fix(windows) parse powershell commands

2026-05-15 00:32:51 +00:00 · 2025-11-19 04:08:18 -08:00
333 changed files with 4242 additions and 15517 deletions
--- a/.github/workflows/cargo-deny.yml
+++ b/.github/workflows/cargo-deny.yml
@@ -1,26 +0,0 @@
-name: cargo-deny
-
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-
-jobs:
-  cargo-deny:
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: ./codex-rs
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
-
-      - name: Run cargo-deny
-        uses: EmbarkStudios/cargo-deny-action@v1
-        with:
-          rust-version: stable
-          manifest-path: ./codex-rs/Cargo.toml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,7 +12,7 @@ jobs:
      NODE_OPTIONS: --max-old-space-size=4096
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -48,5 +48,4 @@ jobs:
          branch: cla-signatures
          allowlist: |
            codex
-            dependabot
            dependabot[bot]
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -18,7 +18,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
      - name: Annotate locations with typos
        uses: codespell-project/codespell-problem-matcher@b80729f885d32f78a716c2f107b4db1025001c42 # v1
      - name: Codespell
--- a/.github/workflows/issue-deduplicator.yml
+++ b/.github/workflows/issue-deduplicator.yml
@@ -16,7 +16,7 @@ jobs:
    outputs:
      codex_output: ${{ steps.codex.outputs.final-message }}
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5

      - name: Prepare Codex inputs
        env:
@@ -46,6 +46,7 @@ jobs:
        with:
          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
          allow-users: "*"
+          model: gpt-5.1
          prompt: |
            You are an assistant that triages new GitHub issues by identifying potential duplicates.

--- a/.github/workflows/issue-labeler.yml
+++ b/.github/workflows/issue-labeler.yml
@@ -16,7 +16,7 @@ jobs:
    outputs:
      codex_output: ${{ steps.codex.outputs.final-message }}
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5

      - id: codex
        uses: openai/codex-action@main
--- a/.github/workflows/rust-ci.yml
+++ b/.github/workflows/rust-ci.yml
@@ -17,7 +17,7 @@ jobs:
      codex: ${{ steps.detect.outputs.codex }}
      workflows: ${{ steps.detect.outputs.workflows }}
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 0
      - name: Detect changed paths (no external action)
@@ -56,7 +56,7 @@ jobs:
      run:
        working-directory: codex-rs
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
      - uses: dtolnay/rust-toolchain@1.90
        with:
          components: rustfmt
@@ -74,7 +74,7 @@ jobs:
      run:
        working-directory: codex-rs
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
      - uses: dtolnay/rust-toolchain@1.90
      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
        with:
@@ -147,21 +147,12 @@ jobs:
            profile: release

    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
      - uses: dtolnay/rust-toolchain@1.90
        with:
          targets: ${{ matrix.target }}
          components: clippy

-      - name: Compute lockfile hash
-        id: lockhash
-        working-directory: codex-rs
-        shell: bash
-        run: |
-          set -euo pipefail
-          echo "hash=$(sha256sum Cargo.lock | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
-          echo "toolchain_hash=$(sha256sum rust-toolchain.toml | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
-
      # Explicit cache restore: split cargo home vs target, so we can
      # avoid caching the large target dir on the gnu-dev job.
      - name: Restore cargo home cache
@@ -173,7 +164,7 @@ jobs:
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
-          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ steps.lockhash.outputs.toolchain_hash }}
+          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}-${{ hashFiles('codex-rs/rust-toolchain.toml') }}
          restore-keys: |
            cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-

@@ -210,9 +201,9 @@ jobs:
        uses: actions/cache/restore@v4
        with:
          path: ${{ github.workspace }}/.sccache/
-          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
+          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}-${{ github.run_id }}
          restore-keys: |
-            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-
+            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}-
            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-

      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
@@ -287,7 +278,7 @@ jobs:
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
-          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ steps.lockhash.outputs.toolchain_hash }}
+          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}-${{ hashFiles('codex-rs/rust-toolchain.toml') }}

      - name: Save sccache cache (fallback)
        if: always() && !cancelled() && env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true'
@@ -295,7 +286,7 @@ jobs:
        uses: actions/cache/save@v4
        with:
          path: ${{ github.workspace }}/.sccache/
-          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
+          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}-${{ github.run_id }}

      - name: sccache stats
        if: always() && env.USE_SCCACHE == 'true'
@@ -368,20 +359,11 @@ jobs:
            profile: dev

    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
      - uses: dtolnay/rust-toolchain@1.90
        with:
          targets: ${{ matrix.target }}

-      - name: Compute lockfile hash
-        id: lockhash
-        working-directory: codex-rs
-        shell: bash
-        run: |
-          set -euo pipefail
-          echo "hash=$(sha256sum Cargo.lock | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
-          echo "toolchain_hash=$(sha256sum rust-toolchain.toml | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
-
      - name: Restore cargo home cache
        id: cache_cargo_home_restore
        uses: actions/cache/restore@v4
@@ -391,7 +373,7 @@ jobs:
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
-          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ steps.lockhash.outputs.toolchain_hash }}
+          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}-${{ hashFiles('codex-rs/rust-toolchain.toml') }}
          restore-keys: |
            cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-

@@ -427,9 +409,9 @@ jobs:
        uses: actions/cache/restore@v4
        with:
          path: ${{ github.workspace }}/.sccache/
-          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
+          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}-${{ github.run_id }}
          restore-keys: |
-            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-
+            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}-
            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-

      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
@@ -454,7 +436,7 @@ jobs:
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
-          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ steps.lockhash.outputs.toolchain_hash }}
+          key: cargo-home-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}-${{ hashFiles('codex-rs/rust-toolchain.toml') }}

      - name: Save sccache cache (fallback)
        if: always() && !cancelled() && env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true'
@@ -462,7 +444,7 @@ jobs:
        uses: actions/cache/save@v4
        with:
          path: ${{ github.workspace }}/.sccache/
-          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
+          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ hashFiles('**/Cargo.lock') }}-${{ github.run_id }}

      - name: sccache stats
        if: always() && env.USE_SCCACHE == 'true'
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -19,7 +19,7 @@ jobs:
  tag-check:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5

      - name: Validate tag matches Cargo.toml version
        shell: bash
@@ -76,7 +76,7 @@ jobs:
            target: aarch64-pc-windows-msvc

    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
      - uses: dtolnay/rust-toolchain@1.90
        with:
          targets: ${{ matrix.target }}
@@ -371,19 +371,8 @@ jobs:
          path: |
            codex-rs/dist/${{ matrix.target }}/*

-  shell-tool-mcp:
-    name: shell-tool-mcp
-    needs: tag-check
-    uses: ./.github/workflows/shell-tool-mcp.yml
-    with:
-      release-tag: ${{ github.ref_name }}
-      publish: true
-    secrets: inherit
-
  release:
-    needs:
-      - build
-      - shell-tool-mcp
+    needs: build
    name: release
    runs-on: ubuntu-latest
    permissions:
@@ -397,7 +386,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5

      - uses: actions/download-artifact@v4
        with:
@@ -406,14 +395,6 @@ jobs:
      - name: List
        run: ls -R dist/

-      # This is a temporary fix: we should modify shell-tool-mcp.yml so these
-      # files do not end up in dist/ in the first place.
-      - name: Delete entries from dist/ that should not go in the release
-        run: |
-          rm -rf dist/shell-tool-mcp*
-
-          ls -R dist/
-
      - name: Define release name
        id: release_name
        run: |
--- a/.github/workflows/sdk.yml
+++ b/.github/workflows/sdk.yml
@@ -11,7 +11,7 @@ jobs:
    timeout-minutes: 10
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
--- a/.github/workflows/shell-tool-mcp-ci.yml
+++ b/.github/workflows/shell-tool-mcp-ci.yml
@@ -1,48 +0,0 @@
-name: shell-tool-mcp CI
-
-on:
-  push:
-    paths:
-      - "shell-tool-mcp/**"
-      - ".github/workflows/shell-tool-mcp-ci.yml"
-      - "pnpm-lock.yaml"
-      - "pnpm-workspace.yaml"
-  pull_request:
-    paths:
-      - "shell-tool-mcp/**"
-      - ".github/workflows/shell-tool-mcp-ci.yml"
-      - "pnpm-lock.yaml"
-      - "pnpm-workspace.yaml"
-
-env:
-  NODE_VERSION: 22
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          run_install: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v5
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: "pnpm"
-
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
-
-      - name: Format check
-        run: pnpm --filter @openai/codex-shell-tool-mcp run format
-
-      - name: Run tests
-        run: pnpm --filter @openai/codex-shell-tool-mcp test
-
-      - name: Build
-        run: pnpm --filter @openai/codex-shell-tool-mcp run build
--- a/.github/workflows/shell-tool-mcp.yml
+++ b/.github/workflows/shell-tool-mcp.yml
@@ -1,412 +0,0 @@
-name: shell-tool-mcp
-
-on:
-  workflow_call:
-    inputs:
-      release-version:
-        description: Version to publish (x.y.z or x.y.z-alpha.N). Defaults to GITHUB_REF_NAME when it starts with rust-v.
-        required: false
-        type: string
-      release-tag:
-        description: Tag name to use when downloading release artifacts (defaults to rust-v<version>).
-        required: false
-        type: string
-      publish:
-        description: Whether to publish to npm when the version is releasable.
-        required: false
-        default: true
-        type: boolean
-
-env:
-  NODE_VERSION: 22
-
-jobs:
-  metadata:
-    runs-on: ubuntu-latest
-    outputs:
-      version: ${{ steps.compute.outputs.version }}
-      release_tag: ${{ steps.compute.outputs.release_tag }}
-      should_publish: ${{ steps.compute.outputs.should_publish }}
-      npm_tag: ${{ steps.compute.outputs.npm_tag }}
-    steps:
-      - name: Compute version and tags
-        id: compute
-        run: |
-          set -euo pipefail
-
-          version="${{ inputs.release-version }}"
-          release_tag="${{ inputs.release-tag }}"
-
-          if [[ -z "$version" ]]; then
-            if [[ -n "$release_tag" && "$release_tag" =~ ^rust-v.+ ]]; then
-              version="${release_tag#rust-v}"
-            elif [[ "${GITHUB_REF_NAME:-}" =~ ^rust-v.+ ]]; then
-              version="${GITHUB_REF_NAME#rust-v}"
-              release_tag="${GITHUB_REF_NAME}"
-            else
-              echo "release-version is required when GITHUB_REF_NAME is not a rust-v tag."
-              exit 1
-            fi
-          fi
-
-          if [[ -z "$release_tag" ]]; then
-            release_tag="rust-v${version}"
-          fi
-
-          npm_tag=""
-          should_publish="false"
-          if [[ "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            should_publish="true"
-          elif [[ "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+-alpha\.[0-9]+$ ]]; then
-            should_publish="true"
-            npm_tag="alpha"
-          fi
-
-          echo "version=${version}" >> "$GITHUB_OUTPUT"
-          echo "release_tag=${release_tag}" >> "$GITHUB_OUTPUT"
-          echo "npm_tag=${npm_tag}" >> "$GITHUB_OUTPUT"
-          echo "should_publish=${should_publish}" >> "$GITHUB_OUTPUT"
-
-  rust-binaries:
-    name: Build Rust - ${{ matrix.target }}
-    needs: metadata
-    runs-on: ${{ matrix.runner }}
-    timeout-minutes: 30
-    defaults:
-      run:
-        working-directory: codex-rs
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: macos-15-xlarge
-            target: aarch64-apple-darwin
-          - runner: macos-15-xlarge
-            target: x86_64-apple-darwin
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            install_musl: true
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            install_musl: true
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - uses: dtolnay/rust-toolchain@1.90
-        with:
-          targets: ${{ matrix.target }}
-
-      - if: ${{ matrix.install_musl }}
-        name: Install musl build dependencies
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y musl-tools pkg-config
-
-      - name: Build exec server binaries
-        run: cargo build --release --target ${{ matrix.target }} --bin codex-exec-mcp-server --bin codex-execve-wrapper
-
-      - name: Stage exec server binaries
-        run: |
-          dest="${GITHUB_WORKSPACE}/artifacts/vendor/${{ matrix.target }}"
-          mkdir -p "$dest"
-          cp "target/${{ matrix.target }}/release/codex-exec-mcp-server" "$dest/"
-          cp "target/${{ matrix.target }}/release/codex-execve-wrapper" "$dest/"
-
-      - uses: actions/upload-artifact@v5
-        with:
-          name: shell-tool-mcp-rust-${{ matrix.target }}
-          path: artifacts/**
-          if-no-files-found: error
-
-  bash-linux:
-    name: Build Bash (Linux) - ${{ matrix.variant }} - ${{ matrix.target }}
-    needs: metadata
-    runs-on: ${{ matrix.runner }}
-    timeout-minutes: 30
-    container:
-      image: ${{ matrix.image }}
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: ubuntu-24.04
-            image: ubuntu:24.04
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: ubuntu-22.04
-            image: ubuntu:22.04
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: ubuntu-20.04
-            image: ubuntu:20.04
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: debian-12
-            image: debian:12
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: debian-11
-            image: debian:11
-          - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            variant: centos-9
-            image: quay.io/centos/centos:stream9
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: ubuntu-24.04
-            image: arm64v8/ubuntu:24.04
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: ubuntu-22.04
-            image: arm64v8/ubuntu:22.04
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: ubuntu-20.04
-            image: arm64v8/ubuntu:20.04
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: debian-12
-            image: arm64v8/debian:12
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: debian-11
-            image: arm64v8/debian:11
-          - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            variant: centos-9
-            image: quay.io/centos/centos:stream9
-    steps:
-      - name: Install build prerequisites
-        shell: bash
-        run: |
-          set -euo pipefail
-          if command -v apt-get >/dev/null 2>&1; then
-            apt-get update
-            DEBIAN_FRONTEND=noninteractive apt-get install -y git build-essential bison autoconf gettext
-          elif command -v dnf >/dev/null 2>&1; then
-            dnf install -y git gcc gcc-c++ make bison autoconf gettext
-          elif command -v yum >/dev/null 2>&1; then
-            yum install -y git gcc gcc-c++ make bison autoconf gettext
-          else
-            echo "Unsupported package manager in container"
-            exit 1
-          fi
-
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Build patched Bash
-        shell: bash
-        run: |
-          set -euo pipefail
-          git clone --depth 1 https://github.com/bminor/bash /tmp/bash
-          cd /tmp/bash
-          git fetch --depth 1 origin a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
-          git checkout a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
-          git apply "${GITHUB_WORKSPACE}/shell-tool-mcp/patches/bash-exec-wrapper.patch"
-          ./configure --without-bash-malloc
-          cores="$(command -v nproc >/dev/null 2>&1 && nproc || getconf _NPROCESSORS_ONLN)"
-          make -j"${cores}"
-
-          dest="${GITHUB_WORKSPACE}/artifacts/vendor/${{ matrix.target }}/bash/${{ matrix.variant }}"
-          mkdir -p "$dest"
-          cp bash "$dest/bash"
-
-      - uses: actions/upload-artifact@v5
-        with:
-          name: shell-tool-mcp-bash-${{ matrix.target }}-${{ matrix.variant }}
-          path: artifacts/**
-          if-no-files-found: error
-
-  bash-darwin:
-    name: Build Bash (macOS) - ${{ matrix.variant }} - ${{ matrix.target }}
-    needs: metadata
-    runs-on: ${{ matrix.runner }}
-    timeout-minutes: 30
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: macos-15-xlarge
-            target: aarch64-apple-darwin
-            variant: macos-15
-          - runner: macos-14
-            target: aarch64-apple-darwin
-            variant: macos-14
-          - runner: macos-13
-            target: x86_64-apple-darwin
-            variant: macos-13
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Build patched Bash
-        shell: bash
-        run: |
-          set -euo pipefail
-          git clone --depth 1 https://github.com/bminor/bash /tmp/bash
-          cd /tmp/bash
-          git fetch --depth 1 origin a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
-          git checkout a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
-          git apply "${GITHUB_WORKSPACE}/shell-tool-mcp/patches/bash-exec-wrapper.patch"
-          ./configure --without-bash-malloc
-          cores="$(getconf _NPROCESSORS_ONLN)"
-          make -j"${cores}"
-
-          dest="${GITHUB_WORKSPACE}/artifacts/vendor/${{ matrix.target }}/bash/${{ matrix.variant }}"
-          mkdir -p "$dest"
-          cp bash "$dest/bash"
-
-      - uses: actions/upload-artifact@v5
-        with:
-          name: shell-tool-mcp-bash-${{ matrix.target }}-${{ matrix.variant }}
-          path: artifacts/**
-          if-no-files-found: error
-
-  package:
-    name: Package npm module
-    needs:
-      - metadata
-      - rust-binaries
-      - bash-linux
-      - bash-darwin
-    runs-on: ubuntu-latest
-    env:
-      PACKAGE_VERSION: ${{ needs.metadata.outputs.version }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          version: 10.8.1
-          run_install: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v5
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Install JavaScript dependencies
-        run: pnpm install --frozen-lockfile
-
-      - name: Build (shell-tool-mcp)
-        run: pnpm --filter @openai/codex-shell-tool-mcp run build
-
-      - name: Download build artifacts
-        uses: actions/download-artifact@v4
-        with:
-          path: artifacts
-
-      - name: Assemble staging directory
-        id: staging
-        shell: bash
-        run: |
-          set -euo pipefail
-          staging="${STAGING_DIR}"
-          mkdir -p "$staging" "$staging/vendor"
-          cp shell-tool-mcp/README.md "$staging/"
-          cp shell-tool-mcp/package.json "$staging/"
-          cp -R shell-tool-mcp/bin "$staging/"
-
-          found_vendor="false"
-          shopt -s nullglob
-          for vendor_dir in artifacts/*/vendor; do
-            rsync -av "$vendor_dir/" "$staging/vendor/"
-            found_vendor="true"
-          done
-          if [[ "$found_vendor" == "false" ]]; then
-            echo "No vendor payloads were downloaded."
-            exit 1
-          fi
-
-          node - <<'NODE'
-            import fs from "node:fs";
-            import path from "node:path";
-
-            const stagingDir = process.env.STAGING_DIR;
-            const version = process.env.PACKAGE_VERSION;
-            const pkgPath = path.join(stagingDir, "package.json");
-            const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf8"));
-            pkg.version = version;
-            fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + "\n");
-          NODE
-
-          echo "dir=$staging" >> "$GITHUB_OUTPUT"
-        env:
-          STAGING_DIR: ${{ runner.temp }}/shell-tool-mcp
-
-      - name: Ensure binaries are executable
-        run: |
-          set -euo pipefail
-          staging="${{ steps.staging.outputs.dir }}"
-          chmod +x \
-            "$staging"/vendor/*/codex-exec-mcp-server \
-            "$staging"/vendor/*/codex-execve-wrapper \
-            "$staging"/vendor/*/bash/*/bash
-
-      - name: Create npm tarball
-        shell: bash
-        run: |
-          set -euo pipefail
-          mkdir -p dist/npm
-          staging="${{ steps.staging.outputs.dir }}"
-          pack_info=$(cd "$staging" && npm pack --ignore-scripts --json --pack-destination "${GITHUB_WORKSPACE}/dist/npm")
-          filename=$(PACK_INFO="$pack_info" node -e 'const data = JSON.parse(process.env.PACK_INFO); console.log(data[0].filename);')
-          mv "dist/npm/${filename}" "dist/npm/codex-shell-tool-mcp-npm-${PACKAGE_VERSION}.tgz"
-
-      - uses: actions/upload-artifact@v5
-        with:
-          name: codex-shell-tool-mcp-npm
-          path: dist/npm/codex-shell-tool-mcp-npm-${{ env.PACKAGE_VERSION }}.tgz
-          if-no-files-found: error
-
-  publish:
-    name: Publish npm package
-    needs:
-      - metadata
-      - package
-    if: ${{ inputs.publish && needs.metadata.outputs.should_publish == 'true' }}
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: read
-    steps:
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          version: 10.8.1
-          run_install: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v5
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          registry-url: https://registry.npmjs.org
-          scope: "@openai"
-
-      - name: Update npm
-        run: npm install -g npm@latest
-
-      - name: Download npm tarball
-        uses: actions/download-artifact@v4
-        with:
-          name: codex-shell-tool-mcp-npm
-          path: dist/npm
-
-      - name: Publish to npm
-        env:
-          NPM_TAG: ${{ needs.metadata.outputs.npm_tag }}
-          VERSION: ${{ needs.metadata.outputs.version }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          tag_args=()
-          if [[ -n "${NPM_TAG}" ]]; then
-            tag_args+=(--tag "${NPM_TAG}")
-          fi
-          npm publish "dist/npm/codex-shell-tool-mcp-npm-${VERSION}.tgz" "${tag_args[@]}"
--- a/README.md
+++ b/README.md
@@ -69,9 +69,7 @@ Codex can access MCP servers. To configure them, refer to the [config docs](./do

 Codex CLI supports a rich set of configuration options, with preferences stored in `~/.codex/config.toml`. For full configuration options, see [Configuration](./docs/config.md).

-### Execpolicy
-
-See the [Execpolicy quickstart](./docs/execpolicy.md) to set up rules that govern what commands Codex can execute.
+---

 ### Docs & FAQ

@@ -85,7 +83,6 @@ See the [Execpolicy quickstart](./docs/execpolicy.md) to set up rules that gover
 - [**Configuration**](./docs/config.md)
  - [Example config](./docs/example-config.md)
 - [**Sandbox & approvals**](./docs/sandbox.md)
- [**Execpolicy quickstart**](./docs/execpolicy.md)
 - [**Authentication**](./docs/authentication.md)
  - [Auth methods](./docs/authentication.md#forcing-a-specific-auth-method-advanced)
  - [Login on a "Headless" machine](./docs/authentication.md#connecting-on-a-headless-machine)
--- a/codex-rs/.cargo/audit.toml
+++ b/codex-rs/.cargo/audit.toml
@@ -1,6 +0,0 @@
-[advisories]
-ignore = [
-    "RUSTSEC-2024-0388", # derivative 2.2.0 via starlark; upstream crate is unmaintained
-    "RUSTSEC-2025-0057", # fxhash 0.2.1 via starlark_map; upstream crate is unmaintained
-    "RUSTSEC-2024-0436", # paste 1.0.15 via starlark/ratatui; upstream crate is unmaintained
-]
--- a/codex-rs/.config/nextest.toml
+++ b/codex-rs/.config/nextest.toml
@@ -7,7 +7,3 @@ slow-timeout = { period = "15s", terminate-after = 2 }
 # Do not add new tests here
 filter = 'test(rmcp_client) | test(humanlike_typing_1000_chars_appears_live_no_placeholder)'
 slow-timeout = { period = "1m", terminate-after = 4 }
-
-[[profile.default.overrides]]
-filter = 'test(approval_matrix_covers_all_modes)'
-slow-timeout = { period = "30s", terminate-after = 2 }
--- a/codex-rs/.github/workflows/cargo-audit.yml
+++ b/codex-rs/.github/workflows/cargo-audit.yml
@@ -1,26 +0,0 @@
-name: Cargo audit
-
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-
-permissions:
-  contents: read
-
-jobs:
-  audit:
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: codex-rs
-    steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
-      - name: Install cargo-audit
-        uses: taiki-e/install-action@v2
-        with:
-          tool: cargo-audit
-      - name: Run cargo audit
-        run: cargo audit --deny warnings
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -187,10 +187,8 @@ dependencies = [
 "codex-app-server-protocol",
 "codex-core",
 "codex-protocol",
- "core_test_support",
 "serde",
 "serde_json",
- "shlex",
 "tokio",
 "uuid",
 "wiremock",
@@ -212,7 +210,7 @@ dependencies = [
 "objc2-foundation",
 "parking_lot",
 "percent-encoding",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 "wl-clipboard-rs",
 "x11rb",
 ]
@@ -262,7 +260,7 @@ dependencies = [
 "memchr",
 "proc-macro2",
 "quote",
- "rustc-hash",
+ "rustc-hash 2.1.1",
 "serde",
 "serde_derive",
 "syn 2.0.104",
@@ -728,17 +726,6 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"

-[[package]]
-name = "chardetng"
-version = "0.1.17"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "14b8f0b65b7b08ae3c8187e8d77174de20cb6777864c6b832d8ad365999cf1ea"
-dependencies = [
- "cfg-if",
- "encoding_rs",
- "memchr",
-]
-
 [[package]]
 name = "chrono"
 version = "0.4.42"
@@ -870,8 +857,6 @@ dependencies = [
 "serde",
 "serde_json",
 "serial_test",
- "sha2",
- "shlex",
 "tempfile",
 "tokio",
 "toml",
@@ -894,7 +879,6 @@ dependencies = [
 "serde",
 "serde_json",
 "strum_macros 0.27.2",
- "thiserror 2.0.17",
 "ts-rs",
 "uuid",
 ]
@@ -1005,7 +989,6 @@ dependencies = [
 "codex-common",
 "codex-core",
 "codex-exec",
- "codex-execpolicy",
 "codex-login",
 "codex-mcp-server",
 "codex-process-hardening",
@@ -1097,13 +1080,11 @@ dependencies = [
 "async-trait",
 "base64",
 "bytes",
- "chardetng",
 "chrono",
 "codex-app-server-protocol",
 "codex-apply-patch",
 "codex-arg0",
 "codex-async-utils",
- "codex-execpolicy",
 "codex-file-search",
 "codex-git",
 "codex-keyring-store",
@@ -1113,13 +1094,13 @@ dependencies = [
 "codex-utils-pty",
 "codex-utils-readiness",
 "codex-utils-string",
+ "codex-utils-tokenizer",
 "codex-windows-sandbox",
 "core-foundation 0.9.4",
 "core_test_support",
 "ctor 0.5.0",
 "dirs",
 "dunce",
- "encoding_rs",
 "env-flags",
 "escargot",
 "eventsource-stream",
@@ -1132,13 +1113,11 @@ dependencies = [
 "libc",
 "maplit",
 "mcp-types",
- "once_cell",
 "openssl-sys",
 "os_info",
 "predicates",
 "pretty_assertions",
 "rand 0.9.2",
- "regex",
 "regex-lite",
 "reqwest",
 "seccompiler",
@@ -1164,7 +1143,6 @@ dependencies = [
 "tracing-test",
 "tree-sitter",
 "tree-sitter-bash",
- "url",
 "uuid",
 "walkdir",
 "which",
@@ -1209,7 +1187,6 @@ name = "codex-exec-server"
 version = "0.0.0"
 dependencies = [
 "anyhow",
- "async-trait",
 "clap",
 "codex-core",
 "libc",
@@ -1218,11 +1195,9 @@ dependencies = [
 "rmcp",
 "serde",
 "serde_json",
- "shlex",
 "socket2 0.6.0",
 "tempfile",
 "tokio",
- "tokio-util",
 "tracing",
 "tracing-subscriber",
 ]
@@ -1230,21 +1205,6 @@ dependencies = [
 [[package]]
 name = "codex-execpolicy"
 version = "0.0.0"
-dependencies = [
- "anyhow",
- "clap",
- "multimap",
- "pretty_assertions",
- "serde",
- "serde_json",
- "shlex",
- "starlark",
- "thiserror 2.0.17",
-]
-
-[[package]]
-name = "codex-execpolicy-legacy"
-version = "0.0.0"
 dependencies = [
 "allocative",
 "anyhow",
@@ -1262,6 +1222,21 @@ dependencies = [
 "tempfile",
 ]

+[[package]]
+name = "codex-execpolicy2"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "clap",
+ "multimap",
+ "pretty_assertions",
+ "serde",
+ "serde_json",
+ "shlex",
+ "starlark",
+ "thiserror 2.0.17",
+]
+
 [[package]]
 name = "codex-feedback"
 version = "0.0.0"
@@ -1637,8 +1612,20 @@ name = "codex-utils-string"
 version = "0.0.0"

 [[package]]
-name = "codex-windows-sandbox"
+name = "codex-utils-tokenizer"
 version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "codex-utils-cache",
+ "pretty_assertions",
+ "thiserror 2.0.17",
+ "tiktoken-rs",
+ "tokio",
+]
+
+[[package]]
+name = "codex-windows-sandbox"
+version = "0.1.0"
 dependencies = [
 "anyhow",
 "codex-protocol",
@@ -1647,7 +1634,6 @@ dependencies = [
 "rand 0.8.5",
 "serde",
 "serde_json",
- "tempfile",
 "windows-sys 0.52.0",
 ]

@@ -1779,13 +1765,11 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "assert_cmd",
- "base64",
 "codex-core",
 "codex-protocol",
 "notify",
 "regex-lite",
 "serde_json",
- "shlex",
 "tempfile",
 "tokio",
 "walkdir",
@@ -2460,6 +2444,17 @@ dependencies = [
 "once_cell",
 ]

+[[package]]
+name = "fancy-regex"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "531e46835a22af56d1e3b66f04844bed63158bc094a628bec1d321d9b4c44bf2"
+dependencies = [
+ "bit-set",
+ "regex-automata",
+ "regex-syntax 0.8.5",
+]
+
 [[package]]
 name = "fastrand"
 version = "2.3.0"
@@ -2494,7 +2489,7 @@ checksum = "0ce92ff622d6dadf7349484f42c93271a0d49b7cc4d466a936405bacbe10aa78"
 dependencies = [
 "cfg-if",
 "rustix 1.0.8",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]

 [[package]]
@@ -3398,7 +3393,7 @@ checksum = "e04d7f318608d35d4b61ddd75cbdaee86b023ebe2bd5a66ee0915f0bf93095a9"
 dependencies = [
 "hermit-abi",
 "libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]

 [[package]]
@@ -3590,9 +3585,9 @@ checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"

 [[package]]
 name = "libc"
-version = "0.2.177"
+version = "0.2.175"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2874a2af47a2325c2001a6e6fad9b16a53b802102b528163885171cf92b15976"
+checksum = "6a82ae493e598baaea5209805c49bbf2ea7de956d50d7da0da1164f9c6d28543"

 [[package]]
 name = "libdbus-sys"
@@ -3747,13 +3742,11 @@ dependencies = [
 "assert_cmd",
 "codex-core",
 "codex-mcp-server",
- "core_test_support",
 "mcp-types",
 "os_info",
 "pretty_assertions",
 "serde",
 "serde_json",
- "shlex",
 "tokio",
 "wiremock",
 ]
@@ -4786,7 +4779,7 @@ dependencies = [
 "pin-project-lite",
 "quinn-proto",
 "quinn-udp",
- "rustc-hash",
+ "rustc-hash 2.1.1",
 "rustls",
 "socket2 0.6.0",
 "thiserror 2.0.17",
@@ -4806,7 +4799,7 @@ dependencies = [
 "lru-slab",
 "rand 0.9.2",
 "ring",
- "rustc-hash",
+ "rustc-hash 2.1.1",
 "rustls",
 "rustls-pki-types",
 "slab",
@@ -4996,9 +4989,9 @@ dependencies = [

 [[package]]
 name = "regex"
-version = "1.12.2"
+version = "1.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "843bc0191f75f3e22651ae5f1e72939ab2f72a4bc30fa80a066bd66edefc24d4"
+checksum = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191"
 dependencies = [
 "aho-corasick",
 "memchr",
@@ -5008,9 +5001,9 @@ dependencies = [

 [[package]]
 name = "regex-automata"
-version = "0.4.13"
+version = "0.4.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5276caf25ac86c8d810222b3dbb938e512c55c6831a10f3e6ed1c93b84041f1c"
+checksum = "809e8dc61f6de73b46c85f4c96486310fe304c434cfa43669d7b40f711150908"
 dependencies = [
 "aho-corasick",
 "memchr",
@@ -5100,10 +5093,10 @@ dependencies = [

 [[package]]
 name = "rmcp"
-version = "0.9.0"
-source = "git+https://github.com/bolinfest/rust-sdk?branch=pr556#4d9cc16f4c76c84486344f542ed9a3e9364019ba"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5947688160b56fb6c827e3c20a72c90392a1d7e9dec74749197aa1780ac42ca"
 dependencies = [
- "async-trait",
 "base64",
 "bytes",
 "chrono",
@@ -5134,8 +5127,9 @@ dependencies = [

 [[package]]
 name = "rmcp-macros"
-version = "0.9.0"
-source = "git+https://github.com/bolinfest/rust-sdk?branch=pr556#4d9cc16f4c76c84486344f542ed9a3e9364019ba"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "01263441d3f8635c628e33856c468b96ebbce1af2d3699ea712ca71432d4ee7a"
 dependencies = [
 "darling 0.21.3",
 "proc-macro2",
@@ -5150,6 +5144,12 @@ version = "0.1.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "989e6739f80c4ad5b13e0fd7fe89531180375b18520cc8c82080e4dc4035b84f"

+[[package]]
+name = "rustc-hash"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2"
+
 [[package]]
 name = "rustc-hash"
 version = "2.1.1"
@@ -5175,7 +5175,7 @@ dependencies = [
 "errno",
 "libc",
 "linux-raw-sys 0.4.15",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]

 [[package]]
@@ -6370,6 +6370,21 @@ dependencies = [
 "zune-jpeg",
 ]

+[[package]]
+name = "tiktoken-rs"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3a19830747d9034cd9da43a60eaa8e552dfda7712424aebf187b7a60126bae0d"
+dependencies = [
+ "anyhow",
+ "base64",
+ "bstr",
+ "fancy-regex",
+ "lazy_static",
+ "regex",
+ "rustc-hash 1.1.0",
+]
+
 [[package]]
 name = "time"
 version = "0.3.44"
@@ -6555,18 +6570,18 @@ dependencies = [

 [[package]]
 name = "toml_datetime"
-version = "0.7.3"
+version = "0.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f2cdb639ebbc97961c51720f858597f7f24c4fc295327923af55b74c3c724533"
+checksum = "bade1c3e902f58d73d3f294cd7f20391c1cb2fbcb643b73566bc773971df91e3"
 dependencies = [
- "serde_core",
+ "serde",
 ]

 [[package]]
 name = "toml_edit"
-version = "0.23.7"
+version = "0.23.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6485ef6d0d9b5d0ec17244ff7eb05310113c3f316f2d14200d4de56b3cb98f8d"
+checksum = "7211ff1b8f0d3adae1663b7da9ffe396eabe1ca25f0b0bee42b0da29a9ddce93"
 dependencies = [
 "indexmap 2.12.0",
 "toml_datetime",
@@ -6577,18 +6592,18 @@ dependencies = [

 [[package]]
 name = "toml_parser"
-version = "1.0.4"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c0cbe268d35bdb4bb5a56a2de88d0ad0eb70af5384a99d648cd4b3d04039800e"
+checksum = "b551886f449aa90d4fe2bdaa9f4a2577ad2dde302c61ecf262d80b116db95c10"
 dependencies = [
 "winnow",
 ]

 [[package]]
 name = "toml_writer"
-version = "1.0.4"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df8b2b54733674ad286d16267dcfc7a71ed5c776e4ac7aa3c3e2561f7c637bf2"
+checksum = "fcc842091f2def52017664b53082ecbbeb5c7731092bad69d2c63050401dfd64"

 [[package]]
 name = "tonic"
@@ -7258,9 +7273,9 @@ dependencies = [

 [[package]]
 name = "webbrowser"
-version = "1.0.6"
+version = "1.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "00f1243ef785213e3a32fa0396093424a3a6ea566f9948497e5a2309261a4c97"
+checksum = "aaf4f3c0ba838e82b4e5ccc4157003fb8c324ee24c058470ffb82820becbde98"
 dependencies = [
 "core-foundation 0.10.1",
 "jni",
@@ -7327,7 +7342,7 @@ version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb"
 dependencies = [
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]

 [[package]]
@@ -7753,9 +7768,9 @@ checksum = "271414315aff87387382ec3d271b52d7ae78726f5d44ac98b4f4030c91880486"

 [[package]]
 name = "winnow"
-version = "0.7.13"
+version = "0.7.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "21a0236b59786fed61e2a80582dd500fe61f18b5dca67a4a067d0bc9039339cf"
+checksum = "f3edebf492c8125044983378ecb5766203ad3b4c2f7a922bd7dd207f6d443e95"
 dependencies = [
 "memchr",
 ]
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -18,7 +18,7 @@ members = [
    "exec",
    "exec-server",
    "execpolicy",
-    "execpolicy-legacy",
+    "execpolicy2",
    "keyring-store",
    "file-search",
    "linux-sandbox",
@@ -41,17 +41,17 @@ members = [
    "utils/pty",
    "utils/readiness",
    "utils/string",
+    "utils/tokenizer",
 ]
 resolver = "2"

 [workspace.package]
-version = "0.64.0-alpha.6"
+version = "0.0.0"
 # Track the edition for all workspace crates in one place. Individual
 # crates can still override this value, but keeping it here means new
 # crates created with `cargo new -w ...` automatically inherit the 2024
 # edition.
 edition = "2024"
-license = "Apache-2.0"

 [workspace.dependencies]
 # Internal
@@ -67,7 +67,6 @@ codex-chatgpt = { path = "chatgpt" }
 codex-common = { path = "common" }
 codex-core = { path = "core" }
 codex-exec = { path = "exec" }
-codex-execpolicy = { path = "execpolicy" }
 codex-feedback = { path = "feedback" }
 codex-file-search = { path = "file-search" }
 codex-git = { path = "utils/git" }
@@ -90,6 +89,7 @@ codex-utils-json-to-toml = { path = "utils/json-to-toml" }
 codex-utils-pty = { path = "utils/pty" }
 codex-utils-readiness = { path = "utils/readiness" }
 codex-utils-string = { path = "utils/string" }
+codex-utils-tokenizer = { path = "utils/tokenizer" }
 codex-windows-sandbox = { path = "windows-sandbox-rs" }
 core_test_support = { path = "core/tests/common" }
 mcp-types = { path = "mcp-types" }
@@ -109,7 +109,6 @@ async-trait = "0.1.89"
 axum = { version = "0.8", default-features = false }
 base64 = "0.22.1"
 bytes = "1.10.1"
-chardetng = "0.1.17"
 chrono = "0.4.42"
 clap = "4"
 clap_complete = "4"
@@ -121,7 +120,6 @@ diffy = "0.4.2"
 dirs = "6"
 dotenvy = "0.15.7"
 dunce = "1.0.4"
-encoding_rs = "0.8.35"
 env-flags = "0.1.1"
 env_logger = "0.11.5"
 escargot = "0.5"
@@ -139,7 +137,7 @@ itertools = "0.14.0"
 keyring = { version = "3.6", default-features = false }
 landlock = "0.4.1"
 lazy_static = "1"
-libc = "0.2.177"
+libc = "0.2.175"
 log = "0.4"
 lru = "0.12.5"
 maplit = "1.0.2"
@@ -147,7 +145,7 @@ mime_guess = "2.0.5"
 multimap = "0.10.0"
 notify = "8.2.0"
 nucleo-matcher = "0.3.1"
-once_cell = "1.20.2"
+once_cell = "1"
 openssl-sys = "*"
 opentelemetry = "0.30.0"
 opentelemetry-appender-tracing = "0.30.0"
@@ -166,11 +164,11 @@ rand = "0.9"
 ratatui = "0.29.0"
 ratatui-macros = "0.6.0"
 regex-lite = "0.1.7"
-regex = "1.12.2"
 reqwest = "0.12"
-rmcp = { version = "0.9.0", default-features = false }
+rmcp = { version = "0.8.5", default-features = false }
 schemars = "0.8.22"
 seccompiler = "0.5.0"
+sentry = "0.34.0"
 serde = "1"
 serde_json = "1"
 serde_with = "3.14"
@@ -189,6 +187,7 @@ tempfile = "3.23.0"
 test-log = "0.2.18"
 textwrap = "0.16.2"
 thiserror = "2.0.17"
+tiktoken-rs = "0.9"
 time = "0.3"
 tiny_http = "0.12"
 tokio = "1"
@@ -196,7 +195,7 @@ tokio-stream = "0.1.17"
 tokio-test = "0.4"
 tokio-util = "0.7.16"
 toml = "0.9.5"
-toml_edit = "0.23.5"
+toml_edit = "0.23.4"
 tonic = "0.13.1"
 tracing = "0.1.41"
 tracing-appender = "0.2.3"
@@ -262,7 +261,12 @@ unwrap_used = "deny"
 # cargo-shear cannot see the platform-specific openssl-sys usage, so we
 # silence the false positive here instead of deleting a real dependency.
 [workspace.metadata.cargo-shear]
-ignored = ["icu_provider", "openssl-sys", "codex-utils-readiness"]
+ignored = [
+    "icu_provider",
+    "openssl-sys",
+    "codex-utils-readiness",
+    "codex-utils-tokenizer",
+]

 [profile.release]
 lto = "fat"
@@ -283,7 +287,6 @@ opt-level = 0
 # ratatui = { path = "../../ratatui" }
 crossterm = { git = "https://github.com/nornagon/crossterm", branch = "nornagon/color-query" }
 ratatui = { git = "https://github.com/nornagon/ratatui", branch = "nornagon-v0.29.0-patch" }
-rmcp = { git = "https://github.com/bolinfest/rust-sdk", branch = "pr556" }

 # Uncomment to debug local changes.
 # rmcp = { path = "../../rust-sdk/crates/rmcp" }
--- a/codex-rs/ansi-escape/Cargo.toml
+++ b/codex-rs/ansi-escape/Cargo.toml
@@ -1,8 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-ansi-escape"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
+version = { workspace = true }

 [lib]
 name = "codex_ansi_escape"
--- a/codex-rs/app-server-protocol/Cargo.toml
+++ b/codex-rs/app-server-protocol/Cargo.toml
@@ -1,8 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-app-server-protocol"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
+version = { workspace = true }

 [lib]
 name = "codex_app_server_protocol"
@@ -20,7 +19,6 @@ schemars = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
 strum_macros = { workspace = true }
-thiserror = { workspace = true }
 ts-rs = { workspace = true }
 uuid = { workspace = true, features = ["serde", "v7"] }

--- a/codex-rs/app-server-protocol/src/lib.rs
+++ b/codex-rs/app-server-protocol/src/lib.rs
@@ -7,6 +7,5 @@ pub use export::generate_ts;
 pub use export::generate_types;
 pub use jsonrpc_lite::*;
 pub use protocol::common::*;
-pub use protocol::thread_history::*;
 pub use protocol::v1::*;
 pub use protocol::v2::*;
--- a/codex-rs/app-server-protocol/src/protocol/common.rs
+++ b/codex-rs/app-server-protocol/src/protocol/common.rs
@@ -164,19 +164,6 @@ client_request_definitions! {
        response: v2::FeedbackUploadResponse,
    },

-    ConfigRead => "config/read" {
-        params: v2::ConfigReadParams,
-        response: v2::ConfigReadResponse,
-    },
-    ConfigValueWrite => "config/value/write" {
-        params: v2::ConfigValueWriteParams,
-        response: v2::ConfigWriteResponse,
-    },
-    ConfigBatchWrite => "config/batchWrite" {
-        params: v2::ConfigBatchWriteParams,
-        response: v2::ConfigWriteResponse,
-    },
-
    GetAccount => "account/read" {
        params: v2::GetAccountParams,
        response: v2::GetAccountResponse,
@@ -391,7 +378,7 @@ macro_rules! server_notification_definitions {
        impl TryFrom<JSONRPCNotification> for ServerNotification {
            type Error = serde_json::Error;

-            fn try_from(value: JSONRPCNotification) -> Result<Self, serde_json::Error> {
+            fn try_from(value: JSONRPCNotification) -> Result<Self, Self::Error> {
                serde_json::from_value(serde_json::to_value(value)?)
            }
        }
@@ -451,13 +438,6 @@ server_request_definitions! {
        response: v2::CommandExecutionRequestApprovalResponse,
    },

-    /// Sent when approval is requested for a specific file change.
-    /// This request is used for Turns started via turn/start.
-    FileChangeRequestApproval => "item/fileChange/requestApproval" {
-        params: v2::FileChangeRequestApprovalParams,
-        response: v2::FileChangeRequestApprovalResponse,
-    },
-
    /// DEPRECATED APIs below
    /// Request to approve a patch.
    /// This request is used for Turns started via the legacy APIs (i.e. SendUserTurn, SendUserMessage).
@@ -500,7 +480,6 @@ pub struct FuzzyFileSearchResponse {

 server_notification_definitions! {
    /// NEW NOTIFICATIONS
-    Error => "error" (v2::ErrorNotification),
    ThreadStarted => "thread/started" (v2::ThreadStartedNotification),
    TurnStarted => "turn/started" (v2::TurnStartedNotification),
    TurnCompleted => "turn/completed" (v2::TurnCompletedNotification),
@@ -515,9 +494,6 @@ server_notification_definitions! {
    ReasoningSummaryPartAdded => "item/reasoning/summaryPartAdded" (v2::ReasoningSummaryPartAddedNotification),
    ReasoningTextDelta => "item/reasoning/textDelta" (v2::ReasoningTextDeltaNotification),

-    /// Notifies the user of world-writable directories on Windows, which cannot be protected by the sandbox.
-    WindowsWorldWritableWarning => "windows/worldWritableWarning" (v2::WindowsWorldWritableWarningNotification),
-
    #[serde(rename = "account/login/completed")]
    #[ts(rename = "account/login/completed")]
    #[strum(serialize = "account/login/completed")]
@@ -552,7 +528,7 @@ mod tests {
        let request = ClientRequest::NewConversation {
            request_id: RequestId::Integer(42),
            params: v1::NewConversationParams {
-                model: Some("gpt-5.1-codex-max".to_string()),
+                model: Some("gpt-5.1-codex".to_string()),
                model_provider: None,
                profile: None,
                cwd: None,
@@ -570,7 +546,7 @@ mod tests {
                "method": "newConversation",
                "id": 42,
                "params": {
-                    "model": "gpt-5.1-codex-max",
+                    "model": "gpt-5.1-codex",
                    "modelProvider": null,
                    "profile": null,
                    "cwd": null,
--- a/codex-rs/app-server-protocol/src/protocol/mod.rs
+++ b/codex-rs/app-server-protocol/src/protocol/mod.rs
@@ -2,6 +2,5 @@
 // Exposes protocol pieces used by `lib.rs` via `pub use protocol::common::*;`.

