Move workspace roots onto thread/session state and stop using active permission profile modifications as an overlay for writable roots. Existing app-server threads now preserve their persisted PermissionProfile value across resume, fork, and turn updates; permissions requests on existing threads only update the active named profile after validating it exists. Workspace roots can be updated independently, and SandboxPolicy::WorkspaceWrite no longer stores its own writable_roots.

Enable --deny-warnings for cargo shear (#21616 )
## Summary In https://github.com/openai/codex/pull/21584, we disabled doctests for crates that lack any doctests. We can enforce that property via `cargo shear --deny-warnings`: crates that lack doctests will be flagged if doctests are enabled, and crates with doctests will be flagged if doctests are disabled. A few additional notes: - By adding `--deny-warnings`, `cargo shear` also flagged a number of modules that were not reachable at all. Some of those have been removed. - This PR removes a usage of `windows_modules!` (since `cargo shear` and `rustfmt` couldn't see through it) in favor of simple `#[cfg(target_os = "windows")]` macros. As a consequence, many of these files exhibit churn in this PR, since they weren't being formatted by `rustfmt` at all on main. - Again, to make the code more analyzable, this PR also removes some usages of `#[path = "cwd_junction.rs"]` in favor of a more standard module structure. The bin sidecar structure is still retained, but, e.g., `windows-sandbox-rs/src/bin/command_runner.rs‎` was moved to `windows-sandbox-rs/src/bin/command_runner/main.rs`, and so on. --------- Co-authored-by: Codex <noreply@openai.com>
2026-05-08 21:32:33 +00:00 · 2026-05-08 14:27:42 -07:00 · 2026-05-08 20:29:00 +00:00 · 2026-05-08 13:20:05 -07:00 · 2026-05-08 13:00:57 -07:00 · 2026-05-08 22:37:10 +03:00
687 changed files with 16175 additions and 16938 deletions
--- a/.github/ISSUE_TEMPLATE/3-cli.yml
+++ b/.github/ISSUE_TEMPLATE/3-cli.yml
@@ -2,7 +2,6 @@ name: 💻 CLI Bug
 description: Report an issue in the Codex CLI
 labels:
  - bug
-  - needs triage
 body:
  - type: markdown
    attributes:
@@ -41,9 +40,9 @@ body:
    id: terminal
    attributes:
      label: What terminal emulator and version are you using (if applicable)?
-      description: Also note any multiplexer in use (screen / tmux / zellij)
      description: |
-        E.g, VSCode, Terminal.app, iTerm2, Ghostty, Windows Terminal (WSL / PowerShell)
+        Also note any multiplexer in use (screen / tmux / zellij).
+        E.g., VS Code, Terminal.app, iTerm2, Ghostty, Windows Terminal (WSL / PowerShell)
  - type: textarea
    id: actual
    attributes:
--- a/.github/ISSUE_TEMPLATE/5-feature-request.yml
+++ b/.github/ISSUE_TEMPLATE/5-feature-request.yml
@@ -10,7 +10,7 @@ body:

        Before you submit a feature:
        1. Search existing issues for similar features. If you find one, 👍 it rather than opening a new one.
-        2. The Codex team will try to balance the varying needs of the community when prioritizing or rejecting new features. Not all features will be accepted. See [Contributing](https://github.com/openai/codex#contributing) for more details.
+        2. The Codex team will try to balance the varying needs of the community when prioritizing or rejecting new features. Not all features will be accepted. See [Contributing](https://github.com/openai/codex/blob/main/docs/contributing.md) for more details.

  - type: input
    id: variant
--- a/.github/ISSUE_TEMPLATE/6-docs-issue.yml
+++ b/.github/ISSUE_TEMPLATE/6-docs-issue.yml
@@ -1,6 +1,6 @@
 name: 📗 Documentation Issue
 description: Tell us if there is missing or incorrect documentation
-labels: [docs]
+labels: [documentation]
 body:
  - type: markdown
    attributes:
@@ -24,4 +24,4 @@ body:
  - type: textarea
    attributes:
      label: Where did you find it?
-      description: If possible, please provide the URL(s) where you found this issue.
+      description: If possible, please provide the URL(s) where you found this issue.
--- a/.github/actions/prepare-bazel-ci/action.yml
+++ b/.github/actions/prepare-bazel-ci/action.yml
@@ -50,7 +50,7 @@ runs:
    - name: Restore bazel repository cache
      id: cache_bazel_repository_restore
      continue-on-error: true
-      uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+      uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
      with:
        path: ${{ steps.setup_bazel.outputs.repository-cache-path }}
        key: ${{ steps.cache_bazel_repository_key.outputs.repository-cache-key }}
--- a/.github/actions/windows-code-sign/action.yml
+++ b/.github/actions/windows-code-sign/action.yml
@@ -30,7 +30,7 @@ runs:
  using: composite
  steps:
    - name: Azure login for Trusted Signing (OIDC)
-      uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
+      uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
      with:
        client-id: ${{ inputs.client-id }}
        tenant-id: ${{ inputs.tenant-id }}
@@ -54,7 +54,7 @@ runs:
        } >> "$GITHUB_OUTPUT"

    - name: Sign Windows binaries with Azure Trusted Signing
-      uses: azure/trusted-signing-action@1d365fec12862c4aa68fcac418143d73f0cea293 # v0
+      uses: azure/trusted-signing-action@1d365fec12862c4aa68fcac418143d73f0cea293 # v0.5.11
      with:
        endpoint: ${{ inputs.endpoint }}
        trusted-signing-account-name: ${{ inputs.account-name }}
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -6,25 +6,37 @@ updates:
    directory: .github/actions/codex
    schedule:
      interval: weekly
+    cooldown:
+      default-days: 7
  - package-ecosystem: cargo
    directories:
      - codex-rs
      - codex-rs/*
    schedule:
      interval: weekly
+    cooldown:
+      default-days: 7
  - package-ecosystem: devcontainers
    directory: /
    schedule:
      interval: weekly
+    cooldown:
+      default-days: 7
  - package-ecosystem: docker
    directory: codex-cli
    schedule:
      interval: weekly
+    cooldown:
+      default-days: 7
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
+    cooldown:
+      default-days: 7
  - package-ecosystem: rust-toolchain
    directory: codex-rs
    schedule:
      interval: weekly
+    cooldown:
+      default-days: 7
--- a/.github/workflows/bazel.yml
+++ b/.github/workflows/bazel.yml
@@ -56,7 +56,9 @@ jobs:
    name: Bazel test on ${{ matrix.os }} for ${{ matrix.target }}

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Check rusty_v8 MODULE.bazel checksums
        if: matrix.os == 'ubuntu-24.04' && matrix.target == 'x86_64-unknown-linux-gnu'
@@ -122,7 +124,7 @@ jobs:
      - name: Upload Bazel execution logs
        if: always() && !cancelled()
        continue-on-error: true
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: bazel-execution-logs-test-${{ matrix.target }}
          path: ${{ runner.temp }}/bazel-execution-logs
@@ -133,7 +135,7 @@ jobs:
      - name: Save bazel repository cache
        if: always() && !cancelled() && steps.prepare_bazel.outputs.repository-cache-hit != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ${{ steps.prepare_bazel.outputs.repository-cache-path }}
          key: ${{ steps.prepare_bazel.outputs.repository-cache-key }}
@@ -148,7 +150,9 @@ jobs:
    name: Bazel test on windows-latest for x86_64-pc-windows-gnullvm (native main)

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Prepare Bazel CI
        id: prepare_bazel
@@ -195,7 +199,7 @@ jobs:
      - name: Upload Bazel execution logs
        if: always() && !cancelled()
        continue-on-error: true
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: bazel-execution-logs-test-windows-native-x86_64-pc-windows-gnullvm
          path: ${{ runner.temp }}/bazel-execution-logs
@@ -206,7 +210,7 @@ jobs:
      - name: Save bazel repository cache
        if: always() && !cancelled() && steps.prepare_bazel.outputs.repository-cache-hit != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ${{ steps.prepare_bazel.outputs.repository-cache-path }}
          key: ${{ steps.prepare_bazel.outputs.repository-cache-key }}
@@ -231,7 +235,9 @@ jobs:
    name: Bazel clippy on ${{ matrix.os }} for ${{ matrix.target }}

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Prepare Bazel CI
        id: prepare_bazel
@@ -286,7 +292,7 @@ jobs:
      - name: Upload Bazel execution logs
        if: always() && !cancelled()
        continue-on-error: true
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: bazel-execution-logs-clippy-${{ matrix.target }}
          path: ${{ runner.temp }}/bazel-execution-logs
@@ -297,7 +303,7 @@ jobs:
      - name: Save bazel repository cache
        if: always() && !cancelled() && steps.prepare_bazel.outputs.repository-cache-hit != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ${{ steps.prepare_bazel.outputs.repository-cache-path }}
          key: ${{ steps.prepare_bazel.outputs.repository-cache-key }}
@@ -318,7 +324,9 @@ jobs:
    name: Verify release build on ${{ matrix.os }} for ${{ matrix.target }}

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Prepare Bazel CI
        id: prepare_bazel
@@ -390,7 +398,7 @@ jobs:
      - name: Upload Bazel execution logs
        if: always() && !cancelled()
        continue-on-error: true
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: bazel-execution-logs-verify-release-build-${{ matrix.target }}
          path: ${{ runner.temp }}/bazel-execution-logs
@@ -401,7 +409,7 @@ jobs:
      - name: Save bazel repository cache
        if: always() && !cancelled() && steps.prepare_bazel.outputs.repository-cache-hit != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ${{ steps.prepare_bazel.outputs.repository-cache-path }}
          key: ${{ steps.prepare_bazel.outputs.repository-cache-key }}
--- a/.github/workflows/blob-size-policy.yml
+++ b/.github/workflows/blob-size-policy.yml
@@ -8,9 +8,10 @@ jobs:
    name: Blob size policy
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
+          persist-credentials: false

      - name: Determine PR comparison range
        id: range
--- a/.github/workflows/cargo-deny.yml
+++ b/.github/workflows/cargo-deny.yml
@@ -14,7 +14,9 @@ jobs:
        working-directory: ./codex-rs
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,7 +12,9 @@ jobs:
      NODE_OPTIONS: --max-old-space-size=4096
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Verify codex-rs Cargo manifests inherit workspace settings
        run: python3 .github/scripts/verify_cargo_workspace_manifests.py
@@ -29,7 +31,7 @@ jobs:
          run_install: false

      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: 22

@@ -63,7 +65,7 @@ jobs:
          echo "pack_output=$PACK_OUTPUT" >> "$GITHUB_OUTPUT"

      - name: Upload staged npm package artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: codex-npm-staging
          path: ${{ steps.stage_npm_package.outputs.pack_output }}
--- a/.github/workflows/close-stale-contributor-prs.yml
+++ b/.github/workflows/close-stale-contributor-prs.yml
@@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Close inactive PRs from contributors
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -18,9 +18,11 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Annotate locations with typos
-        uses: codespell-project/codespell-problem-matcher@b80729f885d32f78a716c2f107b4db1025001c42 # v1
+        uses: codespell-project/codespell-problem-matcher@b80729f885d32f78a716c2f107b4db1025001c42 # v1.1.0
      - name: Codespell
        uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2.2
        with:
--- a/.github/workflows/issue-deduplicator.yml
+++ b/.github/workflows/issue-deduplicator.yml
@@ -19,7 +19,9 @@ jobs:
      reason: ${{ steps.normalize-all.outputs.reason }}
      has_matches: ${{ steps.normalize-all.outputs.has_matches }}
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Prepare Codex inputs
        env:
@@ -155,7 +157,9 @@ jobs:
      reason: ${{ steps.normalize-open.outputs.reason }}
      has_matches: ${{ steps.normalize-open.outputs.has_matches }}
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Prepare Codex inputs
        env:
@@ -342,7 +346,7 @@ jobs:
      issues: write
    steps:
      - name: Comment on issue
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          CODEX_OUTPUT: ${{ needs.select-final.outputs.codex_output }}
        with:
--- a/.github/workflows/issue-labeler.yml
+++ b/.github/workflows/issue-labeler.yml
@@ -17,7 +17,9 @@ jobs:
    outputs:
      codex_output: ${{ steps.codex.outputs.final-message }}
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - id: codex
        uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02 # v1.7
--- a/.github/workflows/rust-ci-full.yml
+++ b/.github/workflows/rust-ci-full.yml
@@ -7,6 +7,11 @@ on:
  workflow_dispatch:

 # CI builds in debug (dev) for faster signal.
+env:
+  # Cargo's libgit2 transport has been flaky on macOS when fetching git
+  # dependencies with nested submodules. Use the system git CLI, which has
+  # better network/proxy behavior and matches Cargo's own suggested fallback.
+  CARGO_NET_GIT_FETCH_WITH_CLI: "true"

 jobs:
  # --- CI that doesn't need specific targets ---------------------------------
@@ -17,7 +22,9 @@ jobs:
      run:
        working-directory: codex-rs
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
        with:
          components: rustfmt
@@ -31,14 +38,15 @@ jobs:
      run:
        working-directory: codex-rs
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
-      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
-          tool: cargo-shear
-          version: 1.5.1
+          persist-credentials: false
+      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
+      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2.62.49
+        with:
+          tool: cargo-shear@1.11.2
      - name: cargo shear
-        run: cargo shear
+        run: cargo shear --deny-warnings

  argument_comment_lint_package:
    name: Argument comment lint package
@@ -47,14 +55,16 @@ jobs:
      CARGO_DYLINT_VERSION: 5.0.0
      DYLINT_LINK_VERSION: 5.0.0
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
        with:
          toolchain: nightly-2025-09-18
          components: llvm-tools-preview, rustc-dev, rust-src
      - name: Cache cargo-dylint tooling
        id: cargo_dylint_cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: |
            ~/.cargo/bin/cargo-dylint
@@ -97,7 +107,9 @@ jobs:
              group: codex-runners
              labels: codex-windows-x64
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - uses: ./.github/actions/setup-bazel-ci
        with:
          target: ${{ runner.os }}
@@ -233,7 +245,9 @@ jobs:
              labels: codex-windows-arm64

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Install Linux build dependencies
        if: ${{ runner.os == 'Linux' }}
        shell: bash
@@ -276,7 +290,7 @@ jobs:
      # avoid caching the large target dir on the gnu-dev job.
      - name: Restore cargo home cache
        id: cache_cargo_home_restore
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: |
            ~/.cargo/bin/
@@ -294,7 +308,7 @@ jobs:
      # Install and restore sccache cache
      - name: Install sccache
        if: ${{ env.USE_SCCACHE == 'true' }}
-        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
+        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2.62.49
        with:
          tool: sccache
          version: 0.7.5
@@ -321,7 +335,7 @@ jobs:
      - name: Restore sccache cache (fallback)
        if: ${{ env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true' }}
        id: cache_sccache_restore
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ${{ github.workspace }}/.sccache/
          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
@@ -348,7 +362,7 @@ jobs:
      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
        name: Restore APT cache (musl)
        id: cache_apt_restore
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: |
            /var/cache/apt
@@ -356,7 +370,7 @@ jobs:

      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
        name: Install Zig
-        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
+        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2.2.1
        with:
          version: 0.14.0

@@ -430,7 +444,7 @@ jobs:

      - name: Install cargo-chef
        if: ${{ matrix.profile == 'release' }}
-        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
+        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2.62.49
        with:
          tool: cargo-chef
          version: 0.1.71
@@ -449,7 +463,7 @@ jobs:

      - name: Upload Cargo timings (clippy)
        if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: cargo-timings-rust-ci-clippy-${{ matrix.target }}-${{ matrix.profile }}
          path: codex-rs/target/**/cargo-timings/cargo-timing.html
@@ -460,7 +474,7 @@ jobs:
      - name: Save cargo home cache
        if: always() && !cancelled() && steps.cache_cargo_home_restore.outputs.cache-hit != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: |
            ~/.cargo/bin/
@@ -476,7 +490,7 @@ jobs:
      - name: Save sccache cache (fallback)
        if: always() && !cancelled() && env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ${{ github.workspace }}/.sccache/
          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
@@ -501,7 +515,7 @@ jobs:
      - name: Save APT cache (musl)
        if: always() && !cancelled() && (matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl') && steps.cache_apt_restore.outputs.cache-hit != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: |
            /var/cache/apt
@@ -559,7 +573,9 @@ jobs:
              labels: codex-windows-arm64

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Install Linux build dependencies
        if: ${{ runner.os == 'Linux' }}
        shell: bash
@@ -567,7 +583,7 @@ jobs:
          set -euo pipefail
          if command -v apt-get >/dev/null 2>&1; then
            sudo apt-get update -y
-            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev
+            sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends pkg-config libcap-dev bubblewrap
          fi

      # Some integration tests rely on DotSlash being installed.
@@ -590,7 +606,7 @@ jobs:

      - name: Restore cargo home cache
        id: cache_cargo_home_restore
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: |
            ~/.cargo/bin/
@@ -603,7 +619,7 @@ jobs:

      - name: Install sccache
        if: ${{ env.USE_SCCACHE == 'true' }}
-        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
+        uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2.62.49
        with:
          tool: sccache
          version: 0.7.5
@@ -630,7 +646,7 @@ jobs:
      - name: Restore sccache cache (fallback)
        if: ${{ env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true' }}
        id: cache_sccache_restore
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ${{ github.workspace }}/.sccache/
          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
@@ -638,7 +654,7 @@ jobs:
            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-
            sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-

-      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
+      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2.62.49
        with:
          tool: nextest
          version: 0.9.103
@@ -674,7 +690,7 @@ jobs:

      - name: Upload Cargo timings (nextest)
        if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: cargo-timings-rust-ci-nextest-${{ matrix.target }}-${{ matrix.profile }}
          path: codex-rs/target/**/cargo-timings/cargo-timing.html
@@ -683,7 +699,7 @@ jobs:
      - name: Save cargo home cache
        if: always() && !cancelled() && steps.cache_cargo_home_restore.outputs.cache-hit != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: |
            ~/.cargo/bin/
@@ -695,7 +711,7 @@ jobs:
      - name: Save sccache cache (fallback)
        if: always() && !cancelled() && env.USE_SCCACHE == 'true' && env.SCCACHE_GHA_ENABLED != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ${{ github.workspace }}/.sccache/
          key: sccache-${{ matrix.runner }}-${{ matrix.target }}-${{ matrix.profile }}-${{ steps.lockhash.outputs.hash }}-${{ github.run_id }}
@@ -722,10 +738,12 @@ jobs:
        shell: bash
        run: |
          set +e
-          if [[ "${{ steps.test.outcome }}" != "success" ]]; then
+          if [[ "${STEPS_TEST_OUTCOME}" != "success" ]]; then
            docker logs codex-remote-test-env || true
          fi
          docker rm -f codex-remote-test-env >/dev/null 2>&1 || true
+        env:
+          STEPS_TEST_OUTCOME: ${{ steps.test.outcome }}

      - name: verify tests passed
        if: steps.test.outcome == 'failure'
--- a/.github/workflows/rust-ci.yml
+++ b/.github/workflows/rust-ci.yml
@@ -14,9 +14,10 @@ jobs:
      codex: ${{ steps.detect.outputs.codex }}
      workflows: ${{ steps.detect.outputs.workflows }}
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
+          persist-credentials: false
      - name: Detect changed paths (no external action)
        id: detect
        shell: bash
@@ -61,7 +62,9 @@ jobs:
      run:
        working-directory: codex-rs
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
        with:
          components: rustfmt
@@ -77,14 +80,15 @@ jobs:
      run:
        working-directory: codex-rs
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
-      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
-          tool: cargo-shear
-          version: 1.5.1
+          persist-credentials: false
+      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
+      - uses: taiki-e/install-action@44c6d64aa62cd779e873306675c7a58e86d6d532 # v2.62.49
+        with:
+          tool: cargo-shear@1.11.2
      - name: cargo shear
-        run: cargo shear
+        run: cargo shear --deny-warnings

  argument_comment_lint_package:
    name: Argument comment lint package
@@ -95,7 +99,9 @@ jobs:
      CARGO_DYLINT_VERSION: 5.0.0
      DYLINT_LINK_VERSION: 5.0.0
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
      - name: Install nightly argument-comment-lint toolchain
        shell: bash
@@ -109,7 +115,7 @@ jobs:
          rustup default nightly-2025-09-18
      - name: Cache cargo-dylint tooling
        id: cargo_dylint_cache
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: |
            ~/.cargo/bin/cargo-dylint
@@ -170,8 +176,10 @@ jobs:

          echo "No argument-comment-lint relevant changes."
          echo "run=false" >> "$GITHUB_OUTPUT"
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        if: ${{ steps.argument_comment_lint_gate.outputs.run == 'true' }}
+        with:
+          persist-credentials: false
      - name: Run argument comment lint on codex-rs via Bazel
        if: ${{ steps.argument_comment_lint_gate.outputs.run == 'true' }}
        uses: ./.github/actions/run-argument-comment-lint
@@ -203,20 +211,25 @@ jobs:

          # If nothing relevant changed (PR touching only root README, etc.),
          # declare success regardless of other jobs.
-          if [[ '${{ needs.changed.outputs.argument_comment_lint }}' != 'true' && '${{ needs.changed.outputs.codex }}' != 'true' && '${{ needs.changed.outputs.workflows }}' != 'true' ]]; then
+          if [[ "${NEEDS_CHANGED_OUTPUTS_ARGUMENT_COMMENT_LINT}" != 'true' && "${NEEDS_CHANGED_OUTPUTS_CODEX}" != 'true' && "${NEEDS_CHANGED_OUTPUTS_WORKFLOWS}" != 'true' ]]; then
            echo 'No relevant changes -> CI not required.'
            exit 0
          fi

-          if [[ '${{ needs.changed.outputs.argument_comment_lint_package }}' == 'true' ]]; then
+          if [[ "${NEEDS_CHANGED_OUTPUTS_ARGUMENT_COMMENT_LINT_PACKAGE}" == 'true' ]]; then
            [[ '${{ needs.argument_comment_lint_package.result }}' == 'success' ]] || { echo 'argument_comment_lint_package failed'; exit 1; }
          fi

-          if [[ '${{ needs.changed.outputs.argument_comment_lint }}' == 'true' || '${{ needs.changed.outputs.workflows }}' == 'true' ]]; then
+          if [[ "${NEEDS_CHANGED_OUTPUTS_ARGUMENT_COMMENT_LINT}" == 'true' || "${NEEDS_CHANGED_OUTPUTS_WORKFLOWS}" == 'true' ]]; then
            [[ '${{ needs.argument_comment_lint_prebuilt.result }}' == 'success' ]] || { echo 'argument_comment_lint_prebuilt failed'; exit 1; }
          fi

-          if [[ '${{ needs.changed.outputs.codex }}' == 'true' || '${{ needs.changed.outputs.workflows }}' == 'true' ]]; then
+          if [[ "${NEEDS_CHANGED_OUTPUTS_CODEX}" == 'true' || "${NEEDS_CHANGED_OUTPUTS_WORKFLOWS}" == 'true' ]]; then
            [[ '${{ needs.general.result }}' == 'success' ]] || { echo 'general failed'; exit 1; }
            [[ '${{ needs.cargo_shear.result }}' == 'success' ]] || { echo 'cargo_shear failed'; exit 1; }
          fi
+        env:
+          NEEDS_CHANGED_OUTPUTS_ARGUMENT_COMMENT_LINT: ${{ needs.changed.outputs.argument_comment_lint }}
+          NEEDS_CHANGED_OUTPUTS_CODEX: ${{ needs.changed.outputs.codex }}
+          NEEDS_CHANGED_OUTPUTS_WORKFLOWS: ${{ needs.changed.outputs.workflows }}
+          NEEDS_CHANGED_OUTPUTS_ARGUMENT_COMMENT_LINT_PACKAGE: ${{ needs.changed.outputs.argument_comment_lint_package }}
--- a/.github/workflows/rust-release-argument-comment-lint.yml
+++ b/.github/workflows/rust-release-argument-comment-lint.yml
@@ -56,7 +56,9 @@ jobs:
              labels: codex-windows-x64

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
        with:
@@ -100,7 +102,7 @@ jobs:
            (cd "${RUNNER_TEMP}" && tar -czf "$GITHUB_WORKSPACE/$archive_path" argument-comment-lint)
          fi

-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: argument-comment-lint-${{ matrix.target }}
          path: dist/argument-comment-lint/${{ matrix.target }}/*
--- a/.github/workflows/rust-release-prepare.yml
+++ b/.github/workflows/rust-release-prepare.yml
@@ -18,10 +18,11 @@ jobs:
    if: github.repository == 'openai/codex'
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: main
          fetch-depth: 0
+          persist-credentials: false

      - name: Update models.json
        env:
@@ -43,7 +44,7 @@ jobs:
          curl --http1.1 --fail --show-error --location "${headers[@]}" "${url}" | jq '.' > codex-rs/models-manager/models.json

      - name: Open pull request (if changed)
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        with:
          commit-message: "Update models.json"
          title: "Update models.json"
--- a/.github/workflows/rust-release-windows.yml
+++ b/.github/workflows/rust-release-windows.yml
@@ -83,7 +83,9 @@ jobs:
              labels: codex-windows-arm64

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Print runner specs (Windows)
        shell: powershell
        run: |
@@ -112,7 +114,7 @@ jobs:
          cargo build --target ${{ matrix.target }} --release --timings "${build_args[@]}"

      - name: Upload Cargo timings
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: cargo-timings-rust-release-windows-${{ matrix.target }}-${{ matrix.bundle }}
          path: codex-rs/target/**/cargo-timings/cargo-timing.html
@@ -128,7 +130,7 @@ jobs:
          done

      - name: Upload Windows binaries
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: windows-binaries-${{ matrix.target }}-${{ matrix.bundle }}
          path: |
@@ -165,22 +167,24 @@ jobs:
              labels: codex-windows-arm64

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Download prebuilt Windows primary binaries
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: windows-binaries-${{ matrix.target }}-primary
          path: codex-rs/target/${{ matrix.target }}/release

      - name: Download prebuilt Windows helper binaries
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: windows-binaries-${{ matrix.target }}-helpers
          path: codex-rs/target/${{ matrix.target }}/release

      - name: Download prebuilt Windows app-server binary
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: windows-binaries-${{ matrix.target }}-app-server
          path: codex-rs/target/${{ matrix.target }}/release
@@ -281,7 +285,7 @@ jobs:
            "${GITHUB_WORKSPACE}/.github/workflows/zstd" -T0 -19 "$dest/$base"
          done

-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: ${{ matrix.target }}
          path: |
--- a/.github/workflows/rust-release-zsh.yml
+++ b/.github/workflows/rust-release-zsh.yml
@@ -45,7 +45,9 @@ jobs:
            git \
            libncursesw5-dev

