Remove sandbox policy from command exec

.bazelrc

@@ -29,13 +29,10 @@ common:linux --test_env=PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
 common:macos --test_env=PATH=/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
 
 # Pass through some env vars Windows needs to use powershell?
+common:windows --test_env=PATH
 common:windows --test_env=SYSTEMROOT
 common:windows --test_env=COMSPEC
 common:windows --test_env=WINDIR
-# Rust's libtest harness runs test bodies on std-spawned threads. The default
-# 2 MiB stack can be too small for large async test futures on Windows CI; see
-# https://github.com/openai/codex/pull/19067 for the motivating failure.
-common --test_env=RUST_MIN_STACK=8388608 # 8 MiB
 
 common --test_output=errors
 common --bes_results_url=https://app.buildbuddy.io/invocation/

.codespellrc

@@ -1,6 +1,6 @@
 [codespell]
 # Ref: https://github.com/codespell-project/codespell#using-a-config-file
-skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl,frame*.txt,*.snap,*.snap.new
+skip = .git*,vendor,*-lock.yaml,*.lock,.codespellrc,*test.ts,*.jsonl,frame*.txt,*.snap,*.snap.new,*meriyah.umd.min.js
 check-hidden = true
 ignore-regex = ^\s*"image/\S+": ".*|\b(afterAll)\b
 ignore-words-list = ratatui,ser,iTerm,iterm2,iterm,te,TE,PASE,SEH

.devcontainer/Dockerfile.secure

@@ -4,11 +4,9 @@ ARG TZ
 ARG DEBIAN_FRONTEND=noninteractive
 ARG NODE_MAJOR=22
 ARG RUST_TOOLCHAIN=1.92.0
-# Keep this in sync with .devcontainer/codex-install/package.json and pnpm-lock.yaml.
-ARG CODEX_NPM_VERSION=0.121.0
+ARG CODEX_NPM_VERSION=latest
 
 ENV TZ="$TZ"
-ENV COREPACK_ENABLE_DOWNLOAD_PROMPT=0
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
@@ -45,18 +43,12 @@ RUN apt-get update \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
-COPY .devcontainer/codex-install/package.json \
-     .devcontainer/codex-install/pnpm-lock.yaml \
-     .devcontainer/codex-install/pnpm-workspace.yaml \
-     /opt/codex-install/
-
 RUN curl -fsSL "https://deb.nodesource.com/setup_${NODE_MAJOR}.x" | bash - \
     && apt-get update \
     && apt-get install -y --no-install-recommends nodejs \
-    && test "$(node -p "require('/opt/codex-install/package.json').dependencies['@openai/codex']")" = "${CODEX_NPM_VERSION}" \
-    && cd /opt/codex-install \
-    && corepack pnpm install --prod --frozen-lockfile \
-    && ln -s /opt/codex-install/node_modules/.bin/codex /usr/local/bin/codex \
+    && npm install -g corepack@latest "@openai/codex@${CODEX_NPM_VERSION}" \
+    && corepack enable \
+    && corepack prepare pnpm@10.28.2 --activate \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 

.devcontainer/codex-install/package.json

@@ -1,13 +0,0 @@
-{
-  "name": "codex-devcontainer-install",
-  "private": true,
-  "description": "Locked Codex CLI install boundary for the secure devcontainer.",
-  "dependencies": {
-    "@openai/codex": "0.121.0"
-  },
-  "engines": {
-    "node": ">=22",
-    "pnpm": ">=10.33.0"
-  },
-  "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319"
-}

.devcontainer/codex-install/pnpm-lock.yaml

@@ -1,85 +0,0 @@
-lockfileVersion: '9.0'
-
-settings:
-  autoInstallPeers: true
-  excludeLinksFromLockfile: false
-
-importers:
-
-  .:
-    dependencies:
-      '@openai/codex':
-        specifier: 0.121.0
-        version: 0.121.0
-
-packages:
-
-  '@openai/codex@0.121.0':
-    resolution: {integrity: sha512-kCJ2NeATd4QBQRmqV04ymdN1ZU3MSwnJQDm/KzjpuzGvCuUVEn7no/T2mRyxQ2x77AACqriNOyPPoM/yufyvNg==}
-    engines: {node: '>=16'}
-    hasBin: true
-
-  '@openai/codex@0.121.0-darwin-arm64':
-    resolution: {integrity: sha512-ZyBqIB6Fb4I0hGb/h65Vu7ePYjHSmGiqqfm+/1djEuxDPkqjfi4wkxYxNYNY+6najyNGN4UijOSTTf19eDCrqw==}
-    engines: {node: '>=16'}
-    cpu: [arm64]
-    os: [darwin]
-
-  '@openai/codex@0.121.0-darwin-x64':
-    resolution: {integrity: sha512-1/OAtdkAZ5yPI3xqaEFlHuPziS1yCqL2gOZdswE7HTmmwpIxi6Z3FCo60JWDPluIp89z4tftdjq73/OCN0YVcw==}
-    engines: {node: '>=16'}
-    cpu: [x64]
-    os: [darwin]
-
-  '@openai/codex@0.121.0-linux-arm64':
-    resolution: {integrity: sha512-2UgMmdo237o7SCMsfb529cOSEM2HFUgN6OBkv5SBLwfNY1NO2Ex6JnUjlppEXlX6/4cXfZ5qjDghVz5j/+B9zw==}
-    engines: {node: '>=16'}
-    cpu: [arm64]
-    os: [linux]
-
-  '@openai/codex@0.121.0-linux-x64':
-    resolution: {integrity: sha512-vlpNJXIqss800J+32Vy7TUZzv31n61b45OLxmsVQGFkTNLJcjFrj9jDUC7I62eC4F16gLioilefNfv4CdJQOEw==}
-    engines: {node: '>=16'}
-    cpu: [x64]
-    os: [linux]
-
-  '@openai/codex@0.121.0-win32-arm64':
-    resolution: {integrity: sha512-m88q4f3XI5npn1t6OG0nWGHWWAjO5FgjRwxh4hdujbLO6t9CiCNfhfPZIOSsoATbrCNwLC+6S77m3cjbNToPNg==}
-    engines: {node: '>=16'}
-    cpu: [arm64]
-    os: [win32]
-
-  '@openai/codex@0.121.0-win32-x64':
-    resolution: {integrity: sha512-Fp0ecVOyM+VcBi/y4HVvRzhifO9YqRiHzhV3rhtAppC7flh22WPguLC4kmvXYAR0p3RPzbo35M2CedWnkOT+cw==}
-    engines: {node: '>=16'}
-    cpu: [x64]
-    os: [win32]
-
-snapshots:
-
-  '@openai/codex@0.121.0':
-    optionalDependencies:
-      '@openai/codex-darwin-arm64': '@openai/codex@0.121.0-darwin-arm64'
-      '@openai/codex-darwin-x64': '@openai/codex@0.121.0-darwin-x64'
-      '@openai/codex-linux-arm64': '@openai/codex@0.121.0-linux-arm64'
-      '@openai/codex-linux-x64': '@openai/codex@0.121.0-linux-x64'
-      '@openai/codex-win32-arm64': '@openai/codex@0.121.0-win32-arm64'
-      '@openai/codex-win32-x64': '@openai/codex@0.121.0-win32-x64'
-
-  '@openai/codex@0.121.0-darwin-arm64':
-    optional: true
-
-  '@openai/codex@0.121.0-darwin-x64':
-    optional: true
-
-  '@openai/codex@0.121.0-linux-arm64':
-    optional: true
-
-  '@openai/codex@0.121.0-linux-x64':
-    optional: true
-
-  '@openai/codex@0.121.0-win32-arm64':
-    optional: true
-
-  '@openai/codex@0.121.0-win32-x64':
-    optional: true

.devcontainer/codex-install/pnpm-workspace.yaml

@@ -1,12 +0,0 @@
-packages:
-  - "."
-
-minimumReleaseAge: 10080
-minimumReleaseAgeExclude: []
-
-blockExoticSubdeps: true
-strictDepBuilds: true
-trustPolicy: no-downgrade
-trustPolicyIgnoreAfter: 10080
-trustPolicyExclude: []
-allowBuilds: {}

.devcontainer/devcontainer.secure.json

@@ -8,7 +8,7 @@
       "TZ": "${localEnv:TZ:UTC}",
       "NODE_MAJOR": "22",
       "RUST_TOOLCHAIN": "1.92.0",
-      "CODEX_NPM_VERSION": "0.121.0"
+      "CODEX_NPM_VERSION": "latest"
     }
   },
   "runArgs": [

.gitattributes

@@ -1,2 +1 @@
 codex-rs/app-server-protocol/schema/** linguist-generated
-codex-rs/hooks/schema/generated/** linguist-generated

.github/actions/linux-code-sign/action.yml

@@ -7,9 +7,6 @@ inputs:
   artifacts-dir:
     description: Absolute path to the directory containing built binaries to sign.
     required: true
-  binaries:
-    description: Space-delimited binary basenames to sign.
-    default: "codex codex-responses-api-proxy"
 
 runs:
   using: composite
@@ -21,7 +18,6 @@ runs:
       shell: bash
       env:
         ARTIFACTS_DIR: ${{ inputs.artifacts-dir }}
-        BINARIES: ${{ inputs.binaries }}
         COSIGN_EXPERIMENTAL: "1"
         COSIGN_YES: "true"
         COSIGN_OIDC_CLIENT_ID: "sigstore"
@@ -35,7 +31,7 @@ runs:
           exit 1
         fi
 
-        for binary in ${BINARIES}; do
+        for binary in codex codex-responses-api-proxy; do
           artifact="${dest}/${binary}"
           if [[ ! -f "$artifact" ]]; then
             echo "Binary $artifact not found"

.github/actions/macos-code-sign/action.yml

@@ -4,9 +4,6 @@ inputs:
   target:
     description: Rust compilation target triple (e.g. aarch64-apple-darwin).
     required: true
-  binaries:
-    description: Space-delimited binary basenames to sign and notarize.
-    default: "codex codex-responses-api-proxy"
   sign-binaries:
     description: Whether to sign and notarize the macOS binaries.
     required: false
@@ -122,7 +119,6 @@ runs:
       shell: bash
       env:
         TARGET: ${{ inputs.target }}
-        BINARIES: ${{ inputs.binaries }}
       run: |
         set -euo pipefail
 
@@ -138,7 +134,7 @@ runs:
 
         entitlements_path="$GITHUB_ACTION_PATH/codex.entitlements.plist"
 
-        for binary in ${BINARIES}; do
+        for binary in codex codex-responses-api-proxy; do
           path="codex-rs/target/${TARGET}/release/${binary}"
           codesign --force --options runtime --timestamp --entitlements "$entitlements_path" --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
         done
@@ -148,7 +144,6 @@ runs:
       shell: bash
       env:
         TARGET: ${{ inputs.target }}
-        BINARIES: ${{ inputs.binaries }}
         APPLE_NOTARIZATION_KEY_P8: ${{ inputs.apple-notarization-key-p8 }}
         APPLE_NOTARIZATION_KEY_ID: ${{ inputs.apple-notarization-key-id }}
         APPLE_NOTARIZATION_ISSUER_ID: ${{ inputs.apple-notarization-issuer-id }}
@@ -187,9 +182,8 @@ runs:
           notarize_submission "$binary" "$archive_path" "$notary_key_path"
         }
 
-        for binary in ${BINARIES}; do
-          notarize_binary "${binary}"
-        done
+        notarize_binary "codex"
+        notarize_binary "codex-responses-api-proxy"
 
     - name: Sign and notarize macOS dmg
       if: ${{ inputs.sign-dmg == 'true' }}

.github/actions/prepare-bazel-ci/action.yml

@@ -8,7 +8,7 @@ inputs:
     description: Logical namespace used to keep concurrent Bazel jobs from reserving the same repository cache key.
     required: true
   install-test-prereqs:
-    description: Install DotSlash for Bazel-backed test jobs.
+    description: Install Node.js and DotSlash for Bazel-backed test jobs.
     required: false
     default: "false"
 outputs:

.github/actions/setup-bazel-ci/action.yml

@@ -5,7 +5,7 @@ inputs:
     description: Target triple used for cache namespacing.
     required: true
   install-test-prereqs:
-    description: Install DotSlash for Bazel-backed test jobs.
+    description: Install Node.js and DotSlash for Bazel-backed test jobs.
     required: false
     default: "false"
 outputs:
@@ -16,6 +16,12 @@ outputs:
 runs:
   using: composite
   steps:
+    - name: Set up Node.js for js_repl tests
+      if: inputs.install-test-prereqs == 'true'
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+      with:
+        node-version-file: codex-rs/node-version.txt
+
     # Some integration tests rely on DotSlash being installed.
     # See https://github.com/openai/codex/pull/7617.
     - name: Install DotSlash
@@ -116,11 +122,6 @@ runs:
           }
         }
 
-    - name: Compute cache-stable Windows Bazel PATH
-      if: runner.os == 'Windows'
-      shell: pwsh
-      run: ./.github/scripts/compute-bazel-windows-path.ps1
-
     - name: Enable Git long paths (Windows)
       if: runner.os == 'Windows'
       shell: pwsh

.github/actions/windows-code-sign/action.yml

@@ -4,9 +4,6 @@ inputs:
   target:
     description: Target triple for the artifacts to sign.
     required: true
-  binaries:
-    description: Space-delimited binary basenames to sign.
-    default: "codex codex-responses-api-proxy codex-windows-sandbox-setup codex-command-runner"
   client-id:
     description: Azure Trusted Signing client ID.
     required: true
@@ -36,23 +33,6 @@ runs:
         tenant-id: ${{ inputs.tenant-id }}
         subscription-id: ${{ inputs.subscription-id }}
 
-    - name: Prepare file list
-      id: prepare
-      shell: bash
-      env:
-        TARGET: ${{ inputs.target }}
-        BINARIES: ${{ inputs.binaries }}
-      run: |
-        set -euo pipefail
-
-        {
-          echo "files<<EOF"
-          for binary in ${BINARIES}; do
-            echo "${GITHUB_WORKSPACE}/codex-rs/target/${TARGET}/release/${binary}.exe"
-          done
-          echo "EOF"
-        } >> "$GITHUB_OUTPUT"
-
     - name: Sign Windows binaries with Azure Trusted Signing
       uses: azure/trusted-signing-action@1d365fec12862c4aa68fcac418143d73f0cea293 # v0
       with:
@@ -70,4 +50,8 @@ runs:
         exclude-azure-developer-cli-credential: true
         exclude-interactive-browser-credential: true
         cache-dependencies: false
-        files: ${{ steps.prepare.outputs.files }}
+        files: |
+          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex.exe
+          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-responses-api-proxy.exe
+          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-windows-sandbox-setup.exe
+          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-command-runner.exe

.github/dotslash-config.json

@@ -28,34 +28,6 @@
         }
       }
     },
-    "codex-app-server": {
-      "platforms": {
-        "macos-aarch64": {
-          "regex": "^codex-app-server-aarch64-apple-darwin\\.zst$",
-          "path": "codex-app-server"
-        },
-        "macos-x86_64": {
-          "regex": "^codex-app-server-x86_64-apple-darwin\\.zst$",
-          "path": "codex-app-server"
-        },
-        "linux-x86_64": {
-          "regex": "^codex-app-server-x86_64-unknown-linux-musl\\.zst$",
-          "path": "codex-app-server"
-        },
-        "linux-aarch64": {
-          "regex": "^codex-app-server-aarch64-unknown-linux-musl\\.zst$",
-          "path": "codex-app-server"
-        },
-        "windows-x86_64": {
-          "regex": "^codex-app-server-x86_64-pc-windows-msvc\\.exe\\.zst$",
-          "path": "codex-app-server.exe"
-        },
-        "windows-aarch64": {
-          "regex": "^codex-app-server-aarch64-pc-windows-msvc\\.exe\\.zst$",
-          "path": "codex-app-server.exe"
-        }
-      }
-    },
     "codex-responses-api-proxy": {
       "platforms": {
         "macos-aarch64": {

.github/scripts/compute-bazel-windows-path.ps1

@@ -1,105 +0,0 @@
-<#
-BuildBuddy cache keys include the action and test environment, so Bazel should
-not inherit the full hosted-runner PATH on Windows. That PATH includes volatile
-tool entries, such as Maven, that can change independently of this repo and
-cause avoidable cache misses.
-
-This script derives a smaller, cache-stable PATH that keeps the Windows
-toolchain entries Bazel-backed CI tasks need: MSVC and Windows SDK paths, Git,
-PowerShell, Node, Python, DotSlash, and the standard Windows system
-directories.
-`setup-bazel-ci` runs this after exporting the MSVC environment, and the script
-publishes the result via `GITHUB_ENV` as `CODEX_BAZEL_WINDOWS_PATH` so later
-steps can pass that explicit PATH to Bazel.
-#>
-
-$stablePathEntries = New-Object System.Collections.Generic.List[string]
-$seenEntries = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
-$windowsAppsPath = if ([string]::IsNullOrWhiteSpace($env:LOCALAPPDATA)) {
-  $null
-} else {
-  "$($env:LOCALAPPDATA)\Microsoft\WindowsApps"
-}
-$windowsDir = if ($env:WINDIR) {
-  $env:WINDIR
-} elseif ($env:SystemRoot) {
-  $env:SystemRoot
-} else {
-  $null
-}
-
-function Add-StablePathEntry {
-  param([string]$PathEntry)
-
-  if ([string]::IsNullOrWhiteSpace($PathEntry)) {
-    return
-  }
-
-  if ($seenEntries.Add($PathEntry)) {
-    [void]$stablePathEntries.Add($PathEntry)
-  }
-}
-
-foreach ($pathEntry in ($env:PATH -split ';')) {
-  if ([string]::IsNullOrWhiteSpace($pathEntry)) {
-    continue
-  }
-
-  if (
-    $pathEntry -like '*Microsoft Visual Studio*' -or
-    $pathEntry -like '*Windows Kits*' -or
-    $pathEntry -like '*Microsoft SDKs*' -or
-    $pathEntry -like 'C:\Program Files\Git\*' -or
-    $pathEntry -like 'C:\Program Files\PowerShell\*' -or
-    $pathEntry -like 'C:\hostedtoolcache\windows\node\*' -or
-    $pathEntry -like 'C:\hostedtoolcache\windows\Python\*' -or
-    $pathEntry -eq 'D:\a\_temp\install-dotslash\bin' -or
-    ($windowsDir -and ($pathEntry -eq $windowsDir -or $pathEntry -like "${windowsDir}\*"))
-  ) {
-    Add-StablePathEntry $pathEntry
-  }
-}
-
-$gitCommand = Get-Command git -ErrorAction SilentlyContinue
-if ($gitCommand) {
-  Add-StablePathEntry (Split-Path $gitCommand.Source -Parent)
-}
-
-$nodeCommand = Get-Command node -ErrorAction SilentlyContinue
-if ($nodeCommand) {
-  Add-StablePathEntry (Split-Path $nodeCommand.Source -Parent)
-}
-
-$python3Command = Get-Command python3 -ErrorAction SilentlyContinue
-if ($python3Command) {
-  Add-StablePathEntry (Split-Path $python3Command.Source -Parent)
-}
-
-$pythonCommand = Get-Command python -ErrorAction SilentlyContinue
-if ($pythonCommand) {
-  Add-StablePathEntry (Split-Path $pythonCommand.Source -Parent)
-}
-
-$pwshCommand = Get-Command pwsh -ErrorAction SilentlyContinue
-if ($pwshCommand) {
-  Add-StablePathEntry (Split-Path $pwshCommand.Source -Parent)
-}
-
-if ($windowsAppsPath) {
-  Add-StablePathEntry $windowsAppsPath
-}
-
-if ($stablePathEntries.Count -eq 0) {
-  throw 'Failed to derive cache-stable Windows PATH.'
-}
-
-if ([string]::IsNullOrWhiteSpace($env:GITHUB_ENV)) {
-  throw 'GITHUB_ENV must be set.'
-}
-
-$stablePath = $stablePathEntries -join ';'
-Write-Host 'Derived CODEX_BAZEL_WINDOWS_PATH entries:'
-foreach ($pathEntry in $stablePathEntries) {
-  Write-Host "  $pathEntry"
-}
-"CODEX_BAZEL_WINDOWS_PATH=$stablePath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append

