size": {
      "anyOf": [
--- a/codex-rs/app-server-protocol/schema/json/v2/ConfigReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ConfigReadResponse.json
@@ -97,10 +97,9 @@
      "type": "object"
    },
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
      "enum": [
        "user",
-        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
--- a/codex-rs/app-server-protocol/schema/json/v2/ConfigRequirementsReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ConfigRequirementsReadResponse.json
@@ -2,10 +2,9 @@
  "$schema": "http://json-schema.org/draft-07/schema#",
  "definitions": {
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
      "enum": [
        "user",
-        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
@@ -111,161 +110,6 @@
      },
      "type": "object"
    },
-    "ConfiguredHookHandler": {
-      "oneOf": [
-        {
-          "properties": {
-            "async": {
-              "type": "boolean"
-            },
-            "command": {
-              "type": "string"
-            },
-            "statusMessage": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "timeoutSec": {
-              "format": "uint64",
-              "minimum": 0.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "command"
-              ],
-              "title": "CommandConfiguredHookHandlerType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "async",
-            "command",
-            "type"
-          ],
-          "title": "CommandConfiguredHookHandler",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "prompt"
-              ],
-              "title": "PromptConfiguredHookHandlerType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "PromptConfiguredHookHandler",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "agent"
-              ],
-              "title": "AgentConfiguredHookHandlerType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "AgentConfiguredHookHandler",
-          "type": "object"
-        }
-      ]
-    },
-    "ConfiguredHookMatcherGroup": {
-      "properties": {
-        "hooks": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookHandler"
-          },
-          "type": "array"
-        },
-        "matcher": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "hooks"
-      ],
-      "type": "object"
-    },
-    "ManagedHooksRequirements": {
-      "properties": {
-        "PermissionRequest": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "PostToolUse": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "PreToolUse": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "SessionStart": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "Stop": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "UserPromptSubmit": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "managedDir": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "windowsManagedDir": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "PermissionRequest",
-        "PostToolUse",
-        "PreToolUse",
-        "SessionStart",
-        "Stop",
-        "UserPromptSubmit"
-      ],
-      "type": "object"
-    },
    "NetworkDomainPermission": {
      "enum": [
        "allow",
--- a/codex-rs/app-server-protocol/schema/json/v2/ErrorNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ErrorNotification.json
@@ -9,7 +9,6 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
-            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/GetAccountResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/GetAccountResponse.json
@@ -42,22 +42,6 @@
          ],
          "title": "ChatgptAccount",
          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "amazonBedrock"
-              ],
-              "title": "AmazonBedrockAccountType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "AmazonBedrockAccount",
-          "type": "object"
        }
      ]
    },
--- a/codex-rs/app-server-protocol/schema/json/v2/GuardianWarningNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/GuardianWarningNotification.json
@@ -1,19 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "message": {
-      "description": "Concise guardian warning message for the user.",
-      "type": "string"
-    },
-    "threadId": {
-      "description": "Thread target for the guardian warning.",
-      "type": "string"
-    }
-  },
-  "required": [
-    "message",
-    "threadId"
-  ],
-  "title": "GuardianWarningNotification",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewCompletedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewCompletedNotification.json
@@ -25,7 +25,6 @@
          ]
        },
        "read": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -35,7 +34,6 @@
          ]
        },
        "write": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
--- a/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewStartedNotification.json
@@ -25,7 +25,6 @@
          ]
        },
        "read": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
@@ -35,7 +34,6 @@
          ]
        },
        "write": {
-          "description": "This will be removed in favor of `entries`.",
          "items": {
            "$ref": "#/definitions/AbsolutePathBuf"
          },
--- a/codex-rs/app-server-protocol/schema/json/v2/MarketplaceUpgradeParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/MarketplaceUpgradeParams.json
@@ -1,13 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "marketplaceName": {
-      "type": [
-        "string",
-        "null"
-      ]
-    }
-  },
-  "title": "MarketplaceUpgradeParams",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/MarketplaceUpgradeResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/MarketplaceUpgradeResponse.json
@@ -1,51 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "AbsolutePathBuf": {
