Merge remote-tracking branch 'origin/main' into easong/mcp-CLI-interface

We are treating assistant messages in a different way than other
messages which resulted in a duplicated history.

See #2698

.github/actions/codex/.gitignore

@@ -1 +0,0 @@
-/node_modules/

.github/actions/codex/.prettierrc.toml

@@ -1,8 +0,0 @@
-printWidth = 80
-quoteProps = "consistent"
-semi = true
-tabWidth = 2
-trailingComma = "all"
-
-# Preserve existing behavior for markdown/text wrapping.
-proseWrap = "preserve"

.github/actions/codex/README.md

@@ -1,140 +0,0 @@
-# openai/codex-action
-
-`openai/codex-action` is a GitHub Action that facilitates the use of [Codex](https://github.com/openai/codex) on GitHub issues and pull requests. Using the action, associate **labels** to run Codex with the appropriate prompt for the given context. Codex will respond by posting comments or creating PRs, whichever you specify!
-
-Here is a sample workflow that uses `openai/codex-action`:
-
-```yaml
-name: Codex
-
-on:
-  issues:
-    types: [opened, labeled]
-  pull_request:
-    branches: [main]
-    types: [labeled]
-
-jobs:
-  codex:
-    if: ... # optional, but can be effective in conserving CI resources
-    runs-on: ubuntu-latest
-    # TODO(mbolin): Need to verify if/when `write` is necessary.
-    permissions:
-      contents: write
-      issues: write
-      pull-requests: write
-    steps:
-      # By default, Codex runs network disabled using --full-auto, so perform
-      # any setup that requires network (such as installing dependencies)
-      # before openai/codex-action.
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Run Codex
-        uses: openai/codex-action@latest
-        with:
-          openai_api_key: ${{ secrets.CODEX_OPENAI_API_KEY }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-```
-
-See sample usage in [`codex.yml`](../../workflows/codex.yml).
-
-## Triggering the Action
-
-Using the sample workflow above, we have:
-
-```yaml
-on:
-  issues:
-    types: [opened, labeled]
-  pull_request:
-    branches: [main]
-    types: [labeled]
-```
-
-which means our workflow will be triggered when any of the following events occur:
-
-- a label is added to an issue
-- a label is added to a pull request against the `main` branch
-
-### Label-Based Triggers
-
-To define a GitHub label that should trigger Codex, create a file named `.github/codex/labels/LABEL-NAME.md` in your repository where `LABEL-NAME` is the name of the label. The content of the file is the prompt template to use when the label is added (see more on [Prompt Template Variables](#prompt-template-variables) below).
-
-For example, if the file `.github/codex/labels/codex-review.md` exists, then:
-
-- Adding the `codex-review` label will trigger the workflow containing the `openai/codex-action` GitHub Action.
-- When `openai/codex-action` starts, it will replace the `codex-review` label with `codex-review-in-progress`.
-- When `openai/codex-action` is finished, it will replace the `codex-review-in-progress` label with `codex-review-completed`.
-
-If Codex sees that either `codex-review-in-progress` or `codex-review-completed` is already present, it will not perform the action.
-
-As determined by the [default config](./src/default-label-config.ts), Codex will act on the following labels by default:
-
-- Adding the `codex-review` label to a pull request will have Codex review the PR and add it to the PR as a comment.
-- Adding the `codex-triage` label to an issue will have Codex investigate the issue and report its findings as a comment.
-- Adding the `codex-issue-fix` label to an issue will have Codex attempt to fix the issue and create a PR wit the fix, if any.
-
-## Action Inputs
-
-The `openai/codex-action` GitHub Action takes the following inputs
-
-### `openai_api_key` (required)
-
-Set your `OPENAI_API_KEY` as a [repository secret](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions). See **Secrets and varaibles** then **Actions** in the settings for your GitHub repo.
-
-Note that the secret name does not have to be `OPENAI_API_KEY`. For example, you might want to name it `CODEX_OPENAI_API_KEY` and then configure it on `openai/codex-action` as follows:
-
-```yaml
-openai_api_key: ${{ secrets.CODEX_OPENAI_API_KEY }}
-```
-
-### `github_token` (required)
-
-This is required so that Codex can post a comment or create a PR. Set this value on the action as follows:
-
-```yaml
-github_token: ${{ secrets.GITHUB_TOKEN }}
-```
-
-### `codex_args`
-
-A whitespace-delimited list of arguments to pass to Codex. Defaults to `--full-auto`, but if you want to override the default model to use `o3`:
-
-```yaml
-codex_args: "--full-auto --model o3"
-```
-
-For more complex configurations, use the `codex_home` input.
-
-### `codex_home`
-
-If set, the value to use for the `$CODEX_HOME` environment variable when running Codex. As explained [in the docs](https://github.com/openai/codex/tree/main/codex-rs#readme), this folder can contain the `config.toml` to configure Codex, custom instructions, and log files.
-
-This should be a relative path within your repo.
-
-## Prompt Template Variables
-
-As shown above, `"prompt"` and `"promptPath"` are used to define prompt templates that will be populated and passed to Codex in response to certain events. All template variables are of the form `{CODEX_ACTION_...}` and the supported values are defined below.
-
-### `CODEX_ACTION_ISSUE_TITLE`
-
-If the action was triggered on a GitHub issue, this is the issue title.
-
-Specifically it is read as the `.issue.title` from the `$GITHUB_EVENT_PATH`.
-
-### `CODEX_ACTION_ISSUE_BODY`
-
-If the action was triggered on a GitHub issue, this is the issue body.
-
-Specifically it is read as the `.issue.body` from the `$GITHUB_EVENT_PATH`.
-
-### `CODEX_ACTION_GITHUB_EVENT_PATH`
-
-The value of the `$GITHUB_EVENT_PATH` environment variable, which is the path to the file that contains the JSON payload for the event that triggered the workflow. Codex can use `jq` to read only the fields of interest from this file.
-
-### `CODEX_ACTION_PR_DIFF`
-
-If the action was triggered on a pull request, this is the diff between the base and head commits of the PR. It is the output from `git diff`.
-
-Note that the content of the diff could be quite large, so is generally safer to point Codex at `CODEX_ACTION_GITHUB_EVENT_PATH` and let it decide how it wants to explore the change.

.github/actions/codex/action.yml

@@ -1,125 +0,0 @@
-name: "Codex [reusable action]"
-description: "A reusable action that runs a Codex model."
-
-inputs:
-  openai_api_key:
-    description: "The value to use as the OPENAI_API_KEY environment variable when running Codex."
-    required: true
-  trigger_phrase:
-    description: "Text to trigger Codex from a PR/issue body or comment."
-    required: false
-    default: ""
-  github_token:
-    description: "Token so Codex can comment on the PR or issue."
-    required: true
-  codex_args:
-    description: "A whitespace-delimited list of arguments to pass to Codex. Due to limitations in YAML, arguments with spaces are not supported. For more complex configurations, use the `codex_home` input."
-    required: false
-    default: "--config hide_agent_reasoning=true --full-auto"
-  codex_home:
-    description: "Value to use as the CODEX_HOME environment variable when running Codex."
-    required: false
-  codex_release_tag:
-    description: "The release tag of the Codex model to run, e.g., 'rust-v0.3.0'. Defaults to the latest release."
-    required: false
-    default: ""
-
-runs:
-  using: "composite"
-  steps:
-    # Do this in Bash so we do not even bother to install Bun if the sender does
-    # not have write access to the repo.
-    - name: Verify user has write access to the repo.
-      env:
-        GH_TOKEN: ${{ github.token }}
-      shell: bash
-      run: |
-        set -euo pipefail
-
-        PERMISSION=$(gh api \
-          "/repos/${GITHUB_REPOSITORY}/collaborators/${{ github.event.sender.login }}/permission" \
-          | jq -r '.permission')
-
-        if [[ "$PERMISSION" != "admin" && "$PERMISSION" != "write" ]]; then
-          exit 1
-        fi
-
-    - name: Download Codex
-      env:
-        GH_TOKEN: ${{ github.token }}
-      shell: bash
-      run: |
-        set -euo pipefail
-
-        # Determine OS/arch and corresponding Codex artifact name.
-        uname_s=$(uname -s)
-        uname_m=$(uname -m)
-
-        case "$uname_s" in
-          Linux*)   os="linux" ;;
-          Darwin*)  os="apple-darwin" ;;
-          *) echo "Unsupported operating system: $uname_s"; exit 1 ;;
-        esac
-
-        case "$uname_m" in
-          x86_64*) arch="x86_64" ;;
-          arm64*|aarch64*) arch="aarch64" ;;
-          *) echo "Unsupported architecture: $uname_m"; exit 1 ;;
-        esac
-
-        # linux builds differentiate between musl and gnu.
-        if [[ "$os" == "linux" ]]; then
-          if [[ "$arch" == "x86_64" ]]; then
-            triple="${arch}-unknown-linux-musl"
-          else
-            # Only other supported linux build is aarch64 gnu.
-            triple="${arch}-unknown-linux-gnu"
-          fi
-        else
-          # macOS
-          triple="${arch}-apple-darwin"
-        fi
-
-        # Note that if we start baking version numbers into the artifact name,
-        # we will need to update this action.yml file to match.
-        artifact="codex-${triple}.tar.gz"
-
-        TAG_ARG="${{ inputs.codex_release_tag }}"
-        # The usage is `gh release download [<tag>] [flags]`, so if TAG_ARG
-        # is empty, we do not pass it so we can default to the latest release.
-        gh release download ${TAG_ARG:+$TAG_ARG} --repo openai/codex \
-          --pattern "$artifact" --output - \
-        | tar xzO > /usr/local/bin/codex
-        chmod +x /usr/local/bin/codex
-
-        # Display Codex version to confirm binary integrity.
-        codex --version
-
-    - name: Install Bun
-      uses: oven-sh/setup-bun@v2
-      with:
-        bun-version: 1.2.11
-
-    - name: Install dependencies
-      shell: bash
-      run: |
-        cd ${{ github.action_path }}
-        bun install --production
-
-    - name: Run Codex
-      shell: bash
-      run: bun run ${{ github.action_path }}/src/main.ts
-      # Process args plus environment variables often have a max of 128 KiB,
-      # so we should fit within that limit?
-      env:
-        INPUT_CODEX_ARGS: ${{ inputs.codex_args || '' }}
-        INPUT_CODEX_HOME: ${{ inputs.codex_home || ''}}
-        INPUT_TRIGGER_PHRASE: ${{ inputs.trigger_phrase || '' }}
-        OPENAI_API_KEY: ${{ inputs.openai_api_key }}
-        GITHUB_TOKEN: ${{ inputs.github_token }}
-        GITHUB_EVENT_ACTION: ${{ github.event.action || '' }}
-        GITHUB_EVENT_LABEL_NAME: ${{ github.event.label.name || '' }}
-        GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number || '' }}
-        GITHUB_EVENT_ISSUE_BODY: ${{ github.event.issue.body || '' }}
-        GITHUB_EVENT_REVIEW_BODY: ${{ github.event.review.body || '' }}
-        GITHUB_EVENT_COMMENT_BODY: ${{ github.event.comment.body || '' }}

.github/actions/codex/bun.lock

@@ -1,91 +0,0 @@
-{
-  "lockfileVersion": 1,
-  "workspaces": {
-    "": {
-      "name": "codex-action",
-      "dependencies": {
-        "@actions/core": "^1.11.1",
-        "@actions/github": "^6.0.1",
-      },
-      "devDependencies": {
-        "@types/bun": "^1.2.20",
-        "@types/node": "^24.3.0",
-        "prettier": "^3.6.2",
-        "typescript": "^5.9.2",
-      },
-    },
-  },
-  "packages": {
-    "@actions/core": ["@actions/core@1.11.1", "", { "dependencies": { "@actions/exec": "^1.1.1", "@actions/http-client": "^2.0.1" } }, "sha512-hXJCSrkwfA46Vd9Z3q4cpEpHB1rL5NG04+/rbqW9d3+CSvtB1tYe8UTpAlixa1vj0m/ULglfEK2UKxMGxCxv5A=="],
-
-    "@actions/exec": ["@actions/exec@1.1.1", "", { "dependencies": { "@actions/io": "^1.0.1" } }, "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w=="],
-
-    "@actions/github": ["@actions/github@6.0.1", "", { "dependencies": { "@actions/http-client": "^2.2.0", "@octokit/core": "^5.0.1", "@octokit/plugin-paginate-rest": "^9.2.2", "@octokit/plugin-rest-endpoint-methods": "^10.4.0", "@octokit/request": "^8.4.1", "@octokit/request-error": "^5.1.1", "undici": "^5.28.5" } }, "sha512-xbZVcaqD4XnQAe35qSQqskb3SqIAfRyLBrHMd/8TuL7hJSz2QtbDwnNM8zWx4zO5l2fnGtseNE3MbEvD7BxVMw=="],
-
-    "@actions/http-client": ["@actions/http-client@2.2.3", "", { "dependencies": { "tunnel": "^0.0.6", "undici": "^5.25.4" } }, "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA=="],
-
-    "@actions/io": ["@actions/io@1.1.3", "", {}, "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q=="],
-
-    "@fastify/busboy": ["@fastify/busboy@2.1.1", "", {}, "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA=="],
-
-    "@octokit/auth-token": ["@octokit/auth-token@4.0.0", "", {}, "sha512-tY/msAuJo6ARbK6SPIxZrPBms3xPbfwBrulZe0Wtr/DIY9lje2HeV1uoebShn6mx7SjCHif6EjMvoREj+gZ+SA=="],
-
-    "@octokit/core": ["@octokit/core@5.2.1", "", { "dependencies": { "@octokit/auth-token": "^4.0.0", "@octokit/graphql": "^7.1.0", "@octokit/request": "^8.4.1", "@octokit/request-error": "^5.1.1", "@octokit/types": "^13.0.0", "before-after-hook": "^2.2.0", "universal-user-agent": "^6.0.0" } }, "sha512-dKYCMuPO1bmrpuogcjQ8z7ICCH3FP6WmxpwC03yjzGfZhj9fTJg6+bS1+UAplekbN2C+M61UNllGOOoAfGCrdQ=="],
-
-    "@octokit/endpoint": ["@octokit/endpoint@9.0.6", "", { "dependencies": { "@octokit/types": "^13.1.0", "universal-user-agent": "^6.0.0" } }, "sha512-H1fNTMA57HbkFESSt3Y9+FBICv+0jFceJFPWDePYlR/iMGrwM5ph+Dd4XRQs+8X+PUFURLQgX9ChPfhJ/1uNQw=="],
-
-    "@octokit/graphql": ["@octokit/graphql@7.1.1", "", { "dependencies": { "@octokit/request": "^8.4.1", "@octokit/types": "^13.0.0", "universal-user-agent": "^6.0.0" } }, "sha512-3mkDltSfcDUoa176nlGoA32RGjeWjl3K7F/BwHwRMJUW/IteSa4bnSV8p2ThNkcIcZU2umkZWxwETSSCJf2Q7g=="],
-
-    "@octokit/openapi-types": ["@octokit/openapi-types@24.2.0", "", {}, "sha512-9sIH3nSUttelJSXUrmGzl7QUBFul0/mB8HRYl3fOlgHbIWG+WnYDXU3v/2zMtAvuzZ/ed00Ei6on975FhBfzrg=="],
-
-    "@octokit/plugin-paginate-rest": ["@octokit/plugin-paginate-rest@9.2.2", "", { "dependencies": { "@octokit/types": "^12.6.0" }, "peerDependencies": { "@octokit/core": "5" } }, "sha512-u3KYkGF7GcZnSD/3UP0S7K5XUFT2FkOQdcfXZGZQPGv3lm4F2Xbf71lvjldr8c1H3nNbF+33cLEkWYbokGWqiQ=="],
-
-    "@octokit/plugin-rest-endpoint-methods": ["@octokit/plugin-rest-endpoint-methods@10.4.1", "", { "dependencies": { "@octokit/types": "^12.6.0" }, "peerDependencies": { "@octokit/core": "5" } }, "sha512-xV1b+ceKV9KytQe3zCVqjg+8GTGfDYwaT1ATU5isiUyVtlVAO3HNdzpS4sr4GBx4hxQ46s7ITtZrAsxG22+rVg=="],
-
-    "@octokit/request": ["@octokit/request@8.4.1", "", { "dependencies": { "@octokit/endpoint": "^9.0.6", "@octokit/request-error": "^5.1.1", "@octokit/types": "^13.1.0", "universal-user-agent": "^6.0.0" } }, "sha512-qnB2+SY3hkCmBxZsR/MPCybNmbJe4KAlfWErXq+rBKkQJlbjdJeS85VI9r8UqeLYLvnAenU8Q1okM/0MBsAGXw=="],
-
-    "@octokit/request-error": ["@octokit/request-error@5.1.1", "", { "dependencies": { "@octokit/types": "^13.1.0", "deprecation": "^2.0.0", "once": "^1.4.0" } }, "sha512-v9iyEQJH6ZntoENr9/yXxjuezh4My67CBSu9r6Ve/05Iu5gNgnisNWOsoJHTP6k0Rr0+HQIpnH+kyammu90q/g=="],
-
-    "@octokit/types": ["@octokit/types@13.10.0", "", { "dependencies": { "@octokit/openapi-types": "^24.2.0" } }, "sha512-ifLaO34EbbPj0Xgro4G5lP5asESjwHracYJvVaPIyXMuiuXLlhic3S47cBdTb+jfODkTE5YtGCLt3Ay3+J97sA=="],
-
-    "@types/bun": ["@types/bun@1.2.20", "", { "dependencies": { "bun-types": "1.2.20" } }, "sha512-dX3RGzQ8+KgmMw7CsW4xT5ITBSCrSbfHc36SNT31EOUg/LA9JWq0VDdEXDRSe1InVWpd2yLUM1FUF/kEOyTzYA=="],
-
-    "@types/node": ["@types/node@24.3.0", "", { "dependencies": { "undici-types": "~7.10.0" } }, "sha512-aPTXCrfwnDLj4VvXrm+UUCQjNEvJgNA8s5F1cvwQU+3KNltTOkBm1j30uNLyqqPNe7gE3KFzImYoZEfLhp4Yow=="],
-
-    "@types/react": ["@types/react@19.1.8", "", { "dependencies": { "csstype": "^3.0.2" } }, "sha512-AwAfQ2Wa5bCx9WP8nZL2uMZWod7J7/JSplxbTmBQ5ms6QpqNYm672H0Vu9ZVKVngQ+ii4R/byguVEUZQyeg44g=="],
-
-    "before-after-hook": ["before-after-hook@2.2.3", "", {}, "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ=="],
-
-    "bun-types": ["bun-types@1.2.20", "", { "dependencies": { "@types/node": "*" }, "peerDependencies": { "@types/react": "^19" } }, "sha512-pxTnQYOrKvdOwyiyd/7sMt9yFOenN004Y6O4lCcCUoKVej48FS5cvTw9geRaEcB9TsDZaJKAxPTVvi8tFsVuXA=="],
-
-    "csstype": ["csstype@3.1.3", "", {}, "sha512-M1uQkMl8rQK/szD0LNhtqxIPLpimGm8sOBwU7lLnCpSbTyY3yeU1Vc7l4KT5zT4s/yOxHH5O7tIuuLOCnLADRw=="],
-
-    "deprecation": ["deprecation@2.3.1", "", {}, "sha512-xmHIy4F3scKVwMsQ4WnVaS8bHOx0DmVwRywosKhaILI0ywMDWPtBSku2HNxRvF7jtwDRsoEwYQSfbxj8b7RlJQ=="],
-
-    "once": ["once@1.4.0", "", { "dependencies": { "wrappy": "1" } }, "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w=="],
-
-    "prettier": ["prettier@3.6.2", "", { "bin": { "prettier": "bin/prettier.cjs" } }, "sha512-I7AIg5boAr5R0FFtJ6rCfD+LFsWHp81dolrFD8S79U9tb8Az2nGrJncnMSnys+bpQJfRUzqs9hnA81OAA3hCuQ=="],
-
-    "tunnel": ["tunnel@0.0.6", "", {}, "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg=="],
-
-    "typescript": ["typescript@5.9.2", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-CWBzXQrc/qOkhidw1OzBTQuYRbfyxDXJMVJ1XNwUHGROVmuaeiEm3OslpZ1RV96d7SKKjZKrSJu3+t/xlw3R9A=="],
-
-    "undici": ["undici@5.29.0", "", { "dependencies": { "@fastify/busboy": "^2.0.0" } }, "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg=="],
-
-    "undici-types": ["undici-types@7.10.0", "", {}, "sha512-t5Fy/nfn+14LuOc2KNYg75vZqClpAiqscVvMygNnlsHBFpSXdJaYtXMcdNLpl/Qvc3P2cB3s6lOV51nqsFq4ag=="],
-
-    "universal-user-agent": ["universal-user-agent@6.0.1", "", {}, "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ=="],
-
-    "wrappy": ["wrappy@1.0.2", "", {}, "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="],
-
-    "@octokit/plugin-paginate-rest/@octokit/types": ["@octokit/types@12.6.0", "", { "dependencies": { "@octokit/openapi-types": "^20.0.0" } }, "sha512-1rhSOfRa6H9w4YwK0yrf5faDaDTb+yLyBUKOCV4xtCDB5VmIPqd/v9yr9o6SAzOAlRxMiRiCic6JVM1/kunVkw=="],
-
-    "@octokit/plugin-rest-endpoint-methods/@octokit/types": ["@octokit/types@12.6.0", "", { "dependencies": { "@octokit/openapi-types": "^20.0.0" } }, "sha512-1rhSOfRa6H9w4YwK0yrf5faDaDTb+yLyBUKOCV4xtCDB5VmIPqd/v9yr9o6SAzOAlRxMiRiCic6JVM1/kunVkw=="],
-
-    "bun-types/@types/node": ["@types/node@24.2.1", "", { "dependencies": { "undici-types": "~7.10.0" } }, "sha512-DRh5K+ka5eJic8CjH7td8QpYEV6Zo10gfRkjHCO3weqZHWDtAaSTFtl4+VMqOJ4N5jcuhZ9/l+yy8rVgw7BQeQ=="],
-
-    "@octokit/plugin-paginate-rest/@octokit/types/@octokit/openapi-types": ["@octokit/openapi-types@20.0.0", "", {}, "sha512-EtqRBEjp1dL/15V7WiX5LJMIxxkdiGJnabzYx5Apx4FkQIFgAfKumXeYAqqJCj1s+BMX4cPFIFC4OLCR6stlnA=="],
-
-    "@octokit/plugin-rest-endpoint-methods/@octokit/types/@octokit/openapi-types": ["@octokit/openapi-types@20.0.0", "", {}, "sha512-EtqRBEjp1dL/15V7WiX5LJMIxxkdiGJnabzYx5Apx4FkQIFgAfKumXeYAqqJCj1s+BMX4cPFIFC4OLCR6stlnA=="],
-  }
-}

.github/actions/codex/package.json

@@ -1,21 +0,0 @@
-{
-    "name": "codex-action",
-    "version": "0.0.0",
-    "private": true,
-    "scripts": {
-        "format": "prettier --check src",
-        "format:fix": "prettier --write src",
-        "test": "bun test",
-        "typecheck": "tsc"
-    },
-    "dependencies": {
-        "@actions/core": "^1.11.1",
-        "@actions/github": "^6.0.1"
-    },
-    "devDependencies": {
-        "@types/bun": "^1.2.20",
-        "@types/node": "^24.3.0",
-        "prettier": "^3.6.2",
-        "typescript": "^5.9.2"
-    }
-}

.github/actions/codex/src/add-reaction.ts

@@ -1,85 +0,0 @@
-import * as github from "@actions/github";
-import type { EnvContext } from "./env-context";
-
-/**
- * Add an "eyes" reaction to the entity (issue, issue comment, or pull request
- * review comment) that triggered the current Codex invocation.
- *
- * The purpose is to provide immediate feedback to the user – similar to the
- * *-in-progress label flow – indicating that the bot has acknowledged the
- * request and is working on it.
- *
- * We attempt to add the reaction best suited for the current GitHub event:
- *
- *   • issues              → POST /repos/{owner}/{repo}/issues/{issue_number}/reactions
- *   • issue_comment       → POST /repos/{owner}/{repo}/issues/comments/{comment_id}/reactions
- *   • pull_request_review_comment → POST /repos/{owner}/{repo}/pulls/comments/{comment_id}/reactions
- *
- * If the specific target is unavailable (e.g. unexpected payload shape) we
- * silently skip instead of failing the whole action because the reaction is
- * merely cosmetic.
- */
-export async function addEyesReaction(ctx: EnvContext): Promise<void> {
-  const octokit = ctx.getOctokit();
-  const { owner, repo } = github.context.repo;
-  const eventName = github.context.eventName;
-
-  try {
-    switch (eventName) {
-      case "issue_comment": {
-        const commentId = (github.context.payload as any)?.comment?.id;
-        if (commentId) {
-          await octokit.rest.reactions.createForIssueComment({
-            owner,
-            repo,
-            comment_id: commentId,
-            content: "eyes",
-          });
-          return;
-        }
-        break;
-      }
-      case "pull_request_review_comment": {
-        const commentId = (github.context.payload as any)?.comment?.id;
-        if (commentId) {
-          await octokit.rest.reactions.createForPullRequestReviewComment({
-            owner,
-            repo,
-            comment_id: commentId,
-            content: "eyes",
-          });
-          return;
-        }
-        break;
-      }
-      case "issues": {
-        const issueNumber = github.context.issue.number;
-        if (issueNumber) {
-          await octokit.rest.reactions.createForIssue({
-            owner,
-            repo,
-            issue_number: issueNumber,
-            content: "eyes",
-          });
-          return;
-        }
-        break;
-      }
-      default: {
-        // Fallback: try to react to the issue/PR if we have a number.
-        const issueNumber = github.context.issue.number;
-        if (issueNumber) {
-          await octokit.rest.reactions.createForIssue({
-            owner,
-            repo,
-            issue_number: issueNumber,
-            content: "eyes",
-          });
-        }
-      }
-    }
-  } catch (error) {
-    // Do not fail the action if reaction creation fails – log and continue.
-    console.warn(`Failed to add \"eyes\" reaction: ${error}`);
-  }
-}

.github/actions/codex/src/comment.ts

@@ -1,53 +0,0 @@
-import type { EnvContext } from "./env-context";
-import { runCodex } from "./run-codex";
-import { postComment } from "./post-comment";
-import { addEyesReaction } from "./add-reaction";
-
-/**
- * Handle `issue_comment` and `pull_request_review_comment` events once we know
- * the action is supported.
- */
-export async function onComment(ctx: EnvContext): Promise<void> {
-  const triggerPhrase = ctx.tryGet("INPUT_TRIGGER_PHRASE");
-  if (!triggerPhrase) {
-    console.warn("Empty trigger phrase: skipping.");
-    return;
-  }
-
-  // Attempt to get the body of the comment from the environment. Depending on
-  // the event type either `GITHUB_EVENT_COMMENT_BODY` (issue & PR comments) or
-  // `GITHUB_EVENT_REVIEW_BODY` (PR reviews) is set.
-  const commentBody =
-    ctx.tryGetNonEmpty("GITHUB_EVENT_COMMENT_BODY") ??
-    ctx.tryGetNonEmpty("GITHUB_EVENT_REVIEW_BODY") ??
-    ctx.tryGetNonEmpty("GITHUB_EVENT_ISSUE_BODY");
-
-  if (!commentBody) {
-    console.warn("Comment body not found in environment: skipping.");
-    return;
-  }
-
-  // Check if the trigger phrase is present.
-  if (!commentBody.includes(triggerPhrase)) {
-    console.log(
-      `Trigger phrase '${triggerPhrase}' not found: nothing to do for this comment.`,
-    );
-    return;
-  }
-
-  // Derive the prompt by removing the trigger phrase. Remove only the first
-  // occurrence to keep any additional occurrences that might be meaningful.
-  const prompt = commentBody.replace(triggerPhrase, "").trim();
-
-  if (prompt.length === 0) {
-    console.warn("Prompt is empty after removing trigger phrase: skipping");
-    return;
-  }
-
-  // Provide immediate feedback that we are working on the request.
-  await addEyesReaction(ctx);
-
-  // Run Codex and post the response as a new comment.
-  const lastMessage = await runCodex(prompt, ctx);
-  await postComment(lastMessage, ctx);
-}

.github/actions/codex/src/config.ts

@@ -1,11 +0,0 @@
-import { readdirSync, statSync } from "fs";
-import * as path from "path";
-
-export interface Config {
-  labels: Record<string, LabelConfig>;
-}
-
-export interface LabelConfig {
-  /** Returns the prompt template. */
-  getPromptTemplate(): string;
-}

.github/actions/codex/src/default-label-config.ts

@@ -1,44 +0,0 @@
-import type { Config } from "./config";
-
-export function getDefaultConfig(): Config {
-  return {
-    labels: {
-      "codex-investigate-issue": {
-        getPromptTemplate: () =>
-          `
-Troubleshoot whether the reported issue is valid.
-
-Provide a concise and respectful comment summarizing the findings.
-
-### {CODEX_ACTION_ISSUE_TITLE}
-
-{CODEX_ACTION_ISSUE_BODY}
-`.trim(),
-      },
-      "codex-code-review": {
-        getPromptTemplate: () =>
-          `
-Review this PR and respond with a very concise final message, formatted in Markdown.
-
-There should be a summary of the changes (1-2 sentences) and a few bullet points if necessary.
-
-Then provide the **review** (1-2 sentences plus bullet points, friendly tone).
-
-{CODEX_ACTION_GITHUB_EVENT_PATH} contains the JSON that triggered this GitHub workflow. It contains the \`base\` and \`head\` refs that define this PR. Both refs are available locally.
-`.trim(),
-      },
-      "codex-attempt-fix": {
-        getPromptTemplate: () =>
-          `
-Attempt to solve the reported issue.
-
-If a code change is required, create a new branch, commit the fix, and open a pull-request that resolves the problem.
-
-### {CODEX_ACTION_ISSUE_TITLE}
-
-{CODEX_ACTION_ISSUE_BODY}
-`.trim(),
-      },
-    },
-  };
-}

.github/actions/codex/src/env-context.ts

@@ -1,116 +0,0 @@
-/*
- * Centralised access to environment variables used by the Codex GitHub
- * Action.
- *
- * To enable proper unit-testing we avoid reading from `process.env` at module
- * initialisation time.  Instead a `EnvContext` object is created (usually from
- * the real `process.env`) and passed around explicitly or – where that is not
- * yet practical – imported as the shared `defaultContext` singleton. Tests can
- * create their own context backed by a stubbed map of variables without having
- * to mutate global state.
- */
-
-import { fail } from "./fail";
-import * as github from "@actions/github";
-
-export interface EnvContext {
-  /**
-   * Return the value for a given environment variable or terminate the action
-   * via `fail` if it is missing / empty.
-   */
-  get(name: string): string;
-
-  /**
-   * Attempt to read an environment variable. Returns the value when present;
-   * otherwise returns undefined (does not call `fail`).
-   */
-  tryGet(name: string): string | undefined;
-
-  /**
-   * Attempt to read an environment variable. Returns non-empty string value or
-   * null if unset or empty string.
-   */
-  tryGetNonEmpty(name: string): string | null;
-
-  /**
-   * Return a memoised Octokit instance authenticated via the token resolved
-   * from the provided argument (when defined) or the environment variables
-   * `GITHUB_TOKEN`/`GH_TOKEN`.
-   *
-   * Subsequent calls return the same cached instance to avoid spawning
-   * multiple REST clients within a single action run.
-   */
-  getOctokit(token?: string): ReturnType<typeof github.getOctokit>;
-}
-
-/** Internal helper – *not* exported. */
-function _getRequiredEnv(
-  name: string,
-  env: Record<string, string | undefined>,
-): string | undefined {
-  const value = env[name];
-
-  // Avoid leaking secrets into logs while still logging non-secret variables.
-  if (name.endsWith("KEY") || name.endsWith("TOKEN")) {
-    if (value) {
-      console.log(`value for ${name} was found`);
-    }
-  } else {
-    console.log(`${name}=${value}`);
-  }
-
-  return value;
-}
-
-/** Create a context backed by the supplied environment map (defaults to `process.env`). */
-export function createEnvContext(
-  env: Record<string, string | undefined> = process.env,
-): EnvContext {
-  // Lazily instantiated Octokit client – shared across this context.
-  let cachedOctokit: ReturnType<typeof github.getOctokit> | null = null;
-
-  return {
-    get(name: string): string {
-      const value = _getRequiredEnv(name, env);
-      if (value == null) {
-        fail(`Missing required environment variable: ${name}`);
-      }
-      return value;
-    },
-
-    tryGet(name: string): string | undefined {
-      return _getRequiredEnv(name, env);
-    },
-
-    tryGetNonEmpty(name: string): string | null {
-      const value = _getRequiredEnv(name, env);
-      return value == null || value === "" ? null : value;
-    },
-
-    getOctokit(token?: string) {
-      if (cachedOctokit) {
-        return cachedOctokit;
-      }
-
-      // Determine the token to authenticate with.
-      const githubToken = token ?? env["GITHUB_TOKEN"] ?? env["GH_TOKEN"];
-
-      if (!githubToken) {
-        fail(
-          "Unable to locate a GitHub token. `github_token` should have been set on the action.",
-        );
-      }
-
-      cachedOctokit = github.getOctokit(githubToken!);
-      return cachedOctokit;
-    },
-  };
-}
-
-/**
- * Shared context built from the actual `process.env`.  Production code that is
- * not yet refactored to receive a context explicitly may import and use this
- * singleton.  Tests should avoid the singleton and instead pass their own
- * context to the functions they exercise.
- */
-export const defaultContext: EnvContext = createEnvContext();

.github/actions/codex/src/fail.ts

@@ -1,4 +0,0 @@
-export function fail(message: string): never {
-  console.error(message);
-  process.exit(1);
-}

.github/actions/codex/src/git-helpers.ts

@@ -1,149 +0,0 @@
-import { spawnSync } from "child_process";
-import * as github from "@actions/github";
-import { EnvContext } from "./env-context";
-
-function runGit(args: string[], silent = true): string {
-  console.info(`Running git ${args.join(" ")}`);
-  const res = spawnSync("git", args, {
-    encoding: "utf8",
-    stdio: silent ? ["ignore", "pipe", "pipe"] : "inherit",
-  });
-  if (res.error) {
-    throw res.error;
-  }
-  if (res.status !== 0) {
-    // Return stderr so caller may handle; else throw.
-    throw new Error(
-      `git ${args.join(" ")} failed with code ${res.status}: ${res.stderr}`,
-    );
-  }
-  return res.stdout.trim();
-}
-
-function stageAllChanges() {
-  runGit(["add", "-A"]);
-}
-
-function hasStagedChanges(): boolean {
-  const res = spawnSync("git", ["diff", "--cached", "--quiet", "--exit-code"]);
-  return res.status !== 0;
-}
-
-function ensureOnBranch(
-  issueNumber: number,
-  protectedBranches: string[],
-  suggestedSlug?: string,
-): string {
-  let branch = "";
-  try {
-    branch = runGit(["symbolic-ref", "--short", "-q", "HEAD"]);
-  } catch {
-    branch = "";
-  }
-
-  // If detached HEAD or on a protected branch, create a new branch.
-  if (!branch || protectedBranches.includes(branch)) {
-    if (suggestedSlug) {
-      const safeSlug = suggestedSlug
-        .toLowerCase()
-        .replace(/[^\w\s-]/g, "")
-        .trim()
-        .replace(/\s+/g, "-");
-      branch = `codex-fix-${issueNumber}-${safeSlug}`;
-    } else {
-      branch = `codex-fix-${issueNumber}-${Date.now()}`;
-    }
-    runGit(["switch", "-c", branch]);
-  }
-  return branch;
-}
-
-function commitIfNeeded(issueNumber: number) {
-  if (hasStagedChanges()) {
-    runGit([
-      "commit",
-      "-m",
-      `fix: automated fix for #${issueNumber} via Codex`,
-    ]);
-  }
-}
-
-function pushBranch(branch: string, githubToken: string, ctx: EnvContext) {
-  const repoSlug = ctx.get("GITHUB_REPOSITORY"); // owner/repo
-  const remoteUrl = `https://x-access-token:${githubToken}@github.com/${repoSlug}.git`;
-
-  runGit(["push", "--force-with-lease", "-u", remoteUrl, `HEAD:${branch}`]);
-}
-
-/**
- * If this returns a string, it is the URL of the created PR.
- */
-export async function maybePublishPRForIssue(
-  issueNumber: number,
-  lastMessage: string,
-  ctx: EnvContext,
-): Promise<string | undefined> {
-  // Only proceed if GITHUB_TOKEN available.
-  const githubToken =
-    ctx.tryGetNonEmpty("GITHUB_TOKEN") ?? ctx.tryGetNonEmpty("GH_TOKEN");
-  if (!githubToken) {
-    console.warn("No GitHub token - skipping PR creation.");
-    return undefined;
-  }
-
-  // Print `git status` for debugging.
-  runGit(["status"]);
-
-  // Stage any remaining changes so they can be committed and pushed.
-  stageAllChanges();
-
-  const octokit = ctx.getOctokit(githubToken);
-
-  const { owner, repo } = github.context.repo;
-
-  // Determine default branch to treat as protected.
-  let defaultBranch = "main";
-  try {
-    const repoInfo = await octokit.rest.repos.get({ owner, repo });
-    defaultBranch = repoInfo.data.default_branch ?? "main";
-  } catch (e) {
-    console.warn(`Failed to get default branch, assuming 'main': ${e}`);
-  }
-
-  const sanitizedMessage = lastMessage.replace(/\u2022/g, "-");
-  const [summaryLine] = sanitizedMessage.split(/\r?\n/);
-  const branch = ensureOnBranch(issueNumber, [defaultBranch, "master"], summaryLine);
-  commitIfNeeded(issueNumber);
-  pushBranch(branch, githubToken, ctx);
-
-  // Try to find existing PR for this branch
-  const headParam = `${owner}:${branch}`;
-  const existing = await octokit.rest.pulls.list({
-    owner,
-    repo,
-    head: headParam,
-    state: "open",
-  });
-  if (existing.data.length > 0) {
-    return existing.data[0].html_url;
-  }
-
-  // Determine base branch (default to main)
-  let baseBranch = "main";
-  try {
-    const repoInfo = await octokit.rest.repos.get({ owner, repo });
-    baseBranch = repoInfo.data.default_branch ?? "main";
-  } catch (e) {
-    console.warn(`Failed to get default branch, assuming 'main': ${e}`);
-  }
-
-  const pr = await octokit.rest.pulls.create({
-    owner,
-    repo,
-    title: summaryLine,
-    head: branch,
-    base: baseBranch,
-    body: sanitizedMessage,
-  });
-  return pr.data.html_url;
-}

.github/actions/codex/src/git-user.ts

@@ -1,16 +0,0 @@
-export function setGitHubActionsUser(): void {
-  const commands = [
-    ["git", "config", "--global", "user.name", "github-actions[bot]"],
-    [
-      "git",
-      "config",
-      "--global",
-      "user.email",
-      "41898282+github-actions[bot]@users.noreply.github.com",
-    ],
-  ];
-
-  for (const command of commands) {
-    Bun.spawnSync(command);
-  }
-}

.github/actions/codex/src/github-workspace.ts

@@ -1,11 +0,0 @@
-import * as pathMod from "path";
-import { EnvContext } from "./env-context";
-
-export function resolveWorkspacePath(path: string, ctx: EnvContext): string {
-  if (pathMod.isAbsolute(path)) {
-    return path;
-  } else {
-    const workspace = ctx.get("GITHUB_WORKSPACE");
-    return pathMod.join(workspace, path);
-  }
-}

.github/actions/codex/src/load-config.ts

@@ -1,56 +0,0 @@
-import type { Config, LabelConfig } from "./config";
-
-import { getDefaultConfig } from "./default-label-config";
-import { readFileSync, readdirSync, statSync } from "fs";
-import * as path from "path";
-
-/**
- * Build an in-memory configuration object by scanning the repository for
- * Markdown templates located in `.github/codex/labels`.
- *
- * Each `*.md` file in that directory represents a label that can trigger the
- * Codex GitHub Action. The filename **without** the extension is interpreted
- * as the label name, e.g. `codex-review.md` ➜ `codex-review`.
- *
- * For every such label we derive the corresponding `doneLabel` by appending
- * the suffix `-completed`.
- */
-export function loadConfig(workspace: string): Config {
-  const labelsDir = path.join(workspace, ".github", "codex", "labels");
-
-  let entries: string[];
-  try {
-    entries = readdirSync(labelsDir);
-  } catch {
-    // If the directory is missing, return the default configuration.
-    return getDefaultConfig();
-  }
-
-  const labels: Record<string, LabelConfig> = {};
-
-  for (const entry of entries) {
-    if (!entry.endsWith(".md")) {
-      continue;
-    }
-
-    const fullPath = path.join(labelsDir, entry);
-
-    if (!statSync(fullPath).isFile()) {
-      continue;
-    }
-
-    const labelName = entry.slice(0, -3); // trim ".md"
-
-    labels[labelName] = new FileLabelConfig(fullPath);
-  }
-
-  return { labels };
-}
-
-class FileLabelConfig implements LabelConfig {
-  constructor(private readonly promptPath: string) {}
-
-  getPromptTemplate(): string {
-    return readFileSync(this.promptPath, "utf8");
-  }
-}

.github/actions/codex/src/main.ts

@@ -1,80 +0,0 @@
-#!/usr/bin/env bun
-
-import type { Config } from "./config";
-
-import { defaultContext, EnvContext } from "./env-context";
-import { loadConfig } from "./load-config";
-import { setGitHubActionsUser } from "./git-user";
-import { onLabeled } from "./process-label";
-import { ensureBaseAndHeadCommitsForPRAreAvailable } from "./prompt-template";
-import { performAdditionalValidation } from "./verify-inputs";
-import { onComment } from "./comment";
-import { onReview } from "./review";
-
-async function main(): Promise<void> {
-  const ctx: EnvContext = defaultContext;
-
-  // Build the configuration dynamically by scanning `.github/codex/labels`.
-  const GITHUB_WORKSPACE = ctx.get("GITHUB_WORKSPACE");
-  const config: Config = loadConfig(GITHUB_WORKSPACE);
-
-  // Optionally perform additional validation of prompt template files.
-  performAdditionalValidation(config, GITHUB_WORKSPACE);
-
-  const GITHUB_EVENT_NAME = ctx.get("GITHUB_EVENT_NAME");
-  const GITHUB_EVENT_ACTION = ctx.get("GITHUB_EVENT_ACTION");
-
-  // Set user.name and user.email to a bot before Codex runs, just in case it
-  // creates a commit.
-  setGitHubActionsUser();
-
-  switch (GITHUB_EVENT_NAME) {
-    case "issues": {
-      if (GITHUB_EVENT_ACTION === "labeled") {
-        await onLabeled(config, ctx);
-        return;
-      } else if (GITHUB_EVENT_ACTION === "opened") {
-        await onComment(ctx);
-        return;
-      }
-      break;
-    }
-    case "issue_comment": {
-      if (GITHUB_EVENT_ACTION === "created") {
-        await onComment(ctx);
-        return;
-      }
-      break;
-    }
-    case "pull_request": {
-      if (GITHUB_EVENT_ACTION === "labeled") {
-        await ensureBaseAndHeadCommitsForPRAreAvailable(ctx);
-        await onLabeled(config, ctx);
-        return;
-      }
-      break;
-    }
-    case "pull_request_review": {
-      await ensureBaseAndHeadCommitsForPRAreAvailable(ctx);
-      if (GITHUB_EVENT_ACTION === "submitted") {
-        await onReview(ctx);
-        return;
-      }
-      break;
-    }
-    case "pull_request_review_comment": {
-      await ensureBaseAndHeadCommitsForPRAreAvailable(ctx);
-      if (GITHUB_EVENT_ACTION === "created") {
-        await onComment(ctx);
-        return;
-      }
-      break;
-    }
-  }
-
-  console.warn(
-    `Unsupported action '${GITHUB_EVENT_ACTION}' for event '${GITHUB_EVENT_NAME}'.`,
-  );
-}
-
-main();

.github/actions/codex/src/post-comment.ts

@@ -1,62 +0,0 @@
-import { fail } from "./fail";
-import * as github from "@actions/github";
-import { EnvContext } from "./env-context";
-
-/**
- * Post a comment to the issue / pull request currently in scope.
- *
- * Provide the environment context so that token lookup (inside getOctokit) does
- * not rely on global state.
- */
-export async function postComment(
-  commentBody: string,
-  ctx: EnvContext,
-): Promise<void> {
-  // Append a footer with a link back to the workflow run, if available.
-  const footer = buildWorkflowRunFooter(ctx);
-  const bodyWithFooter = footer ? `${commentBody}${footer}` : commentBody;
-
-  const octokit = ctx.getOctokit();
-  console.info("Got Octokit instance for posting comment");
-  const { owner, repo } = github.context.repo;
-  const issueNumber = github.context.issue.number;
-
-  if (!issueNumber) {
-    console.warn(
-      "No issue or pull_request number found in GitHub context; skipping comment creation.",
-    );
-    return;
-  }
-
-  try {
-    console.info("Calling octokit.rest.issues.createComment()");
-    await octokit.rest.issues.createComment({
-      owner,
-      repo,
-      issue_number: issueNumber,
-      body: bodyWithFooter,
-    });
-  } catch (error) {
-    fail(`Failed to create comment via GitHub API: ${error}`);
-  }
-}
-
-/**
- * Helper to build a Markdown fragment linking back to the workflow run that
- * generated the current comment. Returns `undefined` if required environment
- * variables are missing – e.g. when running outside of GitHub Actions – so we
- * can gracefully skip the footer in those cases.
- */
-function buildWorkflowRunFooter(ctx: EnvContext): string | undefined {
-  const serverUrl =
-    ctx.tryGetNonEmpty("GITHUB_SERVER_URL") ?? "https://github.com";
-  const repository = ctx.tryGetNonEmpty("GITHUB_REPOSITORY");
-  const runId = ctx.tryGetNonEmpty("GITHUB_RUN_ID");
-
-  if (!repository || !runId) {
-    return undefined;
-  }
-
-  const url = `${serverUrl}/${repository}/actions/runs/${runId}`;
-  return `\n\n---\n*[_View workflow run_](${url})*`;
-}

