Fix Windows HANDLE check for windows-sys 0.52

Refine Linux and Windows sleep inhibitor robustness
Ensure Linux sleep inhibitor releases on drop
2026-05-23 12:34:25 +00:00 · 2026-02-13 21:38:12 +00:00 · 2026-02-13 21:36:45 +00:00 · 2026-02-13 21:36:45 +00:00 · 2026-02-13 21:36:45 +00:00 · 2026-02-13 21:36:44 +00:00
509 changed files with 35433 additions and 11743 deletions
--- a/.codespellignore
+++ b/.codespellignore
@@ -1,3 +1,5 @@
 iTerm
 iTerm2
-psuedo
+psuedo
+te
+TE
--- a/.codespellrc
+++ b/.codespellrc
@@ -1,6 +1,6 @@
 [codespell]
 # Ref: https://github.com/codespell-project/codespell#using-a-config-file
-skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl,frame*.txt,*.snap,*.snap.new
+skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl,frame*.txt,*.snap,*.snap.new,*meriyah.umd.min.js
 check-hidden = true
 ignore-regex = ^\s*"image/\S+": ".*|\b(afterAll)\b
-ignore-words-list = ratatui,ser,iTerm,iterm2,iterm
+ignore-words-list = ratatui,ser,iTerm,iterm2,iterm,te,TE
--- a/.codex/skills/test-tui/SKILL.md
+++ b/.codex/skills/test-tui/SKILL.md
@@ -0,0 +1,14 @@
+---
+name: test-tui
+description: Guide for testing Codex TUI interactively
+---
+
+You can start and use Codex TUI to verify changes. 
+
+Important notes:
+
+Start interactively.
+Always set RUST_LOG="trace" when starting the process.
+Pass `-c log_dir=<some_temp_dir>` argument to have logs written to a specific directory to help with debugging.
+When sending a test message programmatically, send text first, then send Enter in a separate write (do not send text + Enter in one burst).
+Use `just codex` target to run - `just codex -c ...`
--- a/.github/ISSUE_TEMPLATE/1-codex-app.yml
+++ b/.github/ISSUE_TEMPLATE/1-codex-app.yml
@@ -21,6 +21,13 @@ body:
      label: What subscription do you have?
    validations:
      required: true
+  - type: input
+    id: platform
+    attributes:
+      label: What platform is your computer?
+      description: |
+        For macOS and Linux: copy the output of `uname -mprs`
+        For Windows: copy the output of `"$([Environment]::OSVersion | ForEach-Object VersionString) $(if ([Environment]::Is64BitOperatingSystem) { "x64" } else { "x86" })"` in the PowerShell console
  - type: textarea
    id: actual
    attributes:
--- a/.github/prompts/issue-deduplicator.txt
+++ b/.github/prompts/issue-deduplicator.txt
@@ -1,18 +0,0 @@
-You are an assistant that triages new GitHub issues by identifying potential duplicates.
-
-You will receive the following JSON files located in the current working directory:
- `codex-current-issue.json`: JSON object describing the newly created issue (fields: number, title, body).
- `codex-existing-issues.json`: JSON array of recent issues (each element includes number, title, body, createdAt).
-
-Instructions:
- Load both files as JSON and review their contents carefully. The codex-existing-issues.json file is large, ensure you explore all of it.
- Compare the current issue against the existing issues to find up to five that appear to describe the same underlying problem or request.
- Only consider an issue a potential duplicate if there is a clear overlap in symptoms, feature requests, reproduction steps, or error messages.
- Prioritize newer issues when similarity is comparable.
- Ignore pull requests and issues whose similarity is tenuous.
- When unsure, prefer returning fewer matches.
-
-Output requirements:
- Respond with a JSON array of issue numbers (integers), ordered from most likely duplicate to least.
- Include at most five numbers.
- If you find no plausible duplicates, respond with `[]`.
--- a/.github/scripts/install-musl-build-tools.sh
+++ b/.github/scripts/install-musl-build-tools.sh
@@ -17,7 +17,7 @@ if [[ -n "${APT_INSTALL_ARGS:-}" ]]; then
 fi

 sudo apt-get update "${apt_update_args[@]}"
-sudo apt-get install -y "${apt_install_args[@]}" musl-tools pkg-config g++ clang libc++-dev libc++abi-dev lld
+sudo apt-get install -y "${apt_install_args[@]}" ca-certificates curl musl-tools pkg-config libcap-dev g++ clang libc++-dev libc++abi-dev lld xz-utils

 case "${TARGET}" in
  x86_64-unknown-linux-musl)
@@ -32,6 +32,11 @@ case "${TARGET}" in
    ;;
 esac

+libcap_version="2.75"
+libcap_sha256="de4e7e064c9ba451d5234dd46e897d7c71c96a9ebf9a0c445bc04f4742d83632"
+libcap_tarball_name="libcap-${libcap_version}.tar.xz"
+libcap_download_url="https://mirrors.edge.kernel.org/pub/linux/libs/security/linux-privs/libcap2/${libcap_tarball_name}"
+
 # Use the musl toolchain as the Rust linker to avoid Zig injecting its own CRT.
 if command -v "${arch}-linux-musl-gcc" >/dev/null; then
  musl_linker="$(command -v "${arch}-linux-musl-gcc")"
@@ -47,6 +52,43 @@ runner_temp="${RUNNER_TEMP:-/tmp}"
 tool_root="${runner_temp}/codex-musl-tools-${TARGET}"
 mkdir -p "${tool_root}"

+libcap_root="${tool_root}/libcap-${libcap_version}"
+libcap_src_root="${libcap_root}/src"
+libcap_prefix="${libcap_root}/prefix"
+libcap_pkgconfig_dir="${libcap_prefix}/lib/pkgconfig"
+
+if [[ ! -f "${libcap_prefix}/lib/libcap.a" ]]; then
+  mkdir -p "${libcap_src_root}" "${libcap_prefix}/lib" "${libcap_prefix}/include/sys" "${libcap_prefix}/include/linux" "${libcap_pkgconfig_dir}"
+  libcap_tarball="${libcap_root}/${libcap_tarball_name}"
+
+  curl -fsSL "${libcap_download_url}" -o "${libcap_tarball}"
+  echo "${libcap_sha256}  ${libcap_tarball}" | sha256sum -c -
+
+  tar -xJf "${libcap_tarball}" -C "${libcap_src_root}"
+  libcap_source_dir="${libcap_src_root}/libcap-${libcap_version}"
+  make -C "${libcap_source_dir}/libcap" -j"$(nproc)" \
+    CC="${musl_linker}" \
+    AR=ar \
+    RANLIB=ranlib
+
+  cp "${libcap_source_dir}/libcap/libcap.a" "${libcap_prefix}/lib/libcap.a"
+  cp "${libcap_source_dir}/libcap/include/uapi/linux/capability.h" "${libcap_prefix}/include/linux/capability.h"
+  cp "${libcap_source_dir}/libcap/../libcap/include/sys/capability.h" "${libcap_prefix}/include/sys/capability.h"
+
+  cat > "${libcap_pkgconfig_dir}/libcap.pc" <<EOF
+prefix=${libcap_prefix}
+exec_prefix=\${prefix}
+libdir=\${prefix}/lib
+includedir=\${prefix}/include
+
+Name: libcap
+Description: Linux capabilities
+Version: ${libcap_version}
+Libs: -L\${libdir} -lcap
+Cflags: -I\${includedir}
+EOF
+fi
+
 sysroot=""
 if command -v zig >/dev/null; then
  zig_bin="$(command -v zig)"
@@ -59,7 +101,19 @@ set -euo pipefail

 args=()
 skip_next=0
+pending_include=0
 for arg in "\$@"; do
+  if [[ "\${pending_include}" -eq 1 ]]; then
+    pending_include=0
+    if [[ "\${arg}" == /usr/include || "\${arg}" == /usr/include/* ]]; then
+      # Keep host-only headers available, but after the target sysroot headers.
+      args+=("-idirafter" "\${arg}")
+    else
+      args+=("-I" "\${arg}")
+    fi
+    continue
+  fi
+
  if [[ "\${skip_next}" -eq 1 ]]; then
    skip_next=0
    continue
@@ -77,6 +131,15 @@ for arg in "\$@"; do
      fi
      continue
      ;;
+    -I)
+      pending_include=1
+      continue
+      ;;
+    -I/usr/include|-I/usr/include/*)
+      # Avoid making glibc headers win over musl headers.
+      args+=("-idirafter" "\${arg#-I}")
+      continue
+      ;;
    -Wp,-U_FORTIFY_SOURCE)
      # aws-lc-sys emits this GCC preprocessor forwarding form in debug
      # builds, but zig cc expects the define flag directly.
@@ -95,7 +158,19 @@ set -euo pipefail

 args=()
 skip_next=0
+pending_include=0
 for arg in "\$@"; do
+  if [[ "\${pending_include}" -eq 1 ]]; then
+    pending_include=0
+    if [[ "\${arg}" == /usr/include || "\${arg}" == /usr/include/* ]]; then
+      # Keep host-only headers available, but after the target sysroot headers.
+      args+=("-idirafter" "\${arg}")
+    else
+      args+=("-I" "\${arg}")
+    fi
+    continue
+  fi
+
  if [[ "\${skip_next}" -eq 1 ]]; then
    skip_next=0
    continue
@@ -113,6 +188,15 @@ for arg in "\$@"; do
      fi
      continue
      ;;
+    -I)
+      pending_include=1
+      continue
+      ;;
+    -I/usr/include|-I/usr/include/*)
+      # Avoid making glibc headers win over musl headers.
+      args+=("-idirafter" "\${arg#-I}")
+      continue
+      ;;
    -Wp,-U_FORTIFY_SOURCE)
      # aws-lc-sys emits this GCC forwarding form in debug builds; zig c++
      # expects the define flag directly.
@@ -175,3 +259,21 @@ echo "${cargo_linker_var}=${musl_linker}" >> "$GITHUB_ENV"
 echo "CMAKE_C_COMPILER=${cc}" >> "$GITHUB_ENV"
 echo "CMAKE_CXX_COMPILER=${cxx}" >> "$GITHUB_ENV"
 echo "CMAKE_ARGS=-DCMAKE_HAVE_THREADS_LIBRARY=1 -DCMAKE_USE_PTHREADS_INIT=1 -DCMAKE_THREAD_LIBS_INIT=-pthread -DTHREADS_PREFER_PTHREAD_FLAG=ON" >> "$GITHUB_ENV"
+
+# Allow pkg-config resolution during cross-compilation.
+echo "PKG_CONFIG_ALLOW_CROSS=1" >> "$GITHUB_ENV"
+pkg_config_path="${libcap_pkgconfig_dir}"
+if [[ -n "${PKG_CONFIG_PATH:-}" ]]; then
+  pkg_config_path="${pkg_config_path}:${PKG_CONFIG_PATH}"
+fi
+echo "PKG_CONFIG_PATH=${pkg_config_path}" >> "$GITHUB_ENV"
+pkg_config_path_var="PKG_CONFIG_PATH_${TARGET}"
+pkg_config_path_var="${pkg_config_path_var//-/_}"
+echo "${pkg_config_path_var}=${libcap_pkgconfig_dir}" >> "$GITHUB_ENV"
+
+if [[ -n "${sysroot}" && "${sysroot}" != "/" ]]; then
+  echo "PKG_CONFIG_SYSROOT_DIR=${sysroot}" >> "$GITHUB_ENV"
+  pkg_config_sysroot_var="PKG_CONFIG_SYSROOT_DIR_${TARGET}"
+  pkg_config_sysroot_var="${pkg_config_sysroot_var//-/_}"
+  echo "${pkg_config_sysroot_var}=${sysroot}" >> "$GITHUB_ENV"
+fi
--- a/.github/workflows/bazel.yml
+++ b/.github/workflows/bazel.yml
@@ -100,12 +100,45 @@ jobs:
      - name: bazel test //...
        env:
          BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
-          CODEX_BWRAP_ENABLE_FFI: ${{ contains(matrix.target, 'unknown-linux') && '1' || '0' }}
        shell: bash
        run: |
-          bazel $BAZEL_STARTUP_ARGS --bazelrc=.github/workflows/ci.bazelrc test //... \
-            --build_metadata=REPO_URL=https://github.com/openai/codex.git \
-            --build_metadata=COMMIT_SHA=$(git rev-parse HEAD) \
-            --build_metadata=ROLE=CI \
-            --build_metadata=VISIBILITY=PUBLIC \
-            "--remote_header=x-buildbuddy-api-key=$BUILDBUDDY_API_KEY"
+          bazel_args=(
+            test
+            //...
+            --test_verbose_timeout_warnings
+            --build_metadata=REPO_URL=https://github.com/openai/codex.git
+            --build_metadata=COMMIT_SHA=$(git rev-parse HEAD)
+            --build_metadata=ROLE=CI
+            --build_metadata=VISIBILITY=PUBLIC
+          )
+
+          if [[ -n "${BUILDBUDDY_API_KEY:-}" ]]; then
+            echo "BuildBuddy API key is available; using remote Bazel configuration."
+            bazel $BAZEL_STARTUP_ARGS \
+              --bazelrc=.github/workflows/ci.bazelrc \
+              "${bazel_args[@]}" \
+              "--remote_header=x-buildbuddy-api-key=$BUILDBUDDY_API_KEY"
+          else
+            echo "BuildBuddy API key is not available; using local Bazel configuration."
+            # Keep fork/community PRs on Bazel but disable remote services that are
+            # configured in .bazelrc and require auth.
+            #
+            # Flag docs:
+            # - Command-line reference: https://bazel.build/reference/command-line-reference
+            # - Remote caching overview: https://bazel.build/remote/caching
+            # - Remote execution overview: https://bazel.build/remote/rbe
+            # - Build Event Protocol overview: https://bazel.build/remote/bep
+            #
+            # --noexperimental_remote_repo_contents_cache:
+            #   disable remote repo contents cache enabled in .bazelrc startup options.
+            #   https://bazel.build/reference/command-line-reference#startup_options-flag--experimental_remote_repo_contents_cache
+            # --remote_cache= and --remote_executor=:
+            #   clear remote cache/execution endpoints configured in .bazelrc.
+            #   https://bazel.build/reference/command-line-reference#common_options-flag--remote_cache
+            #   https://bazel.build/reference/command-line-reference#common_options-flag--remote_executor
+            bazel $BAZEL_STARTUP_ARGS \
+              --noexperimental_remote_repo_contents_cache \
+              "${bazel_args[@]}" \
+              --remote_cache= \
+              --remote_executor=
+          fi
--- a/.github/workflows/issue-deduplicator.yml
+++ b/.github/workflows/issue-deduplicator.yml
@@ -15,34 +15,68 @@ jobs:
    permissions:
      contents: read
    outputs:
-      codex_output: ${{ steps.codex.outputs.final-message }}
+      codex_output: ${{ steps.select-final.outputs.codex_output }}
    steps:
      - uses: actions/checkout@v6

      - name: Prepare Codex inputs
        env:
          GH_TOKEN: ${{ github.token }}
+          REPO: ${{ github.repository }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
        run: |
          set -eo pipefail

          CURRENT_ISSUE_FILE=codex-current-issue.json
-          EXISTING_ISSUES_FILE=codex-existing-issues.json
+          EXISTING_ALL_FILE=codex-existing-issues-all.json
+          EXISTING_OPEN_FILE=codex-existing-issues-open.json

-          gh issue list --repo "${{ github.repository }}" \
-            --json number,title,body,createdAt \
+          gh issue list --repo "$REPO" \
+            --json number,title,body,createdAt,updatedAt,state,labels \
            --limit 1000 \
            --state all \
            --search "sort:created-desc" \
-            | jq '.' \
-            > "$EXISTING_ISSUES_FILE"
+            | jq '[.[] | {
+                number,
+                title,
+                body: ((.body // "")[0:4000]),
+                createdAt,
+                updatedAt,
+                state,
+                labels: ((.labels // []) | map(.name))
+              }]' \
+            > "$EXISTING_ALL_FILE"

-          gh issue view "${{ github.event.issue.number }}" \
-            --repo "${{ github.repository }}" \
+          gh issue list --repo "$REPO" \
+            --json number,title,body,createdAt,updatedAt,state,labels \
+            --limit 1000 \
+            --state open \
+            --search "sort:created-desc" \
+            | jq '[.[] | {
+                number,
+                title,
+                body: ((.body // "")[0:4000]),
+                createdAt,
+                updatedAt,
+                state,
+                labels: ((.labels // []) | map(.name))
+              }]' \
+            > "$EXISTING_OPEN_FILE"
+
+          gh issue view "$ISSUE_NUMBER" \
+            --repo "$REPO" \
            --json number,title,body \
-            | jq '.' \
+            | jq '{number, title, body: ((.body // "")[0:4000])}' \
            > "$CURRENT_ISSUE_FILE"

-      - id: codex
+          echo "Prepared duplicate detection input files."
+          echo "all_issue_count=$(jq 'length' "$EXISTING_ALL_FILE")"
+          echo "open_issue_count=$(jq 'length' "$EXISTING_OPEN_FILE")"
+
+      # Prompt instructions are intentionally inline in this workflow. The old
+      # .github/prompts/issue-deduplicator.txt file is obsolete and removed.
+      - id: codex-all
+        name: Find duplicates (pass 1, all issues)
        uses: openai/codex-action@main
        with:
          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
@@ -52,14 +86,17 @@ jobs:

            You will receive the following JSON files located in the current working directory:
            - `codex-current-issue.json`: JSON object describing the newly created issue (fields: number, title, body).
-            - `codex-existing-issues.json`: JSON array of recent issues (each element includes number, title, body, createdAt).
+            - `codex-existing-issues-all.json`: JSON array of recent issues with states, timestamps, and labels.

            Instructions:
            - Compare the current issue against the existing issues to find up to five that appear to describe the same underlying problem or request.
-            - Focus on the underlying intent and context of each issue—such as reported symptoms, feature requests, reproduction steps, or error messages—rather than relying solely on string similarity or synthetic metrics.
-            - After your analysis, validate your results in 1-2 lines explaining your decision to return the selected matches.
-            - When unsure, prefer returning fewer matches.
-            - Include at most five numbers.
+            - Prioritize concrete overlap in symptoms, reproduction details, error signatures, and user intent.
+            - Prefer active unresolved issues when confidence is similar.
+            - Closed issues can still be valid duplicates if they clearly match.
+            - Return fewer matches rather than speculative ones.
+            - If confidence is low, return an empty list.
+            - Include at most five issue numbers.
+            - After analysis, provide a short reason for your decision.

          output-schema: |
            {
@@ -77,6 +114,179 @@ jobs:
              "additionalProperties": false
            }

+      - id: normalize-all
+        name: Normalize pass 1 output
+        env:
+          CODEX_OUTPUT: ${{ steps.codex-all.outputs.final-message }}
+          CURRENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
+        run: |
+          set -eo pipefail
+
+          raw=${CODEX_OUTPUT//$'\r'/}
+          parsed=false
+          issues='[]'
+          reason=''
+
+          if [ -n "$raw" ] && printf '%s' "$raw" | jq -e 'type == "object" and (.issues | type == "array")' >/dev/null 2>&1; then
+            parsed=true
+            issues=$(printf '%s' "$raw" | jq -c '[.issues[] | tostring]')
+            reason=$(printf '%s' "$raw" | jq -r '.reason // ""')
+          else
+            reason='Pass 1 output was empty or invalid JSON.'
+          fi
+
+          filtered=$(jq -cn --argjson issues "$issues" --arg current "$CURRENT_ISSUE_NUMBER" '[
+            $issues[]
+            | tostring
+            | select(. != $current)
+          ] | reduce .[] as $issue ([]; if index($issue) then . else . + [$issue] end) | .[:5]')
+
+          has_matches=false
+          if [ "$(jq 'length' <<< "$filtered")" -gt 0 ]; then
+            has_matches=true
+          fi
+
+          echo "Pass 1 parsed: $parsed"
+          echo "Pass 1 matches after filtering: $(jq 'length' <<< "$filtered")"
+          echo "Pass 1 reason: $reason"
+
+          {
+            echo "issues_json=$filtered"
+            echo "reason<<EOF"
+            echo "$reason"
+            echo "EOF"
+            echo "has_matches=$has_matches"
+          } >> "$GITHUB_OUTPUT"
+
+      - id: codex-open
+        name: Find duplicates (pass 2, open issues)
+        if: ${{ steps.normalize-all.outputs.has_matches != 'true' }}
+        uses: openai/codex-action@main
+        with:
+          openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
+          allow-users: "*"
+          prompt: |
+            You are an assistant that triages new GitHub issues by identifying potential duplicates.
+
+            This is a fallback pass because a broad search did not find convincing matches.
+
+            You will receive the following JSON files located in the current working directory:
+            - `codex-current-issue.json`: JSON object describing the newly created issue (fields: number, title, body).
+            - `codex-existing-issues-open.json`: JSON array of open issues only.
+
+            Instructions:
+            - Search only these active unresolved issues for duplicates of the current issue.
+            - Prioritize concrete overlap in symptoms, reproduction details, error signatures, and user intent.
+            - Prefer fewer, higher-confidence matches.
+            - If confidence is low, return an empty list.
+            - Include at most five issue numbers.
+            - After analysis, provide a short reason for your decision.
+
+          output-schema: |
+            {
+              "type": "object",
+              "properties": {
+                "issues": {
+                  "type": "array",
+                  "items": {
+                    "type": "string"
+                  }
+                },
+                "reason": { "type": "string" }
+              },
+              "required": ["issues", "reason"],
+              "additionalProperties": false
+            }
+
+      - id: normalize-open
+        name: Normalize pass 2 output
+        if: ${{ steps.normalize-all.outputs.has_matches != 'true' }}
+        env:
+          CODEX_OUTPUT: ${{ steps.codex-open.outputs.final-message }}
+          CURRENT_ISSUE_NUMBER: ${{ github.event.issue.number }}
+        run: |
+          set -eo pipefail
+
+          raw=${CODEX_OUTPUT//$'\r'/}
+          parsed=false
+          issues='[]'
+          reason=''
+
+          if [ -n "$raw" ] && printf '%s' "$raw" | jq -e 'type == "object" and (.issues | type == "array")' >/dev/null 2>&1; then
+            parsed=true
+            issues=$(printf '%s' "$raw" | jq -c '[.issues[] | tostring]')
+            reason=$(printf '%s' "$raw" | jq -r '.reason // ""')
+          else
+            reason='Pass 2 output was empty or invalid JSON.'
+          fi
+
+          filtered=$(jq -cn --argjson issues "$issues" --arg current "$CURRENT_ISSUE_NUMBER" '[
+            $issues[]
+            | tostring
+            | select(. != $current)
+          ] | reduce .[] as $issue ([]; if index($issue) then . else . + [$issue] end) | .[:5]')
+
+          has_matches=false
+          if [ "$(jq 'length' <<< "$filtered")" -gt 0 ]; then
+            has_matches=true
+          fi
+
+          echo "Pass 2 parsed: $parsed"
+          echo "Pass 2 matches after filtering: $(jq 'length' <<< "$filtered")"
+          echo "Pass 2 reason: $reason"
+
+          {
+            echo "issues_json=$filtered"
+            echo "reason<<EOF"
+            echo "$reason"
+            echo "EOF"
+            echo "has_matches=$has_matches"
+          } >> "$GITHUB_OUTPUT"
+
+      - id: select-final
+        name: Select final duplicate set
+        env:
+          PASS1_ISSUES: ${{ steps.normalize-all.outputs.issues_json }}
+          PASS1_REASON: ${{ steps.normalize-all.outputs.reason }}
+          PASS2_ISSUES: ${{ steps.normalize-open.outputs.issues_json }}
+          PASS2_REASON: ${{ steps.normalize-open.outputs.reason }}
+          PASS1_HAS_MATCHES: ${{ steps.normalize-all.outputs.has_matches }}
+          PASS2_HAS_MATCHES: ${{ steps.normalize-open.outputs.has_matches }}
+        run: |
+          set -eo pipefail
+
+          selected_issues='[]'
+          selected_reason='No plausible duplicates found.'
+          selected_pass='none'
+
+          if [ "$PASS1_HAS_MATCHES" = "true" ]; then
+            selected_issues=${PASS1_ISSUES:-'[]'}
+            selected_reason=${PASS1_REASON:-'Pass 1 found duplicates.'}
+            selected_pass='all'
+          fi
+
+          if [ "$PASS2_HAS_MATCHES" = "true" ]; then
+            selected_issues=${PASS2_ISSUES:-'[]'}
+            selected_reason=${PASS2_REASON:-'Pass 2 found duplicates.'}
+            selected_pass='open-fallback'
+          fi
+
+          final_json=$(jq -cn \
+            --argjson issues "$selected_issues" \
+            --arg reason "$selected_reason" \
+            --arg pass "$selected_pass" \
+            '{issues: $issues, reason: $reason, pass: $pass}')
+
+          echo "Final pass used: $selected_pass"
+          echo "Final duplicate count: $(jq '.issues | length' <<< "$final_json")"
+          echo "Final reason: $(jq -r '.reason' <<< "$final_json")"
+
+          {
+            echo "codex_output<<EOF"
+            echo "$final_json"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
  comment-on-issue:
    name: Comment with potential duplicates
    needs: gather-duplicates
@@ -105,11 +315,17 @@ jobs:

            const issues = Array.isArray(parsed?.issues) ? parsed.issues : [];
            const currentIssueNumber = String(context.payload.issue.number);
+            const passUsed = typeof parsed?.pass === 'string' ? parsed.pass : 'unknown';
+            const reason = typeof parsed?.reason === 'string' ? parsed.reason : '';

            console.log(`Current issue number: ${currentIssueNumber}`);
+            console.log(`Pass used: ${passUsed}`);
+            if (reason) {
+              console.log(`Reason: ${reason}`);
+            }
            console.log(issues);

-            const filteredIssues = issues.filter((value) => String(value) !== currentIssueNumber);
+            const filteredIssues = [...new Set(issues.map((value) => String(value)))].filter((value) => value !== currentIssueNumber).slice(0, 5);

            if (filteredIssues.length === 0) {
              core.info('Codex reported no potential duplicates.');
--- a/.github/workflows/rust-ci.yml
+++ b/.github/workflows/rust-ci.yml
@@ -59,7 +59,7 @@ jobs:
        working-directory: codex-rs
    steps:
      - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@1.93
+      - uses: dtolnay/rust-toolchain@1.93.0
        with:
          components: rustfmt
      - name: cargo fmt
@@ -75,7 +75,7 @@ jobs:
        working-directory: codex-rs
    steps:
      - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@1.93
+      - uses: dtolnay/rust-toolchain@1.93.0
      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
        with:
          tool: cargo-shear
@@ -99,9 +99,8 @@ jobs:
      USE_SCCACHE: ${{ startsWith(matrix.runner, 'windows') && 'false' || 'true' }}
      CARGO_INCREMENTAL: "0"
      SCCACHE_CACHE_SIZE: 10G
-      # Keep cargo-based CI independent of system bwrap build deps.
-      # The bwrap FFI path is validated in Bazel workflows.
-      CODEX_BWRAP_ENABLE_FFI: "0"
+      # In rust-ci, representative release-profile checks use thin LTO for faster feedback.
+      CARGO_PROFILE_RELEASE_LTO: ${{ matrix.profile == 'release' && 'thin' || 'fat' }}

    strategy:
      fail-fast: false
@@ -163,6 +162,12 @@ jobs:
            runs_on:
              group: codex-runners
              labels: codex-linux-x64
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            profile: release
+            runs_on:
+              group: codex-runners
+              labels: codex-linux-arm64
          - runner: windows-x64
            target: x86_64-pc-windows-msvc
            profile: release
@@ -178,16 +183,20 @@ jobs:

    steps:
      - uses: actions/checkout@v6
-      - name: Install UBSan runtime (musl)
-        if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl' }}
+      - name: Install Linux build dependencies
+        if: ${{ runner.os == 'Linux' }}
        shell: bash
        run: |
          set -euo pipefail
          if command -v apt-get >/dev/null 2>&1; then
            sudo apt-get update -y
-            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y libubsan1
+            packages=(pkg-config libcap-dev)
+            if [[ "${{ matrix.target }}" == 'x86_64-unknown-linux-musl' || "${{ matrix.target }}" == 'aarch64-unknown-linux-musl' ]]; then
+              packages+=(libubsan1)
+            fi
+            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends "${packages[@]}"
          fi
-      - uses: dtolnay/rust-toolchain@1.93
+      - uses: dtolnay/rust-toolchain@1.93.0
        with:
          targets: ${{ matrix.target }}
          components: clippy
@@ -379,21 +388,15 @@ jobs:
          cargo chef cook --recipe-path "$RECIPE" --target ${{ matrix.target }} --release --all-features

      - name: cargo clippy
-        id: clippy
-        run: cargo clippy --target ${{ matrix.target }} --all-features --tests --profile ${{ matrix.profile }} -- -D warnings
+        run: cargo clippy --target ${{ matrix.target }} --all-features --tests --profile ${{ matrix.profile }} --timings -- -D warnings

-      # Running `cargo build` from the workspace root builds the workspace using
-      # the union of all features from third-party crates. This can mask errors
-      # where individual crates have underspecified features. To avoid this, we
-      # run `cargo check` for each crate individually, though because this is
-      # slower, we only do this for the x86_64-unknown-linux-gnu target.
-      - name: cargo check individual crates
-        id: cargo_check_all_crates
-        if: ${{ matrix.target == 'x86_64-unknown-linux-gnu' && matrix.profile != 'release' }}
-        continue-on-error: true
-        run: |
-          find . -name Cargo.toml -mindepth 2 -maxdepth 2 -print0 \
-            | xargs -0 -n1 -I{} bash -c 'cd "$(dirname "{}")" && cargo check --profile ${{ matrix.profile }}'
+      - name: Upload Cargo timings (clippy)
+        if: always()
+        uses: actions/upload-artifact@v6
+        with:
+          name: cargo-timings-rust-ci-clippy-${{ matrix.target }}-${{ matrix.profile }}
+          path: codex-rs/target/**/cargo-timings/cargo-timing.html
+          if-no-files-found: warn

      # Save caches explicitly; make non-fatal so cache packaging
      # never fails the overall job. Only save when key wasn't hit.
@@ -447,15 +450,6 @@ jobs:
            /var/cache/apt
          key: apt-${{ matrix.runner }}-${{ matrix.target }}-v1

-      # Fail the job if any of the previous steps failed.
-      - name: verify all steps passed
-        if: |
-          steps.clippy.outcome == 'failure' ||
-          steps.cargo_check_all_crates.outcome == 'failure'
-        run: |
-          echo "One or more checks failed (clippy or cargo_check_all_crates). See logs for details."
-          exit 1
-
  tests:
    name: Tests — ${{ matrix.runner }} - ${{ matrix.target }}
    runs-on: ${{ matrix.runs_on || matrix.runner }}
@@ -470,9 +464,6 @@ jobs:
      USE_SCCACHE: ${{ startsWith(matrix.runner, 'windows') && 'false' || 'true' }}
      CARGO_INCREMENTAL: "0"
      SCCACHE_CACHE_SIZE: 10G
-      # Keep cargo-based CI independent of system bwrap build deps.
-      # The bwrap FFI path is validated in Bazel workflows.
-      CODEX_BWRAP_ENABLE_FFI: "0"

    strategy:
      fail-fast: false
@@ -508,12 +499,21 @@ jobs:

    steps:
      - uses: actions/checkout@v6
+      - name: Install Linux build dependencies
+        if: ${{ runner.os == 'Linux' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          if command -v apt-get >/dev/null 2>&1; then
+            sudo apt-get update -y
+            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev
+          fi
      # Some integration tests rely on DotSlash being installed.
      # See https://github.com/openai/codex/pull/7617.
      - name: Install DotSlash
        uses: facebook/install-dotslash@v2

-      - uses: dtolnay/rust-toolchain@1.93
+      - uses: dtolnay/rust-toolchain@1.93.0
        with:
          targets: ${{ matrix.target }}

@@ -583,11 +583,19 @@ jobs:

      - name: tests
        id: test
-        run: cargo nextest run --all-features --no-fail-fast --target ${{ matrix.target }} --cargo-profile ci-test
+        run: cargo nextest run --all-features --no-fail-fast --target ${{ matrix.target }} --cargo-profile ci-test --timings
        env:
          RUST_BACKTRACE: 1
          NEXTEST_STATUS_LEVEL: leak