-      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
-      "type": "string"
-    },
-    "MarketplaceUpgradeErrorInfo": {
-      "properties": {
-        "marketplaceName": {
-          "type": "string"
-        },
-        "message": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "marketplaceName",
-        "message"
-      ],
-      "type": "object"
-    }
-  },
-  "properties": {
-    "errors": {
-      "items": {
-        "$ref": "#/definitions/MarketplaceUpgradeErrorInfo"
-      },
-      "type": "array"
-    },
-    "selectedMarketplaces": {
-      "items": {
-        "type": "string"
-      },
-      "type": "array"
-    },
-    "upgradedRoots": {
-      "items": {
-        "$ref": "#/definitions/AbsolutePathBuf"
-      },
-      "type": "array"
-    }
-  },
-  "required": [
-    "errors",
-    "selectedMarketplaces",
-    "upgradedRoots"
-  ],
-  "title": "MarketplaceUpgradeResponse",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/ModelVerificationNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ModelVerificationNotification.json
@@ -1,32 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "ModelVerification": {
-      "enum": [
-        "trustedAccessForCyber"
-      ],
-      "type": "string"
-    }
-  },
-  "properties": {
-    "threadId": {
-      "type": "string"
-    },
-    "turnId": {
-      "type": "string"
-    },
-    "verifications": {
-      "items": {
-        "$ref": "#/definitions/ModelVerification"
-      },
-      "type": "array"
-    }
-  },
-  "required": [
-    "threadId",
-    "turnId",
-    "verifications"
-  ],
-  "title": "ModelVerificationNotification",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginReadResponse.json
@@ -62,14 +62,7 @@
          "type": "string"
        },
        "marketplacePath": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            {
-              "type": "null"
-            }
-          ]
+          "$ref": "#/definitions/AbsolutePathBuf"
        },
        "mcpServers": {
          "items": {
@@ -90,6 +83,7 @@
      "required": [
        "apps",
        "marketplaceName",
+        "marketplacePath",
        "mcpServers",
        "skills",
        "summary"
@@ -429,14 +423,7 @@
          "type": "string"
        },
        "path": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            {
-              "type": "null"
-            }
-          ]
+          "$ref": "#/definitions/AbsolutePathBuf"
        },
        "shortDescription": {
          "type": [
@@ -448,7 +435,8 @@
      "required": [
        "description",
        "enabled",
-        "name"
+        "name",
+        "path"
      ],
      "type": "object"
    }
--- a/codex-rs/app-server-protocol/schema/json/v2/ReviewStartResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ReviewStartResponse.json
@@ -32,7 +32,6 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
-            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadApproveGuardianDeniedActionParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadApproveGuardianDeniedActionParams.json
@@ -1,17 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "event": {
-      "description": "Serialized `codex_protocol::protocol::GuardianAssessmentEvent`."
-    },
-    "threadId": {
-      "type": "string"
-    }
-  },
-  "required": [
-    "event",
-    "threadId"
-  ],
-  "title": "ThreadApproveGuardianDeniedActionParams",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadApproveGuardianDeniedActionResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadApproveGuardianDeniedActionResponse.json
@@ -1,5 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "title": "ThreadApproveGuardianDeniedActionResponse",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadForkParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadForkParams.json
@@ -1,15 +1,10 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "definitions": {
-    "AbsolutePathBuf": {
-      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
-      "type": "string"
-    },
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
      "enum": [
        "user",
-        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
@@ -64,346 +59,6 @@
        }
      ]
    },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfile": {
-      "oneOf": [
-        {
-          "description": "Codex owns sandbox construction for this profile.",
-          "properties": {
-            "fileSystem": {
-              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
-            },
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "managed"
-              ],
-              "title": "ManagedPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "fileSystem",
-            "network",
-            "type"
-          ],
-          "title": "ManagedPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Do not apply an outer sandbox.",
-          "properties": {
-            "type": {
-              "enum": [
-                "disabled"
-              ],
-              "title": "DisabledPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DisabledPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Filesystem isolation is enforced by an external caller.",
-          "properties": {
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "external"
-              ],
-              "title": "ExternalPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "network",
-            "type"
-          ],
-          "title": "ExternalPermissionProfile",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileFileSystemPermissions": {
-      "oneOf": [
-        {
-          "properties": {
-            "entries": {
-              "items": {
-                "$ref": "#/definitions/FileSystemSandboxEntry"
-              },