 pub mod common;
-pub mod thread_history;
 pub mod v1;
 pub mod v2;
--- a/codex-rs/app-server-protocol/src/protocol/thread_history.rs
+++ b/codex-rs/app-server-protocol/src/protocol/thread_history.rs
@@ -1,409 +0,0 @@
-use crate::protocol::v2::ThreadItem;
-use crate::protocol::v2::Turn;
-use crate::protocol::v2::TurnStatus;
-use crate::protocol::v2::UserInput;
-use codex_protocol::protocol::AgentReasoningEvent;
-use codex_protocol::protocol::AgentReasoningRawContentEvent;
-use codex_protocol::protocol::EventMsg;
-use codex_protocol::protocol::TurnAbortedEvent;
-use codex_protocol::protocol::UserMessageEvent;
-
-/// Convert persisted [`EventMsg`] entries into a sequence of [`Turn`] values.
-///
-/// The purpose of this is to convert the EventMsgs persisted in a rollout file
-/// into a sequence of Turns and ThreadItems, which allows the client to render
-/// the historical messages when resuming a thread.
-pub fn build_turns_from_event_msgs(events: &[EventMsg]) -> Vec<Turn> {
-    let mut builder = ThreadHistoryBuilder::new();
-    for event in events {
-        builder.handle_event(event);
-    }
-    builder.finish()
-}
-
-struct ThreadHistoryBuilder {
-    turns: Vec<Turn>,
-    current_turn: Option<PendingTurn>,
-    next_turn_index: i64,
-    next_item_index: i64,
-}
-
-impl ThreadHistoryBuilder {
-    fn new() -> Self {
-        Self {
-            turns: Vec::new(),
-            current_turn: None,
-            next_turn_index: 1,
-            next_item_index: 1,
-        }
-    }
-
-    fn finish(mut self) -> Vec<Turn> {
-        self.finish_current_turn();
-        self.turns
-    }
-
-    /// This function should handle all EventMsg variants that can be persisted in a rollout file.
-    /// See `should_persist_event_msg` in `codex-rs/core/rollout/policy.rs`.
-    fn handle_event(&mut self, event: &EventMsg) {
-        match event {
-            EventMsg::UserMessage(payload) => self.handle_user_message(payload),
-            EventMsg::AgentMessage(payload) => self.handle_agent_message(payload.message.clone()),
-            EventMsg::AgentReasoning(payload) => self.handle_agent_reasoning(payload),
-            EventMsg::AgentReasoningRawContent(payload) => {
-                self.handle_agent_reasoning_raw_content(payload)
-            }
-            EventMsg::TokenCount(_) => {}
-            EventMsg::EnteredReviewMode(_) => {}
-            EventMsg::ExitedReviewMode(_) => {}
-            EventMsg::UndoCompleted(_) => {}
-            EventMsg::TurnAborted(payload) => self.handle_turn_aborted(payload),
-            _ => {}
-        }
-    }
-
-    fn handle_user_message(&mut self, payload: &UserMessageEvent) {
-        self.finish_current_turn();
-        let mut turn = self.new_turn();
-        let id = self.next_item_id();
-        let content = self.build_user_inputs(payload);
-        turn.items.push(ThreadItem::UserMessage { id, content });
-        self.current_turn = Some(turn);
-    }
-
-    fn handle_agent_message(&mut self, text: String) {
-        if text.is_empty() {
-            return;
-        }
-
-        let id = self.next_item_id();
-        self.ensure_turn()
-            .items
-            .push(ThreadItem::AgentMessage { id, text });
-    }
-
-    fn handle_agent_reasoning(&mut self, payload: &AgentReasoningEvent) {
-        if payload.text.is_empty() {
-            return;
-        }
-
-        // If the last item is a reasoning item, add the new text to the summary.
-        if let Some(ThreadItem::Reasoning { summary, .. }) = self.ensure_turn().items.last_mut() {
-            summary.push(payload.text.clone());
-            return;
-        }
-
-        // Otherwise, create a new reasoning item.
-        let id = self.next_item_id();
-        self.ensure_turn().items.push(ThreadItem::Reasoning {
-            id,
-            summary: vec![payload.text.clone()],
-            content: Vec::new(),
-        });
-    }
-
-    fn handle_agent_reasoning_raw_content(&mut self, payload: &AgentReasoningRawContentEvent) {
-        if payload.text.is_empty() {
-            return;
-        }
-
-        // If the last item is a reasoning item, add the new text to the content.
-        if let Some(ThreadItem::Reasoning { content, .. }) = self.ensure_turn().items.last_mut() {
-            content.push(payload.text.clone());
-            return;
-        }
-
-        // Otherwise, create a new reasoning item.
-        let id = self.next_item_id();
-        self.ensure_turn().items.push(ThreadItem::Reasoning {
-            id,
-            summary: Vec::new(),
-            content: vec![payload.text.clone()],
-        });
-    }
-
-    fn handle_turn_aborted(&mut self, _payload: &TurnAbortedEvent) {
-        let Some(turn) = self.current_turn.as_mut() else {
-            return;
-        };
-        turn.status = TurnStatus::Interrupted;
-    }
-
-    fn finish_current_turn(&mut self) {
-        if let Some(turn) = self.current_turn.take() {
-            if turn.items.is_empty() {
-                return;
-            }
-            self.turns.push(turn.into());
-        }
-    }
-
-    fn new_turn(&mut self) -> PendingTurn {
-        PendingTurn {
-            id: self.next_turn_id(),
-            items: Vec::new(),
-            status: TurnStatus::Completed,
-        }
-    }
-
-    fn ensure_turn(&mut self) -> &mut PendingTurn {
-        if self.current_turn.is_none() {
-            let turn = self.new_turn();
-            return self.current_turn.insert(turn);
-        }
-
-        if let Some(turn) = self.current_turn.as_mut() {
-            return turn;
-        }
-
-        unreachable!("current turn must exist after initialization");
-    }
-
-    fn next_turn_id(&mut self) -> String {
-        let id = format!("turn-{}", self.next_turn_index);
-        self.next_turn_index += 1;
-        id
-    }
-
-    fn next_item_id(&mut self) -> String {
-        let id = format!("item-{}", self.next_item_index);
-        self.next_item_index += 1;
-        id
-    }
-
-    fn build_user_inputs(&self, payload: &UserMessageEvent) -> Vec<UserInput> {
-        let mut content = Vec::new();
-        if !payload.message.trim().is_empty() {
-            content.push(UserInput::Text {
-                text: payload.message.clone(),
-            });
-        }
-        if let Some(images) = &payload.images {
-            for image in images {
-                content.push(UserInput::Image { url: image.clone() });
-            }
-        }
-        content
-    }
-}
-
-struct PendingTurn {
-    id: String,
-    items: Vec<ThreadItem>,
-    status: TurnStatus,
-}
-
-impl From<PendingTurn> for Turn {
-    fn from(value: PendingTurn) -> Self {
-        Self {
-            id: value.id,
-            items: value.items,
-            status: value.status,
-        }
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use codex_protocol::protocol::AgentMessageEvent;
-    use codex_protocol::protocol::AgentReasoningEvent;
-    use codex_protocol::protocol::AgentReasoningRawContentEvent;
-    use codex_protocol::protocol::TurnAbortReason;
-    use codex_protocol::protocol::TurnAbortedEvent;
-    use codex_protocol::protocol::UserMessageEvent;
-    use pretty_assertions::assert_eq;
-
-    #[test]
-    fn builds_multiple_turns_with_reasoning_items() {
-        let events = vec![
-            EventMsg::UserMessage(UserMessageEvent {
-                message: "First turn".into(),
-                images: Some(vec!["https://example.com/one.png".into()]),
-            }),
-            EventMsg::AgentMessage(AgentMessageEvent {
-                message: "Hi there".into(),
-            }),
-            EventMsg::AgentReasoning(AgentReasoningEvent {
-                text: "thinking".into(),
-            }),
-            EventMsg::AgentReasoningRawContent(AgentReasoningRawContentEvent {
-                text: "full reasoning".into(),
-            }),
-            EventMsg::UserMessage(UserMessageEvent {
-                message: "Second turn".into(),
-                images: None,
-            }),
-            EventMsg::AgentMessage(AgentMessageEvent {
-                message: "Reply two".into(),
-            }),
-        ];
-
-        let turns = build_turns_from_event_msgs(&events);
-        assert_eq!(turns.len(), 2);
-
-        let first = &turns[0];
-        assert_eq!(first.id, "turn-1");
-        assert_eq!(first.status, TurnStatus::Completed);
-        assert_eq!(first.items.len(), 3);
-        assert_eq!(
-            first.items[0],
-            ThreadItem::UserMessage {
-                id: "item-1".into(),
-                content: vec![
-                    UserInput::Text {
-                        text: "First turn".into(),
-                    },
-                    UserInput::Image {
-                        url: "https://example.com/one.png".into(),
-                    }
-                ],
-            }
-        );
-        assert_eq!(
-            first.items[1],
-            ThreadItem::AgentMessage {
-                id: "item-2".into(),
-                text: "Hi there".into(),
-            }
-        );
-        assert_eq!(
-            first.items[2],
-            ThreadItem::Reasoning {
-                id: "item-3".into(),
-                summary: vec!["thinking".into()],
-                content: vec!["full reasoning".into()],
-            }
-        );
-
-        let second = &turns[1];
-        assert_eq!(second.id, "turn-2");
-        assert_eq!(second.items.len(), 2);
-        assert_eq!(
-            second.items[0],
-            ThreadItem::UserMessage {
-                id: "item-4".into(),
-                content: vec![UserInput::Text {
-                    text: "Second turn".into()
-                }],
-            }
-        );
-        assert_eq!(
-            second.items[1],
-            ThreadItem::AgentMessage {
-                id: "item-5".into(),
-                text: "Reply two".into(),
-            }
-        );
-    }
-
-    #[test]
-    fn splits_reasoning_when_interleaved() {
-        let events = vec![
-            EventMsg::UserMessage(UserMessageEvent {
-                message: "Turn start".into(),
-                images: None,
-            }),
-            EventMsg::AgentReasoning(AgentReasoningEvent {
-                text: "first summary".into(),
-            }),
-            EventMsg::AgentReasoningRawContent(AgentReasoningRawContentEvent {
-                text: "first content".into(),
-            }),
-            EventMsg::AgentMessage(AgentMessageEvent {
-                message: "interlude".into(),
-            }),
-            EventMsg::AgentReasoning(AgentReasoningEvent {
-                text: "second summary".into(),
-            }),
-        ];
-
-        let turns = build_turns_from_event_msgs(&events);
-        assert_eq!(turns.len(), 1);
-        let turn = &turns[0];
-        assert_eq!(turn.items.len(), 4);
-
-        assert_eq!(
-            turn.items[1],
-            ThreadItem::Reasoning {
-                id: "item-2".into(),
-                summary: vec!["first summary".into()],
-                content: vec!["first content".into()],
-            }
-        );
-        assert_eq!(
-            turn.items[3],
-            ThreadItem::Reasoning {
-                id: "item-4".into(),
-                summary: vec!["second summary".into()],
-                content: Vec::new(),
-            }
-        );
-    }
-
-    #[test]
-    fn marks_turn_as_interrupted_when_aborted() {
-        let events = vec![
-            EventMsg::UserMessage(UserMessageEvent {
-                message: "Please do the thing".into(),
-                images: None,
-            }),
-            EventMsg::AgentMessage(AgentMessageEvent {
-                message: "Working...".into(),
-            }),
-            EventMsg::TurnAborted(TurnAbortedEvent {
-                reason: TurnAbortReason::Replaced,
-            }),
-            EventMsg::UserMessage(UserMessageEvent {
-                message: "Let's try again".into(),
-                images: None,
-            }),
-            EventMsg::AgentMessage(AgentMessageEvent {
-                message: "Second attempt complete.".into(),
-            }),
-        ];
-
-        let turns = build_turns_from_event_msgs(&events);
-        assert_eq!(turns.len(), 2);
-
-        let first_turn = &turns[0];
-        assert_eq!(first_turn.status, TurnStatus::Interrupted);
-        assert_eq!(first_turn.items.len(), 2);
-        assert_eq!(
-            first_turn.items[0],
-            ThreadItem::UserMessage {
-                id: "item-1".into(),
-                content: vec![UserInput::Text {
-                    text: "Please do the thing".into()
-                }],
-            }
-        );
-        assert_eq!(
-            first_turn.items[1],
-            ThreadItem::AgentMessage {
-                id: "item-2".into(),
-                text: "Working...".into(),
-            }
-        );
-
-        let second_turn = &turns[1];
-        assert_eq!(second_turn.status, TurnStatus::Completed);
-        assert_eq!(second_turn.items.len(), 2);
-        assert_eq!(
-            second_turn.items[0],
-            ThreadItem::UserMessage {
-                id: "item-3".into(),
-                content: vec![UserInput::Text {
-                    text: "Let's try again".into()
-                }],
-            }
-        );
-        assert_eq!(
-            second_turn.items[1],
-            ThreadItem::AgentMessage {
-                id: "item-4".into(),
-                text: "Second attempt complete.".into(),
-            }
-        );
-    }
-}
--- a/codex-rs/app-server-protocol/src/protocol/v2.rs
+++ b/codex-rs/app-server-protocol/src/protocol/v2.rs
@@ -11,18 +11,14 @@ use codex_protocol::items::AgentMessageContent as CoreAgentMessageContent;
 use codex_protocol::items::TurnItem as CoreTurnItem;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::parse_command::ParsedCommand as CoreParsedCommand;
-use codex_protocol::protocol::CodexErrorInfo as CoreCodexErrorInfo;
-use codex_protocol::protocol::CreditsSnapshot as CoreCreditsSnapshot;
 use codex_protocol::protocol::RateLimitSnapshot as CoreRateLimitSnapshot;
 use codex_protocol::protocol::RateLimitWindow as CoreRateLimitWindow;
-use codex_protocol::protocol::SessionSource as CoreSessionSource;
 use codex_protocol::user_input::UserInput as CoreUserInput;
 use mcp_types::ContentBlock as McpContentBlock;
 use schemars::JsonSchema;
 use serde::Deserialize;
 use serde::Serialize;
 use serde_json::Value as JsonValue;
-use thiserror::Error;
 use ts_rs::TS;

 // Macro to declare a camelCased API v2 enum mirroring a core enum which
@@ -50,72 +46,6 @@ macro_rules! v2_enum_from_core {
    };
 }

-/// This translation layer make sure that we expose codex error code in camel case.
-///
-/// When an upstream HTTP status is available (for example, from the Responses API or a provider),
-/// it is forwarded in `httpStatusCode` on the relevant `codexErrorInfo` variant.
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub enum CodexErrorInfo {
-    ContextWindowExceeded,
-    UsageLimitExceeded,
-    HttpConnectionFailed {
-        #[serde(rename = "httpStatusCode")]
-        #[ts(rename = "httpStatusCode")]
-        http_status_code: Option<u16>,
-    },
-    /// Failed to connect to the response SSE stream.
-    ResponseStreamConnectionFailed {
-        #[serde(rename = "httpStatusCode")]
-        #[ts(rename = "httpStatusCode")]
-        http_status_code: Option<u16>,
-    },
-    InternalServerError,
-    Unauthorized,
-    BadRequest,
-    SandboxError,
-    /// The response SSE stream disconnected in the middle of a turn before completion.
-    ResponseStreamDisconnected {
-        #[serde(rename = "httpStatusCode")]
-        #[ts(rename = "httpStatusCode")]
-        http_status_code: Option<u16>,
-    },
-    /// Reached the retry limit for responses.
-    ResponseTooManyFailedAttempts {
-        #[serde(rename = "httpStatusCode")]
-        #[ts(rename = "httpStatusCode")]
-        http_status_code: Option<u16>,
-    },
-    Other,
-}
-
-impl From<CoreCodexErrorInfo> for CodexErrorInfo {
-    fn from(value: CoreCodexErrorInfo) -> Self {
-        match value {
-            CoreCodexErrorInfo::ContextWindowExceeded => CodexErrorInfo::ContextWindowExceeded,
-            CoreCodexErrorInfo::UsageLimitExceeded => CodexErrorInfo::UsageLimitExceeded,
-            CoreCodexErrorInfo::HttpConnectionFailed { http_status_code } => {
-                CodexErrorInfo::HttpConnectionFailed { http_status_code }
-            }
-            CoreCodexErrorInfo::ResponseStreamConnectionFailed { http_status_code } => {
-                CodexErrorInfo::ResponseStreamConnectionFailed { http_status_code }
-            }
-            CoreCodexErrorInfo::InternalServerError => CodexErrorInfo::InternalServerError,
-            CoreCodexErrorInfo::Unauthorized => CodexErrorInfo::Unauthorized,
-            CoreCodexErrorInfo::BadRequest => CodexErrorInfo::BadRequest,
-            CoreCodexErrorInfo::SandboxError => CodexErrorInfo::SandboxError,
-            CoreCodexErrorInfo::ResponseStreamDisconnected { http_status_code } => {
-                CodexErrorInfo::ResponseStreamDisconnected { http_status_code }
-            }
-            CoreCodexErrorInfo::ResponseTooManyFailedAttempts { http_status_code } => {
-                CodexErrorInfo::ResponseTooManyFailedAttempts { http_status_code }
-            }
-            CoreCodexErrorInfo::Other => CodexErrorInfo::Other,
-        }
-    }
-}
-
 v2_enum_from_core!(
    pub enum AskForApproval from codex_protocol::protocol::AskForApproval {
        UnlessTrusted, OnFailure, OnRequest, Never
@@ -128,127 +58,6 @@ v2_enum_from_core!(
    }
 );

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub enum ConfigLayerName {
-    Mdm,
-    System,
-    SessionFlags,
-    User,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct ConfigLayerMetadata {
-    pub name: ConfigLayerName,
-    pub source: String,
-    pub version: String,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct ConfigLayer {
-    pub name: ConfigLayerName,
-    pub source: String,
-    pub version: String,
-    pub config: JsonValue,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub enum MergeStrategy {
-    Replace,
-    Upsert,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub enum WriteStatus {
-    Ok,
-    OkOverridden,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct OverriddenMetadata {
-    pub message: String,
-    pub overriding_layer: ConfigLayerMetadata,
-    pub effective_value: JsonValue,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct ConfigWriteResponse {
-    pub status: WriteStatus,
-    pub version: String,
-    pub overridden_metadata: Option<OverriddenMetadata>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub enum ConfigWriteErrorCode {
-    ConfigLayerReadonly,
-    ConfigVersionConflict,
-    ConfigValidationError,
-    ConfigPathNotFound,
-    ConfigSchemaUnknownKey,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct ConfigReadParams {
-    #[serde(default)]
-    pub include_layers: bool,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct ConfigReadResponse {
-    pub config: JsonValue,
-    pub origins: HashMap<String, ConfigLayerMetadata>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub layers: Option<Vec<ConfigLayer>>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct ConfigValueWriteParams {
-    pub file_path: String,
-    pub key_path: String,
-    pub value: JsonValue,
-    pub merge_strategy: MergeStrategy,
-    pub expected_version: Option<String>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct ConfigBatchWriteParams {
-    pub file_path: String,
-    pub edits: Vec<ConfigEdit>,
-    pub expected_version: Option<String>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct ConfigEdit {
-    pub key_path: String,
-    pub value: JsonValue,
-    pub merge_strategy: MergeStrategy,
-}
-
 v2_enum_from_core!(
    pub enum CommandRiskLevel from codex_protocol::approvals::SandboxRiskLevel {
        Low,
@@ -381,56 +190,6 @@ pub enum CommandAction {
    },
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(rename_all = "camelCase", export_to = "v2/")]
-#[derive(Default)]
-pub enum SessionSource {
-    Cli,
-    #[serde(rename = "vscode")]
-    #[ts(rename = "vscode")]
-    #[default]
-    VsCode,
-    Exec,
-    AppServer,
-    #[serde(other)]
-    Unknown,
-}
-
-impl From<CoreSessionSource> for SessionSource {
-    fn from(value: CoreSessionSource) -> Self {
-        match value {
-            CoreSessionSource::Cli => SessionSource::Cli,
-            CoreSessionSource::VSCode => SessionSource::VsCode,
-            CoreSessionSource::Exec => SessionSource::Exec,
-            CoreSessionSource::Mcp => SessionSource::AppServer,
-            CoreSessionSource::SubAgent(_) => SessionSource::Unknown,
-            CoreSessionSource::Unknown => SessionSource::Unknown,
-        }
-    }
-}
-
-impl From<SessionSource> for CoreSessionSource {
-    fn from(value: SessionSource) -> Self {
-        match value {
-            SessionSource::Cli => CoreSessionSource::Cli,
-            SessionSource::VsCode => CoreSessionSource::VSCode,
-            SessionSource::Exec => CoreSessionSource::Exec,
-            SessionSource::AppServer => CoreSessionSource::Mcp,
-            SessionSource::Unknown => CoreSessionSource::Unknown,
-        }
-    }
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct GitInfo {
-    pub sha: Option<String>,
-    pub branch: Option<String>,
-    pub origin_url: Option<String>,
-}
-
 impl CommandAction {
    pub fn into_core(self) -> CoreParsedCommand {
        match self {
@@ -753,24 +512,11 @@ pub struct Thread {
    pub id: String,
    /// Usually the first user message in the thread, if available.
    pub preview: String,
-    /// Model provider used for this thread (for example, 'openai').
    pub model_provider: String,
    /// Unix timestamp (in seconds) when the thread was created.
    pub created_at: i64,
    /// [UNSTABLE] Path to the thread on disk.
    pub path: PathBuf,
-    /// Working directory captured for the thread.
-    pub cwd: PathBuf,
-    /// Version of the CLI that created the thread.
-    pub cli_version: String,
-    /// Origin of the thread (CLI, VSCode, codex exec, codex app-server, etc.).
-    pub source: SessionSource,
-    /// Optional Git metadata captured when the thread was created.
-    pub git_info: Option<GitInfo>,
-    /// Only populated on a `thread/resume` response.
-    /// For all other responses and notifications returning a Thread,
-    /// the turns field will be an empty list.
-    pub turns: Vec<Turn>,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -785,28 +531,18 @@ pub struct AccountUpdatedNotification {
 #[ts(export_to = "v2/")]
 pub struct Turn {
    pub id: String,
-    /// Only populated on a `thread/resume` response.
-    /// For all other responses and notifications returning a Turn,
-    /// the items field will be an empty list.
+    /// This is currently only populated for resumed threads.
+    /// TODO: properly populate items for all turns.
    pub items: Vec<ThreadItem>,
    #[serde(flatten)]
    pub status: TurnStatus,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS, Error)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-#[error("{message}")]
-pub struct TurnError {
-    pub message: String,
-    pub codex_error_info: Option<CodexErrorInfo>,
-}
-
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
-pub struct ErrorNotification {
-    pub error: TurnError,
+pub struct TurnError {
+    pub message: String,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -1040,7 +776,6 @@ pub enum CommandExecutionStatus {
    InProgress,
    Completed,
    Failed,
-    Declined,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -1053,23 +788,20 @@ pub struct FileUpdateChange {
 }

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(tag = "type", rename_all = "camelCase")]
-#[ts(tag = "type")]
+#[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
 pub enum PatchChangeKind {
    Add,
    Delete,
-    Update { move_path: Option<PathBuf> },
+    Update,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
 pub enum PatchApplyStatus {
-    InProgress,
    Completed,
    Failed,
-    Declined,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -1202,15 +934,6 @@ pub struct McpToolCallProgressNotification {
    pub message: String,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct WindowsWorldWritableWarningNotification {
-    pub sample_paths: Vec<String>,
-    pub extra_count: usize,
-    pub failed_scan: bool,
-}
-
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -1244,26 +967,6 @@ pub struct CommandExecutionRequestApprovalResponse {
    pub accept_settings: Option<CommandExecutionRequestAcceptSettings>,
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct FileChangeRequestApprovalParams {
-    pub thread_id: String,
-    pub turn_id: String,
-    pub item_id: String,
-    /// Optional explanatory reason (e.g. request for extra write access).
-    pub reason: Option<String>,
-    /// [UNSTABLE] When set, the agent is asking the user to allow writes under this root
-    /// for the remainder of the session (unclear if this is honored today).
-    pub grant_root: Option<PathBuf>,
-}
-
-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[ts(export_to = "v2/")]
-pub struct FileChangeRequestApprovalResponse {
-    pub decision: ApprovalDecision,
-}
-
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -1277,7 +980,6 @@ pub struct AccountRateLimitsUpdatedNotification {
 pub struct RateLimitSnapshot {
    pub primary: Option<RateLimitWindow>,
    pub secondary: Option<RateLimitWindow>,
-    pub credits: Option<CreditsSnapshot>,
 }

 impl From<CoreRateLimitSnapshot> for RateLimitSnapshot {
@@ -1285,7 +987,6 @@ impl From<CoreRateLimitSnapshot> for RateLimitSnapshot {
        Self {
            primary: value.primary.map(RateLimitWindow::from),
            secondary: value.secondary.map(RateLimitWindow::from),
-            credits: value.credits.map(CreditsSnapshot::from),
        }
    }
 }
@@ -1309,25 +1010,6 @@ impl From<CoreRateLimitWindow> for RateLimitWindow {
    }
 }

-#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
-#[serde(rename_all = "camelCase")]
-#[ts(export_to = "v2/")]
-pub struct CreditsSnapshot {
-    pub has_credits: bool,
-    pub unlimited: bool,
-    pub balance: Option<String>,
-}
-
-impl From<CoreCreditsSnapshot> for CreditsSnapshot {
-    fn from(value: CoreCreditsSnapshot) -> Self {
-        Self {
-            has_credits: value.has_credits,
-            unlimited: value.unlimited,
-            balance: value.balance,
-        }
-    }
-}
-
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -1350,7 +1032,6 @@ mod tests {
    use codex_protocol::items::WebSearchItem;
    use codex_protocol::user_input::UserInput as CoreUserInput;
    use pretty_assertions::assert_eq;
-    use serde_json::json;
    use std::path::PathBuf;

    #[test]
@@ -1436,20 +1117,4 @@ mod tests {
            }
        );
    }
-
-    #[test]
-    fn codex_error_info_serializes_http_status_code_in_camel_case() {
-        let value = CodexErrorInfo::ResponseTooManyFailedAttempts {
-            http_status_code: Some(401),
-        };
-
-        assert_eq!(
-            serde_json::to_value(value).unwrap(),
-            json!({
-                "responseTooManyFailedAttempts": {
-                    "httpStatusCode": 401
-                }
-            })
-        );
-    }
 }
--- a/codex-rs/app-server-test-client/Cargo.toml
+++ b/codex-rs/app-server-test-client/Cargo.toml
@@ -1,8 +1,7 @@
 [package]
 name = "codex-app-server-test-client"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
+version = { workspace = true }
+edition = "2024"

 [lints]
 workspace = true
--- a/codex-rs/app-server-test-client/src/main.rs
+++ b/codex-rs/app-server-test-client/src/main.rs
@@ -24,8 +24,6 @@ use codex_app_server_protocol::ClientRequest;
 use codex_app_server_protocol::CommandExecutionRequestAcceptSettings;
 use codex_app_server_protocol::CommandExecutionRequestApprovalParams;
 use codex_app_server_protocol::CommandExecutionRequestApprovalResponse;
-use codex_app_server_protocol::FileChangeRequestApprovalParams;
-use codex_app_server_protocol::FileChangeRequestApprovalResponse;
 use codex_app_server_protocol::GetAccountRateLimitsResponse;
 use codex_app_server_protocol::InitializeParams;
 use codex_app_server_protocol::InitializeResponse;
@@ -101,15 +99,6 @@ enum CliCommand {
    /// Start a V2 turn that should not elicit an ExecCommand approval.
    #[command(name = "no-trigger-cmd-approval")]
    NoTriggerCmdApproval,
-    /// Send two sequential V2 turns in the same thread to test follow-up behavior.
-    SendFollowUpV2 {
-        /// Initial user message for the first turn.
-        #[arg()]
-        first_message: String,
-        /// Follow-up user message for the second turn.
-        #[arg()]
-        follow_up_message: String,
-    },
    /// Trigger the ChatGPT login flow and wait for completion.
    TestLogin,
    /// Fetch the current account rate limits from the Codex app-server.
@@ -129,10 +118,6 @@ fn main() -> Result<()> {
            trigger_patch_approval(codex_bin, user_message)
        }
        CliCommand::NoTriggerCmdApproval => no_trigger_cmd_approval(codex_bin),
-        CliCommand::SendFollowUpV2 {
-            first_message,
-            follow_up_message,
-        } => send_follow_up_v2(codex_bin, first_message, follow_up_message),
        CliCommand::TestLogin => test_login(codex_bin),
        CliCommand::GetAccountRateLimits => get_account_rate_limits(codex_bin),
    }
@@ -222,44 +207,6 @@ fn send_message_v2_with_policies(
    Ok(())
 }

-fn send_follow_up_v2(
-    codex_bin: String,
-    first_message: String,
-    follow_up_message: String,
-) -> Result<()> {
-    let mut client = CodexClient::spawn(codex_bin)?;
-
-    let initialize = client.initialize()?;
-    println!("< initialize response: {initialize:?}");
-
-    let thread_response = client.thread_start(ThreadStartParams::default())?;
-    println!("< thread/start response: {thread_response:?}");
-
-    let first_turn_params = TurnStartParams {
-        thread_id: thread_response.thread.id.clone(),
-        input: vec![V2UserInput::Text {
-            text: first_message,
-        }],
-        ..Default::default()
-    };
-    let first_turn_response = client.turn_start(first_turn_params)?;
-    println!("< turn/start response (initial): {first_turn_response:?}");
-    client.stream_turn(&thread_response.thread.id, &first_turn_response.turn.id)?;
-
-    let follow_up_params = TurnStartParams {
-        thread_id: thread_response.thread.id.clone(),
-        input: vec![V2UserInput::Text {
-            text: follow_up_message,
-        }],
-        ..Default::default()
-    };
-    let follow_up_response = client.turn_start(follow_up_params)?;
-    println!("< turn/start response (follow-up): {follow_up_response:?}");
-    client.stream_turn(&thread_response.thread.id, &follow_up_response.turn.id)?;
-
-    Ok(())
-}
-
 fn test_login(codex_bin: String) -> Result<()> {
    let mut client = CodexClient::spawn(codex_bin)?;

@@ -730,9 +677,6 @@ impl CodexClient {
            ServerRequest::CommandExecutionRequestApproval { request_id, params } => {
                self.handle_command_execution_request_approval(request_id, params)?;
            }
-            ServerRequest::FileChangeRequestApproval { request_id, params } => {
-                self.approve_file_change_request(request_id, params)?;
-            }
            other => {
                bail!("received unsupported server request: {other:?}");
            }
@@ -773,37 +717,6 @@ impl CodexClient {
        Ok(())
    }

-    fn approve_file_change_request(
-        &mut self,
-        request_id: RequestId,
-        params: FileChangeRequestApprovalParams,
-    ) -> Result<()> {
-        let FileChangeRequestApprovalParams {
-            thread_id,
-            turn_id,
-            item_id,
-            reason,
-            grant_root,
-        } = params;
-
-        println!(
-            "\n< fileChange approval requested for thread {thread_id}, turn {turn_id}, item {item_id}"
-        );
-        if let Some(reason) = reason.as_deref() {
-            println!("< reason: {reason}");
-        }
-        if let Some(grant_root) = grant_root.as_deref() {
-            println!("< grant root: {}", grant_root.display());
-        }
-
-        let response = FileChangeRequestApprovalResponse {
-            decision: ApprovalDecision::Accept,
-        };
-        self.send_server_request_response(request_id, &response)?;
-        println!("< approved fileChange request for item {item_id}");
-        Ok(())
-    }
-
    fn send_server_request_response<T>(&mut self, request_id: RequestId, response: &T) -> Result<()>
    where
        T: Serialize,
--- a/codex-rs/app-server/Cargo.toml
+++ b/codex-rs/app-server/Cargo.toml
@@ -1,8 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-app-server"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
+version = { workspace = true }

 [[bin]]
 name = "codex-app-server"
@@ -30,9 +29,6 @@ codex-utils-json-to-toml = { workspace = true }
 chrono = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
-sha2 = { workspace = true }
-tempfile = { workspace = true }
-toml = { workspace = true }
 tokio = { workspace = true, features = [
    "io-std",
    "macros",
@@ -54,5 +50,6 @@ mcp-types = { workspace = true }
 os_info = { workspace = true }
 pretty_assertions = { workspace = true }
 serial_test = { workspace = true }
+tempfile = { workspace = true }
+toml = { workspace = true }
 wiremock = { workspace = true }
-shlex = { workspace = true }
--- a/codex-rs/app-server/README.md
+++ b/codex-rs/app-server/README.md
@@ -9,8 +9,8 @@
 - [Initialization](#initialization)
 - [Core primitives](#core-primitives)
 - [Thread & turn endpoints](#thread--turn-endpoints)
- [Events (work-in-progress)](#events-work-in-progress)
 - [Auth endpoints](#auth-endpoints)
+- [Events (work-in-progress)](#v2-streaming-events-work-in-progress)

 ## Protocol

@@ -234,90 +234,6 @@ When the reviewer finishes, the server emits `item/completed` containing the sam

 The `review` string is plain text that already bundles the overall explanation plus a bullet list for each structured finding (matching `ThreadItem::CodeReview` in the generated schema). Use this notification to render the reviewer output in your client.

-## Events (work-in-progress)
-
-Event notifications are the server-initiated event stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading stdout for `thread/started`, `turn/*`, and `item/*` notifications.
-
-### Turn events
-
-The app-server streams JSON-RPC notifications while a turn is running. Each turn starts with `turn/started` (initial `turn`) and ends with `turn/completed` (final `turn` plus token `usage`), and clients subscribe to the events they care about, rendering each item incrementally as updates arrive. The per-item lifecycle is always: `item/started` → zero or more item-specific deltas → `item/completed`.
-
- `turn/started` — `{ turn }` with the turn id, empty `items`, and `status: "inProgress"`.
- `turn/completed` — `{ turn }` where `turn.status` is `completed`, `interrupted`, or `failed`; failures carry `{ error: { message, codexErrorInfo? } }`.
-
-Today both notifications carry an empty `items` array even when item events were streamed; rely on `item/*` notifications for the canonical item list until this is fixed.
-
-#### Thread items
-
-`ThreadItem` is the tagged union carried in turn responses and `item/*` notifications. Currently we support events for the following items:
- `userMessage` — `{id, content}` where `content` is a list of user inputs (`text`, `image`, or `localImage`).
- `agentMessage` — `{id, text}` containing the accumulated agent reply.
- `reasoning` — `{id, summary, content}` where `summary` holds streamed reasoning summaries (applicable for most OpenAI models) and `content` holds raw reasoning blocks (applicable for e.g. open source models).
- `commandExecution` — `{id, command, cwd, status, commandActions, aggregatedOutput?, exitCode?, durationMs?}` for sandboxed commands; `status` is `inProgress`, `completed`, `failed`, or `declined`.
- `fileChange` — `{id, changes, status}` describing proposed edits; `changes` list `{path, kind, diff}` and `status` is `inProgress`, `completed`, `failed`, or `declined`.
- `mcpToolCall` — `{id, server, tool, status, arguments, result?, error?}` describing MCP calls; `status` is `inProgress`, `completed`, or `failed`.
- `webSearch` — `{id, query}` for a web search request issued by the agent.
-
-All items emit two shared lifecycle events:
- `item/started` — emits the full `item` when a new unit of work begins so the UI can render it immediately; the `item.id` in this payload matches the `itemId` used by deltas.
- `item/completed` — sends the final `item` once that work finishes (e.g., after a tool call or message completes); treat this as the authoritative state.
-
-There are additional item-specific events:
-#### agentMessage
- `item/agentMessage/delta` — appends streamed text for the agent message; concatenate `delta` values for the same `itemId` in order to reconstruct the full reply.
-#### reasoning
- `item/reasoning/summaryTextDelta` — streams readable reasoning summaries; `summaryIndex` increments when a new summary section opens.
- `item/reasoning/summaryPartAdded` — marks the boundary between reasoning summary sections for an `itemId`; subsequent `summaryTextDelta` entries share the same `summaryIndex`.
- `item/reasoning/textDelta` — streams raw reasoning text (only applicable for e.g. open source models); use `contentIndex` to group deltas that belong together before showing them in the UI.
-#### commandExecution
- `item/commandExecution/outputDelta` — streams stdout/stderr for the command; append deltas in order to render live output alongside `aggregatedOutput` in the final item.
-Final `commandExecution` items include parsed `commandActions`, `status`, `exitCode`, and `durationMs` so the UI can summarize what ran and whether it succeeded.
-#### fileChange
-`fileChange` items contain a `changes` list with `{path, kind, diff}` entries (`kind` is `add`, `delete`, or `update` with an optional `movePath`). The `status` tracks whether apply succeeded (`completed`), failed, or was `declined`.
-
-### Errors
-`error` event is emitted whenever the server hits an error mid-turn (for example, upstream model errors or quota limits). Carries the same `{ error: { message, codexErrorInfo? } }` payload as `turn.status: "failed"` and may precede that terminal notification.
-
-  `codexErrorInfo` maps to the `CodexErrorInfo` enum. Common values:
-  - `ContextWindowExceeded`
-  - `UsageLimitExceeded`
-  - `HttpConnectionFailed { httpStatusCode? }`: upstream HTTP failures including 4xx/5xx
-  - `ResponseStreamConnectionFailed { httpStatusCode? }`: failure to connect to the response SSE stream
-  - `ResponseStreamDisconnected { httpStatusCode? }`: disconnect of the response SSE stream in the middle of a turn before completion
-  - `ResponseTooManyFailedAttempts { httpStatusCode? }`
-  - `BadRequest`
-  - `Unauthorized`
-  - `SandboxError`
-  - `InternalServerError`
-  - `Other`: all unclassified errors
-
-When an upstream HTTP status is available (for example, from the Responses API or a provider), it is forwarded in `httpStatusCode` on the relevant `codexErrorInfo` variant.
-
-## Approvals
-
-Certain actions (shell commands or modifying files) may require explicit user approval depending on the user's config. When `turn/start` is used, the app-server drives an approval flow by sending a server-initiated JSON-RPC request to the client. The client must respond to tell Codex whether to proceed. UIs should present these requests inline with the active turn so users can review the proposed command or diff before choosing.
-
- Requests include `threadId` and `turnId`—use them to scope UI state to the active conversation.
- Respond with a single `{ "decision": "accept" | "decline" }` payload (plus optional `acceptSettings` on command executions). The server resumes or declines the work and ends the item with `item/completed`.
-
-### Command execution approvals
-
-Order of messages:
-1. `item/started` — shows the pending `commandExecution` item with `command`, `cwd`, and other fields so you can render the proposed action.
-2. `item/commandExecution/requestApproval` (request) — carries the same `itemId`, `threadId`, `turnId`, optionally `reason` or `risk`, plus `parsedCmd` for friendly display.
-3. Client response — `{ "decision": "accept", "acceptSettings": { "forSession": false } }` or `{ "decision": "decline" }`.
-4. `item/completed` — final `commandExecution` item with `status: "completed" | "failed" | "declined"` and execution output. Render this as the authoritative result.
-
-### File change approvals
-
-Order of messages:
-1. `item/started` — emits a `fileChange` item with `changes` (diff chunk summaries) and `status: "inProgress"`. Show the proposed edits and paths to the user.
-2. `item/fileChange/requestApproval` (request) — includes `itemId`, `threadId`, `turnId`, and an optional `reason`.
-3. Client response — `{ "decision": "accept" }` or `{ "decision": "decline" }`.
-4. `item/completed` — returns the same `fileChange` item with `status` updated to `completed`, `failed`, or `declined` after the patch attempt. Rely on this to show success/failure and finalize the diff state in your UI.
-
-UI guidance for IDEs: surface an approval dialog as soon as the request arrives. The turn will proceed after the server receives a response to the approval request. The terminal `item/completed` notification will be sent with the appropriate status.
-
 ## Auth endpoints

 The JSON-RPC auth/account surface exposes request/response methods plus server-initiated notifications (no `id`). Use these to determine auth state, start or cancel logins, logout, and inspect ChatGPT rate limits.
@@ -413,3 +329,33 @@ Field notes:
 - `codex app-server generate-ts --out <dir>` emits v2 types under `v2/`.
 - `codex app-server generate-json-schema --out <dir>` outputs `codex_app_server_protocol.schemas.json`.
 - See [“Authentication and authorization” in the config docs](../../docs/config.md#authentication-and-authorization) for configuration knobs.
+
+
+## Events (work-in-progress)
+
+Event notifications are the server-initiated event stream for thread lifecycles, turn lifecycles, and the items within them. After you start or resume a thread, keep reading stdout for `thread/started`, `turn/*`, and `item/*` notifications.
+
+### Turn events
+
+The app-server streams JSON-RPC notifications while a turn is running. Each turn starts with `turn/started` (initial `turn`) and ends with `turn/completed` (final `turn` plus token `usage`), and clients subscribe to the events they care about, rendering each item incrementally as updates arrive. The per-item lifecycle is always: `item/started` → zero or more item-specific deltas → `item/completed`.
+
+#### Thread items
+
+`ThreadItem` is the tagged union carried in turn responses and `item/*` notifications. Currently we support events for the following items:
+- `userMessage` — `{id, content}` where `content` is a list of user inputs (`text`, `image`, or `localImage`).
+- `agentMessage` — `{id, text}` containing the accumulated agent reply.
+- `reasoning` — `{id, summary, content}` where `summary` holds streamed reasoning summaries (applicable for most OpenAI models) and `content` holds raw reasoning blocks (applicable for e.g. open source models).
+- `mcpToolCall` — `{id, server, tool, status, arguments, result?, error?}` describing MCP calls; `status` is `inProgress`, `completed`, or `failed`.
+- `webSearch` — `{id, query}` for a web search request issued by the agent.
+
+All items emit two shared lifecycle events:
+- `item/started` — emits the full `item` when a new unit of work begins so the UI can render it immediately; the `item.id` in this payload matches the `itemId` used by deltas.
+- `item/completed` — sends the final `item` once that work finishes (e.g., after a tool call or message completes); treat this as the authoritative state.
+
+There are additional item-specific events:
+#### agentMessage
+- `item/agentMessage/delta` — appends streamed text for the agent message; concatenate `delta` values for the same `itemId` in order to reconstruct the full reply.
+#### reasoning
+- `item/reasoning/summaryTextDelta` — streams readable reasoning summaries; `summaryIndex` increments when a new summary section opens.
+- `item/reasoning/summaryPartAdded` — marks the boundary between reasoning summary sections for an `itemId`; subsequent `summaryTextDelta` entries share the same `summaryIndex`.
+- `item/reasoning/textDelta` — streams raw reasoning text (only applicable for e.g. open source models); use `contentIndex` to group deltas that belong together before showing them in the UI.
--- a/codex-rs/app-server/src/bespoke_event_handling.rs
+++ b/codex-rs/app-server/src/bespoke_event_handling.rs
@@ -8,26 +8,19 @@ use codex_app_server_protocol::AgentMessageDeltaNotification;
 use codex_app_server_protocol::ApplyPatchApprovalParams;
 use codex_app_server_protocol::ApplyPatchApprovalResponse;
 use codex_app_server_protocol::ApprovalDecision;
-use codex_app_server_protocol::CodexErrorInfo as V2CodexErrorInfo;
 use codex_app_server_protocol::CommandAction as V2ParsedCommand;
 use codex_app_server_protocol::CommandExecutionOutputDeltaNotification;
 use codex_app_server_protocol::CommandExecutionRequestApprovalParams;
 use codex_app_server_protocol::CommandExecutionRequestApprovalResponse;
 use codex_app_server_protocol::CommandExecutionStatus;
-use codex_app_server_protocol::ErrorNotification;
 use codex_app_server_protocol::ExecCommandApprovalParams;
 use codex_app_server_protocol::ExecCommandApprovalResponse;
-use codex_app_server_protocol::FileChangeRequestApprovalParams;
-use codex_app_server_protocol::FileChangeRequestApprovalResponse;
-use codex_app_server_protocol::FileUpdateChange;
 use codex_app_server_protocol::InterruptConversationResponse;
 use codex_app_server_protocol::ItemCompletedNotification;
 use codex_app_server_protocol::ItemStartedNotification;
 use codex_app_server_protocol::McpToolCallError;
 use codex_app_server_protocol::McpToolCallResult;
 use codex_app_server_protocol::McpToolCallStatus;
-use codex_app_server_protocol::PatchApplyStatus;
-use codex_app_server_protocol::PatchChangeKind as V2PatchChangeKind;
 use codex_app_server_protocol::ReasoningSummaryPartAddedNotification;
 use codex_app_server_protocol::ReasoningSummaryTextDeltaNotification;
 use codex_app_server_protocol::ReasoningTextDeltaNotification;
@@ -47,7 +40,6 @@ use codex_core::protocol::Event;
 use codex_core::protocol::EventMsg;
 use codex_core::protocol::ExecApprovalRequestEvent;
 use codex_core::protocol::ExecCommandEndEvent;
-use codex_core::protocol::FileChange as CoreFileChange;
 use codex_core::protocol::McpToolCallBeginEvent;
 use codex_core::protocol::McpToolCallEndEvent;
 use codex_core::protocol::Op;
@@ -55,9 +47,7 @@ use codex_core::protocol::ReviewDecision;
 use codex_core::review_format::format_review_findings_block;
 use codex_protocol::ConversationId;
 use codex_protocol::protocol::ReviewOutputEvent;
-use std::collections::HashMap;
 use std::convert::TryFrom;
-use std::path::PathBuf;
 use std::sync::Arc;
 use tokio::sync::oneshot;
 use tracing::error;
@@ -80,74 +70,24 @@ pub(crate) async fn apply_bespoke_event_handling(
        }
        EventMsg::ApplyPatchApprovalRequest(ApplyPatchApprovalRequestEvent {
            call_id,
-            turn_id,
            changes,
            reason,
            grant_root,
-        }) => match api_version {
-            ApiVersion::V1 => {
-                let params = ApplyPatchApprovalParams {
-                    conversation_id,
-                    call_id,
-                    file_changes: changes.clone(),
-                    reason,
-                    grant_root,
-                };
-                let rx = outgoing
-                    .send_request(ServerRequestPayload::ApplyPatchApproval(params))
-                    .await;
-                tokio::spawn(async move {
-                    on_patch_approval_response(event_id, rx, conversation).await;
-                });
-            }
-            ApiVersion::V2 => {
-                // Until we migrate the core to be aware of a first class FileChangeItem
-                // and emit the corresponding EventMsg, we repurpose the call_id as the item_id.
-                let item_id = call_id.clone();
-                let patch_changes = convert_patch_changes(&changes);
-
-                let first_start = {
-                    let mut map = turn_summary_store.lock().await;
-                    let summary = map.entry(conversation_id).or_default();
-                    summary.file_change_started.insert(item_id.clone())
-                };
-                if first_start {
-                    let item = ThreadItem::FileChange {
-                        id: item_id.clone(),
-                        changes: patch_changes.clone(),
-                        status: PatchApplyStatus::InProgress,
-                    };
-                    let notification = ItemStartedNotification { item };
-                    outgoing
-                        .send_server_notification(ServerNotification::ItemStarted(notification))
-                        .await;
-                }
-
-                let params = FileChangeRequestApprovalParams {
-                    thread_id: conversation_id.to_string(),
-                    turn_id: turn_id.clone(),
-                    item_id: item_id.clone(),
-                    reason,
-                    grant_root,
-                };
-                let rx = outgoing
-                    .send_request(ServerRequestPayload::FileChangeRequestApproval(params))
-                    .await;
-                tokio::spawn(async move {
-                    on_file_change_request_approval_response(
-                        event_id,
-                        conversation_id,
-                        item_id,
-                        patch_changes,
-                        rx,
-                        conversation,
-                        outgoing,
-                        turn_summary_store,
-                    )
-                    .await;
-                });
-            }
-        },
+        }) => {
+            let params = ApplyPatchApprovalParams {
+                conversation_id,
+                call_id,
+                file_changes: changes,
+                reason,
+                grant_root,
+            };
+            let rx = outgoing
+                .send_request(ServerRequestPayload::ApplyPatchApproval(params))
+                .await;
+            tokio::spawn(async move {
+                on_patch_approval_response(event_id, rx, conversation).await;
+            });
+        }
        EventMsg::ExecApprovalRequest(ExecApprovalRequestEvent {
            call_id,
            turn_id,
@@ -175,20 +115,12 @@ pub(crate) async fn apply_bespoke_event_handling(
                });
            }
            ApiVersion::V2 => {
-                let item_id = call_id.clone();
-                let command_actions = parsed_cmd
-                    .iter()
-                    .cloned()
-                    .map(V2ParsedCommand::from)
-                    .collect::<Vec<_>>();
-                let command_string = shlex_join(&command);
-
                let params = CommandExecutionRequestApprovalParams {
                    thread_id: conversation_id.to_string(),
                    turn_id: turn_id.clone(),
                    // Until we migrate the core to be aware of a first class CommandExecutionItem
                    // and emit the corresponding EventMsg, we repurpose the call_id as the item_id.
-                    item_id: item_id.clone(),
+                    item_id: call_id.clone(),
                    reason,
                    risk: risk.map(V2SandboxCommandAssessment::from),
                };
@@ -198,17 +130,8 @@ pub(crate) async fn apply_bespoke_event_handling(
                    ))
                    .await;
                tokio::spawn(async move {
-                    on_command_execution_request_approval_response(
-                        event_id,
-                        item_id,
-                        command_string,
-                        cwd,
-                        command_actions,
-                        rx,
-                        conversation,
-                        outgoing,
-                    )
-                    .await;
+                    on_command_execution_request_approval_response(event_id, rx, conversation)
+                        .await;
                });
            }
        },
@@ -279,29 +202,7 @@ pub(crate) async fn apply_bespoke_event_handling(
            }
        }
        EventMsg::Error(ev) => {
-            let turn_error = TurnError {
-                message: ev.message,
-                codex_error_info: ev.codex_error_info.map(V2CodexErrorInfo::from),
-            };
-            handle_error(conversation_id, turn_error.clone(), &turn_summary_store).await;
-            outgoing
-                .send_server_notification(ServerNotification::Error(ErrorNotification {
-                    error: turn_error,
-                }))
-                .await;
-        }
-        EventMsg::StreamError(ev) => {
-            // We don't need to update the turn summary store for stream errors as they are intermediate error states for retries,
-            // but we notify the client.
-            let turn_error = TurnError {
-                message: ev.message,
-                codex_error_info: ev.codex_error_info.map(V2CodexErrorInfo::from),
-            };
-            outgoing
-                .send_server_notification(ServerNotification::Error(ErrorNotification {
-                    error: turn_error,
-                }))
-                .await;
+            handle_error(conversation_id, ev.message, &turn_summary_store).await;
        }
        EventMsg::EnteredReviewMode(review_request) => {
            let notification = ItemStartedNotification {
@@ -343,65 +244,17 @@ pub(crate) async fn apply_bespoke_event_handling(
                .send_server_notification(ServerNotification::ItemCompleted(notification))
                .await;
        }
-        EventMsg::PatchApplyBegin(patch_begin_event) => {
-            // Until we migrate the core to be aware of a first class FileChangeItem
-            // and emit the corresponding EventMsg, we repurpose the call_id as the item_id.
-            let item_id = patch_begin_event.call_id.clone();
-
-            let first_start = {
-                let mut map = turn_summary_store.lock().await;
-                let summary = map.entry(conversation_id).or_default();
-                summary.file_change_started.insert(item_id.clone())
-            };
-            if first_start {
-                let item = ThreadItem::FileChange {
-                    id: item_id.clone(),
-                    changes: convert_patch_changes(&patch_begin_event.changes),
-                    status: PatchApplyStatus::InProgress,
-                };
-                let notification = ItemStartedNotification { item };
-                outgoing
-                    .send_server_notification(ServerNotification::ItemStarted(notification))
-                    .await;
-            }
-        }
-        EventMsg::PatchApplyEnd(patch_end_event) => {
-            // Until we migrate the core to be aware of a first class FileChangeItem
-            // and emit the corresponding EventMsg, we repurpose the call_id as the item_id.
-            let item_id = patch_end_event.call_id.clone();
-
-            let status = if patch_end_event.success {
-                PatchApplyStatus::Completed
-            } else {
-                PatchApplyStatus::Failed
-            };
-            let changes = convert_patch_changes(&patch_end_event.changes);
-            complete_file_change_item(
-                conversation_id,
-                item_id,
-                changes,
-                status,
-                outgoing.as_ref(),
-                &turn_summary_store,
-            )
-            .await;
-        }
        EventMsg::ExecCommandBegin(exec_command_begin_event) => {
-            let item_id = exec_command_begin_event.call_id.clone();
-            let command_actions = exec_command_begin_event
-                .parsed_cmd
-                .into_iter()
-                .map(V2ParsedCommand::from)
-                .collect::<Vec<_>>();
-            let command = shlex_join(&exec_command_begin_event.command);
-            let cwd = exec_command_begin_event.cwd;
-
            let item = ThreadItem::CommandExecution {
-                id: item_id,
-                command,
-                cwd,
+                id: exec_command_begin_event.call_id.clone(),
+                command: shlex_join(&exec_command_begin_event.command),
+                cwd: exec_command_begin_event.cwd,
                status: CommandExecutionStatus::InProgress,
-                command_actions,
+                command_actions: exec_command_begin_event
+                    .parsed_cmd
+                    .into_iter()
+                    .map(V2ParsedCommand::from)
+                    .collect(),
                aggregated_output: None,
                exit_code: None,
                duration_ms: None,
@@ -439,10 +292,6 @@ pub(crate) async fn apply_bespoke_event_handling(
            } else {
                CommandExecutionStatus::Failed
            };
-            let command_actions = parsed_cmd
-                .into_iter()
-                .map(V2ParsedCommand::from)
-                .collect::<Vec<_>>();

            let aggregated_output = if aggregated_output.is_empty() {
                None
@@ -457,7 +306,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                command: shlex_join(&command),
                cwd,
                status,
-                command_actions,
+                command_actions: parsed_cmd.into_iter().map(V2ParsedCommand::from).collect(),
                aggregated_output,
                exit_code: Some(exit_code),
                duration_ms: Some(duration_ms),
@@ -516,56 +365,6 @@ async fn emit_turn_completed_with_status(
        .await;
 }