-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Build, smoke-test, and stage zsh artifact
        shell: bash
@@ -53,7 +55,7 @@ jobs:
          "${GITHUB_WORKSPACE}/.github/scripts/build-zsh-release-artifact.sh" \
            "dist/zsh/${{ matrix.target }}/${{ matrix.archive_name }}"

-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: codex-zsh-${{ matrix.target }}
          path: dist/zsh/${{ matrix.target }}/*
@@ -81,7 +83,9 @@ jobs:
            brew install autoconf
          fi

-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Build, smoke-test, and stage zsh artifact
        shell: bash
@@ -89,7 +93,7 @@ jobs:
          "${GITHUB_WORKSPACE}/.github/scripts/build-zsh-release-artifact.sh" \
            "dist/zsh/${{ matrix.target }}/${{ matrix.archive_name }}"

-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: codex-zsh-${{ matrix.target }}
          path: dist/zsh/${{ matrix.target }}/*
--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -19,7 +19,9 @@ jobs:
  tag-check:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - uses: dtolnay/rust-toolchain@a0b273b48ed29de4470960879e8381ff45632f26 # 1.93.0
      - name: Validate tag matches Cargo.toml version
        shell: bash
@@ -118,7 +120,9 @@ jobs:
            build_dmg: "false"

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Print runner specs (Linux)
        if: ${{ runner.os == 'Linux' }}
        shell: bash
@@ -181,9 +185,10 @@ jobs:

      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
        name: Install Zig
-        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
+        uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2.2.1
        with:
          version: 0.14.0
+          use-cache: false

      - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
        name: Install musl build tools
@@ -284,7 +289,7 @@ jobs:
          cargo build --target ${{ matrix.target }} --release --timings "${build_args[@]}"

      - name: Upload Cargo timings
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: cargo-timings-rust-release-${{ matrix.target }}-${{ matrix.bundle }}
          path: codex-rs/target/**/cargo-timings/cargo-timing.html
@@ -430,7 +435,7 @@ jobs:
            zstd -T0 -19 --rm "$dest/$base"
          done

-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: ${{ matrix.artifact_name }}
          # Upload the per-binary .zst files, .tar.gz equivalents, and any
@@ -476,7 +481,9 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Generate release notes from tag commit message
        id: release_notes
@@ -498,7 +505,7 @@ jobs:

          echo "path=${notes_path}" >> "${GITHUB_OUTPUT}"

-      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          path: dist

@@ -553,7 +560,7 @@ jobs:
          run_install: false

      - name: Setup Node.js for npm packaging
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: 22

@@ -579,7 +586,7 @@ jobs:
          cp scripts/install/install.ps1 dist/install.ps1

      - name: Create GitHub Release
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        with:
          name: ${{ steps.release_name.outputs.name }}
          tag_name: ${{ github.ref_name }}
@@ -638,7 +645,7 @@ jobs:

    steps:
      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          # Node 24 bundles npm >= 11.5.1, which trusted publishing requires.
          node-version: 24
--- a/.github/workflows/rusty-v8-release.yml
+++ b/.github/workflows/rusty-v8-release.yml
@@ -17,10 +17,12 @@ jobs:
      v8_version: ${{ steps.v8_version.outputs.version }}

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.12"

@@ -69,7 +71,9 @@ jobs:
            target: aarch64-unknown-linux-musl

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Set up Bazel
        uses: ./.github/actions/setup-bazel-ci
@@ -77,7 +81,7 @@ jobs:
          target: ${{ matrix.target }}

      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.12"

@@ -133,7 +137,7 @@ jobs:
            --output-dir "dist/${TARGET}"

      - name: Upload staged musl artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: rusty-v8-${{ needs.metadata.outputs.v8_version }}-${{ matrix.target }}
          path: dist/${{ matrix.target }}/*
@@ -161,12 +165,12 @@ jobs:
            exit 1
          fi

-      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          path: dist

      - name: Create GitHub Release
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        with:
          tag_name: ${{ needs.metadata.outputs.release_tag }}
          name: ${{ needs.metadata.outputs.release_tag }}
--- a/.github/workflows/sdk.yml
+++ b/.github/workflows/sdk.yml
@@ -13,7 +13,9 @@ jobs:
    timeout-minutes: 10
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Linux bwrap build dependencies
        shell: bash
@@ -28,7 +30,7 @@ jobs:
          run_install: false

      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: 22
          cache: pnpm
@@ -115,7 +117,7 @@ jobs:
      - name: Save bazel repository cache
        if: always() && !cancelled() && steps.setup_bazel.outputs.cache-hit != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: |
            ~/.cache/bazel-repo-cache
--- a/.github/workflows/v8-canary.yml
+++ b/.github/workflows/v8-canary.yml
@@ -40,10 +40,12 @@ jobs:
      v8_version: ${{ steps.v8_version.outputs.version }}

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.12"

@@ -74,7 +76,9 @@ jobs:
            target: aarch64-unknown-linux-musl

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Set up Bazel
        uses: ./.github/actions/setup-bazel-ci
@@ -82,7 +86,7 @@ jobs:
          target: ${{ matrix.target }}

      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.12"

@@ -132,7 +136,7 @@ jobs:
            --output-dir "dist/${TARGET}"

      - name: Upload staged musl artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: v8-canary-${{ needs.metadata.outputs.v8_version }}-${{ matrix.target }}
          path: dist/${{ matrix.target }}/*
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -26,7 +26,7 @@ In the codex-rs folder where the rust code lives:
  - Implementations may still use `async fn foo(&self, ...) -> T` when they satisfy that contract.
  - Do not use `#[allow(async_fn_in_trait)]` as a shortcut around spelling the future contract explicitly.
 - When writing tests, prefer comparing the equality of entire objects over fields one by one.
- When making a change that adds or changes an API, ensure that the documentation in the `docs/` folder is up to date if applicable.
+- Do not add general product or user-facing documentation to the `docs/` folder. The official Codex documentation lives elsewhere. The exception is app-server API documentation, which is covered by the app-server guidance below.
 - Prefer private modules and explicitly exported public crate API.
 - If you change `ConfigToml` or nested config types, run `just write-config-schema` to update `codex-rs/core/config.schema.json`.
 - When working with MCP tool calls, prefer using `codex-rs/codex-mcp/src/mcp_connection_manager.rs` to handle mutation of tools and tool calls. Aim to minimize the footprint of changes and leverage existing abstractions rather than plumbing code through multiple levels of function calls.
@@ -130,7 +130,7 @@ When UI or text output changes intentionally, update the snapshots as follows:

 If you don’t have the tool:

- `cargo install cargo-insta`
+- `cargo install --locked cargo-insta`

 ### Test assertions

@@ -210,7 +210,7 @@ These guidelines apply to app-server protocol work in `codex-rs`, especially:

 ### Development Workflow

- Update docs/examples when API behavior changes (at minimum `app-server/README.md`).
+- Update app-server docs/examples when API behavior changes (at minimum `app-server/README.md`).
 - Regenerate schema fixtures when API shapes change:
  `just write-app-server-schema`
  (and `just write-app-server-schema --experimental` when experimental API fixtures are affected).
--- a/MODULE.bazel.lock
+++ b/MODULE.bazel.lock
@@ -665,6 +665,7 @@
      "aws-lc-rs_1.16.2": "{\"dependencies\":[{\"name\":\"aws-lc-fips-sys\",\"optional\":true,\"req\":\"^0.13.1\"},{\"default_features\":false,\"name\":\"aws-lc-sys\",\"optional\":true,\"req\":\"^0.39.0\"},{\"features\":[\"derive\"],\"kind\":\"dev\",\"name\":\"clap\",\"req\":\"^4.4\"},{\"kind\":\"dev\",\"name\":\"hex\",\"req\":\"^0.4.3\"},{\"kind\":\"dev\",\"name\":\"lazy_static\",\"req\":\"^1.5.0\"},{\"kind\":\"dev\",\"name\":\"paste\",\"req\":\"^1.0.15\"},{\"kind\":\"dev\",\"name\":\"regex\",\"req\":\"^1.11.1\"},{\"name\":\"untrusted\",\"optional\":true,\"req\":\"^0.7.1\"},{\"name\":\"zeroize\",\"req\":\"^1.8.1\"}],\"features\":{\"alloc\":[],\"asan\":[\"aws-lc-sys?/asan\",\"aws-lc-fips-sys?/asan\"],\"bindgen\":[\"aws-lc-sys?/bindgen\",\"aws-lc-fips-sys?/bindgen\"],\"default\":[\"aws-lc-sys\",\"alloc\",\"ring-io\",\"ring-sig-verify\"],\"dev-tests-only\":[],\"fips\":[\"dep:aws-lc-fips-sys\"],\"non-fips\":[\"aws-lc-sys\"],\"prebuilt-nasm\":[\"aws-lc-sys?/prebuilt-nasm\"],\"ring-io\":[\"dep:untrusted\"],\"ring-sig-verify\":[\"dep:untrusted\"],\"test_logging\":[],\"unstable\":[]}}",
      "aws-lc-sys_0.39.0": "{\"dependencies\":[{\"kind\":\"build\",\"name\":\"bindgen\",\"optional\":true,\"req\":\"^0.72.0\"},{\"features\":[\"parallel\"],\"kind\":\"build\",\"name\":\"cc\",\"req\":\"^1.2.26\"},{\"kind\":\"build\",\"name\":\"cmake\",\"req\":\"^0.1.54\"},{\"kind\":\"build\",\"name\":\"dunce\",\"req\":\"^1.0.5\"},{\"kind\":\"build\",\"name\":\"fs_extra\",\"req\":\"^1.3.0\"}],\"features\":{\"all-bindings\":[],\"asan\":[],\"bindgen\":[\"dep:bindgen\"],\"default\":[\"all-bindings\"],\"disable-prebuilt-nasm\":[],\"fips\":[\"dep:bindgen\"],\"prebuilt-nasm\":[],\"ssl\":[\"bindgen\",\"all-bindings\"]}}",
      "aws-runtime_1.5.17": "{\"dependencies\":[{\"kind\":\"dev\",\"name\":\"arbitrary\",\"req\":\"^1.3\"},{\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"features\":[\"http0-compat\"],\"name\":\"aws-sigv4\",\"req\":\"^1.3.7\"},{\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"name\":\"aws-smithy-eventstream\",\"optional\":true,\"req\":\"^0.60.14\"},{\"name\":\"aws-smithy-http\",\"req\":\"^0.62.6\"},{\"kind\":\"dev\",\"name\":\"aws-smithy-protocol-test\",\"req\":\"^0.63.7\"},{\"features\":[\"client\"],\"name\":\"aws-smithy-runtime\",\"req\":\"^1.9.5\"},{\"features\":[\"client\"],\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"name\":\"aws-types\",\"req\":\"^1.3.11\"},{\"name\":\"bytes\",\"req\":\"^1.10.0\"},{\"kind\":\"dev\",\"name\":\"bytes-utils\",\"req\":\"^0.1.2\"},{\"kind\":\"dev\",\"name\":\"convert_case\",\"req\":\"^0.6.0\"},{\"name\":\"fastrand\",\"req\":\"^2.3.0\"},{\"default_features\":false,\"kind\":\"dev\",\"name\":\"futures-util\",\"req\":\"^0.3.29\"},{\"name\":\"http-02x\",\"package\":\"http\",\"req\":\"^0.2.9\"},{\"name\":\"http-1x\",\"optional\":true,\"package\":\"http\",\"req\":\"^1.1.0\"},{\"name\":\"http-body-04x\",\"package\":\"http-body\",\"req\":\"^0.4.5\"},{\"name\":\"http-body-1x\",\"optional\":true,\"package\":\"http-body\",\"req\":\"^1.0.0\"},{\"name\":\"percent-encoding\",\"req\":\"^2.3.1\"},{\"name\":\"pin-project-lite\",\"req\":\"^0.2.14\"},{\"kind\":\"dev\",\"name\":\"proptest\",\"req\":\"^1.2\"},{\"name\":\"regex-lite\",\"optional\":true,\"req\":\"^0.1.5\"},{\"features\":[\"derive\"],\"kind\":\"dev\",\"name\":\"serde\",\"req\":\"^1\"},{\"kind\":\"dev\",\"name\":\"serde_json\",\"req\":\"^1\"},{\"features\":[\"macros\",\"rt\",\"time\"],\"kind\":\"dev\",\"name\":\"tokio\",\"req\":\"^1.23.1\"},{\"name\":\"tracing\",\"req\":\"^0.1.40\"},{\"features\":[\"env-filter\"],\"kind\":\"dev\",\"name\":\"tracing-subscriber\",\"req\":\"^0.3.17\"},{\"kind\":\"dev\",\"name\":\"tracing-test\",\"req\":\"^0.2.4\"},{\"name\":\"uuid\",\"req\":\"^1\"}],\"features\":{\"event-stream\":[\"dep:aws-smithy-eventstream\",\"aws-sigv4/sign-eventstream\"],\"http-02x\":[],\"http-1x\":[\"dep:http-1x\",\"dep:http-body-1x\"],\"sigv4a\":[\"aws-sigv4/sigv4a\"],\"test-util\":[\"dep:regex-lite\"]}}",
+      "aws-sdk-signin_1.2.0": "{\"dependencies\":[{\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"name\":\"aws-runtime\",\"req\":\"^1.5.17\"},{\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"name\":\"aws-smithy-http\",\"req\":\"^0.62.6\"},{\"name\":\"aws-smithy-json\",\"req\":\"^0.61.8\"},{\"features\":[\"client\"],\"name\":\"aws-smithy-runtime\",\"req\":\"^1.9.5\"},{\"features\":[\"client\",\"http-02x\"],\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"name\":\"aws-types\",\"req\":\"^1.3.11\"},{\"name\":\"bytes\",\"req\":\"^1.4.0\"},{\"name\":\"fastrand\",\"req\":\"^2.0.0\"},{\"name\":\"http\",\"req\":\"^0.2.9\"},{\"kind\":\"dev\",\"name\":\"proptest\",\"req\":\"^1\"},{\"name\":\"regex-lite\",\"req\":\"^0.1.5\"},{\"features\":[\"macros\",\"test-util\",\"rt-multi-thread\"],\"kind\":\"dev\",\"name\":\"tokio\",\"req\":\"^1.23.1\"},{\"name\":\"tracing\",\"req\":\"^0.1\"}],\"features\":{\"behavior-version-latest\":[],\"default\":[\"rustls\",\"default-https-client\",\"rt-tokio\"],\"default-https-client\":[\"aws-smithy-runtime/default-https-client\"],\"gated-tests\":[],\"rt-tokio\":[\"aws-smithy-async/rt-tokio\",\"aws-smithy-types/rt-tokio\"],\"rustls\":[\"aws-smithy-runtime/tls-rustls\"],\"test-util\":[\"aws-credential-types/test-util\",\"aws-smithy-runtime/test-util\"]}}",
      "aws-sdk-sso_1.91.0": "{\"dependencies\":[{\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"name\":\"aws-runtime\",\"req\":\"^1.5.17\"},{\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"name\":\"aws-smithy-http\",\"req\":\"^0.62.6\"},{\"name\":\"aws-smithy-json\",\"req\":\"^0.61.8\"},{\"features\":[\"client\"],\"name\":\"aws-smithy-runtime\",\"req\":\"^1.9.5\"},{\"features\":[\"client\",\"http-02x\"],\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"name\":\"aws-types\",\"req\":\"^1.3.11\"},{\"name\":\"bytes\",\"req\":\"^1.4.0\"},{\"name\":\"fastrand\",\"req\":\"^2.0.0\"},{\"name\":\"http\",\"req\":\"^0.2.9\"},{\"kind\":\"dev\",\"name\":\"proptest\",\"req\":\"^1\"},{\"name\":\"regex-lite\",\"req\":\"^0.1.5\"},{\"features\":[\"macros\",\"test-util\",\"rt-multi-thread\"],\"kind\":\"dev\",\"name\":\"tokio\",\"req\":\"^1.23.1\"},{\"name\":\"tracing\",\"req\":\"^0.1\"}],\"features\":{\"behavior-version-latest\":[],\"default\":[\"rustls\",\"default-https-client\",\"rt-tokio\"],\"default-https-client\":[\"aws-smithy-runtime/default-https-client\"],\"gated-tests\":[],\"rt-tokio\":[\"aws-smithy-async/rt-tokio\",\"aws-smithy-types/rt-tokio\"],\"rustls\":[\"aws-smithy-runtime/tls-rustls\"],\"test-util\":[\"aws-credential-types/test-util\",\"aws-smithy-runtime/test-util\"]}}",
      "aws-sdk-ssooidc_1.93.0": "{\"dependencies\":[{\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"name\":\"aws-runtime\",\"req\":\"^1.5.17\"},{\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"name\":\"aws-smithy-http\",\"req\":\"^0.62.6\"},{\"name\":\"aws-smithy-json\",\"req\":\"^0.61.8\"},{\"features\":[\"client\"],\"name\":\"aws-smithy-runtime\",\"req\":\"^1.9.5\"},{\"features\":[\"client\",\"http-02x\"],\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"name\":\"aws-types\",\"req\":\"^1.3.11\"},{\"name\":\"bytes\",\"req\":\"^1.4.0\"},{\"name\":\"fastrand\",\"req\":\"^2.0.0\"},{\"name\":\"http\",\"req\":\"^0.2.9\"},{\"kind\":\"dev\",\"name\":\"proptest\",\"req\":\"^1\"},{\"name\":\"regex-lite\",\"req\":\"^0.1.5\"},{\"features\":[\"macros\",\"test-util\",\"rt-multi-thread\"],\"kind\":\"dev\",\"name\":\"tokio\",\"req\":\"^1.23.1\"},{\"name\":\"tracing\",\"req\":\"^0.1\"}],\"features\":{\"behavior-version-latest\":[],\"default\":[\"rustls\",\"default-https-client\",\"rt-tokio\"],\"default-https-client\":[\"aws-smithy-runtime/default-https-client\"],\"gated-tests\":[],\"rt-tokio\":[\"aws-smithy-async/rt-tokio\",\"aws-smithy-types/rt-tokio\"],\"rustls\":[\"aws-smithy-runtime/tls-rustls\"],\"test-util\":[\"aws-credential-types/test-util\",\"aws-smithy-runtime/test-util\"]}}",
      "aws-sdk-sts_1.95.0": "{\"dependencies\":[{\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-credential-types\",\"req\":\"^1.2.11\"},{\"name\":\"aws-runtime\",\"req\":\"^1.5.17\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-runtime\",\"req\":\"^1.5.17\"},{\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-async\",\"req\":\"^1.2.7\"},{\"name\":\"aws-smithy-http\",\"req\":\"^0.62.6\"},{\"features\":[\"test-util\",\"wire-mock\"],\"kind\":\"dev\",\"name\":\"aws-smithy-http-client\",\"req\":\"^1.1.5\"},{\"name\":\"aws-smithy-json\",\"req\":\"^0.61.8\"},{\"kind\":\"dev\",\"name\":\"aws-smithy-protocol-test\",\"req\":\"^0.63.7\"},{\"name\":\"aws-smithy-query\",\"req\":\"^0.60.9\"},{\"features\":[\"client\"],\"name\":\"aws-smithy-runtime\",\"req\":\"^1.9.5\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-runtime\",\"req\":\"^1.9.5\"},{\"features\":[\"client\",\"http-02x\"],\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-runtime-api\",\"req\":\"^1.9.3\"},{\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"features\":[\"test-util\"],\"kind\":\"dev\",\"name\":\"aws-smithy-types\",\"req\":\"^1.3.5\"},{\"name\":\"aws-smithy-xml\",\"req\":\"^0.60.13\"},{\"name\":\"aws-types\",\"req\":\"^1.3.11\"},{\"name\":\"fastrand\",\"req\":\"^2.0.0\"},{\"default_features\":false,\"features\":[\"alloc\"],\"kind\":\"dev\",\"name\":\"futures-util\",\"req\":\"^0.3.25\"},{\"name\":\"http\",\"req\":\"^0.2.9\"},{\"kind\":\"dev\",\"name\":\"http-1x\",\"package\":\"http\",\"req\":\"^1\"},{\"kind\":\"dev\",\"name\":\"proptest\",\"req\":\"^1\"},{\"name\":\"regex-lite\",\"req\":\"^0.1.5\"},{\"kind\":\"dev\",\"name\":\"serde_json\",\"req\":\"^1.0.0\"},{\"features\":[\"macros\",\"test-util\",\"rt-multi-thread\"],\"kind\":\"dev\",\"name\":\"tokio\",\"req\":\"^1.23.1\"},{\"name\":\"tracing\",\"req\":\"^0.1\"},{\"features\":[\"env-filter\",\"json\"],\"kind\":\"dev\",\"name\":\"tracing-subscriber\",\"req\":\"^0.3.16\"}],\"features\":{\"behavior-version-latest\":[],\"default\":[\"rustls\",\"default-https-client\",\"rt-tokio\"],\"default-https-client\":[\"aws-smithy-runtime/default-https-client\"],\"gated-tests\":[],\"rt-tokio\":[\"aws-smithy-async/rt-tokio\",\"aws-smithy-types/rt-tokio\"],\"rustls\":[\"aws-smithy-runtime/tls-rustls\"],\"test-util\":[\"aws-credential-types/test-util\",\"aws-smithy-runtime/test-util\"]}}",
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -757,6 +757,7 @@ checksum = "96571e6996817bf3d58f6b569e4b9fd2e9d2fcf9f7424eed07b2ce9bb87535e5"
 dependencies = [
 "aws-credential-types",
 "aws-runtime",
+ "aws-sdk-signin",
 "aws-sdk-sso",
 "aws-sdk-ssooidc",
 "aws-sdk-sts",
@@ -767,15 +768,20 @@ dependencies = [
 "aws-smithy-runtime-api",
 "aws-smithy-types",
 "aws-types",
+ "base64-simd",
 "bytes",
 "fastrand",
 "hex",
 "http 1.4.0",
+ "p256",
+ "rand 0.8.5",
 "ring",
+ "sha2",
 "time",
 "tokio",
 "tracing",
 "url",
+ "uuid",
 "zeroize",
 ]

@@ -838,6 +844,28 @@ dependencies = [
 "uuid",
 ]

+[[package]]
+name = "aws-sdk-signin"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c084bd63941916e1348cb8d9e05ac2e49bdd40a380e9167702683184c6c6be53"
+dependencies = [
+ "aws-credential-types",
+ "aws-runtime",
+ "aws-smithy-async",
+ "aws-smithy-http",
+ "aws-smithy-json",
+ "aws-smithy-runtime",
+ "aws-smithy-runtime-api",
+ "aws-smithy-types",
+ "aws-types",
+ "bytes",
+ "fastrand",
+ "http 0.2.12",
+ "regex-lite",
+ "tracing",
+]
+
 [[package]]
 name = "aws-sdk-sso"
 version = "1.91.0"
@@ -1866,7 +1894,6 @@ dependencies = [
 "codex-config",
 "codex-core",
 "codex-core-plugins",
- "codex-device-key",
 "codex-exec-server",
 "codex-external-agent-migration",
 "codex-external-agent-sessions",
@@ -2131,10 +2158,10 @@ name = "codex-builtin-mcps"
 version = "0.0.0"
 dependencies = [
 "anyhow",
- "codex-config",
 "codex-memories-mcp",
 "codex-utils-absolute-path",
 "pretty_assertions",
+ "tokio",
 ]

 [[package]]
@@ -2182,7 +2209,6 @@ dependencies = [
 "codex-app-server-protocol",
 "codex-app-server-test-client",
 "codex-arg0",
- "codex-builtin-mcps",
 "codex-chatgpt",
 "codex-cloud-tasks",
 "codex-config",
@@ -2433,7 +2459,6 @@ dependencies = [
 "bm25",
 "chrono",
 "clap",
- "codex-agent-graph-store",
 "codex-analytics",
 "codex-api",
 "codex-app-server-protocol",
@@ -2570,6 +2595,7 @@ dependencies = [
 "codex-core-skills",
 "codex-exec-server",
 "codex-git-utils",
+ "codex-hooks",
 "codex-login",
 "codex-model-provider",
 "codex-otel",
@@ -2638,22 +2664,6 @@ dependencies = [
 "serde_json",
 ]

-[[package]]
-name = "codex-device-key"
-version = "0.0.0"
-dependencies = [
- "async-trait",
- "base64 0.22.1",
- "p256",
- "pretty_assertions",
- "rand 0.9.3",
- "serde",
- "serde_json",
- "thiserror 2.0.18",
- "tokio",
- "url",
-]
-
 [[package]]
 name = "codex-exec"
 version = "0.0.0"
@@ -2723,6 +2733,7 @@ dependencies = [
 "serde",
 "serde_json",
 "serial_test",
+ "sha2",
 "tempfile",
 "test-case",
 "thiserror 2.0.18",
@@ -3320,7 +3331,6 @@ dependencies = [
 "codex-utils-absolute-path",
 "codex-utils-image",
 "codex-utils-string",
- "codex-utils-template",
 "encoding_rs",
 "globset",
 "http 1.4.0",
@@ -3435,6 +3445,7 @@ dependencies = [
 "codex-otel",
 "codex-protocol",
 "codex-state",
+ "codex-utils-absolute-path",
 "codex-utils-path",
 "codex-utils-string",
 "pretty_assertions",
@@ -3626,17 +3637,13 @@ dependencies = [
 "codex-protocol",
 "codex-rollout",
 "codex-state",
+ "codex-utils-absolute-path",
 "pretty_assertions",
- "prost 0.14.3",
 "serde",
 "serde_json",
 "tempfile",
 "thiserror 2.0.18",
 "tokio",
- "tokio-stream",
- "tonic",
- "tonic-prost",
- "tonic-prost-build",
 "tracing",
 "uuid",
 ]
@@ -3949,7 +3956,6 @@ dependencies = [
 "codex-core",
 "codex-model-provider-info",
 "codex-protocol",
- "codex-utils-absolute-path",
 "pretty_assertions",
 ]

@@ -4004,7 +4010,6 @@ dependencies = [
 "chrono",
 "codex-otel",
 "codex-protocol",
- "codex-utils-absolute-path",
 "codex-utils-pty",
 "codex-utils-string",
 "dirs-next",
--- a/codex-rs/Cargo.toml
+++ b/codex-rs/Cargo.toml
@@ -30,7 +30,6 @@ members = [
    "collaboration-mode-templates",
    "connectors",
    "config",
-    "device-key",
    "shell-command",
    "shell-escalation",
    "skills",
@@ -154,7 +153,6 @@ codex-core = { path = "core" }
 codex-core-api = { path = "core-api" }
 codex-core-plugins = { path = "core-plugins" }
 codex-core-skills = { path = "core-skills" }
-codex-device-key = { path = "device-key" }
 codex-exec = { path = "exec" }
 codex-file-system = { path = "file-system" }
 codex-exec-server = { path = "exec-server" }
@@ -319,7 +317,6 @@ os_info = "3.12.0"
 owo-colors = "4.3.0"
 path-absolutize = "3.1.1"
 pathdiff = "0.2"
-p256 = "0.13.2"
 portable-pty = "0.9.0"
 predicates = "3"
 pretty_assertions = "1.4.1"
@@ -467,24 +464,21 @@ unwrap_used = "deny"
 [workspace.metadata.cargo-shear]
 ignored = [
    "codex-agent-graph-store",
-    "codex-memories-mcp",
    "icu_provider",
    "openssl-sys",
-    "codex-utils-readiness",
-    "codex-utils-template",
    "codex-v8-poc",
 ]