.github/scripts/run-argument-comment-lint-bazel.sh

@@ -2,6 +2,16 @@
 
 set -euo pipefail
 
+ci_config=ci-linux
+case "${RUNNER_OS:-}" in
+  macOS)
+    ci_config=ci-macos
+    ;;
+  Windows)
+    ci_config=ci-windows
+    ;;
+esac
+
 bazel_lint_args=("$@")
 if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
   has_host_platform_override=0
@@ -34,6 +44,29 @@ if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
   bazel_lint_args+=("--skip_incompatible_explicit_targets")
 fi
 
+bazel_startup_args=()
+if [[ -n "${BAZEL_OUTPUT_USER_ROOT:-}" ]]; then
+  bazel_startup_args+=("--output_user_root=${BAZEL_OUTPUT_USER_ROOT}")
+fi
+
+run_bazel() {
+  if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
+    MSYS2_ARG_CONV_EXCL='*' bazel "$@"
+    return
+  fi
+
+  bazel "$@"
+}
+
+run_bazel_with_startup_args() {
+  if [[ ${#bazel_startup_args[@]} -gt 0 ]]; then
+    run_bazel "${bazel_startup_args[@]}" "$@"
+    return
+  fi
+
+  run_bazel "$@"
+}
+
 read_query_labels() {
   local query="$1"
   local query_stdout
@@ -41,10 +74,12 @@ read_query_labels() {
   query_stdout="$(mktemp)"
   query_stderr="$(mktemp)"
 
-  if ! ./.github/scripts/run-bazel-query-ci.sh \
+  if ! run_bazel_with_startup_args \
+    --noexperimental_remote_repo_contents_cache \
+    query \
     --keep_going \
     --output=label \
-    -- "$query" >"$query_stdout" 2>"$query_stderr"; then
+    "$query" >"$query_stdout" 2>"$query_stderr"; then
     cat "$query_stderr" >&2
     rm -f "$query_stdout" "$query_stderr"
     exit 1

.github/scripts/run-bazel-ci.sh

@@ -4,6 +4,7 @@ set -euo pipefail
 
 print_failed_bazel_test_logs=0
 print_failed_bazel_action_summary=0
+use_node_test_env=0
 remote_download_toplevel=0
 windows_msvc_host_platform=0
 
@@ -17,6 +18,10 @@ while [[ $# -gt 0 ]]; do
       print_failed_bazel_action_summary=1
       shift
       ;;
+    --use-node-test-env)
+      use_node_test_env=1
+      shift
+      ;;
     --remote-download-toplevel)
       remote_download_toplevel=1
       shift
@@ -37,7 +42,7 @@ while [[ $# -gt 0 ]]; do
 done
 
 if [[ $# -eq 0 ]]; then
-  echo "Usage: $0 [--print-failed-test-logs] [--print-failed-action-summary] [--remote-download-toplevel] [--windows-msvc-host-platform] -- <bazel args> -- <targets>" >&2
+  echo "Usage: $0 [--print-failed-test-logs] [--print-failed-action-summary] [--use-node-test-env] [--remote-download-toplevel] [--windows-msvc-host-platform] -- <bazel args> -- <targets>" >&2
   exit 1
 fi
 
@@ -244,6 +249,16 @@ if [[ ${#bazel_args[@]} -eq 0 || ${#bazel_targets[@]} -eq 0 ]]; then
   exit 1
 fi
 
+if [[ $use_node_test_env -eq 1 ]]; then
+  # Bazel test sandboxes on macOS may resolve an older Homebrew `node`
+  # before the `actions/setup-node` runtime on PATH.
+  node_bin="$(which node)"
+  if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
+    node_bin="$(cygpath -w "${node_bin}")"
+  fi
+  bazel_args+=("--test_env=CODEX_JS_REPL_NODE_PATH=${node_bin}")
+fi
+
 post_config_bazel_args=()
 if [[ "${RUNNER_OS:-}" == "Windows" && $windows_msvc_host_platform -eq 1 ]]; then
   has_host_platform_override=0
@@ -291,6 +306,7 @@ if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
     INCLUDE
     LIB
     LIBPATH
+    PATH
     UCRTVersion
     UniversalCRTSdkDir
     VCINSTALLDIR
@@ -307,17 +323,6 @@ if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
       post_config_bazel_args+=("--action_env=${env_var}" "--host_action_env=${env_var}")
     fi
   done
-
-  if [[ -z "${CODEX_BAZEL_WINDOWS_PATH:-}" ]]; then
-    echo "CODEX_BAZEL_WINDOWS_PATH must be set for Windows Bazel CI." >&2
-    exit 1
-  fi
-
-  post_config_bazel_args+=(
-    "--action_env=PATH=${CODEX_BAZEL_WINDOWS_PATH}"
-    "--host_action_env=PATH=${CODEX_BAZEL_WINDOWS_PATH}"
-    "--test_env=PATH=${CODEX_BAZEL_WINDOWS_PATH}"
-  )
 fi
 
 bazel_console_log="$(mktemp)"

.github/scripts/run-bazel-query-ci.sh

@@ -1,75 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-# Run Bazel queries with the same CI startup settings as the main build/test
-# invocation so target-discovery queries can reuse the same Bazel server.
-
-query_args=()
-while [[ $# -gt 0 ]]; do
-  case "$1" in
-    --)
-      shift
-      break
-      ;;
-    *)
-      query_args+=("$1")
-      shift
-      ;;
-  esac
-done
-
-if [[ $# -ne 1 ]]; then
-  echo "Usage: $0 [<bazel query args>...] -- <query expression>" >&2
-  exit 1
-fi
-
-query_expression="$1"
-
-ci_config=ci-linux
-case "${RUNNER_OS:-}" in
-  macOS)
-    ci_config=ci-macos
-    ;;
-  Windows)
-    ci_config=ci-windows
-    ;;
-esac
-
-bazel_startup_args=()
-if [[ -n "${BAZEL_OUTPUT_USER_ROOT:-}" ]]; then
-  bazel_startup_args+=("--output_user_root=${BAZEL_OUTPUT_USER_ROOT}")
-fi
-
-run_bazel() {
-  if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
-    MSYS2_ARG_CONV_EXCL='*' bazel "$@"
-    return
-  fi
-
-  bazel "$@"
-}
-
-bazel_query_args=(--noexperimental_remote_repo_contents_cache query)
-if [[ -n "${BUILDBUDDY_API_KEY:-}" ]]; then
-  bazel_query_args+=(
-    "--config=${ci_config}"
-    "--remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}"
-  )
-fi
-
-if [[ -n "${BAZEL_REPO_CONTENTS_CACHE:-}" ]]; then
-  bazel_query_args+=("--repo_contents_cache=${BAZEL_REPO_CONTENTS_CACHE}")
-fi
-
-if [[ -n "${BAZEL_REPOSITORY_CACHE:-}" ]]; then
-  bazel_query_args+=("--repository_cache=${BAZEL_REPOSITORY_CACHE}")
-fi
-
-bazel_query_args+=("${query_args[@]}" "$query_expression")
-
-if (( ${#bazel_startup_args[@]} > 0 )); then
-  run_bazel "${bazel_startup_args[@]}" "${bazel_query_args[@]}"
-else
-  run_bazel "${bazel_query_args[@]}"
-fi

.github/workflows/Dockerfile.bazel

@@ -8,9 +8,25 @@ FROM ubuntu:24.04
 
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
-    curl git python3 ca-certificates && \
+    curl git python3 ca-certificates xz-utils && \
     rm -rf /var/lib/apt/lists/*
 
+COPY codex-rs/node-version.txt /tmp/node-version.txt
+
+RUN set -eux; \
+    node_arch="$(dpkg --print-architecture)"; \
+    case "${node_arch}" in \
+      amd64) node_dist_arch="x64" ;; \
+      arm64) node_dist_arch="arm64" ;; \
+      *) echo "unsupported architecture: ${node_arch}"; exit 1 ;; \
+    esac; \
+    node_version="$(tr -d '[:space:]' </tmp/node-version.txt)"; \
+    curl -fsSLO "https://nodejs.org/dist/v${node_version}/node-v${node_version}-linux-${node_dist_arch}.tar.xz"; \
+    tar -xJf "node-v${node_version}-linux-${node_dist_arch}.tar.xz" -C /usr/local --strip-components=1; \
+    rm "node-v${node_version}-linux-${node_dist_arch}.tar.xz" /tmp/node-version.txt; \
+    node --version; \
+    npm --version
+
 # Install dotslash.
 RUN curl -LSfs "https://github.com/facebook/dotslash/releases/download/v0.5.8/dotslash-ubuntu-22.04.$(uname -m).tar.gz" | tar fxz - -C /usr/local/bin
 

.github/workflows/bazel.yml

@@ -85,6 +85,7 @@ jobs:
 
           bazel_wrapper_args=(
             --print-failed-test-logs
+            --use-node-test-env
           )
           bazel_test_args=(
             test

.github/workflows/issue-deduplicator.yml

@@ -61,7 +61,7 @@ jobs:
       # .github/prompts/issue-deduplicator.txt file is obsolete and removed.
       - id: codex-all
         name: Find duplicates (pass 1, all issues)
-        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02 # v1.7
+        uses: openai/codex-action@0b91f4a2703c23df3102c3f0967d3c6db34eedef # v1
         with:
           openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
           allow-users: "*"
@@ -195,7 +195,7 @@ jobs:
 
       - id: codex-open
         name: Find duplicates (pass 2, open issues)
-        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02 # v1.7
+        uses: openai/codex-action@0b91f4a2703c23df3102c3f0967d3c6db34eedef # v1
         with:
           openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
           allow-users: "*"

.github/workflows/issue-labeler.yml

@@ -20,7 +20,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - id: codex
-        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02 # v1.7
+        uses: openai/codex-action@0b91f4a2703c23df3102c3f0967d3c6db34eedef # v1
         with:
           openai-api-key: ${{ secrets.CODEX_OPENAI_API_KEY }}
           allow-users: "*"

.github/workflows/rust-ci-full.yml

@@ -76,8 +76,6 @@ jobs:
       - name: Test argument comment lint package
         working-directory: tools/argument-comment-lint
         run: cargo test
-        env:
-          RUST_MIN_STACK: "8388608" # 8 MiB
 
   argument_comment_lint_prebuilt:
     name: Argument comment lint - ${{ matrix.name }}
@@ -560,6 +558,10 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - name: Set up Node.js for js_repl tests
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        with:
+          node-version-file: codex-rs/node-version.txt
       - name: Install Linux build dependencies
         if: ${{ runner.os == 'Linux' }}
         shell: bash
@@ -669,7 +671,6 @@ jobs:
         run: cargo nextest run --no-fail-fast --target ${{ matrix.target }} --cargo-profile ci-test --timings
         env:
           RUST_BACKTRACE: 1
-          RUST_MIN_STACK: "8388608" # 8 MiB
           NEXTEST_STATUS_LEVEL: leak
 
       - name: Upload Cargo timings (nextest)

.github/workflows/rust-ci.yml

@@ -131,8 +131,6 @@ jobs:
       - name: Test argument comment lint package
         working-directory: tools/argument-comment-lint
         run: cargo test
-        env:
-          RUST_MIN_STACK: "8388608" # 8 MiB
 
   argument_comment_lint_prebuilt:
     name: Argument comment lint - ${{ matrix.name }}

.github/workflows/rust-release-windows.yml

@@ -40,42 +40,28 @@ jobs:
           - runner: windows-x64
             target: x86_64-pc-windows-msvc
             bundle: primary
-            binaries: "codex codex-responses-api-proxy"
+            build_args: --bin codex --bin codex-responses-api-proxy
             runs_on:
               group: codex-runners
               labels: codex-windows-x64
           - runner: windows-arm64
             target: aarch64-pc-windows-msvc
             bundle: primary
-            binaries: "codex codex-responses-api-proxy"
+            build_args: --bin codex --bin codex-responses-api-proxy
             runs_on:
               group: codex-runners
               labels: codex-windows-arm64
           - runner: windows-x64
             target: x86_64-pc-windows-msvc
             bundle: helpers
-            binaries: "codex-windows-sandbox-setup codex-command-runner"
+            build_args: --bin codex-windows-sandbox-setup --bin codex-command-runner
             runs_on:
               group: codex-runners
               labels: codex-windows-x64
           - runner: windows-arm64
             target: aarch64-pc-windows-msvc
             bundle: helpers
-            binaries: "codex-windows-sandbox-setup codex-command-runner"
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-arm64
-          - runner: windows-x64
-            target: x86_64-pc-windows-msvc
-            bundle: app-server
-            binaries: "codex-app-server"
-            runs_on:
-              group: codex-runners
-              labels: codex-windows-x64
-          - runner: windows-arm64
-            target: aarch64-pc-windows-msvc
-            bundle: app-server
-            binaries: "codex-app-server"
+            build_args: --bin codex-windows-sandbox-setup --bin codex-command-runner
             runs_on:
               group: codex-runners
               labels: codex-windows-arm64
@@ -103,11 +89,7 @@ jobs:
       - name: Cargo build (Windows binaries)
         shell: bash
         run: |
-          build_args=()
-          for binary in ${{ matrix.binaries }}; do
-            build_args+=(--bin "$binary")
-          done
-          cargo build --target ${{ matrix.target }} --release --timings "${build_args[@]}"
+          cargo build --target ${{ matrix.target }} --release --timings ${{ matrix.build_args }}
 
       - name: Upload Cargo timings
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
@@ -121,9 +103,13 @@ jobs:
         run: |
           output_dir="target/${{ matrix.target }}/release/staged-${{ matrix.bundle }}"
           mkdir -p "$output_dir"
-          for binary in ${{ matrix.binaries }}; do
-            cp "target/${{ matrix.target }}/release/${binary}.exe" "$output_dir/${binary}.exe"
-          done
+          if [[ "${{ matrix.bundle }}" == "primary" ]]; then
+            cp target/${{ matrix.target }}/release/codex.exe "$output_dir/codex.exe"
+            cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$output_dir/codex-responses-api-proxy.exe"
+          else
+            cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$output_dir/codex-windows-sandbox-setup.exe"
+            cp target/${{ matrix.target }}/release/codex-command-runner.exe "$output_dir/codex-command-runner.exe"
+          fi
 
       - name: Upload Windows binaries
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
@@ -144,8 +130,6 @@ jobs:
     defaults:
       run:
         working-directory: codex-rs
-    env:
-      WINDOWS_BINARIES: "codex codex-responses-api-proxy codex-windows-sandbox-setup codex-command-runner codex-app-server"
 
     strategy:
       fail-fast: false
@@ -177,25 +161,19 @@ jobs:
           name: windows-binaries-${{ matrix.target }}-helpers
           path: codex-rs/target/${{ matrix.target }}/release
 
-      - name: Download prebuilt Windows app-server binary
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
-        with:
-          name: windows-binaries-${{ matrix.target }}-app-server
-          path: codex-rs/target/${{ matrix.target }}/release
-
       - name: Verify binaries
         shell: bash
         run: |
           set -euo pipefail
-          for binary in ${WINDOWS_BINARIES}; do
-            ls -lh "target/${{ matrix.target }}/release/${binary}.exe"
-          done
+          ls -lh target/${{ matrix.target }}/release/codex.exe
+          ls -lh target/${{ matrix.target }}/release/codex-responses-api-proxy.exe
+          ls -lh target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe
+          ls -lh target/${{ matrix.target }}/release/codex-command-runner.exe
 
       - name: Sign Windows binaries with Azure Trusted Signing
         uses: ./.github/actions/windows-code-sign
         with:
           target: ${{ matrix.target }}
-          binaries: ${{ env.WINDOWS_BINARIES }}
           client-id: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TRUSTED_SIGNING_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID }}
@@ -209,10 +187,10 @@ jobs:
           dest="dist/${{ matrix.target }}"
           mkdir -p "$dest"
 
-          for binary in ${WINDOWS_BINARIES}; do
-            cp "target/${{ matrix.target }}/release/${binary}.exe" \
-              "$dest/${binary}-${{ matrix.target }}.exe"
-          done
+          cp target/${{ matrix.target }}/release/codex.exe "$dest/codex-${{ matrix.target }}.exe"
+          cp target/${{ matrix.target }}/release/codex-responses-api-proxy.exe "$dest/codex-responses-api-proxy-${{ matrix.target }}.exe"
+          cp target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe "$dest/codex-windows-sandbox-setup-${{ matrix.target }}.exe"
+          cp target/${{ matrix.target }}/release/codex-command-runner.exe "$dest/codex-command-runner-${{ matrix.target }}.exe"
 
       - name: Install DotSlash
         uses: facebook/install-dotslash@1e4e7b3e07eaca387acb98f1d4720e0bee8dbb6a # v2

.github/workflows/rust-release.yml

@@ -47,7 +47,7 @@ jobs:
 
   build:
     needs: tag-check
-    name: Build - ${{ matrix.runner }} - ${{ matrix.target }} - ${{ matrix.bundle }}
+    name: Build - ${{ matrix.runner }} - ${{ matrix.target }}
     runs-on: ${{ matrix.runs_on || matrix.runner }}
     timeout-minutes: 60
     permissions:
@@ -67,53 +67,16 @@ jobs:
         include:
           - runner: macos-15-xlarge
             target: aarch64-apple-darwin
-            bundle: primary
-            artifact_name: aarch64-apple-darwin
-            binaries: "codex codex-responses-api-proxy"
-            build_dmg: "true"
-          - runner: macos-15-xlarge
-            target: aarch64-apple-darwin
-            bundle: app-server
-            artifact_name: aarch64-apple-darwin-app-server
-            binaries: "codex-app-server"
-            build_dmg: "false"
           - runner: macos-15-xlarge
             target: x86_64-apple-darwin
-            bundle: primary
-            artifact_name: x86_64-apple-darwin
-            binaries: "codex codex-responses-api-proxy"
-            build_dmg: "true"
-          - runner: macos-15-xlarge
-            target: x86_64-apple-darwin
-            bundle: app-server
-            artifact_name: x86_64-apple-darwin-app-server
-            binaries: "codex-app-server"
-            build_dmg: "false"
-          # Release artifacts intentionally ship MUSL-linked Linux binaries.
           - runner: ubuntu-24.04
             target: x86_64-unknown-linux-musl
-            bundle: primary
-            artifact_name: x86_64-unknown-linux-musl
-            binaries: "codex codex-responses-api-proxy"
-            build_dmg: "false"
           - runner: ubuntu-24.04
-            target: x86_64-unknown-linux-musl
-            bundle: app-server
-            artifact_name: x86_64-unknown-linux-musl-app-server
-            binaries: "codex-app-server"
-            build_dmg: "false"
+            target: x86_64-unknown-linux-gnu
           - runner: ubuntu-24.04-arm
             target: aarch64-unknown-linux-musl
-            bundle: primary
-            artifact_name: aarch64-unknown-linux-musl
-            binaries: "codex codex-responses-api-proxy"
-            build_dmg: "false"
           - runner: ubuntu-24.04-arm
-            target: aarch64-unknown-linux-musl
-            bundle: app-server
-            artifact_name: aarch64-unknown-linux-musl-app-server
-            binaries: "codex-app-server"
-            build_dmg: "false"
+            target: aarch64-unknown-linux-gnu
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -256,17 +219,13 @@ jobs:
       - name: Cargo build
         shell: bash
         run: |
-          build_args=()
-          for binary in ${{ matrix.binaries }}; do
-            build_args+=(--bin "$binary")
-          done
           echo "CARGO_PROFILE_RELEASE_LTO: ${CARGO_PROFILE_RELEASE_LTO}"
-          cargo build --target ${{ matrix.target }} --release --timings "${build_args[@]}"
+          cargo build --target ${{ matrix.target }} --release --timings --bin codex --bin codex-responses-api-proxy
 