-async fn complete_file_change_item(
-    conversation_id: ConversationId,
-    item_id: String,
-    changes: Vec<FileUpdateChange>,
-    status: PatchApplyStatus,
-    outgoing: &OutgoingMessageSender,
-    turn_summary_store: &TurnSummaryStore,
-) {
-    {
-        let mut map = turn_summary_store.lock().await;
-        if let Some(summary) = map.get_mut(&conversation_id) {
-            summary.file_change_started.remove(&item_id);
-        }
-    }
-
-    let item = ThreadItem::FileChange {
-        id: item_id,
-        changes,
-        status,
-    };
-    let notification = ItemCompletedNotification { item };
-    outgoing
-        .send_server_notification(ServerNotification::ItemCompleted(notification))
-        .await;
-}
-
-async fn complete_command_execution_item(
-    item_id: String,
-    command: String,
-    cwd: PathBuf,
-    command_actions: Vec<V2ParsedCommand>,
-    status: CommandExecutionStatus,
-    outgoing: &OutgoingMessageSender,
-) {
-    let item = ThreadItem::CommandExecution {
-        id: item_id,
-        command,
-        cwd,
-        status,
-        command_actions,
-        aggregated_output: None,
-        exit_code: None,
-        duration_ms: None,
-    };
-    let notification = ItemCompletedNotification { item };
-    outgoing
-        .send_server_notification(ServerNotification::ItemCompleted(notification))
-        .await;
-}
-
 async fn find_and_remove_turn_summary(
    conversation_id: ConversationId,
    turn_summary_store: &TurnSummaryStore,
@@ -582,8 +381,10 @@ async fn handle_turn_complete(
 ) {
    let turn_summary = find_and_remove_turn_summary(conversation_id, turn_summary_store).await;

-    let status = if let Some(error) = turn_summary.last_error {
-        TurnStatus::Failed { error }
+    let status = if let Some(message) = turn_summary.last_error_message {
+        TurnStatus::Failed {
+            error: TurnError { message },
+        }
    } else {
        TurnStatus::Completed
    };
@@ -604,11 +405,11 @@ async fn handle_turn_interrupted(

 async fn handle_error(
    conversation_id: ConversationId,
-    error: TurnError,
+    message: String,
    turn_summary_store: &TurnSummaryStore,
 ) {
    let mut map = turn_summary_store.lock().await;
-    map.entry(conversation_id).or_default().last_error = Some(error);
+    map.entry(conversation_id).or_default().last_error_message = Some(message);
 }

 async fn on_patch_approval_response(
@@ -711,172 +512,42 @@ fn render_review_output_text(output: &ReviewOutputEvent) -> String {
    }
 }

-fn convert_patch_changes(changes: &HashMap<PathBuf, CoreFileChange>) -> Vec<FileUpdateChange> {
-    let mut converted: Vec<FileUpdateChange> = changes
-        .iter()
-        .map(|(path, change)| FileUpdateChange {
-            path: path.to_string_lossy().into_owned(),
-            kind: map_patch_change_kind(change),
-            diff: format_file_change_diff(change),
-        })
-        .collect();
-    converted.sort_by(|a, b| a.path.cmp(&b.path));
-    converted
-}
-
-fn map_patch_change_kind(change: &CoreFileChange) -> V2PatchChangeKind {
-    match change {
-        CoreFileChange::Add { .. } => V2PatchChangeKind::Add,
-        CoreFileChange::Delete { .. } => V2PatchChangeKind::Delete,
-        CoreFileChange::Update { move_path, .. } => V2PatchChangeKind::Update {
-            move_path: move_path.clone(),
-        },
-    }
-}
-
-fn format_file_change_diff(change: &CoreFileChange) -> String {
-    match change {
-        CoreFileChange::Add { content } => content.clone(),
-        CoreFileChange::Delete { content } => content.clone(),
-        CoreFileChange::Update {
-            unified_diff,
-            move_path,
-        } => {
-            if let Some(path) = move_path {
-                format!("{unified_diff}\n\nMoved to: {}", path.display())
-            } else {
-                unified_diff.clone()
-            }
-        }
-    }
-}
-
-#[allow(clippy::too_many_arguments)]
-async fn on_file_change_request_approval_response(
-    event_id: String,
-    conversation_id: ConversationId,
-    item_id: String,
-    changes: Vec<FileUpdateChange>,
-    receiver: oneshot::Receiver<JsonValue>,
-    codex: Arc<CodexConversation>,
-    outgoing: Arc<OutgoingMessageSender>,
-    turn_summary_store: TurnSummaryStore,
-) {
-    let response = receiver.await;
-    let (decision, completion_status) = match response {
-        Ok(value) => {
-            let response = serde_json::from_value::<FileChangeRequestApprovalResponse>(value)
-                .unwrap_or_else(|err| {
-                    error!("failed to deserialize FileChangeRequestApprovalResponse: {err}");
-                    FileChangeRequestApprovalResponse {
-                        decision: ApprovalDecision::Decline,
-                    }
-                });
-
-            let (decision, completion_status) = match response.decision {
-                ApprovalDecision::Accept => (ReviewDecision::Approved, None),
-                ApprovalDecision::Decline => {
-                    (ReviewDecision::Denied, Some(PatchApplyStatus::Declined))
-                }
-                ApprovalDecision::Cancel => {
-                    (ReviewDecision::Abort, Some(PatchApplyStatus::Declined))
-                }
-            };
-            // Allow EventMsg::PatchApplyEnd to emit ItemCompleted for accepted patches.
-            // Only short-circuit on declines/cancels/failures.
-            (decision, completion_status)
-        }
-        Err(err) => {
-            error!("request failed: {err:?}");
-            (ReviewDecision::Denied, Some(PatchApplyStatus::Failed))
-        }
-    };
-
-    if let Some(status) = completion_status {
-        complete_file_change_item(
-            conversation_id,
-            item_id,
-            changes,
-            status,
-            outgoing.as_ref(),
-            &turn_summary_store,
-        )
-        .await;
-    }
-
-    if let Err(err) = codex
-        .submit(Op::PatchApproval {
-            id: event_id,
-            decision,
-        })
-        .await
-    {
-        error!("failed to submit PatchApproval: {err}");
-    }
-}
-
-#[allow(clippy::too_many_arguments)]
 async fn on_command_execution_request_approval_response(
    event_id: String,
-    item_id: String,
-    command: String,
-    cwd: PathBuf,
-    command_actions: Vec<V2ParsedCommand>,
    receiver: oneshot::Receiver<JsonValue>,
    conversation: Arc<CodexConversation>,
-    outgoing: Arc<OutgoingMessageSender>,
 ) {
    let response = receiver.await;
-    let (decision, completion_status) = match response {
-        Ok(value) => {
-            let response = serde_json::from_value::<CommandExecutionRequestApprovalResponse>(value)
-                .unwrap_or_else(|err| {
-                    error!("failed to deserialize CommandExecutionRequestApprovalResponse: {err}");
-                    CommandExecutionRequestApprovalResponse {
-                        decision: ApprovalDecision::Decline,
-                        accept_settings: None,
-                    }
-                });
-
-            let CommandExecutionRequestApprovalResponse {
-                decision,
-                accept_settings,
-            } = response;
-
-            let (decision, completion_status) = match (decision, accept_settings) {
-                (ApprovalDecision::Accept, Some(settings)) if settings.for_session => {
-                    (ReviewDecision::ApprovedForSession, None)
-                }
-                (ApprovalDecision::Accept, _) => (ReviewDecision::Approved, None),
-                (ApprovalDecision::Decline, _) => (
-                    ReviewDecision::Denied,
-                    Some(CommandExecutionStatus::Declined),
-                ),
-                (ApprovalDecision::Cancel, _) => (
-                    ReviewDecision::Abort,
-                    Some(CommandExecutionStatus::Declined),
-                ),
-            };
-            (decision, completion_status)
-        }
+    let value = match response {
+        Ok(value) => value,
        Err(err) => {
            error!("request failed: {err:?}");
-            (ReviewDecision::Denied, Some(CommandExecutionStatus::Failed))
+            return;
        }
    };

-    if let Some(status) = completion_status {
-        complete_command_execution_item(
-            item_id.clone(),
-            command.clone(),
-            cwd.clone(),
-            command_actions.clone(),
-            status,
-            outgoing.as_ref(),
-        )
-        .await;
-    }
+    let response = serde_json::from_value::<CommandExecutionRequestApprovalResponse>(value)
+        .unwrap_or_else(|err| {
+            error!("failed to deserialize CommandExecutionRequestApprovalResponse: {err}");
+            CommandExecutionRequestApprovalResponse {
+                decision: ApprovalDecision::Decline,
+                accept_settings: None,
+            }
+        });

+    let CommandExecutionRequestApprovalResponse {
+        decision,
+        accept_settings,
+    } = response;
+
+    let decision = match (decision, accept_settings) {
+        (ApprovalDecision::Accept, Some(settings)) if settings.for_session => {
+            ReviewDecision::ApprovedForSession
+        }
+        (ApprovalDecision::Accept, _) => ReviewDecision::Approved,
+        (ApprovalDecision::Decline, _) => ReviewDecision::Denied,
+        (ApprovalDecision::Cancel, _) => ReviewDecision::Abort,
+    };
    if let Err(err) = conversation
        .submit(Op::ExecApproval {
            id: event_id,
@@ -971,24 +642,10 @@ mod tests {
        let conversation_id = ConversationId::new();
        let turn_summary_store = new_turn_summary_store();

-        handle_error(
-            conversation_id,
-            TurnError {
-                message: "boom".to_string(),
-                codex_error_info: Some(V2CodexErrorInfo::InternalServerError),
-            },
-            &turn_summary_store,
-        )
-        .await;
+        handle_error(conversation_id, "boom".to_string(), &turn_summary_store).await;

        let turn_summary = find_and_remove_turn_summary(conversation_id, &turn_summary_store).await;
-        assert_eq!(
-            turn_summary.last_error,
-            Some(TurnError {
-                message: "boom".to_string(),
-                codex_error_info: Some(V2CodexErrorInfo::InternalServerError),
-            })
-        );
+        assert_eq!(turn_summary.last_error_message, Some("boom".to_string()));
        Ok(())
    }

@@ -1028,15 +685,7 @@ mod tests {
        let conversation_id = ConversationId::new();
        let event_id = "interrupt1".to_string();
        let turn_summary_store = new_turn_summary_store();
-        handle_error(
-            conversation_id,
-            TurnError {
-                message: "oops".to_string(),
-                codex_error_info: None,
-            },
-            &turn_summary_store,
-        )
-        .await;
+        handle_error(conversation_id, "oops".to_string(), &turn_summary_store).await;
        let (tx, mut rx) = mpsc::channel(CHANNEL_CAPACITY);
        let outgoing = Arc::new(OutgoingMessageSender::new(tx));

@@ -1068,15 +717,7 @@ mod tests {
        let conversation_id = ConversationId::new();
        let event_id = "complete_err1".to_string();
        let turn_summary_store = new_turn_summary_store();
-        handle_error(
-            conversation_id,
-            TurnError {
-                message: "bad".to_string(),
-                codex_error_info: Some(V2CodexErrorInfo::Other),
-            },
-            &turn_summary_store,
-        )
-        .await;
+        handle_error(conversation_id, "bad".to_string(), &turn_summary_store).await;
        let (tx, mut rx) = mpsc::channel(CHANNEL_CAPACITY);
        let outgoing = Arc::new(OutgoingMessageSender::new(tx));

@@ -1100,7 +741,6 @@ mod tests {
                    TurnStatus::Failed {
                        error: TurnError {
                            message: "bad".to_string(),
-                            codex_error_info: Some(V2CodexErrorInfo::Other),
                        }
                    }
                );
@@ -1151,15 +791,7 @@ mod tests {

        // Turn 1 on conversation A
        let a_turn1 = "a_turn1".to_string();
-        handle_error(
-            conversation_a,
-            TurnError {
-                message: "a1".to_string(),
-                codex_error_info: Some(V2CodexErrorInfo::BadRequest),
-            },
-            &turn_summary_store,
-        )
-        .await;
+        handle_error(conversation_a, "a1".to_string(), &turn_summary_store).await;
        handle_turn_complete(
            conversation_a,
            a_turn1.clone(),
@@ -1170,15 +802,7 @@ mod tests {

        // Turn 1 on conversation B
        let b_turn1 = "b_turn1".to_string();
-        handle_error(
-            conversation_b,
-            TurnError {
-                message: "b1".to_string(),
-                codex_error_info: None,
-            },
-            &turn_summary_store,
-        )
-        .await;
+        handle_error(conversation_b, "b1".to_string(), &turn_summary_store).await;
        handle_turn_complete(
            conversation_b,
            b_turn1.clone(),
@@ -1210,7 +834,6 @@ mod tests {
                    TurnStatus::Failed {
                        error: TurnError {
                            message: "a1".to_string(),
-                            codex_error_info: Some(V2CodexErrorInfo::BadRequest),
                        }
                    }
                );
@@ -1231,7 +854,6 @@ mod tests {
                    TurnStatus::Failed {
                        error: TurnError {
                            message: "b1".to_string(),
-                            codex_error_info: None,
                        }
                    }
                );
--- a/codex-rs/app-server/src/codex_message_processor.rs
+++ b/codex-rs/app-server/src/codex_message_processor.rs
@@ -39,7 +39,6 @@ use codex_app_server_protocol::GetConversationSummaryResponse;
 use codex_app_server_protocol::GetUserAgentResponse;
 use codex_app_server_protocol::GetUserSavedConfigResponse;
 use codex_app_server_protocol::GitDiffToRemoteResponse;
-use codex_app_server_protocol::GitInfo as ApiGitInfo;
 use codex_app_server_protocol::InputItem as WireInputItem;
 use codex_app_server_protocol::InterruptConversationParams;
 use codex_app_server_protocol::JSONRPCErrorError;
@@ -84,7 +83,6 @@ use codex_app_server_protocol::ThreadStartParams;
 use codex_app_server_protocol::ThreadStartResponse;
 use codex_app_server_protocol::ThreadStartedNotification;
 use codex_app_server_protocol::Turn;
-use codex_app_server_protocol::TurnError;
 use codex_app_server_protocol::TurnInterruptParams;
 use codex_app_server_protocol::TurnStartParams;
 use codex_app_server_protocol::TurnStartResponse;
@@ -93,7 +91,6 @@ use codex_app_server_protocol::TurnStatus;
 use codex_app_server_protocol::UserInfoResponse;
 use codex_app_server_protocol::UserInput as V2UserInput;
 use codex_app_server_protocol::UserSavedConfig;
-use codex_app_server_protocol::build_turns_from_event_msgs;
 use codex_backend_client::Client as BackendClient;
 use codex_core::AuthManager;
 use codex_core::CodexConversation;
@@ -114,8 +111,8 @@ use codex_core::config_loader::load_config_as_toml;
 use codex_core::default_client::get_codex_user_agent;
 use codex_core::exec::ExecParams;
 use codex_core::exec_env::create_env;
-use codex_core::features::Feature;
 use codex_core::find_conversation_path_by_id_str;
+use codex_core::get_platform_sandbox;
 use codex_core::git_info::git_diff_to_remote;
 use codex_core::parse_cursor;
 use codex_core::protocol::EventMsg;
@@ -131,7 +128,7 @@ use codex_protocol::ConversationId;
 use codex_protocol::config_types::ForcedLoginMethod;
 use codex_protocol::items::TurnItem;
 use codex_protocol::models::ResponseItem;
-use codex_protocol::protocol::GitInfo as CoreGitInfo;
+use codex_protocol::protocol::GitInfo;
 use codex_protocol::protocol::RateLimitSnapshot as CoreRateLimitSnapshot;
 use codex_protocol::protocol::RolloutItem;
 use codex_protocol::protocol::SessionMetaLine;
@@ -139,7 +136,6 @@ use codex_protocol::protocol::USER_MESSAGE_BEGIN;
 use codex_protocol::user_input::UserInput as CoreInputItem;
 use codex_utils_json_to_toml::json_to_toml;
 use std::collections::HashMap;
-use std::collections::HashSet;
 use std::ffi::OsStr;
 use std::io::Error as IoError;
 use std::path::Path;
@@ -162,8 +158,7 @@ pub(crate) type PendingInterrupts = Arc<Mutex<HashMap<ConversationId, PendingInt
 /// Per-conversation accumulation of the latest states e.g. error message while a turn runs.
 #[derive(Default, Clone)]
 pub(crate) struct TurnSummary {
-    pub(crate) file_change_started: HashSet<String>,
-    pub(crate) last_error: Option<TurnError>,
+    pub(crate) last_error_message: Option<String>,
 }

 pub(crate) type TurnSummaryStore = Arc<Mutex<HashMap<ConversationId, TurnSummary>>>;
@@ -472,11 +467,6 @@ impl CodexMessageProcessor {
            ClientRequest::ExecOneOffCommand { request_id, params } => {
                self.exec_one_off_command(request_id, params).await;
            }
-            ClientRequest::ConfigRead { .. }
-            | ClientRequest::ConfigValueWrite { .. }
-            | ClientRequest::ConfigBatchWrite { .. } => {
-                warn!("Config request reached CodexMessageProcessor unexpectedly");
-            }
            ClientRequest::GetAccountRateLimits {
                request_id,
                params: _,
@@ -1175,7 +1165,7 @@ impl CodexMessageProcessor {
        let exec_params = ExecParams {
            command: params.command,
            cwd,
-            expiration: timeout_ms.into(),
+            timeout_ms,
            env,
            with_escalated_permissions: None,
            justification: None,
@@ -1186,6 +1176,13 @@ impl CodexMessageProcessor {
            .sandbox_policy
            .unwrap_or_else(|| self.config.sandbox_policy.clone());

+        let sandbox_type = match &effective_policy {
+            codex_core::protocol::SandboxPolicy::DangerFullAccess => {
+                codex_core::exec::SandboxType::None
+            }
+            _ => get_platform_sandbox().unwrap_or(codex_core::exec::SandboxType::None),
+        };
+        tracing::debug!("Sandbox type: {sandbox_type:?}");
        let codex_linux_sandbox_exe = self.config.codex_linux_sandbox_exe.clone();
        let outgoing = self.outgoing.clone();
        let req_id = request_id;
@@ -1194,6 +1191,7 @@ impl CodexMessageProcessor {
        tokio::spawn(async move {
            match codex_core::exec::process_exec_tool_call(
                exec_params,
+                sandbox_type,
                &effective_policy,
                sandbox_cwd.as_path(),
                &codex_linux_sandbox_exe,
@@ -1239,7 +1237,7 @@ impl CodexMessageProcessor {
        let overrides = ConfigOverrides {
            model,
            config_profile: profile,
-            cwd: cwd.clone().map(PathBuf::from),
+            cwd: cwd.map(PathBuf::from),
            approval_policy,
            sandbox_mode,
            model_provider,
@@ -1251,17 +1249,7 @@ impl CodexMessageProcessor {
            ..Default::default()
        };

-        // Persist windows sandbox feature.
-        // TODO: persist default config in general.
-        let mut cli_overrides = cli_overrides.unwrap_or_default();
-        if cfg!(windows) && self.config.features.enabled(Feature::WindowsSandbox) {
-            cli_overrides.insert(
-                "features.enable_experimental_windows_sandbox".to_string(),
-                serde_json::json!(true),
-            );
-        }
-
-        let config = match derive_config_from_params(overrides, Some(cli_overrides)).await {
+        let config = match derive_config_from_params(overrides, cli_overrides).await {
            Ok(config) => config,
            Err(err) => {
                let error = JSONRPCErrorError {
@@ -1653,11 +1641,6 @@ impl CodexMessageProcessor {
                session_configured,
                ..
            }) => {
-                let SessionConfiguredEvent {
-                    rollout_path,
-                    initial_messages,
-                    ..
-                } = session_configured;
                // Auto-attach a conversation listener when resuming a thread.
                if let Err(err) = self
                    .attach_conversation_listener(conversation_id, false, ApiVersion::V2)
@@ -1670,8 +1653,8 @@ impl CodexMessageProcessor {
                    );
                }

-                let mut thread = match read_summary_from_rollout(
-                    rollout_path.as_path(),
+                let thread = match read_summary_from_rollout(
+                    session_configured.rollout_path.as_path(),
                    fallback_model_provider.as_str(),
                )
                .await
@@ -1682,17 +1665,13 @@ impl CodexMessageProcessor {
                            request_id,
                            format!(
                                "failed to load rollout `{}` for conversation {conversation_id}: {err}",
-                                rollout_path.display()
+                                session_configured.rollout_path.display()
                            ),
                        )
                        .await;
                        return;
                    }
                };
-                thread.turns = initial_messages
-                    .as_deref()
-                    .map_or_else(Vec::new, build_turns_from_event_msgs);
-
                let response = ThreadResumeResponse {
                    thread,
                    model: session_configured.model,
@@ -1702,7 +1681,6 @@ impl CodexMessageProcessor {
                    sandbox: session_configured.sandbox_policy.into(),
                    reasoning_effort: session_configured.reasoning_effort,
                };
-
                self.outgoing.send_response(request_id, response).await;
            }
            Err(err) => {
@@ -1953,15 +1931,6 @@ impl CodexMessageProcessor {
                    include_apply_patch_tool,
                } = overrides;

-                // Persist windows sandbox feature.
-                let mut cli_overrides = cli_overrides.unwrap_or_default();
-                if cfg!(windows) && self.config.features.enabled(Feature::WindowsSandbox) {
-                    cli_overrides.insert(
-                        "features.enable_experimental_windows_sandbox".to_string(),
-                        serde_json::json!(true),
-                    );
-                }
-
                let overrides = ConfigOverrides {
                    model,
                    config_profile: profile,
@@ -1977,7 +1946,7 @@ impl CodexMessageProcessor {
                    ..Default::default()
                };

-                derive_config_from_params(overrides, Some(cli_overrides)).await
+                derive_config_from_params(overrides, cli_overrides).await
            }
            None => Ok(self.config.as_ref().clone()),
        };
@@ -2799,7 +2768,6 @@ impl CodexMessageProcessor {
        } else {
            None
        };
-        let session_source = self.conversation_manager.session_source();

        let upload_result = tokio::task::spawn_blocking(move || {
            let rollout_path_ref = validated_rollout_path.as_deref();
@@ -2808,7 +2776,6 @@ impl CodexMessageProcessor {
                reason.as_deref(),
                include_logs,
                rollout_path_ref,
-                Some(session_source),
            )
        })
        .await;
@@ -2930,7 +2897,7 @@ fn extract_conversation_summary(
    path: PathBuf,
    head: &[serde_json::Value],
    session_meta: &SessionMeta,
-    git: Option<&CoreGitInfo>,
+    git: Option<&GitInfo>,
    fallback_provider: &str,
 ) -> Option<ConversationSummary> {
    let preview = head
@@ -2971,7 +2938,7 @@ fn extract_conversation_summary(
    })
 }

-fn map_git_info(git_info: &CoreGitInfo) -> ConversationGitInfo {
+fn map_git_info(git_info: &GitInfo) -> ConversationGitInfo {
    ConversationGitInfo {
        sha: git_info.commit_hash.clone(),
        branch: git_info.branch.clone(),
@@ -2994,18 +2961,10 @@ fn summary_to_thread(summary: ConversationSummary) -> Thread {
        preview,
        timestamp,
        model_provider,
-        cwd,
-        cli_version,
-        source,
-        git_info,
+        ..
    } = summary;

    let created_at = parse_datetime(timestamp.as_deref());
-    let git_info = git_info.map(|info| ApiGitInfo {
-        sha: info.sha,
-        branch: info.branch,
-        origin_url: info.origin_url,
-    });

    Thread {
        id: conversation_id.to_string(),
@@ -3013,11 +2972,6 @@ fn summary_to_thread(summary: ConversationSummary) -> Thread {
        model_provider,
        created_at: created_at.map(|dt| dt.timestamp()).unwrap_or(0),
        path,
-        cwd,
-        cli_version,
-        source: source.into(),
-        git_info,
-        turns: Vec::new(),
    }
 }

--- a/codex-rs/app-server/src/config_api.rs
+++ b/codex-rs/app-server/src/config_api.rs
@@ -1,974 +0,0 @@
-use crate::error_code::INTERNAL_ERROR_CODE;
-use crate::error_code::INVALID_REQUEST_ERROR_CODE;
-use anyhow::anyhow;
-use codex_app_server_protocol::ConfigBatchWriteParams;
-use codex_app_server_protocol::ConfigLayer;
-use codex_app_server_protocol::ConfigLayerMetadata;
-use codex_app_server_protocol::ConfigLayerName;
-use codex_app_server_protocol::ConfigReadParams;
-use codex_app_server_protocol::ConfigReadResponse;
-use codex_app_server_protocol::ConfigValueWriteParams;
-use codex_app_server_protocol::ConfigWriteErrorCode;
-use codex_app_server_protocol::ConfigWriteResponse;
-use codex_app_server_protocol::JSONRPCErrorError;
-use codex_app_server_protocol::MergeStrategy;
-use codex_app_server_protocol::OverriddenMetadata;
-use codex_app_server_protocol::WriteStatus;
-use codex_core::config::ConfigToml;
-use codex_core::config_loader::LoadedConfigLayers;
-use codex_core::config_loader::LoaderOverrides;
-use codex_core::config_loader::load_config_layers_with_overrides;
-use codex_core::config_loader::merge_toml_values;
-use serde_json::Value as JsonValue;
-use serde_json::json;
-use sha2::Digest;
-use sha2::Sha256;
-use std::collections::HashMap;
-use std::path::Path;
-use std::path::PathBuf;
-use tempfile::NamedTempFile;
-use tokio::task;
-use toml::Value as TomlValue;
-
-const SESSION_FLAGS_SOURCE: &str = "--config";
-const MDM_SOURCE: &str = "com.openai.codex/config_toml_base64";
-const CONFIG_FILE_NAME: &str = "config.toml";
-
-#[derive(Clone)]
-pub(crate) struct ConfigApi {
-    codex_home: PathBuf,
-    cli_overrides: Vec<(String, TomlValue)>,
-    loader_overrides: LoaderOverrides,
-}
-
-impl ConfigApi {
-    pub(crate) fn new(codex_home: PathBuf, cli_overrides: Vec<(String, TomlValue)>) -> Self {
-        Self {
-            codex_home,
-            cli_overrides,
-            loader_overrides: LoaderOverrides::default(),
-        }
-    }
-
-    #[cfg(test)]
-    fn with_overrides(
-        codex_home: PathBuf,
-        cli_overrides: Vec<(String, TomlValue)>,
-        loader_overrides: LoaderOverrides,
-    ) -> Self {
-        Self {
-            codex_home,
-            cli_overrides,
-            loader_overrides,
-        }
-    }
-
-    pub(crate) async fn read(
-        &self,
-        params: ConfigReadParams,
-    ) -> Result<ConfigReadResponse, JSONRPCErrorError> {
-        let layers = self
-            .load_layers_state()
-            .await
-            .map_err(|err| internal_error("failed to read configuration layers", err))?;
-
-        let effective = layers.effective_config();
-        validate_config(&effective).map_err(|err| internal_error("invalid configuration", err))?;
-
-        let response = ConfigReadResponse {
-            config: to_json_value(&effective),
-            origins: layers.origins(),
-            layers: params.include_layers.then(|| layers.layers_high_to_low()),
-        };
-
-        Ok(response)
-    }
-
-    pub(crate) async fn write_value(
-        &self,
-        params: ConfigValueWriteParams,
-    ) -> Result<ConfigWriteResponse, JSONRPCErrorError> {
-        let edits = vec![(params.key_path, params.value, params.merge_strategy)];
-        self.apply_edits(params.file_path, params.expected_version, edits)
-            .await
-    }
-
-    pub(crate) async fn batch_write(
-        &self,
-        params: ConfigBatchWriteParams,
-    ) -> Result<ConfigWriteResponse, JSONRPCErrorError> {
-        let edits = params
-            .edits
-            .into_iter()
-            .map(|edit| (edit.key_path, edit.value, edit.merge_strategy))
-            .collect();
-
-        self.apply_edits(params.file_path, params.expected_version, edits)
-            .await
-    }
-
-    async fn apply_edits(
-        &self,
-        file_path: String,
-        expected_version: Option<String>,
-        edits: Vec<(String, JsonValue, MergeStrategy)>,
-    ) -> Result<ConfigWriteResponse, JSONRPCErrorError> {
-        let allowed_path = self.codex_home.join(CONFIG_FILE_NAME);
-        if !paths_match(&allowed_path, &file_path) {
-            return Err(config_write_error(
-                ConfigWriteErrorCode::ConfigLayerReadonly,
-                "Only writes to the user config are allowed",
-            ));
-        }
-
-        let layers = self
-            .load_layers_state()
-            .await
-            .map_err(|err| internal_error("failed to load configuration", err))?;
-
-        if let Some(expected) = expected_version.as_deref()
-            && expected != layers.user.version
-        {
-            return Err(config_write_error(
-                ConfigWriteErrorCode::ConfigVersionConflict,
-                "Configuration was modified since last read. Fetch latest version and retry.",
-            ));
-        }
-
-        let mut user_config = layers.user.config.clone();
-        let mut mutated = false;
-        let mut parsed_segments = Vec::new();
-
-        for (key_path, value, strategy) in edits.into_iter() {
-            let segments = parse_key_path(&key_path).map_err(|message| {
-                config_write_error(ConfigWriteErrorCode::ConfigValidationError, message)
-            })?;
-            let parsed_value = parse_value(value).map_err(|message| {
-                config_write_error(ConfigWriteErrorCode::ConfigValidationError, message)
-            })?;
-
-            let changed = apply_merge(&mut user_config, &segments, parsed_value.as_ref(), strategy)
-                .map_err(|err| match err {
-                    MergeError::PathNotFound => config_write_error(
-                        ConfigWriteErrorCode::ConfigPathNotFound,
-                        "Path not found",
-                    ),
-                    MergeError::Validation(message) => {
-                        config_write_error(ConfigWriteErrorCode::ConfigValidationError, message)
-                    }
-                })?;
-
-            mutated |= changed;
-            parsed_segments.push(segments);
-        }
-
-        validate_config(&user_config).map_err(|err| {
-            config_write_error(
-                ConfigWriteErrorCode::ConfigValidationError,
-                format!("Invalid configuration: {err}"),
-            )
-        })?;
-
-        let updated_layers = layers.with_user_config(user_config.clone());
-        let effective = updated_layers.effective_config();
-        validate_config(&effective).map_err(|err| {
-            config_write_error(
-                ConfigWriteErrorCode::ConfigValidationError,
-                format!("Invalid configuration: {err}"),
-            )
-        })?;
-
-        if mutated {
-            self.persist_user_config(&user_config)
-                .await
-                .map_err(|err| internal_error("failed to persist config.toml", err))?;
-        }
-
-        let overridden = first_overridden_edit(&updated_layers, &effective, &parsed_segments);
-        let status = overridden
-            .as_ref()
-            .map(|_| WriteStatus::OkOverridden)
-            .unwrap_or(WriteStatus::Ok);
-
-        Ok(ConfigWriteResponse {
-            status,
-            version: updated_layers.user.version.clone(),
-            overridden_metadata: overridden,
-        })
-    }
-
-    async fn load_layers_state(&self) -> std::io::Result<LayersState> {
-        let LoadedConfigLayers {
-            base,
-            managed_config,
-            managed_preferences,
-        } = load_config_layers_with_overrides(&self.codex_home, self.loader_overrides.clone())
-            .await?;
-
-        let user = LayerState::new(
-            ConfigLayerName::User,
-            self.codex_home.join(CONFIG_FILE_NAME),
-            base,
-        );
-
-        let session_flags = LayerState::new(
-            ConfigLayerName::SessionFlags,
-            PathBuf::from(SESSION_FLAGS_SOURCE),
-            {
-                let mut root = TomlValue::Table(toml::map::Map::new());
-                for (path, value) in self.cli_overrides.iter() {
-                    apply_override(&mut root, path, value.clone());
-                }
-                root
-            },
-        );
-
-        let system = managed_config.map(|cfg| {
-            LayerState::new(
-                ConfigLayerName::System,
-                system_config_path(&self.codex_home),
-                cfg,
-            )
-        });
-
-        let mdm = managed_preferences
-            .map(|cfg| LayerState::new(ConfigLayerName::Mdm, PathBuf::from(MDM_SOURCE), cfg));
-
-        Ok(LayersState {
-            user,
-            session_flags,
-            system,
-            mdm,
-        })
-    }
-
-    async fn persist_user_config(&self, user_config: &TomlValue) -> anyhow::Result<()> {
-        let codex_home = self.codex_home.clone();
-        let serialized = toml::to_string_pretty(user_config)?;
-
-        task::spawn_blocking(move || -> anyhow::Result<()> {
-            std::fs::create_dir_all(&codex_home)?;
-
-            let target = codex_home.join(CONFIG_FILE_NAME);
-            let tmp = NamedTempFile::new_in(&codex_home)?;
-            std::fs::write(tmp.path(), serialized.as_bytes())?;
-            tmp.persist(&target)?;
-            Ok(())
-        })
-        .await
-        .map_err(|err| anyhow!("config persistence task panicked: {err}"))??;
-
-        Ok(())
-    }
-}
-
-fn parse_value(value: JsonValue) -> Result<Option<TomlValue>, String> {
-    if value.is_null() {
-        return Ok(None);
-    }
-
-    serde_json::from_value::<TomlValue>(value)
-        .map(Some)
-        .map_err(|err| format!("invalid value: {err}"))
-}
-
-fn parse_key_path(path: &str) -> Result<Vec<String>, String> {
-    if path.trim().is_empty() {
-        return Err("keyPath must not be empty".to_string());
-    }
-    Ok(path
-        .split('.')
-        .map(std::string::ToString::to_string)
-        .collect())
-}
-
-fn apply_override(target: &mut TomlValue, path: &str, value: TomlValue) {
-    use toml::value::Table;
-
-    let segments: Vec<&str> = path.split('.').collect();
-    let mut current = target;
-
-    for (idx, segment) in segments.iter().enumerate() {
-        let is_last = idx == segments.len() - 1;
-
-        if is_last {
-            match current {
-                TomlValue::Table(table) => {
-                    table.insert(segment.to_string(), value);
-                }
-                _ => {
-                    let mut table = Table::new();
-                    table.insert(segment.to_string(), value);
-                    *current = TomlValue::Table(table);
-                }
-            }
-            return;
-        }
-
-        match current {
-            TomlValue::Table(table) => {
-                current = table
-                    .entry((*segment).to_string())
-                    .or_insert_with(|| TomlValue::Table(Table::new()));
-            }
-            _ => {
-                *current = TomlValue::Table(Table::new());
-                if let TomlValue::Table(tbl) = current {
-                    current = tbl
-                        .entry((*segment).to_string())
-                        .or_insert_with(|| TomlValue::Table(Table::new()));
-                }
-            }
-        }
-    }
-}
-
-#[derive(Debug)]
-enum MergeError {
-    PathNotFound,
-    Validation(String),
-}
-
-fn apply_merge(
-    root: &mut TomlValue,
-    segments: &[String],
-    value: Option<&TomlValue>,
-    strategy: MergeStrategy,
-) -> Result<bool, MergeError> {
-    let Some(value) = value else {
-        return clear_path(root, segments);
-    };
-
-    let Some((last, parents)) = segments.split_last() else {
-        return Err(MergeError::Validation(
-            "keyPath must not be empty".to_string(),
-        ));
-    };
-
-    let mut current = root;
-
-    for segment in parents {
-        match current {
-            TomlValue::Table(table) => {
-                current = table
-                    .entry(segment.clone())
-                    .or_insert_with(|| TomlValue::Table(toml::map::Map::new()));
-            }
-            _ => {
-                *current = TomlValue::Table(toml::map::Map::new());
-                if let TomlValue::Table(table) = current {
-                    current = table
-                        .entry(segment.clone())
-                        .or_insert_with(|| TomlValue::Table(toml::map::Map::new()));
-                }
-            }
-        }
-    }
-
-    let table = current.as_table_mut().ok_or_else(|| {
-        MergeError::Validation("cannot set value on non-table parent".to_string())
-    })?;
-
-    if matches!(strategy, MergeStrategy::Upsert)
-        && let Some(existing) = table.get_mut(last)
-        && matches!(existing, TomlValue::Table(_))
-        && matches!(value, TomlValue::Table(_))
-    {
-        merge_toml_values(existing, value);
-        return Ok(true);
-    }
-
-    let changed = table
-        .get(last)
-        .map(|existing| Some(existing) != Some(value))
-        .unwrap_or(true);
-    table.insert(last.clone(), value.clone());
-    Ok(changed)
-}
-
-fn clear_path(root: &mut TomlValue, segments: &[String]) -> Result<bool, MergeError> {
-    let Some((last, parents)) = segments.split_last() else {
-        return Err(MergeError::Validation(
-            "keyPath must not be empty".to_string(),
-        ));
-    };
-
-    let mut current = root;
-    for segment in parents {
-        match current {
-            TomlValue::Table(table) => {
-                current = table.get_mut(segment).ok_or(MergeError::PathNotFound)?;
-            }
-            _ => return Err(MergeError::PathNotFound),
-        }
-    }
-
-    let Some(parent) = current.as_table_mut() else {
-        return Err(MergeError::PathNotFound);
-    };
-
-    Ok(parent.remove(last).is_some())
-}
-
-#[derive(Clone)]
-struct LayerState {
-    name: ConfigLayerName,
-    source: PathBuf,
-    config: TomlValue,
-    version: String,
-}
-
-impl LayerState {
-    fn new(name: ConfigLayerName, source: PathBuf, config: TomlValue) -> Self {
-        let version = version_for_toml(&config);
-        Self {
-            name,
-            source,
-            config,
-            version,
-        }
-    }
-
-    fn metadata(&self) -> ConfigLayerMetadata {
-        ConfigLayerMetadata {
-            name: self.name.clone(),
-            source: self.source.display().to_string(),
-            version: self.version.clone(),
-        }
-    }
-
-    fn as_layer(&self) -> ConfigLayer {
-        ConfigLayer {
-            name: self.name.clone(),
-            source: self.source.display().to_string(),
-            version: self.version.clone(),
-            config: to_json_value(&self.config),
-        }
-    }
-}
-
-#[derive(Clone)]
-struct LayersState {
-    user: LayerState,
-    session_flags: LayerState,
-    system: Option<LayerState>,
-    mdm: Option<LayerState>,
-}
-
-impl LayersState {
-    fn with_user_config(self, user_config: TomlValue) -> Self {
-        Self {
-            user: LayerState::new(self.user.name, self.user.source, user_config),
-            session_flags: self.session_flags,
-            system: self.system,
-            mdm: self.mdm,
-        }
-    }
-
-    fn effective_config(&self) -> TomlValue {
-        let mut merged = self.user.config.clone();
-        merge_toml_values(&mut merged, &self.session_flags.config);
-        if let Some(system) = &self.system {
-            merge_toml_values(&mut merged, &system.config);
-        }
-        if let Some(mdm) = &self.mdm {
-            merge_toml_values(&mut merged, &mdm.config);
-        }
-        merged
-    }
-
-    fn origins(&self) -> HashMap<String, ConfigLayerMetadata> {
-        let mut origins = HashMap::new();
-        let mut path = Vec::new();
-
-        record_origins(
-            &self.user.config,
-            &self.user.metadata(),
-            &mut path,
-            &mut origins,
-        );
-        record_origins(
-            &self.session_flags.config,
-            &self.session_flags.metadata(),
-            &mut path,
-            &mut origins,
-        );
-        if let Some(system) = &self.system {
-            record_origins(&system.config, &system.metadata(), &mut path, &mut origins);
-        }
-        if let Some(mdm) = &self.mdm {
-            record_origins(&mdm.config, &mdm.metadata(), &mut path, &mut origins);
-        }
-
-        origins
-    }
-
-    fn layers_high_to_low(&self) -> Vec<ConfigLayer> {
-        let mut layers = Vec::new();
-        if let Some(mdm) = &self.mdm {
-            layers.push(mdm.as_layer());
-        }
-        if let Some(system) = &self.system {
-            layers.push(system.as_layer());
-        }
-        layers.push(self.session_flags.as_layer());
-        layers.push(self.user.as_layer());
-        layers
-    }
-}
-
-fn record_origins(
-    value: &TomlValue,
-    meta: &ConfigLayerMetadata,
-    path: &mut Vec<String>,
-    origins: &mut HashMap<String, ConfigLayerMetadata>,
-) {
-    match value {
-        TomlValue::Table(table) => {
-            for (key, val) in table {
-                path.push(key.clone());
-                record_origins(val, meta, path, origins);
-                path.pop();
-            }
-        }
-        TomlValue::Array(items) => {
-            for (idx, item) in items.iter().enumerate() {
-                path.push(idx.to_string());
-                record_origins(item, meta, path, origins);
-                path.pop();
-            }
-        }
-        _ => {
-            if !path.is_empty() {
-                origins.insert(path.join("."), meta.clone());
-            }
-        }
-    }
-}
-
-fn to_json_value(value: &TomlValue) -> JsonValue {
-    serde_json::to_value(value).unwrap_or(JsonValue::Null)
-}
-
-fn validate_config(value: &TomlValue) -> Result<(), toml::de::Error> {
-    let _: ConfigToml = value.clone().try_into()?;
-    Ok(())
-}
-
-fn version_for_toml(value: &TomlValue) -> String {
-    let json = to_json_value(value);
-    let canonical = canonical_json(&json);
-    let serialized = serde_json::to_vec(&canonical).unwrap_or_default();
-    let mut hasher = Sha256::new();
-    hasher.update(serialized);
-    let hash = hasher.finalize();
-    let hex = hash
-        .iter()
-        .map(|byte| format!("{byte:02x}"))
-        .collect::<String>();
-    format!("sha256:{hex}")
-}
-
-fn canonical_json(value: &JsonValue) -> JsonValue {
-    match value {
-        JsonValue::Object(map) => {
-            let mut sorted = serde_json::Map::new();
-            let mut keys = map.keys().cloned().collect::<Vec<_>>();
-            keys.sort();
-            for key in keys {
-                if let Some(val) = map.get(&key) {
-                    sorted.insert(key, canonical_json(val));
-                }
-            }
-            JsonValue::Object(sorted)
-        }
-        JsonValue::Array(items) => JsonValue::Array(items.iter().map(canonical_json).collect()),
-        other => other.clone(),
-    }
-}
-
-fn paths_match(expected: &Path, provided: &str) -> bool {
-    let provided_path = PathBuf::from(provided);
-    if let (Ok(expanded_expected), Ok(expanded_provided)) =
-        (expected.canonicalize(), provided_path.canonicalize())
-    {
-        return expanded_expected == expanded_provided;
-    }
-
-    expected == provided_path
-}
-
-fn value_at_path<'a>(root: &'a TomlValue, segments: &[String]) -> Option<&'a TomlValue> {
-    let mut current = root;
-    for segment in segments {
-        match current {
-            TomlValue::Table(table) => {
-                current = table.get(segment)?;
-            }
-            TomlValue::Array(items) => {
-                let idx: usize = segment.parse().ok()?;
-                current = items.get(idx)?;
-            }
-            _ => return None,
-        }
-    }
-    Some(current)
-}
-
-fn override_message(layer: &ConfigLayerName) -> String {
-    match layer {
-        ConfigLayerName::Mdm => "Overridden by managed policy (mdm)".to_string(),
-        ConfigLayerName::System => "Overridden by managed config (system)".to_string(),
-        ConfigLayerName::SessionFlags => "Overridden by session flags".to_string(),
-        ConfigLayerName::User => "Overridden by user config".to_string(),
-    }
-}
-
-fn compute_override_metadata(
-    layers: &LayersState,
-    effective: &TomlValue,
-    segments: &[String],
-) -> Option<OverriddenMetadata> {
-    let user_value = value_at_path(&layers.user.config, segments);
-    let effective_value = value_at_path(effective, segments);
-
-    if user_value.is_some() && user_value == effective_value {
-        return None;
-    }
-
-    if user_value.is_none() && effective_value.is_none() {
-        return None;
-    }
-
-    let effective_layer = find_effective_layer(layers, segments);
-    let overriding_layer = effective_layer.unwrap_or_else(|| layers.user.metadata());
-    let message = override_message(&overriding_layer.name);
-
-    Some(OverriddenMetadata {
-        message,
-        overriding_layer,
-        effective_value: effective_value
-            .map(to_json_value)
-            .unwrap_or(JsonValue::Null),
-    })
-}
-
-fn first_overridden_edit(
-    layers: &LayersState,
-    effective: &TomlValue,
-    edits: &[Vec<String>],
-) -> Option<OverriddenMetadata> {
-    for segments in edits {
-        if let Some(meta) = compute_override_metadata(layers, effective, segments) {
-            return Some(meta);
-        }
-    }
-    None
-}
-
-fn find_effective_layer(layers: &LayersState, segments: &[String]) -> Option<ConfigLayerMetadata> {
-    let check =
-        |state: &LayerState| value_at_path(&state.config, segments).map(|_| state.metadata());
-
-    if let Some(mdm) = &layers.mdm
-        && let Some(meta) = check(mdm)
-    {
-        return Some(meta);
-    }
-    if let Some(system) = &layers.system
-        && let Some(meta) = check(system)
-    {
-        return Some(meta);
-    }
-    if let Some(meta) = check(&layers.session_flags) {
-        return Some(meta);
-    }
-    check(&layers.user)
-}
-
-fn system_config_path(codex_home: &Path) -> PathBuf {
-    if let Ok(path) = std::env::var("CODEX_MANAGED_CONFIG_PATH") {
-        return PathBuf::from(path);
-    }
-
-    #[cfg(unix)]
-    {
-        let _ = codex_home;
-        PathBuf::from("/etc/codex/managed_config.toml")
-    }
-
-    #[cfg(not(unix))]
-    {
-        codex_home.join("managed_config.toml")
-    }
-}
-
-fn internal_error<E: std::fmt::Display>(context: &str, err: E) -> JSONRPCErrorError {
-    JSONRPCErrorError {
-        code: INTERNAL_ERROR_CODE,
-        message: format!("{context}: {err}"),
-        data: None,
-    }
-}
-
-fn config_write_error(code: ConfigWriteErrorCode, message: impl Into<String>) -> JSONRPCErrorError {
-    JSONRPCErrorError {
-        code: INVALID_REQUEST_ERROR_CODE,
-        message: message.into(),
-        data: Some(json!({
-            "config_write_error_code": code,
-        })),
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use pretty_assertions::assert_eq;
-    use tempfile::tempdir;
-
-    #[tokio::test]
-    async fn read_includes_origins_and_layers() {
-        let tmp = tempdir().expect("tempdir");
-        std::fs::write(tmp.path().join(CONFIG_FILE_NAME), "model = \"user\"").unwrap();
-
-        let managed_path = tmp.path().join("managed_config.toml");
-        std::fs::write(&managed_path, "approval_policy = \"never\"").unwrap();
-
-        let api = ConfigApi::with_overrides(
-            tmp.path().to_path_buf(),
-            vec![],
-            LoaderOverrides {
-                managed_config_path: Some(managed_path),
-                #[cfg(target_os = "macos")]
-                managed_preferences_base64: None,
-            },
-        );
-
-        let response = api
-            .read(ConfigReadParams {
-                include_layers: true,
-            })
-            .await
-            .expect("response");
-
-        assert_eq!(
-            response.config.get("approval_policy"),
-            Some(&json!("never"))
-        );
-
-        assert_eq!(
-            response
-                .origins
-                .get("approval_policy")
-                .expect("origin")
-                .name,
-            ConfigLayerName::System
-        );
-        let layers = response.layers.expect("layers present");
-        assert_eq!(layers.first().unwrap().name, ConfigLayerName::System);
-        assert_eq!(layers.get(1).unwrap().name, ConfigLayerName::SessionFlags);
-        assert_eq!(layers.last().unwrap().name, ConfigLayerName::User);
-    }
-
-    #[tokio::test]
-    async fn write_value_reports_override() {
-        let tmp = tempdir().expect("tempdir");
-        std::fs::write(
-            tmp.path().join(CONFIG_FILE_NAME),
-            "approval_policy = \"on-request\"",
-        )
-        .unwrap();
-
-        let managed_path = tmp.path().join("managed_config.toml");
-        std::fs::write(&managed_path, "approval_policy = \"never\"").unwrap();
-
-        let api = ConfigApi::with_overrides(
-            tmp.path().to_path_buf(),
-            vec![],
-            LoaderOverrides {
-                managed_config_path: Some(managed_path),
-                #[cfg(target_os = "macos")]
-                managed_preferences_base64: None,
-            },
-        );
-
-        let result = api
-            .write_value(ConfigValueWriteParams {
-                file_path: tmp.path().join(CONFIG_FILE_NAME).display().to_string(),
-                key_path: "approval_policy".to_string(),
-                value: json!("never"),
-                merge_strategy: MergeStrategy::Replace,
-                expected_version: None,
-            })
-            .await
-            .expect("result");
-
-        let read_after = api
-            .read(ConfigReadParams {
-                include_layers: true,
-            })
-            .await
-            .expect("read");
-        let config_object = read_after.config.as_object().expect("object");
-        assert_eq!(config_object.get("approval_policy"), Some(&json!("never")));
-        assert_eq!(
-            read_after
-                .origins
-                .get("approval_policy")
-                .expect("origin")
-                .name,
-            ConfigLayerName::System
-        );
-        assert_eq!(result.status, WriteStatus::Ok);
-        assert!(result.overridden_metadata.is_none());
-    }
-
-    #[tokio::test]
-    async fn version_conflict_rejected() {
-        let tmp = tempdir().expect("tempdir");
-        std::fs::write(tmp.path().join(CONFIG_FILE_NAME), "model = \"user\"").unwrap();
-
-        let api = ConfigApi::new(tmp.path().to_path_buf(), vec![]);
-        let error = api
-            .write_value(ConfigValueWriteParams {
-                file_path: tmp.path().join(CONFIG_FILE_NAME).display().to_string(),
-                key_path: "model".to_string(),
-                value: json!("gpt-5"),
-                merge_strategy: MergeStrategy::Replace,
-                expected_version: Some("sha256:bogus".to_string()),
-            })
-            .await
-            .expect_err("should fail");
-
-        assert_eq!(error.code, INVALID_REQUEST_ERROR_CODE);
-        assert_eq!(
-            error
-                .data
-                .as_ref()
-                .and_then(|d| d.get("config_write_error_code"))
-                .and_then(serde_json::Value::as_str),
-            Some("configVersionConflict")
-        );
-    }
-
-    #[tokio::test]
-    async fn invalid_user_value_rejected_even_if_overridden_by_managed() {
-        let tmp = tempdir().expect("tempdir");
-        std::fs::write(tmp.path().join(CONFIG_FILE_NAME), "model = \"user\"").unwrap();
-
-        let managed_path = tmp.path().join("managed_config.toml");
-        std::fs::write(&managed_path, "approval_policy = \"never\"").unwrap();
-
-        let api = ConfigApi::with_overrides(
-            tmp.path().to_path_buf(),
-            vec![],
-            LoaderOverrides {
-                managed_config_path: Some(managed_path),
-                #[cfg(target_os = "macos")]
-                managed_preferences_base64: None,
-            },
-        );
-
-        let error = api
-            .write_value(ConfigValueWriteParams {
-                file_path: tmp.path().join(CONFIG_FILE_NAME).display().to_string(),
-                key_path: "approval_policy".to_string(),
-                value: json!("bogus"),
-                merge_strategy: MergeStrategy::Replace,
-                expected_version: None,
-            })
-            .await
-            .expect_err("should fail validation");
-
-        assert_eq!(error.code, INVALID_REQUEST_ERROR_CODE);
-        assert_eq!(
-            error
-                .data
-                .as_ref()
-                .and_then(|d| d.get("config_write_error_code"))
-                .and_then(serde_json::Value::as_str),
-            Some("configValidationError")
-        );
-
-        let contents =
-            std::fs::read_to_string(tmp.path().join(CONFIG_FILE_NAME)).expect("read config");
-        assert_eq!(contents.trim(), "model = \"user\"");
-    }
-
-    #[tokio::test]
-    async fn read_reports_managed_overrides_user_and_session_flags() {
-        let tmp = tempdir().expect("tempdir");
-        std::fs::write(tmp.path().join(CONFIG_FILE_NAME), "model = \"user\"").unwrap();
-
-        let managed_path = tmp.path().join("managed_config.toml");
-        std::fs::write(&managed_path, "model = \"system\"").unwrap();
-
-        let cli_overrides = vec![(
-            "model".to_string(),
-            TomlValue::String("session".to_string()),
-        )];
-
-        let api = ConfigApi::with_overrides(
-            tmp.path().to_path_buf(),
-            cli_overrides,
-            LoaderOverrides {
-                managed_config_path: Some(managed_path),
-                #[cfg(target_os = "macos")]
-                managed_preferences_base64: None,
-            },
-        );
-
-        let response = api
-            .read(ConfigReadParams {
-                include_layers: true,
-            })
-            .await
-            .expect("response");
-
-        assert_eq!(response.config.get("model"), Some(&json!("system")));
-        assert_eq!(
-            response.origins.get("model").expect("origin").name,
-            ConfigLayerName::System
-        );
-        let layers = response.layers.expect("layers");
-        assert_eq!(layers.first().unwrap().name, ConfigLayerName::System);
-        assert_eq!(layers.get(1).unwrap().name, ConfigLayerName::SessionFlags);
-        assert_eq!(layers.get(2).unwrap().name, ConfigLayerName::User);
-    }
-
-    #[tokio::test]
-    async fn write_value_reports_managed_override() {
-        let tmp = tempdir().expect("tempdir");
-        std::fs::write(tmp.path().join(CONFIG_FILE_NAME), "").unwrap();
-
-        let managed_path = tmp.path().join("managed_config.toml");
-        std::fs::write(&managed_path, "approval_policy = \"never\"").unwrap();
-
-        let api = ConfigApi::with_overrides(
-            tmp.path().to_path_buf(),
-            vec![],
-            LoaderOverrides {
-                managed_config_path: Some(managed_path),
-                #[cfg(target_os = "macos")]
-                managed_preferences_base64: None,
-            },
-        );
-
-        let result = api
-            .write_value(ConfigValueWriteParams {
-                file_path: tmp.path().join(CONFIG_FILE_NAME).display().to_string(),
-                key_path: "approval_policy".to_string(),
-                value: json!("on-request"),
-                merge_strategy: MergeStrategy::Replace,
-                expected_version: None,
-            })
-            .await
-            .expect("result");
-
-        assert_eq!(result.status, WriteStatus::OkOverridden);
-        let overridden = result.overridden_metadata.expect("overridden metadata");
-        assert_eq!(overridden.overriding_layer.name, ConfigLayerName::System);
-        assert_eq!(overridden.effective_value, json!("never"));
-    }
-}
--- a/codex-rs/app-server/src/lib.rs
+++ b/codex-rs/app-server/src/lib.rs
@@ -18,7 +18,6 @@ use tokio::io::AsyncWriteExt;
 use tokio::io::BufReader;
 use tokio::io::{self};
 use tokio::sync::mpsc;
-use toml::Value as TomlValue;
 use tracing::Level;
 use tracing::debug;
 use tracing::error;
@@ -31,7 +30,6 @@ use tracing_subscriber::util::SubscriberInitExt;

 mod bespoke_event_handling;
 mod codex_message_processor;
-mod config_api;
 mod error_code;
 mod fuzzy_file_search;
 mod message_processor;
@@ -82,12 +80,11 @@ pub async fn run_main(
            format!("error parsing -c overrides: {e}"),
        )
    })?;
-    let config =
-        Config::load_with_cli_overrides(cli_kv_overrides.clone(), ConfigOverrides::default())
-            .await
-            .map_err(|e| {
-                std::io::Error::new(ErrorKind::InvalidData, format!("error loading config: {e}"))
-            })?;
+    let config = Config::load_with_cli_overrides(cli_kv_overrides, ConfigOverrides::default())
+        .await
+        .map_err(|e| {
+            std::io::Error::new(ErrorKind::InvalidData, format!("error loading config: {e}"))
+        })?;

    let feedback = CodexFeedback::new();