+      - name: Upload Cargo timings (nextest)
+        if: always()
+        uses: actions/upload-artifact@v6
+        with:
+          name: cargo-timings-rust-ci-nextest-${{ matrix.target }}-${{ matrix.profile }}
+          path: codex-rs/target/**/cargo-timings/cargo-timing.html
+          if-no-files-found: warn
+
      - name: Save cargo home cache
        if: always() && !cancelled() && steps.cache_cargo_home_restore.outputs.cache-hit != 'true'
        continue-on-error: true
--- a/.github/workflows/rust-release-windows.yml
+++ b/.github/workflows/rust-release-windows.yml
@@ -0,0 +1,264 @@
+name: rust-release-windows
+
+on:
+  workflow_call:
+    inputs:
+      release-lto:
+        required: true
+        type: string
+    secrets:
+      AZURE_TRUSTED_SIGNING_CLIENT_ID:
+        required: true
+      AZURE_TRUSTED_SIGNING_TENANT_ID:
+        required: true
+      AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID:
+        required: true
+      AZURE_TRUSTED_SIGNING_ENDPOINT:
+        required: true
+      AZURE_TRUSTED_SIGNING_ACCOUNT_NAME:
+        required: true
+      AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME:
+        required: true
+
+jobs:
+  build-windows-binaries:
+    name: Build Windows binaries - ${{ matrix.runner }} - ${{ matrix.target }} - ${{ matrix.bundle }}
+    runs-on: ${{ matrix.runs_on }}
+    timeout-minutes: 60
+    permissions:
+      contents: read
+    defaults:
+      run:
+        working-directory: codex-rs
+    env:
+      CARGO_PROFILE_RELEASE_LTO: ${{ inputs.release-lto }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: windows-x64
+            target: x86_64-pc-windows-msvc
+            bundle: primary
+            build_args: --bin codex --bin codex-responses-api-proxy
+            runs_on:
+              group: codex-runners
+              labels: codex-windows-x64
+          - runner: windows-arm64
+            target: aarch64-pc-windows-msvc
+            bundle: primary
+            build_args: --bin codex --bin codex-responses-api-proxy
+            runs_on:
+              group: codex-runners
+              labels: codex-windows-arm64
+          - runner: windows-x64
+            target: x86_64-pc-windows-msvc
+            bundle: helpers
+            build_args: --bin codex-windows-sandbox-setup --bin codex-command-runner
+            runs_on:
+              group: codex-runners
+              labels: codex-windows-x64
+          - runner: windows-arm64
+            target: aarch64-pc-windows-msvc
+            bundle: helpers
+            build_args: --bin codex-windows-sandbox-setup --bin codex-command-runner
+            runs_on:
+              group: codex-runners
+              labels: codex-windows-arm64
+
+    steps:
+      - uses: actions/checkout@v6
+      - name: Print runner specs (Windows)
+        shell: powershell
+        run: |
+          $computer = Get-CimInstance Win32_ComputerSystem
+          $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
+          $ramGiB = [math]::Round($computer.TotalPhysicalMemory / 1GB, 1)
+          Write-Host "Runner: $env:RUNNER_NAME"
+          Write-Host "OS: $([System.Environment]::OSVersion.VersionString)"
+          Write-Host "CPU: $($cpu.Name)"
+          Write-Host "Logical CPUs: $($computer.NumberOfLogicalProcessors)"
+          Write-Host "Physical CPUs: $($computer.NumberOfProcessors)"
+          Write-Host "Total RAM: $ramGiB GiB"
+          Write-Host "Disk usage:"
+          Get-PSDrive -PSProvider FileSystem | Format-Table -AutoSize Name, @{Name='Size(GB)';Expression={[math]::Round(($_.Used + $_.Free) / 1GB, 1)}}, @{Name='Free(GB)';Expression={[math]::Round($_.Free / 1GB, 1)}}
+      - uses: dtolnay/rust-toolchain@1.93.0
+        with:
+          targets: ${{ matrix.target }}
+
+      - name: Cargo build (Windows binaries)
+        shell: bash
+        run: |
+          cargo build --target ${{ matrix.target }} --release --timings ${{ matrix.build_args }}
+
+      - name: Upload Cargo timings
+        uses: actions/upload-artifact@v6
+        with:
+          name: cargo-timings-rust-release-windows-${{ matrix.target }}-${{ matrix.bundle }}
+          path: codex-rs/target/**/cargo-timings/cargo-timing.html
+          if-no-files-found: warn
+
+      - name: Stage Windows binaries
+        shell: bash
+        run: |
+          output_dir="target/${{ matrix.target }}/release/staged-${{ matrix.bundle }}"
+          mkdir -p "$output_dir"
+          if [[ "${{ matrix.bundle }}" == "primary" ]]; then
+            cp target/${{ matrix.target }}/release/codex.exe "$output_dir/codex.exe"
+            cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$output_dir/codex-responses-api-proxy.exe"
+          else
+            cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$output_dir/codex-windows-sandbox-setup.exe"
+            cp target/${{ matrix.target }}/release/codex-command-runner.exe "$output_dir/codex-command-runner.exe"
+          fi
+
+      - name: Upload Windows binaries
+        uses: actions/upload-artifact@v6
+        with:
+          name: windows-binaries-${{ matrix.target }}-${{ matrix.bundle }}
+          path: |
+            codex-rs/target/${{ matrix.target }}/release/staged-${{ matrix.bundle }}/*
+
+  build-windows:
+    needs:
+      - build-windows-binaries
+    name: Build - ${{ matrix.runner }} - ${{ matrix.target }}
+    runs-on: ${{ matrix.runs_on }}
+    timeout-minutes: 60
+    permissions:
+      contents: read
+      id-token: write
+    defaults:
+      run:
+        working-directory: codex-rs
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: windows-x64
+            target: x86_64-pc-windows-msvc
+            runs_on:
+              group: codex-runners
+              labels: codex-windows-x64
+          - runner: windows-arm64
+            target: aarch64-pc-windows-msvc
+            runs_on:
+              group: codex-runners
+              labels: codex-windows-arm64
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Download prebuilt Windows primary binaries
+        uses: actions/download-artifact@v7
+        with:
+          name: windows-binaries-${{ matrix.target }}-primary
+          path: codex-rs/target/${{ matrix.target }}/release
+
+      - name: Download prebuilt Windows helper binaries
+        uses: actions/download-artifact@v7
+        with:
+          name: windows-binaries-${{ matrix.target }}-helpers
+          path: codex-rs/target/${{ matrix.target }}/release
+
+      - name: Verify binaries
+        shell: bash
+        run: |
+          set -euo pipefail
+          ls -lh target/${{ matrix.target }}/release/codex.exe
+          ls -lh target/${{ matrix.target }}/release/codex-responses-api-proxy.exe
+          ls -lh target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe
+          ls -lh target/${{ matrix.target }}/release/codex-command-runner.exe
+
+      - name: Sign Windows binaries with Azure Trusted Signing
+        uses: ./.github/actions/windows-code-sign
+        with:
+          target: ${{ matrix.target }}
+          client-id: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TRUSTED_SIGNING_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID }}
+          endpoint: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
+          account-name: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
+          certificate-profile-name: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME }}
+
+      - name: Stage artifacts
+        shell: bash
+        run: |
+          dest="dist/${{ matrix.target }}"
+          mkdir -p "$dest"
+
+          cp target/${{ matrix.target }}/release/codex.exe "$dest/codex-${{ matrix.target }}.exe"
+          cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$dest/codex-responses-api-proxy-${{ matrix.target }}.exe"
+          cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
+          cp target/${{ matrix.target }}/release/codex-command-runner.exe "$dest/codex-command-runner-${{ matrix.target }}.exe"
+
+      - name: Install DotSlash
+        uses: facebook/install-dotslash@v2
+
+      - name: Compress artifacts
+        shell: bash
+        run: |
+          # Path that contains the uncompressed binaries for the current
+          # ${{ matrix.target }}
+          dest="dist/${{ matrix.target }}"
+          repo_root=$PWD
+
+          # For compatibility with environments that lack the `zstd` tool we
+          # additionally create a `.tar.gz` and `.zip` for every Windows binary.
+          # The end result is:
+          #   codex-<target>.zst
+          #   codex-<target>.tar.gz
+          #   codex-<target>.zip
+          for f in "$dest"/*; do
+            base="$(basename "$f")"
+            # Skip files that are already archives (shouldn't happen, but be
+            # safe).
+            if [[ "$base" == *.tar.gz || "$base" == *.zip || "$base" == *.dmg ]]; then
+              continue
+            fi
+
+            # Don't try to compress signature bundles.
+            if [[ "$base" == *.sigstore ]]; then
+              continue
+            fi
+
+            # Create per-binary tar.gz
+            tar -C "$dest" -czf "$dest/${base}.tar.gz" "$base"
+
+            # Create zip archive for Windows binaries.
+            # Must run from inside the dest dir so 7z won't embed the
+            # directory path inside the zip.
+            if [[ "$base" == "codex-${{ matrix.target }}.exe" ]]; then
+              # Bundle the sandbox helper binaries into the main codex zip so
+              # WinGet installs include the required helpers next to codex.exe.
+              # Fall back to the single-binary zip if the helpers are missing
+              # to avoid breaking releases.
+              bundle_dir="$(mktemp -d)"
+              runner_src="$dest/codex-command-runner-${{ matrix.target }}.exe"
+              setup_src="$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
+              if [[ -f "$runner_src" && -f "$setup_src" ]]; then
+                cp "$dest/$base" "$bundle_dir/$base"
+                cp "$runner_src" "$bundle_dir/codex-command-runner.exe"
+                cp "$setup_src" "$bundle_dir/codex-windows-sandbox-setup.exe"
+                # Use an absolute path so bundle zips land in the real dist
+                # dir even when 7z runs from a temp directory.
+                (cd "$bundle_dir" && 7z a "$repo_root/$dest/${base}.zip" .)
+              else
+                echo "warning: missing sandbox binaries; falling back to single-binary zip"
+                echo "warning: expected $runner_src and $setup_src"
+                (cd "$dest" && 7z a "${base}.zip" "$base")
+              fi
+              rm -rf "$bundle_dir"
+            else
+              (cd "$dest" && 7z a "${base}.zip" "$base")
+            fi
+
+            # Keep raw executables and produce .zst alongside them.
+            "${GITHUB_WORKSPACE}/.github/workflows/zstd" -T0 -19 "$dest/$base"
+          done
+
+      - uses: actions/upload-artifact@v6
+        with:
+          name: ${{ matrix.target }}
+          path: |
+            codex-rs/dist/${{ matrix.target }}/*
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -48,7 +48,7 @@ jobs:
  build:
    needs: tag-check
    name: Build - ${{ matrix.runner }} - ${{ matrix.target }}
-    runs-on: ${{ matrix.runner }}
+    runs-on: ${{ matrix.runs_on || matrix.runner }}
    timeout-minutes: 60
    permissions:
      contents: read
@@ -57,7 +57,7 @@ jobs:
      run:
        working-directory: codex-rs
    env:
-      CODEX_BWRAP_ENABLE_FFI: ${{ contains(matrix.target, 'unknown-linux') && '1' || '0' }}
+      CARGO_PROFILE_RELEASE_LTO: ${{ contains(github.ref_name, '-alpha') && 'thin' || 'fat' }}

    strategy:
      fail-fast: false
@@ -75,13 +75,38 @@ jobs:
            target: aarch64-unknown-linux-musl
          - runner: ubuntu-24.04-arm
            target: aarch64-unknown-linux-gnu
-          - runner: windows-latest
-            target: x86_64-pc-windows-msvc
-          - runner: windows-11-arm
-            target: aarch64-pc-windows-msvc

    steps:
      - uses: actions/checkout@v6
+      - name: Print runner specs (Linux)
+        if: ${{ runner.os == 'Linux' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          cpu_model="$(lscpu | awk -F: '/Model name/ {gsub(/^[ \t]+/, "", $2); print $2; exit}')"
+          total_ram="$(awk '/MemTotal/ {printf "%.1f GiB\n", $2 / 1024 / 1024}' /proc/meminfo)"
+          echo "Runner: ${RUNNER_NAME:-unknown}"
+          echo "OS: $(uname -a)"
+          echo "CPU model: ${cpu_model}"
+          echo "Logical CPUs: $(nproc)"
+          echo "Total RAM: ${total_ram}"
+          echo "Disk usage:"
+          df -h .
+      - name: Print runner specs (macOS)
+        if: ${{ runner.os == 'macOS' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          total_ram="$(sysctl -n hw.memsize | awk '{printf "%.1f GiB\n", $1 / 1024 / 1024 / 1024}')"
+          echo "Runner: ${RUNNER_NAME:-unknown}"
+          echo "OS: $(sw_vers -productName) $(sw_vers -productVersion)"
+          echo "Hardware model: $(sysctl -n hw.model)"
+          echo "CPU architecture: $(uname -m)"
+          echo "Logical CPUs: $(sysctl -n hw.logicalcpu)"
+          echo "Physical CPUs: $(sysctl -n hw.physicalcpu)"
+          echo "Total RAM: ${total_ram}"
+          echo "Disk usage:"
+          df -h .
      - name: Install Linux bwrap build dependencies
        if: ${{ runner.os == 'Linux' }}
        shell: bash
@@ -98,7 +123,7 @@ jobs:
            sudo apt-get update -y
            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y libubsan1
          fi
-      - uses: dtolnay/rust-toolchain@1.93
+      - uses: dtolnay/rust-toolchain@1.93.0
        with:
          targets: ${{ matrix.target }}

@@ -113,20 +138,6 @@ jobs:
          echo "${cargo_home}/bin" >> "$GITHUB_PATH"
          : > "${cargo_home}/config.toml"

-      - uses: actions/cache@v5
-        with:
-          path: |
-            ~/.cargo/bin/
-            ~/.cargo/registry/index/
-            ~/.cargo/registry/cache/
-            ~/.cargo/git/db/
-            ${{ github.workspace }}/.cargo-home/bin/
-            ${{ github.workspace }}/.cargo-home/registry/index/
-            ${{ github.workspace }}/.cargo-home/registry/cache/
-            ${{ github.workspace }}/.cargo-home/git/db/
-            ${{ github.workspace }}/codex-rs/target/
-          key: cargo-${{ matrix.runner }}-${{ matrix.target }}-release-${{ hashFiles('**/Cargo.lock') }}
-
      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
        name: Install Zig
        uses: mlugg/setup-zig@v2
@@ -194,11 +205,14 @@ jobs:
      - name: Cargo build
        shell: bash
        run: |
-          if [[ "${{ contains(matrix.target, 'windows') }}" == 'true' ]]; then
-            cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy --bin codex-windows-sandbox-setup --bin codex-command-runner
-          else
-            cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy
-          fi
+          cargo build --target ${{ matrix.target }} --release --timings --bin codex --bin codex-responses-api-proxy
+
+      - name: Upload Cargo timings
+        uses: actions/upload-artifact@v6
+        with:
+          name: cargo-timings-rust-release-${{ matrix.target }}
+          path: codex-rs/target/**/cargo-timings/cargo-timing.html
+          if-no-files-found: warn

      - if: ${{ contains(matrix.target, 'linux') }}
        name: Cosign Linux artifacts
@@ -207,18 +221,6 @@ jobs:
          target: ${{ matrix.target }}
          artifacts-dir: ${{ github.workspace }}/codex-rs/target/${{ matrix.target }}/release

-      - if: ${{ contains(matrix.target, 'windows') }}
-        name: Sign Windows binaries with Azure Trusted Signing
-        uses: ./.github/actions/windows-code-sign
-        with:
-          target: ${{ matrix.target }}
-          client-id: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_ID }}
-          tenant-id: ${{ secrets.AZURE_TRUSTED_SIGNING_TENANT_ID }}
-          subscription-id: ${{ secrets.AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID }}
-          endpoint: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
-          account-name: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
-          certificate-profile-name: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME }}
-
      - if: ${{ runner.os == 'macOS' }}
        name: MacOS code signing (binaries)
        uses: ./.github/actions/macos-code-sign
@@ -297,15 +299,8 @@ jobs:
          dest="dist/${{ matrix.target }}"
          mkdir -p "$dest"

-          if [[ "${{ matrix.runner }}" == windows* ]]; then
-            cp target/${{ matrix.target }}/release/codex.exe "$dest/codex-${{ matrix.target }}.exe"
-            cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$dest/codex-responses-api-proxy-${{ matrix.target }}.exe"
-            cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
-            cp target/${{ matrix.target }}/release/codex-command-runner.exe "$dest/codex-command-runner-${{ matrix.target }}.exe"
-          else
-            cp target/${{ matrix.target }}/release/codex "$dest/codex-${{ matrix.target }}"
-            cp target/${{ matrix.target }}/release/codex-responses-api-proxy "$dest/codex-responses-api-proxy-${{ matrix.target }}"
-          fi
+          cp target/${{ matrix.target }}/release/codex "$dest/codex-${{ matrix.target }}"
+          cp target/${{ matrix.target }}/release/codex-responses-api-proxy "$dest/codex-responses-api-proxy-${{ matrix.target }}"

          if [[ "${{ matrix.target }}" == *linux* ]]; then
            cp target/${{ matrix.target }}/release/codex.sigstore "$dest/codex-${{ matrix.target }}.sigstore"
@@ -316,34 +311,18 @@ jobs:
            cp target/${{ matrix.target }}/release/codex-${{ matrix.target }}.dmg "$dest/codex-${{ matrix.target }}.dmg"
          fi

-      - if: ${{ matrix.runner == 'windows-11-arm' }}
-        name: Install zstd
-        shell: powershell
-        run: choco install -y zstandard
-
      - name: Compress artifacts
        shell: bash
        run: |
          # Path that contains the uncompressed binaries for the current
          # ${{ matrix.target }}
          dest="dist/${{ matrix.target }}"
-          repo_root=$PWD
-
-          # We want to ship the raw Windows executables in the GitHub Release
-          # in addition to the compressed archives. Keep the originals for
-          # Windows targets; remove them elsewhere to limit the number of
-          # artifacts that end up in the GitHub Release.
-          keep_originals=false
-          if [[ "${{ matrix.runner }}" == windows* ]]; then
-            keep_originals=true
-          fi

          # For compatibility with environments that lack the `zstd` tool we
-          # additionally create a `.tar.gz` for all platforms and `.zip` for
-          # Windows alongside every single binary that we publish. The end result is:
+          # additionally create a `.tar.gz` alongside every binary we publish.
+          # The end result is:
          #   codex-<target>.zst          (existing)
          #   codex-<target>.tar.gz       (new)
-          #   codex-<target>.zip          (only for Windows)

          # 1. Produce a .tar.gz for every file in the directory *before* we
          #    run `zstd --rm`, because that flag deletes the original files.
@@ -363,43 +342,9 @@ jobs:
            # Create per-binary tar.gz
            tar -C "$dest" -czf "$dest/${base}.tar.gz" "$base"

-            # Create zip archive for Windows binaries
-            # Must run from inside the dest dir so 7z won't
-            # embed the directory path inside the zip.
-            if [[ "${{ matrix.runner }}" == windows* ]]; then
-              if [[ "$base" == "codex-${{ matrix.target }}.exe" ]]; then
-                # Bundle the sandbox helper binaries into the main codex zip so
-                # WinGet installs include the required helpers next to codex.exe.
-                # Fall back to the single-binary zip if the helpers are missing
-                # to avoid breaking releases.
-                bundle_dir="$(mktemp -d)"
-                runner_src="$dest/codex-command-runner-${{ matrix.target }}.exe"
-                setup_src="$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
-                if [[ -f "$runner_src" && -f "$setup_src" ]]; then
-                  cp "$dest/$base" "$bundle_dir/$base"
-                  cp "$runner_src" "$bundle_dir/codex-command-runner.exe"
-                  cp "$setup_src" "$bundle_dir/codex-windows-sandbox-setup.exe"
-                  # Use an absolute path so bundle zips land in the real dist
-                  # dir even when 7z runs from a temp directory.
-                  (cd "$bundle_dir" && 7z a "$repo_root/$dest/${base}.zip" .)
-                else
-                  echo "warning: missing sandbox binaries; falling back to single-binary zip"
-                  echo "warning: expected $runner_src and $setup_src"
-                  (cd "$dest" && 7z a "${base}.zip" "$base")
-                fi
-                rm -rf "$bundle_dir"
-              else
-                (cd "$dest" && 7z a "${base}.zip" "$base")
-              fi
-            fi
-
-            # Also create .zst (existing behaviour) *and* remove the original
-            # uncompressed binary to keep the directory small.
-            zstd_args=(-T0 -19)
-            if [[ "${keep_originals}" == false ]]; then
-              zstd_args+=(--rm)
-            fi
-            zstd "${zstd_args[@]}" "$dest/$base"
+            # Also create .zst and remove the uncompressed binaries to keep
+            # non-Windows artifact directories small.
+            zstd -T0 -19 --rm "$dest/$base"
          done

      - uses: actions/upload-artifact@v6
@@ -410,6 +355,13 @@ jobs:
          path: |
            codex-rs/dist/${{ matrix.target }}/*

+  build-windows:
+    needs: tag-check
+    uses: ./.github/workflows/rust-release-windows.yml
+    with:
+      release-lto: ${{ contains(github.ref_name, '-alpha') && 'thin' || 'fat' }}
+    secrets: inherit
+
  shell-tool-mcp:
    name: shell-tool-mcp
    needs: tag-check
@@ -422,6 +374,7 @@ jobs:
  release:
    needs:
      - build
+      - build-windows
      - shell-tool-mcp
    name: release
    runs-on: ubuntu-latest
@@ -470,6 +423,12 @@ jobs:
      - name: Delete entries from dist/ that should not go in the release
        run: |
          rm -rf dist/shell-tool-mcp*
+          rm -rf dist/windows-binaries*
+          # cargo-timing.html appears under multiple target-specific directories.
+          # If included in files: dist/**, release upload races on duplicate
+          # asset names and can fail with 404s.
+          find dist -type f -name 'cargo-timing.html' -delete
+          find dist -type d -empty -delete

          ls -R dist/

--- a/.github/workflows/sdk.yml
+++ b/.github/workflows/sdk.yml
@@ -13,6 +13,13 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@v6

+      - name: Install Linux bwrap build dependencies
+        shell: bash
+        run: |
+          set -euo pipefail
+          sudo apt-get update -y
+          sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev
+
      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
@@ -24,7 +31,7 @@ jobs:
          node-version: 22
          cache: pnpm

-      - uses: dtolnay/rust-toolchain@1.93
+      - uses: dtolnay/rust-toolchain@1.93.0

      - name: build codex
        run: cargo build --bin codex
--- a/.github/workflows/shell-tool-mcp.yml
+++ b/.github/workflows/shell-tool-mcp.yml
@@ -72,6 +72,8 @@ jobs:
    needs: metadata
    runs-on: ${{ matrix.runner }}
    timeout-minutes: 30
+    env:
+      CARGO_PROFILE_RELEASE_LTO: ${{ contains(needs.metadata.outputs.version, '-alpha') && 'thin' || 'fat' }}
    defaults:
      run:
        working-directory: codex-rs
@@ -103,7 +105,7 @@ jobs:
            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y libubsan1
          fi

-      - uses: dtolnay/rust-toolchain@1.93
+      - uses: dtolnay/rust-toolchain@1.93.0
        with:
          targets: ${{ matrix.target }}

@@ -249,11 +251,11 @@ jobs:
          set -euo pipefail
          if command -v apt-get >/dev/null 2>&1; then
            apt-get update
-            DEBIAN_FRONTEND=noninteractive apt-get install -y git build-essential bison autoconf gettext
+            DEBIAN_FRONTEND=noninteractive apt-get install -y git build-essential bison autoconf gettext libncursesw5-dev
          elif command -v dnf >/dev/null 2>&1; then
-            dnf install -y git gcc gcc-c++ make bison autoconf gettext
+            dnf install -y git gcc gcc-c++ make bison autoconf gettext ncurses-devel
          elif command -v yum >/dev/null 2>&1; then
-            yum install -y git gcc gcc-c++ make bison autoconf gettext
+            yum install -y git gcc gcc-c++ make bison autoconf gettext ncurses-devel
          else
            echo "Unsupported package manager in container"
            exit 1
@@ -327,6 +329,212 @@ jobs:
          path: artifacts/**
          if-no-files-found: error

+  zsh-linux:
+    name: Build zsh (Linux) - ${{ matrix.variant }} - ${{ matrix.target }}
+    needs: metadata
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 30
+    container:
+      image: ${{ matrix.image }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-musl
+            variant: ubuntu-24.04
+            image: ubuntu:24.04
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-musl
+            variant: ubuntu-22.04
+            image: ubuntu:22.04
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-musl
+            variant: debian-12
+            image: debian:12
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-musl
+            variant: debian-11
+            image: debian:11
+          - runner: ubuntu-24.04
+            target: x86_64-unknown-linux-musl
+            variant: centos-9
+            image: quay.io/centos/centos:stream9
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            variant: ubuntu-24.04
+            image: arm64v8/ubuntu:24.04
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            variant: ubuntu-22.04
+            image: arm64v8/ubuntu:22.04
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            variant: ubuntu-20.04
+            image: arm64v8/ubuntu:20.04
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            variant: debian-12
+            image: arm64v8/debian:12
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            variant: debian-11
+            image: arm64v8/debian:11
+          - runner: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-musl
+            variant: centos-9
+            image: quay.io/centos/centos:stream9
+    steps:
+      - name: Install build prerequisites
+        shell: bash
+        run: |
+          set -euo pipefail
+          if command -v apt-get >/dev/null 2>&1; then
+            apt-get update
+            DEBIAN_FRONTEND=noninteractive apt-get install -y git build-essential bison autoconf gettext libncursesw5-dev
+          elif command -v dnf >/dev/null 2>&1; then
+            dnf install -y git gcc gcc-c++ make bison autoconf gettext ncurses-devel
+          elif command -v yum >/dev/null 2>&1; then
+            yum install -y git gcc gcc-c++ make bison autoconf gettext ncurses-devel
+          else
+            echo "Unsupported package manager in container"
+            exit 1
+          fi
+
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Build patched zsh
+        shell: bash
+        run: |
+          set -euo pipefail
+          git clone --depth 1 https://git.code.sf.net/p/zsh/code /tmp/zsh
+          cd /tmp/zsh
+          git fetch --depth 1 origin 77045ef899e53b9598bebc5a41db93a548a40ca6
+          git checkout 77045ef899e53b9598bebc5a41db93a548a40ca6
+          git apply "${GITHUB_WORKSPACE}/shell-tool-mcp/patches/zsh-exec-wrapper.patch"
+          ./Util/preconfig
+          ./configure
+          cores="$(command -v nproc >/dev/null 2>&1 && nproc || getconf _NPROCESSORS_ONLN)"
+          make -j"${cores}"
+
+          dest="${GITHUB_WORKSPACE}/artifacts/vendor/${{ matrix.target }}/zsh/${{ matrix.variant }}"
+          mkdir -p "$dest"
+          cp Src/zsh "$dest/zsh"
+
+      - name: Smoke test zsh exec wrapper
+        shell: bash
+        run: |
+          set -euo pipefail
+          tmpdir="$(mktemp -d)"
+          cat > "$tmpdir/exec-wrapper" <<'EOF'
+          #!/usr/bin/env bash
+          set -euo pipefail
+          : "${CODEX_WRAPPER_LOG:?missing CODEX_WRAPPER_LOG}"
+          printf '%s\n' "$@" > "$CODEX_WRAPPER_LOG"
+          file="$1"
+          shift
+          if [[ "$#" -eq 0 ]]; then
+            exec "$file"
+          fi
+          arg0="$1"
+          shift
+          exec -a "$arg0" "$file" "$@"
+          EOF
+          chmod +x "$tmpdir/exec-wrapper"
+
+          CODEX_WRAPPER_LOG="$tmpdir/wrapper.log" \
+          EXEC_WRAPPER="$tmpdir/exec-wrapper" \
+          /tmp/zsh/Src/zsh -fc '/bin/echo smoke-zsh' > "$tmpdir/stdout.txt"
+
+          grep -Fx "smoke-zsh" "$tmpdir/stdout.txt"
+          grep -Fx "/bin/echo" "$tmpdir/wrapper.log"
+
+      - uses: actions/upload-artifact@v6
+        with:
+          name: shell-tool-mcp-zsh-${{ matrix.target }}-${{ matrix.variant }}
+          path: artifacts/**
+          if-no-files-found: error
+
+  zsh-darwin:
+    name: Build zsh (macOS) - ${{ matrix.variant }} - ${{ matrix.target }}
+    needs: metadata
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: macos-15-xlarge
+            target: aarch64-apple-darwin
+            variant: macos-15
+          - runner: macos-14
+            target: aarch64-apple-darwin
+            variant: macos-14
+    steps:
+      - name: Install build prerequisites
+        shell: bash
+        run: |
+          set -euo pipefail
+          if ! command -v autoconf >/dev/null 2>&1; then
+            brew install autoconf
+          fi
+
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Build patched zsh
+        shell: bash
+        run: |
+          set -euo pipefail
+          git clone --depth 1 https://git.code.sf.net/p/zsh/code /tmp/zsh
+          cd /tmp/zsh
+          git fetch --depth 1 origin 77045ef899e53b9598bebc5a41db93a548a40ca6
+          git checkout 77045ef899e53b9598bebc5a41db93a548a40ca6
+          git apply "${GITHUB_WORKSPACE}/shell-tool-mcp/patches/zsh-exec-wrapper.patch"
+          ./Util/preconfig
+          ./configure
+          cores="$(getconf _NPROCESSORS_ONLN)"
+          make -j"${cores}"
+
+          dest="${GITHUB_WORKSPACE}/artifacts/vendor/${{ matrix.target }}/zsh/${{ matrix.variant }}"
+          mkdir -p "$dest"
+          cp Src/zsh "$dest/zsh"
+
+      - name: Smoke test zsh exec wrapper
+        shell: bash
+        run: |
+          set -euo pipefail
+          tmpdir="$(mktemp -d)"
+          cat > "$tmpdir/exec-wrapper" <<'EOF'
+          #!/usr/bin/env bash
+          set -euo pipefail
+          : "${CODEX_WRAPPER_LOG:?missing CODEX_WRAPPER_LOG}"
+          printf '%s\n' "$@" > "$CODEX_WRAPPER_LOG"
+          file="$1"
+          shift
+          if [[ "$#" -eq 0 ]]; then
+            exec "$file"
+          fi
+          arg0="$1"
+          shift
+          exec -a "$arg0" "$file" "$@"
+          EOF
+          chmod +x "$tmpdir/exec-wrapper"
+
+          CODEX_WRAPPER_LOG="$tmpdir/wrapper.log" \
+          EXEC_WRAPPER="$tmpdir/exec-wrapper" \
+          /tmp/zsh/Src/zsh -fc '/bin/echo smoke-zsh' > "$tmpdir/stdout.txt"
+
+          grep -Fx "smoke-zsh" "$tmpdir/stdout.txt"
+          grep -Fx "/bin/echo" "$tmpdir/wrapper.log"
+
+      - uses: actions/upload-artifact@v6
+        with:
+          name: shell-tool-mcp-zsh-${{ matrix.target }}-${{ matrix.variant }}
+          path: artifacts/**
+          if-no-files-found: error
+
  package:
    name: Package npm module
    needs:
@@ -334,6 +542,8 @@ jobs:
      - rust-binaries
      - bash-linux
      - bash-darwin
+      - zsh-linux
+      - zsh-darwin
    runs-on: ubuntu-latest
    env:
      PACKAGE_VERSION: ${{ needs.metadata.outputs.version }}
@@ -407,7 +617,8 @@ jobs:
          chmod +x \
            "$staging"/vendor/*/codex-exec-mcp-server \
            "$staging"/vendor/*/codex-execve-wrapper \
-            "$staging"/vendor/*/bash/*/bash
+            "$staging"/vendor/*/bash/*/bash \
+            "$staging"/vendor/*/zsh/*/zsh

      - name: Create npm tarball
        shell: bash
--- a/.github/workflows/zstd
+++ b/.github/workflows/zstd
@@ -0,0 +1,46 @@
+#!/usr/bin/env dotslash
+
+// This DotSlash file wraps zstd for Windows runners.
+// The upstream release provides win32/win64 binaries; for windows-aarch64 we
+// use the win64 artifact via Windows x64 emulation.
+{
+  "name": "zstd",
+  "platforms": {
+    "windows-x86_64": {
+      "size": 1747181,
+      "hash": "sha256",
+      "digest": "acb4e8111511749dc7a3ebedca9b04190e37a17afeb73f55d4425dbf0b90fad9",
+      "format": "zip",
+      "path": "zstd-v1.5.7-win64/zstd.exe",
+      "providers": [
+        {
+          "url": "https://github.com/facebook/zstd/releases/download/v1.5.7/zstd-v1.5.7-win64.zip"
+        },
+        {
+          "type": "github-release",
+          "repo": "facebook/zstd",
+          "tag": "v1.5.7",
+          "name": "zstd-v1.5.7-win64.zip"
+        }
+      ]
+    },
+    "windows-aarch64": {
+      "size": 1747181,
+      "hash": "sha256",
+      "digest": "acb4e8111511749dc7a3ebedca9b04190e37a17afeb73f55d4425dbf0b90fad9",
+      "format": "zip",
+      "path": "zstd-v1.5.7-win64/zstd.exe",
+      "providers": [
+        {
+          "url": "https://github.com/facebook/zstd/releases/download/v1.5.7/zstd-v1.5.7-win64.zip"
+        },
+        {
+          "type": "github-release",
+          "repo": "facebook/zstd",
+          "tag": "v1.5.7",
+          "name": "zstd-v1.5.7-win64.zip"
+        }
+      ]
+    }
+  }
+}
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -60,7 +60,14 @@ See `codex-rs/tui/styles.md`.