.github/actions/codex/src/process-label.ts

@@ -1,226 +0,0 @@
-import { fail } from "./fail";
-import { EnvContext } from "./env-context";
-import { renderPromptTemplate } from "./prompt-template";
-
-import { postComment } from "./post-comment";
-import { runCodex } from "./run-codex";
-
-import * as github from "@actions/github";
-import { Config, LabelConfig } from "./config";
-import { maybePublishPRForIssue } from "./git-helpers";
-
-export async function onLabeled(
-  config: Config,
-  ctx: EnvContext,
-): Promise<void> {
-  const GITHUB_EVENT_LABEL_NAME = ctx.get("GITHUB_EVENT_LABEL_NAME");
-  const labelConfig = config.labels[GITHUB_EVENT_LABEL_NAME] as
-    | LabelConfig
-    | undefined;
-  if (!labelConfig) {
-    fail(
-      `Label \`${GITHUB_EVENT_LABEL_NAME}\` not found in config: ${JSON.stringify(config)}`,
-    );
-  }
-
-  await processLabelConfig(ctx, GITHUB_EVENT_LABEL_NAME, labelConfig);
-}
-
-/**
- * Wrapper that handles `-in-progress` and `-completed` semantics around the core lint/fix/review
- * processing. It will:
- *
- * - Skip execution if the `-in-progress` or `-completed` label is already present.
- * - Mark the PR/issue as `-in-progress`.
- * - After successful execution, mark the PR/issue as `-completed`.
- */
-async function processLabelConfig(
-  ctx: EnvContext,
-  label: string,
-  labelConfig: LabelConfig,
-): Promise<void> {
-  const octokit = ctx.getOctokit();
-  const { owner, repo, issueNumber, labelNames } =
-    await getCurrentLabels(octokit);
-
-  const inProgressLabel = `${label}-in-progress`;
-  const completedLabel = `${label}-completed`;
-  for (const markerLabel of [inProgressLabel, completedLabel]) {
-    if (labelNames.includes(markerLabel)) {
-      console.log(
-        `Label '${markerLabel}' already present on issue/PR #${issueNumber}. Skipping Codex action.`,
-      );
-
-      // Clean up: remove the triggering label to avoid confusion and re-runs.
-      await addAndRemoveLabels(octokit, {
-        owner,
-        repo,
-        issueNumber,
-        remove: markerLabel,
-      });
-
-      return;
-    }
-  }
-
-  // Mark the PR/issue as in progress.
-  await addAndRemoveLabels(octokit, {
-    owner,
-    repo,
-    issueNumber,
-    add: inProgressLabel,
-    remove: label,
-  });
-
-  // Run the core Codex processing.
-  await processLabel(ctx, label, labelConfig);
-
-  // Mark the PR/issue as completed.
-  await addAndRemoveLabels(octokit, {
-    owner,
-    repo,
-    issueNumber,
-    add: completedLabel,
-    remove: inProgressLabel,
-  });
-}
-
-async function processLabel(
-  ctx: EnvContext,
-  label: string,
-  labelConfig: LabelConfig,
-): Promise<void> {
-  const template = labelConfig.getPromptTemplate();
-
-  // If this is a review label, prepend explicit PR-diff scoping guidance to
-  // reduce out-of-scope feedback. Do this before rendering so placeholders in
-  // the guidance (e.g., {CODEX_ACTION_GITHUB_EVENT_PATH}) are substituted.
-  const isReview = label.toLowerCase().includes("review");
-  const reviewScopeGuidance = `
-PR Diff Scope
-- Only review changes between the PR's merge-base and head; do not comment on commits or files outside this range.
-- Derive the base/head SHAs from the event JSON at {CODEX_ACTION_GITHUB_EVENT_PATH}, then compute and use the PR diff for all analysis and comments.
-
-Commands to determine scope
-- Resolve SHAs:
-  - BASE_SHA=$(jq -r '.pull_request.base.sha // .pull_request.base.ref' "{CODEX_ACTION_GITHUB_EVENT_PATH}")
-  - HEAD_SHA=$(jq -r '.pull_request.head.sha // .pull_request.head.ref' "{CODEX_ACTION_GITHUB_EVENT_PATH}")
-  - BASE_SHA=$(git rev-parse "$BASE_SHA")
-  - HEAD_SHA=$(git rev-parse "$HEAD_SHA")
-- Prefer triple-dot (merge-base) semantics for PR diffs:
-  - Changed commits: git log --oneline "$BASE_SHA...$HEAD_SHA"
-  - Changed files: git diff --name-status "$BASE_SHA...$HEAD_SHA"
-  - Review hunks: git diff -U0 "$BASE_SHA...$HEAD_SHA"
-
-Review rules
-- Anchor every comment to a file and hunk present in git diff "$BASE_SHA...$HEAD_SHA".
-- If you mention context outside the diff, label it as "Follow-up (outside this PR scope)" and keep it brief (<=2 bullets).
-- Do not critique commits or files not reachable in the PR range (merge-base(base, head) → head).
-`.trim();
-
-  const effectiveTemplate = isReview
-    ? `${reviewScopeGuidance}\n\n${template}`
-    : template;
-
-  const populatedTemplate = await renderPromptTemplate(effectiveTemplate, ctx);
-
-  // Always run Codex and post the resulting message as a comment.
-  let commentBody = await runCodex(populatedTemplate, ctx);
-
-  // Current heuristic: only try to create a PR if "attempt" or "fix" is in the
-  // label name. (Yes, we plan to evolve this.)
-  if (label.indexOf("fix") !== -1 || label.indexOf("attempt") !== -1) {
-    console.info(`label ${label} indicates we should attempt to create a PR`);
-    const prUrl = await maybeFixIssue(ctx, commentBody);
-    if (prUrl) {
-      commentBody += `\n\n---\nOpened pull request: ${prUrl}`;
-    }
-  } else {
-    console.info(
-      `label ${label} does not indicate we should attempt to create a PR`,
-    );
-  }
-
-  await postComment(commentBody, ctx);
-}
-
-async function maybeFixIssue(
-  ctx: EnvContext,
-  lastMessage: string,
-): Promise<string | undefined> {
-  // Attempt to create a PR out of any changes Codex produced.
-  const issueNumber = github.context.issue.number!; // exists for issues triggering this path
-  try {
-    return await maybePublishPRForIssue(issueNumber, lastMessage, ctx);
-  } catch (e) {
-    console.warn(`Failed to publish PR: ${e}`);
-  }
-}
-
-async function getCurrentLabels(
-  octokit: ReturnType<typeof github.getOctokit>,
-): Promise<{
-  owner: string;
-  repo: string;
-  issueNumber: number;
-  labelNames: Array<string>;
-}> {
-  const { owner, repo } = github.context.repo;
-  const issueNumber = github.context.issue.number;
-
-  if (!issueNumber) {
-    fail("No issue or pull_request number found in GitHub context.");
-  }
-
-  const { data: issueData } = await octokit.rest.issues.get({
-    owner,
-    repo,
-    issue_number: issueNumber,
-  });
-
-  const labelNames =
-    issueData.labels?.map((label: any) =>
-      typeof label === "string" ? label : label.name,
-    ) ?? [];
-
-  return { owner, repo, issueNumber, labelNames };
-}
-
-async function addAndRemoveLabels(
-  octokit: ReturnType<typeof github.getOctokit>,
-  opts: {
-    owner: string;
-    repo: string;
-    issueNumber: number;
-    add?: string;
-    remove?: string;
-  },
-): Promise<void> {
-  const { owner, repo, issueNumber, add, remove } = opts;
-
-  if (add) {
-    try {
-      await octokit.rest.issues.addLabels({
-        owner,
-        repo,
-        issue_number: issueNumber,
-        labels: [add],
-      });
-    } catch (error) {
-      console.warn(`Failed to add label '${add}': ${error}`);
-    }
-  }
-
-  if (remove) {
-    try {
-      await octokit.rest.issues.removeLabel({
-        owner,
-        repo,
-        issue_number: issueNumber,
-        name: remove,
-      });
-    } catch (error) {
-      console.warn(`Failed to remove label '${remove}': ${error}`);
-    }
-  }
-}

.github/actions/codex/src/prompt-template.ts

@@ -1,284 +0,0 @@
-/*
- * Utilities to render Codex prompt templates.
- *
- * A template is a Markdown (or plain-text) file that may contain one or more
- * placeholders of the form `{CODEX_ACTION_<NAME>}`. At runtime these
- * placeholders are substituted with dynamically generated content. Each
- * placeholder is resolved **exactly once** even if it appears multiple times
- * in the same template.
- */
-
-import { readFile } from "fs/promises";
-
-import { EnvContext } from "./env-context";
-
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-
-/**
- * Lazily caches parsed `$GITHUB_EVENT_PATH` contents keyed by the file path so
- * we only hit the filesystem once per unique event payload.
- */
-const githubEventDataCache: Map<string, Promise<any>> = new Map();
-
-function getGitHubEventData(ctx: EnvContext): Promise<any> {
-  const eventPath = ctx.get("GITHUB_EVENT_PATH");
-  let cached = githubEventDataCache.get(eventPath);
-  if (!cached) {
-    cached = readFile(eventPath, "utf8").then((raw) => JSON.parse(raw));
-    githubEventDataCache.set(eventPath, cached);
-  }
-  return cached;
-}
-
-async function runCommand(args: Array<string>): Promise<string> {
-  const result = Bun.spawnSync(args, {
-    stdout: "pipe",
-    stderr: "pipe",
-  });
-
-  if (result.success) {
-    return result.stdout.toString();
-  }
-
-  console.error(`Error running ${JSON.stringify(args)}: ${result.stderr}`);
-  return "";
-}
-
-// ---------------------------------------------------------------------------
-// Public API
-// ---------------------------------------------------------------------------
-
-// Regex that captures the variable name without the surrounding { } braces.
-const VAR_REGEX = /\{(CODEX_ACTION_[A-Z0-9_]+)\}/g;
-
-// Cache individual placeholder values so each one is resolved at most once per
-// process even if many templates reference it.
-const placeholderCache: Map<string, Promise<string>> = new Map();
-
-/**
- * Parse a template string, resolve all placeholders and return the rendered
- * result.
- */
-export async function renderPromptTemplate(
-  template: string,
-  ctx: EnvContext,
-): Promise<string> {
-  // ---------------------------------------------------------------------
-  // 1) Gather all *unique* placeholders present in the template.
-  // ---------------------------------------------------------------------
-  const variables = new Set<string>();
-  for (const match of template.matchAll(VAR_REGEX)) {
-    variables.add(match[1]);
-  }
-
-  // ---------------------------------------------------------------------
-  // 2) Kick off (or reuse) async resolution for each variable.
-  // ---------------------------------------------------------------------
-  for (const variable of variables) {
-    if (!placeholderCache.has(variable)) {
-      placeholderCache.set(variable, resolveVariable(variable, ctx));
-    }
-  }
-
-  // ---------------------------------------------------------------------
-  // 3) Await completion so we can perform a simple synchronous replace below.
-  // ---------------------------------------------------------------------
-  const resolvedEntries: [string, string][] = [];
-  for (const [key, promise] of placeholderCache.entries()) {
-    resolvedEntries.push([key, await promise]);
-  }
-  const resolvedMap = new Map<string, string>(resolvedEntries);
-
-  // ---------------------------------------------------------------------
-  // 4) Replace each occurrence.  We use replace with a callback to ensure
-  //    correct substitution even if variable names overlap (they shouldn't,
-  //    but better safe than sorry).
-  // ---------------------------------------------------------------------
-  return template.replace(VAR_REGEX, (_, varName: string) => {
-    return resolvedMap.get(varName) ?? "";
-  });
-}
-
-export async function ensureBaseAndHeadCommitsForPRAreAvailable(
-  ctx: EnvContext,
-): Promise<{ baseSha: string; headSha: string } | null> {
-  const prShas = await getPrShas(ctx);
-  if (prShas == null) {
-    console.warn("Unable to resolve PR branches");
-    return null;
-  }
-
-  const event = await getGitHubEventData(ctx);
-  const pr = event.pull_request;
-  if (!pr) {
-    console.warn("event.pull_request is not defined - unexpected");
-    return null;
-  }
-
-  const workspace = ctx.get("GITHUB_WORKSPACE");
-
-  // Refs (branch names)
-  const baseRef: string | undefined = pr.base?.ref;
-  const headRef: string | undefined = pr.head?.ref;
-
-  // Clone URLs
-  const baseRemoteUrl: string | undefined = pr.base?.repo?.clone_url;
-  const headRemoteUrl: string | undefined = pr.head?.repo?.clone_url;
-
-  if (!baseRef || !headRef || !baseRemoteUrl || !headRemoteUrl) {
-    console.warn(
-      "Missing PR ref or remote URL information - cannot fetch commits",
-    );
-    return null;
-  }
-
-  // Ensure we have the base branch.
-  await runCommand([
-    "git",
-    "-C",
-    workspace,
-    "fetch",
-    "--no-tags",
-    "origin",
-    baseRef,
-  ]);
-
-  // Ensure we have the head branch.
-  if (headRemoteUrl === baseRemoteUrl) {
-    // Same repository – the commit is available from `origin`.
-    await runCommand([
-      "git",
-      "-C",
-      workspace,
-      "fetch",
-      "--no-tags",
-      "origin",
-      headRef,
-    ]);
-  } else {
-    // Fork – make sure a `pr` remote exists that points at the fork. Attempting
-    // to add a remote that already exists causes git to error, so we swallow
-    // any non-zero exit codes from that specific command.
-    await runCommand([
-      "git",
-      "-C",
-      workspace,
-      "remote",
-      "add",
-      "pr",
-      headRemoteUrl,
-    ]);
-
-    // Whether adding succeeded or the remote already existed, attempt to fetch
-    // the head ref from the `pr` remote.
-    await runCommand([
-      "git",
-      "-C",
-      workspace,
-      "fetch",
-      "--no-tags",
-      "pr",
-      headRef,
-    ]);
-  }
-
-  return prShas;
-}
-
-// ---------------------------------------------------------------------------
-// Internal helpers – still exported for use by other modules.
-// ---------------------------------------------------------------------------
-
-export async function resolvePrDiff(ctx: EnvContext): Promise<string> {
-  const prShas = await ensureBaseAndHeadCommitsForPRAreAvailable(ctx);
-  if (prShas == null) {
-    console.warn("Unable to resolve PR branches");
-    return "";
-  }
-
-  const workspace = ctx.get("GITHUB_WORKSPACE");
-  const { baseSha, headSha } = prShas;
-  return runCommand([
-    "git",
-    "-C",
-    workspace,
-    "diff",
-    "--color=never",
-    `${baseSha}..${headSha}`,
-  ]);
-}
-
-// ---------------------------------------------------------------------------
-// Placeholder resolution
-// ---------------------------------------------------------------------------
-
-async function resolveVariable(name: string, ctx: EnvContext): Promise<string> {
-  switch (name) {
-    case "CODEX_ACTION_ISSUE_TITLE": {
-      const event = await getGitHubEventData(ctx);
-      const issue = event.issue ?? event.pull_request;
-      return issue?.title ?? "";
-    }
-
-    case "CODEX_ACTION_ISSUE_BODY": {
-      const event = await getGitHubEventData(ctx);
-      const issue = event.issue ?? event.pull_request;
-      return issue?.body ?? "";
-    }
-
-    case "CODEX_ACTION_GITHUB_EVENT_PATH": {
-      return ctx.get("GITHUB_EVENT_PATH");
-    }
-
-    case "CODEX_ACTION_BASE_REF": {
-      const event = await getGitHubEventData(ctx);
-      return event?.pull_request?.base?.ref ?? "";
-    }
-
-    case "CODEX_ACTION_HEAD_REF": {
-      const event = await getGitHubEventData(ctx);
-      return event?.pull_request?.head?.ref ?? "";
-    }
-
-    case "CODEX_ACTION_PR_DIFF": {
-      return resolvePrDiff(ctx);
-    }
-
-    // -------------------------------------------------------------------
-    // Add new template variables here.
-    // -------------------------------------------------------------------
-
-    default: {
-      // Unknown variable – leave it blank to avoid leaking placeholders to the
-      // final prompt.  The alternative would be to `fail()` here, but silently
-      // ignoring unknown placeholders is more forgiving and better matches the
-      // behaviour of typical template engines.
-      console.warn(`Unknown template variable: ${name}`);
-      return "";
-    }
-  }
-}
-
-async function getPrShas(
-  ctx: EnvContext,
-): Promise<{ baseSha: string; headSha: string } | null> {
-  const event = await getGitHubEventData(ctx);
-  const pr = event.pull_request;
-  if (!pr) {
-    console.warn("event.pull_request is not defined");
-    return null;
-  }
-
-  // Prefer explicit SHAs if available to avoid relying on local branch names.
-  const baseSha: string | undefined = pr.base?.sha;
-  const headSha: string | undefined = pr.head?.sha;
-
-  if (!baseSha || !headSha) {
-    console.warn("one of base or head is not defined on event.pull_request");
-    return null;
-  }
-
-  return { baseSha, headSha };
-}

.github/actions/codex/src/review.ts

@@ -1,42 +0,0 @@
-import type { EnvContext } from "./env-context";
-import { runCodex } from "./run-codex";
-import { postComment } from "./post-comment";
-import { addEyesReaction } from "./add-reaction";
-
-/**
- * Handle `pull_request_review` events. We treat the review body the same way
- * as a normal comment.
- */
-export async function onReview(ctx: EnvContext): Promise<void> {
-  const triggerPhrase = ctx.tryGet("INPUT_TRIGGER_PHRASE");
-  if (!triggerPhrase) {
-    console.warn("Empty trigger phrase: skipping.");
-    return;
-  }
-
-  const reviewBody = ctx.tryGet("GITHUB_EVENT_REVIEW_BODY");
-
-  if (!reviewBody) {
-    console.warn("Review body not found in environment: skipping.");
-    return;
-  }
-
-  if (!reviewBody.includes(triggerPhrase)) {
-    console.log(
-      `Trigger phrase '${triggerPhrase}' not found: nothing to do for this review.`,
-    );
-    return;
-  }
-
-  const prompt = reviewBody.replace(triggerPhrase, "").trim();
-
-  if (prompt.length === 0) {
-    console.warn("Prompt is empty after removing trigger phrase: skipping.");
-    return;
-  }
-
-  await addEyesReaction(ctx);
-
-  const lastMessage = await runCodex(prompt, ctx);
-  await postComment(lastMessage, ctx);
-}

.github/actions/codex/src/run-codex.ts

@@ -1,58 +0,0 @@
-import { fail } from "./fail";
-import { EnvContext } from "./env-context";
-import { tmpdir } from "os";
-import { join } from "node:path";
-import { readFile, mkdtemp } from "fs/promises";
-import { resolveWorkspacePath } from "./github-workspace";
-
-/**
- * Runs the Codex CLI with the provided prompt and returns the output written
- * to the "last message" file.
- */
-export async function runCodex(
-  prompt: string,
-  ctx: EnvContext,
-): Promise<string> {
-  const OPENAI_API_KEY = ctx.get("OPENAI_API_KEY");
-
-  const tempDirPath = await mkdtemp(join(tmpdir(), "codex-"));
-  const lastMessageOutput = join(tempDirPath, "codex-prompt.md");
-
-  // Use the unified CLI and its `exec` subcommand instead of the old
-  // standalone `codex-exec` binary.
-  const args = ["/usr/local/bin/codex", "exec"];
-
-  const inputCodexArgs = ctx.tryGet("INPUT_CODEX_ARGS")?.trim();
-  if (inputCodexArgs) {
-    args.push(...inputCodexArgs.split(/\s+/));
-  }
-
-  args.push("--output-last-message", lastMessageOutput, prompt);
-
-  const env: Record<string, string> = { ...process.env, OPENAI_API_KEY };
-  const INPUT_CODEX_HOME = ctx.tryGet("INPUT_CODEX_HOME");
-  if (INPUT_CODEX_HOME) {
-    env.CODEX_HOME = resolveWorkspacePath(INPUT_CODEX_HOME, ctx);
-  }
-
-  console.log(`Running Codex: ${JSON.stringify(args)}`);
-  const result = Bun.spawnSync(args, {
-    stdout: "inherit",
-    stderr: "inherit",
-    env,
-  });
-
-  if (!result.success) {
-    fail(`Codex failed: see above for details.`);
-  }
-
-  // Read the output generated by Codex.
-  let lastMessage: string;
-  try {
-    lastMessage = await readFile(lastMessageOutput, "utf8");
-  } catch (err) {
-    fail(`Failed to read Codex output at '${lastMessageOutput}': ${err}`);
-  }
-
-  return lastMessage;
-}

.github/actions/codex/src/verify-inputs.ts

@@ -1,33 +0,0 @@
-// Validate the inputs passed to the composite action.
-// The script currently ensures that the provided configuration file exists and
-// matches the expected schema.
-
-import type { Config } from "./config";
-
-import { existsSync } from "fs";
-import * as path from "path";
-import { fail } from "./fail";
-
-export function performAdditionalValidation(config: Config, workspace: string) {
-  // Additional validation: ensure referenced prompt files exist and are Markdown.
-  for (const [label, details] of Object.entries(config.labels)) {
-    // Determine which prompt key is present (the schema guarantees exactly one).
-    const promptPathStr =
-      (details as any).prompt ?? (details as any).promptPath;
-
-    if (promptPathStr) {
-      const promptPath = path.isAbsolute(promptPathStr)
-        ? promptPathStr
-        : path.join(workspace, promptPathStr);
-
-      if (!existsSync(promptPath)) {
-        fail(`Prompt file for label '${label}' not found: ${promptPath}`);
-      }
-      if (!promptPath.endsWith(".md")) {
-        fail(
-          `Prompt file for label '${label}' must be a .md file (got ${promptPathStr}).`,
-        );
-      }
-    }
-  }
-}

.github/actions/codex/tsconfig.json

@@ -1,15 +0,0 @@
-{
-  "compilerOptions": {
-    "lib": ["ESNext"],
-    "target": "ESNext",
-    "module": "ESNext",
-    "moduleDetection": "force",
-    "moduleResolution": "bundler",
-
-    "noEmit": true,
-    "strict": true,
-    "skipLibCheck": true
-  },
-
-  "include": ["src"]
-}

.github/workflows/codex.yml

@@ -1,64 +0,0 @@
-name: Codex
-
-on:
-  issues:
-    types: [opened, labeled]
-  pull_request:
-    branches: [main]
-    types: [labeled]
-
-jobs:
-  codex:
-    # This `if` check provides complex filtering logic to avoid running Codex
-    # on every PR. Admittedly, one thing this does not verify is whether the
-    # sender has write access to the repo: that must be done as part of a
-    # runtime step.
-    #
-    # Note the label values should match the ones in the .github/codex/labels
-    # folder.
-    if: |
-      (github.event_name == 'issues' && (
-        (github.event.action == 'labeled' && (github.event.label.name == 'codex-attempt' || github.event.label.name == 'codex-triage'))
-      )) ||
-      (github.event_name == 'pull_request' && github.event.action == 'labeled' && (github.event.label.name == 'codex-review' || github.event.label.name == 'codex-rust-review'))
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write # can push or create branches
-      issues: write # for comments + labels on issues/PRs
-      pull-requests: write # for PR comments/labels
-    steps:
-      # TODO: Consider adding an optional mode (--dry-run?) to actions/codex
-      # that verifies whether Codex should actually be run for this event.
-      # (For example, it may be rejected because the sender does not have
-      # write access to the repo.) The benefit would be two-fold:
-      # 1. As the first step of this job, it gives us a chance to add a reaction
-      #    or comment to the PR/issue ASAP to "ack" the request.
-      # 2. It saves resources by skipping the clone and setup steps below if
-      #    Codex is not going to run.
-
-      - name: Checkout repository
-        uses: actions/checkout@v5
-
-      - uses: dtolnay/rust-toolchain@1.89
-        with:
-          targets: x86_64-unknown-linux-gnu
-          components: clippy
-
-      - uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/bin/
-            ~/.cargo/registry/index/
-            ~/.cargo/registry/cache/
-            ~/.cargo/git/db/
-            ${{ github.workspace }}/codex-rs/target/
-          key: cargo-ubuntu-24.04-x86_64-unknown-linux-gnu-${{ hashFiles('**/Cargo.lock') }}
-
-      # Note it is possible that the `verify` step internal to Run Codex will
-      # fail, in which case the work to setup the repo was worthless :(
-      - name: Run Codex
-        uses: ./.github/actions/codex
-        with:
-          openai_api_key: ${{ secrets.CODEX_OPENAI_API_KEY }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          codex_home: ./.github/codex/home

.prettierignore

@@ -1,3 +1,7 @@
 /codex-cli/dist
 /codex-cli/node_modules
 pnpm-lock.yaml
+
+prompt.md
+*_prompt.md
+*_instructions.md

AGENTS.md

@@ -2,15 +2,16 @@
 
 In the codex-rs folder where the rust code lives:
 
-- Crate names are prefixed with `codex-`. For examole, the `core` folder's crate is named `codex-core`
+- Crate names are prefixed with `codex-`. For example, the `core` folder's crate is named `codex-core`
 - When using format! and you can inline variables into {}, always do that.
 - Never add or modify any code related to `CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR` or `CODEX_SANDBOX_ENV_VAR`.
   - You operate in a sandbox where `CODEX_SANDBOX_NETWORK_DISABLED=1` will be set whenever you use the `shell` tool. Any existing code that uses `CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR` was authored with this fact in mind. It is often used to early exit out of tests that the author knew you would not be able to run given your sandbox limitations.
   - Similarly, when you spawn a process using Seatbelt (`/usr/bin/sandbox-exec`), `CODEX_SANDBOX=seatbelt` will be set on the child process. Integration tests that want to run Seatbelt themselves cannot be run under Seatbelt, so checks for `CODEX_SANDBOX=seatbelt` are also often used to early exit out of tests, as appropriate.
 
-Before finalizing a change to `codex-rs`, run `just fmt` (in `codex-rs` directory) to format the code and `just fix` (in `codex-rs` directory) to fix any linter issues in the code. Additionally, run the tests:
+Before finalizing a change to `codex-rs`, run `just fmt` (in `codex-rs` directory) to format the code and `just fix -p <project>` (in `codex-rs` directory) to fix any linter issues in the code. Additionally, run the tests:
 1. Run the test for the specific project that was changed. For example, if changes were made in `codex-rs/tui`, run `cargo test -p codex-tui`.
 2. Once those pass, if any changes were made in common, core, or protocol, run the complete test suite with `cargo test --all-features`.
+When running interactively, ask the user before running these commands to finalize.
 
 ## TUI style conventions
 

README.md

@@ -383,6 +383,13 @@ base_url = "http://my-ollama.example.com:11434/v1"
 
 ### Platform sandboxing details
 
+By default, Codex CLI runs code and shell commands inside a restricted sandbox to protect your system.  
+
+> [!IMPORTANT]
+> Not all tool calls are sandboxed. Specifically, **trusted Model Context Protocol (MCP) tool calls** are executed outside of the sandbox.  
+> This is intentional: MCP tools are explicitly configured and trusted by you, and they often need to connect to **external applications or services** (e.g. issue trackers, databases, messaging systems).  
+> Running them outside the sandbox allows Codex to integrate with these external systems without being blocked by sandbox restrictions.
+
 The mechanism Codex uses to implement the sandbox policy depends on your OS:
 
 - **macOS 12+** uses **Apple Seatbelt** and runs commands using `sandbox-exec` with a profile (`-p`) that corresponds to the `--sandbox` that was specified.

codex-rs/Cargo.lock

@@ -186,6 +186,26 @@ version = "1.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "dde20b3d026af13f561bdd0f15edf01fc734f0dafcedbaf42bba506a9517f223"
 
+[[package]]
+name = "arboard"
+version = "3.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "55f533f8e0af236ffe5eb979b99381df3258853f00ba2e44b6e1955292c75227"
+dependencies = [
+ "clipboard-win",
+ "image",
+ "log",
+ "objc2",
+ "objc2-app-kit",
+ "objc2-core-foundation",
+ "objc2-core-graphics",
+ "objc2-foundation",
+ "parking_lot",
+ "percent-encoding",
+ "windows-sys 0.59.0",
+ "x11rb",
+]
+
 [[package]]
 name = "arg_enum_proc_macro"
 version = "0.3.4"
@@ -615,6 +635,7 @@ name = "codex-apply-patch"
 version = "0.0.0"
 dependencies = [
  "anyhow",
+ "assert_cmd",
  "pretty_assertions",
  "similar",
  "tempfile",
@@ -632,6 +653,7 @@ dependencies = [
  "codex-core",
  "codex-linux-sandbox",
  "dotenvy",
+ "tempfile",
  "tokio",
 ]
 
@@ -656,6 +678,7 @@ name = "codex-cli"
 version = "0.0.0"
 dependencies = [
  "anyhow",
+ "assert_cmd",
  "clap",
  "clap_complete",
  "codex-arg0",
@@ -669,7 +692,10 @@ dependencies = [
  "codex-protocol-ts",
  "codex-tui",
  "serde_json",
+ "tempfile",
  "tokio",
+ "toml 0.9.5",
+ "toml_edit 0.23.4",
  "tracing",
  "tracing-subscriber",
 ]
@@ -711,6 +737,7 @@ dependencies = [
  "mime_guess",
  "openssl-sys",
  "os_info",
+ "portable-pty",
  "predicates",
  "pretty_assertions",
  "rand 0.9.2",
@@ -731,12 +758,13 @@ dependencies = [
  "tokio-test",
  "tokio-util",
  "toml 0.9.5",
- "toml_edit 0.23.3",
+ "toml_edit 0.23.4",
  "tracing",
  "tree-sitter",
  "tree-sitter-bash",
  "uuid",
  "walkdir",
+ "which",
  "whoami",
  "wildmatch",
  "wiremock",
@@ -753,6 +781,7 @@ dependencies = [
  "codex-arg0",
  "codex-common",
  "codex-core",
+ "codex-login",
  "codex-ollama",
  "codex-protocol",
  "core_test_support",
@@ -822,6 +851,7 @@ version = "0.0.0"
 dependencies = [
  "base64 0.22.1",
  "chrono",
+ "codex-protocol",
  "pretty_assertions",
  "rand 0.8.5",
  "reqwest",
@@ -900,13 +930,16 @@ dependencies = [
 name = "codex-protocol"
 version = "0.0.0"
 dependencies = [
+ "base64 0.22.1",
  "mcp-types",
+ "mime_guess",
  "pretty_assertions",
  "serde",
  "serde_bytes",
  "serde_json",
  "strum 0.27.2",
  "strum_macros 0.27.2",
+ "tracing",
  "ts-rs",
  "uuid",
 ]
@@ -926,6 +959,8 @@ name = "codex-tui"
 version = "0.0.0"
 dependencies = [
  "anyhow",
+ "arboard",
+ "async-stream",
  "base64 0.22.1",
  "chrono",
  "clap",
@@ -959,8 +994,10 @@ dependencies = [
  "strum 0.27.2",
  "strum_macros 0.27.2",
  "supports-color",
+ "tempfile",
  "textwrap 0.16.2",
  "tokio",
+ "tokio-stream",
  "tracing",
  "tracing-appender",
  "tracing-subscriber",
@@ -968,6 +1005,7 @@ dependencies = [
  "tui-markdown",
  "unicode-segmentation",
  "unicode-width 0.1.14",
+ "url",
  "uuid",
  "vt100",
 ]
@@ -1161,6 +1199,7 @@ checksum = "829d955a0bb380ef178a640b91779e3987da38c9aea133b20614cfed8cdea9c6"
 dependencies = [
  "bitflags 2.9.1",
  "crossterm_winapi",
+ "futures-core",
  "mio",
  "parking_lot",
  "rustix 0.38.44",
@@ -1405,6 +1444,16 @@ dependencies = [
  "winapi",
 ]
 
+[[package]]
+name = "dispatch2"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "89a09f22a6c6069a18470eb92d2298acf25463f14256d24778e1230d789a2aec"
+dependencies = [
+ "bitflags 2.9.1",
+ "objc2",
+]
+
 [[package]]
 name = "display_container"
 version = "0.9.0"
@@ -1438,6 +1487,12 @@ version = "0.15.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1aaf95b3e5c8f23aa320147307562d361db0ae0d51242340f558153b4eb2439b"
 
+[[package]]
+name = "downcast-rs"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75b325c5dbd37f80359721ad39aca5a29fb04c89279657cffdda8736d0c0b9d2"
+
 [[package]]
 name = "dupe"
 version = "0.9.1"
@@ -1683,6 +1738,17 @@ dependencies = [
  "simd-adler32",
 ]
 
+[[package]]
+name = "filedescriptor"
+version = "0.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e40758ed24c9b2eeb76c35fb0aebc66c626084edd827e07e1552279814c6682d"
+dependencies = [
+ "libc",
+ "thiserror 1.0.69",
+ "winapi",
+]
+
 [[package]]
 name = "fixedbitset"
 version = "0.4.2"
@@ -1858,6 +1924,16 @@ dependencies = [
  "version_check",
 ]
 
+[[package]]
+name = "gethostname"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0176e0459c2e4a1fe232f984bca6890e681076abb9934f6cea7c326f3fc47818"
+dependencies = [
+ "libc",
+ "windows-targets 0.48.5",
+]
+
 [[package]]
 name = "getopts"
 version = "0.2.23"
@@ -2651,6 +2727,7 @@ checksum = "4488594b9328dee448adb906d8b126d9b7deb7cf5c22161ee591610bb1be83c0"
 dependencies = [
  "bitflags 2.9.1",
  "libc",
+ "redox_syscall",
 ]
 
 [[package]]
@@ -3054,6 +3131,42 @@ dependencies = [
  "objc2-encode",
 ]
 
+[[package]]
+name = "objc2-app-kit"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6f29f568bec459b0ddff777cec4fe3fd8666d82d5a40ebd0ff7e66134f89bcc"
+dependencies = [
+ "bitflags 2.9.1",
+ "objc2",
+ "objc2-core-graphics",
+ "objc2-foundation",
+]
+
+[[package]]
+name = "objc2-core-foundation"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1c10c2894a6fed806ade6027bcd50662746363a9589d3ec9d9bef30a4e4bc166"
+dependencies = [
+ "bitflags 2.9.1",
+ "dispatch2",
+ "objc2",
+]
+
+[[package]]
+name = "objc2-core-graphics"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "989c6c68c13021b5c2d6b71456ebb0f9dc78d752e86a98da7c716f4f9470f5a4"
+dependencies = [
+ "bitflags 2.9.1",
+ "dispatch2",
+ "objc2",
+ "objc2-core-foundation",
+ "objc2-io-surface",
+]
+
 [[package]]
 name = "objc2-encode"
 version = "4.1.0"
@@ -3068,6 +3181,18 @@ checksum = "900831247d2fe1a09a683278e5384cfb8c80c79fe6b166f9d14bfdde0ea1b03c"
 dependencies = [
  "bitflags 2.9.1",
  "objc2",
+ "objc2-core-foundation",
+]
+
+[[package]]
+name = "objc2-io-surface"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7282e9ac92529fa3457ce90ebb15f4ecbc383e8338060960760fa2cf75420c3c"
+dependencies = [
+ "bitflags 2.9.1",
+ "objc2",
+ "objc2-core-foundation",
 ]
 
 [[package]]
@@ -3340,6 +3465,27 @@ dependencies = [
  "portable-atomic",
 ]
 
+[[package]]
+name = "portable-pty"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b4a596a2b3d2752d94f51fac2d4a96737b8705dddd311a32b9af47211f08671e"
+dependencies = [
+ "anyhow",
+ "bitflags 1.3.2",
+ "downcast-rs",
+ "filedescriptor",
+ "lazy_static",
+ "libc",
+ "log",
+ "nix",
+ "serial2",
+ "shared_library",
+ "shell-words",
+ "winapi",
+ "winreg",
+]
+
 [[package]]
 name = "potential_utf"
 version = "0.1.2"
@@ -3789,9 +3935,9 @@ checksum = "ba39f3699c378cd8970968dcbff9c43159ea4cfbd88d43c00b22f2ef10a435d2"
 
 [[package]]
 name = "reqwest"
-version = "0.12.22"
+version = "0.12.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cbc931937e6ca3a06e3b6c0aa7841849b160a90351d6ab467a8b9b9959767531"
+checksum = "d429f34c8092b2d42c7c93cec323bb4adeb7c67698f70839adec842ec10c7ceb"
 dependencies = [
  "base64 0.22.1",
  "bytes",
@@ -4183,9 +4329,9 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.142"
+version = "1.0.143"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "030fedb782600dcbd6f02d479bf0d817ac3bb40d644745b769d6a96bc3afc5a7"
+checksum = "d401abef1d108fbd9cbaebc3e46611f4b1021f714a0597a71f41ee463f5f4a5a"
 dependencies = [
  "indexmap 2.10.0",
  "itoa",
@@ -4267,6 +4413,17 @@ dependencies = [
  "syn 2.0.104",
 ]
 
+[[package]]
+name = "serial2"
+version = "0.2.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "26e1e5956803a69ddd72ce2de337b577898801528749565def03515f82bad5bb"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "winapi",
+]
+
 [[package]]
 name = "sha1"
 version = "0.10.6"
@@ -4298,6 +4455,22 @@ dependencies = [
  "lazy_static",
 ]
 
+[[package]]
+name = "shared_library"
+version = "0.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a9e7e0f2bfae24d8a5b5a66c5b257a83c7412304311512a0c054cd5e619da11"
+dependencies = [
+ "lazy_static",
+ "libc",
+]
+
+[[package]]
+name = "shell-words"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "24188a676b6ae68c3b2cb3a01be17fbf7240ce009799bb56d5b1409051e78fde"
+
 [[package]]
 name = "shlex"
 version = "1.3.0"
@@ -5027,9 +5200,9 @@ dependencies = [
 
 [[package]]
 name = "toml_edit"
-version = "0.23.3"
+version = "0.23.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "17d3b47e6b7a040216ae5302712c94d1cf88c95b47efa80e2c59ce96c878267e"
+checksum = "7211ff1b8f0d3adae1663b7da9ffe396eabe1ca25f0b0bee42b0da29a9ddce93"
 dependencies = [
  "indexmap 2.10.0",
  "toml_datetime 0.7.0",
@@ -5597,12 +5770,24 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a751b3277700db47d3e574514de2eced5e54dc8a5436a3bf7a0b248b2cee16f3"
 
 [[package]]
-name = "whoami"
-version = "1.6.0"
+name = "which"
+version = "6.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6994d13118ab492c3c80c1f81928718159254c53c472bf9ce36f8dae4add02a7"
+checksum = "b4ee928febd44d98f2f459a4a79bd4d928591333a494a10a868418ac1b39cf1f"
 dependencies = [
- "redox_syscall",
+ "either",
+ "home",
+ "rustix 0.38.44",
+ "winsafe",
+]
+
+[[package]]
+name = "whoami"
+version = "1.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d4a4db5077702ca3015d3d02d74974948aba2ad9e12ab7df718ee64ccd7e97d"
+dependencies = [
+ "libredox",
  "wasite",
  "web-sys",
 ]
@@ -5829,6 +6014,21 @@ dependencies = [
  "windows_x86_64_msvc 0.42.2",
 ]
 
+[[package]]
+name = "windows-targets"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c"
+dependencies = [
+ "windows_aarch64_gnullvm 0.48.5",
+ "windows_aarch64_msvc 0.48.5",
+ "windows_i686_gnu 0.48.5",
+ "windows_i686_msvc 0.48.5",
+ "windows_x86_64_gnu 0.48.5",
+ "windows_x86_64_gnullvm 0.48.5",
+ "windows_x86_64_msvc 0.48.5",
+]
+
 [[package]]
 name = "windows-targets"
 version = "0.52.6"
@@ -5867,6 +6067,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8"
 
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8"
+
 [[package]]
 name = "windows_aarch64_gnullvm"
 version = "0.52.6"
@@ -5885,6 +6091,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43"
 
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc"
+
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.52.6"
@@ -5903,6 +6115,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f"
 
+[[package]]
+name = "windows_i686_gnu"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e"
+
 [[package]]
 name = "windows_i686_gnu"
 version = "0.52.6"
@@ -5933,6 +6151,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060"
 
+[[package]]
+name = "windows_i686_msvc"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406"
+
 [[package]]
 name = "windows_i686_msvc"
 version = "0.52.6"
@@ -5951,6 +6175,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36"
 
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e"
+
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.52.6"
@@ -5969,6 +6199,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3"
 
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc"
+
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.52.6"
@@ -5987,6 +6223,12 @@ version = "0.42.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0"
 
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538"
+
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.52.6"
@@ -6008,6 +6250,21 @@ dependencies = [
  "memchr",
 ]
 
+[[package]]
+name = "winreg"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "80d0f4e272c85def139476380b12f9ac60926689dd2e01d4923222f40580869d"
+dependencies = [
+ "winapi",
+]
+
+[[package]]
+name = "winsafe"
+version = "0.0.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d135d17ab770252ad95e9a872d365cf3090e3be864a34ab46f48555993efc904"
+
 [[package]]
 name = "wiremock"
 version = "0.6.4"
@@ -6047,6 +6304,23 @@ version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ea2f10b9bb0928dfb1b42b65e1f9e36f7f54dbdf08457afefb38afcdec4fa2bb"
 
+[[package]]
+name = "x11rb"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d91ffca73ee7f68ce055750bf9f6eca0780b8c85eff9bc046a3b0da41755e12"
+dependencies = [
+ "gethostname",
+ "rustix 0.38.44",
+ "x11rb-protocol",
+]
+
+[[package]]
+name = "x11rb-protocol"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec107c4503ea0b4a98ef47356329af139c0a4f7750e621cf2973cd3385ebcb3d"
+
 [[package]]
 name = "yaml-rust"
 version = "0.4.5"

codex-rs/README.md

@@ -43,6 +43,12 @@ To run Codex non-interactively, run `codex exec PROMPT` (you can also pass the p
 
 Typing `@` triggers a fuzzy-filename search over the workspace root. Use up/down to select among the results and Tab or Enter to replace the `@` with the selected path. You can use Esc to cancel the search.
 