@@ -124,12 +121,10 @@ pub async fn run_main(
    // Task: process incoming messages.
    let processor_handle = tokio::spawn({
        let outgoing_message_sender = OutgoingMessageSender::new(outgoing_tx);
-        let cli_overrides: Vec<(String, TomlValue)> = cli_kv_overrides.clone();
        let mut processor = MessageProcessor::new(
            outgoing_message_sender,
            codex_linux_sandbox_exe,
            std::sync::Arc::new(config),
-            cli_overrides,
            feedback.clone(),
        );
        async move {
--- a/codex-rs/app-server/src/message_processor.rs
+++ b/codex-rs/app-server/src/message_processor.rs
@@ -1,22 +1,17 @@
 use std::path::PathBuf;
-use std::sync::Arc;

 use crate::codex_message_processor::CodexMessageProcessor;
-use crate::config_api::ConfigApi;
 use crate::error_code::INVALID_REQUEST_ERROR_CODE;
 use crate::outgoing_message::OutgoingMessageSender;
 use codex_app_server_protocol::ClientInfo;
 use codex_app_server_protocol::ClientRequest;
-use codex_app_server_protocol::ConfigBatchWriteParams;
-use codex_app_server_protocol::ConfigReadParams;
-use codex_app_server_protocol::ConfigValueWriteParams;
 use codex_app_server_protocol::InitializeResponse;
+
 use codex_app_server_protocol::JSONRPCError;
 use codex_app_server_protocol::JSONRPCErrorError;
 use codex_app_server_protocol::JSONRPCNotification;
 use codex_app_server_protocol::JSONRPCRequest;
 use codex_app_server_protocol::JSONRPCResponse;
-use codex_app_server_protocol::RequestId;
 use codex_core::AuthManager;
 use codex_core::ConversationManager;
 use codex_core::config::Config;
@@ -24,12 +19,11 @@ use codex_core::default_client::USER_AGENT_SUFFIX;
 use codex_core::default_client::get_codex_user_agent;
 use codex_feedback::CodexFeedback;
 use codex_protocol::protocol::SessionSource;
-use toml::Value as TomlValue;
+use std::sync::Arc;

 pub(crate) struct MessageProcessor {
    outgoing: Arc<OutgoingMessageSender>,
    codex_message_processor: CodexMessageProcessor,
-    config_api: ConfigApi,
    initialized: bool,
 }

@@ -40,7 +34,6 @@ impl MessageProcessor {
        outgoing: OutgoingMessageSender,
        codex_linux_sandbox_exe: Option<PathBuf>,
        config: Arc<Config>,
-        cli_overrides: Vec<(String, TomlValue)>,
        feedback: CodexFeedback,
    ) -> Self {
        let outgoing = Arc::new(outgoing);
@@ -58,15 +51,13 @@ impl MessageProcessor {
            conversation_manager,
            outgoing.clone(),
            codex_linux_sandbox_exe,
-            Arc::clone(&config),
+            config,
            feedback,
        );
-        let config_api = ConfigApi::new(config.codex_home.clone(), cli_overrides);

        Self {
            outgoing,
            codex_message_processor,
-            config_api,
            initialized: false,
        }
    }
@@ -127,7 +118,6 @@ impl MessageProcessor {
                    self.outgoing.send_response(request_id, response).await;

                    self.initialized = true;
-
                    return;
                }
            }
@@ -144,20 +134,9 @@ impl MessageProcessor {
            }
        }

-        match codex_request {
-            ClientRequest::ConfigRead { request_id, params } => {
-                self.handle_config_read(request_id, params).await;
-            }
-            ClientRequest::ConfigValueWrite { request_id, params } => {
-                self.handle_config_value_write(request_id, params).await;
-            }
-            ClientRequest::ConfigBatchWrite { request_id, params } => {
-                self.handle_config_batch_write(request_id, params).await;
-            }
-            other => {
-                self.codex_message_processor.process_request(other).await;
-            }
-        }
+        self.codex_message_processor
+            .process_request(codex_request)
+            .await;
    }

    pub(crate) async fn process_notification(&self, notification: JSONRPCNotification) {
@@ -177,33 +156,4 @@ impl MessageProcessor {
    pub(crate) fn process_error(&mut self, err: JSONRPCError) {
        tracing::error!("<- error: {:?}", err);
    }
-
-    async fn handle_config_read(&self, request_id: RequestId, params: ConfigReadParams) {
-        match self.config_api.read(params).await {
-            Ok(response) => self.outgoing.send_response(request_id, response).await,
-            Err(error) => self.outgoing.send_error(request_id, error).await,
-        }
-    }
-
-    async fn handle_config_value_write(
-        &self,
-        request_id: RequestId,
-        params: ConfigValueWriteParams,
-    ) {
-        match self.config_api.write_value(params).await {
-            Ok(response) => self.outgoing.send_response(request_id, response).await,
-            Err(error) => self.outgoing.send_error(request_id, error).await,
-        }
-    }
-
-    async fn handle_config_batch_write(
-        &self,
-        request_id: RequestId,
-        params: ConfigBatchWriteParams,
-    ) {
-        match self.config_api.batch_write(params).await {
-            Ok(response) => self.outgoing.send_response(request_id, response).await,
-            Err(error) => self.outgoing.send_error(request_id, error).await,
-        }
-    }
 }
--- a/codex-rs/app-server/src/outgoing_message.rs
+++ b/codex-rs/app-server/src/outgoing_message.rs
@@ -229,7 +229,6 @@ mod tests {
                        resets_at: Some(123),
                    }),
                    secondary: None,
-                    credits: None,
                },
            });

@@ -244,8 +243,7 @@ mod tests {
                            "windowDurationMins": 15,
                            "resetsAt": 123
                        },
-                        "secondary": null,
-                        "credits": null
+                        "secondary": null
                    }
                },
            }),
--- a/codex-rs/app-server/tests/common/Cargo.toml
+++ b/codex-rs/app-server/tests/common/Cargo.toml
@@ -1,8 +1,7 @@
 [package]
+edition = "2024"
 name = "app_test_support"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
+version = { workspace = true }

 [lib]
 path = "lib.rs"
@@ -25,5 +24,3 @@ tokio = { workspace = true, features = [
 ] }
 uuid = { workspace = true }
 wiremock = { workspace = true }
-core_test_support = { path = "../../../core/tests/common" }
-shlex = { workspace = true }
--- a/codex-rs/app-server/tests/common/lib.rs
+++ b/codex-rs/app-server/tests/common/lib.rs
@@ -9,14 +9,12 @@ pub use auth_fixtures::ChatGptIdTokenClaims;
 pub use auth_fixtures::encode_id_token;
 pub use auth_fixtures::write_chatgpt_auth;
 use codex_app_server_protocol::JSONRPCResponse;
-pub use core_test_support::format_with_current_shell;
-pub use core_test_support::format_with_current_shell_display;
 pub use mcp_process::McpProcess;
 pub use mock_model_server::create_mock_chat_completions_server;
 pub use mock_model_server::create_mock_chat_completions_server_unchecked;
 pub use responses::create_apply_patch_sse_response;
 pub use responses::create_final_assistant_message_sse_response;
-pub use responses::create_shell_command_sse_response;
+pub use responses::create_shell_sse_response;
 pub use rollout::create_fake_rollout;
 use serde::de::DeserializeOwned;

--- a/codex-rs/app-server/tests/common/mcp_process.rs
+++ b/codex-rs/app-server/tests/common/mcp_process.rs
@@ -18,9 +18,6 @@ use codex_app_server_protocol::CancelLoginAccountParams;
 use codex_app_server_protocol::CancelLoginChatGptParams;
 use codex_app_server_protocol::ClientInfo;
 use codex_app_server_protocol::ClientNotification;
-use codex_app_server_protocol::ConfigBatchWriteParams;
-use codex_app_server_protocol::ConfigReadParams;
-use codex_app_server_protocol::ConfigValueWriteParams;
 use codex_app_server_protocol::FeedbackUploadParams;
 use codex_app_server_protocol::GetAccountParams;
 use codex_app_server_protocol::GetAuthStatusParams;
@@ -404,30 +401,6 @@ impl McpProcess {
        self.send_request("logoutChatGpt", None).await
    }

-    pub async fn send_config_read_request(
-        &mut self,
-        params: ConfigReadParams,
-    ) -> anyhow::Result<i64> {
-        let params = Some(serde_json::to_value(params)?);
-        self.send_request("config/read", params).await
-    }
-
-    pub async fn send_config_value_write_request(
-        &mut self,
-        params: ConfigValueWriteParams,
-    ) -> anyhow::Result<i64> {
-        let params = Some(serde_json::to_value(params)?);
-        self.send_request("config/value/write", params).await
-    }
-
-    pub async fn send_config_batch_write_request(
-        &mut self,
-        params: ConfigBatchWriteParams,
-    ) -> anyhow::Result<i64> {
-        let params = Some(serde_json::to_value(params)?);
-        self.send_request("config/batchWrite", params).await
-    }
-
    /// Send an `account/logout` JSON-RPC request.
    pub async fn send_logout_account_request(&mut self) -> anyhow::Result<i64> {
        self.send_request("account/logout", None).await
--- a/codex-rs/app-server/tests/common/responses.rs
+++ b/codex-rs/app-server/tests/common/responses.rs
@@ -1,18 +1,17 @@
 use serde_json::json;
 use std::path::Path;

-pub fn create_shell_command_sse_response(
+pub fn create_shell_sse_response(
    command: Vec<String>,
    workdir: Option<&Path>,
    timeout_ms: Option<u64>,
    call_id: &str,
 ) -> anyhow::Result<String> {
-    // The `arguments` for the `shell_command` tool is a serialized JSON object.
-    let command_str = shlex::try_join(command.iter().map(String::as_str))?;
+    // The `arguments`` for the `shell` tool is a serialized JSON object.
    let tool_call_arguments = serde_json::to_string(&json!({
-        "command": command_str,
+        "command": command,
        "workdir": workdir.map(|w| w.to_string_lossy()),
-        "timeout_ms": timeout_ms
+        "timeout": timeout_ms
    }))?;
    let tool_call = json!({
        "choices": [
@@ -22,7 +21,7 @@ pub fn create_shell_command_sse_response(
                        {
                            "id": call_id,
                            "function": {
-                                "name": "shell_command",
+                                "name": "shell",
                                "arguments": tool_call_arguments
                            }
                        }
@@ -63,10 +62,10 @@ pub fn create_apply_patch_sse_response(
    patch_content: &str,
    call_id: &str,
 ) -> anyhow::Result<String> {
-    // Use shell_command to call apply_patch with heredoc format
-    let command = format!("apply_patch <<'EOF'\n{patch_content}\nEOF");
+    // Use shell command to call apply_patch with heredoc format
+    let shell_command = format!("apply_patch <<'EOF'\n{patch_content}\nEOF");
    let tool_call_arguments = serde_json::to_string(&json!({
-        "command": command
+        "command": ["bash", "-lc", shell_command]
    }))?;

    let tool_call = json!({
@@ -77,7 +76,7 @@ pub fn create_apply_patch_sse_response(
                        {
                            "id": call_id,
                            "function": {
-                                "name": "shell_command",
+                                "name": "shell",
                                "arguments": tool_call_arguments
                            }
                        }
--- a/codex-rs/app-server/tests/common/rollout.rs
+++ b/codex-rs/app-server/tests/common/rollout.rs
@@ -1,8 +1,6 @@
 use anyhow::Result;
 use codex_protocol::ConversationId;
-use codex_protocol::protocol::GitInfo;
 use codex_protocol::protocol::SessionMeta;
-use codex_protocol::protocol::SessionMetaLine;
 use codex_protocol::protocol::SessionSource;
 use serde_json::json;
 use std::fs;
@@ -24,7 +22,6 @@ pub fn create_fake_rollout(
    meta_rfc3339: &str,
    preview: &str,
    model_provider: Option<&str>,
-    git_info: Option<GitInfo>,
 ) -> Result<String> {
    let uuid = Uuid::new_v4();
    let uuid_str = uuid.to_string();
@@ -40,7 +37,7 @@ pub fn create_fake_rollout(
    let file_path = dir.join(format!("rollout-{filename_ts}-{uuid}.jsonl"));

    // Build JSONL lines
-    let meta = SessionMeta {
+    let payload = serde_json::to_value(SessionMeta {
        id: conversation_id,
        timestamp: meta_rfc3339.to_string(),
        cwd: PathBuf::from("/"),
@@ -49,10 +46,6 @@ pub fn create_fake_rollout(
        instructions: None,
        source: SessionSource::Cli,
        model_provider: model_provider.map(str::to_string),
-    };
-    let payload = serde_json::to_value(SessionMetaLine {
-        meta,
-        git: git_info,
    })?;

    let lines = [
--- a/codex-rs/app-server/tests/suite/codex_message_processor_flow.rs
+++ b/codex-rs/app-server/tests/suite/codex_message_processor_flow.rs
@@ -2,8 +2,7 @@ use anyhow::Result;
 use app_test_support::McpProcess;
 use app_test_support::create_final_assistant_message_sse_response;
 use app_test_support::create_mock_chat_completions_server;
-use app_test_support::create_shell_command_sse_response;
-use app_test_support::format_with_current_shell;
+use app_test_support::create_shell_sse_response;
 use app_test_support::to_response;
 use codex_app_server_protocol::AddConversationListenerParams;
 use codex_app_server_protocol::AddConversationSubscriptionResponse;
@@ -57,7 +56,7 @@ async fn test_codex_jsonrpc_conversation_flow() -> Result<()> {
    // Create a mock model server that immediately ends each turn.
    // Two turns are expected: initial session configure + one user message.
    let responses = vec![
-        create_shell_command_sse_response(
+        create_shell_sse_response(
            vec!["ls".to_string()],
            Some(&working_directory),
            Some(5000),
@@ -176,7 +175,7 @@ async fn test_send_user_turn_changes_approval_policy_behavior() -> Result<()> {

    // Mock server will request a python shell call for the first and second turn, then finish.
    let responses = vec![
-        create_shell_command_sse_response(
+        create_shell_sse_response(
            vec![
                "python3".to_string(),
                "-c".to_string(),
@@ -187,7 +186,7 @@ async fn test_send_user_turn_changes_approval_policy_behavior() -> Result<()> {
            "call1",
        )?,
        create_final_assistant_message_sse_response("done 1")?,
-        create_shell_command_sse_response(
+        create_shell_sse_response(
            vec![
                "python3".to_string(),
                "-c".to_string(),
@@ -268,7 +267,11 @@ async fn test_send_user_turn_changes_approval_policy_behavior() -> Result<()> {
        ExecCommandApprovalParams {
            conversation_id,
            call_id: "call1".to_string(),
-            command: format_with_current_shell("python3 -c 'print(42)'"),
+            command: vec![
+                "python3".to_string(),
+                "-c".to_string(),
+                "print(42)".to_string(),
+            ],
            cwd: working_directory.clone(),
            reason: None,
            risk: None,
@@ -350,15 +353,23 @@ async fn test_send_user_turn_updates_sandbox_and_cwd_between_turns() -> Result<(
    std::fs::create_dir(&second_cwd)?;

    let responses = vec![
-        create_shell_command_sse_response(
-            vec!["echo".to_string(), "first".to_string(), "turn".to_string()],
+        create_shell_sse_response(
+            vec![
+                "bash".to_string(),
+                "-lc".to_string(),
+                "echo first turn".to_string(),
+            ],
            None,
            Some(5000),
            "call-first",
        )?,
        create_final_assistant_message_sse_response("done first")?,
-        create_shell_command_sse_response(
-            vec!["echo".to_string(), "second".to_string(), "turn".to_string()],
+        create_shell_sse_response(
+            vec![
+                "bash".to_string(),
+                "-lc".to_string(),
+                "echo second turn".to_string(),
+            ],
            None,
            Some(5000),
            "call-second",
@@ -470,9 +481,13 @@ async fn test_send_user_turn_updates_sandbox_and_cwd_between_turns() -> Result<(
        exec_begin.cwd, second_cwd,
        "exec turn should run from updated cwd"
    );
-    let expected_command = format_with_current_shell("echo second turn");
    assert_eq!(
-        exec_begin.command, expected_command,
+        exec_begin.command,
+        vec![
+            "bash".to_string(),
+            "-lc".to_string(),
+            "echo second turn".to_string()
+        ],
        "exec turn should run expected command"
    );

--- a/codex-rs/app-server/tests/suite/config.rs
+++ b/codex-rs/app-server/tests/suite/config.rs
@@ -27,7 +27,7 @@ fn create_config_toml(codex_home: &Path) -> std::io::Result<()> {
    std::fs::write(
        config_toml,
        r#"
-model = "gpt-5.1-codex-max"
+model = "gpt-5.1-codex"
 approval_policy = "on-request"
 sandbox_mode = "workspace-write"
 model_reasoning_summary = "detailed"
@@ -87,7 +87,7 @@ async fn get_config_toml_parses_all_fields() -> Result<()> {
            }),
            forced_chatgpt_workspace_id: Some("12345678-0000-0000-0000-000000000000".into()),
            forced_login_method: Some(ForcedLoginMethod::Chatgpt),
-            model: Some("gpt-5.1-codex-max".into()),
+            model: Some("gpt-5.1-codex".into()),
            model_reasoning_effort: Some(ReasoningEffort::High),
            model_reasoning_summary: Some(ReasoningSummary::Detailed),
            model_verbosity: Some(Verbosity::Medium),
--- a/codex-rs/app-server/tests/suite/interrupt.rs
+++ b/codex-rs/app-server/tests/suite/interrupt.rs
@@ -19,7 +19,7 @@ use tokio::time::timeout;

 use app_test_support::McpProcess;
 use app_test_support::create_mock_chat_completions_server;
-use app_test_support::create_shell_command_sse_response;
+use app_test_support::create_shell_sse_response;
 use app_test_support::to_response;

 const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
@@ -56,7 +56,7 @@ async fn shell_command_interruption() -> anyhow::Result<()> {
    std::fs::create_dir(&working_directory)?;

    // Create mock server with a single SSE response: the long sleep command
-    let server = create_mock_chat_completions_server(vec![create_shell_command_sse_response(
+    let server = create_mock_chat_completions_server(vec![create_shell_sse_response(
        shell_command.clone(),
        Some(&working_directory),
        Some(10_000), // 10 seconds timeout in ms
--- a/codex-rs/app-server/tests/suite/list_resume.rs
+++ b/codex-rs/app-server/tests/suite/list_resume.rs
@@ -31,7 +31,6 @@ async fn test_list_and_resume_conversations() -> Result<()> {
        "2025-01-02T12:00:00Z",
        "Hello A",
        Some("openai"),
-        None,
    )?;
    create_fake_rollout(
        codex_home.path(),
@@ -39,7 +38,6 @@ async fn test_list_and_resume_conversations() -> Result<()> {
        "2025-01-01T13:00:00Z",
        "Hello B",
        Some("openai"),
-        None,
    )?;
    create_fake_rollout(
        codex_home.path(),
@@ -47,7 +45,6 @@ async fn test_list_and_resume_conversations() -> Result<()> {
        "2025-01-01T12:00:00Z",
        "Hello C",
        None,
-        None,
    )?;

    let mut mcp = McpProcess::new(codex_home.path()).await?;
@@ -108,7 +105,6 @@ async fn test_list_and_resume_conversations() -> Result<()> {
        "2025-01-01T11:30:00Z",
        "Hello TP",
        Some("test-provider"),
-        None,
    )?;

    // Filtering by model provider should return only matching sessions.
--- a/codex-rs/app-server/tests/suite/set_default_model.rs
+++ b/codex-rs/app-server/tests/suite/set_default_model.rs
@@ -57,7 +57,7 @@ fn create_config_toml(codex_home: &Path) -> std::io::Result<()> {
    std::fs::write(
        config_toml,
        r#"
-model = "gpt-5.1-codex-max"
+model = "gpt-5.1-codex"
 model_reasoning_effort = "medium"
 "#,
    )
--- a/codex-rs/app-server/tests/suite/v2/config_rpc.rs
+++ b/codex-rs/app-server/tests/suite/v2/config_rpc.rs
@@ -1,347 +0,0 @@
-use anyhow::Result;
-use app_test_support::McpProcess;
-use app_test_support::to_response;
-use codex_app_server_protocol::ConfigBatchWriteParams;
-use codex_app_server_protocol::ConfigEdit;
-use codex_app_server_protocol::ConfigLayerName;
-use codex_app_server_protocol::ConfigReadParams;
-use codex_app_server_protocol::ConfigReadResponse;
-use codex_app_server_protocol::ConfigValueWriteParams;
-use codex_app_server_protocol::ConfigWriteResponse;
-use codex_app_server_protocol::JSONRPCError;
-use codex_app_server_protocol::JSONRPCResponse;
-use codex_app_server_protocol::MergeStrategy;
-use codex_app_server_protocol::RequestId;
-use codex_app_server_protocol::WriteStatus;
-use pretty_assertions::assert_eq;
-use serde_json::json;
-use tempfile::TempDir;
-use tokio::time::timeout;
-
-const DEFAULT_READ_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);
-
-fn write_config(codex_home: &TempDir, contents: &str) -> Result<()> {
-    Ok(std::fs::write(
-        codex_home.path().join("config.toml"),
-        contents,
-    )?)
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn config_read_returns_effective_and_layers() -> Result<()> {
-    let codex_home = TempDir::new()?;
-    write_config(
-        &codex_home,
-        r#"
-model = "gpt-user"
-sandbox_mode = "workspace-write"
-"#,
-    )?;
-
-    let mut mcp = McpProcess::new(codex_home.path()).await?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
-
-    let request_id = mcp
-        .send_config_read_request(ConfigReadParams {
-            include_layers: true,
-        })
-        .await?;
-    let resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
-    )
-    .await??;
-    let ConfigReadResponse {
-        config,
-        origins,
-        layers,
-    } = to_response(resp)?;
-
-    assert_eq!(config.get("model"), Some(&json!("gpt-user")));
-    assert_eq!(
-        origins.get("model").expect("origin").name,
-        ConfigLayerName::User
-    );
-    let layers = layers.expect("layers present");
-    assert_eq!(layers.len(), 2);
-    assert_eq!(layers[0].name, ConfigLayerName::SessionFlags);
-    assert_eq!(layers[1].name, ConfigLayerName::User);
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn config_read_includes_system_layer_and_overrides() -> Result<()> {
-    let codex_home = TempDir::new()?;
-    write_config(
-        &codex_home,
-        r#"
-model = "gpt-user"
-approval_policy = "on-request"
-sandbox_mode = "workspace-write"
-
-[sandbox_workspace_write]
-writable_roots = ["/user"]
-network_access = true
-"#,
-    )?;
-
-    let managed_path = codex_home.path().join("managed_config.toml");
-    std::fs::write(
-        &managed_path,
-        r#"
-model = "gpt-system"
-approval_policy = "never"
-
-[sandbox_workspace_write]
-writable_roots = ["/system"]
-"#,
-    )?;
-
-    let managed_path_str = managed_path.display().to_string();
-
-    let mut mcp = McpProcess::new_with_env(
-        codex_home.path(),
-        &[("CODEX_MANAGED_CONFIG_PATH", Some(&managed_path_str))],
-    )
-    .await?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
-
-    let request_id = mcp
-        .send_config_read_request(ConfigReadParams {
-            include_layers: true,
-        })
-        .await?;
-    let resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(request_id)),
-    )
-    .await??;
-    let ConfigReadResponse {
-        config,
-        origins,
-        layers,
-    } = to_response(resp)?;
-
-    assert_eq!(config.get("model"), Some(&json!("gpt-system")));
-    assert_eq!(
-        origins.get("model").expect("origin").name,
-        ConfigLayerName::System
-    );
-
-    assert_eq!(config.get("approval_policy"), Some(&json!("never")));
-    assert_eq!(
-        origins.get("approval_policy").expect("origin").name,
-        ConfigLayerName::System
-    );
-
-    assert_eq!(config.get("sandbox_mode"), Some(&json!("workspace-write")));
-    assert_eq!(
-        origins.get("sandbox_mode").expect("origin").name,
-        ConfigLayerName::User
-    );
-
-    assert_eq!(
-        config
-            .get("sandbox_workspace_write")
-            .and_then(|v| v.get("writable_roots")),
-        Some(&json!(["/system"]))
-    );
-    assert_eq!(
-        origins
-            .get("sandbox_workspace_write.writable_roots.0")
-            .expect("origin")
-            .name,
-        ConfigLayerName::System
-    );
-
-    assert_eq!(
-        config
-            .get("sandbox_workspace_write")
-            .and_then(|v| v.get("network_access")),
-        Some(&json!(true))
-    );
-    assert_eq!(
-        origins
-            .get("sandbox_workspace_write.network_access")
-            .expect("origin")
-            .name,
-        ConfigLayerName::User
-    );
-
-    let layers = layers.expect("layers present");
-    assert_eq!(layers.len(), 3);
-    assert_eq!(layers[0].name, ConfigLayerName::System);
-    assert_eq!(layers[1].name, ConfigLayerName::SessionFlags);
-    assert_eq!(layers[2].name, ConfigLayerName::User);
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn config_value_write_replaces_value() -> Result<()> {
-    let codex_home = TempDir::new()?;
-    write_config(
-        &codex_home,
-        r#"
-model = "gpt-old"
-"#,
-    )?;
-
-    let mut mcp = McpProcess::new(codex_home.path()).await?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
-
-    let read_id = mcp
-        .send_config_read_request(ConfigReadParams {
-            include_layers: false,
-        })
-        .await?;
-    let read_resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(read_id)),
-    )
-    .await??;
-    let read: ConfigReadResponse = to_response(read_resp)?;
-    let expected_version = read.origins.get("model").map(|m| m.version.clone());
-
-    let write_id = mcp
-        .send_config_value_write_request(ConfigValueWriteParams {
-            file_path: codex_home.path().join("config.toml").display().to_string(),
-            key_path: "model".to_string(),
-            value: json!("gpt-new"),
-            merge_strategy: MergeStrategy::Replace,
-            expected_version,
-        })
-        .await?;
-    let write_resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(write_id)),
-    )
-    .await??;
-    let write: ConfigWriteResponse = to_response(write_resp)?;
-
-    assert_eq!(write.status, WriteStatus::Ok);
-    assert!(write.overridden_metadata.is_none());
-
-    let verify_id = mcp
-        .send_config_read_request(ConfigReadParams {
-            include_layers: false,
-        })
-        .await?;
-    let verify_resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(verify_id)),
-    )
-    .await??;
-    let verify: ConfigReadResponse = to_response(verify_resp)?;
-    assert_eq!(verify.config.get("model"), Some(&json!("gpt-new")));
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn config_value_write_rejects_version_conflict() -> Result<()> {
-    let codex_home = TempDir::new()?;
-    write_config(
-        &codex_home,
-        r#"
-model = "gpt-old"
-"#,
-    )?;
-
-    let mut mcp = McpProcess::new(codex_home.path()).await?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
-
-    let write_id = mcp
-        .send_config_value_write_request(ConfigValueWriteParams {
-            file_path: codex_home.path().join("config.toml").display().to_string(),
-            key_path: "model".to_string(),
-            value: json!("gpt-new"),
-            merge_strategy: MergeStrategy::Replace,
-            expected_version: Some("sha256:stale".to_string()),
-        })
-        .await?;
-
-    let err: JSONRPCError = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_error_message(RequestId::Integer(write_id)),
-    )
-    .await??;
-    let code = err
-        .error
-        .data
-        .as_ref()
-        .and_then(|d| d.get("config_write_error_code"))
-        .and_then(|v| v.as_str());
-    assert_eq!(code, Some("configVersionConflict"));
-
-    Ok(())
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn config_batch_write_applies_multiple_edits() -> Result<()> {
-    let codex_home = TempDir::new()?;
-    write_config(&codex_home, "")?;
-
-    let mut mcp = McpProcess::new(codex_home.path()).await?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
-
-    let batch_id = mcp
-        .send_config_batch_write_request(ConfigBatchWriteParams {
-            file_path: codex_home.path().join("config.toml").display().to_string(),
-            edits: vec![
-                ConfigEdit {
-                    key_path: "sandbox_mode".to_string(),
-                    value: json!("workspace-write"),
-                    merge_strategy: MergeStrategy::Replace,
-                },
-                ConfigEdit {
-                    key_path: "sandbox_workspace_write".to_string(),
-                    value: json!({
-                        "writable_roots": ["/tmp"],
-                        "network_access": false
-                    }),
-                    merge_strategy: MergeStrategy::Replace,
-                },
-            ],
-            expected_version: None,
-        })
-        .await?;
-    let batch_resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(batch_id)),
-    )
-    .await??;
-    let batch_write: ConfigWriteResponse = to_response(batch_resp)?;
-    assert_eq!(batch_write.status, WriteStatus::Ok);
-
-    let read_id = mcp
-        .send_config_read_request(ConfigReadParams {
-            include_layers: false,
-        })
-        .await?;
-    let read_resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(read_id)),
-    )
-    .await??;
-    let read: ConfigReadResponse = to_response(read_resp)?;
-    assert_eq!(
-        read.config.get("sandbox_mode"),
-        Some(&json!("workspace-write"))
-    );
-    assert_eq!(
-        read.config
-            .get("sandbox_workspace_write")
-            .and_then(|v| v.get("writable_roots")),
-        Some(&json!(["/tmp"]))
-    );
-    assert_eq!(
-        read.config
-            .get("sandbox_workspace_write")
-            .and_then(|v| v.get("network_access")),
-        Some(&json!(false))
-    );
-
-    Ok(())
-}
--- a/codex-rs/app-server/tests/suite/v2/mod.rs
+++ b/codex-rs/app-server/tests/suite/v2/mod.rs
@@ -1,5 +1,4 @@
 mod account;
-mod config_rpc;
 mod model_list;
 mod rate_limits;
 mod review;
--- a/codex-rs/app-server/tests/suite/v2/model_list.rs
+++ b/codex-rs/app-server/tests/suite/v2/model_list.rs
@@ -45,33 +45,6 @@ async fn list_models_returns_all_models_with_large_limit() -> Result<()> {
    } = to_response::<ModelListResponse>(response)?;

    let expected_models = vec![
-        Model {
-            id: "gpt-5.1-codex-max".to_string(),
-            model: "gpt-5.1-codex-max".to_string(),
-            display_name: "gpt-5.1-codex-max".to_string(),
-            description: "Latest Codex-optimized flagship for deep and fast reasoning.".to_string(),
-            supported_reasoning_efforts: vec![
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::Low,
-                    description: "Fast responses with lighter reasoning".to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::Medium,
-                    description: "Balances speed and reasoning depth for everyday tasks"
-                        .to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::High,
-                    description: "Maximizes reasoning depth for complex problems".to_string(),
-                },
-                ReasoningEffortOption {
-                    reasoning_effort: ReasoningEffort::XHigh,
-                    description: "Extra high reasoning depth for complex problems".to_string(),
-                },
-            ],
-            default_reasoning_effort: ReasoningEffort::Medium,
-            is_default: true,
-        },
        Model {
            id: "gpt-5.1-codex".to_string(),
            model: "gpt-5.1-codex".to_string(),
@@ -93,7 +66,7 @@ async fn list_models_returns_all_models_with_large_limit() -> Result<()> {
                },
            ],
            default_reasoning_effort: ReasoningEffort::Medium,
-            is_default: false,
+            is_default: true,
        },
        Model {
            id: "gpt-5.1-codex-mini".to_string(),
@@ -174,7 +147,7 @@ async fn list_models_pagination_works() -> Result<()> {
    } = to_response::<ModelListResponse>(first_response)?;

    assert_eq!(first_items.len(), 1);
-    assert_eq!(first_items[0].id, "gpt-5.1-codex-max");
+    assert_eq!(first_items[0].id, "gpt-5.1-codex");
    let next_cursor = first_cursor.ok_or_else(|| anyhow!("cursor for second page"))?;

    let second_request = mcp
@@ -196,7 +169,7 @@ async fn list_models_pagination_works() -> Result<()> {
    } = to_response::<ModelListResponse>(second_response)?;

    assert_eq!(second_items.len(), 1);
-    assert_eq!(second_items[0].id, "gpt-5.1-codex");
+    assert_eq!(second_items[0].id, "gpt-5.1-codex-mini");
    let third_cursor = second_cursor.ok_or_else(|| anyhow!("cursor for third page"))?;

    let third_request = mcp
@@ -218,30 +191,8 @@ async fn list_models_pagination_works() -> Result<()> {
    } = to_response::<ModelListResponse>(third_response)?;

    assert_eq!(third_items.len(), 1);
-    assert_eq!(third_items[0].id, "gpt-5.1-codex-mini");
-    let fourth_cursor = third_cursor.ok_or_else(|| anyhow!("cursor for fourth page"))?;
-
-    let fourth_request = mcp
-        .send_list_models_request(ModelListParams {
-            limit: Some(1),
-            cursor: Some(fourth_cursor.clone()),
-        })
-        .await?;
-
-    let fourth_response: JSONRPCResponse = timeout(
-        DEFAULT_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(fourth_request)),
-    )
-    .await??;
-
-    let ModelListResponse {
-        data: fourth_items,
-        next_cursor: fourth_cursor,
-    } = to_response::<ModelListResponse>(fourth_response)?;
-
-    assert_eq!(fourth_items.len(), 1);
-    assert_eq!(fourth_items[0].id, "gpt-5.1");
-    assert!(fourth_cursor.is_none());
+    assert_eq!(third_items[0].id, "gpt-5.1");
+    assert!(third_cursor.is_none());
    Ok(())
 }

--- a/codex-rs/app-server/tests/suite/v2/rate_limits.rs
+++ b/codex-rs/app-server/tests/suite/v2/rate_limits.rs
@@ -152,7 +152,6 @@ async fn get_account_rate_limits_returns_snapshot() -> Result<()> {
                window_duration_mins: Some(1440),
                resets_at: Some(secondary_reset_timestamp),
            }),
-            credits: None,
        },
    };
    assert_eq!(received, expected);
--- a/codex-rs/app-server/tests/suite/v2/thread_list.rs
+++ b/codex-rs/app-server/tests/suite/v2/thread_list.rs
@@ -2,14 +2,10 @@ use anyhow::Result;
 use app_test_support::McpProcess;
 use app_test_support::create_fake_rollout;
 use app_test_support::to_response;
-use codex_app_server_protocol::GitInfo as ApiGitInfo;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::RequestId;
-use codex_app_server_protocol::SessionSource;
 use codex_app_server_protocol::ThreadListParams;
 use codex_app_server_protocol::ThreadListResponse;
-use codex_protocol::protocol::GitInfo as CoreGitInfo;
-use std::path::PathBuf;
 use tempfile::TempDir;
 use tokio::time::timeout;

@@ -28,7 +24,7 @@ async fn thread_list_basic_empty() -> Result<()> {
        .send_thread_list_request(ThreadListParams {
            cursor: None,
            limit: Some(10),
-            model_providers: Some(vec!["mock_provider".to_string()]),
+            model_providers: None,
        })
        .await?;
    let list_resp: JSONRPCResponse = timeout(
@@ -67,7 +63,6 @@ async fn thread_list_pagination_next_cursor_none_on_last_page() -> Result<()> {
        "2025-01-02T12:00:00Z",
        "Hello",
        Some("mock_provider"),
-        None,
    )?;
    let _b = create_fake_rollout(
        codex_home.path(),
@@ -75,7 +70,6 @@ async fn thread_list_pagination_next_cursor_none_on_last_page() -> Result<()> {
        "2025-01-01T13:00:00Z",
        "Hello",
        Some("mock_provider"),
-        None,
    )?;
    let _c = create_fake_rollout(
        codex_home.path(),
@@ -83,7 +77,6 @@ async fn thread_list_pagination_next_cursor_none_on_last_page() -> Result<()> {
        "2025-01-01T12:00:00Z",
        "Hello",
        Some("mock_provider"),
-        None,
    )?;

    let mut mcp = McpProcess::new(codex_home.path()).await?;
@@ -111,10 +104,6 @@ async fn thread_list_pagination_next_cursor_none_on_last_page() -> Result<()> {
        assert_eq!(thread.preview, "Hello");
        assert_eq!(thread.model_provider, "mock_provider");
        assert!(thread.created_at > 0);
-        assert_eq!(thread.cwd, PathBuf::from("/"));
-        assert_eq!(thread.cli_version, "0.0.0");
-        assert_eq!(thread.source, SessionSource::Cli);
-        assert_eq!(thread.git_info, None);
    }
    let cursor1 = cursor1.expect("expected nextCursor on first page");

@@ -140,10 +129,6 @@ async fn thread_list_pagination_next_cursor_none_on_last_page() -> Result<()> {
        assert_eq!(thread.preview, "Hello");
        assert_eq!(thread.model_provider, "mock_provider");
        assert!(thread.created_at > 0);
-        assert_eq!(thread.cwd, PathBuf::from("/"));
-        assert_eq!(thread.cli_version, "0.0.0");
-        assert_eq!(thread.source, SessionSource::Cli);
-        assert_eq!(thread.git_info, None);
    }
    assert_eq!(cursor2, None, "expected nextCursor to be null on last page");

@@ -162,7 +147,6 @@ async fn thread_list_respects_provider_filter() -> Result<()> {
        "2025-01-02T10:00:00Z",
        "X",
        Some("mock_provider"),
-        None,
    )?; // mock_provider
    let _b = create_fake_rollout(
        codex_home.path(),
@@ -170,7 +154,6 @@ async fn thread_list_respects_provider_filter() -> Result<()> {
        "2025-01-02T11:00:00Z",
        "X",
        Some("other_provider"),
-        None,
    )?;

    let mut mcp = McpProcess::new(codex_home.path()).await?;
@@ -197,63 +180,6 @@ async fn thread_list_respects_provider_filter() -> Result<()> {
    assert_eq!(thread.model_provider, "other_provider");
    let expected_ts = chrono::DateTime::parse_from_rfc3339("2025-01-02T11:00:00Z")?.timestamp();
    assert_eq!(thread.created_at, expected_ts);
-    assert_eq!(thread.cwd, PathBuf::from("/"));
-    assert_eq!(thread.cli_version, "0.0.0");
-    assert_eq!(thread.source, SessionSource::Cli);
-    assert_eq!(thread.git_info, None);
-
-    Ok(())
-}
-
-#[tokio::test]
-async fn thread_list_includes_git_info() -> Result<()> {
-    let codex_home = TempDir::new()?;
-    create_minimal_config(codex_home.path())?;
-
-    let git_info = CoreGitInfo {
-        commit_hash: Some("abc123".to_string()),
-        branch: Some("main".to_string()),
-        repository_url: Some("https://example.com/repo.git".to_string()),
-    };
-    let conversation_id = create_fake_rollout(
-        codex_home.path(),
-        "2025-02-01T09-00-00",
-        "2025-02-01T09:00:00Z",
-        "Git info preview",
-        Some("mock_provider"),
-        Some(git_info),
-    )?;
-
-    let mut mcp = McpProcess::new(codex_home.path()).await?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
-
-    let list_id = mcp
-        .send_thread_list_request(ThreadListParams {
-            cursor: None,
-            limit: Some(10),
-            model_providers: Some(vec!["mock_provider".to_string()]),
-        })
-        .await?;
-    let resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(list_id)),
-    )
-    .await??;
-    let ThreadListResponse { data, .. } = to_response::<ThreadListResponse>(resp)?;
-    let thread = data
-        .iter()
-        .find(|t| t.id == conversation_id)
-        .expect("expected thread for created rollout");
-
-    let expected_git = ApiGitInfo {
-        sha: Some("abc123".to_string()),
-        branch: Some("main".to_string()),
-        origin_url: Some("https://example.com/repo.git".to_string()),
-    };
-    assert_eq!(thread.git_info, Some(expected_git));
-    assert_eq!(thread.source, SessionSource::Cli);
-    assert_eq!(thread.cwd, PathBuf::from("/"));
-    assert_eq!(thread.cli_version, "0.0.0");

    Ok(())
 }
--- a/codex-rs/app-server/tests/suite/v2/thread_resume.rs
+++ b/codex-rs/app-server/tests/suite/v2/thread_resume.rs
@@ -1,21 +1,15 @@
 use anyhow::Result;
 use app_test_support::McpProcess;
-use app_test_support::create_fake_rollout;
 use app_test_support::create_mock_chat_completions_server;
 use app_test_support::to_response;
 use codex_app_server_protocol::JSONRPCResponse;
 use codex_app_server_protocol::RequestId;
-use codex_app_server_protocol::SessionSource;
-use codex_app_server_protocol::ThreadItem;
 use codex_app_server_protocol::ThreadResumeParams;
 use codex_app_server_protocol::ThreadResumeResponse;
 use codex_app_server_protocol::ThreadStartParams;
 use codex_app_server_protocol::ThreadStartResponse;
-use codex_app_server_protocol::TurnStatus;
-use codex_app_server_protocol::UserInput;
 use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseItem;
-use std::path::PathBuf;
 use tempfile::TempDir;
 use tokio::time::timeout;

@@ -33,7 +27,7 @@ async fn thread_resume_returns_original_thread() -> Result<()> {
    // Start a thread.
    let start_id = mcp
        .send_thread_start_request(ThreadStartParams {
-            model: Some("gpt-5.1-codex-max".to_string()),
+            model: Some("gpt-5.1-codex".to_string()),
            ..Default::default()
        })
        .await?;
@@ -64,70 +58,6 @@ async fn thread_resume_returns_original_thread() -> Result<()> {
    Ok(())
 }

-#[tokio::test]
-async fn thread_resume_returns_rollout_history() -> Result<()> {
-    let server = create_mock_chat_completions_server(vec![]).await;
-    let codex_home = TempDir::new()?;
-    create_config_toml(codex_home.path(), &server.uri())?;
-
-    let preview = "Saved user message";
-    let conversation_id = create_fake_rollout(
-        codex_home.path(),
-        "2025-01-05T12-00-00",
-        "2025-01-05T12:00:00Z",
-        preview,
-        Some("mock_provider"),
-        None,
-    )?;
-
-    let mut mcp = McpProcess::new(codex_home.path()).await?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
-
-    let resume_id = mcp
-        .send_thread_resume_request(ThreadResumeParams {
-            thread_id: conversation_id.clone(),
-            ..Default::default()
-        })
-        .await?;
-    let resume_resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(resume_id)),
-    )
-    .await??;
-    let ThreadResumeResponse { thread, .. } = to_response::<ThreadResumeResponse>(resume_resp)?;
-
-    assert_eq!(thread.id, conversation_id);
-    assert_eq!(thread.preview, preview);
-    assert_eq!(thread.model_provider, "mock_provider");
-    assert!(thread.path.is_absolute());
-    assert_eq!(thread.cwd, PathBuf::from("/"));
-    assert_eq!(thread.cli_version, "0.0.0");
-    assert_eq!(thread.source, SessionSource::Cli);
-    assert_eq!(thread.git_info, None);
-
-    assert_eq!(
-        thread.turns.len(),
-        1,
-        "expected rollouts to include one turn"
-    );
-    let turn = &thread.turns[0];
-    assert_eq!(turn.status, TurnStatus::Completed);
-    assert_eq!(turn.items.len(), 1, "expected user message item");
-    match &turn.items[0] {
-        ThreadItem::UserMessage { content, .. } => {
-            assert_eq!(
-                content,
-                &vec![UserInput::Text {
-                    text: preview.to_string()
-                }]
-            );
-        }
-        other => panic!("expected user message item, got {other:?}"),
-    }
-
-    Ok(())
-}
-
 #[tokio::test]
 async fn thread_resume_prefers_path_over_thread_id() -> Result<()> {
    let server = create_mock_chat_completions_server(vec![]).await;
@@ -139,7 +69,7 @@ async fn thread_resume_prefers_path_over_thread_id() -> Result<()> {

    let start_id = mcp
        .send_thread_start_request(ThreadStartParams {
-            model: Some("gpt-5.1-codex-max".to_string()),
+            model: Some("gpt-5.1-codex".to_string()),
            ..Default::default()
        })
        .await?;
@@ -184,7 +114,7 @@ async fn thread_resume_supports_history_and_overrides() -> Result<()> {
    // Start a thread.
    let start_id = mcp
        .send_thread_start_request(ThreadStartParams {
-            model: Some("gpt-5.1-codex-max".to_string()),
+            model: Some("gpt-5.1-codex".to_string()),
            ..Default::default()
        })
        .await?;
--- a/codex-rs/app-server/tests/suite/v2/turn_interrupt.rs
+++ b/codex-rs/app-server/tests/suite/v2/turn_interrupt.rs
@@ -3,7 +3,7 @@
 use anyhow::Result;
 use app_test_support::McpProcess;
 use app_test_support::create_mock_chat_completions_server;
-use app_test_support::create_shell_command_sse_response;
+use app_test_support::create_shell_sse_response;
 use app_test_support::to_response;
 use codex_app_server_protocol::JSONRPCNotification;
 use codex_app_server_protocol::JSONRPCResponse;
@@ -41,7 +41,7 @@ async fn turn_interrupt_aborts_running_turn() -> Result<()> {
    std::fs::create_dir(&working_directory)?;