       - name: Upload Cargo timings
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
-          name: cargo-timings-rust-release-${{ matrix.target }}-${{ matrix.bundle }}
+          name: cargo-timings-rust-release-${{ matrix.target }}
           path: codex-rs/target/**/cargo-timings/cargo-timing.html
           if-no-files-found: warn
 
@@ -276,14 +235,12 @@ jobs:
         with:
           target: ${{ matrix.target }}
           artifacts-dir: ${{ github.workspace }}/codex-rs/target/${{ matrix.target }}/release
-          binaries: ${{ matrix.binaries }}
 
       - if: ${{ runner.os == 'macOS' }}
         name: MacOS code signing (binaries)
         uses: ./.github/actions/macos-code-sign
         with:
           target: ${{ matrix.target }}
-          binaries: ${{ matrix.binaries }}
           sign-binaries: "true"
           sign-dmg: "false"
           apple-certificate: ${{ secrets.APPLE_CERTIFICATE_P12 }}
@@ -292,7 +249,7 @@ jobs:
           apple-notarization-key-id: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }}
           apple-notarization-issuer-id: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}
 
-      - if: ${{ runner.os == 'macOS' && matrix.build_dmg == 'true' }}
+      - if: ${{ runner.os == 'macOS' }}
         name: Build macOS dmg
         shell: bash
         run: |
@@ -307,17 +264,23 @@ jobs:
           # The previous "MacOS code signing (binaries)" step signs + notarizes the
           # built artifacts in `${release_dir}`. This step packages *those same*
           # signed binaries into a dmg.
+          codex_binary_path="${release_dir}/codex"
+          proxy_binary_path="${release_dir}/codex-responses-api-proxy"
+
           rm -rf "$dmg_root"
           mkdir -p "$dmg_root"
 
-          for binary in ${{ matrix.binaries }}; do
-            binary_path="${release_dir}/${binary}"
-            if [[ ! -f "${binary_path}" ]]; then
-              echo "Binary ${binary_path} not found"
-              exit 1
-            fi
-            ditto "${binary_path}" "${dmg_root}/${binary}"
-          done
+          if [[ ! -f "$codex_binary_path" ]]; then
+            echo "Binary $codex_binary_path not found"
+            exit 1
+          fi
+          if [[ ! -f "$proxy_binary_path" ]]; then
+            echo "Binary $proxy_binary_path not found"
+            exit 1
+          fi
+
+          ditto "$codex_binary_path" "${dmg_root}/codex"
+          ditto "$proxy_binary_path" "${dmg_root}/codex-responses-api-proxy"
 
           rm -f "$dmg_path"
           hdiutil create \
@@ -332,7 +295,7 @@ jobs:
             exit 1
           fi
 
-      - if: ${{ runner.os == 'macOS' && matrix.build_dmg == 'true' }}
+      - if: ${{ runner.os == 'macOS' }}
         name: MacOS code signing (dmg)
         uses: ./.github/actions/macos-code-sign
         with:
@@ -351,15 +314,15 @@ jobs:
           dest="dist/${{ matrix.target }}"
           mkdir -p "$dest"
 
-          for binary in ${{ matrix.binaries }}; do
-            cp "target/${{ matrix.target }}/release/${binary}" "$dest/${binary}-${{ matrix.target }}"
-            if [[ "${{ matrix.target }}" == *linux* ]]; then
-              cp "target/${{ matrix.target }}/release/${binary}.sigstore" \
-                "$dest/${binary}-${{ matrix.target }}.sigstore"
-            fi
-          done
+          cp target/${{ matrix.target }}/release/codex "$dest/codex-${{ matrix.target }}"
+          cp target/${{ matrix.target }}/release/codex-responses-api-proxy "$dest/codex-responses-api-proxy-${{ matrix.target }}"
 
-          if [[ "${{ matrix.build_dmg }}" == "true" ]]; then
+          if [[ "${{ matrix.target }}" == *linux* ]]; then
+            cp target/${{ matrix.target }}/release/codex.sigstore "$dest/codex-${{ matrix.target }}.sigstore"
+            cp target/${{ matrix.target }}/release/codex-responses-api-proxy.sigstore "$dest/codex-responses-api-proxy-${{ matrix.target }}.sigstore"
+          fi
+
+          if [[ "${{ matrix.target }}" == *apple-darwin ]]; then
             cp target/${{ matrix.target }}/release/codex-${{ matrix.target }}.dmg "$dest/codex-${{ matrix.target }}.dmg"
           fi
 
@@ -401,7 +364,7 @@ jobs:
 
       - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
-          name: ${{ matrix.artifact_name }}
+          name: ${{ matrix.target }}
           # Upload the per-binary .zst files as well as the new .tar.gz
           # equivalents we generated in the previous step.
           path: |

.gitignore

@@ -52,7 +52,6 @@ yarn-error.log*
 # env
 .env*
 !.env.example
-.venv/
 
 # package
 *.tgz
@@ -92,3 +91,4 @@ CHANGELOG.ignore.md
 # Python bytecode files
 __pycache__/
 *.pyc
+

NOTICE

@@ -4,3 +4,6 @@ Copyright 2025 OpenAI
 This project includes code derived from [Ratatui](https://github.com/ratatui/ratatui), licensed under the MIT license.
 Copyright (c) 2016-2022 Florian Dehau
 Copyright (c) 2023-2025 The Ratatui Developers
+
+This project includes Meriyah parser assets from [meriyah](https://github.com/meriyah/meriyah), licensed under the ISC license.
+Copyright (c) 2019 and later, KFlash and others.

codex-cli/.dockerignore

@@ -0,0 +1 @@
+node_modules/

codex-cli/Dockerfile

@@ -0,0 +1,59 @@
+FROM node:24-slim
+
+ARG TZ
+ENV TZ="$TZ"
+
+# Install basic development tools, ca-certificates, and iptables/ipset, then clean up apt cache to reduce image size
+RUN apt-get update && apt-get install -y --no-install-recommends \
+  aggregate \
+  ca-certificates \
+  curl \
+  dnsutils \
+  fzf \
+  gh \
+  git \
+  gnupg2 \
+  iproute2 \
+  ipset \
+  iptables \
+  jq \
+  less \
+  man-db \
+  procps \
+  unzip \
+  ripgrep \
+  zsh \
+  && rm -rf /var/lib/apt/lists/*
+
+# Ensure default node user has access to /usr/local/share
+RUN mkdir -p /usr/local/share/npm-global && \
+  chown -R node:node /usr/local/share
+
+ARG USERNAME=node
+
+# Set up non-root user
+USER node
+
+# Install global packages
+ENV NPM_CONFIG_PREFIX=/usr/local/share/npm-global
+ENV PATH=$PATH:/usr/local/share/npm-global/bin
+
+# Install codex
+COPY dist/codex.tgz codex.tgz
+RUN npm install -g codex.tgz \
+  && npm cache clean --force \
+  && rm -rf /usr/local/share/npm-global/lib/node_modules/codex-cli/node_modules/.cache \
+  && rm -rf /usr/local/share/npm-global/lib/node_modules/codex-cli/tests \
+  && rm -rf /usr/local/share/npm-global/lib/node_modules/codex-cli/docs
+
+# Inside the container we consider the environment already sufficiently locked
+# down, therefore instruct Codex CLI to allow running without sandboxing.
+ENV CODEX_UNSAFE_ALLOW_NO_SANDBOX=1
+
+# Copy and set up firewall script as root.
+USER root
+COPY scripts/init_firewall.sh /usr/local/bin/
+RUN chmod 500 /usr/local/bin/init_firewall.sh
+
+# Drop back to non-root.
+USER node

codex-cli/package.json

@@ -18,5 +18,5 @@
     "url": "git+https://github.com/openai/codex.git",
     "directory": "codex-cli"
   },
-  "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319"
+  "packageManager": "pnpm@10.29.3+sha512.498e1fb4cca5aa06c1dcf2611e6fafc50972ffe7189998c409e90de74566444298ffe43e6cd2acdc775ba1aa7cc5e092a8b7054c811ba8c5770f84693d33d2dc"
 }

codex-cli/scripts/build_container.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -euo pipefail
+
+SCRIPT_DIR=$(realpath "$(dirname "$0")")
+trap "popd >> /dev/null" EXIT
+pushd "$SCRIPT_DIR/.." >> /dev/null || {
+  echo "Error: Failed to change directory to $SCRIPT_DIR/.."
+  exit 1
+}
+pnpm install
+pnpm run build
+rm -rf ./dist/openai-codex-*.tgz
+pnpm pack --pack-destination ./dist
+mv ./dist/openai-codex-*.tgz ./dist/codex.tgz
+docker build -t codex -f "./Dockerfile" .

codex-rs/BUILD.bazel

@@ -1,5 +1,6 @@
 exports_files([
     "clippy.toml",
+    "node-version.txt",
 ])
 
 filegroup(

codex-rs/Cargo.lock

@@ -1773,7 +1773,6 @@ dependencies = [
  "codex-app-server-protocol",
  "codex-git-utils",
  "codex-login",
- "codex-model-provider",
  "codex-plugin",
  "codex-protocol",
  "codex-utils-absolute-path",
@@ -1841,7 +1840,6 @@ dependencies = [
  "chrono",
  "clap",
  "codex-analytics",
- "codex-api",
  "codex-app-server-protocol",
  "codex-arg0",
  "codex-backend-client",
@@ -1858,10 +1856,10 @@ dependencies = [
  "codex-git-utils",
  "codex-login",
  "codex-mcp",
- "codex-model-provider",
  "codex-model-provider-info",
  "codex-models-manager",
  "codex-otel",
+ "codex-plugin",
  "codex-protocol",
  "codex-rmcp-client",
  "codex-rollout",
@@ -1870,7 +1868,6 @@ dependencies = [
  "codex-state",
  "codex-thread-store",
  "codex-tools",
- "codex-uds",
  "codex-utils-absolute-path",
  "codex-utils-cargo-bin",
  "codex-utils-cli",
@@ -2048,11 +2045,9 @@ name = "codex-backend-client"
 version = "0.0.0"
 dependencies = [
  "anyhow",
- "codex-api",
  "codex-backend-openapi-models",
  "codex-client",
  "codex-login",
- "codex-model-provider",
  "codex-protocol",
  "pretty_assertions",
  "reqwest",
@@ -2076,11 +2071,11 @@ dependencies = [
  "anyhow",
  "clap",
  "codex-app-server-protocol",
+ "codex-config",
  "codex-connectors",
  "codex-core",
  "codex-git-utils",
  "codex-login",
- "codex-model-provider",
  "codex-utils-cargo-bin",
  "codex-utils-cli",
  "pretty_assertions",
@@ -2108,7 +2103,6 @@ dependencies = [
  "codex-cloud-tasks",
  "codex-config",
  "codex-core",
- "codex-core-plugins",
  "codex-exec",
  "codex-exec-server",
  "codex-execpolicy",
@@ -2121,7 +2115,6 @@ dependencies = [
  "codex-protocol",
  "codex-responses-api-proxy",
  "codex-rmcp-client",
- "codex-rollout-trace",
  "codex-sandboxing",
  "codex-state",
  "codex-stdio-to-uds",
@@ -2209,6 +2202,7 @@ version = "0.0.0"
 dependencies = [
  "anyhow",
  "async-trait",
+ "base64 0.22.1",
  "chrono",
  "clap",
  "codex-client",
@@ -2217,7 +2211,6 @@ dependencies = [
  "codex-core",
  "codex-git-utils",
  "codex-login",
- "codex-model-provider",
  "codex-tui",
  "codex-utils-cli",
  "crossterm",
@@ -2242,7 +2235,6 @@ dependencies = [
  "anyhow",
  "async-trait",
  "chrono",
- "codex-api",
  "codex-backend-client",
  "codex-git-utils",
  "serde",
@@ -2301,7 +2293,6 @@ dependencies = [
  "libc",
  "multimap",
  "pretty_assertions",
- "prost 0.14.3",
  "schemars 0.8.22",
  "serde",
  "serde_json",
@@ -2310,12 +2301,8 @@ dependencies = [
  "tempfile",
  "thiserror 2.0.18",
  "tokio",
- "tokio-stream",
  "toml 0.9.11+spec-1.1.0",
  "toml_edit 0.24.0+spec-1.1.0",
- "tonic",
- "tonic-prost",
- "tonic-prost-build",
  "tracing",
  "wildmatch",
  "winapi-util",
@@ -2452,6 +2439,7 @@ dependencies = [
  "whoami",
  "windows-sys 0.52.0",
  "wiremock",
+ "zip 2.4.2",
  "zstd 0.13.3",
 ]
 
@@ -2459,7 +2447,6 @@ dependencies = [
 name = "codex-core-plugins"
 version = "0.0.0"
 dependencies = [
- "anyhow",
  "chrono",
  "codex-app-server-protocol",
  "codex-config",
@@ -2467,14 +2454,11 @@ dependencies = [
  "codex-exec-server",
  "codex-git-utils",
  "codex-login",
- "codex-model-provider",
- "codex-otel",
  "codex-plugin",
  "codex-protocol",
  "codex-utils-absolute-path",
  "codex-utils-plugins",
  "dirs",
- "libc",
  "pretty_assertions",
  "reqwest",
  "serde",
@@ -2485,8 +2469,6 @@ dependencies = [
  "toml 0.9.11+spec-1.1.0",
  "tracing",
  "url",
- "wiremock",
- "zip 2.4.2",
 ]
 
 [[package]]
@@ -2499,7 +2481,6 @@ dependencies = [
  "codex-config",
  "codex-exec-server",
  "codex-login",
- "codex-model-provider",
  "codex-otel",
  "codex-protocol",
  "codex-skills",
@@ -2536,7 +2517,6 @@ dependencies = [
 name = "codex-device-key"
 version = "0.0.0"
 dependencies = [
- "async-trait",
  "base64 0.22.1",
  "p256",
  "pretty_assertions",
@@ -2544,7 +2524,6 @@ dependencies = [
  "serde",
  "serde_json",
  "thiserror 2.0.18",
- "tokio",
  "url",
 ]
 
@@ -2600,9 +2579,7 @@ dependencies = [
  "arc-swap",
  "async-trait",
  "base64 0.22.1",
- "bytes",
  "codex-app-server-protocol",
- "codex-client",
  "codex-config",
  "codex-protocol",
  "codex-sandboxing",
@@ -2612,7 +2589,6 @@ dependencies = [
  "ctor 0.6.3",
  "futures",
  "pretty_assertions",
- "reqwest",
  "serde",
  "serde_json",
  "serial_test",
@@ -2621,7 +2597,6 @@ dependencies = [
  "thiserror 2.0.18",
  "tokio",
  "tokio-tungstenite",
- "tokio-util",
  "tracing",
  "uuid",
 ]
@@ -2860,12 +2835,10 @@ version = "0.0.0"
 dependencies = [
  "anyhow",
  "async-channel",
- "codex-api",
  "codex-async-utils",
  "codex-config",
  "codex-exec-server",
  "codex-login",
- "codex-model-provider",
  "codex-otel",
  "codex-plugin",
  "codex-protocol",
@@ -2925,23 +2898,14 @@ name = "codex-model-provider"
 version = "0.0.0"
 dependencies = [
  "async-trait",
- "codex-agent-identity",
  "codex-api",
  "codex-aws-auth",
  "codex-client",
- "codex-feedback",
  "codex-login",
  "codex-model-provider-info",
- "codex-models-manager",
- "codex-otel",
  "codex-protocol",
- "codex-response-debug-context",
  "http 1.4.0",
  "pretty_assertions",
- "serde_json",
- "tokio",
- "tracing",
- "wiremock",
 ]
 
 [[package]]
@@ -2965,21 +2929,32 @@ dependencies = [
 name = "codex-models-manager"
 version = "0.0.0"
 dependencies = [
- "async-trait",
+ "base64 0.22.1",
  "chrono",
+ "codex-api",
  "codex-app-server-protocol",
  "codex-collaboration-mode-templates",
+ "codex-config",
+ "codex-feedback",
  "codex-login",
+ "codex-model-provider",
+ "codex-model-provider-info",
  "codex-otel",
  "codex-protocol",
+ "codex-response-debug-context",
+ "codex-utils-absolute-path",
  "codex-utils-output-truncation",
  "codex-utils-template",
+ "core_test_support",
+ "http 1.4.0",
  "pretty_assertions",
  "serde",
  "serde_json",
  "tempfile",
  "tokio",
  "tracing",
+ "tracing-subscriber",
+ "wiremock",
 ]
 
 [[package]]
@@ -3164,8 +3139,6 @@ version = "0.0.0"
 dependencies = [
  "anyhow",
  "axum",
- "bytes",
- "codex-api",
  "codex-client",
  "codex-config",
  "codex-exec-server",
@@ -3225,7 +3198,6 @@ name = "codex-rollout-trace"
 version = "0.0.0"
 dependencies = [
  "anyhow",
- "codex-code-mode",
  "codex-protocol",
  "pretty_assertions",
  "serde",
@@ -3399,7 +3371,6 @@ dependencies = [
  "tonic",
  "tonic-prost",
  "tonic-prost-build",
- "tracing",
  "uuid",
 ]
 
@@ -3439,7 +3410,6 @@ dependencies = [
  "codex-cloud-requirements",
  "codex-config",
  "codex-connectors",
- "codex-core-plugins",
  "codex-core-skills",
  "codex-exec-server",
  "codex-features",

codex-rs/README.md

@@ -94,7 +94,7 @@ In `workspace-write`, Codex also includes `~/.codex/memories` in its writable ro
 
 This folder is the root of a Cargo workspace. It contains quite a bit of experimental code, but here are the key crates:
 