 [profile.dev]
 # Keep line tables/backtraces while avoiding expensive full variable debug info
 # across local dev builds.
-debug = 1
+debug = "limited"

 [profile.dev-small]
 inherits = "dev"
 opt-level = 0
-debug = 0
-strip = true
+debug = "none"
+strip = "symbols"

 [profile.release]
 lto = "fat"
@@ -496,8 +490,15 @@ strip = "symbols"
 # See https://github.com/openai/codex/issues/1411 for details.
 codegen-units = 1

+[profile.profiling]
+inherits = "release"
+debug = "full"
+lto = false
+strip = false
+
 [profile.ci-test]
-debug = 1         # Reduce debug symbol size
+# Reduce binary size to reduce disk pressure.
+debug = "limited"
 inherits = "test"
 opt-level = 0

--- a/codex-rs/agent-graph-store/Cargo.toml
+++ b/codex-rs/agent-graph-store/Cargo.toml
@@ -7,6 +7,7 @@ version.workspace = true
 [lib]
 name = "codex_agent_graph_store"
 path = "src/lib.rs"
+doctest = false

 [lints]
 workspace = true
--- a/codex-rs/analytics/src/accepted_lines.rs
+++ b/codex-rs/analytics/src/accepted_lines.rs
@@ -0,0 +1,298 @@
+use crate::events::CodexAcceptedLineFingerprintsEventParams;
+use crate::events::CodexAcceptedLineFingerprintsEventRequest;
+use crate::events::TrackEventRequest;
+use crate::facts::AcceptedLineFingerprint;
+use codex_git_utils::canonicalize_git_remote_url;
+use codex_git_utils::get_git_remote_urls_assume_git_repo;
+use sha1::Digest;
+use std::path::Path;
+
+const ACCEPTED_LINE_FINGERPRINT_EVENT_TARGET_BYTES: usize = 2 * 1024 * 1024;
+const ACCEPTED_LINE_FINGERPRINT_EVENT_FIXED_BYTES: usize = 1024;
+
+#[derive(Clone, Debug, PartialEq, Eq)]
+pub struct AcceptedLineFingerprintSummary {
+    pub accepted_added_lines: u64,
+    pub accepted_deleted_lines: u64,
+    pub line_fingerprints: Vec<AcceptedLineFingerprint>,
+}
+
+pub(crate) struct AcceptedLineFingerprintEventInput {
+    pub(crate) event_type: &'static str,
+    pub(crate) turn_id: String,
+    pub(crate) thread_id: String,
+    pub(crate) product_surface: Option<String>,
+    pub(crate) model_slug: Option<String>,
+    pub(crate) completed_at: u64,
+    pub(crate) repo_hash: Option<String>,
+    pub(crate) accepted_added_lines: u64,
+    pub(crate) accepted_deleted_lines: u64,
+    pub(crate) line_fingerprints: Vec<AcceptedLineFingerprint>,
+}
+
+pub fn accepted_line_fingerprints_from_unified_diff(
+    unified_diff: &str,
+) -> AcceptedLineFingerprintSummary {
+    let mut current_path: Option<String> = None;
+    let mut in_hunk = false;
+    let mut accepted_added_lines = 0;
+    let mut accepted_deleted_lines = 0;
+    let mut line_fingerprints = Vec::new();
+
+    for line in unified_diff.lines() {
+        if line.starts_with("diff --git ") {
+            current_path = None;
+            in_hunk = false;
+            continue;
+        }
+
+        if line.starts_with("@@ ") {
+            in_hunk = true;
+            continue;
+        }
+
+        if !in_hunk && let Some(path) = line.strip_prefix("+++ ") {
+            current_path = normalize_diff_path(path);
+            continue;
+        }
+
+        if !in_hunk && line.starts_with("--- ") {
+            continue;
+        }
+
+        if let Some(added_line) = line.strip_prefix('+') {
+            accepted_added_lines += 1;
+            if let Some(path) = current_path.as_deref()
+                && let Some(normalized_line) = normalize_effective_line(added_line)
+            {
+                line_fingerprints.push(AcceptedLineFingerprint {
+                    path_hash: fingerprint_hash("path", path),
+                    line_hash: fingerprint_hash("line", &normalized_line),
+                });
+            }
+            continue;
+        }
+
+        if line.starts_with('-') {
+            accepted_deleted_lines += 1;
+        }
+    }
+
+    AcceptedLineFingerprintSummary {
+        accepted_added_lines,
+        accepted_deleted_lines,
+        line_fingerprints,
+    }
+}
+
+pub fn fingerprint_hash(domain: &str, value: &str) -> String {
+    let mut hasher = sha1::Sha1::new();
+    hasher.update(b"file-line-v1\0");
+    hasher.update(domain.as_bytes());
+    hasher.update(b"\0");
+    hasher.update(value.as_bytes());
+    format!("{:x}", hasher.finalize())
+}
+
+pub(crate) fn accepted_line_fingerprint_event_requests(
+    input: AcceptedLineFingerprintEventInput,
+) -> Vec<TrackEventRequest> {
+    let chunks = accepted_line_fingerprint_chunks(input.line_fingerprints);
+    chunks
+        .into_iter()
+        .enumerate()
+        .map(|(index, line_fingerprints)| {
+            let is_first_chunk = index == 0;
+            TrackEventRequest::AcceptedLineFingerprints(Box::new(
+                CodexAcceptedLineFingerprintsEventRequest {
+                    event_type: "codex_accepted_line_fingerprints",
+                    event_params: CodexAcceptedLineFingerprintsEventParams {
+                        event_type: input.event_type,
+                        turn_id: input.turn_id.clone(),
+                        thread_id: input.thread_id.clone(),
+                        product_surface: input.product_surface.clone(),
+                        model_slug: input.model_slug.clone(),
+                        completed_at: input.completed_at,
+                        repo_hash: input.repo_hash.clone(),
+                        accepted_added_lines: if is_first_chunk {
+                            input.accepted_added_lines
+                        } else {
+                            0
+                        },
+                        accepted_deleted_lines: if is_first_chunk {
+                            input.accepted_deleted_lines
+                        } else {
+                            0
+                        },
+                        line_fingerprints,
+                    },
+                },
+            ))
+        })
+        .collect()
+}
+
+pub async fn accepted_line_repo_hash_for_cwd(cwd: &Path) -> Option<String> {
+    let remotes = get_git_remote_urls_assume_git_repo(cwd).await?;
+    remotes
+        .get("origin")
+        .or_else(|| remotes.values().next())
+        .map(|remote_url| {
+            let canonical_remote_url =
+                canonicalize_git_remote_url(remote_url).unwrap_or_else(|| remote_url.to_string());
+            fingerprint_hash("repo", &canonical_remote_url)
+        })
+}
+
+fn normalize_diff_path(path: &str) -> Option<String> {
+    let path = path.trim();
+    if path == "/dev/null" {
+        return None;
+    }
+
+    Some(
+        path.strip_prefix("b/")
+            .or_else(|| path.strip_prefix("a/"))
+            .unwrap_or(path)
+            .to_string(),
+    )
+}
+
+fn normalize_effective_line(line: &str) -> Option<String> {
+    let normalized = line.split_whitespace().collect::<Vec<_>>().join(" ");
+    if normalized.len() <= 3 {
+        return None;
+    }
+    if !normalized
+        .chars()
+        .any(|ch| ch.is_alphanumeric() || ch == '_')
+    {
+        return None;
+    }
+    Some(normalized)
+}
+
+fn accepted_line_fingerprint_chunks(
+    line_fingerprints: Vec<AcceptedLineFingerprint>,
+) -> Vec<Vec<AcceptedLineFingerprint>> {
+    if line_fingerprints.is_empty() {
+        return vec![Vec::new()];
+    }
+
+    let mut chunks = Vec::new();
+    let mut current = Vec::new();
+    let mut current_bytes = ACCEPTED_LINE_FINGERPRINT_EVENT_FIXED_BYTES;
+
+    for fingerprint in line_fingerprints {
+        let item_bytes = accepted_line_fingerprint_json_bytes(&fingerprint);
+        let separator_bytes = usize::from(!current.is_empty());
+        if !current.is_empty()
+            && current_bytes + separator_bytes + item_bytes
+                > ACCEPTED_LINE_FINGERPRINT_EVENT_TARGET_BYTES
+        {
+            chunks.push(current);
+            current = Vec::new();
+            current_bytes = ACCEPTED_LINE_FINGERPRINT_EVENT_FIXED_BYTES;
+        }
+        current_bytes += usize::from(!current.is_empty()) + item_bytes;
+        current.push(fingerprint);
+    }
+
+    if !current.is_empty() {
+        chunks.push(current);
+    }
+    chunks
+}
+
+fn accepted_line_fingerprint_json_bytes(fingerprint: &AcceptedLineFingerprint) -> usize {
+    // {"path_hash":"...","line_hash":"..."} plus one byte of array comma
+    // accounted for by the caller when needed.
+    32 + fingerprint.path_hash.len() + fingerprint.line_hash.len()
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn parses_counts_and_effective_added_fingerprints() {
+        let diff = "\
+diff --git a/src/lib.rs b/src/lib.rs
+index 1111111..2222222
+--- a/src/lib.rs
+++ b/src/lib.rs
+@@ -1,3 +1,5 @@
+-old line
+fn useful() {
+}
+    return user.id;
+ context
+";
+
+        let summary = accepted_line_fingerprints_from_unified_diff(diff);
+
+        assert_eq!(
+            summary,
+            AcceptedLineFingerprintSummary {
+                accepted_added_lines: 3,
+                accepted_deleted_lines: 1,
+                line_fingerprints: vec![
+                    AcceptedLineFingerprint {
+                        path_hash: fingerprint_hash("path", "src/lib.rs"),
+                        line_hash: fingerprint_hash("line", "fn useful() {"),
+                    },
+                    AcceptedLineFingerprint {
+                        path_hash: fingerprint_hash("path", "src/lib.rs"),
+                        line_hash: fingerprint_hash("line", "return user.id;"),
+                    },
+                ],
+            }
+        );
+    }
+
+    #[test]
+    fn skips_added_file_metadata_headers() {
+        let diff = "\
+diff --git a/new.py b/new.py
+new file mode 100644
+index 0000000..1111111
+--- /dev/null
+++ b/new.py
+@@ -0,0 +1 @@
+print('hello')
+";
+
+        let summary = accepted_line_fingerprints_from_unified_diff(diff);
+
+        assert_eq!(summary.accepted_added_lines, 1);
+        assert_eq!(summary.accepted_deleted_lines, 0);
+        assert_eq!(summary.line_fingerprints.len(), 1);
+    }
+
+    #[test]
+    fn parses_hunk_lines_that_look_like_file_headers() {
+        let diff = "\
+diff --git a/src/lib.rs b/src/lib.rs
+index 1111111..2222222
+--- a/src/lib.rs
+++ b/src/lib.rs
+@@ -1,2 +1,2 @@
+--- old value
+++ new value
+";
+
+        let summary = accepted_line_fingerprints_from_unified_diff(diff);
+
+        assert_eq!(
+            summary,
+            AcceptedLineFingerprintSummary {
+                accepted_added_lines: 1,
+                accepted_deleted_lines: 1,
+                line_fingerprints: vec![AcceptedLineFingerprint {
+                    path_hash: fingerprint_hash("path", "src/lib.rs"),
+                    line_hash: fingerprint_hash("line", "++ new value"),
+                }],
+            }
+        );
+    }
+}
--- a/codex-rs/analytics/src/analytics_client_tests.rs
+++ b/codex-rs/analytics/src/analytics_client_tests.rs
@@ -1,5 +1,7 @@
 use crate::client::AnalyticsEventsQueue;
 use crate::events::AppServerRpcTransport;
+use crate::events::CodexAcceptedLineFingerprintsEventParams;
+use crate::events::CodexAcceptedLineFingerprintsEventRequest;
 use crate::events::CodexAppMentionedEventRequest;
 use crate::events::CodexAppServerClientMetadata;
 use crate::events::CodexAppUsedEventRequest;
@@ -28,6 +30,7 @@ use crate::events::codex_hook_run_metadata;
 use crate::events::codex_plugin_metadata;
 use crate::events::codex_plugin_used_metadata;
 use crate::events::subagent_thread_started_event_request;
+use crate::facts::AcceptedLineFingerprint;
 use crate::facts::AnalyticsFact;
 use crate::facts::AnalyticsJsonRpcError;
 use crate::facts::AppInvocation;
@@ -89,6 +92,7 @@ use codex_app_server_protocol::ThreadStartResponse;
 use codex_app_server_protocol::ThreadStatus as AppServerThreadStatus;
 use codex_app_server_protocol::Turn;
 use codex_app_server_protocol::TurnCompletedNotification;
+use codex_app_server_protocol::TurnDiffUpdatedNotification;
 use codex_app_server_protocol::TurnError as AppServerTurnError;
 use codex_app_server_protocol::TurnStartParams;
 use codex_app_server_protocol::TurnStartedNotification;
@@ -170,6 +174,7 @@ fn sample_thread_start_response(
        model_provider: "openai".to_string(),
        service_tier: None,
        cwd: test_path_buf("/tmp").abs(),
+        workspace_roots: Vec::new(),
        instruction_sources: Vec::new(),
        approval_policy: AppServerAskForApproval::OnFailure,
        approvals_reviewer: AppServerApprovalsReviewer::User,
@@ -226,6 +231,7 @@ fn sample_thread_resume_response_with_source(
        model_provider: "openai".to_string(),
        service_tier: None,
        cwd: test_path_buf("/tmp").abs(),
+        workspace_roots: Vec::new(),
        instruction_sources: Vec::new(),
        approval_policy: AppServerAskForApproval::OnFailure,
        approvals_reviewer: AppServerApprovalsReviewer::User,
@@ -636,6 +642,7 @@ fn sample_initialize_fact(connection_id: u64) -> AnalyticsFact {
            },
            capabilities: Some(InitializeCapabilities {
                experimental_api: false,
+                request_attestation: false,
                opt_out_notification_methods: None,
            }),
        },
@@ -827,6 +834,206 @@ fn app_used_event_serializes_expected_shape() {
    );
 }

+#[test]
+fn accepted_line_fingerprints_event_serializes_expected_shape() {
+    let event = TrackEventRequest::AcceptedLineFingerprints(Box::new(
+        CodexAcceptedLineFingerprintsEventRequest {
+            event_type: "codex_accepted_line_fingerprints",
+            event_params: CodexAcceptedLineFingerprintsEventParams {
+                event_type: "codex.accepted_line_fingerprints",
+                turn_id: "turn-1".to_string(),
+                thread_id: "thread-1".to_string(),
+                product_surface: Some("codex".to_string()),
+                model_slug: Some("gpt-5.1-codex".to_string()),
+                completed_at: 1710000000,
+                repo_hash: Some("repo-hash-1".to_string()),
+                accepted_added_lines: 42,
+                accepted_deleted_lines: 40,
+                line_fingerprints: vec![AcceptedLineFingerprint {
+                    path_hash: "path-hash-1".to_string(),
+                    line_hash: "line-hash-1".to_string(),
+                }],
+            },
+        },
+    ));
+
+    let payload = serde_json::to_value(&event).expect("serialize accepted line fingerprints event");
+
+    assert_eq!(
+        payload,
+        json!({
+            "event_type": "codex_accepted_line_fingerprints",
+            "event_params": {
+                "event_type": "codex.accepted_line_fingerprints",
+                "turn_id": "turn-1",
+                "thread_id": "thread-1",
+                "product_surface": "codex",
+                "model_slug": "gpt-5.1-codex",
+                "completed_at": 1710000000,
+                "repo_hash": "repo-hash-1",
+                "accepted_added_lines": 42,
+                "accepted_deleted_lines": 40,
+                "line_fingerprints": [
+                    {
+                        "path_hash": "path-hash-1",
+                        "line_hash": "line-hash-1"
+                    }
+                ]
+            }
+        })
+    );
+}
+
+#[tokio::test]
+async fn reducer_chunks_large_accepted_line_fingerprint_events_without_repeating_counts() {
+    let mut reducer = AnalyticsReducer::default();
+    let mut events = Vec::new();
+
+    ingest_turn_prerequisites(
+        &mut reducer,
+        &mut events,
+        /*include_initialize*/ true,
+        /*include_resolved_config*/ true,
+        /*include_started*/ true,
+        /*include_token_usage*/ true,
+    )
+    .await;
+    events.clear();
+
+    let mut diff = "\
+diff --git a/src/lib.rs b/src/lib.rs
+index 1111111..2222222
+--- a/src/lib.rs
+++ b/src/lib.rs
+@@ -0,0 +1,20000 @@
+"
+    .to_string();
+    for index in 0..20_000 {
+        diff.push_str(&format!("+let value_{index} = {index};\n"));
+    }
+
+    reducer
+        .ingest(
+            AnalyticsFact::Notification(Box::new(ServerNotification::TurnDiffUpdated(
+                TurnDiffUpdatedNotification {
+                    thread_id: "thread-2".to_string(),
+                    turn_id: "turn-2".to_string(),
+                    diff,
+                },
+            ))),
+            &mut events,
+        )
+        .await;
+    assert!(events.is_empty());
+
+    reducer
+        .ingest(
+            AnalyticsFact::Notification(Box::new(sample_turn_completed_notification(
+                "thread-2",
+                "turn-2",
+                AppServerTurnStatus::Completed,
+                /*codex_error_info*/ None,
+            ))),
+            &mut events,
+        )
+        .await;
+
+    let accepted_line_events = events
+        .iter()
+        .filter_map(|event| match event {
+            TrackEventRequest::AcceptedLineFingerprints(event) => Some(event),
+            _ => None,
+        })
+        .collect::<Vec<_>>();
+    assert!(accepted_line_events.len() > 1);
+    let mut total_fingerprints = 0;
+    for (index, event) in accepted_line_events.iter().enumerate() {
+        assert_eq!(event.event_params.turn_id, "turn-2");
+        assert_eq!(event.event_params.thread_id, "thread-2");
+        total_fingerprints += event.event_params.line_fingerprints.len();
+        if index == 0 {
+            assert_eq!(event.event_params.accepted_added_lines, 20_000);
+            assert_eq!(event.event_params.accepted_deleted_lines, 0);
+        } else {
+            assert_eq!(event.event_params.accepted_added_lines, 0);
+            assert_eq!(event.event_params.accepted_deleted_lines, 0);
+        }
+        assert!(serde_json::to_vec(event).expect("serialize chunk").len() < 2_100_000);
+    }
+    assert_eq!(total_fingerprints, 20_000);
+}
+
+#[tokio::test]
+async fn reducer_emits_accepted_line_fingerprints_once_from_latest_turn_diff_on_completion() {
+    let mut reducer = AnalyticsReducer::default();
+    let mut events = Vec::new();
+
+    ingest_turn_prerequisites(
+        &mut reducer,
+        &mut events,
+        /*include_initialize*/ true,
+        /*include_resolved_config*/ true,
+        /*include_started*/ true,
+        /*include_token_usage*/ true,
+    )
+    .await;
+    events.clear();
+
+    for line in ["let old_value = 1;", "let latest_value = 2;"] {
+        let diff = format!(
+            "\
+diff --git a/src/lib.rs b/src/lib.rs
+index 1111111..2222222
+--- a/src/lib.rs
+++ b/src/lib.rs
+@@ -0,0 +1 @@
+{line}
+"
+        );
+        reducer
+            .ingest(
+                AnalyticsFact::Notification(Box::new(ServerNotification::TurnDiffUpdated(
+                    TurnDiffUpdatedNotification {
+                        thread_id: "thread-2".to_string(),
+                        turn_id: "turn-2".to_string(),
+                        diff,
+                    },
+                ))),
+                &mut events,
+            )
+            .await;
+    }
+    assert!(events.is_empty());
+
+    reducer
+        .ingest(
+            AnalyticsFact::Notification(Box::new(sample_turn_completed_notification(
+                "thread-2",
+                "turn-2",
+                AppServerTurnStatus::Completed,
+                /*codex_error_info*/ None,
+            ))),
+            &mut events,
+        )
+        .await;
+
+    let accepted_line_events = events
+        .iter()
+        .filter_map(|event| match event {
+            TrackEventRequest::AcceptedLineFingerprints(event) => Some(event),
+            _ => None,
+        })
+        .collect::<Vec<_>>();
+    assert_eq!(accepted_line_events.len(), 1);
+    let event = accepted_line_events[0];
+    assert_eq!(event.event_params.accepted_added_lines, 1);
+    assert_eq!(event.event_params.line_fingerprints.len(), 1);
+    assert_eq!(
+        event.event_params.line_fingerprints[0].line_hash,
+        crate::fingerprint_hash("line", "let latest_value = 2;")
+    );
+}
+
 #[test]
 fn compaction_event_serializes_expected_shape() {
    let event = TrackEventRequest::Compaction(Box::new(CodexCompactionEventRequest {
@@ -1012,7 +1219,7 @@ fn command_execution_event_serializes_expected_shape() {
                    runtime_os_version: "15.3.1".to_string(),
                    runtime_arch: "aarch64".to_string(),
                },
-                thread_source: Some("user"),
+                thread_source: Some(ThreadSource::User),
                subagent_source: None,
                parent_thread_id: None,
                tool_name: "shell".to_string(),
@@ -1122,6 +1329,7 @@ async fn initialize_caches_client_and_thread_lifecycle_publishes_once_initialize
                    },
                    capabilities: Some(InitializeCapabilities {
                        experimental_api: false,
+                        request_attestation: false,
                        opt_out_notification_methods: None,
                    }),
                },
@@ -1269,6 +1477,7 @@ async fn compaction_event_ingests_custom_fact() {
                    },
                    capabilities: Some(InitializeCapabilities {
                        experimental_api: false,
+                        request_attestation: false,
                        opt_out_notification_methods: None,
                    }),
                },
@@ -1382,6 +1591,7 @@ async fn guardian_review_event_ingests_custom_fact_with_optional_target_item() {
                    },
                    capabilities: Some(InitializeCapabilities {
                        experimental_api: false,
+                        request_attestation: false,
                        opt_out_notification_methods: None,
                    }),
                },
--- a/codex-rs/analytics/src/client.rs
+++ b/codex-rs/analytics/src/client.rs
@@ -30,6 +30,7 @@ use codex_app_server_protocol::ServerNotification;
 use codex_app_server_protocol::ServerRequest;
 use codex_app_server_protocol::ServerResponse;
 use codex_login::AuthManager;
+use codex_login::CodexAuth;
 use codex_login::default_client::create_client;
 use codex_plugin::PluginTelemetryMetadata;
 use std::collections::HashSet;
@@ -340,8 +341,9 @@ impl AnalyticsEventsClient {
        });
    }

-    pub fn track_server_response(&self, response: ServerResponse) {
+    pub fn track_server_response(&self, completed_at_ms: u64, response: ServerResponse) {
        self.record_fact(AnalyticsFact::ServerResponse {
+            completed_at_ms,
            response: Box::new(response),
        });
    }
@@ -351,6 +353,7 @@ impl AnalyticsEventsClient {
            notification,
            ServerNotification::TurnStarted(_)
                | ServerNotification::TurnCompleted(_)
+                | ServerNotification::TurnDiffUpdated(_)
                | ServerNotification::ItemStarted(_)
                | ServerNotification::ItemCompleted(_)
                | ServerNotification::ItemGuardianApprovalReviewStarted(_)
@@ -370,6 +373,7 @@ async fn send_track_events(
    if events.is_empty() {
        return;
    }
+
    let Some(auth) = auth_manager.auth().await else {
        return;
    };
@@ -379,12 +383,45 @@ async fn send_track_events(

    let base_url = base_url.trim_end_matches('/');
    let url = format!("{base_url}/codex/analytics-events/events");
+    for events in track_event_request_batches(events) {
+        send_track_events_request(&auth, &url, events).await;
+    }
+}
+
+fn track_event_request_batches(events: Vec<TrackEventRequest>) -> Vec<Vec<TrackEventRequest>> {
+    let mut batches = Vec::new();
+    let mut current_batch = Vec::new();
+
+    for event in events {
+        if event.should_send_in_isolated_request() {
+            if !current_batch.is_empty() {
+                batches.push(current_batch);
+                current_batch = Vec::new();
+            }
+            batches.push(vec![event]);
+        } else {
+            current_batch.push(event);
+        }
+    }
+
+    if !current_batch.is_empty() {
+        batches.push(current_batch);
+    }
+
+    batches
+}
+
+async fn send_track_events_request(auth: &CodexAuth, url: &str, events: Vec<TrackEventRequest>) {
+    if events.is_empty() {
+        return;
+    }
+
    let payload = TrackEventsRequest { events };

    let response = create_client()
-        .post(&url)
+        .post(url)
        .timeout(ANALYTICS_EVENTS_TIMEOUT)
-        .headers(codex_model_provider::auth_provider_from_auth(&auth).to_auth_headers())
+        .headers(codex_model_provider::auth_provider_from_auth(auth).to_auth_headers())
        .header("Content-Type", "application/json")
        .json(&payload)
        .send()
--- a/codex-rs/analytics/src/client_tests.rs
+++ b/codex-rs/analytics/src/client_tests.rs
@@ -1,6 +1,14 @@
 use super::AnalyticsEventsClient;
 use super::AnalyticsEventsQueue;
+use super::track_event_request_batches;
+use crate::events::CodexAcceptedLineFingerprintsEventParams;
+use crate::events::CodexAcceptedLineFingerprintsEventRequest;
+use crate::events::SkillInvocationEventParams;
+use crate::events::SkillInvocationEventRequest;
+use crate::events::TrackEventRequest;
+use crate::facts::AcceptedLineFingerprint;
 use crate::facts::AnalyticsFact;
+use crate::facts::InvocationType;
 use codex_app_server_protocol::ApprovalsReviewer as AppServerApprovalsReviewer;
 use codex_app_server_protocol::AskForApproval as AppServerAskForApproval;
 use codex_app_server_protocol::ClientRequest;
@@ -31,6 +39,47 @@ use std::sync::Mutex;
 use tokio::sync::mpsc;
 use tokio::sync::mpsc::error::TryRecvError;