+### Esc–Esc to edit a previous message
+
+When the chat composer is empty, press Esc to prime “backtrack” mode. Press Esc again to open a transcript preview highlighting the last user message; press Esc repeatedly to step to older user messages. Press Enter to confirm and Codex will fork the conversation from that point, trim the visible transcript accordingly, and pre‑fill the composer with the selected user message so you can edit and resubmit it.
+
+In the transcript preview, the footer shows an `Esc edit prev` hint while editing is active.
+
 ### `--cd`/`-C` flag
 
 Sometimes it is not convenient to `cd` to the directory you want Codex to use as the "working root" before running Codex. Fortunately, `codex` supports a `--cd` option so you can specify whatever folder you want. You can confirm that Codex is honoring `--cd` by double-checking the **workdir** it reports in the TUI at the start of a new session.

codex-rs/apply-patch/Cargo.toml

@@ -7,6 +7,10 @@ version = { workspace = true }
 name = "codex_apply_patch"
 path = "src/lib.rs"
 
+[[bin]]
+name = "apply_patch"
+path = "src/main.rs"
+
 [lints]
 workspace = true
 
@@ -18,5 +22,6 @@ tree-sitter = "0.25.8"
 tree-sitter-bash = "0.25.0"
 
 [dev-dependencies]
+assert_cmd = "2"
 pretty_assertions = "1.4.1"
 tempfile = "3.13.0"

codex-rs/apply-patch/apply_patch_tool_instructions.md

@@ -1,17 +1,23 @@
-To edit files, ALWAYS use the `shell` tool with `apply_patch` CLI.  `apply_patch` effectively allows you to execute a diff/patch against a file, but the format of the diff specification is unique to this task, so pay careful attention to these instructions. To use the `apply_patch` CLI, you should call the shell tool with the following structure:
+## `apply_patch`
 
-```bash
-{"cmd": ["apply_patch", "<<'EOF'\\n*** Begin Patch\\n[YOUR_PATCH]\\n*** End Patch\\nEOF\\n"], "workdir": "..."}
-```
+Use the `apply_patch` shell command to edit files.
+Your patch language is a stripped‑down, file‑oriented diff format designed to be easy to parse and safe to apply. You can think of it as a high‑level envelope:
 
-Where [YOUR_PATCH] is the actual content of your patch, specified in the following V4A diff format.
+*** Begin Patch
+[ one or more file sections ]
+*** End Patch
 
-*** [ACTION] File: [path/to/file] -> ACTION can be one of Add, Update, or Delete.
-For each snippet of code that needs to be changed, repeat the following:
-[context_before] -> See below for further instructions on context.
-- [old_code] -> Precede the old code with a minus sign.
-+ [new_code] -> Precede the new, replacement code with a plus sign.
-[context_after] -> See below for further instructions on context.
+Within that envelope, you get a sequence of file operations.
+You MUST include a header to specify the action you are taking.
+Each operation starts with one of three headers:
+
+*** Add File: <path> - create a new file. Every following line is a + line (the initial contents).
+*** Delete File: <path> - remove an existing file. Nothing follows.
+*** Update File: <path> - patch an existing file in place (optionally with a rename).
+
+May be immediately followed by *** Move to: <new path> if you want to rename the file.
+Then one or more “hunks”, each introduced by @@ (optionally followed by a hunk header).
+Within a hunk each line starts with:
 
 For instructions on [context_before] and [context_after]:
 - By default, show 3 lines of code immediately above and 3 lines immediately below each change. If a change is within 3 lines of a previous change, do NOT duplicate the first change’s [context_after] lines in the second change’s [context_before] lines.
@@ -25,16 +31,45 @@ For instructions on [context_before] and [context_after]:
 - If a code block is repeated so many times in a class or function such that even a single `@@` statement and 3 lines of context cannot uniquely identify the snippet of code, you can use multiple `@@` statements to jump to the right context. For instance:
 
 @@ class BaseClass
-@@ 	def method():
+@@ 	 def method():
 [3 lines of pre-context]
 - [old_code]
 + [new_code]
 [3 lines of post-context]
 
-Note, then, that we do not use line numbers in this diff format, as the context is enough to uniquely identify code. An example of a message that you might pass as "input" to this function, in order to apply a patch, is shown below.
+The full grammar definition is below:
+Patch := Begin { FileOp } End
+Begin := "*** Begin Patch" NEWLINE
+End := "*** End Patch" NEWLINE
+FileOp := AddFile | DeleteFile | UpdateFile
+AddFile := "*** Add File: " path NEWLINE { "+" line NEWLINE }
+DeleteFile := "*** Delete File: " path NEWLINE
+UpdateFile := "*** Update File: " path NEWLINE [ MoveTo ] { Hunk }
+MoveTo := "*** Move to: " newPath NEWLINE
+Hunk := "@@" [ header ] NEWLINE { HunkLine } [ "*** End of File" NEWLINE ]
+HunkLine := (" " | "-" | "+") text NEWLINE
+
+A full patch can combine several operations:
+
+*** Begin Patch
+*** Add File: hello.txt
++Hello world
+*** Update File: src/app.py
+*** Move to: src/main.py
+@@ def greet():
+-print("Hi")
++print("Hello, world!")
+*** Delete File: obsolete.txt
+*** End Patch
+
+It is important to remember:
+
+- You must include a header with your intended action (Add/Delete/Update)
+- You must prefix new lines with `+` even when creating a new file
+- File references can only be relative, NEVER ABSOLUTE.
+
+You can invoke apply_patch like:
 
-```bash
-{"cmd": ["apply_patch", "<<'EOF'\\n*** Begin Patch\\n*** Update File: pygorithm/searching/binary_search.py\\n@@ class BaseClass\\n@@     def search():\\n-        pass\\n+        raise NotImplementedError()\\n@@ class Subclass\\n@@     def search():\\n-        pass\\n+        raise NotImplementedError()\\n*** End Patch\\nEOF\\n"], "workdir": "..."}
 ```
-
-File references can only be relative, NEVER ABSOLUTE. After the apply_patch command is run, it will always say "Done!", regardless of whether the patch was successfully applied or not. However, you can determine if there are issue and errors by looking at any warnings or logging lines printed BEFORE the "Done!" is output.
+shell {"command":["apply_patch","*** Begin Patch\n*** Add File: hello.txt\n+Hello, world!\n*** End Patch\n"]}
+```

codex-rs/apply-patch/src/lib.rs

@@ -1,5 +1,6 @@
 mod parser;
 mod seek_sequence;
+mod standalone_executable;
 
 use std::collections::HashMap;
 use std::path::Path;
@@ -19,9 +20,13 @@ use tree_sitter::LanguageError;
 use tree_sitter::Parser;
 use tree_sitter_bash::LANGUAGE as BASH;
 
+pub use standalone_executable::main;
+
 /// Detailed instructions for gpt-4.1 on how to use the `apply_patch` tool.
 pub const APPLY_PATCH_TOOL_INSTRUCTIONS: &str = include_str!("../apply_patch_tool_instructions.md");
 
+const APPLY_PATCH_COMMANDS: [&str; 2] = ["apply_patch", "applypatch"];
+
 #[derive(Debug, Error, PartialEq)]
 pub enum ApplyPatchError {
     #[error(transparent)]
@@ -82,7 +87,6 @@ pub struct ApplyPatchArgs {
 }
 
 pub fn maybe_parse_apply_patch(argv: &[String]) -> MaybeApplyPatch {
-    const APPLY_PATCH_COMMANDS: [&str; 2] = ["apply_patch", "applypatch"];
     match argv {
         [cmd, body] if APPLY_PATCH_COMMANDS.contains(&cmd.as_str()) => match parse_patch(body) {
             Ok(source) => MaybeApplyPatch::Body(source),
@@ -91,7 +95,9 @@ pub fn maybe_parse_apply_patch(argv: &[String]) -> MaybeApplyPatch {
         [bash, flag, script]
             if bash == "bash"
                 && flag == "-lc"
-                && script.trim_start().starts_with("apply_patch") =>
+                && APPLY_PATCH_COMMANDS
+                    .iter()
+                    .any(|cmd| script.trim_start().starts_with(cmd)) =>
         {
             match extract_heredoc_body_from_apply_patch_command(script) {
                 Ok(body) => match parse_patch(&body) {
@@ -262,7 +268,10 @@ pub fn maybe_parse_apply_patch_verified(argv: &[String], cwd: &Path) -> MaybeApp
 fn extract_heredoc_body_from_apply_patch_command(
     src: &str,
 ) -> std::result::Result<String, ExtractHeredocError> {
-    if !src.trim_start().starts_with("apply_patch") {
+    if !APPLY_PATCH_COMMANDS
+        .iter()
+        .any(|cmd| src.trim_start().starts_with(cmd))
+    {
         return Err(ExtractHeredocError::CommandDidNotStartWithApplyPatch);
     }
 
@@ -773,6 +782,33 @@ PATCH"#,
         }
     }
 
+    #[test]
+    fn test_heredoc_applypatch() {
+        let args = strs_to_strings(&[
+            "bash",
+            "-lc",
+            r#"applypatch <<'PATCH'
+*** Begin Patch
+*** Add File: foo
++hi
+*** End Patch
+PATCH"#,
+        ]);
+
+        match maybe_parse_apply_patch(&args) {
+            MaybeApplyPatch::Body(ApplyPatchArgs { hunks, patch: _ }) => {
+                assert_eq!(
+                    hunks,
+                    vec![Hunk::AddFile {
+                        path: PathBuf::from("foo"),
+                        contents: "hi\n".to_string()
+                    }]
+                );
+            }
+            result => panic!("expected MaybeApplyPatch::Body got {result:?}"),
+        }
+    }
+
     #[test]
     fn test_add_file_hunk_creates_file_with_contents() {
         let dir = tempdir().unwrap();

codex-rs/apply-patch/src/main.rs

@@ -0,0 +1,3 @@
+pub fn main() -> ! {
+    codex_apply_patch::main()
+}

codex-rs/apply-patch/src/standalone_executable.rs

@@ -0,0 +1,59 @@
+use std::io::Read;
+use std::io::Write;
+
+pub fn main() -> ! {
+    let exit_code = run_main();
+    std::process::exit(exit_code);
+}
+
+/// We would prefer to return `std::process::ExitCode`, but its `exit_process()`
+/// method is still a nightly API and we want main() to return !.
+pub fn run_main() -> i32 {
+    // Expect either one argument (the full apply_patch payload) or read it from stdin.
+    let mut args = std::env::args_os();
+    let _argv0 = args.next();
+
+    let patch_arg = match args.next() {
+        Some(arg) => match arg.into_string() {
+            Ok(s) => s,
+            Err(_) => {
+                eprintln!("Error: apply_patch requires a UTF-8 PATCH argument.");
+                return 1;
+            }
+        },
+        None => {
+            // No argument provided; attempt to read the patch from stdin.
+            let mut buf = String::new();
+            match std::io::stdin().read_to_string(&mut buf) {
+                Ok(_) => {
+                    if buf.is_empty() {
+                        eprintln!("Usage: apply_patch 'PATCH'\n       echo 'PATCH' | apply-patch");
+                        return 2;
+                    }
+                    buf
+                }
+                Err(err) => {
+                    eprintln!("Error: Failed to read PATCH from stdin.\n{err}");
+                    return 1;
+                }
+            }
+        }
+    };
+
+    // Refuse extra args to avoid ambiguity.
+    if args.next().is_some() {
+        eprintln!("Error: apply_patch accepts exactly one argument.");
+        return 2;
+    }
+
+    let mut stdout = std::io::stdout();
+    let mut stderr = std::io::stderr();
+    match crate::apply_patch(&patch_arg, &mut stdout, &mut stderr) {
+        Ok(()) => {
+            // Flush to ensure output ordering when used in pipelines.
+            let _ = stdout.flush();
+            0
+        }
+        Err(_) => 1,
+    }
+}

codex-rs/apply-patch/tests/all.rs

@@ -0,0 +1,3 @@
+// Single integration test binary that aggregates all test modules.
+// The submodules live in `tests/suite/`.
+mod suite;

codex-rs/apply-patch/tests/suite/cli.rs

@@ -0,0 +1,90 @@
+use assert_cmd::prelude::*;
+use std::fs;
+use std::process::Command;
+use tempfile::tempdir;
+
+#[test]
+fn test_apply_patch_cli_add_and_update() -> anyhow::Result<()> {
+    let tmp = tempdir()?;
+    let file = "cli_test.txt";
+    let absolute_path = tmp.path().join(file);
+
+    // 1) Add a file
+    let add_patch = format!(
+        r#"*** Begin Patch
+*** Add File: {file}
++hello
+*** End Patch"#
+    );
+    Command::cargo_bin("apply_patch")
+        .expect("should find apply_patch binary")
+        .arg(add_patch)
+        .current_dir(tmp.path())
+        .assert()
+        .success()
+        .stdout(format!("Success. Updated the following files:\nA {file}\n"));
+    assert_eq!(fs::read_to_string(&absolute_path)?, "hello\n");
+
+    // 2) Update the file
+    let update_patch = format!(
+        r#"*** Begin Patch
+*** Update File: {file}
+@@
+-hello
++world
+*** End Patch"#
+    );
+    Command::cargo_bin("apply_patch")
+        .expect("should find apply_patch binary")
+        .arg(update_patch)
+        .current_dir(tmp.path())
+        .assert()
+        .success()
+        .stdout(format!("Success. Updated the following files:\nM {file}\n"));
+    assert_eq!(fs::read_to_string(&absolute_path)?, "world\n");
+
+    Ok(())
+}
+
+#[test]
+fn test_apply_patch_cli_stdin_add_and_update() -> anyhow::Result<()> {
+    let tmp = tempdir()?;
+    let file = "cli_test_stdin.txt";
+    let absolute_path = tmp.path().join(file);
+
+    // 1) Add a file via stdin
+    let add_patch = format!(
+        r#"*** Begin Patch
+*** Add File: {file}
++hello
+*** End Patch"#
+    );
+    let mut cmd =
+        assert_cmd::Command::cargo_bin("apply_patch").expect("should find apply_patch binary");
+    cmd.current_dir(tmp.path());
+    cmd.write_stdin(add_patch)
+        .assert()
+        .success()
+        .stdout(format!("Success. Updated the following files:\nA {file}\n"));
+    assert_eq!(fs::read_to_string(&absolute_path)?, "hello\n");
+
+    // 2) Update the file via stdin
+    let update_patch = format!(
+        r#"*** Begin Patch
+*** Update File: {file}
+@@
+-hello
++world
+*** End Patch"#
+    );
+    let mut cmd =
+        assert_cmd::Command::cargo_bin("apply_patch").expect("should find apply_patch binary");
+    cmd.current_dir(tmp.path());
+    cmd.write_stdin(update_patch)
+        .assert()
+        .success()
+        .stdout(format!("Success. Updated the following files:\nM {file}\n"));
+    assert_eq!(fs::read_to_string(&absolute_path)?, "world\n");
+
+    Ok(())
+}

codex-rs/apply-patch/tests/suite/mod.rs

@@ -0,0 +1 @@
+mod cli;

codex-rs/arg0/Cargo.toml

@@ -16,4 +16,5 @@ codex-apply-patch = { path = "../apply-patch" }
 codex-core = { path = "../core" }
 codex-linux-sandbox = { path = "../linux-sandbox" }
 dotenvy = "0.15.7"
+tempfile = "3"
 tokio = { version = "1", features = ["rt-multi-thread"] }

codex-rs/arg0/src/lib.rs

@@ -3,6 +3,13 @@ use std::path::Path;
 use std::path::PathBuf;
 
 use codex_core::CODEX_APPLY_PATCH_ARG1;
+#[cfg(unix)]
+use std::os::unix::fs::symlink;
+use tempfile::TempDir;
+
+const LINUX_SANDBOX_ARG0: &str = "codex-linux-sandbox";
+const APPLY_PATCH_ARG0: &str = "apply_patch";
+const MISSPELLED_APPLY_PATCH_ARG0: &str = "applypatch";
 
 /// While we want to deploy the Codex CLI as a single executable for simplicity,
 /// we also want to expose some of its functionality as distinct CLIs, so we use
@@ -39,9 +46,11 @@ where
         .and_then(|s| s.to_str())
         .unwrap_or("");
 
-    if exe_name == "codex-linux-sandbox" {
+    if exe_name == LINUX_SANDBOX_ARG0 {
         // Safety: [`run_main`] never returns.
         codex_linux_sandbox::run_main();
+    } else if exe_name == APPLY_PATCH_ARG0 || exe_name == MISSPELLED_APPLY_PATCH_ARG0 {
+        codex_apply_patch::main();
     }
 
     let argv1 = args.next().unwrap_or_default();
@@ -68,6 +77,19 @@ where
     // before creating any threads/the Tokio runtime.
     load_dotenv();
 
+    // Retain the TempDir so it exists for the lifetime of the invocation of
+    // this executable. Admittedly, we could invoke `keep()` on it, but it
+    // would be nice to avoid leaving temporary directories behind, if possible.
+    let _path_entry = match prepend_path_entry_for_apply_patch() {
+        Ok(path_entry) => Some(path_entry),
+        Err(err) => {
+            // It is possible that Codex will proceed successfully even if
+            // updating the PATH fails, so warn the user and move on.
+            eprintln!("WARNING: proceeding, even though we could not update PATH: {err}");
+            None
+        }
+    };
+
     // Regular invocation – create a Tokio runtime and execute the provided
     // async entry-point.
     let runtime = tokio::runtime::Runtime::new()?;
@@ -113,3 +135,67 @@ where
         }
     }
 }
+
+/// Creates a temporary directory with either:
+///
+/// - UNIX: `apply_patch` symlink to the current executable
+/// - WINDOWS: `apply_patch.bat` batch script to invoke the current executable
+///   with the "secret" --codex-run-as-apply-patch flag.
+///
+/// This temporary directory is prepended to the PATH environment variable so
+/// that `apply_patch` can be on the PATH without requiring the user to
+/// install a separate `apply_patch` executable, simplifying the deployment of
+/// Codex CLI.
+///
+/// IMPORTANT: This function modifies the PATH environment variable, so it MUST
+/// be called before multiple threads are spawned.
+fn prepend_path_entry_for_apply_patch() -> std::io::Result<TempDir> {
+    let temp_dir = TempDir::new()?;
+    let path = temp_dir.path();
+
+    for filename in &[APPLY_PATCH_ARG0, MISSPELLED_APPLY_PATCH_ARG0] {
+        let exe = std::env::current_exe()?;
+
+        #[cfg(unix)]
+        {
+            let link = path.join(filename);
+            symlink(&exe, &link)?;
+        }
+
+        #[cfg(windows)]
+        {
+            let batch_script = path.join(format!("{filename}.bat"));
+            std::fs::write(
+                &batch_script,
+                format!(
+                    r#"@echo off
+"{}" {CODEX_APPLY_PATCH_ARG1} %*
+"#,
+                    exe.display()
+                ),
+            )?;
+        }
+    }
+
+    #[cfg(unix)]
+    const PATH_SEPARATOR: &str = ":";
+
+    #[cfg(windows)]
+    const PATH_SEPARATOR: &str = ";";
+
+    let path_element = path.display();
+    let updated_path_env_var = match std::env::var("PATH") {
+        Ok(existing_path) => {
+            format!("{path_element}{PATH_SEPARATOR}{existing_path}")
+        }
+        Err(_) => {
+            format!("{path_element}")
+        }
+    };
+
+    unsafe {
+        std::env::set_var("PATH", updated_path_env_var);
+    }
+
+    Ok(temp_dir)
+}

codex-rs/chatgpt/tests/all.rs

@@ -0,0 +1,3 @@
+// Single integration test binary that aggregates all test modules.
+// The submodules live in `tests/suite/`.
+mod suite;

codex-rs/chatgpt/tests/suite/mod.rs

@@ -0,0 +1,2 @@
+// Aggregates all former standalone integration tests as modules.
+mod apply_command_e2e;

codex-rs/cli/Cargo.toml

@@ -28,6 +28,9 @@ codex-mcp-server = { path = "../mcp-server" }
 codex-protocol = { path = "../protocol" }
 codex-tui = { path = "../tui" }
 serde_json = "1"
+toml = "0.9.5"
+toml_edit = "0.23.4"
+tempfile = "3"
 tokio = { version = "1", features = [
     "io-std",
     "macros",
@@ -38,3 +41,6 @@ tokio = { version = "1", features = [
 tracing = "0.1.41"
 tracing-subscriber = "0.3.19"
 codex-protocol-ts = { path = "../protocol-ts" }
+
+[dev-dependencies]
+assert_cmd = "2"

codex-rs/cli/src/lib.rs

@@ -1,6 +1,7 @@
 pub mod debug_sandbox;
 mod exit_status;
 pub mod login;
+pub mod mcp_cmd;
 pub mod proto;
 
 use clap::Parser;

codex-rs/cli/src/main.rs

@@ -11,6 +11,8 @@ use codex_cli::login::run_login_status;
 use codex_cli::login::run_login_with_api_key;
 use codex_cli::login::run_login_with_chatgpt;
 use codex_cli::login::run_logout;
+use codex_cli::mcp_cmd;
+use codex_cli::mcp_cmd::McpCli;
 use codex_cli::proto;
 use codex_common::CliConfigOverrides;
 use codex_exec::Cli as ExecCli;
@@ -56,8 +58,8 @@ enum Subcommand {
     /// Remove stored authentication credentials.
     Logout(LogoutCommand),
 
-    /// Experimental: run Codex as an MCP server.
-    Mcp,
+    /// Experimental: run Codex as an MCP server and manage MCP config.
+    Mcp(McpCli),
 
     /// Run the Protocol stream via stdin/stdout
     #[clap(visible_alias = "p")]
@@ -158,8 +160,9 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
             prepend_config_flags(&mut exec_cli.config_overrides, cli.config_overrides);
             codex_exec::run_main(exec_cli, codex_linux_sandbox_exe).await?;
         }
-        Some(Subcommand::Mcp) => {
-            codex_mcp_server::run_main(codex_linux_sandbox_exe).await?;
+        Some(Subcommand::Mcp(mut mcp_cli)) => {
+            prepend_config_flags(&mut mcp_cli.config_overrides, cli.config_overrides);
+            mcp_cmd::run_main(mcp_cli, codex_linux_sandbox_exe).await?;
         }
         Some(Subcommand::Login(mut login_cli)) => {
             prepend_config_flags(&mut login_cli.config_overrides, cli.config_overrides);

codex-rs/cli/src/mcp_cmd.rs

@@ -0,0 +1,641 @@
+use std::collections::BTreeSet;
+use std::collections::HashMap;
+use std::path::PathBuf;
+
+use anyhow::Result;
+use clap::Parser;
+use codex_common::CliConfigOverrides;
+use codex_core::config::find_codex_home;
+use codex_core::config::load_config_as_toml_with_cli_overrides;
+use codex_core::config_types::McpServerConfig;
+use codex_core::git_info::resolve_root_git_project_for_trust;
+use codex_core::mcp_toml::McpToml;
+use codex_core::mcp_toml::McpTomlEntry;
+use codex_core::mcp_toml::load_project_overlays;
+use codex_core::mcp_toml::to_mcp_server_config;
+use serde_json::json;
+use tempfile as _;
+use toml::Value as TomlValue;
+use toml_edit as _; // ensure dependency is linked
+
+#[derive(Debug, Parser)]
+#[command(
+    about = "Manage MCP servers and run Codex as an MCP server",
+    long_about = "Manage Model Context Protocol (MCP) servers configured for Codex.\n\nUse subcommands to add, import, list, inspect, or remove servers.\nIf no subcommand is provided, this runs the built-in MCP server (back-compat).",
+    after_help = "Examples:\n  # Add a local stdio server (everything after -- is the server command)\n  codex mcp add airtable --env AIRTABLE_API_KEY=YOUR_KEY -- npx -y airtable-mcp-server\n\n  # Import multiple servers from a TOML file into project scope\n  codex mcp add-toml --scope project ./mcp.toml\n\n  # List configured servers (merged view with precedence local > project > user)\n  codex mcp list --json\n\n  # Show details for a specific server\n  codex mcp get airtable --json\n\n  # Remove a server from the user scope\n  codex mcp remove airtable --scope user\n\n  # Remove a server from all scopes\n  codex mcp remove airtable --all\n\n  # Windows: wrap npx with cmd /c\n  codex mcp add my-svc -- cmd /c npx -y @some/package"
+)]
+pub struct McpCli {
+    #[clap(skip)]
+    pub config_overrides: CliConfigOverrides,
+
+    #[command(subcommand)]
+    pub cmd: Option<McpSub>,
+}
+
+#[derive(Debug, clap::Subcommand)]
+pub enum McpSub {
+    /// Run Codex as an MCP server (back-compat: `codex mcp`).
+    Serve,
+    /// List configured MCP servers (merged view).
+    List {
+        #[arg(long)]
+        json: bool,
+    },
+    /// Get details for a specific server name (merged view).
+    Get {
+        name: String,
+        #[arg(long)]
+        json: bool,
+    },
+    /// Add an MCP stdio server entry to a given scope.
+    Add(AddArgs),
+    /// Remove an MCP server entry from a given scope or all scopes.
+    Remove(RemoveArgs),
+    /// Import one or more MCP servers from a TOML file with a [mcp_servers] table.
+    AddToml(AddTomlArgs),
+}
+
+pub async fn run_main(mcp_cli: McpCli, codex_linux_sandbox_exe: Option<PathBuf>) -> Result<()> {
+    match mcp_cli.cmd.unwrap_or(McpSub::Serve) {
+        McpSub::Serve => {
+            // Preserve the historical `codex mcp` behavior.
+            codex_mcp_server::run_main(codex_linux_sandbox_exe, mcp_cli.config_overrides).await?
+        }
+        McpSub::List { json } => {
+            list_servers(mcp_cli.config_overrides, json)?;
+        }
+        McpSub::Get { name, json } => {
+            get_server(mcp_cli.config_overrides, &name, json)?;
+        }
+        McpSub::Add(args) => {
+            add_server(mcp_cli.config_overrides, args)?;
+        }
+        McpSub::Remove(args) => {
+            remove_server(mcp_cli.config_overrides, args)?;
+        }
+        McpSub::AddToml(args) => {
+            add_toml(mcp_cli.config_overrides, args)?;
+        }
+    }
+    Ok(())
+}
+
+fn parse_cli_overrides(overrides: CliConfigOverrides) -> Vec<(String, TomlValue)> {
+    overrides.parse_overrides().unwrap_or_default()
+}
+
+fn load_user_project_local_maps(
+    cli_overrides: CliConfigOverrides,
+) -> Result<(
+    HashMap<String, McpServerConfig>,
+    HashMap<String, McpServerConfig>,
+    HashMap<String, McpServerConfig>,
+)> {
+    // User map via `~/.codex/config.toml` (+ -c overrides)
+    let codex_home = find_codex_home()?;
+    let user_cfg =
+        load_config_as_toml_with_cli_overrides(&codex_home, parse_cli_overrides(cli_overrides))?;
+    let mut user_map = user_cfg.mcp_servers;
+
+    // Project/local overlays via current project root
+    let cwd = std::env::current_dir()?;
+    let project_root = resolve_root_git_project_for_trust(&cwd).unwrap_or(cwd);
+    let overlays = load_project_overlays(&project_root)?;
+
+    let mut project_map = HashMap::new();
+    let mut local_map = HashMap::new();
+    for (scope, overlay) in overlays {
+        for (name, entry) in overlay.mcp_servers.into_iter() {
+            // Convert permissive overlay entry → strict config, expanding env vars.
+            if let Ok(cfg) = to_mcp_server_config(&entry, |k| std::env::var(k).ok()) {
+                match scope {
+                    codex_core::mcp_toml::Scope::Project => {
+                        project_map.insert(name, cfg);
+                    }
+                    codex_core::mcp_toml::Scope::Local => {
+                        local_map.insert(name, cfg);
+                    }
+                    codex_core::mcp_toml::Scope::User => {
+                        user_map.insert(name, cfg);
+                    }
+                }
+            }
+        }
+    }
+
+    Ok((user_map, project_map, local_map))
+}
+
+fn list_servers(cli_overrides: CliConfigOverrides, json_out: bool) -> Result<()> {
+    let (user_map, project_map, local_map) = load_user_project_local_maps(cli_overrides)?;
+    let mut names: BTreeSet<String> = BTreeSet::new();
+    names.extend(user_map.keys().cloned());
+    names.extend(project_map.keys().cloned());
+    names.extend(local_map.keys().cloned());
+
+    if json_out {
+        let mut arr = Vec::new();
+        for name in names {
+            let (scope, cfg, shadowed_by) =
+                pick_with_scope(&name, &user_map, &project_map, &local_map);
+            arr.push(json!({
+                "name": name,
+                "scope": scope,
+                "config": cfg_to_json(cfg),
+                "shadowed_by": shadowed_by,
+            }));
+        }
+        println!("{}", serde_json::to_string_pretty(&arr)?);
+    } else {
+        for name in names {
+            let (scope, cfg, _) = pick_with_scope(&name, &user_map, &project_map, &local_map);
+            let args_preview = if cfg.args.is_empty() {
+                String::new()
+            } else {
+                format!(" {}", cfg.args.join(" "))
+            };
+            println!("{} [{}] -> {}{}", name, scope, cfg.command, args_preview);
+        }
+    }
+    Ok(())
+}
+
+fn get_server(cli_overrides: CliConfigOverrides, name: &str, json_out: bool) -> Result<()> {
+    let (user_map, project_map, local_map) = load_user_project_local_maps(cli_overrides)?;
+    if !user_map.contains_key(name)
+        && !project_map.contains_key(name)
+        && !local_map.contains_key(name)
+    {
+        anyhow::bail!("MCP server `{}` not found in any scope", name);
+    }
+    let (scope, cfg, shadowed_by) = pick_with_scope(name, &user_map, &project_map, &local_map);
+    if json_out {
+        let obj = json!({
+            "name": name,
+            "scope": scope,
+            "config": cfg_to_json(cfg),
+            "shadowed_by": shadowed_by,
+        });
+        println!("{}", serde_json::to_string_pretty(&obj)?);
+    } else {
+        let args_preview = if cfg.args.is_empty() {
+            String::new()
+        } else {
+            format!(" {}", cfg.args.join(" "))
+        };
+        println!("{} [{}] -> {}{}", name, scope, cfg.command, args_preview);
+    }
+    Ok(())
+}
+
+fn pick_with_scope<'a>(
+    name: &str,
+    user_map: &'a HashMap<String, McpServerConfig>,
+    project_map: &'a HashMap<String, McpServerConfig>,
+    local_map: &'a HashMap<String, McpServerConfig>,
+) -> (&'static str, &'a McpServerConfig, Vec<&'static str>) {
+    if let Some(cfg) = local_map.get(name) {
+        (
+            "local",
+            cfg,
+            vec![
+                if project_map.contains_key(name) {
+                    "project"
+                } else {
+                    ""
+                },
+                if user_map.contains_key(name) {
+                    "user"
+                } else {
+                    ""
+                },
+            ]
+            .into_iter()
+            .filter(|s| !s.is_empty())
+            .collect(),
+        )
+    } else if let Some(cfg) = project_map.get(name) {
+        (
+            "project",
+            cfg,
+            vec![if user_map.contains_key(name) {
+                "user"
+            } else {
+                ""
+            }]
+            .into_iter()
+            .filter(|s| !s.is_empty())
+            .collect(),
+        )
+    } else if let Some(cfg) = user_map.get(name) {
+        ("user", cfg, vec![])
+    } else {
+        // Should not occur because callers pre-check membership. Return a
+        // fallback to avoid panics in release builds.
+        let fallback = user_map
+            .iter()
+            .next()
+            .or_else(|| project_map.iter().next())
+            .or_else(|| local_map.iter().next());
+        let (k, v) = match fallback {
+            Some(kv) => kv,
+            None => panic!("internal error: no MCP server entries found across scopes"),
+        };
+        let _ = k; // suppress unused warning
+        ("user", v, vec![])
+    }
+}
+
+fn cfg_to_json(cfg: &McpServerConfig) -> serde_json::Value {
+    json!({
+        "command": cfg.command,
+        "args": cfg.args,
+        "env": cfg.env,
+    })
+}
+
+// ------------------------------
+// Add/remove writers
+// ------------------------------
+
+#[derive(Copy, Clone, Debug, clap::ValueEnum)]
+enum ScopeArg {
+    Local,
+    Project,
+    User,
+}
+
+#[derive(Debug, Parser)]
+pub struct AddArgs {
+    /// Unique server name (^[A-Za-z0-9_-]+$)
+    name: String,
+    /// Target scope
+    #[arg(long, value_enum, default_value_t = ScopeArg::Local)]
+    scope: ScopeArg,
+    /// Environment variables KEY=VALUE (repeatable)
+    #[arg(long = "env")]
+    env: Vec<String>,
+    /// Command and args to launch the MCP server (after `--`)
+    #[arg(trailing_var_arg = true)]
+    cmd: Vec<String>,
+}
+
+#[derive(Debug, Parser)]
+pub struct RemoveArgs {
+    /// Server name
+    name: String,
+    /// Scope to remove from; omit with --all to remove everywhere
+    #[arg(long, value_enum)]
+    scope: Option<ScopeArg>,
+    /// Remove from all scopes
+    #[arg(long)]
+    all: bool,
+}
+
+fn add_server(cli_overrides: CliConfigOverrides, args: AddArgs) -> Result<()> {
+    validate_server_name(&args.name)?;
+    if args.cmd.is_empty() {
+        anyhow::bail!(
+            "missing server command; use: codex mcp add <name> [--scope ...] [--env KEY=VALUE]... -- <command> [args...]"
+        );
+    }
+    let command = args.cmd[0].clone();
+    let cmd_args: Vec<String> = args.cmd.iter().skip(1).cloned().collect();
+    let env_map = parse_env_kv(args.env.iter())?;
+
+    let path = match args.scope {
+        ScopeArg::User => {
+            write_user_scope(&args.name, &command, &cmd_args, &env_map, cli_overrides)?
+        }
+        ScopeArg::Project => write_overlay_scope(&args.name, &command, &cmd_args, &env_map, false)?,
+        ScopeArg::Local => write_overlay_scope(&args.name, &command, &cmd_args, &env_map, true)?,
+    };
+    println!(
+        "Added MCP server '{}' (scope: {}) → wrote {}",
+        args.name,
+        match args.scope {
+            ScopeArg::Local => "local",
+            ScopeArg::Project => "project",
+            ScopeArg::User => "user",
+        },
+        path.display()
+    );
+    Ok(())
+}
+
+fn remove_server(cli_overrides: CliConfigOverrides, args: RemoveArgs) -> Result<()> {
+    if args.all && args.scope.is_some() {
+        anyhow::bail!("cannot use --scope with --all");
+    }
+
+    if args.all {
+        let u = remove_user_scope(&args.name, cli_overrides.clone())?;
+        if u.wrote {
+            println!("Removed '{}' → wrote {}", args.name, u.path.display());
+        }
+        let p = remove_overlay_scope(&args.name, false)?;
+        if p.wrote {
+            println!("Removed '{}' → wrote {}", args.name, p.path.display());
+        }
+        let l = remove_overlay_scope(&args.name, true)?;
+        if l.wrote {
+            println!("Removed '{}' → wrote {}", args.name, l.path.display());
+        }
+        return Ok(());
+    }
+
+    let outcome = match args.scope.unwrap_or(ScopeArg::Local) {
+        ScopeArg::User => remove_user_scope(&args.name, cli_overrides)?,
+        ScopeArg::Project => remove_overlay_scope(&args.name, false)?,
+        ScopeArg::Local => remove_overlay_scope(&args.name, true)?,
+    };
+    if outcome.wrote {
+        println!("Removed '{}' → wrote {}", args.name, outcome.path.display());
+    } else {
+        println!(
+            "No changes for '{}' at {}",
+            args.name,
+            outcome.path.display()
+        );
+    }
+    Ok(())
+}
+
+#[derive(Debug, Parser)]
+pub struct AddTomlArgs {
+    /// Path to a TOML file containing a [mcp_servers] table
+    path: PathBuf,
+    /// Target scope to import into
+    #[arg(long, value_enum, default_value_t = ScopeArg::Local)]
+    scope: ScopeArg,
+}
+
+fn add_toml(_cli_overrides: CliConfigOverrides, args: AddTomlArgs) -> Result<()> {
+    let contents = std::fs::read_to_string(&args.path)?;
+    let parsed: McpToml = toml::from_str(&contents)?;
+    let mut accepted: Vec<(String, McpTomlEntry)> = Vec::new();
+    let mut rejected: Vec<(String, String)> = Vec::new();
+    for (name, entry) in parsed.mcp_servers.into_iter() {
+        if let Some(t) = entry.r#type.as_deref()
+            && !t.eq_ignore_ascii_case("stdio")
+        {
+            rejected.push((name, format!("unsupported transport `{}`", t)));
+            continue;
+        }
+        if entry.command.is_none() {
+            rejected.push((name, "missing command".to_string()));
+            continue;
+        }
+        accepted.push((name, entry));
+    }
+
+    let path = match args.scope {
+        ScopeArg::User => write_user_batch(&accepted)?,
+        ScopeArg::Project => write_overlay_batch(&accepted, false)?,
+        ScopeArg::Local => write_overlay_batch(&accepted, true)?,
+    };
+    println!(
+        "Imported {} MCP server(s) into {}",
+        accepted.len(),
+        path.display()
+    );
+
+    if !rejected.is_empty() {
+        for (n, why) in rejected {
+            eprintln!("skipped `{}`: {}", n, why);
+        }
+    }
+    Ok(())
+}
+
+fn parse_env_kv<'a>(pairs: impl Iterator<Item = &'a String>) -> Result<HashMap<String, String>> {
+    let mut map = HashMap::new();
+    for p in pairs {
+        if let Some((k, v)) = p.split_once('=') {
+            if k.is_empty() {
+                anyhow::bail!("invalid --env '{}': empty key", p);
+            }
+            map.insert(k.to_string(), v.to_string());
+        } else {
+            anyhow::bail!("invalid --env '{}': expected KEY=VALUE", p);
+        }
+    }
+    Ok(map)
+}
+
+fn validate_server_name(name: &str) -> Result<()> {
+    let ok = !name.is_empty()
+        && name
+            .chars()
+            .all(|c| c.is_ascii_alphanumeric() || c == '_' || c == '-');
+    if ok {
+        Ok(())
+    } else {
+        anyhow::bail!(
+            "invalid server name '{}': must match ^[a-zA-Z0-9_-]+$",
+            name
+        )
+    }
+}
+
+fn resolve_codex_home_for_write() -> Result<PathBuf> {
+    if let Ok(val) = std::env::var("CODEX_HOME")
+        && !val.is_empty()
+    {
+        let p = PathBuf::from(val);
+        if !p.exists() {
+            std::fs::create_dir_all(&p)?;
+        }
+        return Ok(p.canonicalize().unwrap_or(p));
+    }
+    let p = find_codex_home()?;
+    if !p.exists() {
+        std::fs::create_dir_all(&p)?;
+    }
+    Ok(p)
+}
+
+fn write_user_scope(
+    name: &str,
+    command: &str,
+    args: &[String],
+    env_map: &HashMap<String, String>,
+    cli_overrides: CliConfigOverrides,
+) -> Result<PathBuf> {
+    let codex_home = resolve_codex_home_for_write()?;
+    let path = codex_home.join("config.toml");
+    let contents = std::fs::read_to_string(&path).unwrap_or_default();
+    let mut doc = contents
+        .parse::<toml_edit::DocumentMut>()
+        .unwrap_or_default();
+    upsert_mcp_entry(&mut doc, name, command, args, env_map);
+    write_doc_atomic(&doc, &path)?;
+    let _ = cli_overrides;
+    Ok(path)
+}
+
+fn write_overlay_scope(
+    name: &str,
+    command: &str,
+    args: &[String],
+    env_map: &HashMap<String, String>,
+    local: bool,
+) -> Result<PathBuf> {
+    let cwd = std::env::current_dir()?;
+    let project_root = resolve_root_git_project_for_trust(&cwd).unwrap_or(cwd);
+    let fname = if local {
+        ".mcp.local.toml"
+    } else {
+        ".mcp.toml"
+    };
+    let path = project_root.join(fname);
+    if let Some(parent) = path.parent() {
+        std::fs::create_dir_all(parent)?;
+    }
+    let contents = std::fs::read_to_string(&path).unwrap_or_default();
+    let mut doc = contents
+        .parse::<toml_edit::DocumentMut>()
+        .unwrap_or_default();
+    upsert_mcp_entry(&mut doc, name, command, args, env_map);
+    write_doc_atomic(&doc, &path)?;
+    Ok(path)
+}
+
+fn write_user_batch(entries: &[(String, McpTomlEntry)]) -> Result<PathBuf> {
+    let codex_home = resolve_codex_home_for_write()?;
+    let path = codex_home.join("config.toml");
+    let contents = std::fs::read_to_string(&path).unwrap_or_default();
+    let mut doc = contents
+        .parse::<toml_edit::DocumentMut>()
+        .unwrap_or_default();
+    for (name, entry) in entries {
+        let args = entry.args.clone();
+        let env_map = entry.env.clone();
+        let command = entry.command.clone().unwrap_or_default();
+        upsert_mcp_entry(&mut doc, name, &command, &args, &env_map);
+    }
+    write_doc_atomic(&doc, &path)?;
+    Ok(path)
+}
+
+fn write_overlay_batch(entries: &[(String, McpTomlEntry)], local: bool) -> Result<PathBuf> {
+    let cwd = std::env::current_dir()?;
+    let project_root = resolve_root_git_project_for_trust(&cwd).unwrap_or(cwd);
+    let fname = if local {
+        ".mcp.local.toml"
+    } else {
+        ".mcp.toml"
+    };
+    let path = project_root.join(fname);
+    if let Some(parent) = path.parent() {
+        std::fs::create_dir_all(parent)?;
+    }
+    let contents = std::fs::read_to_string(&path).unwrap_or_default();
+    let mut doc = contents
+        .parse::<toml_edit::DocumentMut>()
+        .unwrap_or_default();
+    for (name, entry) in entries {
+        let args = entry.args.clone();
+        let env_map = entry.env.clone();
+        let command = entry.command.clone().unwrap_or_default();
+        upsert_mcp_entry(&mut doc, name, &command, &args, &env_map);
+    }
+    write_doc_atomic(&doc, &path)?;
+    Ok(path)
+}
+
+struct RemoveOutcome {
+    path: PathBuf,
+    wrote: bool,
+}
+
+fn remove_user_scope(name: &str, _cli_overrides: CliConfigOverrides) -> Result<RemoveOutcome> {
+    let codex_home = resolve_codex_home_for_write()?;
+    let path = codex_home.join("config.toml");
+    if !path.exists() {
+        return Ok(RemoveOutcome { path, wrote: false });
+    }
+    let contents = std::fs::read_to_string(&path)?;
+    let mut doc = contents.parse::<toml_edit::DocumentMut>()?;
+    if let Some(tbl) = doc.get_mut("mcp_servers").and_then(|i| i.as_table_mut()) {
+        if tbl.remove(name).is_some() {
+            write_doc_atomic(&doc, &path)?;
+            return Ok(RemoveOutcome { path, wrote: true });
+        }
+    }
+    Ok(RemoveOutcome { path, wrote: false })
+}
+
+fn remove_overlay_scope(name: &str, local: bool) -> Result<RemoveOutcome> {
+    let cwd = std::env::current_dir()?;
+    let project_root = resolve_root_git_project_for_trust(&cwd).unwrap_or(cwd);
+    let fname = if local {
+        ".mcp.local.toml"
+    } else {
+        ".mcp.toml"
+    };
+    let path = project_root.join(fname);
+    if !path.exists() {
+        return Ok(RemoveOutcome { path, wrote: false });
+    }
+    let contents = std::fs::read_to_string(&path)?;
+    let mut doc = contents.parse::<toml_edit::DocumentMut>()?;
+    if let Some(tbl) = doc.get_mut("mcp_servers").and_then(|i| i.as_table_mut()) {
+        if tbl.remove(name).is_some() {
+            write_doc_atomic(&doc, &path)?;
+            return Ok(RemoveOutcome { path, wrote: true });
+        }
+    }
+    Ok(RemoveOutcome { path, wrote: false })
+}
+
+fn upsert_mcp_entry(
+    doc: &mut toml_edit::DocumentMut,
+    name: &str,
+    command: &str,
+    args: &[String],
+    env_map: &HashMap<String, String>,
+) {
+    if !doc.as_table().contains_key("mcp_servers") {
+        doc.insert("mcp_servers", toml_edit::table());
+    }
+    let tbl = doc["mcp_servers"].as_table_mut().expect("table");
+    tbl.set_implicit(false);
+
+    if !tbl.contains_key(name) {
+        tbl.insert(name, toml_edit::table());
+    }
+    let st = tbl[name].as_table_mut().expect("subtable");
+    st.set_implicit(false);
+
+    st["command"] = toml_edit::value(command);
+    let mut arr = toml_edit::Array::new();
+    for a in args {
+        arr.push(a.as_str());
+    }
+    st["args"] = toml_edit::Item::Value(toml_edit::Value::Array(arr));
+
+    if env_map.is_empty() {
+        if st.contains_key("env") {
+            st.remove("env");
+        }
+    } else {
+        let mut kv = toml_edit::InlineTable::new();
+        for (k, v) in env_map {
+            kv.get_or_insert(k, toml_edit::Value::from(v.as_str()));
+        }
+        st["env"] = toml_edit::Item::Value(toml_edit::Value::InlineTable(kv));
+    }
+}
+
+fn write_doc_atomic(doc: &toml_edit::DocumentMut, path: &PathBuf) -> Result<()> {
+    if let Some(parent) = path.parent() {
+        std::fs::create_dir_all(parent)?;
+    }
+    let tmp = tempfile::NamedTempFile::new_in(
+        path.parent().unwrap_or_else(|| std::path::Path::new(".")),
+    )?;
+    std::fs::write(tmp.path(), doc.to_string())?;
+    tmp.persist(path)?;
+    Ok(())
+}

codex-rs/cli/src/proto.rs

@@ -9,6 +9,7 @@ use codex_core::config::ConfigOverrides;
 use codex_core::protocol::Event;
 use codex_core::protocol::EventMsg;
 use codex_core::protocol::Submission;
+use codex_login::AuthManager;
 use tokio::io::AsyncBufReadExt;
 use tokio::io::BufReader;
 use tracing::error;
@@ -36,7 +37,10 @@ pub async fn run_main(opts: ProtoCli) -> anyhow::Result<()> {
 
     let config = Config::load_with_cli_overrides(overrides_vec, ConfigOverrides::default())?;
     // Use conversation_manager API to start a conversation
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager = ConversationManager::new(AuthManager::shared(
+        config.codex_home.clone(),
+        config.preferred_auth_method,
+    ));
     let NewConversation {
         conversation_id: _,
         conversation,

codex-rs/cli/tests/mcp_add_remove.rs

@@ -0,0 +1,88 @@
+use assert_cmd::prelude::*;
+use std::fs;
+use std::process::Command;
+
+fn write(path: &std::path::Path, contents: &str) {
+    fs::write(path, contents).unwrap();
+}
+
+#[test]
+fn add_and_remove_user_scope() {
+    let codex_home = tempfile::tempdir().unwrap();
+    // Pre-create CODEX_HOME for canonicalization logic
+    let config_path = codex_home.path().join("config.toml");
+
+    let project_dir = tempfile::tempdir().unwrap();
+    write(&project_dir.path().join(".git"), "gitdir: nowhere");
+
+    // Add
+    Command::cargo_bin("codex")
+        .unwrap()
+        .current_dir(project_dir.path())
+        .env("CODEX_HOME", codex_home.path())
+        .args([
+            "mcp", "add", "svc", "--scope", "user", "--", "tool", "--flag",
+        ])
+        .assert()
+        .success();
+
+    let config = fs::read_to_string(&config_path).unwrap();
+    assert!(config.contains("[mcp_servers.svc]"));
+    assert!(config.contains("command = \"tool\""));
+
+    // Remove
+    Command::cargo_bin("codex")
+        .unwrap()
+        .current_dir(project_dir.path())
+        .env("CODEX_HOME", codex_home.path())
+        .args(["mcp", "remove", "svc", "--scope", "user"])
+        .assert()
+        .success();
+
+    let config_after = fs::read_to_string(&config_path).unwrap();
+    assert!(!config_after.contains("[mcp_servers.svc]"));
+}
+
+#[test]
+fn add_local_and_project_scopes() {
+    let codex_home = tempfile::tempdir().unwrap();
+    let project_dir = tempfile::tempdir().unwrap();
+    write(&project_dir.path().join(".git"), "gitdir: nowhere");
+
+    // Add project
+    Command::cargo_bin("codex")
+        .unwrap()
+        .current_dir(project_dir.path())
+        .env("CODEX_HOME", codex_home.path())
+        .args(["mcp", "add", "svc", "--scope", "project", "--", "toolp"])
+        .assert()
+        .success();
+    let proj = fs::read_to_string(project_dir.path().join(".mcp.toml")).unwrap();
+    assert!(proj.contains("[mcp_servers.svc]"));
+    assert!(proj.contains("toolp"));
+
+    // Add local (override in precedence for merged view)
+    Command::cargo_bin("codex")
+        .unwrap()
+        .current_dir(project_dir.path())
+        .env("CODEX_HOME", codex_home.path())
+        .args(["mcp", "add", "svc", "--scope", "local", "--", "tooll"])
+        .assert()
+        .success();
+    let local = fs::read_to_string(project_dir.path().join(".mcp.local.toml")).unwrap();
+    assert!(local.contains("tooll"));
+
+    // Remove all
+    Command::cargo_bin("codex")
+        .unwrap()
+        .current_dir(project_dir.path())
+        .env("CODEX_HOME", codex_home.path())
+        .args(["mcp", "remove", "svc", "--all"])
+        .assert()
+        .success();
+
+    let proj_after = fs::read_to_string(project_dir.path().join(".mcp.toml")).unwrap();
+    assert!(!proj_after.contains("[mcp_servers.svc]"));
+    let local_after = fs::read_to_string(project_dir.path().join(".mcp.local.toml")).unwrap();
+    assert!(!local_after.contains("[mcp_servers.svc]"));
+}

codex-rs/cli/tests/mcp_add_toml.rs

@@ -0,0 +1,133 @@
+use assert_cmd::prelude::*;
+use serde_json::Value;
+use std::fs;
+use std::process::Command;
+
+fn write(path: &std::path::Path, contents: &str) {
+    fs::write(path, contents).unwrap();
+}
+
+#[test]
+fn add_toml_local_filters_non_stdio_and_lists() {
+    let codex_home = tempfile::tempdir().unwrap();
+    let project_dir = tempfile::tempdir().unwrap();
+    write(&project_dir.path().join(".git"), "gitdir: nowhere");
+
+    let import = tempfile::NamedTempFile::new().unwrap();
+    write(
+        import.path(),
+        r#"[mcp_servers.ok]
+type = "stdio"
+command = "tool"
+args = ["--x"]
+env = { K = "V" }
+
+[mcp_servers.bad]
+type = "http"
+url = "https://example.invalid/mcp"
+
+[mcp_servers.missing]
+type = "stdio"
+"#,
+    );
+
+    // Import into local scope
+    Command::cargo_bin("codex")
+        .unwrap()
+        .current_dir(project_dir.path())
+        .env("CODEX_HOME", codex_home.path())
+        .args([
+            "mcp",
+            "add-toml",
+            "--scope",
+            "local",
+            import.path().to_str().unwrap(),
+        ])
+        .assert()
+        .success();
+
+    // Verify file contents
+    let local_contents = fs::read_to_string(project_dir.path().join(".mcp.local.toml")).unwrap();
+    assert!(local_contents.contains("[mcp_servers.ok]"));
+    assert!(local_contents.contains("command = \"tool\""));
+    assert!(!local_contents.contains("[mcp_servers.bad]"));
+    assert!(!local_contents.contains("[mcp_servers.missing]"));
+
+    // And list shows only the accepted entry, with local scope
+    let out = Command::cargo_bin("codex")
+        .unwrap()
+        .current_dir(project_dir.path())
+        .env("CODEX_HOME", codex_home.path())
+        .args(["mcp", "list", "--json"])
+        .assert()
+        .success()
+        .get_output()
+        .stdout
+        .clone();
+    let v: Value = serde_json::from_slice(&out).unwrap();
+    let arr = v.as_array().unwrap();
+    let mut seen_ok = false;
+    for e in arr {
+        if e.get("name").and_then(|x| x.as_str()) == Some("ok") {
+            assert_eq!(e.get("scope").and_then(|x| x.as_str()), Some("local"));
+            seen_ok = true;
+        }
+        assert_ne!(e.get("name").and_then(|x| x.as_str()), Some("bad"));
+        assert_ne!(e.get("name").and_then(|x| x.as_str()), Some("missing"));
+    }
+    assert!(
+        seen_ok,
+        "expected to find imported 'ok' entry in list output"
+    );
+}
+
+#[test]
+fn add_toml_user_and_get() {
+    let codex_home = tempfile::tempdir().unwrap();
+    let project_dir = tempfile::tempdir().unwrap();
+    write(&project_dir.path().join(".git"), "gitdir: nowhere");
+
+    let import = tempfile::NamedTempFile::new().unwrap();
+    write(
+        import.path(),
+        r#"[mcp_servers.userok]
+type = "stdio"
+command = "utool"
+"#,
+    );
+
+    // Import into user scope
+    Command::cargo_bin("codex")
+        .unwrap()
+        .current_dir(project_dir.path())
+        .env("CODEX_HOME", codex_home.path())
+        .args([
+            "mcp",
+            "add-toml",
+            "--scope",
+            "user",
+            import.path().to_str().unwrap(),
+        ])
+        .assert()
+        .success();
+
+    // Get shows the user scope
+    let out = Command::cargo_bin("codex")
+        .unwrap()
+        .current_dir(project_dir.path())
+        .env("CODEX_HOME", codex_home.path())
+        .args(["mcp", "get", "userok", "--json"])
+        .assert()
+        .success()
+        .get_output()
+        .stdout
+        .clone();
+    let v: Value = serde_json::from_slice(&out).unwrap();
+    assert_eq!(v.get("scope").and_then(|x| x.as_str()), Some("user"));
+    assert_eq!(
+        v.get("config")
+            .and_then(|c| c.get("command"))
+            .and_then(|x| x.as_str()),
+        Some("utool")
+    );
+}

codex-rs/cli/tests/mcp_get.rs

@@ -0,0 +1,52 @@
+use assert_cmd::prelude::*;
+use serde_json::Value;
+use std::fs;
+use std::process::Command;
+
+fn write(path: &std::path::Path, contents: &str) {
+    fs::write(path, contents).unwrap();
+}
+
+#[test]
+fn get_returns_winning_scope() {
+    let codex_home = tempfile::tempdir().unwrap();
+    write(
+        &codex_home.path().join("config.toml"),
+        r#"[mcp_servers.svc]
+command = "user-cmd"
+"#,
+    );
+
+    let project_dir = tempfile::tempdir().unwrap();
+    write(&project_dir.path().join(".git"), "gitdir: nowhere");
+    write(
+        &project_dir.path().join(".mcp.toml"),
+        r#"[mcp_servers.svc]
+command = "project-cmd"
+"#,
+    );
+    write(
+        &project_dir.path().join(".mcp.local.toml"),
+        r#"[mcp_servers.svc]
+command = "local-cmd"
+"#,
+    );
+
+    let assert = Command::cargo_bin("codex")
+        .unwrap()
+        .current_dir(project_dir.path())
+        .env("CODEX_HOME", codex_home.path())
+        .args(["mcp", "get", "svc", "--json"])
+        .assert()
+        .success();
+    let out = String::from_utf8(assert.get_output().stdout.clone()).unwrap();
+    let v: Value = serde_json::from_str(&out).unwrap();
+    assert_eq!(v.get("name").and_then(|x| x.as_str()), Some("svc"));
+    assert_eq!(v.get("scope").and_then(|x| x.as_str()), Some("local"));
+    assert_eq!(
+        v.get("config")
+            .and_then(|c| c.get("command"))
+            .and_then(|x| x.as_str()),
+        Some("local-cmd")
+    );
+}

codex-rs/cli/tests/mcp_list.rs

@@ -0,0 +1,71 @@
+use assert_cmd::prelude::*;
+use serde_json::Value;
+use std::fs;
+use std::process::Command;
+
+fn write(path: &std::path::Path, contents: &str) {
+    fs::write(path, contents).unwrap();
+}
+
+#[test]
+fn list_shows_scopes_for_user_project_local() {
+    let codex_home = tempfile::tempdir().unwrap();
+    write(
+        &codex_home.path().join("config.toml"),
+        r#"[mcp_servers.user_svc]
+command = "user-cmd"
+"#,
+    );
+
+    let project_dir = tempfile::tempdir().unwrap();
+    // Mark git root for nicer parity with real use
+    write(&project_dir.path().join(".git"), "gitdir: nowhere");
+    write(
+        &project_dir.path().join(".mcp.toml"),
+        r#"[mcp_servers.proj_svc]
+command = "proj-cmd"
+"#,
+    );
+    write(
+        &project_dir.path().join(".mcp.local.toml"),
+        r#"[mcp_servers.local_svc]
+command = "local-cmd"
+"#,
+    );
+
+    let assert = Command::cargo_bin("codex")
+        .unwrap()
+        .current_dir(project_dir.path())
+        .env("CODEX_HOME", codex_home.path())
+        .args(["mcp", "list", "--json"])
+        .assert()
+        .success();
+    let out = String::from_utf8(assert.get_output().stdout.clone()).unwrap();
+    let v: Value = serde_json::from_str(&out).unwrap();
+    let arr = v.as_array().unwrap();
+
+    let mut found = (false, false, false);
+    for e in arr {
+        let name = e.get("name").and_then(|x| x.as_str()).unwrap();
+        let scope = e.get("scope").and_then(|x| x.as_str()).unwrap();
+        match name {
+            "user_svc" => {
+                assert_eq!(scope, "user");
+                found.0 = true;
+            }
+            "proj_svc" => {
+                assert_eq!(scope, "project");
+                found.1 = true;
+            }
+            "local_svc" => {
+                assert_eq!(scope, "local");
+                found.2 = true;
+            }
+            _ => {}
+        }
+    }
+    assert!(
+        found.0 && found.1 && found.2,
+        "expected three entries across scopes"
+    );
+}

codex-rs/common/src/approval_presets.rs

@@ -0,0 +1,46 @@
+use codex_core::protocol::AskForApproval;
+use codex_core::protocol::SandboxPolicy;
+
+/// A simple preset pairing an approval policy with a sandbox policy.
+#[derive(Debug, Clone)]
+pub struct ApprovalPreset {
+    /// Stable identifier for the preset.
+    pub id: &'static str,
+    /// Display label shown in UIs.
+    pub label: &'static str,
+    /// Short human description shown next to the label in UIs.
+    pub description: &'static str,
+    /// Approval policy to apply.
+    pub approval: AskForApproval,
+    /// Sandbox policy to apply.
+    pub sandbox: SandboxPolicy,
+}
+
+/// Built-in list of approval presets that pair approval and sandbox policy.
+///
+/// Keep this UI-agnostic so it can be reused by both TUI and MCP server.
+pub fn builtin_approval_presets() -> Vec<ApprovalPreset> {
+    vec![
+        ApprovalPreset {
+            id: "read-only",
+            label: "Read Only",
+            description: "Codex can read files and answer questions. Codex requires approval to make edits, run commands, or access network",
+            approval: AskForApproval::OnRequest,
+            sandbox: SandboxPolicy::ReadOnly,
+        },
+        ApprovalPreset {
+            id: "auto",
+            label: "Auto",
+            description: "Codex can read files, make edits, and run commands in the workspace. Codex requires approval to work outside the workspace or access network",
+            approval: AskForApproval::OnRequest,
+            sandbox: SandboxPolicy::new_workspace_write_policy(),
+        },
+        ApprovalPreset {
+            id: "full-access",
+            label: "Full Access",
+            description: "Codex can read files, make edits, and run commands with network access, without approval. Exercise caution",
+            approval: AskForApproval::Never,
+            sandbox: SandboxPolicy::DangerFullAccess,
+        },
+    ]
+}

codex-rs/common/src/lib.rs

@@ -31,3 +31,6 @@ pub use config_summary::create_config_summary_entries;
 pub mod fuzzy_match;
 // Shared model presets used by TUI and MCP server
 pub mod model_presets;
+// Shared approval presets (AskForApproval + Sandbox) used by TUI and MCP server
+// Not to be confused with AskForApproval, which we should probably rename to EscalationPolicy.
+pub mod approval_presets;

codex-rs/common/src/model_presets.rs

@@ -24,28 +24,28 @@ pub fn builtin_model_presets() -> &'static [ModelPreset] {
         ModelPreset {
             id: "gpt-5-minimal",
             label: "gpt-5 minimal",
-            description: "— Fastest responses with very limited reasoning; ideal for coding, instructions, or lightweight tasks.",
+            description: "— fastest responses with limited reasoning; ideal for coding, instructions, or lightweight tasks",
             model: "gpt-5",
             effort: ReasoningEffort::Minimal,
         },
         ModelPreset {
             id: "gpt-5-low",
             label: "gpt-5 low",
-            description: "— Balances speed with some reasoning; useful for straightforward queries and short explanations.",
+            description: "— balances speed with some reasoning; useful for straightforward queries and short explanations",
             model: "gpt-5",
             effort: ReasoningEffort::Low,
         },
         ModelPreset {
             id: "gpt-5-medium",
             label: "gpt-5 medium",
-            description: "— Default setting; provides a solid balance of reasoning depth and latency for general-purpose tasks.",
+            description: "— default setting; provides a solid balance of reasoning depth and latency for general-purpose tasks",
             model: "gpt-5",
             effort: ReasoningEffort::Medium,
         },
         ModelPreset {
             id: "gpt-5-high",
             label: "gpt-5 high",
-            description: "— Maximizes reasoning depth for complex or ambiguous problems.",
+            description: "— maximizes reasoning depth for complex or ambiguous problems",
             model: "gpt-5",
             effort: ReasoningEffort::High,
         },

codex-rs/config.md

@@ -243,6 +243,25 @@ To disable reasoning summaries, set `model_reasoning_summary` to `"none"` in you
 model_reasoning_summary = "none"  # disable reasoning summaries
 ```
 