 ### Snapshot tests

-This repo uses snapshot tests (via `insta`), especially in `codex-rs/tui`, to validate rendered output. When UI or text output changes intentionally, update the snapshots as follows:
+This repo uses snapshot tests (via `insta`), especially in `codex-rs/tui`, to validate rendered output.
+
+**Requirement:** any change that affects user-visible UI (including adding new UI) must include
+corresponding `insta` snapshot coverage (add a new snapshot test if one doesn't exist yet, or
+update the existing snapshot). Review and accept snapshot updates as part of the PR so UI impact
+is easy to review and future diffs stay visual.
+
+When UI or text output changes intentionally, update the snapshots as follows:

 - Run tests to generate any updated snapshots:
  - `cargo test -p codex-tui`
@@ -158,3 +165,5 @@ These guidelines apply to app-server protocol work in `codex-rs`, especially:
  `just write-app-server-schema`
  (and `just write-app-server-schema --experimental` when experimental API fixtures are affected).
 - Validate with `cargo test -p codex-app-server-protocol`.
+- Avoid boilerplate tests that only assert experimental field markers for individual
+  request fields in `common.rs`; rely on schema generation/tests and behavioral coverage instead.
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -96,6 +96,7 @@ crate.annotation(
 inject_repo(crate, "zstd")

 bazel_dep(name = "bzip2", version = "1.0.8.bcr.3")
+bazel_dep(name = "libcap", version = "2.27.bcr.1")

 crate.annotation(
    crate = "bzip2-sys",
--- a/MODULE.bazel.lock
+++ b/MODULE.bazel.lock
@@ -82,6 +82,8 @@
    "https://bcr.bazel.build/modules/jsoncpp/1.9.5/MODULE.bazel": "31271aedc59e815656f5736f282bb7509a97c7ecb43e927ac1a37966e0578075",
    "https://bcr.bazel.build/modules/jsoncpp/1.9.6/MODULE.bazel": "2f8d20d3b7d54143213c4dfc3d98225c42de7d666011528dc8fe91591e2e17b0",
    "https://bcr.bazel.build/modules/jsoncpp/1.9.6/source.json": "a04756d367a2126c3541682864ecec52f92cdee80a35735a3cb249ce015ca000",
+    "https://bcr.bazel.build/modules/libcap/2.27.bcr.1/MODULE.bazel": "7c034d7a4d92b2293294934377f5d1cbc88119710a11079fa8142120f6f08768",
+    "https://bcr.bazel.build/modules/libcap/2.27.bcr.1/source.json": "3b116cbdbd25a68ffb587b672205f6d353a4c19a35452e480d58fc89531e0a10",
    "https://bcr.bazel.build/modules/libpfm/4.11.0/MODULE.bazel": "45061ff025b301940f1e30d2c16bea596c25b176c8b6b3087e92615adbd52902",
    "https://bcr.bazel.build/modules/nlohmann_json/3.6.1/MODULE.bazel": "6f7b417dcc794d9add9e556673ad25cb3ba835224290f4f848f8e2db1e1fca74",
    "https://bcr.bazel.build/modules/nlohmann_json/3.6.1/source.json": "f448c6e8963fdfa7eb831457df83ad63d3d6355018f6574fb017e8169deb43a9",
@@ -204,6 +206,8 @@
    "https://bcr.bazel.build/modules/rules_swift/2.4.0/MODULE.bazel": "1639617eb1ede28d774d967a738b4a68b0accb40650beadb57c21846beab5efd",
    "https://bcr.bazel.build/modules/rules_swift/3.1.2/MODULE.bazel": "72c8f5cf9d26427cee6c76c8e3853eb46ce6b0412a081b2b6db6e8ad56267400",
    "https://bcr.bazel.build/modules/rules_swift/3.1.2/source.json": "e85761f3098a6faf40b8187695e3de6d97944e98abd0d8ce579cb2daf6319a66",
+    "https://bcr.bazel.build/modules/sed/4.9.bcr.3/MODULE.bazel": "3aca45895b85b6ef65366cc12a45217ba6870f8931d2d62e09c99c772d9736ab",
+    "https://bcr.bazel.build/modules/sed/4.9.bcr.3/source.json": "31c0cf4c135ed3fa58298cd7bcfd4301c54ea4cf59d7c4e2ea0a180ce68eb34f",
    "https://bcr.bazel.build/modules/stardoc/0.5.1/MODULE.bazel": "1a05d92974d0c122f5ccf09291442580317cdd859f07a8655f1db9a60374f9f8",
    "https://bcr.bazel.build/modules/stardoc/0.5.3/MODULE.bazel": "c7f6948dae6999bf0db32c1858ae345f112cacf98f174c7a8bb707e41b974f1c",
    "https://bcr.bazel.build/modules/stardoc/0.6.2/MODULE.bazel": "7060193196395f5dd668eda046ccbeacebfd98efc77fed418dbe2b82ffaa39fd",
@@ -608,6 +612,10 @@
      "arrayvec_0.7.6": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"bencher\",\"req\":\"^0.1.4\"},{\"default_features\":false,\"name\":\"borsh\",\"optional\":true,\"req\":\"^1.2.0\"},{\"kind\":\"dev\",\"name\":\"matches\",\"req\":\"^0.1\"},{\"default_features\":false,\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0\"},{\"kind\":\"dev\",\"name\":\"serde_test\",\"req\":\"^1.0\"},{\"default_features\":false,\"name\":\"zeroize\",\"optional\":true,\"req\":\"^1.4\"}],\"features\":{\"default\":[\"std\"],\"std\":[]}}",
      "ascii-canvas_3.0.0": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"diff\",\"req\":\"^0.1\"},{\"name\":\"term\",\"req\":\"^0.7\"}],\"features\":{}}",
      "ascii_1.1.0": "{\"dependencies\":[{\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0.25\"},{\"name\":\"serde_test\",\"optional\":true,\"req\":\"^1.0\"}],\"features\":{\"alloc\":[],\"default\":[\"std\"],\"std\":[\"alloc\"]}}",
+      "askama_0.15.4": "{\"dependencies\":[{\"default_features\":false,\"name\":\"askama_macros\",\"optional\":true,\"req\":\"=0.15.4\"},{\"kind\":\"dev\",\"name\":\"assert_matches\",\"req\":\"^1.5.0\"},{\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"^0.8\"},{\"name\":\"itoa\",\"req\":\"^1.0.11\"},{\"default_features\":false,\"name\":\"percent-encoding\",\"optional\":true,\"req\":\"^2.1.0\"},{\"default_features\":false,\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0\"},{\"default_features\":false,\"name\":\"serde_json\",\"optional\":true,\"req\":\"^1.0\"}],\"features\":{\"alloc\":[\"askama_macros?/alloc\",\"serde?/alloc\",\"serde_json?/alloc\",\"percent-encoding?/alloc\"],\"code-in-doc\":[\"askama_macros?/code-in-doc\"],\"config\":[\"askama_macros?/config\"],\"default\":[\"config\",\"derive\",\"std\",\"urlencode\"],\"derive\":[\"dep:askama_macros\",\"dep:askama_macros\"],\"full\":[\"default\",\"code-in-doc\",\"serde_json\"],\"nightly-spans\":[\"askama_macros/nightly-spans\"],\"serde_json\":[\"std\",\"askama_macros?/serde_json\",\"dep:serde\",\"dep:serde_json\"],\"std\":[\"alloc\",\"askama_macros?/std\",\"serde?/std\",\"serde_json?/std\",\"percent-encoding?/std\"],\"urlencode\":[\"askama_macros?/urlencode\",\"dep:percent-encoding\"]}}",
+      "askama_derive_0.15.4": "{\"dependencies\":[{\"name\":\"basic-toml\",\"optional\":true,\"req\":\"^0.1.1\"},{\"kind\":\"dev\",\"name\":\"console\",\"req\":\"^0.16.0\"},{\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"^0.8\"},{\"name\":\"memchr\",\"req\":\"^2\"},{\"name\":\"parser\",\"package\":\"askama_parser\",\"req\":\"=0.15.4\"},{\"kind\":\"dev\",\"name\":\"prettyplease\",\"req\":\"^0.2.20\"},{\"default_features\":false,\"name\":\"proc-macro2\",\"req\":\"^1\"},{\"default_features\":false,\"name\":\"pulldown-cmark\",\"optional\":true,\"req\":\"^0.13.0\"},{\"default_features\":false,\"name\":\"quote\",\"req\":\"^1\"},{\"name\":\"rustc-hash\",\"req\":\"^2.0.0\"},{\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0\"},{\"name\":\"serde_derive\",\"optional\":true,\"req\":\"^1.0\"},{\"kind\":\"dev\",\"name\":\"similar\",\"req\":\"^2.6.0\"},{\"default_features\":false,\"features\":[\"clone-impls\",\"derive\",\"full\",\"parsing\",\"printing\"],\"name\":\"syn\",\"req\":\"^2.0.3\"}],\"features\":{\"alloc\":[],\"code-in-doc\":[\"dep:pulldown-cmark\"],\"config\":[\"external-sources\",\"dep:basic-toml\",\"dep:serde\",\"dep:serde_derive\",\"parser/config\"],\"default\":[\"alloc\",\"code-in-doc\",\"config\",\"external-sources\",\"proc-macro\",\"serde_json\",\"std\",\"urlencode\"],\"external-sources\":[],\"nightly-spans\":[],\"proc-macro\":[\"proc-macro2/proc-macro\"],\"serde_json\":[],\"std\":[\"alloc\"],\"urlencode\":[]}}",
+      "askama_macros_0.15.4": "{\"dependencies\":[{\"default_features\":false,\"features\":[\"external-sources\",\"proc-macro\"],\"name\":\"askama_derive\",\"package\":\"askama_derive\",\"req\":\"=0.15.4\"}],\"features\":{\"alloc\":[\"askama_derive/alloc\"],\"code-in-doc\":[\"askama_derive/code-in-doc\"],\"config\":[\"askama_derive/config\"],\"default\":[\"config\",\"derive\",\"std\",\"urlencode\"],\"derive\":[],\"full\":[\"default\",\"code-in-doc\",\"serde_json\"],\"nightly-spans\":[\"askama_derive/nightly-spans\"],\"serde_json\":[\"askama_derive/serde_json\"],\"std\":[\"askama_derive/std\"],\"urlencode\":[\"askama_derive/urlencode\"]}}",
+      "askama_parser_0.15.4": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"criterion\",\"req\":\"^0.8\"},{\"name\":\"rustc-hash\",\"req\":\"^2.0.0\"},{\"name\":\"serde\",\"optional\":true,\"req\":\"^1.0\"},{\"name\":\"serde_derive\",\"optional\":true,\"req\":\"^1.0\"},{\"name\":\"unicode-ident\",\"req\":\"^1.0.12\"},{\"features\":[\"simd\"],\"name\":\"winnow\",\"req\":\"^0.7.0\"}],\"features\":{\"config\":[\"dep:serde\",\"dep:serde_derive\"]}}",
      "asn1-rs-derive_0.6.0": "{\"dependencies\":[{\"name\":\"proc-macro2\",\"req\":\"^1.0\"},{\"name\":\"quote\",\"req\":\"^1.0\"},{\"features\":[\"full\"],\"name\":\"syn\",\"req\":\"^2.0\"},{\"name\":\"synstructure\",\"req\":\"^0.13\"}],\"features\":{}}",
      "asn1-rs-impl_0.2.0": "{\"dependencies\":[{\"name\":\"proc-macro2\",\"req\":\"^1\"},{\"name\":\"quote\",\"req\":\"^1\"},{\"name\":\"syn\",\"req\":\"^2.0\"}],\"features\":{}}",
      "asn1-rs_0.7.1": "{\"dependencies\":[{\"name\":\"asn1-rs-derive\",\"req\":\"^0.6\"},{\"name\":\"asn1-rs-impl\",\"req\":\"^0.2\"},{\"name\":\"bitvec\",\"optional\":true,\"req\":\"^1.0\"},{\"name\":\"colored\",\"optional\":true,\"req\":\"^3.0\"},{\"kind\":\"dev\",\"name\":\"colored\",\"req\":\"^3.0\"},{\"name\":\"cookie-factory\",\"optional\":true,\"req\":\"^0.3.0\"},{\"name\":\"displaydoc\",\"req\":\"^0.2.2\"},{\"kind\":\"dev\",\"name\":\"hex-literal\",\"req\":\"^0.4\"},{\"default_features\":false,\"features\":[\"std\"],\"name\":\"nom\",\"req\":\"^7.0\"},{\"name\":\"num-bigint\",\"optional\":true,\"req\":\"^0.4\"},{\"name\":\"num-traits\",\"req\":\"^0.2.14\"},{\"kind\":\"dev\",\"name\":\"pem\",\"req\":\"^3.0\"},{\"name\":\"rusticata-macros\",\"req\":\"^4.0\"},{\"name\":\"thiserror\",\"req\":\"^2.0.0\"},{\"features\":[\"macros\",\"parsing\",\"formatting\"],\"name\":\"time\",\"optional\":true,\"req\":\"^0.3\"},{\"kind\":\"dev\",\"name\":\"trybuild\",\"req\":\"^1.0\"}],\"features\":{\"bigint\":[\"num-bigint\"],\"bits\":[\"bitvec\"],\"datetime\":[\"time\"],\"debug\":[\"std\",\"colored\"],\"default\":[\"std\"],\"serialize\":[\"cookie-factory\"],\"std\":[],\"trace\":[\"debug\"]}}",
--- a/3
+++ b/3
@@ -4,3 +4,6 @@ Copyright 2025 OpenAI
 This project includes code derived from [Ratatui](https://github.com/ratatui/ratatui), licensed under the MIT license.
 Copyright (c) 2016-2022 Florian Dehau
 Copyright (c) 2023-2025 The Ratatui Developers
+
+This project includes Meriyah parser assets from [meriyah](https://github.com/meriyah/meriyah), licensed under the ISC license.
+Copyright (c) 2019 and later, KFlash and others.
--- a/codex-cli/scripts/build_npm_package.py
+++ b/codex-cli/scripts/build_npm_package.py
@@ -76,7 +76,7 @@ PACKAGE_NATIVE_COMPONENTS: dict[str, list[str]] = {
    "codex-win32-x64": ["codex", "rg", "codex-windows-sandbox-setup", "codex-command-runner"],
    "codex-win32-arm64": ["codex", "rg", "codex-windows-sandbox-setup", "codex-command-runner"],
    "codex-responses-api-proxy": ["codex-responses-api-proxy"],
-    "codex-sdk": ["codex"],
+    "codex-sdk": [],
 }

 PACKAGE_TARGET_FILTERS: dict[str, str] = {
@@ -205,7 +205,6 @@ def main() -> int:
                    f"Staged version {version} for release in {staging_dir_str}\n\n"
                    "Verify the SDK contents:\n"
                    f"    ls {staging_dir_str}/dist\n"
-                    f"    ls {staging_dir_str}/vendor\n"
                    "    node -e \"import('./dist/index.js').then(() => console.log('ok'))\"\n\n"
                )
        else:
@@ -318,12 +317,11 @@ def stage_sources(staging_dir: Path, version: str, package: str) -> None:
        if isinstance(scripts, dict):
            scripts.pop("prepare", None)

-        files = package_json.get("files")
-        if isinstance(files, list):
-            if "vendor" not in files:
-                files.append("vendor")
-        else:
-            package_json["files"] = ["dist", "vendor"]
+        dependencies = package_json.get("dependencies")
+        if not isinstance(dependencies, dict):
+            dependencies = {}
+        dependencies[CODEX_NPM_NAME] = version
+        package_json["dependencies"] = dependencies

    with open(staging_dir / "package.json", "w", encoding="utf-8") as out:
        json.dump(package_json, out, indent=2)
--- a/codex-rs/BUILD.bazel
+++ b/codex-rs/BUILD.bazel
@@ -1 +1,3 @@
-
+exports_files([
+    "node-version.txt",
+])
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -1348,12 +1348,12 @@ dependencies = [
 "axum",
 "base64 0.22.1",
 "chrono",
+ "clap",
 "codex-app-server-protocol",
 "codex-arg0",
 "codex-backend-client",
 "codex-chatgpt",
 "codex-cloud-requirements",
- "codex-common",
 "codex-core",
 "codex-execpolicy",
 "codex-feedback",
@@ -1362,9 +1362,13 @@ dependencies = [
 "codex-protocol",
 "codex-rmcp-client",
 "codex-utils-absolute-path",
+ "codex-utils-cargo-bin",
+ "codex-utils-cli",
 "codex-utils-json-to-toml",
 "core_test_support",
+ "futures",
 "os_info",
+ "owo-colors",
 "pretty_assertions",
 "rmcp",
 "serde",
@@ -1374,6 +1378,7 @@ dependencies = [
 "tempfile",
 "time",
 "tokio",
+ "tokio-tungstenite",
 "toml 0.9.11+spec-1.1.0",
 "tracing",
 "tracing-subscriber",
@@ -1396,6 +1401,7 @@ dependencies = [
 "schemars 0.8.22",
 "serde",
 "serde_json",
+ "shlex",
 "similar",
 "strum_macros 0.27.2",
 "tempfile",
@@ -1414,6 +1420,8 @@ dependencies = [
 "codex-protocol",
 "serde",
 "serde_json",
+ "tungstenite",
+ "url",
 "uuid",
 ]

@@ -1485,10 +1493,10 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "clap",
- "codex-common",
 "codex-core",
 "codex-git",
 "codex-utils-cargo-bin",
+ "codex-utils-cli",
 "pretty_assertions",
 "serde",
 "serde_json",
@@ -1512,7 +1520,6 @@ dependencies = [
 "codex-arg0",
 "codex-chatgpt",
 "codex-cloud-tasks",
- "codex-common",
 "codex-core",
 "codex-exec",
 "codex-execpolicy",
@@ -1524,6 +1531,7 @@ dependencies = [
 "codex-stdio-to-uds",
 "codex-tui",
 "codex-utils-cargo-bin",
+ "codex-utils-cli",
 "codex-windows-sandbox",
 "libc",
 "owo-colors",
@@ -1567,13 +1575,18 @@ version = "0.0.0"
 dependencies = [
 "async-trait",
 "base64 0.22.1",
+ "chrono",
 "codex-backend-client",
 "codex-core",
 "codex-otel",
 "codex-protocol",
+ "hmac",
 "pretty_assertions",
+ "serde",
 "serde_json",
+ "sha2",
 "tempfile",
+ "thiserror 2.0.18",
 "tokio",
 "toml 0.9.11+spec-1.1.0",
 "tracing",
@@ -1589,10 +1602,10 @@ dependencies = [
 "chrono",
 "clap",
 "codex-cloud-tasks-client",
- "codex-common",
 "codex-core",
 "codex-login",
 "codex-tui",
+ "codex-utils-cli",
 "crossterm",
 "owo-colors",
 "pretty_assertions",
@@ -1624,17 +1637,22 @@ dependencies = [
 ]

 [[package]]
-name = "codex-common"
+name = "codex-config"
 version = "0.0.0"
 dependencies = [
- "clap",
- "codex-core",
- "codex-lmstudio",
- "codex-ollama",
+ "anyhow",
+ "codex-app-server-protocol",
+ "codex-execpolicy",
 "codex-protocol",
 "codex-utils-absolute-path",
+ "futures",
+ "multimap",
 "pretty_assertions",
 "serde",
+ "serde_json",
+ "sha2",
+ "thiserror 2.0.18",
+ "tokio",
 "toml 0.9.11+spec-1.1.0",
 ]

@@ -1660,7 +1678,7 @@ dependencies = [
 "codex-arg0",
 "codex-async-utils",
 "codex-client",
- "codex-core",
+ "codex-config",
 "codex-execpolicy",
 "codex-file-search",
 "codex-git",
@@ -1670,12 +1688,14 @@ dependencies = [
 "codex-otel",
 "codex-protocol",
 "codex-rmcp-client",
+ "codex-shell-command",
 "codex-state",
 "codex-utils-absolute-path",
 "codex-utils-cargo-bin",
 "codex-utils-home-dir",
 "codex-utils-pty",
 "codex-utils-readiness",
+ "codex-utils-sanitizer",
 "codex-utils-string",
 "codex-windows-sandbox",
 "core-foundation 0.9.4",
@@ -1696,7 +1716,6 @@ dependencies = [
 "landlock",
 "libc",
 "maplit",
- "multimap",
 "notify",
 "once_cell",
 "openssl-sys",
@@ -1705,7 +1724,6 @@ dependencies = [
 "predicates",
 "pretty_assertions",
 "rand 0.9.2",
- "regex",
 "regex-lite",
 "reqwest",
 "rmcp",
@@ -1733,8 +1751,6 @@ dependencies = [
 "tracing",
 "tracing-subscriber",
 "tracing-test",
- "tree-sitter",
- "tree-sitter-bash",
 "url",
 "uuid",
 "walkdir",
@@ -1767,11 +1783,14 @@ dependencies = [
 "clap",
 "codex-arg0",
 "codex-cloud-requirements",
- "codex-common",
 "codex-core",
 "codex-protocol",
 "codex-utils-absolute-path",
 "codex-utils-cargo-bin",
+ "codex-utils-cli",
+ "codex-utils-elapsed",
+ "codex-utils-oss",
+ "codex-utils-sandbox-summary",
 "core_test_support",
 "libc",
 "owo-colors",
@@ -1992,9 +2011,9 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "codex-arg0",
- "codex-common",
 "codex-core",
 "codex-protocol",
+ "codex-utils-cli",
 "codex-utils-json-to-toml",
 "core_test_support",
 "mcp_test_support",
@@ -2018,6 +2037,7 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "async-trait",
+ "base64 0.22.1",
 "clap",
 "codex-utils-absolute-path",
 "codex-utils-rustls-provider",
@@ -2190,6 +2210,26 @@ dependencies = [
 "tracing",
 ]

+[[package]]
+name = "codex-shell-command"
+version = "0.0.0"
+dependencies = [
+ "anyhow",
+ "base64 0.22.1",
+ "codex-protocol",
+ "codex-utils-absolute-path",
+ "once_cell",
+ "pretty_assertions",
+ "regex",
+ "serde",
+ "serde_json",
+ "shlex",
+ "tree-sitter",
+ "tree-sitter-bash",
+ "url",
+ "which",
+]
+
 [[package]]
 name = "codex-state"
 version = "0.0.0"
@@ -2241,7 +2281,6 @@ dependencies = [
 "codex-chatgpt",
 "codex-cli",
 "codex-cloud-requirements",
- "codex-common",
 "codex-core",
 "codex-feedback",
 "codex-file-search",
@@ -2250,8 +2289,15 @@ dependencies = [
 "codex-protocol",
 "codex-state",
 "codex-utils-absolute-path",
+ "codex-utils-approval-presets",
 "codex-utils-cargo-bin",
+ "codex-utils-cli",
+ "codex-utils-elapsed",
+ "codex-utils-fuzzy-match",
+ "codex-utils-oss",
 "codex-utils-pty",
+ "codex-utils-sandbox-summary",
+ "codex-utils-sleep-inhibitor",
 "codex-windows-sandbox",
 "color-eyre",
 "crossterm",
@@ -2317,6 +2363,13 @@ dependencies = [
 "ts-rs",
 ]

+[[package]]
+name = "codex-utils-approval-presets"
+version = "0.0.0"
+dependencies = [
+ "codex-core",
+]
+
 [[package]]
 name = "codex-utils-cache"
 version = "0.0.0"
@@ -2335,6 +2388,26 @@ dependencies = [
 "thiserror 2.0.18",
 ]

+[[package]]
+name = "codex-utils-cli"
+version = "0.0.0"
+dependencies = [
+ "clap",
+ "codex-core",
+ "codex-protocol",
+ "pretty_assertions",
+ "serde",
+ "toml 0.9.11+spec-1.1.0",
+]
+
+[[package]]
+name = "codex-utils-elapsed"
+version = "0.0.0"
+
+[[package]]
+name = "codex-utils-fuzzy-match"
+version = "0.0.0"
+
 [[package]]
 name = "codex-utils-home-dir"
 version = "0.0.0"
@@ -2365,6 +2438,15 @@ dependencies = [
 "toml 0.9.11+spec-1.1.0",
 ]

+[[package]]
+name = "codex-utils-oss"
+version = "0.0.0"
+dependencies = [
+ "codex-core",
+ "codex-lmstudio",
+ "codex-ollama",
+]
+
 [[package]]
 name = "codex-utils-pty"
 version = "0.0.0"
@@ -2399,6 +2481,32 @@ dependencies = [
 "rustls",
 ]

+[[package]]
+name = "codex-utils-sandbox-summary"
+version = "0.0.0"
+dependencies = [
+ "codex-core",
+ "codex-utils-absolute-path",
+ "pretty_assertions",
+]
+
+[[package]]
+name = "codex-utils-sanitizer"
+version = "0.0.0"
+dependencies = [
+ "regex",
+]
+
+[[package]]
+name = "codex-utils-sleep-inhibitor"
+version = "0.0.0"
+dependencies = [
+ "core-foundation 0.9.4",
+ "libc",
+ "tracing",
+ "windows-sys 0.52.0",
+]
+
 [[package]]
 name = "codex-utils-string"
 version = "0.0.0"
@@ -2620,6 +2728,7 @@ dependencies = [
 "codex-protocol",
 "codex-utils-absolute-path",
 "codex-utils-cargo-bin",
+ "ctor 0.6.3",
 "futures",
 "notify",
 "pretty_assertions",
@@ -7308,9 +7417,9 @@ dependencies = [

 [[package]]
 name = "rmcp"
-version = "0.14.0"
+version = "0.15.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0a621b37a548ff6ab6292d57841eb25785a7f146d89391a19c9f199414bd13da"
+checksum = "1bef41ebc9ebed2c1b1d90203e9d1756091e8a00bbc3107676151f39868ca0ee"
 dependencies = [
 "async-trait",
 "axum",
@@ -7344,9 +7453,9 @@ dependencies = [

 [[package]]
 name = "rmcp-macros"
-version = "0.14.0"
+version = "0.15.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6b79ed92303f9262db79575aa8c3652581668e9d136be6fd0b9ededa78954c95"
+checksum = "0e88ad84b8b6237a934534a62b379a5be6388915663c0cc598ceb9b3292bbbfe"
 dependencies = [
 "darling 0.23.0",
 "proc-macro2",
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -15,7 +15,8 @@ members = [
    "cloud-tasks",
    "cloud-tasks-client",
    "cli",
-    "common",
+    "config",
+    "shell-command",
    "core",
    "hooks",
    "secrets",
@@ -49,6 +50,14 @@ members = [
    "utils/readiness",
    "utils/rustls-provider",
    "utils/string",
+    "utils/cli",
+    "utils/elapsed",
+    "utils/sandbox-summary",
+    "utils/sanitizer",
+    "utils/sleep-inhibitor",
+    "utils/approval-presets",
+    "utils/oss",
+    "utils/fuzzy-match",
    "codex-client",
    "codex-api",
    "state",
@@ -77,20 +86,19 @@ codex-apply-patch = { path = "apply-patch" }
 codex-arg0 = { path = "arg0" }
 codex-async-utils = { path = "async-utils" }
 codex-backend-client = { path = "backend-client" }
-codex-cloud-requirements = { path = "cloud-requirements" }
 codex-chatgpt = { path = "chatgpt" }
-codex-cli = { path = "cli"}
+codex-cli = { path = "cli" }
 codex-client = { path = "codex-client" }
-codex-common = { path = "common" }
+codex-cloud-requirements = { path = "cloud-requirements" }
+codex-config = { path = "config" }
 codex-core = { path = "core" }
-codex-hooks = { path = "hooks" }
-codex-secrets = { path = "secrets" }
 codex-exec = { path = "exec" }
 codex-execpolicy = { path = "execpolicy" }
 codex-experimental-api-macros = { path = "codex-experimental-api-macros" }
 codex-feedback = { path = "feedback" }
 codex-file-search = { path = "file-search" }
 codex-git = { path = "utils/git" }
+codex-hooks = { path = "hooks" }
 codex-keyring-store = { path = "keyring-store" }
 codex-linux-sandbox = { path = "linux-sandbox" }
 codex-lmstudio = { path = "lmstudio" }
@@ -103,18 +111,28 @@ codex-process-hardening = { path = "process-hardening" }
 codex-protocol = { path = "protocol" }
 codex-responses-api-proxy = { path = "responses-api-proxy" }
 codex-rmcp-client = { path = "rmcp-client" }
+codex-secrets = { path = "secrets" }
+codex-shell-command = { path = "shell-command" }
 codex-state = { path = "state" }
 codex-stdio-to-uds = { path = "stdio-to-uds" }
 codex-tui = { path = "tui" }
 codex-utils-absolute-path = { path = "utils/absolute-path" }
+codex-utils-approval-presets = { path = "utils/approval-presets" }
 codex-utils-cache = { path = "utils/cache" }
 codex-utils-cargo-bin = { path = "utils/cargo-bin" }
+codex-utils-cli = { path = "utils/cli" }
+codex-utils-elapsed = { path = "utils/elapsed" }
+codex-utils-fuzzy-match = { path = "utils/fuzzy-match" }
+codex-utils-home-dir = { path = "utils/home-dir" }
 codex-utils-image = { path = "utils/image" }
 codex-utils-json-to-toml = { path = "utils/json-to-toml" }
-codex-utils-home-dir = { path = "utils/home-dir" }
+codex-utils-oss = { path = "utils/oss" }
 codex-utils-pty = { path = "utils/pty" }
 codex-utils-readiness = { path = "utils/readiness" }
 codex-utils-rustls-provider = { path = "utils/rustls-provider" }
+codex-utils-sandbox-summary = { path = "utils/sandbox-summary" }
+codex-utils-sanitizer = { path = "utils/sanitizer" }
+codex-utils-sleep-inhibitor = { path = "utils/sleep-inhibitor" }
 codex-utils-string = { path = "utils/string" }
 codex-windows-sandbox = { path = "windows-sandbox-rs" }
 core_test_support = { path = "core/tests/common" }
@@ -127,12 +145,12 @@ allocative = "0.3.3"
 ansi-to-tui = "7.0.0"
 anyhow = "1"
 arboard = { version = "3", features = ["wayland-data-control"] }
+askama = "0.15.4"
 assert_cmd = "2"
 assert_matches = "1.5.0"
 async-channel = "2.3.1"
 async-stream = "0.3.6"
 async-trait = "0.1.89"
-askama = "0.15.4"
 axum = { version = "0.8", default-features = false }
 base64 = "0.22.1"
 bm25 = "2.3.2"
@@ -142,8 +160,8 @@ chrono = "0.4.43"
 clap = "4"
 clap_complete = "4"
 color-eyre = "0.6.3"
-crossterm = "0.28.1"
 crossbeam-channel = "0.5.15"
+crossterm = "0.28.1"
 ctor = "0.6.3"
 derive_more = "2"
 diffy = "0.4.2"
@@ -161,10 +179,10 @@ icu_decimal = "2.1"
 icu_locale_core = "2.1"
 icu_provider = { version = "2.1", features = ["sync"] }
 ignore = "0.4.23"
-indoc = "2.0"
 image = { version = "^0.25.9", default-features = false }
 include_dir = "0.7.4"
 indexmap = "2.12.0"
+indoc = "2.0"
 insta = "1.46.3"
 inventory = "0.3.19"
 itertools = "0.14.0"
@@ -186,7 +204,6 @@ opentelemetry-appender-tracing = "0.31.0"
 opentelemetry-otlp = "0.31.0"
 opentelemetry-semantic-conventions = "0.31.0"
 opentelemetry_sdk = "0.31.0"
-tracing-opentelemetry = "0.32.0"
 os_info = "3.12.0"
 owo-colors = "4.2.0"
 path-absolutize = "3.1.1"
@@ -201,11 +218,15 @@ ratatui-macros = "0.6.0"
 regex = "1.12.3"
 regex-lite = "0.1.8"
 reqwest = "0.12"
-rmcp = { version = "0.14.0", default-features = false }
-rustls = { version = "0.23", default-features = false, features = ["ring", "std"] }
+rmcp = { version = "0.15.0", default-features = false }
 runfiles = { git = "https://github.com/dzbarsky/rules_rust", rev = "b56cbaa8465e74127f1ea216f813cd377295ad81" }
+rustls = { version = "0.23", default-features = false, features = [
+    "ring",
+    "std",
+] }
 schemars = "0.8.22"
 seccompiler = "0.5.0"
+semver = "1.0"
 sentry = "0.46.0"
 serde = "1"
 serde_json = "1"
@@ -215,11 +236,19 @@ serde_yaml = "0.9"
 serial_test = "3.2.0"
 sha1 = "0.10.6"
 sha2 = "0.10"
-semver = "1.0"
 shlex = "1.3.0"
 similar = "2.7.0"
 socket2 = "0.6.1"
-sqlx = { version = "0.8.6", default-features = false, features = ["chrono", "json", "macros", "migrate", "runtime-tokio-rustls", "sqlite", "time", "uuid"] }
+sqlx = { version = "0.8.6", default-features = false, features = [
+    "chrono",
+    "json",
+    "macros",
+    "migrate",
+    "runtime-tokio-rustls",
+    "sqlite",
+    "time",
+    "uuid",
+] }
 starlark = "0.13.0"
 strum = "0.27.2"
 strum_macros = "0.27.2"
@@ -234,20 +263,23 @@ tiny_http = "0.12"
 tokio = "1"
 tokio-stream = "0.1.18"
 tokio-test = "0.4"
-tokio-tungstenite = { version = "0.28.0", features = ["proxy", "rustls-tls-native-roots"] }
-tungstenite = { version = "0.27.0", features = ["deflate", "proxy"] }
+tokio-tungstenite = { version = "0.28.0", features = [
+    "proxy",
+    "rustls-tls-native-roots",
+] }
 tokio-util = "0.7.18"
 toml = "0.9.5"
 toml_edit = "0.24.0"
 tracing = "0.1.44"
 tracing-appender = "0.2.3"
+tracing-opentelemetry = "0.32.0"
 tracing-subscriber = "0.3.22"
 tracing-test = "0.2.5"
 tree-sitter = "0.25.10"
 tree-sitter-bash = "0.25"
-zstd = "0.13"
 tree-sitter-highlight = "0.25.10"
 ts-rs = "11"
+tungstenite = { version = "0.27.0", features = ["deflate", "proxy"] }
 uds_windows = "1.1.0"
 unicode-segmentation = "1.12.0"
 unicode-width = "0.2"
@@ -260,6 +292,7 @@ webbrowser = "1.0"
 which = "8"
 wildmatch = "2.6.1"
 zip = "2.4.2"
+zstd = "0.13"

 wiremock = "0.6"
 zeroize = "1.8.2"
@@ -305,7 +338,12 @@ unwrap_used = "deny"
 # cargo-shear cannot see the platform-specific openssl-sys usage, so we
 # silence the false positive here instead of deleting a real dependency.
 [workspace.metadata.cargo-shear]
-ignored = ["icu_provider", "openssl-sys", "codex-utils-readiness", "codex-secrets"]
+ignored = [
+    "icu_provider",
+    "openssl-sys",
+    "codex-utils-readiness",
+    "codex-secrets",
+]