+fn sample_accepted_line_fingerprint_event(thread_id: &str) -> TrackEventRequest {
+    TrackEventRequest::AcceptedLineFingerprints(Box::new(
+        CodexAcceptedLineFingerprintsEventRequest {
+            event_type: "codex_accepted_line_fingerprints",
+            event_params: CodexAcceptedLineFingerprintsEventParams {
+                event_type: "codex.accepted_line_fingerprints",
+                turn_id: "turn-1".to_string(),
+                thread_id: thread_id.to_string(),
+                product_surface: Some("codex".to_string()),
+                model_slug: Some("gpt-5.1-codex".to_string()),
+                completed_at: 1,
+                repo_hash: None,
+                accepted_added_lines: 1,
+                accepted_deleted_lines: 0,
+                line_fingerprints: vec![AcceptedLineFingerprint {
+                    path_hash: "path-hash".to_string(),
+                    line_hash: "line-hash".to_string(),
+                }],
+            },
+        },
+    ))
+}
+
+fn sample_regular_track_event(thread_id: &str) -> TrackEventRequest {
+    TrackEventRequest::SkillInvocation(SkillInvocationEventRequest {
+        event_type: "skill_invocation",
+        skill_id: format!("skill-{thread_id}"),
+        skill_name: "doc".to_string(),
+        event_params: SkillInvocationEventParams {
+            product_client_id: None,
+            skill_scope: None,
+            plugin_id: None,
+            repo_url: None,
+            thread_id: Some(thread_id.to_string()),
+            turn_id: Some("turn-1".to_string()),
+            invoke_type: Some(InvocationType::Explicit),
+            model_slug: Some("gpt-5.1-codex".to_string()),
+        },
+    })
+}
+
 fn client_with_receiver() -> (AnalyticsEventsClient, mpsc::Receiver<AnalyticsFact>) {
    let (sender, receiver) = mpsc::channel(8);
    let queue = AnalyticsEventsQueue {
@@ -108,6 +157,7 @@ fn sample_thread_start_response() -> ClientResponsePayload {
        model_provider: "openai".to_string(),
        service_tier: None,
        cwd: test_path_buf("/tmp").abs(),
+        workspace_roots: Vec::new(),
        instruction_sources: Vec::new(),
        approval_policy: AppServerAskForApproval::OnFailure,
        approvals_reviewer: AppServerApprovalsReviewer::User,
@@ -125,6 +175,7 @@ fn sample_thread_resume_response() -> ClientResponsePayload {
        model_provider: "openai".to_string(),
        service_tier: None,
        cwd: test_path_buf("/tmp").abs(),
+        workspace_roots: Vec::new(),
        instruction_sources: Vec::new(),
        approval_policy: AppServerAskForApproval::OnFailure,
        approvals_reviewer: AppServerApprovalsReviewer::User,
@@ -142,6 +193,7 @@ fn sample_thread_fork_response() -> ClientResponsePayload {
        model_provider: "openai".to_string(),
        service_tier: None,
        cwd: test_path_buf("/tmp").abs(),
+        workspace_roots: Vec::new(),
        instruction_sources: Vec::new(),
        approval_policy: AppServerAskForApproval::OnFailure,
        approvals_reviewer: AppServerApprovalsReviewer::User,
@@ -222,3 +274,23 @@ fn track_response_only_enqueues_analytics_relevant_responses() {
    );
    assert!(matches!(receiver.try_recv(), Err(TryRecvError::Empty)));
 }
+
+#[test]
+fn track_event_request_batches_only_isolates_accepted_line_fingerprint_events() {
+    let batches = track_event_request_batches(vec![
+        sample_regular_track_event("thread-1"),
+        sample_regular_track_event("thread-2"),
+        sample_accepted_line_fingerprint_event("thread-3"),
+        sample_accepted_line_fingerprint_event("thread-4"),
+        sample_regular_track_event("thread-5"),
+        sample_regular_track_event("thread-6"),
+    ]);
+
+    assert_eq!(batches.len(), 4);
+    assert_eq!(batches[0].len(), 2);
+    assert_eq!(batches[1].len(), 1);
+    assert_eq!(batches[2].len(), 1);
+    assert_eq!(batches[3].len(), 2);
+    assert!(batches[1][0].should_send_in_isolated_request());
+    assert!(batches[2][0].should_send_in_isolated_request());
+}
--- a/codex-rs/analytics/src/events.rs
+++ b/codex-rs/analytics/src/events.rs
@@ -1,5 +1,6 @@
 use std::time::Instant;

+use crate::facts::AcceptedLineFingerprint;
 use crate::facts::AppInvocation;
 use crate::facts::CodexCompactionEvent;
 use crate::facts::CompactionImplementation;
@@ -18,6 +19,7 @@ use crate::facts::TurnStatus;
 use crate::facts::TurnSteerRejectionReason;
 use crate::facts::TurnSteerResult;
 use crate::facts::TurnSubmissionType;
+use crate::now_unix_millis;
 use crate::now_unix_seconds;
 use codex_app_server_protocol::CodexErrorInfo;
 use codex_app_server_protocol::CommandExecutionSource;
@@ -70,6 +72,9 @@ pub(crate) enum TrackEventRequest {
    CollabAgentToolCall(CodexCollabAgentToolCallEventRequest),
    WebSearch(CodexWebSearchEventRequest),
    ImageGeneration(CodexImageGenerationEventRequest),
+    AcceptedLineFingerprints(Box<CodexAcceptedLineFingerprintsEventRequest>),
+    #[allow(dead_code)]
+    ReviewEvent(CodexReviewEventRequest),
    PluginUsed(CodexPluginUsedEventRequest),
    PluginInstalled(CodexPluginEventRequest),
    PluginUninstalled(CodexPluginEventRequest),
@@ -77,6 +82,32 @@ pub(crate) enum TrackEventRequest {
    PluginDisabled(CodexPluginEventRequest),
 }

+impl TrackEventRequest {
+    pub(crate) fn should_send_in_isolated_request(&self) -> bool {
+        matches!(self, Self::AcceptedLineFingerprints(_))
+    }
+}
+
+#[derive(Serialize)]
+pub(crate) struct CodexAcceptedLineFingerprintsEventParams {
+    pub(crate) event_type: &'static str,
+    pub(crate) turn_id: String,
+    pub(crate) thread_id: String,
+    pub(crate) product_surface: Option<String>,
+    pub(crate) model_slug: Option<String>,
+    pub(crate) completed_at: u64,
+    pub(crate) repo_hash: Option<String>,
+    pub(crate) accepted_added_lines: u64,
+    pub(crate) accepted_deleted_lines: u64,
+    pub(crate) line_fingerprints: Vec<AcceptedLineFingerprint>,
+}
+
+#[derive(Serialize)]
+pub(crate) struct CodexAcceptedLineFingerprintsEventRequest {
+    pub(crate) event_type: &'static str,
+    pub(crate) event_params: CodexAcceptedLineFingerprintsEventParams,
+}
+
 #[derive(Serialize)]
 pub(crate) struct SkillInvocationEventRequest {
    pub(crate) event_type: &'static str,
@@ -259,7 +290,7 @@ pub struct GuardianReviewTrackContext {
    approval_request_source: GuardianApprovalRequestSource,
    reviewed_action: GuardianReviewedAction,
    review_timeout_ms: u64,
-    started_at: u64,
+    pub started_at_ms: u64,
    started_instant: Instant,
 }

@@ -281,7 +312,7 @@ impl GuardianReviewTrackContext {
            approval_request_source,
            reviewed_action,
            review_timeout_ms,
-            started_at: now_unix_seconds(),
+            started_at_ms: now_unix_millis(),
            started_instant: Instant::now(),
        }
    }
@@ -314,7 +345,7 @@ impl GuardianReviewTrackContext {
            tool_call_count: None,
            time_to_first_token_ms: result.time_to_first_token_ms,
            completion_latency_ms: Some(self.started_instant.elapsed().as_millis() as u64),
-            started_at: self.started_at,
+            started_at: self.started_at_ms / 1_000,
            completed_at: Some(now_unix_seconds()),
            input_tokens: result.token_usage.as_ref().map(|usage| usage.input_tokens),
            cached_input_tokens: result
@@ -442,7 +473,7 @@ pub(crate) struct CodexToolItemEventBase {
    pub(crate) item_id: String,
    pub(crate) app_server_client: CodexAppServerClientMetadata,
    pub(crate) runtime: CodexRuntimeMetadata,
-    pub(crate) thread_source: Option<&'static str>,
+    pub(crate) thread_source: Option<ThreadSource>,
    pub(crate) subagent_source: Option<String>,
    pub(crate) parent_thread_id: Option<String>,
    pub(crate) tool_name: String,
@@ -462,6 +493,83 @@ pub(crate) struct CodexToolItemEventBase {
    pub(crate) requested_network_access: bool,
 }

+#[allow(dead_code)]
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "snake_case")]
+pub(crate) enum ReviewSubjectKind {
+    CommandExecution,
+    FileChange,
+    McpToolCall,
+    Permissions,
+    NetworkAccess,
+}
+
+#[allow(dead_code)]
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "snake_case")]
+pub(crate) enum Reviewer {
+    Guardian,
+    User,
+}
+
+#[allow(dead_code)]
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "snake_case")]
+pub(crate) enum ReviewTrigger {
+    Initial,
+    SandboxDenial,
+    NetworkPolicyDenial,
+    ExecveIntercept,
+}
+
+#[allow(dead_code)]
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "snake_case")]
+pub(crate) enum ReviewStatus {
+    Approved,
+    Denied,
+    Aborted,
+    TimedOut,
+}
+
+#[allow(dead_code)]
+#[derive(Clone, Copy, Debug, Serialize)]
+#[serde(rename_all = "snake_case")]
+pub(crate) enum ReviewResolution {
+    None,
+    SessionApproval,
+    ExecPolicyAmendment,
+    NetworkPolicyAmendment,
+}
+
+#[derive(Serialize)]
+pub(crate) struct CodexReviewEventParams {
+    pub(crate) thread_id: String,
+    pub(crate) turn_id: String,
+    pub(crate) item_id: Option<String>,
+    pub(crate) review_id: String,
+    pub(crate) app_server_client: CodexAppServerClientMetadata,
+    pub(crate) runtime: CodexRuntimeMetadata,
+    pub(crate) thread_source: Option<ThreadSource>,
+    pub(crate) subagent_source: Option<String>,
+    pub(crate) parent_thread_id: Option<String>,
+    pub(crate) tool_kind: ReviewSubjectKind,
+    pub(crate) tool_name: String,
+    pub(crate) reviewer: Reviewer,
+    pub(crate) trigger: ReviewTrigger,
+    pub(crate) status: ReviewStatus,
+    pub(crate) resolution: ReviewResolution,
+    pub(crate) started_at_ms: u64,
+    pub(crate) completed_at_ms: u64,
+    pub(crate) duration_ms: Option<u64>,
+}
+
+#[derive(Serialize)]
+pub(crate) struct CodexReviewEventRequest {
+    pub(crate) event_type: &'static str,
+    pub(crate) event_params: CodexReviewEventParams,
+}
+#[allow(dead_code)]
 #[derive(Clone, Copy, Debug, Serialize)]
 #[serde(rename_all = "snake_case")]
 pub(crate) enum WebSearchActionKind {
--- a/codex-rs/analytics/src/facts.rs
+++ b/codex-rs/analytics/src/facts.rs
@@ -28,6 +28,12 @@ use codex_protocol::protocol::TokenUsage;
 use serde::Serialize;
 use std::path::PathBuf;

+#[derive(Clone, Debug, PartialEq, Eq, Serialize)]
+pub struct AcceptedLineFingerprint {
+    pub path_hash: String,
+    pub line_hash: String,
+}
+
 #[derive(Clone)]
 pub struct TrackEventsContext {
    pub model_slug: String,
@@ -296,6 +302,7 @@ pub(crate) enum AnalyticsFact {
        request: Box<ServerRequest>,
    },
    ServerResponse {
+        completed_at_ms: u64,
        response: Box<ServerResponse>,
    },
    Notification(Box<ServerNotification>),
--- a/codex-rs/analytics/src/lib.rs
+++ b/codex-rs/analytics/src/lib.rs
@@ -1,3 +1,4 @@
+mod accepted_lines;
 mod client;
 mod events;
 mod facts;
@@ -6,6 +7,8 @@ mod reducer;
 use std::time::SystemTime;
 use std::time::UNIX_EPOCH;

+pub use accepted_lines::accepted_line_fingerprints_from_unified_diff;
+pub use accepted_lines::fingerprint_hash;
 pub use client::AnalyticsEventsClient;
 pub use events::AppServerRpcTransport;
 pub use events::GuardianApprovalRequestSource;
@@ -17,6 +20,7 @@ pub use events::GuardianReviewSessionKind;
 pub use events::GuardianReviewTerminalStatus;
 pub use events::GuardianReviewTrackContext;
 pub use events::GuardianReviewedAction;
+pub use facts::AcceptedLineFingerprint;
 pub use facts::AnalyticsJsonRpcError;
 pub use facts::AppInvocation;
 pub use facts::CodexCompactionEvent;
--- a/codex-rs/analytics/src/reducer.rs
+++ b/codex-rs/analytics/src/reducer.rs
@@ -1,3 +1,7 @@
+use crate::accepted_lines::AcceptedLineFingerprintEventInput;
+use crate::accepted_lines::accepted_line_fingerprint_event_requests;
+use crate::accepted_lines::accepted_line_fingerprints_from_unified_diff;
+use crate::accepted_lines::accepted_line_repo_hash_for_cwd;
 use crate::events::AppServerRpcTransport;
 use crate::events::CodexAppMentionedEventRequest;
 use crate::events::CodexAppServerClientMetadata;
@@ -104,6 +108,7 @@ use codex_protocol::protocol::TokenUsage;
 use sha1::Digest;
 use std::collections::HashMap;
 use std::path::Path;
+use std::path::PathBuf;

 #[derive(Default)]
 pub(crate) struct AnalyticsReducer {
@@ -264,6 +269,7 @@ struct TurnState {
    started_at: Option<u64>,
    token_usage: Option<TokenUsage>,
    completed: Option<CompletedTurnState>,
+    latest_diff: Option<String>,
    steer_count: usize,
 }

@@ -305,7 +311,7 @@ impl AnalyticsReducer {
                response,
            } => {
                if let Some(response) = response.into_client_response(request_id) {
-                    self.ingest_response(connection_id, response, out);
+                    self.ingest_response(connection_id, response, out).await;
                }
            }
            AnalyticsFact::ErrorResponse {
@@ -317,7 +323,7 @@ impl AnalyticsReducer {
                self.ingest_error_response(connection_id, request_id, error_type, out);
            }
            AnalyticsFact::Notification(notification) => {
-                self.ingest_notification(*notification, out);
+                self.ingest_notification(*notification, out).await;
            }
            AnalyticsFact::ServerRequest {
                connection_id: _connection_id,
@@ -325,6 +331,7 @@ impl AnalyticsReducer {
            } => {}
            AnalyticsFact::ServerResponse {
                response: _response,
+                ..
            } => {}
            AnalyticsFact::Custom(input) => match input {
                CustomAnalyticsFact::SubAgentThreadStarted(input) => {
@@ -337,10 +344,10 @@ impl AnalyticsReducer {
                    self.ingest_guardian_review(*input, out);
                }
                CustomAnalyticsFact::TurnResolvedConfig(input) => {
-                    self.ingest_turn_resolved_config(*input, out);
+                    self.ingest_turn_resolved_config(*input, out).await;
                }
                CustomAnalyticsFact::TurnTokenUsage(input) => {
-                    self.ingest_turn_token_usage(*input, out);
+                    self.ingest_turn_token_usage(*input, out).await;
                }
                CustomAnalyticsFact::SkillInvoked(input) => {
                    self.ingest_skill_invoked(input, out).await;
@@ -472,7 +479,7 @@ impl AnalyticsReducer {
        }
    }

-    fn ingest_turn_resolved_config(
+    async fn ingest_turn_resolved_config(
        &mut self,
        input: TurnResolvedConfigFact,
        out: &mut Vec<TrackEventRequest>,
@@ -488,15 +495,16 @@ impl AnalyticsReducer {
            started_at: None,
            token_usage: None,
            completed: None,
+            latest_diff: None,
            steer_count: 0,
        });
        turn_state.thread_id = Some(thread_id);
        turn_state.num_input_images = Some(num_input_images);
        turn_state.resolved_config = Some(input);
-        self.maybe_emit_turn_event(&turn_id, out);
+        self.maybe_emit_turn_event(&turn_id, out).await;
    }

-    fn ingest_turn_token_usage(
+    async fn ingest_turn_token_usage(
        &mut self,
        input: TurnTokenUsageFact,
        out: &mut Vec<TrackEventRequest>,
@@ -510,11 +518,12 @@ impl AnalyticsReducer {
            started_at: None,
            token_usage: None,
            completed: None,
+            latest_diff: None,
            steer_count: 0,
        });
        turn_state.thread_id = Some(input.thread_id);
        turn_state.token_usage = Some(input.token_usage);
-        self.maybe_emit_turn_event(&turn_id, out);
+        self.maybe_emit_turn_event(&turn_id, out).await;
    }

    async fn ingest_skill_invoked(
@@ -621,7 +630,7 @@ impl AnalyticsReducer {
        });
    }

-    fn ingest_response(
+    async fn ingest_response(
        &mut self,
        connection_id: u64,
        response: ClientResponse,
@@ -673,12 +682,13 @@ impl AnalyticsReducer {
                    started_at: None,
                    token_usage: None,
                    completed: None,
+                    latest_diff: None,
                    steer_count: 0,
                });
                turn_state.connection_id = Some(connection_id);
                turn_state.thread_id = Some(pending_request.thread_id);
                turn_state.num_input_images = Some(pending_request.num_input_images);
-                self.maybe_emit_turn_event(&turn_id, out);
+                self.maybe_emit_turn_event(&turn_id, out).await;
            }
            ClientResponse::TurnSteer {
                request_id,
@@ -740,7 +750,7 @@ impl AnalyticsReducer {
        );
    }

-    fn ingest_notification(
+    async fn ingest_notification(
        &mut self,
        notification: ServerNotification,
        out: &mut Vec<TrackEventRequest>,
@@ -811,6 +821,7 @@ impl AnalyticsReducer {
                    started_at: None,
                    token_usage: None,
                    completed: None,
+                    latest_diff: None,
                    steer_count: 0,
                });
                turn_state.started_at = notification
@@ -818,6 +829,24 @@ impl AnalyticsReducer {
                    .started_at
                    .and_then(|started_at| u64::try_from(started_at).ok());
            }
+            ServerNotification::TurnDiffUpdated(notification) => {
+                let turn_state =
+                    self.turns
+                        .entry(notification.turn_id.clone())
+                        .or_insert(TurnState {
+                            connection_id: None,
+                            thread_id: None,
+                            num_input_images: None,
+                            resolved_config: None,
+                            started_at: None,
+                            token_usage: None,
+                            completed: None,
+                            latest_diff: None,
+                            steer_count: 0,
+                        });
+                turn_state.thread_id = Some(notification.thread_id);
+                turn_state.latest_diff = Some(notification.diff);
+            }
            ServerNotification::TurnCompleted(notification) => {
                let turn_state =
                    self.turns
@@ -830,6 +859,7 @@ impl AnalyticsReducer {
                            started_at: None,
                            token_usage: None,
                            completed: None,
+                            latest_diff: None,
                            steer_count: 0,
                        });
                turn_state.completed = Some(CompletedTurnState {
@@ -849,7 +879,7 @@ impl AnalyticsReducer {
                        .and_then(|duration_ms| u64::try_from(duration_ms).ok()),
                });
                let turn_id = notification.turn.id;
-                self.maybe_emit_turn_event(&turn_id, out);
+                self.maybe_emit_turn_event(&turn_id, out).await;
            }
            _ => {}
        }
@@ -985,7 +1015,7 @@ impl AnalyticsReducer {
        }));
    }

-    fn maybe_emit_turn_event(&mut self, turn_id: &str, out: &mut Vec<TrackEventRequest>) {
+    async fn maybe_emit_turn_event(&mut self, turn_id: &str, out: &mut Vec<TrackEventRequest>) {
        let Some(turn_state) = self.turns.get(turn_id) else {
            return;
        };
@@ -1018,18 +1048,23 @@ impl AnalyticsReducer {
            warn_missing_analytics_context(&drop_site, MissingAnalyticsContext::ThreadMetadata);
            return;
        };
-        out.push(TrackEventRequest::TurnEvent(Box::new(
-            CodexTurnEventRequest {
-                event_type: "codex_turn_event",
-                event_params: codex_turn_event_params(
-                    connection_state.app_server_client.clone(),
-                    connection_state.runtime.clone(),
-                    turn_id.to_string(),
-                    turn_state,
-                    thread_metadata,
-                ),
-            },
-        )));
+        let turn_event = TrackEventRequest::TurnEvent(Box::new(CodexTurnEventRequest {
+            event_type: "codex_turn_event",
+            event_params: codex_turn_event_params(
+                connection_state.app_server_client.clone(),
+                connection_state.runtime.clone(),
+                turn_id.to_string(),
+                turn_state,
+                thread_metadata,
+            ),
+        }));
+        let accepted_line_event = accepted_line_event_input(turn_id, turn_state);
+
+        out.push(turn_event);
+        if let Some((mut input, cwd)) = accepted_line_event {
+            input.repo_hash = accepted_line_repo_hash_for_cwd(cwd.as_path()).await;
+            out.extend(accepted_line_fingerprint_event_requests(input));
+        }
        self.turns.remove(turn_id);
    }

@@ -1447,7 +1482,7 @@ fn tool_item_base(
        item_id,
        app_server_client: context.connection_state.app_server_client.clone(),
        runtime: context.connection_state.runtime.clone(),
-        thread_source: thread_metadata.thread_source.map(ThreadSource::as_str),
+        thread_source: thread_metadata.thread_source,
        subagent_source: thread_metadata.subagent_source.clone(),
        parent_thread_id: thread_metadata.parent_thread_id.clone(),
        tool_name,
@@ -1641,6 +1676,36 @@ fn web_search_query_count(query: &str, action: Option<&WebSearchAction>) -> Opti
    }
 }

+fn accepted_line_event_input(
+    turn_id: &str,
+    turn_state: &TurnState,
+) -> Option<(AcceptedLineFingerprintEventInput, PathBuf)> {
+    let latest_diff = turn_state.latest_diff.as_deref()?;
+    let summary = accepted_line_fingerprints_from_unified_diff(latest_diff);
+    if summary.accepted_added_lines == 0 && summary.accepted_deleted_lines == 0 {
+        return None;
+    }
+
+    let thread_id = turn_state.thread_id.clone()?;
+    let resolved_config = turn_state.resolved_config.clone()?;
+
+    Some((
+        AcceptedLineFingerprintEventInput {
+            event_type: "codex.accepted_line_fingerprints",
+            turn_id: turn_id.to_string(),
+            thread_id,
+            product_surface: Some("codex".to_string()),
+            model_slug: Some(resolved_config.model.clone()),
+            completed_at: now_unix_seconds(),
+            repo_hash: None,
+            accepted_added_lines: summary.accepted_added_lines,
+            accepted_deleted_lines: summary.accepted_deleted_lines,
+            line_fingerprints: summary.line_fingerprints,
+        },
+        resolved_config.permission_profile_cwd,
+    ))
+}
+
 fn codex_turn_event_params(
    app_server_client: CodexAppServerClientMetadata,
    runtime: CodexRuntimeMetadata,
--- a/codex-rs/ansi-escape/Cargo.toml
+++ b/codex-rs/ansi-escape/Cargo.toml
@@ -7,6 +7,8 @@ license.workspace = true
 [lib]
 name = "codex_ansi_escape"
 path = "src/lib.rs"
+test = false
+doctest = false

 [lints]
 workspace = true
--- a/codex-rs/app-server-client/Cargo.toml
+++ b/codex-rs/app-server-client/Cargo.toml
@@ -7,6 +7,7 @@ license.workspace = true
 [lib]
 name = "codex_app_server_client"
 path = "src/lib.rs"
+doctest = false

 [lints]
 workspace = true
--- a/codex-rs/app-server-client/src/lib.rs
+++ b/codex-rs/app-server-client/src/lib.rs
@@ -29,6 +29,7 @@ pub use codex_app_server::in_process::DEFAULT_IN_PROCESS_CHANNEL_CAPACITY;
 pub use codex_app_server::in_process::InProcessServerEvent;
 use codex_app_server::in_process::InProcessStartArgs;
 use codex_app_server::in_process::LogDbLayer;
+pub use codex_app_server::in_process::StateDbHandle;
 use codex_app_server_protocol::ClientInfo;
 use codex_app_server_protocol::ClientNotification;
 use codex_app_server_protocol::ClientRequest;
@@ -46,7 +47,6 @@ use codex_config::LoaderOverrides;
 use codex_config::NoopThreadConfigLoader;
 use codex_config::RemoteThreadConfigLoader;
 use codex_config::ThreadConfigLoader;
-pub use codex_core::StateDbHandle;
 use codex_core::config::Config;
 pub use codex_exec_server::EnvironmentManager;
 pub use codex_exec_server::ExecServerRuntimePaths;
@@ -374,6 +374,7 @@ impl InProcessClientStartArgs {
    pub fn initialize_params(&self) -> InitializeParams {
        let capabilities = InitializeCapabilities {
            experimental_api: self.experimental_api,
+            request_attestation: false,
            opt_out_notification_methods: if self.opt_out_notification_methods.is_empty() {
                None
            } else {
@@ -950,7 +951,7 @@ mod tests {
    use codex_app_server_protocol::ToolRequestUserInputParams;
    use codex_app_server_protocol::ToolRequestUserInputQuestion;
    use codex_core::config::ConfigBuilder;
-    use codex_core::init_state_db_from_config;
+    use codex_core::init_state_db;
    use futures::SinkExt;
    use futures::StreamExt;
    use pretty_assertions::assert_eq;
@@ -1016,7 +1017,7 @@ mod tests {
    ) -> TestClient {
        let codex_home = TempDir::new().expect("temp dir");
        let config = Arc::new(build_test_config_for_codex_home(codex_home.path()).await);
-        let state_db = init_state_db_from_config(config.as_ref())
+        let state_db = init_state_db(config.as_ref())
            .await
            .expect("state db should initialize for in-process test");
        let client = InProcessAppServerClient::start(InProcessClientStartArgs {
--- a/codex-rs/app-server-client/src/remote.rs
+++ b/codex-rs/app-server-client/src/remote.rs
@@ -73,6 +73,7 @@ impl RemoteAppServerConnectArgs {
    fn initialize_params(&self) -> InitializeParams {
        let capabilities = InitializeCapabilities {
            experimental_api: self.experimental_api,
+            request_attestation: false,
            opt_out_notification_methods: if self.opt_out_notification_methods.is_empty() {
                None
            } else {
--- a/codex-rs/app-server-protocol/Cargo.toml
+++ b/codex-rs/app-server-protocol/Cargo.toml
@@ -7,6 +7,7 @@ license.workspace = true
 [lib]
 name = "codex_app_server_protocol"
 path = "src/lib.rs"
+doctest = false