-              "type": "array"
-            },
-            "globScanMaxDepth": {
-              "format": "uint",
-              "minimum": 1.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "restricted"
-              ],
-              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "entries",
-            "type"
-          ],
-          "title": "RestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "unrestricted"
-              ],
-              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        }
-      },
-      "required": [
-        "enabled"
-      ],
-      "type": "object"
-    },
    "SandboxMode": {
      "enum": [
        "read-only",
@@ -471,10 +126,6 @@
    "ephemeral": {
      "type": "boolean"
    },
-    "excludeTurns": {
-      "description": "When true, return only thread metadata and live fork state without populating `thread.turns`. This is useful when the client plans to call `thread/turns/list` immediately after forking.",
-      "type": "boolean"
-    },
    "model": {
      "description": "Configuration overrides for the forked thread, if any.",
      "type": [
@@ -488,17 +139,6 @@
        "null"
      ]
    },
-    "permissionProfile": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/PermissionProfile"
-        },
-        {
-          "type": "null"
-        }
-      ],
-      "description": "Full permissions override for the forked thread. Cannot be combined with `sandbox`."
-    },
    "sandbox": {
      "anyOf": [
        {
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadForkResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadForkResponse.json
@@ -9,10 +9,9 @@
      "type": "string"
    },
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
      "enum": [
        "user",
-        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
@@ -94,7 +93,6 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
-            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -450,217 +448,6 @@
      ],
      "type": "string"
    },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
    "FileUpdateChange": {
      "properties": {
        "diff": {
@@ -899,135 +686,53 @@
        }
      ]
    },
-    "PermissionProfile": {
-      "oneOf": [
-        {
-          "description": "Codex owns sandbox construction for this profile.",
-          "properties": {
-            "fileSystem": {
-              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
-            },
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "managed"
-              ],
-              "title": "ManagedPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "fileSystem",
-            "network",
-            "type"
-          ],
-          "title": "ManagedPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Do not apply an outer sandbox.",
-          "properties": {
-            "type": {
-              "enum": [
-                "disabled"
-              ],
-              "title": "DisabledPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DisabledPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Filesystem isolation is enforced by an external caller.",
-          "properties": {
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "external"
-              ],
-              "title": "ExternalPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "network",
-            "type"
-          ],
-          "title": "ExternalPermissionProfile",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileFileSystemPermissions": {
+    "ReadOnlyAccess": {
      "oneOf": [
        {
          "properties": {
-            "entries": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
              "items": {
-                "$ref": "#/definitions/FileSystemSandboxEntry"
+                "$ref": "#/definitions/AbsolutePathBuf"
              },
              "type": "array"
            },
-            "globScanMaxDepth": {
-              "format": "uint",
-              "minimum": 1.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
            "type": {
              "enum": [
                "restricted"
              ],
-              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "title": "RestrictedReadOnlyAccessType",
              "type": "string"
            }
          },
          "required": [
-            "entries",
            "type"
          ],
-          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "title": "RestrictedReadOnlyAccess",
          "type": "object"
        },
        {
          "properties": {
            "type": {
              "enum": [
-                "unrestricted"
+                "fullAccess"
              ],
-              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "title": "FullAccessReadOnlyAccessType",
              "type": "string"
            }
          },
          "required": [
            "type"
          ],
-          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "title": "FullAccessReadOnlyAccess",
          "type": "object"
        }
      ]
    },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        }
-      },
-      "required": [
-        "enabled"
-      ],
-      "type": "object"
-    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -1060,6 +765,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "networkAccess": {
              "default": false,
              "type": "boolean"
@@ -1116,6 +831,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -2500,18 +2225,6 @@
    "modelProvider": {
      "type": "string"
    },
-    "permissionProfile": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/PermissionProfile"
-        },
-        {
-          "type": "null"
-        }
-      ],
-      "default": null,
-      "description": "Canonical active permissions view for this thread."