 [profile.release]
 lto = "fat"
--- a/codex-rs/app-server-protocol/Cargo.toml
+++ b/codex-rs/app-server-protocol/Cargo.toml
@@ -20,6 +20,7 @@ codex-utils-absolute-path = { workspace = true }
 schemars = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
+shlex = { workspace = true }
 strum_macros = { workspace = true }
 thiserror = { workspace = true }
 ts-rs = { workspace = true }
--- a/codex-rs/app-server-protocol/schema/json/ClientRequest.json
+++ b/codex-rs/app-server-protocol/schema/json/ClientRequest.json
@@ -88,7 +88,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
@@ -1243,6 +1243,104 @@
      ],
      "type": "string"
    },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
+    "ReadOnlyAccess2": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccess2Type",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess2",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccess2Type",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess2",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -1922,6 +2020,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "readOnly"
@@ -1974,6 +2082,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -2018,8 +2136,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess2"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -2078,6 +2204,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess2"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
@@ -2431,6 +2565,13 @@
            "null"
          ]
        },
+        "cwd": {
+          "description": "Optional cwd filter; when set, only threads whose session cwd exactly matches this path are returned.",
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "limit": {
          "description": "Optional page size; defaults to a reasonable server-side value.",
          "format": "uint32",
--- a/codex-rs/app-server-protocol/schema/json/EventMsg.json
+++ b/codex-rs/app-server-protocol/schema/json/EventMsg.json
@@ -104,7 +104,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
@@ -175,6 +175,7 @@
          "enum": [
            "context_window_exceeded",
            "usage_limit_exceeded",
+            "server_overloaded",
            "internal_server_error",
            "unauthorized",
            "bad_request",
@@ -184,35 +185,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "model_cap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "model_cap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -560,6 +532,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_started"
@@ -569,6 +544,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskStartedEventMsg",
@@ -583,6 +559,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_complete"
@@ -592,6 +571,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskCompleteEventMsg",
@@ -1369,6 +1349,14 @@
              "default": "agent",
              "description": "Where the command originated. Defaults to Agent for backward compatibility."
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ExecCommandStatus"
+                }
+              ],
+              "description": "Completion status for this command execution."
+            },
            "stderr": {
              "description": "Captured stderr",
              "type": "string"
@@ -1397,6 +1385,7 @@
            "exit_code",
            "formatted_output",
            "parsed_cmd",
+            "status",
            "stderr",
            "stdout",
            "turn_id",
@@ -1825,6 +1814,14 @@
              "description": "The changes that were applied (mirrors PatchApplyBeginEvent::changes).",
              "type": "object"
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/PatchApplyStatus"
+                }
+              ],
+              "description": "Completion status for this patch application."
+            },
            "stderr": {
              "description": "Captured stderr (parser errors, IO failures, etc.).",
              "type": "string"
@@ -1852,6 +1849,7 @@
          },
          "required": [
            "call_id",
+            "status",
            "stderr",
            "stdout",
            "success",
@@ -2129,6 +2127,12 @@
            "reason": {
              "$ref": "#/definitions/TurnAbortReason"
            },
+            "turn_id": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
            "type": {
              "enum": [
                "turn_aborted"
@@ -2887,6 +2891,14 @@
      ],
      "type": "string"
    },
+    "ExecCommandStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "ExecOutputStream": {
      "enum": [
        "stdout",
@@ -3414,6 +3426,14 @@
        }
      ]
    },
+    "PatchApplyStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "PlanItemArg": {
      "additionalProperties": false,
      "properties": {
@@ -3456,6 +3476,18 @@
            }
          ]
        },
+        "limit_id": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "limit_name": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "plan_type": {
          "anyOf": [
            {
@@ -3518,6 +3550,57 @@
      ],
      "type": "object"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -4355,8 +4438,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -4415,6 +4506,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
@@ -5303,6 +5402,9 @@
            "null"
          ]
        },
+        "turn_id": {
+          "type": "string"
+        },
        "type": {
          "enum": [
            "task_started"
@@ -5312,6 +5414,7 @@
        }
      },
      "required": [
+        "turn_id",
        "type"
      ],
      "title": "TaskStartedEventMsg",
@@ -5326,6 +5429,9 @@
            "null"
          ]
        },
+        "turn_id": {
+          "type": "string"
+        },
        "type": {
          "enum": [
            "task_complete"
@@ -5335,6 +5441,7 @@
        }
      },
      "required": [
+        "turn_id",
        "type"
      ],
      "title": "TaskCompleteEventMsg",
@@ -6112,6 +6219,14 @@
          "default": "agent",
          "description": "Where the command originated. Defaults to Agent for backward compatibility."
        },
+        "status": {
+          "allOf": [
+            {
+              "$ref": "#/definitions/ExecCommandStatus"
+            }
+          ],
+          "description": "Completion status for this command execution."
+        },
        "stderr": {
          "description": "Captured stderr",
          "type": "string"
@@ -6140,6 +6255,7 @@
        "exit_code",
        "formatted_output",
        "parsed_cmd",
+        "status",
        "stderr",
        "stdout",
        "turn_id",
@@ -6568,6 +6684,14 @@
          "description": "The changes that were applied (mirrors PatchApplyBeginEvent::changes).",
          "type": "object"
        },
+        "status": {
+          "allOf": [
+            {
+              "$ref": "#/definitions/PatchApplyStatus"
+            }
+          ],
+          "description": "Completion status for this patch application."
+        },
        "stderr": {
          "description": "Captured stderr (parser errors, IO failures, etc.).",
          "type": "string"
@@ -6595,6 +6719,7 @@
      },
      "required": [
        "call_id",
+        "status",
        "stderr",
        "stdout",
        "success",
@@ -6872,6 +6997,12 @@
        "reason": {
          "$ref": "#/definitions/TurnAbortReason"
        },
+        "turn_id": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "type": {
          "enum": [
            "turn_aborted"
--- a/codex-rs/app-server-protocol/schema/json/FuzzyFileSearchSessionUpdatedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/FuzzyFileSearchSessionUpdatedNotification.json
@@ -0,0 +1,63 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "definitions": {
+    "FuzzyFileSearchResult": {
+      "description": "Superset of [`codex_file_search::FileMatch`]",
+      "properties": {
+        "file_name": {
+          "type": "string"
+        },
+        "indices": {
+          "items": {
+            "format": "uint32",
+            "minimum": 0.0,
+            "type": "integer"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
+        },
+        "path": {
+          "type": "string"
+        },
+        "root": {
+          "type": "string"
+        },
+        "score": {
+          "format": "uint32",
+          "minimum": 0.0,
+          "type": "integer"
+        }
+      },
+      "required": [
+        "file_name",
+        "path",
+        "root",
+        "score"
+      ],
+      "type": "object"
+    }
+  },
+  "properties": {
+    "files": {
+      "items": {
+        "$ref": "#/definitions/FuzzyFileSearchResult"
+      },
+      "type": "array"
+    },
+    "query": {
+      "type": "string"
+    },
+    "sessionId": {
+      "type": "string"
+    }
+  },
+  "required": [
+    "files",
+    "query",
+    "sessionId"
+  ],
+  "title": "FuzzyFileSearchSessionUpdatedNotification",
+  "type": "object"
+}
--- a/codex-rs/app-server-protocol/schema/json/ServerNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/ServerNotification.json
@@ -193,6 +193,11 @@
          "default": false,
          "type": "boolean"
        },
+        "isEnabled": {
+          "default": true,
+          "description": "Whether this app is enabled in config.toml. Example: ```toml [apps.bad_app] enabled = false ```",
+          "type": "boolean"
+        },
        "logoUrl": {
          "type": [
            "string",
@@ -241,7 +246,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
@@ -373,6 +378,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -382,35 +388,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -515,6 +492,7 @@
          "enum": [
            "context_window_exceeded",
            "usage_limit_exceeded",
+            "server_overloaded",
            "internal_server_error",
            "unauthorized",
            "bad_request",
@@ -524,35 +502,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "model_cap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "model_cap"
-          ],
-          "title": "ModelCapCodexErrorInfo2",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -1204,6 +1153,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_started"
@@ -1213,6 +1165,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskStartedEventMsg",
@@ -1227,6 +1180,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_complete"
@@ -1236,6 +1192,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskCompleteEventMsg",
@@ -2013,6 +1970,14 @@
              "default": "agent",
              "description": "Where the command originated. Defaults to Agent for backward compatibility."
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ExecCommandStatus"
+                }
+              ],
+              "description": "Completion status for this command execution."
+            },
            "stderr": {
              "description": "Captured stderr",
              "type": "string"
@@ -2041,6 +2006,7 @@
            "exit_code",
            "formatted_output",
            "parsed_cmd",
+            "status",
            "stderr",
            "stdout",
            "turn_id",
@@ -2469,6 +2435,14 @@
              "description": "The changes that were applied (mirrors PatchApplyBeginEvent::changes).",
              "type": "object"
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/PatchApplyStatus2"
+                }
+              ],
+              "description": "Completion status for this patch application."
+            },
            "stderr": {
              "description": "Captured stderr (parser errors, IO failures, etc.).",
              "type": "string"
@@ -2496,6 +2470,7 @@
          },
          "required": [
            "call_id",
+            "status",
            "stderr",
            "stdout",
            "success",
@@ -2773,6 +2748,12 @@
            "reason": {
              "$ref": "#/definitions/TurnAbortReason"
            },
+            "turn_id": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
            "type": {
              "enum": [
                "turn_aborted"
@@ -3531,6 +3512,14 @@
      ],
      "type": "string"
    },
+    "ExecCommandStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "ExecOutputStream": {
      "enum": [
        "stdout",
@@ -3726,6 +3715,65 @@
      ],
      "type": "object"
    },
+    "FuzzyFileSearchResult": {
+      "description": "Superset of [`codex_file_search::FileMatch`]",
+      "properties": {
+        "file_name": {
+          "type": "string"
+        },
+        "indices": {
+          "items": {
+            "format": "uint32",
+            "minimum": 0.0,
+            "type": "integer"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
+        },
+        "path": {
+          "type": "string"
+        },
+        "root": {
+          "type": "string"
+        },
+        "score": {
+          "format": "uint32",
+          "minimum": 0.0,
+          "type": "integer"
+        }
+      },
+      "required": [
+        "file_name",
+        "path",
+        "root",
+        "score"
+      ],
+      "type": "object"
+    },
+    "FuzzyFileSearchSessionUpdatedNotification": {
+      "properties": {
+        "files": {
+          "items": {
+            "$ref": "#/definitions/FuzzyFileSearchResult"
+          },
+          "type": "array"
+        },
+        "query": {
+          "type": "string"
+        },
+        "sessionId": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "files",
+        "query",
+        "sessionId"
+      ],
+      "type": "object"
+    },
    "GhostCommit": {
      "description": "Details of a ghost commit created from a repository state.",
      "properties": {
@@ -4268,6 +4316,14 @@
      ],
      "type": "string"
    },
+    "PatchApplyStatus2": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "PatchChangeKind": {
      "oneOf": [
        {
@@ -4392,6 +4448,18 @@
            }
          ]
        },
+        "limitId": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "limitName": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "planType": {
          "anyOf": [
            {
@@ -4437,6 +4505,18 @@
            }
          ]
        },
+        "limit_id": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "limit_name": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "plan_type": {
          "anyOf": [
            {
@@ -4544,6 +4624,57 @@
      ],
      "type": "object"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -5461,8 +5592,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -5521,6 +5660,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
@@ -5850,7 +5997,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
@@ -8122,6 +8270,26 @@
      "title": "ConfigWarningNotification",
      "type": "object"
    },
+    {
+      "properties": {
+        "method": {
+          "enum": [
+            "fuzzyFileSearch/sessionUpdated"
+          ],
+          "title": "FuzzyFileSearch/sessionUpdatedNotificationMethod",
+          "type": "string"
+        },
+        "params": {
+          "$ref": "#/definitions/FuzzyFileSearchSessionUpdatedNotification"
+        }
+      },
+      "required": [
+        "method",
+        "params"
+      ],
+      "title": "FuzzyFileSearch/sessionUpdatedNotification",
+      "type": "object"
+    },
    {
      "description": "Notifies the user of world-writable directories on Windows, which cannot be protected by the sandbox.",
      "properties": {
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
@@ -208,7 +208,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
@@ -1884,6 +1884,7 @@
          "enum": [
            "context_window_exceeded",
            "usage_limit_exceeded",
+            "server_overloaded",
            "internal_server_error",
            "unauthorized",
            "bad_request",
@@ -1893,35 +1894,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "model_cap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "model_cap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -2573,6 +2545,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_started"
@@ -2582,6 +2557,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskStartedEventMsg",
@@ -2596,6 +2572,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_complete"
@@ -2605,6 +2584,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskCompleteEventMsg",
@@ -3382,6 +3362,14 @@
              "default": "agent",
              "description": "Where the command originated. Defaults to Agent for backward compatibility."
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ExecCommandStatus"
+                }
+              ],
+              "description": "Completion status for this command execution."
+            },
            "stderr": {
              "description": "Captured stderr",
              "type": "string"
@@ -3410,6 +3398,7 @@
            "exit_code",
            "formatted_output",
            "parsed_cmd",
+            "status",
            "stderr",
            "stdout",
            "turn_id",
@@ -3838,6 +3827,14 @@
              "description": "The changes that were applied (mirrors PatchApplyBeginEvent::changes).",
              "type": "object"
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/v2/PatchApplyStatus"
+                }
+              ],
+              "description": "Completion status for this patch application."
+            },
            "stderr": {
              "description": "Captured stderr (parser errors, IO failures, etc.).",
              "type": "string"
@@ -3865,6 +3862,7 @@
          },
          "required": [
            "call_id",
+            "status",
            "stderr",
            "stdout",
            "success",
@@ -4142,6 +4140,12 @@
            "reason": {
              "$ref": "#/definitions/TurnAbortReason"
            },
+            "turn_id": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
            "type": {
              "enum": [
                "turn_aborted"
@@ -4956,6 +4960,14 @@
      ],
      "type": "string"
    },
+    "ExecCommandStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "ExecOneOffCommandParams": {
      "$schema": "http://json-schema.org/draft-07/schema#",
      "properties": {
@@ -5400,6 +5412,30 @@
      ],
      "type": "object"
    },
+    "FuzzyFileSearchSessionUpdatedNotification": {
+      "$schema": "http://json-schema.org/draft-07/schema#",
+      "properties": {
+        "files": {
+          "items": {
+            "$ref": "#/definitions/FuzzyFileSearchResult"
+          },
+          "type": "array"
+        },
+        "query": {
+          "type": "string"
+        },
+        "sessionId": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "files",
+        "query",
+        "sessionId"
+      ],
+      "title": "FuzzyFileSearchSessionUpdatedNotification",
+      "type": "object"
+    },
    "GetAuthStatusParams": {
      "$schema": "http://json-schema.org/draft-07/schema#",
      "properties": {
@@ -6436,6 +6472,14 @@
        }
      ]
    },
+    "PatchApplyStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "PlanItemArg": {
      "additionalProperties": false,
      "properties": {
@@ -6541,6 +6585,18 @@
            }
          ]
        },
+        "limit_id": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "limit_name": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "plan_type": {
          "anyOf": [
            {
@@ -6603,6 +6659,57 @@
      ],
      "type": "object"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -7616,8 +7723,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -7676,6 +7791,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
@@ -8360,6 +8483,26 @@
          "title": "ConfigWarningNotification",
          "type": "object"
        },
+        {
+          "properties": {
+            "method": {
+              "enum": [
+                "fuzzyFileSearch/sessionUpdated"
+              ],
+              "title": "FuzzyFileSearch/sessionUpdatedNotificationMethod",
+              "type": "string"
+            },
+            "params": {
+              "$ref": "#/definitions/FuzzyFileSearchSessionUpdatedNotification"
+            }
+          },
+          "required": [
+            "method",
+            "params"
+          ],
+          "title": "FuzzyFileSearch/sessionUpdatedNotification",
+          "type": "object"
+        },
        {
          "description": "Notifies the user of world-writable directories on Windows, which cannot be protected by the sandbox.",
          "properties": {
@@ -8983,7 +9126,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
@@ -10058,6 +10202,11 @@
            "default": false,
            "type": "boolean"
          },
+          "isEnabled": {
+            "default": true,
+            "description": "Whether this app is enabled in config.toml. Example: ```toml [apps.bad_app] enabled = false ```",
+            "type": "boolean"
+          },
          "logoUrl": {
            "type": [
              "string",
@@ -10253,6 +10402,7 @@
            "enum": [
              "contextWindowExceeded",
              "usageLimitExceeded",
+              "serverOverloaded",
              "internalServerError",
              "unauthorized",
              "badRequest",
@@ -10262,35 +10412,6 @@
            ],
            "type": "string"
          },
-          {
-            "additionalProperties": false,
-            "properties": {
-              "modelCap": {
-                "properties": {
-                  "model": {
-                    "type": "string"
-                  },
-                  "reset_after_seconds": {
-                    "format": "uint64",
-                    "minimum": 0.0,
-                    "type": [
-                      "integer",
-                      "null"
-                    ]
-                  }
-                },
-                "required": [
-                  "model"
-                ],
-                "type": "object"
-              }
-            },
-            "required": [
-              "modelCap"
-            ],
-            "title": "ModelCapCodexErrorInfo",
-            "type": "object"
-          },
          {
            "additionalProperties": false,
            "properties": {
@@ -11823,7 +11944,22 @@
        "$schema": "http://json-schema.org/draft-07/schema#",
        "properties": {
          "rateLimits": {
-            "$ref": "#/definitions/v2/RateLimitSnapshot"
+            "allOf": [
+              {
+                "$ref": "#/definitions/v2/RateLimitSnapshot"
+              }
+            ],
+            "description": "Backward-compatible single-bucket view; mirrors the historical payload."
+          },
+          "rateLimitsByLimitId": {
+            "additionalProperties": {
+              "$ref": "#/definitions/v2/RateLimitSnapshot"
+            },
+            "description": "Multi-bucket view keyed by metered `limit_id` (for example, `codex`).",
+            "type": [
+              "object",
+              "null"
+            ]
          }
        },
        "required": [
@@ -12838,6 +12974,18 @@
              }
            ]
          },
+          "limitId": {
+            "type": [
+              "string",
+              "null"
+            ]
+          },
+          "limitName": {
+            "type": [
+              "string",
+              "null"
+            ]
+          },
          "planType": {
            "anyOf": [
              {
@@ -12918,6 +13066,53 @@
        "title": "RawResponseItemCompletedNotification",
        "type": "object"
      },
+      "ReadOnlyAccess": {
+        "oneOf": [
+          {
+            "properties": {
+              "includePlatformDefaults": {
+                "default": true,
+                "type": "boolean"
+              },
+              "readableRoots": {
+                "default": [],
+                "items": {
+                  "$ref": "#/definitions/v2/AbsolutePathBuf"
+                },
+                "type": "array"
+              },
+              "type": {
+                "enum": [
+                  "restricted"
+                ],
+                "title": "RestrictedReadOnlyAccessType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "type"
+            ],
+            "title": "RestrictedReadOnlyAccess",
+            "type": "object"
+          },
+          {
+            "properties": {
+              "type": {
+                "enum": [
+                  "fullAccess"
+                ],
+                "title": "FullAccessReadOnlyAccessType",
+                "type": "string"
+              }
+            },
+            "required": [
+              "type"
+            ],
+            "title": "FullAccessReadOnlyAccess",
+            "type": "object"
+          }
+        ]
+      },
      "ReasoningEffort": {
        "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
        "enum": [
@@ -13758,6 +13953,16 @@
          },
          {
            "properties": {
+              "access": {
+                "allOf": [
+                  {
+                    "$ref": "#/definitions/v2/ReadOnlyAccess"
+                  }
+                ],
+                "default": {
+                  "type": "fullAccess"
+                }
+              },
              "type": {
                "enum": [
                  "readOnly"
@@ -13810,6 +14015,16 @@
                "default": false,
                "type": "boolean"
              },
+              "readOnlyAccess": {
+                "allOf": [
+                  {
+                    "$ref": "#/definitions/v2/ReadOnlyAccess"
+                  }
+                ],
+                "default": {
+                  "type": "fullAccess"
+                }
+              },
              "type": {
                "enum": [
                  "workspaceWrite"
@@ -14266,7 +14481,8 @@
          {
            "enum": [
              "review",
-              "compact"
+              "compact",
+              "memory_consolidation"
            ],
            "type": "string"
          },
@@ -15120,6 +15336,13 @@
              "null"
            ]
          },
+          "cwd": {
+            "description": "Optional cwd filter; when set, only threads whose session cwd exactly matches this path are returned.",
+            "type": [
+              "string",
+              "null"
+            ]
+          },
          "limit": {
            "description": "Optional page size; defaults to a reasonable server-side value.",
            "format": "uint32",
--- a/codex-rs/app-server-protocol/schema/json/v1/ExecOneOffCommandParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/ExecOneOffCommandParams.json
@@ -13,6 +13,57 @@
      ],
      "type": "string"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "SandboxPolicy": {
      "description": "Determines execution restrictions for model shell commands.",
      "oneOf": [
@@ -34,8 +85,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -94,6 +153,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
--- a/codex-rs/app-server-protocol/schema/json/v1/ForkConversationParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/ForkConversationParams.json
@@ -12,7 +12,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
--- a/codex-rs/app-server-protocol/schema/json/v1/ForkConversationResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/ForkConversationResponse.json
@@ -104,7 +104,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
@@ -175,6 +175,7 @@
          "enum": [
            "context_window_exceeded",
            "usage_limit_exceeded",
+            "server_overloaded",
            "internal_server_error",
            "unauthorized",
            "bad_request",
@@ -184,35 +185,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "model_cap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "model_cap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -560,6 +532,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_started"
@@ -569,6 +544,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskStartedEventMsg",
@@ -583,6 +559,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_complete"
@@ -592,6 +571,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskCompleteEventMsg",
@@ -1369,6 +1349,14 @@
              "default": "agent",
              "description": "Where the command originated. Defaults to Agent for backward compatibility."
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ExecCommandStatus"
+                }
+              ],
+              "description": "Completion status for this command execution."
+            },
            "stderr": {
              "description": "Captured stderr",
              "type": "string"
@@ -1397,6 +1385,7 @@
            "exit_code",
            "formatted_output",
            "parsed_cmd",
+            "status",
            "stderr",
            "stdout",
            "turn_id",
@@ -1825,6 +1814,14 @@
              "description": "The changes that were applied (mirrors PatchApplyBeginEvent::changes).",
              "type": "object"
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/PatchApplyStatus"
+                }
+              ],
+              "description": "Completion status for this patch application."
+            },
            "stderr": {
              "description": "Captured stderr (parser errors, IO failures, etc.).",
              "type": "string"
@@ -1852,6 +1849,7 @@
          },
          "required": [
            "call_id",
+            "status",
            "stderr",
            "stdout",
            "success",
@@ -2129,6 +2127,12 @@
            "reason": {
              "$ref": "#/definitions/TurnAbortReason"
            },
+            "turn_id": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
            "type": {
              "enum": [
                "turn_aborted"
@@ -2887,6 +2891,14 @@
      ],
      "type": "string"
    },
+    "ExecCommandStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "ExecOutputStream": {
      "enum": [
        "stdout",
@@ -3414,6 +3426,14 @@
        }
      ]
    },
+    "PatchApplyStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "PlanItemArg": {
      "additionalProperties": false,
      "properties": {
@@ -3456,6 +3476,18 @@
            }
          ]
        },
+        "limit_id": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "limit_name": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "plan_type": {
          "anyOf": [
            {
@@ -3518,6 +3550,57 @@
      ],
      "type": "object"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -4355,8 +4438,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -4415,6 +4506,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
--- a/codex-rs/app-server-protocol/schema/json/v1/GetConversationSummaryResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/GetConversationSummaryResponse.json
@@ -113,7 +113,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
--- a/codex-rs/app-server-protocol/schema/json/v1/GetUserSavedConfigResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/GetUserSavedConfigResponse.json
@@ -16,7 +16,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
--- a/codex-rs/app-server-protocol/schema/json/v1/ListConversationsResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/ListConversationsResponse.json
@@ -113,7 +113,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
--- a/codex-rs/app-server-protocol/schema/json/v1/NewConversationParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/NewConversationParams.json
@@ -12,7 +12,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
--- a/codex-rs/app-server-protocol/schema/json/v1/ResumeConversationParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/ResumeConversationParams.json
@@ -12,7 +12,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
--- a/codex-rs/app-server-protocol/schema/json/v1/ResumeConversationResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/ResumeConversationResponse.json
@@ -104,7 +104,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
@@ -175,6 +175,7 @@
          "enum": [
            "context_window_exceeded",
            "usage_limit_exceeded",
+            "server_overloaded",
            "internal_server_error",
            "unauthorized",
            "bad_request",
@@ -184,35 +185,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "model_cap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "model_cap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -560,6 +532,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_started"
@@ -569,6 +544,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskStartedEventMsg",
@@ -583,6 +559,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_complete"
@@ -592,6 +571,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskCompleteEventMsg",
@@ -1369,6 +1349,14 @@
              "default": "agent",
              "description": "Where the command originated. Defaults to Agent for backward compatibility."
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ExecCommandStatus"
+                }
+              ],
+              "description": "Completion status for this command execution."
+            },
            "stderr": {
              "description": "Captured stderr",
              "type": "string"
@@ -1397,6 +1385,7 @@
            "exit_code",
            "formatted_output",
            "parsed_cmd",
+            "status",
            "stderr",
            "stdout",
            "turn_id",
@@ -1825,6 +1814,14 @@
              "description": "The changes that were applied (mirrors PatchApplyBeginEvent::changes).",
              "type": "object"
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/PatchApplyStatus"
+                }
+              ],
+              "description": "Completion status for this patch application."
+            },
            "stderr": {
              "description": "Captured stderr (parser errors, IO failures, etc.).",
              "type": "string"
@@ -1852,6 +1849,7 @@
          },
          "required": [
            "call_id",
+            "status",
            "stderr",
            "stdout",
            "success",
@@ -2129,6 +2127,12 @@
            "reason": {
              "$ref": "#/definitions/TurnAbortReason"
            },
+            "turn_id": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
            "type": {
              "enum": [
                "turn_aborted"
@@ -2887,6 +2891,14 @@
      ],
      "type": "string"
    },
+    "ExecCommandStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "ExecOutputStream": {
      "enum": [
        "stdout",
@@ -3414,6 +3426,14 @@
        }
      ]
    },
+    "PatchApplyStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "PlanItemArg": {
      "additionalProperties": false,
      "properties": {
@@ -3456,6 +3476,18 @@
            }
          ]
        },
+        "limit_id": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "limit_name": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "plan_type": {
          "anyOf": [
            {
@@ -3518,6 +3550,57 @@
      ],
      "type": "object"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -4355,8 +4438,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -4415,6 +4506,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
--- a/codex-rs/app-server-protocol/schema/json/v1/SendUserTurnParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/SendUserTurnParams.json
@@ -16,7 +16,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
@@ -142,6 +142,57 @@
      ],
      "type": "string"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -195,8 +246,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -255,6 +314,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
--- a/codex-rs/app-server-protocol/schema/json/v1/SessionConfiguredNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/SessionConfiguredNotification.json
@@ -104,7 +104,7 @@
          "type": "string"
        },
        {
-          "description": "*All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox.",
+          "description": "DEPRECATED: *All* commands are auto‑approved, but they are expected to run inside a sandbox where network access is disabled and writes are confined to a specific set of paths. If the command fails, it will be escalated to the user to approve execution without a sandbox. Prefer `OnRequest` for interactive runs or `Never` for non-interactive runs.",
          "enum": [
            "on-failure"
          ],
@@ -175,6 +175,7 @@
          "enum": [
            "context_window_exceeded",
            "usage_limit_exceeded",
+            "server_overloaded",
            "internal_server_error",
            "unauthorized",
            "bad_request",
@@ -184,35 +185,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "model_cap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "model_cap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -560,6 +532,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_started"
@@ -569,6 +544,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskStartedEventMsg",
@@ -583,6 +559,9 @@
                "null"
              ]
            },
+            "turn_id": {
+              "type": "string"
+            },
            "type": {
              "enum": [
                "task_complete"
@@ -592,6 +571,7 @@
            }
          },
          "required": [
+            "turn_id",
            "type"
          ],
          "title": "TaskCompleteEventMsg",
@@ -1369,6 +1349,14 @@
              "default": "agent",
              "description": "Where the command originated. Defaults to Agent for backward compatibility."
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ExecCommandStatus"
+                }
+              ],
+              "description": "Completion status for this command execution."
+            },
            "stderr": {
              "description": "Captured stderr",
              "type": "string"
@@ -1397,6 +1385,7 @@
            "exit_code",
            "formatted_output",
            "parsed_cmd",
+            "status",
            "stderr",
            "stdout",
            "turn_id",
@@ -1825,6 +1814,14 @@
              "description": "The changes that were applied (mirrors PatchApplyBeginEvent::changes).",
              "type": "object"
            },
+            "status": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/PatchApplyStatus"
+                }
+              ],
+              "description": "Completion status for this patch application."
+            },
            "stderr": {
              "description": "Captured stderr (parser errors, IO failures, etc.).",
              "type": "string"
@@ -1852,6 +1849,7 @@
          },
          "required": [
            "call_id",
+            "status",
            "stderr",
            "stdout",
            "success",
@@ -2129,6 +2127,12 @@
            "reason": {
              "$ref": "#/definitions/TurnAbortReason"
            },
+            "turn_id": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
            "type": {
              "enum": [
                "turn_aborted"
@@ -2887,6 +2891,14 @@
      ],
      "type": "string"
    },
+    "ExecCommandStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "ExecOutputStream": {
      "enum": [
        "stdout",
@@ -3414,6 +3426,14 @@
        }
      ]
    },
+    "PatchApplyStatus": {
+      "enum": [
+        "completed",
+        "failed",
+        "declined"
+      ],
+      "type": "string"
+    },
    "PlanItemArg": {
      "additionalProperties": false,
      "properties": {
@@ -3456,6 +3476,18 @@
            }
          ]
        },
+        "limit_id": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "limit_name": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "plan_type": {
          "anyOf": [
            {
@@ -3518,6 +3550,57 @@
      ],
      "type": "object"
    },
+    "ReadOnlyAccess": {
+      "description": "Determines how read-only file access is granted inside a restricted sandbox.",
+      "oneOf": [
+        {
+          "description": "Restrict reads to an explicit set of roots.\n\nWhen `include_platform_defaults` is `true`, platform defaults required for basic execution are included in addition to `readable_roots`.",
+          "properties": {
+            "include_platform_defaults": {
+              "default": true,
+              "description": "Include built-in platform read roots required for basic process execution.",
+              "type": "boolean"
+            },
+            "readable_roots": {
+              "description": "Additional absolute roots that should be readable.",
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "description": "Allow unrestricted file reads.",
+          "properties": {
+            "type": {
+              "enum": [
+                "full-access"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -4355,8 +4438,16 @@
          "type": "object"
        },
        {
-          "description": "Read-only access to the entire file-system.",
+          "description": "Read-only access configuration.",
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "read-only"
@@ -4415,6 +4506,14 @@
              "description": "When set to `true`, outbound network access is allowed. `false` by default.",
              "type": "boolean"
            },
+            "read_only_access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "description": "Read access granted while running under this policy."
+            },
            "type": {
              "enum": [
                "workspace-write"
--- a/codex-rs/app-server-protocol/schema/json/v2/AccountRateLimitsUpdatedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/AccountRateLimitsUpdatedNotification.json
@@ -48,6 +48,18 @@
            }
          ]
        },
+        "limitId": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "limitName": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "planType": {
          "anyOf": [
            {
--- a/codex-rs/app-server-protocol/schema/json/v2/AppListUpdatedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/AppListUpdatedNotification.json
@@ -29,6 +29,11 @@
          "default": false,
          "type": "boolean"
        },
+        "isEnabled": {
+          "default": true,
+          "description": "Whether this app is enabled in config.toml. Example: ```toml [apps.bad_app] enabled = false ```",
+          "type": "boolean"
+        },
        "logoUrl": {
          "type": [
            "string",
--- a/codex-rs/app-server-protocol/schema/json/v2/AppsListResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/AppsListResponse.json
@@ -29,6 +29,11 @@
          "default": false,
          "type": "boolean"
        },
+        "isEnabled": {
+          "default": true,
+          "description": "Whether this app is enabled in config.toml. Example: ```toml [apps.bad_app] enabled = false ```",
+          "type": "boolean"
+        },
        "logoUrl": {
          "type": [
            "string",
--- a/codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json
@@ -12,6 +12,53 @@
      ],
      "type": "string"
    },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "SandboxPolicy": {
      "oneOf": [
        {
@@ -32,6 +79,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "readOnly"
@@ -84,6 +141,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
--- a/codex-rs/app-server-protocol/schema/json/v2/ErrorNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ErrorNotification.json
@@ -8,6 +8,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -17,35 +18,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/GetAccountRateLimitsResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/GetAccountRateLimitsResponse.json
@@ -48,6 +48,18 @@
            }
          ]
        },
+        "limitId": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "limitName": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "planType": {
          "anyOf": [
            {
@@ -110,7 +122,22 @@
  },
  "properties": {
    "rateLimits": {
-      "$ref": "#/definitions/RateLimitSnapshot"
+      "allOf": [
+        {
+          "$ref": "#/definitions/RateLimitSnapshot"
+        }
+      ],
+      "description": "Backward-compatible single-bucket view; mirrors the historical payload."
+    },
+    "rateLimitsByLimitId": {
+      "additionalProperties": {
+        "$ref": "#/definitions/RateLimitSnapshot"
+      },
+      "description": "Multi-bucket view keyed by metered `limit_id` (for example, `codex`).",
+      "type": [
+        "object",
+        "null"
+      ]
    }
  },
  "required": [
--- a/codex-rs/app-server-protocol/schema/json/v2/ReviewStartResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ReviewStartResponse.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadForkResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadForkResponse.json
@@ -40,6 +40,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -49,35 +50,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -488,6 +460,53 @@
        }
      ]
    },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -520,6 +539,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "readOnly"
@@ -572,6 +601,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -627,7 +666,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadListParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadListParams.json
@@ -39,6 +39,13 @@
        "null"
      ]
    },
+    "cwd": {
+      "description": "Optional cwd filter; when set, only threads whose session cwd exactly matches this path are returned.",
+      "type": [
+        "string",
+        "null"
+      ]
+    },
    "limit": {
      "description": "Optional page size; defaults to a reasonable server-side value.",
      "format": "uint32",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadListResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadListResponse.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -500,7 +472,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadReadResponse.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -500,7 +472,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeResponse.json
@@ -40,6 +40,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -49,35 +50,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -488,6 +460,53 @@
        }
      ]
    },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -520,6 +539,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "readOnly"
@@ -572,6 +601,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -627,7 +666,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadRollbackResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadRollbackResponse.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -500,7 +472,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadStartResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadStartResponse.json
@@ -40,6 +40,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -49,35 +50,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -488,6 +460,53 @@
        }
      ]
    },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -520,6 +539,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "readOnly"
@@ -572,6 +601,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
@@ -627,7 +666,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadStartedNotification.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -500,7 +472,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadUnarchiveResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadUnarchiveResponse.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
@@ -500,7 +472,8 @@
        {
          "enum": [
            "review",
-            "compact"
+            "compact",
+            "memory_consolidation"
          ],
          "type": "string"
        },
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnCompletedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnCompletedNotification.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnStartParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnStartParams.json
@@ -72,6 +72,53 @@
      ],
      "type": "string"
    },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
    "ReasoningEffort": {
      "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
      "enum": [
@@ -124,6 +171,16 @@
        },
        {
          "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "readOnly"
@@ -176,6 +233,16 @@
              "default": false,
              "type": "boolean"
            },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
            "type": {
              "enum": [
                "workspaceWrite"
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnStartResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnStartResponse.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnStartedNotification.json
@@ -27,6 +27,7 @@
          "enum": [
            "contextWindowExceeded",
            "usageLimitExceeded",
+            "serverOverloaded",
            "internalServerError",
            "unauthorized",
            "badRequest",
@@ -36,35 +37,6 @@
          ],
          "type": "string"
        },
-        {
-          "additionalProperties": false,
-          "properties": {
-            "modelCap": {
-              "properties": {
-                "model": {
-                  "type": "string"
-                },
-                "reset_after_seconds": {
-                  "format": "uint64",
-                  "minimum": 0.0,
-                  "type": [
-                    "integer",
-                    "null"
-                  ]
-                }
-              },
-              "required": [
-                "model"
-              ],
-              "type": "object"
-            }
-          },
-          "required": [
-            "modelCap"
-          ],
-          "title": "ModelCapCodexErrorInfo",
-          "type": "object"
-        },
        {
          "additionalProperties": false,
          "properties": {
--- a/codex-rs/app-server-protocol/schema/typescript/CodexErrorInfo.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/CodexErrorInfo.ts
@@ -5,4 +5,4 @@
 /**
 * Codex errors that we expose to clients.
 */
-export type CodexErrorInfo = "context_window_exceeded" | "usage_limit_exceeded" | { "model_cap": { model: string, reset_after_seconds: bigint | null, } } | { "http_connection_failed": { http_status_code: number | null, } } | { "response_stream_connection_failed": { http_status_code: number | null, } } | "internal_server_error" | "unauthorized" | "bad_request" | "sandbox_error" | { "response_stream_disconnected": { http_status_code: number | null, } } | { "response_too_many_failed_attempts": { http_status_code: number | null, } } | "thread_rollback_failed" | "other";
+export type CodexErrorInfo = "context_window_exceeded" | "usage_limit_exceeded" | "server_overloaded" | { "http_connection_failed": { http_status_code: number | null, } } | { "response_stream_connection_failed": { http_status_code: number | null, } } | "internal_server_error" | "unauthorized" | "bad_request" | "sandbox_error" | { "response_stream_disconnected": { http_status_code: number | null, } } | { "response_too_many_failed_attempts": { http_status_code: number | null, } } | "thread_rollback_failed" | "other";
--- a/codex-rs/app-server-protocol/schema/typescript/ExecCommandEndEvent.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ExecCommandEndEvent.ts
@@ -2,6 +2,7 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { ExecCommandSource } from "./ExecCommandSource";
+import type { ExecCommandStatus } from "./ExecCommandStatus";
 import type { ParsedCommand } from "./ParsedCommand";

 export type ExecCommandEndEvent = { 
@@ -56,4 +57,8 @@ duration: string,
 /**
 * Formatted output from the command, as seen by the model.
 */
-formatted_output: string, };
+formatted_output: string, 
+/**
+ * Completion status for this command execution.
+ */
+status: ExecCommandStatus, };
--- a/codex-rs/app-server-protocol/schema/typescript/ExecCommandStatus.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ExecCommandStatus.ts
@@ -0,0 +1,5 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type ExecCommandStatus = "completed" | "failed" | "declined";
--- a/codex-rs/app-server-protocol/schema/typescript/FuzzyFileSearchSessionUpdatedNotification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/FuzzyFileSearchSessionUpdatedNotification.ts
@@ -0,0 +1,6 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { FuzzyFileSearchResult } from "./FuzzyFileSearchResult";
+
+export type FuzzyFileSearchSessionUpdatedNotification = { sessionId: string, query: string, files: Array<FuzzyFileSearchResult>, };
--- a/codex-rs/app-server-protocol/schema/typescript/PatchApplyEndEvent.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/PatchApplyEndEvent.ts
@@ -2,6 +2,7 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { FileChange } from "./FileChange";
+import type { PatchApplyStatus } from "./PatchApplyStatus";

 export type PatchApplyEndEvent = { 
 /**
@@ -28,4 +29,8 @@ success: boolean,
 /**
 * The changes that were applied (mirrors PatchApplyBeginEvent::changes).
 */
-changes: { [key in string]?: FileChange }, };
+changes: { [key in string]?: FileChange }, 
+/**
+ * Completion status for this patch application.
+ */
+status: PatchApplyStatus, };
--- a/codex-rs/app-server-protocol/schema/typescript/PatchApplyStatus.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/PatchApplyStatus.ts
@@ -0,0 +1,5 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type PatchApplyStatus = "completed" | "failed" | "declined";
--- a/codex-rs/app-server-protocol/schema/typescript/RateLimitSnapshot.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/RateLimitSnapshot.ts
@@ -5,4 +5,4 @@ import type { CreditsSnapshot } from "./CreditsSnapshot";
 import type { PlanType } from "./PlanType";
 import type { RateLimitWindow } from "./RateLimitWindow";