-- [`core/`](./core) contains the business logic for Codex. Ultimately, we hope this becomes a library crate that is generally useful for building other Rust/native applications that use Codex.
+- [`core/`](./core) contains the business logic for Codex. Ultimately, we hope this to be a library crate that is generally useful for building other Rust/native applications that use Codex.
 - [`exec/`](./exec) "headless" CLI for use in automation.
 - [`tui/`](./tui) CLI that launches a fullscreen TUI built with [Ratatui](https://ratatui.rs/).
 - [`cli/`](./cli) CLI multitool that provides the aforementioned CLIs via subcommands.

codex-rs/analytics/Cargo.toml

@@ -16,7 +16,6 @@ workspace = true
 codex-app-server-protocol = { workspace = true }
 codex-git-utils = { workspace = true }
 codex-login = { workspace = true }
-codex-model-provider = { workspace = true }
 codex-plugin = { workspace = true }
 codex-protocol = { workspace = true }
 os_info = { workspace = true }

codex-rs/analytics/src/analytics_client_tests.rs

@@ -161,7 +161,11 @@ fn sample_thread_start_response(thread_id: &str, ephemeral: bool, model: &str) -
 }
 
 fn sample_permission_profile() -> AppServerPermissionProfile {
-    CorePermissionProfile::from_legacy_sandbox_policy(&SandboxPolicy::DangerFullAccess).into()
+    CorePermissionProfile::from_legacy_sandbox_policy(
+        &SandboxPolicy::DangerFullAccess,
+        &test_path_buf("/tmp"),
+    )
+    .into()
 }
 
 fn sample_app_server_client_metadata() -> CodexAppServerClientMetadata {
@@ -320,7 +324,7 @@ fn sample_turn_resolved_config(turn_id: &str) -> TurnResolvedConfigFact {
         reasoning_summary: None,
         service_tier: None,
         approval_policy: AskForApproval::OnRequest,
-        approvals_reviewer: ApprovalsReviewer::AutoReview,
+        approvals_reviewer: ApprovalsReviewer::GuardianSubagent,
         sandbox_network_access: true,
         collaboration_mode: ModeKind::Plan,
         personality: None,
@@ -1330,7 +1334,7 @@ fn subagent_thread_started_other_serializes_explicit_parent_thread_id() {
         },
     ));
 
-    let payload = serde_json::to_value(&event).expect("serialize auto-review subagent event");
+    let payload = serde_json::to_value(&event).expect("serialize guardian subagent event");
     assert_eq!(payload["event_params"]["subagent_source"], "guardian");
     assert_eq!(
         payload["event_params"]["parent_thread_id"],
@@ -1754,7 +1758,7 @@ fn turn_event_serializes_expected_shape() {
             reasoning_summary: Some("detailed".to_string()),
             service_tier: "flex".to_string(),
             approval_policy: "on-request".to_string(),
-            approvals_reviewer: "auto_review".to_string(),
+            approvals_reviewer: "guardian_subagent".to_string(),
             sandbox_network_access: true,
             collaboration_mode: Some("plan"),
             personality: Some("pragmatic".to_string()),
@@ -1815,7 +1819,7 @@ fn turn_event_serializes_expected_shape() {
                 "reasoning_summary": "detailed",
                 "service_tier": "flex",
                 "approval_policy": "on-request",
-                "approvals_reviewer": "auto_review",
+                "approvals_reviewer": "guardian_subagent",
                 "sandbox_network_access": true,
                 "collaboration_mode": "plan",
                 "personality": "pragmatic",

codex-rs/analytics/src/client.rs

@@ -312,9 +312,16 @@ async fn send_track_events(
     let Some(auth) = auth_manager.auth().await else {
         return;
     };
-    if !auth.uses_codex_backend() {
+    if !auth.is_chatgpt_auth() {
         return;
     }
+    let access_token = match auth.get_token() {
+        Ok(token) => token,
+        Err(_) => return,
+    };
+    let Some(account_id) = auth.get_account_id() else {
+        return;
+    };
 
     let base_url = base_url.trim_end_matches('/');
     let url = format!("{base_url}/codex/analytics-events/events");
@@ -323,7 +330,8 @@ async fn send_track_events(
     let response = create_client()
         .post(&url)
         .timeout(ANALYTICS_EVENTS_TIMEOUT)
-        .headers(codex_model_provider::auth_provider_from_auth(&auth).to_auth_headers())
+        .bearer_auth(&access_token)
+        .header("chatgpt-account-id", &account_id)
         .header("Content-Type", "application/json")
         .json(&payload)
         .send()

codex-rs/analytics/src/events.rs

@@ -23,7 +23,7 @@ use codex_app_server_protocol::CodexErrorInfo;
 use codex_login::default_client::originator;
 use codex_plugin::PluginTelemetryMetadata;
 use codex_protocol::approvals::NetworkApprovalProtocol;
-use codex_protocol::models::AdditionalPermissionProfile;
+use codex_protocol::models::PermissionProfile;
 use codex_protocol::models::SandboxPermissions;
 use codex_protocol::protocol::GuardianAssessmentOutcome;
 use codex_protocol::protocol::GuardianCommandSource;
@@ -180,17 +180,17 @@ pub enum GuardianApprovalRequestSource {
 pub enum GuardianReviewedAction {
     Shell {
         sandbox_permissions: SandboxPermissions,
-        additional_permissions: Option<AdditionalPermissionProfile>,
+        additional_permissions: Option<PermissionProfile>,
     },
     UnifiedExec {
         sandbox_permissions: SandboxPermissions,
-        additional_permissions: Option<AdditionalPermissionProfile>,
+        additional_permissions: Option<PermissionProfile>,
         tty: bool,
     },
     Execve {
         source: GuardianCommandSource,
         program: String,
-        additional_permissions: Option<AdditionalPermissionProfile>,
+        additional_permissions: Option<PermissionProfile>,
     },
     ApplyPatch {},
     NetworkAccess {

codex-rs/app-server-client/src/lib.rs

@@ -42,8 +42,6 @@ use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::ServerRequest;
 use codex_arg0::Arg0DispatchPaths;
 use codex_config::NoopThreadConfigLoader;
-use codex_config::RemoteThreadConfigLoader;
-use codex_config::ThreadConfigLoader;
 use codex_core::config::Config;
 use codex_core::config_loader::CloudRequirementsLoader;
 use codex_core::config_loader::LoaderOverrides;
@@ -100,7 +98,7 @@ pub mod legacy_core {
     }
 
     pub mod plugins {
-        pub use codex_core::plugins::PluginsManager;
+        pub use codex_core::plugins::*;
     }
 
     pub mod review_format {
@@ -359,13 +357,6 @@ pub struct InProcessClientStartArgs {
     pub channel_capacity: usize,
 }
 
-fn configured_thread_config_loader(config: &Config) -> Arc<dyn ThreadConfigLoader> {
-    match config.experimental_thread_config_endpoint.as_deref() {
-        Some(endpoint) => Arc::new(RemoteThreadConfigLoader::new(endpoint)),
-        None => Arc::new(NoopThreadConfigLoader),
-    }
-}
-
 impl InProcessClientStartArgs {
     /// Builds initialize params from caller-provided metadata.
     pub fn initialize_params(&self) -> InitializeParams {
@@ -390,14 +381,13 @@ impl InProcessClientStartArgs {
 
     fn into_runtime_start_args(self) -> InProcessStartArgs {
         let initialize = self.initialize_params();
-        let thread_config_loader = configured_thread_config_loader(&self.config);
         InProcessStartArgs {
             arg0_paths: self.arg0_paths,
             config: self.config,
             cli_overrides: self.cli_overrides,
             loader_overrides: self.loader_overrides,
             cloud_requirements: self.cloud_requirements,
-            thread_config_loader,
+            thread_config_loader: Arc::new(NoopThreadConfigLoader),
             feedback: self.feedback,
             log_db: self.log_db,
             environment_manager: self.environment_manager,
@@ -2023,42 +2013,6 @@ mod tests {
         );
     }
 
-    #[tokio::test]
-    async fn runtime_start_args_use_remote_thread_config_loader_when_configured() {
-        let mut config = build_test_config().await;
-        config.experimental_thread_config_endpoint = Some("not-a-valid-endpoint".to_string());
-
-        let runtime_args = InProcessClientStartArgs {
-            arg0_paths: Arg0DispatchPaths::default(),
-            config: Arc::new(config),
-            cli_overrides: Vec::new(),
-            loader_overrides: LoaderOverrides::default(),
-            cloud_requirements: CloudRequirementsLoader::default(),
-            feedback: CodexFeedback::new(),
-            log_db: None,
-            environment_manager: Arc::new(EnvironmentManager::default_for_tests()),
-            config_warnings: Vec::new(),
-            session_source: SessionSource::Exec,
-            enable_codex_api_key_env: false,
-            client_name: "codex-app-server-client-test".to_string(),
-            client_version: "0.0.0-test".to_string(),
-            experimental_api: true,
-            opt_out_notification_methods: Vec::new(),
-            channel_capacity: DEFAULT_IN_PROCESS_CHANNEL_CAPACITY,
-        }
-        .into_runtime_start_args();
-
-        let err = runtime_args
-            .thread_config_loader
-            .load(Default::default())
-            .await
-            .expect_err("configured remote loader should try to connect");
-        assert_eq!(
-            err.code(),
-            codex_config::ThreadConfigLoadErrorCode::RequestFailed
-        );
-    }
-
     #[tokio::test]
     async fn shutdown_completes_promptly_without_retained_managers() {
         let client = start_test_client(SessionSource::Cli).await;

codex-rs/app-server-protocol/schema/json/ClientRequest.json

@@ -13,10 +13,9 @@
       "type": "string"
     },
     "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
       "enum": [
         "user",
-        "auto_review",
         "guardian_subagent"
       ],
       "type": "string"
@@ -172,7 +171,7 @@
       "type": "object"
     },
     "CommandExecParams": {
-      "description": "Run a standalone command (argv vector) in the server sandbox without creating a thread or turn.\n\nThe final `command/exec` response is deferred until the process exits and is sent only after all `command/exec/outputDelta` notifications for that connection have been emitted.",
+      "description": "Run a standalone command (argv vector) without creating a thread or turn.\n\nThe final `command/exec` response is deferred until the process exits and is sent only after all `command/exec/outputDelta` notifications for that connection have been emitted.",
       "properties": {
         "command": {
           "description": "Command argv vector. Empty arrays are rejected.",
@@ -218,17 +217,6 @@
             "null"
           ]
         },
-        "permissionProfile": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PermissionProfile"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Optional full permissions profile for this command.\n\nDefaults to the user's configured permissions when omitted. Cannot be combined with `sandboxPolicy`."
-        },
         "processId": {
           "description": "Optional client-supplied, connection-scoped process id.\n\nRequired for `tty`, `streamStdin`, `streamStdoutStderr`, and follow-up `command/exec/write`, `command/exec/resize`, and `command/exec/terminate` calls. When omitted, buffered execution gets an internal id that is not exposed to the client.",
           "type": [
@@ -236,17 +224,6 @@
             "null"
           ]
         },
-        "sandboxPolicy": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/SandboxPolicy"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Optional sandbox policy for this command.\n\nUses the same shape as thread/turn execution sandbox configuration and defaults to the user's configured policy when omitted. Cannot be combined with `permissionProfile`."
-        },
         "size": {
           "anyOf": [
             {
@@ -909,217 +886,6 @@
       ],
       "type": "object"
     },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
     "FsCopyParams": {
       "description": "Copy a file or directory tree on the host filesystem.",
       "properties": {
@@ -1721,17 +1487,6 @@
       ],
       "type": "object"
     },
-    "MarketplaceUpgradeParams": {
-      "properties": {
-        "marketplaceName": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "type": "object"
-    },
     "McpResourceReadParams": {
       "properties": {
         "server": {
@@ -1891,135 +1646,6 @@
       ],
       "type": "string"
     },
-    "PermissionProfile": {
-      "oneOf": [
-        {
-          "description": "Codex owns sandbox construction for this profile.",
-          "properties": {
-            "fileSystem": {
-              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
-            },
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "managed"
-              ],
-              "title": "ManagedPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "fileSystem",
-            "network",
-            "type"
-          ],
-          "title": "ManagedPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Do not apply an outer sandbox.",
-          "properties": {
-            "type": {
-              "enum": [
-                "disabled"
-              ],
-              "title": "DisabledPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DisabledPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Filesystem isolation is enforced by an external caller.",
-          "properties": {
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "external"
-              ],
-              "title": "ExternalPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "network",
-            "type"
-          ],
-          "title": "ExternalPermissionProfile",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileFileSystemPermissions": {
-      "oneOf": [
-        {
-          "properties": {
-            "entries": {
-              "items": {
-                "$ref": "#/definitions/FileSystemSandboxEntry"
-              },
-              "type": "array"
-            },
-            "globScanMaxDepth": {
-              "format": "uint",
-              "minimum": 1.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "restricted"
-              ],
-              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "entries",
-            "type"
-          ],
-          "title": "RestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "unrestricted"
-              ],
-              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        }
-      },
-      "required": [
-        "enabled"
-      ],
-      "type": "object"
-    },
     "Personality": {
       "enum": [
         "none",
@@ -2126,6 +1752,53 @@
       ],
       "type": "object"
     },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
     "RealtimeOutputModality": {
       "enum": [
         "text",
@@ -3009,6 +2682,16 @@
         },
         {
           "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
             "networkAccess": {
               "default": false,
               "type": "boolean"
@@ -3065,6 +2748,16 @@
               "default": false,
               "type": "boolean"
             },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
             "type": {
               "enum": [
                 "workspaceWrite"
@@ -3327,10 +3020,6 @@
         "ephemeral": {
           "type": "boolean"
         },
-        "excludeTurns": {
-          "description": "When true, return only thread metadata and live fork state without populating `thread.turns`. This is useful when the client plans to call `thread/turns/list` immediately after forking.",
-          "type": "boolean"
-        },
         "model": {
           "description": "Configuration overrides for the forked thread, if any.",
           "type": [
@@ -3344,17 +3033,6 @@
             "null"
           ]
         },
-        "permissionProfile": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PermissionProfile"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Full permissions override for the forked thread. Cannot be combined with `sandbox`."
-        },
         "sandbox": {
           "anyOf": [
             {
@@ -3391,15 +3069,6 @@
       ],
       "type": "object"
     },
-    "ThreadGoalStatus": {
-      "enum": [
-        "active",
-        "paused",
-        "budgetLimited",
-        "complete"
-      ],
-      "type": "string"
-    },
     "ThreadInjectItemsParams": {
       "properties": {
         "items": {
@@ -3743,10 +3412,6 @@
             "null"
           ]
         },
-        "excludeTurns": {
-          "description": "When true, return only thread metadata and live-resume state without populating `thread.turns`. This is useful when the client plans to call `thread/turns/list` immediately after resuming.",
-          "type": "boolean"
-        },
         "model": {
           "description": "Configuration overrides for the resumed thread, if any.",
           "type": [
@@ -3760,17 +3425,6 @@
             "null"
           ]
         },
-        "permissionProfile": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PermissionProfile"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Full permissions override for the resumed thread. Cannot be combined with `sandbox`."
-        },
         "personality": {
           "anyOf": [
             {
@@ -3954,17 +3608,6 @@
             "null"
           ]
         },
-        "permissionProfile": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PermissionProfile"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Full permissions override for this thread. Cannot be combined with `sandbox`."
-        },
         "personality": {
           "anyOf": [
             {
@@ -4176,17 +3819,6 @@
         "outputSchema": {
           "description": "Optional JSON Schema used to constrain the final assistant message for this turn."
         },
-        "permissionProfile": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PermissionProfile"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Override the full permissions profile for this turn and subsequent turns. Cannot be combined with `sandboxPolicy`."
-        },
         "personality": {
           "anyOf": [
             {
@@ -4928,30 +4560,6 @@
       "title": "Marketplace/removeRequest",
       "type": "object"
     },
-    {
-      "properties": {
-        "id": {
-          "$ref": "#/definitions/RequestId"
-        },
-        "method": {
-          "enum": [
-            "marketplace/upgrade"
-          ],
-          "title": "Marketplace/upgradeRequestMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/MarketplaceUpgradeParams"
-        }
-      },
-      "required": [
-        "id",
-        "method",
-        "params"
-      ],
-      "title": "Marketplace/upgradeRequest",
-      "type": "object"
-    },
     {
       "properties": {
         "id": {

codex-rs/app-server-protocol/schema/json/CommandExecutionRequestApprovalParams.json

@@ -25,7 +25,6 @@
           ]
         },
         "read": {
-          "description": "This will be removed in favor of `entries`.",
           "items": {
             "$ref": "#/definitions/AbsolutePathBuf"
           },
@@ -35,7 +34,6 @@
           ]
         },
         "write": {
-          "description": "This will be removed in favor of `entries`.",
           "items": {
             "$ref": "#/definitions/AbsolutePathBuf"
           },
@@ -78,8 +76,7 @@
             {
               "type": "null"
             }
-          ],
-          "description": "Partial overlay used for per-command permission requests."
+          ]
         }
       },
       "type": "object"

codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalParams.json

@@ -25,7 +25,6 @@
           ]
         },
         "read": {
-          "description": "This will be removed in favor of `entries`.",
           "items": {
             "$ref": "#/definitions/AbsolutePathBuf"
           },
@@ -35,7 +34,6 @@
           ]
         },
         "write": {
-          "description": "This will be removed in favor of `entries`.",
           "items": {
             "$ref": "#/definitions/AbsolutePathBuf"
           },

codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalResponse.json

@@ -25,7 +25,6 @@
           ]
         },
         "read": {
-          "description": "This will be removed in favor of `entries`.",
           "items": {
             "$ref": "#/definitions/AbsolutePathBuf"
           },
@@ -35,7 +34,6 @@
           ]
         },
         "write": {
-          "description": "This will be removed in favor of `entries`.",
           "items": {
             "$ref": "#/definitions/AbsolutePathBuf"
           },
@@ -313,13 +311,6 @@
         }
       ],
       "default": "turn"
-    },
-    "strictAutoReview": {
-      "description": "Review every subsequent command in this turn before normal sandboxed execution.",
-      "type": [
-        "boolean",
-        "null"
-      ]
     }
   },
   "required": [