-    },
    "reasoningEffort": {
      "anyOf": [
        {
@@ -2523,12 +2236,7 @@
      ]
    },
    "sandbox": {
-      "allOf": [
-        {
-          "$ref": "#/definitions/SandboxPolicy"
-        }
-      ],
-      "description": "Legacy sandbox policy retained for compatibility. New clients should use `permissionProfile` when present as the canonical active permissions view."
+      "$ref": "#/definitions/SandboxPolicy"
    },
    "serviceTier": {
      "anyOf": [
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadGoalClearedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadGoalClearedNotification.json
@@ -1,13 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "threadId": {
-      "type": "string"
-    }
-  },
-  "required": [
-    "threadId"
-  ],
-  "title": "ThreadGoalClearedNotification",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadGoalUpdatedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadGoalUpdatedNotification.json
@@ -1,80 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "ThreadGoal": {
-      "properties": {
-        "createdAt": {
-          "format": "int64",
-          "type": "integer"
-        },
-        "objective": {
-          "type": "string"
-        },
-        "status": {
-          "$ref": "#/definitions/ThreadGoalStatus"
-        },
-        "threadId": {
-          "type": "string"
-        },
-        "timeUsedSeconds": {
-          "format": "int64",
-          "type": "integer"
-        },
-        "tokenBudget": {
-          "format": "int64",
-          "type": [
-            "integer",
-            "null"
-          ]
-        },
-        "tokensUsed": {
-          "format": "int64",
-          "type": "integer"
-        },
-        "updatedAt": {
-          "format": "int64",
-          "type": "integer"
-        }
-      },
-      "required": [
-        "createdAt",
-        "objective",
-        "status",
-        "threadId",
-        "timeUsedSeconds",
-        "tokensUsed",
-        "updatedAt"
-      ],
-      "type": "object"
-    },
-    "ThreadGoalStatus": {
-      "enum": [
-        "active",
-        "paused",
-        "budgetLimited",
-        "complete"
-      ],
-      "type": "string"
-    }
-  },
-  "properties": {
-    "goal": {
-      "$ref": "#/definitions/ThreadGoal"
-    },
-    "threadId": {
-      "type": "string"
-    },
-    "turnId": {
-      "type": [
-        "string",
-        "null"
-      ]
-    }
-  },
-  "required": [
-    "goal",
-    "threadId"
-  ],
-  "title": "ThreadGoalUpdatedNotification",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadListParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadListParams.json
@@ -8,19 +8,6 @@
      ],
      "type": "string"
    },
-    "ThreadListCwdFilter": {
-      "anyOf": [
-        {
-          "type": "string"
-        },
-        {
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        }
-      ]
-    },
    "ThreadSortKey": {
      "enum": [
        "created_at",
@@ -60,15 +47,11 @@
      ]
    },
    "cwd": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/ThreadListCwdFilter"
-        },
-        {
-          "type": "null"
-        }
-      ],
-      "description": "Optional cwd filter or filters; when set, only threads whose session cwd exactly matches one of these paths are returned."