-export type RateLimitSnapshot = { primary: RateLimitWindow | null, secondary: RateLimitWindow | null, credits: CreditsSnapshot | null, plan_type: PlanType | null, };
+export type RateLimitSnapshot = { limit_id: string | null, limit_name: string | null, primary: RateLimitWindow | null, secondary: RateLimitWindow | null, credits: CreditsSnapshot | null, plan_type: PlanType | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/ReadOnlyAccess.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ReadOnlyAccess.ts
@@ -0,0 +1,19 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { AbsolutePathBuf } from "./AbsolutePathBuf";
+
+/**
+ * Determines how read-only file access is granted inside a restricted
+ * sandbox.
+ */
+export type ReadOnlyAccess = { "type": "restricted", 
+/**
+ * Include built-in platform read roots required for basic process
+ * execution.
+ */
+include_platform_defaults: boolean, 
+/**
+ * Additional absolute roots that should be readable.
+ */
+readable_roots?: Array<AbsolutePathBuf>, } | { "type": "full-access" };
--- a/codex-rs/app-server-protocol/schema/typescript/SandboxPolicy.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/SandboxPolicy.ts
@@ -3,11 +3,16 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { AbsolutePathBuf } from "./AbsolutePathBuf";
 import type { NetworkAccess } from "./NetworkAccess";
+import type { ReadOnlyAccess } from "./ReadOnlyAccess";

 /**
 * Determines execution restrictions for model shell commands.
 */
-export type SandboxPolicy = { "type": "danger-full-access" } | { "type": "read-only" } | { "type": "external-sandbox", 
+export type SandboxPolicy = { "type": "danger-full-access" } | { "type": "read-only", 
+/**
+ * Read access granted while running under this policy.
+ */
+access?: ReadOnlyAccess, } | { "type": "external-sandbox", 
 /**
 * Whether the external sandbox permits outbound network traffic.
 */
@@ -17,6 +22,10 @@ network_access: NetworkAccess, } | { "type": "workspace-write",
 * writable from within the sandbox.
 */
 writable_roots?: Array<AbsolutePathBuf>, 
+/**
+ * Read access granted while running under this policy.
+ */
+read_only_access?: ReadOnlyAccess, 
 /**
 * When set to `true`, outbound network access is allowed. `false` by
 * default.
--- a/codex-rs/app-server-protocol/schema/typescript/ServerNotification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ServerNotification.ts
@@ -2,6 +2,7 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { AuthStatusChangeNotification } from "./AuthStatusChangeNotification";
+import type { FuzzyFileSearchSessionUpdatedNotification } from "./FuzzyFileSearchSessionUpdatedNotification";
 import type { LoginChatGptCompleteNotification } from "./LoginChatGptCompleteNotification";
 import type { SessionConfiguredNotification } from "./SessionConfiguredNotification";
 import type { AccountLoginCompletedNotification } from "./v2/AccountLoginCompletedNotification";
@@ -37,4 +38,4 @@ import type { WindowsWorldWritableWarningNotification } from "./v2/WindowsWorldW
 /**
 * Notification sent from the server to the client.
 */
-export type ServerNotification = { "method": "error", "params": ErrorNotification } | { "method": "thread/started", "params": ThreadStartedNotification } | { "method": "thread/name/updated", "params": ThreadNameUpdatedNotification } | { "method": "thread/tokenUsage/updated", "params": ThreadTokenUsageUpdatedNotification } | { "method": "turn/started", "params": TurnStartedNotification } | { "method": "turn/completed", "params": TurnCompletedNotification } | { "method": "turn/diff/updated", "params": TurnDiffUpdatedNotification } | { "method": "turn/plan/updated", "params": TurnPlanUpdatedNotification } | { "method": "item/started", "params": ItemStartedNotification } | { "method": "item/completed", "params": ItemCompletedNotification } | { "method": "rawResponseItem/completed", "params": RawResponseItemCompletedNotification } | { "method": "item/agentMessage/delta", "params": AgentMessageDeltaNotification } | { "method": "item/plan/delta", "params": PlanDeltaNotification } | { "method": "item/commandExecution/outputDelta", "params": CommandExecutionOutputDeltaNotification } | { "method": "item/commandExecution/terminalInteraction", "params": TerminalInteractionNotification } | { "method": "item/fileChange/outputDelta", "params": FileChangeOutputDeltaNotification } | { "method": "item/mcpToolCall/progress", "params": McpToolCallProgressNotification } | { "method": "mcpServer/oauthLogin/completed", "params": McpServerOauthLoginCompletedNotification } | { "method": "account/updated", "params": AccountUpdatedNotification } | { "method": "account/rateLimits/updated", "params": AccountRateLimitsUpdatedNotification } | { "method": "app/list/updated", "params": AppListUpdatedNotification } | { "method": "item/reasoning/summaryTextDelta", "params": ReasoningSummaryTextDeltaNotification } | { "method": "item/reasoning/summaryPartAdded", "params": ReasoningSummaryPartAddedNotification } | { "method": "item/reasoning/textDelta", "params": ReasoningTextDeltaNotification } | { "method": "thread/compacted", "params": ContextCompactedNotification } | { "method": "deprecationNotice", "params": DeprecationNoticeNotification } | { "method": "configWarning", "params": ConfigWarningNotification } | { "method": "windows/worldWritableWarning", "params": WindowsWorldWritableWarningNotification } | { "method": "account/login/completed", "params": AccountLoginCompletedNotification } | { "method": "authStatusChange", "params": AuthStatusChangeNotification } | { "method": "loginChatGptComplete", "params": LoginChatGptCompleteNotification } | { "method": "sessionConfigured", "params": SessionConfiguredNotification };
+export type ServerNotification = { "method": "error", "params": ErrorNotification } | { "method": "thread/started", "params": ThreadStartedNotification } | { "method": "thread/name/updated", "params": ThreadNameUpdatedNotification } | { "method": "thread/tokenUsage/updated", "params": ThreadTokenUsageUpdatedNotification } | { "method": "turn/started", "params": TurnStartedNotification } | { "method": "turn/completed", "params": TurnCompletedNotification } | { "method": "turn/diff/updated", "params": TurnDiffUpdatedNotification } | { "method": "turn/plan/updated", "params": TurnPlanUpdatedNotification } | { "method": "item/started", "params": ItemStartedNotification } | { "method": "item/completed", "params": ItemCompletedNotification } | { "method": "rawResponseItem/completed", "params": RawResponseItemCompletedNotification } | { "method": "item/agentMessage/delta", "params": AgentMessageDeltaNotification } | { "method": "item/plan/delta", "params": PlanDeltaNotification } | { "method": "item/commandExecution/outputDelta", "params": CommandExecutionOutputDeltaNotification } | { "method": "item/commandExecution/terminalInteraction", "params": TerminalInteractionNotification } | { "method": "item/fileChange/outputDelta", "params": FileChangeOutputDeltaNotification } | { "method": "item/mcpToolCall/progress", "params": McpToolCallProgressNotification } | { "method": "mcpServer/oauthLogin/completed", "params": McpServerOauthLoginCompletedNotification } | { "method": "account/updated", "params": AccountUpdatedNotification } | { "method": "account/rateLimits/updated", "params": AccountRateLimitsUpdatedNotification } | { "method": "app/list/updated", "params": AppListUpdatedNotification } | { "method": "item/reasoning/summaryTextDelta", "params": ReasoningSummaryTextDeltaNotification } | { "method": "item/reasoning/summaryPartAdded", "params": ReasoningSummaryPartAddedNotification } | { "method": "item/reasoning/textDelta", "params": ReasoningTextDeltaNotification } | { "method": "thread/compacted", "params": ContextCompactedNotification } | { "method": "deprecationNotice", "params": DeprecationNoticeNotification } | { "method": "configWarning", "params": ConfigWarningNotification } | { "method": "fuzzyFileSearch/sessionUpdated", "params": FuzzyFileSearchSessionUpdatedNotification } | { "method": "windows/worldWritableWarning", "params": WindowsWorldWritableWarningNotification } | { "method": "account/login/completed", "params": AccountLoginCompletedNotification } | { "method": "authStatusChange", "params": AuthStatusChangeNotification } | { "method": "loginChatGptComplete", "params": LoginChatGptCompleteNotification } | { "method": "sessionConfigured", "params": SessionConfiguredNotification };
--- a/codex-rs/app-server-protocol/schema/typescript/SubAgentSource.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/SubAgentSource.ts
@@ -3,4 +3,4 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { ThreadId } from "./ThreadId";

-export type SubAgentSource = "review" | "compact" | { "thread_spawn": { parent_thread_id: ThreadId, depth: number, } } | { "other": string };
+export type SubAgentSource = "review" | "compact" | { "thread_spawn": { parent_thread_id: ThreadId, depth: number, } } | "memory_consolidation" | { "other": string };
--- a/codex-rs/app-server-protocol/schema/typescript/TurnAbortedEvent.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/TurnAbortedEvent.ts
@@ -3,4 +3,4 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { TurnAbortReason } from "./TurnAbortReason";

-export type TurnAbortedEvent = { reason: TurnAbortReason, };
+export type TurnAbortedEvent = { turn_id: string | null, reason: TurnAbortReason, };
--- a/codex-rs/app-server-protocol/schema/typescript/TurnCompleteEvent.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/TurnCompleteEvent.ts
@@ -2,4 +2,4 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.

-export type TurnCompleteEvent = { last_agent_message: string | null, };
+export type TurnCompleteEvent = { turn_id: string, last_agent_message: string | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/TurnStartedEvent.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/TurnStartedEvent.ts
@@ -3,4 +3,4 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { ModeKind } from "./ModeKind";

-export type TurnStartedEvent = { model_context_window: bigint | null, collaboration_mode_kind: ModeKind, };
+export type TurnStartedEvent = { turn_id: string, model_context_window: bigint | null, collaboration_mode_kind: ModeKind, };
--- a/codex-rs/app-server-protocol/schema/typescript/index.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/index.ts
@@ -62,6 +62,7 @@ export type { ExecCommandBeginEvent } from "./ExecCommandBeginEvent";
 export type { ExecCommandEndEvent } from "./ExecCommandEndEvent";
 export type { ExecCommandOutputDeltaEvent } from "./ExecCommandOutputDeltaEvent";
 export type { ExecCommandSource } from "./ExecCommandSource";
+export type { ExecCommandStatus } from "./ExecCommandStatus";
 export type { ExecOneOffCommandParams } from "./ExecOneOffCommandParams";
 export type { ExecOneOffCommandResponse } from "./ExecOneOffCommandResponse";
 export type { ExecOutputStream } from "./ExecOutputStream";
@@ -77,6 +78,7 @@ export type { FunctionCallOutputPayload } from "./FunctionCallOutputPayload";
 export type { FuzzyFileSearchParams } from "./FuzzyFileSearchParams";
 export type { FuzzyFileSearchResponse } from "./FuzzyFileSearchResponse";
 export type { FuzzyFileSearchResult } from "./FuzzyFileSearchResult";
+export type { FuzzyFileSearchSessionUpdatedNotification } from "./FuzzyFileSearchSessionUpdatedNotification";
 export type { GetAuthStatusParams } from "./GetAuthStatusParams";
 export type { GetAuthStatusResponse } from "./GetAuthStatusResponse";
 export type { GetConversationSummaryParams } from "./GetConversationSummaryParams";
@@ -128,6 +130,7 @@ export type { NewConversationResponse } from "./NewConversationResponse";
 export type { ParsedCommand } from "./ParsedCommand";
 export type { PatchApplyBeginEvent } from "./PatchApplyBeginEvent";
 export type { PatchApplyEndEvent } from "./PatchApplyEndEvent";
+export type { PatchApplyStatus } from "./PatchApplyStatus";
 export type { Personality } from "./Personality";
 export type { PlanDeltaEvent } from "./PlanDeltaEvent";
 export type { PlanItem } from "./PlanItem";
@@ -137,6 +140,7 @@ export type { Profile } from "./Profile";
 export type { RateLimitSnapshot } from "./RateLimitSnapshot";
 export type { RateLimitWindow } from "./RateLimitWindow";
 export type { RawResponseItemEvent } from "./RawResponseItemEvent";
+export type { ReadOnlyAccess } from "./ReadOnlyAccess";
 export type { ReasoningContentDeltaEvent } from "./ReasoningContentDeltaEvent";
 export type { ReasoningEffort } from "./ReasoningEffort";
 export type { ReasoningItem } from "./ReasoningItem";
--- a/codex-rs/app-server-protocol/schema/typescript/v2/AppInfo.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/AppInfo.ts
@@ -5,4 +5,13 @@
 /**
 * EXPERIMENTAL - app metadata returned by app-list APIs.
 */
-export type AppInfo = { id: string, name: string, description: string | null, logoUrl: string | null, logoUrlDark: string | null, distributionChannel: string | null, installUrl: string | null, isAccessible: boolean, };
+export type AppInfo = { id: string, name: string, description: string | null, logoUrl: string | null, logoUrlDark: string | null, distributionChannel: string | null, installUrl: string | null, isAccessible: boolean, 
+/**
+ * Whether this app is enabled in config.toml.
+ * Example:
+ * ```toml
+ * [apps.bad_app]
+ * enabled = false
+ * ```
+ */
+isEnabled: boolean, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/CodexErrorInfo.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/CodexErrorInfo.ts
@@ -8,4 +8,4 @@
 * When an upstream HTTP status is available (for example, from the Responses API or a provider),
 * it is forwarded in `httpStatusCode` on the relevant `codexErrorInfo` variant.
 */
-export type CodexErrorInfo = "contextWindowExceeded" | "usageLimitExceeded" | { "modelCap": { model: string, reset_after_seconds: bigint | null, } } | { "httpConnectionFailed": { httpStatusCode: number | null, } } | { "responseStreamConnectionFailed": { httpStatusCode: number | null, } } | "internalServerError" | "unauthorized" | "badRequest" | "threadRollbackFailed" | "sandboxError" | { "responseStreamDisconnected": { httpStatusCode: number | null, } } | { "responseTooManyFailedAttempts": { httpStatusCode: number | null, } } | "other";
+export type CodexErrorInfo = "contextWindowExceeded" | "usageLimitExceeded" | "serverOverloaded" | { "httpConnectionFailed": { httpStatusCode: number | null, } } | { "responseStreamConnectionFailed": { httpStatusCode: number | null, } } | "internalServerError" | "unauthorized" | "badRequest" | "threadRollbackFailed" | "sandboxError" | { "responseStreamDisconnected": { httpStatusCode: number | null, } } | { "responseTooManyFailedAttempts": { httpStatusCode: number | null, } } | "other";
--- a/codex-rs/app-server-protocol/schema/typescript/v2/GetAccountRateLimitsResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/GetAccountRateLimitsResponse.ts
@@ -3,4 +3,12 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { RateLimitSnapshot } from "./RateLimitSnapshot";

-export type GetAccountRateLimitsResponse = { rateLimits: RateLimitSnapshot, };
+export type GetAccountRateLimitsResponse = { 
+/**
+ * Backward-compatible single-bucket view; mirrors the historical payload.
+ */
+rateLimits: RateLimitSnapshot, 
+/**
+ * Multi-bucket view keyed by metered `limit_id` (for example, `codex`).
+ */
+rateLimitsByLimitId: { [key in string]?: RateLimitSnapshot } | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/RateLimitSnapshot.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/RateLimitSnapshot.ts
@@ -5,4 +5,4 @@ import type { PlanType } from "../PlanType";
 import type { CreditsSnapshot } from "./CreditsSnapshot";
 import type { RateLimitWindow } from "./RateLimitWindow";

-export type RateLimitSnapshot = { primary: RateLimitWindow | null, secondary: RateLimitWindow | null, credits: CreditsSnapshot | null, planType: PlanType | null, };
+export type RateLimitSnapshot = { limitId: string | null, limitName: string | null, primary: RateLimitWindow | null, secondary: RateLimitWindow | null, credits: CreditsSnapshot | null, planType: PlanType | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ReadOnlyAccess.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ReadOnlyAccess.ts
@@ -0,0 +1,6 @@
+// GENERATED CODE! DO NOT MODIFY BY HAND!
+
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { AbsolutePathBuf } from "../AbsolutePathBuf";
+
+export type ReadOnlyAccess = { "type": "restricted", includePlatformDefaults: boolean, readableRoots: Array<AbsolutePathBuf>, } | { "type": "fullAccess" };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/SandboxPolicy.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/SandboxPolicy.ts
@@ -3,5 +3,6 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 import type { NetworkAccess } from "./NetworkAccess";
+import type { ReadOnlyAccess } from "./ReadOnlyAccess";

-export type SandboxPolicy = { "type": "dangerFullAccess" } | { "type": "readOnly" } | { "type": "externalSandbox", networkAccess: NetworkAccess, } | { "type": "workspaceWrite", writableRoots: Array<AbsolutePathBuf>, networkAccess: boolean, excludeTmpdirEnvVar: boolean, excludeSlashTmp: boolean, };
+export type SandboxPolicy = { "type": "dangerFullAccess" } | { "type": "readOnly", access: ReadOnlyAccess, } | { "type": "externalSandbox", networkAccess: NetworkAccess, } | { "type": "workspaceWrite", writableRoots: Array<AbsolutePathBuf>, readOnlyAccess: ReadOnlyAccess, networkAccess: boolean, excludeTmpdirEnvVar: boolean, excludeSlashTmp: boolean, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ThreadForkParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ThreadForkParams.ts
@@ -21,4 +21,8 @@ export type ThreadForkParams = {threadId: string, /**
 path?: string | null, /**
 * Configuration overrides for the forked thread, if any.
 */
-model?: string | null, modelProvider?: string | null, cwd?: string | null, approvalPolicy?: AskForApproval | null, sandbox?: SandboxMode | null, config?: { [key in string]?: JsonValue } | null, baseInstructions?: string | null, developerInstructions?: string | null};
+model?: string | null, modelProvider?: string | null, cwd?: string | null, approvalPolicy?: AskForApproval | null, sandbox?: SandboxMode | null, config?: { [key in string]?: JsonValue } | null, baseInstructions?: string | null, developerInstructions?: string | null, /**
+ * If true, persist additional rollout EventMsg variants required to
+ * reconstruct a richer thread history on subsequent resume/fork/read.
+ */
+persistExtendedHistory: boolean};
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ThreadListParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ThreadListParams.ts
@@ -31,4 +31,9 @@ sourceKinds?: Array<ThreadSourceKind> | null,
 * Optional archived filter; when set to true, only archived threads are returned.
 * If false or null, only non-archived threads are returned.
 */
-archived?: boolean | null, };
+archived?: boolean | null, 
+/**
+ * Optional cwd filter; when set, only threads whose session cwd exactly
+ * matches this path are returned.
+ */
+cwd?: string | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ThreadResumeParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ThreadResumeParams.ts
@@ -30,4 +30,8 @@ history?: Array<ResponseItem> | null, /**
 path?: string | null, /**
 * Configuration overrides for the resumed thread, if any.
 */
-model?: string | null, modelProvider?: string | null, cwd?: string | null, approvalPolicy?: AskForApproval | null, sandbox?: SandboxMode | null, config?: { [key in string]?: JsonValue } | null, baseInstructions?: string | null, developerInstructions?: string | null, personality?: Personality | null};
+model?: string | null, modelProvider?: string | null, cwd?: string | null, approvalPolicy?: AskForApproval | null, sandbox?: SandboxMode | null, config?: { [key in string]?: JsonValue } | null, baseInstructions?: string | null, developerInstructions?: string | null, personality?: Personality | null, /**
+ * If true, persist additional rollout EventMsg variants required to
+ * reconstruct a richer thread history on subsequent resume/fork/read.
+ */
+persistExtendedHistory: boolean};
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ThreadStartParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ThreadStartParams.ts
@@ -10,4 +10,8 @@ export type ThreadStartParams = {model?: string | null, modelProvider?: string |
 * If true, opt into emitting raw Responses API items on the event stream.
 * This is for internal use only (e.g. Codex Cloud).
 */
-experimentalRawEvents: boolean};
+experimentalRawEvents: boolean, /**
+ * If true, persist additional rollout EventMsg variants required to
+ * reconstruct a richer thread history on resume/fork/read.
+ */
+persistExtendedHistory: boolean};
--- a/codex-rs/app-server-protocol/schema/typescript/v2/index.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/index.ts
@@ -101,6 +101,7 @@ export type { ProfileV2 } from "./ProfileV2";
 export type { RateLimitSnapshot } from "./RateLimitSnapshot";
 export type { RateLimitWindow } from "./RateLimitWindow";
 export type { RawResponseItemCompletedNotification } from "./RawResponseItemCompletedNotification";
+export type { ReadOnlyAccess } from "./ReadOnlyAccess";
 export type { ReasoningEffortOption } from "./ReasoningEffortOption";
 export type { ReasoningSummaryPartAddedNotification } from "./ReasoningSummaryPartAddedNotification";
 export type { ReasoningSummaryTextDeltaNotification } from "./ReasoningSummaryTextDeltaNotification";
--- a/codex-rs/app-server-protocol/src/protocol/common.rs
+++ b/codex-rs/app-server-protocol/src/protocol/common.rs
@@ -458,6 +458,21 @@ client_request_definitions! {
        params: FuzzyFileSearchParams,
        response: FuzzyFileSearchResponse,
    },
+    #[experimental("fuzzyFileSearch/sessionStart")]
+    FuzzyFileSearchSessionStart => "fuzzyFileSearch/sessionStart" {
+        params: FuzzyFileSearchSessionStartParams,
+        response: FuzzyFileSearchSessionStartResponse,
+    },
+    #[experimental("fuzzyFileSearch/sessionUpdate")]
+    FuzzyFileSearchSessionUpdate => "fuzzyFileSearch/sessionUpdate" {
+        params: FuzzyFileSearchSessionUpdateParams,
+        response: FuzzyFileSearchSessionUpdateResponse,
+    },
+    #[experimental("fuzzyFileSearch/sessionStop")]
+    FuzzyFileSearchSessionStop => "fuzzyFileSearch/sessionStop" {
+        params: FuzzyFileSearchSessionStopParams,
+        response: FuzzyFileSearchSessionStopResponse,
+    },
    /// Execute a command (argv vector) under the server's sandbox.
    ExecOneOffCommand {
        params: v1::ExecOneOffCommandParams,
@@ -702,6 +717,47 @@ pub struct FuzzyFileSearchResponse {
    pub files: Vec<FuzzyFileSearchResult>,
 }

+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(rename_all = "camelCase")]
+pub struct FuzzyFileSearchSessionStartParams {
+    pub session_id: String,
+    pub roots: Vec<String>,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS, Default)]
+pub struct FuzzyFileSearchSessionStartResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(rename_all = "camelCase")]
+pub struct FuzzyFileSearchSessionUpdateParams {
+    pub session_id: String,
+    pub query: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS, Default)]
+pub struct FuzzyFileSearchSessionUpdateResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(rename_all = "camelCase")]
+pub struct FuzzyFileSearchSessionStopParams {
+    pub session_id: String,
+}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS, Default)]
+pub struct FuzzyFileSearchSessionStopResponse {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(rename_all = "camelCase")]
+pub struct FuzzyFileSearchSessionUpdatedNotification {
+    pub session_id: String,
+    pub query: String,
+    pub files: Vec<FuzzyFileSearchResult>,
+}
+
 server_notification_definitions! {
    /// NEW NOTIFICATIONS
    Error => "error" (v2::ErrorNotification),
@@ -734,6 +790,7 @@ server_notification_definitions! {
    ContextCompacted => "thread/compacted" (v2::ContextCompactedNotification),
    DeprecationNotice => "deprecationNotice" (v2::DeprecationNoticeNotification),
    ConfigWarning => "configWarning" (v2::ConfigWarningNotification),
+    FuzzyFileSearchSessionUpdated => "fuzzyFileSearch/sessionUpdated" (FuzzyFileSearchSessionUpdatedNotification),

    /// Notifies the user of world-writable directories on Windows, which cannot be protected by the sandbox.
    WindowsWorldWritableWarning => "windows/worldWritableWarning" (v2::WindowsWorldWritableWarningNotification),
@@ -1266,17 +1323,4 @@ mod tests {
        let reason = crate::experimental_api::ExperimentalApi::experimental_reason(&request);
        assert_eq!(reason, Some("mock/experimentalMethod"));
    }
-
-    #[test]
-    fn thread_start_mock_field_is_marked_experimental() {
-        let request = ClientRequest::ThreadStart {
-            request_id: RequestId::Integer(1),
-            params: v2::ThreadStartParams {
-                mock_experimental_field: Some("mock".to_string()),
-                ..Default::default()
-            },
-        };
-        let reason = crate::experimental_api::ExperimentalApi::experimental_reason(&request);
-        assert_eq!(reason, Some("thread/start.mockExperimentalField"));
-    }
 }
--- a/codex-rs/app-server-protocol/src/protocol/thread_history.rs
+++ b/codex-rs/app-server-protocol/src/protocol/thread_history.rs
--- a/codex-rs/app-server-protocol/src/protocol/v2.rs
+++ b/codex-rs/app-server-protocol/src/protocol/v2.rs
@@ -29,9 +29,12 @@ use codex_protocol::protocol::AgentStatus as CoreAgentStatus;
 use codex_protocol::protocol::AskForApproval as CoreAskForApproval;
 use codex_protocol::protocol::CodexErrorInfo as CoreCodexErrorInfo;
 use codex_protocol::protocol::CreditsSnapshot as CoreCreditsSnapshot;
+use codex_protocol::protocol::ExecCommandStatus as CoreExecCommandStatus;
 use codex_protocol::protocol::NetworkAccess as CoreNetworkAccess;
+use codex_protocol::protocol::PatchApplyStatus as CorePatchApplyStatus;
 use codex_protocol::protocol::RateLimitSnapshot as CoreRateLimitSnapshot;
 use codex_protocol::protocol::RateLimitWindow as CoreRateLimitWindow;
+use codex_protocol::protocol::ReadOnlyAccess as CoreReadOnlyAccess;
 use codex_protocol::protocol::SessionSource as CoreSessionSource;
 use codex_protocol::protocol::SkillDependencies as CoreSkillDependencies;
 use codex_protocol::protocol::SkillErrorInfo as CoreSkillErrorInfo;
@@ -88,10 +91,7 @@ macro_rules! v2_enum_from_core {
 pub enum CodexErrorInfo {
    ContextWindowExceeded,
    UsageLimitExceeded,
-    ModelCap {
-        model: String,
-        reset_after_seconds: Option<u64>,
-    },
+    ServerOverloaded,
    HttpConnectionFailed {
        #[serde(rename = "httpStatusCode")]
        #[ts(rename = "httpStatusCode")]
@@ -128,13 +128,7 @@ impl From<CoreCodexErrorInfo> for CodexErrorInfo {
        match value {
            CoreCodexErrorInfo::ContextWindowExceeded => CodexErrorInfo::ContextWindowExceeded,
            CoreCodexErrorInfo::UsageLimitExceeded => CodexErrorInfo::UsageLimitExceeded,
-            CoreCodexErrorInfo::ModelCap {
-                model,
-                reset_after_seconds,
-            } => CodexErrorInfo::ModelCap {
-                model,
-                reset_after_seconds,
-            },
+            CoreCodexErrorInfo::ServerOverloaded => CodexErrorInfo::ServerOverloaded,
            CoreCodexErrorInfo::HttpConnectionFailed { http_status_code } => {
                CodexErrorInfo::HttpConnectionFailed { http_status_code }
            }
@@ -404,6 +398,10 @@ const fn default_enabled() -> bool {
    true
 }

+const fn default_include_platform_defaults() -> bool {
+    true
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS, ExperimentalApi)]
 #[serde(rename_all = "snake_case")]
 #[ts(export_to = "v2/")]
@@ -647,13 +645,65 @@ pub enum NetworkAccess {
    Enabled,
 }

+#[derive(Serialize, Deserialize, Debug, Default, Clone, PartialEq, Eq, JsonSchema, TS)]
+#[serde(tag = "type", rename_all = "camelCase")]
+#[ts(tag = "type")]
+#[ts(export_to = "v2/")]
+pub enum ReadOnlyAccess {
+    #[serde(rename_all = "camelCase")]
+    #[ts(rename_all = "camelCase")]
+    Restricted {
+        #[serde(default = "default_include_platform_defaults")]
+        include_platform_defaults: bool,
+        #[serde(default)]
+        readable_roots: Vec<AbsolutePathBuf>,
+    },
+    #[default]
+    FullAccess,
+}
+
+impl ReadOnlyAccess {
+    pub fn to_core(&self) -> CoreReadOnlyAccess {
+        match self {
+            ReadOnlyAccess::Restricted {
+                include_platform_defaults,
+                readable_roots,
+            } => CoreReadOnlyAccess::Restricted {
+                include_platform_defaults: *include_platform_defaults,
+                readable_roots: readable_roots.clone(),
+            },
+            ReadOnlyAccess::FullAccess => CoreReadOnlyAccess::FullAccess,
+        }
+    }
+}
+
+impl From<CoreReadOnlyAccess> for ReadOnlyAccess {
+    fn from(value: CoreReadOnlyAccess) -> Self {
+        match value {
+            CoreReadOnlyAccess::Restricted {
+                include_platform_defaults,
+                readable_roots,
+            } => ReadOnlyAccess::Restricted {
+                include_platform_defaults,
+                readable_roots,
+            },
+            CoreReadOnlyAccess::FullAccess => ReadOnlyAccess::FullAccess,
+        }
+    }
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, JsonSchema, TS)]
 #[serde(tag = "type", rename_all = "camelCase")]
 #[ts(tag = "type")]
 #[ts(export_to = "v2/")]
 pub enum SandboxPolicy {
    DangerFullAccess,
-    ReadOnly,
+    #[serde(rename_all = "camelCase")]
+    #[ts(rename_all = "camelCase")]
+    ReadOnly {
+        #[serde(default)]
+        access: ReadOnlyAccess,
+    },
    #[serde(rename_all = "camelCase")]
    #[ts(rename_all = "camelCase")]
    ExternalSandbox {
@@ -666,6 +716,8 @@ pub enum SandboxPolicy {
        #[serde(default)]
        writable_roots: Vec<AbsolutePathBuf>,
        #[serde(default)]
+        read_only_access: ReadOnlyAccess,
+        #[serde(default)]
        network_access: bool,
        #[serde(default)]
        exclude_tmpdir_env_var: bool,
@@ -680,7 +732,11 @@ impl SandboxPolicy {
            SandboxPolicy::DangerFullAccess => {
                codex_protocol::protocol::SandboxPolicy::DangerFullAccess
            }
-            SandboxPolicy::ReadOnly => codex_protocol::protocol::SandboxPolicy::ReadOnly,
+            SandboxPolicy::ReadOnly { access } => {
+                codex_protocol::protocol::SandboxPolicy::ReadOnly {
+                    access: access.to_core(),
+                }
+            }
            SandboxPolicy::ExternalSandbox { network_access } => {
                codex_protocol::protocol::SandboxPolicy::ExternalSandbox {
                    network_access: match network_access {
@@ -691,11 +747,13 @@ impl SandboxPolicy {
            }
            SandboxPolicy::WorkspaceWrite {
                writable_roots,
+                read_only_access,
                network_access,
                exclude_tmpdir_env_var,
                exclude_slash_tmp,
            } => codex_protocol::protocol::SandboxPolicy::WorkspaceWrite {
                writable_roots: writable_roots.clone(),
+                read_only_access: read_only_access.to_core(),
                network_access: *network_access,
                exclude_tmpdir_env_var: *exclude_tmpdir_env_var,
                exclude_slash_tmp: *exclude_slash_tmp,
@@ -710,7 +768,11 @@ impl From<codex_protocol::protocol::SandboxPolicy> for SandboxPolicy {
            codex_protocol::protocol::SandboxPolicy::DangerFullAccess => {
                SandboxPolicy::DangerFullAccess
            }
-            codex_protocol::protocol::SandboxPolicy::ReadOnly => SandboxPolicy::ReadOnly,
+            codex_protocol::protocol::SandboxPolicy::ReadOnly { access } => {
+                SandboxPolicy::ReadOnly {
+                    access: ReadOnlyAccess::from(access),
+                }
+            }
            codex_protocol::protocol::SandboxPolicy::ExternalSandbox { network_access } => {
                SandboxPolicy::ExternalSandbox {
                    network_access: match network_access {
@@ -721,11 +783,13 @@ impl From<codex_protocol::protocol::SandboxPolicy> for SandboxPolicy {
            }
            codex_protocol::protocol::SandboxPolicy::WorkspaceWrite {
                writable_roots,
+                read_only_access,
                network_access,
                exclude_tmpdir_env_var,
                exclude_slash_tmp,
            } => SandboxPolicy::WorkspaceWrite {
                writable_roots,
+                read_only_access: ReadOnlyAccess::from(read_only_access),
                network_access,
                exclude_tmpdir_env_var,
                exclude_slash_tmp,
@@ -1009,7 +1073,10 @@ pub struct ChatgptAuthTokensRefreshResponse {
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
 pub struct GetAccountRateLimitsResponse {
+    /// Backward-compatible single-bucket view; mirrors the historical payload.
    pub rate_limits: RateLimitSnapshot,
+    /// Multi-bucket view keyed by metered `limit_id` (for example, `codex`).
+    pub rate_limits_by_limit_id: Option<HashMap<String, RateLimitSnapshot>>,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -1223,6 +1290,14 @@ pub struct AppInfo {
    pub install_url: Option<String>,
    #[serde(default)]
    pub is_accessible: bool,
+    /// Whether this app is enabled in config.toml.
+    /// Example:
+    /// ```toml
+    /// [apps.bad_app]
+    /// enabled = false
+    /// ```
+    #[serde(default = "default_enabled")]
+    pub is_enabled: bool,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -1357,6 +1432,11 @@ pub struct ThreadStartParams {
    #[experimental("thread/start.experimentalRawEvents")]
    #[serde(default)]
    pub experimental_raw_events: bool,
+    /// If true, persist additional rollout EventMsg variants required to
+    /// reconstruct a richer thread history on resume/fork/read.
+    #[experimental("thread/start.persistFullHistory")]
+    #[serde(default)]
+    pub persist_extended_history: bool,
 }

 #[derive(Serialize, Deserialize, Debug, Default, Clone, PartialEq, JsonSchema, TS)]
@@ -1438,6 +1518,11 @@ pub struct ThreadResumeParams {
    pub developer_instructions: Option<String>,
    #[ts(optional = nullable)]
    pub personality: Option<Personality>,
+    /// If true, persist additional rollout EventMsg variants required to
+    /// reconstruct a richer thread history on subsequent resume/fork/read.
+    #[experimental("thread/resume.persistFullHistory")]
+    #[serde(default)]
+    pub persist_extended_history: bool,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -1491,6 +1576,11 @@ pub struct ThreadForkParams {
    pub base_instructions: Option<String>,
    #[ts(optional = nullable)]
    pub developer_instructions: Option<String>,
+    /// If true, persist additional rollout EventMsg variants required to
+    /// reconstruct a richer thread history on subsequent resume/fork/read.
+    #[experimental("thread/fork.persistFullHistory")]
+    #[serde(default)]
+    pub persist_extended_history: bool,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
@@ -1618,6 +1708,10 @@ pub struct ThreadListParams {
    /// If false or null, only non-archived threads are returned.
    #[ts(optional = nullable)]
    pub archived: Option<bool>,
+    /// Optional cwd filter; when set, only threads whose session cwd exactly
+    /// matches this path are returned.
+    #[ts(optional = nullable)]
+    pub cwd: Option<String>,
 }

 #[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, JsonSchema, TS)]
@@ -2557,6 +2651,22 @@ pub enum CommandExecutionStatus {
    Declined,
 }