codex-rs/app-server-protocol/schema/json/ServerNotification.json

@@ -84,7 +84,6 @@
           ]
         },
         "read": {
-          "description": "This will be removed in favor of `entries`.",
           "items": {
             "$ref": "#/definitions/AbsolutePathBuf"
           },
@@ -94,7 +93,6 @@
           ]
         },
         "write": {
-          "description": "This will be removed in favor of `entries`.",
           "items": {
             "$ref": "#/definitions/AbsolutePathBuf"
           },
@@ -482,7 +480,6 @@
             "contextWindowExceeded",
             "usageLimitExceeded",
             "serverOverloaded",
-            "cyberPolicy",
             "internalServerError",
             "unauthorized",
             "badRequest",
@@ -1707,23 +1704,6 @@
       ],
       "type": "string"
     },
-    "GuardianWarningNotification": {
-      "properties": {
-        "message": {
-          "description": "Concise guardian warning message for the user.",
-          "type": "string"
-        },
-        "threadId": {
-          "description": "Thread target for the guardian warning.",
-          "type": "string"
-        }
-      },
-      "required": [
-        "message",
-        "threadId"
-      ],
-      "type": "object"
-    },
     "HookCompletedNotification": {
       "properties": {
         "run": {
@@ -2263,34 +2243,6 @@
       ],
       "type": "object"
     },
-    "ModelVerification": {
-      "enum": [
-        "trustedAccessForCyber"
-      ],
-      "type": "string"
-    },
-    "ModelVerificationNotification": {
-      "properties": {
-        "threadId": {
-          "type": "string"
-        },
-        "turnId": {
-          "type": "string"
-        },
-        "verifications": {
-          "items": {
-            "$ref": "#/definitions/ModelVerification"
-          },
-          "type": "array"
-        }
-      },
-      "required": [
-        "threadId",
-        "turnId",
-        "verifications"
-      ],
-      "type": "object"
-    },
     "NetworkApprovalProtocol": {
       "enum": [
         "http",
@@ -3028,93 +2980,6 @@
       ],
       "type": "object"
     },
-    "ThreadGoal": {
-      "properties": {
-        "createdAt": {
-          "format": "int64",
-          "type": "integer"
-        },
-        "objective": {
-          "type": "string"
-        },
-        "status": {
-          "$ref": "#/definitions/ThreadGoalStatus"
-        },
-        "threadId": {
-          "type": "string"
-        },
-        "timeUsedSeconds": {
-          "format": "int64",
-          "type": "integer"
-        },
-        "tokenBudget": {
-          "format": "int64",
-          "type": [
-            "integer",
-            "null"
-          ]
-        },
-        "tokensUsed": {
-          "format": "int64",
-          "type": "integer"
-        },
-        "updatedAt": {
-          "format": "int64",
-          "type": "integer"
-        }
-      },
-      "required": [
-        "createdAt",
-        "objective",
-        "status",
-        "threadId",
-        "timeUsedSeconds",
-        "tokensUsed",
-        "updatedAt"
-      ],
-      "type": "object"
-    },
-    "ThreadGoalClearedNotification": {
-      "properties": {
-        "threadId": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "threadId"
-      ],
-      "type": "object"
-    },
-    "ThreadGoalStatus": {
-      "enum": [
-        "active",
-        "paused",
-        "budgetLimited",
-        "complete"
-      ],
-      "type": "string"
-    },
-    "ThreadGoalUpdatedNotification": {
-      "properties": {
-        "goal": {
-          "$ref": "#/definitions/ThreadGoal"
-        },
-        "threadId": {
-          "type": "string"
-        },
-        "turnId": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "goal",
-        "threadId"
-      ],
-      "type": "object"
-    },
     "ThreadId": {
       "type": "string"
     },
@@ -4814,46 +4679,6 @@
       "title": "Thread/name/updatedNotification",
       "type": "object"
     },
-    {
-      "properties": {
-        "method": {
-          "enum": [
-            "thread/goal/updated"
-          ],
-          "title": "Thread/goal/updatedNotificationMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/ThreadGoalUpdatedNotification"
-        }
-      },
-      "required": [
-        "method",
-        "params"
-      ],
-      "title": "Thread/goal/updatedNotification",
-      "type": "object"
-    },
-    {
-      "properties": {
-        "method": {
-          "enum": [
-            "thread/goal/cleared"
-          ],
-          "title": "Thread/goal/clearedNotificationMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/ThreadGoalClearedNotification"
-        }
-      },
-      "required": [
-        "method",
-        "params"
-      ],
-      "title": "Thread/goal/clearedNotification",
-      "type": "object"
-    },
     {
       "properties": {
         "method": {
@@ -5497,26 +5322,6 @@
       "title": "Model/reroutedNotification",
       "type": "object"
     },
-    {
-      "properties": {
-        "method": {
-          "enum": [
-            "model/verification"
-          ],
-          "title": "Model/verificationNotificationMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/ModelVerificationNotification"
-        }
-      },
-      "required": [
-        "method",
-        "params"
-      ],
-      "title": "Model/verificationNotification",
-      "type": "object"
-    },
     {
       "properties": {
         "method": {
@@ -5537,26 +5342,6 @@
       "title": "WarningNotification",
       "type": "object"
     },
-    {
-      "properties": {
-        "method": {
-          "enum": [
-            "guardianWarning"
-          ],
-          "title": "GuardianWarningNotificationMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/GuardianWarningNotification"
-        }
-      },
-      "required": [
-        "method",
-        "params"
-      ],
-      "title": "GuardianWarningNotification",
-      "type": "object"
-    },
     {
       "properties": {
         "method": {

codex-rs/app-server-protocol/schema/json/ServerRequest.json

@@ -25,7 +25,6 @@
           ]
         },
         "read": {
-          "description": "This will be removed in favor of `entries`.",
           "items": {
             "$ref": "#/definitions/AbsolutePathBuf"
           },
@@ -35,7 +34,6 @@
           ]
         },
         "write": {
-          "description": "This will be removed in favor of `entries`.",
           "items": {
             "$ref": "#/definitions/AbsolutePathBuf"
           },
@@ -78,8 +76,7 @@
             {
               "type": "null"
             }
-          ],
-          "description": "Partial overlay used for per-command permission requests."
+          ]
         }
       },
       "type": "object"

codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json

@@ -46,22 +46,6 @@
           ],
           "title": "ChatgptAccount",
           "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "amazonBedrock"
-              ],
-              "title": "AmazonBedrockAccountType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "AmazonBedrockAccount",
-          "type": "object"
         }
       ]
     },
@@ -164,7 +148,6 @@
           ]
         },
         "read": {
-          "description": "This will be removed in favor of `entries`.",
           "items": {
             "$ref": "#/definitions/AbsolutePathBuf"
           },
@@ -174,7 +157,6 @@
           ]
         },
         "write": {
-          "description": "This will be removed in favor of `entries`.",
           "items": {
             "$ref": "#/definitions/AbsolutePathBuf"
           },
@@ -623,10 +605,9 @@
       "type": "object"
     },
     "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
       "enum": [
         "user",
-        "auto_review",
         "guardian_subagent"
       ],
       "type": "string"
@@ -1396,30 +1377,6 @@
           "title": "Marketplace/removeRequest",
           "type": "object"
         },
-        {
-          "properties": {
-            "id": {
-              "$ref": "#/definitions/RequestId"
-            },
-            "method": {
-              "enum": [
-                "marketplace/upgrade"
-              ],
-              "title": "Marketplace/upgradeRequestMethod",
-              "type": "string"
-            },
-            "params": {
-              "$ref": "#/definitions/MarketplaceUpgradeParams"
-            }
-          },
-          "required": [
-            "id",
-            "method",
-            "params"
-          ],
-          "title": "Marketplace/upgradeRequest",
-          "type": "object"
-        },
         {
           "properties": {
             "id": {
@@ -2607,7 +2564,6 @@
             "contextWindowExceeded",
             "usageLimitExceeded",
             "serverOverloaded",
-            "cyberPolicy",
             "internalServerError",
             "unauthorized",
             "badRequest",
@@ -3009,7 +2965,7 @@
     },
     "CommandExecParams": {
       "$schema": "http://json-schema.org/draft-07/schema#",
-      "description": "Run a standalone command (argv vector) in the server sandbox without creating a thread or turn.\n\nThe final `command/exec` response is deferred until the process exits and is sent only after all `command/exec/outputDelta` notifications for that connection have been emitted.",
+      "description": "Run a standalone command (argv vector) without creating a thread or turn.\n\nThe final `command/exec` response is deferred until the process exits and is sent only after all `command/exec/outputDelta` notifications for that connection have been emitted.",
       "properties": {
         "command": {
           "description": "Command argv vector. Empty arrays are rejected.",
@@ -3055,17 +3011,6 @@
             "null"
           ]
         },
-        "permissionProfile": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PermissionProfile"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Optional full permissions profile for this command.\n\nDefaults to the user's configured permissions when omitted. Cannot be combined with `sandboxPolicy`."
-        },
         "processId": {
           "description": "Optional client-supplied, connection-scoped process id.\n\nRequired for `tty`, `streamStdin`, `streamStdoutStderr`, and follow-up `command/exec/write`, `command/exec/resize`, and `command/exec/terminate` calls. When omitted, buffered execution gets an internal id that is not exposed to the client.",
           "type": [
@@ -3073,17 +3018,6 @@
             "null"
           ]
         },
-        "sandboxPolicy": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/SandboxPolicy"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Optional sandbox policy for this command.\n\nUses the same shape as thread/turn execution sandbox configuration and defaults to the user's configured policy when omitted. Cannot be combined with `permissionProfile`."
-        },
         "size": {
           "anyOf": [
             {
@@ -3959,100 +3893,6 @@
       "title": "ConfigWriteResponse",
       "type": "object"
     },
-    "ConfiguredHookHandler": {
-      "oneOf": [
-        {
-          "properties": {
-            "async": {
-              "type": "boolean"
-            },
-            "command": {
-              "type": "string"
-            },
-            "statusMessage": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "timeoutSec": {
-              "format": "uint64",
-              "minimum": 0.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "command"
-              ],
-              "title": "CommandConfiguredHookHandlerType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "async",
-            "command",
-            "type"
-          ],
-          "title": "CommandConfiguredHookHandler",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "prompt"
-              ],
-              "title": "PromptConfiguredHookHandlerType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "PromptConfiguredHookHandler",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "agent"
-              ],
-              "title": "AgentConfiguredHookHandlerType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "AgentConfiguredHookHandler",
-          "type": "object"
-        }
-      ]
-    },
-    "ConfiguredHookMatcherGroup": {
-      "properties": {
-        "hooks": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookHandler"
-          },
-          "type": "array"
-        },
-        "matcher": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "hooks"
-      ],
-      "type": "object"
-    },
     "ContentItem": {
       "oneOf": [
         {
@@ -6155,25 +5995,6 @@
       ],
       "type": "string"
     },
-    "GuardianWarningNotification": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "properties": {
-        "message": {
-          "description": "Concise guardian warning message for the user.",
-          "type": "string"
-        },
-        "threadId": {
-          "description": "Thread target for the guardian warning.",
-          "type": "string"
-        }
-      },
-      "required": [
-        "message",
-        "threadId"
-      ],
-      "title": "GuardianWarningNotification",
-      "type": "object"
-    },
     "HookCompletedNotification": {
       "$schema": "http://json-schema.org/draft-07/schema#",
       "properties": {
@@ -6901,67 +6722,6 @@
       "title": "LogoutAccountResponse",
       "type": "object"
     },
-    "ManagedHooksRequirements": {
-      "properties": {
-        "PermissionRequest": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "PostToolUse": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "PreToolUse": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "SessionStart": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "Stop": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "UserPromptSubmit": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "managedDir": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "windowsManagedDir": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "PermissionRequest",
-        "PostToolUse",
-        "PreToolUse",
-        "SessionStart",
-        "Stop",
-        "UserPromptSubmit"
-      ],
-      "type": "object"
-    },
     "MarketplaceAddParams": {
       "$schema": "http://json-schema.org/draft-07/schema#",
       "properties": {
@@ -7073,64 +6833,6 @@
       "title": "MarketplaceRemoveResponse",
       "type": "object"
     },
-    "MarketplaceUpgradeErrorInfo": {
-      "properties": {
-        "marketplaceName": {
-          "type": "string"
-        },
-        "message": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "marketplaceName",
-        "message"
-      ],
-      "type": "object"
-    },
-    "MarketplaceUpgradeParams": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "properties": {
-        "marketplaceName": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "title": "MarketplaceUpgradeParams",
-      "type": "object"
-    },
-    "MarketplaceUpgradeResponse": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "properties": {
-        "errors": {
-          "items": {
-            "$ref": "#/definitions/MarketplaceUpgradeErrorInfo"
-          },
-          "type": "array"
-        },
-        "selectedMarketplaces": {
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        },
-        "upgradedRoots": {
-          "items": {
-            "$ref": "#/definitions/AbsolutePathBuf"
-          },
-          "type": "array"
-        }
-      },
-      "required": [
-        "errors",
-        "selectedMarketplaces",
-        "upgradedRoots"
-      ],
-      "title": "MarketplaceUpgradeResponse",
-      "type": "object"
-    },
     "McpAuthStatus": {
       "enum": [
         "unsupported",
@@ -7740,36 +7442,6 @@
       ],
       "type": "object"
     },
-    "ModelVerification": {
-      "enum": [
-        "trustedAccessForCyber"
-      ],
-      "type": "string"
-    },
-    "ModelVerificationNotification": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "properties": {
-        "threadId": {
-          "type": "string"
-        },
-        "turnId": {
-          "type": "string"
-        },
-        "verifications": {
-          "items": {
-            "$ref": "#/definitions/ModelVerification"
-          },
-          "type": "array"
-        }
-      },
-      "required": [
-        "threadId",
-        "turnId",
-        "verifications"
-      ],
-      "title": "ModelVerificationNotification",
-      "type": "object"
-    },
     "NetworkAccess": {
       "enum": [
         "restricted",
@@ -8000,132 +7672,61 @@
       ]
     },
     "PermissionProfile": {
-      "oneOf": [
-        {
-          "description": "Codex owns sandbox construction for this profile.",
-          "properties": {
-            "fileSystem": {
+      "properties": {
+        "fileSystem": {
+          "anyOf": [
+            {
               "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
             },
-            "network": {
+            {
+              "type": "null"
+            }
+          ]
+        },
+        "network": {
+          "anyOf": [
+            {
               "$ref": "#/definitions/PermissionProfileNetworkPermissions"
             },
-            "type": {
-              "enum": [
-                "managed"
-              ],
-              "title": "ManagedPermissionProfileType",
-              "type": "string"
+            {
+              "type": "null"
             }
-          },
-          "required": [
-            "fileSystem",
-            "network",
-            "type"
-          ],
-          "title": "ManagedPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Do not apply an outer sandbox.",
-          "properties": {
-            "type": {
-              "enum": [
-                "disabled"
-              ],
-              "title": "DisabledPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DisabledPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Filesystem isolation is enforced by an external caller.",
-          "properties": {
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "external"
-              ],
-              "title": "ExternalPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "network",
-            "type"
-          ],
-          "title": "ExternalPermissionProfile",
-          "type": "object"
+          ]
         }
-      ]
+      },
+      "type": "object"
     },
     "PermissionProfileFileSystemPermissions": {
-      "oneOf": [
-        {
-          "properties": {
-            "entries": {
-              "items": {
-                "$ref": "#/definitions/FileSystemSandboxEntry"
-              },
-              "type": "array"
-            },
-            "globScanMaxDepth": {
-              "format": "uint",
-              "minimum": 1.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "restricted"
-              ],
-              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
+      "properties": {
+        "entries": {
+          "items": {
+            "$ref": "#/definitions/FileSystemSandboxEntry"
           },
-          "required": [
-            "entries",
-            "type"
-          ],
-          "title": "RestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
+          "type": "array"
         },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "unrestricted"
-              ],
-              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
+        "globScanMaxDepth": {
+          "format": "uint",
+          "minimum": 1.0,
+          "type": [
+            "integer",
+            "null"
+          ]
         }
-      ]
+      },
+      "required": [
+        "entries"
+      ],
+      "type": "object"
     },
     "PermissionProfileNetworkPermissions": {
       "properties": {
         "enabled": {
-          "type": "boolean"
+          "type": [
+            "boolean",
+            "null"
+          ]
         }
       },
-      "required": [
-        "enabled"
-      ],
       "type": "object"
     },
     "Personality": {
@@ -8942,6 +8543,53 @@
       "title": "RawResponseItemCompletedNotification",
       "type": "object"
     },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
     "RealtimeConversationVersion": {
       "enum": [
         "v1",
@@ -10150,6 +9798,16 @@
         },
         {
           "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
             "networkAccess": {
               "default": false,
               "type": "boolean"
@@ -10206,6 +9864,16 @@
               "default": false,
               "type": "boolean"
             },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
             "type": {
               "enum": [
                 "workspaceWrite"
@@ -10444,46 +10112,6 @@
           "title": "Thread/name/updatedNotification",
           "type": "object"
         },
-        {
-          "properties": {
-            "method": {
-              "enum": [
-                "thread/goal/updated"
-              ],
-              "title": "Thread/goal/updatedNotificationMethod",
-              "type": "string"
-            },
-            "params": {
-              "$ref": "#/definitions/ThreadGoalUpdatedNotification"
-            }
-          },
-          "required": [
-            "method",
-            "params"
-          ],
-          "title": "Thread/goal/updatedNotification",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "method": {
-              "enum": [
-                "thread/goal/cleared"
-              ],
-              "title": "Thread/goal/clearedNotificationMethod",
-              "type": "string"
-            },
-            "params": {
-              "$ref": "#/definitions/ThreadGoalClearedNotification"
-            }
-          },
-          "required": [
-            "method",
-            "params"
-          ],
-          "title": "Thread/goal/clearedNotification",
-          "type": "object"
-        },
         {
           "properties": {
             "method": {
@@ -11127,26 +10755,6 @@
           "title": "Model/reroutedNotification",
           "type": "object"
         },
-        {
-          "properties": {
-            "method": {
-              "enum": [
-                "model/verification"
-              ],
-              "title": "Model/verificationNotificationMethod",
-              "type": "string"
-            },
-            "params": {
-              "$ref": "#/definitions/ModelVerificationNotification"
-            }
-          },
-          "required": [
-            "method",
-            "params"
-          ],
-          "title": "Model/verificationNotification",
-          "type": "object"
-        },
         {
           "properties": {
             "method": {
@@ -11167,26 +10775,6 @@
           "title": "WarningNotification",
           "type": "object"
         },
-        {
-          "properties": {
-            "method": {
-              "enum": [
-                "guardianWarning"
-              ],
-              "title": "GuardianWarningNotificationMethod",
-              "type": "string"
-            },
-            "params": {
-              "$ref": "#/definitions/GuardianWarningNotification"
-            }
-          },
-          "required": [
-            "method",
-            "params"
-          ],
-          "title": "GuardianWarningNotification",
-          "type": "object"
-        },
         {
           "properties": {
             "method": {
@@ -12385,10 +11973,6 @@
         "ephemeral": {
           "type": "boolean"
         },
-        "excludeTurns": {
-          "description": "When true, return only thread metadata and live fork state without populating `thread.turns`. This is useful when the client plans to call `thread/turns/list` immediately after forking.",
-          "type": "boolean"
-        },
         "model": {
           "description": "Configuration overrides for the forked thread, if any.",
           "type": [
@@ -12402,17 +11986,6 @@
             "null"
           ]
         },
-        "permissionProfile": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PermissionProfile"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Full permissions override for the forked thread. Cannot be combined with `sandbox`."
-        },
         "sandbox": {
           "anyOf": [
             {
@@ -12491,7 +12064,7 @@
             }
           ],
           "default": null,
-          "description": "Canonical active permissions view for this thread."
+          "description": "Canonical active permissions view for this thread when representable. This is `null` for external sandbox policies because external enforcement cannot be round-tripped as a `PermissionProfile`."
         },
         "reasoningEffort": {
           "anyOf": [
@@ -12537,97 +12110,6 @@
       "title": "ThreadForkResponse",
       "type": "object"
     },
-    "ThreadGoal": {
-      "properties": {
-        "createdAt": {
-          "format": "int64",
-          "type": "integer"
-        },
-        "objective": {
-          "type": "string"
-        },
-        "status": {
-          "$ref": "#/definitions/ThreadGoalStatus"
-        },
-        "threadId": {
-          "type": "string"
-        },
-        "timeUsedSeconds": {
-          "format": "int64",
-          "type": "integer"
-        },
-        "tokenBudget": {
-          "format": "int64",
-          "type": [
-            "integer",
-            "null"
-          ]
-        },
-        "tokensUsed": {
-          "format": "int64",
-          "type": "integer"
-        },
-        "updatedAt": {
-          "format": "int64",
-          "type": "integer"
-        }
-      },
-      "required": [
-        "createdAt",
-        "objective",
-        "status",
-        "threadId",
-        "timeUsedSeconds",
-        "tokensUsed",
-        "updatedAt"
-      ],
-      "type": "object"
-    },
-    "ThreadGoalClearedNotification": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "properties": {
-        "threadId": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "threadId"
-      ],
-      "title": "ThreadGoalClearedNotification",
-      "type": "object"
-    },
-    "ThreadGoalStatus": {
-      "enum": [
-        "active",
-        "paused",
-        "budgetLimited",
-        "complete"
-      ],
-      "type": "string"
-    },
-    "ThreadGoalUpdatedNotification": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "properties": {
-        "goal": {
-          "$ref": "#/definitions/ThreadGoal"
-        },
-        "threadId": {
-          "type": "string"
-        },
-        "turnId": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "goal",
-        "threadId"
-      ],
-      "title": "ThreadGoalUpdatedNotification",
-      "type": "object"
-    },
     "ThreadId": {
       "type": "string"
     },
@@ -13909,10 +13391,6 @@
             "null"
           ]
         },
-        "excludeTurns": {
-          "description": "When true, return only thread metadata and live-resume state without populating `thread.turns`. This is useful when the client plans to call `thread/turns/list` immediately after resuming.",
-          "type": "boolean"
-        },
         "model": {
           "description": "Configuration overrides for the resumed thread, if any.",
           "type": [
@@ -13926,17 +13404,6 @@
             "null"
           ]
         },
-        "permissionProfile": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PermissionProfile"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Full permissions override for the resumed thread. Cannot be combined with `sandbox`."
-        },
         "personality": {
           "anyOf": [
             {
@@ -14025,7 +13492,7 @@
             }
           ],
           "default": null,
-          "description": "Canonical active permissions view for this thread."
+          "description": "Canonical active permissions view for this thread when representable. This is `null` for external sandbox policies because external enforcement cannot be round-tripped as a `PermissionProfile`."
         },
         "reasoningEffort": {
           "anyOf": [
@@ -14243,17 +13710,6 @@
             "null"
           ]
         },
-        "permissionProfile": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PermissionProfile"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Full permissions override for this thread. Cannot be combined with `sandbox`."
-        },
         "personality": {
           "anyOf": [
             {
@@ -14352,7 +13808,7 @@
             }
           ],
           "default": null,
-          "description": "Canonical active permissions view for this thread."
+          "description": "Canonical active permissions view for this thread when representable. This is `null` for external sandbox policies because external enforcement cannot be round-tripped as a `PermissionProfile`."
         },
         "reasoningEffort": {
           "anyOf": [
@@ -15059,17 +14515,6 @@
         "outputSchema": {
           "description": "Optional JSON Schema used to constrain the final assistant message for this turn."
         },
-        "permissionProfile": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/PermissionProfile"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Override the full permissions profile for this turn and subsequent turns. Cannot be combined with `sandboxPolicy`."
-        },
         "personality": {
           "anyOf": [
             {

codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json

@@ -1,10 +1,6 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
   "definitions": {
-    "AbsolutePathBuf": {
-      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
-      "type": "string"
-    },
     "CommandExecTerminalSize": {
       "description": "PTY size in character cells for `command/exec` PTY sessions.",
       "properties": {
@@ -26,455 +22,9 @@
         "rows"
       ],
       "type": "object"
-    },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
-    "NetworkAccess": {
-      "enum": [
-        "restricted",
-        "enabled"
-      ],
-      "type": "string"
-    },
-    "PermissionProfile": {
-      "oneOf": [
-        {
-          "description": "Codex owns sandbox construction for this profile.",
-          "properties": {
-            "fileSystem": {
-              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
-            },
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "managed"
-              ],
-              "title": "ManagedPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "fileSystem",
-            "network",
-            "type"
-          ],
-          "title": "ManagedPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Do not apply an outer sandbox.",
-          "properties": {
-            "type": {
-              "enum": [
-                "disabled"
-              ],
-              "title": "DisabledPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DisabledPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Filesystem isolation is enforced by an external caller.",
-          "properties": {
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "external"
-              ],
-              "title": "ExternalPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "network",
-            "type"
-          ],
-          "title": "ExternalPermissionProfile",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileFileSystemPermissions": {
-      "oneOf": [
-        {
-          "properties": {
-            "entries": {
-              "items": {
-                "$ref": "#/definitions/FileSystemSandboxEntry"
-              },
-              "type": "array"
-            },
-            "globScanMaxDepth": {
-              "format": "uint",
-              "minimum": 1.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "restricted"
-              ],
-              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "entries",
-            "type"
-          ],
-          "title": "RestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "unrestricted"
-              ],
-              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        }
-      },
-      "required": [
-        "enabled"
-      ],
-      "type": "object"
-    },
-    "SandboxPolicy": {
-      "oneOf": [
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "dangerFullAccess"
-              ],
-              "title": "DangerFullAccessSandboxPolicyType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DangerFullAccessSandboxPolicy",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "networkAccess": {
-              "default": false,
-              "type": "boolean"
-            },
-            "type": {
-              "enum": [
-                "readOnly"
-              ],
-              "title": "ReadOnlySandboxPolicyType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "ReadOnlySandboxPolicy",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "networkAccess": {
-              "allOf": [
-                {
-                  "$ref": "#/definitions/NetworkAccess"
-                }
-              ],
-              "default": "restricted"
-            },
-            "type": {
-              "enum": [
-                "externalSandbox"
-              ],
-              "title": "ExternalSandboxSandboxPolicyType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "ExternalSandboxSandboxPolicy",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "excludeSlashTmp": {
-              "default": false,
-              "type": "boolean"
-            },
-            "excludeTmpdirEnvVar": {
-              "default": false,
-              "type": "boolean"
-            },
-            "networkAccess": {
-              "default": false,
-              "type": "boolean"
-            },
-            "type": {
-              "enum": [
-                "workspaceWrite"
-              ],
-              "title": "WorkspaceWriteSandboxPolicyType",
-              "type": "string"
-            },
-            "writableRoots": {
-              "default": [],
-              "items": {
-                "$ref": "#/definitions/AbsolutePathBuf"
-              },
-              "type": "array"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "WorkspaceWriteSandboxPolicy",
-          "type": "object"
-        }
-      ]
     }
   },
-  "description": "Run a standalone command (argv vector) in the server sandbox without creating a thread or turn.\n\nThe final `command/exec` response is deferred until the process exits and is sent only after all `command/exec/outputDelta` notifications for that connection have been emitted.",
+  "description": "Run a standalone command (argv vector) without creating a thread or turn.\n\nThe final `command/exec` response is deferred until the process exits and is sent only after all `command/exec/outputDelta` notifications for that connection have been emitted.",
   "properties": {
     "command": {
       "description": "Command argv vector. Empty arrays are rejected.",
@@ -520,17 +70,6 @@
         "null"
       ]
     },
-    "permissionProfile": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/PermissionProfile"
-        },
-        {
-          "type": "null"
-        }
-      ],
-      "description": "Optional full permissions profile for this command.\n\nDefaults to the user's configured permissions when omitted. Cannot be combined with `sandboxPolicy`."
-    },
     "processId": {
       "description": "Optional client-supplied, connection-scoped process id.\n\nRequired for `tty`, `streamStdin`, `streamStdoutStderr`, and follow-up `command/exec/write`, `command/exec/resize`, and `command/exec/terminate` calls. When omitted, buffered execution gets an internal id that is not exposed to the client.",
       "type": [
@@ -538,17 +77,6 @@
         "null"
       ]
     },
-    "sandboxPolicy": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/SandboxPolicy"
-        },
-        {
-          "type": "null"
-        }
-      ],
-      "description": "Optional sandbox policy for this command.\n\nUses the same shape as thread/turn execution sandbox configuration and defaults to the user's configured policy when omitted. Cannot be combined with `permissionProfile`."
-    },
     "size": {
       "anyOf": [
         {

codex-rs/app-server-protocol/schema/json/v2/ConfigReadResponse.json

@@ -97,10 +97,9 @@
       "type": "object"
     },
     "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
       "enum": [
         "user",
-        "auto_review",
         "guardian_subagent"
       ],
       "type": "string"

codex-rs/app-server-protocol/schema/json/v2/ConfigRequirementsReadResponse.json

@@ -2,10 +2,9 @@
   "$schema": "http://json-schema.org/draft-07/schema#",
   "definitions": {
     "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
       "enum": [
         "user",
-        "auto_review",
         "guardian_subagent"
       ],
       "type": "string"
@@ -111,161 +110,6 @@
       },
       "type": "object"
     },
-    "ConfiguredHookHandler": {
-      "oneOf": [
-        {
-          "properties": {
-            "async": {
-              "type": "boolean"
-            },
-            "command": {
-              "type": "string"
-            },
-            "statusMessage": {
-              "type": [
-                "string",
-                "null"
-              ]
-            },
-            "timeoutSec": {
-              "format": "uint64",
-              "minimum": 0.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "command"
-              ],
-              "title": "CommandConfiguredHookHandlerType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "async",
-            "command",
-            "type"
-          ],
-          "title": "CommandConfiguredHookHandler",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "prompt"
-              ],
-              "title": "PromptConfiguredHookHandlerType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "PromptConfiguredHookHandler",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "agent"
-              ],
-              "title": "AgentConfiguredHookHandlerType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "AgentConfiguredHookHandler",
-          "type": "object"
-        }
-      ]
-    },
-    "ConfiguredHookMatcherGroup": {
-      "properties": {
-        "hooks": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookHandler"
-          },
-          "type": "array"
-        },
-        "matcher": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "hooks"
-      ],
-      "type": "object"
-    },
-    "ManagedHooksRequirements": {
-      "properties": {
-        "PermissionRequest": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "PostToolUse": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "PreToolUse": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "SessionStart": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "Stop": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "UserPromptSubmit": {
-          "items": {
-            "$ref": "#/definitions/ConfiguredHookMatcherGroup"
-          },
-          "type": "array"
-        },
-        "managedDir": {
-          "type": [
-            "string",
-            "null"
-          ]
-        },
-        "windowsManagedDir": {
-          "type": [
-            "string",
-            "null"
-          ]
-        }
-      },
-      "required": [
-        "PermissionRequest",
-        "PostToolUse",
-        "PreToolUse",
-        "SessionStart",
-        "Stop",
-        "UserPromptSubmit"
-      ],
-      "type": "object"
-    },
     "NetworkDomainPermission": {
       "enum": [
         "allow",

codex-rs/app-server-protocol/schema/json/v2/ErrorNotification.json

@@ -9,7 +9,6 @@
             "contextWindowExceeded",
             "usageLimitExceeded",
             "serverOverloaded",
-            "cyberPolicy",
             "internalServerError",
             "unauthorized",
             "badRequest",

codex-rs/app-server-protocol/schema/json/v2/GetAccountResponse.json

@@ -42,22 +42,6 @@
           ],
           "title": "ChatgptAccount",
           "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "amazonBedrock"
-              ],
-              "title": "AmazonBedrockAccountType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "AmazonBedrockAccount",
-          "type": "object"
         }
       ]
     },

codex-rs/app-server-protocol/schema/json/v2/GuardianWarningNotification.json

@@ -1,19 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "message": {
-      "description": "Concise guardian warning message for the user.",
-      "type": "string"
-    },
-    "threadId": {
-      "description": "Thread target for the guardian warning.",
-      "type": "string"
-    }
-  },
-  "required": [
-    "message",
-    "threadId"
-  ],
-  "title": "GuardianWarningNotification",
-  "type": "object"
-}

codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewCompletedNotification.json

@@ -25,7 +25,6 @@
           ]
         },
         "read": {
-          "description": "This will be removed in favor of `entries`.",
           "items": {
             "$ref": "#/definitions/AbsolutePathBuf"
           },
@@ -35,7 +34,6 @@
           ]
         },
         "write": {
-          "description": "This will be removed in favor of `entries`.",
           "items": {
             "$ref": "#/definitions/AbsolutePathBuf"
           },

codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewStartedNotification.json

@@ -25,7 +25,6 @@
           ]
         },
         "read": {
-          "description": "This will be removed in favor of `entries`.",
           "items": {
             "$ref": "#/definitions/AbsolutePathBuf"
           },
@@ -35,7 +34,6 @@
           ]
         },
         "write": {
-          "description": "This will be removed in favor of `entries`.",
           "items": {
             "$ref": "#/definitions/AbsolutePathBuf"
           },

codex-rs/app-server-protocol/schema/json/v2/MarketplaceUpgradeParams.json

@@ -1,13 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "marketplaceName": {
-      "type": [
-        "string",
-        "null"
-      ]
-    }
-  },
-  "title": "MarketplaceUpgradeParams",
-  "type": "object"
-}

codex-rs/app-server-protocol/schema/json/v2/MarketplaceUpgradeResponse.json

@@ -1,51 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "AbsolutePathBuf": {
-      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
-      "type": "string"
-    },
-    "MarketplaceUpgradeErrorInfo": {
-      "properties": {
-        "marketplaceName": {
-          "type": "string"
-        },
-        "message": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "marketplaceName",
-        "message"
-      ],
-      "type": "object"
-    }
-  },
-  "properties": {
-    "errors": {
-      "items": {
-        "$ref": "#/definitions/MarketplaceUpgradeErrorInfo"
-      },
-      "type": "array"
-    },
-    "selectedMarketplaces": {
-      "items": {
-        "type": "string"
-      },
-      "type": "array"
-    },
-    "upgradedRoots": {
-      "items": {
-        "$ref": "#/definitions/AbsolutePathBuf"
-      },
-      "type": "array"
-    }
-  },
-  "required": [
-    "errors",
-    "selectedMarketplaces",
-    "upgradedRoots"
-  ],
-  "title": "MarketplaceUpgradeResponse",
-  "type": "object"
-}

codex-rs/app-server-protocol/schema/json/v2/ModelVerificationNotification.json

@@ -1,32 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "ModelVerification": {
-      "enum": [
-        "trustedAccessForCyber"
-      ],
-      "type": "string"
-    }
-  },
-  "properties": {
-    "threadId": {
-      "type": "string"
-    },
-    "turnId": {
-      "type": "string"
-    },
-    "verifications": {
-      "items": {
-        "$ref": "#/definitions/ModelVerification"
-      },
-      "type": "array"
-    }
-  },
-  "required": [
-    "threadId",
-    "turnId",
-    "verifications"
-  ],
-  "title": "ModelVerificationNotification",
-  "type": "object"
-}

codex-rs/app-server-protocol/schema/json/v2/ReviewStartResponse.json

@@ -32,7 +32,6 @@
             "contextWindowExceeded",
             "usageLimitExceeded",
             "serverOverloaded",
-            "cyberPolicy",
             "internalServerError",
             "unauthorized",
             "badRequest",

codex-rs/app-server-protocol/schema/json/v2/ThreadForkParams.json

@@ -1,15 +1,10 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
   "definitions": {
-    "AbsolutePathBuf": {
-      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
-      "type": "string"
-    },
     "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
       "enum": [
         "user",
-        "auto_review",
         "guardian_subagent"
       ],
       "type": "string"
@@ -64,346 +59,6 @@
         }
       ]
     },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfile": {
-      "oneOf": [
-        {
-          "description": "Codex owns sandbox construction for this profile.",
-          "properties": {
-            "fileSystem": {
-              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
-            },
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "managed"
-              ],
-              "title": "ManagedPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "fileSystem",
-            "network",
-            "type"
-          ],
-          "title": "ManagedPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Do not apply an outer sandbox.",
-          "properties": {
-            "type": {
-              "enum": [
-                "disabled"
-              ],
-              "title": "DisabledPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DisabledPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Filesystem isolation is enforced by an external caller.",
-          "properties": {
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "external"
-              ],
-              "title": "ExternalPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "network",
-            "type"
-          ],
-          "title": "ExternalPermissionProfile",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileFileSystemPermissions": {
-      "oneOf": [
-        {
-          "properties": {
-            "entries": {
-              "items": {
-                "$ref": "#/definitions/FileSystemSandboxEntry"
-              },
-              "type": "array"
-            },
-            "globScanMaxDepth": {
-              "format": "uint",
-              "minimum": 1.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "restricted"
-              ],
-              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "entries",
-            "type"
-          ],
-          "title": "RestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "unrestricted"
-              ],
-              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        }
-      },
-      "required": [
-        "enabled"
-      ],
-      "type": "object"
-    },
     "SandboxMode": {
       "enum": [
         "read-only",
@@ -471,10 +126,6 @@
     "ephemeral": {
       "type": "boolean"
     },
-    "excludeTurns": {
-      "description": "When true, return only thread metadata and live fork state without populating `thread.turns`. This is useful when the client plans to call `thread/turns/list` immediately after forking.",
-      "type": "boolean"
-    },
     "model": {
       "description": "Configuration overrides for the forked thread, if any.",
       "type": [
@@ -488,17 +139,6 @@
         "null"
       ]
     },
-    "permissionProfile": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/PermissionProfile"
-        },
-        {
-          "type": "null"
-        }
-      ],
-      "description": "Full permissions override for the forked thread. Cannot be combined with `sandbox`."
-    },
     "sandbox": {
       "anyOf": [
         {