    // Mock server: long-running shell command then (after abort) nothing else needed.
-    let server = create_mock_chat_completions_server(vec![create_shell_command_sse_response(
+    let server = create_mock_chat_completions_server(vec![create_shell_sse_response(
        shell_command.clone(),
        Some(&working_directory),
        Some(10_000),
--- a/codex-rs/app-server/tests/suite/v2/turn_start.rs
+++ b/codex-rs/app-server/tests/suite/v2/turn_start.rs
@@ -1,22 +1,14 @@
 use anyhow::Result;
 use app_test_support::McpProcess;
-use app_test_support::create_apply_patch_sse_response;
 use app_test_support::create_final_assistant_message_sse_response;
 use app_test_support::create_mock_chat_completions_server;
 use app_test_support::create_mock_chat_completions_server_unchecked;
-use app_test_support::create_shell_command_sse_response;
-use app_test_support::format_with_current_shell_display;
+use app_test_support::create_shell_sse_response;
 use app_test_support::to_response;
-use codex_app_server_protocol::ApprovalDecision;
-use codex_app_server_protocol::CommandExecutionRequestApprovalResponse;
 use codex_app_server_protocol::CommandExecutionStatus;
-use codex_app_server_protocol::FileChangeRequestApprovalResponse;
-use codex_app_server_protocol::ItemCompletedNotification;
 use codex_app_server_protocol::ItemStartedNotification;
 use codex_app_server_protocol::JSONRPCNotification;
 use codex_app_server_protocol::JSONRPCResponse;
-use codex_app_server_protocol::PatchApplyStatus;
-use codex_app_server_protocol::PatchChangeKind;
 use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::ServerRequest;
 use codex_app_server_protocol::ThreadItem;
@@ -205,7 +197,7 @@ async fn turn_start_exec_approval_toggle_v2() -> Result<()> {
    // Mock server: first turn requests a shell call (elicitation), then completes.
    // Second turn same, but we'll set approval_policy=never to avoid elicitation.
    let responses = vec![
-        create_shell_command_sse_response(
+        create_shell_sse_response(
            vec![
                "python3".to_string(),
                "-c".to_string(),
@@ -216,7 +208,7 @@ async fn turn_start_exec_approval_toggle_v2() -> Result<()> {
            "call1",
        )?,
        create_final_assistant_message_sse_response("done 1")?,
-        create_shell_command_sse_response(
+        create_shell_sse_response(
            vec![
                "python3".to_string(),
                "-c".to_string(),
@@ -330,145 +322,6 @@ async fn turn_start_exec_approval_toggle_v2() -> Result<()> {
    Ok(())
 }

-#[tokio::test]
-async fn turn_start_exec_approval_decline_v2() -> Result<()> {
-    skip_if_no_network!(Ok(()));
-
-    let tmp = TempDir::new()?;
-    let codex_home = tmp.path().to_path_buf();
-    let workspace = tmp.path().join("workspace");
-    std::fs::create_dir(&workspace)?;
-
-    let responses = vec![
-        create_shell_command_sse_response(
-            vec![
-                "python3".to_string(),
-                "-c".to_string(),
-                "print(42)".to_string(),
-            ],
-            None,
-            Some(5000),
-            "call-decline",
-        )?,
-        create_final_assistant_message_sse_response("done")?,
-    ];
-    let server = create_mock_chat_completions_server(responses).await;
-    create_config_toml(codex_home.as_path(), &server.uri(), "untrusted")?;
-
-    let mut mcp = McpProcess::new(codex_home.as_path()).await?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
-
-    let start_id = mcp
-        .send_thread_start_request(ThreadStartParams {
-            model: Some("mock-model".to_string()),
-            ..Default::default()
-        })
-        .await?;
-    let start_resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(start_id)),
-    )
-    .await??;
-    let ThreadStartResponse { thread, .. } = to_response::<ThreadStartResponse>(start_resp)?;
-
-    let turn_id = mcp
-        .send_turn_start_request(TurnStartParams {
-            thread_id: thread.id.clone(),
-            input: vec![V2UserInput::Text {
-                text: "run python".to_string(),
-            }],
-            cwd: Some(workspace.clone()),
-            ..Default::default()
-        })
-        .await?;
-    let turn_resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(turn_id)),
-    )
-    .await??;
-    let TurnStartResponse { turn } = to_response::<TurnStartResponse>(turn_resp)?;
-
-    let started_command_execution = timeout(DEFAULT_READ_TIMEOUT, async {
-        loop {
-            let started_notif = mcp
-                .read_stream_until_notification_message("item/started")
-                .await?;
-            let started: ItemStartedNotification =
-                serde_json::from_value(started_notif.params.clone().expect("item/started params"))?;
-            if let ThreadItem::CommandExecution { .. } = started.item {
-                return Ok::<ThreadItem, anyhow::Error>(started.item);
-            }
-        }
-    })
-    .await??;
-    let ThreadItem::CommandExecution { id, status, .. } = started_command_execution else {
-        unreachable!("loop ensures we break on command execution items");
-    };
-    assert_eq!(id, "call-decline");
-    assert_eq!(status, CommandExecutionStatus::InProgress);
-
-    let server_req = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_request_message(),
-    )
-    .await??;
-    let ServerRequest::CommandExecutionRequestApproval { request_id, params } = server_req else {
-        panic!("expected CommandExecutionRequestApproval request")
-    };
-    assert_eq!(params.item_id, "call-decline");
-    assert_eq!(params.thread_id, thread.id);
-    assert_eq!(params.turn_id, turn.id);
-
-    mcp.send_response(
-        request_id,
-        serde_json::to_value(CommandExecutionRequestApprovalResponse {
-            decision: ApprovalDecision::Decline,
-            accept_settings: None,
-        })?,
-    )
-    .await?;
-
-    let completed_command_execution = timeout(DEFAULT_READ_TIMEOUT, async {
-        loop {
-            let completed_notif = mcp
-                .read_stream_until_notification_message("item/completed")
-                .await?;
-            let completed: ItemCompletedNotification = serde_json::from_value(
-                completed_notif
-                    .params
-                    .clone()
-                    .expect("item/completed params"),
-            )?;
-            if let ThreadItem::CommandExecution { .. } = completed.item {
-                return Ok::<ThreadItem, anyhow::Error>(completed.item);
-            }
-        }
-    })
-    .await??;
-    let ThreadItem::CommandExecution {
-        id,
-        status,
-        exit_code,
-        aggregated_output,
-        ..
-    } = completed_command_execution
-    else {
-        unreachable!("loop ensures we break on command execution items");
-    };
-    assert_eq!(id, "call-decline");
-    assert_eq!(status, CommandExecutionStatus::Declined);
-    assert!(exit_code.is_none());
-    assert!(aggregated_output.is_none());
-
-    timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_notification_message("codex/event/task_complete"),
-    )
-    .await??;
-
-    Ok(())
-}
-
 #[tokio::test]
 async fn turn_start_updates_sandbox_and_cwd_between_turns_v2() -> Result<()> {
    skip_if_no_network!(Ok(()));
@@ -484,15 +337,23 @@ async fn turn_start_updates_sandbox_and_cwd_between_turns_v2() -> Result<()> {
    std::fs::create_dir(&second_cwd)?;

    let responses = vec![
-        create_shell_command_sse_response(
-            vec!["echo".to_string(), "first".to_string(), "turn".to_string()],
+        create_shell_sse_response(
+            vec![
+                "bash".to_string(),
+                "-lc".to_string(),
+                "echo first turn".to_string(),
+            ],
            None,
            Some(5000),
            "call-first",
        )?,
        create_final_assistant_message_sse_response("done first")?,
-        create_shell_command_sse_response(
-            vec!["echo".to_string(), "second".to_string(), "turn".to_string()],
+        create_shell_sse_response(
+            vec![
+                "bash".to_string(),
+                "-lc".to_string(),
+                "echo second turn".to_string(),
+            ],
            None,
            Some(5000),
            "call-second",
@@ -598,8 +459,7 @@ async fn turn_start_updates_sandbox_and_cwd_between_turns_v2() -> Result<()> {
        unreachable!("loop ensures we break on command execution items");
    };
    assert_eq!(cwd, second_cwd);
-    let expected_command = format_with_current_shell_display("echo second turn");
-    assert_eq!(command, expected_command);
+    assert_eq!(command, "bash -lc 'echo second turn'");
    assert_eq!(status, CommandExecutionStatus::InProgress);

    timeout(
@@ -611,300 +471,6 @@ async fn turn_start_updates_sandbox_and_cwd_between_turns_v2() -> Result<()> {
    Ok(())
 }

-#[tokio::test]
-async fn turn_start_file_change_approval_v2() -> Result<()> {
-    skip_if_no_network!(Ok(()));
-
-    let tmp = TempDir::new()?;
-    let codex_home = tmp.path().join("codex_home");
-    std::fs::create_dir(&codex_home)?;
-    let workspace = tmp.path().join("workspace");
-    std::fs::create_dir(&workspace)?;
-
-    let patch = r#"*** Begin Patch
-*** Add File: README.md
-+new line
-*** End Patch
-"#;
-    let responses = vec![
-        create_apply_patch_sse_response(patch, "patch-call")?,
-        create_final_assistant_message_sse_response("patch applied")?,
-    ];
-    let server = create_mock_chat_completions_server(responses).await;
-    create_config_toml(&codex_home, &server.uri(), "untrusted")?;
-
-    let mut mcp = McpProcess::new(&codex_home).await?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
-
-    let start_req = mcp
-        .send_thread_start_request(ThreadStartParams {
-            model: Some("mock-model".to_string()),
-            cwd: Some(workspace.to_string_lossy().into_owned()),
-            ..Default::default()
-        })
-        .await?;
-    let start_resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(start_req)),
-    )
-    .await??;
-    let ThreadStartResponse { thread, .. } = to_response::<ThreadStartResponse>(start_resp)?;
-
-    let turn_req = mcp
-        .send_turn_start_request(TurnStartParams {
-            thread_id: thread.id.clone(),
-            input: vec![V2UserInput::Text {
-                text: "apply patch".into(),
-            }],
-            cwd: Some(workspace.clone()),
-            ..Default::default()
-        })
-        .await?;
-    let turn_resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(turn_req)),
-    )
-    .await??;
-    let TurnStartResponse { turn } = to_response::<TurnStartResponse>(turn_resp)?;
-
-    let started_file_change = timeout(DEFAULT_READ_TIMEOUT, async {
-        loop {
-            let started_notif = mcp
-                .read_stream_until_notification_message("item/started")
-                .await?;
-            let started: ItemStartedNotification =
-                serde_json::from_value(started_notif.params.clone().expect("item/started params"))?;
-            if let ThreadItem::FileChange { .. } = started.item {
-                return Ok::<ThreadItem, anyhow::Error>(started.item);
-            }
-        }
-    })
-    .await??;
-    let ThreadItem::FileChange {
-        ref id,
-        status,
-        ref changes,
-    } = started_file_change
-    else {
-        unreachable!("loop ensures we break on file change items");
-    };
-    assert_eq!(id, "patch-call");
-    assert_eq!(status, PatchApplyStatus::InProgress);
-    let started_changes = changes.clone();
-
-    let server_req = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_request_message(),
-    )
-    .await??;
-    let ServerRequest::FileChangeRequestApproval { request_id, params } = server_req else {
-        panic!("expected FileChangeRequestApproval request")
-    };
-    assert_eq!(params.item_id, "patch-call");
-    assert_eq!(params.thread_id, thread.id);
-    assert_eq!(params.turn_id, turn.id);
-    let expected_readme_path = workspace.join("README.md");
-    let expected_readme_path = expected_readme_path.to_string_lossy().into_owned();
-    pretty_assertions::assert_eq!(
-        started_changes,
-        vec![codex_app_server_protocol::FileUpdateChange {
-            path: expected_readme_path.clone(),
-            kind: PatchChangeKind::Add,
-            diff: "new line\n".to_string(),
-        }]
-    );
-
-    mcp.send_response(
-        request_id,
-        serde_json::to_value(FileChangeRequestApprovalResponse {
-            decision: ApprovalDecision::Accept,
-        })?,
-    )
-    .await?;
-
-    let completed_file_change = timeout(DEFAULT_READ_TIMEOUT, async {
-        loop {
-            let completed_notif = mcp
-                .read_stream_until_notification_message("item/completed")
-                .await?;
-            let completed: ItemCompletedNotification = serde_json::from_value(
-                completed_notif
-                    .params
-                    .clone()
-                    .expect("item/completed params"),
-            )?;
-            if let ThreadItem::FileChange { .. } = completed.item {
-                return Ok::<ThreadItem, anyhow::Error>(completed.item);
-            }
-        }
-    })
-    .await??;
-    let ThreadItem::FileChange { ref id, status, .. } = completed_file_change else {
-        unreachable!("loop ensures we break on file change items");
-    };
-    assert_eq!(id, "patch-call");
-    assert_eq!(status, PatchApplyStatus::Completed);
-
-    timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_notification_message("codex/event/task_complete"),
-    )
-    .await??;
-
-    let readme_contents = std::fs::read_to_string(expected_readme_path)?;
-    assert_eq!(readme_contents, "new line\n");
-
-    Ok(())
-}
-
-#[tokio::test]
-async fn turn_start_file_change_approval_decline_v2() -> Result<()> {
-    skip_if_no_network!(Ok(()));
-
-    let tmp = TempDir::new()?;
-    let codex_home = tmp.path().join("codex_home");
-    std::fs::create_dir(&codex_home)?;
-    let workspace = tmp.path().join("workspace");
-    std::fs::create_dir(&workspace)?;
-
-    let patch = r#"*** Begin Patch
-*** Add File: README.md
-+new line
-*** End Patch
-"#;
-    let responses = vec![
-        create_apply_patch_sse_response(patch, "patch-call")?,
-        create_final_assistant_message_sse_response("patch declined")?,
-    ];
-    let server = create_mock_chat_completions_server(responses).await;
-    create_config_toml(&codex_home, &server.uri(), "untrusted")?;
-
-    let mut mcp = McpProcess::new(&codex_home).await?;
-    timeout(DEFAULT_READ_TIMEOUT, mcp.initialize()).await??;
-
-    let start_req = mcp
-        .send_thread_start_request(ThreadStartParams {
-            model: Some("mock-model".to_string()),
-            cwd: Some(workspace.to_string_lossy().into_owned()),
-            ..Default::default()
-        })
-        .await?;
-    let start_resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(start_req)),
-    )
-    .await??;
-    let ThreadStartResponse { thread, .. } = to_response::<ThreadStartResponse>(start_resp)?;
-
-    let turn_req = mcp
-        .send_turn_start_request(TurnStartParams {
-            thread_id: thread.id.clone(),
-            input: vec![V2UserInput::Text {
-                text: "apply patch".into(),
-            }],
-            cwd: Some(workspace.clone()),
-            ..Default::default()
-        })
-        .await?;
-    let turn_resp: JSONRPCResponse = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_response_message(RequestId::Integer(turn_req)),
-    )
-    .await??;
-    let TurnStartResponse { turn } = to_response::<TurnStartResponse>(turn_resp)?;
-
-    let started_file_change = timeout(DEFAULT_READ_TIMEOUT, async {
-        loop {
-            let started_notif = mcp
-                .read_stream_until_notification_message("item/started")
-                .await?;
-            let started: ItemStartedNotification =
-                serde_json::from_value(started_notif.params.clone().expect("item/started params"))?;
-            if let ThreadItem::FileChange { .. } = started.item {
-                return Ok::<ThreadItem, anyhow::Error>(started.item);
-            }
-        }
-    })
-    .await??;
-    let ThreadItem::FileChange {
-        ref id,
-        status,
-        ref changes,
-    } = started_file_change
-    else {
-        unreachable!("loop ensures we break on file change items");
-    };
-    assert_eq!(id, "patch-call");
-    assert_eq!(status, PatchApplyStatus::InProgress);
-    let started_changes = changes.clone();
-
-    let server_req = timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_request_message(),
-    )
-    .await??;
-    let ServerRequest::FileChangeRequestApproval { request_id, params } = server_req else {
-        panic!("expected FileChangeRequestApproval request")
-    };
-    assert_eq!(params.item_id, "patch-call");
-    assert_eq!(params.thread_id, thread.id);
-    assert_eq!(params.turn_id, turn.id);
-    let expected_readme_path = workspace.join("README.md");
-    let expected_readme_path_str = expected_readme_path.to_string_lossy().into_owned();
-    pretty_assertions::assert_eq!(
-        started_changes,
-        vec![codex_app_server_protocol::FileUpdateChange {
-            path: expected_readme_path_str.clone(),
-            kind: PatchChangeKind::Add,
-            diff: "new line\n".to_string(),
-        }]
-    );
-
-    mcp.send_response(
-        request_id,
-        serde_json::to_value(FileChangeRequestApprovalResponse {
-            decision: ApprovalDecision::Decline,
-        })?,
-    )
-    .await?;
-
-    let completed_file_change = timeout(DEFAULT_READ_TIMEOUT, async {
-        loop {
-            let completed_notif = mcp
-                .read_stream_until_notification_message("item/completed")
-                .await?;
-            let completed: ItemCompletedNotification = serde_json::from_value(
-                completed_notif
-                    .params
-                    .clone()
-                    .expect("item/completed params"),
-            )?;
-            if let ThreadItem::FileChange { .. } = completed.item {
-                return Ok::<ThreadItem, anyhow::Error>(completed.item);
-            }
-        }
-    })
-    .await??;
-    let ThreadItem::FileChange { ref id, status, .. } = completed_file_change else {
-        unreachable!("loop ensures we break on file change items");
-    };
-    assert_eq!(id, "patch-call");
-    assert_eq!(status, PatchApplyStatus::Declined);
-
-    timeout(
-        DEFAULT_READ_TIMEOUT,
-        mcp.read_stream_until_notification_message("codex/event/task_complete"),
-    )
-    .await??;
-
-    assert!(
-        !expected_readme_path.exists(),
-        "declined patch should not be applied"
-    );
-
-    Ok(())
-}
-
 // Helper to create a config.toml pointing at the mock model server.
 fn create_config_toml(
    codex_home: &Path,
--- a/codex-rs/apply-patch/Cargo.toml
+++ b/codex-rs/apply-patch/Cargo.toml
@@ -1,8 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-apply-patch"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
+version = { workspace = true }

 [lib]
 name = "codex_apply_patch"
--- a/codex-rs/apply-patch/src/lib.rs
+++ b/codex-rs/apply-patch/src/lib.rs
@@ -31,13 +31,6 @@ pub const APPLY_PATCH_TOOL_INSTRUCTIONS: &str = include_str!("../apply_patch_too

 const APPLY_PATCH_COMMANDS: [&str; 2] = ["apply_patch", "applypatch"];

-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-enum ApplyPatchShell {
-    Unix,
-    PowerShell,
-    Cmd,
-}
-
 #[derive(Debug, Error, PartialEq)]
 pub enum ApplyPatchError {
    #[error(transparent)]
@@ -103,57 +96,6 @@ pub struct ApplyPatchArgs {
    pub workdir: Option<String>,
 }

-fn classify_shell_name(shell: &str) -> Option<String> {
-    std::path::Path::new(shell)
-        .file_stem()
-        .and_then(|name| name.to_str())
-        .map(str::to_ascii_lowercase)
-}
-
-fn classify_shell(shell: &str, flag: &str) -> Option<ApplyPatchShell> {
-    classify_shell_name(shell).and_then(|name| match name.as_str() {
-        "bash" | "zsh" | "sh" if flag == "-lc" => Some(ApplyPatchShell::Unix),
-        "pwsh" | "powershell" if flag.eq_ignore_ascii_case("-command") => {
-            Some(ApplyPatchShell::PowerShell)
-        }
-        "cmd" if flag.eq_ignore_ascii_case("/c") => Some(ApplyPatchShell::Cmd),
-        _ => None,
-    })
-}
-
-fn can_skip_flag(shell: &str, flag: &str) -> bool {
-    classify_shell_name(shell).is_some_and(|name| {
-        matches!(name.as_str(), "pwsh" | "powershell") && flag.eq_ignore_ascii_case("-noprofile")
-    })
-}
-
-fn parse_shell_script(argv: &[String]) -> Option<(ApplyPatchShell, &str)> {
-    match argv {
-        [shell, flag, script] => classify_shell(shell, flag).map(|shell_type| {
-            let script = script.as_str();
-            (shell_type, script)
-        }),
-        [shell, skip_flag, flag, script] if can_skip_flag(shell, skip_flag) => {
-            classify_shell(shell, flag).map(|shell_type| {
-                let script = script.as_str();
-                (shell_type, script)
-            })
-        }
-        _ => None,
-    }
-}
-
-fn extract_apply_patch_from_shell(
-    shell: ApplyPatchShell,
-    script: &str,
-) -> std::result::Result<(String, Option<String>), ExtractHeredocError> {
-    match shell {
-        ApplyPatchShell::Unix | ApplyPatchShell::PowerShell | ApplyPatchShell::Cmd => {
-            extract_apply_patch_from_bash(script)
-        }
-    }
-}
-
 pub fn maybe_parse_apply_patch(argv: &[String]) -> MaybeApplyPatch {
    match argv {
        // Direct invocation: apply_patch <patch>
@@ -161,9 +103,9 @@ pub fn maybe_parse_apply_patch(argv: &[String]) -> MaybeApplyPatch {
            Ok(source) => MaybeApplyPatch::Body(source),
            Err(e) => MaybeApplyPatch::PatchParseError(e),
        },
-        // Shell heredoc form: (optional `cd <path> &&`) apply_patch <<'EOF' ...
-        _ => match parse_shell_script(argv) {
-            Some((shell, script)) => match extract_apply_patch_from_shell(shell, script) {
+        // Bash heredoc form: (optional `cd <path> &&`) apply_patch <<'EOF' ...
+        [bash, flag, script] if bash == "bash" && flag == "-lc" => {
+            match extract_apply_patch_from_bash(script) {
                Ok((body, workdir)) => match parse_patch(&body) {
                    Ok(mut source) => {
                        source.workdir = workdir;
@@ -175,9 +117,9 @@ pub fn maybe_parse_apply_patch(argv: &[String]) -> MaybeApplyPatch {
                    MaybeApplyPatch::NotApplyPatch
                }
                Err(e) => MaybeApplyPatch::ShellParseError(e),
-            },
-            None => MaybeApplyPatch::NotApplyPatch,
-        },
+            }
+        }
+        _ => MaybeApplyPatch::NotApplyPatch,
    }
 }

@@ -272,17 +214,24 @@ impl ApplyPatchAction {
 /// cwd must be an absolute path so that we can resolve relative paths in the
 /// patch.
 pub fn maybe_parse_apply_patch_verified(argv: &[String], cwd: &Path) -> MaybeApplyPatchVerified {
-    // Detect a raw patch body passed directly as the command or as the body of a shell
+    // Detect a raw patch body passed directly as the command or as the body of a bash -lc
    // script. In these cases, report an explicit error rather than applying the patch.
-    if let [body] = argv
-        && parse_patch(body).is_ok()
-    {
-        return MaybeApplyPatchVerified::CorrectnessError(ApplyPatchError::ImplicitInvocation);
-    }
-    if let Some((_, script)) = parse_shell_script(argv)
-        && parse_patch(script).is_ok()
-    {
-        return MaybeApplyPatchVerified::CorrectnessError(ApplyPatchError::ImplicitInvocation);
+    match argv {
+        [body] => {
+            if parse_patch(body).is_ok() {
+                return MaybeApplyPatchVerified::CorrectnessError(
+                    ApplyPatchError::ImplicitInvocation,
+                );
+            }
+        }
+        [bash, flag, script] if bash == "bash" && flag == "-lc" => {
+            if parse_patch(script).is_ok() {
+                return MaybeApplyPatchVerified::CorrectnessError(
+                    ApplyPatchError::ImplicitInvocation,
+                );
+            }
+        }
+        _ => {}
    }

    match maybe_parse_apply_patch(argv) {
@@ -914,22 +863,6 @@ mod tests {
        strs_to_strings(&["bash", "-lc", script])
    }

-    fn args_powershell(script: &str) -> Vec<String> {
-        strs_to_strings(&["powershell.exe", "-Command", script])
-    }
-
-    fn args_powershell_no_profile(script: &str) -> Vec<String> {
-        strs_to_strings(&["powershell.exe", "-NoProfile", "-Command", script])
-    }
-
-    fn args_pwsh(script: &str) -> Vec<String> {
-        strs_to_strings(&["pwsh", "-NoProfile", "-Command", script])
-    }
-
-    fn args_cmd(script: &str) -> Vec<String> {
-        strs_to_strings(&["cmd.exe", "/c", script])
-    }
-
    fn heredoc_script(prefix: &str) -> String {
        format!(
            "{prefix}apply_patch <<'PATCH'\n*** Begin Patch\n*** Add File: foo\n+hi\n*** End Patch\nPATCH"
@@ -949,7 +882,8 @@ mod tests {
        }]
    }

-    fn assert_match_args(args: Vec<String>, expected_workdir: Option<&str>) {
+    fn assert_match(script: &str, expected_workdir: Option<&str>) {
+        let args = args_bash(script);
        match maybe_parse_apply_patch(&args) {
            MaybeApplyPatch::Body(ApplyPatchArgs { hunks, workdir, .. }) => {
                assert_eq!(workdir.as_deref(), expected_workdir);
@@ -959,11 +893,6 @@ mod tests {
        }
    }

-    fn assert_match(script: &str, expected_workdir: Option<&str>) {
-        let args = args_bash(script);
-        assert_match_args(args, expected_workdir);
-    }
-
    fn assert_not_match(script: &str) {
        let args = args_bash(script);
        assert_matches!(
@@ -1077,28 +1006,6 @@ PATCH"#,
        }
    }

-    #[test]
-    fn test_powershell_heredoc() {
-        let script = heredoc_script("");
-        assert_match_args(args_powershell(&script), None);
-    }
-    #[test]
-    fn test_powershell_heredoc_no_profile() {
-        let script = heredoc_script("");
-        assert_match_args(args_powershell_no_profile(&script), None);
-    }
-    #[test]
-    fn test_pwsh_heredoc() {
-        let script = heredoc_script("");
-        assert_match_args(args_pwsh(&script), None);
-    }
-
-    #[test]
-    fn test_cmd_heredoc_with_cd() {
-        let script = heredoc_script("cd foo && ");
-        assert_match_args(args_cmd(&script), Some("foo"));
-    }
-
    #[test]
    fn test_heredoc_with_leading_cd() {
        assert_match(&heredoc_script("cd foo && "), Some("foo"));
--- a/codex-rs/arg0/Cargo.toml
+++ b/codex-rs/arg0/Cargo.toml
@@ -1,8 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-arg0"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
+version = { workspace = true }

 [lib]
 name = "codex_arg0"
--- a/codex-rs/async-utils/Cargo.toml
+++ b/codex-rs/async-utils/Cargo.toml
@@ -1,8 +1,7 @@
 [package]
+edition.workspace = true
 name = "codex-async-utils"
 version.workspace = true
-edition.workspace = true
-license.workspace = true

 [lints]
 workspace = true
--- a/codex-rs/backend-client/Cargo.toml
+++ b/codex-rs/backend-client/Cargo.toml
@@ -1,8 +1,7 @@
 [package]
 name = "codex-backend-client"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
+version = "0.0.0"
+edition = "2024"
 publish = false

 [lib]
--- a/codex-rs/backend-client/src/client.rs
+++ b/codex-rs/backend-client/src/client.rs
@@ -1,5 +1,4 @@
 use crate::types::CodeTaskDetailsResponse;
-use crate::types::CreditStatusDetails;
 use crate::types::PaginatedListTaskListItem;
 use crate::types::RateLimitStatusPayload;
 use crate::types::RateLimitWindowSnapshot;
@@ -7,7 +6,6 @@ use crate::types::TurnAttemptsSiblingTurnsResponse;
 use anyhow::Result;
 use codex_core::auth::CodexAuth;
 use codex_core::default_client::get_codex_user_agent;
-use codex_protocol::protocol::CreditsSnapshot;
 use codex_protocol::protocol::RateLimitSnapshot;
 use codex_protocol::protocol::RateLimitWindow;
 use reqwest::header::AUTHORIZATION;
@@ -274,23 +272,19 @@ impl Client {

    // rate limit helpers
    fn rate_limit_snapshot_from_payload(payload: RateLimitStatusPayload) -> RateLimitSnapshot {
-        let rate_limit_details = payload
+        let Some(details) = payload
            .rate_limit
-            .and_then(|inner| inner.map(|boxed| *boxed));
-
-        let (primary, secondary) = if let Some(details) = rate_limit_details {
-            (
-                Self::map_rate_limit_window(details.primary_window),
-                Self::map_rate_limit_window(details.secondary_window),
-            )
-        } else {
-            (None, None)
+            .and_then(|inner| inner.map(|boxed| *boxed))
+        else {
+            return RateLimitSnapshot {
+                primary: None,
+                secondary: None,
+            };
        };

        RateLimitSnapshot {
-            primary,
-            secondary,
-            credits: Self::map_credits(payload.credits),
+            primary: Self::map_rate_limit_window(details.primary_window),
+            secondary: Self::map_rate_limit_window(details.secondary_window),
        }
    }

@@ -312,19 +306,6 @@ impl Client {
        })
    }

-    fn map_credits(credits: Option<Option<Box<CreditStatusDetails>>>) -> Option<CreditsSnapshot> {
-        let details = match credits {
-            Some(Some(details)) => *details,
-            _ => return None,
-        };
-
-        Some(CreditsSnapshot {
-            has_credits: details.has_credits,
-            unlimited: details.unlimited,
-            balance: details.balance.and_then(|inner| inner),
-        })
-    }
-
    fn window_minutes_from_seconds(seconds: i32) -> Option<i64> {
        if seconds <= 0 {
            return None;
--- a/codex-rs/backend-client/src/types.rs
+++ b/codex-rs/backend-client/src/types.rs
@@ -1,4 +1,3 @@
-pub use codex_backend_openapi_models::models::CreditStatusDetails;
 pub use codex_backend_openapi_models::models::PaginatedListTaskListItem;
 pub use codex_backend_openapi_models::models::PlanType;
 pub use codex_backend_openapi_models::models::RateLimitStatusDetails;
--- a/codex-rs/chatgpt/Cargo.toml
+++ b/codex-rs/chatgpt/Cargo.toml
@@ -1,8 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-chatgpt"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
+version = { workspace = true }

 [lints]
 workspace = true
--- a/codex-rs/cli/Cargo.toml
+++ b/codex-rs/cli/Cargo.toml
@@ -1,8 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-cli"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
+version = { workspace = true }

 [[bin]]
 name = "codex"
@@ -27,7 +26,6 @@ codex-cloud-tasks = { path = "../cloud-tasks" }
 codex-common = { workspace = true, features = ["cli"] }
 codex-core = { workspace = true }
 codex-exec = { workspace = true }
-codex-execpolicy = { workspace = true }
 codex-login = { workspace = true }
 codex-mcp-server = { workspace = true }
 codex-process-hardening = { workspace = true }
--- a/codex-rs/cli/src/main.rs
+++ b/codex-rs/cli/src/main.rs
@@ -18,7 +18,6 @@ use codex_cli::login::run_logout;
 use codex_cloud_tasks::Cli as CloudTasksCli;
 use codex_common::CliConfigOverrides;
 use codex_exec::Cli as ExecCli;
-use codex_execpolicy::ExecPolicyCheckCommand;
 use codex_responses_api_proxy::Args as ResponsesApiProxyArgs;
 use codex_tui::AppExitInfo;
 use codex_tui::Cli as TuiCli;
@@ -94,10 +93,6 @@ enum Subcommand {
    #[clap(visible_alias = "debug")]
    Sandbox(SandboxArgs),

-    /// Execpolicy tooling.
-    #[clap(hide = true)]
-    Execpolicy(ExecpolicyCommand),
-
    /// Apply the latest diff produced by Codex agent as a `git apply` to your local working tree.
    #[clap(visible_alias = "a")]
    Apply(ApplyCommand),
@@ -167,19 +162,6 @@ enum SandboxCommand {
    Windows(WindowsCommand),
 }

-#[derive(Debug, Parser)]
-struct ExecpolicyCommand {
-    #[command(subcommand)]
-    sub: ExecpolicySubcommand,
-}
-
-#[derive(Debug, clap::Subcommand)]
-enum ExecpolicySubcommand {
-    /// Check execpolicy files against a command.
-    #[clap(name = "check")]
-    Check(ExecPolicyCheckCommand),
-}
-
 #[derive(Debug, Parser)]
 struct LoginCommand {
    #[clap(skip)]
@@ -345,10 +327,6 @@ fn run_update_action(action: UpdateAction) -> anyhow::Result<()> {
    Ok(())
 }

-fn run_execpolicycheck(cmd: ExecPolicyCheckCommand) -> anyhow::Result<()> {
-    cmd.run()
-}
-
 #[derive(Debug, Default, Parser, Clone)]
 struct FeatureToggles {
    /// Enable a feature (repeatable). Equivalent to `-c features.<name>=true`.
@@ -571,9 +549,6 @@ async fn cli_main(codex_linux_sandbox_exe: Option<PathBuf>) -> anyhow::Result<()
                .await?;
            }
        },
-        Some(Subcommand::Execpolicy(ExecpolicyCommand { sub })) => match sub {
-            ExecpolicySubcommand::Check(cmd) => run_execpolicycheck(cmd)?,
-        },
        Some(Subcommand::Apply(mut apply_cli)) => {
            prepend_config_flags(
                &mut apply_cli.config_overrides,
--- a/codex-rs/cli/src/mcp_cmd.rs
+++ b/codex-rs/cli/src/mcp_cmd.rs
@@ -79,7 +79,6 @@ pub struct GetArgs {
 }

 #[derive(Debug, clap::Parser)]
-#[command(override_usage = "codex mcp add [OPTIONS] <NAME> (--url <URL> | -- <COMMAND>...)")]
 pub struct AddArgs {
    /// Name for the MCP server configuration.
    pub name: String,
--- a/codex-rs/cli/tests/execpolicy.rs
+++ b/codex-rs/cli/tests/execpolicy.rs
@@ -1,58 +0,0 @@
-use std::fs;
-
-use assert_cmd::Command;
-use pretty_assertions::assert_eq;
-use serde_json::json;
-use tempfile::TempDir;
-
-#[test]
-fn execpolicy_check_matches_expected_json() -> Result<(), Box<dyn std::error::Error>> {
-    let codex_home = TempDir::new()?;
-    let policy_path = codex_home.path().join("policy.codexpolicy");
-    fs::write(
-        &policy_path,
-        r#"
-prefix_rule(
-    pattern = ["git", "push"],
-    decision = "forbidden",
-)
-"#,
-    )?;
-
-    let output = Command::cargo_bin("codex")?
-        .env("CODEX_HOME", codex_home.path())
-        .args([
-            "execpolicy",
-            "check",
-            "--policy",
-            policy_path
-                .to_str()
-                .expect("policy path should be valid UTF-8"),
-            "git",
-            "push",
-            "origin",
-            "main",
-        ])
-        .output()?;
-
-    assert!(output.status.success());
-    let result: serde_json::Value = serde_json::from_slice(&output.stdout)?;
-    assert_eq!(
-        result,
-        json!({
-            "match": {
-                "decision": "forbidden",
-                "matchedRules": [
-                    {
-                        "prefixRuleMatch": {
-                            "matchedPrefix": ["git", "push"],
-                            "decision": "forbidden"
-                        }
-                    }
-                ]
-            }
-        })
-    );
-
-    Ok(())
-}
--- a/codex-rs/cloud-tasks-client/Cargo.toml
+++ b/codex-rs/cloud-tasks-client/Cargo.toml
@@ -1,8 +1,7 @@
 [package]
 name = "codex-cloud-tasks-client"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
+version = { workspace = true }
+edition = "2024"

 [lib]
 name = "codex_cloud_tasks_client"
--- a/codex-rs/cloud-tasks/Cargo.toml
+++ b/codex-rs/cloud-tasks/Cargo.toml
@@ -1,8 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-cloud-tasks"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
+version = { workspace = true }

 [lib]
 name = "codex_cloud_tasks"
--- a/codex-rs/codex-backend-openapi-models/Cargo.toml
+++ b/codex-rs/codex-backend-openapi-models/Cargo.toml
@@ -1,8 +1,7 @@
 [package]
 name = "codex-backend-openapi-models"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
+version = { workspace = true }
+edition = "2024"

 [lib]
 name = "codex_backend_openapi_models"
--- a/codex-rs/common/Cargo.toml
+++ b/codex-rs/common/Cargo.toml
@@ -1,8 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-common"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
+version = { workspace = true }

 [lints]
 workspace = true
--- a/codex-rs/common/src/config_summary.rs
+++ b/codex-rs/common/src/config_summary.rs
@@ -15,12 +15,13 @@ pub fn create_config_summary_entries(config: &Config) -> Vec<(&'static str, Stri
    if config.model_provider.wire_api == WireApi::Responses
        && config.model_family.supports_reasoning_summaries
    {
-        let reasoning_effort = config
-            .model_reasoning_effort
-            .or(config.model_family.default_reasoning_effort)
-            .map(|effort| effort.to_string())
-            .unwrap_or_else(|| "none".to_string());
-        entries.push(("reasoning effort", reasoning_effort));
+        entries.push((
+            "reasoning effort",
+            config
+                .model_reasoning_effort
+                .map(|effort| effort.to_string())
+                .unwrap_or_else(|| "none".to_string()),
+        ));
        entries.push((
            "reasoning summaries",
            config.model_reasoning_summary.to_string(),
--- a/codex-rs/common/src/model_presets.rs
+++ b/codex-rs/common/src/model_presets.rs
@@ -4,10 +4,6 @@ use codex_app_server_protocol::AuthMode;
 use codex_core::protocol_config_types::ReasoningEffort;
 use once_cell::sync::Lazy;

-pub const HIDE_GPT5_1_MIGRATION_PROMPT_CONFIG: &str = "hide_gpt5_1_migration_prompt";
-pub const HIDE_GPT_5_1_CODEX_MAX_MIGRATION_PROMPT_CONFIG: &str =
-    "hide_gpt-5.1-codex-max_migration_prompt";
-
 /// A reasoning effort option that can be surfaced for a model.
 #[derive(Debug, Clone, Copy)]
 pub struct ReasoningEffortPreset {
@@ -21,7 +17,6 @@ pub struct ReasoningEffortPreset {
 pub struct ModelUpgrade {
    pub id: &'static str,
    pub reasoning_effort_mapping: Option<HashMap<ReasoningEffort, ReasoningEffort>>,
-    pub migration_config_key: &'static str,
 }

 /// Metadata describing a Codex-supported model.
@@ -43,40 +38,10 @@ pub struct ModelPreset {
    pub is_default: bool,
    /// recommended upgrade model
    pub upgrade: Option<ModelUpgrade>,
-    /// Whether this preset should appear in the picker UI.
-    pub show_in_picker: bool,
 }

 static PRESETS: Lazy<Vec<ModelPreset>> = Lazy::new(|| {
    vec![
-        ModelPreset {
-            id: "gpt-5.1-codex-max",
-            model: "gpt-5.1-codex-max",
-            display_name: "gpt-5.1-codex-max",
-            description: "Latest Codex-optimized flagship for deep and fast reasoning.",
-            default_reasoning_effort: ReasoningEffort::Medium,
-            supported_reasoning_efforts: &[
-                ReasoningEffortPreset {
-                    effort: ReasoningEffort::Low,
-                    description: "Fast responses with lighter reasoning",
-                },
-                ReasoningEffortPreset {
-                    effort: ReasoningEffort::Medium,
-                    description: "Balances speed and reasoning depth for everyday tasks",
-                },
-                ReasoningEffortPreset {
-                    effort: ReasoningEffort::High,
-                    description: "Maximizes reasoning depth for complex problems",
-                },
-                ReasoningEffortPreset {
-                    effort: ReasoningEffort::XHigh,
-                    description: "Extra high reasoning depth for complex problems",
-                },
-            ],
-            is_default: true,
-            upgrade: None,
-            show_in_picker: true,
-        },
        ModelPreset {
            id: "gpt-5.1-codex",
            model: "gpt-5.1-codex",
@@ -97,13 +62,8 @@ static PRESETS: Lazy<Vec<ModelPreset>> = Lazy::new(|| {
                    description: "Maximizes reasoning depth for complex or ambiguous problems",
                },
            ],
-            is_default: false,
-            upgrade: Some(ModelUpgrade {
-                id: "gpt-5.1-codex-max",
-                reasoning_effort_mapping: None,
-                migration_config_key: HIDE_GPT_5_1_CODEX_MAX_MIGRATION_PROMPT_CONFIG,
-            }),
-            show_in_picker: true,
+            is_default: true,
+            upgrade: None,
        },
        ModelPreset {
            id: "gpt-5.1-codex-mini",
@@ -122,12 +82,7 @@ static PRESETS: Lazy<Vec<ModelPreset>> = Lazy::new(|| {
                },
            ],
            is_default: false,
-            upgrade: Some(ModelUpgrade {
-                id: "gpt-5.1-codex-max",
-                reasoning_effort_mapping: None,
-                migration_config_key: HIDE_GPT_5_1_CODEX_MAX_MIGRATION_PROMPT_CONFIG,
-            }),
-            show_in_picker: true,
+            upgrade: None,
        },
        ModelPreset {
            id: "gpt-5.1",
@@ -150,12 +105,7 @@ static PRESETS: Lazy<Vec<ModelPreset>> = Lazy::new(|| {
                },
            ],
            is_default: false,
-            upgrade: Some(ModelUpgrade {
-                id: "gpt-5.1-codex-max",
-                reasoning_effort_mapping: None,
-                migration_config_key: HIDE_GPT_5_1_CODEX_MAX_MIGRATION_PROMPT_CONFIG,
-            }),
-            show_in_picker: true,
+            upgrade: None,
        },
        // Deprecated models.
        ModelPreset {
@@ -180,11 +130,9 @@ static PRESETS: Lazy<Vec<ModelPreset>> = Lazy::new(|| {
            ],
            is_default: false,
            upgrade: Some(ModelUpgrade {
-                id: "gpt-5.1-codex-max",
+                id: "gpt-5.1-codex",
                reasoning_effort_mapping: None,
-                migration_config_key: HIDE_GPT_5_1_CODEX_MAX_MIGRATION_PROMPT_CONFIG,
            }),
-            show_in_picker: false,
        },
        ModelPreset {
            id: "gpt-5-codex-mini",
@@ -206,9 +154,7 @@ static PRESETS: Lazy<Vec<ModelPreset>> = Lazy::new(|| {
            upgrade: Some(ModelUpgrade {
                id: "gpt-5.1-codex-mini",
                reasoning_effort_mapping: None,
-                migration_config_key: HIDE_GPT5_1_MIGRATION_PROMPT_CONFIG,
            }),
-            show_in_picker: false,
        },
        ModelPreset {
            id: "gpt-5",
@@ -236,22 +182,21 @@ static PRESETS: Lazy<Vec<ModelPreset>> = Lazy::new(|| {
            ],
            is_default: false,
            upgrade: Some(ModelUpgrade {
-                id: "gpt-5.1-codex-max",
-                reasoning_effort_mapping: None,
-                migration_config_key: HIDE_GPT_5_1_CODEX_MAX_MIGRATION_PROMPT_CONFIG,
+                id: "gpt-5.1",
+                reasoning_effort_mapping: Some(HashMap::from([(
+                    ReasoningEffort::Minimal,
+                    ReasoningEffort::Low,
+                )])),
            }),
-            show_in_picker: false,
        },
    ]
 });

-pub fn builtin_model_presets(auth_mode: Option<AuthMode>) -> Vec<ModelPreset> {
+pub fn builtin_model_presets(_auth_mode: Option<AuthMode>) -> Vec<ModelPreset> {
+    // leave auth mode for later use
    PRESETS
        .iter()
-        .filter(|preset| match auth_mode {
-            Some(AuthMode::ApiKey) => preset.show_in_picker && preset.id != "gpt-5.1-codex-max",
-            _ => preset.show_in_picker,
-        })
+        .filter(|preset| preset.upgrade.is_none())
        .cloned()
        .collect()
 }
@@ -263,21 +208,10 @@ pub fn all_model_presets() -> &'static Vec<ModelPreset> {
 #[cfg(test)]
 mod tests {
    use super::*;
-    use codex_app_server_protocol::AuthMode;

    #[test]
    fn only_one_default_model_is_configured() {
        let default_models = PRESETS.iter().filter(|preset| preset.is_default).count();
        assert!(default_models == 1);
    }
-
-    #[test]
-    fn gpt_5_1_codex_max_hidden_for_api_key_auth() {
-        let presets = builtin_model_presets(Some(AuthMode::ApiKey));
-        assert!(
-            presets
-                .iter()
-                .all(|preset| preset.id != "gpt-5.1-codex-max")
-        );
-    }
 }
--- a/codex-rs/core/Cargo.toml
+++ b/codex-rs/core/Cargo.toml
@@ -1,8 +1,7 @@
 [package]
+edition = "2024"
 name = "codex-core"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
+version = { workspace = true }