+impl From<CoreExecCommandStatus> for CommandExecutionStatus {
+    fn from(value: CoreExecCommandStatus) -> Self {
+        Self::from(&value)
+    }
+}
+
+impl From<&CoreExecCommandStatus> for CommandExecutionStatus {
+    fn from(value: &CoreExecCommandStatus) -> Self {
+        match value {
+            CoreExecCommandStatus::Completed => CommandExecutionStatus::Completed,
+            CoreExecCommandStatus::Failed => CommandExecutionStatus::Failed,
+            CoreExecCommandStatus::Declined => CommandExecutionStatus::Declined,
+        }
+    }
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -2597,6 +2707,22 @@ pub enum PatchApplyStatus {
    Declined,
 }

+impl From<CorePatchApplyStatus> for PatchApplyStatus {
+    fn from(value: CorePatchApplyStatus) -> Self {
+        Self::from(&value)
+    }
+}
+
+impl From<&CorePatchApplyStatus> for PatchApplyStatus {
+    fn from(value: &CorePatchApplyStatus) -> Self {
+        match value {
+            CorePatchApplyStatus::Completed => PatchApplyStatus::Completed,
+            CorePatchApplyStatus::Failed => PatchApplyStatus::Failed,
+            CorePatchApplyStatus::Declined => PatchApplyStatus::Declined,
+        }
+    }
+}
+
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
@@ -3103,6 +3229,8 @@ pub struct AccountRateLimitsUpdatedNotification {
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
 pub struct RateLimitSnapshot {
+    pub limit_id: Option<String>,
+    pub limit_name: Option<String>,
    pub primary: Option<RateLimitWindow>,
    pub secondary: Option<RateLimitWindow>,
    pub credits: Option<CreditsSnapshot>,
@@ -3112,6 +3240,8 @@ pub struct RateLimitSnapshot {
 impl From<CoreRateLimitSnapshot> for RateLimitSnapshot {
    fn from(value: CoreRateLimitSnapshot) -> Self {
        Self {
+            limit_id: value.limit_id,
+            limit_name: value.limit_name,
            primary: value.primary.map(RateLimitWindow::from),
            secondary: value.secondary.map(RateLimitWindow::from),
            credits: value.credits.map(CreditsSnapshot::from),
@@ -3228,11 +3358,21 @@ mod tests {
    use codex_protocol::items::WebSearchItem;
    use codex_protocol::models::WebSearchAction as CoreWebSearchAction;
    use codex_protocol::protocol::NetworkAccess as CoreNetworkAccess;
+    use codex_protocol::protocol::ReadOnlyAccess as CoreReadOnlyAccess;
    use codex_protocol::user_input::UserInput as CoreUserInput;
    use pretty_assertions::assert_eq;
    use serde_json::json;
    use std::path::PathBuf;

+    fn test_absolute_path() -> AbsolutePathBuf {
+        let path = if cfg!(windows) {
+            r"C:\readable"
+        } else {
+            "/readable"
+        };
+        AbsolutePathBuf::from_absolute_path(path).expect("path must be absolute")
+    }
+
    #[test]
    fn sandbox_policy_round_trips_external_sandbox_network_access() {
        let v2_policy = SandboxPolicy::ExternalSandbox {
@@ -3251,6 +3391,100 @@ mod tests {
        assert_eq!(back_to_v2, v2_policy);
    }

+    #[test]
+    fn sandbox_policy_round_trips_read_only_access() {
+        let readable_root = test_absolute_path();
+        let v2_policy = SandboxPolicy::ReadOnly {
+            access: ReadOnlyAccess::Restricted {
+                include_platform_defaults: false,
+                readable_roots: vec![readable_root.clone()],
+            },
+        };
+
+        let core_policy = v2_policy.to_core();
+        assert_eq!(
+            core_policy,
+            codex_protocol::protocol::SandboxPolicy::ReadOnly {
+                access: CoreReadOnlyAccess::Restricted {
+                    include_platform_defaults: false,
+                    readable_roots: vec![readable_root],
+                },
+            }
+        );
+
+        let back_to_v2 = SandboxPolicy::from(core_policy);
+        assert_eq!(back_to_v2, v2_policy);
+    }
+
+    #[test]
+    fn sandbox_policy_round_trips_workspace_write_read_only_access() {
+        let readable_root = test_absolute_path();
+        let v2_policy = SandboxPolicy::WorkspaceWrite {
+            writable_roots: vec![],
+            read_only_access: ReadOnlyAccess::Restricted {
+                include_platform_defaults: false,
+                readable_roots: vec![readable_root.clone()],
+            },
+            network_access: true,
+            exclude_tmpdir_env_var: false,
+            exclude_slash_tmp: false,
+        };
+
+        let core_policy = v2_policy.to_core();
+        assert_eq!(
+            core_policy,
+            codex_protocol::protocol::SandboxPolicy::WorkspaceWrite {
+                writable_roots: vec![],
+                read_only_access: CoreReadOnlyAccess::Restricted {
+                    include_platform_defaults: false,
+                    readable_roots: vec![readable_root],
+                },
+                network_access: true,
+                exclude_tmpdir_env_var: false,
+                exclude_slash_tmp: false,
+            }
+        );
+
+        let back_to_v2 = SandboxPolicy::from(core_policy);
+        assert_eq!(back_to_v2, v2_policy);
+    }
+
+    #[test]
+    fn sandbox_policy_deserializes_legacy_read_only_without_access_field() {
+        let policy: SandboxPolicy = serde_json::from_value(json!({
+            "type": "readOnly"
+        }))
+        .expect("read-only policy should deserialize");
+        assert_eq!(
+            policy,
+            SandboxPolicy::ReadOnly {
+                access: ReadOnlyAccess::FullAccess,
+            }
+        );
+    }
+
+    #[test]
+    fn sandbox_policy_deserializes_legacy_workspace_write_without_read_only_access_field() {
+        let policy: SandboxPolicy = serde_json::from_value(json!({
+            "type": "workspaceWrite",
+            "writableRoots": [],
+            "networkAccess": false,
+            "excludeTmpdirEnvVar": false,
+            "excludeSlashTmp": false
+        }))
+        .expect("workspace-write policy should deserialize");
+        assert_eq!(
+            policy,
+            SandboxPolicy::WorkspaceWrite {
+                writable_roots: vec![],
+                read_only_access: ReadOnlyAccess::FullAccess,
+                network_access: false,
+                exclude_tmpdir_env_var: false,
+                exclude_slash_tmp: false,
+            }
+        );
+    }
+
    #[test]
    fn core_turn_item_into_thread_item_converts_supported_variants() {
        let user_item = TurnItem::UserMessage(UserMessageItem {
--- a/codex-rs/app-server-test-client/Cargo.lock
+++ b/codex-rs/app-server-test-client/Cargo.lock
--- a/codex-rs/app-server-test-client/Cargo.toml
+++ b/codex-rs/app-server-test-client/Cargo.toml
@@ -14,4 +14,6 @@ codex-app-server-protocol = { workspace = true }
 codex-protocol = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
+tungstenite = { workspace = true }
+url = { workspace = true }
 uuid = { workspace = true, features = ["v4"] }
--- a/codex-rs/app-server-test-client/README.md
+++ b/codex-rs/app-server-test-client/README.md
@@ -1,2 +1,19 @@
 # App Server Test Client
-Exercises simple `codex app-server` flows end-to-end, logging JSON-RPC messages sent between client and server to stdout.
+Quickstart for running and hitting `codex app-server`.
+
+## Quickstart
+
+Run from `<reporoot>/codex-rs`.
+
+```bash
+# 1) Build debug codex binary
+cargo build -p codex-cli --bin codex
+
+# 2) Start websocket app-server in background
+cargo run -p codex-app-server-test-client -- \
+  --codex-bin ./target/debug/codex \
+  serve --listen ws://127.0.0.1:4222 --kill
+
+# 3) Call app-server (defaults to ws://127.0.0.1:4222)
+cargo run -p codex-app-server-test-client -- model-list
+```
--- a/codex-rs/app-server-test-client/src/lib.rs
+++ b/codex-rs/app-server-test-client/src/lib.rs
@@ -1,8 +1,10 @@
 use std::collections::VecDeque;
 use std::fs;
+use std::fs::OpenOptions;
 use std::io::BufRead;
 use std::io::BufReader;
 use std::io::Write;
+use std::net::TcpStream;
 use std::path::Path;
 use std::path::PathBuf;
 use std::process::Child;
@@ -46,12 +48,17 @@ use codex_app_server_protocol::ModelListParams;
 use codex_app_server_protocol::ModelListResponse;
 use codex_app_server_protocol::NewConversationParams;
 use codex_app_server_protocol::NewConversationResponse;
+use codex_app_server_protocol::ReadOnlyAccess;
 use codex_app_server_protocol::RequestId;
 use codex_app_server_protocol::SandboxPolicy;
 use codex_app_server_protocol::SendUserMessageParams;
 use codex_app_server_protocol::SendUserMessageResponse;
 use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::ServerRequest;
+use codex_app_server_protocol::ThreadListParams;
+use codex_app_server_protocol::ThreadListResponse;
+use codex_app_server_protocol::ThreadResumeParams;
+use codex_app_server_protocol::ThreadResumeResponse;
 use codex_app_server_protocol::ThreadStartParams;
 use codex_app_server_protocol::ThreadStartResponse;
 use codex_app_server_protocol::TurnStartParams;
@@ -64,15 +71,28 @@ use codex_protocol::protocol::EventMsg;
 use serde::Serialize;
 use serde::de::DeserializeOwned;
 use serde_json::Value;
+use tungstenite::Message;
+use tungstenite::WebSocket;
+use tungstenite::connect;
+use tungstenite::stream::MaybeTlsStream;
+use url::Url;
 use uuid::Uuid;

 /// Minimal launcher that initializes the Codex app-server and logs the handshake.
 #[derive(Parser)]
 #[command(author = "Codex", version, about = "Bootstrap Codex app-server", long_about = None)]
 struct Cli {
-    /// Path to the `codex` CLI binary.
-    #[arg(long, env = "CODEX_BIN", default_value = "codex")]
-    codex_bin: PathBuf,
+    /// Path to the `codex` CLI binary. When set, requests use stdio by
+    /// spawning `codex app-server` as a child process.
+    #[arg(long, env = "CODEX_BIN", global = true)]
+    codex_bin: Option<PathBuf>,
+
+    /// Existing websocket server URL to connect to.
+    ///
+    /// If neither `--codex-bin` nor `--url` is provided, defaults to
+    /// `ws://127.0.0.1:4222`.
+    #[arg(long, env = "CODEX_APP_SERVER_URL", global = true)]
+    url: Option<String>,

    /// Forwarded to the `codex` CLI as `--config key=value`. Repeatable.
    ///
@@ -102,6 +122,18 @@ struct Cli {

 #[derive(Subcommand)]
 enum CliCommand {
+    /// Start `codex app-server` on a websocket endpoint in the background.
+    ///
+    /// Logs are written to:
+    ///   `/tmp/codex-app-server-test-client/`
+    Serve {
+        /// WebSocket listen URL passed to `codex app-server --listen`.
+        #[arg(long, default_value = "ws://127.0.0.1:4222")]
+        listen: String,
+        /// Kill any process listening on the same port before starting.
+        #[arg(long, default_value_t = false)]
+        kill: bool,
+    },
    /// Send a user message through the Codex app-server.
    SendMessage {
        /// User message to send to Codex.
@@ -112,6 +144,20 @@ enum CliCommand {
        /// User message to send to Codex.
        user_message: String,
    },
+    /// Resume a V2 thread by id, then send a user message.
+    ResumeMessageV2 {
+        /// Existing thread id to resume.
+        thread_id: String,
+        /// User message to send to Codex.
+        user_message: String,
+    },
+    /// Resume a V2 thread and continuously stream notifications/events.
+    ///
+    /// This command does not auto-exit; stop it with SIGINT/SIGTERM/SIGKILL.
+    ThreadResume {
+        /// Existing thread id to resume.
+        thread_id: String,
+    },
    /// Start a V2 turn that elicits an ExecCommand approval.
    #[command(name = "trigger-cmd-approval")]
    TriggerCmdApproval {
@@ -141,11 +187,19 @@ enum CliCommand {
    /// List the available models from the Codex app-server.
    #[command(name = "model-list")]
    ModelList,
+    /// List stored threads from the Codex app-server.
+    #[command(name = "thread-list")]
+    ThreadList {
+        /// Number of threads to return.
+        #[arg(long, default_value_t = 20)]
+        limit: u32,
+    },
 }

 pub fn run() -> Result<()> {
    let Cli {
        codex_bin,
+        url,
        config_overrides,
        dynamic_tools,
        command,
@@ -154,49 +208,222 @@ pub fn run() -> Result<()> {
    let dynamic_tools = parse_dynamic_tools_arg(&dynamic_tools)?;

    match command {
+        CliCommand::Serve { listen, kill } => {
+            ensure_dynamic_tools_unused(&dynamic_tools, "serve")?;
+            let codex_bin = codex_bin.unwrap_or_else(|| PathBuf::from("codex"));
+            serve(&codex_bin, &config_overrides, &listen, kill)
+        }
        CliCommand::SendMessage { user_message } => {
            ensure_dynamic_tools_unused(&dynamic_tools, "send-message")?;
-            send_message(&codex_bin, &config_overrides, user_message)
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            send_message(&endpoint, &config_overrides, user_message)
        }
        CliCommand::SendMessageV2 { user_message } => {
-            send_message_v2(&codex_bin, &config_overrides, user_message, &dynamic_tools)
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            send_message_v2_endpoint(&endpoint, &config_overrides, user_message, &dynamic_tools)
+        }
+        CliCommand::ResumeMessageV2 {
+            thread_id,
+            user_message,
+        } => {
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            resume_message_v2(
+                &endpoint,
+                &config_overrides,
+                thread_id,
+                user_message,
+                &dynamic_tools,
+            )
+        }
+        CliCommand::ThreadResume { thread_id } => {
+            ensure_dynamic_tools_unused(&dynamic_tools, "thread-resume")?;
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            thread_resume_follow(&endpoint, &config_overrides, thread_id)
        }
        CliCommand::TriggerCmdApproval { user_message } => {
-            trigger_cmd_approval(&codex_bin, &config_overrides, user_message, &dynamic_tools)
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            trigger_cmd_approval(&endpoint, &config_overrides, user_message, &dynamic_tools)
        }
        CliCommand::TriggerPatchApproval { user_message } => {
-            trigger_patch_approval(&codex_bin, &config_overrides, user_message, &dynamic_tools)
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            trigger_patch_approval(&endpoint, &config_overrides, user_message, &dynamic_tools)
        }
        CliCommand::NoTriggerCmdApproval => {
-            no_trigger_cmd_approval(&codex_bin, &config_overrides, &dynamic_tools)
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            no_trigger_cmd_approval(&endpoint, &config_overrides, &dynamic_tools)
        }
        CliCommand::SendFollowUpV2 {
            first_message,
            follow_up_message,
-        } => send_follow_up_v2(
-            &codex_bin,
-            &config_overrides,
-            first_message,
-            follow_up_message,
-            &dynamic_tools,
-        ),
+        } => {
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            send_follow_up_v2(
+                &endpoint,
+                &config_overrides,
+                first_message,
+                follow_up_message,
+                &dynamic_tools,
+            )
+        }
        CliCommand::TestLogin => {
            ensure_dynamic_tools_unused(&dynamic_tools, "test-login")?;
-            test_login(&codex_bin, &config_overrides)
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            test_login(&endpoint, &config_overrides)
        }
        CliCommand::GetAccountRateLimits => {
            ensure_dynamic_tools_unused(&dynamic_tools, "get-account-rate-limits")?;
-            get_account_rate_limits(&codex_bin, &config_overrides)
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            get_account_rate_limits(&endpoint, &config_overrides)
        }
        CliCommand::ModelList => {
            ensure_dynamic_tools_unused(&dynamic_tools, "model-list")?;
-            model_list(&codex_bin, &config_overrides)
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            model_list(&endpoint, &config_overrides)
+        }
+        CliCommand::ThreadList { limit } => {
+            ensure_dynamic_tools_unused(&dynamic_tools, "thread-list")?;
+            let endpoint = resolve_endpoint(codex_bin, url)?;
+            thread_list(&endpoint, &config_overrides, limit)
        }
    }
 }

-fn send_message(codex_bin: &Path, config_overrides: &[String], user_message: String) -> Result<()> {
-    let mut client = CodexClient::spawn(codex_bin, config_overrides)?;
+enum Endpoint {
+    SpawnCodex(PathBuf),
+    ConnectWs(String),
+}
+
+fn resolve_endpoint(codex_bin: Option<PathBuf>, url: Option<String>) -> Result<Endpoint> {
+    if codex_bin.is_some() && url.is_some() {
+        bail!("--codex-bin and --url are mutually exclusive");
+    }
+    if let Some(codex_bin) = codex_bin {
+        return Ok(Endpoint::SpawnCodex(codex_bin));
+    }
+    if let Some(url) = url {
+        return Ok(Endpoint::ConnectWs(url));
+    }
+    Ok(Endpoint::ConnectWs("ws://127.0.0.1:4222".to_string()))
+}
+
+fn serve(codex_bin: &Path, config_overrides: &[String], listen: &str, kill: bool) -> Result<()> {
+    let runtime_dir = PathBuf::from("/tmp/codex-app-server-test-client");
+    fs::create_dir_all(&runtime_dir)
+        .with_context(|| format!("failed to create runtime dir {}", runtime_dir.display()))?;
+    let log_path = runtime_dir.join("app-server.log");
+    if kill {
+        kill_listeners_on_same_port(listen)?;
+    }
+
+    let log_file = OpenOptions::new()
+        .create(true)
+        .append(true)
+        .open(&log_path)
+        .with_context(|| format!("failed to open log file {}", log_path.display()))?;
+    let log_file_stderr = log_file
+        .try_clone()
+        .with_context(|| format!("failed to clone log file handle {}", log_path.display()))?;
+
+    let mut cmdline = format!(
+        "tail -f /dev/null | RUST_BACKTRACE=full RUST_LOG=warn,codex_=trace {}",
+        shell_quote(&codex_bin.display().to_string())
+    );
+    for override_kv in config_overrides {
+        cmdline.push_str(&format!(" --config {}", shell_quote(override_kv)));
+    }
+    cmdline.push_str(&format!(" app-server --listen {}", shell_quote(listen)));
+
+    let child = Command::new("nohup")
+        .arg("sh")
+        .arg("-c")
+        .arg(cmdline)
+        .stdin(Stdio::null())
+        .stdout(Stdio::from(log_file))
+        .stderr(Stdio::from(log_file_stderr))
+        .spawn()
+        .with_context(|| format!("failed to start `{}` app-server", codex_bin.display()))?;
+
+    let pid = child.id();
+
+    println!("started codex app-server");
+    println!("listen: {listen}");
+    println!("pid: {pid} (launcher process)");
+    println!("log: {}", log_path.display());
+
+    Ok(())
+}
+
+fn kill_listeners_on_same_port(listen: &str) -> Result<()> {
+    let url = Url::parse(listen).with_context(|| format!("invalid --listen URL `{listen}`"))?;
+    let port = url
+        .port_or_known_default()
+        .with_context(|| format!("unable to infer port from --listen URL `{listen}`"))?;
+
+    let output = Command::new("lsof")
+        .arg("-nP")
+        .arg(format!("-tiTCP:{port}"))
+        .arg("-sTCP:LISTEN")
+        .output()
+        .with_context(|| format!("failed to run lsof for port {port}"))?;
+
+    if !output.status.success() {
+        return Ok(());
+    }
+
+    let pids: Vec<u32> = String::from_utf8_lossy(&output.stdout)
+        .lines()
+        .filter_map(|line| line.trim().parse::<u32>().ok())
+        .collect();
+
+    if pids.is_empty() {
+        return Ok(());
+    }
+
+    for pid in pids {
+        println!("killing listener pid {pid} on port {port}");
+        let pid_str = pid.to_string();
+        let term_status = Command::new("kill")
+            .arg(&pid_str)
+            .status()
+            .with_context(|| format!("failed to send SIGTERM to pid {pid}"))?;
+        if !term_status.success() {
+            continue;
+        }
+    }
+
+    thread::sleep(Duration::from_millis(300));
+
+    let output = Command::new("lsof")
+        .arg("-nP")
+        .arg(format!("-tiTCP:{port}"))
+        .arg("-sTCP:LISTEN")
+        .output()
+        .with_context(|| format!("failed to re-check listeners on port {port}"))?;
+    if !output.status.success() {
+        return Ok(());
+    }
+    let remaining: Vec<u32> = String::from_utf8_lossy(&output.stdout)
+        .lines()
+        .filter_map(|line| line.trim().parse::<u32>().ok())
+        .collect();
+    for pid in remaining {
+        println!("force killing remaining listener pid {pid} on port {port}");
+        let _ = Command::new("kill").arg("-9").arg(pid.to_string()).status();
+    }
+
+    Ok(())
+}
+
+fn shell_quote(input: &str) -> String {
+    format!("'{}'", input.replace('\'', "'\\''"))
+}
+
+fn send_message(
+    endpoint: &Endpoint,
+    config_overrides: &[String],
+    user_message: String,
+) -> Result<()> {
+    let mut client = CodexClient::connect(endpoint, config_overrides)?;

    let initialize = client.initialize()?;
    println!("< initialize response: {initialize:?}");
@@ -222,9 +449,19 @@ pub fn send_message_v2(
    config_overrides: &[String],
    user_message: String,
    dynamic_tools: &Option<Vec<DynamicToolSpec>>,
+) -> Result<()> {
+    let endpoint = Endpoint::SpawnCodex(codex_bin.to_path_buf());
+    send_message_v2_endpoint(&endpoint, config_overrides, user_message, dynamic_tools)
+}
+
+fn send_message_v2_endpoint(
+    endpoint: &Endpoint,
+    config_overrides: &[String],
+    user_message: String,
+    dynamic_tools: &Option<Vec<DynamicToolSpec>>,
 ) -> Result<()> {
    send_message_v2_with_policies(
-        codex_bin,
+        endpoint,
        config_overrides,
        user_message,
        None,
@@ -233,8 +470,63 @@ pub fn send_message_v2(
    )
 }

+fn resume_message_v2(
+    endpoint: &Endpoint,
+    config_overrides: &[String],
+    thread_id: String,
+    user_message: String,
+    dynamic_tools: &Option<Vec<DynamicToolSpec>>,
+) -> Result<()> {
+    ensure_dynamic_tools_unused(dynamic_tools, "resume-message-v2")?;
+
+    let mut client = CodexClient::connect(endpoint, config_overrides)?;
+
+    let initialize = client.initialize()?;
+    println!("< initialize response: {initialize:?}");
+
+    let resume_response = client.thread_resume(ThreadResumeParams {
+        thread_id,
+        ..Default::default()
+    })?;
+    println!("< thread/resume response: {resume_response:?}");
+
+    let turn_response = client.turn_start(TurnStartParams {
+        thread_id: resume_response.thread.id.clone(),
+        input: vec![V2UserInput::Text {
+            text: user_message,
+            text_elements: Vec::new(),
+        }],
+        ..Default::default()
+    })?;
+    println!("< turn/start response: {turn_response:?}");
+
+    client.stream_turn(&resume_response.thread.id, &turn_response.turn.id)?;
+
+    Ok(())
+}
+
+fn thread_resume_follow(
+    endpoint: &Endpoint,
+    config_overrides: &[String],
+    thread_id: String,
+) -> Result<()> {
+    let mut client = CodexClient::connect(endpoint, config_overrides)?;
+
+    let initialize = client.initialize()?;
+    println!("< initialize response: {initialize:?}");
+
+    let resume_response = client.thread_resume(ThreadResumeParams {
+        thread_id,
+        ..Default::default()
+    })?;
+    println!("< thread/resume response: {resume_response:?}");
+    println!("< streaming notifications until process is terminated");
+
+    client.stream_notifications_forever()
+}
+
 fn trigger_cmd_approval(
-    codex_bin: &Path,
+    endpoint: &Endpoint,
    config_overrides: &[String],
    user_message: Option<String>,
    dynamic_tools: &Option<Vec<DynamicToolSpec>>,
@@ -243,17 +535,19 @@ fn trigger_cmd_approval(
        "Run `touch /tmp/should-trigger-approval` so I can confirm the file exists.";
    let message = user_message.unwrap_or_else(|| default_prompt.to_string());
    send_message_v2_with_policies(
-        codex_bin,
+        endpoint,
        config_overrides,
        message,
        Some(AskForApproval::OnRequest),
-        Some(SandboxPolicy::ReadOnly),
+        Some(SandboxPolicy::ReadOnly {
+            access: ReadOnlyAccess::FullAccess,
+        }),
        dynamic_tools,
    )
 }

 fn trigger_patch_approval(
-    codex_bin: &Path,
+    endpoint: &Endpoint,
    config_overrides: &[String],
    user_message: Option<String>,
    dynamic_tools: &Option<Vec<DynamicToolSpec>>,
@@ -262,23 +556,25 @@ fn trigger_patch_approval(
        "Create a file named APPROVAL_DEMO.txt containing a short hello message using apply_patch.";
    let message = user_message.unwrap_or_else(|| default_prompt.to_string());
    send_message_v2_with_policies(
-        codex_bin,
+        endpoint,
        config_overrides,
        message,
        Some(AskForApproval::OnRequest),
-        Some(SandboxPolicy::ReadOnly),
+        Some(SandboxPolicy::ReadOnly {
+            access: ReadOnlyAccess::FullAccess,
+        }),
        dynamic_tools,
    )
 }

 fn no_trigger_cmd_approval(
-    codex_bin: &Path,
+    endpoint: &Endpoint,
    config_overrides: &[String],
    dynamic_tools: &Option<Vec<DynamicToolSpec>>,
 ) -> Result<()> {
    let prompt = "Run `touch should_not_trigger_approval.txt`";
    send_message_v2_with_policies(
-        codex_bin,
+        endpoint,
        config_overrides,
        prompt.to_string(),
        None,
@@ -288,14 +584,14 @@ fn no_trigger_cmd_approval(
 }

 fn send_message_v2_with_policies(
-    codex_bin: &Path,
+    endpoint: &Endpoint,
    config_overrides: &[String],
    user_message: String,
    approval_policy: Option<AskForApproval>,
    sandbox_policy: Option<SandboxPolicy>,
    dynamic_tools: &Option<Vec<DynamicToolSpec>>,
 ) -> Result<()> {
-    let mut client = CodexClient::spawn(codex_bin, config_overrides)?;
+    let mut client = CodexClient::connect(endpoint, config_overrides)?;

    let initialize = client.initialize()?;
    println!("< initialize response: {initialize:?}");
@@ -326,13 +622,13 @@ fn send_message_v2_with_policies(
 }

 fn send_follow_up_v2(
-    codex_bin: &Path,
+    endpoint: &Endpoint,
    config_overrides: &[String],
    first_message: String,
    follow_up_message: String,
    dynamic_tools: &Option<Vec<DynamicToolSpec>>,
 ) -> Result<()> {
-    let mut client = CodexClient::spawn(codex_bin, config_overrides)?;
+    let mut client = CodexClient::connect(endpoint, config_overrides)?;

    let initialize = client.initialize()?;
    println!("< initialize response: {initialize:?}");
@@ -372,8 +668,8 @@ fn send_follow_up_v2(
    Ok(())
 }

-fn test_login(codex_bin: &Path, config_overrides: &[String]) -> Result<()> {
-    let mut client = CodexClient::spawn(codex_bin, config_overrides)?;
+fn test_login(endpoint: &Endpoint, config_overrides: &[String]) -> Result<()> {
+    let mut client = CodexClient::connect(endpoint, config_overrides)?;

    let initialize = client.initialize()?;
    println!("< initialize response: {initialize:?}");
@@ -402,8 +698,8 @@ fn test_login(codex_bin: &Path, config_overrides: &[String]) -> Result<()> {
    }
 }

-fn get_account_rate_limits(codex_bin: &Path, config_overrides: &[String]) -> Result<()> {
-    let mut client = CodexClient::spawn(codex_bin, config_overrides)?;
+fn get_account_rate_limits(endpoint: &Endpoint, config_overrides: &[String]) -> Result<()> {
+    let mut client = CodexClient::connect(endpoint, config_overrides)?;

    let initialize = client.initialize()?;
    println!("< initialize response: {initialize:?}");
@@ -414,8 +710,8 @@ fn get_account_rate_limits(codex_bin: &Path, config_overrides: &[String]) -> Res
    Ok(())
 }

-fn model_list(codex_bin: &Path, config_overrides: &[String]) -> Result<()> {
-    let mut client = CodexClient::spawn(codex_bin, config_overrides)?;
+fn model_list(endpoint: &Endpoint, config_overrides: &[String]) -> Result<()> {
+    let mut client = CodexClient::connect(endpoint, config_overrides)?;

    let initialize = client.initialize()?;
    println!("< initialize response: {initialize:?}");
@@ -426,6 +722,26 @@ fn model_list(codex_bin: &Path, config_overrides: &[String]) -> Result<()> {
    Ok(())
 }

+fn thread_list(endpoint: &Endpoint, config_overrides: &[String], limit: u32) -> Result<()> {
+    let mut client = CodexClient::connect(endpoint, config_overrides)?;
+
+    let initialize = client.initialize()?;
+    println!("< initialize response: {initialize:?}");
+
+    let response = client.thread_list(ThreadListParams {
+        cursor: None,
+        limit: Some(limit),
+        sort_key: None,
+        model_providers: None,
+        source_kinds: None,
+        archived: None,
+        cwd: None,
+    })?;
+    println!("< thread/list response: {response:?}");
+
+    Ok(())
+}
+
 fn ensure_dynamic_tools_unused(
    dynamic_tools: &Option<Vec<DynamicToolSpec>>,
    command: &str,
@@ -460,15 +776,32 @@ fn parse_dynamic_tools_arg(dynamic_tools: &Option<String>) -> Result<Option<Vec<
    Ok(Some(tools))
 }

+enum ClientTransport {
+    Stdio {
+        child: Child,
+        stdin: Option<ChildStdin>,
+        stdout: BufReader<ChildStdout>,
+    },
+    WebSocket {
+        url: String,
+        socket: Box<WebSocket<MaybeTlsStream<TcpStream>>>,
+    },
+}
+
 struct CodexClient {
-    child: Child,
-    stdin: Option<ChildStdin>,
-    stdout: BufReader<ChildStdout>,
+    transport: ClientTransport,
    pending_notifications: VecDeque<JSONRPCNotification>,
 }

 impl CodexClient {
-    fn spawn(codex_bin: &Path, config_overrides: &[String]) -> Result<Self> {
+    fn connect(endpoint: &Endpoint, config_overrides: &[String]) -> Result<Self> {
+        match endpoint {
+            Endpoint::SpawnCodex(codex_bin) => Self::spawn_stdio(codex_bin, config_overrides),
+            Endpoint::ConnectWs(url) => Self::connect_websocket(url),
+        }
+    }
+
+    fn spawn_stdio(codex_bin: &Path, config_overrides: &[String]) -> Result<Self> {
        let codex_bin_display = codex_bin.display();
        let mut cmd = Command::new(codex_bin);
        for override_kv in config_overrides {
@@ -492,9 +825,27 @@ impl CodexClient {
            .context("codex app-server stdout unavailable")?;

        Ok(Self {
-            child: codex_app_server,
-            stdin: Some(stdin),
-            stdout: BufReader::new(stdout),
+            transport: ClientTransport::Stdio {
+                child: codex_app_server,
+                stdin: Some(stdin),
+                stdout: BufReader::new(stdout),
+            },
+            pending_notifications: VecDeque::new(),
+        })
+    }
+
+    fn connect_websocket(url: &str) -> Result<Self> {
+        let parsed = Url::parse(url).with_context(|| format!("invalid websocket URL `{url}`"))?;
+        let (socket, _response) = connect(parsed.as_str()).with_context(|| {
+            format!(
+                "failed to connect to websocket app-server at `{url}`; if no server is running, start one with `codex-app-server-test-client serve --listen {url}`"
+            )
+        })?;
+        Ok(Self {
+            transport: ClientTransport::WebSocket {
+                url: url.to_string(),
+                socket: Box::new(socket),
+            },
            pending_notifications: VecDeque::new(),
        })
    }
@@ -516,7 +867,16 @@ impl CodexClient {
            },
        };

-        self.send_request(request, request_id, "initialize")
+        let response: InitializeResponse = self.send_request(request, request_id, "initialize")?;
+
+        // Complete the initialize handshake.
+        let initialized = JSONRPCMessage::Notification(JSONRPCNotification {
+            method: "initialized".to_string(),
+            params: None,
+        });
+        self.write_jsonrpc_message(initialized)?;
+
+        Ok(response)
    }

    fn start_thread(&mut self) -> Result<NewConversationResponse> {
@@ -592,6 +952,16 @@ impl CodexClient {
        self.send_request(request, request_id, "thread/start")
    }

+    fn thread_resume(&mut self, params: ThreadResumeParams) -> Result<ThreadResumeResponse> {
+        let request_id = self.request_id();
+        let request = ClientRequest::ThreadResume {
+            request_id: request_id.clone(),
+            params,
+        };
+
+        self.send_request(request, request_id, "thread/resume")
+    }
+
    fn turn_start(&mut self, params: TurnStartParams) -> Result<TurnStartResponse> {
        let request_id = self.request_id();
        let request = ClientRequest::TurnStart {
@@ -632,6 +1002,16 @@ impl CodexClient {
        self.send_request(request, request_id, "model/list")
    }

+    fn thread_list(&mut self, params: ThreadListParams) -> Result<ThreadListResponse> {
+        let request_id = self.request_id();
+        let request = ClientRequest::ThreadList {
+            request_id: request_id.clone(),
+            params,
+        };
+
+        self.send_request(request, request_id, "thread/list")
+    }
+
    fn stream_conversation(&mut self, conversation_id: &ThreadId) -> Result<()> {
        loop {
            let notification = self.next_notification()?;
@@ -766,6 +1146,12 @@ impl CodexClient {
        Ok(())
    }

+    fn stream_notifications_forever(&mut self) -> Result<()> {
+        loop {
+            let _ = self.next_notification()?;
+        }
+    }
+
    fn extract_event(
        &self,
        notification: JSONRPCNotification,
@@ -813,17 +1199,7 @@ impl CodexClient {
        let request_json = serde_json::to_string(request)?;
        let request_pretty = serde_json::to_string_pretty(request)?;
        print_multiline_with_prefix("> ", &request_pretty);
-
-        if let Some(stdin) = self.stdin.as_mut() {
-            writeln!(stdin, "{request_json}")?;
-            stdin
-                .flush()
-                .context("failed to flush request to codex app-server")?;
-        } else {
-            bail!("codex app-server stdin closed");
-        }
-
-        Ok(())
+        self.write_payload(&request_json)
    }

    fn wait_for_response<T>(&mut self, request_id: RequestId, method: &str) -> Result<T>
@@ -878,17 +1254,8 @@ impl CodexClient {

    fn read_jsonrpc_message(&mut self) -> Result<JSONRPCMessage> {
        loop {
-            let mut response_line = String::new();
-            let bytes = self
-                .stdout
-                .read_line(&mut response_line)
-                .context("failed to read from codex app-server")?;
-
-            if bytes == 0 {
-                bail!("codex app-server closed stdout");
-            }
-
-            let trimmed = response_line.trim();
+            let raw = self.read_payload()?;
+            let trimmed = raw.trim();
            if trimmed.is_empty() {
                continue;
            }
@@ -1017,16 +1384,56 @@ impl CodexClient {
        let payload = serde_json::to_string(&message)?;
        let pretty = serde_json::to_string_pretty(&message)?;
        print_multiline_with_prefix("> ", &pretty);
+        self.write_payload(&payload)
+    }