+      "description": "Optional cwd filter; when set, only threads whose session cwd exactly matches this path are returned.",
+      "type": [
+        "string",
+        "null"
+      ]
    },
    "limit": {
      "description": "Optional page size; defaults to a reasonable server-side value.",
@@ -127,10 +110,6 @@
        "array",
        "null"
      ]
-    },
-    "useStateDbOnly": {
-      "description": "If true, return from the state DB without scanning JSONL rollouts to repair thread metadata. Omitted or false preserves scan-and-repair behavior.",
-      "type": "boolean"
    }
  },
  "title": "ThreadListParams",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadListResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadListResponse.json
@@ -35,7 +35,6 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
-            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadMetadataUpdateResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadMetadataUpdateResponse.json
@@ -35,7 +35,6 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
-            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadReadResponse.json
@@ -35,7 +35,6 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
-            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeParams.json
@@ -1,15 +1,10 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "definitions": {
-    "AbsolutePathBuf": {
-      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
-      "type": "string"
-    },
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
      "enum": [
        "user",
-        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
@@ -138,217 +133,6 @@
        }
      ]
    },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
    "FunctionCallOutputBody": {
      "anyOf": [
        {
@@ -541,135 +325,6 @@
        }
      ]
    },
-    "PermissionProfile": {
-      "oneOf": [
-        {
-          "description": "Codex owns sandbox construction for this profile.",
-          "properties": {
-            "fileSystem": {
-              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
-            },
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "managed"
-              ],
-              "title": "ManagedPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "fileSystem",
-            "network",
-            "type"
-          ],
-          "title": "ManagedPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Do not apply an outer sandbox.",
-          "properties": {
-            "type": {
-              "enum": [
-                "disabled"
-              ],
-              "title": "DisabledPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DisabledPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Filesystem isolation is enforced by an external caller.",
-          "properties": {
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "external"
-              ],
-              "title": "ExternalPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "network",
-            "type"
-          ],
-          "title": "ExternalPermissionProfile",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileFileSystemPermissions": {
-      "oneOf": [
-        {
-          "properties": {
-            "entries": {
-              "items": {
-                "$ref": "#/definitions/FileSystemSandboxEntry"
-              },
-              "type": "array"
-            },
-            "globScanMaxDepth": {
-              "format": "uint",
-              "minimum": 1.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "restricted"
-              ],
-              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "entries",
-            "type"
-          ],
-          "title": "RestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "unrestricted"
-              ],
-              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        }
-      },
-      "required": [
-        "enabled"
-      ],
-      "type": "object"
-    },
    "Personality": {
      "enum": [
        "none",
@@ -1384,10 +1039,6 @@
        "null"
      ]
    },
-    "excludeTurns": {
-      "description": "When true, return only thread metadata and live-resume state without populating `thread.turns`. This is useful when the client plans to call `thread/turns/list` immediately after resuming.",
-      "type": "boolean"
-    },
    "model": {
      "description": "Configuration overrides for the resumed thread, if any.",
      "type": [
@@ -1401,17 +1052,6 @@
        "null"
      ]
    },
-    "permissionProfile": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/PermissionProfile"
-        },
-        {
-          "type": "null"
-        }
-      ],
-      "description": "Full permissions override for the resumed thread. Cannot be combined with `sandbox`."
-    },
    "personality": {
      "anyOf": [
        {
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeResponse.json
@@ -9,10 +9,9 @@
      "type": "string"
    },
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
      "enum": [
        "user",
-        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
@@ -94,7 +93,6 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
-            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -450,217 +448,6 @@
      ],
      "type": "string"
    },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
    "FileUpdateChange": {
      "properties": {
        "diff": {
@@ -899,135 +686,53 @@
        }
      ]
    },
-    "PermissionProfile": {
-      "oneOf": [
-        {
-          "description": "Codex owns sandbox construction for this profile.",
-          "properties": {
-            "fileSystem": {
-              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
-            },
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "managed"
-              ],
-              "title": "ManagedPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "fileSystem",
-            "network",
-            "type"
-          ],
-          "title": "ManagedPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Do not apply an outer sandbox.",
-          "properties": {
-            "type": {
-              "enum": [
-                "disabled"
-              ],
-              "title": "DisabledPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DisabledPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Filesystem isolation is enforced by an external caller.",
-          "properties": {
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "external"
-              ],
-              "title": "ExternalPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "network",
-            "type"
-          ],
-          "title": "ExternalPermissionProfile",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileFileSystemPermissions": {
+    "ReadOnlyAccess": {
      "oneOf": [
        {
          "properties": {
-            "entries": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
              "items": {
-                "$ref": "#/definitions/FileSystemSandboxEntry"
+                "$ref": "#/definitions/AbsolutePathBuf"
              },
              "type": "array"
            },
-            "globScanMaxDepth": {
-              "format": "uint",
-              "minimum": 1.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
            "type": {
              "enum": [
                "restricted"
              ],
-              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "title": "RestrictedReadOnlyAccessType",
              "type": "string"
            }
          },
          "required": [
-            "entries",
            "type"
          ],
-          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "title": "RestrictedReadOnlyAccess",
          "type": "object"
        },
        {
          "properties": {
            "type": {
              "enum": [
-                "unrestricted"
+                "fullAccess"
              ],
-              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "title": "FullAccessReadOnlyAccessType",
              "type": "string"
            }
          },
          "required": [
            "type"
          ],
-          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "title": "FullAccessReadOnlyAccess",
          "type": "object"
        }
      ]
    },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        }
-      },
-      "required": [
-        "enabled"
-      ],
-      "type": "object"
-    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -1060,6 +765,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "networkAccess": {
              "default": false,
              "type": "boolean"
@@ -1116,6 +831,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -2500,18 +2225,6 @@
    "modelProvider": {
      "type": "string"
    },
-    "permissionProfile": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/PermissionProfile"
-        },
-        {
-          "type": "null"
-        }
-      ],
-      "default": null,
-      "description": "Canonical active permissions view for this thread."