 [lints]
 workspace = true
--- a/codex-rs/app-server-protocol/schema/json/AttestationGenerateParams.json
+++ b/codex-rs/app-server-protocol/schema/json/AttestationGenerateParams.json
@@ -0,0 +1,5 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "AttestationGenerateParams",
+  "type": "object"
+}
--- a/codex-rs/app-server-protocol/schema/json/AttestationGenerateResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/AttestationGenerateResponse.json
@@ -1,14 +1,14 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
-  "description": "Fetch a controller-local device key public key by id.",
  "properties": {
-    "keyId": {
+    "token": {
+      "description": "Opaque client attestation token.",
      "type": "string"
    }
  },
  "required": [
-    "keyId"
+    "token"
  ],
-  "title": "DeviceKeyPublicParams",
+  "title": "AttestationGenerateResponse",
  "type": "object"
 }
--- a/codex-rs/app-server-protocol/schema/json/ClientRequest.json
+++ b/codex-rs/app-server-protocol/schema/json/ClientRequest.json
@@ -533,200 +533,6 @@
        }
      ]
    },
-    "DeviceKeyCreateParams": {
-      "description": "Create a controller-local device key with a random key id.",
-      "properties": {
-        "accountUserId": {
-          "type": "string"
-        },
-        "clientId": {
-          "type": "string"
-        },
-        "protectionPolicy": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/DeviceKeyProtectionPolicy"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Defaults to `hardware_only` when omitted."
-        }
-      },
-      "required": [
-        "accountUserId",
-        "clientId"
-      ],
-      "type": "object"
-    },
-    "DeviceKeyProtectionPolicy": {
-      "description": "Protection policy for creating or loading a controller-local device key.",
-      "enum": [
-        "hardware_only",
-        "allow_os_protected_nonextractable"
-      ],
-      "type": "string"
-    },
-    "DeviceKeyPublicParams": {
-      "description": "Fetch a controller-local device key public key by id.",
-      "properties": {
-        "keyId": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "keyId"
-      ],
-      "type": "object"
-    },
-    "DeviceKeySignParams": {
-      "description": "Sign an accepted structured payload with a controller-local device key.",
-      "properties": {
-        "keyId": {
-          "type": "string"
-        },
-        "payload": {
-          "$ref": "#/definitions/DeviceKeySignPayload"
-        }
-      },
-      "required": [
-        "keyId",
-        "payload"
-      ],
-      "type": "object"
-    },
-    "DeviceKeySignPayload": {
-      "description": "Structured payloads accepted by `device/key/sign`.",
-      "oneOf": [
-        {
-          "description": "Payload bound to one remote-control controller websocket `/client` connection challenge.",
-          "properties": {
-            "accountUserId": {
-              "type": "string"
-            },
-            "audience": {
-              "$ref": "#/definitions/RemoteControlClientConnectionAudience"
-            },
-            "clientId": {
-              "type": "string"
-            },
-            "nonce": {
-              "type": "string"
-            },
-            "scopes": {
-              "description": "Must contain exactly `remote_control_controller_websocket`.",
-              "items": {
-                "type": "string"
-              },
-              "type": "array"
-            },
-            "sessionId": {
-              "description": "Backend-issued websocket session id that this proof authorizes.",
-              "type": "string"
-            },
-            "targetOrigin": {
-              "description": "Origin of the backend endpoint that issued the challenge and will verify this proof.",
-              "type": "string"
-            },
-            "targetPath": {
-              "description": "Websocket route path that this proof authorizes.",
-              "type": "string"
-            },
-            "tokenExpiresAt": {
-              "description": "Remote-control token expiration as Unix seconds.",
-              "format": "int64",
-              "type": "integer"
-            },
-            "tokenSha256Base64url": {
-              "description": "SHA-256 of the controller-scoped remote-control token, encoded as unpadded base64url.",
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "remoteControlClientConnection"
-              ],
-              "title": "RemoteControlClientConnectionDeviceKeySignPayloadType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "accountUserId",
-            "audience",
-            "clientId",
-            "nonce",
-            "scopes",
-            "sessionId",
-            "targetOrigin",
-            "targetPath",
-            "tokenExpiresAt",
-            "tokenSha256Base64url",
-            "type"
-          ],
-          "title": "RemoteControlClientConnectionDeviceKeySignPayload",
-          "type": "object"
-        },
-        {
-          "description": "Payload bound to a remote-control client `/client/enroll` ownership challenge.",
-          "properties": {
-            "accountUserId": {
-              "type": "string"
-            },
-            "audience": {
-              "$ref": "#/definitions/RemoteControlClientEnrollmentAudience"
-            },
-            "challengeExpiresAt": {
-              "description": "Enrollment challenge expiration as Unix seconds.",
-              "format": "int64",
-              "type": "integer"
-            },
-            "challengeId": {
-              "description": "Backend-issued enrollment challenge id that this proof authorizes.",
-              "type": "string"
-            },
-            "clientId": {
-              "type": "string"
-            },
-            "deviceIdentitySha256Base64url": {
-              "description": "SHA-256 of the requested device identity operation, encoded as unpadded base64url.",
-              "type": "string"
-            },
-            "nonce": {
-              "type": "string"
-            },
-            "targetOrigin": {
-              "description": "Origin of the backend endpoint that issued the challenge and will verify this proof.",
-              "type": "string"
-            },
-            "targetPath": {
-              "description": "HTTP route path that this proof authorizes.",
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "remoteControlClientEnrollment"
-              ],
-              "title": "RemoteControlClientEnrollmentDeviceKeySignPayloadType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "accountUserId",
-            "audience",
-            "challengeExpiresAt",
-            "challengeId",
-            "clientId",
-            "deviceIdentitySha256Base64url",
-            "nonce",
-            "targetOrigin",
-            "targetPath",
-            "type"
-          ],
-          "title": "RemoteControlClientEnrollmentDeviceKeySignPayload",
-          "type": "object"
-        }
-      ]
-    },
    "DynamicToolSpec": {
      "properties": {
        "deferLoading": {
@@ -1453,6 +1259,11 @@
            "array",
            "null"
          ]
+        },
+        "requestAttestation": {
+          "default": false,
+          "description": "Opt into `attestation/generate` requests for upstream `x-oai-attestation`.",
+          "type": "boolean"
        }
      },
      "type": "object"
@@ -2039,31 +1850,6 @@
        }
      ]
    },
-    "PermissionProfileModificationParams": {
-      "oneOf": [
-        {
-          "description": "Additional concrete directory that should be writable.",
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "additionalWritableRoot"
-              ],
-              "title": "AdditionalWritableRootPermissionProfileModificationParamsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "AdditionalWritableRootPermissionProfileModificationParams",
-          "type": "object"
-        }
-      ]
-    },
    "PermissionProfileNetworkPermissions": {
      "properties": {
        "enabled": {
@@ -2078,20 +1864,11 @@
    "PermissionProfileSelectionParams": {
      "oneOf": [
        {
-          "description": "Select a named built-in or user-defined profile and optionally apply bounded modifications that Codex knows how to validate.",
+          "description": "Select a named built-in or user-defined profile. This updates profile identity metadata only; it does not replace the thread's effective permissions profile.",
          "properties": {
            "id": {
              "type": "string"
            },
-            "modifications": {
-              "items": {
-                "$ref": "#/definitions/PermissionProfileModificationParams"
-              },
-              "type": [
-                "array",
-                "null"
-              ]
-            },
            "type": {
              "enum": [
                "profile"
@@ -2285,8 +2062,18 @@
      ],
      "type": "object"
    },
+    "PluginShareUpdateDiscoverability": {
+      "enum": [
+        "UNLISTED",
+        "PRIVATE"
+      ],
+      "type": "string"
+    },
    "PluginShareUpdateTargetsParams": {
      "properties": {
+        "discoverability": {
+          "$ref": "#/definitions/PluginShareUpdateDiscoverability"
+        },
        "remotePluginId": {
          "type": "string"
        },
@@ -2298,6 +2085,7 @@
        }
      },
      "required": [
+        "discoverability",
        "remotePluginId",
        "shareTargets"
      ],
@@ -2504,20 +2292,6 @@
        }
      ]
    },
-    "RemoteControlClientConnectionAudience": {
-      "description": "Audience for a remote-control client connection device-key proof.",
-      "enum": [
-        "remote_control_client_websocket"
-      ],
-      "type": "string"
-    },
-    "RemoteControlClientEnrollmentAudience": {
-      "description": "Audience for a remote-control client enrollment device-key proof.",
-      "enum": [
-        "remote_control_client_enrollment"
-      ],
-      "type": "string"
-    },
    "RequestId": {
      "anyOf": [
        {
@@ -3314,13 +3088,6 @@
              ],
              "title": "WorkspaceWriteSandboxPolicyType",
              "type": "string"
-            },
-            "writableRoots": {
-              "default": [],
-              "items": {
-                "$ref": "#/definitions/AbsolutePathBuf"
-              },
-              "type": "array"
            }
          },
          "required": [
@@ -3420,24 +3187,6 @@
      ],
      "type": "object"
    },
-    "SkillsListExtraRootsForCwd": {
-      "properties": {
-        "cwd": {
-          "type": "string"
-        },
-        "extraUserRoots": {
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        }
-      },
-      "required": [
-        "cwd",
-        "extraUserRoots"
-      ],
-      "type": "object"
-    },
    "SkillsListParams": {
      "properties": {
        "cwds": {
@@ -3450,17 +3199,6 @@
        "forceReload": {
          "description": "When true, bypass the skills cache and re-scan skills from disk.",
          "type": "boolean"
-        },
-        "perCwdExtraUserRoots": {
-          "default": null,
-          "description": "Optional per-cwd extra roots to scan as user-scoped skills.",
-          "items": {
-            "$ref": "#/definitions/SkillsListExtraRootsForCwd"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
        }
      },
      "type": "object"
@@ -3616,7 +3354,8 @@
            {
              "type": "null"
            }
-          ]
+          ],
+          "description": "Deprecated for fork. The server rejects this field because the source permission profile value is preserved across fork."
        },
        "serviceTier": {
          "type": [
@@ -4027,7 +3766,8 @@
            {
              "type": "null"
            }
-          ]
+          ],
+          "description": "Deprecated for resume. The server rejects this field because the persisted permission profile value is preserved across resume."
        },
        "serviceTier": {
          "type": [
@@ -4304,6 +4044,31 @@
      ],
      "type": "object"
    },
+    "TurnItemsView": {
+      "oneOf": [
+        {
+          "description": "`items` was not loaded for this turn. The field is intentionally empty.",
+          "enum": [
+            "notLoaded"
+          ],
+          "type": "string"
+        },
+        {
+          "description": "`items` contains only a display summary for this turn.",
+          "enum": [
+            "summary"
+          ],
+          "type": "string"
+        },
+        {
+          "description": "`items` contains every ThreadItem available from persisted app-server history for this turn.",
+          "enum": [
+            "full"
+          ],
+          "type": "string"
+        }
+      ]
+    },
    "TurnStartParams": {
      "properties": {
        "approvalPolicy": {
@@ -4382,7 +4147,7 @@
              "type": "null"
            }
          ],
-          "description": "Override the sandbox policy for this turn and subsequent turns."
+          "description": "Deprecated for turns. The server rejects this field because the thread permission profile value is not mutable through `turn/start`."
        },
        "serviceTier": {
          "description": "Override the service tier for this turn and subsequent turns.",
@@ -5308,78 +5073,6 @@
      "title": "App/listRequest",
      "type": "object"
    },
-    {
-      "properties": {
-        "id": {
-          "$ref": "#/definitions/RequestId"
-        },
-        "method": {
-          "enum": [
-            "device/key/create"
-          ],
-          "title": "Device/key/createRequestMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/DeviceKeyCreateParams"
-        }
-      },
-      "required": [
-        "id",
-        "method",
-        "params"
-      ],
-      "title": "Device/key/createRequest",
-      "type": "object"
-    },
-    {
-      "properties": {
-        "id": {
-          "$ref": "#/definitions/RequestId"
-        },
-        "method": {
-          "enum": [
-            "device/key/public"
-          ],
-          "title": "Device/key/publicRequestMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/DeviceKeyPublicParams"
-        }
-      },
-      "required": [
-        "id",
-        "method",
-        "params"
-      ],
-      "title": "Device/key/publicRequest",
-      "type": "object"
-    },
-    {
-      "properties": {
-        "id": {
-          "$ref": "#/definitions/RequestId"
-        },
-        "method": {
-          "enum": [
-            "device/key/sign"
-          ],
-          "title": "Device/key/signRequestMethod",
-          "type": "string"
-        },
-        "params": {
-          "$ref": "#/definitions/DeviceKeySignParams"
-        }
-      },
-      "required": [
-        "id",
-        "method",
-        "params"
-      ],
-      "title": "Device/key/signRequest",
-      "type": "object"
-    },
    {
      "properties": {
        "id": {
--- a/codex-rs/app-server-protocol/schema/json/CommandExecutionRequestApprovalParams.json
+++ b/codex-rs/app-server-protocol/schema/json/CommandExecutionRequestApprovalParams.json
@@ -593,6 +593,11 @@
        "null"
      ]
    },
+    "startedAtMs": {
+      "description": "Unix timestamp (in milliseconds) when this approval request started.",
+      "format": "int64",
+      "type": "integer"
+    },
    "threadId": {
      "type": "string"
    },
@@ -602,6 +607,7 @@
  },
  "required": [
    "itemId",
+    "startedAtMs",
    "threadId",
    "turnId"
  ],
--- a/codex-rs/app-server-protocol/schema/json/FileChangeRequestApprovalParams.json
+++ b/codex-rs/app-server-protocol/schema/json/FileChangeRequestApprovalParams.json
@@ -18,6 +18,11 @@
        "null"
      ]
    },
+    "startedAtMs": {
+      "description": "Unix timestamp (in milliseconds) when this approval request started.",
+      "format": "int64",
+      "type": "integer"
+    },
    "threadId": {
      "type": "string"
    },
@@ -27,6 +32,7 @@
  },
  "required": [
    "itemId",
+    "startedAtMs",
    "threadId",
    "turnId"
  ],
--- a/codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalParams.json
+++ b/codex-rs/app-server-protocol/schema/json/PermissionsRequestApprovalParams.json
@@ -297,6 +297,11 @@
        "null"
      ]
    },
+    "startedAtMs": {
+      "description": "Unix timestamp (in milliseconds) when this approval request started.",
+      "format": "int64",
+      "type": "integer"
+    },
    "threadId": {
      "type": "string"
    },
@@ -308,6 +313,7 @@
    "cwd",
    "itemId",
    "permissions",
+    "startedAtMs",
    "threadId",
    "turnId"
  ],
--- a/codex-rs/app-server-protocol/schema/json/ServerNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/ServerNotification.json
@@ -1963,6 +1963,11 @@
        "action": {
          "$ref": "#/definitions/GuardianApprovalReviewAction"
        },
+        "completedAtMs": {
+          "description": "Unix timestamp (in milliseconds) when this review completed.",
+          "format": "int64",
+          "type": "integer"
+        },
        "decisionSource": {
          "$ref": "#/definitions/AutoReviewDecisionSource"
        },
@@ -1973,6 +1978,11 @@
          "description": "Stable identifier for this review.",
          "type": "string"
        },
+        "startedAtMs": {
+          "description": "Unix timestamp (in milliseconds) when this review started.",
+          "format": "int64",
+          "type": "integer"
+        },
        "targetItemId": {
          "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
          "type": [
@@ -1989,9 +1999,11 @@
      },
      "required": [
        "action",
+        "completedAtMs",
        "decisionSource",
        "review",
        "reviewId",
+        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -2010,6 +2022,11 @@
          "description": "Stable identifier for this review.",
          "type": "string"
        },
+        "startedAtMs": {
+          "description": "Unix timestamp (in milliseconds) when this review started.",
+          "format": "int64",
+          "type": "integer"
+        },
        "targetItemId": {
          "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
          "type": [
@@ -2028,6 +2045,7 @@
        "action",
        "review",
        "reviewId",
+        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -2719,7 +2737,7 @@
      "type": "string"
    },
    "RemoteControlStatusChangedNotification": {
-      "description": "Current remote-control connection status and environment id exposed to clients.",
+      "description": "Current remote-control connection status and remote identity exposed to clients.",
      "properties": {
        "environmentId": {
          "type": [
@@ -2727,11 +2745,15 @@
            "null"
          ]
        },
+        "installationId": {
+          "type": "string"
+        },
        "status": {
          "$ref": "#/definitions/RemoteControlConnectionStatus"
        }
      },
      "required": [
+        "installationId",
        "status"
      ],
      "type": "object"
--- a/codex-rs/app-server-protocol/schema/json/ServerRequest.json
+++ b/codex-rs/app-server-protocol/schema/json/ServerRequest.json
@@ -121,6 +121,9 @@
      ],
      "type": "object"
    },
+    "AttestationGenerateParams": {
+      "type": "object"
+    },
    "ChatgptAuthTokensRefreshParams": {
      "properties": {
        "previousAccountId": {
@@ -417,6 +420,11 @@
            "null"
          ]
        },
+        "startedAtMs": {
+          "description": "Unix timestamp (in milliseconds) when this approval request started.",
+          "format": "int64",
+          "type": "integer"
+        },
        "threadId": {
          "type": "string"
        },
@@ -426,6 +434,7 @@
      },
      "required": [
        "itemId",
+        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -598,6 +607,11 @@
            "null"
          ]
        },
+        "startedAtMs": {
+          "description": "Unix timestamp (in milliseconds) when this approval request started.",
+          "format": "int64",
+          "type": "integer"
+        },
        "threadId": {
          "type": "string"
        },
@@ -607,6 +621,7 @@
      },
      "required": [
        "itemId",
+        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -1587,6 +1602,11 @@
            "null"
          ]
        },
+        "startedAtMs": {
+          "description": "Unix timestamp (in milliseconds) when this approval request started.",
+          "format": "int64",
+          "type": "integer"
+        },
        "threadId": {
          "type": "string"
        },
@@ -1598,6 +1618,7 @@
        "cwd",
        "itemId",
        "permissions",
+        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -1900,6 +1921,31 @@
      "title": "Account/chatgptAuthTokens/refreshRequest",
      "type": "object"
    },
+    {
+      "description": "Generate a fresh upstream attestation result on demand.",
+      "properties": {
+        "id": {
+          "$ref": "#/definitions/RequestId"
+        },
+        "method": {
+          "enum": [
+            "attestation/generate"
+          ],
+          "title": "Attestation/generateRequestMethod",
+          "type": "string"
+        },
+        "params": {
+          "$ref": "#/definitions/AttestationGenerateParams"
+        }
+      },
+      "required": [
+        "id",
+        "method",
+        "params"
+      ],
+      "title": "Attestation/generateRequest",
+      "type": "object"
+    },
    {
      "description": "DEPRECATED APIs below Request to approve a patch. This request is used for Turns started via the legacy APIs (i.e. SendUserTurn, SendUserMessage).",
      "properties": {
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
@@ -83,6 +83,25 @@
      "title": "ApplyPatchApprovalResponse",
      "type": "object"
    },
+    "AttestationGenerateParams": {
+      "$schema": "http://json-schema.org/draft-07/schema#",
+      "title": "AttestationGenerateParams",
+      "type": "object"
+    },
+    "AttestationGenerateResponse": {
+      "$schema": "http://json-schema.org/draft-07/schema#",
+      "properties": {
+        "token": {
+          "description": "Opaque client attestation token.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "token"
+      ],
+      "title": "AttestationGenerateResponse",
+      "type": "object"
+    },
    "ChatgptAuthTokensRefreshParams": {
      "$schema": "http://json-schema.org/draft-07/schema#",
      "properties": {
@@ -906,78 +925,6 @@
          "title": "App/listRequest",
          "type": "object"
        },
-        {
-          "properties": {
-            "id": {
-              "$ref": "#/definitions/v2/RequestId"
-            },
-            "method": {
-              "enum": [
-                "device/key/create"
-              ],
-              "title": "Device/key/createRequestMethod",
-              "type": "string"
-            },
-            "params": {
-              "$ref": "#/definitions/v2/DeviceKeyCreateParams"
-            }
-          },
-          "required": [
-            "id",
-            "method",
-            "params"
-          ],
-          "title": "Device/key/createRequest",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "id": {
-              "$ref": "#/definitions/v2/RequestId"
-            },
-            "method": {
-              "enum": [
-                "device/key/public"
-              ],
-              "title": "Device/key/publicRequestMethod",
-              "type": "string"
-            },
-            "params": {
-              "$ref": "#/definitions/v2/DeviceKeyPublicParams"
-            }
-          },
-          "required": [
-            "id",
-            "method",
-            "params"
-          ],
-          "title": "Device/key/publicRequest",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "id": {
-              "$ref": "#/definitions/v2/RequestId"
-            },
-            "method": {
-              "enum": [
-                "device/key/sign"
-              ],
-              "title": "Device/key/signRequestMethod",
-              "type": "string"
-            },
-            "params": {
-              "$ref": "#/definitions/v2/DeviceKeySignParams"
-            }
-          },
-          "required": [
-            "id",
-            "method",
-            "params"
-          ],
-          "title": "Device/key/signRequest",
-          "type": "object"
-        },
        {
          "properties": {
            "id": {
@@ -2218,6 +2165,11 @@
            "null"
          ]
        },
+        "startedAtMs": {
+          "description": "Unix timestamp (in milliseconds) when this approval request started.",
+          "format": "int64",
+          "type": "integer"
+        },
        "threadId": {
          "type": "string"
        },
@@ -2227,6 +2179,7 @@
      },
      "required": [
        "itemId",
+        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -2483,6 +2436,11 @@
            "null"
          ]
        },
+        "startedAtMs": {
+          "description": "Unix timestamp (in milliseconds) when this approval request started.",
+          "format": "int64",
+          "type": "integer"
+        },
        "threadId": {
          "type": "string"
        },
@@ -2492,6 +2450,7 @@
      },
      "required": [
        "itemId",
+        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -2680,6 +2639,11 @@
            "array",
            "null"
          ]
+        },
+        "requestAttestation": {
+          "default": false,
+          "description": "Opt into `attestation/generate` requests for upstream `x-oai-attestation`.",
+          "type": "boolean"
        }
      },
      "type": "object"
@@ -3663,6 +3627,11 @@
            "null"
          ]
        },
+        "startedAtMs": {
+          "description": "Unix timestamp (in milliseconds) when this approval request started.",
+          "format": "int64",
+          "type": "integer"
+        },
        "threadId": {
          "type": "string"
        },
@@ -3674,6 +3643,7 @@
        "cwd",
        "itemId",
        "permissions",
+        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -5261,6 +5231,31 @@
          "title": "Account/chatgptAuthTokens/refreshRequest",
          "type": "object"
        },
+        {
+          "description": "Generate a fresh upstream attestation result on demand.",
+          "properties": {
+            "id": {
+              "$ref": "#/definitions/v2/RequestId"
+            },
+            "method": {
+              "enum": [
+                "attestation/generate"
+              ],
+              "title": "Attestation/generateRequestMethod",
+              "type": "string"
+            },
+            "params": {
+              "$ref": "#/definitions/AttestationGenerateParams"
+            }
+          },
+          "required": [
+            "id",
+            "method",
+            "params"
+          ],
+          "title": "Attestation/generateRequest",
+          "type": "object"
+        },
        {
          "description": "DEPRECATED APIs below Request to approve a patch. This request is used for Turns started via the legacy APIs (i.e. SendUserTurn, SendUserMessage).",
          "properties": {
@@ -5588,14 +5583,6 @@
          "id": {
            "description": "Identifier from `default_permissions` or the implicit built-in default, such as `:workspace` or a user-defined `[permissions.<id>]` profile.",
            "type": "string"
-          },
-          "modifications": {
-            "default": [],
-            "description": "Bounded user-requested modifications applied on top of the named profile, if any.",
-            "items": {
-              "$ref": "#/definitions/v2/ActivePermissionProfileModification"
-            },
-            "type": "array"
          }
        },
        "required": [
@@ -5603,31 +5590,6 @@
        ],
        "type": "object"
      },
-      "ActivePermissionProfileModification": {
-        "oneOf": [
-          {
-            "description": "Additional concrete directory that should be writable.",
-            "properties": {
-              "path": {
-                "$ref": "#/definitions/v2/AbsolutePathBuf"
-              },
-              "type": {
-                "enum": [
-                  "additionalWritableRoot"
-                ],
-                "title": "AdditionalWritableRootActivePermissionProfileModificationType",
-                "type": "string"
-              }
-            },
-            "required": [
-              "path",
-              "type"
-            ],
-            "title": "AdditionalWritableRootActivePermissionProfileModification",
-            "type": "object"
-          }
-        ]
-      },
      "AddCreditsNudgeCreditType": {
        "enum": [
          "credits",
@@ -7947,300 +7909,6 @@
        "title": "DeprecationNoticeNotification",
        "type": "object"
      },
-      "DeviceKeyAlgorithm": {
-        "description": "Device-key algorithm reported at enrollment and signing boundaries.",
-        "enum": [
-          "ecdsa_p256_sha256"
-        ],
-        "type": "string"
-      },
-      "DeviceKeyCreateParams": {
-        "$schema": "http://json-schema.org/draft-07/schema#",
-        "description": "Create a controller-local device key with a random key id.",
-        "properties": {
-          "accountUserId": {
-            "type": "string"
-          },
-          "clientId": {
-            "type": "string"
-          },
-          "protectionPolicy": {
-            "anyOf": [
-              {
-                "$ref": "#/definitions/v2/DeviceKeyProtectionPolicy"
-              },
-              {
-                "type": "null"
-              }
-            ],
-            "description": "Defaults to `hardware_only` when omitted."
-          }
-        },
-        "required": [
-          "accountUserId",
-          "clientId"
-        ],
-        "title": "DeviceKeyCreateParams",
-        "type": "object"
-      },
-      "DeviceKeyCreateResponse": {
-        "$schema": "http://json-schema.org/draft-07/schema#",
-        "description": "Device-key metadata and public key returned by create/public APIs.",
-        "properties": {
-          "algorithm": {
-            "$ref": "#/definitions/v2/DeviceKeyAlgorithm"
-          },
-          "keyId": {
-            "type": "string"
-          },
-          "protectionClass": {
-            "$ref": "#/definitions/v2/DeviceKeyProtectionClass"
-          },
-          "publicKeySpkiDerBase64": {
-            "description": "SubjectPublicKeyInfo DER encoded as base64.",
-            "type": "string"
-          }
-        },
-        "required": [
-          "algorithm",
-          "keyId",
-          "protectionClass",
-          "publicKeySpkiDerBase64"
-        ],
-        "title": "DeviceKeyCreateResponse",
-        "type": "object"
-      },
-      "DeviceKeyProtectionClass": {
-        "description": "Platform protection class for a controller-local device key.",
-        "enum": [
-          "hardware_secure_enclave",
-          "hardware_tpm",
-          "os_protected_nonextractable"
-        ],
-        "type": "string"
-      },
-      "DeviceKeyProtectionPolicy": {
-        "description": "Protection policy for creating or loading a controller-local device key.",
-        "enum": [
-          "hardware_only",
-          "allow_os_protected_nonextractable"
-        ],
-        "type": "string"
-      },
-      "DeviceKeyPublicParams": {
-        "$schema": "http://json-schema.org/draft-07/schema#",
-        "description": "Fetch a controller-local device key public key by id.",
-        "properties": {
-          "keyId": {
-            "type": "string"
-          }
-        },
-        "required": [
-          "keyId"
-        ],
-        "title": "DeviceKeyPublicParams",
-        "type": "object"
-      },
-      "DeviceKeyPublicResponse": {
-        "$schema": "http://json-schema.org/draft-07/schema#",
-        "description": "Device-key public metadata returned by `device/key/public`.",
-        "properties": {
-          "algorithm": {
-            "$ref": "#/definitions/v2/DeviceKeyAlgorithm"
-          },
-          "keyId": {
-            "type": "string"
-          },
-          "protectionClass": {
-            "$ref": "#/definitions/v2/DeviceKeyProtectionClass"
-          },
-          "publicKeySpkiDerBase64": {
-            "description": "SubjectPublicKeyInfo DER encoded as base64.",
-            "type": "string"
-          }
-        },
-        "required": [
-          "algorithm",
-          "keyId",
-          "protectionClass",
-          "publicKeySpkiDerBase64"
-        ],
-        "title": "DeviceKeyPublicResponse",
-        "type": "object"
-      },
-      "DeviceKeySignParams": {
-        "$schema": "http://json-schema.org/draft-07/schema#",
-        "description": "Sign an accepted structured payload with a controller-local device key.",
-        "properties": {
-          "keyId": {
-            "type": "string"
-          },
-          "payload": {
-            "$ref": "#/definitions/v2/DeviceKeySignPayload"
-          }
-        },
-        "required": [
-          "keyId",
-          "payload"
-        ],
-        "title": "DeviceKeySignParams",
-        "type": "object"
-      },
-      "DeviceKeySignPayload": {
-        "description": "Structured payloads accepted by `device/key/sign`.",
-        "oneOf": [
-          {
-            "description": "Payload bound to one remote-control controller websocket `/client` connection challenge.",
-            "properties": {
-              "accountUserId": {
-                "type": "string"
-              },
-              "audience": {
-                "$ref": "#/definitions/v2/RemoteControlClientConnectionAudience"
-              },
-              "clientId": {
-                "type": "string"
-              },
-              "nonce": {
-                "type": "string"
-              },
-              "scopes": {
-                "description": "Must contain exactly `remote_control_controller_websocket`.",
-                "items": {
-                  "type": "string"
-                },
-                "type": "array"
-              },
-              "sessionId": {
-                "description": "Backend-issued websocket session id that this proof authorizes.",
-                "type": "string"
-              },
-              "targetOrigin": {
-                "description": "Origin of the backend endpoint that issued the challenge and will verify this proof.",
-                "type": "string"
-              },
-              "targetPath": {
-                "description": "Websocket route path that this proof authorizes.",
-                "type": "string"
-              },
-              "tokenExpiresAt": {
-                "description": "Remote-control token expiration as Unix seconds.",
-                "format": "int64",
-                "type": "integer"
-              },
-              "tokenSha256Base64url": {
-                "description": "SHA-256 of the controller-scoped remote-control token, encoded as unpadded base64url.",
-                "type": "string"
-              },
-              "type": {
-                "enum": [
-                  "remoteControlClientConnection"
-                ],
-                "title": "RemoteControlClientConnectionDeviceKeySignPayloadType",
-                "type": "string"
-              }
-            },
-            "required": [
-              "accountUserId",
-              "audience",
-              "clientId",
-              "nonce",
-              "scopes",
-              "sessionId",
-              "targetOrigin",
-              "targetPath",
-              "tokenExpiresAt",
-              "tokenSha256Base64url",
-              "type"
-            ],
-            "title": "RemoteControlClientConnectionDeviceKeySignPayload",
-            "type": "object"
-          },
-          {
-            "description": "Payload bound to a remote-control client `/client/enroll` ownership challenge.",
-            "properties": {
-              "accountUserId": {
-                "type": "string"
-              },
-              "audience": {
-                "$ref": "#/definitions/v2/RemoteControlClientEnrollmentAudience"
-              },
-              "challengeExpiresAt": {
-                "description": "Enrollment challenge expiration as Unix seconds.",
-                "format": "int64",
-                "type": "integer"
-              },
-              "challengeId": {
-                "description": "Backend-issued enrollment challenge id that this proof authorizes.",
-                "type": "string"
-              },
-              "clientId": {
-                "type": "string"