codex-rs/app-server-protocol/schema/json/v2/ThreadForkResponse.json

@@ -9,10 +9,9 @@
       "type": "string"
     },
     "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
       "enum": [
         "user",
-        "auto_review",
         "guardian_subagent"
       ],
       "type": "string"
@@ -94,7 +93,6 @@
             "contextWindowExceeded",
             "usageLimitExceeded",
             "serverOverloaded",
-            "cyberPolicy",
             "internalServerError",
             "unauthorized",
             "badRequest",
@@ -900,134 +898,110 @@
       ]
     },
     "PermissionProfile": {
-      "oneOf": [
-        {
-          "description": "Codex owns sandbox construction for this profile.",
-          "properties": {
-            "fileSystem": {
+      "properties": {
+        "fileSystem": {
+          "anyOf": [
+            {
               "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
             },
-            "network": {
+            {
+              "type": "null"
+            }
+          ]
+        },
+        "network": {
+          "anyOf": [
+            {
               "$ref": "#/definitions/PermissionProfileNetworkPermissions"
             },
-            "type": {
-              "enum": [
-                "managed"
-              ],
-              "title": "ManagedPermissionProfileType",
-              "type": "string"
+            {
+              "type": "null"
             }
-          },
-          "required": [
-            "fileSystem",
-            "network",
-            "type"
-          ],
-          "title": "ManagedPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Do not apply an outer sandbox.",
-          "properties": {
-            "type": {
-              "enum": [
-                "disabled"
-              ],
-              "title": "DisabledPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DisabledPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Filesystem isolation is enforced by an external caller.",
-          "properties": {
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "external"
-              ],
-              "title": "ExternalPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "network",
-            "type"
-          ],
-          "title": "ExternalPermissionProfile",
-          "type": "object"
+          ]
         }
-      ]
+      },
+      "type": "object"
     },
     "PermissionProfileFileSystemPermissions": {
+      "properties": {
+        "entries": {
+          "items": {
+            "$ref": "#/definitions/FileSystemSandboxEntry"
+          },
+          "type": "array"
+        },
+        "globScanMaxDepth": {
+          "format": "uint",
+          "minimum": 1.0,
+          "type": [
+            "integer",
+            "null"
+          ]
+        }
+      },
+      "required": [
+        "entries"
+      ],
+      "type": "object"
+    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": [
+            "boolean",
+            "null"
+          ]
+        }
+      },
+      "type": "object"
+    },
+    "ReadOnlyAccess": {
       "oneOf": [
         {
           "properties": {
-            "entries": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
               "items": {
-                "$ref": "#/definitions/FileSystemSandboxEntry"
+                "$ref": "#/definitions/AbsolutePathBuf"
               },
               "type": "array"
             },
-            "globScanMaxDepth": {
-              "format": "uint",
-              "minimum": 1.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
             "type": {
               "enum": [
                 "restricted"
               ],
-              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "title": "RestrictedReadOnlyAccessType",
               "type": "string"
             }
           },
           "required": [
-            "entries",
             "type"
           ],
-          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "title": "RestrictedReadOnlyAccess",
           "type": "object"
         },
         {
           "properties": {
             "type": {
               "enum": [
-                "unrestricted"
+                "fullAccess"
               ],
-              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "title": "FullAccessReadOnlyAccessType",
               "type": "string"
             }
           },
           "required": [
             "type"
           ],
-          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "title": "FullAccessReadOnlyAccess",
           "type": "object"
         }
       ]
     },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        }
-      },
-      "required": [
-        "enabled"
-      ],
-      "type": "object"
-    },
     "ReasoningEffort": {
       "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
       "enum": [
@@ -1060,6 +1034,16 @@
         },
         {
           "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
             "networkAccess": {
               "default": false,
               "type": "boolean"
@@ -1116,6 +1100,16 @@
               "default": false,
               "type": "boolean"
             },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
             "type": {
               "enum": [
                 "workspaceWrite"
@@ -2510,7 +2504,7 @@
         }
       ],
       "default": null,
-      "description": "Canonical active permissions view for this thread."
+      "description": "Canonical active permissions view for this thread when representable. This is `null` for external sandbox policies because external enforcement cannot be round-tripped as a `PermissionProfile`."
     },
     "reasoningEffort": {
       "anyOf": [

codex-rs/app-server-protocol/schema/json/v2/ThreadGoalClearedNotification.json

@@ -1,13 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "properties": {
-    "threadId": {
-      "type": "string"
-    }
-  },
-  "required": [
-    "threadId"
-  ],
-  "title": "ThreadGoalClearedNotification",
-  "type": "object"
-}

codex-rs/app-server-protocol/schema/json/v2/ThreadGoalUpdatedNotification.json

@@ -1,80 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "ThreadGoal": {
-      "properties": {
-        "createdAt": {
-          "format": "int64",
-          "type": "integer"
-        },
-        "objective": {
-          "type": "string"
-        },
-        "status": {
-          "$ref": "#/definitions/ThreadGoalStatus"
-        },
-        "threadId": {
-          "type": "string"
-        },
-        "timeUsedSeconds": {
-          "format": "int64",
-          "type": "integer"
-        },
-        "tokenBudget": {
-          "format": "int64",
-          "type": [
-            "integer",
-            "null"
-          ]
-        },
-        "tokensUsed": {
-          "format": "int64",
-          "type": "integer"
-        },
-        "updatedAt": {
-          "format": "int64",
-          "type": "integer"
-        }
-      },
-      "required": [
-        "createdAt",
-        "objective",
-        "status",
-        "threadId",
-        "timeUsedSeconds",
-        "tokensUsed",
-        "updatedAt"
-      ],
-      "type": "object"
-    },
-    "ThreadGoalStatus": {
-      "enum": [
-        "active",
-        "paused",
-        "budgetLimited",
-        "complete"
-      ],
-      "type": "string"
-    }
-  },
-  "properties": {
-    "goal": {
-      "$ref": "#/definitions/ThreadGoal"
-    },
-    "threadId": {
-      "type": "string"
-    },
-    "turnId": {
-      "type": [
-        "string",
-        "null"
-      ]
-    }
-  },
-  "required": [
-    "goal",
-    "threadId"
-  ],
-  "title": "ThreadGoalUpdatedNotification",
-  "type": "object"
-}

codex-rs/app-server-protocol/schema/json/v2/ThreadListResponse.json

@@ -35,7 +35,6 @@
             "contextWindowExceeded",
             "usageLimitExceeded",
             "serverOverloaded",
-            "cyberPolicy",
             "internalServerError",
             "unauthorized",
             "badRequest",

codex-rs/app-server-protocol/schema/json/v2/ThreadMetadataUpdateResponse.json

@@ -35,7 +35,6 @@
             "contextWindowExceeded",
             "usageLimitExceeded",
             "serverOverloaded",
-            "cyberPolicy",
             "internalServerError",
             "unauthorized",
             "badRequest",

codex-rs/app-server-protocol/schema/json/v2/ThreadReadResponse.json

@@ -35,7 +35,6 @@
             "contextWindowExceeded",
             "usageLimitExceeded",
             "serverOverloaded",
-            "cyberPolicy",
             "internalServerError",
             "unauthorized",
             "badRequest",

codex-rs/app-server-protocol/schema/json/v2/ThreadResumeParams.json

@@ -1,15 +1,10 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
   "definitions": {
-    "AbsolutePathBuf": {
-      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
-      "type": "string"
-    },
     "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
       "enum": [
         "user",
-        "auto_review",
         "guardian_subagent"
       ],
       "type": "string"
@@ -138,217 +133,6 @@
         }
       ]
     },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
     "FunctionCallOutputBody": {
       "anyOf": [
         {
@@ -541,135 +325,6 @@
         }
       ]
     },
-    "PermissionProfile": {
-      "oneOf": [
-        {
-          "description": "Codex owns sandbox construction for this profile.",
-          "properties": {
-            "fileSystem": {
-              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
-            },
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "managed"
-              ],
-              "title": "ManagedPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "fileSystem",
-            "network",
-            "type"
-          ],
-          "title": "ManagedPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Do not apply an outer sandbox.",
-          "properties": {
-            "type": {
-              "enum": [
-                "disabled"
-              ],
-              "title": "DisabledPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DisabledPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Filesystem isolation is enforced by an external caller.",
-          "properties": {
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "external"
-              ],
-              "title": "ExternalPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "network",
-            "type"
-          ],
-          "title": "ExternalPermissionProfile",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileFileSystemPermissions": {
-      "oneOf": [
-        {
-          "properties": {
-            "entries": {
-              "items": {
-                "$ref": "#/definitions/FileSystemSandboxEntry"
-              },
-              "type": "array"
-            },
-            "globScanMaxDepth": {
-              "format": "uint",
-              "minimum": 1.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "restricted"
-              ],
-              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "entries",
-            "type"
-          ],
-          "title": "RestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "unrestricted"
-              ],
-              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        }
-      },
-      "required": [
-        "enabled"
-      ],
-      "type": "object"
-    },
     "Personality": {
       "enum": [
         "none",
@@ -1384,10 +1039,6 @@
         "null"
       ]
     },
-    "excludeTurns": {
-      "description": "When true, return only thread metadata and live-resume state without populating `thread.turns`. This is useful when the client plans to call `thread/turns/list` immediately after resuming.",
-      "type": "boolean"
-    },
     "model": {
       "description": "Configuration overrides for the resumed thread, if any.",
       "type": [
@@ -1401,17 +1052,6 @@
         "null"
       ]
     },
-    "permissionProfile": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/PermissionProfile"
-        },
-        {
-          "type": "null"
-        }
-      ],
-      "description": "Full permissions override for the resumed thread. Cannot be combined with `sandbox`."
-    },
     "personality": {
       "anyOf": [
         {

codex-rs/app-server-protocol/schema/json/v2/ThreadResumeResponse.json

@@ -9,10 +9,9 @@
       "type": "string"
     },
     "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
       "enum": [
         "user",
-        "auto_review",
         "guardian_subagent"
       ],
       "type": "string"
@@ -94,7 +93,6 @@
             "contextWindowExceeded",
             "usageLimitExceeded",
             "serverOverloaded",
-            "cyberPolicy",
             "internalServerError",
             "unauthorized",
             "badRequest",
@@ -900,134 +898,110 @@
       ]
     },
     "PermissionProfile": {
-      "oneOf": [
-        {
-          "description": "Codex owns sandbox construction for this profile.",
-          "properties": {
-            "fileSystem": {
+      "properties": {
+        "fileSystem": {
+          "anyOf": [
+            {
               "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
             },
-            "network": {
+            {
+              "type": "null"
+            }
+          ]
+        },
+        "network": {
+          "anyOf": [
+            {
               "$ref": "#/definitions/PermissionProfileNetworkPermissions"
             },
-            "type": {
-              "enum": [
-                "managed"
-              ],
-              "title": "ManagedPermissionProfileType",
-              "type": "string"
+            {
+              "type": "null"
             }
-          },
-          "required": [
-            "fileSystem",
-            "network",
-            "type"
-          ],
-          "title": "ManagedPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Do not apply an outer sandbox.",
-          "properties": {
-            "type": {
-              "enum": [
-                "disabled"
-              ],
-              "title": "DisabledPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DisabledPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Filesystem isolation is enforced by an external caller.",
-          "properties": {
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "external"
-              ],
-              "title": "ExternalPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "network",
-            "type"
-          ],
-          "title": "ExternalPermissionProfile",
-          "type": "object"
+          ]
         }
-      ]
+      },
+      "type": "object"
     },
     "PermissionProfileFileSystemPermissions": {
+      "properties": {
+        "entries": {
+          "items": {
+            "$ref": "#/definitions/FileSystemSandboxEntry"
+          },
+          "type": "array"
+        },
+        "globScanMaxDepth": {
+          "format": "uint",
+          "minimum": 1.0,
+          "type": [
+            "integer",
+            "null"
+          ]
+        }
+      },
+      "required": [
+        "entries"
+      ],
+      "type": "object"
+    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": [
+            "boolean",
+            "null"
+          ]
+        }
+      },
+      "type": "object"
+    },
+    "ReadOnlyAccess": {
       "oneOf": [
         {
           "properties": {
-            "entries": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
               "items": {
-                "$ref": "#/definitions/FileSystemSandboxEntry"
+                "$ref": "#/definitions/AbsolutePathBuf"
               },
               "type": "array"
             },
-            "globScanMaxDepth": {
-              "format": "uint",
-              "minimum": 1.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
             "type": {
               "enum": [
                 "restricted"
               ],
-              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "title": "RestrictedReadOnlyAccessType",
               "type": "string"
             }
           },
           "required": [
-            "entries",
             "type"
           ],
-          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "title": "RestrictedReadOnlyAccess",
           "type": "object"
         },
         {
           "properties": {
             "type": {
               "enum": [
-                "unrestricted"
+                "fullAccess"
               ],
-              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "title": "FullAccessReadOnlyAccessType",
               "type": "string"
             }
           },
           "required": [
             "type"
           ],
-          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "title": "FullAccessReadOnlyAccess",
           "type": "object"
         }
       ]
     },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        }
-      },
-      "required": [
-        "enabled"
-      ],
-      "type": "object"
-    },
     "ReasoningEffort": {
       "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
       "enum": [
@@ -1060,6 +1034,16 @@
         },
         {
           "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
             "networkAccess": {
               "default": false,
               "type": "boolean"
@@ -1116,6 +1100,16 @@
               "default": false,
               "type": "boolean"
             },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
             "type": {
               "enum": [
                 "workspaceWrite"
@@ -2510,7 +2504,7 @@
         }
       ],
       "default": null,
-      "description": "Canonical active permissions view for this thread."
+      "description": "Canonical active permissions view for this thread when representable. This is `null` for external sandbox policies because external enforcement cannot be round-tripped as a `PermissionProfile`."
     },
     "reasoningEffort": {
       "anyOf": [

codex-rs/app-server-protocol/schema/json/v2/ThreadRollbackResponse.json

@@ -35,7 +35,6 @@
             "contextWindowExceeded",
             "usageLimitExceeded",
             "serverOverloaded",
-            "cyberPolicy",
             "internalServerError",
             "unauthorized",
             "badRequest",

codex-rs/app-server-protocol/schema/json/v2/ThreadStartParams.json

@@ -1,15 +1,10 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
   "definitions": {
-    "AbsolutePathBuf": {
-      "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
-      "type": "string"
-    },
     "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
       "enum": [
         "user",
-        "auto_review",
         "guardian_subagent"
       ],
       "type": "string"
@@ -90,346 +85,6 @@
       ],
       "type": "object"
     },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfile": {
-      "oneOf": [
-        {
-          "description": "Codex owns sandbox construction for this profile.",
-          "properties": {
-            "fileSystem": {
-              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
-            },
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "managed"
-              ],
-              "title": "ManagedPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "fileSystem",
-            "network",
-            "type"
-          ],
-          "title": "ManagedPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Do not apply an outer sandbox.",
-          "properties": {
-            "type": {
-              "enum": [
-                "disabled"
-              ],
-              "title": "DisabledPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DisabledPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Filesystem isolation is enforced by an external caller.",
-          "properties": {
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "external"
-              ],
-              "title": "ExternalPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "network",
-            "type"
-          ],
-          "title": "ExternalPermissionProfile",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileFileSystemPermissions": {
-      "oneOf": [
-        {
-          "properties": {
-            "entries": {
-              "items": {
-                "$ref": "#/definitions/FileSystemSandboxEntry"
-              },
-              "type": "array"
-            },
-            "globScanMaxDepth": {
-              "format": "uint",
-              "minimum": 1.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "restricted"
-              ],
-              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "entries",
-            "type"
-          ],
-          "title": "RestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "unrestricted"
-              ],
-              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        }
-      },
-      "required": [
-        "enabled"
-      ],
-      "type": "object"
-    },
     "Personality": {
       "enum": [
         "none",
@@ -459,21 +114,6 @@
         "clear"
       ],
       "type": "string"
-    },
-    "TurnEnvironmentParams": {
-      "properties": {
-        "cwd": {
-          "$ref": "#/definitions/AbsolutePathBuf"
-        },
-        "environmentId": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "cwd",
-        "environmentId"
-      ],
-      "type": "object"
     }
   },
   "properties": {
@@ -541,17 +181,6 @@
         "null"
       ]
     },
-    "permissionProfile": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/PermissionProfile"
-        },
-        {
-          "type": "null"
-        }
-      ],
-      "description": "Full permissions override for this thread. Cannot be combined with `sandbox`."
-    },
     "personality": {
       "anyOf": [
         {

codex-rs/app-server-protocol/schema/json/v2/ThreadStartResponse.json

@@ -9,10 +9,9 @@
       "type": "string"
     },
     "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
       "enum": [
         "user",
-        "auto_review",
         "guardian_subagent"
       ],
       "type": "string"
@@ -94,7 +93,6 @@
             "contextWindowExceeded",
             "usageLimitExceeded",
             "serverOverloaded",
-            "cyberPolicy",
             "internalServerError",
             "unauthorized",
             "badRequest",
@@ -900,134 +898,110 @@
       ]
     },
     "PermissionProfile": {
-      "oneOf": [
-        {
-          "description": "Codex owns sandbox construction for this profile.",
-          "properties": {
-            "fileSystem": {
+      "properties": {
+        "fileSystem": {
+          "anyOf": [
+            {
               "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
             },
-            "network": {
+            {
+              "type": "null"
+            }
+          ]
+        },
+        "network": {
+          "anyOf": [
+            {
               "$ref": "#/definitions/PermissionProfileNetworkPermissions"
             },
-            "type": {
-              "enum": [
-                "managed"
-              ],
-              "title": "ManagedPermissionProfileType",
-              "type": "string"
+            {
+              "type": "null"
             }
-          },
-          "required": [
-            "fileSystem",
-            "network",
-            "type"
-          ],
-          "title": "ManagedPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Do not apply an outer sandbox.",
-          "properties": {
-            "type": {
-              "enum": [
-                "disabled"
-              ],
-              "title": "DisabledPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DisabledPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Filesystem isolation is enforced by an external caller.",
-          "properties": {
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "external"
-              ],
-              "title": "ExternalPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "network",
-            "type"
-          ],
-          "title": "ExternalPermissionProfile",
-          "type": "object"
+          ]
         }
-      ]
+      },
+      "type": "object"
     },
     "PermissionProfileFileSystemPermissions": {
+      "properties": {
+        "entries": {
+          "items": {
+            "$ref": "#/definitions/FileSystemSandboxEntry"
+          },
+          "type": "array"
+        },
+        "globScanMaxDepth": {
+          "format": "uint",
+          "minimum": 1.0,
+          "type": [
+            "integer",
+            "null"
+          ]
+        }
+      },
+      "required": [
+        "entries"
+      ],
+      "type": "object"
+    },
+    "PermissionProfileNetworkPermissions": {
+      "properties": {
+        "enabled": {
+          "type": [
+            "boolean",
+            "null"
+          ]
+        }
+      },
+      "type": "object"
+    },
+    "ReadOnlyAccess": {
       "oneOf": [
         {
           "properties": {
-            "entries": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
               "items": {
-                "$ref": "#/definitions/FileSystemSandboxEntry"
+                "$ref": "#/definitions/AbsolutePathBuf"
               },
               "type": "array"
             },
-            "globScanMaxDepth": {
-              "format": "uint",
-              "minimum": 1.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
             "type": {
               "enum": [
                 "restricted"
               ],
-              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
+              "title": "RestrictedReadOnlyAccessType",
               "type": "string"
             }
           },
           "required": [
-            "entries",
             "type"
           ],
-          "title": "RestrictedPermissionProfileFileSystemPermissions",
+          "title": "RestrictedReadOnlyAccess",
           "type": "object"
         },
         {
           "properties": {
             "type": {
               "enum": [
-                "unrestricted"
+                "fullAccess"
               ],
-              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
+              "title": "FullAccessReadOnlyAccessType",
               "type": "string"
             }
           },
           "required": [
             "type"
           ],
-          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
+          "title": "FullAccessReadOnlyAccess",
           "type": "object"
         }
       ]
     },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        }
-      },
-      "required": [
-        "enabled"
-      ],
-      "type": "object"
-    },
     "ReasoningEffort": {
       "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
       "enum": [
@@ -1060,6 +1034,16 @@
         },
         {
           "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
             "networkAccess": {
               "default": false,
               "type": "boolean"
@@ -1116,6 +1100,16 @@
               "default": false,
               "type": "boolean"
             },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
             "type": {
               "enum": [
                 "workspaceWrite"
@@ -2510,7 +2504,7 @@
         }
       ],
       "default": null,
-      "description": "Canonical active permissions view for this thread."
+      "description": "Canonical active permissions view for this thread when representable. This is `null` for external sandbox policies because external enforcement cannot be round-tripped as a `PermissionProfile`."
     },
     "reasoningEffort": {
       "anyOf": [