+## model_verbosity
+
+Controls output length/detail on GPT‑5 family models when using the Responses API. Supported values:
+
+- `"low"`
+- `"medium"` (default when omitted)
+- `"high"`
+
+When set, Codex includes a `text` object in the request payload with the configured verbosity, for example: `"text": { "verbosity": "low" }`.
+
+Example:
+
+```toml
+model = "gpt-5"
+model_verbosity = "low"
+```
+
+Note: This applies only to providers using the Responses API. Chat Completions providers are unaffected.
+
 ## model_supports_reasoning_summaries
 
 By default, `reasoning` is only set on requests to OpenAI models that are known to support them. To force `reasoning` to set on requests to the current model, you can force this behavior by setting the following in `config.toml`:
@@ -300,6 +319,16 @@ This is reasonable to use if Codex is running in an environment that provides it
 
 Though using this option may also be necessary if you try to use Codex in environments where its native sandboxing mechanisms are unsupported, such as older Linux kernels or on Windows.
 
+## Approval presets
+
+Codex provides three main Approval Presets:
+
+- Read Only: Codex can read files and answer questions; edits, running commands, and network access require approval.
+- Auto: Codex can read files, make edits, and run commands in the workspace without approval; asks for approval outside the workspace or for network access.
+- Full Access: Full disk and network access without prompts; extremely risky.
+
+You can further customize how Codex runs at the command line using the `--ask-for-approval` and `--sandbox` options.
+
 ## mcp_servers
 
 Defines the list of MCP servers that Codex can consult for tool use. Currently, only servers that are launched by executing a program that communicate over stdio are supported. For servers that use the SSE transport, consider an adapter like [mcp-proxy](https://github.com/sparfenyuk/mcp-proxy).

codex-rs/core/Cargo.toml

@@ -6,6 +6,7 @@ version = { workspace = true }
 [lib]
 name = "codex_core"
 path = "src/lib.rs"
+doctest = false
 
 [lints]
 workspace = true
@@ -28,6 +29,7 @@ libc = "0.2.175"
 mcp-types = { path = "../mcp-types" }
 mime_guess = "2.0"
 os_info = "3.12.0"
+portable-pty = "0.9.0"
 rand = "0.9"
 regex-lite = "0.1.6"
 reqwest = { version = "0.12", features = ["json", "stream"] }
@@ -50,12 +52,12 @@ tokio = { version = "1", features = [
 ] }
 tokio-util = "0.7.16"
 toml = "0.9.5"
-toml_edit = "0.23.3"
+toml_edit = "0.23.4"
 tracing = { version = "0.1.41", features = ["log"] }
 tree-sitter = "0.25.8"
 tree-sitter-bash = "0.25.0"
 uuid = { version = "1", features = ["serde", "v4"] }
-whoami = "1.6.0"
+whoami = "1.6.1"
 wildmatch = "2.4.0"
 
 
@@ -71,6 +73,9 @@ openssl-sys = { version = "*", features = ["vendored"] }
 [target.aarch64-unknown-linux-musl.dependencies]
 openssl-sys = { version = "*", features = ["vendored"] }
 
+[target.'cfg(target_os = "windows")'.dependencies]
+which = "6"
+
 [dev-dependencies]
 assert_cmd = "2"
 core_test_support = { path = "tests/common" }

codex-rs/core/prompt.md

@@ -134,14 +134,6 @@ If completing the user's task requires writing or modifying files, your code and
 - Do not use one-letter variable names unless explicitly requested.
 - NEVER output inline citations like "【F:README.md†L5-L14】" in your outputs. The CLI is not able to render these so they will just be broken in the UI. Instead, if you output valid filepaths, users will be able to click on them to open the files in their editor.
 
-## Testing your work
-
-If the codebase has tests or the ability to build or run, you should use them to verify that your work is complete. Generally, your testing philosophy should be to start as specific as possible to the code you changed so that you can catch issues efficiently, then make your way to broader tests as you build confidence. If there's no test for the code you changed, and if the adjacent patterns in the codebases show that there's a logical place for you to add a test, you may do so. However, do not add tests to codebases with no tests, or where the patterns don't indicate so.
-
-Once you're confident in correctness, use formatting commands to ensure that your code is well formatted. These commands can take time so you should run them on as precise a target as possible. If there are issues you can iterate up to 3 times to get formatting right, but if you still can't manage it's better to save the user time and present them a correct solution where you call out the formatting in your final message. If the codebase does not have a formatter configured, do not add one.
-
-For all of testing, running, building, and formatting, do not attempt to fix unrelated bugs. It is not your responsibility to fix them. (You may mention them to the user in your final message though.)
-
 ## Sandbox and approvals
 
 The Codex CLI harness supports several different sandboxing, and approval configurations that the user can choose from.
@@ -177,6 +169,22 @@ Note that when sandboxing is set to read-only, you'll need to request approval f
 
 You will be told what filesystem sandboxing, network sandboxing, and approval mode are active in a developer or user message. If you are not told about this, assume that you are running with workspace-write, network sandboxing ON, and approval on-failure.
 
+## Validating your work
+
+If the codebase has tests or the ability to build or run, consider using them to verify that your work is complete. 
+
+When testing, your philosophy should be to start as specific as possible to the code you changed so that you can catch issues efficiently, then make your way to broader tests as you build confidence. If there's no test for the code you changed, and if the adjacent patterns in the codebases show that there's a logical place for you to add a test, you may do so. However, do not add tests to codebases with no tests.
+
+Similarly, once you're confident in correctness, you can suggest or use formatting commands to ensure that your code is well formatted. If there are issues you can iterate up to 3 times to get formatting right, but if you still can't manage it's better to save the user time and present them a correct solution where you call out the formatting in your final message. If the codebase does not have a formatter configured, do not add one.
+
+For all of testing, running, building, and formatting, do not attempt to fix unrelated bugs. It is not your responsibility to fix them. (You may mention them to the user in your final message though.)
+
+Be mindful of whether to run validation commands proactively. In the absence of behavioral guidance:
+
+- When running in non-interactive approval modes like **never** or **on-failure**, proactively run tests, lint and do whatever you need to ensure you've completed the task.
+- When working in interactive approval modes like **untrusted**, or **on-request**, hold off on running tests or lint commands until the user is ready for you to finalize your output, because these commands take time to run and slow down iteration. Instead suggest what you want to do next, and let the user confirm first.
+- When working on test-related tasks, such as adding tests, fixing tests, or reproducing a bug to verify behavior, you may proactively run tests regardless of approval mode. Use your judgement to decide whether this is a test-related task.
+
 ## Ambition vs. precision
 
 For tasks that have no prior context (i.e. the user is starting something brand new), you should feel free to be ambitious and demonstrate creativity with your implementation.
@@ -270,67 +278,6 @@ When using the shell, you must adhere to the following guidelines:
 - When searching for text or files, prefer using `rg` or `rg --files` respectively because `rg` is much faster than alternatives like `grep`. (If the `rg` command is not found, then use alternatives.)
 - Read files in chunks with a max chunk size of 250 lines. Do not use python scripts to attempt to output larger chunks of a file. Command line output will be truncated after 10 kilobytes or 256 lines of output, regardless of the command used.
 
-## `apply_patch`
-
-Your patch language is a stripped‑down, file‑oriented diff format designed to be easy to parse and safe to apply. You can think of it as a high‑level envelope:
-
-**_ Begin Patch
-[ one or more file sections ]
-_** End Patch
-
-Within that envelope, you get a sequence of file operations.
-You MUST include a header to specify the action you are taking.
-Each operation starts with one of three headers:
-
-**_ Add File: <path> - create a new file. Every following line is a + line (the initial contents).
-_** Delete File: <path> - remove an existing file. Nothing follows.
-\*\*\* Update File: <path> - patch an existing file in place (optionally with a rename).
-
-May be immediately followed by \*\*\* Move to: <new path> if you want to rename the file.
-Then one or more “hunks”, each introduced by @@ (optionally followed by a hunk header).
-Within a hunk each line starts with:
-
-- for inserted text,
-
-* for removed text, or
-  space ( ) for context.
-  At the end of a truncated hunk you can emit \*\*\* End of File.
-
-Patch := Begin { FileOp } End
-Begin := "**_ Begin Patch" NEWLINE
-End := "_** End Patch" NEWLINE
-FileOp := AddFile | DeleteFile | UpdateFile
-AddFile := "**_ Add File: " path NEWLINE { "+" line NEWLINE }
-DeleteFile := "_** Delete File: " path NEWLINE
-UpdateFile := "**_ Update File: " path NEWLINE [ MoveTo ] { Hunk }
-MoveTo := "_** Move to: " newPath NEWLINE
-Hunk := "@@" [ header ] NEWLINE { HunkLine } [ "*** End of File" NEWLINE ]
-HunkLine := (" " | "-" | "+") text NEWLINE
-
-A full patch can combine several operations:
-
-**_ Begin Patch
-_** Add File: hello.txt
-+Hello world
-**_ Update File: src/app.py
-_** Move to: src/main.py
-@@ def greet():
--print("Hi")
-+print("Hello, world!")
-**_ Delete File: obsolete.txt
-_** End Patch
-
-It is important to remember:
-
-- You must include a header with your intended action (Add/Delete/Update)
-- You must prefix new lines with `+` even when creating a new file
-
-You can invoke apply_patch like:
-
-```
-shell {"command":["apply_patch","*** Begin Patch\n*** Add File: hello.txt\n+Hello, world!\n*** End Patch\n"]}
-```
-
 ## `update_plan`
 
 A tool named `update_plan` is available to you. You can use it to keep an up‑to‑date, step‑by‑step plan for the task.

codex-rs/core/src/apply_patch.rs

@@ -1,13 +1,13 @@
 use crate::codex::Session;
 use crate::codex::TurnContext;
-use crate::models::FunctionCallOutputPayload;
-use crate::models::ResponseInputItem;
 use crate::protocol::FileChange;
 use crate::protocol::ReviewDecision;
 use crate::safety::SafetyCheck;
 use crate::safety::assess_patch_safety;
 use codex_apply_patch::ApplyPatchAction;
 use codex_apply_patch::ApplyPatchFileChange;
+use codex_protocol::models::FunctionCallOutputPayload;
+use codex_protocol::models::ResponseInputItem;
 use std::collections::HashMap;
 use std::path::PathBuf;
 

codex-rs/core/src/chat_completions.rs

@@ -22,11 +22,11 @@ use crate::client_common::ResponseStream;
 use crate::error::CodexErr;
 use crate::error::Result;
 use crate::model_family::ModelFamily;
-use crate::models::ContentItem;
-use crate::models::ReasoningItemContent;
-use crate::models::ResponseItem;
 use crate::openai_tools::create_tools_json_for_chat_completions_api;
 use crate::util::backoff;
+use codex_protocol::models::ContentItem;
+use codex_protocol::models::ReasoningItemContent;
+use codex_protocol::models::ResponseItem;
 
 /// Implementation for the classic Chat Completions API.
 pub(crate) async fn stream_chat_completions(
@@ -102,6 +102,33 @@ pub(crate) async fn stream_chat_completions(
                     "content": output.content,
                 }));
             }
+            ResponseItem::CustomToolCall {
+                id,
+                call_id: _,
+                name,
+                input,
+                status: _,
+            } => {
+                messages.push(json!({
+                    "role": "assistant",
+                    "content": null,
+                    "tool_calls": [{
+                        "id": id,
+                        "type": "custom",
+                        "custom": {
+                            "name": name,
+                            "input": input,
+                        }
+                    }]
+                }));
+            }
+            ResponseItem::CustomToolCallOutput { call_id, output } => {
+                messages.push(json!({
+                    "role": "tool",
+                    "tool_call_id": call_id,
+                    "content": output,
+                }));
+            }
             ResponseItem::Reasoning { .. } | ResponseItem::Other => {
                 // Omit these items from the conversation history.
                 continue;
@@ -482,16 +509,19 @@ where
                     // do NOT emit yet. Forward any other item (e.g. FunctionCall) right
                     // away so downstream consumers see it.
 
-                    let is_assistant_delta = matches!(&item, crate::models::ResponseItem::Message { role, .. } if role == "assistant");
+                    let is_assistant_delta = matches!(&item, codex_protocol::models::ResponseItem::Message { role, .. } if role == "assistant");
 
                     if is_assistant_delta {
                         // Only use the final assistant message if we have not
                         // seen any deltas; otherwise, deltas already built the
                         // cumulative text and this would duplicate it.
                         if this.cumulative.is_empty()
-                            && let crate::models::ResponseItem::Message { content, .. } = &item
+                            && let codex_protocol::models::ResponseItem::Message { content, .. } =
+                                &item
                             && let Some(text) = content.iter().find_map(|c| match c {
-                                crate::models::ContentItem::OutputText { text } => Some(text),
+                                codex_protocol::models::ContentItem::OutputText { text } => {
+                                    Some(text)
+                                }
                                 _ => None,
                             })
                         {
@@ -515,26 +545,27 @@ where
                     if !this.cumulative_reasoning.is_empty()
                         && matches!(this.mode, AggregateMode::AggregatedOnly)
                     {
-                        let aggregated_reasoning = crate::models::ResponseItem::Reasoning {
-                            id: String::new(),
-                            summary: Vec::new(),
-                            content: Some(vec![
-                                crate::models::ReasoningItemContent::ReasoningText {
-                                    text: std::mem::take(&mut this.cumulative_reasoning),
-                                },
-                            ]),
-                            encrypted_content: None,
-                        };
+                        let aggregated_reasoning =
+                            codex_protocol::models::ResponseItem::Reasoning {
+                                id: String::new(),
+                                summary: Vec::new(),
+                                content: Some(vec![
+                                    codex_protocol::models::ReasoningItemContent::ReasoningText {
+                                        text: std::mem::take(&mut this.cumulative_reasoning),
+                                    },
+                                ]),
+                                encrypted_content: None,
+                            };
                         this.pending
                             .push_back(ResponseEvent::OutputItemDone(aggregated_reasoning));
                         emitted_any = true;
                     }
 
                     if !this.cumulative.is_empty() {
-                        let aggregated_message = crate::models::ResponseItem::Message {
+                        let aggregated_message = codex_protocol::models::ResponseItem::Message {
                             id: None,
                             role: "assistant".to_string(),
-                            content: vec![crate::models::ContentItem::OutputText {
+                            content: vec![codex_protocol::models::ContentItem::OutputText {
                                 text: std::mem::take(&mut this.cumulative),
                             }],
                         };
@@ -592,6 +623,12 @@ where
                 Poll::Ready(Some(Ok(ResponseEvent::ReasoningSummaryPartAdded))) => {
                     continue;
                 }
+                Poll::Ready(Some(Ok(ResponseEvent::WebSearchCallBegin { .. }))) => {
+                    return Poll::Ready(Some(Ok(ResponseEvent::WebSearchCallBegin {
+                        call_id: String::new(),
+                        query: None,
+                    })));
+                }
             }
         }
     }

codex-rs/core/src/client.rs

@@ -1,14 +1,12 @@
 use std::io::BufRead;
 use std::path::Path;
-use std::sync::OnceLock;
 use std::time::Duration;
 
 use bytes::Bytes;
+use codex_login::AuthManager;
 use codex_login::AuthMode;
-use codex_login::CodexAuth;
 use eventsource_stream::Eventsource;
 use futures::prelude::*;
-use regex_lite::Regex;
 use reqwest::StatusCode;
 use serde::Deserialize;
 use serde::Serialize;
@@ -28,6 +26,7 @@ use crate::client_common::ResponseEvent;
 use crate::client_common::ResponseStream;
 use crate::client_common::ResponsesApiRequest;
 use crate::client_common::create_reasoning_param_for_request;
+use crate::client_common::create_text_param_for_request;
 use crate::config::Config;
 use crate::error::CodexErr;
 use crate::error::Result;
@@ -36,13 +35,14 @@ use crate::flags::CODEX_RS_SSE_FIXTURE;
 use crate::model_family::ModelFamily;
 use crate::model_provider_info::ModelProviderInfo;
 use crate::model_provider_info::WireApi;
-use crate::models::ResponseItem;
+use crate::openai_model_info::get_model_info;
 use crate::openai_tools::create_tools_json_for_responses_api;
 use crate::protocol::TokenUsage;
 use crate::user_agent::get_codex_user_agent;
 use crate::util::backoff;
 use codex_protocol::config_types::ReasoningEffort as ReasoningEffortConfig;
 use codex_protocol::config_types::ReasoningSummary as ReasoningSummaryConfig;
+use codex_protocol::models::ResponseItem;
 use std::sync::Arc;
 
 #[derive(Debug, Deserialize)]
@@ -53,14 +53,17 @@ struct ErrorResponse {
 #[derive(Debug, Deserialize)]
 struct Error {
     r#type: Option<String>,
-    code: Option<String>,
     message: Option<String>,
+
+    // Optional fields available on "usage_limit_reached" and "usage_not_included" errors
+    plan_type: Option<String>,
+    resets_in_seconds: Option<u64>,
 }
 
 #[derive(Debug, Clone)]
 pub struct ModelClient {
     config: Arc<Config>,
-    auth: Option<CodexAuth>,
+    auth_manager: Option<Arc<AuthManager>>,
     client: reqwest::Client,
     provider: ModelProviderInfo,
     session_id: Uuid,
@@ -71,7 +74,7 @@ pub struct ModelClient {
 impl ModelClient {
     pub fn new(
         config: Arc<Config>,
-        auth: Option<CodexAuth>,
+        auth_manager: Option<Arc<AuthManager>>,
         provider: ModelProviderInfo,
         effort: ReasoningEffortConfig,
         summary: ReasoningSummaryConfig,
@@ -79,7 +82,7 @@ impl ModelClient {
     ) -> Self {
         Self {
             config,
-            auth,
+            auth_manager,
             client: reqwest::Client::new(),
             provider,
             session_id,
@@ -88,6 +91,12 @@ impl ModelClient {
         }
     }
 
+    pub fn get_model_context_window(&self) -> Option<u64> {
+        self.config
+            .model_context_window
+            .or_else(|| get_model_info(&self.config.model_family).map(|info| info.context_window))
+    }
+
     /// Dispatches to either the Responses or Chat implementation depending on
     /// the provider config.  Public callers always invoke `stream()` – the
     /// specialised helpers are private to avoid accidental misuse.
@@ -140,14 +149,32 @@ impl ModelClient {
             return stream_from_fixture(path, self.provider.clone()).await;
         }
 
-        let auth = self.auth.clone();
+        let auth_manager = self.auth_manager.clone();
 
-        let auth_mode = auth.as_ref().map(|a| a.mode);
+        let auth_mode = auth_manager
+            .as_ref()
+            .and_then(|m| m.auth())
+            .as_ref()
+            .map(|a| a.mode);
 
         let store = prompt.store && auth_mode != Some(AuthMode::ChatGPT);
 
         let full_instructions = prompt.get_full_instructions(&self.config.model_family);
-        let tools_json = create_tools_json_for_responses_api(&prompt.tools)?;
+        let mut tools_json = create_tools_json_for_responses_api(&prompt.tools)?;
+        // ChatGPT backend expects the preview name for web search.
+        if auth_mode == Some(AuthMode::ChatGPT) {
+            for tool in &mut tools_json {
+                if let Some(map) = tool.as_object_mut()
+                    && map.get("type").and_then(|v| v.as_str()) == Some("web_search")
+                {
+                    map.insert(
+                        "type".to_string(),
+                        serde_json::Value::String("web_search_preview".to_string()),
+                    );
+                }
+            }
+        }
+
         let reasoning = create_reasoning_param_for_request(
             &self.config.model_family,
             self.effort,
@@ -164,6 +191,19 @@ impl ModelClient {
 
         let input_with_instructions = prompt.get_formatted_input();
 
+        // Only include `text.verbosity` for GPT-5 family models
+        let text = if self.config.model_family.family == "gpt-5" {
+            create_text_param_for_request(self.config.model_verbosity)
+        } else {
+            if self.config.model_verbosity.is_some() {
+                warn!(
+                    "model_verbosity is set but ignored for non-gpt-5 model family: {}",
+                    self.config.model_family.family
+                );
+            }
+            None
+        };
+
         let payload = ResponsesApiRequest {
             model: &self.config.model,
             instructions: &full_instructions,
@@ -176,20 +216,24 @@ impl ModelClient {
             stream: true,
             include,
             prompt_cache_key: Some(self.session_id.to_string()),
+            text,
         };
 
         let mut attempt = 0;
         let max_retries = self.provider.request_max_retries();
 
-        trace!(
-            "POST to {}: {}",
-            self.provider.get_full_url(&auth),
-            serde_json::to_string(&payload)?
-        );
-
         loop {
             attempt += 1;
 
+            // Always fetch the latest auth in case a prior attempt refreshed the token.
+            let auth = auth_manager.as_ref().and_then(|m| m.auth());
+
+            trace!(
+                "POST to {}: {}",
+                self.provider.get_full_url(&auth),
+                serde_json::to_string(&payload)?
+            );
+
             let mut req_builder = self
                 .provider
                 .create_request_builder(&self.client, &auth)
@@ -208,11 +252,7 @@ impl ModelClient {
                 req_builder = req_builder.header("chatgpt-account-id", account_id);
             }
 
-            let originator = self
-                .config
-                .internal_originator
-                .as_deref()
-                .unwrap_or("codex_cli_rs");
+            let originator = &self.config.responses_originator_header;
             req_builder = req_builder.header("originator", originator);
             req_builder = req_builder.header("User-Agent", get_codex_user_agent(Some(originator)));
 
@@ -252,6 +292,13 @@ impl ModelClient {
                         .and_then(|v| v.to_str().ok())
                         .and_then(|s| s.parse::<u64>().ok());
 
+                    if status == StatusCode::UNAUTHORIZED
+                        && let Some(manager) = auth_manager.as_ref()
+                        && manager.auth().is_some()
+                    {
+                        let _ = manager.refresh_token().await;
+                    }
+
                     // The OpenAI Responses endpoint returns structured JSON bodies even for 4xx/5xx
                     // errors. When we bubble early with only the HTTP status the caller sees an opaque
                     // "unexpected status 400 Bad Request" which makes debugging nearly impossible.
@@ -259,7 +306,10 @@ impl ModelClient {
                     // exact error message (e.g. "Unknown parameter: 'input[0].metadata'"). The body is
                     // small and this branch only runs on error paths so the extra allocation is
                     // negligible.
-                    if !(status == StatusCode::TOO_MANY_REQUESTS || status.is_server_error()) {
+                    if !(status == StatusCode::TOO_MANY_REQUESTS
+                        || status == StatusCode::UNAUTHORIZED
+                        || status.is_server_error())
+                    {
                         // Surface the error body to callers. Use `unwrap_or_default` per Clippy.
                         let body = res.text().await.unwrap_or_default();
                         return Err(CodexErr::UnexpectedStatus(status, body));
@@ -267,19 +317,20 @@ impl ModelClient {
 
                     if status == StatusCode::TOO_MANY_REQUESTS {
                         let body = res.json::<ErrorResponse>().await.ok();
-                        if let Some(ErrorResponse {
-                            error:
-                                Error {
-                                    r#type: Some(error_type),
-                                    ..
-                                },
-                        }) = body
-                        {
-                            if error_type == "usage_limit_reached" {
+                        if let Some(ErrorResponse { error }) = body {
+                            if error.r#type.as_deref() == Some("usage_limit_reached") {
+                                // Prefer the plan_type provided in the error message if present
+                                // because it's more up to date than the one encoded in the auth
+                                // token.
+                                let plan_type = error
+                                    .plan_type
+                                    .or_else(|| auth.and_then(|a| a.get_plan_type()));
+                                let resets_in_seconds = error.resets_in_seconds;
                                 return Err(CodexErr::UsageLimitReached(UsageLimitReachedError {
-                                    plan_type: auth.and_then(|a| a.get_plan_type()),
+                                    plan_type,
+                                    resets_in_seconds,
                                 }));
-                            } else if error_type == "usage_not_included" {
+                            } else if error.r#type.as_deref() == Some("usage_not_included") {
                                 return Err(CodexErr::UsageNotIncluded);
                             }
                         }
@@ -333,8 +384,8 @@ impl ModelClient {
         self.summary
     }
 
-    pub fn get_auth(&self) -> Option<CodexAuth> {
-        self.auth.clone()
+    pub fn get_auth_manager(&self) -> Option<Arc<AuthManager>> {
+        self.auth_manager.clone()
     }
 }
 
@@ -444,7 +495,8 @@ async fn process_sse<S>(
             }
         };
 
-        trace!("SSE event: {}", sse.data);
+        let raw = sse.data.clone();
+        trace!("SSE event: {}", raw);
 
         let event: SseEvent = match serde_json::from_str(&sse.data) {
             Ok(event) => event,
@@ -526,9 +578,8 @@ async fn process_sse<S>(
                     if let Some(error) = error {
                         match serde_json::from_value::<Error>(error.clone()) {
                             Ok(error) => {
-                                let delay = try_parse_retry_after(&error);
                                 let message = error.message.unwrap_or_default();
-                                response_error = Some(CodexErr::Stream(message, delay));
+                                response_error = Some(CodexErr::Stream(message, None));
                             }
                             Err(e) => {
                                 debug!("failed to parse ErrorResponse: {e}");
@@ -553,11 +604,29 @@ async fn process_sse<S>(
             }
             "response.content_part.done"
             | "response.function_call_arguments.delta"
+            | "response.custom_tool_call_input.delta"
+            | "response.custom_tool_call_input.done" // also emitted as response.output_item.done
             | "response.in_progress"
             | "response.output_item.added"
             | "response.output_text.done" => {
-                // Currently, we ignore this event, but we handle it
-                // separately to skip the logging message in the `other` case.
+                if event.kind == "response.output_item.added"
+                    && let Some(item) = event.item.as_ref()
+                {
+                    // Detect web_search_call begin and forward a synthetic event upstream.
+                    if let Some(ty) = item.get("type").and_then(|v| v.as_str())
+                        && ty == "web_search_call"
+                    {
+                        let call_id = item
+                            .get("id")
+                            .and_then(|v| v.as_str())
+                            .unwrap_or("")
+                            .to_string();
+                        let ev = ResponseEvent::WebSearchCallBegin { call_id, query: None };
+                        if tx_event.send(Ok(ev)).await.is_err() {
+                            return;
+                        }
+                    }
+                }
             }
             "response.reasoning_summary_part.added" => {
                 // Boundary between reasoning summary sections (e.g., titles).
@@ -567,7 +636,7 @@ async fn process_sse<S>(
                 }
             }
             "response.reasoning_summary_text.done" => {}
-            other => debug!(other, "sse event"),
+            _ => {}
         }
     }
 }
@@ -598,40 +667,6 @@ async fn stream_from_fixture(
     Ok(ResponseStream { rx_event })
 }
 
-fn rate_limit_regex() -> &'static Regex {
-    static RE: OnceLock<Regex> = OnceLock::new();
-
-    #[expect(clippy::unwrap_used)]
-    RE.get_or_init(|| Regex::new(r"Please try again in (\d+(?:\.\d+)?)(s|ms)").unwrap())
-}
-
-fn try_parse_retry_after(err: &Error) -> Option<Duration> {
-    if err.code != Some("rate_limit_exceeded".to_string()) {
-        return None;
-    }
-
-    // parse the Please try again in 1.898s format using regex
-    let re = rate_limit_regex();
-    if let Some(message) = &err.message
-        && let Some(captures) = re.captures(message)
-    {
-        let seconds = captures.get(1);
-        let unit = captures.get(2);
-
-        if let (Some(value), Some(unit)) = (seconds, unit) {
-            let value = value.as_str().parse::<f64>().ok()?;
-            let unit = unit.as_str();
-
-            if unit == "s" {
-                return Some(Duration::from_secs_f64(value));
-            } else if unit == "ms" {
-                return Some(Duration::from_millis(value as u64));
-            }
-        }
-    }
-    None
-}
-
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -852,7 +887,7 @@ mod tests {
                     msg,
                     "Rate limit reached for gpt-5 in organization org-AAA on tokens per min (TPM): Limit 30000, Used 22999, Requested 12528. Please try again in 11.054s. Visit https://platform.openai.com/account/rate-limits to learn more."
                 );
-                assert_eq!(*delay, Some(Duration::from_secs_f64(11.054)));
+                assert_eq!(*delay, None);
             }
             other => panic!("unexpected second event: {other:?}"),
         }
@@ -956,27 +991,4 @@ mod tests {
             );
         }
     }
-
-    #[test]
-    fn test_try_parse_retry_after() {
-        let err = Error {
-            r#type: None,
-            message: Some("Rate limit reached for gpt-5 in organization org- on tokens per min (TPM): Limit 1, Used 1, Requested 19304. Please try again in 28ms. Visit https://platform.openai.com/account/rate-limits to learn more.".to_string()),
-            code: Some("rate_limit_exceeded".to_string()),
-        };
-
-        let delay = try_parse_retry_after(&err);
-        assert_eq!(delay, Some(Duration::from_millis(28)));
-    }
-
-    #[test]
-    fn test_try_parse_retry_after_no_delay() {
-        let err = Error {
-            r#type: None,
-            message: Some("Rate limit reached for gpt-5 in organization <ORG> on tokens per min (TPM): Limit 30000, Used 6899, Requested 24050. Please try again in 1.898s. Visit https://platform.openai.com/account/rate-limits to learn more.".to_string()),
-            code: Some("rate_limit_exceeded".to_string()),
-        };
-        let delay = try_parse_retry_after(&err);
-        assert_eq!(delay, Some(Duration::from_secs_f64(1.898)));
-    }
 }

codex-rs/core/src/client_common.rs

@@ -1,12 +1,13 @@
+use crate::config_types::Verbosity as VerbosityConfig;
 use crate::error::Result;
 use crate::model_family::ModelFamily;
-use crate::models::ContentItem;
-use crate::models::ResponseItem;
 use crate::openai_tools::OpenAiTool;
 use crate::protocol::TokenUsage;
 use codex_apply_patch::APPLY_PATCH_TOOL_INSTRUCTIONS;
 use codex_protocol::config_types::ReasoningEffort as ReasoningEffortConfig;
 use codex_protocol::config_types::ReasoningSummary as ReasoningSummaryConfig;
+use codex_protocol::models::ContentItem;
+use codex_protocol::models::ResponseItem;
 use futures::Stream;
 use serde::Serialize;
 use std::borrow::Cow;
@@ -47,7 +48,18 @@ impl Prompt {
             .as_deref()
             .unwrap_or(BASE_INSTRUCTIONS);
         let mut sections: Vec<&str> = vec![base];
-        if model.needs_special_apply_patch_instructions {
+
+        // When there are no custom instructions, add apply_patch_tool_instructions if either:
+        // - the model needs special instructions (4.1), or
+        // - there is no apply_patch tool present
+        let is_apply_patch_tool_present = self.tools.iter().any(|tool| match tool {
+            OpenAiTool::Function(f) => f.name == "apply_patch",
+            OpenAiTool::Freeform(f) => f.name == "apply_patch",
+            _ => false,
+        });
+        if self.base_instructions_override.is_none()
+            && (model.needs_special_apply_patch_instructions || !is_apply_patch_tool_present)
+        {
             sections.push(APPLY_PATCH_TOOL_INSTRUCTIONS);
         }
         Cow::Owned(sections.join("\n"))
@@ -81,6 +93,10 @@ pub enum ResponseEvent {
     ReasoningSummaryDelta(String),
     ReasoningContentDelta(String),
     ReasoningSummaryPartAdded,
+    WebSearchCallBegin {
+        call_id: String,
+        query: Option<String>,
+    },
 }
 
 #[derive(Debug, Serialize)]
@@ -89,6 +105,32 @@ pub(crate) struct Reasoning {
     pub(crate) summary: ReasoningSummaryConfig,
 }
 