 [lib]
 doctest = false
@@ -20,11 +19,9 @@ async-trait = { workspace = true }
 base64 = { workspace = true }
 bytes = { workspace = true }
 chrono = { workspace = true, features = ["serde"] }
-chardetng = { workspace = true }
 codex-app-server-protocol = { workspace = true }
 codex-apply-patch = { workspace = true }
 codex-async-utils = { workspace = true }
-codex-execpolicy = { workspace = true }
 codex-file-search = { workspace = true }
 codex-git = { workspace = true }
 codex-keyring-store = { workspace = true }
@@ -34,11 +31,11 @@ codex-rmcp-client = { workspace = true }
 codex-utils-pty = { workspace = true }
 codex-utils-readiness = { workspace = true }
 codex-utils-string = { workspace = true }
+codex-utils-tokenizer = { workspace = true }
 codex-windows-sandbox = { package = "codex-windows-sandbox", path = "../windows-sandbox-rs" }
 dirs = { workspace = true }
 dunce = { workspace = true }
 env-flags = { workspace = true }
-encoding_rs = { workspace = true }
 eventsource-stream = { workspace = true }
 futures = { workspace = true }
 http = { workspace = true }
@@ -57,9 +54,6 @@ sha2 = { workspace = true }
 shlex = { workspace = true }
 similar = { workspace = true }
 strum_macros = { workspace = true }
-url = { workspace = true }
-once_cell = { workspace = true }
-regex = { workspace = true }
 tempfile = { workspace = true }
 test-case = "3.3.1"
 test-log = { workspace = true }
--- a/codex-rs/core/gpt-5.1-codex-max_prompt.md
+++ b/codex-rs/core/gpt-5.1-codex-max_prompt.md
@@ -1,117 +0,0 @@
-You are Codex, based on GPT-5. You are running as a coding agent in the Codex CLI on a user's computer.
-
-## General
-
- When searching for text or files, prefer using `rg` or `rg --files` respectively because `rg` is much faster than alternatives like `grep`. (If the `rg` command is not found, then use alternatives.)
-
-## Editing constraints
-
- Default to ASCII when editing or creating files. Only introduce non-ASCII or other Unicode characters when there is a clear justification and the file already uses them.
- Add succinct code comments that explain what is going on if code is not self-explanatory. You should not add comments like "Assigns the value to the variable", but a brief comment might be useful ahead of a complex code block that the user would otherwise have to spend time parsing out. Usage of these comments should be rare.
- Try to use apply_patch for single file edits, but it is fine to explore other options to make the edit if it does not work well. Do not use apply_patch for changes that are auto-generated (i.e. generating package.json or running a lint or format command like gofmt) or when scripting is more efficient (such as search and replacing a string across a codebase).
- You may be in a dirty git worktree.
-    * NEVER revert existing changes you did not make unless explicitly requested, since these changes were made by the user.
-    * If asked to make a commit or code edits and there are unrelated changes to your work or changes that you didn't make in those files, don't revert those changes.
-    * If the changes are in files you've touched recently, you should read carefully and understand how you can work with the changes rather than reverting them.
-    * If the changes are in unrelated files, just ignore them and don't revert them.
- Do not amend a commit unless explicitly requested to do so.
- While you are working, you might notice unexpected changes that you didn't make. If this happens, STOP IMMEDIATELY and ask the user how they would like to proceed.
- **NEVER** use destructive commands like `git reset --hard` or `git checkout --` unless specifically requested or approved by the user.
-
-## Plan tool
-
-When using the planning tool:
- Skip using the planning tool for straightforward tasks (roughly the easiest 25%).
- Do not make single-step plans.
- When you made a plan, update it after having performed one of the sub-tasks that you shared on the plan.
-
-## Codex CLI harness, sandboxing, and approvals
-
-The Codex CLI harness supports several different configurations for sandboxing and escalation approvals that the user can choose from.
-
-Filesystem sandboxing defines which files can be read or written. The options for `sandbox_mode` are:
- **read-only**: The sandbox only permits reading files.
- **workspace-write**: The sandbox permits reading files, and editing files in `cwd` and `writable_roots`. Editing files in other directories requires approval.
- **danger-full-access**: No filesystem sandboxing - all commands are permitted.
-
-Network sandboxing defines whether network can be accessed without approval. Options for `network_access` are:
- **restricted**: Requires approval
- **enabled**: No approval needed
-
-Approvals are your mechanism to get user consent to run shell commands without the sandbox. Possible configuration options for `approval_policy` are
- **untrusted**: The harness will escalate most commands for user approval, apart from a limited allowlist of safe "read" commands.
- **on-failure**: The harness will allow all commands to run in the sandbox (if enabled), and failures will be escalated to the user for approval to run again without the sandbox.
- **on-request**: Commands will be run in the sandbox by default, and you can specify in your tool call if you want to escalate a command to run without sandboxing. (Note that this mode is not always available. If it is, you'll see parameters for it in the `shell` command description.)
- **never**: This is a non-interactive mode where you may NEVER ask the user for approval to run commands. Instead, you must always persist and work around constraints to solve the task for the user. You MUST do your utmost best to finish the task and validate your work before yielding. If this mode is paired with `danger-full-access`, take advantage of it to deliver the best outcome for the user. Further, in this mode, your default testing philosophy is overridden: Even if you don't see local patterns for testing, you may add tests and scripts to validate your work. Just remove them before yielding.
-
-When you are running with `approval_policy == on-request`, and sandboxing enabled, here are scenarios where you'll need to request approval:
- You need to run a command that writes to a directory that requires it (e.g. running tests that write to /var)
- You need to run a GUI app (e.g., open/xdg-open/osascript) to open browsers or files.
- You are running sandboxed and need to run a command that requires network access (e.g. installing packages)
- If you run a command that is important to solving the user's query, but it fails because of sandboxing, rerun the command with approval. ALWAYS proceed to use the `with_escalated_permissions` and `justification` parameters - do not message the user before requesting approval for the command.
- You are about to take a potentially destructive action such as an `rm` or `git reset` that the user did not explicitly ask for
- (for all of these, you should weigh alternative paths that do not require approval)
-
-When `sandbox_mode` is set to read-only, you'll need to request approval for any command that isn't a read.
-
-You will be told what filesystem sandboxing, network sandboxing, and approval mode are active in a developer or user message. If you are not told about this, assume that you are running with workspace-write, network sandboxing enabled, and approval on-failure.
-
-Although they introduce friction to the user because your work is paused until the user responds, you should leverage them when necessary to accomplish important work. If the completing the task requires escalated permissions, Do not let these settings or the sandbox deter you from attempting to accomplish the user's task unless it is set to "never", in which case never ask for approvals.
-
-When requesting approval to execute a command that will require escalated privileges:
-  - Provide the `with_escalated_permissions` parameter with the boolean value true
-  - Include a short, 1 sentence explanation for why you need to enable `with_escalated_permissions` in the justification parameter
-
-## Special user requests
-
- If the user makes a simple request (such as asking for the time) which you can fulfill by running a terminal command (such as `date`), you should do so.
- If the user asks for a "review", default to a code review mindset: prioritise identifying bugs, risks, behavioural regressions, and missing tests. Findings must be the primary focus of the response - keep summaries or overviews brief and only after enumerating the issues. Present findings first (ordered by severity with file/line references), follow with open questions or assumptions, and offer a change-summary only as a secondary detail. If no findings are discovered, state that explicitly and mention any residual risks or testing gaps.
-
-## Frontend tasks
-When doing frontend design tasks, avoid collapsing into "AI slop" or safe, average-looking layouts.
-Aim for interfaces that feel intentional, bold, and a bit surprising.
- Typography: Use expressive, purposeful fonts and avoid default stacks (Inter, Roboto, Arial, system).
- Color & Look: Choose a clear visual direction; define CSS variables; avoid purple-on-white defaults. No purple bias or dark mode bias.
- Motion: Use a few meaningful animations (page-load, staggered reveals) instead of generic micro-motions.
- Background: Don't rely on flat, single-color backgrounds; use gradients, shapes, or subtle patterns to build atmosphere.
- Overall: Avoid boilerplate layouts and interchangeable UI patterns. Vary themes, type families, and visual languages across outputs.
- Ensure the page loads properly on both desktop and mobile
-
-Exception: If working within an existing website or design system, preserve the established patterns, structure, and visual language.
-
-## Presenting your work and final message
-
-You are producing plain text that will later be styled by the CLI. Follow these rules exactly. Formatting should make results easy to scan, but not feel mechanical. Use judgment to decide how much structure adds value.
-
- Default: be very concise; friendly coding teammate tone.
- Ask only when needed; suggest ideas; mirror the user's style.
- For substantial work, summarize clearly; follow final‑answer formatting.
- Skip heavy formatting for simple confirmations.
- Don't dump large files you've written; reference paths only.
- No "save/copy this file" - User is on the same machine.
- Offer logical next steps (tests, commits, build) briefly; add verify steps if you couldn't do something.
- For code changes:
-  * Lead with a quick explanation of the change, and then give more details on the context covering where and why a change was made. Do not start this explanation with "summary", just jump right in.
-  * If there are natural next steps the user may want to take, suggest them at the end of your response. Do not make suggestions if there are no natural next steps.
-  * When suggesting multiple options, use numeric lists for the suggestions so the user can quickly respond with a single number.
- The user does not command execution outputs. When asked to show the output of a command (e.g. `git show`), relay the important details in your answer or summarize the key lines so the user understands the result.
-
-### Final answer structure and style guidelines
-
- Plain text; CLI handles styling. Use structure only when it helps scanability.
- Headers: optional; short Title Case (1-3 words) wrapped in **…**; no blank line before the first bullet; add only if they truly help.
- Bullets: use - ; merge related points; keep to one line when possible; 4–6 per list ordered by importance; keep phrasing consistent.
- Monospace: backticks for commands/paths/env vars/code ids and inline examples; use for literal keyword bullets; never combine with **.
- Code samples or multi-line snippets should be wrapped in fenced code blocks; include an info string as often as possible.
- Structure: group related bullets; order sections general → specific → supporting; for subsections, start with a bolded keyword bullet, then items; match complexity to the task.
- Tone: collaborative, concise, factual; present tense, active voice; self‑contained; no "above/below"; parallel wording.
- Don'ts: no nested bullets/hierarchies; no ANSI codes; don't cram unrelated keywords; keep keyword lists short—wrap/reformat if long; avoid naming formatting styles in answers.
- Adaptation: code explanations → precise, structured with code refs; simple tasks → lead with outcome; big changes → logical walkthrough + rationale + next actions; casual one-offs → plain sentences, no headers/bullets.
- File References: When referencing files in your response follow the below rules:
-  * Use inline code to make file paths clickable.
-  * Each reference should have a stand alone path. Even if it's the same file.
-  * Accepted: absolute, workspace‑relative, a/ or b/ diff prefixes, or bare filename/suffix.
-  * Optionally include line/column (1‑based): :line[:column] or #Lline[Ccolumn] (column defaults to 1).
-  * Do not use URIs like file://, vscode://, or https://.
-  * Do not provide range of lines
-  * Examples: src/app.ts, src/app.ts:42, b/server/index.js#L10, C:\repo\project\main.rs:12:5
--- a/codex-rs/core/src/bash.rs
+++ b/codex-rs/core/src/bash.rs
@@ -100,7 +100,7 @@ pub fn extract_bash_command(command: &[String]) -> Option<(&str, &str)> {
    if !matches!(flag.as_str(), "-lc" | "-c")
        || !matches!(
            detect_shell_type(&PathBuf::from(shell)),
-            Some(ShellType::Zsh) | Some(ShellType::Bash) | Some(ShellType::Sh)
+            Some(ShellType::Zsh) | Some(ShellType::Bash)
        )
    {
        return None;
--- a/codex-rs/core/src/client.rs
+++ b/codex-rs/core/src/client.rs
@@ -56,7 +56,6 @@ use crate::model_family::ModelFamily;
 use crate::model_provider_info::ModelProviderInfo;
 use crate::model_provider_info::WireApi;
 use crate::openai_model_info::get_model_info;
-use crate::protocol::CreditsSnapshot;
 use crate::protocol::RateLimitSnapshot;
 use crate::protocol::RateLimitWindow;
 use crate::protocol::TokenUsage;
@@ -727,13 +726,7 @@ fn parse_rate_limit_snapshot(headers: &HeaderMap) -> Option<RateLimitSnapshot> {
        "x-codex-secondary-reset-at",
    );

-    let credits = parse_credits_snapshot(headers);
-
-    Some(RateLimitSnapshot {
-        primary,
-        secondary,
-        credits,
-    })
+    Some(RateLimitSnapshot { primary, secondary })
 }

 fn parse_rate_limit_window(
@@ -760,20 +753,6 @@ fn parse_rate_limit_window(
    })
 }

-fn parse_credits_snapshot(headers: &HeaderMap) -> Option<CreditsSnapshot> {
-    let has_credits = parse_header_bool(headers, "x-codex-credits-has-credits")?;
-    let unlimited = parse_header_bool(headers, "x-codex-credits-unlimited")?;
-    let balance = parse_header_str(headers, "x-codex-credits-balance")
-        .map(str::trim)
-        .filter(|value| !value.is_empty())
-        .map(std::string::ToString::to_string);
-    Some(CreditsSnapshot {
-        has_credits,
-        unlimited,
-        balance,
-    })
-}
-
 fn parse_header_f64(headers: &HeaderMap, name: &str) -> Option<f64> {
    parse_header_str(headers, name)?
        .parse::<f64>()
@@ -785,17 +764,6 @@ fn parse_header_i64(headers: &HeaderMap, name: &str) -> Option<i64> {
    parse_header_str(headers, name)?.parse::<i64>().ok()
 }

-fn parse_header_bool(headers: &HeaderMap, name: &str) -> Option<bool> {
-    let raw = parse_header_str(headers, name)?;
-    if raw.eq_ignore_ascii_case("true") || raw == "1" {
-        Some(true)
-    } else if raw.eq_ignore_ascii_case("false") || raw == "0" {
-        Some(false)
-    } else {
-        None
-    }
-}
-
 fn parse_header_str<'a>(headers: &'a HeaderMap, name: &str) -> Option<&'a str> {
    headers.get(name)?.to_str().ok()
 }
--- a/codex-rs/core/src/client_common.rs
+++ b/codex-rs/core/src/client_common.rs
@@ -136,7 +136,7 @@ fn reserialize_shell_outputs(items: &mut [ResponseItem]) {
 }

 fn is_shell_tool_name(name: &str) -> bool {
-    matches!(name, "shell" | "container.exec")
+    matches!(name, "shell" | "container.exec" | "shell_command")
 }

 #[derive(Deserialize)]
@@ -165,9 +165,11 @@ fn build_structured_output(parsed: &ExecOutputJson) -> String {
    ));

    let mut output = parsed.output.clone();
-    if let Some((stripped, total_lines)) = strip_total_output_header(&parsed.output) {
+    if let Some(total_lines) = extract_total_output_lines(&parsed.output) {
        sections.push(format!("Total output lines: {total_lines}"));
-        output = stripped.to_string();
+        if let Some(stripped) = strip_total_output_header(&output) {
+            output = stripped.to_string();
+        }
    }

    sections.push("Output:".to_string());
@@ -176,12 +178,19 @@ fn build_structured_output(parsed: &ExecOutputJson) -> String {
    sections.join("\n")
 }

-fn strip_total_output_header(output: &str) -> Option<(&str, u32)> {
+fn extract_total_output_lines(output: &str) -> Option<u32> {
+    let marker_start = output.find("[... omitted ")?;
+    let marker = &output[marker_start..];
+    let (_, after_of) = marker.split_once(" of ")?;
+    let (total_segment, _) = after_of.split_once(' ')?;
+    total_segment.parse::<u32>().ok()
+}
+
+fn strip_total_output_header(output: &str) -> Option<&str> {
    let after_prefix = output.strip_prefix("Total output lines: ")?;
-    let (total_segment, remainder) = after_prefix.split_once('\n')?;
-    let total_lines = total_segment.parse::<u32>().ok()?;
+    let (_, remainder) = after_prefix.split_once('\n')?;
    let remainder = remainder.strip_prefix('\n').unwrap_or(remainder);
-    Some((remainder, total_lines))
+    Some(remainder)
 }

 #[derive(Debug)]
@@ -422,7 +431,7 @@ mod tests {
                expects_apply_patch_instructions: false,
            },
            InstructionsTestCase {
-                slug: "gpt-5.1-codex-max",
+                slug: "gpt-5.1-codex",
                expects_apply_patch_instructions: false,
            },
        ];
--- a/codex-rs/core/src/codex.rs
+++ b/codex-rs/core/src/codex.rs
@@ -5,12 +5,8 @@ use std::sync::Arc;
 use std::sync::atomic::AtomicU64;

 use crate::AuthManager;
-use crate::SandboxState;
 use crate::client_common::REVIEW_PROMPT;
 use crate::compact;
-use crate::compact::run_inline_auto_compact_task;
-use crate::compact::should_use_remote_compact_task;
-use crate::compact_remote::run_inline_remote_auto_compact_task;
 use crate::features::Feature;
 use crate::function_tool::FunctionCallError;
 use crate::parse_command::parse_command;
@@ -35,7 +31,6 @@ use codex_protocol::protocol::SessionSource;
 use codex_protocol::protocol::TaskStartedEvent;
 use codex_protocol::protocol::TurnAbortReason;
 use codex_protocol::protocol::TurnContextItem;
-use codex_rmcp_client::ElicitationResponse;
 use futures::future::BoxFuture;
 use futures::prelude::*;
 use futures::stream::FuturesOrdered;
@@ -46,7 +41,6 @@ use mcp_types::ListResourcesRequestParams;
 use mcp_types::ListResourcesResult;
 use mcp_types::ReadResourceRequestParams;
 use mcp_types::ReadResourceResult;
-use mcp_types::RequestId;
 use serde_json;
 use serde_json::Value;
 use tokio::sync::Mutex;
@@ -82,6 +76,7 @@ use crate::protocol::ApplyPatchApprovalRequestEvent;
 use crate::protocol::AskForApproval;
 use crate::protocol::BackgroundEventEvent;
 use crate::protocol::DeprecationNoticeEvent;
+use crate::protocol::ErrorEvent;
 use crate::protocol::Event;
 use crate::protocol::EventMsg;
 use crate::protocol::ExecApprovalRequestEvent;
@@ -123,7 +118,6 @@ use crate::user_instructions::UserInstructions;
 use crate::user_notification::UserNotification;
 use crate::util::backoff;
 use codex_async_utils::OrCancelExt;
-use codex_execpolicy::Policy as ExecPolicy;
 use codex_otel::otel_event_manager::OtelEventManager;
 use codex_protocol::config_types::ReasoningEffort as ReasoningEffortConfig;
 use codex_protocol::config_types::ReasoningSummary as ReasoningSummaryConfig;
@@ -131,11 +125,11 @@ use codex_protocol::models::ContentItem;
 use codex_protocol::models::FunctionCallOutputPayload;
 use codex_protocol::models::ResponseInputItem;
 use codex_protocol::models::ResponseItem;
-use codex_protocol::protocol::CodexErrorInfo;
 use codex_protocol::protocol::InitialHistory;
 use codex_protocol::user_input::UserInput;
 use codex_utils_readiness::Readiness;
 use codex_utils_readiness::ReadinessFlag;
+use codex_utils_tokenizer::warm_model_cache;

 /// The high-level interface to the Codex system.
 /// It operates as a queue pair where you send submissions and receive events.
@@ -169,10 +163,6 @@ impl Codex {

        let user_instructions = get_user_instructions(&config).await;

-        let exec_policy = crate::exec_policy::exec_policy_for(&config.features, &config.codex_home)
-            .await
-            .map_err(|err| CodexErr::Fatal(format!("failed to load execpolicy: {err}")))?;
-
        let config = Arc::new(config);

        let session_configuration = SessionConfiguration {
@@ -189,7 +179,6 @@ impl Codex {
            cwd: config.cwd.clone(),
            original_config_do_not_use: Arc::clone(&config),
            features: config.features.clone(),
-            exec_policy,
            session_source,
        };

@@ -287,7 +276,6 @@ pub(crate) struct TurnContext {
    pub(crate) final_output_json_schema: Option<Value>,
    pub(crate) codex_linux_sandbox_exe: Option<PathBuf>,
    pub(crate) tool_call_gate: Arc<ReadinessFlag>,
-    pub(crate) exec_policy: Arc<ExecPolicy>,
    pub(crate) truncation_policy: TruncationPolicy,
 }

@@ -344,8 +332,6 @@ pub(crate) struct SessionConfiguration {

    /// Set of feature flags for this session
    features: Features,
-    /// Execpolicy policy, applied only when enabled by feature flag.
-    exec_policy: Arc<ExecPolicy>,

    // TODO(pakrym): Remove config from here
    original_config_do_not_use: Arc<Config>,
@@ -446,7 +432,6 @@ impl Session {
            final_output_json_schema: None,
            codex_linux_sandbox_exe: config.codex_linux_sandbox_exe.clone(),
            tool_call_gate: Arc::new(ReadinessFlag::new()),
-            exec_policy: session_configuration.exec_policy.clone(),
            truncation_policy: TruncationPolicy::new(&per_turn_config),
        }
    }
@@ -495,7 +480,7 @@ impl Session {
        // - load history metadata
        let rollout_fut = RolloutRecorder::new(&config, rollout_params);

-        let default_shell = shell::default_user_shell();
+        let default_shell_fut = shell::default_user_shell();
        let history_meta_fut = crate::message_history::history_metadata(&config);
        let auth_statuses_fut = compute_auth_statuses(
            config.mcp_servers.iter(),
@@ -503,8 +488,12 @@ impl Session {
        );

        // Join all independent futures.
-        let (rollout_recorder, (history_log_id, history_entry_count), auth_statuses) =
-            tokio::join!(rollout_fut, history_meta_fut, auth_statuses_fut);
+        let (rollout_recorder, default_shell, (history_log_id, history_entry_count), auth_statuses) = tokio::join!(
+            rollout_fut,
+            default_shell_fut,
+            history_meta_fut,
+            auth_statuses_fut
+        );

        let rollout_recorder = rollout_recorder.map_err(|e| {
            error!("failed to initialize rollout recorder: {e:#}");
@@ -546,6 +535,7 @@ impl Session {
            config.model_reasoning_effort,
            config.model_reasoning_summary,
            config.model_context_window,
+            config.model_max_output_tokens,
            config.model_auto_compact_token_limit,
            config.approval_policy,
            config.sandbox_policy.clone(),
@@ -556,6 +546,9 @@ impl Session {
        // Create the mutable state for the Session.
        let state = SessionState::new(session_configuration.clone());

+        // Warm the tokenizer cache for the session model without blocking startup.
+        warm_model_cache(&session_configuration.model);
+
        let services = SessionServices {
            mcp_connection_manager: Arc::new(RwLock::new(McpConnectionManager::default())),
            mcp_startup_cancellation_token: CancellationToken::new(),
@@ -615,22 +608,6 @@ impl Session {
            )
            .await;

-        let sandbox_state = SandboxState {
-            sandbox_policy: session_configuration.sandbox_policy.clone(),
-            codex_linux_sandbox_exe: config.codex_linux_sandbox_exe.clone(),
-            sandbox_cwd: session_configuration.cwd.clone(),
-        };
-        if let Err(e) = sess
-            .services
-            .mcp_connection_manager
-            .read()
-            .await
-            .notify_sandbox_state_change(&sandbox_state)
-            .await
-        {
-            tracing::error!("Failed to notify sandbox state change: {e}");
-        }
-
        // record_initial_history can emit events. We record only after the SessionConfiguredEvent is emitted.
        sess.record_initial_history(initial_history).await;

@@ -661,11 +638,6 @@ impl Session {
        format!("auto-compact-{id}")
    }

-    async fn get_total_token_usage(&self) -> i64 {
-        let state = self.state.lock().await;
-        state.get_total_token_usage()
-    }
-
    async fn record_initial_history(&self, conversation_history: InitialHistory) {
        let turn_context = self.new_turn(SessionSettingsUpdate::default()).await;
        match conversation_history {
@@ -934,7 +906,6 @@ impl Session {

        let event = EventMsg::ApplyPatchApprovalRequest(ApplyPatchApprovalRequestEvent {
            call_id,
-            turn_id: turn_context.sub_id.clone(),
            changes,
            reason,
            grant_root,
@@ -964,19 +935,6 @@ impl Session {
        }
    }

-    pub async fn resolve_elicitation(
-        &self,
-        server_name: String,
-        id: RequestId,
-        response: ElicitationResponse,
-    ) -> anyhow::Result<()> {
-        self.services
-            .mcp_connection_manager
-            .read()
-            .await
-            .resolve_elicitation(server_name, id, response)
-    }
-
    /// Records input items: always append to conversation history and
    /// persist these response items to rollout.
    pub(crate) async fn record_conversation_items(
@@ -1085,7 +1043,7 @@ impl Session {
            Some(turn_context.cwd.clone()),
            Some(turn_context.approval_policy),
            Some(turn_context.sandbox_policy.clone()),
-            self.user_shell().clone(),
+            Some(self.user_shell().clone()),
        )));
        items
    }
@@ -1124,14 +1082,11 @@ impl Session {
        self.send_token_count_event(turn_context).await;
    }

-    pub(crate) async fn recompute_token_usage(&self, turn_context: &TurnContext) {
-        let Some(estimated_total_tokens) = self
-            .clone_history()
-            .await
-            .estimate_token_count(turn_context)
-        else {
-            return;
-        };
+    pub(crate) async fn override_last_token_usage_estimate(
+        &self,
+        turn_context: &TurnContext,
+        estimated_total_tokens: i64,
+    ) {
        {
            let mut state = self.state.lock().await;
            let mut info = state.token_info().unwrap_or(TokenUsageInfo {
@@ -1225,14 +1180,9 @@ impl Session {
        &self,
        turn_context: &TurnContext,
        message: impl Into<String>,
-        codex_error: CodexErr,
    ) {
-        let codex_error_info = CodexErrorInfo::ResponseStreamDisconnected {
-            http_status_code: codex_error.http_status_code_value(),
-        };
        let event = EventMsg::StreamError(StreamErrorEvent {
            message: message.into(),
-            codex_error_info: Some(codex_error_info),
        });
        self.send_event(turn_context, event).await;
    }
@@ -1379,10 +1329,7 @@ impl Session {
 }

 async fn submission_loop(sess: Arc<Session>, config: Arc<Config>, rx_sub: Receiver<Submission>) {
-    // Seed with context in case there is an OverrideTurnContext first.
-    let mut previous_context: Option<Arc<TurnContext>> =
-        Some(sess.new_turn(SessionSettingsUpdate::default()).await);
-
+    let mut previous_context: Option<Arc<TurnContext>> = None;
    // To break out of this loop, send Op::Shutdown.
    while let Ok(sub) = rx_sub.recv().await {
        debug!(?sub, "Submission");
@@ -1450,13 +1397,6 @@ async fn submission_loop(sess: Arc<Session>, config: Arc<Config>, rx_sub: Receiv
                )
                .await;
            }
-            Op::ResolveElicitation {
-                server_name,
-                request_id,
-                decision,
-            } => {
-                handlers::resolve_elicitation(&sess, server_name, request_id, decision).await;
-            }
            Op::Shutdown => {
                if handlers::shutdown(&sess, sub.id.clone()).await {
                    break;
@@ -1485,7 +1425,6 @@ mod handlers {
    use crate::tasks::UndoTask;
    use crate::tasks::UserShellCommandTask;
    use codex_protocol::custom_prompts::CustomPrompt;
-    use codex_protocol::protocol::CodexErrorInfo;
    use codex_protocol::protocol::ErrorEvent;
    use codex_protocol::protocol::Event;
    use codex_protocol::protocol::EventMsg;
@@ -1496,9 +1435,6 @@ mod handlers {
    use codex_protocol::protocol::TurnAbortReason;

    use codex_protocol::user_input::UserInput;
-    use codex_rmcp_client::ElicitationAction;
-    use codex_rmcp_client::ElicitationResponse;
-    use mcp_types::RequestId;
    use std::sync::Arc;
    use tracing::info;
    use tracing::warn;
@@ -1582,32 +1518,6 @@ mod handlers {
        *previous_context = Some(turn_context);
    }

-    pub async fn resolve_elicitation(
-        sess: &Arc<Session>,
-        server_name: String,
-        request_id: RequestId,
-        decision: codex_protocol::approvals::ElicitationAction,
-    ) {
-        let action = match decision {
-            codex_protocol::approvals::ElicitationAction::Accept => ElicitationAction::Accept,
-            codex_protocol::approvals::ElicitationAction::Decline => ElicitationAction::Decline,
-            codex_protocol::approvals::ElicitationAction::Cancel => ElicitationAction::Cancel,
-        };
-        let response = ElicitationResponse {
-            action,
-            content: None,
-        };
-        if let Err(err) = sess
-            .resolve_elicitation(server_name, request_id, response)
-            .await
-        {
-            warn!(
-                error = %err,
-                "failed to resolve elicitation request in session"
-            );
-        }
-    }
-
    pub async fn exec_approval(sess: &Arc<Session>, id: String, decision: ReviewDecision) {
        match decision {
            ReviewDecision::Abort => {
@@ -1761,7 +1671,6 @@ mod handlers {
                id: sub_id.clone(),
                msg: EventMsg::Error(ErrorEvent {
                    message: "Failed to shutdown rollout recorder".to_string(),
-                    codex_error_info: Some(CodexErrorInfo::Other),
                }),
            };
            sess.send_event_raw(event).await;
@@ -1867,7 +1776,6 @@ async fn spawn_review_thread(
        final_output_json_schema: None,
        codex_linux_sandbox_exe: parent_turn_context.codex_linux_sandbox_exe.clone(),
        tool_call_gate: Arc::new(ReadinessFlag::new()),
-        exec_policy: parent_turn_context.exec_policy.clone(),
        truncation_policy: TruncationPolicy::new(&per_turn_config),
    };

@@ -1963,24 +1871,26 @@ pub(crate) async fn run_task(
        .await
        {
            Ok(turn_output) => {
-                let processed_items = turn_output;
+                let TurnRunResult {
+                    processed_items,
+                    total_token_usage,
+                } = turn_output;
                let limit = turn_context
                    .client
                    .get_auto_compact_token_limit()
                    .unwrap_or(i64::MAX);
-                let total_usage_tokens = sess.get_total_token_usage().await;
-                let token_limit_reached = total_usage_tokens >= limit;
+                let total_usage_tokens = total_token_usage
+                    .as_ref()
+                    .map(TokenUsage::tokens_in_context_window);
+                let token_limit_reached = total_usage_tokens
+                    .map(|tokens| tokens >= limit)
+                    .unwrap_or(false);
                let (responses, items_to_record_in_conversation_history) =
                    process_items(processed_items, &sess, &turn_context).await;

                // as long as compaction works well in getting us way below the token limit, we shouldn't worry about being in an infinite loop.
                if token_limit_reached {
-                    if should_use_remote_compact_task(&sess).await {
-                        run_inline_remote_auto_compact_task(sess.clone(), turn_context.clone())
-                            .await;
-                    } else {
-                        run_inline_auto_compact_task(sess.clone(), turn_context.clone()).await;
-                    }
+                    compact::run_inline_auto_compact_task(sess.clone(), turn_context.clone()).await;
                    continue;
                }

@@ -2009,7 +1919,9 @@ pub(crate) async fn run_task(
            }
            Err(e) => {
                info!("Turn error: {e:#}");
-                let event = EventMsg::Error(e.to_error_event(None));
+                let event = EventMsg::Error(ErrorEvent {
+                    message: e.to_string(),
+                });
                sess.send_event(&turn_context, event).await;
                // let the user continue the conversation
                break;
@@ -2026,7 +1938,7 @@ async fn run_turn(
    turn_diff_tracker: SharedTurnDiffTracker,
    input: Vec<ResponseItem>,
    cancellation_token: CancellationToken,
-) -> CodexResult<Vec<ProcessedResponseItem>> {
+) -> CodexResult<TurnRunResult> {
    let mcp_tools = sess
        .services
        .mcp_connection_manager
@@ -2062,14 +1974,12 @@ async fn run_turn(
    let mut base_instructions = turn_context.base_instructions.clone();
    if parallel_tool_calls {
        static INSTRUCTIONS: &str = include_str!("../templates/parallel/instructions.md");
-        if let Some(family) =
-            find_family_for_model(&sess.state.lock().await.session_configuration.model)
-        {
-            let mut new_instructions = base_instructions.unwrap_or(family.base_instructions);
-            new_instructions.push_str(INSTRUCTIONS);
-            base_instructions = Some(new_instructions);
-        }
+        static INSERTION_SPOT: &str = "## Editing constraints";
+        base_instructions
+            .as_mut()
+            .map(|base| base.replace(INSERTION_SPOT, INSTRUCTIONS));
    }
+
    let prompt = Prompt {
        input,
        tools: router.specs(),
@@ -2134,7 +2044,6 @@ async fn run_turn(
                    sess.notify_stream_error(
                        &turn_context,
                        format!("Reconnecting... {retries}/{max_retries}"),
-                        e,
                    )
                    .await;

@@ -2157,6 +2066,12 @@ pub struct ProcessedResponseItem {
    pub response: Option<ResponseInputItem>,
 }

+#[derive(Debug)]
+struct TurnRunResult {
+    processed_items: Vec<ProcessedResponseItem>,
+    total_token_usage: Option<TokenUsage>,
+}
+
 #[allow(clippy::too_many_arguments)]
 async fn try_run_turn(
    router: Arc<ToolRouter>,
@@ -2165,7 +2080,7 @@ async fn try_run_turn(
    turn_diff_tracker: SharedTurnDiffTracker,
    prompt: &Prompt,
    cancellation_token: CancellationToken,
-) -> CodexResult<Vec<ProcessedResponseItem>> {
+) -> CodexResult<TurnRunResult> {
    let rollout_item = RolloutItem::TurnContext(TurnContextItem {
        cwd: turn_context.cwd.clone(),
        approval_policy: turn_context.approval_policy,
@@ -2327,7 +2242,12 @@ async fn try_run_turn(
                    sess.send_event(&turn_context, msg).await;
                }

-                return Ok(processed_items);
+                let result = TurnRunResult {
+                    processed_items,
+                    total_token_usage: token_usage.clone(),
+                };
+
+                return Ok(result);
            }
            ResponseEvent::OutputTextDelta(delta) => {
                // In review child threads, suppress assistant text deltas; the
@@ -2342,7 +2262,7 @@ async fn try_run_turn(
                    sess.send_event(&turn_context, EventMsg::AgentMessageContentDelta(event))
                        .await;
                } else {
-                    error_or_panic("OutputTextDelta without active item".to_string());
+                    error_or_panic("ReasoningSummaryDelta without active item".to_string());
                }
            }
            ResponseEvent::ReasoningSummaryDelta {
@@ -2436,16 +2356,12 @@ use crate::features::Features;
 #[cfg(test)]
 pub(crate) use tests::make_session_and_context;

-#[cfg(test)]
-pub(crate) use tests::make_session_and_context_with_rx;
-
 #[cfg(test)]
 mod tests {
    use super::*;
    use crate::config::ConfigOverrides;
    use crate::config::ConfigToml;
    use crate::exec::ExecToolCallOutput;
-    use crate::shell::default_user_shell;
    use crate::tools::format_exec_output_str;

    use crate::protocol::CompactedItem;
@@ -2555,9 +2471,8 @@ mod tests {
            duration: StdDuration::from_secs(1),
            timed_out: true,
        };
-        let (_, turn_context) = make_session_and_context();

-        let out = format_exec_output_str(&exec, turn_context.truncation_policy);
+        let out = format_exec_output_str(&exec);

        assert_eq!(
            out,
@@ -2673,7 +2588,6 @@ mod tests {
            cwd: config.cwd.clone(),
            original_config_do_not_use: Arc::clone(&config),
            features: Features::default(),
-            exec_policy: Arc::new(ExecPolicy::empty()),
            session_source: SessionSource::Exec,
        };

@@ -2685,7 +2599,7 @@ mod tests {
            unified_exec_manager: UnifiedExecSessionManager::default(),
            notifier: UserNotifier::new(None),
            rollout: Mutex::new(None),
-            user_shell: default_user_shell(),
+            user_shell: shell::Shell::Unknown,
            show_raw_agent_reasoning: config.show_raw_agent_reasoning,
            auth_manager: Arc::clone(&auth_manager),
            otel_event_manager: otel_event_manager.clone(),
@@ -2715,7 +2629,7 @@ mod tests {

    // Like make_session_and_context, but returns Arc<Session> and the event receiver
    // so tests can assert on emitted events.
-    pub(crate) fn make_session_and_context_with_rx() -> (
+    fn make_session_and_context_with_rx() -> (
        Arc<Session>,
        Arc<TurnContext>,
        async_channel::Receiver<Event>,
@@ -2751,7 +2665,6 @@ mod tests {
            cwd: config.cwd.clone(),
            original_config_do_not_use: Arc::clone(&config),
            features: Features::default(),
-            exec_policy: Arc::new(ExecPolicy::empty()),
            session_source: SessionSource::Exec,
        };

@@ -2763,7 +2676,7 @@ mod tests {
            unified_exec_manager: UnifiedExecSessionManager::default(),
            notifier: UserNotifier::new(None),
            rollout: Mutex::new(None),
-            user_shell: default_user_shell(),
+            user_shell: shell::Shell::Unknown,
            show_raw_agent_reasoning: config.show_raw_agent_reasoning,
            auth_manager: Arc::clone(&auth_manager),
            otel_event_manager: otel_event_manager.clone(),
@@ -3108,7 +3021,6 @@ mod tests {
        let session = Arc::new(session);
        let mut turn_context = Arc::new(turn_context_raw);

-        let timeout_ms = 1000;
        let params = ExecParams {
            command: if cfg!(windows) {
                vec![
@@ -3124,7 +3036,7 @@ mod tests {
                ]
            },
            cwd: turn_context.cwd.clone(),
-            expiration: timeout_ms.into(),
+            timeout_ms: Some(1000),
            env: HashMap::new(),
            with_escalated_permissions: Some(true),
            justification: Some("test".to_string()),
@@ -3133,12 +3045,7 @@ mod tests {

        let params2 = ExecParams {
            with_escalated_permissions: Some(false),
-            command: params.command.clone(),
-            cwd: params.cwd.clone(),
-            expiration: timeout_ms.into(),
-            env: HashMap::new(),
-            justification: params.justification.clone(),
-            arg0: None,
+            ..params.clone()
        };

        let turn_diff_tracker = Arc::new(tokio::sync::Mutex::new(TurnDiffTracker::new()));
@@ -3158,7 +3065,7 @@ mod tests {
                    arguments: serde_json::json!({
                        "command": params.command.clone(),
                        "workdir": Some(turn_context.cwd.to_string_lossy().to_string()),
-                        "timeout_ms": params.expiration.timeout_ms(),
+                        "timeout_ms": params.timeout_ms,
                        "with_escalated_permissions": params.with_escalated_permissions,
                        "justification": params.justification.clone(),
                    })
@@ -3195,7 +3102,7 @@ mod tests {
                    arguments: serde_json::json!({
                        "command": params2.command.clone(),
                        "workdir": Some(turn_context.cwd.to_string_lossy().to_string()),
-                        "timeout_ms": params2.expiration.timeout_ms(),
+                        "timeout_ms": params2.timeout_ms,
                        "with_escalated_permissions": params2.with_escalated_permissions,
                        "justification": params2.justification.clone(),
                    })
--- a/codex-rs/core/src/codex_delegate.rs
+++ b/codex-rs/core/src/codex_delegate.rs
@@ -13,8 +13,6 @@ use codex_protocol::protocol::SessionSource;
 use codex_protocol::protocol::SubAgentSource;
 use codex_protocol::protocol::Submission;
 use codex_protocol::user_input::UserInput;
-use std::time::Duration;
-use tokio::time::timeout;
 use tokio_util::sync::CancellationToken;

 use crate::AuthManager;
@@ -62,13 +60,14 @@ pub(crate) async fn run_codex_conversation_interactive(
    let parent_ctx_clone = Arc::clone(&parent_ctx);
    let codex_for_events = Arc::clone(&codex);
    tokio::spawn(async move {
-        forward_events(
+        let _ = forward_events(
            codex_for_events,
            tx_sub,
            parent_session_clone,
            parent_ctx_clone,
-            cancel_token_events,
+            cancel_token_events.clone(),
        )
+        .or_cancel(&cancel_token_events)
        .await;
    });

@@ -157,92 +156,53 @@ async fn forward_events(
    parent_ctx: Arc<TurnContext>,
    cancel_token: CancellationToken,
 ) {
-    let cancelled = cancel_token.cancelled();
-    tokio::pin!(cancelled);
-
-    loop {
-        tokio::select! {
-            _ = &mut cancelled => {
-                shutdown_delegate(&codex).await;
-                break;
+    while let Ok(event) = codex.next_event().await {
+        match event {
+            // ignore all legacy delta events
+            Event {
+                id: _,
+                msg: EventMsg::AgentMessageDelta(_) | EventMsg::AgentReasoningDelta(_),
+            } => continue,
+            Event {
+                id: _,
+                msg: EventMsg::SessionConfigured(_),
+            } => continue,
+            Event {
+                id,
+                msg: EventMsg::ExecApprovalRequest(event),
+            } => {
+                // Initiate approval via parent session; do not surface to consumer.
+                handle_exec_approval(
+                    &codex,
+                    id,
+                    &parent_session,
+                    &parent_ctx,
+                    event,
+                    &cancel_token,
+                )
+                .await;
            }
-            event = codex.next_event() => {
-                let event = match event {
-                    Ok(event) => event,
-                    Err(_) => break,
-                };
-                match event {
-                    // ignore all legacy delta events
-                    Event {
-                        id: _,
-                        msg: EventMsg::AgentMessageDelta(_) | EventMsg::AgentReasoningDelta(_),
-                    } => {}
-                    Event {
-                        id: _,
-                        msg: EventMsg::SessionConfigured(_),
-                    } => {}
-                    Event {
-                        id,
-                        msg: EventMsg::ExecApprovalRequest(event),
-                    } => {
-                        // Initiate approval via parent session; do not surface to consumer.
-                        handle_exec_approval(
-                            &codex,
-                            id,
-                            &parent_session,
-                            &parent_ctx,
-                            event,
-                            &cancel_token,
-                        )
-                        .await;
-                    }
-                    Event {
-                        id,
-                        msg: EventMsg::ApplyPatchApprovalRequest(event),
-                    } => {
-                        handle_patch_approval(
-                            &codex,
-                            id,
-                            &parent_session,
-                            &parent_ctx,
-                            event,
-                            &cancel_token,
-                        )
-                        .await;
-                    }
-                    other => {
-                        match tx_sub.send(other).or_cancel(&cancel_token).await {
-                            Ok(Ok(())) => {}
-                            _ => {
-                                shutdown_delegate(&codex).await;
-                                break;
-                            }
-                        }
-                    }
-                }
+            Event {
+                id,
+                msg: EventMsg::ApplyPatchApprovalRequest(event),
+            } => {
+                handle_patch_approval(
+                    &codex,
+                    id,
+                    &parent_session,
+                    &parent_ctx,
+                    event,
+                    &cancel_token,
+                )
+                .await;
+            }
+            other => {
+                let _ = tx_sub.send(other).await;
            }
        }
    }
 }

-/// Ask the delegate to stop and drain its events so background sends do not hit a closed channel.
-async fn shutdown_delegate(codex: &Codex) {
-    let _ = codex.submit(Op::Interrupt).await;
-    let _ = codex.submit(Op::Shutdown {}).await;
-
-    let _ = timeout(Duration::from_millis(500), async {
-        while let Ok(event) = codex.next_event().await {
-            if matches!(
-                event.msg,
-                EventMsg::TurnAborted(_) | EventMsg::TaskComplete(_)
-            ) {
-                break;
-            }
-        }
-    })
-    .await;
-}
-
 /// Forward ops from a caller to a sub-agent, respecting cancellation.
 async fn forward_ops(
    codex: Arc<Codex>,
@@ -338,85 +298,3 @@ where
        }
    }
 }
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use async_channel::bounded;
-    use codex_protocol::models::ResponseItem;
-    use codex_protocol::protocol::RawResponseItemEvent;
-    use codex_protocol::protocol::TurnAbortReason;
-    use codex_protocol::protocol::TurnAbortedEvent;
-    use pretty_assertions::assert_eq;
-
-    #[tokio::test]
-    async fn forward_events_cancelled_while_send_blocked_shuts_down_delegate() {
-        let (tx_events, rx_events) = bounded(1);
-        let (tx_sub, rx_sub) = bounded(SUBMISSION_CHANNEL_CAPACITY);
-        let codex = Arc::new(Codex {
-            next_id: AtomicU64::new(0),
-            tx_sub,
-            rx_event: rx_events,
-        });
-
-        let (session, ctx, _rx_evt) = crate::codex::make_session_and_context_with_rx();
-
-        let (tx_out, rx_out) = bounded(1);
-        tx_out
-            .send(Event {
-                id: "full".to_string(),
-                msg: EventMsg::TurnAborted(TurnAbortedEvent {
-                    reason: TurnAbortReason::Interrupted,
-                }),
-            })
-            .await
-            .unwrap();
-
-        let cancel = CancellationToken::new();
-        let forward = tokio::spawn(forward_events(
-            Arc::clone(&codex),
-            tx_out.clone(),
-            session,
-            ctx,
-            cancel.clone(),
-        ));
-
-        tx_events
-            .send(Event {
-                id: "evt".to_string(),
-                msg: EventMsg::RawResponseItem(RawResponseItemEvent {
-                    item: ResponseItem::CustomToolCall {
-                        id: None,
-                        status: None,
-                        call_id: "call-1".to_string(),
-                        name: "tool".to_string(),
-                        input: "{}".to_string(),
-                    },
-                }),
-            })
-            .await
-            .unwrap();
-
-        drop(tx_events);
-        cancel.cancel();
-        timeout(std::time::Duration::from_millis(1000), forward)
-            .await
-            .expect("forward_events hung")
-            .expect("forward_events join error");
-
-        let received = rx_out.recv().await.expect("prefilled event missing");
-        assert_eq!("full", received.id);
-        let mut ops = Vec::new();
-        while let Ok(sub) = rx_sub.try_recv() {
-            ops.push(sub.op);
-        }
-        assert!(
-            ops.iter().any(|op| matches!(op, Op::Interrupt)),
-            "expected Interrupt op after cancellation"
-        );
-        assert!(
-            ops.iter().any(|op| matches!(op, Op::Shutdown)),
-            "expected Shutdown op after cancellation"
-        );
-    }
-}
--- a/codex-rs/core/src/command_safety/is_dangerous_command.rs
+++ b/codex-rs/core/src/command_safety/is_dangerous_command.rs
@@ -1,19 +1,14 @@
 use codex_protocol::protocol::AskForApproval;
 use codex_protocol::protocol::SandboxPolicy;

-use crate::sandboxing::SandboxPermissions;
-
 use crate::bash::parse_shell_lc_plain_commands;
 use crate::is_safe_command::is_known_safe_command;
-#[cfg(windows)]
-#[path = "windows_dangerous_commands.rs"]
-mod windows_dangerous_commands;

 pub fn requires_initial_appoval(
    policy: AskForApproval,
    sandbox_policy: &SandboxPolicy,
    command: &[String],
-    sandbox_permissions: SandboxPermissions,
+    with_escalated_permissions: bool,
 ) -> bool {
    if is_known_safe_command(command) {
        return false;
@@ -29,7 +24,8 @@ pub fn requires_initial_appoval(
            // In restricted sandboxes (ReadOnly/WorkspaceWrite), do not prompt for
            // non‑escalated, non‑dangerous commands — let the sandbox enforce
            // restrictions (e.g., block network/write) without a user prompt.
-            if sandbox_permissions.requires_escalated_permissions() {
+            let wants_escalation: bool = with_escalated_permissions;
+            if wants_escalation {
                return true;
            }
            command_might_be_dangerous(command)
@@ -39,13 +35,6 @@ pub fn requires_initial_appoval(
 }

 pub fn command_might_be_dangerous(command: &[String]) -> bool {
-    #[cfg(windows)]
-    {
-        if windows_dangerous_commands::is_dangerous_command_windows(command) {
-            return true;
-        }
-    }
-
    if is_dangerous_to_call_with_exec(command) {
        return true;
    }
--- a/codex-rs/core/src/command_safety/is_safe_command.rs
+++ b/codex-rs/core/src/command_safety/is_safe_command.rs
@@ -267,20 +267,6 @@ mod tests {
        }
    }

-    #[test]
-    fn windows_powershell_full_path_is_safe() {
-        if !cfg!(windows) {
-            // Windows only because on Linux path splitting doesn't handle `/` separators properly
-            return;
-        }
-
-        assert!(is_known_safe_command(&vec_str(&[
-            r"C:\Program Files\PowerShell\7\pwsh.exe",
-            "-Command",
-            "Get-Location",
-        ])));
-    }
-
    #[test]
    fn bash_lc_safe_examples() {
        assert!(is_known_safe_command(&vec_str(&["bash", "-lc", "ls"])));
--- a/codex-rs/core/src/command_safety/windows_dangerous_commands.rs
+++ b/codex-rs/core/src/command_safety/windows_dangerous_commands.rs
@@ -1,316 +0,0 @@
-use std::path::Path;
-
-use once_cell::sync::Lazy;
-use regex::Regex;
-use shlex::split as shlex_split;
-use url::Url;
-
-pub fn is_dangerous_command_windows(command: &[String]) -> bool {
-    // Prefer structured parsing for PowerShell/CMD so we can spot URL-bearing
-    // invocations of ShellExecute-style entry points before falling back to
-    // simple argv heuristics.
-    if is_dangerous_powershell(command) {
-        return true;
-    }
-
-    if is_dangerous_cmd(command) {
-        return true;
-    }
-
-    is_direct_gui_launch(command)
-}
-
-fn is_dangerous_powershell(command: &[String]) -> bool {
-    let Some((exe, rest)) = command.split_first() else {
-        return false;
-    };
-    if !is_powershell_executable(exe) {
-        return false;
-    }
-    // Parse the PowerShell invocation to get a flat token list we can scan for
-    // dangerous cmdlets/COM calls plus any URL-looking arguments. This is a
-    // best-effort shlex split of the script text, not a full PS parser.
-    let Some(parsed) = parse_powershell_invocation(rest) else {
-        return false;
-    };
-
-    let tokens_lc: Vec<String> = parsed
-        .tokens
-        .iter()
-        .map(|t| t.trim_matches('\'').trim_matches('"').to_ascii_lowercase())
-        .collect();
-    let has_url = args_have_url(&parsed.tokens);
-
-    if has_url
-        && tokens_lc.iter().any(|t| {
-            matches!(
-                t.as_str(),
-                "start-process" | "start" | "saps" | "invoke-item" | "ii"
-            ) || t.contains("start-process")
-                || t.contains("invoke-item")
-        })
-    {
-        return true;
-    }
-
-    if has_url
-        && tokens_lc
-            .iter()
-            .any(|t| t.contains("shellexecute") || t.contains("shell.application"))
-    {
-        return true;
-    }
-
-    if let Some(first) = tokens_lc.first() {
-        // Legacy ShellExecute path via url.dll
-        if first == "rundll32"
-            && tokens_lc
-                .iter()
-                .any(|t| t.contains("url.dll,fileprotocolhandler"))
-            && has_url
-        {
-            return true;
-        }
-        if first == "mshta" && has_url {
-            return true;
-        }
-        if is_browser_executable(first) && has_url {
-            return true;
-        }
-        if matches!(first.as_str(), "explorer" | "explorer.exe") && has_url {
-            return true;
-        }
-    }
-
-    false
-}
-
-fn is_dangerous_cmd(command: &[String]) -> bool {
-    let Some((exe, rest)) = command.split_first() else {
-        return false;
-    };
-    let Some(base) = executable_basename(exe) else {
-        return false;
-    };
-    if base != "cmd" && base != "cmd.exe" {
-        return false;
-    }
-
-    let mut iter = rest.iter();
-    for arg in iter.by_ref() {
-        let lower = arg.to_ascii_lowercase();
-        match lower.as_str() {
-            "/c" | "/r" | "-c" => break,
-            _ if lower.starts_with('/') => continue,
-            // Unknown tokens before the command body => bail.
-            _ => return false,
-        }
-    }
-
-    let Some(first_cmd) = iter.next() else {
-        return false;
-    };
-    // Classic `cmd /c start https://...` ShellExecute path.
-    if !first_cmd.eq_ignore_ascii_case("start") {
-        return false;
-    }
-    let remaining: Vec<String> = iter.cloned().collect();
-    args_have_url(&remaining)
-}
-
-fn is_direct_gui_launch(command: &[String]) -> bool {
-    let Some((exe, rest)) = command.split_first() else {
-        return false;
-    };
-    let Some(base) = executable_basename(exe) else {
-        return false;
-    };
-
-    // Explorer/rundll32/mshta or direct browser exe with a URL anywhere in args.
-    if matches!(base.as_str(), "explorer" | "explorer.exe") && args_have_url(rest) {
-        return true;
-    }
-    if matches!(base.as_str(), "mshta" | "mshta.exe") && args_have_url(rest) {
-        return true;
-    }
-    if (base == "rundll32" || base == "rundll32.exe")
-        && rest.iter().any(|t| {
-            t.to_ascii_lowercase()
-                .contains("url.dll,fileprotocolhandler")
-        })
-        && args_have_url(rest)
-    {
-        return true;
-    }
-    if is_browser_executable(&base) && args_have_url(rest) {
-        return true;
-    }
-
-    false
-}
-
-fn args_have_url(args: &[String]) -> bool {
-    args.iter().any(|arg| looks_like_url(arg))
-}
-
-fn looks_like_url(token: &str) -> bool {
-    // Strip common PowerShell punctuation around inline URLs (quotes, parens, trailing semicolons).
-    // Capture the middle token after trimming leading quotes/parens/whitespace and trailing semicolons/closing parens.
-    static RE: Lazy<Option<Regex>> =
-        Lazy::new(|| Regex::new(r#"^[ "'\(\s]*([^\s"'\);]+)[\s;\)]*$"#).ok());
-    // If the token embeds a URL alongside other text (e.g., Start-Process('https://...'))
-    // as a single shlex token, grab the substring starting at the first URL prefix.
-    let urlish = token
-        .find("https://")
-        .or_else(|| token.find("http://"))
-        .map(|idx| &token[idx..])
-        .unwrap_or(token);
-
-    let candidate = RE
-        .as_ref()
-        .and_then(|re| re.captures(urlish))
-        .and_then(|caps| caps.get(1))
-        .map(|m| m.as_str())
-        .unwrap_or(urlish);
-    let Ok(url) = Url::parse(candidate) else {
-        return false;
-    };
-    matches!(url.scheme(), "http" | "https")
-}
-
-fn executable_basename(exe: &str) -> Option<String> {
-    Path::new(exe)
-        .file_name()
-        .and_then(|osstr| osstr.to_str())
-        .map(str::to_ascii_lowercase)
-}
-
-fn is_powershell_executable(exe: &str) -> bool {
-    matches!(
-        executable_basename(exe).as_deref(),
-        Some("powershell") | Some("powershell.exe") | Some("pwsh") | Some("pwsh.exe")
-    )
-}
-
-fn is_browser_executable(name: &str) -> bool {
-    matches!(
-        name,
-        "chrome"
-            | "chrome.exe"
-            | "msedge"
-            | "msedge.exe"
-            | "firefox"
-            | "firefox.exe"
-            | "iexplore"
-            | "iexplore.exe"
-    )
-}
-
-struct ParsedPowershell {
-    tokens: Vec<String>,
-}
-
-fn parse_powershell_invocation(args: &[String]) -> Option<ParsedPowershell> {
-    if args.is_empty() {
-        return None;
-    }
-
-    let mut idx = 0;
-    while idx < args.len() {
-        let arg = &args[idx];
-        let lower = arg.to_ascii_lowercase();
-        match lower.as_str() {
-            "-command" | "/command" | "-c" => {
-                let script = args.get(idx + 1)?;
-                if idx + 2 != args.len() {
-                    return None;
-                }
-                let tokens = shlex_split(script)?;
-                return Some(ParsedPowershell { tokens });
-            }
-            _ if lower.starts_with("-command:") || lower.starts_with("/command:") => {
-                if idx + 1 != args.len() {
-                    return None;
-                }
-                let (_, script) = arg.split_once(':')?;
-                let tokens = shlex_split(script)?;
-                return Some(ParsedPowershell { tokens });
-            }
-            "-nologo" | "-noprofile" | "-noninteractive" | "-mta" | "-sta" => {
-                idx += 1;
-            }
-            _ if lower.starts_with('-') => {
-                idx += 1;
-            }
-            _ => {
-                let rest = args[idx..].to_vec();
-                return Some(ParsedPowershell { tokens: rest });
-            }
-        }
-    }
-
-    None
-}
-
-#[cfg(test)]
-mod tests {
-    use super::is_dangerous_command_windows;
-
-    fn vec_str(items: &[&str]) -> Vec<String> {
-        items.iter().map(std::string::ToString::to_string).collect()
-    }
-
-    #[test]
-    fn powershell_start_process_url_is_dangerous() {
-        assert!(is_dangerous_command_windows(&vec_str(&[
-            "powershell",
-            "-NoLogo",
-            "-Command",
-            "Start-Process 'https://example.com'"
-        ])));
-    }
-
-    #[test]
-    fn powershell_start_process_url_with_trailing_semicolon_is_dangerous() {
-        assert!(is_dangerous_command_windows(&vec_str(&[
-            "powershell",
-            "-Command",
-            "Start-Process('https://example.com');"
-        ])));
-    }
-
-    #[test]
-    fn powershell_start_process_local_is_not_flagged() {
-        assert!(!is_dangerous_command_windows(&vec_str(&[
-            "powershell",
-            "-Command",
-            "Start-Process notepad.exe"
-        ])));
-    }
-
-    #[test]
-    fn cmd_start_with_url_is_dangerous() {
-        assert!(is_dangerous_command_windows(&vec_str(&[
-            "cmd",
-            "/c",
-            "start",
-            "https://example.com"
-        ])));
-    }
-
-    #[test]
-    fn msedge_with_url_is_dangerous() {
-        assert!(is_dangerous_command_windows(&vec_str(&[
-            "msedge.exe",
-            "https://example.com"
-        ])));
-    }
-
-    #[test]
-    fn explorer_with_directory_is_not_flagged() {
-        assert!(!is_dangerous_command_windows(&vec_str(&[
-            "explorer.exe",
-            "."
-        ])));
-    }
-}
--- a/codex-rs/core/src/command_safety/windows_safe_commands.rs
+++ b/codex-rs/core/src/command_safety/windows_safe_commands.rs
@@ -1,5 +1,4 @@
 use shlex::split as shlex_split;
-use std::path::Path;