-              },
-              "deviceIdentitySha256Base64url": {
-                "description": "SHA-256 of the requested device identity operation, encoded as unpadded base64url.",
-                "type": "string"
-              },
-              "nonce": {
-                "type": "string"
-              },
-              "targetOrigin": {
-                "description": "Origin of the backend endpoint that issued the challenge and will verify this proof.",
-                "type": "string"
-              },
-              "targetPath": {
-                "description": "HTTP route path that this proof authorizes.",
-                "type": "string"
-              },
-              "type": {
-                "enum": [
-                  "remoteControlClientEnrollment"
-                ],
-                "title": "RemoteControlClientEnrollmentDeviceKeySignPayloadType",
-                "type": "string"
-              }
-            },
-            "required": [
-              "accountUserId",
-              "audience",
-              "challengeExpiresAt",
-              "challengeId",
-              "clientId",
-              "deviceIdentitySha256Base64url",
-              "nonce",
-              "targetOrigin",
-              "targetPath",
-              "type"
-            ],
-            "title": "RemoteControlClientEnrollmentDeviceKeySignPayload",
-            "type": "object"
-          }
-        ]
-      },
-      "DeviceKeySignResponse": {
-        "$schema": "http://json-schema.org/draft-07/schema#",
-        "description": "ASN.1 DER signature returned by `device/key/sign`.",
-        "properties": {
-          "algorithm": {
-            "$ref": "#/definitions/v2/DeviceKeyAlgorithm"
-          },
-          "signatureDerBase64": {
-            "description": "ECDSA signature DER encoded as base64.",
-            "type": "string"
-          },
-          "signedPayloadBase64": {
-            "description": "Exact bytes signed by the device key, encoded as base64. Verifiers must verify this byte string directly and must not reserialize `payload`.",
-            "type": "string"
-          }
-        },
-        "required": [
-          "algorithm",
-          "signatureDerBase64",
-          "signedPayloadBase64"
-        ],
-        "title": "DeviceKeySignResponse",
-        "type": "object"
-      },
      "DynamicToolCallOutputContentItem": {
        "oneOf": [
          {
@@ -10244,6 +9912,11 @@
          "action": {
            "$ref": "#/definitions/v2/GuardianApprovalReviewAction"
          },
+          "completedAtMs": {
+            "description": "Unix timestamp (in milliseconds) when this review completed.",
+            "format": "int64",
+            "type": "integer"
+          },
          "decisionSource": {
            "$ref": "#/definitions/v2/AutoReviewDecisionSource"
          },
@@ -10254,6 +9927,11 @@
            "description": "Stable identifier for this review.",
            "type": "string"
          },
+          "startedAtMs": {
+            "description": "Unix timestamp (in milliseconds) when this review started.",
+            "format": "int64",
+            "type": "integer"
+          },
          "targetItemId": {
            "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
            "type": [
@@ -10270,9 +9948,11 @@
        },
        "required": [
          "action",
+          "completedAtMs",
          "decisionSource",
          "review",
          "reviewId",
+          "startedAtMs",
          "threadId",
          "turnId"
        ],
@@ -10293,6 +9973,11 @@
            "description": "Stable identifier for this review.",
            "type": "string"
          },
+          "startedAtMs": {
+            "description": "Unix timestamp (in milliseconds) when this review started.",
+            "format": "int64",
+            "type": "integer"
+          },
          "targetItemId": {
            "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
            "type": [
@@ -10311,6 +9996,7 @@
          "action",
          "review",
          "reviewId",
+          "startedAtMs",
          "threadId",
          "turnId"
        ],
@@ -11985,31 +11671,6 @@
          }
        ]
      },
-      "PermissionProfileModificationParams": {
-        "oneOf": [
-          {
-            "description": "Additional concrete directory that should be writable.",
-            "properties": {
-              "path": {
-                "$ref": "#/definitions/v2/AbsolutePathBuf"
-              },
-              "type": {
-                "enum": [
-                  "additionalWritableRoot"
-                ],
-                "title": "AdditionalWritableRootPermissionProfileModificationParamsType",
-                "type": "string"
-              }
-            },
-            "required": [
-              "path",
-              "type"
-            ],
-            "title": "AdditionalWritableRootPermissionProfileModificationParams",
-            "type": "object"
-          }
-        ]
-      },
      "PermissionProfileNetworkPermissions": {
        "properties": {
          "enabled": {
@@ -12024,20 +11685,11 @@
      "PermissionProfileSelectionParams": {
        "oneOf": [
          {
-            "description": "Select a named built-in or user-defined profile and optionally apply bounded modifications that Codex knows how to validate.",
+            "description": "Select a named built-in or user-defined profile. This updates profile identity metadata only; it does not replace the thread's effective permissions profile.",
            "properties": {
              "id": {
                "type": "string"
              },
-              "modifications": {
-                "items": {
-                  "$ref": "#/definitions/v2/PermissionProfileModificationParams"
-                },
-                "type": [
-                  "array",
-                  "null"
-                ]
-              },
              "type": {
                "enum": [
                  "profile"
@@ -12144,6 +11796,12 @@
              "null"
            ]
          },
+          "hooks": {
+            "items": {
+              "$ref": "#/definitions/v2/PluginHookSummary"
+            },
+            "type": "array"
+          },
          "marketplaceName": {
            "type": "string"
          },
@@ -12175,6 +11833,7 @@
        },
        "required": [
          "apps",
+          "hooks",
          "marketplaceName",
          "mcpServers",
          "skills",
@@ -12182,6 +11841,21 @@
        ],
        "type": "object"
      },
+      "PluginHookSummary": {
+        "properties": {
+          "eventName": {
+            "$ref": "#/definitions/v2/HookEventName"
+          },
+          "key": {
+            "type": "string"
+          }
+        },
+        "required": [
+          "eventName",
+          "key"
+        ],
+        "type": "object"
+      },
      "PluginInstallParams": {
        "$schema": "http://json-schema.org/draft-07/schema#",
        "properties": {
@@ -12531,6 +12205,21 @@
          },
          "remotePluginId": {
            "type": "string"
+          },
+          "shareTargets": {
+            "items": {
+              "$ref": "#/definitions/v2/PluginSharePrincipal"
+            },
+            "type": [
+              "array",
+              "null"
+            ]
+          },
+          "shareUrl": {
+            "type": [
+              "string",
+              "null"
+            ]
          }
        },
        "required": [
@@ -12707,9 +12396,19 @@
        ],
        "type": "object"
      },
+      "PluginShareUpdateDiscoverability": {
+        "enum": [
+          "UNLISTED",
+          "PRIVATE"
+        ],
+        "type": "string"
+      },
      "PluginShareUpdateTargetsParams": {
        "$schema": "http://json-schema.org/draft-07/schema#",
        "properties": {
+          "discoverability": {
+            "$ref": "#/definitions/v2/PluginShareUpdateDiscoverability"
+          },
          "remotePluginId": {
            "type": "string"
          },
@@ -12721,6 +12420,7 @@
          }
        },
        "required": [
+          "discoverability",
          "remotePluginId",
          "shareTargets"
        ],
@@ -12730,6 +12430,9 @@
      "PluginShareUpdateTargetsResponse": {
        "$schema": "http://json-schema.org/draft-07/schema#",
        "properties": {
+          "discoverability": {
+            "$ref": "#/definitions/v2/PluginShareDiscoverability"
+          },
          "principals": {
            "items": {
              "$ref": "#/definitions/v2/PluginSharePrincipal"
@@ -12738,6 +12441,7 @@
          }
        },
        "required": [
+          "discoverability",
          "principals"
        ],
        "title": "PluginShareUpdateTargetsResponse",
@@ -13573,20 +13277,6 @@
        "title": "ReasoningTextDeltaNotification",
        "type": "object"
      },
-      "RemoteControlClientConnectionAudience": {
-        "description": "Audience for a remote-control client connection device-key proof.",
-        "enum": [
-          "remote_control_client_websocket"
-        ],
-        "type": "string"
-      },
-      "RemoteControlClientEnrollmentAudience": {
-        "description": "Audience for a remote-control client enrollment device-key proof.",
-        "enum": [
-          "remote_control_client_enrollment"
-        ],
-        "type": "string"
-      },
      "RemoteControlConnectionStatus": {
        "enum": [
          "disabled",
@@ -13598,7 +13288,7 @@
      },
      "RemoteControlStatusChangedNotification": {
        "$schema": "http://json-schema.org/draft-07/schema#",
-        "description": "Current remote-control connection status and environment id exposed to clients.",
+        "description": "Current remote-control connection status and remote identity exposed to clients.",
        "properties": {
          "environmentId": {
            "type": [
@@ -13606,11 +13296,15 @@
              "null"
            ]
          },
+          "installationId": {
+            "type": "string"
+          },
          "status": {
            "$ref": "#/definitions/v2/RemoteControlConnectionStatus"
          }
        },
        "required": [
+          "installationId",
          "status"
        ],
        "title": "RemoteControlStatusChangedNotification",
@@ -14600,13 +14294,6 @@
                ],
                "title": "WorkspaceWriteSandboxPolicyType",
                "type": "string"
-              },
-              "writableRoots": {
-                "default": [],
-                "items": {
-                  "$ref": "#/definitions/v2/AbsolutePathBuf"
-                },
-                "type": "array"
              }
            },
            "required": [
@@ -15073,24 +14760,6 @@
        ],
        "type": "object"
      },
-      "SkillsListExtraRootsForCwd": {
-        "properties": {
-          "cwd": {
-            "type": "string"
-          },
-          "extraUserRoots": {
-            "items": {
-              "type": "string"
-            },
-            "type": "array"
-          }
-        },
-        "required": [
-          "cwd",
-          "extraUserRoots"
-        ],
-        "type": "object"
-      },
      "SkillsListParams": {
        "$schema": "http://json-schema.org/draft-07/schema#",
        "properties": {
@@ -15104,17 +14773,6 @@
          "forceReload": {
            "description": "When true, bypass the skills cache and re-scan skills from disk.",
            "type": "boolean"
-          },
-          "perCwdExtraUserRoots": {
-            "default": null,
-            "description": "Optional per-cwd extra roots to scan as user-scoped skills.",
-            "items": {
-              "$ref": "#/definitions/v2/SkillsListExtraRootsForCwd"
-            },
-            "type": [
-              "array",
-              "null"
-            ]
          }
        },
        "title": "SkillsListParams",
@@ -15623,7 +15281,8 @@
              {
                "type": "null"
              }
-            ]
+            ],
+            "description": "Deprecated for fork. The server rejects this field because the source permission profile value is preserved across fork."
          },
          "serviceTier": {
            "type": [
@@ -17126,7 +16785,8 @@
              {
                "type": "null"
              }
-            ]
+            ],
+            "description": "Deprecated for resume. The server rejects this field because the persisted permission profile value is preserved across resume."
          },
          "serviceTier": {
            "type": [
@@ -18168,7 +17828,7 @@
                "type": "null"
              }
            ],
-            "description": "Override the sandbox policy for this turn and subsequent turns."
+            "description": "Deprecated for turns. The server rejects this field because the thread permission profile value is not mutable through `turn/start`."
          },
          "serviceTier": {
            "description": "Override the service tier for this turn and subsequent turns.",
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json
@@ -143,14 +143,6 @@
        "id": {
          "description": "Identifier from `default_permissions` or the implicit built-in default, such as `:workspace` or a user-defined `[permissions.<id>]` profile.",
          "type": "string"
-        },
-        "modifications": {
-          "default": [],
-          "description": "Bounded user-requested modifications applied on top of the named profile, if any.",
-          "items": {
-            "$ref": "#/definitions/ActivePermissionProfileModification"
-          },
-          "type": "array"
        }
      },
      "required": [
@@ -158,31 +150,6 @@
      ],
      "type": "object"
    },
-    "ActivePermissionProfileModification": {
-      "oneOf": [
-        {
-          "description": "Additional concrete directory that should be writable.",
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "additionalWritableRoot"
-              ],
-              "title": "AdditionalWritableRootActivePermissionProfileModificationType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "AdditionalWritableRootActivePermissionProfileModification",
-          "type": "object"
-        }
-      ]
-    },
    "AddCreditsNudgeCreditType": {
      "enum": [
        "credits",
@@ -1665,78 +1632,6 @@
          "title": "App/listRequest",
          "type": "object"
        },
-        {
-          "properties": {
-            "id": {
-              "$ref": "#/definitions/RequestId"
-            },
-            "method": {
-              "enum": [
-                "device/key/create"
-              ],
-              "title": "Device/key/createRequestMethod",
-              "type": "string"
-            },
-            "params": {
-              "$ref": "#/definitions/DeviceKeyCreateParams"
-            }
-          },
-          "required": [
-            "id",
-            "method",
-            "params"
-          ],
-          "title": "Device/key/createRequest",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "id": {
-              "$ref": "#/definitions/RequestId"
-            },
-            "method": {
-              "enum": [
-                "device/key/public"
-              ],
-              "title": "Device/key/publicRequestMethod",
-              "type": "string"
-            },
-            "params": {
-              "$ref": "#/definitions/DeviceKeyPublicParams"
-            }
-          },
-          "required": [
-            "id",
-            "method",
-            "params"
-          ],
-          "title": "Device/key/publicRequest",
-          "type": "object"
-        },
-        {
-          "properties": {
-            "id": {
-              "$ref": "#/definitions/RequestId"
-            },
-            "method": {
-              "enum": [
-                "device/key/sign"
-              ],
-              "title": "Device/key/signRequestMethod",
-              "type": "string"
-            },
-            "params": {
-              "$ref": "#/definitions/DeviceKeySignParams"
-            }
-          },
-          "required": [
-            "id",
-            "method",
-            "params"
-          ],
-          "title": "Device/key/signRequest",
-          "type": "object"
-        },
        {
          "properties": {
            "id": {
@@ -4403,300 +4298,6 @@
      "title": "DeprecationNoticeNotification",
      "type": "object"
    },
-    "DeviceKeyAlgorithm": {
-      "description": "Device-key algorithm reported at enrollment and signing boundaries.",
-      "enum": [
-        "ecdsa_p256_sha256"
-      ],
-      "type": "string"
-    },
-    "DeviceKeyCreateParams": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "description": "Create a controller-local device key with a random key id.",
-      "properties": {
-        "accountUserId": {
-          "type": "string"
-        },
-        "clientId": {
-          "type": "string"
-        },
-        "protectionPolicy": {
-          "anyOf": [
-            {
-              "$ref": "#/definitions/DeviceKeyProtectionPolicy"
-            },
-            {
-              "type": "null"
-            }
-          ],
-          "description": "Defaults to `hardware_only` when omitted."
-        }
-      },
-      "required": [
-        "accountUserId",
-        "clientId"
-      ],
-      "title": "DeviceKeyCreateParams",
-      "type": "object"
-    },
-    "DeviceKeyCreateResponse": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "description": "Device-key metadata and public key returned by create/public APIs.",
-      "properties": {
-        "algorithm": {
-          "$ref": "#/definitions/DeviceKeyAlgorithm"
-        },
-        "keyId": {
-          "type": "string"
-        },
-        "protectionClass": {
-          "$ref": "#/definitions/DeviceKeyProtectionClass"
-        },
-        "publicKeySpkiDerBase64": {
-          "description": "SubjectPublicKeyInfo DER encoded as base64.",
-          "type": "string"
-        }
-      },
-      "required": [
-        "algorithm",
-        "keyId",
-        "protectionClass",
-        "publicKeySpkiDerBase64"
-      ],
-      "title": "DeviceKeyCreateResponse",
-      "type": "object"
-    },
-    "DeviceKeyProtectionClass": {
-      "description": "Platform protection class for a controller-local device key.",
-      "enum": [
-        "hardware_secure_enclave",
-        "hardware_tpm",
-        "os_protected_nonextractable"
-      ],
-      "type": "string"
-    },
-    "DeviceKeyProtectionPolicy": {
-      "description": "Protection policy for creating or loading a controller-local device key.",
-      "enum": [
-        "hardware_only",
-        "allow_os_protected_nonextractable"
-      ],
-      "type": "string"
-    },
-    "DeviceKeyPublicParams": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "description": "Fetch a controller-local device key public key by id.",
-      "properties": {
-        "keyId": {
-          "type": "string"
-        }
-      },
-      "required": [
-        "keyId"
-      ],
-      "title": "DeviceKeyPublicParams",
-      "type": "object"
-    },
-    "DeviceKeyPublicResponse": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "description": "Device-key public metadata returned by `device/key/public`.",
-      "properties": {
-        "algorithm": {
-          "$ref": "#/definitions/DeviceKeyAlgorithm"
-        },
-        "keyId": {
-          "type": "string"
-        },
-        "protectionClass": {
-          "$ref": "#/definitions/DeviceKeyProtectionClass"
-        },
-        "publicKeySpkiDerBase64": {
-          "description": "SubjectPublicKeyInfo DER encoded as base64.",
-          "type": "string"
-        }
-      },
-      "required": [
-        "algorithm",
-        "keyId",
-        "protectionClass",
-        "publicKeySpkiDerBase64"
-      ],
-      "title": "DeviceKeyPublicResponse",
-      "type": "object"
-    },
-    "DeviceKeySignParams": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "description": "Sign an accepted structured payload with a controller-local device key.",
-      "properties": {
-        "keyId": {
-          "type": "string"
-        },
-        "payload": {
-          "$ref": "#/definitions/DeviceKeySignPayload"
-        }
-      },
-      "required": [
-        "keyId",
-        "payload"
-      ],
-      "title": "DeviceKeySignParams",
-      "type": "object"
-    },
-    "DeviceKeySignPayload": {
-      "description": "Structured payloads accepted by `device/key/sign`.",
-      "oneOf": [
-        {
-          "description": "Payload bound to one remote-control controller websocket `/client` connection challenge.",
-          "properties": {
-            "accountUserId": {
-              "type": "string"
-            },
-            "audience": {
-              "$ref": "#/definitions/RemoteControlClientConnectionAudience"
-            },
-            "clientId": {
-              "type": "string"
-            },
-            "nonce": {
-              "type": "string"
-            },
-            "scopes": {
-              "description": "Must contain exactly `remote_control_controller_websocket`.",
-              "items": {
-                "type": "string"
-              },
-              "type": "array"
-            },
-            "sessionId": {
-              "description": "Backend-issued websocket session id that this proof authorizes.",
-              "type": "string"
-            },
-            "targetOrigin": {
-              "description": "Origin of the backend endpoint that issued the challenge and will verify this proof.",
-              "type": "string"
-            },
-            "targetPath": {
-              "description": "Websocket route path that this proof authorizes.",
-              "type": "string"
-            },
-            "tokenExpiresAt": {
-              "description": "Remote-control token expiration as Unix seconds.",
-              "format": "int64",
-              "type": "integer"
-            },
-            "tokenSha256Base64url": {
-              "description": "SHA-256 of the controller-scoped remote-control token, encoded as unpadded base64url.",
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "remoteControlClientConnection"
-              ],
-              "title": "RemoteControlClientConnectionDeviceKeySignPayloadType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "accountUserId",
-            "audience",
-            "clientId",
-            "nonce",
-            "scopes",
-            "sessionId",
-            "targetOrigin",
-            "targetPath",
-            "tokenExpiresAt",
-            "tokenSha256Base64url",
-            "type"
-          ],
-          "title": "RemoteControlClientConnectionDeviceKeySignPayload",
-          "type": "object"
-        },
-        {
-          "description": "Payload bound to a remote-control client `/client/enroll` ownership challenge.",
-          "properties": {
-            "accountUserId": {
-              "type": "string"
-            },
-            "audience": {
-              "$ref": "#/definitions/RemoteControlClientEnrollmentAudience"
-            },
-            "challengeExpiresAt": {
-              "description": "Enrollment challenge expiration as Unix seconds.",
-              "format": "int64",
-              "type": "integer"
-            },
-            "challengeId": {
-              "description": "Backend-issued enrollment challenge id that this proof authorizes.",
-              "type": "string"
-            },
-            "clientId": {
-              "type": "string"
-            },
-            "deviceIdentitySha256Base64url": {
-              "description": "SHA-256 of the requested device identity operation, encoded as unpadded base64url.",
-              "type": "string"
-            },
-            "nonce": {
-              "type": "string"
-            },
-            "targetOrigin": {
-              "description": "Origin of the backend endpoint that issued the challenge and will verify this proof.",
-              "type": "string"
-            },
-            "targetPath": {
-              "description": "HTTP route path that this proof authorizes.",
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "remoteControlClientEnrollment"
-              ],
-              "title": "RemoteControlClientEnrollmentDeviceKeySignPayloadType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "accountUserId",
-            "audience",
-            "challengeExpiresAt",
-            "challengeId",
-            "clientId",
-            "deviceIdentitySha256Base64url",
-            "nonce",
-            "targetOrigin",
-            "targetPath",
-            "type"
-          ],
-          "title": "RemoteControlClientEnrollmentDeviceKeySignPayload",
-          "type": "object"
-        }
-      ]
-    },
-    "DeviceKeySignResponse": {
-      "$schema": "http://json-schema.org/draft-07/schema#",
-      "description": "ASN.1 DER signature returned by `device/key/sign`.",
-      "properties": {
-        "algorithm": {
-          "$ref": "#/definitions/DeviceKeyAlgorithm"
-        },
-        "signatureDerBase64": {
-          "description": "ECDSA signature DER encoded as base64.",
-          "type": "string"
-        },
-        "signedPayloadBase64": {
-          "description": "Exact bytes signed by the device key, encoded as base64. Verifiers must verify this byte string directly and must not reserialize `payload`.",
-          "type": "string"
-        }
-      },
-      "required": [
-        "algorithm",
-        "signatureDerBase64",
-        "signedPayloadBase64"
-      ],
-      "title": "DeviceKeySignResponse",
-      "type": "object"
-    },
    "DynamicToolCallOutputContentItem": {
      "oneOf": [
        {
@@ -6775,6 +6376,11 @@
            "array",
            "null"
          ]
+        },
+        "requestAttestation": {
+          "default": false,
+          "description": "Opt into `attestation/generate` requests for upstream `x-oai-attestation`.",
+          "type": "boolean"
        }
      },
      "type": "object"
@@ -6855,6 +6461,11 @@
        "action": {
          "$ref": "#/definitions/GuardianApprovalReviewAction"
        },
+        "completedAtMs": {
+          "description": "Unix timestamp (in milliseconds) when this review completed.",
+          "format": "int64",
+          "type": "integer"
+        },
        "decisionSource": {
          "$ref": "#/definitions/AutoReviewDecisionSource"
        },
@@ -6865,6 +6476,11 @@
          "description": "Stable identifier for this review.",
          "type": "string"
        },
+        "startedAtMs": {
+          "description": "Unix timestamp (in milliseconds) when this review started.",
+          "format": "int64",
+          "type": "integer"
+        },
        "targetItemId": {
          "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
          "type": [
@@ -6881,9 +6497,11 @@
      },
      "required": [
        "action",
+        "completedAtMs",
        "decisionSource",
        "review",
        "reviewId",
+        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -6904,6 +6522,11 @@
          "description": "Stable identifier for this review.",
          "type": "string"
        },
+        "startedAtMs": {
+          "description": "Unix timestamp (in milliseconds) when this review started.",
+          "format": "int64",
+          "type": "integer"
+        },
        "targetItemId": {
          "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
          "type": [
@@ -6922,6 +6545,7 @@
        "action",
        "review",
        "reviewId",
+        "startedAtMs",
        "threadId",
        "turnId"
      ],
@@ -8596,31 +8220,6 @@
        }
      ]
    },
-    "PermissionProfileModificationParams": {
-      "oneOf": [
-        {
-          "description": "Additional concrete directory that should be writable.",
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "additionalWritableRoot"
-              ],
-              "title": "AdditionalWritableRootPermissionProfileModificationParamsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "AdditionalWritableRootPermissionProfileModificationParams",
-          "type": "object"
-        }
-      ]
-    },
    "PermissionProfileNetworkPermissions": {
      "properties": {
        "enabled": {
@@ -8635,20 +8234,11 @@
    "PermissionProfileSelectionParams": {
      "oneOf": [
        {
-          "description": "Select a named built-in or user-defined profile and optionally apply bounded modifications that Codex knows how to validate.",
+          "description": "Select a named built-in or user-defined profile. This updates profile identity metadata only; it does not replace the thread's effective permissions profile.",
          "properties": {
            "id": {
              "type": "string"
            },
-            "modifications": {
-              "items": {
-                "$ref": "#/definitions/PermissionProfileModificationParams"
-              },
-              "type": [
-                "array",
-                "null"
-              ]
-            },
            "type": {
              "enum": [
                "profile"
@@ -8755,6 +8345,12 @@
            "null"
          ]
        },
+        "hooks": {
+          "items": {
+            "$ref": "#/definitions/PluginHookSummary"
+          },
+          "type": "array"
+        },
        "marketplaceName": {
          "type": "string"
        },
@@ -8786,6 +8382,7 @@
      },
      "required": [
        "apps",
+        "hooks",
        "marketplaceName",
        "mcpServers",
        "skills",
@@ -8793,6 +8390,21 @@
      ],
      "type": "object"
    },
+    "PluginHookSummary": {
+      "properties": {
+        "eventName": {
+          "$ref": "#/definitions/HookEventName"
+        },
+        "key": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "eventName",
+        "key"
+      ],
+      "type": "object"
+    },
    "PluginInstallParams": {
      "$schema": "http://json-schema.org/draft-07/schema#",
      "properties": {
@@ -9142,6 +8754,21 @@
        },
        "remotePluginId": {
          "type": "string"
+        },
+        "shareTargets": {
+          "items": {
+            "$ref": "#/definitions/PluginSharePrincipal"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
+        },
+        "shareUrl": {
+          "type": [
+            "string",
+            "null"
+          ]
        }
      },
      "required": [
@@ -9318,9 +8945,19 @@
      ],
      "type": "object"
    },
+    "PluginShareUpdateDiscoverability": {
+      "enum": [
+        "UNLISTED",
+        "PRIVATE"
+      ],
+      "type": "string"
+    },
    "PluginShareUpdateTargetsParams": {
      "$schema": "http://json-schema.org/draft-07/schema#",
      "properties": {
+        "discoverability": {
+          "$ref": "#/definitions/PluginShareUpdateDiscoverability"
+        },
        "remotePluginId": {
          "type": "string"
        },
@@ -9332,6 +8969,7 @@
        }
      },
      "required": [
+        "discoverability",
        "remotePluginId",
        "shareTargets"
      ],
@@ -9341,6 +8979,9 @@
    "PluginShareUpdateTargetsResponse": {
      "$schema": "http://json-schema.org/draft-07/schema#",
      "properties": {
+        "discoverability": {
+          "$ref": "#/definitions/PluginShareDiscoverability"
+        },
        "principals": {
          "items": {
            "$ref": "#/definitions/PluginSharePrincipal"
@@ -9349,6 +8990,7 @@
        }
      },
      "required": [
+        "discoverability",
        "principals"
      ],
      "title": "PluginShareUpdateTargetsResponse",
@@ -10184,20 +9826,6 @@
      "title": "ReasoningTextDeltaNotification",
      "type": "object"
    },
-    "RemoteControlClientConnectionAudience": {
-      "description": "Audience for a remote-control client connection device-key proof.",
-      "enum": [
-        "remote_control_client_websocket"
-      ],
-      "type": "string"
-    },
-    "RemoteControlClientEnrollmentAudience": {
-      "description": "Audience for a remote-control client enrollment device-key proof.",
-      "enum": [
-        "remote_control_client_enrollment"
-      ],
-      "type": "string"
-    },
    "RemoteControlConnectionStatus": {
      "enum": [
        "disabled",
@@ -10209,7 +9837,7 @@
    },
    "RemoteControlStatusChangedNotification": {
      "$schema": "http://json-schema.org/draft-07/schema#",
-      "description": "Current remote-control connection status and environment id exposed to clients.",
+      "description": "Current remote-control connection status and remote identity exposed to clients.",
      "properties": {
        "environmentId": {
          "type": [
@@ -10217,11 +9845,15 @@
            "null"
          ]
        },
+        "installationId": {
+          "type": "string"
+        },
        "status": {
          "$ref": "#/definitions/RemoteControlConnectionStatus"
        }
      },
      "required": [
+        "installationId",
        "status"
      ],
      "title": "RemoteControlStatusChangedNotification",
@@ -11211,13 +10843,6 @@
              ],
              "title": "WorkspaceWriteSandboxPolicyType",
              "type": "string"
-            },
-            "writableRoots": {
-              "default": [],
-              "items": {
-                "$ref": "#/definitions/AbsolutePathBuf"
-              },
-              "type": "array"
            }
          },
          "required": [
@@ -12959,24 +12584,6 @@
      ],
      "type": "object"
    },
-    "SkillsListExtraRootsForCwd": {
-      "properties": {
-        "cwd": {
-          "type": "string"
-        },
-        "extraUserRoots": {
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        }
-      },
-      "required": [
-        "cwd",
-        "extraUserRoots"
-      ],
-      "type": "object"
-    },
    "SkillsListParams": {
      "$schema": "http://json-schema.org/draft-07/schema#",
      "properties": {
@@ -12990,17 +12597,6 @@
        "forceReload": {
          "description": "When true, bypass the skills cache and re-scan skills from disk.",
          "type": "boolean"
-        },
-        "perCwdExtraUserRoots": {
-          "default": null,
-          "description": "Optional per-cwd extra roots to scan as user-scoped skills.",
-          "items": {
-            "$ref": "#/definitions/SkillsListExtraRootsForCwd"
-          },
-          "type": [
-            "array",
-            "null"
-          ]
        }
      },
      "title": "SkillsListParams",
@@ -13509,7 +13105,8 @@
            {
              "type": "null"
            }
-          ]
+          ],
+          "description": "Deprecated for fork. The server rejects this field because the source permission profile value is preserved across fork."
        },
        "serviceTier": {
          "type": [
@@ -15012,7 +14609,8 @@
            {
              "type": "null"
            }
-          ]
+          ],
+          "description": "Deprecated for resume. The server rejects this field because the persisted permission profile value is preserved across resume."
        },
        "serviceTier": {
          "type": [
@@ -16054,7 +15652,7 @@
              "type": "null"
            }
          ],
-          "description": "Override the sandbox policy for this turn and subsequent turns."
+          "description": "Deprecated for turns. The server rejects this field because the thread permission profile value is not mutable through `turn/start`."
        },
        "serviceTier": {
          "description": "Override the service tier for this turn and subsequent turns.",
--- a/codex-rs/app-server-protocol/schema/json/v1/InitializeParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v1/InitializeParams.json
@@ -39,6 +39,11 @@
            "array",
            "null"
          ]
+        },
+        "requestAttestation": {
+          "default": false,
+          "description": "Opt into `attestation/generate` requests for upstream `x-oai-attestation`.",
+          "type": "boolean"
        }
      },
      "type": "object"
--- a/codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/CommandExecParams.json
@@ -441,13 +441,6 @@
              ],
              "title": "WorkspaceWriteSandboxPolicyType",
              "type": "string"
-            },
-            "writableRoots": {
-              "default": [],
-              "items": {
-                "$ref": "#/definitions/AbsolutePathBuf"
-              },
-              "type": "array"
            }
          },
          "required": [
--- a/codex-rs/app-server-protocol/schema/json/v2/DeviceKeyCreateParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/DeviceKeyCreateParams.json