+/// Controls under the `text` field in the Responses API for GPT-5.
+#[derive(Debug, Serialize, Default, Clone, Copy)]
+pub(crate) struct TextControls {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(crate) verbosity: Option<OpenAiVerbosity>,
+}
+
+#[derive(Debug, Serialize, Default, Clone, Copy)]
+#[serde(rename_all = "lowercase")]
+pub(crate) enum OpenAiVerbosity {
+    Low,
+    #[default]
+    Medium,
+    High,
+}
+
+impl From<VerbosityConfig> for OpenAiVerbosity {
+    fn from(v: VerbosityConfig) -> Self {
+        match v {
+            VerbosityConfig::Low => OpenAiVerbosity::Low,
+            VerbosityConfig::Medium => OpenAiVerbosity::Medium,
+            VerbosityConfig::High => OpenAiVerbosity::High,
+        }
+    }
+}
+
 /// Request object that is serialized as JSON and POST'ed when using the
 /// Responses API.
 #[derive(Debug, Serialize)]
@@ -109,6 +151,8 @@ pub(crate) struct ResponsesApiRequest<'a> {
     pub(crate) include: Vec<String>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub(crate) prompt_cache_key: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(crate) text: Option<TextControls>,
 }
 
 pub(crate) fn create_reasoning_param_for_request(
@@ -123,6 +167,14 @@ pub(crate) fn create_reasoning_param_for_request(
     }
 }
 
+pub(crate) fn create_text_param_for_request(
+    verbosity: Option<VerbosityConfig>,
+) -> Option<TextControls> {
+    verbosity.map(|v| TextControls {
+        verbosity: Some(v.into()),
+    })
+}
+
 pub(crate) struct ResponseStream {
     pub(crate) rx_event: mpsc::Receiver<Result<ResponseEvent>>,
 }
@@ -151,4 +203,57 @@ mod tests {
         let full = prompt.get_full_instructions(&model_family);
         assert_eq!(full, expected);
     }
+
+    #[test]
+    fn serializes_text_verbosity_when_set() {
+        let input: Vec<ResponseItem> = vec![];
+        let tools: Vec<serde_json::Value> = vec![];
+        let req = ResponsesApiRequest {
+            model: "gpt-5",
+            instructions: "i",
+            input: &input,
+            tools: &tools,
+            tool_choice: "auto",
+            parallel_tool_calls: false,
+            reasoning: None,
+            store: true,
+            stream: true,
+            include: vec![],
+            prompt_cache_key: None,
+            text: Some(TextControls {
+                verbosity: Some(OpenAiVerbosity::Low),
+            }),
+        };
+
+        let v = serde_json::to_value(&req).expect("json");
+        assert_eq!(
+            v.get("text")
+                .and_then(|t| t.get("verbosity"))
+                .and_then(|s| s.as_str()),
+            Some("low")
+        );
+    }
+
+    #[test]
+    fn omits_text_when_not_set() {
+        let input: Vec<ResponseItem> = vec![];
+        let tools: Vec<serde_json::Value> = vec![];
+        let req = ResponsesApiRequest {
+            model: "gpt-5",
+            instructions: "i",
+            input: &input,
+            tools: &tools,
+            tool_choice: "auto",
+            parallel_tool_calls: false,
+            reasoning: None,
+            store: true,
+            stream: true,
+            include: vec![],
+            prompt_cache_key: None,
+            text: None,
+        };
+
+        let v = serde_json::to_value(&req).expect("json");
+        assert!(v.get("text").is_none());
+    }
 }

codex-rs/core/src/config.rs

@@ -6,6 +6,10 @@ use crate::config_types::ShellEnvironmentPolicy;
 use crate::config_types::ShellEnvironmentPolicyToml;
 use crate::config_types::Tui;
 use crate::config_types::UriBasedFileOpener;
+use crate::config_types::Verbosity;
+use crate::git_info::resolve_root_git_project_for_trust;
+use crate::mcp_toml::load_project_overlays;
+use crate::mcp_toml::to_mcp_server_config;
 use crate::model_family::ModelFamily;
 use crate::model_family::find_family_for_model;
 use crate::model_provider_info::ModelProviderInfo;
@@ -13,7 +17,6 @@ use crate::model_provider_info::built_in_model_providers;
 use crate::openai_model_info::get_model_info;
 use crate::protocol::AskForApproval;
 use crate::protocol::SandboxPolicy;
-use crate::spawn::CODEX_ORIGINATOR_ENV_VAR;
 use codex_login::AuthMode;
 use codex_protocol::config_types::ReasoningEffort;
 use codex_protocol::config_types::ReasoningSummary;
@@ -36,6 +39,8 @@ pub(crate) const PROJECT_DOC_MAX_BYTES: usize = 32 * 1024; // 32 KiB
 
 const CONFIG_TOML_FILE: &str = "config.toml";
 
+const DEFAULT_RESPONSES_ORIGINATOR_HEADER: &str = "codex_cli_rs";
+
 /// Application configuration loaded from disk and merged with overrides.
 #[derive(Debug, Clone, PartialEq)]
 pub struct Config {
@@ -149,6 +154,9 @@ pub struct Config {
     /// request using the Responses API.
     pub model_reasoning_summary: ReasoningSummary,
 
+    /// Optional verbosity control for GPT-5 models (Responses API `text.verbosity`).
+    pub model_verbosity: Option<Verbosity>,
+
     /// Base URL for requests to ChatGPT (as opposed to the OpenAI API).
     pub chatgpt_base_url: String,
 
@@ -163,11 +171,15 @@ pub struct Config {
     /// model family's default preference.
     pub include_apply_patch_tool: bool,
 
+    pub tools_web_search_request: bool,
+
     /// The value for the `originator` header included with Responses API requests.
-    pub internal_originator: Option<String>,
+    pub responses_originator_header: String,
 
     /// If set to `true`, the API key will be signed with the `originator` header.
     pub preferred_auth_method: AuthMode,
+
+    pub use_experimental_streamable_shell_tool: bool,
 }
 
 impl Config {
@@ -258,10 +270,61 @@ pub fn set_project_trusted(codex_home: &Path, project_path: &Path) -> anyhow::Re
         Err(e) => return Err(e.into()),
     };
 
-    // Mark the project as trusted. toml_edit is very good at handling
-    // missing properties
+    // Ensure we render a human-friendly structure:
+    //
+    // [projects]
+    // [projects."/path/to/project"]
+    // trust_level = "trusted"
+    //
+    // rather than inline tables like:
+    //
+    // [projects]
+    // "/path/to/project" = { trust_level = "trusted" }
     let project_key = project_path.to_string_lossy().to_string();
-    doc["projects"][project_key.as_str()]["trust_level"] = toml_edit::value("trusted");
+
+    // Ensure top-level `projects` exists as a non-inline, explicit table. If it
+    // exists but was previously represented as a non-table (e.g., inline),
+    // replace it with an explicit table.
+    let mut created_projects_table = false;
+    {
+        let root = doc.as_table_mut();
+        let needs_table = !root.contains_key("projects")
+            || root.get("projects").and_then(|i| i.as_table()).is_none();
+        if needs_table {
+            root.insert("projects", toml_edit::table());
+            created_projects_table = true;
+        }
+    }
+    let Some(projects_tbl) = doc["projects"].as_table_mut() else {
+        return Err(anyhow::anyhow!(
+            "projects table missing after initialization"
+        ));
+    };
+
+    // If we created the `projects` table ourselves, keep it implicit so we
+    // don't render a standalone `[projects]` header.
+    if created_projects_table {
+        projects_tbl.set_implicit(true);
+    }
+
+    // Ensure the per-project entry is its own explicit table. If it exists but
+    // is not a table (e.g., an inline table), replace it with an explicit table.
+    let needs_proj_table = !projects_tbl.contains_key(project_key.as_str())
+        || projects_tbl
+            .get(project_key.as_str())
+            .and_then(|i| i.as_table())
+            .is_none();
+    if needs_proj_table {
+        projects_tbl.insert(project_key.as_str(), toml_edit::table());
+    }
+    let Some(proj_tbl) = projects_tbl
+        .get_mut(project_key.as_str())
+        .and_then(|i| i.as_table_mut())
+    else {
+        return Err(anyhow::anyhow!("project table missing for {}", project_key));
+    };
+    proj_tbl.set_implicit(false);
+    proj_tbl["trust_level"] = toml_edit::value("trusted");
 
     // ensure codex_home exists
     std::fs::create_dir_all(codex_home)?;
@@ -397,6 +460,8 @@ pub struct ConfigToml {
 
     pub model_reasoning_effort: Option<ReasoningEffort>,
     pub model_reasoning_summary: Option<ReasoningSummary>,
+    /// Optional verbosity control for GPT-5 models (Responses API `text.verbosity`).
+    pub model_verbosity: Option<Verbosity>,
 
     /// Override to force-enable reasoning summaries for the configured model.
     pub model_supports_reasoning_summaries: Option<bool>,
@@ -410,13 +475,18 @@ pub struct ConfigToml {
     /// Experimental path to a file whose contents replace the built-in BASE_INSTRUCTIONS.
     pub experimental_instructions_file: Option<PathBuf>,
 
+    pub experimental_use_exec_command_tool: Option<bool>,
+
     /// The value for the `originator` header included with Responses API requests.
-    pub internal_originator: Option<String>,
+    pub responses_originator_header_internal_override: Option<String>,
 
     pub projects: Option<HashMap<String, ProjectConfig>>,
 
     /// If set to `true`, the API key will be signed with the `originator` header.
     pub preferred_auth_method: Option<AuthMode>,
+
+    /// Nested tools section for feature toggles
+    pub tools: Option<ToolsToml>,
 }
 
 #[derive(Deserialize, Debug, Clone, PartialEq, Eq)]
@@ -424,6 +494,13 @@ pub struct ProjectConfig {
     pub trust_level: Option<String>,
 }
 
+#[derive(Deserialize, Debug, Clone, Default)]
+pub struct ToolsToml {
+    // Renamed from `web_search_request`; keep alias for backwards compatibility.
+    #[serde(default, alias = "web_search_request")]
+    pub web_search: Option<bool>,
+}
+
 impl ConfigToml {
     /// Derive the effective sandbox policy from the configuration.
     fn derive_sandbox_policy(&self, sandbox_mode_override: Option<SandboxMode>) -> SandboxPolicy {
@@ -453,10 +530,27 @@ impl ConfigToml {
     pub fn is_cwd_trusted(&self, resolved_cwd: &Path) -> bool {
         let projects = self.projects.clone().unwrap_or_default();
 
-        projects
-            .get(&resolved_cwd.to_string_lossy().to_string())
-            .map(|p| p.trust_level.clone().unwrap_or("".to_string()) == "trusted")
-            .unwrap_or(false)
+        let is_path_trusted = |path: &Path| {
+            let path_str = path.to_string_lossy().to_string();
+            projects
+                .get(&path_str)
+                .map(|p| p.trust_level.as_deref() == Some("trusted"))
+                .unwrap_or(false)
+        };
+
+        // Fast path: exact cwd match
+        if is_path_trusted(resolved_cwd) {
+            return true;
+        }
+
+        // If cwd lives inside a git worktree, check whether the root git project
+        // (the primary repository working directory) is trusted. This lets
+        // worktrees inherit trust from the main project.
+        if let Some(root_project) = resolve_root_git_project_for_trust(resolved_cwd) {
+            return is_path_trusted(&root_project);
+        }
+
+        false
     }
 
     pub fn get_config_profile(
@@ -496,6 +590,7 @@ pub struct ConfigOverrides {
     pub include_apply_patch_tool: Option<bool>,
     pub disable_response_storage: Option<bool>,
     pub show_raw_agent_reasoning: Option<bool>,
+    pub tools_web_search_request: Option<bool>,
 }
 
 impl Config {
@@ -506,6 +601,7 @@ impl Config {
         overrides: ConfigOverrides,
         codex_home: PathBuf,
     ) -> std::io::Result<Self> {
+        let mut cfg = cfg;
         let user_instructions = Self::load_instructions(Some(&codex_home));
 
         // Destructure ConfigOverrides fully to ensure all overrides are applied.
@@ -522,6 +618,7 @@ impl Config {
             include_apply_patch_tool,
             disable_response_storage,
             show_raw_agent_reasoning,
+            tools_web_search_request: override_tools_web_search_request,
         } = overrides;
 
         let config_profile = match config_profile_key.as_ref().or(cfg.profile.as_ref()) {
@@ -560,7 +657,7 @@ impl Config {
             })?
             .clone();
 
-        let shell_environment_policy = cfg.shell_environment_policy.into();
+        let shell_environment_policy = cfg.shell_environment_policy.clone().into();
 
         let resolved_cwd = {
             use std::env;
@@ -581,7 +678,11 @@ impl Config {
             }
         };
 
-        let history = cfg.history.unwrap_or_default();
+        let history = cfg.history.clone().unwrap_or_default();
+
+        let tools_web_search_request = override_tools_web_search_request
+            .or(cfg.tools.as_ref().and_then(|t| t.web_search))
+            .unwrap_or(false);
 
         let model = model
             .or(config_profile.model)
@@ -596,7 +697,7 @@ impl Config {
                 needs_special_apply_patch_instructions: false,
                 supports_reasoning_summaries,
                 uses_local_shell_tool: false,
-                uses_apply_patch_tool: false,
+                apply_patch_tool_type: None,
             }
         });
 
@@ -612,6 +713,37 @@ impl Config {
 
         let experimental_resume = cfg.experimental_resume;
 
+        // Merge project overlays (.mcp.toml and .mcp.local.toml) with precedence:
+        // user (config.toml) < project < local. Skip invalid or non-stdio entries.
+        // Determine project root using the same logic as trust checks.
+        let project_root =
+            resolve_root_git_project_for_trust(&resolved_cwd).unwrap_or(resolved_cwd.clone());
+        if let Ok(overlays) = load_project_overlays(&project_root) {
+            // Start from user-defined servers from config.toml
+            let mut merged = std::mem::take(&mut cfg.mcp_servers);
+
+            // Apply in ascending precedence order: project then local.
+            for (scope, overlay) in overlays.iter().rev() {
+                for (name, entry) in overlay.mcp_servers.iter() {
+                    match to_mcp_server_config(entry, |k| std::env::var(k).ok()) {
+                        Ok(server_cfg) => {
+                            merged.insert(name.clone(), server_cfg);
+                        }
+                        Err(e) => {
+                            tracing::warn!(
+                                "Skipping MCP server `{}` from {:?} overlay: {:#}",
+                                name,
+                                scope,
+                                e
+                            );
+                        }
+                    }
+                }
+            }
+
+            cfg.mcp_servers = merged;
+        }
+
         // Load base instructions override from a file if specified. If the
         // path is relative, resolve it against the effective cwd so the
         // behaviour matches other path-like config values.
@@ -623,12 +755,9 @@ impl Config {
             Self::get_base_instructions(experimental_instructions_path, &resolved_cwd)?;
         let base_instructions = base_instructions.or(file_base_instructions);
 
-        let include_apply_patch_tool_val =
-            include_apply_patch_tool.unwrap_or(model_family.uses_apply_patch_tool);
-
-        let originator = std::env::var(CODEX_ORIGINATOR_ENV_VAR)
-            .ok()
-            .or(cfg.internal_originator);
+        let responses_originator_header: String = cfg
+            .responses_originator_header_internal_override
+            .unwrap_or(DEFAULT_RESPONSES_ORIGINATOR_HEADER.to_owned());
 
         let config = Self {
             model,
@@ -658,7 +787,7 @@ impl Config {
             codex_home,
             history,
             file_opener: cfg.file_opener.unwrap_or(UriBasedFileOpener::VsCode),
-            tui: cfg.tui.unwrap_or_default(),
+            tui: cfg.tui.clone().unwrap_or_default(),
             codex_linux_sandbox_exe,
 
             hide_agent_reasoning: cfg.hide_agent_reasoning.unwrap_or(false),
@@ -674,17 +803,21 @@ impl Config {
                 .model_reasoning_summary
                 .or(cfg.model_reasoning_summary)
                 .unwrap_or_default(),
-
+            model_verbosity: config_profile.model_verbosity.or(cfg.model_verbosity),
             chatgpt_base_url: config_profile
                 .chatgpt_base_url
-                .or(cfg.chatgpt_base_url)
+                .or(cfg.chatgpt_base_url.clone())
                 .unwrap_or("https://chatgpt.com/backend-api/".to_string()),
 
             experimental_resume,
             include_plan_tool: include_plan_tool.unwrap_or(false),
-            include_apply_patch_tool: include_apply_patch_tool_val,
-            internal_originator: originator,
+            include_apply_patch_tool: include_apply_patch_tool.unwrap_or(false),
+            tools_web_search_request,
+            responses_originator_header,
             preferred_auth_method: cfg.preferred_auth_method.unwrap_or(AuthMode::ChatGPT),
+            use_experimental_streamable_shell_tool: cfg
+                .experimental_use_exec_command_tool
+                .unwrap_or(false),
         };
         Ok(config)
     }
@@ -1043,13 +1176,16 @@ disable_response_storage = true
                 show_raw_agent_reasoning: false,
                 model_reasoning_effort: ReasoningEffort::High,
                 model_reasoning_summary: ReasoningSummary::Detailed,
+                model_verbosity: None,
                 chatgpt_base_url: "https://chatgpt.com/backend-api/".to_string(),
                 experimental_resume: None,
                 base_instructions: None,
                 include_plan_tool: false,
                 include_apply_patch_tool: false,
-                internal_originator: None,
+                tools_web_search_request: false,
+                responses_originator_header: "codex_cli_rs".to_string(),
                 preferred_auth_method: AuthMode::ChatGPT,
+                use_experimental_streamable_shell_tool: false,
             },
             o3_profile_config
         );
@@ -1096,13 +1232,16 @@ disable_response_storage = true
             show_raw_agent_reasoning: false,
             model_reasoning_effort: ReasoningEffort::default(),
             model_reasoning_summary: ReasoningSummary::default(),
+            model_verbosity: None,
             chatgpt_base_url: "https://chatgpt.com/backend-api/".to_string(),
             experimental_resume: None,
             base_instructions: None,
             include_plan_tool: false,
             include_apply_patch_tool: false,
-            internal_originator: None,
+            tools_web_search_request: false,
+            responses_originator_header: "codex_cli_rs".to_string(),
             preferred_auth_method: AuthMode::ChatGPT,
+            use_experimental_streamable_shell_tool: false,
         };
 
         assert_eq!(expected_gpt3_profile_config, gpt3_profile_config);
@@ -1164,17 +1303,90 @@ disable_response_storage = true
             show_raw_agent_reasoning: false,
             model_reasoning_effort: ReasoningEffort::default(),
             model_reasoning_summary: ReasoningSummary::default(),
+            model_verbosity: None,
             chatgpt_base_url: "https://chatgpt.com/backend-api/".to_string(),
             experimental_resume: None,
             base_instructions: None,
             include_plan_tool: false,
             include_apply_patch_tool: false,
-            internal_originator: None,
+            tools_web_search_request: false,
+            responses_originator_header: "codex_cli_rs".to_string(),
             preferred_auth_method: AuthMode::ChatGPT,
+            use_experimental_streamable_shell_tool: false,
         };
 
         assert_eq!(expected_zdr_profile_config, zdr_profile_config);
 
         Ok(())
     }
+
+    #[test]
+    fn test_set_project_trusted_writes_explicit_tables() -> anyhow::Result<()> {
+        let codex_home = TempDir::new().unwrap();
+        let project_dir = TempDir::new().unwrap();
+
+        // Call the function under test
+        set_project_trusted(codex_home.path(), project_dir.path())?;
+
+        // Read back the generated config.toml and assert exact contents
+        let config_path = codex_home.path().join(CONFIG_TOML_FILE);
+        let contents = std::fs::read_to_string(&config_path)?;
+
+        let raw_path = project_dir.path().to_string_lossy();
+        let path_str = if raw_path.contains('\\') {
+            format!("'{}'", raw_path)
+        } else {
+            format!("\"{}\"", raw_path)
+        };
+        let expected = format!(
+            r#"[projects.{path_str}]
+trust_level = "trusted"
+"#
+        );
+        assert_eq!(contents, expected);
+
+        Ok(())
+    }
+
+    #[test]
+    fn test_set_project_trusted_converts_inline_to_explicit() -> anyhow::Result<()> {
+        let codex_home = TempDir::new().unwrap();
+        let project_dir = TempDir::new().unwrap();
+
+        // Seed config.toml with an inline project entry under [projects]
+        let config_path = codex_home.path().join(CONFIG_TOML_FILE);
+        let raw_path = project_dir.path().to_string_lossy();
+        let path_str = if raw_path.contains('\\') {
+            format!("'{}'", raw_path)
+        } else {
+            format!("\"{}\"", raw_path)
+        };
+        // Use a quoted key so backslashes don't require escaping on Windows
+        let initial = format!(
+            r#"[projects]
+{path_str} = {{ trust_level = "untrusted" }}
+"#
+        );
+        std::fs::create_dir_all(codex_home.path())?;
+        std::fs::write(&config_path, initial)?;
+
+        // Run the function; it should convert to explicit tables and set trusted
+        set_project_trusted(codex_home.path(), project_dir.path())?;
+
+        let contents = std::fs::read_to_string(&config_path)?;
+
+        // Assert exact output after conversion to explicit table
+        let expected = format!(
+            r#"[projects]
+
+[projects.{path_str}]
+trust_level = "trusted"
+"#
+        );
+        assert_eq!(contents, expected);
+
+        Ok(())
+    }
+
+    // No test enforcing the presence of a standalone [projects] header.
 }

codex-rs/core/src/config_profile.rs

@@ -1,6 +1,7 @@
 use serde::Deserialize;
 use std::path::PathBuf;
 
+use crate::config_types::Verbosity;
 use crate::protocol::AskForApproval;
 use codex_protocol::config_types::ReasoningEffort;
 use codex_protocol::config_types::ReasoningSummary;
@@ -17,6 +18,7 @@ pub struct ConfigProfile {
     pub disable_response_storage: Option<bool>,
     pub model_reasoning_effort: Option<ReasoningEffort>,
     pub model_reasoning_summary: Option<ReasoningSummary>,
+    pub model_verbosity: Option<Verbosity>,
     pub chatgpt_base_url: Option<String>,
     pub experimental_instructions_file: Option<PathBuf>,
 }

codex-rs/core/src/config_types.rs

@@ -8,6 +8,8 @@ use std::path::PathBuf;
 use wildmatch::WildMatchPattern;
 
 use serde::Deserialize;
+use serde::Serialize;
+use strum_macros::Display;
 
 #[derive(Deserialize, Debug, Clone, PartialEq)]
 pub struct McpServerConfig {
@@ -183,3 +185,43 @@ impl From<ShellEnvironmentPolicyToml> for ShellEnvironmentPolicy {
         }
     }
 }
+
+/// See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning
+#[derive(Debug, Serialize, Deserialize, Default, Clone, Copy, PartialEq, Eq, Display)]
+#[serde(rename_all = "lowercase")]
+#[strum(serialize_all = "lowercase")]
+pub enum ReasoningEffort {
+    Low,
+    #[default]
+    Medium,
+    High,
+    /// Option to disable reasoning.
+    None,
+}
+
+/// A summary of the reasoning performed by the model. This can be useful for
+/// debugging and understanding the model's reasoning process.
+/// See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#reasoning-summaries
+#[derive(Debug, Serialize, Deserialize, Default, Clone, Copy, PartialEq, Eq, Display)]
+#[serde(rename_all = "lowercase")]
+#[strum(serialize_all = "lowercase")]
+pub enum ReasoningSummary {
+    #[default]
+    Auto,
+    Concise,
+    Detailed,
+    /// Option to disable reasoning summaries.
+    None,
+}
+
+/// Controls output length/detail on GPT-5 models via the Responses API.
+/// Serialized with lowercase values to match the OpenAI API.
+#[derive(Debug, Serialize, Deserialize, Default, Clone, Copy, PartialEq, Eq, Display)]
+#[serde(rename_all = "lowercase")]
+#[strum(serialize_all = "lowercase")]
+pub enum Verbosity {
+    Low,
+    #[default]
+    Medium,
+    High,
+}

codex-rs/core/src/conversation_history.rs

@@ -1,4 +1,4 @@
-use crate::models::ResponseItem;
+use codex_protocol::models::ResponseItem;
 
 /// Transcript of conversation history
 #[derive(Debug, Clone, Default)]
@@ -28,49 +28,7 @@ impl ConversationHistory {
                 continue;
             }
 
-            // Merge adjacent assistant messages into a single history entry.
-            // This prevents duplicates when a partial assistant message was
-            // streamed into history earlier in the turn and the final full
-            // message is recorded at turn end.
-            match (&*item, self.items.last_mut()) {
-                (
-                    ResponseItem::Message {
-                        role: new_role,
-                        content: new_content,
-                        ..
-                    },
-                    Some(ResponseItem::Message {
-                        role: last_role,
-                        content: last_content,
-                        ..
-                    }),
-                ) if new_role == "assistant" && last_role == "assistant" => {
-                    append_text_content(last_content, new_content);
-                }
-                _ => {
-                    self.items.push(item.clone());
-                }
-            }
-        }
-    }
-
-    /// Append a text `delta` to the latest assistant message, creating a new
-    /// assistant entry if none exists yet (e.g. first delta for this turn).
-    pub(crate) fn append_assistant_text(&mut self, delta: &str) {
-        match self.items.last_mut() {
-            Some(ResponseItem::Message { role, content, .. }) if role == "assistant" => {
-                append_text_delta(content, delta);
-            }
-            _ => {
-                // Start a new assistant message with the delta.
-                self.items.push(ResponseItem::Message {
-                    id: None,
-                    role: "assistant".to_string(),
-                    content: vec![crate::models::ContentItem::OutputText {
-                        text: delta.to_string(),
-                    }],
-                });
-            }
+            self.items.push(item.clone());
         }
     }
 
@@ -110,44 +68,18 @@ fn is_api_message(message: &ResponseItem) -> bool {
         ResponseItem::Message { role, .. } => role.as_str() != "system",
         ResponseItem::FunctionCallOutput { .. }
         | ResponseItem::FunctionCall { .. }
+        | ResponseItem::CustomToolCall { .. }
+        | ResponseItem::CustomToolCallOutput { .. }
         | ResponseItem::LocalShellCall { .. }
         | ResponseItem::Reasoning { .. } => true,
         ResponseItem::Other => false,
     }
 }
 
-/// Helper to append the textual content from `src` into `dst` in place.
-fn append_text_content(
-    dst: &mut Vec<crate::models::ContentItem>,
-    src: &Vec<crate::models::ContentItem>,
-) {
-    for c in src {
-        if let crate::models::ContentItem::OutputText { text } = c {
-            append_text_delta(dst, text);
-        }
-    }
-}
-
-/// Append a single text delta to the last OutputText item in `content`, or
-/// push a new OutputText item if none exists.
-fn append_text_delta(content: &mut Vec<crate::models::ContentItem>, delta: &str) {
-    if let Some(crate::models::ContentItem::OutputText { text }) = content
-        .iter_mut()
-        .rev()
-        .find(|c| matches!(c, crate::models::ContentItem::OutputText { .. }))
-    {
-        text.push_str(delta);
-    } else {
-        content.push(crate::models::ContentItem::OutputText {
-            text: delta.to_string(),
-        });
-    }
-}
-
 #[cfg(test)]
 mod tests {
     use super::*;
-    use crate::models::ContentItem;
+    use codex_protocol::models::ContentItem;
 
     fn assistant_msg(text: &str) -> ResponseItem {
         ResponseItem::Message {
@@ -169,49 +101,6 @@ mod tests {
         }
     }
 
-    #[test]
-    fn merges_adjacent_assistant_messages() {
-        let mut h = ConversationHistory::default();
-        let a1 = assistant_msg("Hello");
-        let a2 = assistant_msg(", world!");
-        h.record_items([&a1, &a2]);
-
-        let items = h.contents();
-        assert_eq!(
-            items,
-            vec![ResponseItem::Message {
-                id: None,
-                role: "assistant".to_string(),
-                content: vec![ContentItem::OutputText {
-                    text: "Hello, world!".to_string()
-                }]
-            }]
-        );
-    }
-
-    #[test]
-    fn append_assistant_text_creates_and_appends() {
-        let mut h = ConversationHistory::default();
-        h.append_assistant_text("Hello");
-        h.append_assistant_text(", world");
-
-        // Now record a final full assistant message and verify it merges.
-        let final_msg = assistant_msg("!");
-        h.record_items([&final_msg]);
-
-        let items = h.contents();
-        assert_eq!(
-            items,
-            vec![ResponseItem::Message {
-                id: None,
-                role: "assistant".to_string(),
-                content: vec![ContentItem::OutputText {
-                    text: "Hello, world!".to_string()
-                }]
-            }]
-        );
-    }
-
     #[test]
     fn filters_non_api_messages() {
         let mut h = ConversationHistory::default();

codex-rs/core/src/conversation_manager.rs

@@ -1,6 +1,7 @@
 use std::collections::HashMap;
 use std::sync::Arc;
 
+use codex_login::AuthManager;
 use codex_login::CodexAuth;
 use tokio::sync::RwLock;
 use uuid::Uuid;
@@ -15,6 +16,7 @@ use crate::error::Result as CodexResult;
 use crate::protocol::Event;
 use crate::protocol::EventMsg;
 use crate::protocol::SessionConfiguredEvent;
+use codex_protocol::models::ResponseItem;
 
 /// Represents a newly created Codex conversation, including the first event
 /// (which is [`EventMsg::SessionConfigured`]).
@@ -28,34 +30,48 @@ pub struct NewConversation {
 /// maintaining them in memory.
 pub struct ConversationManager {
     conversations: Arc<RwLock<HashMap<Uuid, Arc<CodexConversation>>>>,
-}
-
-impl Default for ConversationManager {
-    fn default() -> Self {
-        Self {
-            conversations: Arc::new(RwLock::new(HashMap::new())),
-        }
-    }
+    auth_manager: Arc<AuthManager>,
 }
 
 impl ConversationManager {
-    pub async fn new_conversation(&self, config: Config) -> CodexResult<NewConversation> {
-        let auth = CodexAuth::from_codex_home(&config.codex_home, config.preferred_auth_method)?;
-        self.new_conversation_with_auth(config, auth).await
+    pub fn new(auth_manager: Arc<AuthManager>) -> Self {
+        Self {
+            conversations: Arc::new(RwLock::new(HashMap::new())),
+            auth_manager,
+        }
     }
 
-    /// Used for integration tests: should not be used by ordinary business
-    /// logic.
-    pub async fn new_conversation_with_auth(
+    /// Construct with a dummy AuthManager containing the provided CodexAuth.
+    /// Used for integration tests: should not be used by ordinary business logic.
+    pub fn with_auth(auth: CodexAuth) -> Self {
+        Self::new(codex_login::AuthManager::from_auth_for_testing(auth))
+    }
+
+    pub async fn new_conversation(&self, config: Config) -> CodexResult<NewConversation> {
+        self.spawn_conversation(config, self.auth_manager.clone())
+            .await
+    }
+
+    async fn spawn_conversation(
         &self,
         config: Config,
-        auth: Option<CodexAuth>,
+        auth_manager: Arc<AuthManager>,
     ) -> CodexResult<NewConversation> {
         let CodexSpawnOk {
             codex,
             session_id: conversation_id,
-        } = Codex::spawn(config, auth).await?;
+        } = {
+            let initial_history = None;
+            Codex::spawn(config, auth_manager, initial_history).await?
+        };
+        self.finalize_spawn(codex, conversation_id).await
+    }
 
+    async fn finalize_spawn(
+        &self,
+        codex: Codex,
+        conversation_id: Uuid,
+    ) -> CodexResult<NewConversation> {
         // The first event must be `SessionInitialized`. Validate and forward it
         // to the caller so that they can display it in the conversation
         // history.
@@ -93,4 +109,124 @@ impl ConversationManager {
             .cloned()
             .ok_or_else(|| CodexErr::ConversationNotFound(conversation_id))
     }
+
+    pub async fn remove_conversation(&self, conversation_id: Uuid) {
+        self.conversations.write().await.remove(&conversation_id);
+    }
+
+    /// Fork an existing conversation by dropping the last `drop_last_messages`
+    /// user/assistant messages from its transcript and starting a new
+    /// conversation with identical configuration (unless overridden by the
+    /// caller's `config`). The new conversation will have a fresh id.
+    pub async fn fork_conversation(
+        &self,
+        conversation_history: Vec<ResponseItem>,
+        num_messages_to_drop: usize,
+        config: Config,
+    ) -> CodexResult<NewConversation> {
+        // Compute the prefix up to the cut point.
+        let truncated_history =
+            truncate_after_dropping_last_messages(conversation_history, num_messages_to_drop);
+
+        // Spawn a new conversation with the computed initial history.
+        let auth_manager = self.auth_manager.clone();
+        let CodexSpawnOk {
+            codex,
+            session_id: conversation_id,
+        } = Codex::spawn(config, auth_manager, Some(truncated_history)).await?;
+
+        self.finalize_spawn(codex, conversation_id).await
+    }
+}
+
+/// Return a prefix of `items` obtained by dropping the last `n` user messages
+/// and all items that follow them.
+fn truncate_after_dropping_last_messages(items: Vec<ResponseItem>, n: usize) -> Vec<ResponseItem> {
+    if n == 0 || items.is_empty() {
+        return items;
+    }
+
+    // Walk backwards counting only `user` Message items, find cut index.
+    let mut count = 0usize;
+    let mut cut_index = 0usize;
+    for (idx, item) in items.iter().enumerate().rev() {
+        if let ResponseItem::Message { role, .. } = item
+            && role == "user"
+        {
+            count += 1;
+            if count == n {
+                // Cut everything from this user message to the end.
+                cut_index = idx;
+                break;
+            }
+        }
+    }
+    if count < n {
+        // If fewer than n messages exist, drop everything.
+        Vec::new()
+    } else {
+        items.into_iter().take(cut_index).collect()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use codex_protocol::models::ContentItem;
+    use codex_protocol::models::ReasoningItemReasoningSummary;
+    use codex_protocol::models::ResponseItem;
+
+    fn user_msg(text: &str) -> ResponseItem {
+        ResponseItem::Message {
+            id: None,
+            role: "user".to_string(),
+            content: vec![ContentItem::OutputText {
+                text: text.to_string(),
+            }],
+        }
+    }
+    fn assistant_msg(text: &str) -> ResponseItem {
+        ResponseItem::Message {
+            id: None,
+            role: "assistant".to_string(),
+            content: vec![ContentItem::OutputText {
+                text: text.to_string(),
+            }],
+        }
+    }
+
+    #[test]
+    fn drops_from_last_user_only() {
+        let items = vec![
+            user_msg("u1"),
+            assistant_msg("a1"),
+            assistant_msg("a2"),
+            user_msg("u2"),
+            assistant_msg("a3"),
+            ResponseItem::Reasoning {
+                id: "r1".to_string(),
+                summary: vec![ReasoningItemReasoningSummary::SummaryText {
+                    text: "s".to_string(),
+                }],
+                content: None,
+                encrypted_content: None,
+            },
+            ResponseItem::FunctionCall {
+                id: None,
+                name: "tool".to_string(),
+                arguments: "{}".to_string(),
+                call_id: "c1".to_string(),
+            },
+            assistant_msg("a4"),
+        ];
+
+        let truncated = truncate_after_dropping_last_messages(items.clone(), 1);
+        assert_eq!(
+            truncated,
+            vec![items[0].clone(), items[1].clone(), items[2].clone()]
+        );
+
+        let truncated2 = truncate_after_dropping_last_messages(items, 2);
+        assert!(truncated2.is_empty());
+    }
 }

codex-rs/core/src/environment_context.rs

@@ -2,16 +2,16 @@ use serde::Deserialize;
 use serde::Serialize;
 use strum_macros::Display as DeriveDisplay;
 
-use crate::models::ContentItem;
-use crate::models::ResponseItem;
 use crate::protocol::AskForApproval;
 use crate::protocol::SandboxPolicy;
+use crate::shell::Shell;
 use codex_protocol::config_types::SandboxMode;
-use std::fmt::Display;
+use codex_protocol::models::ContentItem;
+use codex_protocol::models::ResponseItem;
 use std::path::PathBuf;
 
 /// wraps environment context message in a tag for the model to parse more easily.
-pub(crate) const ENVIRONMENT_CONTEXT_START: &str = "<environment_context>\n";
+pub(crate) const ENVIRONMENT_CONTEXT_START: &str = "<environment_context>";
 pub(crate) const ENVIRONMENT_CONTEXT_END: &str = "</environment_context>";
 
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, DeriveDisplay)]
@@ -24,52 +24,87 @@ pub enum NetworkAccess {
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 #[serde(rename = "environment_context", rename_all = "snake_case")]
 pub(crate) struct EnvironmentContext {
-    pub cwd: PathBuf,
-    pub approval_policy: AskForApproval,
-    pub sandbox_mode: SandboxMode,
-    pub network_access: NetworkAccess,
+    pub cwd: Option<PathBuf>,
+    pub approval_policy: Option<AskForApproval>,
+    pub sandbox_mode: Option<SandboxMode>,
+    pub network_access: Option<NetworkAccess>,
+    pub shell: Option<Shell>,
 }
 
 impl EnvironmentContext {
     pub fn new(
-        cwd: PathBuf,
-        approval_policy: AskForApproval,
-        sandbox_policy: SandboxPolicy,
+        cwd: Option<PathBuf>,
+        approval_policy: Option<AskForApproval>,
+        sandbox_policy: Option<SandboxPolicy>,
+        shell: Option<Shell>,
     ) -> Self {
         Self {
             cwd,
             approval_policy,
             sandbox_mode: match sandbox_policy {
-                SandboxPolicy::DangerFullAccess => SandboxMode::DangerFullAccess,
-                SandboxPolicy::ReadOnly => SandboxMode::ReadOnly,
-                SandboxPolicy::WorkspaceWrite { .. } => SandboxMode::WorkspaceWrite,
+                Some(SandboxPolicy::DangerFullAccess) => Some(SandboxMode::DangerFullAccess),
+                Some(SandboxPolicy::ReadOnly) => Some(SandboxMode::ReadOnly),
+                Some(SandboxPolicy::WorkspaceWrite { .. }) => Some(SandboxMode::WorkspaceWrite),
+                None => None,
             },
             network_access: match sandbox_policy {
-                SandboxPolicy::DangerFullAccess => NetworkAccess::Enabled,
-                SandboxPolicy::ReadOnly => NetworkAccess::Restricted,
-                SandboxPolicy::WorkspaceWrite { network_access, .. } => {
+                Some(SandboxPolicy::DangerFullAccess) => Some(NetworkAccess::Enabled),
+                Some(SandboxPolicy::ReadOnly) => Some(NetworkAccess::Restricted),
+                Some(SandboxPolicy::WorkspaceWrite { network_access, .. }) => {
                     if network_access {
-                        NetworkAccess::Enabled
+                        Some(NetworkAccess::Enabled)
                     } else {
-                        NetworkAccess::Restricted
+                        Some(NetworkAccess::Restricted)
                     }
                 }
+                None => None,
             },
+            shell,
         }
     }
 }
 
-impl Display for EnvironmentContext {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        writeln!(
-            f,
-            "Current working directory: {}",
-            self.cwd.to_string_lossy()
-        )?;
-        writeln!(f, "Approval policy: {}", self.approval_policy)?;
-        writeln!(f, "Sandbox mode: {}", self.sandbox_mode)?;
-        writeln!(f, "Network access: {}", self.network_access)?;
-        Ok(())
+impl EnvironmentContext {
+    /// Serializes the environment context to XML. Libraries like `quick-xml`
+    /// require custom macros to handle Enums with newtypes, so we just do it
+    /// manually, to keep things simple. Output looks like:
+    ///
+    /// ```xml
+    /// <environment_context>
+    ///   <cwd>...</cwd>
+    ///   <approval_policy>...</approval_policy>
+    ///   <sandbox_mode>...</sandbox_mode>
+    ///   <network_access>...</network_access>
+    ///   <shell>...</shell>
+    /// </environment_context>
+    /// ```
+    pub fn serialize_to_xml(self) -> String {
+        let mut lines = vec![ENVIRONMENT_CONTEXT_START.to_string()];
+        if let Some(cwd) = self.cwd {
+            lines.push(format!("  <cwd>{}</cwd>", cwd.to_string_lossy()));
+        }
+        if let Some(approval_policy) = self.approval_policy {
+            lines.push(format!(
+                "  <approval_policy>{}</approval_policy>",
+                approval_policy
+            ));
+        }
+        if let Some(sandbox_mode) = self.sandbox_mode {
+            lines.push(format!("  <sandbox_mode>{}</sandbox_mode>", sandbox_mode));
+        }
+        if let Some(network_access) = self.network_access {
+            lines.push(format!(
+                "  <network_access>{}</network_access>",
+                network_access
+            ));
+        }
+        if let Some(shell) = self.shell
+            && let Some(shell_name) = shell.name()
+        {
+            lines.push(format!("  <shell>{}</shell>", shell_name));
+        }
+        lines.push(ENVIRONMENT_CONTEXT_END.to_string());
+        lines.join("\n")
     }
 }
 
@@ -79,7 +114,7 @@ impl From<EnvironmentContext> for ResponseItem {
             id: None,
             role: "user".to_string(),
             content: vec![ContentItem::InputText {
-                text: format!("{ENVIRONMENT_CONTEXT_START}{ec}{ENVIRONMENT_CONTEXT_END}"),
+                text: ec.serialize_to_xml(),
             }],
         }
     }

codex-rs/core/src/error.rs

@@ -128,27 +128,70 @@ pub enum CodexErr {
 #[derive(Debug)]
 pub struct UsageLimitReachedError {
     pub plan_type: Option<String>,
+    pub resets_in_seconds: Option<u64>,
 }
 
 impl std::fmt::Display for UsageLimitReachedError {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        // Base message differs slightly for legacy ChatGPT Plus plan users.
         if let Some(plan_type) = &self.plan_type
             && plan_type == "plus"
         {
             write!(
                 f,
-                "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing), or wait for limits to reset (every 5h and every week.)."
+                "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing) or try again"
             )?;
+            if let Some(secs) = self.resets_in_seconds {
+                let reset_duration = format_reset_duration(secs);
+                write!(f, " in {reset_duration}.")?;
+            } else {
+                write!(f, " later.")?;
+            }
         } else {
-            write!(
-                f,
-                "You've hit your usage limit. Limits reset every 5h and every week."
-            )?;
+            write!(f, "You've hit your usage limit.")?;
+
+            if let Some(secs) = self.resets_in_seconds {
+                let reset_duration = format_reset_duration(secs);
+                write!(f, " Try again in {reset_duration}.")?;
+            } else {
+                write!(f, " Try again later.")?;
+            }
         }
+
         Ok(())
     }
 }
 
+fn format_reset_duration(total_secs: u64) -> String {
+    let days = total_secs / 86_400;
+    let hours = (total_secs % 86_400) / 3_600;
+    let minutes = (total_secs % 3_600) / 60;
+
+    let mut parts: Vec<String> = Vec::new();
+    if days > 0 {
+        let unit = if days == 1 { "day" } else { "days" };
+        parts.push(format!("{} {}", days, unit));
+    }
+    if hours > 0 {
+        let unit = if hours == 1 { "hour" } else { "hours" };
+        parts.push(format!("{} {}", hours, unit));
+    }
+    if minutes > 0 {
+        let unit = if minutes == 1 { "minute" } else { "minutes" };
+        parts.push(format!("{} {}", minutes, unit));
+    }
+
+    if parts.is_empty() {
+        return "less than a minute".to_string();
+    }
+
+    match parts.len() {
+        1 => parts[0].clone(),
+        2 => format!("{} {}", parts[0], parts[1]),
+        _ => format!("{} {} {}", parts[0], parts[1], parts[2]),
+    }
+}
+
 #[derive(Debug)]
 pub struct EnvVarError {
     /// Name of the environment variable that is missing.
@@ -181,6 +224,8 @@ impl CodexErr {
 pub fn get_error_message_ui(e: &CodexErr) -> String {
     match e {
         CodexErr::Sandbox(SandboxErr::Denied(_, _, stderr)) => stderr.to_string(),
+        // Timeouts are not sandbox errors from a UX perspective; present them plainly
+        CodexErr::Sandbox(SandboxErr::Timeout) => "error: command timed out".to_string(),
         _ => e.to_string(),
     }
 }
@@ -193,19 +238,23 @@ mod tests {
     fn usage_limit_reached_error_formats_plus_plan() {
         let err = UsageLimitReachedError {
             plan_type: Some("plus".to_string()),
+            resets_in_seconds: None,
         };
         assert_eq!(
             err.to_string(),
-            "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing), or wait for limits to reset (every 5h and every week.)."
+            "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing) or try again later."
         );
     }
 
     #[test]
     fn usage_limit_reached_error_formats_default_when_none() {
-        let err = UsageLimitReachedError { plan_type: None };
+        let err = UsageLimitReachedError {
+            plan_type: None,
+            resets_in_seconds: None,
+        };
         assert_eq!(
             err.to_string(),
-            "You've hit your usage limit. Limits reset every 5h and every week."
+            "You've hit your usage limit. Try again later."
         );
     }
 