codex-rs/app-server-protocol/schema/json/v2/ThreadStartedNotification.json

@@ -35,7 +35,6 @@
             "contextWindowExceeded",
             "usageLimitExceeded",
             "serverOverloaded",
-            "cyberPolicy",
             "internalServerError",
             "unauthorized",
             "badRequest",

codex-rs/app-server-protocol/schema/json/v2/ThreadTurnsListResponse.json

@@ -32,7 +32,6 @@
             "contextWindowExceeded",
             "usageLimitExceeded",
             "serverOverloaded",
-            "cyberPolicy",
             "internalServerError",
             "unauthorized",
             "badRequest",

codex-rs/app-server-protocol/schema/json/v2/ThreadUnarchiveResponse.json

@@ -35,7 +35,6 @@
             "contextWindowExceeded",
             "usageLimitExceeded",
             "serverOverloaded",
-            "cyberPolicy",
             "internalServerError",
             "unauthorized",
             "badRequest",

codex-rs/app-server-protocol/schema/json/v2/TurnCompletedNotification.json

@@ -32,7 +32,6 @@
             "contextWindowExceeded",
             "usageLimitExceeded",
             "serverOverloaded",
-            "cyberPolicy",
             "internalServerError",
             "unauthorized",
             "badRequest",

codex-rs/app-server-protocol/schema/json/v2/TurnStartParams.json

@@ -6,10 +6,9 @@
       "type": "string"
     },
     "ApprovalsReviewer": {
-      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `auto_review` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request. The legacy value `guardian_subagent` is accepted for compatibility.",
+      "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
       "enum": [
         "user",
-        "auto_review",
         "guardian_subagent"
       ],
       "type": "string"
@@ -99,217 +98,6 @@
       ],
       "type": "object"
     },
-    "FileSystemAccessMode": {
-      "enum": [
-        "read",
-        "write",
-        "none"
-      ],
-      "type": "string"
-    },
-    "FileSystemPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "path"
-              ],
-              "title": "PathFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "PathFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "pattern": {
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "glob_pattern"
-              ],
-              "title": "GlobPatternFileSystemPathType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "pattern",
-            "type"
-          ],
-          "title": "GlobPatternFileSystemPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "special"
-              ],
-              "title": "SpecialFileSystemPathType",
-              "type": "string"
-            },
-            "value": {
-              "$ref": "#/definitions/FileSystemSpecialPath"
-            }
-          },
-          "required": [
-            "type",
-            "value"
-          ],
-          "title": "SpecialFileSystemPath",
-          "type": "object"
-        }
-      ]
-    },
-    "FileSystemSandboxEntry": {
-      "properties": {
-        "access": {
-          "$ref": "#/definitions/FileSystemAccessMode"
-        },
-        "path": {
-          "$ref": "#/definitions/FileSystemPath"
-        }
-      },
-      "required": [
-        "access",
-        "path"
-      ],
-      "type": "object"
-    },
-    "FileSystemSpecialPath": {
-      "oneOf": [
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "root"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "RootFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "minimal"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "MinimalFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "current_working_directory"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "CurrentWorkingDirectoryFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "project_roots"
-              ],
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "KindFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "tmpdir"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "TmpdirFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "slash_tmp"
-              ],
-              "type": "string"
-            }
-          },
-          "required": [
-            "kind"
-          ],
-          "title": "SlashTmpFileSystemSpecialPath",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "kind": {
-              "enum": [
-                "unknown"
-              ],
-              "type": "string"
-            },
-            "path": {
-              "type": "string"
-            },
-            "subpath": {
-              "type": [
-                "string",
-                "null"
-              ]
-            }
-          },
-          "required": [
-            "kind",
-            "path"
-          ],
-          "type": "object"
-        }
-      ]
-    },
     "ModeKind": {
       "description": "Initial collaboration mode to use when the TUI starts.",
       "enum": [
@@ -325,135 +113,6 @@
       ],
       "type": "string"
     },
-    "PermissionProfile": {
-      "oneOf": [
-        {
-          "description": "Codex owns sandbox construction for this profile.",
-          "properties": {
-            "fileSystem": {
-              "$ref": "#/definitions/PermissionProfileFileSystemPermissions"
-            },
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "managed"
-              ],
-              "title": "ManagedPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "fileSystem",
-            "network",
-            "type"
-          ],
-          "title": "ManagedPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Do not apply an outer sandbox.",
-          "properties": {
-            "type": {
-              "enum": [
-                "disabled"
-              ],
-              "title": "DisabledPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "DisabledPermissionProfile",
-          "type": "object"
-        },
-        {
-          "description": "Filesystem isolation is enforced by an external caller.",
-          "properties": {
-            "network": {
-              "$ref": "#/definitions/PermissionProfileNetworkPermissions"
-            },
-            "type": {
-              "enum": [
-                "external"
-              ],
-              "title": "ExternalPermissionProfileType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "network",
-            "type"
-          ],
-          "title": "ExternalPermissionProfile",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileFileSystemPermissions": {
-      "oneOf": [
-        {
-          "properties": {
-            "entries": {
-              "items": {
-                "$ref": "#/definitions/FileSystemSandboxEntry"
-              },
-              "type": "array"
-            },
-            "globScanMaxDepth": {
-              "format": "uint",
-              "minimum": 1.0,
-              "type": [
-                "integer",
-                "null"
-              ]
-            },
-            "type": {
-              "enum": [
-                "restricted"
-              ],
-              "title": "RestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "entries",
-            "type"
-          ],
-          "title": "RestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "type": {
-              "enum": [
-                "unrestricted"
-              ],
-              "title": "UnrestrictedPermissionProfileFileSystemPermissionsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "type"
-          ],
-          "title": "UnrestrictedPermissionProfileFileSystemPermissions",
-          "type": "object"
-        }
-      ]
-    },
-    "PermissionProfileNetworkPermissions": {
-      "properties": {
-        "enabled": {
-          "type": "boolean"
-        }
-      },
-      "required": [
-        "enabled"
-      ],
-      "type": "object"
-    },
     "Personality": {
       "enum": [
         "none",
@@ -462,6 +121,53 @@
       ],
       "type": "string"
     },
+    "ReadOnlyAccess": {
+      "oneOf": [
+        {
+          "properties": {
+            "includePlatformDefaults": {
+              "default": true,
+              "type": "boolean"
+            },
+            "readableRoots": {
+              "default": [],
+              "items": {
+                "$ref": "#/definitions/AbsolutePathBuf"
+              },
+              "type": "array"
+            },
+            "type": {
+              "enum": [
+                "restricted"
+              ],
+              "title": "RestrictedReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "RestrictedReadOnlyAccess",
+          "type": "object"
+        },
+        {
+          "properties": {
+            "type": {
+              "enum": [
+                "fullAccess"
+              ],
+              "title": "FullAccessReadOnlyAccessType",
+              "type": "string"
+            }
+          },
+          "required": [
+            "type"
+          ],
+          "title": "FullAccessReadOnlyAccess",
+          "type": "object"
+        }
+      ]
+    },
     "ReasoningEffort": {
       "description": "See https://platform.openai.com/docs/guides/reasoning?api-mode=responses#get-started-with-reasoning",
       "enum": [
@@ -514,6 +220,16 @@
         },
         {
           "properties": {
+            "access": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
             "networkAccess": {
               "default": false,
               "type": "boolean"
@@ -570,6 +286,16 @@
               "default": false,
               "type": "boolean"
             },
+            "readOnlyAccess": {
+              "allOf": [
+                {
+                  "$ref": "#/definitions/ReadOnlyAccess"
+                }
+              ],
+              "default": {
+                "type": "fullAccess"
+              }
+            },
             "type": {
               "enum": [
                 "workspaceWrite"
@@ -844,17 +570,6 @@
     "outputSchema": {
       "description": "Optional JSON Schema used to constrain the final assistant message for this turn."
     },
-    "permissionProfile": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/PermissionProfile"
-        },
-        {
-          "type": "null"
-        }
-      ],
-      "description": "Override the full permissions profile for this turn and subsequent turns. Cannot be combined with `sandboxPolicy`."
-    },
     "personality": {
       "anyOf": [
         {

codex-rs/app-server-protocol/schema/json/v2/TurnStartResponse.json

@@ -32,7 +32,6 @@
             "contextWindowExceeded",
             "usageLimitExceeded",
             "serverOverloaded",
-            "cyberPolicy",
             "internalServerError",
             "unauthorized",
             "badRequest",

codex-rs/app-server-protocol/schema/json/v2/TurnStartedNotification.json

@@ -32,7 +32,6 @@
             "contextWindowExceeded",
             "usageLimitExceeded",
             "serverOverloaded",
-            "cyberPolicy",
             "internalServerError",
             "unauthorized",
             "badRequest",

codex-rs/app-server-protocol/schema/typescript/v2/Account.ts

@@ -3,4 +3,4 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { PlanType } from "../PlanType";
 
-export type Account = { "type": "apiKey", } | { "type": "chatgpt", email: string, planType: PlanType, } | { "type": "amazonBedrock", };
+export type Account = { "type": "apiKey", } | { "type": "chatgpt", email: string, planType: PlanType, };

codex-rs/app-server-protocol/schema/typescript/v2/AdditionalFileSystemPermissions.ts

@@ -4,12 +4,4 @@
 import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 import type { FileSystemSandboxEntry } from "./FileSystemSandboxEntry";
 
-export type AdditionalFileSystemPermissions = {
-/**
- * This will be removed in favor of `entries`.
- */
-read: Array<AbsolutePathBuf> | null,
-/**
- * This will be removed in favor of `entries`.
- */
-write: Array<AbsolutePathBuf> | null, globScanMaxDepth?: number, entries?: Array<FileSystemSandboxEntry>, };
+export type AdditionalFileSystemPermissions = { read: Array<AbsolutePathBuf> | null, write: Array<AbsolutePathBuf> | null, globScanMaxDepth?: number, entries?: Array<FileSystemSandboxEntry>, };

codex-rs/app-server-protocol/schema/typescript/v2/AdditionalPermissionProfile.ts

@@ -4,8 +4,4 @@
 import type { AdditionalFileSystemPermissions } from "./AdditionalFileSystemPermissions";
 import type { AdditionalNetworkPermissions } from "./AdditionalNetworkPermissions";
 
-export type AdditionalPermissionProfile = {
-/**
- * Partial overlay used for per-command permission requests.
- */
-network: AdditionalNetworkPermissions | null, fileSystem: AdditionalFileSystemPermissions | null, };
+export type AdditionalPermissionProfile = { network: AdditionalNetworkPermissions | null, fileSystem: AdditionalFileSystemPermissions | null, };

codex-rs/app-server-protocol/schema/typescript/v2/ApprovalsReviewer.ts

@@ -5,8 +5,8 @@
 /**
  * Configures who approval requests are routed to for review. Examples
  * include sandbox escapes, blocked network access, MCP approval prompts, and
- * ARC escalations. Defaults to `user`. `auto_review` uses a carefully
+ * ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully
  * prompted subagent to gather relevant context and apply a risk-based
  * decision framework before approving or denying the request.
  */
-export type ApprovalsReviewer = "user" | "auto_review" | "guardian_subagent";
+export type ApprovalsReviewer = "user" | "guardian_subagent";

codex-rs/app-server-protocol/schema/typescript/v2/CodexErrorInfo.ts

@@ -9,4 +9,4 @@ import type { NonSteerableTurnKind } from "./NonSteerableTurnKind";
  * When an upstream HTTP status is available (for example, from the Responses API or a provider),
  * it is forwarded in `httpStatusCode` on the relevant `codexErrorInfo` variant.
  */
-export type CodexErrorInfo = "contextWindowExceeded" | "usageLimitExceeded" | "serverOverloaded" | "cyberPolicy" | { "httpConnectionFailed": { httpStatusCode: number | null, } } | { "responseStreamConnectionFailed": { httpStatusCode: number | null, } } | "internalServerError" | "unauthorized" | "badRequest" | "threadRollbackFailed" | "sandboxError" | { "responseStreamDisconnected": { httpStatusCode: number | null, } } | { "responseTooManyFailedAttempts": { httpStatusCode: number | null, } } | { "activeTurnNotSteerable": { turnKind: NonSteerableTurnKind, } } | "other";
+export type CodexErrorInfo = "contextWindowExceeded" | "usageLimitExceeded" | "serverOverloaded" | { "httpConnectionFailed": { httpStatusCode: number | null, } } | { "responseStreamConnectionFailed": { httpStatusCode: number | null, } } | "internalServerError" | "unauthorized" | "badRequest" | "threadRollbackFailed" | "sandboxError" | { "responseStreamDisconnected": { httpStatusCode: number | null, } } | { "responseTooManyFailedAttempts": { httpStatusCode: number | null, } } | { "activeTurnNotSteerable": { turnKind: NonSteerableTurnKind, } } | "other";

codex-rs/app-server-protocol/schema/typescript/v2/CommandExecParams.ts

@@ -2,12 +2,9 @@
 
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { CommandExecTerminalSize } from "./CommandExecTerminalSize";
-import type { PermissionProfile } from "./PermissionProfile";
-import type { SandboxPolicy } from "./SandboxPolicy";
 
 /**
- * Run a standalone command (argv vector) in the server sandbox without
- * creating a thread or turn.
+ * Run a standalone command (argv vector) without creating a thread or turn.
  *
  * The final `command/exec` response is deferred until the process exits and is
  * sent only after all `command/exec/outputDelta` notifications for that
@@ -88,19 +85,4 @@ env?: { [key in string]?: string | null } | null,
  * Optional initial PTY size in character cells. Only valid when `tty` is
  * true.
  */
-size?: CommandExecTerminalSize | null,
-/**
- * Optional sandbox policy for this command.
- *
- * Uses the same shape as thread/turn execution sandbox configuration and
- * defaults to the user's configured policy when omitted. Cannot be
- * combined with `permissionProfile`.
- */
-sandboxPolicy?: SandboxPolicy | null,
-/**
- * Optional full permissions profile for this command.
- *
- * Defaults to the user's configured permissions when omitted. Cannot be
- * combined with `sandboxPolicy`.
- */
-permissionProfile?: PermissionProfile | null, };
+size?: CommandExecTerminalSize | null, };

codex-rs/app-server-protocol/schema/typescript/v2/ConfiguredHookHandler.ts

@@ -1,5 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-
-export type ConfiguredHookHandler = { "type": "command", command: string, timeoutSec: bigint | null, async: boolean, statusMessage: string | null, } | { "type": "prompt", } | { "type": "agent", };

codex-rs/app-server-protocol/schema/typescript/v2/ConfiguredHookMatcherGroup.ts

@@ -1,6 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { ConfiguredHookHandler } from "./ConfiguredHookHandler";
-
-export type ConfiguredHookMatcherGroup = { matcher: string | null, hooks: Array<ConfiguredHookHandler>, };

codex-rs/app-server-protocol/schema/typescript/v2/GuardianWarningNotification.ts

@@ -1,13 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-
-export type GuardianWarningNotification = {
-/**
- * Thread target for the guardian warning.
- */
-threadId: string,
-/**
- * Concise guardian warning message for the user.
- */
-message: string, };

codex-rs/app-server-protocol/schema/typescript/v2/ManagedHooksRequirements.ts

@@ -1,6 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { ConfiguredHookMatcherGroup } from "./ConfiguredHookMatcherGroup";
-
-export type ManagedHooksRequirements = { managedDir: string | null, windowsManagedDir: string | null, PreToolUse: Array<ConfiguredHookMatcherGroup>, PermissionRequest: Array<ConfiguredHookMatcherGroup>, PostToolUse: Array<ConfiguredHookMatcherGroup>, SessionStart: Array<ConfiguredHookMatcherGroup>, UserPromptSubmit: Array<ConfiguredHookMatcherGroup>, Stop: Array<ConfiguredHookMatcherGroup>, };

codex-rs/app-server-protocol/schema/typescript/v2/MarketplaceUpgradeErrorInfo.ts

@@ -1,5 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-
-export type MarketplaceUpgradeErrorInfo = { marketplaceName: string, message: string, };

codex-rs/app-server-protocol/schema/typescript/v2/MarketplaceUpgradeParams.ts

@@ -1,5 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-
-export type MarketplaceUpgradeParams = { marketplaceName?: string | null, };

codex-rs/app-server-protocol/schema/typescript/v2/MarketplaceUpgradeResponse.ts

@@ -1,7 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { AbsolutePathBuf } from "../AbsolutePathBuf";
-import type { MarketplaceUpgradeErrorInfo } from "./MarketplaceUpgradeErrorInfo";
-
-export type MarketplaceUpgradeResponse = { selectedMarketplaces: Array<string>, upgradedRoots: Array<AbsolutePathBuf>, errors: Array<MarketplaceUpgradeErrorInfo>, };

codex-rs/app-server-protocol/schema/typescript/v2/ModelVerification.ts

@@ -1,5 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-
-export type ModelVerification = "trustedAccessForCyber";

codex-rs/app-server-protocol/schema/typescript/v2/ModelVerificationNotification.ts

@@ -1,6 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { ModelVerification } from "./ModelVerification";
-
-export type ModelVerificationNotification = { threadId: string, turnId: string, verifications: Array<ModelVerification>, };

codex-rs/app-server-protocol/schema/typescript/v2/PermissionProfile.ts

@@ -4,4 +4,4 @@
 import type { PermissionProfileFileSystemPermissions } from "./PermissionProfileFileSystemPermissions";
 import type { PermissionProfileNetworkPermissions } from "./PermissionProfileNetworkPermissions";
 
-export type PermissionProfile = { "type": "managed", network: PermissionProfileNetworkPermissions, fileSystem: PermissionProfileFileSystemPermissions, } | { "type": "disabled" } | { "type": "external", network: PermissionProfileNetworkPermissions, };
+export type PermissionProfile = { network: PermissionProfileNetworkPermissions | null, fileSystem: PermissionProfileFileSystemPermissions | null, };

codex-rs/app-server-protocol/schema/typescript/v2/PermissionProfileFileSystemPermissions.ts

@@ -3,4 +3,4 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { FileSystemSandboxEntry } from "./FileSystemSandboxEntry";
 
-export type PermissionProfileFileSystemPermissions = { "type": "restricted", entries: Array<FileSystemSandboxEntry>, globScanMaxDepth?: number, } | { "type": "unrestricted" };
+export type PermissionProfileFileSystemPermissions = { entries: Array<FileSystemSandboxEntry>, globScanMaxDepth?: number, };

codex-rs/app-server-protocol/schema/typescript/v2/PermissionProfileNetworkPermissions.ts

@@ -2,4 +2,4 @@
 
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 
-export type PermissionProfileNetworkPermissions = { enabled: boolean, };
+export type PermissionProfileNetworkPermissions = { enabled: boolean | null, };

codex-rs/app-server-protocol/schema/typescript/v2/PermissionsRequestApprovalResponse.ts

@@ -4,8 +4,4 @@
 import type { GrantedPermissionProfile } from "./GrantedPermissionProfile";
 import type { PermissionGrantScope } from "./PermissionGrantScope";
 
-export type PermissionsRequestApprovalResponse = { permissions: GrantedPermissionProfile, scope: PermissionGrantScope,
-/**
- * Review every subsequent command in this turn before normal sandboxed execution.
- */
-strictAutoReview?: boolean, };
+export type PermissionsRequestApprovalResponse = { permissions: GrantedPermissionProfile, scope: PermissionGrantScope, };