 /// On Windows, we conservatively allow only clearly read-only PowerShell invocations
 /// that match a small safelist. Anything else (including direct CMD commands) is unsafe.
@@ -132,14 +131,8 @@ fn split_into_commands(tokens: Vec<String>) -> Option<Vec<Vec<String>>> {

 /// Returns true when the executable name is one of the supported PowerShell binaries.
 fn is_powershell_executable(exe: &str) -> bool {
-    let executable_name = Path::new(exe)
-        .file_name()
-        .and_then(|osstr| osstr.to_str())
-        .unwrap_or(exe)
-        .to_ascii_lowercase();
-
    matches!(
-        executable_name.as_str(),
+        exe.to_ascii_lowercase().as_str(),
        "powershell" | "powershell.exe" | "pwsh" | "pwsh.exe"
    )
 }
@@ -320,27 +313,6 @@ mod tests {
        ])));
    }

-    #[test]
-    fn accepts_full_path_powershell_invocations() {
-        if !cfg!(windows) {
-            // Windows only because on Linux path splitting doesn't handle `/` separators properly
-            return;
-        }
-
-        assert!(is_safe_command_windows(&vec_str(&[
-            r"C:\Program Files\PowerShell\7\pwsh.exe",
-            "-NoProfile",
-            "-Command",
-            "Get-ChildItem -Path .",
-        ])));
-
-        assert!(is_safe_command_windows(&vec_str(&[
-            r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
-            "-Command",
-            "Get-Content Cargo.toml",
-        ])));
-    }
-
    #[test]
    fn allows_read_only_pipelines_and_git_usage() {
        assert!(is_safe_command_windows(&vec_str(&[
--- a/codex-rs/core/src/compact.rs
+++ b/codex-rs/core/src/compact.rs
@@ -7,9 +7,9 @@ use crate::codex::TurnContext;
 use crate::codex::get_last_assistant_message_from_turn;
 use crate::error::CodexErr;
 use crate::error::Result as CodexResult;
-use crate::features::Feature;
 use crate::protocol::AgentMessageEvent;
 use crate::protocol::CompactedItem;
+use crate::protocol::ErrorEvent;
 use crate::protocol::EventMsg;
 use crate::protocol::TaskStartedEvent;
 use crate::protocol::TurnContextItem;
@@ -18,7 +18,6 @@ use crate::truncate::TruncationPolicy;
 use crate::truncate::approx_token_count;
 use crate::truncate::truncate_text;
 use crate::util::backoff;
-use codex_app_server_protocol::AuthMode;
 use codex_protocol::items::TurnItem;
 use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseInputItem;
@@ -32,22 +31,12 @@ pub const SUMMARIZATION_PROMPT: &str = include_str!("../templates/compact/prompt
 pub const SUMMARY_PREFIX: &str = include_str!("../templates/compact/summary_prefix.md");
 const COMPACT_USER_MESSAGE_MAX_TOKENS: usize = 20_000;

-pub(crate) async fn should_use_remote_compact_task(session: &Session) -> bool {
-    session
-        .services
-        .auth_manager
-        .auth()
-        .is_some_and(|auth| auth.mode == AuthMode::ChatGPT)
-        && session.enabled(Feature::RemoteCompaction).await
-}
-
 pub(crate) async fn run_inline_auto_compact_task(
    sess: Arc<Session>,
    turn_context: Arc<TurnContext>,
 ) {
    let prompt = turn_context.compact_prompt().to_string();
    let input = vec![UserInput::Text { text: prompt }];
-
    run_compact_task_inner(sess, turn_context, input).await;
 }

@@ -55,12 +44,13 @@ pub(crate) async fn run_compact_task(
    sess: Arc<Session>,
    turn_context: Arc<TurnContext>,
    input: Vec<UserInput>,
-) {
+) -> Option<String> {
    let start_event = EventMsg::TaskStarted(TaskStartedEvent {
        model_context_window: turn_context.client.get_model_context_window(),
    });
    sess.send_event(&turn_context, start_event).await;
    run_compact_task_inner(sess.clone(), turn_context, input).await;
+    None
 }

 async fn run_compact_task_inner(
@@ -127,7 +117,9 @@ async fn run_compact_task_inner(
                    continue;
                }
                sess.set_total_tokens_full(turn_context.as_ref()).await;
-                let event = EventMsg::Error(e.to_error_event(None));
+                let event = EventMsg::Error(ErrorEvent {
+                    message: e.to_string(),
+                });
                sess.send_event(&turn_context, event).await;
                return;
            }
@@ -138,13 +130,14 @@ async fn run_compact_task_inner(
                    sess.notify_stream_error(
                        turn_context.as_ref(),
                        format!("Reconnecting... {retries}/{max_retries}"),
-                        e,
                    )
                    .await;
                    tokio::time::sleep(delay).await;
                    continue;
                } else {
-                    let event = EventMsg::Error(e.to_error_event(None));
+                    let event = EventMsg::Error(ErrorEvent {
+                        message: e.to_string(),
+                    });
                    sess.send_event(&turn_context, event).await;
                    return;
                }
@@ -167,7 +160,15 @@ async fn run_compact_task_inner(
        .collect();
    new_history.extend(ghost_snapshots);
    sess.replace_history(new_history).await;
-    sess.recompute_token_usage(&turn_context).await;
+
+    if let Some(estimated_tokens) = sess
+        .clone_history()
+        .await
+        .estimate_token_count(&turn_context)
+    {
+        sess.override_last_token_usage_estimate(&turn_context, estimated_tokens)
+            .await;
+    }

    let rollout_item = RolloutItem::Compacted(CompactedItem {
        message: summary_text.clone(),
--- a/codex-rs/core/src/compact_remote.rs
+++ b/codex-rs/core/src/compact_remote.rs
@@ -6,37 +6,40 @@ use crate::codex::TurnContext;
 use crate::error::Result as CodexResult;
 use crate::protocol::AgentMessageEvent;
 use crate::protocol::CompactedItem;
+use crate::protocol::ErrorEvent;
 use crate::protocol::EventMsg;
 use crate::protocol::RolloutItem;
 use crate::protocol::TaskStartedEvent;
 use codex_protocol::models::ResponseItem;

-pub(crate) async fn run_inline_remote_auto_compact_task(
+pub(crate) async fn run_remote_compact_task(
    sess: Arc<Session>,
    turn_context: Arc<TurnContext>,
-) {
-    run_remote_compact_task_inner(&sess, &turn_context).await;
-}
-
-pub(crate) async fn run_remote_compact_task(sess: Arc<Session>, turn_context: Arc<TurnContext>) {
+) -> Option<String> {
    let start_event = EventMsg::TaskStarted(TaskStartedEvent {
        model_context_window: turn_context.client.get_model_context_window(),
    });
    sess.send_event(&turn_context, start_event).await;

-    run_remote_compact_task_inner(&sess, &turn_context).await;
-}
-
-async fn run_remote_compact_task_inner(sess: &Arc<Session>, turn_context: &Arc<TurnContext>) {
-    if let Err(err) = run_remote_compact_task_inner_impl(sess, turn_context).await {
-        let event = EventMsg::Error(
-            err.to_error_event(Some("Error running remote compact task".to_string())),
-        );
-        sess.send_event(turn_context, event).await;
+    match run_remote_compact_task_inner(&sess, &turn_context).await {
+        Ok(()) => {
+            let event = EventMsg::AgentMessage(AgentMessageEvent {
+                message: "Compact task completed".to_string(),
+            });
+            sess.send_event(&turn_context, event).await;
+        }
+        Err(err) => {
+            let event = EventMsg::Error(ErrorEvent {
+                message: err.to_string(),
+            });
+            sess.send_event(&turn_context, event).await;
+        }
    }
+
+    None
 }

-async fn run_remote_compact_task_inner_impl(
+async fn run_remote_compact_task_inner(
    sess: &Arc<Session>,
    turn_context: &Arc<TurnContext>,
 ) -> CodexResult<()> {
@@ -65,7 +68,15 @@ async fn run_remote_compact_task_inner_impl(
        new_history.extend(ghost_snapshots);
    }
    sess.replace_history(new_history.clone()).await;
-    sess.recompute_token_usage(turn_context).await;
+
+    if let Some(estimated_tokens) = sess
+        .clone_history()
+        .await
+        .estimate_token_count(turn_context.as_ref())
+    {
+        sess.override_last_token_usage_estimate(turn_context.as_ref(), estimated_tokens)
+            .await;
+    }

    let compacted_item = CompactedItem {
        message: String::new(),
@@ -73,11 +84,5 @@ async fn run_remote_compact_task_inner_impl(
    };
    sess.persist_rollout_items(&[RolloutItem::Compacted(compacted_item)])
        .await;
-
-    let event = EventMsg::AgentMessage(AgentMessageEvent {
-        message: "Compact task completed".to_string(),
-    });
-    sess.send_event(turn_context, event).await;
-
    Ok(())
 }
--- a/codex-rs/core/src/config/edit.rs
+++ b/codex-rs/core/src/config/edit.rs
@@ -4,6 +4,7 @@ use crate::config::types::Notice;
 use anyhow::Context;
 use codex_protocol::config_types::ReasoningEffort;
 use codex_protocol::config_types::TrustLevel;
+use codex_utils_tokenizer::warm_model_cache;
 use std::collections::BTreeMap;
 use std::path::Path;
 use std::path::PathBuf;
@@ -230,6 +231,9 @@ impl ConfigDocument {
    fn apply(&mut self, edit: &ConfigEdit) -> anyhow::Result<bool> {
        match edit {
            ConfigEdit::SetModel { model, effort } => Ok({
+                if let Some(model) = &model {
+                    warm_model_cache(model)
+                }
                let mut mutated = false;
                mutated |= self.write_profile_value(
                    &["model"],
@@ -841,36 +845,6 @@ hide_gpt5_1_migration_prompt = true
        assert_eq!(contents, expected);
    }

-    #[test]
-    fn blocking_set_hide_gpt_5_1_codex_max_migration_prompt_preserves_table() {
-        let tmp = tempdir().expect("tmpdir");
-        let codex_home = tmp.path();
-        std::fs::write(
-            codex_home.join(CONFIG_TOML_FILE),
-            r#"[notice]
-existing = "value"
-"#,
-        )
-        .expect("seed");
-        apply_blocking(
-            codex_home,
-            None,
-            &[ConfigEdit::SetNoticeHideModelMigrationPrompt(
-                "hide_gpt-5.1-codex-max_migration_prompt".to_string(),
-                true,
-            )],
-        )
-        .expect("persist");
-
-        let contents =
-            std::fs::read_to_string(codex_home.join(CONFIG_TOML_FILE)).expect("read config");
-        let expected = r#"[notice]
-existing = "value"
-"hide_gpt-5.1-codex-max_migration_prompt" = true
-"#;
-        assert_eq!(contents, expected);
-    }
-
    #[test]
    fn blocking_replace_mcp_servers_round_trips() {
        let tmp = tempdir().expect("tmpdir");
--- a/codex-rs/core/src/config/mod.rs
+++ b/codex-rs/core/src/config/mod.rs
@@ -61,6 +61,9 @@ pub mod edit;
 pub mod profile;
 pub mod types;

+#[cfg(target_os = "windows")]
+pub const OPENAI_DEFAULT_MODEL: &str = "gpt-5.1";
+#[cfg(not(target_os = "windows"))]
 pub const OPENAI_DEFAULT_MODEL: &str = "gpt-5.1-codex";
 const OPENAI_DEFAULT_REVIEW_MODEL: &str = "gpt-5.1-codex";
 pub const GPT_5_CODEX_MEDIUM_MODEL: &str = "gpt-5.1-codex";
@@ -70,7 +73,7 @@ pub const GPT_5_CODEX_MEDIUM_MODEL: &str = "gpt-5.1-codex";
 /// the context window.
 pub(crate) const PROJECT_DOC_MAX_BYTES: usize = 32 * 1024; // 32 KiB

-pub const CONFIG_TOML_FILE: &str = "config.toml";
+pub(crate) const CONFIG_TOML_FILE: &str = "config.toml";

 /// Application configuration loaded from disk and merged with overrides.
 #[derive(Debug, Clone, PartialEq)]
@@ -78,7 +81,7 @@ pub struct Config {
    /// Optional override of model selection.
    pub model: String,

-    /// Model used specifically for review sessions. Defaults to "gpt-5.1-codex-max".
+    /// Model used specifically for review sessions. Defaults to "gpt-5.1-codex".
    pub review_model: String,

    pub model_family: ModelFamily,
@@ -86,6 +89,9 @@ pub struct Config {
    /// Size of the context window for the model, in tokens.
    pub model_context_window: Option<i64>,

+    /// Maximum number of output tokens.
+    pub model_max_output_tokens: Option<i64>,
+
    /// Token usage threshold triggering auto-compaction of conversation history.
    pub model_auto_compact_token_limit: Option<i64>,

@@ -157,9 +163,6 @@ pub struct Config {
    /// and turn completions when not focused.
    pub tui_notifications: Notifications,

-    /// Enable ASCII animations and shimmer effects in the TUI.
-    pub animations: bool,
-
    /// The directory that should be treated as the current working directory
    /// for the session. All relative paths inside the business-logic layer are
    /// resolved against this path.
@@ -267,11 +270,6 @@ pub struct Config {
    /// Collection of various notices we show the user
    pub notices: Notice,

-    /// When `true`, checks for Codex updates on startup and surfaces update prompts.
-    /// Set to `false` only if your Codex updates are centrally managed.
-    /// Defaults to `true`.
-    pub check_for_update_on_startup: bool,
-
    /// When true, disables burst-paste detection for typed input entirely.
    /// All characters are inserted as they are received, and no buffering
    /// or placeholder replacement will occur for fast keypress bursts.
@@ -572,6 +570,9 @@ pub struct ConfigToml {
    /// Size of the context window for the model, in tokens.
    pub model_context_window: Option<i64>,

+    /// Maximum number of output tokens.
+    pub model_max_output_tokens: Option<i64>,
+
    /// Token usage threshold triggering auto-compaction of conversation history.
    pub model_auto_compact_token_limit: Option<i64>,

@@ -690,11 +691,6 @@ pub struct ConfigToml {
    #[serde(default)]
    pub features: Option<FeaturesToml>,

-    /// When `true`, checks for Codex updates on startup and surfaces update prompts.
-    /// Set to `false` only if your Codex updates are centrally managed.
-    /// Defaults to `true`.
-    pub check_for_update_on_startup: Option<bool>,
-
    /// When true, disables burst-paste detection for typed input entirely.
    /// All characters are inserted as they are received, and no buffering
    /// or placeholder replacement will occur for fast keypress bursts.
@@ -1126,6 +1122,11 @@ impl Config {
        let model_context_window = cfg
            .model_context_window
            .or_else(|| openai_model_info.as_ref().map(|info| info.context_window));
+        let model_max_output_tokens = cfg.model_max_output_tokens.or_else(|| {
+            openai_model_info
+                .as_ref()
+                .map(|info| info.max_output_tokens)
+        });
        let model_auto_compact_token_limit = cfg.model_auto_compact_token_limit.or_else(|| {
            openai_model_info
                .as_ref()
@@ -1172,13 +1173,12 @@ impl Config {
            .or(cfg.review_model)
            .unwrap_or_else(default_review_model);

-        let check_for_update_on_startup = cfg.check_for_update_on_startup.unwrap_or(true);
-
        let config = Self {
            model,
            review_model,
            model_family,
            model_context_window,
+            model_max_output_tokens,
            model_auto_compact_token_limit,
            model_provider_id,
            model_provider,
@@ -1250,14 +1250,12 @@ impl Config {
            active_project,
            windows_wsl_setup_acknowledged: cfg.windows_wsl_setup_acknowledged.unwrap_or(false),
            notices: cfg.notice.unwrap_or_default(),
-            check_for_update_on_startup,
            disable_paste_burst: cfg.disable_paste_burst.unwrap_or(false),
            tui_notifications: cfg
                .tui
                .as_ref()
                .map(|t| t.notifications.clone())
                .unwrap_or_default(),
-            animations: cfg.tui.as_ref().map(|t| t.animations).unwrap_or(true),
            otel: {
                let t: OtelConfigToml = cfg.otel.unwrap_or_default();
                let log_user_prompt = t.log_user_prompt.unwrap_or(false);
@@ -2962,6 +2960,7 @@ model_verbosity = "high"
                review_model: OPENAI_DEFAULT_REVIEW_MODEL.to_string(),
                model_family: find_family_for_model("o3").expect("known model slug"),
                model_context_window: Some(200_000),
+                model_max_output_tokens: Some(100_000),
                model_auto_compact_token_limit: Some(180_000),
                model_provider_id: "openai".to_string(),
                model_provider: fixture.openai_provider.clone(),
@@ -3005,10 +3004,8 @@ model_verbosity = "high"
                active_project: ProjectConfig { trust_level: None },
                windows_wsl_setup_acknowledged: false,
                notices: Default::default(),
-                check_for_update_on_startup: true,
                disable_paste_burst: false,
                tui_notifications: Default::default(),
-                animations: true,
                otel: OtelConfig::default(),
            },
            o3_profile_config
@@ -3035,6 +3032,7 @@ model_verbosity = "high"
            review_model: OPENAI_DEFAULT_REVIEW_MODEL.to_string(),
            model_family: find_family_for_model("gpt-3.5-turbo").expect("known model slug"),
            model_context_window: Some(16_385),
+            model_max_output_tokens: Some(4_096),
            model_auto_compact_token_limit: Some(14_746),
            model_provider_id: "openai-chat-completions".to_string(),
            model_provider: fixture.openai_chat_completions_provider.clone(),
@@ -3078,10 +3076,8 @@ model_verbosity = "high"
            active_project: ProjectConfig { trust_level: None },
            windows_wsl_setup_acknowledged: false,
            notices: Default::default(),
-            check_for_update_on_startup: true,
            disable_paste_burst: false,
            tui_notifications: Default::default(),
-            animations: true,
            otel: OtelConfig::default(),
        };

@@ -3123,6 +3119,7 @@ model_verbosity = "high"
            review_model: OPENAI_DEFAULT_REVIEW_MODEL.to_string(),
            model_family: find_family_for_model("o3").expect("known model slug"),
            model_context_window: Some(200_000),
+            model_max_output_tokens: Some(100_000),
            model_auto_compact_token_limit: Some(180_000),
            model_provider_id: "openai".to_string(),
            model_provider: fixture.openai_provider.clone(),
@@ -3166,10 +3163,8 @@ model_verbosity = "high"
            active_project: ProjectConfig { trust_level: None },
            windows_wsl_setup_acknowledged: false,
            notices: Default::default(),
-            check_for_update_on_startup: true,
            disable_paste_burst: false,
            tui_notifications: Default::default(),
-            animations: true,
            otel: OtelConfig::default(),
        };

@@ -3197,6 +3192,7 @@ model_verbosity = "high"
            review_model: OPENAI_DEFAULT_REVIEW_MODEL.to_string(),
            model_family: find_family_for_model("gpt-5.1").expect("known model slug"),
            model_context_window: Some(272_000),
+            model_max_output_tokens: Some(128_000),
            model_auto_compact_token_limit: Some(244_800),
            model_provider_id: "openai".to_string(),
            model_provider: fixture.openai_provider.clone(),
@@ -3240,10 +3236,8 @@ model_verbosity = "high"
            active_project: ProjectConfig { trust_level: None },
            windows_wsl_setup_acknowledged: false,
            notices: Default::default(),
-            check_for_update_on_startup: true,
            disable_paste_burst: false,
            tui_notifications: Default::default(),
-            animations: true,
            otel: OtelConfig::default(),
        };

--- a/codex-rs/core/src/config/types.rs
+++ b/codex-rs/core/src/config/types.rs
@@ -363,15 +363,6 @@ pub struct Tui {
    /// Defaults to `true`.
    #[serde(default)]
    pub notifications: Notifications,
-
-    /// Enable animations (welcome screen, shimmer effects, spinners).
-    /// Defaults to `true`.
-    #[serde(default = "default_true")]
-    pub animations: bool,
-}
-
-const fn default_true() -> bool {
-    true
 }

 /// Settings for notices we display to users via the tui and app-server clients
@@ -387,9 +378,6 @@ pub struct Notice {
    pub hide_rate_limit_model_nudge: Option<bool>,
    /// Tracks whether the user has seen the model migration prompt
    pub hide_gpt5_1_migration_prompt: Option<bool>,
-    /// Tracks whether the user has seen the gpt-5.1-codex-max migration prompt
-    #[serde(rename = "hide_gpt-5.1-codex-max_migration_prompt")]
-    pub hide_gpt_5_1_codex_max_migration_prompt: Option<bool>,
 }

 impl Notice {
--- a/codex-rs/core/src/config_loader/mod.rs
+++ b/codex-rs/core/src/config_loader/mod.rs
@@ -11,15 +11,15 @@ use toml::Value as TomlValue;
 #[cfg(unix)]
 const CODEX_MANAGED_CONFIG_SYSTEM_PATH: &str = "/etc/codex/managed_config.toml";

-#[derive(Debug, Clone)]
-pub struct LoadedConfigLayers {
+#[derive(Debug)]
+pub(crate) struct LoadedConfigLayers {
    pub base: TomlValue,
    pub managed_config: Option<TomlValue>,
    pub managed_preferences: Option<TomlValue>,
 }

-#[derive(Debug, Default, Clone)]
-pub struct LoaderOverrides {
+#[derive(Debug, Default)]
+pub(crate) struct LoaderOverrides {
    pub managed_config_path: Option<PathBuf>,
    #[cfg(target_os = "macos")]
    pub managed_preferences_base64: Option<String>,
@@ -47,15 +47,11 @@ pub async fn load_config_as_toml(codex_home: &Path) -> io::Result<TomlValue> {
    load_config_as_toml_with_overrides(codex_home, LoaderOverrides::default()).await
 }

-pub async fn load_config_layers(codex_home: &Path) -> io::Result<LoadedConfigLayers> {
-    load_config_layers_with_overrides(codex_home, LoaderOverrides::default()).await
-}
-
 fn default_empty_table() -> TomlValue {
    TomlValue::Table(Default::default())
 }

-pub async fn load_config_layers_with_overrides(
+pub(crate) async fn load_config_layers_with_overrides(
    codex_home: &Path,
    overrides: LoaderOverrides,
 ) -> io::Result<LoadedConfigLayers> {
@@ -134,7 +130,7 @@ async fn read_config_from_path(
 }

 /// Merge config `overlay` into `base`, giving `overlay` precedence.
-pub fn merge_toml_values(base: &mut TomlValue, overlay: &TomlValue) {
+pub(crate) fn merge_toml_values(base: &mut TomlValue, overlay: &TomlValue) {
    if let TomlValue::Table(overlay_table) = overlay
        && let TomlValue::Table(base_table) = base
    {
@@ -151,10 +147,6 @@ pub fn merge_toml_values(base: &mut TomlValue, overlay: &TomlValue) {
 }

 fn managed_config_default_path(codex_home: &Path) -> PathBuf {
-    if let Ok(path) = std::env::var("CODEX_MANAGED_CONFIG_PATH") {
-        return PathBuf::from(path);
-    }
-
    #[cfg(unix)]
    {
        let _ = codex_home;
--- a/codex-rs/core/src/context_manager/history.rs
+++ b/codex-rs/core/src/context_manager/history.rs
@@ -1,14 +1,13 @@
 use crate::codex::TurnContext;
 use crate::context_manager::normalize;
 use crate::truncate::TruncationPolicy;
-use crate::truncate::approx_token_count;
-use crate::truncate::approx_tokens_from_byte_count;
 use crate::truncate::truncate_function_output_items_with_policy;
 use crate::truncate::truncate_text;
 use codex_protocol::models::FunctionCallOutputPayload;
 use codex_protocol::models::ResponseItem;
 use codex_protocol::protocol::TokenUsage;
 use codex_protocol::protocol::TokenUsageInfo;
+use codex_utils_tokenizer::Tokenizer;
 use std::ops::Deref;

 /// Transcript of conversation history
@@ -75,31 +74,26 @@ impl ContextManager {
        history
    }

-    // Estimate token usage using byte-based heuristics from the truncation helpers.
-    // This is a coarse lower bound, not a tokenizer-accurate count.
+    // Estimate the number of tokens in the history. Return None if no tokenizer
+    // is available. This does not consider the reasoning traces.
+    // /!\ The value is a lower bound estimate and does not represent the exact
+    // context length.
    pub(crate) fn estimate_token_count(&self, turn_context: &TurnContext) -> Option<i64> {
+        let model = turn_context.client.get_model();
+        let tokenizer = Tokenizer::for_model(model.as_str()).ok()?;
        let model_family = turn_context.client.get_model_family();
-        let base_tokens =
-            i64::try_from(approx_token_count(model_family.base_instructions.as_str()))
-                .unwrap_or(i64::MAX);

-        let items_tokens = self.items.iter().fold(0i64, |acc, item| {
-            acc + match item {
-                ResponseItem::Reasoning {
-                    encrypted_content: Some(content),
-                    ..
-                }
-                | ResponseItem::CompactionSummary {
-                    encrypted_content: content,
-                } => estimate_reasoning_length(content.len()) as i64,
-                item => {
-                    let serialized = serde_json::to_string(item).unwrap_or_default();
-                    i64::try_from(approx_token_count(&serialized)).unwrap_or(i64::MAX)
-                }
-            }
-        });
-
-        Some(base_tokens.saturating_add(items_tokens))
+        Some(
+            self.items
+                .iter()
+                .map(|item| {
+                    serde_json::to_string(&item)
+                        .map(|item| tokenizer.count(&item))
+                        .unwrap_or_default()
+                })
+                .sum::<i64>()
+                + tokenizer.count(model_family.base_instructions.as_str()),
+        )
    }

    pub(crate) fn remove_first_item(&mut self) {
@@ -130,46 +124,6 @@ impl ContextManager {
        );
    }

-    fn get_non_last_reasoning_items_tokens(&self) -> usize {
-        // get reasoning items excluding all the ones after the last user message
-        let Some(last_user_index) = self
-            .items
-            .iter()
-            .rposition(|item| matches!(item, ResponseItem::Message { role, .. } if role == "user"))
-        else {
-            return 0usize;
-        };
-
-        let total_reasoning_bytes = self
-            .items
-            .iter()
-            .take(last_user_index)
-            .filter_map(|item| {
-                if let ResponseItem::Reasoning {
-                    encrypted_content: Some(content),
-                    ..
-                } = item
-                {
-                    Some(content.len())
-                } else {
-                    None
-                }
-            })
-            .map(estimate_reasoning_length)
-            .fold(0usize, usize::saturating_add);
-
-        let token_estimate = approx_tokens_from_byte_count(total_reasoning_bytes);
-        token_estimate as usize
-    }
-
-    pub(crate) fn get_total_token_usage(&self) -> i64 {
-        self.token_info
-            .as_ref()
-            .map(|info| info.last_token_usage.total_tokens)
-            .unwrap_or(0)
-            .saturating_add(self.get_non_last_reasoning_items_tokens() as i64)
-    }
-
    /// This function enforces a couple of invariants on the in-memory history:
    /// 1. every call (function/custom) has a corresponding output entry
    /// 2. every output has a corresponding call entry
@@ -191,17 +145,13 @@ impl ContextManager {
    }

    fn process_item(&self, item: &ResponseItem, policy: TruncationPolicy) -> ResponseItem {
-        let policy_with_serialization_budget = policy.mul(1.2);
        match item {
            ResponseItem::FunctionCallOutput { call_id, output } => {
-                let truncated =
-                    truncate_text(output.content.as_str(), policy_with_serialization_budget);
-                let truncated_items = output.content_items.as_ref().map(|items| {
-                    truncate_function_output_items_with_policy(
-                        items,
-                        policy_with_serialization_budget,
-                    )
-                });
+                let truncated = truncate_text(output.content.as_str(), policy);
+                let truncated_items = output
+                    .content_items
+                    .as_ref()
+                    .map(|items| truncate_function_output_items_with_policy(items, policy));
                ResponseItem::FunctionCallOutput {
                    call_id: call_id.clone(),
                    output: FunctionCallOutputPayload {
@@ -212,7 +162,7 @@ impl ContextManager {
                }
            }
            ResponseItem::CustomToolCallOutput { call_id, output } => {
-                let truncated = truncate_text(output, policy_with_serialization_budget);
+                let truncated = truncate_text(output, policy);
                ResponseItem::CustomToolCallOutput {
                    call_id: call_id.clone(),
                    output: truncated,
@@ -249,14 +199,6 @@ fn is_api_message(message: &ResponseItem) -> bool {
    }
 }

-fn estimate_reasoning_length(encoded_len: usize) -> usize {
-    encoded_len
-        .saturating_mul(3)
-        .checked_div(4)
-        .unwrap_or(0)
-        .saturating_sub(650)
-}
-
 #[cfg(test)]
 #[path = "history_tests.rs"]
 mod tests;
--- a/codex-rs/core/src/context_manager/history_tests.rs
+++ b/codex-rs/core/src/context_manager/history_tests.rs
@@ -12,8 +12,8 @@ use codex_protocol::models::ReasoningItemReasoningSummary;
 use pretty_assertions::assert_eq;
 use regex_lite::Regex;

+const EXEC_FORMAT_MAX_LINES: usize = 256;
 const EXEC_FORMAT_MAX_BYTES: usize = 10_000;
-const EXEC_FORMAT_MAX_TOKENS: usize = 2_500;

 fn assistant_msg(text: &str) -> ResponseItem {
    ResponseItem::Message {
@@ -56,21 +56,6 @@ fn reasoning_msg(text: &str) -> ResponseItem {
    }
 }

-fn reasoning_with_encrypted_content(len: usize) -> ResponseItem {
-    ResponseItem::Reasoning {
-        id: String::new(),
-        summary: vec![ReasoningItemReasoningSummary::SummaryText {
-            text: "summary".to_string(),
-        }],
-        content: None,
-        encrypted_content: Some("a".repeat(len)),
-    }
-}
-
-fn truncate_exec_output(content: &str) -> String {
-    truncate::truncate_text(content, TruncationPolicy::Tokens(EXEC_FORMAT_MAX_TOKENS))
-}
-
 #[test]
 fn filters_non_api_messages() {
    let mut h = ContextManager::default();
@@ -123,28 +108,6 @@ fn filters_non_api_messages() {
    );
 }

-#[test]
-fn non_last_reasoning_tokens_return_zero_when_no_user_messages() {
-    let history = create_history_with_items(vec![reasoning_with_encrypted_content(800)]);
-
-    assert_eq!(history.get_non_last_reasoning_items_tokens(), 0);
-}
-
-#[test]
-fn non_last_reasoning_tokens_ignore_entries_after_last_user() {
-    let history = create_history_with_items(vec![
-        reasoning_with_encrypted_content(900),
-        user_msg("first"),
-        reasoning_with_encrypted_content(1_000),
-        user_msg("second"),
-        reasoning_with_encrypted_content(2_000),
-    ]);
-    // first: (900 * 0.75 - 650) / 4 = 6.25 tokens
-    // second: (1000 * 0.75 - 650) / 4 = 25 tokens
-    // first + second = 62.5
-    assert_eq!(history.get_non_last_reasoning_items_tokens(), 32);
-}
-
 #[test]
 fn get_history_for_prompt_drops_ghost_commits() {
    let items = vec![ResponseItem::GhostSnapshot {
@@ -265,7 +228,7 @@ fn normalization_retains_local_shell_outputs() {
        ResponseItem::FunctionCallOutput {
            call_id: "shell-1".to_string(),
            output: FunctionCallOutputPayload {
-                content: "Total output lines: 1\n\nok".to_string(),
+                content: "ok".to_string(),
                ..Default::default()
            },
        },
@@ -367,8 +330,8 @@ fn record_items_respects_custom_token_limit() {
    assert!(stored.content.contains("tokens truncated"));
 }

-fn assert_truncated_message_matches(message: &str, line: &str, expected_removed: usize) {
-    let pattern = truncated_message_pattern(line);
+fn assert_truncated_message_matches(message: &str, line: &str, total_lines: usize) {
+    let pattern = truncated_message_pattern(line, total_lines);
    let regex = Regex::new(&pattern).unwrap_or_else(|err| {
        panic!("failed to compile regex {pattern}: {err}");
    });
@@ -384,18 +347,23 @@ fn assert_truncated_message_matches(message: &str, line: &str, expected_removed:
        "body exceeds byte limit: {} bytes",
        body.len()
    );
-    let removed: usize = captures
-        .name("removed")
-        .expect("missing removed capture")
-        .as_str()
-        .parse()
-        .unwrap_or_else(|err| panic!("invalid removed tokens: {err}"));
-    assert_eq!(removed, expected_removed, "mismatched removed token count");
 }

-fn truncated_message_pattern(line: &str) -> String {
+fn truncated_message_pattern(line: &str, total_lines: usize) -> String {
+    let head_lines = EXEC_FORMAT_MAX_LINES / 2;
+    let tail_lines = EXEC_FORMAT_MAX_LINES - head_lines;
+    let head_take = head_lines.min(total_lines);
+    let tail_take = tail_lines.min(total_lines.saturating_sub(head_take));
+    let omitted = total_lines.saturating_sub(head_take + tail_take);
    let escaped_line = regex_lite::escape(line);
-    format!(r"(?s)^(?P<body>{escaped_line}.*?)(?:\r?)?…(?P<removed>\d+) tokens truncated…(?:.*)?$")
+    if omitted == 0 {
+        return format!(
+            r"(?s)^Total output lines: {total_lines}\n\n(?P<body>{escaped_line}.*\n\[\.{{3}} removed \d+ bytes to fit {EXEC_FORMAT_MAX_BYTES} byte limit \.{{3}}]\n\n.*)$",
+        );
+    }
+    format!(
+        r"(?s)^Total output lines: {total_lines}\n\n(?P<body>{escaped_line}.*\n\[\.{{3}} omitted {omitted} of {total_lines} lines \.{{3}}]\n\n.*)$",
+    )
 }

 #[test]
@@ -403,18 +371,27 @@ fn format_exec_output_truncates_large_error() {
    let line = "very long execution error line that should trigger truncation\n";
    let large_error = line.repeat(2_500); // way beyond both byte and line limits

-    let truncated = truncate_exec_output(&large_error);
+    let truncated = truncate::truncate_with_line_bytes_budget(&large_error, EXEC_FORMAT_MAX_BYTES);

-    assert_truncated_message_matches(&truncated, line, 36250);
+    let total_lines = large_error.lines().count();
+    assert_truncated_message_matches(&truncated, line, total_lines);
    assert_ne!(truncated, large_error);
 }

 #[test]
 fn format_exec_output_marks_byte_truncation_without_omitted_lines() {
-    let long_line = "a".repeat(EXEC_FORMAT_MAX_BYTES + 10000);
-    let truncated = truncate_exec_output(&long_line);
+    let long_line = "a".repeat(EXEC_FORMAT_MAX_BYTES + 50);
+    let truncated = truncate::truncate_with_line_bytes_budget(&long_line, EXEC_FORMAT_MAX_BYTES);
+
    assert_ne!(truncated, long_line);
-    assert_truncated_message_matches(&truncated, "a", 2500);
+    let removed_bytes = long_line.len().saturating_sub(EXEC_FORMAT_MAX_BYTES);
+    let marker_line = format!(
+        "[... removed {removed_bytes} bytes to fit {EXEC_FORMAT_MAX_BYTES} byte limit ...]"
+    );
+    assert!(
+        truncated.contains(&marker_line),
+        "missing byte truncation marker: {truncated}"
+    );
    assert!(
        !truncated.contains("omitted"),
        "line omission marker should not appear when no lines were dropped: {truncated}"
@@ -424,25 +401,34 @@ fn format_exec_output_marks_byte_truncation_without_omitted_lines() {
 #[test]
 fn format_exec_output_returns_original_when_within_limits() {
    let content = "example output\n".repeat(10);
-    assert_eq!(truncate_exec_output(&content), content);
+
+    assert_eq!(
+        truncate::truncate_with_line_bytes_budget(&content, EXEC_FORMAT_MAX_BYTES),
+        content
+    );
 }

 #[test]
 fn format_exec_output_reports_omitted_lines_and_keeps_head_and_tail() {
-    let total_lines = 2_000;
-    let filler = "x".repeat(64);
+    let total_lines = EXEC_FORMAT_MAX_LINES + 100;
    let content: String = (0..total_lines)
-        .map(|idx| format!("line-{idx}-{filler}\n"))
+        .map(|idx| format!("line-{idx}\n"))
        .collect();

-    let truncated = truncate_exec_output(&content);
-    assert_truncated_message_matches(&truncated, "line-0-", 34_723);
+    let truncated = truncate::truncate_with_line_bytes_budget(&content, EXEC_FORMAT_MAX_BYTES);
+    let omitted = total_lines - EXEC_FORMAT_MAX_LINES;
+    let expected_marker = format!("[... omitted {omitted} of {total_lines} lines ...]");
+
    assert!(
-        truncated.contains("line-0-"),
+        truncated.contains(&expected_marker),
+        "missing omitted marker: {truncated}"
+    );
+    assert!(
+        truncated.contains("line-0\n"),
        "expected head line to remain: {truncated}"
    );

-    let last_line = format!("line-{}-", total_lines - 1);
+    let last_line = format!("line-{}\n", total_lines - 1);
    assert!(
        truncated.contains(&last_line),
        "expected tail line to remain: {truncated}"
@@ -451,15 +437,22 @@ fn format_exec_output_reports_omitted_lines_and_keeps_head_and_tail() {

 #[test]
 fn format_exec_output_prefers_line_marker_when_both_limits_exceeded() {
-    let total_lines = 300;
+    let total_lines = EXEC_FORMAT_MAX_LINES + 42;
    let long_line = "x".repeat(256);
    let content: String = (0..total_lines)
        .map(|idx| format!("line-{idx}-{long_line}\n"))
        .collect();

-    let truncated = truncate_exec_output(&content);
+    let truncated = truncate::truncate_with_line_bytes_budget(&content, EXEC_FORMAT_MAX_BYTES);

-    assert_truncated_message_matches(&truncated, "line-0-", 17_423);
+    assert!(
+        truncated.contains("[... omitted 42 of 298 lines ...]"),
+        "expected omitted marker when line count exceeds limit: {truncated}"
+    );
+    assert!(
+        !truncated.contains("byte limit"),
+        "line omission marker should take precedence over byte marker: {truncated}"
+    );
 }

 //TODO(aibrahim): run CI in release mode.
--- a/codex-rs/core/src/context_manager/mod.rs
+++ b/codex-rs/core/src/context_manager/mod.rs
@@ -1,4 +1,5 @@
 mod history;
 mod normalize;

+pub(crate) use crate::truncate::truncate_with_line_bytes_budget;
 pub(crate) use history::ContextManager;
--- a/codex-rs/core/src/conversation_manager.rs
+++ b/codex-rs/core/src/conversation_manager.rs
@@ -56,10 +56,6 @@ impl ConversationManager {
        )
    }

-    pub fn session_source(&self) -> SessionSource {
-        self.session_source.clone()
-    }
-
    pub async fn new_conversation(&self, config: Config) -> CodexResult<NewConversation> {
        self.spawn_conversation(config, self.auth_manager.clone())
            .await
--- a/codex-rs/core/src/environment_context.rs
+++ b/codex-rs/core/src/environment_context.rs
@@ -6,7 +6,6 @@ use crate::codex::TurnContext;
 use crate::protocol::AskForApproval;
 use crate::protocol::SandboxPolicy;
 use crate::shell::Shell;
-use crate::shell::default_user_shell;
 use codex_protocol::config_types::SandboxMode;
 use codex_protocol::models::ContentItem;
 use codex_protocol::models::ResponseItem;
@@ -29,7 +28,7 @@ pub(crate) struct EnvironmentContext {
    pub sandbox_mode: Option<SandboxMode>,
    pub network_access: Option<NetworkAccess>,
    pub writable_roots: Option<Vec<PathBuf>>,
-    pub shell: Shell,
+    pub shell: Option<Shell>,
 }

 impl EnvironmentContext {
@@ -37,7 +36,7 @@ impl EnvironmentContext {
        cwd: Option<PathBuf>,
        approval_policy: Option<AskForApproval>,
        sandbox_policy: Option<SandboxPolicy>,
-        shell: Shell,
+        shell: Option<Shell>,
    ) -> Self {
        Self {
            cwd,
@@ -111,7 +110,7 @@ impl EnvironmentContext {
        } else {
            None
        };
-        EnvironmentContext::new(cwd, approval_policy, sandbox_policy, default_user_shell())
+        EnvironmentContext::new(cwd, approval_policy, sandbox_policy, None)
    }
 }

@@ -122,7 +121,7 @@ impl From<&TurnContext> for EnvironmentContext {
            Some(turn_context.approval_policy),
            Some(turn_context.sandbox_policy.clone()),
            // Shell is not configurable from turn to turn
-            default_user_shell(),
+            None,
        )
    }
 }
@@ -170,9 +169,11 @@ impl EnvironmentContext {
            }
            lines.push("  </writable_roots>".to_string());
        }
-
-        let shell_name = self.shell.name();
-        lines.push(format!("  <shell>{shell_name}</shell>"));
+        if let Some(shell) = self.shell
+            && let Some(shell_name) = shell.name()
+        {
+            lines.push(format!("  <shell>{shell_name}</shell>"));
+        }
        lines.push(ENVIRONMENT_CONTEXT_CLOSE_TAG.to_string());
        lines.join("\n")
    }
@@ -192,18 +193,12 @@ impl From<EnvironmentContext> for ResponseItem {

 #[cfg(test)]
 mod tests {
-    use crate::shell::ShellType;
+    use crate::shell::BashShell;
+    use crate::shell::ZshShell;

    use super::*;
    use pretty_assertions::assert_eq;