-    },
    "reasoningEffort": {
      "anyOf": [
        {
@@ -2523,12 +2236,7 @@
      ]
    },
    "sandbox": {
-      "allOf": [
-        {
-          "$ref": "#/definitions/SandboxPolicy"
-        }
-      ],
-      "description": "Legacy sandbox policy retained for compatibility. New clients should use `permissionProfile` when present as the canonical active permissions view."
+      "$ref": "#/definitions/SandboxPolicy"
    },
    "serviceTier": {
      "anyOf": [
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadRollbackResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadRollbackResponse.json
@@ -35,7 +35,6 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
-            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadStartParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadStartParams.json
@@ -1,15 +1,10 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "definitions": {
-    "AbsolutePathBuf": {
-      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
-      "type": "string"
-    },
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
      "enum": [
        "user",
-        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
@@ -90,346 +85,6 @@
      ],
      "type": "object"
    },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfile": {
-      "oneOf": [
-        {
-          "description": "Codex owns sandbox construction for this profile.",
-          "properties": {
-            "fileSystem": {
-              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
-            },
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "managed"
-              ],
-              "title": "ManagedPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "fileSystem",
-            "network",
-            "type"
-          ],
-          "title": "ManagedPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Do not apply an outer sandbox.",
-          "properties": {
-            "type": {
-              "enum": [
-                "disabled"
-              ],
-              "title": "DisabledPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DisabledPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Filesystem isolation is enforced by an external caller.",
-          "properties": {
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "external"
-              ],
-              "title": "ExternalPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "network",
-            "type"
-          ],
-          "title": "ExternalPermissionProfile",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileFileSystemPermissions": {
-      "oneOf": [
-        {
-          "properties": {
-            "entries": {
-              "items": {
-                "$ref": "#/definitions/FileSystemSandboxEntry"
-              },
-              "type": "array"
-            },
-            "globScanMaxDepth": {
-              "format": "uint",
-              "minimum": 1.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "restricted"
-              ],
-              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "entries",
-            "type"
-          ],
-          "title": "RestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "unrestricted"
-              ],
-              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        }
-      },
-      "required": [
-        "enabled"
-      ],
-      "type": "object"
-    },
    "Personality": {
      "enum": [
        "none",
@@ -459,21 +114,6 @@
        "clear"
      ],
      "type": "string"
-    },
-    "TurnEnvironmentParams": {
-      "properties": {
-        "cwd": {
-          "$ref": "#/definitions/AbsolutePathBuf"
-        },
-        "environmentId": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "cwd",
-        "environmentId"
-      ],
-      "type": "object"
    }
  },
  "properties": {
@@ -541,17 +181,6 @@
        "null"
      ]
    },
-    "permissionProfile": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/PermissionProfile"
-        },
-        {
-          "type": "null"
-        }
-      ],
-      "description": "Full permissions override for this thread. Cannot be combined with `sandbox`."