@@ -213,10 +262,59 @@ mod tests {
     fn usage_limit_reached_error_formats_default_for_other_plans() {
         let err = UsageLimitReachedError {
             plan_type: Some("pro".to_string()),
+            resets_in_seconds: None,
         };
         assert_eq!(
             err.to_string(),
-            "You've hit your usage limit. Limits reset every 5h and every week."
+            "You've hit your usage limit. Try again later."
+        );
+    }
+
+    #[test]
+    fn usage_limit_reached_includes_minutes_when_available() {
+        let err = UsageLimitReachedError {
+            plan_type: None,
+            resets_in_seconds: Some(5 * 60),
+        };
+        assert_eq!(
+            err.to_string(),
+            "You've hit your usage limit. Try again in 5 minutes."
+        );
+    }
+
+    #[test]
+    fn usage_limit_reached_includes_hours_and_minutes() {
+        let err = UsageLimitReachedError {
+            plan_type: Some("plus".to_string()),
+            resets_in_seconds: Some(3 * 3600 + 32 * 60),
+        };
+        assert_eq!(
+            err.to_string(),
+            "You've hit your usage limit. Upgrade to Pro (https://openai.com/chatgpt/pricing) or try again in 3 hours 32 minutes."
+        );
+    }
+
+    #[test]
+    fn usage_limit_reached_includes_days_hours_minutes() {
+        let err = UsageLimitReachedError {
+            plan_type: None,
+            resets_in_seconds: Some(2 * 86_400 + 3 * 3600 + 5 * 60),
+        };
+        assert_eq!(
+            err.to_string(),
+            "You've hit your usage limit. Try again in 2 days 3 hours 5 minutes."
+        );
+    }
+
+    #[test]
+    fn usage_limit_reached_less_than_minute() {
+        let err = UsageLimitReachedError {
+            plan_type: None,
+            resets_in_seconds: Some(30),
+        };
+        assert_eq!(
+            err.to_string(),
+            "You've hit your usage limit. Try again in less than a minute."
         );
     }
 }

codex-rs/core/src/exec.rs

@@ -28,18 +28,17 @@ use crate::spawn::StdioPolicy;
 use crate::spawn::spawn_child_async;
 use serde_bytes::ByteBuf;
 
-// Maximum we send for each stream, which is either:
-// - 10KiB OR
-// - 256 lines
-const MAX_STREAM_OUTPUT: usize = 10 * 1024;
-const MAX_STREAM_OUTPUT_LINES: usize = 256;
-
 const DEFAULT_TIMEOUT_MS: u64 = 10_000;
 
 // Hardcode these since it does not seem worth including the libc crate just
 // for these.
 const SIGKILL_CODE: i32 = 9;
 const TIMEOUT_CODE: i32 = 64;
+const EXIT_CODE_SIGNAL_BASE: i32 = 128; // conventional shell: 128 + signal
+
+// I/O buffer sizing
+const READ_CHUNK_SIZE: usize = 8192; // bytes per read
+const AGGREGATE_BUFFER_INITIAL_CAPACITY: usize = 8 * 1024; // 8 KiB
 
 #[derive(Debug, Clone)]
 pub struct ExecParams {
@@ -153,6 +152,7 @@ pub async fn process_exec_tool_call(
                 exit_code,
                 stdout,
                 stderr,
+                aggregated_output: raw_output.aggregated_output.from_utf8_lossy(),
                 duration,
             })
         }
@@ -189,10 +189,11 @@ pub struct StreamOutput<T> {
     pub truncated_after_lines: Option<u32>,
 }
 #[derive(Debug)]
-pub struct RawExecToolCallOutput {
+struct RawExecToolCallOutput {
     pub exit_status: ExitStatus,
     pub stdout: StreamOutput<Vec<u8>>,
     pub stderr: StreamOutput<Vec<u8>>,
+    pub aggregated_output: StreamOutput<Vec<u8>>,
 }
 
 impl StreamOutput<String> {
@@ -213,11 +214,17 @@ impl StreamOutput<Vec<u8>> {
     }
 }
 
+#[inline]
+fn append_all(dst: &mut Vec<u8>, src: &[u8]) {
+    dst.extend_from_slice(src);
+}
+
 #[derive(Debug)]
 pub struct ExecToolCallOutput {
     pub exit_code: i32,
     pub stdout: StreamOutput<String>,
     pub stderr: StreamOutput<String>,
+    pub aggregated_output: StreamOutput<String>,
     pub duration: Duration,
 }
 
@@ -253,7 +260,7 @@ async fn exec(
 
 /// Consumes the output of a child process, truncating it so it is suitable for
 /// use as the output of a `shell` tool call. Also enforces specified timeout.
-pub(crate) async fn consume_truncated_output(
+async fn consume_truncated_output(
     mut child: Child,
     timeout: Duration,
     stdout_stream: Option<StdoutStream>,
@@ -273,19 +280,19 @@ pub(crate) async fn consume_truncated_output(
         ))
     })?;
 
+    let (agg_tx, agg_rx) = async_channel::unbounded::<Vec<u8>>();
+
     let stdout_handle = tokio::spawn(read_capped(
         BufReader::new(stdout_reader),
-        MAX_STREAM_OUTPUT,
-        MAX_STREAM_OUTPUT_LINES,
         stdout_stream.clone(),
         false,
+        Some(agg_tx.clone()),
     ));
     let stderr_handle = tokio::spawn(read_capped(
         BufReader::new(stderr_reader),
-        MAX_STREAM_OUTPUT,
-        MAX_STREAM_OUTPUT_LINES,
         stdout_stream.clone(),
         true,
+        Some(agg_tx.clone()),
     ));
 
     let exit_status = tokio::select! {
@@ -297,38 +304,48 @@ pub(crate) async fn consume_truncated_output(
                     // timeout
                     child.start_kill()?;
                     // Debatable whether `child.wait().await` should be called here.
-                    synthetic_exit_status(128 + TIMEOUT_CODE)
+                    synthetic_exit_status(EXIT_CODE_SIGNAL_BASE + TIMEOUT_CODE)
                 }
             }
         }
         _ = tokio::signal::ctrl_c() => {
             child.start_kill()?;
-            synthetic_exit_status(128 + SIGKILL_CODE)
+            synthetic_exit_status(EXIT_CODE_SIGNAL_BASE + SIGKILL_CODE)
         }
     };
 
     let stdout = stdout_handle.await??;
     let stderr = stderr_handle.await??;
 
+    drop(agg_tx);
+
+    let mut combined_buf = Vec::with_capacity(AGGREGATE_BUFFER_INITIAL_CAPACITY);
+    while let Ok(chunk) = agg_rx.recv().await {
+        append_all(&mut combined_buf, &chunk);
+    }
+    let aggregated_output = StreamOutput {
+        text: combined_buf,
+        truncated_after_lines: None,
+    };
+
     Ok(RawExecToolCallOutput {
         exit_status,
         stdout,
         stderr,
+        aggregated_output,
     })
 }
 
 async fn read_capped<R: AsyncRead + Unpin + Send + 'static>(
     mut reader: R,
-    max_output: usize,
-    max_lines: usize,
     stream: Option<StdoutStream>,
     is_stderr: bool,
+    aggregate_tx: Option<Sender<Vec<u8>>>,
 ) -> io::Result<StreamOutput<Vec<u8>>> {
-    let mut buf = Vec::with_capacity(max_output.min(8 * 1024));
-    let mut tmp = [0u8; 8192];
+    let mut buf = Vec::with_capacity(AGGREGATE_BUFFER_INITIAL_CAPACITY);
+    let mut tmp = [0u8; READ_CHUNK_SIZE];
 
-    let mut remaining_bytes = max_output;
-    let mut remaining_lines = max_lines;
+    // No caps: append all bytes
 
     loop {
         let n = reader.read(&mut tmp).await?;
@@ -355,33 +372,17 @@ async fn read_capped<R: AsyncRead + Unpin + Send + 'static>(
             let _ = stream.tx_event.send(event).await;
         }
 
-        // Copy into the buffer only while we still have byte and line budget.
-        if remaining_bytes > 0 && remaining_lines > 0 {
-            let mut copy_len = 0;
-            for &b in &tmp[..n] {
-                if remaining_bytes == 0 || remaining_lines == 0 {
-                    break;
-                }
-                copy_len += 1;
-                remaining_bytes -= 1;
-                if b == b'\n' {
-                    remaining_lines -= 1;
-                }
-            }
-            buf.extend_from_slice(&tmp[..copy_len]);
+        if let Some(tx) = &aggregate_tx {
+            let _ = tx.send(tmp[..n].to_vec()).await;
         }
-        // Continue reading to EOF to avoid back-pressure, but discard once caps are hit.
-    }
 
-    let truncated = remaining_lines == 0 || remaining_bytes == 0;
+        append_all(&mut buf, &tmp[..n]);
+        // Continue reading to EOF to avoid back-pressure
+    }
 
     Ok(StreamOutput {
         text: buf,
-        truncated_after_lines: if truncated {
-            Some((max_lines - remaining_lines) as u32)
-        } else {
-            None
-        },
+        truncated_after_lines: None,
     })
 }
 

codex-rs/core/src/exec_command/exec_command_params.rs

@@ -0,0 +1,57 @@
+use serde::Deserialize;
+use serde::Serialize;
+
+use crate::exec_command::session_id::SessionId;
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct ExecCommandParams {
+    pub(crate) cmd: String,
+
+    #[serde(default = "default_yield_time")]
+    pub(crate) yield_time_ms: u64,
+
+    #[serde(default = "max_output_tokens")]
+    pub(crate) max_output_tokens: u64,
+
+    #[serde(default = "default_shell")]
+    pub(crate) shell: String,
+
+    #[serde(default = "default_login")]
+    pub(crate) login: bool,
+}
+
+fn default_yield_time() -> u64 {
+    10_000
+}
+
+fn max_output_tokens() -> u64 {
+    10_000
+}
+
+fn default_login() -> bool {
+    true
+}
+
+fn default_shell() -> String {
+    "/bin/bash".to_string()
+}
+
+#[derive(Debug, Deserialize, Serialize)]
+pub struct WriteStdinParams {
+    pub(crate) session_id: SessionId,
+    pub(crate) chars: String,
+
+    #[serde(default = "write_stdin_default_yield_time_ms")]
+    pub(crate) yield_time_ms: u64,
+
+    #[serde(default = "write_stdin_default_max_output_tokens")]
+    pub(crate) max_output_tokens: u64,
+}
+
+fn write_stdin_default_yield_time_ms() -> u64 {
+    250
+}
+
+fn write_stdin_default_max_output_tokens() -> u64 {
+    10_000
+}

codex-rs/core/src/exec_command/exec_command_session.rs

@@ -0,0 +1,83 @@
+use std::sync::Mutex as StdMutex;
+
+use tokio::sync::broadcast;
+use tokio::sync::mpsc;
+use tokio::task::JoinHandle;
+
+#[derive(Debug)]
+pub(crate) struct ExecCommandSession {
+    /// Queue for writing bytes to the process stdin (PTY master write side).
+    writer_tx: mpsc::Sender<Vec<u8>>,
+    /// Broadcast stream of output chunks read from the PTY. New subscribers
+    /// receive only chunks emitted after they subscribe.
+    output_tx: broadcast::Sender<Vec<u8>>,
+
+    /// Child killer handle for termination on drop (can signal independently
+    /// of a thread blocked in `.wait()`).
+    killer: StdMutex<Option<Box<dyn portable_pty::ChildKiller + Send + Sync>>>,
+
+    /// JoinHandle for the blocking PTY reader task.
+    reader_handle: StdMutex<Option<JoinHandle<()>>>,
+
+    /// JoinHandle for the stdin writer task.
+    writer_handle: StdMutex<Option<JoinHandle<()>>>,
+
+    /// JoinHandle for the child wait task.
+    wait_handle: StdMutex<Option<JoinHandle<()>>>,
+}
+
+impl ExecCommandSession {
+    pub(crate) fn new(
+        writer_tx: mpsc::Sender<Vec<u8>>,
+        output_tx: broadcast::Sender<Vec<u8>>,
+        killer: Box<dyn portable_pty::ChildKiller + Send + Sync>,
+        reader_handle: JoinHandle<()>,
+        writer_handle: JoinHandle<()>,
+        wait_handle: JoinHandle<()>,
+    ) -> Self {
+        Self {
+            writer_tx,
+            output_tx,
+            killer: StdMutex::new(Some(killer)),
+            reader_handle: StdMutex::new(Some(reader_handle)),
+            writer_handle: StdMutex::new(Some(writer_handle)),
+            wait_handle: StdMutex::new(Some(wait_handle)),
+        }
+    }
+
+    pub(crate) fn writer_sender(&self) -> mpsc::Sender<Vec<u8>> {
+        self.writer_tx.clone()
+    }
+
+    pub(crate) fn output_receiver(&self) -> broadcast::Receiver<Vec<u8>> {
+        self.output_tx.subscribe()
+    }
+}
+
+impl Drop for ExecCommandSession {
+    fn drop(&mut self) {
+        // Best-effort: terminate child first so blocking tasks can complete.
+        if let Ok(mut killer_opt) = self.killer.lock()
+            && let Some(mut killer) = killer_opt.take()
+        {
+            let _ = killer.kill();
+        }
+
+        // Abort background tasks; they may already have exited after kill.
+        if let Ok(mut h) = self.reader_handle.lock()
+            && let Some(handle) = h.take()
+        {
+            handle.abort();
+        }
+        if let Ok(mut h) = self.writer_handle.lock()
+            && let Some(handle) = h.take()
+        {
+            handle.abort();
+        }
+        if let Ok(mut h) = self.wait_handle.lock()
+            && let Some(handle) = h.take()
+        {
+            handle.abort();
+        }
+    }
+}

codex-rs/core/src/exec_command/mod.rs

@@ -0,0 +1,14 @@
+mod exec_command_params;
+mod exec_command_session;
+mod responses_api;
+mod session_id;
+mod session_manager;
+
+pub use exec_command_params::ExecCommandParams;
+pub use exec_command_params::WriteStdinParams;
+pub use responses_api::EXEC_COMMAND_TOOL_NAME;
+pub use responses_api::WRITE_STDIN_TOOL_NAME;
+pub use responses_api::create_exec_command_tool_for_responses_api;
+pub use responses_api::create_write_stdin_tool_for_responses_api;
+pub use session_manager::SessionManager as ExecSessionManager;
+pub use session_manager::result_into_payload;

codex-rs/core/src/exec_command/responses_api.rs

@@ -0,0 +1,98 @@
+use std::collections::BTreeMap;
+
+use crate::openai_tools::JsonSchema;
+use crate::openai_tools::ResponsesApiTool;
+
+pub const EXEC_COMMAND_TOOL_NAME: &str = "exec_command";
+pub const WRITE_STDIN_TOOL_NAME: &str = "write_stdin";
+
+pub fn create_exec_command_tool_for_responses_api() -> ResponsesApiTool {
+    let mut properties = BTreeMap::<String, JsonSchema>::new();
+    properties.insert(
+        "cmd".to_string(),
+        JsonSchema::String {
+            description: Some("The shell command to execute.".to_string()),
+        },
+    );
+    properties.insert(
+        "yield_time_ms".to_string(),
+        JsonSchema::Number {
+            description: Some("The maximum time in milliseconds to wait for output.".to_string()),
+        },
+    );
+    properties.insert(
+        "max_output_tokens".to_string(),
+        JsonSchema::Number {
+            description: Some("The maximum number of tokens to output.".to_string()),
+        },
+    );
+    properties.insert(
+        "shell".to_string(),
+        JsonSchema::String {
+            description: Some("The shell to use. Defaults to \"/bin/bash\".".to_string()),
+        },
+    );
+    properties.insert(
+        "login".to_string(),
+        JsonSchema::Boolean {
+            description: Some(
+                "Whether to run the command as a login shell. Defaults to true.".to_string(),
+            ),
+        },
+    );
+
+    ResponsesApiTool {
+        name: EXEC_COMMAND_TOOL_NAME.to_owned(),
+        description: r#"Execute shell commands on the local machine with streaming output."#
+            .to_string(),
+        strict: false,
+        parameters: JsonSchema::Object {
+            properties,
+            required: Some(vec!["cmd".to_string()]),
+            additional_properties: Some(false),
+        },
+    }
+}
+
+pub fn create_write_stdin_tool_for_responses_api() -> ResponsesApiTool {
+    let mut properties = BTreeMap::<String, JsonSchema>::new();
+    properties.insert(
+        "session_id".to_string(),
+        JsonSchema::Number {
+            description: Some("The ID of the exec_command session.".to_string()),
+        },
+    );
+    properties.insert(
+        "chars".to_string(),
+        JsonSchema::String {
+            description: Some("The characters to write to stdin.".to_string()),
+        },
+    );
+    properties.insert(
+        "yield_time_ms".to_string(),
+        JsonSchema::Number {
+            description: Some(
+                "The maximum time in milliseconds to wait for output after writing.".to_string(),
+            ),
+        },
+    );
+    properties.insert(
+        "max_output_tokens".to_string(),
+        JsonSchema::Number {
+            description: Some("The maximum number of tokens to output.".to_string()),
+        },
+    );
+
+    ResponsesApiTool {
+        name: WRITE_STDIN_TOOL_NAME.to_owned(),
+        description: r#"Write characters to an exec session's stdin. Returns all stdout+stderr received within yield_time_ms.
+Can write control characters (\u0003 for Ctrl-C), or an empty string to just poll stdout+stderr."#
+            .to_string(),
+        strict: false,
+        parameters: JsonSchema::Object {
+            properties,
+            required: Some(vec!["session_id".to_string(), "chars".to_string()]),
+            additional_properties: Some(false),
+        },
+    }
+}

codex-rs/core/src/exec_command/session_id.rs

@@ -0,0 +1,5 @@
+use serde::Deserialize;
+use serde::Serialize;
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
+pub(crate) struct SessionId(pub u32);

codex-rs/core/src/exec_command/session_manager.rs

@@ -0,0 +1,674 @@
+use std::collections::HashMap;
+use std::io::ErrorKind;
+use std::io::Read;
+use std::sync::Arc;
+use std::sync::Mutex as StdMutex;
+use std::sync::atomic::AtomicU32;
+
+use portable_pty::CommandBuilder;
+use portable_pty::PtySize;
+use portable_pty::native_pty_system;
+use tokio::sync::Mutex;
+use tokio::sync::mpsc;
+use tokio::sync::oneshot;
+use tokio::time::Duration;
+use tokio::time::Instant;
+use tokio::time::timeout;
+
+use crate::exec_command::exec_command_params::ExecCommandParams;
+use crate::exec_command::exec_command_params::WriteStdinParams;
+use crate::exec_command::exec_command_session::ExecCommandSession;
+use crate::exec_command::session_id::SessionId;
+use codex_protocol::models::FunctionCallOutputPayload;
+
+#[derive(Debug, Default)]
+pub struct SessionManager {
+    next_session_id: AtomicU32,
+    sessions: Mutex<HashMap<SessionId, ExecCommandSession>>,
+}
+
+#[derive(Debug)]
+pub struct ExecCommandOutput {
+    wall_time: Duration,
+    exit_status: ExitStatus,
+    original_token_count: Option<u64>,
+    output: String,
+}
+
+impl ExecCommandOutput {
+    fn to_text_output(&self) -> String {
+        let wall_time_secs = self.wall_time.as_secs_f32();
+        let termination_status = match self.exit_status {
+            ExitStatus::Exited(code) => format!("Process exited with code {code}"),
+            ExitStatus::Ongoing(session_id) => {
+                format!("Process running with session ID {}", session_id.0)
+            }
+        };
+        let truncation_status = match self.original_token_count {
+            Some(tokens) => {
+                format!("\nWarning: truncated output (original token count: {tokens})")
+            }
+            None => "".to_string(),
+        };
+        format!(
+            r#"Wall time: {wall_time_secs:.3} seconds
+{termination_status}{truncation_status}
+Output:
+{output}"#,
+            output = self.output
+        )
+    }
+}
+
+#[derive(Debug)]
+pub enum ExitStatus {
+    Exited(i32),
+    Ongoing(SessionId),
+}
+
+pub fn result_into_payload(result: Result<ExecCommandOutput, String>) -> FunctionCallOutputPayload {
+    match result {
+        Ok(output) => FunctionCallOutputPayload {
+            content: output.to_text_output(),
+            success: Some(true),
+        },
+        Err(err) => FunctionCallOutputPayload {
+            content: err,
+            success: Some(false),
+        },
+    }
+}
+
+impl SessionManager {
+    /// Processes the request and is required to send a response via `outgoing`.
+    pub async fn handle_exec_command_request(
+        &self,
+        params: ExecCommandParams,
+    ) -> Result<ExecCommandOutput, String> {
+        // Allocate a session id.
+        let session_id = SessionId(
+            self.next_session_id
+                .fetch_add(1, std::sync::atomic::Ordering::SeqCst),
+        );
+
+        let (session, mut exit_rx) =
+            create_exec_command_session(params.clone())
+                .await
+                .map_err(|err| {
+                    format!(
+                        "failed to create exec command session for session id {}: {err}",
+                        session_id.0
+                    )
+                })?;
+
+        // Insert into session map.
+        let mut output_rx = session.output_receiver();
+        self.sessions.lock().await.insert(session_id, session);
+
+        // Collect output until either timeout expires or process exits.
+        // Do not cap during collection; truncate at the end if needed.
+        // Use a modest initial capacity to avoid large preallocation.
+        let cap_bytes_u64 = params.max_output_tokens.saturating_mul(4);
+        let cap_bytes: usize = cap_bytes_u64.min(usize::MAX as u64) as usize;
+        let mut collected: Vec<u8> = Vec::with_capacity(4096);
+
+        let start_time = Instant::now();
+        let deadline = start_time + Duration::from_millis(params.yield_time_ms);
+        let mut exit_code: Option<i32> = None;
+
+        loop {
+            if Instant::now() >= deadline {
+                break;
+            }
+            let remaining = deadline.saturating_duration_since(Instant::now());
+            tokio::select! {
+                biased;
+                exit = &mut exit_rx => {
+                    exit_code = exit.ok();
+                    // Small grace period to pull remaining buffered output
+                    let grace_deadline = Instant::now() + Duration::from_millis(25);
+                    while Instant::now() < grace_deadline {
+                        match timeout(Duration::from_millis(1), output_rx.recv()).await {
+                            Ok(Ok(chunk)) => {
+                                collected.extend_from_slice(&chunk);
+                            }
+                            Ok(Err(tokio::sync::broadcast::error::RecvError::Lagged(_))) => {
+                                // Skip missed messages; keep trying within grace period.
+                                continue;
+                            }
+                            Ok(Err(tokio::sync::broadcast::error::RecvError::Closed)) => break,
+                            Err(_) => break,
+                        }
+                    }
+                    break;
+                }
+                chunk = timeout(remaining, output_rx.recv()) => {
+                    match chunk {
+                        Ok(Ok(chunk)) => {
+                            collected.extend_from_slice(&chunk);
+                        }
+                        Ok(Err(tokio::sync::broadcast::error::RecvError::Lagged(_))) => {
+                            // Skip missed messages; continue collecting fresh output.
+                        }
+                        Ok(Err(tokio::sync::broadcast::error::RecvError::Closed)) => { break; }
+                        Err(_) => { break; }
+                    }
+                }
+            }
+        }
+
+        let output = String::from_utf8_lossy(&collected).to_string();
+
+        let exit_status = if let Some(code) = exit_code {
+            ExitStatus::Exited(code)
+        } else {
+            ExitStatus::Ongoing(session_id)
+        };
+
+        // If output exceeds cap, truncate the middle and record original token estimate.
+        let (output, original_token_count) = truncate_middle(&output, cap_bytes);
+        Ok(ExecCommandOutput {
+            wall_time: Instant::now().duration_since(start_time),
+            exit_status,
+            original_token_count,
+            output,
+        })
+    }
+
+    /// Write characters to a session's stdin and collect combined output for up to `yield_time_ms`.
+    pub async fn handle_write_stdin_request(
+        &self,
+        params: WriteStdinParams,
+    ) -> Result<ExecCommandOutput, String> {
+        let WriteStdinParams {
+            session_id,
+            chars,
+            yield_time_ms,
+            max_output_tokens,
+        } = params;
+
+        // Grab handles without holding the sessions lock across await points.
+        let (writer_tx, mut output_rx) = {
+            let sessions = self.sessions.lock().await;
+            match sessions.get(&session_id) {
+                Some(session) => (session.writer_sender(), session.output_receiver()),
+                None => {
+                    return Err(format!("unknown session id {}", session_id.0));
+                }
+            }
+        };
+
+        // Write stdin if provided.
+        if !chars.is_empty() && writer_tx.send(chars.into_bytes()).await.is_err() {
+            return Err("failed to write to stdin".to_string());
+        }
+
+        // Collect output up to yield_time_ms, truncating to max_output_tokens bytes.
+        let mut collected: Vec<u8> = Vec::with_capacity(4096);
+        let start_time = Instant::now();
+        let deadline = start_time + Duration::from_millis(yield_time_ms);
+        loop {
+            let now = Instant::now();
+            if now >= deadline {
+                break;
+            }
+            let remaining = deadline - now;
+            match timeout(remaining, output_rx.recv()).await {
+                Ok(Ok(chunk)) => {
+                    // Collect all output within the time budget; truncate at the end.
+                    collected.extend_from_slice(&chunk);
+                }
+                Ok(Err(tokio::sync::broadcast::error::RecvError::Lagged(_))) => {
+                    // Skip missed messages; continue collecting fresh output.
+                }
+                Ok(Err(tokio::sync::broadcast::error::RecvError::Closed)) => break,
+                Err(_) => break, // timeout
+            }
+        }
+
+        // Return structured output, truncating middle if over cap.
+        let output = String::from_utf8_lossy(&collected).to_string();
+        let cap_bytes_u64 = max_output_tokens.saturating_mul(4);
+        let cap_bytes: usize = cap_bytes_u64.min(usize::MAX as u64) as usize;
+        let (output, original_token_count) = truncate_middle(&output, cap_bytes);
+        Ok(ExecCommandOutput {
+            wall_time: Instant::now().duration_since(start_time),
+            exit_status: ExitStatus::Ongoing(session_id),
+            original_token_count,
+            output,
+        })
+    }
+}
+
+/// Spawn PTY and child process per spawn_exec_command_session logic.
+async fn create_exec_command_session(
+    params: ExecCommandParams,
+) -> anyhow::Result<(ExecCommandSession, oneshot::Receiver<i32>)> {
+    let ExecCommandParams {
+        cmd,
+        yield_time_ms: _,
+        max_output_tokens: _,
+        shell,
+        login,
+    } = params;
+
+    // Use the native pty implementation for the system
+    let pty_system = native_pty_system();
+
+    // Create a new pty
+    let pair = pty_system.openpty(PtySize {
+        rows: 24,
+        cols: 80,
+        pixel_width: 0,
+        pixel_height: 0,
+    })?;
+
+    // Spawn a shell into the pty
+    let mut command_builder = CommandBuilder::new(shell);
+    let shell_mode_opt = if login { "-lc" } else { "-c" };
+    command_builder.arg(shell_mode_opt);
+    command_builder.arg(cmd);
+
+    let mut child = pair.slave.spawn_command(command_builder)?;
+    // Obtain a killer that can signal the process independently of `.wait()`.
+    let killer = child.clone_killer();
+
+    // Channel to forward write requests to the PTY writer.
+    let (writer_tx, mut writer_rx) = mpsc::channel::<Vec<u8>>(128);
+    // Broadcast for streaming PTY output to readers: subscribers receive from subscription time.
+    let (output_tx, _) = tokio::sync::broadcast::channel::<Vec<u8>>(256);
+
+    // Reader task: drain PTY and forward chunks to output channel.
+    let mut reader = pair.master.try_clone_reader()?;
+    let output_tx_clone = output_tx.clone();
+    let reader_handle = tokio::task::spawn_blocking(move || {
+        let mut buf = [0u8; 8192];
+        loop {
+            match reader.read(&mut buf) {
+                Ok(0) => break, // EOF
+                Ok(n) => {
+                    // Forward to broadcast; best-effort if there are subscribers.
+                    let _ = output_tx_clone.send(buf[..n].to_vec());
+                }
+                Err(ref e) if e.kind() == ErrorKind::Interrupted => {
+                    // Retry on EINTR
+                    continue;
+                }
+                Err(ref e) if e.kind() == ErrorKind::WouldBlock => {
+                    // We're in a blocking thread; back off briefly and retry.
+                    std::thread::sleep(Duration::from_millis(5));
+                    continue;
+                }
+                Err(_) => break,
+            }
+        }
+    });
+
+    // Writer task: apply stdin writes to the PTY writer.
+    let writer = pair.master.take_writer()?;
+    let writer = Arc::new(StdMutex::new(writer));
+    let writer_handle = tokio::spawn({
+        let writer = writer.clone();
+        async move {
+            while let Some(bytes) = writer_rx.recv().await {
+                let writer = writer.clone();
+                // Perform blocking write on a blocking thread.
+                let _ = tokio::task::spawn_blocking(move || {
+                    if let Ok(mut guard) = writer.lock() {
+                        use std::io::Write;
+                        let _ = guard.write_all(&bytes);
+                        let _ = guard.flush();
+                    }
+                })
+                .await;
+            }
+        }
+    });
+
+    // Keep the child alive until it exits, then signal exit code.
+    let (exit_tx, exit_rx) = oneshot::channel::<i32>();
+    let wait_handle = tokio::task::spawn_blocking(move || {
+        let code = match child.wait() {
+            Ok(status) => status.exit_code() as i32,
+            Err(_) => -1,
+        };
+        let _ = exit_tx.send(code);
+    });
+
+    // Create and store the session with channels.
+    let session = ExecCommandSession::new(
+        writer_tx,
+        output_tx,
+        killer,
+        reader_handle,
+        writer_handle,
+        wait_handle,
+    );
+    Ok((session, exit_rx))
+}
+
+/// Truncate the middle of a UTF-8 string to at most `max_bytes` bytes,
+/// preserving the beginning and the end. Returns the possibly truncated
+/// string and `Some(original_token_count)` (estimated at 4 bytes/token)
+/// if truncation occurred; otherwise returns the original string and `None`.
+fn truncate_middle(s: &str, max_bytes: usize) -> (String, Option<u64>) {
+    // No truncation needed
+    if s.len() <= max_bytes {
+        return (s.to_string(), None);
+    }
+    let est_tokens = (s.len() as u64).div_ceil(4);
+    if max_bytes == 0 {
+        // Cannot keep any content; still return a full marker (never truncated).
+        return (
+            format!("…{} tokens truncated…", est_tokens),
+            Some(est_tokens),
+        );
+    }
+
+    // Helper to truncate a string to a given byte length on a char boundary.
+    fn truncate_on_boundary(input: &str, max_len: usize) -> &str {
+        if input.len() <= max_len {
+            return input;
+        }
+        let mut end = max_len;
+        while end > 0 && !input.is_char_boundary(end) {
+            end -= 1;
+        }
+        &input[..end]
+    }
+
+    // Given a left/right budget, prefer newline boundaries; otherwise fall back
+    // to UTF-8 char boundaries.
+    fn pick_prefix_end(s: &str, left_budget: usize) -> usize {
+        if let Some(head) = s.get(..left_budget)
+            && let Some(i) = head.rfind('\n')
+        {
+            return i + 1; // keep the newline so suffix starts on a fresh line
+        }
+        truncate_on_boundary(s, left_budget).len()
+    }
+
+    fn pick_suffix_start(s: &str, right_budget: usize) -> usize {
+        let start_tail = s.len().saturating_sub(right_budget);
+        if let Some(tail) = s.get(start_tail..)
+            && let Some(i) = tail.find('\n')
+        {
+            return start_tail + i + 1; // start after newline
+        }
+        // Fall back to a char boundary at or after start_tail.
+        let mut idx = start_tail.min(s.len());
+        while idx < s.len() && !s.is_char_boundary(idx) {
+            idx += 1;
+        }
+        idx
+    }
+
+    // Refine marker length and budgets until stable. Marker is never truncated.
+    let mut guess_tokens = est_tokens; // worst-case: everything truncated
+    for _ in 0..4 {
+        let marker = format!("…{} tokens truncated…", guess_tokens);
+        let marker_len = marker.len();
+        let keep_budget = max_bytes.saturating_sub(marker_len);
+        if keep_budget == 0 {
+            // No room for any content within the cap; return a full, untruncated marker
+            // that reflects the entire truncated content.
+            return (
+                format!("…{} tokens truncated…", est_tokens),
+                Some(est_tokens),
+            );
+        }
+
+        let left_budget = keep_budget / 2;
+        let right_budget = keep_budget - left_budget;
+        let prefix_end = pick_prefix_end(s, left_budget);
+        let mut suffix_start = pick_suffix_start(s, right_budget);
+        if suffix_start < prefix_end {
+            suffix_start = prefix_end;
+        }
+        let kept_content_bytes = prefix_end + (s.len() - suffix_start);
+        let truncated_content_bytes = s.len().saturating_sub(kept_content_bytes);
+        let new_tokens = (truncated_content_bytes as u64).div_ceil(4);
+        if new_tokens == guess_tokens {
+            let mut out = String::with_capacity(marker_len + kept_content_bytes + 1);
+            out.push_str(&s[..prefix_end]);
+            out.push_str(&marker);
+            // Place marker on its own line for symmetry when we keep line boundaries.
+            out.push('\n');
+            out.push_str(&s[suffix_start..]);
+            return (out, Some(est_tokens));
+        }
+        guess_tokens = new_tokens;
+    }
+
+    // Fallback: use last guess to build output.
+    let marker = format!("…{} tokens truncated…", guess_tokens);
+    let marker_len = marker.len();
+    let keep_budget = max_bytes.saturating_sub(marker_len);
+    if keep_budget == 0 {
+        return (
+            format!("…{} tokens truncated…", est_tokens),
+            Some(est_tokens),
+        );
+    }
+    let left_budget = keep_budget / 2;
+    let right_budget = keep_budget - left_budget;
+    let prefix_end = pick_prefix_end(s, left_budget);
+    let suffix_start = pick_suffix_start(s, right_budget);
+    let mut out = String::with_capacity(marker_len + prefix_end + (s.len() - suffix_start) + 1);
+    out.push_str(&s[..prefix_end]);
+    out.push_str(&marker);
+    out.push('\n');
+    out.push_str(&s[suffix_start..]);
+    (out, Some(est_tokens))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::exec_command::session_id::SessionId;
+
+    /// Test that verifies that [`SessionManager::handle_exec_command_request()`]
+    /// and [`SessionManager::handle_write_stdin_request()`] work as expected
+    /// in the presence of a process that never terminates (but produces
+    /// output continuously).
+    #[cfg(unix)]
+    #[allow(clippy::print_stderr)]
+    #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
+    async fn session_manager_streams_and_truncates_from_now() {
+        use crate::exec_command::exec_command_params::ExecCommandParams;
+        use crate::exec_command::exec_command_params::WriteStdinParams;
+        use tokio::time::sleep;
+
+        let session_manager = SessionManager::default();
+        // Long-running loop that prints an increasing counter every ~100ms.
+        // Use Python for a portable, reliable sleep across shells/PTYs.
+        let cmd = r#"python3 - <<'PY'
+import sys, time
+count = 0
+while True:
+    print(count)
+    sys.stdout.flush()
+    count += 100
+    time.sleep(0.1)
+PY"#
+        .to_string();
+
+        // Start the session and collect ~3s of output.
+        let params = ExecCommandParams {
+            cmd,
+            yield_time_ms: 3_000,
+            max_output_tokens: 1_000, // large enough to avoid truncation here
+            shell: "/bin/bash".to_string(),
+            login: false,
+        };
+        let initial_output = match session_manager
+            .handle_exec_command_request(params.clone())
+            .await
+        {
+            Ok(v) => v,
+            Err(e) => {
+                // PTY may be restricted in some sandboxes; skip in that case.
+                if e.contains("openpty") || e.contains("Operation not permitted") {
+                    eprintln!("skipping test due to restricted PTY: {e}");
+                    return;
+                }
+                panic!("exec request failed unexpectedly: {e}");
+            }
+        };
+        eprintln!("initial output: {initial_output:?}");
+
+        // Should be ongoing (we launched a never-ending loop).
+        let session_id = match initial_output.exit_status {
+            ExitStatus::Ongoing(id) => id,
+            _ => panic!("expected ongoing session"),
+        };
+
+        // Parse the numeric lines and get the max observed value in the first window.
+        let first_nums = extract_monotonic_numbers(&initial_output.output);
+        assert!(
+            !first_nums.is_empty(),
+            "expected some output from first window"
+        );
+        let first_max = *first_nums.iter().max().unwrap();
+
+        // Wait ~4s so counters progress while we're not reading.
+        sleep(Duration::from_millis(4_000)).await;
+
+        // Now read ~3s of output "from now" only.
+        // Use a small token cap so truncation occurs and we test middle truncation.
+        let write_params = WriteStdinParams {
+            session_id,
+            chars: String::new(),
+            yield_time_ms: 3_000,
+            max_output_tokens: 16, // 16 tokens ~= 64 bytes -> likely truncation
+        };
+        let second = session_manager
+            .handle_write_stdin_request(write_params)
+            .await
+            .expect("write stdin should succeed");
+
+        // Verify truncation metadata and size bound (cap is tokens*4 bytes).
+        assert!(second.original_token_count.is_some());
+        let cap_bytes = (16u64 * 4) as usize;
+        assert!(second.output.len() <= cap_bytes);
+        // New middle marker should be present.
+        assert!(
+            second.output.contains("tokens truncated") && second.output.contains('…'),
+            "expected truncation marker in output, got: {}",
+            second.output
+        );
+
+        // Minimal freshness check: the earliest number we see in the second window
+        // should be significantly larger than the last from the first window.
+        let second_nums = extract_monotonic_numbers(&second.output);
+        assert!(
+            !second_nums.is_empty(),
+            "expected some numeric output from second window"
+        );
+        let second_min = *second_nums.iter().min().unwrap();
+
+        // We slept 4 seconds (~40 ticks at 100ms/tick, each +100), so expect
+        // an increase of roughly 4000 or more. Allow a generous margin.
+        assert!(
+            second_min >= first_max + 2000,
+            "second_min={second_min} first_max={first_max}",
+        );
+    }
+
+    #[cfg(unix)]
+    fn extract_monotonic_numbers(s: &str) -> Vec<i64> {
+        s.lines()
+            .filter_map(|line| {
+                if !line.is_empty()
+                    && line.chars().all(|c| c.is_ascii_digit())
+                    && let Ok(n) = line.parse::<i64>()
+                {
+                    // Our generator increments by 100; ignore spurious fragments.
+                    if n % 100 == 0 {
+                        return Some(n);
+                    }
+                }
+                None
+            })
+            .collect()
+    }
+
+    #[test]
+    fn to_text_output_exited_no_truncation() {
+        let out = ExecCommandOutput {
+            wall_time: Duration::from_millis(1234),
+            exit_status: ExitStatus::Exited(0),
+            original_token_count: None,
+            output: "hello".to_string(),
+        };
+        let text = out.to_text_output();
+        let expected = r#"Wall time: 1.234 seconds
+Process exited with code 0
+Output:
+hello"#;
+        assert_eq!(expected, text);
+    }
+
+    #[test]
+    fn to_text_output_ongoing_with_truncation() {
+        let out = ExecCommandOutput {
+            wall_time: Duration::from_millis(500),
+            exit_status: ExitStatus::Ongoing(SessionId(42)),
+            original_token_count: Some(1000),
+            output: "abc".to_string(),
+        };
+        let text = out.to_text_output();
+        let expected = r#"Wall time: 0.500 seconds
+Process running with session ID 42
+Warning: truncated output (original token count: 1000)
+Output:
+abc"#;
+        assert_eq!(expected, text);
+    }
+
+    #[test]
+    fn truncate_middle_no_newlines_fallback() {
+        // A long string with no newlines that exceeds the cap.
+        let s = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+        let max_bytes = 16; // force truncation
+        let (out, original) = truncate_middle(s, max_bytes);
+        // For very small caps, we return the full, untruncated marker,
+        // even if it exceeds the cap.
+        assert_eq!(out, "…16 tokens truncated…");
+        // Original string length is 62 bytes => ceil(62/4) = 16 tokens.
+        assert_eq!(original, Some(16));
+    }
+
+    #[test]
+    fn truncate_middle_prefers_newline_boundaries() {
+        // Build a multi-line string of 20 numbered lines (each "NNN\n").
+        let mut s = String::new();
+        for i in 1..=20 {
+            s.push_str(&format!("{i:03}\n"));
+        }
+        // Total length: 20 lines * 4 bytes per line = 80 bytes.
+        assert_eq!(s.len(), 80);
+
+        // Choose a cap that forces truncation while leaving room for
+        // a few lines on each side after accounting for the marker.
+        let max_bytes = 64;
+        // Expect exact output: first 4 lines, marker, last 4 lines, and correct token estimate (80/4 = 20).
+        assert_eq!(
+            truncate_middle(&s, max_bytes),
+            (
+                r#"001
+002
+003
+004
+…12 tokens truncated…
+017
+018
+019
+020
+"#
+                .to_string(),
+                Some(20)
+            )
+        );
+    }
+}

codex-rs/core/src/git_info.rs

@@ -1,5 +1,6 @@
 use std::collections::HashSet;
 use std::path::Path;
+use std::path::PathBuf;
 
 use codex_protocol::mcp_protocol::GitSha;
 use futures::future::join_all;
@@ -384,7 +385,9 @@ async fn find_closest_sha(cwd: &Path, branches: &[String], remotes: &[String]) -
 }
 
 async fn diff_against_sha(cwd: &Path, sha: &GitSha) -> Option<String> {
-    let output = run_git_command_with_timeout(&["diff", &sha.0], cwd).await?;
+    let output =
+        run_git_command_with_timeout(&["diff", "--no-textconv", "--no-ext-diff", &sha.0], cwd)
+            .await?;
     // 0 is success and no diff.
     // 1 is success but there is a diff.
     let exit_ok = output.status.code().is_some_and(|c| c == 0 || c == 1);
@@ -405,10 +408,21 @@ async fn diff_against_sha(cwd: &Path, sha: &GitSha) -> Option<String> {
             .collect();
 
         if !untracked.is_empty() {
+            // Use platform-appropriate null device and guard paths with `--`.
+            let null_device: &str = if cfg!(windows) { "NUL" } else { "/dev/null" };
             let futures_iter = untracked.into_iter().map(|file| async move {
                 let file_owned = file;
-                let args_vec: Vec<&str> =
-                    vec!["diff", "--binary", "--no-index", "/dev/null", &file_owned];
+                let args_vec: Vec<&str> = vec![
+                    "diff",
+                    "--no-textconv",
+                    "--no-ext-diff",
+                    "--binary",
+                    "--no-index",
+                    // -- ensures that filenames that start with - are not treated as options.
+                    "--",
+                    null_device,
+                    &file_owned,
+                ];
                 run_git_command_with_timeout(&args_vec, cwd).await
             });
             let results = join_all(futures_iter).await;
@@ -425,6 +439,38 @@ async fn diff_against_sha(cwd: &Path, sha: &GitSha) -> Option<String> {
     Some(diff)
 }
 
+/// Resolve the path that should be used for trust checks. Similar to
+/// `[utils::is_inside_git_repo]`, but resolves to the root of the main
+/// repository. Handles worktrees.
+pub fn resolve_root_git_project_for_trust(cwd: &Path) -> Option<PathBuf> {
+    let base = if cwd.is_dir() { cwd } else { cwd.parent()? };
+
+    // TODO: we should make this async, but it's primarily used deep in
+    // callstacks of sync code, and should almost always be fast
+    let git_dir_out = std::process::Command::new("git")
+        .args(["rev-parse", "--git-common-dir"])
+        .current_dir(base)
+        .output()
+        .ok()?;
+    if !git_dir_out.status.success() {
+        return None;
+    }
+    let git_dir_s = String::from_utf8(git_dir_out.stdout)
+        .ok()?
+        .trim()
+        .to_string();
+
+    let git_dir_path_raw = if Path::new(&git_dir_s).is_absolute() {
+        PathBuf::from(&git_dir_s)
+    } else {
+        base.join(&git_dir_s)
+    };
+
+    // Normalize to handle macOS /var vs /private/var and resolve ".." segments.
+    let git_dir_path = std::fs::canonicalize(&git_dir_path_raw).unwrap_or(git_dir_path_raw);
+    git_dir_path.parent().map(Path::to_path_buf)
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -732,6 +778,80 @@ mod tests {
         assert_eq!(state.sha, GitSha::new(&remote_sha));
     }
 