@@ -1,39 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "DeviceKeyProtectionPolicy": {
-      "description": "Protection policy for creating or loading a controller-local device key.",
-      "enum": [
-        "hardware_only",
-        "allow_os_protected_nonextractable"
-      ],
-      "type": "string"
-    }
-  },
-  "description": "Create a controller-local device key with a random key id.",
-  "properties": {
-    "accountUserId": {
-      "type": "string"
-    },
-    "clientId": {
-      "type": "string"
-    },
-    "protectionPolicy": {
-      "anyOf": [
-        {
-          "$ref": "#/definitions/DeviceKeyProtectionPolicy"
-        },
-        {
-          "type": "null"
-        }
-      ],
-      "description": "Defaults to `hardware_only` when omitted."
-    }
-  },
-  "required": [
-    "accountUserId",
-    "clientId"
-  ],
-  "title": "DeviceKeyCreateParams",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/DeviceKeyCreateResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/DeviceKeyCreateResponse.json
@@ -1,45 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "DeviceKeyAlgorithm": {
-      "description": "Device-key algorithm reported at enrollment and signing boundaries.",
-      "enum": [
-        "ecdsa_p256_sha256"
-      ],
-      "type": "string"
-    },
-    "DeviceKeyProtectionClass": {
-      "description": "Platform protection class for a controller-local device key.",
-      "enum": [
-        "hardware_secure_enclave",
-        "hardware_tpm",
-        "os_protected_nonextractable"
-      ],
-      "type": "string"
-    }
-  },
-  "description": "Device-key metadata and public key returned by create/public APIs.",
-  "properties": {
-    "algorithm": {
-      "$ref": "#/definitions/DeviceKeyAlgorithm"
-    },
-    "keyId": {
-      "type": "string"
-    },
-    "protectionClass": {
-      "$ref": "#/definitions/DeviceKeyProtectionClass"
-    },
-    "publicKeySpkiDerBase64": {
-      "description": "SubjectPublicKeyInfo DER encoded as base64.",
-      "type": "string"
-    }
-  },
-  "required": [
-    "algorithm",
-    "keyId",
-    "protectionClass",
-    "publicKeySpkiDerBase64"
-  ],
-  "title": "DeviceKeyCreateResponse",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/DeviceKeyPublicResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/DeviceKeyPublicResponse.json
@@ -1,45 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "DeviceKeyAlgorithm": {
-      "description": "Device-key algorithm reported at enrollment and signing boundaries.",
-      "enum": [
-        "ecdsa_p256_sha256"
-      ],
-      "type": "string"
-    },
-    "DeviceKeyProtectionClass": {
-      "description": "Platform protection class for a controller-local device key.",
-      "enum": [
-        "hardware_secure_enclave",
-        "hardware_tpm",
-        "os_protected_nonextractable"
-      ],
-      "type": "string"
-    }
-  },
-  "description": "Device-key public metadata returned by `device/key/public`.",
-  "properties": {
-    "algorithm": {
-      "$ref": "#/definitions/DeviceKeyAlgorithm"
-    },
-    "keyId": {
-      "type": "string"
-    },
-    "protectionClass": {
-      "$ref": "#/definitions/DeviceKeyProtectionClass"
-    },
-    "publicKeySpkiDerBase64": {
-      "description": "SubjectPublicKeyInfo DER encoded as base64.",
-      "type": "string"
-    }
-  },
-  "required": [
-    "algorithm",
-    "keyId",
-    "protectionClass",
-    "publicKeySpkiDerBase64"
-  ],
-  "title": "DeviceKeyPublicResponse",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/DeviceKeySignParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/DeviceKeySignParams.json
@@ -1,165 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "DeviceKeySignPayload": {
-      "description": "Structured payloads accepted by `device/key/sign`.",
-      "oneOf": [
-        {
-          "description": "Payload bound to one remote-control controller websocket `/client` connection challenge.",
-          "properties": {
-            "accountUserId": {
-              "type": "string"
-            },
-            "audience": {
-              "$ref": "#/definitions/RemoteControlClientConnectionAudience"
-            },
-            "clientId": {
-              "type": "string"
-            },
-            "nonce": {
-              "type": "string"
-            },
-            "scopes": {
-              "description": "Must contain exactly `remote_control_controller_websocket`.",
-              "items": {
-                "type": "string"
-              },
-              "type": "array"
-            },
-            "sessionId": {
-              "description": "Backend-issued websocket session id that this proof authorizes.",
-              "type": "string"
-            },
-            "targetOrigin": {
-              "description": "Origin of the backend endpoint that issued the challenge and will verify this proof.",
-              "type": "string"
-            },
-            "targetPath": {
-              "description": "Websocket route path that this proof authorizes.",
-              "type": "string"
-            },
-            "tokenExpiresAt": {
-              "description": "Remote-control token expiration as Unix seconds.",
-              "format": "int64",
-              "type": "integer"
-            },
-            "tokenSha256Base64url": {
-              "description": "SHA-256 of the controller-scoped remote-control token, encoded as unpadded base64url.",
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "remoteControlClientConnection"
-              ],
-              "title": "RemoteControlClientConnectionDeviceKeySignPayloadType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "accountUserId",
-            "audience",
-            "clientId",
-            "nonce",
-            "scopes",
-            "sessionId",
-            "targetOrigin",
-            "targetPath",
-            "tokenExpiresAt",
-            "tokenSha256Base64url",
-            "type"
-          ],
-          "title": "RemoteControlClientConnectionDeviceKeySignPayload",
-          "type": "object"
-        },
-        {
-          "description": "Payload bound to a remote-control client `/client/enroll` ownership challenge.",
-          "properties": {
-            "accountUserId": {
-              "type": "string"
-            },
-            "audience": {
-              "$ref": "#/definitions/RemoteControlClientEnrollmentAudience"
-            },
-            "challengeExpiresAt": {
-              "description": "Enrollment challenge expiration as Unix seconds.",
-              "format": "int64",
-              "type": "integer"
-            },
-            "challengeId": {
-              "description": "Backend-issued enrollment challenge id that this proof authorizes.",
-              "type": "string"
-            },
-            "clientId": {
-              "type": "string"
-            },
-            "deviceIdentitySha256Base64url": {
-              "description": "SHA-256 of the requested device identity operation, encoded as unpadded base64url.",
-              "type": "string"
-            },
-            "nonce": {
-              "type": "string"
-            },
-            "targetOrigin": {
-              "description": "Origin of the backend endpoint that issued the challenge and will verify this proof.",
-              "type": "string"
-            },
-            "targetPath": {
-              "description": "HTTP route path that this proof authorizes.",
-              "type": "string"
-            },
-            "type": {
-              "enum": [
-                "remoteControlClientEnrollment"
-              ],
-              "title": "RemoteControlClientEnrollmentDeviceKeySignPayloadType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "accountUserId",
-            "audience",
-            "challengeExpiresAt",
-            "challengeId",
-            "clientId",
-            "deviceIdentitySha256Base64url",
-            "nonce",
-            "targetOrigin",
-            "targetPath",
-            "type"
-          ],
-          "title": "RemoteControlClientEnrollmentDeviceKeySignPayload",
-          "type": "object"
-        }
-      ]
-    },
-    "RemoteControlClientConnectionAudience": {
-      "description": "Audience for a remote-control client connection device-key proof.",
-      "enum": [
-        "remote_control_client_websocket"
-      ],
-      "type": "string"
-    },
-    "RemoteControlClientEnrollmentAudience": {
-      "description": "Audience for a remote-control client enrollment device-key proof.",
-      "enum": [
-        "remote_control_client_enrollment"
-      ],
-      "type": "string"
-    }
-  },
-  "description": "Sign an accepted structured payload with a controller-local device key.",
-  "properties": {
-    "keyId": {
-      "type": "string"
-    },
-    "payload": {
-      "$ref": "#/definitions/DeviceKeySignPayload"
-    }
-  },
-  "required": [
-    "keyId",
-    "payload"
-  ],
-  "title": "DeviceKeySignParams",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/DeviceKeySignResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/DeviceKeySignResponse.json
@@ -1,33 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "DeviceKeyAlgorithm": {
-      "description": "Device-key algorithm reported at enrollment and signing boundaries.",
-      "enum": [
-        "ecdsa_p256_sha256"
-      ],
-      "type": "string"
-    }
-  },
-  "description": "ASN.1 DER signature returned by `device/key/sign`.",
-  "properties": {
-    "algorithm": {
-      "$ref": "#/definitions/DeviceKeyAlgorithm"
-    },
-    "signatureDerBase64": {
-      "description": "ECDSA signature DER encoded as base64.",
-      "type": "string"
-    },
-    "signedPayloadBase64": {
-      "description": "Exact bytes signed by the device key, encoded as base64. Verifiers must verify this byte string directly and must not reserialize `payload`.",
-      "type": "string"
-    }
-  },
-  "required": [
-    "algorithm",
-    "signatureDerBase64",
-    "signedPayloadBase64"
-  ],
-  "title": "DeviceKeySignResponse",
-  "type": "object"
-}
--- a/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewCompletedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewCompletedNotification.json
@@ -574,6 +574,11 @@
    "action": {
      "$ref": "#/definitions/GuardianApprovalReviewAction"
    },
+    "completedAtMs": {
+      "description": "Unix timestamp (in milliseconds) when this review completed.",
+      "format": "int64",
+      "type": "integer"
+    },
    "decisionSource": {
      "$ref": "#/definitions/AutoReviewDecisionSource"
    },
@@ -584,6 +589,11 @@
      "description": "Stable identifier for this review.",
      "type": "string"
    },
+    "startedAtMs": {
+      "description": "Unix timestamp (in milliseconds) when this review started.",
+      "format": "int64",
+      "type": "integer"
+    },
    "targetItemId": {
      "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
      "type": [
@@ -600,9 +610,11 @@
  },
  "required": [
    "action",
+    "completedAtMs",
    "decisionSource",
    "review",
    "reviewId",
+    "startedAtMs",
    "threadId",
    "turnId"
  ],
--- a/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewStartedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ItemGuardianApprovalReviewStartedNotification.json
@@ -574,6 +574,11 @@
      "description": "Stable identifier for this review.",
      "type": "string"
    },
+    "startedAtMs": {
+      "description": "Unix timestamp (in milliseconds) when this review started.",
+      "format": "int64",
+      "type": "integer"
+    },
    "targetItemId": {
      "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
      "type": [
@@ -592,6 +597,7 @@
    "action",
    "review",
    "reviewId",
+    "startedAtMs",
    "threadId",
    "turnId"
  ],
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginListResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginListResponse.json
@@ -248,6 +248,21 @@
        },
        "remotePluginId": {
          "type": "string"
+        },
+        "shareTargets": {
+          "items": {
+            "$ref": "#/definitions/PluginSharePrincipal"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
+        },
+        "shareUrl": {
+          "type": [
+            "string",
+            "null"
+          ]
        }
      },
      "required": [
@@ -255,6 +270,33 @@
      ],
      "type": "object"
    },
+    "PluginSharePrincipal": {
+      "properties": {
+        "name": {
+          "type": "string"
+        },
+        "principalId": {
+          "type": "string"
+        },
+        "principalType": {
+          "$ref": "#/definitions/PluginSharePrincipalType"
+        }
+      },
+      "required": [
+        "name",
+        "principalId",
+        "principalType"
+      ],
+      "type": "object"
+    },
+    "PluginSharePrincipalType": {
+      "enum": [
+        "user",
+        "group",
+        "workspace"
+      ],
+      "type": "string"
+    },
    "PluginSource": {
      "oneOf": [
        {
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginReadResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginReadResponse.json
@@ -37,6 +37,19 @@
      ],
      "type": "object"
    },
+    "HookEventName": {
+      "enum": [
+        "preToolUse",
+        "permissionRequest",
+        "postToolUse",
+        "preCompact",
+        "postCompact",
+        "sessionStart",
+        "userPromptSubmit",
+        "stop"
+      ],
+      "type": "string"
+    },
    "PluginAuthPolicy": {
      "enum": [
        "ON_INSTALL",
@@ -75,6 +88,12 @@
            "null"
          ]
        },
+        "hooks": {
+          "items": {
+            "$ref": "#/definitions/PluginHookSummary"
+          },
+          "type": "array"
+        },
        "marketplaceName": {
          "type": "string"
        },
@@ -106,6 +125,7 @@
      },
      "required": [
        "apps",
+        "hooks",
        "marketplaceName",
        "mcpServers",
        "skills",
@@ -113,6 +133,21 @@
      ],
      "type": "object"
    },
+    "PluginHookSummary": {
+      "properties": {
+        "eventName": {
+          "$ref": "#/definitions/HookEventName"
+        },
+        "key": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "eventName",
+        "key"
+      ],
+      "type": "object"
+    },
    "PluginInstallPolicy": {
      "enum": [
        "NOT_AVAILABLE",
@@ -267,6 +302,21 @@
        },
        "remotePluginId": {
          "type": "string"
+        },
+        "shareTargets": {
+          "items": {
+            "$ref": "#/definitions/PluginSharePrincipal"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
+        },
+        "shareUrl": {
+          "type": [
+            "string",
+            "null"
+          ]
        }
      },
      "required": [
@@ -274,6 +324,33 @@
      ],
      "type": "object"
    },
+    "PluginSharePrincipal": {
+      "properties": {
+        "name": {
+          "type": "string"
+        },
+        "principalId": {
+          "type": "string"
+        },
+        "principalType": {
+          "$ref": "#/definitions/PluginSharePrincipalType"
+        }
+      },
+      "required": [
+        "name",
+        "principalId",
+        "principalType"
+      ],
+      "type": "object"
+    },
+    "PluginSharePrincipalType": {
+      "enum": [
+        "user",
+        "group",
+        "workspace"
+      ],
+      "type": "string"
+    },
    "PluginSource": {
      "oneOf": [
        {
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginShareListResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginShareListResponse.json
@@ -183,6 +183,21 @@
        },
        "remotePluginId": {
          "type": "string"
+        },
+        "shareTargets": {
+          "items": {
+            "$ref": "#/definitions/PluginSharePrincipal"
+          },
+          "type": [
+            "array",
+            "null"
+          ]
+        },
+        "shareUrl": {
+          "type": [
+            "string",
+            "null"
+          ]
        }
      },
      "required": [
@@ -215,6 +230,33 @@
      ],
      "type": "object"
    },
+    "PluginSharePrincipal": {
+      "properties": {
+        "name": {
+          "type": "string"
+        },
+        "principalId": {
+          "type": "string"
+        },
+        "principalType": {
+          "$ref": "#/definitions/PluginSharePrincipalType"
+        }
+      },
+      "required": [
+        "name",
+        "principalId",
+        "principalType"
+      ],
+      "type": "object"
+    },
+    "PluginSharePrincipalType": {
+      "enum": [
+        "user",
+        "group",
+        "workspace"
+      ],
+      "type": "string"
+    },
    "PluginSource": {
      "oneOf": [
        {
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginShareUpdateTargetsParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginShareUpdateTargetsParams.json
@@ -23,9 +23,19 @@
        "principalType"
      ],
      "type": "object"
+    },
+    "PluginShareUpdateDiscoverability": {
+      "enum": [
+        "UNLISTED",
+        "PRIVATE"
+      ],
+      "type": "string"
    }
  },
  "properties": {
+    "discoverability": {
+      "$ref": "#/definitions/PluginShareUpdateDiscoverability"
+    },
    "remotePluginId": {
      "type": "string"
    },
@@ -37,6 +47,7 @@
    }
  },
  "required": [
+    "discoverability",
    "remotePluginId",
    "shareTargets"
  ],
--- a/codex-rs/app-server-protocol/schema/json/v2/PluginShareUpdateTargetsResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/PluginShareUpdateTargetsResponse.json
@@ -1,6 +1,14 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "definitions": {
+    "PluginShareDiscoverability": {
+      "enum": [
+        "LISTED",
+        "UNLISTED",
+        "PRIVATE"
+      ],
+      "type": "string"
+    },
    "PluginSharePrincipal": {
      "properties": {
        "name": {
@@ -30,6 +38,9 @@
    }
  },
  "properties": {
+    "discoverability": {
+      "$ref": "#/definitions/PluginShareDiscoverability"
+    },
    "principals": {
      "items": {
        "$ref": "#/definitions/PluginSharePrincipal"
@@ -38,6 +49,7 @@
    }
  },
  "required": [
+    "discoverability",
    "principals"
  ],
  "title": "PluginShareUpdateTargetsResponse",
--- a/codex-rs/app-server-protocol/schema/json/v2/RemoteControlStatusChangedNotification.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/RemoteControlStatusChangedNotification.json
@@ -11,7 +11,7 @@
      "type": "string"
    }
  },
-  "description": "Current remote-control connection status and environment id exposed to clients.",
+  "description": "Current remote-control connection status and remote identity exposed to clients.",
  "properties": {
    "environmentId": {
      "type": [
@@ -19,11 +19,15 @@
        "null"
      ]
    },
+    "installationId": {
+      "type": "string"
+    },
    "status": {
      "$ref": "#/definitions/RemoteControlConnectionStatus"
    }
  },
  "required": [
+    "installationId",
    "status"
  ],
  "title": "RemoteControlStatusChangedNotification",
--- a/codex-rs/app-server-protocol/schema/json/v2/SkillsListParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/SkillsListParams.json
@@ -1,25 +1,5 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
-  "definitions": {
-    "SkillsListExtraRootsForCwd": {
-      "properties": {
-        "cwd": {
-          "type": "string"
-        },
-        "extraUserRoots": {
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        }
-      },
-      "required": [
-        "cwd",
-        "extraUserRoots"
-      ],
-      "type": "object"
-    }
-  },
  "properties": {
    "cwds": {
      "description": "When empty, defaults to the current session working directory.",
@@ -31,17 +11,6 @@
    "forceReload": {
      "description": "When true, bypass the skills cache and re-scan skills from disk.",
      "type": "boolean"
-    },
-    "perCwdExtraUserRoots": {
-      "default": null,
-      "description": "Optional per-cwd extra roots to scan as user-scoped skills.",
-      "items": {
-        "$ref": "#/definitions/SkillsListExtraRootsForCwd"
-      },
-      "type": [
-        "array",
-        "null"
-      ]
    }
  },
  "title": "SkillsListParams",
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadForkParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadForkParams.json
@@ -64,48 +64,14 @@
        }
      ]
    },
-    "PermissionProfileModificationParams": {
-      "oneOf": [
-        {
-          "description": "Additional concrete directory that should be writable.",
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "additionalWritableRoot"
-              ],
-              "title": "AdditionalWritableRootPermissionProfileModificationParamsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "AdditionalWritableRootPermissionProfileModificationParams",
-          "type": "object"
-        }
-      ]
-    },
    "PermissionProfileSelectionParams": {
      "oneOf": [
        {
-          "description": "Select a named built-in or user-defined profile and optionally apply bounded modifications that Codex knows how to validate.",
+          "description": "Select a named built-in or user-defined profile. This updates profile identity metadata only; it does not replace the thread's effective permissions profile.",
          "properties": {
            "id": {
              "type": "string"
            },
-            "modifications": {
-              "items": {
-                "$ref": "#/definitions/PermissionProfileModificationParams"
-              },
-              "type": [
-                "array",
-                "null"
-              ]
-            },
            "type": {
              "enum": [
                "profile"
@@ -212,7 +178,8 @@
        {
          "type": "null"
        }
-      ]
+      ],
+      "description": "Deprecated for fork. The server rejects this field because the source permission profile value is preserved across fork."
    },
    "serviceTier": {
      "type": [
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadForkResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadForkResponse.json
@@ -18,14 +18,6 @@
        "id": {
          "description": "Identifier from `default_permissions` or the implicit built-in default, such as `:workspace` or a user-defined `[permissions.<id>]` profile.",
          "type": "string"
-        },
-        "modifications": {
-          "default": [],
-          "description": "Bounded user-requested modifications applied on top of the named profile, if any.",
-          "items": {
-            "$ref": "#/definitions/ActivePermissionProfileModification"
-          },
-          "type": "array"
        }
      },
      "required": [
@@ -33,31 +25,6 @@
      ],
      "type": "object"
    },
-    "ActivePermissionProfileModification": {
-      "oneOf": [
-        {
-          "description": "Additional concrete directory that should be writable.",
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "additionalWritableRoot"
-              ],
-              "title": "AdditionalWritableRootActivePermissionProfileModificationType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "AdditionalWritableRootActivePermissionProfileModification",
-          "type": "object"
-        }
-      ]
-    },
    "AgentPath": {
      "type": "string"
    },
@@ -1160,13 +1127,6 @@
              ],
              "title": "WorkspaceWriteSandboxPolicyType",
              "type": "string"
-            },
-            "writableRoots": {
-              "default": [],
-              "items": {
-                "$ref": "#/definitions/AbsolutePathBuf"
-              },
-              "type": "array"
            }
          },
          "required": [
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeParams.json
@@ -298,48 +298,14 @@
        }
      ]
    },
-    "PermissionProfileModificationParams": {
-      "oneOf": [
-        {
-          "description": "Additional concrete directory that should be writable.",
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "additionalWritableRoot"
-              ],
-              "title": "AdditionalWritableRootPermissionProfileModificationParamsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "AdditionalWritableRootPermissionProfileModificationParams",
-          "type": "object"
-        }
-      ]
-    },
    "PermissionProfileSelectionParams": {
      "oneOf": [
        {
-          "description": "Select a named built-in or user-defined profile and optionally apply bounded modifications that Codex knows how to validate.",
+          "description": "Select a named built-in or user-defined profile. This updates profile identity metadata only; it does not replace the thread's effective permissions profile.",
          "properties": {
            "id": {
              "type": "string"
            },
-            "modifications": {
-              "items": {
-                "$ref": "#/definitions/PermissionProfileModificationParams"
-              },
-              "type": [
-                "array",
-                "null"
-              ]
-            },
            "type": {
              "enum": [
                "profile"
@@ -1091,7 +1057,8 @@
        {
          "type": "null"
        }
-      ]
+      ],
+      "description": "Deprecated for resume. The server rejects this field because the persisted permission profile value is preserved across resume."
    },
    "serviceTier": {
      "type": [
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadResumeResponse.json
@@ -18,14 +18,6 @@
        "id": {
          "description": "Identifier from `default_permissions` or the implicit built-in default, such as `:workspace` or a user-defined `[permissions.<id>]` profile.",
          "type": "string"
-        },
-        "modifications": {
-          "default": [],
-          "description": "Bounded user-requested modifications applied on top of the named profile, if any.",
-          "items": {
-            "$ref": "#/definitions/ActivePermissionProfileModification"
-          },
-          "type": "array"
        }
      },
      "required": [
@@ -33,31 +25,6 @@
      ],
      "type": "object"
    },
-    "ActivePermissionProfileModification": {
-      "oneOf": [
-        {
-          "description": "Additional concrete directory that should be writable.",
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "additionalWritableRoot"
-              ],
-              "title": "AdditionalWritableRootActivePermissionProfileModificationType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "AdditionalWritableRootActivePermissionProfileModification",
-          "type": "object"
-        }
-      ]
-    },
    "AgentPath": {
      "type": "string"
    },
@@ -1160,13 +1127,6 @@
              ],
              "title": "WorkspaceWriteSandboxPolicyType",
              "type": "string"
-            },
-            "writableRoots": {
-              "default": [],
-              "items": {
-                "$ref": "#/definitions/AbsolutePathBuf"
-              },
-              "type": "array"
            }
          },
          "required": [
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadStartParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadStartParams.json
@@ -90,48 +90,14 @@
      ],
      "type": "object"
    },
-    "PermissionProfileModificationParams": {
-      "oneOf": [
-        {
-          "description": "Additional concrete directory that should be writable.",
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "additionalWritableRoot"
-              ],
-              "title": "AdditionalWritableRootPermissionProfileModificationParamsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "AdditionalWritableRootPermissionProfileModificationParams",
-          "type": "object"
-        }
-      ]
-    },
    "PermissionProfileSelectionParams": {
      "oneOf": [
        {
-          "description": "Select a named built-in or user-defined profile and optionally apply bounded modifications that Codex knows how to validate.",
+          "description": "Select a named built-in or user-defined profile. This updates profile identity metadata only; it does not replace the thread's effective permissions profile.",
          "properties": {
            "id": {
              "type": "string"
            },
-            "modifications": {
-              "items": {
-                "$ref": "#/definitions/PermissionProfileModificationParams"
-              },
-              "type": [
-                "array",
-                "null"
-              ]
-            },
            "type": {
              "enum": [
                "profile"
--- a/codex-rs/app-server-protocol/schema/json/v2/ThreadStartResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/ThreadStartResponse.json
@@ -18,14 +18,6 @@
        "id": {
          "description": "Identifier from `default_permissions` or the implicit built-in default, such as `:workspace` or a user-defined `[permissions.<id>]` profile.",
          "type": "string"
-        },
-        "modifications": {
-          "default": [],
-          "description": "Bounded user-requested modifications applied on top of the named profile, if any.",
-          "items": {
-            "$ref": "#/definitions/ActivePermissionProfileModification"
-          },
-          "type": "array"
        }
      },
      "required": [
@@ -33,31 +25,6 @@
      ],
      "type": "object"
    },
-    "ActivePermissionProfileModification": {
-      "oneOf": [
-        {
-          "description": "Additional concrete directory that should be writable.",
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "additionalWritableRoot"
-              ],
-              "title": "AdditionalWritableRootActivePermissionProfileModificationType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "AdditionalWritableRootActivePermissionProfileModification",
-          "type": "object"
-        }
-      ]
-    },
    "AgentPath": {
      "type": "string"
    },
@@ -1160,13 +1127,6 @@
              ],
              "title": "WorkspaceWriteSandboxPolicyType",
              "type": "string"
-            },
-            "writableRoots": {
-              "default": [],
-              "items": {
-                "$ref": "#/definitions/AbsolutePathBuf"
-              },
-              "type": "array"
            }
          },
          "required": [
--- a/codex-rs/app-server-protocol/schema/json/v2/TurnStartParams.json
+++ b/codex-rs/app-server-protocol/schema/json/v2/TurnStartParams.json
@@ -114,48 +114,14 @@
      ],
      "type": "string"
    },
-    "PermissionProfileModificationParams": {
-      "oneOf": [
-        {
-          "description": "Additional concrete directory that should be writable.",
-          "properties": {
-            "path": {
-              "$ref": "#/definitions/AbsolutePathBuf"
-            },
-            "type": {
-              "enum": [
-                "additionalWritableRoot"
-              ],
-              "title": "AdditionalWritableRootPermissionProfileModificationParamsType",
-              "type": "string"
-            }
-          },
-          "required": [
-            "path",
-            "type"
-          ],
-          "title": "AdditionalWritableRootPermissionProfileModificationParams",
-          "type": "object"
-        }
-      ]
-    },
    "PermissionProfileSelectionParams": {
      "oneOf": [
        {
-          "description": "Select a named built-in or user-defined profile and optionally apply bounded modifications that Codex knows how to validate.",
+          "description": "Select a named built-in or user-defined profile. This updates profile identity metadata only; it does not replace the thread's effective permissions profile.",
          "properties": {
            "id": {
              "type": "string"
            },
-            "modifications": {
-              "items": {
-                "$ref": "#/definitions/PermissionProfileModificationParams"
-              },
-              "type": [
-                "array",
-                "null"
-              ]
-            },
            "type": {
              "enum": [
                "profile"
@@ -295,13 +261,6 @@
              ],
              "title": "WorkspaceWriteSandboxPolicyType",
              "type": "string"
-            },
-            "writableRoots": {
-              "default": [],
-              "items": {
-                "$ref": "#/definitions/AbsolutePathBuf"
-              },
-              "type": "array"
            }
          },
          "required": [
@@ -576,7 +535,7 @@
          "type": "null"
        }
      ],
-      "description": "Override the sandbox policy for this turn and subsequent turns."
+      "description": "Deprecated for turns. The server rejects this field because the thread permission profile value is not mutable through `turn/start`."
    },
    "serviceTier": {
      "description": "Override the service tier for this turn and subsequent turns.",
--- a/codex-rs/app-server-protocol/schema/typescript/ClientRequest.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ClientRequest.ts
--- a/codex-rs/app-server-protocol/schema/typescript/InitializeCapabilities.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/InitializeCapabilities.ts
@@ -10,6 +10,10 @@ export type InitializeCapabilities = {
 * Opt into receiving experimental API methods and fields.
 */
 experimentalApi: boolean,
+/**
+ * Opt into `attestation/generate` requests for upstream `x-oai-attestation`.
+ */
+requestAttestation: boolean,
 /**
 * Exact notification method names that should be suppressed for this
 * connection (for example `thread/started`).
--- a/codex-rs/app-server-protocol/schema/typescript/ServerRequest.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/ServerRequest.ts
@@ -4,6 +4,7 @@
 import type { ApplyPatchApprovalParams } from "./ApplyPatchApprovalParams";
 import type { ExecCommandApprovalParams } from "./ExecCommandApprovalParams";
 import type { RequestId } from "./RequestId";
+import type { AttestationGenerateParams } from "./v2/AttestationGenerateParams";
 import type { ChatgptAuthTokensRefreshParams } from "./v2/ChatgptAuthTokensRefreshParams";
 import type { CommandExecutionRequestApprovalParams } from "./v2/CommandExecutionRequestApprovalParams";
 import type { DynamicToolCallParams } from "./v2/DynamicToolCallParams";
@@ -15,4 +16,4 @@ import type { ToolRequestUserInputParams } from "./v2/ToolRequestUserInputParams
 /**
 * Request initiated from the server and sent to the client.
 */
-export type ServerRequest = { "method": "item/commandExecution/requestApproval", id: RequestId, params: CommandExecutionRequestApprovalParams, } | { "method": "item/fileChange/requestApproval", id: RequestId, params: FileChangeRequestApprovalParams, } | { "method": "item/tool/requestUserInput", id: RequestId, params: ToolRequestUserInputParams, } | { "method": "mcpServer/elicitation/request", id: RequestId, params: McpServerElicitationRequestParams, } | { "method": "item/permissions/requestApproval", id: RequestId, params: PermissionsRequestApprovalParams, } | { "method": "item/tool/call", id: RequestId, params: DynamicToolCallParams, } | { "method": "account/chatgptAuthTokens/refresh", id: RequestId, params: ChatgptAuthTokensRefreshParams, } | { "method": "applyPatchApproval", id: RequestId, params: ApplyPatchApprovalParams, } | { "method": "execCommandApproval", id: RequestId, params: ExecCommandApprovalParams, };
+export type ServerRequest = { "method": "item/commandExecution/requestApproval", id: RequestId, params: CommandExecutionRequestApprovalParams, } | { "method": "item/fileChange/requestApproval", id: RequestId, params: FileChangeRequestApprovalParams, } | { "method": "item/tool/requestUserInput", id: RequestId, params: ToolRequestUserInputParams, } | { "method": "mcpServer/elicitation/request", id: RequestId, params: McpServerElicitationRequestParams, } | { "method": "item/permissions/requestApproval", id: RequestId, params: PermissionsRequestApprovalParams, } | { "method": "item/tool/call", id: RequestId, params: DynamicToolCallParams, } | { "method": "account/chatgptAuthTokens/refresh", id: RequestId, params: ChatgptAuthTokensRefreshParams, } | { "method": "attestation/generate", id: RequestId, params: AttestationGenerateParams, } | { "method": "applyPatchApproval", id: RequestId, params: ApplyPatchApprovalParams, } | { "method": "execCommandApproval", id: RequestId, params: ExecCommandApprovalParams, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ActivePermissionProfile.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ActivePermissionProfile.ts
@@ -1,7 +1,6 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { ActivePermissionProfileModification } from "./ActivePermissionProfileModification";