-    },
    "personality": {
      "anyOf": [
        {
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadStartResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadStartResponse.json
@@ -9,10 +9,9 @@
      "type": "string"
    },
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
      "enum": [
        "user",
-        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
@@ -94,7 +93,6 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
-            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -450,217 +448,6 @@
      ],
      "type": "string"
    },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
    "FileUpdateChange": {
      "properties": {
        "diff": {
@@ -899,135 +686,53 @@
        }
      ]
    },
-    "PermissionProfile": {
-      "oneOf": [
-        {
-          "description": "Codex owns sandbox construction for this profile.",
-          "properties": {
-            "fileSystem": {
-              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
-            },
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "managed"
-              ],
-              "title": "ManagedPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "fileSystem",
-            "network",
-            "type"
-          ],
-          "title": "ManagedPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Do not apply an outer sandbox.",
-          "properties": {
-            "type": {
-              "enum": [
-                "disabled"
-              ],
-              "title": "DisabledPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DisabledPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Filesystem isolation is enforced by an external caller.",
-          "properties": {
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "external"
-              ],
-              "title": "ExternalPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "network",
-            "type"
-          ],
-          "title": "ExternalPermissionProfile",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileFileSystemPermissions": {
+    "ReadOnlyAccess": {
      "oneOf": [
        {
          "properties": {
-            "entries": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
              "items": {
-                "$ref": "#/definitions/FileSystemSandboxEntry"
+                "$ref": "#/definitions/AbsolutePathBuf"
              },
              "type": "array"
            },
-            "globScanMaxDepth": {
-              "format": "uint",
-              "minimum": 1.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
            "type": {
              "enum": [
                "restricted"
              ],
-              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "title": "RestrictedReadOnlyAccessType",
              "type": "string"
            }
          },
          "required": [
-            "entries",
            "type"
          ],
-          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "title": "RestrictedReadOnlyAccess",
          "type": "object"
        },
        {
          "properties": {
            "type": {
              "enum": [
-                "unrestricted"
+                "fullAccess"
              ],
-              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "title": "FullAccessReadOnlyAccessType",
              "type": "string"
            }
          },
          "required": [
            "type"
          ],
-          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "title": "FullAccessReadOnlyAccess",
          "type": "object"
        }
      ]
    },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        }
-      },
-      "required": [
-        "enabled"
-      ],
-      "type": "object"
-    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -1060,6 +765,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "networkAccess": {
              "default": false,
              "type": "boolean"
@@ -1116,6 +831,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -2500,18 +2225,6 @@
    "modelProvider": {
      "type": "string"
    },
-    "permissionProfile": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/PermissionProfile"
-        },
-        {
-          "type": "null"
-        }
-      ],
-      "default": null,
-      "description": "Canonical active permissions view for this thread."
-    },
    "reasoningEffort": {
      "anyOf": [
        {
@@ -2523,12 +2236,7 @@
      ]
    },
    "sandbox": {
-      "allOf": [
-        {
-          "$ref": "#/definitions/SandboxPolicy"
-        }
-      ],
-      "description": "Legacy sandbox policy retained for compatibility. New clients should use `permissionProfile` when present as the canonical active permissions view."
+      "$ref": "#/definitions/SandboxPolicy"
    },
    "serviceTier": {
      "anyOf": [
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadStartedNotification.json
@@ -35,7 +35,6 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
-            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadTurnsListResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadTurnsListResponse.json
@@ -32,7 +32,6 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
-            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadUnarchiveResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadUnarchiveResponse.json
@@ -35,7 +35,6 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
-            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnCompletedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnCompletedNotification.json
@@ -32,7 +32,6 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
-            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnStartParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnStartParams.json
@@ -6,10 +6,9 @@
      "type": "string"
    },
    "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
      "enum": [
        "user",
-        "auto_review",
        "guardian_subagent"
      ],
      "type": "string"
@@ -99,217 +98,6 @@
      ],
      "type": "object"
    },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