-        if let Some(stdin) = self.stdin.as_mut() {
-            writeln!(stdin, "{payload}")?;
-            stdin
-                .flush()
-                .context("failed to flush response to codex app-server")?;
-            return Ok(());
+    fn write_payload(&mut self, payload: &str) -> Result<()> {
+        match &mut self.transport {
+            ClientTransport::Stdio { stdin, .. } => {
+                if let Some(stdin) = stdin.as_mut() {
+                    writeln!(stdin, "{payload}")?;
+                    stdin
+                        .flush()
+                        .context("failed to flush payload to codex app-server")?;
+                    return Ok(());
+                }
+                bail!("codex app-server stdin closed")
+            }
+            ClientTransport::WebSocket { socket, url } => {
+                socket
+                    .send(Message::Text(payload.to_string().into()))
+                    .with_context(|| format!("failed to write websocket message to `{url}`"))?;
+                Ok(())
+            }
        }
+    }

-        bail!("codex app-server stdin closed")
+    fn read_payload(&mut self) -> Result<String> {
+        match &mut self.transport {
+            ClientTransport::Stdio { stdout, .. } => {
+                let mut response_line = String::new();
+                let bytes = stdout
+                    .read_line(&mut response_line)
+                    .context("failed to read from codex app-server")?;
+                if bytes == 0 {
+                    bail!("codex app-server closed stdout");
+                }
+                Ok(response_line)
+            }
+            ClientTransport::WebSocket { socket, url } => loop {
+                let frame = socket
+                    .read()
+                    .with_context(|| format!("failed to read websocket message from `{url}`"))?;
+                match frame {
+                    Message::Text(text) => return Ok(text.to_string()),
+                    Message::Binary(_) | Message::Ping(_) | Message::Pong(_) => continue,
+                    Message::Close(_) => {
+                        bail!("websocket app-server at `{url}` closed the connection")
+                    }
+                    Message::Frame(_) => continue,
+                }
+            },
+        }
    }
 }

@@ -1038,21 +1445,25 @@ fn print_multiline_with_prefix(prefix: &str, payload: &str) {

 impl Drop for CodexClient {
    fn drop(&mut self) {
-        let _ = self.stdin.take();
+        let ClientTransport::Stdio { child, stdin, .. } = &mut self.transport else {
+            return;
+        };

-        if let Ok(Some(status)) = self.child.try_wait() {
+        let _ = stdin.take();
+
+        if let Ok(Some(status)) = child.try_wait() {
            println!("[codex app-server exited: {status}]");
            return;
        }

        thread::sleep(Duration::from_millis(100));

-        if let Ok(Some(status)) = self.child.try_wait() {
+        if let Ok(Some(status)) = child.try_wait() {
            println!("[codex app-server exited: {status}]");
            return;
        }

-        let _ = self.child.kill();
-        let _ = self.child.wait();
+        let _ = child.kill();
+        let _ = child.wait();
    }
 }
--- a/codex-rs/app-server/Cargo.toml
+++ b/codex-rs/app-server/Cargo.toml
@@ -20,8 +20,8 @@ anyhow = { workspace = true }
 async-trait = { workspace = true }
 codex-arg0 = { workspace = true }
 codex-cloud-requirements = { workspace = true }
-codex-common = { workspace = true, features = ["cli"] }
 codex-core = { workspace = true }
+codex-utils-cli = { workspace = true }
 codex-backend-client = { workspace = true }
 codex-file-search = { workspace = true }
 codex-chatgpt = { workspace = true }
@@ -30,8 +30,12 @@ codex-protocol = { workspace = true }
 codex-app-server-protocol = { workspace = true }
 codex-feedback = { workspace = true }
 codex-rmcp-client = { workspace = true }
+codex-utils-absolute-path = { workspace = true }
 codex-utils-json-to-toml = { workspace = true }
 chrono = { workspace = true }
+clap = { workspace = true, features = ["derive"] }
+futures = { workspace = true }
+owo-colors = { workspace = true, features = ["supports-colors"] }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
 tempfile = { workspace = true }
@@ -44,6 +48,7 @@ tokio = { workspace = true, features = [
    "rt-multi-thread",
    "signal",
 ] }
+tokio-tungstenite = { workspace = true }
 tracing = { workspace = true, features = ["log"] }
 tracing-subscriber = { workspace = true, features = ["env-filter", "fmt"] }
 uuid = { workspace = true, features = ["serde", "v7"] }
@@ -57,8 +62,8 @@ axum = { workspace = true, default-features = false, features = [
 ] }
 base64 = { workspace = true }
 codex-execpolicy = { workspace = true }
-codex-utils-absolute-path = { workspace = true }
 core_test_support = { workspace = true }
+codex-utils-cargo-bin = { workspace = true }
 os_info = { workspace = true }
 pretty_assertions = { workspace = true }
 rmcp = { workspace = true, default-features = false, features = [
@@ -66,5 +71,6 @@ rmcp = { workspace = true, default-features = false, features = [
    "transport-streamable-http-server",
 ] }
 serial_test = { workspace = true }
+tokio-tungstenite = { workspace = true }
 wiremock = { workspace = true }
 shlex = { workspace = true }
--- a/codex-rs/app-server/README.md
+++ b/codex-rs/app-server/README.md
@@ -19,7 +19,20 @@

 ## Protocol

-Similar to [MCP](https://modelcontextprotocol.io/), `codex app-server` supports bidirectional communication, streaming JSONL over stdio. The protocol is JSON-RPC 2.0, though the `"jsonrpc":"2.0"` header is omitted.
+Similar to [MCP](https://modelcontextprotocol.io/), `codex app-server` supports bidirectional communication using JSON-RPC 2.0 messages (with the `"jsonrpc":"2.0"` header omitted on the wire).
+
+Supported transports:
+
+- stdio (`--listen stdio://`, default): newline-delimited JSON (JSONL)
+- websocket (`--listen ws://IP:PORT`): one JSON-RPC message per websocket text frame (**experimental / unsupported**)
+
+Websocket transport is currently experimental and unsupported. Do not rely on it for production workloads.
+
+Backpressure behavior:
+
+- The server uses bounded queues between transport ingress, request processing, and outbound writes.
+- When request ingress is saturated, new requests are rejected with a JSON-RPC error code `-32001` and message `"Server overloaded; retry later."`.
+- Clients should treat this as retryable and use exponential backoff with jitter.

 ## Message Schema

@@ -42,7 +55,7 @@ Use the thread APIs to create, list, or archive conversations. Drive a conversat

 ## Lifecycle Overview

- Initialize once: Immediately after launching the codex app-server process, send an `initialize` request with your client metadata, then emit an `initialized` notification. Any other request before this handshake gets rejected.
+- Initialize once per connection: Immediately after opening a transport connection, send an `initialize` request with your client metadata, then emit an `initialized` notification. Any other request on that connection before this handshake gets rejected.
 - Start (or resume) a thread: Call `thread/start` to open a fresh conversation. The response returns the thread object and you’ll also get a `thread/started` notification. If you’re continuing an existing conversation, call `thread/resume` with its ID instead. If you want to branch from an existing conversation, call `thread/fork` to create a new thread id with copied history.
 - Begin a turn: To send user input, call `turn/start` with the target `threadId` and the user's input. Optional fields let you override model, cwd, sandbox policy, etc. This immediately returns the new turn object and triggers a `turn/started` notification.
 - Stream events: After `turn/start`, keep reading JSON-RPC notifications on stdout. You’ll see `item/started`, `item/completed`, deltas like `item/agentMessage/delta`, tool progress, etc. These represent streaming model output plus any side effects (commands, tool calls, reasoning notes).
@@ -50,7 +63,7 @@ Use the thread APIs to create, list, or archive conversations. Drive a conversat

 ## Initialization

-Clients must send a single `initialize` request before invoking any other method, then acknowledge with an `initialized` notification. The server returns the user agent string it will present to upstream services; subsequent requests issued before initialization receive a `"Not initialized"` error, and repeated `initialize` calls receive an `"Already initialized"` error.
+Clients must send a single `initialize` request per transport connection before invoking any other method on that connection, then acknowledge with an `initialized` notification. The server returns the user agent string it will present to upstream services; subsequent requests issued before initialization receive a `"Not initialized"` error, and repeated `initialize` calls on the same connection receive an `"Already initialized"` error.

 `initialize.params.capabilities` also supports per-connection notification opt-out via `optOutNotificationMethods`, which is a list of exact method names to suppress for that connection. Matching is exact (no wildcards/prefixes). Unknown method names are accepted and ignored.

@@ -104,7 +117,7 @@ Example with notification opt-out:
 - `thread/start` — create a new thread; emits `thread/started` and auto-subscribes you to turn/item events for that thread.
 - `thread/resume` — reopen an existing thread by id so subsequent `turn/start` calls append to it.
 - `thread/fork` — fork an existing thread into a new thread id by copying the stored history; emits `thread/started` and auto-subscribes you to turn/item events for the new thread.
- `thread/list` — page through stored rollouts; supports cursor-based pagination and optional `modelProviders` filtering.
+- `thread/list` — page through stored rollouts; supports cursor-based pagination and optional `modelProviders`, `sourceKinds`, `archived`, and `cwd` filters.
 - `thread/loaded/list` — list the thread ids currently loaded in memory.
 - `thread/read` — read a stored thread by id without resuming it; optionally include turns via `includeTurns`.
 - `thread/archive` — move a thread’s rollout file into the archived directory; returns `{}` on success.
@@ -196,6 +209,8 @@ To branch from a stored session, call `thread/fork` with the `thread.id`. This c
 { "method": "thread/started", "params": { "thread": { … } } }
 ```

+Experimental API: `thread/start`, `thread/resume`, and `thread/fork` accept `persistExtendedHistory: true` to persist a richer subset of ThreadItems for non-lossy history when calling `thread/read`, `thread/resume`, and `thread/fork` later. This does not backfill events that were not persisted previously.
+
 ### Example: List threads (with pagination & filters)

 `thread/list` lets you render a history UI. Results default to `createdAt` (newest first) descending. Pass any combination of:
@@ -206,6 +221,7 @@ To branch from a stored session, call `thread/fork` with the `thread.id`. This c
 - `modelProviders` — restrict results to specific providers; unset, null, or an empty array will include all providers.
 - `sourceKinds` — restrict results to specific sources; omit or pass `[]` for interactive sessions only (`cli`, `vscode`).
 - `archived` — when `true`, list archived threads only. When `false` or `null`, list non-archived threads (default).
+- `cwd` — restrict results to threads whose session cwd exactly matches this path.

 Example:

@@ -748,7 +764,7 @@ To enable or disable a skill by path:

 ## Apps

-Use `app/list` to fetch available apps (connectors). Each entry includes metadata like the app `id`, display `name`, `installUrl`, and whether it is currently accessible.
+Use `app/list` to fetch available apps (connectors). Each entry includes metadata like the app `id`, display `name`, `installUrl`, whether it is currently accessible, and whether it is enabled in config.

 ```json
 { "method": "app/list", "id": 50, "params": {
@@ -767,7 +783,8 @@ Use `app/list` to fetch available apps (connectors). Each entry includes metadat
            "logoUrlDark": null,
            "distributionChannel": null,
            "installUrl": "https://chatgpt.com/apps/demo-app/demo-app",
-            "isAccessible": true
+            "isAccessible": true,
+            "isEnabled": true
        }
    ],
    "nextCursor": null
@@ -793,7 +810,8 @@ The server also emits `app/list/updated` notifications whenever either source (a
        "logoUrlDark": null,
        "distributionChannel": null,
        "installUrl": "https://chatgpt.com/apps/demo-app/demo-app",
-        "isAccessible": true
+        "isAccessible": true,
+        "isEnabled": true
      }
    ]
  }
--- a/codex-rs/app-server/src/bespoke_event_handling.rs
+++ b/codex-rs/app-server/src/bespoke_event_handling.rs
@@ -1,14 +1,13 @@
 use crate::codex_message_processor::ApiVersion;
-use crate::codex_message_processor::PendingInterrupts;
-use crate::codex_message_processor::PendingRollbacks;
-use crate::codex_message_processor::TurnSummary;
-use crate::codex_message_processor::TurnSummaryStore;
-use crate::codex_message_processor::read_event_msgs_from_rollout;
+use crate::codex_message_processor::read_rollout_items_from_rollout;
 use crate::codex_message_processor::read_summary_from_rollout;
 use crate::codex_message_processor::summary_to_thread;
 use crate::error_code::INTERNAL_ERROR_CODE;
 use crate::error_code::INVALID_REQUEST_ERROR_CODE;
-use crate::outgoing_message::OutgoingMessageSender;
+use crate::outgoing_message::ClientRequestResult;
+use crate::outgoing_message::ThreadScopedOutgoingMessageSender;
+use crate::thread_state::ThreadState;
+use crate::thread_state::TurnSummary;
 use codex_app_server_protocol::AccountRateLimitsUpdatedNotification;
 use codex_app_server_protocol::AgentMessageDeltaNotification;
 use codex_app_server_protocol::ApplyPatchApprovalParams;
@@ -69,7 +68,7 @@ use codex_app_server_protocol::TurnInterruptResponse;
 use codex_app_server_protocol::TurnPlanStep;
 use codex_app_server_protocol::TurnPlanUpdatedNotification;
 use codex_app_server_protocol::TurnStatus;
-use codex_app_server_protocol::build_turns_from_event_msgs;
+use codex_app_server_protocol::build_turns_from_rollout_items;
 use codex_core::CodexThread;
 use codex_core::parse_command::shlex_join;
 use codex_core::protocol::ApplyPatchApprovalRequestEvent;
@@ -98,6 +97,7 @@ use std::collections::HashMap;
 use std::convert::TryFrom;
 use std::path::PathBuf;
 use std::sync::Arc;
+use tokio::sync::Mutex;
 use tokio::sync::oneshot;
 use tracing::error;

@@ -108,10 +108,8 @@ pub(crate) async fn apply_bespoke_event_handling(
    event: Event,
    conversation_id: ThreadId,
    conversation: Arc<CodexThread>,
-    outgoing: Arc<OutgoingMessageSender>,
-    pending_interrupts: PendingInterrupts,
-    pending_rollbacks: PendingRollbacks,
-    turn_summary_store: TurnSummaryStore,
+    outgoing: ThreadScopedOutgoingMessageSender,
+    thread_state: Arc<tokio::sync::Mutex<ThreadState>>,
    api_version: ApiVersion,
    fallback_model_provider: String,
 ) {
@@ -122,13 +120,7 @@ pub(crate) async fn apply_bespoke_event_handling(
    match msg {
        EventMsg::TurnStarted(_) => {}
        EventMsg::TurnComplete(_ev) => {
-            handle_turn_complete(
-                conversation_id,
-                event_turn_id,
-                &outgoing,
-                &turn_summary_store,
-            )
-            .await;
+            handle_turn_complete(conversation_id, event_turn_id, &outgoing, &thread_state).await;
        }
        EventMsg::ApplyPatchApprovalRequest(ApplyPatchApprovalRequestEvent {
            call_id,
@@ -159,9 +151,11 @@ pub(crate) async fn apply_bespoke_event_handling(
                let patch_changes = convert_patch_changes(&changes);

                let first_start = {
-                    let mut map = turn_summary_store.lock().await;
-                    let summary = map.entry(conversation_id).or_default();
-                    summary.file_change_started.insert(item_id.clone())
+                    let mut state = thread_state.lock().await;
+                    state
+                        .turn_summary
+                        .file_change_started
+                        .insert(item_id.clone())
                };
                if first_start {
                    let item = ThreadItem::FileChange {
@@ -198,7 +192,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                        rx,
                        conversation,
                        outgoing,
-                        turn_summary_store,
+                        thread_state.clone(),
                    )
                    .await;
                });
@@ -718,18 +712,22 @@ pub(crate) async fn apply_bespoke_event_handling(
                return handle_thread_rollback_failed(
                    conversation_id,
                    message,
-                    &pending_rollbacks,
+                    &thread_state,
                    &outgoing,
                )
                .await;
            };

+            if !ev.affects_turn_status() {
+                return;
+            }
+
            let turn_error = TurnError {
                message: ev.message,
                codex_error_info: ev.codex_error_info.map(V2CodexErrorInfo::from),
                additional_details: None,
            };
-            handle_error(conversation_id, turn_error.clone(), &turn_summary_store).await;
+            handle_error(conversation_id, turn_error.clone(), &thread_state).await;
            outgoing
                .send_server_notification(ServerNotification::Error(ErrorNotification {
                    error: turn_error.clone(),
@@ -857,7 +855,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                conversation_id,
                &event_turn_id,
                raw_response_item_event.item,
-                outgoing.as_ref(),
+                &outgoing,
            )
            .await;
        }
@@ -867,9 +865,11 @@ pub(crate) async fn apply_bespoke_event_handling(
            let item_id = patch_begin_event.call_id.clone();

            let first_start = {
-                let mut map = turn_summary_store.lock().await;
-                let summary = map.entry(conversation_id).or_default();
-                summary.file_change_started.insert(item_id.clone())
+                let mut state = thread_state.lock().await;
+                state
+                    .turn_summary
+                    .file_change_started
+                    .insert(item_id.clone())
            };
            if first_start {
                let item = ThreadItem::FileChange {
@@ -892,11 +892,7 @@ pub(crate) async fn apply_bespoke_event_handling(
            // and emit the corresponding EventMsg, we repurpose the call_id as the item_id.
            let item_id = patch_end_event.call_id.clone();

-            let status = if patch_end_event.success {
-                PatchApplyStatus::Completed
-            } else {
-                PatchApplyStatus::Failed
-            };
+            let status: PatchApplyStatus = (&patch_end_event.status).into();
            let changes = convert_patch_changes(&patch_end_event.changes);
            complete_file_change_item(
                conversation_id,
@@ -904,8 +900,8 @@ pub(crate) async fn apply_bespoke_event_handling(
                changes,
                status,
                event_turn_id.clone(),
-                outgoing.as_ref(),
-                &turn_summary_store,
+                &outgoing,
+                &thread_state,
            )
            .await;
        }
@@ -950,9 +946,8 @@ pub(crate) async fn apply_bespoke_event_handling(
            // We need to detect which item type it is so we can emit the right notification.
            // We already have state tracking FileChange items on item/started, so let's use that.
            let is_file_change = {
-                let map = turn_summary_store.lock().await;
-                map.get(&conversation_id)
-                    .is_some_and(|summary| summary.file_change_started.contains(&item_id))
+                let state = thread_state.lock().await;
+                state.turn_summary.file_change_started.contains(&item_id)
            };
            if is_file_change {
                let notification = FileChangeOutputDeltaNotification {
@@ -1004,14 +999,11 @@ pub(crate) async fn apply_bespoke_event_handling(
                aggregated_output,
                exit_code,
                duration,
+                status,
                ..
            } = exec_command_end_event;

-            let status = if exit_code == 0 {
-                CommandExecutionStatus::Completed
-            } else {
-                CommandExecutionStatus::Failed
-            };
+            let status: CommandExecutionStatus = (&status).into();
            let command_actions = parsed_cmd
                .into_iter()
                .map(V2ParsedCommand::from)
@@ -1049,8 +1041,8 @@ pub(crate) async fn apply_bespoke_event_handling(
        // If this is a TurnAborted, reply to any pending interrupt requests.
        EventMsg::TurnAborted(turn_aborted_event) => {
            let pending = {
-                let mut map = pending_interrupts.lock().await;
-                map.remove(&conversation_id).unwrap_or_default()
+                let mut state = thread_state.lock().await;
+                std::mem::take(&mut state.pending_interrupts)
            };
            if !pending.is_empty() {
                for (rid, ver) in pending {
@@ -1069,18 +1061,12 @@ pub(crate) async fn apply_bespoke_event_handling(
                }
            }

-            handle_turn_interrupted(
-                conversation_id,
-                event_turn_id,
-                &outgoing,
-                &turn_summary_store,
-            )
-            .await;
+            handle_turn_interrupted(conversation_id, event_turn_id, &outgoing, &thread_state).await;
        }
        EventMsg::ThreadRolledBack(_rollback_event) => {
            let pending = {
-                let mut map = pending_rollbacks.lock().await;
-                map.remove(&conversation_id)
+                let mut state = thread_state.lock().await;
+                state.pending_rollbacks.take()
            };

            if let Some(request_id) = pending {
@@ -1101,9 +1087,9 @@ pub(crate) async fn apply_bespoke_event_handling(
                {
                    Ok(summary) => {
                        let mut thread = summary_to_thread(summary);
-                        match read_event_msgs_from_rollout(rollout_path.as_path()).await {
-                            Ok(events) => {
-                                thread.turns = build_turns_from_event_msgs(&events);
+                        match read_rollout_items_from_rollout(rollout_path.as_path()).await {
+                            Ok(items) => {
+                                thread.turns = build_turns_from_rollout_items(&items);
                                ThreadRollbackResponse { thread }
                            }
                            Err(err) => {
@@ -1115,7 +1101,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                                    ),
                                    data: None,
                                };
-                                outgoing.send_error(request_id, error).await;
+                                outgoing.send_error(request_id.clone(), error).await;
                                return;
                            }
                        }
@@ -1129,7 +1115,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                            ),
                            data: None,
                        };
-                        outgoing.send_error(request_id, error).await;
+                        outgoing.send_error(request_id.clone(), error).await;
                        return;
                    }
                };
@@ -1154,7 +1140,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                &event_turn_id,
                turn_diff_event,
                api_version,
-                outgoing.as_ref(),
+                &outgoing,
            )
            .await;
        }
@@ -1164,7 +1150,7 @@ pub(crate) async fn apply_bespoke_event_handling(
                &event_turn_id,
                plan_update_event,
                api_version,
-                outgoing.as_ref(),
+                &outgoing,
            )
            .await;
        }
@@ -1178,7 +1164,7 @@ async fn handle_turn_diff(
    event_turn_id: &str,
    turn_diff_event: TurnDiffEvent,
    api_version: ApiVersion,
-    outgoing: &OutgoingMessageSender,
+    outgoing: &ThreadScopedOutgoingMessageSender,
 ) {
    if let ApiVersion::V2 = api_version {
        let notification = TurnDiffUpdatedNotification {
@@ -1197,7 +1183,7 @@ async fn handle_turn_plan_update(
    event_turn_id: &str,
    plan_update_event: UpdatePlanArgs,
    api_version: ApiVersion,
-    outgoing: &OutgoingMessageSender,
+    outgoing: &ThreadScopedOutgoingMessageSender,
 ) {
    // `update_plan` is a todo/checklist tool; it is not related to plan-mode updates
    if let ApiVersion::V2 = api_version {
@@ -1222,7 +1208,7 @@ async fn emit_turn_completed_with_status(
    event_turn_id: String,
    status: TurnStatus,
    error: Option<TurnError>,
-    outgoing: &OutgoingMessageSender,
+    outgoing: &ThreadScopedOutgoingMessageSender,
 ) {
    let notification = TurnCompletedNotification {
        thread_id: conversation_id.to_string(),
@@ -1244,15 +1230,12 @@ async fn complete_file_change_item(
    changes: Vec<FileUpdateChange>,
    status: PatchApplyStatus,
    turn_id: String,
-    outgoing: &OutgoingMessageSender,
-    turn_summary_store: &TurnSummaryStore,
+    outgoing: &ThreadScopedOutgoingMessageSender,
+    thread_state: &Arc<Mutex<ThreadState>>,
 ) {
-    {
-        let mut map = turn_summary_store.lock().await;
-        if let Some(summary) = map.get_mut(&conversation_id) {
-            summary.file_change_started.remove(&item_id);
-        }
-    }
+    let mut state = thread_state.lock().await;
+    state.turn_summary.file_change_started.remove(&item_id);
+    drop(state);

    let item = ThreadItem::FileChange {
        id: item_id,
@@ -1279,7 +1262,7 @@ async fn complete_command_execution_item(
    process_id: Option<String>,
    command_actions: Vec<V2ParsedCommand>,
    status: CommandExecutionStatus,
-    outgoing: &OutgoingMessageSender,
+    outgoing: &ThreadScopedOutgoingMessageSender,
 ) {
    let item = ThreadItem::CommandExecution {
        id: item_id,
@@ -1307,7 +1290,7 @@ async fn maybe_emit_raw_response_item_completed(
    conversation_id: ThreadId,
    turn_id: &str,
    item: codex_protocol::models::ResponseItem,
-    outgoing: &OutgoingMessageSender,
+    outgoing: &ThreadScopedOutgoingMessageSender,
 ) {
    let ApiVersion::V2 = api_version else {
        return;
@@ -1324,20 +1307,20 @@ async fn maybe_emit_raw_response_item_completed(
 }

 async fn find_and_remove_turn_summary(
-    conversation_id: ThreadId,
-    turn_summary_store: &TurnSummaryStore,
+    _conversation_id: ThreadId,
+    thread_state: &Arc<Mutex<ThreadState>>,
 ) -> TurnSummary {
-    let mut map = turn_summary_store.lock().await;
-    map.remove(&conversation_id).unwrap_or_default()
+    let mut state = thread_state.lock().await;
+    std::mem::take(&mut state.turn_summary)
 }

 async fn handle_turn_complete(
    conversation_id: ThreadId,
    event_turn_id: String,
-    outgoing: &OutgoingMessageSender,
-    turn_summary_store: &TurnSummaryStore,
+    outgoing: &ThreadScopedOutgoingMessageSender,
+    thread_state: &Arc<Mutex<ThreadState>>,
 ) {
-    let turn_summary = find_and_remove_turn_summary(conversation_id, turn_summary_store).await;
+    let turn_summary = find_and_remove_turn_summary(conversation_id, thread_state).await;

    let (status, error) = match turn_summary.last_error {
        Some(error) => (TurnStatus::Failed, Some(error)),
@@ -1350,10 +1333,10 @@ async fn handle_turn_complete(
 async fn handle_turn_interrupted(
    conversation_id: ThreadId,
    event_turn_id: String,
-    outgoing: &OutgoingMessageSender,
-    turn_summary_store: &TurnSummaryStore,
+    outgoing: &ThreadScopedOutgoingMessageSender,
+    thread_state: &Arc<Mutex<ThreadState>>,
 ) {
-    find_and_remove_turn_summary(conversation_id, turn_summary_store).await;
+    find_and_remove_turn_summary(conversation_id, thread_state).await;

    emit_turn_completed_with_status(
        conversation_id,
@@ -1366,15 +1349,12 @@ async fn handle_turn_interrupted(
 }

 async fn handle_thread_rollback_failed(
-    conversation_id: ThreadId,
+    _conversation_id: ThreadId,
    message: String,
-    pending_rollbacks: &PendingRollbacks,
-    outgoing: &OutgoingMessageSender,
+    thread_state: &Arc<Mutex<ThreadState>>,
+    outgoing: &ThreadScopedOutgoingMessageSender,
 ) {
-    let pending_rollback = {
-        let mut map = pending_rollbacks.lock().await;
-        map.remove(&conversation_id)
-    };
+    let pending_rollback = thread_state.lock().await.pending_rollbacks.take();

    if let Some(request_id) = pending_rollback {
        outgoing
@@ -1394,7 +1374,7 @@ async fn handle_token_count_event(
    conversation_id: ThreadId,
    turn_id: String,
    token_count_event: TokenCountEvent,
-    outgoing: &OutgoingMessageSender,
+    outgoing: &ThreadScopedOutgoingMessageSender,
 ) {
    let TokenCountEvent { info, rate_limits } = token_count_event;
    if let Some(token_usage) = info.map(ThreadTokenUsage::from) {
@@ -1419,22 +1399,35 @@ async fn handle_token_count_event(
 }

 async fn handle_error(
-    conversation_id: ThreadId,
+    _conversation_id: ThreadId,
    error: TurnError,
-    turn_summary_store: &TurnSummaryStore,
+    thread_state: &Arc<Mutex<ThreadState>>,
 ) {
-    let mut map = turn_summary_store.lock().await;
-    map.entry(conversation_id).or_default().last_error = Some(error);
+    let mut state = thread_state.lock().await;
+    state.turn_summary.last_error = Some(error);
 }

 async fn on_patch_approval_response(
    call_id: String,
-    receiver: oneshot::Receiver<JsonValue>,
+    receiver: oneshot::Receiver<ClientRequestResult>,
    codex: Arc<CodexThread>,
 ) {
    let response = receiver.await;
    let value = match response {
-        Ok(value) => value,
+        Ok(Ok(value)) => value,
+        Ok(Err(err)) => {
+            error!("request failed with client error: {err:?}");
+            if let Err(submit_err) = codex
+                .submit(Op::PatchApproval {
+                    id: call_id.clone(),
+                    decision: ReviewDecision::Denied,
+                })
+                .await
+            {
+                error!("failed to submit denied PatchApproval after request failure: {submit_err}");
+            }
+            return;
+        }
        Err(err) => {
            error!("request failed: {err:?}");
            if let Err(submit_err) = codex
@@ -1472,12 +1465,16 @@ async fn on_patch_approval_response(
 async fn on_exec_approval_response(
    call_id: String,
    turn_id: String,
-    receiver: oneshot::Receiver<JsonValue>,
+    receiver: oneshot::Receiver<ClientRequestResult>,
    conversation: Arc<CodexThread>,
 ) {
    let response = receiver.await;
    let value = match response {
-        Ok(value) => value,
+        Ok(Ok(value)) => value,
+        Ok(Err(err)) => {
+            error!("request failed with client error: {err:?}");
+            return;
+        }
        Err(err) => {
            error!("request failed: {err:?}");
            return;
@@ -1509,12 +1506,28 @@ async fn on_exec_approval_response(

 async fn on_request_user_input_response(
    event_turn_id: String,
-    receiver: oneshot::Receiver<JsonValue>,
+    receiver: oneshot::Receiver<ClientRequestResult>,
    conversation: Arc<CodexThread>,
 ) {
    let response = receiver.await;
    let value = match response {
-        Ok(value) => value,
+        Ok(Ok(value)) => value,
+        Ok(Err(err)) => {
+            error!("request failed with client error: {err:?}");
+            let empty = CoreRequestUserInputResponse {
+                answers: HashMap::new(),
+            };
+            if let Err(err) = conversation
+                .submit(Op::UserInputAnswer {
+                    id: event_turn_id,
+                    response: empty,
+                })
+                .await
+            {
+                error!("failed to submit UserInputAnswer: {err}");
+            }
+            return;
+        }
        Err(err) => {
            error!("request failed: {err:?}");
            let empty = CoreRequestUserInputResponse {
@@ -1649,14 +1662,14 @@ async fn on_file_change_request_approval_response(
    conversation_id: ThreadId,
    item_id: String,
    changes: Vec<FileUpdateChange>,
-    receiver: oneshot::Receiver<JsonValue>,
+    receiver: oneshot::Receiver<ClientRequestResult>,
    codex: Arc<CodexThread>,
-    outgoing: Arc<OutgoingMessageSender>,
-    turn_summary_store: TurnSummaryStore,
+    outgoing: ThreadScopedOutgoingMessageSender,
+    thread_state: Arc<Mutex<ThreadState>>,
 ) {
    let response = receiver.await;
    let (decision, completion_status) = match response {
-        Ok(value) => {
+        Ok(Ok(value)) => {
            let response = serde_json::from_value::<FileChangeRequestApprovalResponse>(value)
                .unwrap_or_else(|err| {
                    error!("failed to deserialize FileChangeRequestApprovalResponse: {err}");
@@ -1671,6 +1684,10 @@ async fn on_file_change_request_approval_response(
            // Only short-circuit on declines/cancels/failures.
            (decision, completion_status)
        }
+        Ok(Err(err)) => {
+            error!("request failed with client error: {err:?}");
+            (ReviewDecision::Denied, Some(PatchApplyStatus::Failed))
+        }
        Err(err) => {
            error!("request failed: {err:?}");
            (ReviewDecision::Denied, Some(PatchApplyStatus::Failed))
@@ -1684,8 +1701,8 @@ async fn on_file_change_request_approval_response(
            changes,
            status,
            event_turn_id.clone(),
-            outgoing.as_ref(),
-            &turn_summary_store,
+            &outgoing,
+            &thread_state,
        )
        .await;
    }
@@ -1709,13 +1726,13 @@ async fn on_command_execution_request_approval_response(
    command: String,
    cwd: PathBuf,
    command_actions: Vec<V2ParsedCommand>,
-    receiver: oneshot::Receiver<JsonValue>,
+    receiver: oneshot::Receiver<ClientRequestResult>,
    conversation: Arc<CodexThread>,
-    outgoing: Arc<OutgoingMessageSender>,
+    outgoing: ThreadScopedOutgoingMessageSender,
 ) {
    let response = receiver.await;
    let (decision, completion_status) = match response {
-        Ok(value) => {
+        Ok(Ok(value)) => {
            let response = serde_json::from_value::<CommandExecutionRequestApprovalResponse>(value)
                .unwrap_or_else(|err| {
                    error!("failed to deserialize CommandExecutionRequestApprovalResponse: {err}");
@@ -1750,6 +1767,10 @@ async fn on_command_execution_request_approval_response(
            };
            (decision, completion_status)
        }
+        Ok(Err(err)) => {
+            error!("request failed with client error: {err:?}");
+            (ReviewDecision::Denied, Some(CommandExecutionStatus::Failed))
+        }
        Err(err) => {
            error!("request failed: {err:?}");
            (ReviewDecision::Denied, Some(CommandExecutionStatus::Failed))
@@ -1766,7 +1787,7 @@ async fn on_command_execution_request_approval_response(
            None,
            command_actions.clone(),
            status,
-            outgoing.as_ref(),
+            &outgoing,
        )
        .await;
    }
@@ -1894,6 +1915,8 @@ async fn construct_mcp_tool_call_end_notification(
 mod tests {
    use super::*;
    use crate::CHANNEL_CAPACITY;
+    use crate::outgoing_message::ConnectionId;
+    use crate::outgoing_message::OutgoingEnvelope;
    use crate::outgoing_message::OutgoingMessage;
    use crate::outgoing_message::OutgoingMessageSender;
    use anyhow::Result;
@@ -1914,13 +1937,25 @@ mod tests {
    use pretty_assertions::assert_eq;
    use rmcp::model::Content;
    use serde_json::Value as JsonValue;
-    use std::collections::HashMap;
    use std::time::Duration;
    use tokio::sync::Mutex;
    use tokio::sync::mpsc;

-    fn new_turn_summary_store() -> TurnSummaryStore {
-        Arc::new(Mutex::new(HashMap::new()))
+    fn new_thread_state() -> Arc<Mutex<ThreadState>> {
+        Arc::new(Mutex::new(ThreadState::default()))
+    }
+
+    async fn recv_broadcast_message(
+        rx: &mut mpsc::Receiver<OutgoingEnvelope>,
+    ) -> Result<OutgoingMessage> {
+        let envelope = rx
+            .recv()
+            .await
+            .ok_or_else(|| anyhow!("should send one message"))?;
+        match envelope {
+            OutgoingEnvelope::Broadcast { message } => Ok(message),
+            OutgoingEnvelope::ToConnection { message, .. } => Ok(message),
+        }
    }