+    #[test]
+    fn resolve_root_git_project_for_trust_returns_none_outside_repo() {
+        let tmp = TempDir::new().expect("tempdir");
+        assert!(resolve_root_git_project_for_trust(tmp.path()).is_none());
+    }
+
+    #[tokio::test]
+    async fn resolve_root_git_project_for_trust_regular_repo_returns_repo_root() {
+        let temp_dir = TempDir::new().expect("Failed to create temp dir");
+        let repo_path = create_test_git_repo(&temp_dir).await;
+        let expected = std::fs::canonicalize(&repo_path).unwrap().to_path_buf();
+
+        assert_eq!(
+            resolve_root_git_project_for_trust(&repo_path),
+            Some(expected.clone())
+        );
+        let nested = repo_path.join("sub/dir");
+        std::fs::create_dir_all(&nested).unwrap();
+        assert_eq!(
+            resolve_root_git_project_for_trust(&nested),
+            Some(expected.clone())
+        );
+    }
+
+    #[tokio::test]
+    async fn resolve_root_git_project_for_trust_detects_worktree_and_returns_main_root() {
+        let temp_dir = TempDir::new().expect("Failed to create temp dir");
+        let repo_path = create_test_git_repo(&temp_dir).await;
+
+        // Create a linked worktree
+        let wt_root = temp_dir.path().join("wt");
+        let _ = std::process::Command::new("git")
+            .args([
+                "worktree",
+                "add",
+                wt_root.to_str().unwrap(),
+                "-b",
+                "feature/x",
+            ])
+            .current_dir(&repo_path)
+            .output()
+            .expect("git worktree add");
+
+        let expected = std::fs::canonicalize(&repo_path).ok();
+        let got = resolve_root_git_project_for_trust(&wt_root)
+            .and_then(|p| std::fs::canonicalize(p).ok());
+        assert_eq!(got, expected);
+        let nested = wt_root.join("nested/sub");
+        std::fs::create_dir_all(&nested).unwrap();
+        let got_nested =
+            resolve_root_git_project_for_trust(&nested).and_then(|p| std::fs::canonicalize(p).ok());
+        assert_eq!(got_nested, expected);
+    }
+
+    #[test]
+    fn resolve_root_git_project_for_trust_non_worktrees_gitdir_returns_none() {
+        let tmp = TempDir::new().expect("tempdir");
+        let proj = tmp.path().join("proj");
+        std::fs::create_dir_all(proj.join("nested")).unwrap();
+
+        // `.git` is a file but does not point to a worktrees path
+        std::fs::write(
+            proj.join(".git"),
+            format!(
+                "gitdir: {}\n",
+                tmp.path().join("some/other/location").display()
+            ),
+        )
+        .unwrap();
+
+        assert!(resolve_root_git_project_for_trust(&proj).is_none());
+        assert!(resolve_root_git_project_for_trust(&proj.join("nested")).is_none());
+    }
+
     #[tokio::test]
     async fn test_get_git_working_tree_state_unpushed_commit() {
         let temp_dir = TempDir::new().expect("Failed to create temp dir");

codex-rs/core/src/lib.rs

@@ -20,12 +20,14 @@ mod conversation_history;
 mod environment_context;
 pub mod error;
 pub mod exec;
+mod exec_command;
 pub mod exec_env;
 mod flags;
 pub mod git_info;
 mod is_safe_command;
 pub mod landlock;
 mod mcp_connection_manager;
+pub mod mcp_toml;
 mod mcp_tool_call;
 mod message_history;
 mod model_provider_info;
@@ -39,16 +41,17 @@ mod conversation_manager;
 pub use conversation_manager::ConversationManager;
 pub use conversation_manager::NewConversation;
 pub mod model_family;
-mod models;
 mod openai_model_info;
 mod openai_tools;
 pub mod plan_tool;
-mod project_doc;
+pub mod project_doc;
 mod rollout;
 pub(crate) mod safety;
 pub mod seatbelt;
 pub mod shell;
 pub mod spawn;
+pub mod terminal;
+mod tool_apply_patch;
 pub mod turn_diff_tracker;
 pub mod user_agent;
 mod user_notification;

codex-rs/core/src/mcp_connection_manager.rs

@@ -36,8 +36,33 @@ use crate::config_types::McpServerConfig;
 const MCP_TOOL_NAME_DELIMITER: &str = "__";
 const MAX_TOOL_NAME_LENGTH: usize = 64;
 
-/// Timeout for the `tools/list` request.
-const LIST_TOOLS_TIMEOUT: Duration = Duration::from_secs(10);
+/// Read MCP timeout (milliseconds) from the environment.
+///
+/// Falls back to 10_000 ms (10s) if the variable is not set or cannot be
+/// parsed as an integer.
+pub(crate) fn mcp_timeout_from_env() -> Duration {
+    match std::env::var("MCP_TIMEOUT") {
+        Ok(val) => parse_mcp_timeout(Some(val.trim())),
+        Err(_) => parse_mcp_timeout(None),
+    }
+}
+
+pub(crate) fn parse_mcp_timeout(val: Option<&str>) -> Duration {
+    const DEFAULT_MS: u64 = 10_000;
+    match val {
+        Some(s) => match s.parse::<u64>() {
+            Ok(ms) => Duration::from_millis(ms),
+            Err(_) => {
+                tracing::warn!(
+                    "Invalid MCP_TIMEOUT value, using default of {} ms",
+                    DEFAULT_MS
+                );
+                Duration::from_millis(DEFAULT_MS)
+            }
+        },
+        None => Duration::from_millis(DEFAULT_MS),
+    }
+}
 
 /// Map that holds a startup error for every MCP server that could **not** be
 /// spawned successfully.
@@ -154,7 +179,7 @@ impl McpConnectionManager {
                             protocol_version: mcp_types::MCP_SCHEMA_VERSION.to_owned(),
                         };
                         let initialize_notification_params = None;
-                        let timeout = Some(Duration::from_secs(10));
+                        let timeout = Some(mcp_timeout_from_env());
                         match client
                             .initialize(params, initialize_notification_params, timeout)
                             .await
@@ -242,7 +267,7 @@ async fn list_all_tools(
         let client_clone = client.clone();
         join_set.spawn(async move {
             let res = client_clone
-                .list_tools(None, Some(LIST_TOOLS_TIMEOUT))
+                .list_tools(None, Some(mcp_timeout_from_env()))
                 .await;
             (server_name_cloned, res)
         });
@@ -285,6 +310,24 @@ mod tests {
     use super::*;
     use mcp_types::ToolInputSchema;
 
+    #[test]
+    fn test_mcp_timeout_default_is_10s() {
+        let d = parse_mcp_timeout(None);
+        assert_eq!(d, Duration::from_millis(10_000));
+    }
+
+    #[test]
+    fn test_mcp_timeout_parses_ms() {
+        let d = parse_mcp_timeout(Some("1234"));
+        assert_eq!(d, Duration::from_millis(1234));
+    }
+
+    #[test]
+    fn test_mcp_timeout_invalid_uses_default() {
+        let d = parse_mcp_timeout(Some("abc"));
+        assert_eq!(d, Duration::from_millis(10_000));
+    }
+
     fn create_test_tool(server_name: &str, tool_name: &str) -> ToolInfo {
         ToolInfo {
             server_name: server_name.to_string(),

codex-rs/core/src/mcp_toml.rs

@@ -0,0 +1,395 @@
+use anyhow::Result;
+use anyhow::anyhow;
+use serde::Deserialize;
+use std::collections::HashMap;
+use std::path::Path;
+
+use crate::config_types::McpServerConfig;
+
+/// Expand `${VAR}` and `${VAR:-default}` sequences in `input`.
+///
+/// - `${VAR}`: replaced by `lookup(VAR)` or returns an error if unset.
+/// - `${VAR:-default}`: replaced by `lookup(VAR)` if set; otherwise `default`.
+///
+/// No whitespace is trimmed. Defaults are treated as literal strings (no nested
+/// expansions inside the default value). Variable names must match
+/// `^[A-Za-z_][A-Za-z0-9_]*$`.
+pub(crate) fn expand_vars(
+    input: &str,
+    mut lookup: impl FnMut(&str) -> Option<String>,
+    source_label: &str,
+) -> Result<String> {
+    let mut out = String::with_capacity(input.len());
+    let bytes = input.as_bytes();
+    let mut i = 0;
+    while i < bytes.len() {
+        if bytes[i] == b'$' && i + 1 < bytes.len() && bytes[i + 1] == b'{' {
+            // Find closing brace
+            let start_inner = i + 2;
+            let mut end = start_inner;
+            let mut found = false;
+            while end < bytes.len() {
+                if bytes[end] == b'}' {
+                    found = true;
+                    break;
+                }
+                end += 1;
+            }
+            if !found {
+                return Err(anyhow!(
+                    "unterminated variable expansion starting at byte {i} in {source_label}"
+                ));
+            }
+            let inner = &input[start_inner..end];
+            let (name, default) = match inner.split_once(":-") {
+                Some((n, d)) => (n, Some(d)),
+                None => (inner, None),
+            };
+
+            if !is_valid_var_name(name) {
+                return Err(anyhow!(
+                    "invalid variable name `{}` in {} (must match ^[A-Za-z_][A-Za-z0-9_]*$)",
+                    name,
+                    source_label
+                ));
+            }
+
+            let replacement = match (lookup(name), default) {
+                (Some(v), _) => v,
+                (None, Some(d)) => d.to_string(),
+                (None, None) => {
+                    return Err(anyhow!(
+                        "environment variable `{}` not set and no default provided in {}",
+                        name,
+                        source_label
+                    ));
+                }
+            };
+            out.push_str(&replacement);
+            i = end + 1;
+            continue;
+        }
+        // Copy through single byte as UTF-8 is preserved by slicing boundaries here.
+        out.push(bytes[i] as char);
+        i += 1;
+    }
+    Ok(out)
+}
+
+fn is_valid_var_name(name: &str) -> bool {
+    let mut chars = name.chars();
+    match chars.next() {
+        Some(c) if is_alpha_or_underscore(c) => (),
+        _ => return false,
+    }
+    chars.all(|c| is_alnum_or_underscore(c))
+}
+
+fn is_alpha_or_underscore(c: char) -> bool {
+    (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || c == '_'
+}
+
+fn is_alnum_or_underscore(c: char) -> bool {
+    is_alpha_or_underscore(c) || (c >= '0' && c <= '9')
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_expand_vars_simple() {
+        let lookup = |k: &str| match k {
+            "USER" => Some("alice".into()),
+            _ => None,
+        };
+        let res = expand_vars("/home/${USER}/bin", lookup, "test");
+        match res {
+            Ok(s) => assert_eq!(s, "/home/alice/bin"),
+            Err(e) => panic!("unexpected error: {e:#}"),
+        }
+    }
+
+    #[test]
+    fn test_expand_vars_with_default() {
+        let lookup = |_k: &str| None;
+        let res = expand_vars("${REGION:-us-east}", lookup, "test");
+        match res {
+            Ok(s) => assert_eq!(s, "us-east"),
+            Err(e) => panic!("unexpected error: {e:#}"),
+        }
+    }
+
+    #[test]
+    fn test_expand_vars_missing_errors() {
+        let lookup = |_k: &str| None;
+        let res = expand_vars("x${REQUIRED}y", lookup, "test");
+        let msg = match res {
+            Ok(v) => panic!("expected error, got {v}"),
+            Err(e) => format!("{e:#}"),
+        };
+        assert!(msg.contains("environment variable `REQUIRED` not set"));
+    }
+
+    #[test]
+    fn test_expand_vars_multiple() {
+        let lookup = |k: &str| match k {
+            "A" => Some("1".into()),
+            "B" => Some("2".into()),
+            _ => None,
+        };
+        let res = expand_vars("${A}-${B}-${C:-x}", lookup, "test");
+        match res {
+            Ok(s) => assert_eq!(s, "1-2-x"),
+            Err(e) => panic!("unexpected error: {e:#}"),
+        }
+    }
+
+    #[test]
+    fn test_expand_vars_invalid_name() {
+        let lookup = |_k: &str| None;
+        let res = expand_vars("${1BAD}", lookup, "test");
+        let msg = match res {
+            Ok(v) => panic!("expected error, got {v}"),
+            Err(e) => format!("{e:#}"),
+        };
+        assert!(msg.contains("invalid variable name"));
+    }
+
+    #[test]
+    fn test_expand_vars_unterminated() {
+        let lookup = |_k: &str| None;
+        let res = expand_vars("abc ${FOO", lookup, "test-file");
+        let msg = match res {
+            Ok(v) => panic!("expected error, got {v}"),
+            Err(e) => format!("{e:#}"),
+        };
+        assert!(msg.contains("unterminated variable expansion"));
+        assert!(msg.contains("test-file"));
+    }
+}
+
+// -------------------------------
+// Serde types and converters
+// -------------------------------
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum Scope {
+    User,
+    Project,
+    Local,
+}
+
+#[derive(Debug, Deserialize, Default)]
+pub struct McpToml {
+    #[serde(default)]
+    pub mcp_servers: HashMap<String, McpTomlEntry>,
+}
+
+#[derive(Debug, Deserialize, Default)]
+pub struct McpTomlEntry {
+    #[serde(default)]
+    pub r#type: Option<String>,
+    pub command: Option<String>,
+    #[serde(default)]
+    pub args: Vec<String>,
+    #[serde(default)]
+    pub env: HashMap<String, String>,
+}
+
+/// Convert a permissive TOML entry to the strict `McpServerConfig` used by Codex.
+///
+/// - Only `stdio` (or missing) transport is accepted; anything else returns an error.
+/// - Expands variables in `command`, each `args[]`, and each `env` value.
+/// - Returns an error if `command` is missing (after expansion) or if any
+///   `${VAR}` expansion fails with no default.
+pub fn to_mcp_server_config(
+    entry: &McpTomlEntry,
+    mut lookup: impl FnMut(&str) -> Option<String>,
+) -> Result<McpServerConfig> {
+    // Transport check: only allow stdio or unspecified
+    if let Some(t) = entry.r#type.as_deref() {
+        let t_lower = t.to_ascii_lowercase();
+        if t_lower != "stdio" {
+            return Err(anyhow!(
+                "unsupported MCP transport `{}` (only `stdio` supported)",
+                t
+            ));
+        }
+    }
+
+    // Command is required
+    let command_raw = entry
+        .command
+        .as_ref()
+        .ok_or_else(|| anyhow!("missing `command` for stdio MCP server"))?;
+    let command = expand_vars(command_raw, &mut lookup, "overlay:command")?;
+
+    // Args with expansion
+    let mut args = Vec::with_capacity(entry.args.len());
+    for a in &entry.args {
+        args.push(expand_vars(a, &mut lookup, "overlay:args")?);
+    }
+
+    // Env values with expansion; keep as None if empty
+    let mut env_out: HashMap<String, String> = HashMap::with_capacity(entry.env.len());
+    for (k, v) in &entry.env {
+        env_out.insert(k.clone(), expand_vars(v, &mut lookup, "overlay:env")?);
+    }
+
+    Ok(McpServerConfig {
+        command,
+        args,
+        env: if env_out.is_empty() {
+            None
+        } else {
+            Some(env_out)
+        },
+    })
+}
+
+#[cfg(test)]
+mod convert_tests {
+    use super::*;
+
+    #[test]
+    fn test_to_mcp_server_config_stdio_ok() {
+        let entry = McpTomlEntry {
+            r#type: None,
+            command: Some("${HOME}/bin/svc".to_string()),
+            args: vec!["--region".into(), "${REGION:-us-east}".into()],
+            env: HashMap::from([(String::from("API_KEY"), String::from("${KEY}"))]),
+        };
+        let mut map = HashMap::new();
+        map.insert("HOME".to_string(), "/home/alice".to_string());
+        map.insert("KEY".to_string(), "secret".to_string());
+        let lookup = |k: &str| map.get(k).cloned();
+        let cfg = match to_mcp_server_config(&entry, lookup) {
+            Ok(c) => c,
+            Err(e) => panic!("unexpected error: {e:#}"),
+        };
+        assert_eq!(cfg.command, "/home/alice/bin/svc");
+        assert_eq!(cfg.args, vec!["--region", "us-east"]);
+        let api_key = cfg.env.as_ref().and_then(|m| m.get("API_KEY")).cloned();
+        assert_eq!(api_key.as_deref(), Some("secret"));
+    }
+
+    #[test]
+    fn test_to_mcp_server_config_reject_non_stdio() {
+        for t in ["http", "sse", "HTTP", "SSe"] {
+            let entry = McpTomlEntry {
+                r#type: Some(t.to_string()),
+                command: Some("tool".to_string()),
+                ..Default::default()
+            };
+            let msg = match to_mcp_server_config(&entry, |_k| None) {
+                Ok(v) => panic!("expected error, got {v:?}"),
+                Err(e) => format!("{e:#}"),
+            };
+            assert!(msg.to_lowercase().contains("unsupported mcp transport"));
+        }
+    }
+
+    #[test]
+    fn test_to_mcp_server_config_missing_command_errors() {
+        let entry = McpTomlEntry {
+            command: None,
+            ..Default::default()
+        };
+        let msg = match to_mcp_server_config(&entry, |_k| None) {
+            Ok(v) => panic!("expected error, got {v:?}"),
+            Err(e) => format!("{e:#}"),
+        };
+        assert!(msg.contains("missing `command`"));
+    }
+
+    #[test]
+    fn test_to_mcp_server_config_missing_env_var_errors() {
+        let entry = McpTomlEntry {
+            command: Some("tool".into()),
+            args: vec!["${REQUIRED}".into()],
+            ..Default::default()
+        };
+        let msg = match to_mcp_server_config(&entry, |_k| None) {
+            Ok(v) => panic!("expected error, got {v:?}"),
+            Err(e) => format!("{e:#}"),
+        };
+        assert!(msg.contains("environment variable `REQUIRED` not set"));
+    }
+}
+
+// -------------------------------
+// Overlay loader
+// -------------------------------
+
+/// Load `.mcp.local.toml` and `.mcp.toml` from `project_root` if they exist.
+///
+/// Returns the successfully parsed overlays in precedence order: Local then Project.
+/// Invalid TOML is logged and skipped.
+pub fn load_project_overlays(project_root: &Path) -> Result<Vec<(Scope, McpToml)>> {
+    let mut overlays = Vec::new();
+
+    let local_path = project_root.join(".mcp.local.toml");
+    if local_path.exists() {
+        match std::fs::read_to_string(&local_path) {
+            Ok(contents) => match toml::from_str::<McpToml>(&contents) {
+                Ok(parsed) => overlays.push((Scope::Local, parsed)),
+                Err(e) => tracing::warn!("Failed to parse {}: {e}", local_path.display()),
+            },
+            Err(e) => tracing::warn!("Failed to read {}: {e}", local_path.display()),
+        }
+    }
+
+    let project_path = project_root.join(".mcp.toml");
+    if project_path.exists() {
+        match std::fs::read_to_string(&project_path) {
+            Ok(contents) => match toml::from_str::<McpToml>(&contents) {
+                Ok(parsed) => overlays.push((Scope::Project, parsed)),
+                Err(e) => tracing::warn!("Failed to parse {}: {e}", project_path.display()),
+            },
+            Err(e) => tracing::warn!("Failed to read {}: {e}", project_path.display()),
+        }
+    }
+
+    Ok(overlays)
+}
+
+#[cfg(test)]
+mod overlay_tests {
+    use super::*;
+    use std::fs;
+
+    #[test]
+    fn test_load_project_overlays_reads_both_files() -> Result<()> {
+        let dir = tempfile::tempdir()?;
+        let root = dir.path();
+        // Pretend it's a git repo to mirror typical layout; not required by loader.
+        fs::write(root.join(".git"), "gitdir: nowhere")?;
+
+        // Write project overlay
+        fs::write(
+            root.join(".mcp.toml"),
+            r#"[mcp_servers.alpha]
+command = "alpha"
+"#,
+        )?;
+
+        // Write local overlay
+        fs::write(
+            root.join(".mcp.local.toml"),
+            r#"[mcp_servers.beta]
+command = "beta"
+"#,
+        )?;
+
+        let overlays = load_project_overlays(root)?;
+        assert_eq!(overlays.len(), 2);
+
+        // Expect Local first, then Project (our precedence order for merging later)
+        assert!(matches!(overlays[0].0, Scope::Local));
+        assert!(overlays[0].1.mcp_servers.contains_key("beta"));
+        assert!(matches!(overlays[1].0, Scope::Project));
+        assert!(overlays[1].1.mcp_servers.contains_key("alpha"));
+        Ok(())
+    }
+}

codex-rs/core/src/mcp_tool_call.rs

@@ -4,13 +4,13 @@ use std::time::Instant;
 use tracing::error;
 
 use crate::codex::Session;
-use crate::models::FunctionCallOutputPayload;
-use crate::models::ResponseInputItem;
 use crate::protocol::Event;
 use crate::protocol::EventMsg;
 use crate::protocol::McpInvocation;
 use crate::protocol::McpToolCallBeginEvent;
 use crate::protocol::McpToolCallEndEvent;
+use codex_protocol::models::FunctionCallOutputPayload;
+use codex_protocol::models::ResponseInputItem;
 
 /// Handles the specified tool call dispatches the appropriate
 /// `McpToolCallBegin` and `McpToolCallEnd` events to the `Session`.

codex-rs/core/src/model_family.rs

@@ -1,3 +1,5 @@
+use crate::tool_apply_patch::ApplyPatchToolType;
+
 /// A model family is a group of models that share certain characteristics.
 #[derive(Debug, Clone, PartialEq, Eq, Hash)]
 pub struct ModelFamily {
@@ -24,9 +26,9 @@ pub struct ModelFamily {
     // See https://platform.openai.com/docs/guides/tools-local-shell
     pub uses_local_shell_tool: bool,
 
-    /// True if the model performs better when `apply_patch` is provided as
-    /// a tool call instead of just a bash command.
-    pub uses_apply_patch_tool: bool,
+    /// Present if the model performs better when `apply_patch` is provided as
+    /// a tool call instead of just a bash command
+    pub apply_patch_tool_type: Option<ApplyPatchToolType>,
 }
 
 macro_rules! model_family {
@@ -40,7 +42,7 @@ macro_rules! model_family {
             needs_special_apply_patch_instructions: false,
             supports_reasoning_summaries: false,
             uses_local_shell_tool: false,
-            uses_apply_patch_tool: false,
+            apply_patch_tool_type: None,
         };
         // apply overrides
         $(
@@ -60,7 +62,7 @@ macro_rules! simple_model_family {
             needs_special_apply_patch_instructions: false,
             supports_reasoning_summaries: false,
             uses_local_shell_tool: false,
-            uses_apply_patch_tool: false,
+            apply_patch_tool_type: None,
         })
     }};
 }
@@ -95,7 +97,7 @@ pub fn find_family_for_model(slug: &str) -> Option<ModelFamily> {
             needs_special_apply_patch_instructions: true,
         )
     } else if slug.starts_with("gpt-oss") {
-        model_family!(slug, "gpt-oss", uses_apply_patch_tool: true)
+        model_family!(slug, "gpt-oss", apply_patch_tool_type: Some(ApplyPatchToolType::Function))
     } else if slug.starts_with("gpt-4o") {
         simple_model_family!(slug, "gpt-4o")
     } else if slug.starts_with("gpt-3.5") {

codex-rs/core/src/model_provider_info.rs

@@ -17,6 +17,10 @@ use crate::error::EnvVarError;
 const DEFAULT_STREAM_IDLE_TIMEOUT_MS: u64 = 300_000;
 const DEFAULT_STREAM_MAX_RETRIES: u64 = 5;
 const DEFAULT_REQUEST_MAX_RETRIES: u64 = 4;
+/// Hard cap for user-configured `stream_max_retries`.
+const MAX_STREAM_MAX_RETRIES: u64 = 100;
+/// Hard cap for user-configured `request_max_retries`.
+const MAX_REQUEST_MAX_RETRIES: u64 = 100;
 
 /// Wire protocol that the provider speaks. Most third-party services only
 /// implement the classic OpenAI Chat Completions JSON schema, whereas OpenAI
@@ -207,12 +211,14 @@ impl ModelProviderInfo {
     pub fn request_max_retries(&self) -> u64 {
         self.request_max_retries
             .unwrap_or(DEFAULT_REQUEST_MAX_RETRIES)
+            .min(MAX_REQUEST_MAX_RETRIES)
     }
 
     /// Effective maximum number of stream reconnection attempts for this provider.
     pub fn stream_max_retries(&self) -> u64 {
         self.stream_max_retries
             .unwrap_or(DEFAULT_STREAM_MAX_RETRIES)
+            .min(MAX_STREAM_MAX_RETRIES)
     }
 
     /// Effective idle timeout for streaming responses.

codex-rs/core/src/openai_model_info.rs

@@ -79,13 +79,13 @@ pub(crate) fn get_model_info(model_family: &ModelFamily) -> Option<ModelInfo> {
         }),
 
         "gpt-5" => Some(ModelInfo {
-            context_window: 200_000,
-            max_output_tokens: 100_000,
+            context_window: 400_000,
+            max_output_tokens: 128_000,
         }),
 
         _ if slug.starts_with("codex-") => Some(ModelInfo {
-            context_window: 200_000,
-            max_output_tokens: 100_000,
+            context_window: 400_000,
+            max_output_tokens: 128_000,
         }),
 
         _ => None,

codex-rs/core/src/openai_tools.rs

@@ -9,6 +9,9 @@ use crate::model_family::ModelFamily;
 use crate::plan_tool::PLAN_TOOL;
 use crate::protocol::AskForApproval;
 use crate::protocol::SandboxPolicy;
+use crate::tool_apply_patch::ApplyPatchToolType;
+use crate::tool_apply_patch::create_apply_patch_freeform_tool;
+use crate::tool_apply_patch::create_apply_patch_json_tool;
 
 #[derive(Debug, Clone, Serialize, PartialEq)]
 pub struct ResponsesApiTool {
@@ -21,6 +24,20 @@ pub struct ResponsesApiTool {
     pub(crate) parameters: JsonSchema,
 }
 
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+pub struct FreeformTool {
+    pub(crate) name: String,
+    pub(crate) description: String,
+    pub(crate) format: FreeformToolFormat,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+pub struct FreeformToolFormat {
+    pub(crate) r#type: String,
+    pub(crate) syntax: String,
+    pub(crate) definition: String,
+}
+
 /// When serialized as JSON, this produces a valid "Tool" in the OpenAI
 /// Responses API.
 #[derive(Debug, Clone, Serialize, PartialEq)]
@@ -30,6 +47,10 @@ pub(crate) enum OpenAiTool {
     Function(ResponsesApiTool),
     #[serde(rename = "local_shell")]
     LocalShell {},
+    #[serde(rename = "web_search")]
+    WebSearch {},
+    #[serde(rename = "custom")]
+    Freeform(FreeformTool),
 }
 
 #[derive(Debug, Clone)]
@@ -37,38 +58,68 @@ pub enum ConfigShellToolType {
     DefaultShell,
     ShellWithRequest { sandbox_policy: SandboxPolicy },
     LocalShell,
+    StreamableShell,
 }
 
 #[derive(Debug, Clone)]
-pub struct ToolsConfig {
+pub(crate) struct ToolsConfig {
     pub shell_type: ConfigShellToolType,
     pub plan_tool: bool,
-    pub apply_patch_tool: bool,
+    pub apply_patch_tool_type: Option<ApplyPatchToolType>,
+    pub web_search_request: bool,
+}
+
+pub(crate) struct ToolsConfigParams<'a> {
+    pub(crate) model_family: &'a ModelFamily,
+    pub(crate) approval_policy: AskForApproval,
+    pub(crate) sandbox_policy: SandboxPolicy,
+    pub(crate) include_plan_tool: bool,
+    pub(crate) include_apply_patch_tool: bool,
+    pub(crate) include_web_search_request: bool,
+    pub(crate) use_streamable_shell_tool: bool,
 }
 
 impl ToolsConfig {
-    pub fn new(
-        model_family: &ModelFamily,
-        approval_policy: AskForApproval,
-        sandbox_policy: SandboxPolicy,
-        include_plan_tool: bool,
-        include_apply_patch_tool: bool,
-    ) -> Self {
-        let mut shell_type = if model_family.uses_local_shell_tool {
+    pub fn new(params: &ToolsConfigParams) -> Self {
+        let ToolsConfigParams {
+            model_family,
+            approval_policy,
+            sandbox_policy,
+            include_plan_tool,
+            include_apply_patch_tool,
+            include_web_search_request,
+            use_streamable_shell_tool,
+        } = params;
+        let mut shell_type = if *use_streamable_shell_tool {
+            ConfigShellToolType::StreamableShell
+        } else if model_family.uses_local_shell_tool {
             ConfigShellToolType::LocalShell
         } else {
             ConfigShellToolType::DefaultShell
         };
-        if matches!(approval_policy, AskForApproval::OnRequest) {
+        if matches!(approval_policy, AskForApproval::OnRequest) && !use_streamable_shell_tool {
             shell_type = ConfigShellToolType::ShellWithRequest {
                 sandbox_policy: sandbox_policy.clone(),
             }
         }
 
+        let apply_patch_tool_type = match model_family.apply_patch_tool_type {
+            Some(ApplyPatchToolType::Freeform) => Some(ApplyPatchToolType::Freeform),
+            Some(ApplyPatchToolType::Function) => Some(ApplyPatchToolType::Function),
+            None => {
+                if *include_apply_patch_tool {
+                    Some(ApplyPatchToolType::Freeform)
+                } else {
+                    None
+                }
+            }
+        };
+
         Self {
             shell_type,
-            plan_tool: include_plan_tool,
-            apply_patch_tool: include_apply_patch_tool || model_family.uses_apply_patch_tool,
+            plan_tool: *include_plan_tool,
+            apply_patch_tool_type,
+            web_search_request: *include_web_search_request,
         }
     }
 }
@@ -115,16 +166,20 @@ fn create_shell_tool() -> OpenAiTool {
         "command".to_string(),
         JsonSchema::Array {
             items: Box::new(JsonSchema::String { description: None }),
-            description: None,
+            description: Some("The command to execute".to_string()),
         },
     );
     properties.insert(
         "workdir".to_string(),
-        JsonSchema::String { description: None },
+        JsonSchema::String {
+            description: Some("The working directory to execute the command in".to_string()),
+        },
     );
     properties.insert(
-        "timeout".to_string(),
-        JsonSchema::Number { description: None },
+        "timeout_ms".to_string(),
+        JsonSchema::Number {
+            description: Some("The timeout for the command in milliseconds".to_string()),
+        },
     );
 
     OpenAiTool::Function(ResponsesApiTool {
@@ -155,7 +210,7 @@ fn create_shell_tool_for_sandbox(sandbox_policy: &SandboxPolicy) -> OpenAiTool {
         },
     );
     properties.insert(
-        "timeout".to_string(),
+        "timeout_ms".to_string(),
         JsonSchema::Number {
             description: Some("The timeout for the command in milliseconds".to_string()),
         },
@@ -171,7 +226,7 @@ fn create_shell_tool_for_sandbox(sandbox_policy: &SandboxPolicy) -> OpenAiTool {
         properties.insert(
         "justification".to_string(),
         JsonSchema::String {
-            description: Some("Only set if ask_for_escalated_permissions is true. 1-sentence explanation of why we want to run this command.".to_string()),
+            description: Some("Only set if with_escalated_permissions is true. 1-sentence explanation of why we want to run this command.".to_string()),
         },
     );
     }
@@ -237,92 +292,16 @@ The shell tool is used to execute shell commands.
         },
     })
 }
-
+/// TODO(dylan): deprecate once we get rid of json tool
 #[derive(Serialize, Deserialize)]
 pub(crate) struct ApplyPatchToolArgs {
     pub(crate) input: String,
 }
 
-fn create_apply_patch_tool() -> OpenAiTool {
-    // Minimal schema: one required string argument containing the patch body
-    let mut properties = BTreeMap::new();
-    properties.insert(
-        "input".to_string(),
-        JsonSchema::String {
-            description: Some(r#"The entire contents of the apply_patch command"#.to_string()),
-        },
-    );
-
-    OpenAiTool::Function(ResponsesApiTool {
-        name: "apply_patch".to_string(),
-        description: r#"Use this tool to edit files.
-Your patch language is a stripped‑down, file‑oriented diff format designed to be easy to parse and safe to apply. You can think of it as a high‑level envelope:
-
-**_ Begin Patch
-[ one or more file sections ]
-_** End Patch
-
-Within that envelope, you get a sequence of file operations.
-You MUST include a header to specify the action you are taking.
-Each operation starts with one of three headers:
-
-**_ Add File: <path> - create a new file. Every following line is a + line (the initial contents).
-_** Delete File: <path> - remove an existing file. Nothing follows.
-\*\*\* Update File: <path> - patch an existing file in place (optionally with a rename).
-
-May be immediately followed by \*\*\* Move to: <new path> if you want to rename the file.
-Then one or more “hunks”, each introduced by @@ (optionally followed by a hunk header).
-Within a hunk each line starts with:
-
-- for inserted text,
-
-* for removed text, or
-  space ( ) for context.
-  At the end of a truncated hunk you can emit \*\*\* End of File.
-
-Patch := Begin { FileOp } End
-Begin := "**_ Begin Patch" NEWLINE
-End := "_** End Patch" NEWLINE
-FileOp := AddFile | DeleteFile | UpdateFile
-AddFile := "**_ Add File: " path NEWLINE { "+" line NEWLINE }
-DeleteFile := "_** Delete File: " path NEWLINE
-UpdateFile := "**_ Update File: " path NEWLINE [ MoveTo ] { Hunk }
-MoveTo := "_** Move to: " newPath NEWLINE
-Hunk := "@@" [ header ] NEWLINE { HunkLine } [ "*** End of File" NEWLINE ]
-HunkLine := (" " | "-" | "+") text NEWLINE
-
-A full patch can combine several operations:
-
-**_ Begin Patch
-_** Add File: hello.txt
-+Hello world
-**_ Update File: src/app.py
-_** Move to: src/main.py
-@@ def greet():
--print("Hi")
-+print("Hello, world!")
-**_ Delete File: obsolete.txt
-_** End Patch
-
-It is important to remember:
-
-- You must include a header with your intended action (Add/Delete/Update)
-- You must prefix new lines with `+` even when creating a new file
-"#
-        .to_string(),
-        strict: false,
-        parameters: JsonSchema::Object {
-            properties,
-            required: Some(vec!["input".to_string()]),
-            additional_properties: Some(false),
-        },
-    })
-}
-
 /// Returns JSON values that are compatible with Function Calling in the
 /// Responses API:
 /// https://platform.openai.com/docs/guides/function-calling?api-mode=responses
-pub(crate) fn create_tools_json_for_responses_api(
+pub fn create_tools_json_for_responses_api(
     tools: &Vec<OpenAiTool>,
 ) -> crate::error::Result<Vec<serde_json::Value>> {
     let mut tools_json = Vec::new();
@@ -533,18 +512,42 @@ pub(crate) fn get_openai_tools(
         ConfigShellToolType::LocalShell => {
             tools.push(OpenAiTool::LocalShell {});
         }
+        ConfigShellToolType::StreamableShell => {
+            tools.push(OpenAiTool::Function(
+                crate::exec_command::create_exec_command_tool_for_responses_api(),
+            ));
+            tools.push(OpenAiTool::Function(
+                crate::exec_command::create_write_stdin_tool_for_responses_api(),
+            ));
+        }
     }
 
     if config.plan_tool {
         tools.push(PLAN_TOOL.clone());
     }
 
-    if config.apply_patch_tool {
-        tools.push(create_apply_patch_tool());
+    if let Some(apply_patch_tool_type) = &config.apply_patch_tool_type {
+        match apply_patch_tool_type {
+            ApplyPatchToolType::Freeform => {
+                tools.push(create_apply_patch_freeform_tool());
+            }
+            ApplyPatchToolType::Function => {
+                tools.push(create_apply_patch_json_tool());
+            }
+        }
+    }
+
+    if config.web_search_request {
+        tools.push(OpenAiTool::WebSearch {});
     }
 
     if let Some(mcp_tools) = mcp_tools {
-        for (name, tool) in mcp_tools {
+        // Ensure deterministic ordering to maximize prompt cache hits.
+        // HashMap iteration order is non-deterministic, so sort by fully-qualified tool name.
+        let mut entries: Vec<(String, mcp_types::Tool)> = mcp_tools.into_iter().collect();
+        entries.sort_by(|a, b| a.0.cmp(&b.0));
+
+        for (name, tool) in entries.into_iter() {
             match mcp_tool_to_openai_tool(name.clone(), tool.clone()) {
                 Ok(converted_tool) => tools.push(OpenAiTool::Function(converted_tool)),
                 Err(e) => {
@@ -571,6 +574,8 @@ mod tests {
             .map(|tool| match tool {
                 OpenAiTool::Function(ResponsesApiTool { name, .. }) => name,
                 OpenAiTool::LocalShell {} => "local_shell",
+                OpenAiTool::WebSearch {} => "web_search",
+                OpenAiTool::Freeform(FreeformTool { name, .. }) => name,
             })
             .collect::<Vec<_>>();
 
@@ -591,43 +596,49 @@ mod tests {
     fn test_get_openai_tools() {
         let model_family = find_family_for_model("codex-mini-latest")
             .expect("codex-mini-latest should be a valid model family");
-        let config = ToolsConfig::new(
-            &model_family,
-            AskForApproval::Never,
-            SandboxPolicy::ReadOnly,
-            true,
-            model_family.uses_apply_patch_tool,
-        );
+        let config = ToolsConfig::new(&ToolsConfigParams {
+            model_family: &model_family,
+            approval_policy: AskForApproval::Never,
+            sandbox_policy: SandboxPolicy::ReadOnly,
+            include_plan_tool: true,
+            include_apply_patch_tool: false,
+            include_web_search_request: true,
+            use_streamable_shell_tool: false,
+        });
         let tools = get_openai_tools(&config, Some(HashMap::new()));
 
-        assert_eq_tool_names(&tools, &["local_shell", "update_plan"]);
+        assert_eq_tool_names(&tools, &["local_shell", "update_plan", "web_search"]);
     }
 
     #[test]
     fn test_get_openai_tools_default_shell() {
         let model_family = find_family_for_model("o3").expect("o3 should be a valid model family");
-        let config = ToolsConfig::new(
-            &model_family,
-            AskForApproval::Never,
-            SandboxPolicy::ReadOnly,
-            true,
-            model_family.uses_apply_patch_tool,
-        );
+        let config = ToolsConfig::new(&ToolsConfigParams {
+            model_family: &model_family,
+            approval_policy: AskForApproval::Never,
+            sandbox_policy: SandboxPolicy::ReadOnly,
+            include_plan_tool: true,
+            include_apply_patch_tool: false,
+            include_web_search_request: true,
+            use_streamable_shell_tool: false,
+        });
         let tools = get_openai_tools(&config, Some(HashMap::new()));
 
-        assert_eq_tool_names(&tools, &["shell", "update_plan"]);
+        assert_eq_tool_names(&tools, &["shell", "update_plan", "web_search"]);
     }
 
     #[test]
     fn test_get_openai_tools_mcp_tools() {
         let model_family = find_family_for_model("o3").expect("o3 should be a valid model family");
-        let config = ToolsConfig::new(
-            &model_family,
-            AskForApproval::Never,
-            SandboxPolicy::ReadOnly,
-            false,
-            model_family.uses_apply_patch_tool,
-        );
+        let config = ToolsConfig::new(&ToolsConfigParams {
+            model_family: &model_family,
+            approval_policy: AskForApproval::Never,
+            sandbox_policy: SandboxPolicy::ReadOnly,
+            include_plan_tool: false,
+            include_apply_patch_tool: false,
+            include_web_search_request: true,
+            use_streamable_shell_tool: false,
+        });
         let tools = get_openai_tools(
             &config,
             Some(HashMap::from([(
@@ -649,8 +660,8 @@ mod tests {
                                     "number_property": { "type": "number" },
                                 },
                                 "required": [
-                                    "string_property",
-                                    "number_property"
+                                    "string_property".to_string(),
+                                    "number_property".to_string()
                                 ],
                                 "additionalProperties": Some(false),
                             },
@@ -666,10 +677,13 @@ mod tests {
             )])),
         );
 
-        assert_eq_tool_names(&tools, &["shell", "test_server/do_something_cool"]);
+        assert_eq_tool_names(
+            &tools,
+            &["shell", "web_search", "test_server/do_something_cool"],
+        );
 
         assert_eq!(
-            tools[1],
+            tools[2],
             OpenAiTool::Function(ResponsesApiTool {
                 name: "test_server/do_something_cool".to_string(),
                 parameters: JsonSchema::Object {
@@ -712,16 +726,93 @@ mod tests {
         );
     }
 
+    #[test]
+    fn test_get_openai_tools_mcp_tools_sorted_by_name() {
+        let model_family = find_family_for_model("o3").expect("o3 should be a valid model family");
+        let config = ToolsConfig::new(&ToolsConfigParams {
+            model_family: &model_family,
+            approval_policy: AskForApproval::Never,
+            sandbox_policy: SandboxPolicy::ReadOnly,
+            include_plan_tool: false,
+            include_apply_patch_tool: false,
+            include_web_search_request: false,
+            use_streamable_shell_tool: false,
+        });
+
+        // Intentionally construct a map with keys that would sort alphabetically.
+        let tools_map: HashMap<String, mcp_types::Tool> = HashMap::from([
+            (
+                "test_server/do".to_string(),
+                mcp_types::Tool {
+                    name: "a".to_string(),
+                    input_schema: ToolInputSchema {
+                        properties: Some(serde_json::json!({})),
+                        required: None,
+                        r#type: "object".to_string(),
+                    },
+                    output_schema: None,
+                    title: None,
+                    annotations: None,
+                    description: Some("a".to_string()),
+                },
+            ),
+            (
+                "test_server/something".to_string(),
+                mcp_types::Tool {
+                    name: "b".to_string(),
+                    input_schema: ToolInputSchema {
+                        properties: Some(serde_json::json!({})),
+                        required: None,
+                        r#type: "object".to_string(),
+                    },
+                    output_schema: None,
+                    title: None,
+                    annotations: None,
+                    description: Some("b".to_string()),
+                },
+            ),
+            (
+                "test_server/cool".to_string(),
+                mcp_types::Tool {
+                    name: "c".to_string(),
+                    input_schema: ToolInputSchema {
+                        properties: Some(serde_json::json!({})),
+                        required: None,
+                        r#type: "object".to_string(),
+                    },
+                    output_schema: None,
+                    title: None,
+                    annotations: None,
+                    description: Some("c".to_string()),
+                },
+            ),
+        ]);
+
+        let tools = get_openai_tools(&config, Some(tools_map));
+        // Expect shell first, followed by MCP tools sorted by fully-qualified name.
+        assert_eq_tool_names(
+            &tools,
+            &[
+                "shell",
+                "test_server/cool",
+                "test_server/do",
+                "test_server/something",
+            ],
+        );
+    }
+
     #[test]
     fn test_mcp_tool_property_missing_type_defaults_to_string() {
         let model_family = find_family_for_model("o3").expect("o3 should be a valid model family");
-        let config = ToolsConfig::new(
-            &model_family,
-            AskForApproval::Never,
-            SandboxPolicy::ReadOnly,
-            false,
-            model_family.uses_apply_patch_tool,
-        );
+        let config = ToolsConfig::new(&ToolsConfigParams {
+            model_family: &model_family,
+            approval_policy: AskForApproval::Never,
+            sandbox_policy: SandboxPolicy::ReadOnly,
+            include_plan_tool: false,
+            include_apply_patch_tool: false,
+            include_web_search_request: true,
+            use_streamable_shell_tool: false,
+        });
 
         let tools = get_openai_tools(
             &config,
@@ -746,10 +837,10 @@ mod tests {
             )])),
         );
 
-        assert_eq_tool_names(&tools, &["shell", "dash/search"]);
+        assert_eq_tool_names(&tools, &["shell", "web_search", "dash/search"]);
 
         assert_eq!(
-            tools[1],
+            tools[2],
             OpenAiTool::Function(ResponsesApiTool {
                 name: "dash/search".to_string(),
                 parameters: JsonSchema::Object {
@@ -771,13 +862,15 @@ mod tests {
     #[test]
     fn test_mcp_tool_integer_normalized_to_number() {
         let model_family = find_family_for_model("o3").expect("o3 should be a valid model family");
-        let config = ToolsConfig::new(
-            &model_family,
-            AskForApproval::Never,
-            SandboxPolicy::ReadOnly,
-            false,
-            model_family.uses_apply_patch_tool,
-        );
+        let config = ToolsConfig::new(&ToolsConfigParams {
+            model_family: &model_family,
+            approval_policy: AskForApproval::Never,
+            sandbox_policy: SandboxPolicy::ReadOnly,
+            include_plan_tool: false,
+            include_apply_patch_tool: false,
+            include_web_search_request: true,
+            use_streamable_shell_tool: false,
+        });
 
         let tools = get_openai_tools(
             &config,
@@ -800,9 +893,9 @@ mod tests {
             )])),
         );
 
-        assert_eq_tool_names(&tools, &["shell", "dash/paginate"]);
+        assert_eq_tool_names(&tools, &["shell", "web_search", "dash/paginate"]);
         assert_eq!(
-            tools[1],
+            tools[2],
             OpenAiTool::Function(ResponsesApiTool {
                 name: "dash/paginate".to_string(),
                 parameters: JsonSchema::Object {
@@ -822,13 +915,15 @@ mod tests {
     #[test]
     fn test_mcp_tool_array_without_items_gets_default_string_items() {
         let model_family = find_family_for_model("o3").expect("o3 should be a valid model family");
-        let config = ToolsConfig::new(
-            &model_family,
-            AskForApproval::Never,
-            SandboxPolicy::ReadOnly,
-            false,
-            model_family.uses_apply_patch_tool,
-        );
+        let config = ToolsConfig::new(&ToolsConfigParams {
+            model_family: &model_family,
+            approval_policy: AskForApproval::Never,
+            sandbox_policy: SandboxPolicy::ReadOnly,
+            include_plan_tool: false,
+            include_apply_patch_tool: false,
+            include_web_search_request: true,
+            use_streamable_shell_tool: false,
+        });
 
         let tools = get_openai_tools(
             &config,
@@ -851,9 +946,9 @@ mod tests {
             )])),
         );
 
-        assert_eq_tool_names(&tools, &["shell", "dash/tags"]);
+        assert_eq_tool_names(&tools, &["shell", "web_search", "dash/tags"]);
         assert_eq!(
-            tools[1],
+            tools[2],
             OpenAiTool::Function(ResponsesApiTool {
                 name: "dash/tags".to_string(),
                 parameters: JsonSchema::Object {
@@ -876,13 +971,15 @@ mod tests {
     #[test]
     fn test_mcp_tool_anyof_defaults_to_string() {
         let model_family = find_family_for_model("o3").expect("o3 should be a valid model family");
-        let config = ToolsConfig::new(
-            &model_family,
-            AskForApproval::Never,
-            SandboxPolicy::ReadOnly,
-            false,
-            model_family.uses_apply_patch_tool,
-        );
+        let config = ToolsConfig::new(&ToolsConfigParams {
+            model_family: &model_family,
+            approval_policy: AskForApproval::Never,
+            sandbox_policy: SandboxPolicy::ReadOnly,
+            include_plan_tool: false,
+            include_apply_patch_tool: false,
+            include_web_search_request: true,
+            use_streamable_shell_tool: false,
+        });
 
         let tools = get_openai_tools(
             &config,
@@ -905,9 +1002,9 @@ mod tests {
             )])),
         );
 