-    fn fake_shell() -> Shell {
-        Shell {
-            shell_type: ShellType::Bash,
-            shell_path: PathBuf::from("/bin/bash"),
-        }
-    }
-
    fn workspace_write_policy(writable_roots: Vec<&str>, network_access: bool) -> SandboxPolicy {
        SandboxPolicy::WorkspaceWrite {
            writable_roots: writable_roots.into_iter().map(PathBuf::from).collect(),
@@ -219,7 +214,7 @@ mod tests {
            Some(PathBuf::from("/repo")),
            Some(AskForApproval::OnRequest),
            Some(workspace_write_policy(vec!["/repo", "/tmp"], false)),
-            fake_shell(),
+            None,
        );

        let expected = r#"<environment_context>
@@ -231,7 +226,6 @@ mod tests {
    <root>/repo</root>
    <root>/tmp</root>
  </writable_roots>
-  <shell>bash</shell>
 </environment_context>"#;

        assert_eq!(context.serialize_to_xml(), expected);
@@ -243,14 +237,13 @@ mod tests {
            None,
            Some(AskForApproval::Never),
            Some(SandboxPolicy::ReadOnly),
-            fake_shell(),
+            None,
        );

        let expected = r#"<environment_context>
  <approval_policy>never</approval_policy>
  <sandbox_mode>read-only</sandbox_mode>
  <network_access>restricted</network_access>
-  <shell>bash</shell>
 </environment_context>"#;

        assert_eq!(context.serialize_to_xml(), expected);
@@ -262,14 +255,13 @@ mod tests {
            None,
            Some(AskForApproval::OnFailure),
            Some(SandboxPolicy::DangerFullAccess),
-            fake_shell(),
+            None,
        );

        let expected = r#"<environment_context>
  <approval_policy>on-failure</approval_policy>
  <sandbox_mode>danger-full-access</sandbox_mode>
  <network_access>enabled</network_access>
-  <shell>bash</shell>
 </environment_context>"#;

        assert_eq!(context.serialize_to_xml(), expected);
@@ -282,13 +274,13 @@ mod tests {
            Some(PathBuf::from("/repo")),
            Some(AskForApproval::OnRequest),
            Some(workspace_write_policy(vec!["/repo"], false)),
-            fake_shell(),
+            None,
        );
        let context2 = EnvironmentContext::new(
            Some(PathBuf::from("/repo")),
            Some(AskForApproval::Never),
            Some(workspace_write_policy(vec!["/repo"], true)),
-            fake_shell(),
+            None,
        );
        assert!(!context1.equals_except_shell(&context2));
    }
@@ -299,13 +291,13 @@ mod tests {
            Some(PathBuf::from("/repo")),
            Some(AskForApproval::OnRequest),
            Some(SandboxPolicy::new_read_only_policy()),
-            fake_shell(),
+            None,
        );
        let context2 = EnvironmentContext::new(
            Some(PathBuf::from("/repo")),
            Some(AskForApproval::OnRequest),
            Some(SandboxPolicy::new_workspace_write_policy()),
-            fake_shell(),
+            None,
        );

        assert!(!context1.equals_except_shell(&context2));
@@ -317,13 +309,13 @@ mod tests {
            Some(PathBuf::from("/repo")),
            Some(AskForApproval::OnRequest),
            Some(workspace_write_policy(vec!["/repo", "/tmp", "/var"], false)),
-            fake_shell(),
+            None,
        );
        let context2 = EnvironmentContext::new(
            Some(PathBuf::from("/repo")),
            Some(AskForApproval::OnRequest),
            Some(workspace_write_policy(vec!["/repo", "/tmp"], true)),
-            fake_shell(),
+            None,
        );

        assert!(!context1.equals_except_shell(&context2));
@@ -335,19 +327,17 @@ mod tests {
            Some(PathBuf::from("/repo")),
            Some(AskForApproval::OnRequest),
            Some(workspace_write_policy(vec!["/repo"], false)),
-            Shell {
-                shell_type: ShellType::Bash,
+            Some(Shell::Bash(BashShell {
                shell_path: "/bin/bash".into(),
-            },
+            })),
        );
        let context2 = EnvironmentContext::new(
            Some(PathBuf::from("/repo")),
            Some(AskForApproval::OnRequest),
            Some(workspace_write_policy(vec!["/repo"], false)),
-            Shell {
-                shell_type: ShellType::Zsh,
+            Some(Shell::Zsh(ZshShell {
                shell_path: "/bin/zsh".into(),
-            },
+            })),
        );

        assert!(context1.equals_except_shell(&context2));
--- a/codex-rs/core/src/error.rs
+++ b/codex-rs/core/src/error.rs
@@ -10,8 +10,6 @@ use chrono::Local;
 use chrono::Utc;
 use codex_async_utils::CancelErr;
 use codex_protocol::ConversationId;
-use codex_protocol::protocol::CodexErrorInfo;
-use codex_protocol::protocol::ErrorEvent;
 use codex_protocol::protocol::RateLimitSnapshot;
 use reqwest::StatusCode;
 use serde_json;
@@ -432,57 +430,6 @@ impl CodexErr {
    pub fn downcast_ref<T: std::any::Any>(&self) -> Option<&T> {
        (self as &dyn std::any::Any).downcast_ref::<T>()
    }
-
-    /// Translate core error to client-facing protocol error.
-    pub fn to_codex_protocol_error(&self) -> CodexErrorInfo {
-        match self {
-            CodexErr::ContextWindowExceeded => CodexErrorInfo::ContextWindowExceeded,
-            CodexErr::UsageLimitReached(_)
-            | CodexErr::QuotaExceeded
-            | CodexErr::UsageNotIncluded => CodexErrorInfo::UsageLimitExceeded,
-            CodexErr::RetryLimit(_) => CodexErrorInfo::ResponseTooManyFailedAttempts {
-                http_status_code: self.http_status_code_value(),
-            },
-            CodexErr::ConnectionFailed(_) => CodexErrorInfo::HttpConnectionFailed {
-                http_status_code: self.http_status_code_value(),
-            },
-            CodexErr::ResponseStreamFailed(_) => CodexErrorInfo::ResponseStreamConnectionFailed {
-                http_status_code: self.http_status_code_value(),
-            },
-            CodexErr::RefreshTokenFailed(_) => CodexErrorInfo::Unauthorized,
-            CodexErr::SessionConfiguredNotFirstEvent
-            | CodexErr::InternalServerError
-            | CodexErr::InternalAgentDied => CodexErrorInfo::InternalServerError,
-            CodexErr::UnsupportedOperation(_) | CodexErr::ConversationNotFound(_) => {
-                CodexErrorInfo::BadRequest
-            }
-            CodexErr::Sandbox(_) => CodexErrorInfo::SandboxError,
-            _ => CodexErrorInfo::Other,
-        }
-    }
-
-    pub fn to_error_event(&self, message_prefix: Option<String>) -> ErrorEvent {
-        let error_message = self.to_string();
-        let message: String = match message_prefix {
-            Some(prefix) => format!("{prefix}: {error_message}"),
-            None => error_message,
-        };
-        ErrorEvent {
-            message,
-            codex_error_info: Some(self.to_codex_protocol_error()),
-        }
-    }
-
-    pub fn http_status_code_value(&self) -> Option<u16> {
-        let http_status_code = match self {
-            CodexErr::RetryLimit(err) => Some(err.status),
-            CodexErr::UnexpectedStatus(err) => Some(err.status),
-            CodexErr::ConnectionFailed(err) => err.source.status(),
-            CodexErr::ResponseStreamFailed(err) => err.source.status(),
-            _ => None,
-        };
-        http_status_code.as_ref().map(StatusCode::as_u16)
-    }
 }

 pub fn get_error_message_ui(e: &CodexErr) -> String {
@@ -531,10 +478,6 @@ mod tests {
    use chrono::Utc;
    use codex_protocol::protocol::RateLimitWindow;
    use pretty_assertions::assert_eq;
-    use reqwest::Response;
-    use reqwest::ResponseBuilderExt;
-    use reqwest::StatusCode;
-    use reqwest::Url;

    fn rate_limit_snapshot() -> RateLimitSnapshot {
        let primary_reset_at = Utc
@@ -556,7 +499,6 @@ mod tests {
                window_minutes: Some(120),
                resets_at: Some(secondary_reset_at),
            }),
-            credits: None,
        }
    }

@@ -630,33 +572,6 @@ mod tests {
        assert_eq!(get_error_message_ui(&err), "stdout only");
    }

-    #[test]
-    fn to_error_event_handles_response_stream_failed() {
-        let response = http::Response::builder()
-            .status(StatusCode::TOO_MANY_REQUESTS)
-            .url(Url::parse("http://example.com").unwrap())
-            .body("")
-            .unwrap();
-        let source = Response::from(response).error_for_status_ref().unwrap_err();
-        let err = CodexErr::ResponseStreamFailed(ResponseStreamFailed {
-            source,
-            request_id: Some("req-123".to_string()),
-        });
-
-        let event = err.to_error_event(Some("prefix".to_string()));
-
-        assert_eq!(
-            event.message,
-            "prefix: Error while reading the server response: HTTP status client error (429 Too Many Requests) for url (http://example.com/), request id: req-123"
-        );
-        assert_eq!(
-            event.codex_error_info,
-            Some(CodexErrorInfo::ResponseStreamConnectionFailed {
-                http_status_code: Some(429)
-            })
-        );
-    }
-
    #[test]
    fn sandbox_denied_reports_exit_code_when_no_output_available() {
        let output = ExecToolCallOutput {
--- a/codex-rs/core/src/event_mapping.rs
+++ b/codex-rs/core/src/event_mapping.rs
@@ -117,7 +117,7 @@ pub fn parse_turn_item(item: &ResponseItem) -> Option<TurnItem> {
            ..
        } => Some(TurnItem::WebSearch(WebSearchItem {
            id: id.clone().unwrap_or_default(),
-            query: query.clone().unwrap_or_default(),
+            query: query.clone(),
        })),
        _ => None,
    }
@@ -306,7 +306,7 @@ mod tests {
            id: Some("ws_1".to_string()),
            status: Some("completed".to_string()),
            action: WebSearchAction::Search {
-                query: Some("weather".to_string()),
+                query: "weather".to_string(),
            },
        };

--- a/codex-rs/core/src/exec.rs
+++ b/codex-rs/core/src/exec.rs
@@ -14,12 +14,10 @@ use tokio::io::AsyncRead;
 use tokio::io::AsyncReadExt;
 use tokio::io::BufReader;
 use tokio::process::Child;
-use tokio_util::sync::CancellationToken;

 use crate::error::CodexErr;
 use crate::error::Result;
 use crate::error::SandboxErr;
-use crate::get_platform_sandbox;
 use crate::protocol::Event;
 use crate::protocol::EventMsg;
 use crate::protocol::ExecCommandOutputDeltaEvent;
@@ -30,9 +28,8 @@ use crate::sandboxing::ExecEnv;
 use crate::sandboxing::SandboxManager;
 use crate::spawn::StdioPolicy;
 use crate::spawn::spawn_child_async;
-use crate::text_encoding::bytes_to_string_smart;

-pub const DEFAULT_EXEC_COMMAND_TIMEOUT_MS: u64 = 10_000;
+const DEFAULT_TIMEOUT_MS: u64 = 10_000;

 // Hardcode these since it does not seem worth including the libc crate just
 // for these.
@@ -49,59 +46,20 @@ const AGGREGATE_BUFFER_INITIAL_CAPACITY: usize = 8 * 1024; // 8 KiB
 /// Aggregation still collects full output; only the live event stream is capped.
 pub(crate) const MAX_EXEC_OUTPUT_DELTAS_PER_CALL: usize = 10_000;

-#[derive(Debug)]
+#[derive(Clone, Debug)]
 pub struct ExecParams {
    pub command: Vec<String>,
    pub cwd: PathBuf,
-    pub expiration: ExecExpiration,
+    pub timeout_ms: Option<u64>,
    pub env: HashMap<String, String>,
    pub with_escalated_permissions: Option<bool>,
    pub justification: Option<String>,
    pub arg0: Option<String>,
 }

-/// Mechanism to terminate an exec invocation before it finishes naturally.
-#[derive(Debug)]
-pub enum ExecExpiration {
-    Timeout(Duration),
-    DefaultTimeout,
-    Cancellation(CancellationToken),
-}
-
-impl From<Option<u64>> for ExecExpiration {
-    fn from(timeout_ms: Option<u64>) -> Self {
-        timeout_ms.map_or(ExecExpiration::DefaultTimeout, |timeout_ms| {
-            ExecExpiration::Timeout(Duration::from_millis(timeout_ms))
-        })
-    }
-}
-
-impl From<u64> for ExecExpiration {
-    fn from(timeout_ms: u64) -> Self {
-        ExecExpiration::Timeout(Duration::from_millis(timeout_ms))
-    }
-}
-
-impl ExecExpiration {
-    async fn wait(self) {
-        match self {
-            ExecExpiration::Timeout(duration) => tokio::time::sleep(duration).await,
-            ExecExpiration::DefaultTimeout => {
-                tokio::time::sleep(Duration::from_millis(DEFAULT_EXEC_COMMAND_TIMEOUT_MS)).await
-            }
-            ExecExpiration::Cancellation(cancel) => {
-                cancel.cancelled().await;
-            }
-        }
-    }
-
-    /// If ExecExpiration is a timeout, returns the timeout in milliseconds.
-    pub(crate) fn timeout_ms(&self) -> Option<u64> {
-        match self {
-            ExecExpiration::Timeout(duration) => Some(duration.as_millis() as u64),
-            ExecExpiration::DefaultTimeout => Some(DEFAULT_EXEC_COMMAND_TIMEOUT_MS),
-            ExecExpiration::Cancellation(_) => None,
-        }
+impl ExecParams {
+    pub fn timeout_duration(&self) -> Duration {
+        Duration::from_millis(self.timeout_ms.unwrap_or(DEFAULT_TIMEOUT_MS))
    }
 }

@@ -128,21 +86,16 @@ pub struct StdoutStream {

 pub async fn process_exec_tool_call(
    params: ExecParams,
+    sandbox_type: SandboxType,
    sandbox_policy: &SandboxPolicy,
    sandbox_cwd: &Path,
    codex_linux_sandbox_exe: &Option<PathBuf>,
    stdout_stream: Option<StdoutStream>,
 ) -> Result<ExecToolCallOutput> {
-    let sandbox_type = match &sandbox_policy {
-        SandboxPolicy::DangerFullAccess => SandboxType::None,
-        _ => get_platform_sandbox().unwrap_or(SandboxType::None),
-    };
-    tracing::debug!("Sandbox type: {sandbox_type:?}");
-
    let ExecParams {
        command,
        cwd,
-        expiration,
+        timeout_ms,
        env,
        with_escalated_permissions,
        justification,
@@ -161,7 +114,7 @@ pub async fn process_exec_tool_call(
        args: args.to_vec(),
        cwd,
        env,
-        expiration,
+        timeout_ms,
        with_escalated_permissions,
        justification,
    };
@@ -169,7 +122,7 @@ pub async fn process_exec_tool_call(
    let manager = SandboxManager::new();
    let exec_env = manager
        .transform(
-            spec,
+            &spec,
            sandbox_policy,
            sandbox_type,
            sandbox_cwd,
@@ -178,7 +131,7 @@ pub async fn process_exec_tool_call(
        .map_err(CodexErr::from)?;

    // Route through the sandboxing module for a single, unified execution path.
-    crate::sandboxing::execute_env(exec_env, sandbox_policy, stdout_stream).await
+    crate::sandboxing::execute_env(&exec_env, sandbox_policy, stdout_stream).await
 }

 pub(crate) async fn execute_exec_env(
@@ -190,7 +143,7 @@ pub(crate) async fn execute_exec_env(
        command,
        cwd,
        env,
-        expiration,
+        timeout_ms,
        sandbox,
        with_escalated_permissions,
        justification,
@@ -200,7 +153,7 @@ pub(crate) async fn execute_exec_env(
    let params = ExecParams {
        command,
        cwd,
-        expiration,
+        timeout_ms,
        env,
        with_escalated_permissions,
        justification,
@@ -225,12 +178,9 @@ async fn exec_windows_sandbox(
        command,
        cwd,
        env,
-        expiration,
+        timeout_ms,
        ..
    } = params;
-    // TODO(iceweasel-oai): run_windows_sandbox_capture should support all
-    // variants of ExecExpiration, not just timeout.
-    let timeout_ms = expiration.timeout_ms();

    let policy_str = serde_json::to_string(sandbox_policy).map_err(|err| {
        CodexErr::Io(io::Error::other(format!(
@@ -464,7 +414,7 @@ impl StreamOutput<String> {
 impl StreamOutput<Vec<u8>> {
    pub fn from_utf8_lossy(&self) -> StreamOutput<String> {
        StreamOutput {
-            text: bytes_to_string_smart(&self.text),
+            text: String::from_utf8_lossy(&self.text).to_string(),
            truncated_after_lines: self.truncated_after_lines,
        }
    }
@@ -498,12 +448,12 @@ async fn exec(
    {
        return exec_windows_sandbox(params, sandbox_policy).await;
    }
+    let timeout = params.timeout_duration();
    let ExecParams {
        command,
        cwd,
        env,
        arg0,
-        expiration,
        ..
    } = params;

@@ -524,14 +474,14 @@ async fn exec(
        env,
    )
    .await?;
-    consume_truncated_output(child, expiration, stdout_stream).await
+    consume_truncated_output(child, timeout, stdout_stream).await
 }

 /// Consumes the output of a child process, truncating it so it is suitable for
 /// use as the output of a `shell` tool call. Also enforces specified timeout.
 async fn consume_truncated_output(
    mut child: Child,
-    expiration: ExecExpiration,
+    timeout: Duration,
    stdout_stream: Option<StdoutStream>,
 ) -> Result<RawExecToolCallOutput> {
    // Both stdout and stderr were configured with `Stdio::piped()`
@@ -565,14 +515,20 @@ async fn consume_truncated_output(
    ));

    let (exit_status, timed_out) = tokio::select! {
-        status_result = child.wait() => {
-            let exit_status = status_result?;
-            (exit_status, false)
-        }
-        _ = expiration.wait() => {
-            kill_child_process_group(&mut child)?;
-            child.start_kill()?;
-            (synthetic_exit_status(EXIT_CODE_SIGNAL_BASE + TIMEOUT_CODE), true)
+        result = tokio::time::timeout(timeout, child.wait()) => {
+            match result {
+                Ok(status_result) => {
+                    let exit_status = status_result?;
+                    (exit_status, false)
+                }
+                Err(_) => {
+                    // timeout
+                    kill_child_process_group(&mut child)?;
+                    child.start_kill()?;
+                    // Debatable whether `child.wait().await` should be called here.
+                    (synthetic_exit_status(EXIT_CODE_SIGNAL_BASE + TIMEOUT_CODE), true)
+                }
+            }
        }
        _ = tokio::signal::ctrl_c() => {
            kill_child_process_group(&mut child)?;
@@ -824,15 +780,6 @@ mod tests {
    #[cfg(unix)]
    #[tokio::test]
    async fn kill_child_process_group_kills_grandchildren_on_timeout() -> Result<()> {
-        // On Linux/macOS, /bin/bash is typically present; on FreeBSD/OpenBSD,
-        // prefer /bin/sh to avoid NotFound errors.
-        #[cfg(any(target_os = "freebsd", target_os = "openbsd"))]
-        let command = vec![
-            "/bin/sh".to_string(),
-            "-c".to_string(),
-            "sleep 60 & echo $!; sleep 60".to_string(),
-        ];
-        #[cfg(all(unix, not(any(target_os = "freebsd", target_os = "openbsd"))))]
        let command = vec![
            "/bin/bash".to_string(),
            "-c".to_string(),
@@ -842,7 +789,7 @@ mod tests {
        let params = ExecParams {
            command,
            cwd: std::env::current_dir()?,
-            expiration: 500.into(),
+            timeout_ms: Some(500),
            env,
            with_escalated_permissions: None,
            justification: None,
@@ -876,61 +823,4 @@ mod tests {
        assert!(killed, "grandchild process with pid {pid} is still alive");
        Ok(())
    }
-
-    #[tokio::test]
-    async fn process_exec_tool_call_respects_cancellation_token() -> Result<()> {
-        let command = long_running_command();
-        let cwd = std::env::current_dir()?;
-        let env: HashMap<String, String> = std::env::vars().collect();
-        let cancel_token = CancellationToken::new();
-        let cancel_tx = cancel_token.clone();
-        let params = ExecParams {
-            command,
-            cwd: cwd.clone(),
-            expiration: ExecExpiration::Cancellation(cancel_token),
-            env,
-            with_escalated_permissions: None,
-            justification: None,
-            arg0: None,
-        };
-        tokio::spawn(async move {
-            tokio::time::sleep(Duration::from_millis(1_000)).await;
-            cancel_tx.cancel();
-        });
-        let result = process_exec_tool_call(
-            params,
-            &SandboxPolicy::DangerFullAccess,
-            cwd.as_path(),
-            &None,
-            None,
-        )
-        .await;
-        let output = match result {
-            Err(CodexErr::Sandbox(SandboxErr::Timeout { output })) => output,
-            other => panic!("expected timeout error, got {other:?}"),
-        };
-        assert!(output.timed_out);
-        assert_eq!(output.exit_code, EXEC_TIMEOUT_EXIT_CODE);
-        Ok(())
-    }
-
-    #[cfg(unix)]
-    fn long_running_command() -> Vec<String> {
-        vec![
-            "/bin/sh".to_string(),
-            "-c".to_string(),
-            "sleep 30".to_string(),
-        ]
-    }
-
-    #[cfg(windows)]
-    fn long_running_command() -> Vec<String> {
-        vec![
-            "powershell.exe".to_string(),
-            "-NonInteractive".to_string(),
-            "-NoLogo".to_string(),
-            "-Command".to_string(),
-            "Start-Sleep -Seconds 30".to_string(),
-        ]
-    }
 }
--- a/codex-rs/core/src/exec_policy.rs
+++ b/codex-rs/core/src/exec_policy.rs
@@ -1,369 +0,0 @@
-use std::io::ErrorKind;
-use std::path::Path;
-use std::path::PathBuf;
-use std::sync::Arc;
-
-use crate::command_safety::is_dangerous_command::requires_initial_appoval;
-use codex_execpolicy::Decision;
-use codex_execpolicy::Evaluation;
-use codex_execpolicy::Policy;
-use codex_execpolicy::PolicyParser;
-use codex_protocol::protocol::AskForApproval;
-use codex_protocol::protocol::SandboxPolicy;
-use thiserror::Error;
-use tokio::fs;
-
-use crate::bash::parse_shell_lc_plain_commands;
-use crate::features::Feature;
-use crate::features::Features;
-use crate::sandboxing::SandboxPermissions;
-use crate::tools::sandboxing::ApprovalRequirement;
-
-const FORBIDDEN_REASON: &str = "execpolicy forbids this command";
-const PROMPT_REASON: &str = "execpolicy requires approval for this command";
-const POLICY_DIR_NAME: &str = "policy";
-const POLICY_EXTENSION: &str = "codexpolicy";
-
-#[derive(Debug, Error)]
-pub enum ExecPolicyError {
-    #[error("failed to read execpolicy files from {dir}: {source}")]
-    ReadDir {
-        dir: PathBuf,
-        source: std::io::Error,
-    },
-
-    #[error("failed to read execpolicy file {path}: {source}")]
-    ReadFile {
-        path: PathBuf,
-        source: std::io::Error,
-    },
-
-    #[error("failed to parse execpolicy file {path}: {source}")]
-    ParsePolicy {
-        path: String,
-        source: codex_execpolicy::Error,
-    },
-}
-
-pub(crate) async fn exec_policy_for(
-    features: &Features,
-    codex_home: &Path,
-) -> Result<Arc<Policy>, ExecPolicyError> {
-    if !features.enabled(Feature::ExecPolicy) {
-        return Ok(Arc::new(Policy::empty()));
-    }
-
-    let policy_dir = codex_home.join(POLICY_DIR_NAME);
-    let policy_paths = collect_policy_files(&policy_dir).await?;
-
-    let mut parser = PolicyParser::new();
-    for policy_path in &policy_paths {
-        let contents =
-            fs::read_to_string(policy_path)
-                .await
-                .map_err(|source| ExecPolicyError::ReadFile {
-                    path: policy_path.clone(),
-                    source,
-                })?;
-        let identifier = policy_path.to_string_lossy().to_string();
-        parser
-            .parse(&identifier, &contents)
-            .map_err(|source| ExecPolicyError::ParsePolicy {
-                path: identifier,
-                source,
-            })?;
-    }
-
-    let policy = Arc::new(parser.build());
-    tracing::debug!(
-        "loaded execpolicy from {} files in {}",
-        policy_paths.len(),
-        policy_dir.display()
-    );
-
-    Ok(policy)
-}
-
-fn evaluate_with_policy(
-    policy: &Policy,
-    command: &[String],
-    approval_policy: AskForApproval,
-) -> Option<ApprovalRequirement> {
-    let commands = parse_shell_lc_plain_commands(command).unwrap_or_else(|| vec![command.to_vec()]);
-    let evaluation = policy.check_multiple(commands.iter());
-
-    match evaluation {
-        Evaluation::Match { decision, .. } => match decision {
-            Decision::Forbidden => Some(ApprovalRequirement::Forbidden {
-                reason: FORBIDDEN_REASON.to_string(),
-            }),
-            Decision::Prompt => {
-                let reason = PROMPT_REASON.to_string();
-                if matches!(approval_policy, AskForApproval::Never) {
-                    Some(ApprovalRequirement::Forbidden { reason })
-                } else {
-                    Some(ApprovalRequirement::NeedsApproval {
-                        reason: Some(reason),
-                    })
-                }
-            }
-            Decision::Allow => Some(ApprovalRequirement::Skip {
-                bypass_sandbox: true,
-            }),
-        },
-        Evaluation::NoMatch { .. } => None,
-    }
-}
-
-pub(crate) fn create_approval_requirement_for_command(
-    policy: &Policy,
-    command: &[String],
-    approval_policy: AskForApproval,
-    sandbox_policy: &SandboxPolicy,
-    sandbox_permissions: SandboxPermissions,
-) -> ApprovalRequirement {
-    if let Some(requirement) = evaluate_with_policy(policy, command, approval_policy) {
-        return requirement;
-    }
-
-    if requires_initial_appoval(
-        approval_policy,
-        sandbox_policy,
-        command,
-        sandbox_permissions,
-    ) {
-        ApprovalRequirement::NeedsApproval { reason: None }
-    } else {
-        ApprovalRequirement::Skip {
-            bypass_sandbox: false,
-        }
-    }
-}
-
-async fn collect_policy_files(dir: &Path) -> Result<Vec<PathBuf>, ExecPolicyError> {
-    let mut read_dir = match fs::read_dir(dir).await {
-        Ok(read_dir) => read_dir,
-        Err(err) if err.kind() == ErrorKind::NotFound => return Ok(Vec::new()),
-        Err(source) => {
-            return Err(ExecPolicyError::ReadDir {
-                dir: dir.to_path_buf(),
-                source,
-            });
-        }
-    };
-
-    let mut policy_paths = Vec::new();
-    while let Some(entry) =
-        read_dir
-            .next_entry()
-            .await
-            .map_err(|source| ExecPolicyError::ReadDir {
-                dir: dir.to_path_buf(),
-                source,
-            })?
-    {
-        let path = entry.path();
-        let file_type = entry
-            .file_type()
-            .await
-            .map_err(|source| ExecPolicyError::ReadDir {
-                dir: dir.to_path_buf(),
-                source,
-            })?;
-
-        if path
-            .extension()
-            .and_then(|ext| ext.to_str())
-            .is_some_and(|ext| ext == POLICY_EXTENSION)
-            && file_type.is_file()
-        {
-            policy_paths.push(path);
-        }
-    }
-
-    policy_paths.sort();
-
-    Ok(policy_paths)
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::features::Feature;
-    use crate::features::Features;
-    use codex_protocol::protocol::AskForApproval;
-    use codex_protocol::protocol::SandboxPolicy;
-    use pretty_assertions::assert_eq;
-    use std::fs;
-    use tempfile::tempdir;
-
-    #[tokio::test]
-    async fn returns_empty_policy_when_feature_disabled() {
-        let mut features = Features::with_defaults();
-        features.disable(Feature::ExecPolicy);
-        let temp_dir = tempdir().expect("create temp dir");
-
-        let policy = exec_policy_for(&features, temp_dir.path())
-            .await
-            .expect("policy result");
-
-        let commands = [vec!["rm".to_string()]];
-        assert!(matches!(
-            policy.check_multiple(commands.iter()),
-            Evaluation::NoMatch { .. }
-        ));
-        assert!(!temp_dir.path().join(POLICY_DIR_NAME).exists());
-    }
-
-    #[tokio::test]
-    async fn collect_policy_files_returns_empty_when_dir_missing() {
-        let temp_dir = tempdir().expect("create temp dir");
-
-        let policy_dir = temp_dir.path().join(POLICY_DIR_NAME);
-        let files = collect_policy_files(&policy_dir)
-            .await
-            .expect("collect policy files");
-
-        assert!(files.is_empty());
-    }
-
-    #[tokio::test]
-    async fn loads_policies_from_policy_subdirectory() {
-        let temp_dir = tempdir().expect("create temp dir");
-        let policy_dir = temp_dir.path().join(POLICY_DIR_NAME);
-        fs::create_dir_all(&policy_dir).expect("create policy dir");
-        fs::write(
-            policy_dir.join("deny.codexpolicy"),
-            r#"prefix_rule(pattern=["rm"], decision="forbidden")"#,
-        )
-        .expect("write policy file");
-
-        let policy = exec_policy_for(&Features::with_defaults(), temp_dir.path())
-            .await
-            .expect("policy result");
-        let command = [vec!["rm".to_string()]];
-        assert!(matches!(
-            policy.check_multiple(command.iter()),
-            Evaluation::Match { .. }
-        ));
-    }
-
-    #[tokio::test]
-    async fn ignores_policies_outside_policy_dir() {
-        let temp_dir = tempdir().expect("create temp dir");
-        fs::write(
-            temp_dir.path().join("root.codexpolicy"),
-            r#"prefix_rule(pattern=["ls"], decision="prompt")"#,
-        )
-        .expect("write policy file");
-
-        let policy = exec_policy_for(&Features::with_defaults(), temp_dir.path())
-            .await
-            .expect("policy result");
-        let command = [vec!["ls".to_string()]];
-        assert!(matches!(
-            policy.check_multiple(command.iter()),
-            Evaluation::NoMatch { .. }
-        ));
-    }
-
-    #[test]
-    fn evaluates_bash_lc_inner_commands() {
-        let policy_src = r#"
-prefix_rule(pattern=["rm"], decision="forbidden")
-"#;
-        let mut parser = PolicyParser::new();
-        parser
-            .parse("test.codexpolicy", policy_src)
-            .expect("parse policy");
-        let policy = parser.build();
-
-        let forbidden_script = vec![
-            "bash".to_string(),
-            "-lc".to_string(),
-            "rm -rf /tmp".to_string(),
-        ];
-
-        let requirement =
-            evaluate_with_policy(&policy, &forbidden_script, AskForApproval::OnRequest)
-                .expect("expected match for forbidden command");
-
-        assert_eq!(
-            requirement,
-            ApprovalRequirement::Forbidden {
-                reason: FORBIDDEN_REASON.to_string()
-            }
-        );
-    }
-
-    #[test]
-    fn approval_requirement_prefers_execpolicy_match() {
-        let policy_src = r#"prefix_rule(pattern=["rm"], decision="prompt")"#;
-        let mut parser = PolicyParser::new();
-        parser
-            .parse("test.codexpolicy", policy_src)
-            .expect("parse policy");
-        let policy = parser.build();
-        let command = vec!["rm".to_string()];
-
-        let requirement = create_approval_requirement_for_command(
-            &policy,
-            &command,
-            AskForApproval::OnRequest,
-            &SandboxPolicy::DangerFullAccess,
-            SandboxPermissions::UseDefault,
-        );
-
-        assert_eq!(
-            requirement,
-            ApprovalRequirement::NeedsApproval {
-                reason: Some(PROMPT_REASON.to_string())
-            }
-        );
-    }
-
-    #[test]
-    fn approval_requirement_respects_approval_policy() {
-        let policy_src = r#"prefix_rule(pattern=["rm"], decision="prompt")"#;
-        let mut parser = PolicyParser::new();
-        parser
-            .parse("test.codexpolicy", policy_src)
-            .expect("parse policy");
-        let policy = parser.build();
-        let command = vec!["rm".to_string()];
-
-        let requirement = create_approval_requirement_for_command(
-            &policy,
-            &command,
-            AskForApproval::Never,
-            &SandboxPolicy::DangerFullAccess,
-            SandboxPermissions::UseDefault,
-        );
-
-        assert_eq!(
-            requirement,
-            ApprovalRequirement::Forbidden {
-                reason: PROMPT_REASON.to_string()
-            }
-        );
-    }
-
-    #[test]
-    fn approval_requirement_falls_back_to_heuristics() {
-        let command = vec!["python".to_string()];
-
-        let empty_policy = Policy::empty();
-        let requirement = create_approval_requirement_for_command(
-            &empty_policy,
-            &command,
-            AskForApproval::UnlessTrusted,
-            &SandboxPolicy::ReadOnly,
-            SandboxPermissions::UseDefault,
-        );
-
-        assert_eq!(
-            requirement,
-            ApprovalRequirement::NeedsApproval { reason: None }
-        );
-    }
-}
--- a/codex-rs/core/src/features.rs
+++ b/codex-rs/core/src/features.rs
@@ -31,6 +31,9 @@ pub enum Feature {
    GhostCommit,
    /// Use the single unified PTY-backed exec tool.
    UnifiedExec,
+    /// Use the shell command tool that takes `command` as a single string of
+    /// shell instead of an array of args passed to `execvp(3)`.
+    ShellCommandTool,
    /// Enable experimental RMCP features such as OAuth login.
    RmcpClient,
    /// Include the freeform apply_patch tool.
@@ -39,8 +42,6 @@ pub enum Feature {
    ViewImageTool,
    /// Allow the model to request web searches.
    WebSearchRequest,
-    /// Gate the execpolicy enforcement for shell/unified exec.
-    ExecPolicy,
    /// Enable the model-based risk assessments for sandboxed commands.
    SandboxCommandAssessment,
    /// Enable Windows sandbox (restricted token) on Windows.
@@ -259,12 +260,6 @@ pub const FEATURES: &[FeatureSpec] = &[
        stage: Stage::Stable,
        default_enabled: true,
    },
-    FeatureSpec {
-        id: Feature::ViewImageTool,
-        key: "view_image_tool",
-        stage: Stage::Stable,
-        default_enabled: true,
-    },
    // Unstable features.
    FeatureSpec {
        id: Feature::UnifiedExec,
@@ -272,6 +267,12 @@ pub const FEATURES: &[FeatureSpec] = &[
        stage: Stage::Experimental,
        default_enabled: false,
    },
+    FeatureSpec {
+        id: Feature::ShellCommandTool,
+        key: "shell_command_tool",
+        stage: Stage::Experimental,
+        default_enabled: false,
+    },
    FeatureSpec {
        id: Feature::RmcpClient,
        key: "rmcp_client",
@@ -284,18 +285,18 @@ pub const FEATURES: &[FeatureSpec] = &[
        stage: Stage::Beta,
        default_enabled: false,
    },
+    FeatureSpec {
+        id: Feature::ViewImageTool,
+        key: "view_image_tool",
+        stage: Stage::Stable,
+        default_enabled: true,
+    },
    FeatureSpec {
        id: Feature::WebSearchRequest,
        key: "web_search_request",
        stage: Stage::Stable,
        default_enabled: false,
    },
-    FeatureSpec {
-        id: Feature::ExecPolicy,
-        key: "exec_policy",
-        stage: Stage::Experimental,
-        default_enabled: true,
-    },
    FeatureSpec {
        id: Feature::SandboxCommandAssessment,
        key: "experimental_sandbox_command_assessment",
--- a/codex-rs/core/src/git_info.rs
+++ b/codex-rs/core/src/git_info.rs
@@ -825,21 +825,11 @@ mod tests {
            .await
            .expect("Should collect git info from repo");

-        let remote_url_output = Command::new("git")
-            .args(["remote", "get-url", "origin"])
-            .current_dir(&repo_path)
-            .output()
-            .await
-            .expect("Failed to read remote url");
-        // Some dev environments rewrite remotes (e.g., force SSH), so compare against
-        // whatever URL Git reports instead of a fixed placeholder.
-        let expected_remote = String::from_utf8(remote_url_output.stdout)
-            .unwrap()
-            .trim()
-            .to_string();
-
        // Should have repository URL
-        assert_eq!(git_info.repository_url, Some(expected_remote));
+        assert_eq!(
+            git_info.repository_url,
+            Some("https://github.com/example/repo.git".to_string())
+        );
    }

    #[tokio::test]
--- a/codex-rs/core/src/lib.rs
+++ b/codex-rs/core/src/lib.rs
@@ -25,16 +25,12 @@ mod environment_context;
 pub mod error;
 pub mod exec;
 pub mod exec_env;
-mod exec_policy;
 pub mod features;
 mod flags;
 pub mod git_info;
 pub mod landlock;
 pub mod mcp;
 mod mcp_connection_manager;
-pub use mcp_connection_manager::MCP_SANDBOX_STATE_CAPABILITY;
-pub use mcp_connection_manager::MCP_SANDBOX_STATE_NOTIFICATION;
-pub use mcp_connection_manager::SandboxState;
 mod mcp_tool_call;
 mod message_history;
 mod model_provider_info;
@@ -42,7 +38,6 @@ pub mod parse_command;
 pub mod powershell;
 mod response_processing;
 pub mod sandboxing;
-mod text_encoding;
 pub mod token_data;
 mod truncate;
 mod unified_exec;
--- a/codex-rs/core/src/mcp_connection_manager.rs
+++ b/codex-rs/core/src/mcp_connection_manager.rs
@@ -10,9 +10,7 @@ use std::collections::HashMap;
 use std::collections::HashSet;
 use std::env;
 use std::ffi::OsString;
-use std::path::PathBuf;
 use std::sync::Arc;
-use std::sync::Mutex;
 use std::time::Duration;

 use crate::mcp::auth::McpAuthStatusEntry;
@@ -22,18 +20,14 @@ use anyhow::anyhow;
 use async_channel::Sender;
 use codex_async_utils::CancelErr;
 use codex_async_utils::OrCancelExt;
-use codex_protocol::approvals::ElicitationRequestEvent;
 use codex_protocol::protocol::Event;
 use codex_protocol::protocol::EventMsg;
 use codex_protocol::protocol::McpStartupCompleteEvent;
 use codex_protocol::protocol::McpStartupFailure;
 use codex_protocol::protocol::McpStartupStatus;
 use codex_protocol::protocol::McpStartupUpdateEvent;
-use codex_protocol::protocol::SandboxPolicy;
-use codex_rmcp_client::ElicitationResponse;
 use codex_rmcp_client::OAuthCredentialsStoreMode;
 use codex_rmcp_client::RmcpClient;
-use codex_rmcp_client::SendElicitation;
 use futures::future::BoxFuture;
 use futures::future::FutureExt;
 use futures::future::Shared;
@@ -45,17 +39,13 @@ use mcp_types::ListResourcesRequestParams;
 use mcp_types::ListResourcesResult;
 use mcp_types::ReadResourceRequestParams;
 use mcp_types::ReadResourceResult;
-use mcp_types::RequestId;
 use mcp_types::Resource;
 use mcp_types::ResourceTemplate;
 use mcp_types::Tool;

-use serde::Deserialize;
-use serde::Serialize;
 use serde_json::json;
 use sha1::Digest;
 use sha1::Sha1;
-use tokio::sync::oneshot;
 use tokio::task::JoinSet;
 use tokio_util::sync::CancellationToken;
 use tracing::warn;
@@ -120,65 +110,12 @@ pub(crate) struct ToolInfo {
    pub(crate) tool: Tool,
 }

-type ResponderMap = HashMap<(String, RequestId), oneshot::Sender<ElicitationResponse>>;
-
-#[derive(Clone, Default)]
-struct ElicitationRequestManager {
-    requests: Arc<Mutex<ResponderMap>>,
-}
-
-impl ElicitationRequestManager {
-    fn resolve(
-        &self,
-        server_name: String,
-        id: RequestId,
-        response: ElicitationResponse,
-    ) -> Result<()> {
-        self.requests
-            .lock()
-            .map_err(|e| anyhow!("failed to lock elicitation requests: {e:?}"))?
-            .remove(&(server_name, id))
-            .ok_or_else(|| anyhow!("elicitation request not found"))?
-            .send(response)
-            .map_err(|e| anyhow!("failed to send elicitation response: {e:?}"))
-    }
-
-    fn make_sender(&self, server_name: String, tx_event: Sender<Event>) -> SendElicitation {
-        let elicitation_requests = self.requests.clone();
-        Box::new(move |id, elicitation| {
-            let elicitation_requests = elicitation_requests.clone();
-            let tx_event = tx_event.clone();
-            let server_name = server_name.clone();
-            async move {
-                let (tx, rx) = oneshot::channel();
-                if let Ok(mut lock) = elicitation_requests.lock() {
-                    lock.insert((server_name.clone(), id.clone()), tx);
-                }
-                let _ = tx_event
-                    .send(Event {
-                        id: "mcp_elicitation_request".to_string(),
-                        msg: EventMsg::ElicitationRequest(ElicitationRequestEvent {
-                            server_name,
-                            id,
-                            message: elicitation.message,
-                        }),
-                    })
-                    .await;
-                rx.await
-                    .context("elicitation request channel closed unexpectedly")
-            }
-            .boxed()
-        })
-    }
-}
-
 #[derive(Clone)]
 struct ManagedClient {
    client: Arc<RmcpClient>,
    tools: Vec<ToolInfo>,
    tool_filter: ToolFilter,
    tool_timeout: Option<Duration>,
-    server_supports_sandbox_state_capability: bool,
 }

 #[derive(Clone)]
@@ -192,33 +129,19 @@ impl AsyncManagedClient {
        config: McpServerConfig,
        store_mode: OAuthCredentialsStoreMode,
        cancel_token: CancellationToken,
-        tx_event: Sender<Event>,
-        elicitation_requests: ElicitationRequestManager,
    ) -> Self {
        let tool_filter = ToolFilter::from_config(&config);
-        let fut = async move {
-            if let Err(error) = validate_mcp_server_name(&server_name) {
-                return Err(error.into());
-            }
-
-            let client =
-                Arc::new(make_rmcp_client(&server_name, config.transport, store_mode).await?);
-            match start_server_task(
-                server_name,
-                client,
-                config.startup_timeout_sec.or(Some(DEFAULT_STARTUP_TIMEOUT)),
-                config.tool_timeout_sec.unwrap_or(DEFAULT_TOOL_TIMEOUT),
-                tool_filter,
-                tx_event,
-                elicitation_requests,
-            )
-            .or_cancel(&cancel_token)
-            .await
-            {
-                Ok(result) => result,
-                Err(CancelErr::Cancelled) => Err(StartupOutcomeError::Cancelled),
-            }
-        };
+        let fut = start_server_task(
+            server_name,
+            config.transport,
+            store_mode,
+            config
+                .startup_timeout_sec
+                .unwrap_or(DEFAULT_STARTUP_TIMEOUT),
+            config.tool_timeout_sec.unwrap_or(DEFAULT_TOOL_TIMEOUT),
+            tool_filter,
+            cancel_token,
+        );
        Self {
            client: fut.boxed().shared(),
        }
@@ -227,42 +150,12 @@ impl AsyncManagedClient {
    async fn client(&self) -> Result<ManagedClient, StartupOutcomeError> {
        self.client.clone().await
    }
-
-    async fn notify_sandbox_state_change(&self, sandbox_state: &SandboxState) -> Result<()> {
-        let managed = self.client().await?;
-        if !managed.server_supports_sandbox_state_capability {
-            return Ok(());
-        }
-
-        managed
-            .client
-            .send_custom_notification(
-                MCP_SANDBOX_STATE_NOTIFICATION,
-                Some(serde_json::to_value(sandbox_state)?),
-            )
-            .await
-    }
-}
-
-pub const MCP_SANDBOX_STATE_CAPABILITY: &str = "codex/sandbox-state";
-
-/// Custom MCP notification for sandbox state updates.
-/// When used, the `params` field of the notification is [`SandboxState`].
-pub const MCP_SANDBOX_STATE_NOTIFICATION: &str = "codex/sandbox-state/update";
-
-#[derive(Debug, Clone, Serialize, Deserialize)]
-#[serde(rename_all = "camelCase")]
-pub struct SandboxState {
-    pub sandbox_policy: SandboxPolicy,
-    pub codex_linux_sandbox_exe: Option<PathBuf>,
-    pub sandbox_cwd: PathBuf,
 }

 /// A thin wrapper around a set of running [`RmcpClient`] instances.
 #[derive(Default)]
 pub(crate) struct McpConnectionManager {
    clients: HashMap<String, AsyncManagedClient>,
-    elicitation_requests: ElicitationRequestManager,
 }

 impl McpConnectionManager {
@@ -279,7 +172,6 @@ impl McpConnectionManager {
        }
        let mut clients = HashMap::new();
        let mut join_set = JoinSet::new();
-        let elicitation_requests = ElicitationRequestManager::default();
        for (server_name, cfg) in mcp_servers.into_iter().filter(|(_, cfg)| cfg.enabled) {
            let cancel_token = cancel_token.child_token();
            let _ = emit_update(
@@ -290,14 +182,8 @@ impl McpConnectionManager {
                },
            )
            .await;
-            let async_managed_client = AsyncManagedClient::new(
-                server_name.clone(),
-                cfg,
-                store_mode,
-                cancel_token.clone(),
-                tx_event.clone(),
-                elicitation_requests.clone(),
-            );
+            let async_managed_client =
+                AsyncManagedClient::new(server_name.clone(), cfg, store_mode, cancel_token.clone());
            clients.insert(server_name.clone(), async_managed_client.clone());
            let tx_event = tx_event.clone();
            let auth_entry = auth_entries.get(&server_name).cloned();
@@ -331,7 +217,6 @@ impl McpConnectionManager {
            });
        }
        self.clients = clients;
-        self.elicitation_requests = elicitation_requests.clone();
        tokio::spawn(async move {
            let outcomes = join_set.join_all().await;
            let mut summary = McpStartupCompleteEvent::default();
@@ -365,15 +250,6 @@ impl McpConnectionManager {
            .context("failed to get client")
    }

-    pub fn resolve_elicitation(
-        &self,
-        server_name: String,
-        id: RequestId,
-        response: ElicitationResponse,
-    ) -> Result<()> {
-        self.elicitation_requests.resolve(server_name, id, response)
-    }
-
    /// Returns a single map that contains all tools. Each key is the
    /// fully-qualified name for the tool.
    pub async fn list_all_tools(&self) -> HashMap<String, ToolInfo> {
@@ -601,34 +477,6 @@ impl McpConnectionManager {
            .get(tool_name)
            .map(|tool| (tool.server_name.clone(), tool.tool_name.clone()))
    }
-
-    pub async fn notify_sandbox_state_change(&self, sandbox_state: &SandboxState) -> Result<()> {
-        let mut join_set = JoinSet::new();
-
-        for async_managed_client in self.clients.values() {
-            let sandbox_state = sandbox_state.clone();
-            let async_managed_client = async_managed_client.clone();
-            join_set.spawn(async move {
-                async_managed_client
-                    .notify_sandbox_state_change(&sandbox_state)
-                    .await
-            });
-        }
-
-        while let Some(join_res) = join_set.join_next().await {
-            match join_res {
-                Ok(Ok(())) => {}
-                Ok(Err(err)) => {
-                    warn!("Failed to notify sandbox state change to MCP server: {err:#}");
-                }
-                Err(err) => {
-                    warn!("Task panic when notifying sandbox state change to MCP server: {err:#}");
-                }
-            }
-        }
-
-        Ok(())
-    }
 }

 async fn emit_update(
@@ -732,12 +580,43 @@ impl From<anyhow::Error> for StartupOutcomeError {

 async fn start_server_task(
    server_name: String,
-    client: Arc<RmcpClient>,
-    startup_timeout: Option<Duration>, // TODO: cancel_token should handle this.
+    transport: McpServerTransportConfig,
+    store_mode: OAuthCredentialsStoreMode,
+    startup_timeout: Duration, // TODO: cancel_token should handle this.
+    tool_timeout: Duration,
+    tool_filter: ToolFilter,
+    cancel_token: CancellationToken,
+) -> Result<ManagedClient, StartupOutcomeError> {
+    if cancel_token.is_cancelled() {
+        return Err(StartupOutcomeError::Cancelled);
+    }
+    if let Err(error) = validate_mcp_server_name(&server_name) {
+        return Err(error.into());
+    }
+
+    match start_server_work(
+        server_name,
+        transport,
+        store_mode,
+        startup_timeout,
+        tool_timeout,
+        tool_filter,
+    )
+    .or_cancel(&cancel_token)
+    .await
+    {
+        Ok(result) => result,
+        Err(CancelErr::Cancelled) => Err(StartupOutcomeError::Cancelled),
+    }
+}
+
+async fn start_server_work(
+    server_name: String,
+    transport: McpServerTransportConfig,
+    store_mode: OAuthCredentialsStoreMode,
+    startup_timeout: Duration,
    tool_timeout: Duration,
    tool_filter: ToolFilter,
-    tx_event: Sender<Event>,
-    elicitation_requests: ElicitationRequestManager,
 ) -> Result<ManagedClient, StartupOutcomeError> {
    let params = mcp_types::InitializeRequestParams {
        capabilities: ClientCapabilities {
@@ -760,41 +639,7 @@ async fn start_server_task(
        protocol_version: mcp_types::MCP_SCHEMA_VERSION.to_owned(),
    };

-    let send_elicitation = elicitation_requests.make_sender(server_name.clone(), tx_event);
-
-    let initialize_result = client
-        .initialize(params, startup_timeout, send_elicitation)
-        .await
-        .map_err(StartupOutcomeError::from)?;
-
-    let tools = list_tools_for_client(&server_name, &client, startup_timeout)
-        .await
-        .map_err(StartupOutcomeError::from)?;
-
-    let server_supports_sandbox_state_capability = initialize_result
-        .capabilities
-        .experimental
-        .as_ref()
-        .and_then(|exp| exp.get(MCP_SANDBOX_STATE_CAPABILITY))
-        .is_some();
-
-    let managed = ManagedClient {
-        client: Arc::clone(&client),
-        tools,
-        tool_timeout: Some(tool_timeout),
-        tool_filter,
-        server_supports_sandbox_state_capability,
-    };
-
-    Ok(managed)
-}
-
-async fn make_rmcp_client(
-    server_name: &str,
-    transport: McpServerTransportConfig,
-    store_mode: OAuthCredentialsStoreMode,
-) -> Result<RmcpClient, StartupOutcomeError> {
-    match transport {
+    let client_result = match transport {
        McpServerTransportConfig::Stdio {
            command,
            args,
@@ -804,9 +649,16 @@ async fn make_rmcp_client(
        } => {
            let command_os: OsString = command.into();
            let args_os: Vec<OsString> = args.into_iter().map(Into::into).collect();
-            RmcpClient::new_stdio_client(command_os, args_os, env, &env_vars, cwd)
-                .await
-                .map_err(|err| StartupOutcomeError::from(anyhow!(err)))
+            match RmcpClient::new_stdio_client(command_os, args_os, env, &env_vars, cwd).await {
+                Ok(client) => {
+                    let client = Arc::new(client);
+                    client
+                        .initialize(params.clone(), Some(startup_timeout))
+                        .await
+                        .map(|_| client)
+                }
+                Err(err) => Err(err.into()),
+            }
        }
        McpServerTransportConfig::StreamableHttp {
            url,
@@ -815,12 +667,12 @@ async fn make_rmcp_client(
            bearer_token_env_var,
        } => {
            let resolved_bearer_token =
-                match resolve_bearer_token(server_name, bearer_token_env_var.as_deref()) {
+                match resolve_bearer_token(&server_name, bearer_token_env_var.as_deref()) {
                    Ok(token) => token,
                    Err(error) => return Err(error.into()),
                };
-            RmcpClient::new_streamable_http_client(
-                server_name,
+            match RmcpClient::new_streamable_http_client(
+                &server_name,
                &url,
                resolved_bearer_token,
                http_headers,
@@ -828,17 +680,49 @@ async fn make_rmcp_client(
                store_mode,
            )
            .await
-            .map_err(StartupOutcomeError::from)
+            {
+                Ok(client) => {
+                    let client = Arc::new(client);
+                    client
+                        .initialize(params.clone(), Some(startup_timeout))
+                        .await
+                        .map(|_| client)
+                }
+                Err(err) => Err(err),
+            }
        }
-    }
+    };
+
+    let client = match client_result {
+        Ok(client) => client,
+        Err(error) => {
+            return Err(error.into());
+        }
+    };
+
+    let tools = match list_tools_for_client(&server_name, &client, startup_timeout).await {
+        Ok(tools) => tools,
+        Err(error) => {
+            return Err(error.into());
+        }
+    };
+
+    let managed = ManagedClient {
+        client: Arc::clone(&client),
+        tools,
+        tool_timeout: Some(tool_timeout),
+        tool_filter,
+    };
+
+    Ok(managed)
 }

 async fn list_tools_for_client(
    server_name: &str,
    client: &Arc<RmcpClient>,
-    timeout: Option<Duration>,
+    timeout: Duration,
 ) -> Result<Vec<ToolInfo>> {
-    let resp = client.list_tools(None, timeout).await?;
+    let resp = client.list_tools(None, Some(timeout)).await?;
    Ok(resp
        .tools
        .into_iter()
--- a/Show More
+++ b/Show More