    #[test]
@@ -1983,7 +2018,7 @@ mod tests {
    #[tokio::test]
    async fn test_handle_error_records_message() -> Result<()> {
        let conversation_id = ThreadId::new();
-        let turn_summary_store = new_turn_summary_store();
+        let thread_state = new_thread_state();

        handle_error(
            conversation_id,
@@ -1992,11 +2027,11 @@ mod tests {
                codex_error_info: Some(V2CodexErrorInfo::InternalServerError),
                additional_details: None,
            },
-            &turn_summary_store,
+            &thread_state,
        )
        .await;

-        let turn_summary = find_and_remove_turn_summary(conversation_id, &turn_summary_store).await;
+        let turn_summary = find_and_remove_turn_summary(conversation_id, &thread_state).await;
        assert_eq!(
            turn_summary.last_error,
            Some(TurnError {
@@ -2014,20 +2049,18 @@ mod tests {
        let event_turn_id = "complete1".to_string();
        let (tx, mut rx) = mpsc::channel(CHANNEL_CAPACITY);
        let outgoing = Arc::new(OutgoingMessageSender::new(tx));
-        let turn_summary_store = new_turn_summary_store();
+        let outgoing = ThreadScopedOutgoingMessageSender::new(outgoing, vec![ConnectionId(1)]);
+        let thread_state = new_thread_state();

        handle_turn_complete(
            conversation_id,
            event_turn_id.clone(),
            &outgoing,
-            &turn_summary_store,
+            &thread_state,
        )
        .await;

-        let msg = rx
-            .recv()
-            .await
-            .ok_or_else(|| anyhow!("should send one notification"))?;
+        let msg = recv_broadcast_message(&mut rx).await?;
        match msg {
            OutgoingMessage::AppServerNotification(ServerNotification::TurnCompleted(n)) => {
                assert_eq!(n.turn.id, event_turn_id);
@@ -2044,7 +2077,7 @@ mod tests {
    async fn test_handle_turn_interrupted_emits_interrupted_with_error() -> Result<()> {
        let conversation_id = ThreadId::new();
        let event_turn_id = "interrupt1".to_string();
-        let turn_summary_store = new_turn_summary_store();
+        let thread_state = new_thread_state();
        handle_error(
            conversation_id,
            TurnError {
@@ -2052,24 +2085,22 @@ mod tests {
                codex_error_info: None,
                additional_details: None,
            },
-            &turn_summary_store,
+            &thread_state,
        )
        .await;
        let (tx, mut rx) = mpsc::channel(CHANNEL_CAPACITY);
        let outgoing = Arc::new(OutgoingMessageSender::new(tx));
+        let outgoing = ThreadScopedOutgoingMessageSender::new(outgoing, vec![ConnectionId(1)]);

        handle_turn_interrupted(
            conversation_id,
            event_turn_id.clone(),
            &outgoing,
-            &turn_summary_store,
+            &thread_state,
        )
        .await;

-        let msg = rx
-            .recv()
-            .await
-            .ok_or_else(|| anyhow!("should send one notification"))?;
+        let msg = recv_broadcast_message(&mut rx).await?;
        match msg {
            OutgoingMessage::AppServerNotification(ServerNotification::TurnCompleted(n)) => {
                assert_eq!(n.turn.id, event_turn_id);
@@ -2086,7 +2117,7 @@ mod tests {
    async fn test_handle_turn_complete_emits_failed_with_error() -> Result<()> {
        let conversation_id = ThreadId::new();
        let event_turn_id = "complete_err1".to_string();
-        let turn_summary_store = new_turn_summary_store();
+        let thread_state = new_thread_state();
        handle_error(
            conversation_id,
            TurnError {
@@ -2094,24 +2125,22 @@ mod tests {
                codex_error_info: Some(V2CodexErrorInfo::Other),
                additional_details: None,
            },
-            &turn_summary_store,
+            &thread_state,
        )
        .await;
        let (tx, mut rx) = mpsc::channel(CHANNEL_CAPACITY);
        let outgoing = Arc::new(OutgoingMessageSender::new(tx));
+        let outgoing = ThreadScopedOutgoingMessageSender::new(outgoing, vec![ConnectionId(1)]);

        handle_turn_complete(
            conversation_id,
            event_turn_id.clone(),
            &outgoing,
-            &turn_summary_store,
+            &thread_state,
        )
        .await;

-        let msg = rx
-            .recv()
-            .await
-            .ok_or_else(|| anyhow!("should send one notification"))?;
+        let msg = recv_broadcast_message(&mut rx).await?;
        match msg {
            OutgoingMessage::AppServerNotification(ServerNotification::TurnCompleted(n)) => {
                assert_eq!(n.turn.id, event_turn_id);
@@ -2134,7 +2163,8 @@ mod tests {
    #[tokio::test]
    async fn test_handle_turn_plan_update_emits_notification_for_v2() -> Result<()> {
        let (tx, mut rx) = mpsc::channel(CHANNEL_CAPACITY);
-        let outgoing = OutgoingMessageSender::new(tx);
+        let outgoing = Arc::new(OutgoingMessageSender::new(tx));
+        let outgoing = ThreadScopedOutgoingMessageSender::new(outgoing, vec![ConnectionId(1)]);
        let update = UpdatePlanArgs {
            explanation: Some("need plan".to_string()),
            plan: vec![
@@ -2160,10 +2190,7 @@ mod tests {
        )
        .await;

-        let msg = rx
-            .recv()
-            .await
-            .ok_or_else(|| anyhow!("should send one notification"))?;
+        let msg = recv_broadcast_message(&mut rx).await?;
        match msg {
            OutgoingMessage::AppServerNotification(ServerNotification::TurnPlanUpdated(n)) => {
                assert_eq!(n.thread_id, conversation_id.to_string());
@@ -2187,6 +2214,7 @@ mod tests {
        let turn_id = "turn-123".to_string();
        let (tx, mut rx) = mpsc::channel(CHANNEL_CAPACITY);
        let outgoing = Arc::new(OutgoingMessageSender::new(tx));
+        let outgoing = ThreadScopedOutgoingMessageSender::new(outgoing, vec![ConnectionId(1)]);

        let info = TokenUsageInfo {
            total_token_usage: TokenUsage {
@@ -2206,6 +2234,8 @@ mod tests {
            model_context_window: Some(4096),
        };
        let rate_limits = RateLimitSnapshot {
+            limit_id: Some("codex".to_string()),
+            limit_name: None,
            primary: Some(RateLimitWindow {
                used_percent: 42.5,
                window_minutes: Some(15),
@@ -2231,10 +2261,7 @@ mod tests {
        )
        .await;

-        let first = rx
-            .recv()
-            .await
-            .ok_or_else(|| anyhow!("expected usage notification"))?;
+        let first = recv_broadcast_message(&mut rx).await?;
        match first {
            OutgoingMessage::AppServerNotification(
                ServerNotification::ThreadTokenUsageUpdated(payload),
@@ -2250,14 +2277,13 @@ mod tests {
            other => bail!("unexpected notification: {other:?}"),
        }

-        let second = rx
-            .recv()
-            .await
-            .ok_or_else(|| anyhow!("expected rate limit notification"))?;
+        let second = recv_broadcast_message(&mut rx).await?;
        match second {
            OutgoingMessage::AppServerNotification(
                ServerNotification::AccountRateLimitsUpdated(payload),
            ) => {
+                assert_eq!(payload.rate_limits.limit_id.as_deref(), Some("codex"));
+                assert_eq!(payload.rate_limits.limit_name, None);
                assert!(payload.rate_limits.primary.is_some());
                assert!(payload.rate_limits.credits.is_some());
            }
@@ -2272,6 +2298,7 @@ mod tests {
        let turn_id = "turn-456".to_string();
        let (tx, mut rx) = mpsc::channel(CHANNEL_CAPACITY);
        let outgoing = Arc::new(OutgoingMessageSender::new(tx));
+        let outgoing = ThreadScopedOutgoingMessageSender::new(outgoing, vec![ConnectionId(1)]);

        handle_token_count_event(
            conversation_id,
@@ -2334,10 +2361,11 @@ mod tests {
        // Conversation A will have two turns; Conversation B will have one turn.
        let conversation_a = ThreadId::new();
        let conversation_b = ThreadId::new();
-        let turn_summary_store = new_turn_summary_store();
+        let thread_state = new_thread_state();

        let (tx, mut rx) = mpsc::channel(CHANNEL_CAPACITY);
        let outgoing = Arc::new(OutgoingMessageSender::new(tx));
+        let outgoing = ThreadScopedOutgoingMessageSender::new(outgoing, vec![ConnectionId(1)]);

        // Turn 1 on conversation A
        let a_turn1 = "a_turn1".to_string();
@@ -2348,16 +2376,10 @@ mod tests {
                codex_error_info: Some(V2CodexErrorInfo::BadRequest),
                additional_details: None,
            },
-            &turn_summary_store,
-        )
-        .await;
-        handle_turn_complete(
-            conversation_a,
-            a_turn1.clone(),
-            &outgoing,
-            &turn_summary_store,
+            &thread_state,
        )
        .await;
+        handle_turn_complete(conversation_a, a_turn1.clone(), &outgoing, &thread_state).await;

        // Turn 1 on conversation B
        let b_turn1 = "b_turn1".to_string();
@@ -2368,32 +2390,17 @@ mod tests {
                codex_error_info: None,
                additional_details: None,
            },
-            &turn_summary_store,
-        )
-        .await;
-        handle_turn_complete(
-            conversation_b,
-            b_turn1.clone(),
-            &outgoing,
-            &turn_summary_store,
+            &thread_state,
        )
        .await;
+        handle_turn_complete(conversation_b, b_turn1.clone(), &outgoing, &thread_state).await;

        // Turn 2 on conversation A
        let a_turn2 = "a_turn2".to_string();
-        handle_turn_complete(
-            conversation_a,
-            a_turn2.clone(),
-            &outgoing,
-            &turn_summary_store,
-        )
-        .await;
+        handle_turn_complete(conversation_a, a_turn2.clone(), &outgoing, &thread_state).await;

        // Verify: A turn 1
-        let msg = rx
-            .recv()
-            .await
-            .ok_or_else(|| anyhow!("should send first notification"))?;
+        let msg = recv_broadcast_message(&mut rx).await?;
        match msg {
            OutgoingMessage::AppServerNotification(ServerNotification::TurnCompleted(n)) => {
                assert_eq!(n.turn.id, a_turn1);
@@ -2411,10 +2418,7 @@ mod tests {
        }

        // Verify: B turn 1
-        let msg = rx
-            .recv()
-            .await
-            .ok_or_else(|| anyhow!("should send second notification"))?;
+        let msg = recv_broadcast_message(&mut rx).await?;
        match msg {
            OutgoingMessage::AppServerNotification(ServerNotification::TurnCompleted(n)) => {
                assert_eq!(n.turn.id, b_turn1);
@@ -2432,10 +2436,7 @@ mod tests {
        }

        // Verify: A turn 2
-        let msg = rx
-            .recv()
-            .await
-            .ok_or_else(|| anyhow!("should send third notification"))?;
+        let msg = recv_broadcast_message(&mut rx).await?;
        match msg {
            OutgoingMessage::AppServerNotification(ServerNotification::TurnCompleted(n)) => {
                assert_eq!(n.turn.id, a_turn2);
@@ -2586,7 +2587,8 @@ mod tests {
    #[tokio::test]
    async fn test_handle_turn_diff_emits_v2_notification() -> Result<()> {
        let (tx, mut rx) = mpsc::channel(CHANNEL_CAPACITY);
-        let outgoing = OutgoingMessageSender::new(tx);
+        let outgoing = Arc::new(OutgoingMessageSender::new(tx));
+        let outgoing = ThreadScopedOutgoingMessageSender::new(outgoing, vec![ConnectionId(1)]);
        let unified_diff = "--- a\n+++ b\n".to_string();
        let conversation_id = ThreadId::new();

@@ -2601,10 +2603,7 @@ mod tests {
        )
        .await;

-        let msg = rx
-            .recv()
-            .await
-            .ok_or_else(|| anyhow!("should send one notification"))?;
+        let msg = recv_broadcast_message(&mut rx).await?;
        match msg {
            OutgoingMessage::AppServerNotification(ServerNotification::TurnDiffUpdated(
                notification,
@@ -2622,7 +2621,8 @@ mod tests {
    #[tokio::test]
    async fn test_handle_turn_diff_is_noop_for_v1() -> Result<()> {
        let (tx, mut rx) = mpsc::channel(CHANNEL_CAPACITY);
-        let outgoing = OutgoingMessageSender::new(tx);
+        let outgoing = Arc::new(OutgoingMessageSender::new(tx));
+        let outgoing = ThreadScopedOutgoingMessageSender::new(outgoing, vec![ConnectionId(1)]);
        let conversation_id = ThreadId::new();

        handle_turn_diff(
--- a/codex-rs/app-server/src/codex_message_processor.rs
+++ b/codex-rs/app-server/src/codex_message_processor.rs
--- a/codex-rs/app-server/src/dynamic_tools.rs
+++ b/codex-rs/app-server/src/dynamic_tools.rs
@@ -7,14 +7,35 @@ use std::sync::Arc;
 use tokio::sync::oneshot;
 use tracing::error;

+use crate::outgoing_message::ClientRequestResult;
+
 pub(crate) async fn on_call_response(
    call_id: String,
-    receiver: oneshot::Receiver<serde_json::Value>,
+    receiver: oneshot::Receiver<ClientRequestResult>,
    conversation: Arc<CodexThread>,
 ) {
    let response = receiver.await;
    let value = match response {
-        Ok(value) => value,
+        Ok(Ok(value)) => value,
+        Ok(Err(err)) => {
+            error!("request failed with client error: {err:?}");
+            let fallback = CoreDynamicToolResponse {
+                content_items: vec![CoreDynamicToolCallOutputContentItem::InputText {
+                    text: "dynamic tool request failed".to_string(),
+                }],
+                success: false,
+            };
+            if let Err(err) = conversation
+                .submit(Op::DynamicToolResponse {
+                    id: call_id.clone(),
+                    response: fallback,
+                })
+                .await
+            {
+                error!("failed to submit DynamicToolResponse: {err}");
+            }
+            return;
+        }
        Err(err) => {
            error!("request failed: {err:?}");
            let fallback = CoreDynamicToolResponse {
--- a/codex-rs/app-server/src/error_code.rs
+++ b/codex-rs/app-server/src/error_code.rs
@@ -1,2 +1,3 @@
 pub(crate) const INVALID_REQUEST_ERROR_CODE: i64 = -32600;
 pub(crate) const INTERNAL_ERROR_CODE: i64 = -32603;
+pub(crate) const OVERLOADED_ERROR_CODE: i64 = -32001;
--- a/codex-rs/app-server/src/fuzzy_file_search.rs
+++ b/codex-rs/app-server/src/fuzzy_file_search.rs
@@ -1,12 +1,18 @@
 use std::num::NonZero;
 use std::path::PathBuf;
 use std::sync::Arc;
+use std::sync::Mutex;
 use std::sync::atomic::AtomicBool;
+use std::sync::atomic::Ordering;

 use codex_app_server_protocol::FuzzyFileSearchResult;
+use codex_app_server_protocol::FuzzyFileSearchSessionUpdatedNotification;
+use codex_app_server_protocol::ServerNotification;
 use codex_file_search as file_search;
 use tracing::warn;

+use crate::outgoing_message::OutgoingMessageSender;
+
 const MATCH_LIMIT: usize = 50;
 const MAX_THREADS: usize = 12;

@@ -77,3 +83,148 @@ pub(crate) async fn run_fuzzy_file_search(

    files
 }
+
+pub(crate) struct FuzzyFileSearchSession {
+    session: file_search::FileSearchSession,
+    shared: Arc<SessionShared>,
+}
+
+impl FuzzyFileSearchSession {
+    pub(crate) fn update_query(&self, query: String) {
+        if self.shared.canceled.load(Ordering::Relaxed) {
+            return;
+        }
+        {
+            #[expect(clippy::unwrap_used)]
+            let mut latest_query = self.shared.latest_query.lock().unwrap();
+            *latest_query = query.clone();
+        }
+        self.session.update_query(&query);
+    }
+}
+
+impl Drop for FuzzyFileSearchSession {
+    fn drop(&mut self) {
+        self.shared.canceled.store(true, Ordering::Relaxed);
+    }
+}
+
+pub(crate) fn start_fuzzy_file_search_session(
+    session_id: String,
+    roots: Vec<String>,
+    outgoing: Arc<OutgoingMessageSender>,
+) -> anyhow::Result<FuzzyFileSearchSession> {
+    #[expect(clippy::expect_used)]
+    let limit = NonZero::new(MATCH_LIMIT).expect("MATCH_LIMIT should be a valid non-zero usize");
+    let cores = std::thread::available_parallelism()
+        .map(std::num::NonZero::get)
+        .unwrap_or(1);
+    let threads = cores.min(MAX_THREADS);
+    #[expect(clippy::expect_used)]
+    let threads = NonZero::new(threads.max(1)).expect("threads should be non-zero");
+    let search_dirs: Vec<PathBuf> = roots.iter().map(PathBuf::from).collect();
+    let canceled = Arc::new(AtomicBool::new(false));
+
+    let shared = Arc::new(SessionShared {
+        session_id,
+        latest_query: Mutex::new(String::new()),
+        outgoing,
+        runtime: tokio::runtime::Handle::current(),
+        canceled: canceled.clone(),
+    });
+
+    let reporter = Arc::new(SessionReporterImpl {
+        shared: shared.clone(),
+    });
+    let session = file_search::create_session(
+        search_dirs,
+        file_search::FileSearchOptions {
+            limit,
+            threads,
+            compute_indices: true,
+            ..Default::default()
+        },
+        reporter,
+        Some(canceled),
+    )?;
+
+    Ok(FuzzyFileSearchSession { session, shared })
+}
+
+struct SessionShared {
+    session_id: String,
+    latest_query: Mutex<String>,
+    outgoing: Arc<OutgoingMessageSender>,
+    runtime: tokio::runtime::Handle,
+    canceled: Arc<AtomicBool>,
+}
+
+struct SessionReporterImpl {
+    shared: Arc<SessionShared>,
+}
+
+impl SessionReporterImpl {
+    fn send_snapshot(&self, snapshot: &file_search::FileSearchSnapshot) {
+        if self.shared.canceled.load(Ordering::Relaxed) {
+            return;
+        }
+
+        let query = {
+            #[expect(clippy::unwrap_used)]
+            self.shared.latest_query.lock().unwrap().clone()
+        };
+        if snapshot.query != query {
+            return;
+        }
+
+        let files = if query.is_empty() {
+            Vec::new()
+        } else {
+            collect_files(snapshot)
+        };
+
+        let notification = ServerNotification::FuzzyFileSearchSessionUpdated(
+            FuzzyFileSearchSessionUpdatedNotification {
+                session_id: self.shared.session_id.clone(),
+                query,
+                files,
+            },
+        );
+        let outgoing = self.shared.outgoing.clone();
+        self.shared.runtime.spawn(async move {
+            outgoing.send_server_notification(notification).await;
+        });
+    }
+}
+
+impl file_search::SessionReporter for SessionReporterImpl {
+    fn on_update(&self, snapshot: &file_search::FileSearchSnapshot) {
+        self.send_snapshot(snapshot);
+    }
+
+    fn on_complete(&self) {}
+}
+
+fn collect_files(snapshot: &file_search::FileSearchSnapshot) -> Vec<FuzzyFileSearchResult> {
+    let mut files = snapshot
+        .matches
+        .iter()
+        .map(|m| {
+            let file_name = m.path.file_name().unwrap_or_default();
+            FuzzyFileSearchResult {
+                root: m.root.to_string_lossy().to_string(),
+                path: m.path.to_string_lossy().to_string(),
+                file_name: file_name.to_string_lossy().to_string(),
+                score: m.score,
+                indices: m.indices.clone(),
+            }
+        })
+        .collect::<Vec<_>>();
+
+    files.sort_by(file_search::cmp_by_score_desc_then_path_asc::<
+        FuzzyFileSearchResult,
+        _,
+        _,
+    >(|f| f.score, |f| f.path.as_str()));
+    files
+}
--- a/codex-rs/app-server/src/lib.rs
+++ b/codex-rs/app-server/src/lib.rs
@@ -1,21 +1,35 @@
 #![deny(clippy::print_stdout, clippy::print_stderr)]

 use codex_cloud_requirements::cloud_requirements_loader;
-use codex_common::CliConfigOverrides;
 use codex_core::AuthManager;
 use codex_core::config::Config;
 use codex_core::config::ConfigBuilder;
 use codex_core::config_loader::CloudRequirementsLoader;
 use codex_core::config_loader::ConfigLayerStackOrdering;
 use codex_core::config_loader::LoaderOverrides;
+use codex_utils_cli::CliConfigOverrides;
+use std::collections::HashMap;
+use std::collections::HashSet;
+use std::collections::VecDeque;
 use std::io::ErrorKind;
 use std::io::Result as IoResult;
 use std::path::PathBuf;
+use std::sync::Arc;
+use std::sync::RwLock;
+use std::sync::atomic::AtomicBool;

 use crate::message_processor::MessageProcessor;
 use crate::message_processor::MessageProcessorArgs;
-use crate::outgoing_message::OutgoingMessage;
+use crate::outgoing_message::ConnectionId;
+use crate::outgoing_message::OutgoingEnvelope;
 use crate::outgoing_message::OutgoingMessageSender;
+use crate::transport::CHANNEL_CAPACITY;
+use crate::transport::ConnectionState;
+use crate::transport::OutboundConnectionState;
+use crate::transport::TransportEvent;
+use crate::transport::route_outgoing_envelope;
+use crate::transport::start_stdio_connection;
+use crate::transport::start_websocket_acceptor;
 use codex_app_server_protocol::ConfigLayerSource;
 use codex_app_server_protocol::ConfigWarningNotification;
 use codex_app_server_protocol::JSONRPCMessage;
@@ -26,13 +40,9 @@ use codex_core::check_execpolicy_for_warnings;
 use codex_core::config_loader::ConfigLoadError;
 use codex_core::config_loader::TextRange as CoreTextRange;
 use codex_feedback::CodexFeedback;
-use tokio::io::AsyncBufReadExt;
-use tokio::io::AsyncWriteExt;
-use tokio::io::BufReader;
-use tokio::io::{self};
 use tokio::sync::mpsc;
+use tokio::task::JoinHandle;
 use toml::Value as TomlValue;
-use tracing::debug;
 use tracing::error;
 use tracing::info;
 use tracing::warn;
@@ -51,11 +61,31 @@ mod fuzzy_file_search;
 mod message_processor;
 mod models;
 mod outgoing_message;
+mod thread_state;
+mod transport;

-/// Size of the bounded channels used to communicate between tasks. The value
-/// is a balance between throughput and memory usage – 128 messages should be
-/// plenty for an interactive CLI.
-const CHANNEL_CAPACITY: usize = 128;
+pub use crate::transport::AppServerTransport;
+
+/// Control-plane messages from the processor/transport side to the outbound router task.
+///
+/// `run_main_with_transport` now uses two loops/tasks:
+/// - processor loop: handles incoming JSON-RPC and request dispatch
+/// - outbound loop: performs potentially slow writes to per-connection writers
+///
+/// `OutboundControlEvent` keeps those loops coordinated without sharing mutable
+/// connection state directly. In particular, the outbound loop needs to know
+/// when a connection opens/closes so it can route messages correctly.
+enum OutboundControlEvent {
+    /// Register a new writer for an opened connection.
+    Opened {
+        connection_id: ConnectionId,
+        writer: mpsc::Sender<crate::outgoing_message::OutgoingMessage>,
+        initialized: Arc<AtomicBool>,
+        opted_out_notification_methods: Arc<RwLock<HashSet<String>>>,
+    },
+    /// Remove state for a closed/disconnected connection.
+    Closed { connection_id: ConnectionId },
+}

 fn config_warning_from_error(
    summary: impl Into<String>,
@@ -173,32 +203,41 @@ pub async fn run_main(
    loader_overrides: LoaderOverrides,
    default_analytics_enabled: bool,
 ) -> IoResult<()> {
-    // Set up channels.
-    let (incoming_tx, mut incoming_rx) = mpsc::channel::<JSONRPCMessage>(CHANNEL_CAPACITY);
-    let (outgoing_tx, mut outgoing_rx) = mpsc::channel::<OutgoingMessage>(CHANNEL_CAPACITY);
+    run_main_with_transport(
+        codex_linux_sandbox_exe,
+        cli_config_overrides,
+        loader_overrides,
+        default_analytics_enabled,
+        AppServerTransport::Stdio,
+    )
+    .await
+}

-    // Task: read from stdin, push to `incoming_tx`.
-    let stdin_reader_handle = tokio::spawn({
-        async move {
-            let stdin = io::stdin();
-            let reader = BufReader::new(stdin);
-            let mut lines = reader.lines();
+pub async fn run_main_with_transport(
+    codex_linux_sandbox_exe: Option<PathBuf>,
+    cli_config_overrides: CliConfigOverrides,
+    loader_overrides: LoaderOverrides,
+    default_analytics_enabled: bool,
+    transport: AppServerTransport,
+) -> IoResult<()> {
+    let (transport_event_tx, mut transport_event_rx) =
+        mpsc::channel::<TransportEvent>(CHANNEL_CAPACITY);
+    let (outgoing_tx, mut outgoing_rx) = mpsc::channel::<OutgoingEnvelope>(CHANNEL_CAPACITY);
+    let (outbound_control_tx, mut outbound_control_rx) =
+        mpsc::channel::<OutboundControlEvent>(CHANNEL_CAPACITY);

-            while let Some(line) = lines.next_line().await.unwrap_or_default() {
-                match serde_json::from_str::<JSONRPCMessage>(&line) {
-                    Ok(msg) => {
-                        if incoming_tx.send(msg).await.is_err() {
-                            // Receiver gone – nothing left to do.
-                            break;
-                        }
-                    }
-                    Err(e) => error!("Failed to deserialize JSONRPCMessage: {e}"),
-                }
-            }
-
-            debug!("stdin reader finished (EOF)");
+    let mut stdio_handles = Vec::<JoinHandle<()>>::new();
+    let mut websocket_accept_handle = None;
+    match transport {
+        AppServerTransport::Stdio => {
+            start_stdio_connection(transport_event_tx.clone(), &mut stdio_handles).await?;
        }
-    });
+        AppServerTransport::WebSocket { bind_address } => {
+            websocket_accept_handle =
+                Some(start_websocket_acceptor(bind_address, transport_event_tx.clone()).await?);
+        }
+    }
+    let shutdown_when_no_connections = matches!(transport, AppServerTransport::Stdio);

    // Parse CLI overrides once and derive the base Config eagerly so later
    // components do not need to work with raw TOML values.
@@ -237,7 +276,11 @@ pub async fn run_main(
                false,
                config.cli_auth_credentials_store_mode,
            );
-            cloud_requirements_loader(auth_manager, config.chatgpt_base_url)
+            cloud_requirements_loader(
+                auth_manager,
+                config.chatgpt_base_url,
+                config.codex_home.clone(),
+            )
        }
        Err(err) => {
            warn!(error = %err, "Failed to preload config for cloud requirements");
@@ -325,15 +368,76 @@ pub async fn run_main(
        }
    }

-    // Task: process incoming messages.
+    let transport_event_tx_for_outbound = transport_event_tx.clone();
+    let outbound_handle = tokio::spawn(async move {
+        let mut outbound_connections = HashMap::<ConnectionId, OutboundConnectionState>::new();
+        let mut pending_closed_connections = VecDeque::<ConnectionId>::new();
+        loop {
+            tokio::select! {
+                biased;
+                event = outbound_control_rx.recv() => {
+                    let Some(event) = event else {
+                        break;
+                    };
+                    match event {
+                        OutboundControlEvent::Opened {
+                            connection_id,
+                            writer,
+                            initialized,
+                            opted_out_notification_methods,
+                        } => {
+                            outbound_connections.insert(
+                                connection_id,
+                                OutboundConnectionState::new(
+                                    writer,
+                                    initialized,
+                                    opted_out_notification_methods,
+                                ),
+                            );
+                        }
+                        OutboundControlEvent::Closed { connection_id } => {
+                            outbound_connections.remove(&connection_id);
+                        }
+                    }
+                }
+                envelope = outgoing_rx.recv() => {
+                    let Some(envelope) = envelope else {
+                        break;
+                    };
+                    let disconnected_connections =
+                        route_outgoing_envelope(&mut outbound_connections, envelope).await;
+                    pending_closed_connections.extend(disconnected_connections);
+                }
+            }
+
+            while let Some(connection_id) = pending_closed_connections.front().copied() {
+                match transport_event_tx_for_outbound
+                    .try_send(TransportEvent::ConnectionClosed { connection_id })
+                {
+                    Ok(()) => {
+                        pending_closed_connections.pop_front();
+                    }
+                    Err(mpsc::error::TrySendError::Full(_)) => {
+                        break;
+                    }
+                    Err(mpsc::error::TrySendError::Closed(_)) => {
+                        return;
+                    }
+                }
+            }
+        }
+        info!("outbound router task exited (channel closed)");
+    });
+
    let processor_handle = tokio::spawn({
-        let outgoing_message_sender = OutgoingMessageSender::new(outgoing_tx);
+        let outgoing_message_sender = Arc::new(OutgoingMessageSender::new(outgoing_tx));
+        let outbound_control_tx = outbound_control_tx;
        let cli_overrides: Vec<(String, TomlValue)> = cli_kv_overrides.clone();
        let loader_overrides = loader_overrides_for_config_api;
        let mut processor = MessageProcessor::new(MessageProcessorArgs {
            outgoing: outgoing_message_sender,
            codex_linux_sandbox_exe,
-            config: std::sync::Arc::new(config),
+            config: Arc::new(config),
            cli_overrides,
            loader_overrides,
            cloud_requirements: cloud_requirements.clone(),
@@ -341,25 +445,119 @@ pub async fn run_main(
            config_warnings,
        });
        let mut thread_created_rx = processor.thread_created_receiver();
+        let mut connections = HashMap::<ConnectionId, ConnectionState>::new();
        async move {
            let mut listen_for_threads = true;
            loop {
                tokio::select! {
-                    msg = incoming_rx.recv() => {
-                        let Some(msg) = msg else {
+                    event = transport_event_rx.recv() => {
+                        let Some(event) = event else {
                            break;
                        };
-                        match msg {
-                            JSONRPCMessage::Request(r) => processor.process_request(r).await,
-                            JSONRPCMessage::Response(r) => processor.process_response(r).await,
-                            JSONRPCMessage::Notification(n) => processor.process_notification(n).await,
-                            JSONRPCMessage::Error(e) => processor.process_error(e).await,
+                        match event {
+                            TransportEvent::ConnectionOpened { connection_id, writer } => {
+                                let outbound_initialized = Arc::new(AtomicBool::new(false));
+                                let outbound_opted_out_notification_methods =
+                                    Arc::new(RwLock::new(HashSet::new()));
+                                if outbound_control_tx
+                                    .send(OutboundControlEvent::Opened {
+                                        connection_id,
+                                        writer,
+                                        initialized: Arc::clone(&outbound_initialized),
+                                        opted_out_notification_methods: Arc::clone(
+                                            &outbound_opted_out_notification_methods,
+                                        ),
+                                    })
+                                    .await
+                                    .is_err()
+                                {
+                                    break;
+                                }
+                                connections.insert(
+                                    connection_id,
+                                    ConnectionState::new(
+                                        outbound_initialized,
+                                        outbound_opted_out_notification_methods,
+                                    ),
+                                );
+                            }
+                            TransportEvent::ConnectionClosed { connection_id } => {
+                                if outbound_control_tx
+                                    .send(OutboundControlEvent::Closed { connection_id })
+                                    .await
+                                    .is_err()
+                                {
+                                    break;
+                                }
+                                processor.connection_closed(connection_id).await;
+                                connections.remove(&connection_id);
+                                if shutdown_when_no_connections && connections.is_empty() {
+                                    break;
+                                }
+                            }
+                            TransportEvent::IncomingMessage { connection_id, message } => {
+                                match message {
+                                    JSONRPCMessage::Request(request) => {
+                                        let Some(connection_state) = connections.get_mut(&connection_id) else {
+                                            warn!("dropping request from unknown connection: {:?}", connection_id);
+                                            continue;
+                                        };
+                                        let was_initialized = connection_state.session.initialized;
+                                        processor
+                                            .process_request(
+                                                connection_id,
+                                                request,
+                                                &mut connection_state.session,
+                                                &connection_state.outbound_initialized,
+                                            )
+                                            .await;
+                                        if let Ok(mut opted_out_notification_methods) = connection_state
+                                            .outbound_opted_out_notification_methods
+                                            .write()
+                                        {
+                                            *opted_out_notification_methods = connection_state
+                                                .session
+                                                .opted_out_notification_methods
+                                                .clone();
+                                        } else {
+                                            warn!(
+                                                "failed to update outbound opted-out notifications"
+                                            );
+                                        }
+                                        if !was_initialized && connection_state.session.initialized {
+                                            processor.send_initialize_notifications().await;
+                                        }
+                                    }
+                                    JSONRPCMessage::Response(response) => {
+                                        processor.process_response(response).await;
+                                    }
+                                    JSONRPCMessage::Notification(notification) => {
+                                        processor.process_notification(notification).await;
+                                    }
+                                    JSONRPCMessage::Error(err) => {
+                                        processor.process_error(err).await;
+                                    }
+                                }
+                            }
                        }
                    }
                    created = thread_created_rx.recv(), if listen_for_threads => {
                        match created {
                            Ok(thread_id) => {
-                                processor.try_attach_thread_listener(thread_id).await;
+                                let initialized_connection_ids: Vec<ConnectionId> = connections
+                                    .iter()
+                                    .filter_map(|(connection_id, connection_state)| {
+                                        connection_state.session.initialized.then_some(*connection_id)
+                                    })
+                                    .collect();
+                                if !initialized_connection_ids.is_empty() {
+                                    processor
+                                        .try_attach_thread_listener(
+                                            thread_id,
+                                            initialized_connection_ids,
+                                        )
+                                        .await;
+                                }
                            }
                            Err(tokio::sync::broadcast::error::RecvError::Lagged(_)) => {
                                // TODO(jif) handle lag.
@@ -380,33 +578,18 @@ pub async fn run_main(
        }
    });

-    // Task: write outgoing messages to stdout.
-    let stdout_writer_handle = tokio::spawn(async move {
-        let mut stdout = io::stdout();
-        while let Some(outgoing_message) = outgoing_rx.recv().await {
-            let Ok(value) = serde_json::to_value(outgoing_message) else {
-                error!("Failed to convert OutgoingMessage to JSON value");
-                continue;
-            };
-            match serde_json::to_string(&value) {
-                Ok(mut json) => {
-                    json.push('\n');
-                    if let Err(e) = stdout.write_all(json.as_bytes()).await {
-                        error!("Failed to write to stdout: {e}");
-                        break;
-                    }
-                }
-                Err(e) => error!("Failed to serialize JSONRPCMessage: {e}"),
-            }
-        }
+    drop(transport_event_tx);

-        info!("stdout writer exited (channel closed)");
-    });
+    let _ = processor_handle.await;
+    let _ = outbound_handle.await;

-    // Wait for all tasks to finish.  The typical exit path is the stdin reader
-    // hitting EOF which, once it drops `incoming_tx`, propagates shutdown to
-    // the processor and then to the stdout task.
-    let _ = tokio::join!(stdin_reader_handle, processor_handle, stdout_writer_handle);
+    if let Some(handle) = websocket_accept_handle {
+        handle.abort();
+    }
+
+    for handle in stdio_handles {
+        let _ = handle.await;
+    }

    Ok(())
 }
--- a/Show More
+++ b/Show More