-        assert_eq_tool_names(&tools, &["shell", "dash/value"]);
+        assert_eq_tool_names(&tools, &["shell", "web_search", "dash/value"]);
         assert_eq!(
-            tools[1],
+            tools[2],
             OpenAiTool::Function(ResponsesApiTool {
                 name: "dash/value".to_string(),
                 parameters: JsonSchema::Object {

codex-rs/core/src/plan_tool.rs

@@ -2,13 +2,13 @@ use std::collections::BTreeMap;
 use std::sync::LazyLock;
 
 use crate::codex::Session;
-use crate::models::FunctionCallOutputPayload;
-use crate::models::ResponseInputItem;
 use crate::openai_tools::JsonSchema;
 use crate::openai_tools::OpenAiTool;
 use crate::openai_tools::ResponsesApiTool;
 use crate::protocol::Event;
 use crate::protocol::EventMsg;
+use codex_protocol::models::FunctionCallOutputPayload;
+use codex_protocol::models::ResponseInputItem;
 
 // Use the canonical plan tool types from the protocol crate to ensure
 // type-identity matches events transported via `codex_protocol`.

codex-rs/core/src/project_doc.rs

@@ -1,18 +1,19 @@
 //! Project-level documentation discovery.
 //!
-//! Project-level documentation can be stored in a file named `AGENTS.md`.
-//! Currently, we include only the contents of the first file found as follows:
+//! Project-level documentation can be stored in files named `AGENTS.md`.
+//! We include the concatenation of all files found along the path from the
+//! repository root to the current working directory as follows:
 //!
-//! 1.  Look for the doc file in the current working directory (as determined
-//!     by the `Config`).
-//! 2.  If not found, walk *upwards* until the Git repository root is reached
-//!     (detected by the presence of a `.git` directory/file), or failing that,
-//!     the filesystem root.
-//! 3.  If the Git root is encountered, look for the doc file there. If it
-//!     exists, the search stops – we do **not** walk past the Git root.
+//! 1.  Determine the Git repository root by walking upwards from the current
+//!     working directory until a `.git` directory or file is found. If no Git
+//!     root is found, only the current working directory is considered.
+//! 2.  Collect every `AGENTS.md` found from the repository root down to the
+//!     current working directory (inclusive) and concatenate their contents in
+//!     that order.
+//! 3.  We do **not** walk past the Git root.
 
 use crate::config::Config;
-use std::path::Path;
+use std::path::PathBuf;
 use tokio::io::AsyncReadExt;
 use tracing::error;
 
@@ -26,7 +27,7 @@ const PROJECT_DOC_SEPARATOR: &str = "\n\n--- project-doc ---\n\n";
 /// Combines `Config::instructions` and `AGENTS.md` (if present) into a single
 /// string of instructions.
 pub(crate) async fn get_user_instructions(config: &Config) -> Option<String> {
-    match find_project_doc(config).await {
+    match read_project_docs(config).await {
         Ok(Some(project_doc)) => match &config.user_instructions {
             Some(original_instructions) => Some(format!(
                 "{original_instructions}{PROJECT_DOC_SEPARATOR}{project_doc}"
@@ -41,95 +42,135 @@ pub(crate) async fn get_user_instructions(config: &Config) -> Option<String> {
     }
 }
 
-/// Attempt to locate and load the project documentation. Currently, the search
-/// starts from `Config::cwd`, but if we may want to consider other directories
-/// in the future, e.g., additional writable directories in the `SandboxPolicy`.
+/// Attempt to locate and load the project documentation.
 ///
-/// On success returns `Ok(Some(contents))`. If no documentation file is found
-/// the function returns `Ok(None)`. Unexpected I/O failures bubble up as
-/// `Err` so callers can decide how to handle them.
-async fn find_project_doc(config: &Config) -> std::io::Result<Option<String>> {
-    let max_bytes = config.project_doc_max_bytes;
+/// On success returns `Ok(Some(contents))` where `contents` is the
+/// concatenation of all discovered docs. If no documentation file is found the
+/// function returns `Ok(None)`. Unexpected I/O failures bubble up as `Err` so
+/// callers can decide how to handle them.
+pub async fn read_project_docs(config: &Config) -> std::io::Result<Option<String>> {
+    let max_total = config.project_doc_max_bytes;
 
-    // Attempt to load from the working directory first.
-    if let Some(doc) = load_first_candidate(&config.cwd, CANDIDATE_FILENAMES, max_bytes).await? {
-        return Ok(Some(doc));
+    if max_total == 0 {
+        return Ok(None);
     }
 
-    // Walk up towards the filesystem root, stopping once we encounter the Git
-    // repository root. The presence of **either** a `.git` *file* or
-    // *directory* counts.
-    let mut dir = config.cwd.clone();
+    let paths = discover_project_doc_paths(config)?;
+    if paths.is_empty() {
+        return Ok(None);
+    }
 
-    // Canonicalize the path so that we do not end up in an infinite loop when
-    // `cwd` contains `..` components.
+    let mut remaining: u64 = max_total as u64;
+    let mut parts: Vec<String> = Vec::new();
+
+    for p in paths {
+        if remaining == 0 {
+            break;
+        }
+
+        let file = match tokio::fs::File::open(&p).await {
+            Ok(f) => f,
+            Err(e) if e.kind() == std::io::ErrorKind::NotFound => continue,
+            Err(e) => return Err(e),
+        };
+
+        let size = file.metadata().await?.len();
+        let mut reader = tokio::io::BufReader::new(file).take(remaining);
+        let mut data: Vec<u8> = Vec::new();
+        reader.read_to_end(&mut data).await?;
+
+        if size > remaining {
+            tracing::warn!(
+                "Project doc `{}` exceeds remaining budget ({} bytes) - truncating.",
+                p.display(),
+                remaining,
+            );
+        }
+
+        let text = String::from_utf8_lossy(&data).to_string();
+        if !text.trim().is_empty() {
+            parts.push(text);
+            remaining = remaining.saturating_sub(data.len() as u64);
+        }
+    }
+
+    if parts.is_empty() {
+        Ok(None)
+    } else {
+        Ok(Some(parts.join("\n\n")))
+    }
+}
+
+/// Discover the list of AGENTS.md files using the same search rules as
+/// `read_project_docs`, but return the file paths instead of concatenated
+/// contents. The list is ordered from repository root to the current working
+/// directory (inclusive). Symlinks are allowed. When `project_doc_max_bytes`
+/// is zero, returns an empty list.
+pub fn discover_project_doc_paths(config: &Config) -> std::io::Result<Vec<PathBuf>> {
+    let mut dir = config.cwd.clone();
     if let Ok(canon) = dir.canonicalize() {
         dir = canon;
     }
 
-    while let Some(parent) = dir.parent() {
-        // `.git` can be a *file* (for worktrees or submodules) or a *dir*.
-        let git_marker = dir.join(".git");
-        let git_exists = match tokio::fs::metadata(&git_marker).await {
+    // Build chain from cwd upwards and detect git root.
+    let mut chain: Vec<PathBuf> = vec![dir.clone()];
+    let mut git_root: Option<PathBuf> = None;
+    let mut cursor = dir.clone();
+    while let Some(parent) = cursor.parent() {
+        let git_marker = cursor.join(".git");
+        let git_exists = match std::fs::metadata(&git_marker) {
             Ok(_) => true,
             Err(e) if e.kind() == std::io::ErrorKind::NotFound => false,
             Err(e) => return Err(e),
         };
 
         if git_exists {
-            // We are at the repo root – attempt one final load.
-            if let Some(doc) = load_first_candidate(&dir, CANDIDATE_FILENAMES, max_bytes).await? {
-                return Ok(Some(doc));
-            }
+            git_root = Some(cursor.clone());
             break;
         }
 
-        dir = parent.to_path_buf();
+        chain.push(parent.to_path_buf());
+        cursor = parent.to_path_buf();
     }
 
-    Ok(None)
-}
-
-/// Attempt to load the first candidate file found in `dir`. Returns the file
-/// contents (truncated if it exceeds `max_bytes`) when successful.
-async fn load_first_candidate(
-    dir: &Path,
-    names: &[&str],
-    max_bytes: usize,
-) -> std::io::Result<Option<String>> {
-    for name in names {
-        let candidate = dir.join(name);
-
-        let file = match tokio::fs::File::open(&candidate).await {
-            Err(e) if e.kind() == std::io::ErrorKind::NotFound => continue,
-            Err(e) => return Err(e),
-            Ok(f) => f,
-        };
-
-        let size = file.metadata().await?.len();
-
-        let reader = tokio::io::BufReader::new(file);
-        let mut data = Vec::with_capacity(std::cmp::min(size as usize, max_bytes));
-        let mut limited = reader.take(max_bytes as u64);
-        limited.read_to_end(&mut data).await?;
-
-        if size as usize > max_bytes {
-            tracing::warn!(
-                "Project doc `{}` exceeds {max_bytes} bytes - truncating.",
-                candidate.display(),
-            );
+    let search_dirs: Vec<PathBuf> = if let Some(root) = git_root {
+        let mut dirs: Vec<PathBuf> = Vec::new();
+        let mut saw_root = false;
+        for p in chain.iter().rev() {
+            if !saw_root {
+                if p == &root {
+                    saw_root = true;
+                } else {
+                    continue;
+                }
+            }
+            dirs.push(p.clone());
         }
+        dirs
+    } else {
+        vec![config.cwd.clone()]
+    };
 
-        let contents = String::from_utf8_lossy(&data).to_string();
-        if contents.trim().is_empty() {
-            // Empty file – treat as not found.
-            continue;
+    let mut found: Vec<PathBuf> = Vec::new();
+    for d in search_dirs {
+        for name in CANDIDATE_FILENAMES {
+            let candidate = d.join(name);
+            match std::fs::symlink_metadata(&candidate) {
+                Ok(md) => {
+                    let ft = md.file_type();
+                    // Allow regular files and symlinks; opening will later fail for dangling links.
+                    if ft.is_file() || ft.is_symlink() {
+                        found.push(candidate);
+                        break;
+                    }
+                }
+                Err(e) if e.kind() == std::io::ErrorKind::NotFound => continue,
+                Err(e) => return Err(e),
+            }
         }
-
-        return Ok(Some(contents));
     }
 
-    Ok(None)
+    Ok(found)
 }
 
 #[cfg(test)]
@@ -278,4 +319,32 @@ mod tests {
 
         assert_eq!(res, Some(INSTRUCTIONS.to_string()));
     }
+
+    /// When both the repository root and the working directory contain
+    /// AGENTS.md files, their contents are concatenated from root to cwd.
+    #[tokio::test]
+    async fn concatenates_root_and_cwd_docs() {
+        let repo = tempfile::tempdir().expect("tempdir");
+
+        // Simulate a git repository.
+        std::fs::write(
+            repo.path().join(".git"),
+            "gitdir: /path/to/actual/git/dir\n",
+        )
+        .unwrap();
+
+        // Repo root doc.
+        fs::write(repo.path().join("AGENTS.md"), "root doc").unwrap();
+
+        // Nested working directory with its own doc.
+        let nested = repo.path().join("workspace/crate_a");
+        std::fs::create_dir_all(&nested).unwrap();
+        fs::write(nested.join("AGENTS.md"), "crate doc").unwrap();
+
+        let mut cfg = make_config(&repo, 4096, None);
+        cfg.cwd = nested;
+
+        let res = get_user_instructions(&cfg).await.expect("doc expected");
+        assert_eq!(res, "root doc\n\ncrate doc");
+    }
 }

codex-rs/core/src/rollout.rs

@@ -22,7 +22,7 @@ use uuid::Uuid;
 use crate::config::Config;
 use crate::git_info::GitInfo;
 use crate::git_info::collect_git_info;
-use crate::models::ResponseItem;
+use codex_protocol::models::ResponseItem;
 
 const SESSIONS_SUBDIR: &str = "sessions";
 
@@ -132,6 +132,8 @@ impl RolloutRecorder {
                 | ResponseItem::LocalShellCall { .. }
                 | ResponseItem::FunctionCall { .. }
                 | ResponseItem::FunctionCallOutput { .. }
+                | ResponseItem::CustomToolCall { .. }
+                | ResponseItem::CustomToolCallOutput { .. }
                 | ResponseItem::Reasoning { .. } => filtered.push(item.clone()),
                 ResponseItem::Other => {
                     // These should never be serialized.
@@ -194,6 +196,8 @@ impl RolloutRecorder {
                     | ResponseItem::LocalShellCall { .. }
                     | ResponseItem::FunctionCall { .. }
                     | ResponseItem::FunctionCallOutput { .. }
+                    | ResponseItem::CustomToolCall { .. }
+                    | ResponseItem::CustomToolCallOutput { .. }
                     | ResponseItem::Reasoning { .. } => items.push(item),
                     ResponseItem::Other => {}
                 },
@@ -317,6 +321,8 @@ async fn rollout_writer(
                         | ResponseItem::LocalShellCall { .. }
                         | ResponseItem::FunctionCall { .. }
                         | ResponseItem::FunctionCallOutput { .. }
+                        | ResponseItem::CustomToolCall { .. }
+                        | ResponseItem::CustomToolCallOutput { .. }
                         | ResponseItem::Reasoning { .. } => {
                             writer.write_line(&item).await?;
                         }

codex-rs/core/src/shell.rs

@@ -1,14 +1,24 @@
+use serde::Deserialize;
+use serde::Serialize;
 use shlex;
+use std::path::PathBuf;
 
-#[derive(Debug, PartialEq, Eq)]
+#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize)]
 pub struct ZshShell {
     shell_path: String,
     zshrc_path: String,
 }
 
-#[derive(Debug, PartialEq, Eq)]
+#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize)]
+pub struct PowerShellConfig {
+    exe: String, // Executable name or path, e.g. "pwsh" or "powershell.exe".
+    bash_exe_fallback: Option<PathBuf>, // In case the model generates a bash command.
+}
+
+#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize)]
 pub enum Shell {
     Zsh(ZshShell),
+    PowerShell(PowerShellConfig),
     Unknown,
 }
 
@@ -33,6 +43,61 @@ impl Shell {
                 }
                 Some(result)
             }
+            Shell::PowerShell(ps) => {
+                // If model generated a bash command, prefer a detected bash fallback
+                if let Some(script) = strip_bash_lc(&command) {
+                    return match &ps.bash_exe_fallback {
+                        Some(bash) => Some(vec![
+                            bash.to_string_lossy().to_string(),
+                            "-lc".to_string(),
+                            script,
+                        ]),
+
+                        // No bash fallback → run the script under PowerShell.
+                        // It will likely fail (except for some simple commands), but the error
+                        // should give a clue to the model to fix upon retry that it's running under PowerShell.
+                        None => Some(vec![
+                            ps.exe.clone(),
+                            "-NoProfile".to_string(),
+                            "-Command".to_string(),
+                            script,
+                        ]),
+                    };
+                }
+
+                // Not a bash command. If model did not generate a PowerShell command,
+                // turn it into a PowerShell command.
+                let first = command.first().map(String::as_str);
+                if first != Some(ps.exe.as_str()) {
+                    // TODO (CODEX_2900): Handle escaping newlines.
+                    if command.iter().any(|a| a.contains('\n') || a.contains('\r')) {
+                        return Some(command);
+                    }
+
+                    let joined = shlex::try_join(command.iter().map(|s| s.as_str())).ok();
+                    return joined.map(|arg| {
+                        vec![
+                            ps.exe.clone(),
+                            "-NoProfile".to_string(),
+                            "-Command".to_string(),
+                            arg,
+                        ]
+                    });
+                }
+
+                // Model generated a PowerShell command. Run it.
+                Some(command)
+            }
+            Shell::Unknown => None,
+        }
+    }
+
+    pub fn name(&self) -> Option<String> {
+        match self {
+            Shell::Zsh(zsh) => std::path::Path::new(&zsh.shell_path)
+                .file_name()
+                .map(|s| s.to_string_lossy().to_string()),
+            Shell::PowerShell(ps) => Some(ps.exe.clone()),
             Shell::Unknown => None,
         }
     }
@@ -86,11 +151,51 @@ pub async fn default_user_shell() -> Shell {
     }
 }
 
-#[cfg(not(target_os = "macos"))]
+#[cfg(all(not(target_os = "macos"), not(target_os = "windows")))]
 pub async fn default_user_shell() -> Shell {
     Shell::Unknown
 }
 
+#[cfg(target_os = "windows")]
+pub async fn default_user_shell() -> Shell {
+    use tokio::process::Command;
+
+    // Prefer PowerShell 7+ (`pwsh`) if available, otherwise fall back to Windows PowerShell.
+    let has_pwsh = Command::new("pwsh")
+        .arg("-NoLogo")
+        .arg("-NoProfile")
+        .arg("-Command")
+        .arg("$PSVersionTable.PSVersion.Major")
+        .output()
+        .await
+        .map(|o| o.status.success())
+        .unwrap_or(false);
+    let bash_exe = if Command::new("bash.exe")
+        .arg("--version")
+        .output()
+        .await
+        .ok()
+        .map(|o| o.status.success())
+        .unwrap_or(false)
+    {
+        which::which("bash.exe").ok()
+    } else {
+        None
+    };
+
+    if has_pwsh {
+        Shell::PowerShell(PowerShellConfig {
+            exe: "pwsh.exe".to_string(),
+            bash_exe_fallback: bash_exe,
+        })
+    } else {
+        Shell::PowerShell(PowerShellConfig {
+            exe: "powershell.exe".to_string(),
+            bash_exe_fallback: bash_exe,
+        })
+    }
+}
+
 #[cfg(test)]
 #[cfg(target_os = "macos")]
 mod tests {
@@ -231,3 +336,97 @@ mod tests {
         }
     }
 }
+
+#[cfg(test)]
+#[cfg(target_os = "windows")]
+mod tests_windows {
+    use super::*;
+
+    #[test]
+    fn test_format_default_shell_invocation_powershell() {
+        let cases = vec![
+            (
+                Shell::PowerShell(PowerShellConfig {
+                    exe: "pwsh.exe".to_string(),
+                    bash_exe_fallback: None,
+                }),
+                vec!["bash", "-lc", "echo hello"],
+                vec!["pwsh.exe", "-NoProfile", "-Command", "echo hello"],
+            ),
+            (
+                Shell::PowerShell(PowerShellConfig {
+                    exe: "powershell.exe".to_string(),
+                    bash_exe_fallback: None,
+                }),
+                vec!["bash", "-lc", "echo hello"],
+                vec!["powershell.exe", "-NoProfile", "-Command", "echo hello"],
+            ),
+            (
+                Shell::PowerShell(PowerShellConfig {
+                    exe: "pwsh.exe".to_string(),
+                    bash_exe_fallback: Some(PathBuf::from("bash.exe")),
+                }),
+                vec!["bash", "-lc", "echo hello"],
+                vec!["bash.exe", "-lc", "echo hello"],
+            ),
+            (
+                Shell::PowerShell(PowerShellConfig {
+                    exe: "pwsh.exe".to_string(),
+                    bash_exe_fallback: Some(PathBuf::from("bash.exe")),
+                }),
+                vec![
+                    "bash",
+                    "-lc",
+                    "apply_patch <<'EOF'\n*** Begin Patch\n*** Update File: destination_file.txt\n-original content\n+modified content\n*** End Patch\nEOF",
+                ],
+                vec![
+                    "bash.exe",
+                    "-lc",
+                    "apply_patch <<'EOF'\n*** Begin Patch\n*** Update File: destination_file.txt\n-original content\n+modified content\n*** End Patch\nEOF",
+                ],
+            ),
+            (
+                Shell::PowerShell(PowerShellConfig {
+                    exe: "pwsh.exe".to_string(),
+                    bash_exe_fallback: Some(PathBuf::from("bash.exe")),
+                }),
+                vec!["echo", "hello"],
+                vec!["pwsh.exe", "-NoProfile", "-Command", "echo hello"],
+            ),
+            (
+                Shell::PowerShell(PowerShellConfig {
+                    exe: "pwsh.exe".to_string(),
+                    bash_exe_fallback: Some(PathBuf::from("bash.exe")),
+                }),
+                vec!["pwsh.exe", "-NoProfile", "-Command", "echo hello"],
+                vec!["pwsh.exe", "-NoProfile", "-Command", "echo hello"],
+            ),
+            (
+                // TODO (CODEX_2900): Handle escaping newlines for powershell invocation.
+                Shell::PowerShell(PowerShellConfig {
+                    exe: "powershell.exe".to_string(),
+                    bash_exe_fallback: Some(PathBuf::from("bash.exe")),
+                }),
+                vec![
+                    "codex-mcp-server.exe",
+                    "--codex-run-as-apply-patch",
+                    "*** Begin Patch\n*** Update File: C:\\Users\\person\\destination_file.txt\n-original content\n+modified content\n*** End Patch",
+                ],
+                vec![
+                    "codex-mcp-server.exe",
+                    "--codex-run-as-apply-patch",
+                    "*** Begin Patch\n*** Update File: C:\\Users\\person\\destination_file.txt\n-original content\n+modified content\n*** End Patch",
+                ],
+            ),
+        ];
+
+        for (shell, input, expected_cmd) in cases {
+            let actual_cmd = shell
+                .format_default_shell_invocation(input.iter().map(|s| s.to_string()).collect());
+            assert_eq!(
+                actual_cmd,
+                Some(expected_cmd.iter().map(|s| s.to_string()).collect())
+            );
+        }
+    }
+}

codex-rs/core/src/spawn.rs

@@ -22,9 +22,6 @@ pub const CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR: &str = "CODEX_SANDBOX_NETWORK_
 /// accommodate sandboxing configuration and other sandboxing mechanisms.
 pub const CODEX_SANDBOX_ENV_VAR: &str = "CODEX_SANDBOX";
 
-/// Set this to change the originator sent with all network requests.
-pub const CODEX_ORIGINATOR_ENV_VAR: &str = "CODEX_ORIGINATOR";
-
 #[derive(Debug, Clone, Copy)]
 pub enum StdioPolicy {
     RedirectForShellTool,

codex-rs/core/src/terminal.rs

@@ -0,0 +1,72 @@
+use std::sync::OnceLock;
+
+static TERMINAL: OnceLock<String> = OnceLock::new();
+
+pub fn user_agent() -> String {
+    TERMINAL.get_or_init(detect_terminal).to_string()
+}
+
+/// Sanitize a header value to be used in a User-Agent string.
+///
+/// This function replaces any characters that are not allowed in a User-Agent string with an underscore.
+///
+/// # Arguments
+///
+/// * `value` - The value to sanitize.
+fn is_valid_header_value_char(c: char) -> bool {
+    c.is_ascii_alphanumeric() || c == '-' || c == '_' || c == '.' || c == '/'
+}
+
+fn sanitize_header_value(value: String) -> String {
+    value.replace(|c| !is_valid_header_value_char(c), "_")
+}
+
+fn detect_terminal() -> String {
+    sanitize_header_value(
+        if let Ok(tp) = std::env::var("TERM_PROGRAM")
+            && !tp.trim().is_empty()
+        {
+            let ver = std::env::var("TERM_PROGRAM_VERSION").ok();
+            match ver {
+                Some(v) if !v.trim().is_empty() => format!("{tp}/{v}"),
+                _ => tp,
+            }
+        } else if let Ok(v) = std::env::var("WEZTERM_VERSION") {
+            if !v.trim().is_empty() {
+                format!("WezTerm/{v}")
+            } else {
+                "WezTerm".to_string()
+            }
+        } else if std::env::var("KITTY_WINDOW_ID").is_ok()
+            || std::env::var("TERM")
+                .map(|t| t.contains("kitty"))
+                .unwrap_or(false)
+        {
+            "kitty".to_string()
+        } else if std::env::var("ALACRITTY_SOCKET").is_ok()
+            || std::env::var("TERM")
+                .map(|t| t == "alacritty")
+                .unwrap_or(false)
+        {
+            "Alacritty".to_string()
+        } else if let Ok(v) = std::env::var("KONSOLE_VERSION") {
+            if !v.trim().is_empty() {
+                format!("Konsole/{v}")
+            } else {
+                "Konsole".to_string()
+            }
+        } else if std::env::var("GNOME_TERMINAL_SCREEN").is_ok() {
+            return "gnome-terminal".to_string();
+        } else if let Ok(v) = std::env::var("VTE_VERSION") {
+            if !v.trim().is_empty() {
+                format!("VTE/{v}")
+            } else {
+                "VTE".to_string()
+            }
+        } else if std::env::var("WT_SESSION").is_ok() {
+            return "WindowsTerminal".to_string();
+        } else {
+            std::env::var("TERM").unwrap_or_else(|_| "unknown".to_string())
+        },
+    )
+}

codex-rs/core/src/tool_apply_patch.rs

@@ -0,0 +1,145 @@
+use serde::Deserialize;
+use serde::Serialize;
+use std::collections::BTreeMap;
+
+use crate::openai_tools::FreeformTool;
+use crate::openai_tools::FreeformToolFormat;
+use crate::openai_tools::JsonSchema;
+use crate::openai_tools::OpenAiTool;
+use crate::openai_tools::ResponsesApiTool;
+
+#[derive(Serialize, Deserialize)]
+pub(crate) struct ApplyPatchToolArgs {
+    pub(crate) input: String,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, Hash)]
+#[serde(rename_all = "snake_case")]
+pub enum ApplyPatchToolType {
+    Freeform,
+    Function,
+}
+
+/// Returns a custom tool that can be used to edit files. Well-suited for GPT-5 models
+/// https://platform.openai.com/docs/guides/function-calling#custom-tools
+pub(crate) fn create_apply_patch_freeform_tool() -> OpenAiTool {
+    OpenAiTool::Freeform(FreeformTool {
+        name: "apply_patch".to_string(),
+        description: "Use the `apply_patch` tool to edit files".to_string(),
+        format: FreeformToolFormat {
+            r#type: "grammar".to_string(),
+            syntax: "lark".to_string(),
+            definition: r#"start: begin_patch hunk+ end_patch
+begin_patch: "*** Begin Patch" LF
+end_patch: "*** End Patch" LF?
+
+hunk: add_hunk | delete_hunk | update_hunk
+add_hunk: "*** Add File: " filename LF add_line+
+delete_hunk: "*** Delete File: " filename LF
+update_hunk: "*** Update File: " filename LF change_move? change?
+
+filename: /(.+)/
+add_line: "+" /(.+)/ LF -> line
+
+change_move: "*** Move to: " filename LF
+change: (change_context | change_line)+ eof_line?
+change_context: ("@@" | "@@ " /(.+)/) LF
+change_line: ("+" | "-" | " ") /(.+)/ LF
+eof_line: "*** End of File" LF
+
+%import common.LF
+"#
+            .to_string(),
+        },
+    })
+}
+
+/// Returns a json tool that can be used to edit files. Should only be used with gpt-oss models
+pub(crate) fn create_apply_patch_json_tool() -> OpenAiTool {
+    let mut properties = BTreeMap::new();
+    properties.insert(
+        "input".to_string(),
+        JsonSchema::String {
+            description: Some(r#"The entire contents of the apply_patch command"#.to_string()),
+        },
+    );
+
+    OpenAiTool::Function(ResponsesApiTool {
+        name: "apply_patch".to_string(),
+        description: r#"Use the `apply_patch` tool to edit files.
+Your patch language is a stripped‑down, file‑oriented diff format designed to be easy to parse and safe to apply. You can think of it as a high‑level envelope:
+
+*** Begin Patch
+[ one or more file sections ]
+*** End Patch
+
+Within that envelope, you get a sequence of file operations.
+You MUST include a header to specify the action you are taking.
+Each operation starts with one of three headers:
+
+*** Add File: <path> - create a new file. Every following line is a + line (the initial contents).
+*** Delete File: <path> - remove an existing file. Nothing follows.
+*** Update File: <path> - patch an existing file in place (optionally with a rename).
+
+May be immediately followed by *** Move to: <new path> if you want to rename the file.
+Then one or more “hunks”, each introduced by @@ (optionally followed by a hunk header).
+Within a hunk each line starts with:
+
+For instructions on [context_before] and [context_after]:
+- By default, show 3 lines of code immediately above and 3 lines immediately below each change. If a change is within 3 lines of a previous change, do NOT duplicate the first change’s [context_after] lines in the second change’s [context_before] lines.
+- If 3 lines of context is insufficient to uniquely identify the snippet of code within the file, use the @@ operator to indicate the class or function to which the snippet belongs. For instance, we might have:
+@@ class BaseClass
+[3 lines of pre-context]
+- [old_code]
++ [new_code]
+[3 lines of post-context]
+
+- If a code block is repeated so many times in a class or function such that even a single `@@` statement and 3 lines of context cannot uniquely identify the snippet of code, you can use multiple `@@` statements to jump to the right context. For instance:
+
+@@ class BaseClass
+@@ 	 def method():
+[3 lines of pre-context]
+- [old_code]
++ [new_code]
+[3 lines of post-context]
+
+The full grammar definition is below:
+Patch := Begin { FileOp } End
+Begin := "*** Begin Patch" NEWLINE
+End := "*** End Patch" NEWLINE
+FileOp := AddFile | DeleteFile | UpdateFile
+AddFile := "*** Add File: " path NEWLINE { "+" line NEWLINE }
+DeleteFile := "*** Delete File: " path NEWLINE
+UpdateFile := "*** Update File: " path NEWLINE [ MoveTo ] { Hunk }
+MoveTo := "*** Move to: " newPath NEWLINE
+Hunk := "@@" [ header ] NEWLINE { HunkLine } [ "*** End of File" NEWLINE ]
+HunkLine := (" " | "-" | "+") text NEWLINE
+
+A full patch can combine several operations:
+
+*** Begin Patch
+*** Add File: hello.txt
++Hello world
+*** Update File: src/app.py
+*** Move to: src/main.py
+@@ def greet():
+-print("Hi")
++print("Hello, world!")
+*** Delete File: obsolete.txt
+*** End Patch
+
+It is important to remember:
+
+- You must include a header with your intended action (Add/Delete/Update)
+- You must prefix new lines with `+` even when creating a new file
+- File references can only be relative, NEVER ABSOLUTE.
+"#
+        .to_string(),
+        strict: false,
+        parameters: JsonSchema::Object {
+            properties,
+            required: Some(vec!["input".to_string()]),
+            additional_properties: Some(false),
+        },
+    })
+}

codex-rs/core/src/user_agent.rs

@@ -4,11 +4,12 @@ pub fn get_codex_user_agent(originator: Option<&str>) -> String {
     let build_version = env!("CARGO_PKG_VERSION");
     let os_info = os_info::get();
     format!(
-        "{}/{build_version} ({} {}; {})",
+        "{}/{build_version} ({} {}; {}) {}",
         originator.unwrap_or(DEFAULT_ORIGINATOR),
         os_info.os_type(),
         os_info.version(),
         os_info.architecture().unwrap_or("unknown"),
+        crate::terminal::user_agent()
     )
 }
 
@@ -27,9 +28,10 @@ mod tests {
     fn test_macos() {
         use regex_lite::Regex;
         let user_agent = get_codex_user_agent(None);
-        let re =
-            Regex::new(r"^codex_cli_rs/\d+\.\d+\.\d+ \(Mac OS \d+\.\d+\.\d+; (x86_64|arm64)\)$")
-                .unwrap();
+        let re = Regex::new(
+            r"^codex_cli_rs/\d+\.\d+\.\d+ \(Mac OS \d+\.\d+\.\d+; (x86_64|arm64)\) (\S+)$",
+        )
+        .unwrap();
         assert!(re.is_match(&user_agent));
     }
 }

codex-rs/core/tests/all.rs

@@ -0,0 +1,3 @@
+// Single integration test binary that aggregates all test modules.
+// The submodules live in `tests/all/`.
+mod suite;

codex-rs/core/tests/suite/client.rs

@@ -12,6 +12,7 @@ use codex_login::CodexAuth;
 use core_test_support::load_default_config_for_test;
 use core_test_support::load_sse_fixture_with_id;
 use core_test_support::wait_for_event;
+use serde_json::json;
 use tempfile::TempDir;
 use wiremock::Mock;
 use wiremock::MockServer;
@@ -66,7 +67,6 @@ fn write_auth_json(
     account_id: Option<&str>,
 ) -> String {
     use base64::Engine as _;
-    use serde_json::json;
 
     let header = json!({ "alg": "none", "typ": "JWT" });
     let payload = json!({
@@ -142,13 +142,14 @@ async fn includes_session_id_and_model_headers_in_request() {
     let mut config = load_default_config_for_test(&codex_home);
     config.model_provider = model_provider;
 
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager =
+        ConversationManager::with_auth(CodexAuth::from_api_key("Test API Key"));
     let NewConversation {
         conversation: codex,
         conversation_id,
         session_configured: _,
     } = conversation_manager
-        .new_conversation_with_auth(config, Some(CodexAuth::from_api_key("Test API Key")))
+        .new_conversation(config)
         .await
         .expect("create new conversation");
 
@@ -207,9 +208,10 @@ async fn includes_base_instructions_override_in_request() {
     config.base_instructions = Some("test instructions".to_string());
     config.model_provider = model_provider;
 
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager =
+        ConversationManager::with_auth(CodexAuth::from_api_key("Test API Key"));
     let codex = conversation_manager
-        .new_conversation_with_auth(config, Some(CodexAuth::from_api_key("Test API Key")))
+        .new_conversation(config)
         .await
         .expect("create new conversation")
         .conversation;
@@ -260,11 +262,12 @@ async fn originator_config_override_is_used() {
     let codex_home = TempDir::new().unwrap();
     let mut config = load_default_config_for_test(&codex_home);
     config.model_provider = model_provider;
-    config.internal_originator = Some("my_override".to_string());
+    config.responses_originator_header = "my_override".to_owned();
 
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager =
+        ConversationManager::with_auth(CodexAuth::from_api_key("Test API Key"));
     let codex = conversation_manager
-        .new_conversation_with_auth(config, Some(CodexAuth::from_api_key("Test API Key")))
+        .new_conversation(config)
         .await
         .expect("create new conversation")
         .conversation;
@@ -318,13 +321,13 @@ async fn chatgpt_auth_sends_correct_request() {
     let codex_home = TempDir::new().unwrap();
     let mut config = load_default_config_for_test(&codex_home);
     config.model_provider = model_provider;
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager = ConversationManager::with_auth(create_dummy_codex_auth());
     let NewConversation {
         conversation: codex,
         conversation_id,
         session_configured: _,
     } = conversation_manager
-        .new_conversation_with_auth(config, Some(create_dummy_codex_auth()))
+        .new_conversation(config)
         .await
         .expect("create new conversation");
 
@@ -411,7 +414,13 @@ async fn prefers_chatgpt_token_when_config_prefers_chatgpt() {
     config.model_provider = model_provider;
     config.preferred_auth_method = AuthMode::ChatGPT;
 
-    let conversation_manager = ConversationManager::default();
+    let auth_manager =
+        match CodexAuth::from_codex_home(codex_home.path(), config.preferred_auth_method) {
+            Ok(Some(auth)) => codex_login::AuthManager::from_auth_for_testing(auth),
+            Ok(None) => panic!("No CodexAuth found in codex_home"),
+            Err(e) => panic!("Failed to load CodexAuth: {}", e),
+        };
+    let conversation_manager = ConversationManager::new(auth_manager);
     let NewConversation {
         conversation: codex,
         ..
@@ -486,7 +495,13 @@ async fn prefers_apikey_when_config_prefers_apikey_even_with_chatgpt_tokens() {
     config.model_provider = model_provider;
     config.preferred_auth_method = AuthMode::ApiKey;
 
-    let conversation_manager = ConversationManager::default();
+    let auth_manager =
+        match CodexAuth::from_codex_home(codex_home.path(), config.preferred_auth_method) {
+            Ok(Some(auth)) => codex_login::AuthManager::from_auth_for_testing(auth),
+            Ok(None) => panic!("No CodexAuth found in codex_home"),
+            Err(e) => panic!("Failed to load CodexAuth: {}", e),
+        };
+    let conversation_manager = ConversationManager::new(auth_manager);
     let NewConversation {
         conversation: codex,
         ..
@@ -540,9 +555,10 @@ async fn includes_user_instructions_message_in_request() {
     config.model_provider = model_provider;
     config.user_instructions = Some("be nice".to_string());
 
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager =
+        ConversationManager::with_auth(CodexAuth::from_api_key("Test API Key"));
     let codex = conversation_manager
-        .new_conversation_with_auth(config, Some(CodexAuth::from_api_key("Test API Key")))
+        .new_conversation(config)
         .await
         .expect("create new conversation")
         .conversation;
@@ -632,9 +648,9 @@ async fn azure_overrides_assign_properties_used_for_responses_url() {
     let mut config = load_default_config_for_test(&codex_home);
     config.model_provider = provider;
 
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager = ConversationManager::with_auth(create_dummy_codex_auth());
     let codex = conversation_manager
-        .new_conversation_with_auth(config, None)
+        .new_conversation(config)
         .await
         .expect("create new conversation")
         .conversation;
@@ -708,9 +724,9 @@ async fn env_var_overrides_loaded_auth() {
     let mut config = load_default_config_for_test(&codex_home);
     config.model_provider = provider;
 
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager = ConversationManager::with_auth(create_dummy_codex_auth());
     let codex = conversation_manager
-        .new_conversation_with_auth(config, Some(create_dummy_codex_auth()))
+        .new_conversation(config)
         .await
         .expect("create new conversation")
         .conversation;
@@ -730,3 +746,151 @@ async fn env_var_overrides_loaded_auth() {
 fn create_dummy_codex_auth() -> CodexAuth {
     CodexAuth::create_dummy_chatgpt_auth_for_testing()
 }
+
+/// Scenario:
+/// - Turn 1: user sends U1; model streams deltas then a final assistant message A.
+/// - Turn 2: user sends U2; model streams a delta then the same final assistant message A.
+/// - Turn 3: user sends U3; model responds (same SSE again, not important).
+///
+/// We assert that the `input` sent on each turn contains the expected conversation history
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn history_dedupes_streamed_and_final_messages_across_turns() {
+    // Skip under Codex sandbox network restrictions (mirrors other tests).
+    if std::env::var(CODEX_SANDBOX_NETWORK_DISABLED_ENV_VAR).is_ok() {
+        println!(
+            "Skipping test because it cannot execute when network is disabled in a Codex sandbox."
+        );
+        return;
+    }
+
+    // Mock server that will receive three sequential requests and return the same SSE stream
+    // each time: a few deltas, then a final assistant message, then completed.
+    let server = MockServer::start().await;
+
+    // Build a small SSE stream with deltas and a final assistant message.
+    // We emit the same body for all 3 turns; ids vary but are unused by assertions.
+    let sse_raw = r##"[
+        {"type":"response.output_text.delta", "delta":"Hey "},
+        {"type":"response.output_text.delta", "delta":"there"},
+        {"type":"response.output_text.delta", "delta":"!\n"},
+        {"type":"response.output_item.done", "item":{
+            "type":"message", "role":"assistant",
+            "content":[{"type":"output_text","text":"Hey there!\n"}]
+        }},
+        {"type":"response.completed", "response": {"id": "__ID__"}}
+    ]"##;
+    let sse1 = core_test_support::load_sse_fixture_with_id_from_str(sse_raw, "resp1");
+
+    Mock::given(method("POST"))
+        .and(path("/v1/responses"))
+        .respond_with(
+            ResponseTemplate::new(200)
+                .insert_header("content-type", "text/event-stream")
+                .set_body_raw(sse1.clone(), "text/event-stream"),
+        )
+        .expect(3) // respond identically to the three sequential turns
+        .mount(&server)
+        .await;
+
+    // Configure provider to point to mock server (Responses API) and use API key auth.
+    let model_provider = ModelProviderInfo {
+        base_url: Some(format!("{}/v1", server.uri())),
+        ..built_in_model_providers()["openai"].clone()
+    };
+
+    // Init session with isolated codex home.
+    let codex_home = TempDir::new().unwrap();
+    let mut config = load_default_config_for_test(&codex_home);
+    config.model_provider = model_provider;
+
+    let conversation_manager =
+        ConversationManager::with_auth(CodexAuth::from_api_key("Test API Key"));
+    let NewConversation {
+        conversation: codex,
+        ..
+    } = conversation_manager
+        .new_conversation(config)
+        .await
+        .expect("create new conversation");
+
+    // Turn 1: user sends U1; wait for completion.
+    codex
+        .submit(Op::UserInput {
+            items: vec![InputItem::Text { text: "U1".into() }],
+        })
+        .await
+        .unwrap();
+    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
+
+    // Turn 2: user sends U2; wait for completion.
+    codex
+        .submit(Op::UserInput {
+            items: vec![InputItem::Text { text: "U2".into() }],
+        })
+        .await
+        .unwrap();
+    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
+
+    // Turn 3: user sends U3; wait for completion.
+    codex
+        .submit(Op::UserInput {
+            items: vec![InputItem::Text { text: "U3".into() }],
+        })
+        .await
+        .unwrap();
+    wait_for_event(&codex, |ev| matches!(ev, EventMsg::TaskComplete(_))).await;
+
+    // Inspect the three captured requests.
+    let requests = server.received_requests().await.unwrap();
+    assert_eq!(requests.len(), 3, "expected 3 requests (one per turn)");
+
+    // Replace full-array compare with tail-only raw JSON compare using a single hard-coded value.
+    let r3_tail_expected = serde_json::json!([
+        {
+            "type": "message",
+            "id": null,
+            "role": "user",
+            "content": [{"type":"input_text","text":"U1"}]
+        },
+        {
+            "type": "message",
+            "id": null,
+            "role": "assistant",
+            "content": [{"type":"output_text","text":"Hey there!\n"}]
+        },
+        {
+            "type": "message",
+            "id": null,
+            "role": "user",
+            "content": [{"type":"input_text","text":"U2"}]
+        },
+        {
+            "type": "message",
+            "id": null,
+            "role": "assistant",
+            "content": [{"type":"output_text","text":"Hey there!\n"}]
+        },
+        {
+            "type": "message",
+            "id": null,
+            "role": "user",
+            "content": [{"type":"input_text","text":"U3"}]
+        }
+    ]);
+
+    let r3_input_array = requests[2]
+        .body_json::<serde_json::Value>()
+        .unwrap()
+        .get("input")
+        .and_then(|v| v.as_array())
+        .cloned()
+        .expect("r3 missing input array");
+    // skipping earlier context and developer messages
+    let tail_len = r3_tail_expected.as_array().unwrap().len();
+    let actual_tail = &r3_input_array[r3_input_array.len() - tail_len..];
+    assert_eq!(
+        serde_json::Value::Array(actual_tail.to_vec()),
+        r3_tail_expected,
+        "request 3 tail mismatch",
+    );
+}

codex-rs/core/tests/suite/compact.rs

@@ -141,9 +141,9 @@ async fn summarize_context_three_requests_and_instructions() {
     let home = TempDir::new().unwrap();
     let mut config = load_default_config_for_test(&home);
     config.model_provider = model_provider;
-    let conversation_manager = ConversationManager::default();
+    let conversation_manager = ConversationManager::with_auth(CodexAuth::from_api_key("dummy"));
     let codex = conversation_manager
-        .new_conversation_with_auth(config, Some(CodexAuth::from_api_key("dummy")))
+        .new_conversation(config)
         .await
         .unwrap()
         .conversation;

codex-rs/core/tests/suite/exec.rs

@@ -70,12 +70,12 @@ async fn truncates_output_lines() {
 
     let output = run_test_cmd(tmp, cmd).await.unwrap();
 
-    let expected_output = (1..=256)
+    let expected_output = (1..=300)
         .map(|i| format!("{i}\n"))
         .collect::<Vec<_>>()
         .join("");
     assert_eq!(output.stdout.text, expected_output);
-    assert_eq!(output.stdout.truncated_after_lines, Some(256));
+    assert_eq!(output.stdout.truncated_after_lines, None);
 }
 
 /// Command succeeds with exit code 0 normally
@@ -91,8 +91,8 @@ async fn truncates_output_bytes() {
 
     let output = run_test_cmd(tmp, cmd).await.unwrap();
 
-    assert_eq!(output.stdout.text.len(), 10240);
-    assert_eq!(output.stdout.truncated_after_lines, Some(10));
+    assert!(output.stdout.text.len() >= 15000);
+    assert_eq!(output.stdout.truncated_after_lines, None);
 }
 
 /// Command not found returns exit code 127, this is not considered a sandbox error

codex-rs/core/tests/suite/exec_stream_events.rs

@@ -139,3 +139,34 @@ async fn test_exec_stderr_stream_events_echo() {
     }
     assert_eq!(String::from_utf8_lossy(&err), "oops\n");
 }
+
+#[tokio::test]
+async fn test_aggregated_output_interleaves_in_order() {
+    // Spawn a shell that alternates stdout and stderr with sleeps to enforce order.
+    let cmd = vec![
+        "/bin/sh".to_string(),
+        "-c".to_string(),
+        "printf 'O1\\n'; sleep 0.01; printf 'E1\\n' 1>&2; sleep 0.01; printf 'O2\\n'; sleep 0.01; printf 'E2\\n' 1>&2".to_string(),
+    ];
+
+    let params = ExecParams {
+        command: cmd,
+        cwd: std::env::current_dir().unwrap_or_else(|_| PathBuf::from(".")),
+        timeout_ms: Some(5_000),
+        env: HashMap::new(),
+        with_escalated_permissions: None,
+        justification: None,
+    };
+
+    let policy = SandboxPolicy::new_read_only_policy();
+
+    let result = process_exec_tool_call(params, SandboxType::None, &policy, &None, None)
+        .await
+        .expect("process_exec_tool_call");
+
+    assert_eq!(result.exit_code, 0);
+    assert_eq!(result.stdout.text, "O1\nO2\n");
+    assert_eq!(result.stderr.text, "E1\nE2\n");
+    assert_eq!(result.aggregated_output.text, "O1\nE1\nO2\nE2\n");
+    assert_eq!(result.aggregated_output.truncated_after_lines, None);
+}