    "ModeKind": {
      "description": "Initial collaboration mode to use when the TUI starts.",
      "enum": [
@@ -325,135 +113,6 @@
      ],
      "type": "string"
    },
-    "PermissionProfile": {
-      "oneOf": [
-        {
-          "description": "Codex owns sandbox construction for this profile.",
-          "properties": {
-            "fileSystem": {
-              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
-            },
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "managed"
-              ],
-              "title": "ManagedPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "fileSystem",
-            "network",
-            "type"
-          ],
-          "title": "ManagedPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Do not apply an outer sandbox.",
-          "properties": {
-            "type": {
-              "enum": [
-                "disabled"
-              ],
-              "title": "DisabledPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DisabledPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Filesystem isolation is enforced by an external caller.",
-          "properties": {
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "external"
-              ],
-              "title": "ExternalPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "network",
-            "type"
-          ],
-          "title": "ExternalPermissionProfile",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileFileSystemPermissions": {
-      "oneOf": [
-        {
-          "properties": {
-            "entries": {
-              "items": {
-                "$ref": "#/definitions/FileSystemSandboxEntry"
-              },
-              "type": "array"
-            },
-            "globScanMaxDepth": {
-              "format": "uint",
-              "minimum": 1.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "restricted"
-              ],
-              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "entries",
-            "type"
-          ],
-          "title": "RestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "unrestricted"
-              ],
-              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        }
-      },
-      "required": [
-        "enabled"
-      ],
-      "type": "object"
-    },
    "Personality": {
      "enum": [
        "none",
@@ -462,6 +121,53 @@
      ],
      "type": "string"
    },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -514,6 +220,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "networkAccess": {
              "default": false,
              "type": "boolean"
@@ -570,6 +286,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -651,21 +377,6 @@
      ],
      "type": "object"
    },
-    "TurnEnvironmentParams": {
-      "properties": {
-        "cwd": {
-          "$ref": "#/definitions/AbsolutePathBuf"
-        },
-        "environmentId": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "cwd",
-        "environmentId"
-      ],
-      "type": "object"
-    },
    "UserInput": {
      "oneOf": [
        {
@@ -844,17 +555,6 @@
    "outputSchema": {
      "description": "Optional JSON Schema used to constrain the final assistant message for this turn."
    },
-    "permissionProfile": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/PermissionProfile"
-        },
-        {
-          "type": "null"
-        }
-      ],
-      "description": "Override the full permissions profile for this turn and subsequent turns. Cannot be combined with `sandboxPolicy`."
-    },
    "personality": {
      "anyOf": [
        {
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnStartResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnStartResponse.json
@@ -32,7 +32,6 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
-            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnStartedNotification.json
@@ -32,7 +32,6 @@
            "contextWindowExceeded",
            "usageLimitExceeded",
            "serverOverloaded",
-            "cyberPolicy",
            "internalServerError",
            "unauthorized",
            "badRequest",
--- a/codex-rs/app-server-protocol/schema/typescript/AuthMode.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/AuthMode.ts
@@ -5,4 +5,4 @@
 /**
 * Authentication mode for OpenAI-backed providers.
 */
-export type AuthMode = "apikey" | "chatgpt" | "chatgptAuthTokens" | "agentIdentity";
+export type AuthMode = "apikey" | "chatgpt" | "chatgptAuthTokens";
--- a/codex-rs/app-server-protocol/schema/typescript/ClientRequest.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ClientRequest.ts
--- a/codex-rs/app-server-protocol/schema/typescript/ServerNotification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ServerNotification.ts
--- a/codex-rs/app-server-protocol/schema/typescript/v2/Account.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/Account.ts
@@ -3,4 +3,4 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { PlanType } from "../PlanType";

-export type Account = { "type": "apiKey", } | { "type": "chatgpt", email: string, planType: PlanType, } | { "type": "amazonBedrock", };
+export type Account = { "type": "apiKey", } | { "type": "chatgpt", email: string, planType: PlanType, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/AdditionalFileSystemPermissions.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/AdditionalFileSystemPermissions.ts
@@ -4,12 +4,4 @@
 import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 import type { FileSystemSandboxEntry } from "./FileSystemSandboxEntry";

-export type AdditionalFileSystemPermissions = {
-/**
- * This will be removed in favor of `entries`.
- */
-read: Array<AbsolutePathBuf> | null,
-/**
- * This will be removed in favor of `entries`.
- */
-write: Array<AbsolutePathBuf> | null, globScanMaxDepth?: number, entries?: Array<FileSystemSandboxEntry>, };
+export type AdditionalFileSystemPermissions = { read: Array<AbsolutePathBuf> | null, write: Array<AbsolutePathBuf> | null, globScanMaxDepth?: number, entries?: Array<FileSystemSandboxEntry>, };
--- a/Show More
+++ b/Show More