 export type ActivePermissionProfile = {
 /**
@@ -13,9 +12,4 @@ id: string,
 * Parent profile identifier once permissions profiles support
 * inheritance. This is currently always `null`.
 */
-extends: string | null,
-/**
- * Bounded user-requested modifications applied on top of the named
- * profile, if any.
- */
-modifications: Array<ActivePermissionProfileModification>, };
+extends: string | null, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ActivePermissionProfileModification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ActivePermissionProfileModification.ts
@@ -1,6 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { AbsolutePathBuf } from "../AbsolutePathBuf";
-
-export type ActivePermissionProfileModification = { "type": "additionalWritableRoot", path: AbsolutePathBuf, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/SkillsListExtraRootsForCwd.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/SkillsListExtraRootsForCwd.ts
@@ -2,4 +2,4 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.

-export type SkillsListExtraRootsForCwd = { cwd: string, extraUserRoots: Array<string>, };
+export type AttestationGenerateParams = Record<string, never>;
--- a/codex-rs/app-server-protocol/schema/typescript/v2/AttestationGenerateResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/AttestationGenerateResponse.ts
@@ -2,7 +2,8 @@

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.

+export type AttestationGenerateResponse = {
 /**
- * Fetch a controller-local device key public key by id.
+ * Opaque client attestation token.
 */
-export type DeviceKeyPublicParams = { keyId: string, };
+token: string, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecutionRequestApprovalParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/CommandExecutionRequestApprovalParams.ts
@@ -8,6 +8,9 @@ import type { NetworkApprovalContext } from "./NetworkApprovalContext";
 import type { NetworkPolicyAmendment } from "./NetworkPolicyAmendment";

 export type CommandExecutionRequestApprovalParams = {threadId: string, turnId: string, itemId: string, /**
+ * Unix timestamp (in milliseconds) when this approval request started.
+ */
+startedAtMs: number, /**
 * Unique identifier for this specific approval callback.
 *
 * For regular shell/unified_exec approvals, this is null.
--- a/codex-rs/app-server-protocol/schema/typescript/v2/DeviceKeyCreateParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/DeviceKeyCreateParams.ts
@@ -1,13 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { DeviceKeyProtectionPolicy } from "./DeviceKeyProtectionPolicy";
-
-/**
- * Create a controller-local device key with a random key id.
- */
-export type DeviceKeyCreateParams = {
-/**
- * Defaults to `hardware_only` when omitted.
- */
-protectionPolicy?: DeviceKeyProtectionPolicy | null, accountUserId: string, clientId: string, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/DeviceKeyCreateResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/DeviceKeyCreateResponse.ts
@@ -1,14 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { DeviceKeyAlgorithm } from "./DeviceKeyAlgorithm";
-import type { DeviceKeyProtectionClass } from "./DeviceKeyProtectionClass";
-
-/**
- * Device-key metadata and public key returned by create/public APIs.
- */
-export type DeviceKeyCreateResponse = { keyId: string,
-/**
- * SubjectPublicKeyInfo DER encoded as base64.
- */
-publicKeySpkiDerBase64: string, algorithm: DeviceKeyAlgorithm, protectionClass: DeviceKeyProtectionClass, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/DeviceKeyProtectionClass.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/DeviceKeyProtectionClass.ts
@@ -1,8 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-
-/**
- * Platform protection class for a controller-local device key.
- */
-export type DeviceKeyProtectionClass = "hardware_secure_enclave" | "hardware_tpm" | "os_protected_nonextractable";
--- a/codex-rs/app-server-protocol/schema/typescript/v2/DeviceKeyProtectionPolicy.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/DeviceKeyProtectionPolicy.ts
@@ -1,8 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-
-/**
- * Protection policy for creating or loading a controller-local device key.
- */
-export type DeviceKeyProtectionPolicy = "hardware_only" | "allow_os_protected_nonextractable";
--- a/codex-rs/app-server-protocol/schema/typescript/v2/DeviceKeyPublicResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/DeviceKeyPublicResponse.ts
@@ -1,14 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { DeviceKeyAlgorithm } from "./DeviceKeyAlgorithm";
-import type { DeviceKeyProtectionClass } from "./DeviceKeyProtectionClass";
-
-/**
- * Device-key public metadata returned by `device/key/public`.
- */
-export type DeviceKeyPublicResponse = { keyId: string,
-/**
- * SubjectPublicKeyInfo DER encoded as base64.
- */
-publicKeySpkiDerBase64: string, algorithm: DeviceKeyAlgorithm, protectionClass: DeviceKeyProtectionClass, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/DeviceKeySignParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/DeviceKeySignParams.ts
@@ -1,9 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { DeviceKeySignPayload } from "./DeviceKeySignPayload";
-
-/**
- * Sign an accepted structured payload with a controller-local device key.
- */
-export type DeviceKeySignParams = { keyId: string, payload: DeviceKeySignPayload, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/DeviceKeySignPayload.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/DeviceKeySignPayload.ts
@@ -1,54 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { RemoteControlClientConnectionAudience } from "./RemoteControlClientConnectionAudience";
-import type { RemoteControlClientEnrollmentAudience } from "./RemoteControlClientEnrollmentAudience";
-
-/**
- * Structured payloads accepted by `device/key/sign`.
- */
-export type DeviceKeySignPayload = { "type": "remoteControlClientConnection", nonce: string, audience: RemoteControlClientConnectionAudience,
-/**
- * Backend-issued websocket session id that this proof authorizes.
- */
-sessionId: string,
-/**
- * Origin of the backend endpoint that issued the challenge and will verify this proof.
- */
-targetOrigin: string,
-/**
- * Websocket route path that this proof authorizes.
- */
-targetPath: string, accountUserId: string, clientId: string,
-/**
- * Remote-control token expiration as Unix seconds.
- */
-tokenExpiresAt: number,
-/**
- * SHA-256 of the controller-scoped remote-control token, encoded as unpadded base64url.
- */
-tokenSha256Base64url: string,
-/**
- * Must contain exactly `remote_control_controller_websocket`.
- */
-scopes: Array<string>, } | { "type": "remoteControlClientEnrollment", nonce: string, audience: RemoteControlClientEnrollmentAudience,
-/**
- * Backend-issued enrollment challenge id that this proof authorizes.
- */
-challengeId: string,
-/**
- * Origin of the backend endpoint that issued the challenge and will verify this proof.
- */
-targetOrigin: string,
-/**
- * HTTP route path that this proof authorizes.
- */
-targetPath: string, accountUserId: string, clientId: string,
-/**
- * SHA-256 of the requested device identity operation, encoded as unpadded base64url.
- */
-deviceIdentitySha256Base64url: string,
-/**
- * Enrollment challenge expiration as Unix seconds.
- */
-challengeExpiresAt: number, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/DeviceKeySignResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/DeviceKeySignResponse.ts
@@ -1,18 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { DeviceKeyAlgorithm } from "./DeviceKeyAlgorithm";
-
-/**
- * ASN.1 DER signature returned by `device/key/sign`.
- */
-export type DeviceKeySignResponse = {
-/**
- * ECDSA signature DER encoded as base64.
- */
-signatureDerBase64: string,
-/**
- * Exact bytes signed by the device key, encoded as base64. Verifiers must verify this byte
- * string directly and must not reserialize `payload`.
- */
-signedPayloadBase64: string, algorithm: DeviceKeyAlgorithm, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/FileChangeRequestApprovalParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/FileChangeRequestApprovalParams.ts
@@ -3,6 +3,10 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.

 export type FileChangeRequestApprovalParams = { threadId: string, turnId: string, itemId: string,
+/**
+ * Unix timestamp (in milliseconds) when this approval request started.
+ */
+startedAtMs: number,
 /**
 * Optional explanatory reason (e.g. request for extra write access).
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ItemGuardianApprovalReviewCompletedNotification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ItemGuardianApprovalReviewCompletedNotification.ts
@@ -10,6 +10,14 @@ import type { GuardianApprovalReviewAction } from "./GuardianApprovalReviewActio
 * shape is expected to change soon.
 */
 export type ItemGuardianApprovalReviewCompletedNotification = { threadId: string, turnId: string,
+/**
+ * Unix timestamp (in milliseconds) when this review started.
+ */
+startedAtMs: number,
+/**
+ * Unix timestamp (in milliseconds) when this review completed.
+ */
+completedAtMs: number,
 /**
 * Stable identifier for this review.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/ItemGuardianApprovalReviewStartedNotification.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/ItemGuardianApprovalReviewStartedNotification.ts
@@ -9,6 +9,10 @@ import type { GuardianApprovalReviewAction } from "./GuardianApprovalReviewActio
 * shape is expected to change soon.
 */
 export type ItemGuardianApprovalReviewStartedNotification = { threadId: string, turnId: string,
+/**
+ * Unix timestamp (in milliseconds) when this review started.
+ */
+startedAtMs: number,
 /**
 * Stable identifier for this review.
 */
--- a/codex-rs/app-server-protocol/schema/typescript/v2/PermissionProfileModificationParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/PermissionProfileModificationParams.ts
@@ -1,6 +0,0 @@
-// GENERATED CODE! DO NOT MODIFY BY HAND!
-
-// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { AbsolutePathBuf } from "../AbsolutePathBuf";
-
-export type PermissionProfileModificationParams = { "type": "additionalWritableRoot", path: AbsolutePathBuf, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/PermissionProfileSelectionParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/PermissionProfileSelectionParams.ts
@@ -1,6 +1,5 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { PermissionProfileModificationParams } from "./PermissionProfileModificationParams";

-export type PermissionProfileSelectionParams = { "type": "profile", id: string, modifications?: Array<PermissionProfileModificationParams> | null, };
+export type PermissionProfileSelectionParams = { "type": "profile", id: string, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/PermissionsRequestApprovalParams.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/PermissionsRequestApprovalParams.ts
@@ -4,4 +4,8 @@
 import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 import type { RequestPermissionProfile } from "./RequestPermissionProfile";

-export type PermissionsRequestApprovalParams = { threadId: string, turnId: string, itemId: string, cwd: AbsolutePathBuf, reason: string | null, permissions: RequestPermissionProfile, };
+export type PermissionsRequestApprovalParams = { threadId: string, turnId: string, itemId: string,
+/**
+ * Unix timestamp (in milliseconds) when this approval request started.
+ */
+startedAtMs: number, cwd: AbsolutePathBuf, reason: string | null, permissions: RequestPermissionProfile, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/PluginDetail.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/PluginDetail.ts
@@ -3,7 +3,8 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { AbsolutePathBuf } from "../AbsolutePathBuf";
 import type { AppSummary } from "./AppSummary";
+import type { PluginHookSummary } from "./PluginHookSummary";
 import type { PluginSummary } from "./PluginSummary";
 import type { SkillSummary } from "./SkillSummary";

-export type PluginDetail = { marketplaceName: string, marketplacePath: AbsolutePathBuf | null, summary: PluginSummary, description: string | null, skills: Array<SkillSummary>, apps: Array<AppSummary>, mcpServers: Array<string>, };
+export type PluginDetail = { marketplaceName: string, marketplacePath: AbsolutePathBuf | null, summary: PluginSummary, description: string | null, skills: Array<SkillSummary>, hooks: Array<PluginHookSummary>, apps: Array<AppSummary>, mcpServers: Array<string>, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/DeviceKeyAlgorithm.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/DeviceKeyAlgorithm.ts
@@ -1,8 +1,6 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { HookEventName } from "./HookEventName";

-/**
- * Device-key algorithm reported at enrollment and signing boundaries.
- */
-export type DeviceKeyAlgorithm = "ecdsa_p256_sha256";
+export type PluginHookSummary = { key: string, eventName: HookEventName, };
--- a/codex-rs/app-server-protocol/schema/typescript/v2/PluginShareContext.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/PluginShareContext.ts
@@ -1,5 +1,6 @@
 // GENERATED CODE! DO NOT MODIFY BY HAND!

 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { PluginSharePrincipal } from "./PluginSharePrincipal";

-export type PluginShareContext = { remotePluginId: string, creatorAccountUserId: string | null, creatorName: string | null, };
+export type PluginShareContext = { remotePluginId: string, shareUrl: string | null, creatorAccountUserId: string | null, creatorName: string | null, shareTargets: Array<PluginSharePrincipal> | null, };
--- a/Show More
+++ b/Show More